Microsoft Azure
Azure CLI
az configure
az config set core.output=table
az config set core.output=json
- usually gives you a lot more
az login
az account show
storage
az storage account show --name StorageAccountName > /path/to/file
az storage blob download-batch --auth-mode login -d . -s container_name --account-name storage_account_name --pattern path/without/leading/slash/dir/*
Azure Storage Services
Blob storage
- Any kind of file, Binary Large OBject - usually unstructured data (PNG, MOV, EXE, TXT)
- Blobs are subdivided into containers
Access tier
- Hot - frequently accessed data
- Cool - lower availability, high durability - older versions and backups
- Archive - Long-term backup - rarely if ever accessed data, could take
Queue Storage
- Storage for small pieces of data (messages)
- designed for scalable asynchronous processing
Table Storage
- semi-structured data
- no schemas, like noSQL
- No need for foreign joins, foreign keys, relationships or strict schema
- designed for fast access so it's scalable
File storage
- Blob:File::Container:Share
- Access shares via SMB protocol, i.e., Map Network Drive
- Can also have REST protocol apparently
How to set up
- Create new resource
- Create new resource group name
- Provide storage account name
- Pick standard vs premium performance,
Access Control Model
- Grants access to user/application without requiring them to have an identity in Azure Active Directory
Role-based access control (Azure RBAC)
- Requires user/application to have an identity in Azure Active Directory
- Coarse-grained access to storage account data, e.g., all data in storage account.
Attribute-based access control (Azure ABAC)
- Requires user/application to have an identity in Azure Active Directory
- More fine-grained than RBAC, you can add conditions, e.g., read/write access to all data objects in storage account that have a specific tag.
Access control lists (ACLs)
- Requires user/application to have an identity in Azure Active Directory
- Finest-grained access, can unlock specific files and/or directories.
Authorize Access
General
- Authorize access to data in Azure Storage
- Each time you access data in your storage account, your client application makes a request over HTTP
- Every resource is secured by default
- Every request to a secure resource must be authorized
Access Vectors
- Shared Key / storage account key (not recommended)
- Client passes a header with every request that is signed using the storage account access key
- Shared access signature
- Provide limited delegated access to resources in a storage account via a signed URL
- "A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only."
- Azure Active Directory
- On-premises active directory domain services
- Anonymous public read access (not recommended)
- Storage Local Users (used only with SFTP)
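As an added, defender-side example (not from these notes and not Azure tooling): the SAS query parameters listed above are parsed from a constructed URL and the token is flagged when it has a long lifetime, mutating permissions, plain HTTP allowed, no source-IP restriction, or account-wide scope. The account name, URL and signature are constructed placeholders.

```python
"""Audit a shared access signature (SAS) URL for risky delegation settings."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample, not a real token: an account SAS granting read, write,
# delete and list on the blob and file services for a year, over http or https.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/container/report.csv"
    "?sv=2022-11-02&ss=bf&srt=sco&sp=rwdl"
    "&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)

# SAS permission letters that change data: write, delete, add, create.
MUTATING = set("wdac")


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC in one of a few ISO 8601 shapes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas(url: str, now: datetime, max_lifetime_days: int = 7) -> list:
    """Return findings for a SAS URL; an empty list means nothing was flagged."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:                      # sig = HMAC over the other fields
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if "se" not in q:
        findings.append("missing expiry (se)")
    elif parse_sas_time(q["se"]) < now:
        findings.append("expired")
    elif parse_sas_time(q["se"]) - now > timedelta(days=max_lifetime_days):
        findings.append(f"lifetime exceeds {max_lifetime_days} days")
    risky = set(q.get("sp", "")) & MUTATING
    if risky:
        findings.append(f"grants mutating permissions: {''.join(sorted(risky))}")
    # spr omitted means both HTTP and HTTPS are accepted.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("allows plain HTTP (spr)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    if "ss" in q:                           # ss/srt only appear on an account SAS
        findings.append("account SAS (ss/srt): signed with the account key, scoped to whole services")
    return findings
```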
Access Control Lists
Azure Active Directory (Entra ID)
- Cloud-based identity provider
- What is Active Directory
Identity fundamentals
- Identity and access management (IAM) fundamental concepts
- IAM ensures that the right people, machines and software components get access to the right resources at the right time
- First the person, machine, or software component proves they're who or what they claim to be
- They are then allowed or denied access to or use of certain resources
- Identity: Three identity types, human, workload and device
- Authentication: Proves the identity of the user. The process of challenging a person, software component or device for credentials in order to verify their identity
- Often uses OpenID Connect (OIDC) (which is built on OAuth2.0 protocol) or SAML protocols
- Authorization: Done after successful authentication. Grants or denies the user access. Validates that the user, machine or software component has been granted access to certain resources
- Often uses OAuth2.0 protocol
Identity and access management
- Identity management
- create, store and manage identity information
- Identity providers - software that is used to track and manage user identities, as well as permissions and access levels associated with those identities
- Identity federation
- You can allow users who already have passwords elsewhere to get access to your system
- Provisioning and deprovisioning of users
- Create and manage user accounts
- Specify which users have access to which resources
- Assign permission and access levels
- Authentication of users
- Can add MFA, or SSO authenticate identity with one portal instead of many different resources
- Authorization
- Ensures a user is granted the exact level and type of access to a tool that they're entitled to
- Users can also be partitioned into groups or roles so large cohorts of users can be granted the same privileges.
- Access control
- The process of determining who or what has access to which resources
- defining user roles and permissions
- Setting up authentication and authorization mechanisms
- Regulate access to systems and data
- Reports and monitoring
- Generate reports after actions taken on the platform (sign-in time, systems accessed, type of authentication)
- Ensure compliance and assess security risks
- Gain insights into the security and usage patterns of your environment.
Day 1, afternoon
- Deploy solution directly from github list
- lots of templates "Resource management templates"
- Infrastructure as a service
- account.windowsazure.com
Portal
- portal.azure.com
- can't put v1 and v2 on the same service network
Resource manager ("ARM")
- New model for administration
- portal.azure.com
- "v2"
- Used for: VMs, VNets ("Virtual networks") and storage
Service Manager ("ASM")
- classic portal
- manage.windowsazure.com
- "v1", or "classic"
Business/resource groups
- Applications
- Environments
- Nested
Resource manager templates
- declaration using JSON
- define/deploy infrastructure through declarative syntax
- run imperative commands to manage resources, e.g.,
- set azure VM network
Azure IaaS v2 implementation guidelines
- Naming conventions
- Storage
- virtual networks
- virtual machines
Operations Management
- OMS workspace
- organization wide
- collect logs
- consolidated view
- interest for public cloud vs. on premises
Azure access management
- role-based access control (RBAC)
Module 3
- Subscription
- Virtual network - governing IP range, e.g. 10.0.0.0/16
- Subnets - have IP ranges that fit into the larger range, e.g., 10.0.0.0/24, 10.0.0.1/24
- Network interface object (NIC) - obtains an IP address from the subnet, then connects to a virtual machine.
- All it does is hold an ip address
- VNet -> subnet -> NIC -> VM
- If you use a custom domain name like chriscoletta.com, to connect DNS, have a DNS server on a VM which provides resolution for whatever name zones; it needs to be able to resolve DNS names on its own
- Attach to network security groups, which act as port and IP firewalls for that group
- e.g., Allow TCP/IP
- Apply to individual components, or on a VNet level
- Cross-premises network connectivity
- VPN always attaches to a VNet on the Azure side
- VNet features
- Private addresses to a NIC
- Public IP to a NIC or a load balancer
- IP addressing in VNet
- Azure will take away the first 3 and the last
- 10.0.0.1 -> 10.0.0.254
- Azure range goes from
- CIDR notation
- slash defines how many bits represent the network
- 4 binary octets that make up the address
- tells where the divider is between the network part and the client part
- bigger number after slash leaves
- how big is the subnet, and how many individual clients/servers
- if it's outside my subnet then I need a route to it or I just don't worry about it.
- e.g. 255.255.255.0 is another way of saying /24. Anything with zero is client addressable.
NIC
- The NIC, not the VM, is what holds the IP configuration; you can detach a VM from a NIC, which keeps its DNS name and IP configuration, and attach another one. This allows treating them independently.
- A VM could have multiple NICs, so the NICs can be placed in different security groups and treated differently.
- The number of NICs you can have is based on the VM SKU, D1-4, adding "multiple network cards"
- e.g., eight NICs to act as a load balancer, for network failover or bandwidth aggregation.
Private IP address allocation
- dynamic & static
- "Rm" in commandlets stands for "Resource Manager", i.e., v2 stuff
Load Balancer
- internal load balancer
- internet-facing load balancer
- Application Gateway - layer 7 "they go right to HTTP1" SSL1
- Primary design to handle web traffic
- redirecting traffic to a webserver based on cookie information
- traffic manager
- allows you to direct traffic internally and externally
- primarily used to redirect based on network affinity: endpoints in India or East Asia will direct to the appropriate endpoint for that application
- Configure load balancer
- Configure front-end IP
- configure backend address pool, which consists of one or more subnets
- configure load balancing rules
- create a health probe, so traffic is not redirected to a node that's down/not present
Azure DNS
- Create Azure DNS zone
- Select subscription
- Create new resource group
- Create a DNS Zone
- Retrieve SOA and NS records for the Zone
- Create a resource record
- have your own-domain based, e.g., extend ActiveDomain
- Use this server to do DNS rather than the native DNS, most universal application
Planning for Azure virtual networks
- Choose both private and public non-overlapping address space
- Important if you have on-premises address space
- Choose subnets
- If we want to be sure we don't have overlapping, use static private IP addresses (optional)
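An added worked example for the CIDR notes above and for the non-overlapping address-space planning (not from these notes): it reports what a prefix length means in mask and host terms, the address range Azure actually leaves usable in a subnet, and checks a constructed plan for subnets outside the VNet, overlapping subnets and collisions with on-premises ranges. The VNet, subnet and on-premises ranges are constructed sample values.

```python
"""Subnet sizing and overlap checks for planning an Azure VNet (added example)."""
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway (.1), two addresses kept for Azure DNS (.2 and .3) and the
# broadcast address (last). The notes above say "first 3 and the last"; the
# documented figure is the first four plus the last one, which is used here.
AZURE_RESERVED_HEAD = 4
AZURE_RESERVED_TAIL = 1


def describe_subnet(cidr: str) -> dict:
    """Explain a CIDR block: mask, network/host bits, Azure-usable host range."""
    net = ipaddress.ip_network(cidr, strict=True)
    total = net.num_addresses
    usable = max(total - AZURE_RESERVED_HEAD - AZURE_RESERVED_TAIL, 0)
    first = net.network_address + AZURE_RESERVED_HEAD
    last = net.broadcast_address - AZURE_RESERVED_TAIL
    return {
        "network": str(net),
        "netmask": str(net.netmask),                     # 255.255.255.0 for a /24
        "prefix_bits": net.prefixlen,                    # bits that name the network
        "host_bits": net.max_prefixlen - net.prefixlen,  # bits left for clients/servers
        "total_addresses": total,
        "azure_usable": usable,
        "first_usable": str(first) if usable else None,
        "last_usable": str(last) if usable else None,
    }


def plan_subnets(vnet: str, subnets: list, on_prem: list) -> list:
    """Return planning problems: subnets outside the VNet, subnets overlapping
    each other, and VNet space that collides with on-premises ranges."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    nets = [ipaddress.ip_network(s) for s in subnets]
    for n in nets:
        if not n.subnet_of(vnet_net):
            problems.append(f"{n} is not inside VNet {vnet_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    for r in on_prem:
        r_net = ipaddress.ip_network(r)
        if vnet_net.overlaps(r_net):
            problems.append(f"VNet {vnet_net} overlaps on-premises range {r_net}")
    return problems
```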