Governance and Compliance Flashcards
Describe the Azure Architecture
- Azure is made up of datacenters around the globe, and datacenters are organized and made available in regions.
- Datacenters within a region are in close proximity and networked together with a low-latency network.
Azure is GA in 60+ regions and in 140 countries
Azure Region Definition
A geographical area on the planet containing at least one, but potentially multiple, datacenters.
Azure Regions - things to know (5)
- Azure has more global regions than any other cloud provider.
- Regions provide flexibility and scale needed by today’s demands.
- Regions preserve data residency, offer comprehensive compliance and resiliency options
- For most Azure services, you choose the region where you want your resource deployed.
- Exceptions: these global services do not require you to choose a region: Azure AD, Azure Traffic Manager, and Azure DNS.
- Each Azure region is paired with another region within the same geography, making a regional pair. The exception is Brazil South, paired with a region outside of its geography.
Azure Region Pairs - things to know (5)
- Physical isolation - Azure prefers 300 miles of separation between the datacenters of a pair - reduces the likelihood of natural disasters, civil unrest, power outages or physical network outages affecting both regions at once.
- Platform-provided replication
- Region recovery order - recovery of one region is prioritized out of every pair.
- Sequential updates - Planned Azure system updates are rolled out to paired regions sequentially.
- Data residency - helps meet data residency requirements for tax and law enforcement jurisdiction purposes.
Azure Subscription - Definition
A logical unit of Azure services that is linked to an Azure account. Billing for Azure services is done on a per-subscription basis.
Azure Subscription - Use Cases (5)
- Help you organize access to cloud resources (e.g. prod vs dev resources)
- Help you control how resource usage is reported, billed, and paid for
- Each subscription can have a different billing and payment setup, e.g., you can have different subscriptions by department, project, regional office, and so on.
- Every service belongs to a subscription
- Subscription IDs may be required for programmatic operations.
How to get an Azure Subscription (4 Options)
- Enterprise Agreement
- Customers with an EA can add Azure to their agreement by making an upfront monetary commitment to Azure. That commitment is consumed throughout the year by using any combination of cloud services Azure offers. EAs have a 99.95% monthly SLA.
- Reseller
- Through the Open Licensing program, a flexible way to purchase cloud services from your Microsoft reseller.
- Partners
- Find a Microsoft partner who can design and implement your Azure cloud solution.
- Personal
- Free trial account.
Azure Subscription Usage (4 Types)
- Free
- Includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free. Excellent for new users.
- Pay-as-you-go
- Charges you monthly for the services you used in that billing period.
- Enterprise Agreement
- Flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and SA. Targeted at enterprise-scale orgs.
- Student
- Includes $100 credits to be used within first 12 months plus select free services without requiring a credit card to sign up. Must verify student status through organizational email address.
Azure Resource Tags - Definition
You can apply tags to your Azure resources to logically organize them by category. Tags are key-value pairs.
What is Azure Cost Management
Helps you monitor, control, and optimize Azure spending.
Plan and control expenses by performing: cost analysis, budgets, recommendations, and exporting cost management data.
Azure Cost Savings Opportunities (5)
- Reservations
- Save money by paying ahead of time. You can pay for 1 year or 3 years of VM, SQL DB, Azure Cosmos DB, or other resource costs, saving up to 72% compared with pay-as-you-go prices. Reservations provide a billing discount and don't affect the runtime state of your resources.
- Azure Hybrid Benefits
- Pricing benefit for customers who have licenses with Software Assurance. It helps maximize the value of existing on-premises Windows Server or SQL Server license investments when migrating to Azure. There's an Azure Hybrid Benefit Savings Calculator out there.
- Azure Credits
- Monthly credit benefit, e.g., Visual Studio subscribers get an Azure credit to make Azure their personal sandbox for dev/test.
- Budgets
- Can be set up to help you plan for and drive organizational accountability.
- Pricing Calculator
What is Azure Policy?
A service in Azure to create, assign, and manage policies to enforce rules over your resources to help ensure those resources stay compliant with your corporate standards and SLAs. Azure Policy runs evaluations and scans for resources that are not compliant.
Azure Policy - Advantages and Use Cases
Advantage: Enforcement and compliance implementation, scaling, and remediation
Good when you need to govern:
- Multiple engineering teams that will deploy and manage the environment
- Multiple subscriptions
- Need to standardize/enforce how cloud resources are configured.
- Manage regulatory compliance, cost control, security, or design consistency.
Use Cases:
- Specify the resource types that your organization can deploy
- Specify a set of virtual machine SKUs that your organization can deploy
- Restrict the locations your organization can specify when deploying resources.
- Enforce a required tag and its value
- Audit if Azure Backup service is enabled for all Virtual machines
Define Azure Policy Components (4)
- Browse Policy Definitions - a policy definition expresses what to evaluate and what action to take
- There are a lot of built-in policy definitions
- You can create a new policy, and even import a policy definition from GitHub.
- Create Initiative Definition - a set of policy definitions to help track your compliance state for a larger goal, e.g. making a branch office compliant.
- Scope the Initiative Definition - limit the scope to a management group, subscription, or resource group
- View Policy Evaluation Results - are the existing resources compliant with your created policy?
- You determine compliance in the Compliance blade to review non-compliant initiatives, policies, and resources. Evaluation happens about once per hour.
Define Azure Role-Based Access Control (RBAC)
RBAC (an authorization and least-privileged access feature) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
- It is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.
- Follows the least-privilege principle - you can segregate duties within your team and grant users only the amount of access they need to perform their jobs.
Roles are a set of properties defined in a JSON file.