1. Manage Azure Identities and Governance

Azure Active Directory (Azure AD):

• Azure Active Directory (Azure AD): Azure’s cloud-based identity and access management service. It allows employees to access resources like Microsoft 365, Azure Portal, and third-party SaaS applications.
  1. Azure AD Users and Groups: Manage user identities and groups, assign roles and permissions.
  2. Service Principals: Non-human identity for apps, services, or automation to access Azure resources.
  3. Enterprise Applications: Integrate third-party applications with Azure AD for single sign-on (SSO).

Role-Based Access Control (RBAC):

• RBAC: Azure’s granular access control model that assigns roles to users, groups, and applications to give them appropriate access to resources.
  1. Roles: Common built-in roles include Owner, Contributor, and Reader.
  2. Custom Roles: You can create custom roles if built-in roles do not meet your security requirements.
  3. Role Assignment Scope: Assign roles at various scopes: management group, subscription, resource group, or resource.

Azure AD Connect and Sync:

• Azure AD Connect: A tool for integrating your on-premises directories (Active Directory) with Azure AD.
  1. Password Hash Synchronization: Sync passwords from on-prem AD to Azure AD.
  2. Federated Authentication: Use existing on-prem AD infrastructure for authentication.
  3. Azure AD Domain Services: Provide domain-join, group policy, LDAP, and Kerberos/NTLM authentication without managing domain controllers.

Conditional Access and Multi-Factor Authentication (MFA):

• Conditional Access: Policy-based control that limits access to applications or services based on conditions like location, device status, or user risk level.
  1. MFA: Requires a second form of verification (e.g., phone, app) to strengthen security.

Azure Policies and Blueprints:

• Azure Policy: Ensures that resources comply with your organizational standards. Example: enforcing the use of specific SKUs or ensuring tagging on resources.
  1. Initiatives: A collection of Azure policies, used to achieve large-scale compliance goals.
  2. Azure Blueprints: Define a repeatable set of resources and policies, ensuring consistency in deployments.

Azure Monitor and Service Health:

• Azure Monitor: Collects, analyzes, and acts on telemetry data from Azure resources. Allows tracking of performance and diagnostic data.
  1. Logs and Metrics: Logs are event-based, and metrics are numerical data over time.
  2. Alerts: Set up triggers for certain conditions (e.g., CPU above 80%) to notify administrators.
• Azure Service Health: Alerts and reports on the health of Azure services impacting your environment.

Managing Subscriptions and Management Groups:

• Azure Subscriptions: Logical containers that hold resources. Each subscription has unique billing and access control boundaries.
  • Management Groups: Organize multiple subscriptions under one hierarchy. Management groups allow unified policy and role assignment across subscriptions.

2. Manage Storage

Azure Storage Accounts:

• Storage Account Types:
  1. General-purpose v2 (GPv2): Support all storage services and the latest features like tiering and lifecycle management.
  2. Blob Storage: Optimized for storing unstructured data.
• Access Tiers: Hot, Cool, Archive tiers to optimize costs depending on data access frequency.

Blob Storage (Hot, Cool, and Archive):

• Blob Types:
  1. Block Blob: Stores text and binary data, typically for large files like images or videos.
  2. Append Blob: Optimized for append operations, such as logging.
  3. Page Blob: Used for VMs or managed disks.
• Storage Tiers:
  1. Hot: Frequently accessed data.
  2. Cool: Infrequently accessed data.
  3. Archive: Rarely accessed data; retrieval takes longer.

Azure Files and Azure File Sync:

• Azure Files: Fully managed shared file system in the cloud, accessible over SMB/NFS protocols.
  1. File Sync: Synchronizes on-premises file servers with Azure Files for hybrid cloud storage.

Azure Disks (Managed vs Unmanaged):

• Managed Disks: Azure automatically manages the disk storage for VMs, simplifying management.
  1. Premium SSD, Standard SSD, and Standard HDD disks available for different performance requirements.

Access Control and Encryption in Storage:

1. Access Control: Apply RBAC to storage accounts to limit access based on roles.
2. Encryption: Data is encrypted at rest by default using Microsoft-managed keys. You can opt for customer-managed keys via Azure Key Vault.

