part 3 Flashcards
Azure preview portal
Beta / pre-release features. New features can be tested before general release via preview.portal.azure.com
Powershell
Command-line shell and scripting language. Task automation and configuration management framework built on top of the .NET Common Language Runtime. Accepts and returns .NET objects rather than text, which makes scripting easier.
Azure Cloud Shell
Interactive, authenticated, browser-accessible shell for managing Azure resources. Choose either Bash or PowerShell.
Azure CLI
Command-line interface - processes commands to a computer program in the form of lines of text; the OS implements a CLI in a shell or terminal. Azure CLI can be installed on Windows, macOS and Linux; every command starts with az (e.g. az login, az group list).
Azure Trust Center
Public-facing web portal providing easy access to privacy, security and regulatory compliance information.
Compliance programs
Compliance programmes businesses may need Azure to meet:
NIST 800-53 - US federal catalogue of security and privacy controls for information systems, mandatory for US federal agencies under FISMA (the voluntary risk-management framework is the separate NIST Cybersecurity Framework)
UK Government G-Cloud - cloud computing certification for services used by government entities in the UK
PIPEDA - Canada's federal private-sector privacy law (Personal Information Protection and Electronic Documents Act)
HIPAA - US federal law regulating patients' protected health information
FIPS 140-2 - US/Canadian government standard specifying security requirements for cryptographic modules protecting sensitive information
CJIS (Criminal Justice Information Services) - any US state or local agency that wants to access the FBI's CJIS database must adhere to the CJIS security policy
CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry) - independent third-party assessment of a cloud provider's security
GDPR - EU General Data Protection Regulation governing the processing of EU residents' personal data
EU model clauses - contractual guarantees around the transfer of personal data outside the EU
ISO/IEC 27018 - code of practice for the protection of personal information processed by cloud service providers
IDA - standard addressing customer concerns about the security and confidentiality of cloud data
SOC 1, 2, 3 - independent third-party examination reports demonstrating how a company achieves its compliance controls and objectives
Azure AD
Cloud-based identity and access management service. Helps employees sign in and access resources, e.g. the Azure portal, Office 365, SaaS apps, internal apps on the corporate network and on-premises workstations.
- Free - MFA, SSO, user management, usage reports
- Office 365 Apps - company branding, SLA etc.
- Premium P1 - hybrid architecture (on-premises directory sync), advanced group management, conditional access
- Premium P2 - identity protection, identity governance (Privileged Identity Management, access reviews)
Azure Security Center
Unified infrastructure security management system that provides advanced threat protection across hybrid workloads, in the cloud and on-premises (since renamed Microsoft Defender for Cloud).
Key Vault
Helps safeguard cryptographic keys and secrets used by cloud apps and services.
Secrets management: store and tightly control access to tokens, passwords, certificates, API keys etc.
Key management: create and control the encryption keys used to encrypt data
Certificate management: provision, manage and deploy public and private SSL/TLS certificates for use with Azure and internal connected resources
Hardware security module: secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs
HSM
Hardware security module - tamper-resistant hardware designed to generate, store and use cryptographic keys so that key material never leaves the device in plaintext; HSMs are built to zeroise their keys if tampering is detected.
Multitenant HSMs - multiple customers virtually isolated on a shared HSM (e.g. Key Vault premium, FIPS 140-2 Level 2 validated)
Single-tenant HSMs - one customer on a dedicated HSM (e.g. Azure Dedicated HSM, Managed HSM; FIPS 140-2 Level 3 validated)
DDOS
Distributed denial-of-service attack - maliciously disrupts normal traffic by flooding a target with large volumes of traffic from many sources.
Azure has built-in DDoS protection.
Two tiers of DDoS protection from Azure:
DDoS Protection Basic: free, always on, protects the Azure platform's global network
DDoS Protection Standard: starting at $2,994/mo; adds metrics, alerts, reporting, DDoS expert support, an SLA guarantee and cost protection (credits for resource scale-out costs incurred during a documented attack)
Azure firewall
Managed, cloud-based network security service that protects Azure virtual network resources. Typically deployed in a hub VNet that sits between the spoke VNets containing VMs (and the internet) and decides which traffic may pass through.
Azure firewall features
Centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks.
Uses a static public IP address for your virtual network resources, so outside firewalls can identify traffic originating from your virtual network.
Built-in high availability - no load balancers required.
Can be configured during deployment to span multiple availability zones for increased availability.
No additional cost for a firewall deployed in an availability zone.
Azure info protection (AIP)
Protects sensitive information such as emails and documents with encryption, restricted access and usage rights, and integrates with Office apps.
Azure app gateway
A layer-7 (HTTP/HTTPS) web-traffic load balancer that routes requests based on rules, e.g. URL path or host header, including security rules. A WAF (web application firewall) can be attached for additional OSI layer-7 protection against common web exploits.
IDS/IPS
Intrusion detection system + intrusion prevention system
- Device or software application that monitors a network or systems for malicious activity or policy violations. An IDS detects and alerts; an IPS sits inline and also blocks the traffic.
ATP (Azure Advanced Threat Protection)
Cloud-based security solution that uses your on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions directed at the organisation (since renamed Microsoft Defender for Identity).
Microsoft Security Development Lifecycle (SDL)
Industry-leading software security assurance process.
Microsoft-wide initiative and mandatory policy since 2004.
Plays a critical role in embedding security and privacy in Microsoft software and culture.
Building security into each phase of the development lifecycle helps catch issues early and reduces development costs.
Phases: training, requirements, design, implementation, verification, release, response
Azure policy
Service used to create, assign and manage policies that enforce or control the properties of resources (e.g. allowed locations, required tags).
Evaluates resources by comparing their properties to business rules called policy definitions; when a definition's "if" condition matches, its effect (e.g. audit, deny) is applied.
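The evaluation described above, as an added example (not Azure's own code): a miniature evaluator that applies policy definitions written in the same "if"/"then" JSON shape Azure Policy uses (field, equals, in, notIn, exists, allOf, anyOf, not). The two definitions, the resource documents and all names in it are constructed for illustration.

```python
"""Miniature Azure Policy evaluator: an added example, not Azure's own code.
The "if"/"then" rule shape and the field/equals/in/notIn/exists and
allOf/anyOf/not operators mirror policy definition JSON; the definitions,
resources and names below are constructed for illustration."""

# Constructed definition: deny anything deployed outside the UK regions.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"not": {"field": "location", "in": ["uksouth", "ukwest"]}},
        "then": {"effect": "deny"},
    },
}

# Constructed definition: flag VMs that are missing an owner tag.
REQUIRE_OWNER_TAG = {
    "name": "require-owner-tag",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "tags.owner", "exists": "false"},
        ]},
        "then": {"effect": "audit"},
    },
}

DEFINITIONS = [ALLOWED_LOCATIONS, REQUIRE_OWNER_TAG]


def get_field(resource, path):
    """Resolve a dotted field path such as tags.owner; missing -> None."""
    value = resource
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def matches(condition, resource):
    """True when a policy condition matches the resource properties."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:  # Azure writes the flag as the string "true"/"false"
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, definitions=DEFINITIONS):
    """Map policy name -> effect for every definition whose 'if' matches."""
    return {d["name"]: d["policyRule"]["then"]["effect"]
            for d in definitions if matches(d["policyRule"]["if"], resource)}


def is_denied(resource, definitions=DEFINITIONS):
    """A deployment request is rejected if any matching policy has effect deny."""
    return "deny" in evaluate(resource, definitions).values()


# Constructed sample resources as a deployment request would present them.
VM_WEST_EUROPE = {"type": "Microsoft.Compute/virtualMachines",
                  "location": "westeurope", "tags": {}}
VM_UK_SOUTH = {"type": "Microsoft.Compute/virtualMachines",
               "location": "uksouth", "tags": {"owner": "alice"}}

if __name__ == "__main__":
    for vm in (VM_WEST_EUROPE, VM_UK_SOUTH):
        print(vm["location"], evaluate(vm), "denied" if is_denied(vm) else "allowed")
```

The West Europe VM trips both rules (deny on location, audit on the missing tag) and is rejected; the tagged UK South VM matches nothing and deploys. Note that deny evaluates at request time, while audit only records non-compliance.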
RBAC
Role-based access control - manages who has access to Azure resources, what they can do with them and which scopes they can reach.
A role assignment consists of three elements:
security principal + scope + role definition
Security principal - the identity requesting access to an Azure resource: user, group, service principal or managed identity (an identity in Azure AD automatically managed by Azure)
Scope - the set of resources the role assignment applies to: management group, subscription, resource group or individual resource. Assignments are inherited by every child scope.
Role definition - a collection of permissions (actions such as read, write, delete, plus NotActions that are excluded). Roles can be broad like Owner or specific like a VM reader
Fundamental built-in roles
Owner - full access: read, create, update, delete and grant access to others
Contributor - read, create, update, delete, but cannot grant access to others
Reader - read only
User Access Administrator - manage user access (grant access) to Azure resources
Lock resources
Admins can lock subscriptions, resource groups or resources to prevent users from accidentally deleting or modifying critical resources. Locks apply regardless of RBAC role (even to Owners) and are inherited by child resources.
- CanNotDelete - can read and modify but not delete the resource
- ReadOnly - can read but not update or delete the resource
Management groups
Organise multiple subscriptions into a hierarchical structure.
Each directory is given a single top-level management group (the root).
Subscriptions inherit the policies and role assignments applied to their parent management groups.
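The three RBAC cards, the lock card and the management group card above describe one access decision: a role assignment at some scope grants an action to a principal (directly or via group), it is inherited down the management group / subscription / resource group / resource tree, and a lock can still block the change. This added example (my own toy model, not Azure's implementation) puts that together. The role definitions copy the Actions/NotActions shape of the built-in roles; the scope tree, group membership, assignments, locks and every name are constructed for illustration.

```python
"""Toy evaluator for Azure RBAC with scope inheritance and resource locks.
Added example, not Azure's implementation: the role definitions copy the
Actions/NotActions shape of the built-in roles, while the scope tree,
group membership, assignments and locks are constructed for illustration."""
from fnmatch import fnmatchcase

# Built-in roles expressed as Azure does: Actions minus NotActions, '*' wildcards.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "notActions": []},
}

# Constructed scope tree: management group -> subscription -> resource group -> resource.
MG_ROOT = "/providers/Microsoft.Management/managementGroups/root"
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/sub-1"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
PARENT = {MG_CORP: MG_ROOT, SUB: MG_CORP, RG: SUB, VM: RG}

GROUPS = {"sec-ops": {"alice"}}            # constructed group membership
ASSIGNMENTS = [                            # (principal, role, scope)
    ("sec-ops", "Reader", MG_CORP),        # inherited by every subscription under corp
    ("bob", "Contributor", SUB),
    ("carol", "Owner", RG),
]


def ancestors(scope):
    """The scope itself and every parent up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def identities(principal):
    """A request is made as the user plus every group the user belongs to."""
    return {principal} | {g for g, members in GROUPS.items() if principal in members}


def role_grants(role, action):
    """Case-insensitive wildcard match: allowed by Actions and not excluded by NotActions."""
    act = action.lower()
    in_actions = any(fnmatchcase(act, p.lower()) for p in ROLES[role]["actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in ROLES[role]["notActions"])
    return in_actions and not excluded


def rbac_allows(principal, action, scope, assignments=ASSIGNMENTS):
    """Deny by default; allow if any assignment at this scope or an ancestor grants the action."""
    ids, covering = identities(principal), set(ancestors(scope))
    return any(p in ids and s in covering and role_grants(r, action)
               for p, r, s in assignments)


def lock_blocks(action, scope, locks):
    """Locks override RBAC: CanNotDelete stops deletes, ReadOnly stops any change."""
    act = action.lower()
    if act.endswith("/read"):
        return False
    for s in ancestors(scope):             # locks are inherited by child scopes
        level = locks.get(s)
        if level == "ReadOnly" or (level == "CanNotDelete" and act.endswith("/delete")):
            return True
    return False


def allowed(principal, action, scope, assignments=ASSIGNMENTS, locks=None):
    """Final decision: an RBAC grant that no lock overrides."""
    return (rbac_allows(principal, action, scope, assignments)
            and not lock_blocks(action, scope, locks or {}))


if __name__ == "__main__":
    vm_delete = "Microsoft.Compute/virtualMachines/delete"
    print("bob deletes VM:", allowed("bob", vm_delete, VM))
    print("bob deletes VM with RG locked:", allowed("bob", vm_delete, VM, locks={RG: "CanNotDelete"}))
    print("alice reads VM via group at management group:",
          allowed("alice", "Microsoft.Compute/virtualMachines/read", VM))
```

Points worth noticing: Contributor's "*" still cannot write role assignments because NotActions subtracts them; carol's Owner role at the resource group says nothing about the subscription above it; and a CanNotDelete lock on the resource group stops bob's delete while leaving his writes alone.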
Azure monitor
Comprehensive solution for collecting, analysing and acting on telemetry from your cloud and on-premises environments.
- Visual dashboards, smart alerts, automated actions, log monitoring
Service health
Information about current and upcoming issues, e.g. service-impacting events, planned maintenance and other changes that may affect availability.
- Azure status: informs of service outages across Azure
- Azure service health: personalised view of the health of the Azure services and regions you're using
- Azure resource health: information about the health of your individual cloud resources, e.g. a VM
Azure advisor
Personalised cloud consultant that helps you follow best practices to optimise your Azure deployments.
Displays personalised recommendations for your subscriptions in 5 categories: reliability (high availability), security, performance, cost and operational excellence
Service level agreements (SLA)
Azure's commitments for uptime and connectivity, individualised per Azure service.
Uptime and connectivity are described as performance targets.
Represented as a percentage (99% = 2 nines, 99.9% = 3 nines, etc.)
Not provided on free or shared tiers
Service credits
Customers may have a discount applied to their Azure bill as compensation for an Azure product or service that underperformed its SLA. Typical tiers:
Monthly uptime < 99.9% = service credit 10%
Monthly uptime < 99% = service credit 25%
Monthly uptime < 95% = service credit 100%
Composite SLAs
Different services have different SLAs.
Composite SLA - combining the SLAs of the different service offerings a solution depends on, e.g. a web app's SLA is the product of its components' SLAs, so chaining dependencies lowers the overall figure.
Fallback systems (redundant, independent paths) improve the overall SLA.
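The SLA, service credit and composite SLA cards above are arithmetic, so here it is carried through as an added example (not part of the original notes): series dependencies multiply availabilities, an independent fallback multiplies the downtimes instead, and the credit tiers are the ones quoted above. The component percentages and the 30-day month are illustrative assumptions, not any published SLA.

```python
"""SLA arithmetic for composite availability, plus the service-credit tiers
quoted in the flashcards. Added example, not from the original notes; the
component percentages and the 30-day month are illustrative assumptions."""

MINUTES_PER_MONTH = 30 * 24 * 60   # 43,200; assume a 30-day month


def series(*availabilities):
    """Availability of a chain in which every component must be up:
    multiply the individual availabilities (given in percent)."""
    total = 1.0
    for a in availabilities:
        total *= a / 100
    return total * 100


def parallel(*availabilities):
    """Availability when any one of several independent fallbacks suffices:
    everything is down only if all of them are, so multiply the downtimes."""
    all_down = 1.0
    for a in availabilities:
        all_down *= 1 - a / 100
    return (1 - all_down) * 100


def monthly_downtime_minutes(availability):
    """Permitted downtime per month implied by an availability percentage."""
    return MINUTES_PER_MONTH * (1 - availability / 100)


def nines(availability):
    """Count the leading nines: 99 -> 2, 99.9 -> 3, 99.95 -> 3, 99.99 -> 4."""
    count = 0
    for ch in f"{availability:.6f}":
        if ch == "9":
            count += 1
        elif ch != ".":
            break
    return count


def service_credit(monthly_uptime):
    """Credit percentage for the uptime tiers quoted in the flashcards."""
    if monthly_uptime < 95:
        return 100
    if monthly_uptime < 99:
        return 25
    if monthly_uptime < 99.9:
        return 10
    return 0


def web_app_composite():
    """Constructed three-tier web app: gateway -> app service -> database in series.
    Each component individually beats 99.9%, but the chain does not."""
    return series(99.95, 99.95, 99.99)


def web_app_with_fallback():
    """Same app with an independent fallback path assumed to be 99.9% available."""
    return parallel(web_app_composite(), 99.9)


if __name__ == "__main__":
    composite = web_app_composite()
    print(f"series:   {composite:.4f}% ({nines(composite)} nines, "
          f"{monthly_downtime_minutes(composite):.1f} min/month allowed)")
    print(f"parallel: {web_app_with_fallback():.5f}%")
    print("credit if the month came in at 98.5% uptime:", service_credit(98.5), "%")
```

Three components that each promise 99.95% or better still combine to about 99.89%, i.e. only two nines; adding an independent fallback path lifts the same design to roughly 99.9999%. That is the whole reason the cards say fallback systems improve the overall SLA.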
TCO calculator
Estimates the cost savings from migrating workloads to Azure.
Generates a detailed report that can be exported as a PDF to send to decision makers.
azure.microsoft.com/pricing/tco/calculator (the separate pricing calculator is at azure.microsoft.com/pricing/calculator)
Azure Marketplace
Apps and services from third-party publishers to help you get started quickly. Can be free, free trial, pay-as-you-go or bring-your-own-licence
Azure support
- Basic, Developer, Standard, Professional Direct, Enterprise
Basic: email support only for billing and account issues, $0/mo
Developer: email technical support during business hours, third-party software support, minimal business impact (Sev C) response < 8 hours, general architecture guidance, $29/mo
Standard: 24/7 phone support, third-party software support, Sev C response < 8 hours, Sev B < 4 hours, Sev A < 1 hour, general architecture guidance, $100/mo
Professional Direct: 24/7 phone support, third-party software support, Sev C response < 4 hours, Sev B < 2 hours, Sev A < 1 hour, proactive guidance from ProDirect delivery managers, webinars by Azure engineers, $1000/mo
Azure Hybrid (use) Benefit (HUB)
Customers who have invested in Windows Server or SQL Server licences (with active Software Assurance) and want to reuse that investment on Azure
Gives the customer the right to use those licences for VMs on Azure (Windows Server, SQL Server) and pay only the base compute rate
HUB can be turned on and off at any time for existing VMs
HUB can be applied at deployment time for new VMs
(BYOL) bring your own licence
Subscriptions
4 tiers: Free ($200 USD credit for 30 days, certain products free for 12 months)
Pay-as-you-go (PAYG): charged at the end of the month based on consumed cloud resources
Enterprise Agreement: the organisation commits to Azure spend in exchange for discounted prices on licences and cloud services
Student subscription: $100 USD credit for 12 months; needs a student email, no credit card required
Azure pricing calc
Configure and estimate costs for Azure products; the estimate can be exported as an Excel spreadsheet.
Azure cost management
Perform cost analysis and visualise spending on Azure cloud resources.
Create budgets and set budget thresholds to be alerted when spending approaches or exceeds them.