Azure Database Services:
Azure Database Services are fully managed Paas database services. Azure database services are fully managed, freeing up valuable time you’d otherwise spend managing your database so you can focus on new ways to delight your users and unlock opportunities. Enterprise-grade performance with built-in high availability means you can scale quickly and reach global distribution without worrying about costly downtime.
- Cosmos Database:Azure Cosmos DB is a globally distributed database service. It supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data. You can use this feature to store data that is updated and maintained by users around the world. Azure Cosmos DB is Microsoft’s globally distributed, multi-model database service. With a click of a button, Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide. You can elastically scale throughput and storage, and take advantage of fast, single-digit-millisecond data access using your favorite API including SQL, MongoDB, Cassandra, Tables, or Gremlin. https://docs.microsoft.com/en-us/azure/cosmos-db/introduction
- SQL Database:
Azure SQL Database is a general-purpose relational database-as-a-service (DBaaS) based on the latest stable version of Microsoft SQL Server Database Engine. SQL Database is a high-performance, reliable, and secure cloud database that you can use to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure. It is a PaaS offering from Microsoft. https://docs.microsoft.com/en-us/azure/sql-database/
- Azure Database Migration Service:
Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime (online migrations). https://docs.microsoft.com/en-us/azure/dms/dms-overview
It is a service on Azure that connects Azure users with Microsoft partners, software vendors, and startups. Azure users can try and purchase apps and services from a lot of other service providers. These apps and services are certified to run on Azure.
The communication of internet-connected devices and identifying themselves to other devices is called IoT.
The Azure Internet of Things (IoT) is a collection of Microsoft-managed cloud services that connect, monitor and control billions of IoT assets. In simpler terms, an IoT solution is made up of one or more IoT devices and one or more back-end services running in the cloud that communicate with each other.
Azure SQL Data Warehouse:
SQL Data Warehouse is a cloud-based Enterprise Data Warehouse (EDW) that uses Massively Parallel Processing (MPP) to quickly run complex queries across petabytes of data. Use SQL Data Warehouse as a key component of a big data solution. Once data is stored in Data warehouse, you can run analytics at massive scale. Queries finish within seconds instead of hours.
HDInsight is a cloud service that makes it easy, fast, and cost-effective to process massive amounts of data. HDInsight also supports a broad range of scenarios, like extract, transform, and load (ETL); data warehousing; machine learning; and IoT.
Azure Data Lake Analytics:
Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it is running, making it cost-effective.
Azure Artificial Intelligence:
AI is the capability of a machine to imitate intelligent human behavior. Through AI, machines can analyze images, comprehend speech, interact in natural ways and make predictions using data.
Azure Machine Learning Service:
Azure Machine Learning service provides SDKs and services to quickly prep data, train, and deploy machine learning models. Improve productivity and costs with autoscaling compute & pipelines. Use these capabilities with open-source Python frameworks, such as PyTorch, TensorFlow, and scikit-learn.
Azure Machine Learning Studio:
Azure Machine Learning Studio is a collaborative, drag-and-drop tool for building, testing, and deploying predictive analytics solutions on your data. Tutorials, videos, and example models show you how to use Studio to build and deploy machine learning models.
Serverless Computing Solutions:
Serverless computing is the abstraction of servers, infrastructure, and operating systems. When you build serverless apps you don’t need to provision and manage any servers, so you can take your mind off infrastructure concerns. Serverless computing is driven by the reaction to events and triggers happening in near-real-time—in the cloud. As a fully managed service, server management and capacity planning are invisible to the developer and billing is based just on resources consumed or the actual time your code is running.
Serverless app runs only when an event is triggered. Scaling and performance are automatically handled.
When you’re concerned only about the code running your service, and not the underlying platform or infrastructure, Azure Functions are ideal. They’re commonly used when you need to perform work in response to an event, often via a REST request, timer, or message from another Azure service and when that work can be completed quickly, within seconds or less.
Azure Functions scale automatically based on demand, so they’re a solid choice when demand is variable. For example, you may be receiving messages from an IoT solution used to monitor a fleet of delivery vehicles. You’ll likely have more data arriving during business hours.
Using a VM-based approach, you’d incur costs even when the VM is idle. With functions, Azure runs your code when it’s triggered and automatically deallocates resources when the function is finished. In this model, you’re only charged for the CPU time used while your function runs.