Data Replication Strategies:

• Replication Options:
  1. Locally Redundant Storage (LRS): Three copies of your data within a single datacenter.
  2. Geo-Redundant Storage (GRS): Replicates data to a secondary region, ensuring disaster recovery.
  3. Zone-Redundant Storage (ZRS): Replicates across multiple zones within the same region.

Azure Storage Explorer:

• Azure Storage Explorer: A free desktop tool that allows you to manage Azure storage resources. You can upload, download, and manage blobs, tables, queues, and files.

3. Manage Azure Compute Resources

Azure Virtual Machines (VMs):

• Azure VMs: On-demand scalable virtualized computing resources in Azure.
  1. VM Sizes: VMs are available in various sizes with different combinations of CPU, memory, and disk types.
  2. Images: Choose from pre-configured images like Windows Server, Ubuntu, or create custom images.

VM Availability and Resiliency (Availability Sets, Availability Zones):

1. Availability Sets: Group VMs into fault domains and update domains to ensure high availability. Protects against hardware failures and maintenance events.
2. Availability Zones: VMs can be distributed across physically separate datacenters within the same region to ensure fault tolerance.

VM Scale Sets:

• VM Scale Sets: Enable automatic scaling of VMs based on demand, providing high availability and elasticity. Used to handle workload surges automatically.

Azure App Services (Web Apps, API Apps, Mobile Apps):

• App Services: Fully managed platform for building, deploying, and scaling web, mobile, and API apps. Supports multiple languages like .NET, Java, Python, and PHP.

Azure Kubernetes Service (AKS):

• AKS: Managed Kubernetes service in Azure for deploying, managing, and scaling containerized applications.
  1. Container Registry: Store and manage Docker container images for deployment.

Azure Functions and Logic Apps:

1. Azure Functions: A serverless compute service that automatically scales to handle spikes in demand. Ideal for microservices architecture or background tasks.
2. Logic Apps: A no-code platform for automating workflows and integrating services across platforms.

Azure Automation and Azure Bastion:

1. Azure Automation: Automate frequent, time-consuming tasks with workflows (runbooks) and configuration management.
2. Azure Bastion: Provides secure RDP/SSH access to VMs without exposing them to the public internet.

4. Configure and Manage Virtual Networks

Azure Virtual Network (VNet) Overview:

1. Azure VNet: A logical isolation of the Azure cloud dedicated to your subscription. VNets allow resources like VMs to communicate securely.
2. IP Addressing: Define a private IP address range using IPv4 or IPv6.

Subnets and IP Addressing:

• Subnets: VNets are divided into subnets for logical segmentation of resources.
  1. Private Subnets: Resources in these subnets do not have internet access by default.

Network Security Groups (NSGs) and Route Tables:

1. NSGs: Control inbound and outbound traffic to Azure resources based on rules.
2. Route Tables: Manually define routes to control traffic flow between subnets, to on-prem environments, or the internet.

Azure VPN Gateway, ExpressRoute:

1. VPN Gateway: Provides site-to-site or point-to-site secure communication between your on-premises network and Azure using IPsec/IKE.
2. ExpressRoute: Private connection between your on-prem network and Azure, bypassing the public internet.

VNet Peering:

• VNet Peering: Connect two VNets to allow them to communicate with each other. Can be used across regions (Global VNet Peering).

Azure Load Balancer and Application Gateway:

1. Azure Load Balancer: Distributes incoming traffic across multiple VMs to ensure high availability.
2. Application Gateway: Load balancer with additional features like SSL termination, URL-based routing, and Web Application Firewall (WAF).

Azure DNS and Azure Firewall:

1. Azure DNS: Hosts your DNS domains and resolves domain names in Azure.
2. Azure Firewall: Managed network security service to protect Azure VNets with high availability and scaling.

Monitoring Networks with Network Watcher:

• Network Watcher: Provides tools for monitoring, diagnosing, and viewing network performance in Azure.

5. Manage Azure Security and Identity

Azure Security Center:

• Azure Security Center: Centralized security management system that provides threat detection, security recommendations, and vulnerability assessments for Azure resources.

