This post is the second in ‘The Azure Bakery’ series: this part is about management groups. The introduction to the series explains the layered approach.
Welcome back for the second layer of our cake. The first layer was Azure Active Directory. Today, we’ll look at management groups, the enterprise-scale landing zone architecture framework, and Azure Resource Manager.
The core of the landing zone framework consists of management groups and subscriptions, and it is a great tool for designing the fundamentals of your Azure environment. Going through Azure Resource Manager, its scopes, inheritance, and templates solidifies your understanding of how governance actually reaches a resource.
Management groups are a crucial aspect in managing access, policies, and compliance across Azure. A management group is like a container for your subscriptions and allows you to apply governance to all subscriptions within that management group.
Most organizations have multiple subscriptions. Management groups let you organize subscriptions into groups and nested subgroups. Each subscription inherits the policy assignments and role assignments of every management group above it, so a setting made once near the top of the tree applies to every subscription below. We’ll look at subscriptions in detail in the next layer.
Management groups form a hierarchy of their own. Even though management groups can be nested up to six levels deep (the tenant root and the subscription level don’t count), the recommendation is to keep the hierarchy mostly flat, with no more than four levels, for an efficient and flexible management strategy. The first level in every Azure tenant is the built-in “Tenant Root Group”, which allows you to apply governance at the directory level. Two practical points about that root: no one is granted access at the tenant root scope by default, so a Global Administrator has to elevate their access in Azure AD before they can manage it, and the usual advice is to assign policies and roles at an intermediate management group directly under the root rather than on the root itself, so the root stays untouched.
Create a top-level platform management group to combine and govern the subscriptions used for the foundation of your Azure environment (identity, management, connectivity). A top-level sandbox management group allows your organization to experiment with Azure. The sandbox should be isolated from the other environments, but that isolation is something you enforce with policy assignments at the sandbox scope (for example, denying network peering to production), not something the management group gives you on its own.
There are multiple ways you can design and use management groups and their subscriptions. For example, you can mirror the billing hierarchy, categorize by workload or application, model your organization, or use the enterprise-scale landing zone architecture framework.
The design of your management groups goes hand in hand with the design of your subscriptions. For this layer, we’ll focus on the enterprise-scale landing zone architecture framework. In the next layer, we go through the other design strategies in more detail.
Even though the landing zone framework is initially meant for enterprises, it’s beneficial for every organization. It allows you to design your management groups and subscriptions and thereby your Azure environment in a modular and scalable way.
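As an added example (not part of the original post), here is such a hierarchy expressed in Terraform with the azurerm provider: an intermediate root under the Tenant Root Group, platform and sandbox groups below it, and one policy assigned at the intermediate root that every subscription in the tree inherits. The management-group names, subscription IDs and allowed regions are placeholders, the configuration assumes azurerm provider 4.x, and it assumes the principal applying it may create management groups and assign policy at the tenant root.

```hcl
# Added example, not from the original post. Assumes azurerm provider 4.x and a
# principal allowed to create management groups and assign policy at the root.

data "azurerm_client_config" "current" {}

# The built-in Tenant Root Group's name is the tenant ID.
data "azurerm_management_group" "root" {
  name = data.azurerm_client_config.current.tenant_id
}

# Placeholder subscription IDs (assumption: replace with your own).
variable "subscriptions" {
  type = map(string)
  default = {
    management   = "00000000-0000-0000-0000-000000000001"
    connectivity = "00000000-0000-0000-0000-000000000002"
    sandbox      = "00000000-0000-0000-0000-000000000003"
  }
}

# Level 1: an intermediate root. Tenant-wide governance is assigned here, not
# on the Tenant Root Group itself, so the root stays untouched.
resource "azurerm_management_group" "org" {
  name                       = "contoso"
  display_name               = "Contoso"
  parent_management_group_id = data.azurerm_management_group.root.id
}

# Level 2: platform (shared foundation) and sandbox (isolated experiments).
resource "azurerm_management_group" "platform" {
  name                       = "contoso-platform"
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.org.id
}

resource "azurerm_management_group" "sandbox" {
  name                       = "contoso-sandbox"
  display_name               = "Sandbox"
  parent_management_group_id = azurerm_management_group.org.id
  subscription_ids           = [var.subscriptions["sandbox"]]
}

# Level 3: platform split by function; subscriptions land at this level.
resource "azurerm_management_group" "management" {
  name                       = "contoso-platform-management"
  display_name               = "Management"
  parent_management_group_id = azurerm_management_group.platform.id
  subscription_ids           = [var.subscriptions["management"]]
}

resource "azurerm_management_group" "connectivity" {
  name                       = "contoso-platform-connectivity"
  display_name               = "Connectivity"
  parent_management_group_id = azurerm_management_group.platform.id
  subscription_ids           = [var.subscriptions["connectivity"]]
}

# Inheritance in action: one assignment at the intermediate root restricts
# every subscription in the tree, the sandbox included, to two regions.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

resource "azurerm_management_group_policy_assignment" "locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.org.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] }
  })
}

# Sandbox isolation is likewise a policy assignment at the sandbox scope
# (for example a custom deny on VNet peering), not a property of the group.
```

Moving a subscription between management groups later is a single `subscription_ids` change, which is the flexibility the flat hierarchy buys you; what you lose when you go deeper than three or four levels is the ability to reason about which assignment a given subscription actually inherits.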
#azure #technology #cloud
No organization on a growth path, or one looking to expand its customer base and enter new markets, will restrict its infrastructure and design to a single database option. There are two levels of database selection.
Options to choose from:
Key data platform services I would like to highlight:
#azure-databricks #azure #microsoft-azure-analytics #azure-data-factory #azure series
Azure Web Application Firewall (WAF) provides centralized protection for the web applications behind Azure Application Gateway (it is also available on Azure Front Door). It inspects HTTP requests and blocks common web attacks before they reach your web servers, among them SQL injection, cross-site scripting and the other categories covered by the OWASP Core Rule Set. The managed rule sets are maintained and updated by Microsoft, so new attack signatures arrive without you editing rules. What still falls to you is choosing the rule set version, adding exclusions for false positives, and running the policy in Prevention mode rather than Detection mode: in Detection mode the WAF only logs matches and blocks nothing.
WAF covers application security; the network layer is covered by Azure Firewall, a cloud-based network security service that protects your organization’s Azure Virtual Network resources. It is fully stateful: it tracks connections, so the response to an allowed outbound request is permitted without a separate inbound rule. Across your organization’s subscriptions and virtual networks, you can create, enforce and log application (FQDN-based) and network (IP- and port-based) connectivity policies, and anything not explicitly allowed is denied. It uses a static public IP address for outbound traffic from your virtual network (SNAT), so external firewalls can identify traffic coming from your virtual network, and it is fully integrated with Azure Monitor for logging and analytics.
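The following is an added example (not part of the original article) showing both layers as Terraform azurerm configuration: a WAF policy for Application Gateway running the Microsoft-managed OWASP rule set in Prevention mode with one custom rule in front of it, and an Azure Firewall policy whose rule collections are the complete egress allow-list for a spoke network. It assumes azurerm provider 4.x; the resource names, the 10.10.0.0/16 range, the blocked range and the FQDNs are placeholders.

```hcl
# Added example, not from the original post. Assumes azurerm provider 4.x;
# names, address ranges and FQDNs are placeholders.

resource "azurerm_resource_group" "sec" {
  name     = "rg-security-example"
  location = "westeurope"
}

resource "azurerm_web_application_firewall_policy" "app" {
  name                = "wafpol-app"
  resource_group_name = azurerm_resource_group.sec.name
  location            = azurerm_resource_group.sec.location

  policy_settings {
    enabled = true
    # "Detection" only logs matches. Start there to surface false positives,
    # then switch to "Prevention", which is the mode that blocks requests.
    mode                        = "Prevention"
    request_body_check          = true
    max_request_body_size_in_kb = 128
    file_upload_limit_in_mb     = 100
  }

  managed_rules {
    # Microsoft maintains this rule set (SQLi, XSS, RCE, ...). You still own
    # the version choice and any exclusions for false positives.
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }

  # Custom rules are evaluated before the managed set.
  custom_rules {
    name      = "DenyKnownBadRange"
    priority  = 10
    rule_type = "MatchRule"
    action    = "Block"
    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator     = "IPMatch"
      match_values = ["198.51.100.0/24"] # placeholder (documentation range)
    }
  }
}
# Attach to an Application Gateway with sku { name = "WAF_v2" tier = "WAF_v2" }
# and firewall_policy_id = azurerm_web_application_firewall_policy.app.id.

resource "azurerm_firewall_policy" "hub" {
  name                     = "fwpol-hub"
  resource_group_name      = azurerm_resource_group.sec.name
  location                 = azurerm_resource_group.sec.location
  sku                      = "Standard"
  threat_intelligence_mode = "Deny" # drop traffic to/from the threat-intel list
}

# Azure Firewall denies everything not explicitly allowed; these collections
# are the full egress allow-list for the 10.10.0.0/16 spoke.
resource "azurerm_firewall_policy_rule_collection_group" "egress" {
  name               = "rcg-egress"
  firewall_policy_id = azurerm_firewall_policy.hub.id
  priority           = 100

  # Application rules match on FQDN, so web egress is limited to named hosts.
  application_rule_collection {
    name     = "allow-os-updates"
    priority = 100
    action   = "Allow"
    rule {
      name = "ubuntu-apt"
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["10.10.0.0/16"]
      destination_fqdns = ["*.ubuntu.com"]
    }
  }

  # Network rules match on IP and port; here, DNS to Azure's resolver only.
  network_rule_collection {
    name     = "allow-dns"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "dns-to-azure-resolver"
      protocols             = ["UDP"]
      source_addresses      = ["10.10.0.0/16"]
      destination_addresses = ["168.63.129.16"]
      destination_ports     = ["53"]
    }
  }
}
# The firewall instance (azurerm_firewall) references this policy through
# firewall_policy_id and needs a subnet named AzureFirewallSubnet plus a
# Standard-SKU static public IP, which is the SNAT address seen externally.
```

The two `mode` values are the check worth automating: a WAF policy left in Detection mode after the tuning phase looks healthy in the portal and protects nothing, so it is worth a policy or a pipeline check that fails when `mode != "Prevention"` on production policies.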
#azure-interview #azure-security #azure series #azure #network #protection
Azure SQL Database is a Platform-as-a-Service (PaaS) managed database service. It provides features such as automatic database tuning, vulnerability assessment, automated patching, performance recommendations and alerts. It offers a 99.995% availability SLA for zone-redundant databases in the Business Critical service tier.
This article explores Transparent Data Encryption (TDE) using the customer-managed key in Azure SQL Database.
In an on-premises SQL Server instance, database administrators can enable Transparent Data Encryption (TDE) to secure the data and log files of a database. It protects data at rest from a malicious actor who obtains the files: the database, its transaction log and the associated backups are encrypted and decrypted in real time, without any configuration changes at the application end. Note what TDE does not do: it does not protect data in transit or data read by anyone who can log in to the database, so it complements TLS and access control rather than replacing them.
The high-level steps for implementing TDE are as follows.
In the following image, we can visualize the TDE hierarchy. If you are new to TDE, you can refer to the following articles to get familiar with TDE.
If you migrate your on-premises databases to Azure SQL Database, TDE is enabled by default for newly created databases. You can connect to the Azure portal and verify the configuration. By default it uses a service-managed key: it is Azure’s responsibility to manage the key without any user intervention, Microsoft rotates these certificates according to its internal security policy, and the root key is protected in Microsoft’s internal secret store. The alternative covered here is a customer-managed key, where the TDE protector lives in an Azure Key Vault you control and the SQL server is granted only the permission to wrap and unwrap database keys with it.
As shown below, my [labazuresql] database is encrypted using Transparent Data Encryption.
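As an added example that is not part of the original article, the Terraform configuration below performs the customer-managed-key switch end to end: a logical SQL server with a system-assigned identity, a Key Vault with soft delete and purge protection, a wrap/unwrap-only grant for the server’s identity, an HSM-backed key, and the server-level TDE protector pointed at that key. It assumes azurerm provider 4.x; the server, vault and database names are placeholders and the admin password is supplied as a sensitive variable.

```hcl
# Added example, not from the original article. Assumes azurerm provider 4.x;
# resource names are placeholders and the server/vault names must be unique.

data "azurerm_client_config" "current" {}

variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "sql" {
  name     = "rg-sql-tde-example"
  location = "westeurope"
}

resource "azurerm_mssql_server" "lab" {
  name                         = "sql-labazure-example"
  resource_group_name          = azurerm_resource_group.sql.name
  location                     = azurerm_resource_group.sql.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password
  minimum_tls_version          = "1.2"

  # Azure SQL reaches Key Vault with this identity, never with a secret.
  identity {
    type = "SystemAssigned"
  }
}

# Soft delete and purge protection are mandatory for a TDE protector vault:
# if the key disappears, every database encrypted under it becomes unreadable.
resource "azurerm_key_vault" "tde" {
  name                       = "kv-tde-example"
  resource_group_name        = azurerm_resource_group.sql.name
  location                   = azurerm_resource_group.sql.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium" # needed for HSM-backed keys
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# The deployer manages keys; the SQL server gets only what TDE needs.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id    = azurerm_key_vault.tde.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azurerm_client_config.current.object_id
  key_permissions = ["Get", "List", "Create", "Delete", "Recover", "GetRotationPolicy"]
}

resource "azurerm_key_vault_access_policy" "sql" {
  key_vault_id    = azurerm_key_vault.tde.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_mssql_server.lab.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_key_vault_key" "tde" {
  name         = "sql-tde-protector"
  key_vault_id = azurerm_key_vault.tde.id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

# Switch the server's TDE protector from the service-managed key to ours.
# Only the database encryption keys are re-wrapped; data is not re-encrypted.
resource "azurerm_mssql_server_transparent_data_encryption" "lab" {
  server_id             = azurerm_mssql_server.lab.id
  key_vault_key_id      = azurerm_key_vault_key.tde.id
  auto_rotation_enabled = true # pick up new key versions automatically

  depends_on = [azurerm_key_vault_access_policy.sql]
}

resource "azurerm_mssql_database" "lab" {
  name      = "labazuresql"
  server_id = azurerm_mssql_server.lab.id
  sku_name  = "S0"
  # TDE is on by default for a new database; the resource above makes the
  # customer-managed key its protector instead of the service-managed one.
}
```

The operational consequence of owning the key is that revoking the server’s access policy, or deleting the key without recovering it, takes every database on that server offline; treat the vault’s purge protection and the `sql` access policy as availability controls, not only as security ones.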
#azure #sql azure #azure sql database #azure sql #customer-managed
This article is a part of the series – Learn NoSQL in Azure, where we explore Azure Cosmos DB as a non-relational database system used widely for a variety of applications. Azure Cosmos DB is one of Microsoft’s managed databases on Azure; it is highly scalable and can be distributed across any of the regions Azure runs in. It is offered as a platform as a service (PaaS), and you can build databases on it that have very high throughput and very low latency. Using Azure Cosmos DB, customers can replicate their data across multiple regions around the globe and also across availability zones within the same region. This makes Cosmos DB a highly available database service: 99.999% read availability for multi-region accounts (and 99.999% write availability when multiple write regions are enabled), and 99.99% availability for single-region accounts.
In this article, we will focus more on how Azure Cosmos DB works behind the scenes and how can you get started with it using the Azure Portal. We will also explore how Cosmos DB is priced and understand the pricing model in detail.
As already mentioned, Azure Cosmos DB is a multi-model NoSQL database service that can be geographically distributed across multiple Azure regions. This allows customers to deploy their databases in several locations around the globe, which reduces read latency for users near each location.
As the figure above shows, Azure Cosmos DB is distributed across the globe. Suppose you have a web application hosted in India. By default an account has a single write region, so the database replica in India acts as the write region and all the other replicas serve reads. Whenever new data is generated, it is written to the India region first and then replicated to the other regions. (Multi-region writes can be enabled, at the cost of having to handle write conflicts in the application.)
When data is maintained over multiple regions, the most common challenge is the delay before a write becomes visible in the other regions. For example, when data is written to the database in India, users in India will see it sooner than users in the US, because of replication latency between the two regions. To control this, customers can choose from a few modes that define how soon, and how consistently, their data must be visible in the other regions. Azure Cosmos DB offers five consistency levels, which are as follows:
Most common NoSQL databases offer only two levels, Strong and Eventual. Strong is the most consistent level and Eventual the least. As you move from Strong towards Eventual, consistency decreases while availability, throughput and latency improve. This is a trade-off that customers need to decide based on the criticality of their applications. The level set on the account is also an upper bound: a client can request a weaker level on an individual request, but never a stronger one than the account default. If you want to read about the consistency levels in more detail, the official guide from Microsoft is the easiest to understand. You can refer to it here.
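As an added example, not from the original article, here is what the India-write, multi-region-read topology described above looks like as a Terraform azurerm Cosmos DB account, with Bounded Staleness chosen as the consistency level so that the staleness readers in the other regions can observe is bounded explicitly. It assumes azurerm provider 4.x; the account name and regions are placeholders.

```hcl
# Added example, not from the original article. Assumes azurerm provider 4.x;
# the account name and the regions are placeholders.

resource "azurerm_resource_group" "cosmos" {
  name     = "rg-cosmos-example"
  location = "centralindia"
}

resource "azurerm_cosmosdb_account" "shop" {
  name                = "cosmos-shop-example" # must be globally unique
  resource_group_name = azurerm_resource_group.cosmos.name
  location            = azurerm_resource_group.cosmos.location
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB" # the NoSQL (Core) API

  # failover_priority 0 is the write region; the others serve reads until a
  # failover promotes one of them.
  geo_location {
    location          = "centralindia"
    failover_priority = 0
    zone_redundant    = true
  }
  geo_location {
    location          = "eastus"
    failover_priority = 1
  }
  geo_location {
    location          = "westeurope"
    failover_priority = 2
  }
  automatic_failover_enabled = true
  # Turn on only if the application resolves write conflicts.
  multiple_write_locations_enabled = false

  # Reads in eastus or westeurope lag the India write region by at most
  # 300 s or 100,000 operations, whichever is reached first. Clients may ask
  # for a weaker level per request, never a stronger one than this default.
  consistency_policy {
    consistency_level       = "BoundedStaleness"
    max_interval_in_seconds = 300
    max_staleness_prefix    = 100000
  }

  # Keep the account off the public internet (reach it via private endpoint)
  # and disable account keys so only Azure AD principals can authenticate.
  public_network_access_enabled = false
  local_authentication_disabled = true
}
```

The last two settings are not about consistency but belong in any account definition: with `local_authentication_disabled` the long-lived primary key stops being a credential anyone can copy out of the portal, and access is then a matter of role assignments on the account.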
Now that we have some idea about working with the NoSQL database – Azure Cosmos DB on Azure, let us try to understand how the database is priced. In order to work with any cloud-based services, it is essential that you have a sound knowledge of how the services are charged, otherwise, you might end up paying something much higher than your expectations.
If you browse to the pricing page of Azure Cosmos DB, you can see that there are two modes in which the database services are billed.
Let’s learn about this in more detail.
#azure #azure cosmos db #nosql #azure #nosql in azure #azure cosmos db
In this article, I’ll explain the concepts around Managed Identities in Azure, the different types of managed identities, and how to assign them to a VM. Then we will show how to authenticate Terraform to Azure using the managed identity. Lastly, we will configure an Application Gateway to use a managed identity in order to access secrets in an Azure Key Vault.
Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
Crucially, the management of credentials is handled by the platform (hence the word managed), not by the application or the developer: there is no client secret or certificate to store, rotate or leak, and code on the resource obtains tokens from the local instance metadata endpoint instead.
You can use a system-assigned managed identity to authenticate when using Terraform. The managed identity will need RBAC permissions on the subscription, with a role of either Owner, or both Contributor and User Access Administrator; scope the assignment to the narrowest scope the configuration actually manages where you can.
Managed identities can also be created and managed using Terraform and then assigned a role. These can then be tied to a resource, like a VM or an Application Gateway.
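The configuration below is an added example, not the article’s own code, that ties the three parts together: the azurerm provider authenticating through the system-assigned identity of the machine Terraform runs on, a user-assigned identity created in Terraform with a least-privilege role assignment and attached to a VM, and a second user-assigned identity granted nothing more than `Get` on secrets in the Key Vault an Application Gateway reads its TLS certificate from. It assumes azurerm provider 4.x and that the VM’s network interface and the certificate Key Vault already exist; those IDs, the subscription ID and all names are placeholders.

```hcl
# Added example, not from the original article. Assumes azurerm provider 4.x,
# that this configuration runs on a VM with a system-assigned identity, and
# that the NIC and the certificate Key Vault already exist (placeholders).

provider "azurerm" {
  features {}
  # Authenticate as the system-assigned identity of the machine running
  # Terraform: no client secret in this config or in its environment.
  use_msi         = true
  subscription_id = var.subscription_id
  # For a user-assigned identity add client_id = <that identity's client ID>.
}

variable "subscription_id" { type = string }
variable "app_nic_id" { type = string }        # assumed pre-existing NIC
variable "cert_key_vault_id" { type = string } # assumed pre-existing vault

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-identity-example"
  location = "westeurope"
}

# Identity for a workload VM: created and role-assigned here, attached below.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-vm"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Least privilege: Reader on one resource group, not Contributor on the
# subscription. (The identity Terraform itself runs as needs Owner, or
# Contributor plus User Access Administrator, at the scope it manages.)
resource "azurerm_role_assignment" "app_reader" {
  scope                = azurerm_resource_group.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

resource "azurerm_linux_virtual_machine" "app" {
  name                  = "vm-app"
  resource_group_name   = azurerm_resource_group.example.name
  location              = azurerm_resource_group.example.location
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [var.app_nic_id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_ed25519.pub")
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
  # Code on this VM obtains tokens for this identity from the instance
  # metadata endpoint (169.254.169.254); nothing credential-like is on disk.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app.id]
  }
}

# Second identity for an Application Gateway: it only has to read the TLS
# certificate secret, so that is all it is granted.
resource "azurerm_user_assigned_identity" "appgw" {
  name                = "id-appgw-certs"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_key_vault_access_policy" "appgw" {
  key_vault_id       = var.cert_key_vault_id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.appgw.principal_id
  secret_permissions = ["Get"]
}
# On the gateway: identity { type = "UserAssigned", identity_ids = [...] }
# and ssl_certificate { name = "tls", key_vault_secret_id = <secret ID> }.
```

One identity per consumer, each with only the grant it needs, is the point of the split: if the gateway’s identity is ever abused it can read one secret, and the VM’s identity can read one resource group, which is a much smaller blast radius than a shared service principal with Contributor.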
#azure-devops #azure-managed-identities #azure-active-directory #azure #terraform