Furthermore, Azure Functions can be either stateless (the default) where they behave as if they’re restarted every time they respond to an event), or stateful (called “Durable Functions”) where a context is passed through the function to track prior activity.
Azure Functions is a solution for easily running small pieces of code, or “functions,” in the cloud. You can write just the code you need for the problem at hand, without worrying about a whole application or the infrastructure to run it. Functions can make development even more productive, and you can use your development languages of choice, such as C#, F#, Node.js, Python, or PHP. Pay only for the time your code runs and Azure scales as needed.
Azure Logic Apps:
Azure Logic Apps provides a way to simplify and implement scalable integrations and workflows in the cloud. It provides a visual designer to model and automates your process as a series of steps called a workflow. There are many connectors across cloud and on-premises services to quickly connect a serverless app to other APIs. A logic app begins with a trigger (like ‘When an account is added to Dynamics CRM’) and after firing can begin many combinations of actions, conversions, and condition logic. Logic Apps is a great choice when orchestrating different Azure Functions in a process – especially when the process requires interacting with an external system or API.
Azure Logic Apps are similar to Functions – both enable you to trigger logic based on an event. Where Functions execute code, Logic Apps execute workflows built from predefined logic blocks. They are specifically designed to automate your business processes.
You create Logic App workflows using a visual designer on the Azure Portal or in Visual Studio. The workflows are persisted as a JSON file with a known workflow schema.
Azure provides over 200 different connectors and processing blocks to interact with different services – including most popular enterprise apps. You can also build custom connectors and workflow steps if the service you need to interact with isn’t covered. You then use the visual designer to link connectors and blocks together, passing data through the workflow to do custom processing – often all without writing any code.
As an example, let’s say a ticket arrives in ZenDesk. You could:
- Detect the intent of the message with cognitive services
- Create an item in Sharepoint to track the issue
- If the customer isn’t in your database, add them to your Dynamics 365 CRM system
- Send a follow-up email to acknowledge their request
All of that could be designed in a visual designer making it easy to see the logic flow which is ideal for a business analyst role.
Functions vs. Logic Apps:
Functions and Logic Apps can both create complex orchestrations. An orchestration is a collection of functions or steps, that are executed to accomplish a complex task. With Azure Functions, you write code to complete each step, with Logic Apps, you use a GUI to define the actions and how they relate to one another.
You can mix and match services when you build an orchestration, calling functions from logic apps and calling logic apps from functions. Here are some common differences between the two.
|State||Normally stateless, but Durable Functions provide state||Stateful|
|Development||Code-first (imperative)||Designer-first (declarative)|
|Connectivity||About a dozen built-in binding types, write code for custom bindings||Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors|
|Actions||Each activity is an Azure function; write code for activity functions||Large collection of ready-made actions|
|Monitoring||Azure Application Insights||Azure portal, Log Analytics|
|Management||REST API, Visual Studio||Azure portal, REST API, PowerShell, Visual Studio|
|Execution context||Can run locally or in the cloud||Runs only in the cloud.|
Azure Event Grid:
Azure Event Grid allows you to easily build applications with event-based architectures. First, select the Azure resource you would like to subscribe to, and then give the event handler or WebHook endpoint to send the event to. Event Grid has built-in support for events coming from Azure services, like storage blobs and resource groups. Event Grid also has support for your own events, using custom topics.
DevOps is a set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. The concept of DevOps is founded on building a culture of collaboration between teams that historically functioned in relative siloes. The promised benefits include increased trust, faster software releases, ability to solve critical issues quickly, and better manage unplanned work.
Azure DevOps (Formerly known as Visual Studio Team Services VSTS) provides development and collaboration tools for your DevOps environment.
Azure DevTest Labs:
Azure DevTest Labs enables developers on teams to efficiently self-manage virtual machines (VMs) and PaaS resources without waiting for approvals.
DevTest Labs creates labs consisting of pre-configured bases or Azure Resource Manager templates. These have all the necessary tools and software that you can use to create environments. You can create environments in a few minutes, as opposed to hours or days.
Azure Management Tools:
Using management tools you can access Azure resources.
Azure Portal is a website, https://portal.azure.com using which you can access all your azure resources from your browser. You can manage, deploy and delete resources as you like.
What is a blade?
