Azure Active Directory (Azure AD) is the foundation of your cloud identity and the security perimeter for all of your Microsoft online services, including Office 365.
Using Azure AD Connect, you can extend your on-premises Active Directory forest and domains into the Microsoft online ecosystem. Once established, users within the organisation can authenticate to applicable online services using seamless single sign-on, federated authentication or pass-through authentication. Azure AD is available under four licensing models:
Azure Domain Services are a way to provide identity and authentication services to your services and applications using the same underlying infrastructure as traditional Domain Controller Services.
Azure Domain Services differ from Azure Active Directory in that you gain the functionality of a traditional Domain Controller such as:
The major benefit of using Azure Domain Services is that you do not need to manage the underlying infrastructure for identity services supporting applications that cannot leverage cloud authentication services such as Azure Active Directory or Key Vault directly.
Monitoring the health of critical identity infrastructure is paramount and Azure Active Directory Connect Health is a key part of the complete monitoring picture.
Managing and monitoring the sync or federation status for on-premises directories to Azure Active Directory will ensure that your identities are always available and up-to-date with the latest changes. Connect Health assists with this management by monitoring the end-to-end health of your sync infrastructure and providing alerts for action.
Connect Health's alerting and reporting capability uses an agent-based method for ADFS and ADFS Web Application Proxy hosts, which provides key metrics and alerts for federation, along with native support built into the Azure Active Directory Connect service.
Connect Health is available if you are licensed for Azure Active Directory Premium Plan 1 or 2, and is essential for the overall health of your Azure Active Directory enabled users.
Azure Cognitive Services (Decision) is a collection of application programming interfaces (APIs) that enable developers to easily add decision-making and recommendation capability to applications. The three APIs in this grouping are:
Azure Cognitive Services (Language) is a collection of application programming interfaces (APIs) that enable developers to easily add understanding of unstructured text and natural language to applications. The five APIs in this grouping are:
Azure business-to-business (B2B) is a secure collaboration method for sharing applications, services and data between organisations.
Azure B2B allows you to invite external users into your Azure AD tenant as a guest using a simple enrolment and invitation service. The third party does not need to be within an Azure AD tenant and you do not need to manage the credentials for the individual.
Once an individual has been invited into your Azure AD tenant, you can allocate access to resources as appropriate. You can also apply Conditional Access policies to further protect and enhance the security posture for the invited user.
Azure B2C, also known as Azure Active Directory B2C, is a business-to-consumer identity management service. It enables an organisation to manage and control customer sign-up, sign-in and profile management when customers use its applications, all while protecting the customer's identity.
Azure B2C supports modern authentication protocols (such as OpenID and OAuth 2.0), as well as third party identity providers such as Facebook, Amazon or a Microsoft consumer account.
Using Azure B2C enables an organisation to provide a branded registration and login experience. It also allows customers to authenticate with their preferred identity provider, while providing captured login, preference and conversion data for customers.
Azure Multi Factor Authentication (MFA) provides a secure authentication mechanism that makes it significantly harder for attackers to compromise your resources, services or applications. Multi-factor authentication is one of the most effective controls an organisation can implement to prevent attackers from breaching systems and accessing sensitive information.
Multi-factor authentication is part of the following offerings:
Azure Stack is a suite of on-premises hardware products that allow for the consumption of key Azure services locally. Azure Stack Hub is a fully managed Azure compute and service fabric offering a subset of Azure services, such as Virtual Machines, Web Applications and database as a service.
Azure Stack enables customers to keep workloads on-premises and seamlessly move them to the Azure public cloud as needed. The software is proprietary and is purchased exclusively as an integrated system from hardware vendors such as Cisco, Dell, HPE and Lenovo.
Common to both Azure and Azure Stack Hub are the underlying architecture, management portal, and application model and development tools. Both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models are supported and you can use the same deployment tools for either Azure Stack Hub or Azure.
Azure Stack Hub addresses business and technical considerations such as regulation, data sovereignty, low latency, customisation and cloud costs. Its main use case is for software development that may be cheaper to develop on-premises and move to the cloud once ready for production.
Azure Stack Edge is a single compute unit providing on-premises processing of data, including a subset of AI analytics, prior to streaming to Azure.
Azure Container Service allows you to deploy container orchestration tools such as Kubernetes, Docker Swarm and Distributed Cloud Operating System (DC/OS) - which is based on Apache Mesos. Kubernetes is Microsoft's preferred container orchestration solution.
Containerisation is the evolution of virtualisation. Containers allow multiple applications or services to run in isolation on a single host and still access the same OS kernel.
The objective of a Virtual Machine Availability Set is to reduce the risk of its member virtual machines being unavailable at the same time. It provides a mechanism to ensure servers performing similar or the same roles are running in separate fault and update domains.
For example, if you have an application that load balances client connections across two web servers, when you provision the servers you would add both to the same Availability Set. This ensures the two servers are not placed in the same fault domain or update domain. An additional advantage of using Availability Sets is that Microsoft guarantees connectivity to at least one of the virtual machines 99.99% of the time. Availability Zones are an alternative: in the example above, an Availability Zone would ensure that one of the two web servers remains available even in the event of a data centre outage within an Azure region.
Azure Management Groups allow the grouping of one or more subscriptions and other management groups to facilitate their management and governance.
As subscriptions are in a single group, you can apply policies at the management group level which will flow down to all member subscriptions. As an example, you could create a hierarchy of Management Groups each with multiple subscriptions based on company departments. Then you could apply policies and permissions which are specific for the company at the root level which would flow down to all other Management Groups and subscriptions. Policies and permissions which are department specific would be applied to Management Groups lower in the hierarchy.
Azure Arc is an infrastructure management service that supports complex distributed environments. The service extends Azure management, and Azure data services, to Kubernetes clusters running on-premises, at the edge and in other clouds.
Azure Arc supports centralised and consistent practices by applying Azure policies to on-premises resources. Azure Arc enabled data services protect data workloads with Azure Security Center using Advanced Threat Protection and Vulnerability Assessment. Services provisioned and protected by Arc can be managed natively from the Azure Portal regardless of where they are hosted.
Arc is currently in preview and supports Windows, Linux, Kubernetes, SQL, Web Apps and PostgreSQL with other service types on-boarding. Due to the preview nature, Arc is currently provided at no cost.
Azure Automation is a cloud-based orchestration service for the automated management of Azure and non-Azure environments. It provides dependable and consistent workflows for provisioning, operating and decommissioning workloads and resources.
The key capabilities of Azure Automation are:
Azure Event Grid is a service that can receive notifications from Azure services and applications when state changes occur and route those events to another destination.
Historically, an event subscriber service would poll an event publisher for events, which consumed compute resources even when nothing had changed. With Azure Event Grid, events from the source are pushed to the Event Grid service, where they are routed to the subscriber or the service that needs to consume that event. This means compute and network resources are only used when there is an actionable event.
This ability to connect data sources and event handlers enables developers to build scalable serverless applications, get near-real-time notifications, have fully managed event delivery, speed up automation and seamlessly connect their applications to other Azure services.
Azure Stream Analytics is a powerful real-time event processing engine that can process and analyse massive amounts of data from multiple sources simultaneously. The power of Stream Analytics means patterns and data relationships can be identified from IoT devices, social media feeds, clickstreams and applications. Workflows can be designed to be initiated after identified patterns are triggered, initiating reports, alerting or capturing of the data for later analysis.
Azure Stream Analytics is ideal for the following scenarios:
The notifications you see in the Microsoft Authenticator app from Azure Multi-Factor Authentication (MFA) come from Azure Notification Hubs. Azure Notification Hubs allow you to send notifications to mobile devices on a massive scale. It can be connected to any back-end platform and supports all major push notification services, including Apple Push Notification service (APNs).
Azure Logic Apps provide a serverless process and workflow engine, allowing complex data processing and integration tasks using a no-code graphical user interface.
Using the same engine as Microsoft Flow, Azure Logic Apps is aimed at the enterprise and developer market, rather than the business-centric "citizen developer" interface that Flow provides. Unlike Flow, Azure Logic Apps can be developed and deployed using Visual Studio, and testing and source control can be provided through Azure DevOps.
Featuring over 200 connectors, Azure Logic Apps can integrate with standardised web technologies such as REST, as well as many first and third-party proprietary platforms such as SQL, Office 365, SharePoint, Dynamics 365, Twitter, SalesForce, Google services and other Azure services. On-premises data can also be integrated in a secure manner by using the on-premises Data Gateway, allowing Logic Apps to integrate with platforms such as BizTalk, SQL Server and Oracle.
Azure's Platform as a Service (PaaS) offering deploys Web Apps fast with built-in high availability and scalability. Scale up your app automatically, vertically or horizontally, at peak times and scale down when the extra resources are no longer required.
Web Apps are easy to troubleshoot with remote debugging. You can also gain instant insights into your App from Azure Monitor and Application Insights. Furthermore, it provides integration with source control tools such as GitHub, BitBucket and Azure DevOps which allows the automation of your App deployment with CI/CD pipelines. Plus you can leverage the built-in Azure Active Directory (AD) integration to provide SSO with all SaaS applications federated with Azure AD, or use major identity providers such as Google and Facebook as an identity source.
If you are consuming platform and serverless workloads, you may reach a tipping point where multiple applications fill your All Resources view with content.
The Application Service Environment (ASE) allows for application/API and data platform consolidation, while providing key benefits such as: SSL support for individual applications, private VNet hosting support, native Layer 7 load balancing, development cycle switching, testing in production, stress testing, rich application code inspection and insights. The ASE is available in multiple offerings that allow you to select the most appropriate hosting platform for your needs.
If you are serious about hosting modern business systems then the ASE should be considered for its many benefits and unparalleled scaling capability.
Azure Cognitive Services (Search) is a collection of application programming interfaces (APIs) that enable developers to easily add powerful ad-free search engine capabilities to applications.
Leveraging the web-scale power of Bing, search can be performed across web pages, images, videos and news. The ten APIs in this grouping are:
Azure Cognitive Services (Vision) is a collection of application programming interfaces (APIs) that enable developers to easily add image recognition, classification, facial detection, video analysis, document content extraction and handwriting recognition to applications. The six APIs in this grouping are:
A work account is an extension of your current on-premises credentials into Azure Active Directory (AD). Utilising Azure AD Connect you can federate or synchronise your existing accounts into Azure. Work accounts offer significant sign-on benefits, such as seamless single sign-on for Microsoft hosted SaaS applications, as well as your own applications hosted in Azure.
Work accounts are considered hybrid in the sense that the source of identity truth exists within existing domain infrastructure, and is extended into the Azure AD ecosystem. Using features such as password hash sync and seamless single sign-on, users can authenticate to existing on-premises applications and services, as well as cloud hosted applications without requiring multiple authentication prompts. Work accounts are also protected by the advanced identity protection features built into Azure AD, such as bad password protection, Conditional Access, Multi Factor Authentication and more.
Your Microsoft account is the starting place for onboarding into Azure and Office 365. When you establish a new Microsoft account for Azure, you are registering your company against the @OnMicrosoft.com namespace. For example, if your company name was Contoso, the first account you would establish would use the contoso.onmicrosoft.com domain name.
It is recommended to maintain at least two @OnMicrosoft.com accounts within an Azure Active Directory (Azure AD) tenant for emergency reasons. Emergency access accounts help organisations avoid being locked out of an existing Azure AD environment. Such accounts are highly privileged, and should not be assigned to specific individuals.
Emergency access accounts should be limited to emergency or break-glass scenarios: situations where normal administrative accounts cannot be used. An organisation might need to use an emergency access account in the following situations:
Organisations can elect to only use the Microsoft provided Azure AD tenant for authentication and access control. For on-premises integration with existing domains please refer to the Work Account tile.
Role Based Access Control (RBAC) is a common security methodology and Azure provides a flexible solution for granting the appropriate permissions to resources. Nearly every resource in Azure allows granular permissions to be granted to nominated users through the "Access Control (IAM)" blade, at the resource, resource group, subscription or tenant level.
Azure Virtual Machines are the core workload within Azure, on average accounting for 70% of customer consumption, so selecting the right VM for a particular workload is a critical decision. With 175 different VM sizes available, it can be challenging to select the right size to balance cost against performance.
VM sizes can be categorised into the following top-level workload specifications:
VM sizes allow for a great deal of flexibility, with CPU and memory ratios ranging from 1 CPU and 500MB of memory to a staggering 416 CPUs and 11.4TB of memory.
Azure Virtual Machine Scale Sets enable customers to provision elastic services that dynamically expand and retract to align with current workloads.
These sets or groups contain identical, load balanced Virtual Machines (VMs) that grow and shrink in number by either schedule or when demand increases. When demand subsides the additional VMs are powered off to save costs.
Azure Virtual Machine Scale Sets also work as a High Availability solution for your applications or workloads. These sets are centrally managed as a single unit, so management is a breeze.
Azure Monitor provides a solution to monitor the performance and health of your cloud resources.
In addition to collecting performance metrics and logs to analyse the health of your resources, Azure Monitor provides insights as to how your applications are performing, diagnoses errors and produces alerts to notify you of critical conditions.
Azure Monitor can be configured to take specific actions when alerts are generated. It can auto-scale resources to meet demand requirements.
Azure Monitor can integrate with your current service management platform through IT service management (ITSM) connectors to create incidents and alerts.
Azure Alerts is a sub capability of the unified monitoring experience within Azure known as Azure Monitor. By setting up rules to monitor resources, conditions and to perform actions, Azure Alerts can proactively notify IT admins when issues are detected.
Azure Alerts can send notifications based on metric values, log search queries, activity log events, health of the underlying Azure platform and synthetic transactions for website availability.
Alert data can be visualised on Azure Dashboards, Azure Monitor Views, Power BI or interactive workbook documents.
A Subscription enables you to run services and infrastructure within Azure. A subscription can be likened to a data centre and is a blank canvas for workload deployments. Subscriptions are provisioned under different offers, allowing for flexibility and consumption under different types of billing account.
| Offer Name | Offer Number |
|---|---|
| Enterprise Agreement Support | |
| Microsoft Azure EA Sponsorship | 0136P |
| Support Plans | 0041P, 0042P, 0043P |
| Visual Studio Professional subscribers | 0059P |
| Visual Studio Test Professional subscribers | 0060P |
| MSDN Platforms subscribers | 0062P |
| Visual Studio Enterprise subscribers | 0063P |
| Visual Studio Enterprise (BizSpark) subscribers | 0064P |
| Visual Studio Enterprise (MPN) subscribers | 0029P |
| Microsoft Azure Sponsored Offer | 0036P |
| Azure Pass Sponsorship | 0243P |
| Azure in Open Licensing | 0111p |
| Azure for Students | 0170p |
| Microsoft Azure for Students Starter | 0144P |
| Azure in CSP | 0145P |
| Microsoft Azure Dev Tools for Teaching | |
Azure Event Hubs is a service that can ingest millions of events per second from any source. This ability to collect big data facilitates real-time analytics that can unlock valuable insights, enabling rapid response to business challenges.
Event Hubs integrates with other Azure services as well as Apache Kafka clients and applications such as Mirror Maker, Apache Flink and Akka streams.
Azure IoT Hub is a fully managed cloud PaaS service that acts as the gateway for IoT devices that connect to an Azure IoT solution.
Azure IoT Hub can connect millions of devices and receive millions of messages per second from supported devices. Azure IoT Hub can also be used to provision, configure and manage IoT devices.
Azure IoT Hub can also be connected to data processing services such as Azure Machine Learning, Azure Stream Analytics, Azure database services or even Microsoft Dynamics 365; enabling businesses to gain insight and take action based on data received from IoT connected devices.
Microsoft Azure Service Bus is an enterprise multi-tenant cloud-based messaging service which allows asynchronous communication between two or more decoupled systems or endpoints.
Decoupling the sender and receiver brings many advantages, such as not requiring both sides to be online at the same time, therefore removing any impacts due to disconnections, outages, updates or maintenance on the involved systems. Furthermore, it improves reliability and performance and as a Platform as a Service (PaaS) it brings all the scalability and high-availability of the cloud.
The overarching service is divided into the following offerings:
The following protocols are available when using Azure Service Bus:
Typical use cases are for shopping carts, order processing, logging, event-driven applications, notifications, firewalled systems, inter-bank transactions, quotes, settlements, notifications, claims processing and many more.
Azure Service Bus Queues
Queues allow asynchronous communication between distributed systems. Queues are ideal for one-direction communication, where on one side of the queue you have the producer(s), and on the other side you have a single consumer. All messages are sent to the queue's persistent storage and are either consumed by the consumer or expire. Messages are guaranteed to be delivered in first-in, first-out (FIFO) order and each message has a unique ID.
As an example take an e-commerce website where users enter orders. Let's say your application is hosted in Australia East and is composed of a UI with an API layer sitting behind, which writes orders to a database. Your clients are growing quickly, not only in Australia but in the US as well. One option would be to set up the same architecture in the US datacenter, but then you would have to replicate the databases so they are consistent, and this is usually costly and there are latency concerns. So instead you put a worker role and service bus between the API layer and the database layer so that the transaction can be picked up from the service bus queue by the worker role, and committed to the local database, and sent to the service bus queue in the other data centre to be committed in the other database.
There are many other examples when you don't want to wait for a task to be processed. You could queue a message for report generation, image processing, video processing, email to be sent, provisioning users, etc.
Azure Service Bus Topics and Subscriptions
Topics and Subscriptions are very similar to queues in that they are also one-direction communication, but instead of having producers and consumers, they are based on a publisher/subscriber model. You may have one or more topics, each with one or multiple subscriptions. Once a message reaches the topic it is distributed to the subscriber queues.
Let's take as an example an online retail store which sells shoes. They work hard to have all products in stock, but sometimes orders get delayed, or for whatever reason a product is not available. Instead of displaying an out-of-stock message on their website, they first check with other suppliers whether they can fulfil that order, increasing customer satisfaction. This is where Topics and Subscriptions are useful. Once the shoe retailer checks against their database and finds the product is not in stock, a message is sent to a service bus topic, which is distributed to several partner suppliers who are subscribers to that topic. The suppliers evaluate the message and, if the product is available, send another message to a queue stating they can fulfil the order. Back on the website the order is completed.
Azure Service Bus Relays
Relays are not like queues or topics and subscriptions. Communication is bidirectional, and both endpoints need to be active for the communication to happen. Relays don't store messages but instead are used as a bridge between two systems. Relays are automatically created and deleted. They are great to use between disconnected systems that are behind firewalls or proxies. They allow the communication to be established by an outbound connection, so no ports need to be opened inbound. A good example of the use of an Azure Service Bus Relay is Azure Active Directory (AD) Connect. It leverages a relay to establish a connection between Azure AD and the on-premises directory.
Azure Functions allow you to create and run code in the cloud without having to support or provision the underlying server infrastructure.
Think of Azure Functions as microservices: they are pieces of code that perform a particular task in the cloud, such as writing a message to an Azure storage queue, and they are event driven. Triggers start the function running. They listen for a particular event and, when it occurs, they kick off the function. Examples of triggers are HTTP requests, a file being written to blob storage, or a timer that schedules the function to run. You can also make data from external services available to your function through input bindings, whilst output bindings provide a means to write data to an external service (such as the example above of writing to a storage queue).
You are only charged for Azure Functions when they are actually executed, so there is no need to pay for compute resources that are waiting to run code (which you would be doing in a more traditional server-based architecture).
A key component of the serverless compute era, API Apps provide exceptional scalability and agility to your application hosting infrastructure.
With multiple language support, you have the ability to transform your services, move away from traditional IaaS and leverage the benefits of dynamic scale, continuous deployment and reduced cost. Currently supported languages are:
Added benefits include on-premises connectivity support that allows you to extend and enhance your current solutions into Azure. API Apps also leverage the full suite of Azure authentication services including OAuth, Azure Active Directory, B2B and B2C to provide native secure authentication support.
SendGrid is a third-party cloud-based service that provides reliable email services and is available directly from the Azure Marketplace.
SendGrid provides its own email API allowing an easy integration with application code. It provides a whopping 99.999% up-time SLA and up to 30,000 transactions per second. It services over 50 billion emails per month and it has some heavy-weight customers such as Airbnb, Spotify and Uber. And last but not least, you can sign up and enjoy 25,000 emails per month for free!
"The goal is to turn data into information, and information into insight." Carly Fiorina, Former CEO of HP
Without the ability to report on the data an organisation generates, it is impossible to make informed, considered decisions. Microsoft Power BI is a collection of analytic services which use reporting dashboards to visualise data held both on-premises and in the cloud.
Power BI is comprised of three main services:
Power BI allows developers to embed interactive detailed content into applications via Power BI Embedded. Power BI includes APIs and SDK libraries to ensure that data remains secure and automatically scales visuals to ensure the best possible user experience.
Azure Cognitive Services (Speech) is a collection of application programming interfaces (APIs) that enable developers to easily add speech-to-text, text-to-speech, transcription and translation services to applications. The two APIs in this grouping are:
Conditional Access Policies (CAP) are a capability of Azure Active Directory that enables an organisation to grant or block access, or require certain conditions to be met, before allowing access to resources. These conditions can be based on location, device platform, device compliance, proof of identity (MFA), or even what kind of application is being used to access the resource (e.g. a full client app or a browser session).
Conditional Access Policies reduce risk by controlling the WHO, HOW, WHERE and WHEN of access to cloud and network resources. If you are licensed under Azure Active Directory Premium Plan 1 then you can use CAP to dynamically protect your user accounts, based on conditions. Stepping up to Azure Active Directory Premium Plan 2 adds the capability to dynamically control authentication events based on the risk level for that event. If a user logs in under a high risk condition such as an impossible travel event from two discrete locations, or their user credentials are found for sale on the black market, then you can control what happens automatically.
Gain visibility into suspicious activity running on your cloud workloads. With Security Center, you can provision security policies across your resources to limit exposure. Security Center also uses a variety of detective capabilities to alert you to when attackers are trying to breach your environment. These include:
With these capabilities you can help disrupt the cyber kill chain and meet your security monitoring requirements.
Azure Security Center comes in two tiers - Free and Standard. If you are deploying production or public facing infrastructure in Azure, you should consider using the standard version of Security Center to ensure your cloud services are protected.
Application Insights, a feature of Azure Monitor, helps your development team understand how an application or service is performing and how it's being used. Key monitors supported are:
Application Insights is more than a platform for monitoring an application environment in Azure. Support exists to receive telemetry from nearly all Azure resource types such as Azure AD, Azure Storage and more.
A major benefit of this platform is that it monitors more than just your Azure environment. Support can be extended to on-premises applications and service infrastructure, providing a low cost, robust and insightful monitoring platform for your line-of-business applications.
Running workloads in Azure and would like to save money? Azure Advisor is an often overlooked built-in feature of Azure, providing automated recommendations on cost control, security, governance and performance/high availability.
Recommendations for cost saving often include purchasing Reserved Instances (RI) to lock in the compute cost of a virtual machine over a 1-3 year term. Alongside RI recommendations you may receive notifications on orphaned or over provisioned resources. Security alerts are reported from Security Center.
All reports are exportable to CSV or PDF with full PowerShell and API support for automatic recommendation reporting and even remediation by using Automation runbooks.
Azure Backup encompasses a suite of different options that includes Data Protection Manager (DPM), Microsoft Azure Backup Server (MABS), the Microsoft Azure Recovery Services (MARS) agent, and native Azure Backup, which is built into the Azure fabric.
Azure Site Recovery (ASR) provides Disaster Recovery as a Service (DRaaS) by automating the replication and orchestration of your servers to a secondary, disaster recovery site.
When protecting on-premises workloads, ASR supports fail-over of your virtual and physical servers to Azure, or to your own secondary data centre. For the protection of VMs already running in Azure, ASR orchestrates the fail-over of workloads to a second Azure site.
Recovery Plans are configured within ASR to automatically recover your servers to the target site in an orderly manner, ensuring that core services (for example domain controllers) are up and running before dependent servers are powered up. There is also the ability to run scripts and manual actions as part of the recovery plan to ensure applications and servers are configured correctly in the DR environment.
ASR can replicate physical servers and virtual servers (VMware, Hyper-V, Azure and Azure Stack) and supports Windows and Linux operating systems. It also integrates with existing DR technologies such as SQL Server AlwaysOn.
ASR can also be used as a one-off migration tool to migrate servers from on-premises or AWS (Windows only) to Azure. Since ASR is free for the first 31 days you can migrate servers for free if completed within this time.
Azure Migrate takes the guesswork out of planning lift and shift migrations to Azure.
Azure Migrate analyses and assesses your current on-premises VMware virtual machines (VMs) and provides a migration strategy to move them to Azure. Support for Hyper-V environments is currently in preview.
Azure Migrate utilises a collector appliance which is a preconfigured VMware VM image that is downloaded and imported into vCenter. The appliance collects information for the assessment and uploads the results to the Azure portal. It does not require any agents or software to be installed on the hosts or guests.
After data collection and performance profiling has completed, you will be presented with a decision tree for Azure migration suitability including indicative pricing.
Azure Database Migration Service (DMS) helps you assess and migrate on-premises databases to Azure with minimal downtime. It accelerates the process and reduces complexity while supporting migration from multiple sources to the target database.
Azure Cost Management was made generally available in April 2019. The objective of this service is to enable customers to control their Azure spend through monitoring of costs and optimisation of workloads. You are able to identify trends in spending across your subscriptions and understand current and projected costs.
Cost analysis within Azure Cost Management allows you to create a wide variety of customised searches of billing data. For example you can group the results by resource group, resource type, location and service name, and you can filter the results based on many different attributes. This gives you visibility into exactly where the costs are within your environment.
Create Azure Budgets within Azure Cost Management to set thresholds that monitor your Azure spending and trigger actions when the threshold (or a portion of it) has been reached. Actions can include sending alerts via email or SMS, or kicking off an automated task. For example you could automatically shut down VMs when a budget has been reached for the month. Budgets can be set monthly, quarterly and annually.
Azure Cost Management makes recommendations for optimising your resources. For example it can identify underutilised resources and recommend less expensive resources that could run the workload instead, or recommend re-sizing a virtual machine to a lower specification.
Azure SQL Database is a fully managed platform-as-a-service (PaaS) offering that delivers high performance, highly scalable and secure database infrastructure, without the need to spin up and maintain infrastructure.
Azure SQL Database is secured by Azure Active Directory, virtual networks, firewalls and encrypted connections. It is a completely flexible solution where organisations can spin up anything from a single database instance, through to entire elastic pools of multiple databases, for unpredictable usage demands. With the scalability of Azure SQL Database, instances can be geo-distributed to maximise application performance while still maintaining the ease with which they are monitored, tuned and secured.
Azure SQL Managed Instance (MI) is a feature of Azure's SQL Database-as-a-Service offering. A managed SQL database instance is the best solution for migrating on-premises SQL Server databases to the cloud. By using a SQL MI, organisations can migrate databases with zero downtime, apply advanced security features that leverage Azure Active Directory, and apply service tiers to mitigate infrastructure failure in the cloud.
The major advantage of SQL MI is that you gain significant operational efficiency by utilising a data platform with the enterprise-class resilience features of a full SQL Server Always On cluster, without needing to maintain the host or the SQL cluster.
Azure Database for PostgreSQL is a relational database service in the Microsoft cloud that is designed to enable developers to focus on rapid application development. It is available in two deployment options: Single Server and Hyperscale (Citus).
Azure SQL Elastic Pool provides the same functionality as standalone databases, but allows for resource consumption optimisation leading to a reduction in cost. It is perfect for databases with steady resource utilisation with infrequent spikes. As an example, instead of having 15 databases running as standalone Azure SQL Databases, you could include them in the same SQL Elastic Pool which would optimise the resource utilisation, reduce costs while still allowing them to consume more resources from time to time when demand is higher.
Similar to Azure SQL Databases, SQL Elastic Pools are also based on DTU and vCore purchase models. Note that Reservations and Azure Hybrid Licensing are only available with the vCore model.
Azure Cosmos DB service provides a multi-model database service that supports various NoSQL ("not only SQL") database engines, including MongoDB, Cassandra, and Gremlin. The Cosmos DB service is globally distributed and guarantees low latency worldwide.
Cosmos DB offers horizontal partitioning and multi-master replication. The service supports non-relational data models such as key-value, column-family, document and graph.
Azure Analysis Services provides cloud-based analysis services as a platform as a service (PaaS). It is built on SQL Server Analysis Services Enterprise Edition.
The service integrates data from multiple sources into a BI semantic model and manages data modelling. The service is compatible with most features in SQL Server Analysis Services Enterprise Edition.
Note: some features were not yet supported as of 2019, such as Multidimensional models and PowerPivot for SharePoint.
Azure Search is a cloud-based search-as-a-service solution targeted at private content.
Unlike Bing, which is for searching the public web, Azure Search is for searching internal web and enterprise application data. Azure Search is based on the same natural language stack as Bing and Office search but is boosted by the capabilities of artificial intelligence.
Azure Search leverages AI capabilities to identify and capture data from images, unstructured raw text and many different types of content spread across platforms. The user experience can be shaped by using filters, autocomplete, and suggestions for auto-corrected terms. Multi-lingual search is also supported.
Azure Cognitive Services is a cloud-based service that assists developers to design and build applications that can see, hear, speak and understand.
Using the Vision, Speech, Language, Search and Decision APIs, developers can create applications that take advantage of these capabilities without any prior artificial intelligence or data science knowledge.
Azure Key Vault is a tool for managing cryptographic keys and secrets used by services and cloud applications. Protections must be in place so items like passwords, certificates, connection strings, API and encryption keys are not exposed.
Azure Key Vaults can be software or hardware protected. In scenarios where the maximum possible security is required, the keys and secrets can be stored in hardware security modules (HSMs). These HSMs are Federal Information Processing Standard (FIPS) 140-2 Level 2 validated, and operate so that the secret never leaves the HSM boundary.
Microsoft uses nCipher hardware security modules and specialist tools can be used to move keys between the HSM and the Azure Key Vault. Microsoft will never be able to see or extract data from an Azure Key Vault.
Azure Resource Groups (RGs) provide a means to group resources within Azure into logical entities, and then perform management and other tasks on that group and its members.
All members of a resource group should be part of the same lifecycle, for example they should be deployed or deleted together. Every resource within Azure can be a member of only one Resource Group. Access control to resources can be configured at the RG level, allowing you to implement detailed access control for groups of resources at a time.
RGs do not restrict interaction between members of the RG and members of other RGs. For example you may have a RG which contains all application servers for a given application, and another RG which contains all file share servers for that application; the application servers can access the file share servers even though they are in separate resource groups.
Resources do not have to remain permanently in the resource group they were first added to; you can move them between resource groups. Although resource groups are created in a given region, they can contain members from different regions.
To minimise the complexity of managing your Azure environment, it is important to have a naming convention for your RGs, and to determine how you will organise your resources into RGs from the start.
Azure Rights Management (Azure RMS) provides a service to protect your company data. It enables you to implement policies and encryption to ensure only the right people have access to your company data.
Information can be protected both within your organisation, and outside your organisation, because the protection remains with the data even if it is copied to storage outside of your control.
Azure RMS provides auditing and monitoring of your protected files. You can see who has opened protected files, who failed to open protected files and what actions were performed with the files.
Azure RMS protects your company data in Office 365 and can also protect on-premises services such as Microsoft Exchange Server, SharePoint Server and Windows Server when the RMS connector is deployed.
Monitoring network traffic into and out of Azure is critical to enable control of operational costs and to diagnose possible network issues. Azure Network Watcher allows you to perform packet level inspection of network traffic and monitor VPNs to gain insight and control over your network.
An extension of Network Watcher, called Network Performance Monitor (NPM), allows you to monitor throughput/packet loss/latency and jitter for ExpressRoute circuits to ensure that your end-to-end connectivity solution is optimal.
Azure Traffic Manager is a geographic load balancer designed to optimally distribute traffic amongst global Azure regions where organisations are running applications and service endpoints.
Traffic Manager uses DNS routing and other load balancing mechanisms to redirect client requests to the optimal endpoint based on routing rules and the health state of the endpoints.
Azure Application Gateway is designed to protect your web applications. It is a Layer 7 smart application proxy that provides a number of services including load balancing, web application gateway/proxy and health monitoring. Azure Load Balancer can be used with any protocol, whereas Application Gateway only supports HTTP and HTTPS.
The Azure Application Gateway is a great replacement for legacy applications such as Microsoft Threat Management Gateway and Microsoft Unified Access Gateway, as it offers end-to-end SSL encryption, intelligent routing based on policy rules, SSL offload, and automatic scaling to match web application traffic load.
Azure Load Balancer is part of Azure's Platform-as-a-Service (PaaS) capability. As the name suggests, Load Balancers are used to balance load between resources so applications can scale, and high availability of services can be created.
Azure Load Balancers can distribute inbound flow, as well as outbound connections, for virtual machines inside the virtual network.
Use of Azure Load Balancer is available through two SKUs. The Basic SKU is free to use while the Standard SKU has an associated cost. The Standard SKU offers more flexibility, scaling and integrated monitoring capability.
Load Balancers can also be deployed as external or internal facing services for your applications and services.
Azure Virtual WAN allows the creation of Wide Area Networks in Azure. This enables customers to configure site-to-site, point-to-site and ExpressRoute connections.
By using Azure Virtual WAN, network policy and management are delivered under a single pane of glass, while still enabling automated scaling, branch connectivity and optimised routing of network traffic.
Azure DNS is a fully hosted and self-managed name resolution service in Azure. If you are hosting web applications in Azure, then coupling the entry point name with Azure DNS will allow you to rapidly on-board new applications and provide public URLs under your domain name quickly. By leveraging Azure's global scale and resilience, your DNS zones will be highly available and local to the requesting users.
Azure DNS can also be leveraged for private name resolution within Azure and potentially negates the requirement to host Windows or Linux name servers.
Data Lake provides fast, scalable and secure storage for big data analysis and can store various types and sizes of data.
Azure Data Lake Storage Gen1 is compatible with the Hadoop Distributed File System (HDFS) in the Hadoop environment.
Azure Data Lake Storage Gen2 extends Azure Blob Storage and Data Lake Gen1 capabilities. This provides lower cost support for open source platforms such as HDInsight, Hadoop, Cloudera and Azure Databricks.
Azure Media Services is a scalable cloud-based platform for media management and delivery. Media can be securely uploaded, stored, encoded and delivered both on-demand and as live streams to various platforms such as TV, PC and mobile devices.
Azure Media Services is composed of the following sub-services:
Azure Data Factory is a cloud-based ETL (Extract, Transform, Load) service to integrate data from different sources.
The service provides a workflow to organise and process raw data into various types, including relational and non-relational data, so that the business can make data-driven decisions by analysing the integrated data.
Synapse Analytics is Azure SQL Datawarehouse re-imagined! Combining hyperscale enterprise grade data warehousing with big data analytics, Synapse provides complex and flexible live query capability for your Data.
Synapse supports the following features and integration options with other advanced Azure services:
Azure Redis Cache is Microsoft's managed version of the popular Redis software. As the name indicates, Redis Cache caches frequently accessed data from databases such as SQL Server and allows super-fast access to that data directly from memory.
Content Delivery Networks are used to cache static content closer to users. Redis Cache can also cache static content closer to users, but in-memory which provides much faster access to the data. Furthermore, it can also be used as a message broker system, in-memory data structure store and a distributed non-relational database.
Azure HDInsight is a big data analytics service that can run popular open source frameworks such as Apache Hadoop, Spark and Kafka.
By using HDInsight organisations can process massive data sets, rapidly provision big data clusters and elastically scale them up or down as needed. HDInsight integrates with Azure Data Factory and Azure Data Lake storage and meets industry and government standards for data protection.
Azure Bot Services is a managed service for conversational bot development. Using an open source software development kit (SDK), developers can build bots that users can easily interact with using natural language.
Azure Bot Services leverage Azure Cognitive Services and can be integrated with natural language and speech APIs to enhance the end user experience when interacting with the virtual assistant.
Azure Machine Learning (ML) is a data science and data mining tool in the cloud that enables computers and programs to recognise patterns in data without being explicitly programmed.
Using data sets for input, Azure ML can create algorithms (known as machine learning models). Pretrained models can be used for vision, speech, language and search capabilities. Azure ML service can be used to train custom models using any framework such as PyTorch, TensorFlow, Keras or ONNX.
Manage Shadow IT, control data stored on cloud platforms and identify other threats with Microsoft Cloud App Security (MCAS). MCAS is a multi-source Cloud Access Security Broker (CASB), designed to allow visibility, control, security and reporting of access to cloud enabled applications and services within an environment.
MCAS can be connected to multiple cloud applications including, but not limited to:
MCAS enables organisations to discover and control Shadow IT by identifying applications used within an organisation. Additionally it offers the ability to manage access and compliance to ensure information and device security.
To enable organisations to manage information stored in cloud environments, MCAS is capable of understanding, classifying and reporting on documents at rest. This includes documents shared via cloud services such as OneDrive and Box.
MCAS can help protect against possible cyber threats by detecting unusual behaviour, impossible travel scenarios, administrative activities from non-corporate IPs and malware identification. Policies can be configured to perform governance actions ranging from alerting IT, to suspending user accounts and quarantining files.
Do you have a Security Information and Event Management system (SIEM)? Do you need to ensure strict security controls and reporting within Azure and/or on-premises?
Sentinel is an Azure hosted SIEM as-a-service that can ingest and inspect security related events from virtually anywhere. Powered by advanced Artificial Intelligence and backed by security research analysis based on trillions of signals daily, Sentinel is pre-configured and ready to report on anomalous and malicious behaviour within your infrastructure.
The compelling reason to select Sentinel over other SIEM services, is the elegance and simplicity of setup and configuration. Built-in data connectors can be configured in seconds to ingest data streams from Azure Active Directory, Office 365, Advanced Threat Protection (ATP), Security Center and many more.
Network Security Groups (NSGs) are Azure's equivalent of your own virtual firewall within your Azure networks. NSGs allow you to define access control rules for inbound and outbound traffic to a subnet or a network interface on a VM.
Once an NSG is created and its rules configured, it is associated with one or more subnets or network interfaces. For simplicity of administration it is recommended that NSGs be linked to subnets rather than individual interfaces; however, associating an NSG with an individual interface may be required to impose specific restrictions on that interface.
To efficiently maintain NSGs that are linked to network interfaces, you can use application security groups. VM network interfaces can be made members of an application security group, then an NSG can be used to deny or allow traffic to and from all interfaces that are members of the application security group. Rules within NSGs are applied to inbound traffic for the subnet first, followed by the rules for the VM network interface. Outbound rules are applied for the VM network interface first, and then followed by subnet rules.
An alternative to using NSGs is to deploy a Network Virtual Appliance (NVA). NVAs are available through the Azure Marketplace and are provided by all of the major network appliance vendors. Often an NVA will be used when an organisation has more advanced networking requirements (such as detailed traffic inspection, or the implementation of a Web Application Firewall), or when integrating Azure with an existing on-premises environment and you want to extend the same networking solution across cloud and on-premises.
When using NSGs it is vital to plan your network architecture and security requirements in advance, as the number and complexity of NSGs can quickly become difficult to navigate and maintain.
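The two-stage evaluation described above (subnet NSG then NIC NSG for inbound traffic, the reverse for outbound) is easy to get wrong when a NIC-level rule is expected to override a subnet-level one. The following model is an added example, not Azure's own code: the VNet range, application security group (ASG) membership and rule sets are constructed sample data, while priority ordering (lowest number first) and the default rules Azure adds at priority 65000 and above are documented Azure behaviour not spelled out on this page.

```python
"""Model of Azure NSG rule evaluation (added example, not Azure's own code).
Sample VNet range, ASG membership and rule sets below are constructed.
Priority ordering and the 65000+ default rules are documented Azure behaviour."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

VNET_CIDR = "10.0.0.0/16"  # constructed: the VNet's private address range
# constructed: ASG membership, ASG name -> set of NIC private IPs
ASG_MEMBERS = {"asg-web": {"10.0.1.4"}, "asg-app": {"10.0.2.4", "10.0.2.5"}}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number is evaluated first (custom 100-4096)
    access: str             # "Allow" or "Deny"
    protocol: str = "*"     # "Tcp", "Udp" or "*" for any
    source: str = "*"       # CIDR, "*" or an ASG name
    destination: str = "*"  # CIDR, "*" or an ASG name
    dest_ports: str = "*"   # "*", "443" or a range such as "1000-2000"

@dataclass(frozen=True)
class Nsg:
    name: str
    inbound: Tuple[Rule, ...] = ()
    outbound: Tuple[Rule, ...] = ()

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int

# Default rules Azure adds to every NSG; the VirtualNetwork tag is simplified
# to the VNet CIDR and the AzureLoadBalancer rule is omitted.
DEFAULT_INBOUND = (Rule("AllowVnetInBound", 65000, "Allow", source=VNET_CIDR),
                   Rule("DenyAllInBound", 65500, "Deny"))
DEFAULT_OUTBOUND = (Rule("AllowVnetOutBound", 65000, "Allow", destination=VNET_CIDR),
                    Rule("AllowInternetOutBound", 65001, "Allow"),
                    Rule("DenyAllOutBound", 65500, "Deny"))

def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec in ASG_MEMBERS:  # match on ASG membership rather than on address
        return ip in ASG_MEMBERS[spec]
    return ip_address(ip) in ip_network(spec)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and _addr_matches(rule.source, flow.src_ip)
            and _addr_matches(rule.destination, flow.dst_ip)
            and _port_matches(rule.dest_ports, flow.dst_port))

def evaluate_nsg(nsg: Nsg, flow: Flow, inbound: bool) -> Tuple[str, str]:
    """First matching rule in priority order decides; a default always matches."""
    custom = nsg.inbound if inbound else nsg.outbound
    defaults = DEFAULT_INBOUND if inbound else DEFAULT_OUTBOUND
    for rule in sorted(custom + defaults, key=lambda r: r.priority):
        if _rule_matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAll default matches everything")

def effective_access(flow: Flow, subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg],
                     inbound: bool = True) -> Tuple[str, str]:
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then
    subnet NSG. None means no NSG is attached at that level. Every attached NSG
    must allow the flow; the first Deny is final and its stage is reported."""
    stages = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if not inbound:
        stages.reverse()
    for stage, nsg in stages:
        if nsg is None:
            continue
        access, name = evaluate_nsg(nsg, flow, inbound)
        if access == "Deny":
            return "Deny", f"{stage}:{name}"
    return "Allow", "all stages"

# constructed: subnet NSG admits HTTPS to the web ASG and blocks RDP from anywhere
SUBNET_NSG = Nsg("nsg-web-subnet", inbound=(
    Rule("AllowHttpsToWeb", 100, "Allow", "Tcp", "*", "asg-web", "443"),
    Rule("DenyRdp", 110, "Deny", "Tcp", "*", "*", "3389")))
# constructed: NIC NSG that tries to open RDP and blocks direct Internet egress
NIC_NSG = Nsg("nsg-web-nic",
              inbound=(Rule("AllowRdpAnywhere", 100, "Allow", "Tcp", "*", "*", "3389"),),
              outbound=(Rule("AllowVnetEgress", 100, "Allow", destination=VNET_CIDR),
                        Rule("DenyInternetEgress", 200, "Deny", destination="0.0.0.0/0")))
```

Two results worth noting: the NIC-level RDP allow never takes effect because the subnet NSG denies the flow first, and simply attaching a NIC NSG with no matching allow rule blocks Internet HTTPS that the subnet NSG admits, because the NIC NSG's default DenyAllInBound then applies.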
If you are using Office 365 then congratulations, you are already using the Azure Front Door Service. Azure provides the highly available, scalable and secure entry point into your apps.
Front Door is very similar to the Azure Application Gateway, the difference being that the former provides global load balancing services and the latter only provides regional load balancing services. Using the Front Door Service you can route your traffic to your closest service back-end, providing the best performance for your users.
Other Front Door features that are similar to the Application Gateway are:
In order to provide the best service to your users on a global scale, a combination of these services can be used.
Azure offers cloud services that are easily accessible over the internet, or via a site-to-site VPN connection. But if your organisation requires a private, high-throughput and predictable connection to Azure services from your existing network, ExpressRoute is required.
ExpressRoute can be used to connect your organisation to Office 365, Dynamics 365 and Azure. This dedicated network link can be provided in three different ways:
To access ExpressRoute through a Cloud Exchange you must be co-located in a data centre with this capability. A layer 2 or 3 connection can then be provisioned to connect your co-location with Azure.
A Point-to-Point Ethernet or IP VPN - such as a multiprotocol label switching (MPLS) WAN - connection can be established by your network service provider if you are not co-located in a facility with a cloud exchange. More than one ExpressRoute circuit can be provisioned to provide connectivity to the same or different regions within Azure.
There are two types of peering for ExpressRoute, Azure private peering and Microsoft peering.
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.
Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
Azure Virtual Networks are also referred to as VNets. They provide the networking foundation for your Azure resources to be able to communicate with each other and to communicate over the Internet and to other networks (such as your local WAN).
You can allow different types of Azure resources to communicate with each other in your VNets, such as IaaS resources (e.g. Virtual Machines) and PaaS resources (e.g. Web Apps). Each VNet contains subnets and within those subnets sit your Azure resources, such as Virtual Machines.
A VNet is configured with a private IP address range, which is then split up into multiple subnets. By default, there is complete isolation between VNets, so resources in one VNet cannot communicate with resources in another VNet. Each VNet can only be present in a single Azure region; however, you can connect VNets to each other if you require resources in one VNet or region to communicate with resources in another VNet or region.
On-premises environments can be configured to connect to VNets through the use of point-to-site VPNs, site-to-site VPNs or Azure ExpressRoute. The traffic within the VNet can also be filtered, for example traffic between subnets or between virtual machine network interfaces.
Virtual Appliances can also be integrated within your VNets. When you configure custom routes within your subnets you can force all network traffic through these appliances (for monitoring, filtering and even packet inspection).
Azure Virtual Networks (VNets) can be broken up into virtual subnets. These are similar to the subnets that are created in traditional on-premises network environments, but are limited to your Azure network.
Each subnet that you create within a virtual network must have a unique address range within that virtual network. Once created, you can add Azure resources to the subnet to allow them to communicate with each other and to resources in other subnets within the virtual network.
A special type of Azure virtual subnet is a gateway subnet. These are dedicated subnets used for connecting your on-premises networks to an Azure virtual network using a VPN gateway.
All traffic within an Azure network is routable, so by default Azure will route traffic between subnets in the same virtual network. Alternatively you can configure a custom route table in Azure to ensure all traffic is routed through a Network Virtual Appliance (NVA) to reach other subnets within the same virtual network (or destinations outside of the virtual network). You can control the traffic that is allowed to flow in and out of a subnet by using network security groups. They can allow or deny traffic based on specific criteria (such as source port, destination port, source IP, destination IP, etc.).
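The VNet and subnet constraints above (a private address range split into subnets with unique ranges, a dedicated gateway subnet, and connecting VNets that must not overlap) can be checked before anything is deployed. The following validator is an added example, not Azure's own tooling: the VNet range and subnet names are constructed, while the five reserved addresses per subnet, the /29 minimum subnet size, the required GatewaySubnet name and the no-overlap requirement for connecting VNets are documented Azure behaviour not stated on this page.

```python
"""Checks on a VNet address plan (added example, not Azure's own tooling).
The VNet range and subnet names passed in are constructed sample data."""
from ipaddress import IPv4Network
from typing import Dict, List

RFC1918 = (IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16"))
RESERVED_PER_SUBNET = 5     # Azure keeps the first four and the last address
SMALLEST_SUBNET_PREFIX = 29  # Azure does not allow subnets smaller than /29


def usable_hosts(cidr: str) -> int:
    """Addresses left for your resources after Azure's reservations."""
    return max(IPv4Network(cidr).num_addresses - RESERVED_PER_SUBNET, 0)


def validate_vnet(vnet_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    vnet = IPv4Network(vnet_cidr)
    if not any(vnet.subnet_of(private) for private in RFC1918):
        problems.append(f"VNet {vnet} is not an RFC 1918 private range")
    seen: Dict[str, IPv4Network] = {}
    for name, cidr in subnets.items():
        net = IPv4Network(cidr)
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} lies outside VNet {vnet}")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            problems.append(f"{name} {net} is smaller than the /29 minimum")
        for other_name, other in seen.items():  # ranges must be unique
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        # The VPN gateway's dedicated subnet must be named exactly GatewaySubnet.
        if name.lower() == "gatewaysubnet" and name != "GatewaySubnet":
            problems.append(f"{name} must be named GatewaySubnet for a VPN gateway")
        seen[name] = net
    return problems


def can_connect(vnet_a: str, vnet_b: str) -> bool:
    """Connecting two VNets requires non-overlapping address spaces."""
    return not IPv4Network(vnet_a).overlaps(IPv4Network(vnet_b))


if __name__ == "__main__":
    # constructed plan: two workload subnets plus a gateway subnet
    plan = {"snet-web": "10.0.1.0/24", "snet-app": "10.0.2.0/24",
            "GatewaySubnet": "10.0.255.0/27"}
    print(validate_vnet("10.0.0.0/16", plan) or "plan OK")
    print({name: usable_hosts(cidr) for name, cidr in plan.items()})
```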
With an Azure On-Premises Data Gateway, you can utilise your on-premises data sources in cloud applications such as Microsoft Power BI, PowerApps, Flow, Azure Logic Apps and the Azure Analysis Service. Query datasets from your on-premises sources, including legacy data, in new and interesting ways without having to move that data to the cloud.
Install and deploy one Gateway to connect multiple on-premises data sources with Microsoft Azure. Data flow between the Gateway and Azure is protected using strong encryption standards.
Azure Data Box is an extension of the Import/Export service in Azure. It provides an easy, quick, reliable and inexpensive way of sending data to Azure.
Data Box can be used for offline and online scenarios.
Storing data in Azure requires you to have an Azure storage account as a location to store your data. There are five types of storage account available. The storage account type you use will depend on what data is being stored and what it is being used for. The name of each storage account needs to be unique across the whole of Azure as it is used to provide access to your data.
Azure File Sync allows for the syncing (caching) of files between an Azure file share and a local server. This allows for files to be directly accessed from on-premises servers while benefiting from features of Azure storage like scalability and redundancy.
Direct access to the files from on-premises servers allows for improved performance, especially where the Internet connection is slow or limited. The cloud tiering feature allows for frequently accessed files to be cached locally while other files are stored in Azure with a placeholder file left in place.
Azure File Sync could be compared to OneDrive, with the cloud tiering feature being similar to the OneDrive Files On-Demand feature. Azure File Sync can also be used as a way to migrate existing on-premises files to the cloud.
Microsoft StorSimple enables customers to both protect their valuable data and automatically tier infrequently accessed data to Azure BLOB. By tiering "cool" data blocks to Azure BLOB it frees up space on the customer's typically faster, more expensive storage, while still enabling seamless access to the tiered data blocks.
StorSimple automatically ensures the most frequently accessed blocks remain local to the StorSimple device to ensure the best performance possible. This automated tiering design enables StorSimple to maintain a small on-premises footprint while still enabling the customer to store large datasets on the device.
Another benefit of Azure StorSimple is its ability to perform daily snapshots that are stored in Azure Cloud. This snapshot feature enables end users to easily perform individual file level recovery, or recover the entire StorSimple device in the event of a larger site outage. This snapshot capability makes StorSimple an ideal candidate for file servers at ROBO locations, deployed to enable archival of old datasets to Azure BLOB, or even backup targets to enable offsite backup copies.
StorSimple devices can be deployed straight from the Azure Marketplace into Azure Cloud, or on-premises via virtual storage arrays or physical appliances. Data can be written to StorSimple via iSCSI volumes or SMB, which means these devices can function both as a SAN or a file server (NAS).
Azure Databricks is an analytics and artificial intelligence (AI) platform based on Apache Spark.
Using Azure Databricks, an organisation can quickly provision a workspace and an Apache Spark cluster where users can collaborate on shared projects. With integration into other Azure services, an organisation can build a modern data warehouse and machine learning solution.
The service integrates with other Azure services to form a big data pipeline: Azure Data Factory for ingesting data in batches, and Kafka, Event Hubs and IoT Hub for streaming. Azure Databricks can read data from various Azure storage solutions such as Azure Synapse, Azure Cosmos DB and Azure Blob Storage.
Azure Databricks supports multiple languages including Python, R, Scala, Java and SQL, with CPU or GPU enabled clusters.
Azure Digital Twins is an extension of Azure Internet of Things (IoT) and provides intelligence in the form of virtual replication of the physical world by modelling the relationships between people, places, and devices in a spatial intelligence graph.
Digital Twins provides correlation of data across the physical and digital worlds, discovering opportunities to improve consumer experiences, create new efficiencies, and improve the spaces in which people live, work and play.
IoT is one of the fastest growing offerings today. If you are looking to enter the world of internet connected things, then IoT Central is essential for you.
IoT Central is a pure SaaS offering that provides a complete management and reporting solution for IoT connected devices. Within minutes you can provision a workspace, register and manage devices, receive critical telemetry and visualise data within pre-built and customisable dashboards.
Azure DDoS Protection is a service provided by Microsoft that enables your website or online resources to remain accessible in the event of traffic flood style attacks (Distributed Denial of Service). It features always-on traffic monitoring and real-time mitigation of attacks for any public IP address you use within Azure. This is the same type of protection used by Microsoft's own online services, which has withstood a wide variety of attacks over the years.
Azure DDoS protection constantly monitors web traffic to your resources, and requires no special changes to your public applications or resources. Additionally, Azure Monitor can show if DDoS mitigation was automatically enabled as a result of an attack, and provide metrics and reports for the previous 30 days.
Azure DDoS protection is available in two service tiers - Basic (free) and Standard.
Azure Firewall is a cloud native firewall built specifically for Azure. It is not an instance based offering and is provided as a managed service with built-in high availability and scalability.
Azure Firewall features:
Azure Firewall allows you to centrally manage and enforce stateful filtering rules by source and destination address, port and protocol. This can be applied across multiple VNets and across multiple subscriptions.
Azure Bastion allows for agentless management of Azure VMs using RDP/SSH whilst ensuring all traffic is securely transmitted over SSH.
Bastion enables you to connect to servers with a single click from within the Azure Portal, which provides an HTML5-based RDP web client securely over SSH.
To avoid having to expose any public IPs, Azure Bastion is provisioned within your existing Virtual Network so that the connection is only made using the VM's private IP. As Azure Bastion is deployed as a PaaS service, it is hardened by design to protect against zero-day exploits.
Azure Bastion fully integrates with Azure event auditing to enable tracking of who has logged on to a VM. Screen recording of sessions is currently in private preview, which will allow playback of the changes made to a VM.
Content Delivery Networks (CDNs) are used to bring content closer to end users.
Static content you are serving, such as websites, mobile apps, gaming software etc., is cached on servers around the globe and delivered to users from those closest to their location.
CDNs enable organisations to deliver content faster, save bandwidth and improve the user experience.
The service creates templates to support repeatable and consistent deployments by defining, within the template, the infrastructure and dependencies for services. It provides security by managing access to, and actions on, the resources based on the role of users or groups.
Azure Blueprints enable Azure architects to design a repeatable solution, based on artefacts and governance, that can create or update Azure subscriptions according to the company's requirements and policies. The artefacts which make up an Azure Blueprint are:
Azure Blueprints have a lifecycle like other resources in Azure. You first create a blueprint and add artefacts. Until you publish it, it remains in draft mode and cannot be assigned. Once published it cannot be edited, but a new version of the same blueprint can be added and then edited. The new version has to be published before it can be assigned. Assignments may also be updated if, for instance, you need to move the assignment to a different blueprint version.
Once a blueprint version is no longer needed it can be deleted, but first you must delete its assignment(s). A blueprint assignment triggers a blueprint deployment, which grants the Blueprints service owner permissions on the subscription(s), creates the required artefacts and finally revokes its rights from the subscription(s).
Azure Blueprints support parameters, which provide flexibility, agility and reusability. Parameters can be hardcoded during blueprint creation, or required at blueprint assignment. Parameters can also enforce prefixes, which allows naming standards to be governed.
Azure Blueprints can give you the assurance and agility to deploy Azure subscriptions in a secure, compliant and ready-to-use state.
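The lifecycle and parameter rules described in the preceding paragraphs are easy to get wrong when automating blueprint management, so here is an added example (written for this page; it is not the Azure Blueprints API or SDK) that encodes them as checks: a draft cannot be assigned, a published version cannot be edited, a version with live assignments cannot be deleted, hardcoded parameters are fixed while others must be supplied at assignment, and a parameter prefix is enforced. The blueprint, artefact and parameter names are constructed.

```python
from copy import deepcopy
from dataclasses import dataclass, field


class BlueprintError(Exception):
    """Raised when an operation violates the blueprint lifecycle rules."""


@dataclass
class BlueprintVersion:
    version: str
    artefacts: list = field(default_factory=list)
    # parameter name -> {"value": fixed value or None, "prefix": required prefix or None}
    parameters: dict = field(default_factory=dict)
    published: bool = False
    assignments: dict = field(default_factory=dict)   # subscription -> resolved parameters


class Blueprint:
    def __init__(self, name):
        self.name = name
        self.versions = {}

    def _get(self, version):
        if version not in self.versions:
            raise BlueprintError(f"unknown version {version}")
        return self.versions[version]

    def new_version(self, version, based_on=None):
        """Create a draft, optionally copying artefacts and parameters from an existing version."""
        if version in self.versions:
            raise BlueprintError(f"version {version} already exists")
        draft = BlueprintVersion(version)
        if based_on is not None:
            base = self._get(based_on)
            draft.artefacts = deepcopy(base.artefacts)
            draft.parameters = deepcopy(base.parameters)
        self.versions[version] = draft
        return draft

    def add_artefact(self, version, artefact):
        v = self._get(version)
        if v.published:
            raise BlueprintError("published versions are immutable; create a new version instead")
        v.artefacts.append(artefact)

    def define_parameter(self, version, name, value=None, prefix=None):
        v = self._get(version)
        if v.published:
            raise BlueprintError("published versions are immutable")
        v.parameters[name] = {"value": value, "prefix": prefix}

    def publish(self, version):
        self._get(version).published = True

    def assign(self, version, subscription, supplied=None):
        """Assign a published version to a subscription, resolving and validating parameters."""
        v = self._get(version)
        if not v.published:
            raise BlueprintError("draft versions cannot be assigned; publish first")
        supplied = supplied or {}
        resolved = {}
        for name, spec in v.parameters.items():
            if spec["value"] is not None:        # hardcoded at creation time
                resolved[name] = spec["value"]
            elif name in supplied:               # required at assignment time
                resolved[name] = supplied[name]
            else:
                raise BlueprintError(f"parameter {name} must be supplied at assignment")
            if spec["prefix"] and not str(resolved[name]).startswith(spec["prefix"]):
                raise BlueprintError(f"parameter {name} must start with {spec['prefix']!r}")
        v.assignments[subscription] = resolved
        return resolved

    def unassign(self, version, subscription):
        self._get(version).assignments.pop(subscription, None)

    def delete_version(self, version):
        if self._get(version).assignments:
            raise BlueprintError("delete the version's assignments before deleting the version")
        del self.versions[version]


def _refused(action):
    """True if the action is rejected by a lifecycle rule."""
    try:
        action()
    except BlueprintError:
        return True
    return False


def run_scenario():
    """Walk a constructed blueprint through the lifecycle and record what is refused."""
    out = {}
    bp = Blueprint("landing-zone")
    bp.new_version("v1")
    bp.add_artefact("v1", "policy:allowed-locations")
    bp.define_parameter("v1", "location", value="australiaeast")   # hardcoded
    bp.define_parameter("v1", "rgName", prefix="corp-")             # required, prefix enforced
    out["assign_draft"] = _refused(lambda: bp.assign("v1", "sub-a", {"rgName": "corp-net"}))
    bp.publish("v1")
    out["edit_published"] = _refused(lambda: bp.add_artefact("v1", "rbac:reader"))
    out["bad_prefix"] = _refused(lambda: bp.assign("v1", "sub-a", {"rgName": "test-net"}))
    out["resolved"] = bp.assign("v1", "sub-a", {"rgName": "corp-net"})
    bp.new_version("v2", based_on="v1")
    bp.add_artefact("v2", "rbac:reader")        # allowed: v2 is still a draft
    out["delete_assigned"] = _refused(lambda: bp.delete_version("v1"))
    bp.unassign("v1", "sub-a")
    bp.delete_version("v1")
    out["remaining_versions"] = sorted(bp.versions)
    out["v2_artefacts"] = bp.versions["v2"].artefacts
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```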
Automation runbooks exist to make your operations life easier. With authoring support for Python, PowerShell and UI-driven graphical workflows, runbooks can do almost anything for you. Common usage scenarios for runbooks include:
DevTest Labs provides a self-service sandbox environment in Azure where developers and testers can create development environments, whilst tight control is maintained over resource types and costs.
Developers and testers can log into the Azure portal and run a DevTest environment without having to go through a service request process to have infrastructure administrators prepare and deploy the resources they require.
Strict quotas can be configured and enforced, ensuring spend on development and test resources in Azure is controlled. You can specify the types of resources that are allowed to be deployed (such as VM sizes) and which subnets the resources can be deployed into. Automated shutdown of the environment can also be enforced; for example, you may want all development environments shut down outside of business hours to save on costs.
An Azure administrator sets the lab up once; policies and schedules then grant developers and testers permission to provision their own DevTest environments.
ARM templates can be used to spin up new labs, which enables a standard set of policies and settings to be deployed each time. You can also create DevTest Labs environments from your continuous integration/continuous deployment (CI/CD) tools through the REST API.
Azure Resource Graph allows you to query at scale across many subscriptions to get deep insights and rich context on your resources. It is based on the Kusto query language and, as with other enterprise-grade query languages, it provides advanced filtering, grouping and sorting of objects. Furthermore, it allows you to assess the impact of applying policies in your environment, as well as to see detailed changes made to resource properties.
Azure Resource Graph is a free service that is throttled to provide the best user experience. To increase the throttle limits, you can raise a support ticket with Microsoft.
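Because the service is throttled, a script that fans out many Resource Graph queries across subscriptions should pace itself rather than hammer the endpoint and retry on HTTP 429. The following is an added example written for this page (not Microsoft's SDK) showing one way to do that using the two throttling response headers Microsoft documents for Resource Graph, x-ms-user-quota-remaining and x-ms-user-quota-resets-after: the client pauses for the reset interval as soon as the remaining quota reaches zero, and falls back to honouring the same header on a 429. The endpoint is replaced by an in-memory stand-in so the example runs offline; its quota of three requests per window, the five-second window and the returned row are constructed.

```python
import time

# Response headers Microsoft documents for Resource Graph throttling.
QUOTA_REMAINING = "x-ms-user-quota-remaining"        # requests left in the current window
QUOTA_RESETS_AFTER = "x-ms-user-quota-resets-after"  # "hh:mm:ss" until the window resets


def parse_reset(value):
    """Convert the hh:mm:ss reset interval to seconds."""
    hours, minutes, seconds = value.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


class PacedGraphClient:
    """Sends queries through `transport` and paces them using the quota headers."""

    def __init__(self, transport, sleep=time.sleep, preempt=True):
        self.transport = transport   # callable(kql) -> (status, headers, body)
        self.sleep = sleep
        self.preempt = preempt       # pause when quota hits zero instead of waiting for a 429
        self.waits = []              # seconds slept, kept for inspection

    def _wait(self, seconds):
        self.waits.append(seconds)
        self.sleep(seconds)

    def query(self, kql, max_attempts=5):
        for attempt in range(max_attempts):
            status, headers, body = self.transport(kql)
            reset_in = parse_reset(headers.get(QUOTA_RESETS_AFTER, "00:00:00"))
            if status == 200:
                if self.preempt and int(headers.get(QUOTA_REMAINING, "1")) == 0:
                    self._wait(reset_in)     # quota exhausted: pause now, not on the next call
                return body
            if status == 429:
                self._wait(reset_in or float(2 ** attempt))   # honour reset window, else back off
                continue
            raise RuntimeError(f"Resource Graph returned HTTP {status}")
        raise RuntimeError("gave up after repeated throttling")


class FakeResourceGraph:
    """Stand-in for the Resource Graph endpoint (constructed for this example, not the real API):
    allows `quota` requests per window, then answers 429 until the window resets."""

    def __init__(self, quota=3, window="00:00:05"):
        self.quota = self.limit = quota
        self.window = window
        self.throttled = 0           # number of 429 responses handed out

    def __call__(self, kql):
        headers = {QUOTA_RESETS_AFTER: self.window}
        if self.quota == 0:
            self.throttled += 1
            headers[QUOTA_REMAINING] = "0"
            return 429, headers, None
        self.quota -= 1
        headers[QUOTA_REMAINING] = str(self.quota)
        return 200, headers, [{"name": "vm-01", "location": "australiaeast"}]   # constructed row

    def reset(self, _seconds):
        """Used as the client's sleep() so that 'waiting' simulates the window elapsing."""
        self.quota = self.limit


KQL = "Resources | where type =~ 'microsoft.compute/virtualmachines' | project name, location"


def run_demo(preempt):
    graph = FakeResourceGraph()
    client = PacedGraphClient(graph, sleep=graph.reset, preempt=preempt)
    rows = [client.query(KQL) for _ in range(5)]
    return {"rows": len(rows), "waits": client.waits, "throttled": graph.throttled}


if __name__ == "__main__":
    print("paced:  ", run_demo(preempt=True))
    print("unpaced:", run_demo(preempt=False))
```

With pre-emptive pacing all five queries succeed and the endpoint never has to throttle; without it the fourth request is rejected with a 429 and only succeeds after the client waits out the same reset interval. Either way the total wait is the same, so pacing costs nothing in time and keeps throttled requests out of your service's error logs.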
Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications.
Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server (formerly Visual Studio Team Foundation Server, TFS).