Azure Key Vault:

• Azure Key Vault: A service to securely store secrets, keys, and certificates used by applications.

Azure Firewall and DDoS Protection:

1. Azure Firewall: Managed network security service that protects Azure resources from external and internal threats.
2. DDoS Protection: Provides automatic protection against Distributed Denial of Service (DDoS) attacks.

Azure Defender for Cloud:

• Azure Defender: Provides advanced threat protection across hybrid cloud workloads, including VMs, databases, containers, and more.

Microsoft Sentinel:

• Microsoft Sentinel: A cloud-native security information and event management (SIEM) system. Collects and analyzes security data across your environment.

Privileged Identity Management (PIM):

• PIM: Provides time-based and approval-based access to resources in Azure AD, reducing the risk of excessive, unnecessary permissions.

6. Monitor and Backup Azure Resources

Azure Monitor:

• Azure Monitor: A comprehensive monitoring solution for collecting, analyzing, and responding to telemetry data across Azure resources.

Log Analytics and Metrics:

1. Log Analytics: Centralized log management service for querying and analyzing log data from multiple sources.
2. Metrics: Numerical data measured over time for Azure services (e.g., CPU usage, memory consumption).

Azure Alerts and Action Groups:

1. Alerts: Notifications based on metrics or logs exceeding a certain threshold (e.g., VM CPU > 90%).
2. Action Groups: Define who gets notified or what action to take when an alert is triggered.

Backup with Azure Backup:

1. Azure Backup: Provides scalable and secure backup solutions for Azure VMs, SQL databases, and file shares.

Disaster Recovery with Azure Site Recovery:

• Azure Site Recovery (ASR): Automates disaster recovery by replicating VMs to a different region. Can be used for failover and failback during outages.

Azure Resource Health:

• Azure Resource Health: Provides information about the health of your resources, helping identify issues related to availability and performance.

7. Manage and Implement Cost Management

Azure Pricing Calculator:

• Azure Pricing Calculator: An online tool to estimate costs of different Azure services based on your expected usage.

Azure Cost Management and Budgets:

1. Cost Management: Helps you track, allocate, and optimize Azure spending.
2. Budgets: Set cost thresholds and receive alerts when you approach or exceed a defined budget.

Cost-Saving Strategies (Reservations, Auto-Scaling):

1. Reservations: Pre-purchase services like VMs for 1 or 3 years at a significant discount.
2. Auto-Scaling: Dynamically scale resources like VMs or App Services to meet demand, reducing costs during periods of low usage.

Tagging Resources for Cost Optimization:

• Tags: Apply tags (key-value pairs) to Azure resources to track usage by department, project, or cost center.

Azure Advisor Recommendations:

• Azure Advisor: Provides personalized best practice recommendations for improving cost-efficiency, security, performance, and reliability.

8. Automation and Infrastructure as Code (IaC)

Azure Resource Manager (ARM) Templates:

• ARM Templates: Declarative JSON-based files that define Azure resources for deployment. They allow consistent deployments and are often used in CI/CD pipelines.

Azure CLI and PowerShell:

1. Azure CLI: Command-line tool for managing Azure resources.
2. PowerShell: A scripting language for managing Azure resources and automating tasks.

Azure DevOps for Automation:

• Azure DevOps: Offers tools for CI/CD pipelines, version control (Azure Repos), and managing infrastructure as code deployments.

Terraform and Bicep:

1. Terraform: Open-source tool for defining infrastructure as code that can work across multiple cloud providers.
2. Bicep: A domain-specific language (DSL) for deploying Azure resources that simplifies ARM templates.

Automation with Azure Runbooks:

• Azure Runbooks: Automate recurring tasks and processes using PowerShell or Python scripts. Schedules can be applied to run runbooks automatically.

Azure Blueprints for Governance:

• Azure Blueprints: Define a repeatable set of Azure resources, policies, and role assignments to ensure compliance and consistency across your environment.

9. Conclusion

This notes includes comprehensive knowledge of identity management, governance, storage, compute resources, networking, security, and monitoring in Azure. Mastering these areas is critical for effective cloud resource management and optimizing an organization’s Azure environment.

Download Elysium Spark Note