The Azure portal uses a blades model for navigation. A blade is a slide-out panel containing the UI for a single level in a navigation sequence. For example, each of these elements in this sequence would be represented by a blade: Virtual machines > Compute > Ubuntu Server.
Each blade contains some information and configurable options. Some of these options generate another blade, which reveals itself to the right of any existing blade. On the new blade, any further configurable options will spawn another blade, and so on. Soon, you can end up with several blades open at the same time. You can maximize blades as well so that they fill the entire screen.
A dashboard is a customizable collection of UI tiles displayed in the Azure portal. You add, remove, and position tiles to create the exact view you want, and then save that view as a dashboard. Multiple dashboards are supported, and you can switch between them as needed. You can even share your dashboards with other team members.
Azure PowerShell provides a set of cmdlets that use the Azure Resource Manager model for managing your Azure resources. Azure PowerShell uses .NET Standard, making it available for Windows, macOS, and Linux. Azure PowerShell is also available on Azure Cloud Shell. Azure PowerShell is available as a module using which you can connect to your Azure resources and manage them from PowerShell console.
Azure CLI is a command-line tool using which you can connect to your Azure resources and manage them. It is available on Windows, Linux and MacOS.
Azure Cloud shell:
Azure Cloud Shell is an interactive, browser-based scripting environment for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work. Linux users can opt for a Bash experience, while Windows users can opt for PowerShell. It is accessible via URL, https://shell.azure.com.
Both environments support the Azure CLI and Azure PowerShell CLIs. Linux defaults to the Azure CLI (with the
azcommand pre-installed), but you can switch to PowerShell for Linux by typing
pwsh. The Windows-based environment has both CLI tools pre-installed. You can create, build, and deploy apps right from this browser-based environment. It’s all persistent as well – you’re prompted to create an Azure Storage Account when you access the Azure Cloud Shell. This storage area is used as your $HOME folder and any scripts or data you place here is kept across sessions. Each subscription has a unique storage account associated with it so you can keep the data and tools you need right for each account you manage.
Azure Mobile App:
The Microsoft Azure mobile app allows you to access, manage, and monitor all your Azure accounts and resources from your iOS or Android phone or tablet. Once installed, you can:
- Check the current status and important metrics of your services
- Stay informed with notifications and alerts about important health issues
- Quickly diagnose and fix issues anytime, anywhere
- Review the latest Azure alerts
- Start, stop, and restart virtual machines or web apps
- Connect to your virtual machines
- Manage permissions with role-based access control (RBAC)
- Use the Azure Cloud Shell to run saved scripts or perform ad hoc administrative tasks
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across those four areas. You can view recommendations in the portal or download them in PDF or CSV format.
With Advisor, you can:
- Get proactive, actionable, and personalized best practices recommendations.
- Improve the performance, security, and high availability of your resources, as you identify opportunities to reduce your overall Azure spend.
- Get recommendations with proposed actions inline.
You can access Advisor through the Azure portal. Sign in to the portal, locate Advisor in the navigation menu, or search for it in the All services menu. Azure Advisor provides security recommendations by integrating with azure security center.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.
Azure DDOS Protection:
A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Azure DDoS protection, combined with application design best practices, provide defense against DDoS attacks.
Azure Network Security Groups:
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Azure Active Directory:
Azure account is a globally unique entity that gives you access to your Azure subscriptions and services. Authentication for your account is performed using Azure Active Directory (Azure AD). Azure AD is a modern identity provider that supports multiple authentication protocols to secure applications and services in the cloud.
Azure AD is not the same as Windows Active Directory. Windows Active Directory is focused on securing Windows desktops and servers. In contrast, Azure AD is all about web-based authentication standards such as OpenID and OAuth.
Users, applications, and other entities registered in Azure AD aren’t all lumped into a single global service. Instead, Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization (a specific organization’s Active Directory instance is known as an “Active Directory Tenant”). When you sign up for a Microsoft cloud service subscription such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of Azure AD is automatically created for your organization.
When it comes to Azure AD tenants, there is no concrete definition of “organization” — tenants can be owned by individuals, teams, companies, or any other group of people. Tenants are commonly associated with companies. If you sign up for Azure with an email address that’s not associated with an existing tenant, the sign-up process will walk you through creating a tenant, owned entirely by you.
Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
Azure AD provides services such as:
- Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
- Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
- Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
- Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
- Device Management. Manage how your cloud or on-premises devices access your corporate data.
