Azure Architectural Components PDF
Summary
This document presents an overview of Azure architectural components, focusing on regions, availability zones, and resources. It details the global reach of Azure regions and the benefits of availability zones for disaster recovery. The document also explores different types of Azure resources, including virtual machines, storage accounts, and networking services.
Full Transcript
Azure architectural components
© Copyright Microsoft Corporation. All rights reserved.

Regions
Azure offers more global regions than any other cloud provider: 60-plus regions, available in more than 140 countries.
- A region is a set of one or more datacenters located close to each other.
- Regions give you the flexibility and scale to place workloads close to your customers and reduce latency.
- The region you choose is where your data is stored, so choosing a region is also a data-residency decision.

Availability zones
- Protect against downtime caused by the failure of a single datacenter.
- Physically separate datacenters within one region (Availability Zone 1, 2 and 3 in the slide's diagram).
- Each datacenter has independent power, cooling and networking.
- Zones are connected to each other by private fiber-optic networks.

Region pairs
- At least 300 miles of separation between the two regions of a pair.
- Automatic replication for some services.
- Prioritized region recovery in the event of an outage.
- Updates are rolled out to one region of the pair at a time to minimize downtime.
- Web link: https://aka.ms/PairedRegions

Region                  Paired region
North Central US        South Central US
East US                 West US
West US 2               West Central US
US East 2               Central US
Canada Central          Canada East
North Europe            West Europe
UK West                 UK South
Germany Central         Germany Northeast
South East Asia         East Asia
East China              North China
Japan East              Japan West
Australia Southeast     Australia East
India South             India Central
Brazil South (Primary)  South Central US

Note the last row: Brazil South is paired with South Central US, so anything replicated to the paired region leaves Brazil. Check the pair against your data-residency requirements before enabling geo-replication.

Azure sovereign regions (US government services)
Meets the security and compliance needs of US federal agencies, state and local governments, and their solution providers.
Azure Government:
- A separate instance of Azure.
- Physically isolated from non-US-government deployments.
- Accessible only to screened, authorized personnel.

Azure sovereign regions (Azure China)
Microsoft is China's first foreign public cloud service provider, operating in compliance with government regulations.
Azure China features:
- A physically separated instance of Azure cloud services, operated by 21Vianet.
- All data stays within China to ensure compliance.

Azure resources
Azure resources are the components, such as storage, virtual machines and networks, from which cloud solutions are built. Examples: virtual machines, storage accounts, virtual networks, App Services, SQL databases, Functions.

Resource groups
A resource group is a container used to manage and aggregate resources as a single unit. An application's resources (web tier plus database, virtual machine, storage) can all live in one resource group, or be split across several, for example a web-and-database resource group, a virtual machine resource group and a storage resource group.
- A resource can exist in only one resource group.
- Resources in the same resource group can be in different regions.
- Resources can be moved to a different resource group.
- An application can use multiple resource groups.

Azure subscriptions
An Azure subscription provides authenticated and authorized access to Azure products and services.
- Billing boundary: separate billing reports and invoices are generated for each subscription.
- Access control boundary: the subscription is where you manage and control access to the resources users can provision with it.

Management groups
- A management group can contain multiple Azure subscriptions.
- Subscriptions inherit the conditions (policies and role assignments) applied to their management group.
- Up to 10,000 management groups are supported in a single directory.
- A management group tree can be up to six levels deep, not counting the root level or the subscription level.

Compute and networking

Azure compute services
Azure compute is an on-demand service that provides computing resources such as disks, processors, memory, networking and operating systems. Services: Virtual Machines, App Services, Container Instances, Azure Kubernetes Service (AKS), Azure Virtual Desktop.

Azure virtual machines
Azure virtual machines (VMs) are software emulations of physical computers.
- Include a virtual processor, memory, storage and networking.
- IaaS offering that provides total control and customization; the flip side is that you own the operating system, including patching and hardening it.

VM scale sets
Scale sets provide a load-balanced group of VMs that scales automatically.
- Scale out when resource demand increases.
- Scale in when resource demand is lower.

VM availability sets

Azure Virtual Desktop
Azure Virtual Desktop is a desktop and application virtualization service that runs in the cloud.
- Create a full desktop virtualization environment without having to run additional gateway servers.
- Reduces the risk of confidential data being left behind on a personal device, because the desktop and its data stay in the cloud.
- True multi-session deployments.

Azure container services
Containers provide a lightweight, virtualized environment that does not require operating system management and can respond to changes on demand.
- Azure Container Instances: a PaaS offering that runs a container or a pod of containers in Azure.
- Azure Container Apps: a PaaS offering, like Container Instances, that also load balances and scales.
- Azure Kubernetes Service: an orchestration service for containers, for distributed architectures and large volumes of containers.

Azure Functions
Azure Functions is a PaaS offering that supports serverless compute.
- Event-based code runs when it is called; no server infrastructure has to run (or be paid for) during inactive periods.
Comparing Azure compute options

Virtual machines
- Cloud-based server that supports either Windows or Linux environments.
- Useful for lift-and-shift migrations to the cloud.
- Complete operating system package, including the host operating system.

Virtual Desktop
- Provides a cloud-based personal computer with a Windows desktop experience.
- Dedicated applications to connect and use, or accessible from any modern browser.
- Multi-client login allows multiple users to log into the same machine at the same time.

Containers
- Lightweight, miniature environment well suited for running microservices.
- Designed for scalability and resiliency through orchestration.
- Applications and services are packaged in a container that sits on top of the host operating system; multiple containers can sit on one host OS.

Azure App Services
Azure App Service is a fully managed platform to build, deploy and scale web apps and APIs quickly.
- Works with .NET, .NET Core, Node.js, Java, Python or PHP.
- PaaS offering that meets enterprise-grade performance, security and compliance requirements.

Azure networking services
Azure Virtual Network (VNet) enables Azure resources to communicate with each other, with the internet and with on-premises networks.
- Public endpoints are reachable from anywhere on the internet, which includes attackers; restrict who can reach them (for example with network security group rules) or use a private endpoint instead.
- Private endpoints are reachable only from within your network.
- Subnets segment a virtual network to suit your needs.
- Network peering connects your private networks directly to each other.

Azure networking services: VPN Gateway
VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet.
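The subnet and peering rules above, as an added worked example in Python that is not part of the original slide deck or of any Microsoft tool. It carves subnets out of a virtual network's address space, subtracts the five addresses Azure reserves in every subnet (network address, default gateway, two for Azure DNS, broadcast), checks that subnets stay inside the VNet without overlapping, and flags peering candidates whose address spaces overlap, since peering requires disjoint address spaces. The VNet and subnet names and the CIDR ranges are constructed sample values.

```python
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway, two addresses for Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5
# /29 is the smallest subnet Azure allows (8 addresses, 3 usable).
AZURE_MAX_PREFIXLEN = 29


def usable_addresses(subnet: str) -> int:
    """Number of addresses a subnet can actually hand out to resources."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen > AZURE_MAX_PREFIXLEN:
        raise ValueError(f"{subnet}: Azure subnets must be /{AZURE_MAX_PREFIXLEN} or larger")
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def carve_subnets(vnet_cidr: str, sizes: dict) -> dict:
    """Allocate one subnet per name from the VNet address space.

    sizes maps subnet name -> prefix length. Larger subnets are placed first
    so the address space does not fragment. Returns name -> CIDR string.
    """
    free = [ipaddress.ip_network(vnet_cidr)]
    allocated = {}
    for name, prefixlen in sorted(sizes.items(), key=lambda item: item[1]):
        if prefixlen > AZURE_MAX_PREFIXLEN:
            raise ValueError(f"{name}: /{prefixlen} is smaller than Azure's /29 minimum")
        # First free block that can hold a /prefixlen.
        block = next((b for b in free if b.prefixlen <= prefixlen), None)
        if block is None:
            raise ValueError(f"{name}: no room for a /{prefixlen} in {vnet_cidr}")
        subnet = next(block.subnets(new_prefix=prefixlen))
        free.remove(block)
        free.extend(block.address_exclude(subnet))   # what is left of the block
        free.sort()
        allocated[name] = str(subnet)
    return allocated


def validate_subnets(vnet_cidr: str, subnets: dict) -> list:
    """Return problems: subnets outside the VNet, or subnets overlapping each other."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside {vnet}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def peering_conflicts(vnets: dict) -> list:
    """Pairs of VNets that cannot be peered because their address spaces overlap.

    Peering is also non-transitive: peering hub with spoke-a and hub with
    spoke-b does not connect spoke-a to spoke-b.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed sample hub-and-spoke layout.
    layout = carve_subnets("10.0.0.0/16", {"web": 24, "db": 24, "bastion": 26})
    print(layout)
    print(usable_addresses(layout["bastion"]))
    print(validate_subnets("10.0.0.0/16", layout))
    print(peering_conflicts({"hub": "10.0.0.0/16", "spoke-a": "10.1.0.0/16",
                             "spoke-b": "10.0.128.0/17"}))
```

The overlap check is the one to run before creating a peering: Azure rejects a peering between overlapping address spaces, and a spoke that was given part of the hub's range by mistake is a common cause of that failure.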
Azure networking services: ExpressRoute
ExpressRoute extends on-premises networks into Azure over a private connection facilitated by a connectivity provider, so the traffic does not cross the public internet. A private connection is not an encrypted one: ExpressRoute traffic is not encrypted by default, so add IPsec or MACsec if confidentiality on the circuit is required.

Azure DNS
- Reliability and performance: a global network of DNS name servers using Anycast networking.
- Security: Azure DNS is built on Azure Resource Manager, which provides role-based access control, monitoring and logging.
- Ease of use: manage your Azure and external resources with a single DNS service.
- Private DNS zones: use private, fully customized domain names inside your virtual networks.
- Alias records: alias record sets point directly to an Azure resource.

Storage

Storage accounts
- Must have a globally unique name.
- Provide access over the internet, worldwide.
- Determine which storage services and redundancy options are available.

Storage redundancy

Redundancy configuration           Deployment                                                                            Durability
Locally redundant storage (LRS)    Single datacenter in the primary region                                               11 nines
Zone-redundant storage (ZRS)       Three availability zones in the primary region                                        12 nines
Geo-redundant storage (GRS)        Single datacenter in the primary region and a single datacenter in the secondary region  16 nines
Geo-zone-redundant storage (GZRS)  Three availability zones in the primary region and a single datacenter in the secondary region  16 nines

"11 nines" means 99.999999999% durability of objects over a year. For GRS and GZRS the secondary region is the primary region's paired region, so the region-pair note above applies to where the second copy lives.

Azure storage services
- Azure Blob: optimized for storing massive amounts of unstructured data, such as text or binary data.
- Azure Disk: provides disks for virtual machines, applications and other services to access and use.
- Azure Queue: message storage service for storing and retrieving large numbers of messages, each up to 64 KB.
- Azure Files: sets up a highly available network file share that can be accessed using the Server Message Block (SMB) protocol.
- Azure Tables: provides a key/attribute store for structured, non-relational data with a schema-less design.

Storage service public endpoints

Storage service         Public endpoint
Blob Storage            https://<account>.blob.core.windows.net
Data Lake Storage Gen2  https://<account>.dfs.core.windows.net
Azure Files             https://<account>.file.core.windows.net
Queue Storage           https://<account>.queue.core.windows.net
Table Storage           https://<account>.table.core.windows.net

<account> stands for the storage account name.

Azure storage access tiers
- Hot: optimized for data that is accessed frequently.
- Cool: optimized for data that is infrequently accessed and stored for at least 30 days.
- Cold: optimized for data that is infrequently accessed and stored for at least 90 days.
- Archive: optimized for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements.

Azure Migrate
- Unified migration platform.
- Range of integrated and standalone tools.
- Assessment and migration.

Azure Data Box
- Stores up to 80 terabytes of data.
- Move your disaster recovery backups to Azure.
- Data is protected in a rugged case during transit.
- Migrate data out of Azure for compliance or regulatory needs.
- Migrate data to Azure from remote locations with limited or no connectivity.

File management options

AzCopy
- Command-line utility.
- Copies blobs or files to or from your storage account.
- One-direction synchronization.

Azure Storage Explorer
- Graphical user interface (similar to Windows Explorer).
- Compatible with Windows, macOS and Linux.
- Uses AzCopy to handle file operations.

Azure File Sync
- Synchronizes Azure and on-premises files bidirectionally.
- Cloud tiering keeps frequently accessed files local while freeing up space.
- Rapid reprovisioning of a failed local server (install and resync).

Identity, access, and security

Microsoft Entra ID
Microsoft Entra ID is Microsoft Azure's cloud-based identity and access management service.
- Authentication (employees sign in to access resources).
- Single sign-on (SSO).
- Application management.
- Business to Business (B2B).
- Device management.

Microsoft Entra Domain Services
- Gain the benefits of cloud-based domain services without managing domain controllers.
- Run legacy applications (that can't use modern authentication standards) in the cloud.
- Automatically synchronizes from Microsoft Entra ID (one way, Entra ID to Domain Services).

Compare authentication and authorization

Authentication
- Identifies the person or service seeking access to a resource.
- Requests legitimate access credentials.
- Basis for creating secure identity and access control principles.

Authorization
- Determines an authenticated person's or service's level of access.
- Defines which data they can access and what they can do with it.

Multifactor authentication
Provides additional security for your identities by requiring two or more elements for full authentication:
- Something you know
- Something you possess
- Something you are

Microsoft Entra External ID B2B

Azure AD External Identities B2C

Conditional Access
Conditional Access brings signals together to make decisions and enforce organizational policies. The signals it evaluates:
- User or group membership
- IP location
- Device
- Application
- Risk detection

Role-based access control
- Fine-grained access management.
- Segregate duties within the team and grant users only the amount of access they need to perform their jobs.
- Microsoft Entra ID provides the identities (users, apps, user groups) and access to the Azure portal; role assignments on the Azure subscription and its resource groups control what those identities can do with resources.

Zero Trust

Defense in depth
A layered approach to securing computer systems that provides multiple levels of protection; an attack against one layer is isolated from the subsequent layers. The layers, from outermost to innermost: physical security, identity and access, perimeter, network, compute, application, data.

Microsoft Defender for Cloud
Microsoft Defender for Cloud is a monitoring service that provides threat protection across both Azure and on-premises datacenters.
- Provides security recommendations.
- Detects and blocks malware.
- Analyzes and identifies potential attacks.
- Just-in-time access control for management ports (the port is opened only for an approved user, source and time window).
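The authentication-versus-authorization comparison, the Conditional Access signals and the role-based access control slide above, combined in one added worked example in Python; this is not code from the original slide deck or from Microsoft. A sign-in first passes a Conditional Access style policy that combines the slide's five signals (user/group, IP location, device, application, risk) into block, require-MFA or allow; only then is the requested action checked against role assignments, which inherit down the management group, subscription and resource group scopes and use Actions/NotActions wildcards in the shape of Azure's built-in roles. The trusted IP range, group names, management group tree, role assignments and the policy rules themselves are constructed assumptions for the example, not Microsoft defaults.

```python
import ipaddress
from fnmatch import fnmatch

# ---------- Authentication: Conditional Access over the slide's signals ----------

# Named location for the corporate network (constructed sample range).
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]
# Management-plane apps that always require a compliant device plus MFA (assumption).
PRIVILEGED_APPS = {"Azure portal", "Azure Resource Manager"}


def conditional_access(signin: dict) -> str:
    """Combine user/group, IP location, device, application and risk signals
    into one decision: 'block', 'require_mfa' or 'allow'. Block wins over grant."""
    if signin["risk"] == "high":
        return "block"
    trusted = any(ipaddress.ip_address(signin["ip"]) in net for net in TRUSTED_LOCATIONS)
    privileged = "GlobalAdmins" in signin["groups"] or signin["app"] in PRIVILEGED_APPS
    if privileged:
        # Admins and management-plane access: managed device is mandatory, MFA always.
        return "require_mfa" if signin["device_compliant"] else "block"
    if signin["risk"] == "medium" or not trusted:
        return "require_mfa"
    return "allow"


# ---------- Authorization: Azure RBAC scope inheritance and action matching ----------

# Role definitions use Actions/NotActions with wildcards, like Azure's built-in roles.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/*/read"],
        "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
}

# Management group tree and subscription placement (constructed sample).
MG_PARENT = {"corp": None, "prod": "corp"}
SUBSCRIPTION_MG = {"sub-1": "prod"}
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# An assignment at a scope applies to every scope beneath it (constructed sample).
ROLE_ASSIGNMENTS = [
    {"principal": "ops-team", "role": "Reader", "scope": MG_PREFIX + "corp"},
    {"principal": "bob", "role": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principal": "alice", "role": "Virtual Machine Contributor",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-web"},
]


def management_group_chain(subscription_id: str) -> list:
    """Management groups above a subscription, nearest first."""
    chain, mg = [], SUBSCRIPTION_MG.get(subscription_id)
    while mg:
        chain.append(mg)
        mg = MG_PARENT[mg]
    return chain


def scope_contains(assignment_scope: str, resource_scope: str) -> bool:
    """True if resource_scope is at or below assignment_scope."""
    if assignment_scope.startswith(MG_PREFIX):
        sub = resource_scope.split("/")[2] if resource_scope.startswith("/subscriptions/") else None
        return sub is not None and assignment_scope[len(MG_PREFIX):] in management_group_chain(sub)
    return resource_scope == assignment_scope or resource_scope.startswith(assignment_scope + "/")


def matches(action: str, patterns: list) -> bool:
    # Azure action strings are case-insensitive and '*' spans path segments.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def is_authorized(principal: str, action: str, resource_scope: str) -> bool:
    """Allowed if any inherited assignment's role lists the action and does not exclude it."""
    for a in ROLE_ASSIGNMENTS:
        if a["principal"] != principal or not scope_contains(a["scope"], resource_scope):
            continue
        role = ROLE_DEFINITIONS[a["role"]]
        if matches(action, role["actions"]) and not matches(action, role["not_actions"]):
            return True
    return False


def request_access(signin: dict, action: str, resource_scope: str) -> str:
    """Authenticate first (who, under which conditions), then authorize (what, where)."""
    decision = conditional_access(signin)
    if decision == "block":
        return "denied: sign-in blocked by Conditional Access"
    if decision == "require_mfa" and not signin["mfa_completed"]:
        return "denied: MFA required"
    if not is_authorized(signin["user"], action, resource_scope):
        return f"denied: no role assignment grants {action} at {resource_scope}"
    return "allowed"
```

Two points the code makes that the slides only state: the Reader assignment placed on the top management group reaches a virtual machine three scopes below it, which is why a broad role at the top of the tree deserves the same scrutiny as an Owner assignment; and Contributor's NotActions are what stop a contributor from granting themselves more roles, so an action that matches a role's Actions can still be denied.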