Azure Core Architectural Components (AZ-104)

In the previous AZ-104 posts we looked at an overview of Entra ID and what Microsoft offers for identity management. In this post we will look at Azure itself and give an overview of the cloud platform. Azure is Microsoft's cloud platform, providing a large array of services: standard virtual machines, managed SQL Server, managed Kubernetes, serverless compute, Artificial Intelligence (AI), Machine Learning (ML) and data platforms. There are many ways to consume the services Azure supplies, whether you are migrating existing workloads from an on-premises environment or want to try a new Azure service.

To use Azure services you need to create an Azure subscription. You can access learning sandboxes through Microsoft's MS Learn site for specific services and scenarios, but to learn and understand the services fully it is recommended to create your own subscription if possible, so that you can do your own testing. Be aware that, depending on the services you use, the subscription will be charged for the services consumed. If you are new to Azure you can create a free account that offers $200 of credit for use within the first 30 days, plus access to a subset of popular services free for 12 months, including burstable VMs, blob storage and AI Vision.

Azure Infrastructure Overview

Azure hosts its physical infrastructure in datacenters. Similar in design to a corporate private datacenter, they house all the physical hardware and servers needed to run the Azure platform alongside the dedicated power, cooling and networking required. These datacenters are distributed around the world and grouped into Azure regions.

Regions and Availability Zones

A region is a geographic area containing one or more datacenters that are networked together to ensure low-latency communication. Workloads created within a region are assigned to datacenters within that region and balanced as needed. Some services (e.g. Azure Front Door) are global and do not require a region, but for the majority of services you will need to select a region at creation time, e.g. East US, West Europe, Japan East.

Larger regions also offer Availability Zones: physically separate datacenters within a single Azure region. Each availability zone has independent power, cooling and networking, so each zone is isolated from the others, and if one zone goes down the region continues to operate from the remaining zones. Where you have resiliency requirements you can gain additional protection from downtime by spreading workloads across the Availability Zones, which lets mission-critical applications be built with high availability in mind. Note that running workloads in multiple availability zones or regions increases cost.

Services fall into three categories:
Global / Non-Regional: as mentioned above, these services run across the Azure infrastructure and are resilient to zone-wide outages as well as regional ones.

Zonal: services pinned to a specific Availability Zone, e.g. a Virtual Machine deployed into zone 1.

Zone-Redundant: services that automatically replicate data between zones, e.g. zone-redundant Blob Storage (ZRS).
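The zonal versus zone-redundant distinction is easiest to see on real resource definitions. The Bicep template below is an added example for this post, not Microsoft's own sample: it pins a managed disk and one public IP to a single zone, and spreads a second public IP across all three zones. The resource group, its region and the resource names are assumptions; the region must offer availability zones.

```bicep
// Added example: zonal vs zone-redundant resources in one region.
// Assumed: an existing resource group in a region with availability zones.
// Deploy with: az deployment group create -g <rg> -f zones.bicep
targetScope = 'resourceGroup'

@description('Region taken from the resource group; it must offer availability zones (e.g. eastus).')
param location string = resourceGroup().location

@description('Zone to pin the zonal resources to.')
@allowed(['1', '2', '3'])
param zone string = '1'

// Zonal: a managed disk exists in exactly one zone. A VM that attaches it must be
// created in the same zone, and if that zone is lost the disk is unavailable.
resource zonalDisk 'Microsoft.Compute/disks@2023-04-02' = {
  name: 'disk-zonal-demo'
  location: location
  zones: [zone]
  sku: {
    name: 'Premium_LRS'
  }
  properties: {
    creationData: {
      createOption: 'Empty'
    }
    diskSizeGB: 32
  }
}

// Zonal: a Standard public IP pinned to the same single zone.
resource zonalPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-zonal-demo'
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  zones: [zone]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Zone-redundant: the same resource type listed in all three zones. The address
// stays reachable if any single zone fails.
resource zrPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-zone-redundant-demo'
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  zones: ['1', '2', '3']
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// Outputs make the placement visible after deployment.
output zonalDiskZones array = zonalDisk.zones
output zonalPipZones array = zonalPip.zones
output zoneRedundantPipZones array = zrPip.zones
```

The point to take from the outputs is that a zonal resource's availability is exactly the availability of one datacenter, while the zone-redundant IP carries no single-zone dependency. Anything you attach to the zonal disk (a VM, for instance) must be created in the same zone, so a zone choice made on one resource propagates to the rest of the workload.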

Azure Region and Availability Zone Overview

Region Pairs

Most regions are paired with another region within the same geography (e.g. US, Europe). These pairs are used to protect against natural disasters and full region outages: you can enable replication between the paired regions and fail over between them. Both regions sit within the same geography to stay in line with local data-protection legislation, but are at least 300 miles apart where possible to provide the additional protection. Some services replicate data to the paired region automatically, but most need recovery and replication services configured to allow for failover and data recovery in the secondary region. Note that some newer regions have no pair and rely on availability zones instead.

Region Pair Overview

Within a region pair, platform updates are rolled out to one region at a time, so mission-critical services that rely on region pairing for protection are not at risk of a full outage. During larger outages Azure also prioritises recovery of one region in each pair, ensuring at least one is restored as quickly as possible.
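Storage accounts are the clearest example of a service that replicates to the paired region automatically, and they also show that you never choose the secondary region yourself. The Bicep template below is an added example for this post (not Microsoft's sample code); it assumes an existing resource group and generates the account name. The redundancy SKU is a parameter so the same template can be deployed as LRS, ZRS, GRS or GZRS and the outputs compared.

```bicep
// Added example: storage redundancy choices and the paired region.
// Assumed: an existing resource group; the account name is generated.
targetScope = 'resourceGroup'

param location string = resourceGroup().location

@description('LRS/ZRS stay in the primary region; GRS/GZRS (and the RA- variants) also copy to the paired region.')
@allowed(['Standard_LRS', 'Standard_ZRS', 'Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS'])
param redundancy string = 'Standard_GZRS'

var geoRedundant = contains(['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS'], redundancy)

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stpair${uniqueString(resourceGroup().id)}' // 3-24 lowercase alphanumerics
  location: location
  kind: 'StorageV2'
  sku: {
    name: redundancy // redundancy is a SKU property, not a separate resource
  }
  properties: {
    // Baseline hardening unrelated to redundancy, but worth setting on every account.
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
  }
}

// The secondary is chosen by Azure: it is always the region's pair, you cannot pick it.
// For non-geo SKUs the property is absent, so the output is guarded.
output primaryRegion string = stg.properties.primaryLocation
output secondaryRegion string = geoRedundant ? stg.properties.secondaryLocation : 'none (not geo-redundant)'
output readableSecondary bool = startsWith(redundancy, 'Standard_RA')
```

Deployed with the default GZRS SKU in East US, `secondaryRegion` reports the pair (West US) without it ever appearing in the template. Two caveats matter for a recovery plan: replication to the pair is asynchronous, so the secondary can lag the primary, and the account does not fail over by itself; you trigger an account failover (or Microsoft does during a regional disaster), which is the "recovery services configured" part of the paragraph above.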

Sovereign Regions

On top of the regular regions, Azure also offers more isolated regions for data sovereignty, which separate data further from the main Azure infrastructure. These include the US DoD Central, US Gov and China regions, which are isolated regions for specific customers and partners. The DoD Central and US Gov regions host services required by the US government. The Chinese regions are operated by 21Vianet on behalf of Microsoft within China; Microsoft does not directly access or maintain these regions, but they allow services to be run in China.

Azure Management

We have discussed the physical infrastructure and how Microsoft groups and manages it. We will now look at the methods used to manage and organise Azure resources.

Azure Subscriptions

As mentioned previously, you need an Azure subscription to deploy resources into Azure. A subscription is linked to an Entra ID tenant, which authenticates users and authorises their access to resources. The subscription is a logical unit of management and billing: a user can access multiple subscriptions, each with a different billing model or a separate invoice. This allows organisations to split dev, test and production environments into individual subscriptions, each with its own access permissions and policies as needed.

Subscription Structure


Management Groups

Management Groups provide a model for managing multiple subscriptions together. They allow standardised governance conditions and permissions to be applied once; all subscriptions within a management group inherit them. Management groups give enterprise-grade management for all types of subscriptions and can be nested to allow multiple levels of control. A single directory can support 10,000 management groups, with a hierarchy up to six levels deep (not counting the root group or the subscription level), allowing control of the whole environment at scale.
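The nesting and inheritance described above can be built as code. The Bicep template below is an added example for this post, not Microsoft's own sample: it creates a two-level tree under an existing parent management group, moves a subscription into the lower level, and assigns one governance condition at the parent so that both groups and the subscription inherit it. The group names, the parent and the subscription ID are assumptions; the policy definition GUID is the well-known built-in "Allowed locations" policy.

```bicep
// Added example: a nested management-group tree with governance inherited downward.
// Assumed: deployed under an existing, non-root parent management group you control.
// Deploy with: az deployment mg create --management-group-id <parent> --location eastus \
//   -f mg-tree.bicep -p prodSubscriptionId=<subscription guid>
targetScope = 'managementGroup'

@description('The management group this deployment runs under; it becomes the root of the new tree.')
param parentMgId string = managementGroup().name

@description('Existing subscription to place under the Production group (placeholder, supply your own).')
param prodSubscriptionId string

@description('Regions that workloads under this tree may deploy to.')
param allowedLocations array = [
  'eastus'
  'eastus2'
]

// Level 1 under the parent. Management groups are tenant-level resources, so the
// resource is declared with scope: tenant() even though the deployment targets a group.
resource lzMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  scope: tenant()
  name: 'mg-landingzones'
  properties: {
    displayName: 'Landing Zones'
    details: {
      parent: {
        id: '/providers/Microsoft.Management/managementGroups/${parentMgId}'
      }
    }
  }
}

// Level 2: nested under Landing Zones (Azure allows up to six such levels).
resource prodMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  scope: tenant()
  name: 'mg-prod'
  properties: {
    displayName: 'Production'
    details: {
      parent: {
        id: lzMg.id
      }
    }
  }
}

// Move the subscription under Production. Everything assigned at the parent,
// Landing Zones or Production now applies to it by inheritance.
resource prodSub 'Microsoft.Management/managementGroups/subscriptions@2021-04-01' = {
  parent: prodMg
  name: prodSubscriptionId
}

// One governance condition, applied once at the deployment's own group (the parent)
// and inherited by the whole tree: the built-in "Allowed locations" policy.
// DoNotEnforce makes it audit-only so the example cannot block deployments while
// you verify the tree; switch enforcementMode to 'Default' afterwards.
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations'
  properties: {
    displayName: 'Restrict deployments to approved regions'
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
    enforcementMode: 'DoNotEnforce'
    parameters: {
      listOfAllowedLocations: {
        value: allowedLocations
      }
    }
  }
}

output treeRoot string = lzMg.id
output subscriptionPlacement string = prodSub.id
```

Because the policy assignment has no explicit scope it lands on the parent group, which is why a single assignment covers Landing Zones, Production and the subscription; moving the subscription to a different branch later changes what it inherits without touching the subscription itself. Deploy this under a dedicated test parent rather than the tenant root group, and keep the assignment in DoNotEnforce until you have confirmed which existing resources would be flagged.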

Management Structure

Resource Groups

Resource Group Overview

Each service deployed into Azure uses one or more resources, which are the building blocks of Azure. Resources are grouped into a logical container known as a Resource Group. A Resource Group can contain many resources, but each resource can exist in only one Resource Group, and groups cannot be nested. Resource Groups generally contain resources that share a lifecycle, e.g. a Virtual Machine together with its network interface, storage account, public IP address and so on, because when a resource group is deleted, all resources within it are also removed from Azure.

Azure access controls can also be applied at the resource group level: role-based access control (RBAC) allows roles to be assigned at multiple scopes, including the resource group. This means resource groups can also be used to grant users different levels of access to specific sets of resources.
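Two practical consequences of the last two paragraphs, resource-group-scoped RBAC and the delete-everything behaviour of the group, are shown in the Bicep template below. It is an added example for this post, not Microsoft's sample code, and assumes an existing resource group, an existing storage account in it, and two Entra ID group object IDs supplied at deployment time. The role definition GUIDs are the built-in Reader and Contributor roles, which are the same in every tenant.

```bicep
// Added example: RBAC scoped to a resource group and to a single resource, plus a
// delete lock. Assumed: an existing resource group and storage account; the
// principal object IDs are placeholders to be supplied at deployment.
targetScope = 'resourceGroup'

@description('Object ID of the auditors group (read everything in this resource group).')
param auditorsGroupId string

@description('Object ID of the app team group (manage one storage account only).')
param appTeamGroupId string

@description('Name of an existing storage account in this resource group.')
param storageAccountName string

// Built-in role definition IDs are fixed GUIDs, identical in every tenant.
var readerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae2')
var contributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Scope 1: the resource group. With no 'scope' property the assignment lands on the
// deployment target, and every resource in the group inherits it.
resource auditorsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, auditorsGroupId, readerRole) // must be a deterministic GUID
  properties: {
    roleDefinitionId: readerRole
    principalId: auditorsGroupId
    principalType: 'Group'
    description: 'Auditors: read-only over the whole resource group'
  }
}

// Scope 2: one resource. Contributor here lets the team manage the account but
// nothing else in the group (least privilege: narrow the scope, not just the role).
resource appTeamContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(stg.id, appTeamGroupId, contributorRole)
  scope: stg
  properties: {
    roleDefinitionId: contributorRole
    principalId: appTeamGroupId
    principalType: 'Group'
    description: 'App team: manage this storage account only'
  }
}

// Deleting the group deletes everything in it; a CanNotDelete lock on the group
// turns that into a deliberate two-step operation (remove lock, then delete).
resource noDelete 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-no-delete'
  properties: {
    level: 'CanNotDelete'
    notes: 'Shared-lifecycle group; remove the lock deliberately before deleting.'
  }
}

output readerAssignment string = auditorsReader.id
output contributorAssignment string = appTeamContributor.id
```

Role assignment names must be GUIDs, and deriving them with `guid()` from scope, principal and role keeps the template idempotent: redeploying updates the same assignment instead of failing on a duplicate. One caveat on the resource-scoped Contributor: on a storage account, Contributor can list the account keys, so it is effectively data-plane access as well as control-plane; if the team only needs to read or write blobs, a data role such as Storage Blob Data Contributor is the tighter choice.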

Summary

To summarise: your user account can be granted access to multiple subscriptions, each of which contains one or more resource groups holding the deployed resources, logically grouped for billing, access or lifecycle management. The management groups, subscriptions and resource groups Microsoft provides allow an Azure estate to be managed in a logical and structured manner.

Azure Architecture Overview