Along with a normal username and password, users are prompted to enter an additional MFA challenge to be completed in order to login to the application or a system. MFA delivers strong authentication via a range of easy verification options—a phone call, text message, or mobile app notification and one-time passwords—allowing users to choose the method they prefer. It can be used both on-premises and in the cloud to add security for accessing Microsoft online services, Azure Active Directory-connected SaaS applications, line of business applications, and remote access applications. In order to complete the authentication, you are requested to enter a username, password, and an MFA token. This completes the whole authentication process.
MFA works by requiring two or more of the following authentication methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
Azure Security Center:
Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:
- Provide security recommendations based on your configurations, resources, and networks.
- Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
- Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Azure Security Center is part of the Center for Internet Security (CIS) recommendations.
Azure Key Vault:
Cloud applications and services use cryptographic keys and secrets to help keep information secure. Azure Key Vault safeguards these keys and secrets. When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).
Key Vault helps solve the following problems:
- Secret management: Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Key management: Create and control encryption keys that encrypt your data.
- Certificate management: Provision, manage and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
- Store secrets backed by HSMs: Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.
Azure Information Protection:
Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. After your content is classified (and optionally protected), you can then track and control how it is used.
Azure Advanced Threat Protection (Azure ATP):
Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Azure ATP monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers then analyzes the data for attacks and threats. Utilizing profiling, deterministic detection, machine learning, and behavioral algorithms Azure ATP learns about your network, enables detection of anomalies, and warns you of suspicious activities.
Azure ATP Components
Azure ATP consists of the following components:
- Azure ATP portal
The Azure ATP portal (https://portal.atp.azure.com) allows the creation of your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment.
- Azure ATP sensor
Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
Azure ATP cloud service
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it’s enforced. And, it has a defined effect that takes place if the conditions are met.
In Azure Policy, we offer several built-in policies that are available by default. For example:
- Require SQL Server 12.0: Validates that all SQL servers use version 12.0. Its effect is to deny all servers that don’t meet these criteria.
- Allowed Storage Account SKUs: Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don’t adhere to the set of defined SKU sizes.
- Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny all resources that aren’t part of this defined list.
- Allowed Locations: Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
- Allowed Virtual Machine SKUs: Specifies a set of virtual machine SKUs that you can deploy.
- Apply tag and its default value: Applies a required tag and its default value if it’s not specified by the deploy request.
- Enforce tag and its value: Enforces a required tag and its value to a resource.
- Not allowed resource types: Prevents a list of resource types from being deployed.
To implement these policy definitions (both built-in and custom definitions), you’ll need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.
Azure Role Based access control:
Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC provides access to azure resources, enabling you to grant rights to users they need to complete their jobs.
RBAC is provided at no additional cost to all azure subscribers.
Here are some examples of what you can do with RBAC:
- Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
- Allow a DBA group to manage SQL databases in a subscription
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
- Allow an application to access all resources in a resource group
Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope. When planning your access control strategy, it’s a best practice to grant users the least privilege to get their work done.
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. Azure monitor starts collecting data as soon as you create azure subscription and start adding resources. Activity logs record when resources are created or modified and metrics display how the resource is performing.
Azure Service Health:
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues in Azure services affect you. Azure Service Health can notify you, help you understand the effect of an issue, and keep you updated as the issue resolves. Azure Service Health also can help you prepare for planned maintenance and changes that could affect the availability of your resources.
Azure Service Health is composed of:
- Azure status – A global view of the health of Azure services
- Service Health – A personalized view of the health of your Azure services in regions where you use them.
- Resource Health – A deeper view of the health of the individual resources provisioned to you by your Azure services
Azure Trust Center:
The Azure Security Information site on Azure.com gives you the information you need to plan, design, deploy, configure, and manage your cloud solutions securely. With the Microsoft Trust center, you also have the information you need to be confident that the Azure platform on which you run your services is secure. Trust Center is a website which contains information about how Microsoft implements security, privacy, compliance, and transparency in azure cloud products and services.
Azure Service Trust Portal (STP):
The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about Microsoft security, privacy and compliance practices. You can download audit reports given by external auditors and Microsoft authored reports that provides details on how Microsoft builds and operates its cloud services. You can access audit reports, compliance guides, trust documents, trust center from STP portal. To access some of the resources on the Service Trust Portal, you must log in as an authenticated user with your Microsoft cloud services account (either an Azure Active Directory organization account or a Microsoft Account) and review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials.
Azure Compliance Manager:
Compliance Manager, a workflow-based risk assessment tool in the Microsoft Service Trust Portal, enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Professional Services and Microsoft cloud services, such as Microsoft Office 365, Microsoft Dynamics 365, and Microsoft Azure.
Combines the detailed information provided by Microsoft to auditors and regulators as part of various third-party audits of Microsoft ‘s cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST) and information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU General Data Protection Regulation, or GDPR) with your own self-assessment of your organization’s compliance with these standards and regulations.
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals.
- Provides a Compliance Score to help you track your progress and prioritize the auditing controls that will help reduce your organization’s exposure to risk.
- Provides a secure repository for you to upload and manage evidence and other artifacts related to your compliance activities.
Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.
What is an Azure account?
An Azure account is tied to a specific identity and holds information like:
- Name, email, and contact preferences
- Billing information such as a credit card
An Azure account is what you use to sign in to the Azure website and administer or deploy services. Every Azure account is associated with one or more subscriptions.
What is an Azure subscription?
An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc.
Azure offers free and paid subscription options to suit different needs and requirements. The most commonly used subscriptions are:
- Free – An Azure free subscription includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free.
- Pay-As-You-Go – A Pay-As-You-Go (PAYG) subscription charges you monthly for the services you used in that billing period. This subscription type is appropriate for a wide range of users, from individuals to small businesses, and many large organizations as well.
- Enterprise Agreement – An Enterprise Agreement provides flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance. It’s targeted at enterprise-scale organizations.
- Student – An Azure for Students subscription includes $100 in Azure credits to be used within the first 12 months plus select free services without requiring a credit card at sign-up. You must verify your student status through your organizational email address.
Using multiple azure subscriptions:
You can create multiple subscriptions under a single Azure account. This is particularly useful for businesses because access control and billing occur at the subscription level, not the account level.
You can create separate subscriptions on your Azure account to reflect different organizational structures. For example, you could limit engineering to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription.
Subscriptions are also bound to some hard limitations. For example, the maximum number of Express Route circuits per subscription is 10. Those limits should be considered as you create subscriptions on your account. If there is a need to go over those limits in particular scenarios, then additional subscriptions may be needed.
One bill is generated for every Azure subscription on a monthly basis. The payment is charged automatically to the associated account credit or debit card within 10 days after the billing period ends. On your credit card statement, the line item would say MSFT Azure.
Subscriptions are billed independently, but the account owner is responsible for payment. In the case of “Pay-as-you-go” subscriptions, the account credit card will be charged for all associated subscriptions.
If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.
For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions, and resources under that management group by only allowing VMs to be created in that region.
Azure Purchase Options:
- Purchase directly from Azure:
- Purchase through the azure website – Using and purchasing directly through Azure website at regular price.
- add azure to enterprise agreement – enterprise customers sign agreement with Microsoft for a negotiated price.
- Cloud Service Provider – CSPs are Microsoft partner companies that customers hire to build solutions on azure. Payment is done for azure usage goes through customer csp.
When you create an Azure resource, Azure creates one or more meters for that resource. Meters track resources usage and each meter generates a usage record that is used to calculate your bill.
Service Level Agreement for Azure:
Microsoft maintains its commitment to providing customers with high-quality products and services by adhering to comprehensive operational policies, standards, and practices. Formal documents called Service-Level Agreements (SLAs) capture the specific terms that define the performance standards that apply to Azure.
- SLAs describe Microsoft’s commitment to providing Azure customers with specific performance standards.
- There are SLAs for individual Azure products and services.
- SLAs also specify what happens if a service or product fails to perform to a governing SLA’s specification.
Azure does not provide SLAs for most services under the Free or Shared tiers. Also, free products such as Azure Advisor do not typically have an SLA.
When combining SLAs across different service offerings, the resultant SLA is called a Composite SLA. The resulting composite SLA can provide higher or lower uptime values, depending on your application architecture.
Resiliency refers to a system’s ability to stay operational during abnormal conditions.
These conditions include:
- Natural disasters
- System maintenance, both planned and unplanned, including software updates and security patches.
- Spikes in traffic to your site
- Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks