
AZ-900 Certification Prep 4 - Describe the core architectural components of Azure

by Hongwoo 2025. 6. 17.

4.1 What is Microsoft Azure

Azure is a continually expanding set of cloud services that help you meet current and future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive global network.

 

When you're working with your own applications and business needs, you need to create an Azure account, and a subscription will be created for you. After you've created an Azure account, you're free to create additional subscriptions. For example, your company might use a single Azure account for your business and separate subscriptions for development, marketing, and sales departments. After you've created an Azure subscription, you can start creating Azure resources within each subscription.

 

 

4.2 Describe Azure physical infrastructure

The core Azure architecture is divided into two main groupings: the physical infrastructure and the management infrastructure.

 

Physical infrastructure

The physical infrastructure starts with datacenters (facilities with resources arranged in racks, with dedicated power, cooling and networking infrastructure). 

Azure has datacenters around the world, but these are not directly accessible: they are grouped into Azure Regions or Azure Availability Zones that are designed to help you achieve resiliency and reliability.

 

Regions

A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. 

Azure intelligently assigns and controls the resources within each region to ensure workloads are appropriately balanced.

When you deploy a resource in Azure, you need to choose a region.

 

Availability Zones

Availability zones are physically separate datacenters within an Azure region. 

Each availability zone is made up of one or more datacenters equipped with independent power, cooling and networking.

An availability zone is set up to be an isolation boundary: if one zone goes down, the others continue working.

Availability zones are connected through high-speed, private fiber-optic networks.

To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.

 

 

Use availability zones in your apps

You want to ensure your services and data are redundant so you can protect your information in case of failure.

When you host your own infrastructure, setting up redundancy requires that you create duplicate hardware environments; in Azure, this is done through availability zones.

You can use availability zones to make your application highly available by co-locating your compute, storage, networking, and data resources within an availability zone and replicating in other availability zones.

 

Availability zones are primarily for VMs, managed disks, load balancers and SQL DBs. Azure services that support availability zones fall into three categories:

- Zonal services: you pin the resource to a specific zone (e.g. VMs, managed disks, IP addresses)

- Zone-redundant services: the platform replicates automatically across zones (e.g. zone redundant storage, SQL DB)

- Non-regional services: services are always available from Azure geographies and are resilient to outages

 

Even with the additional resiliency that availability zones provide, it's possible that an event could be so large that it impacts multiple availability zones in a single region. → Region pairs

 

 

Region pairs

Most Azure regions are paired with another region within the same geography at least 300 miles away (e.g. West US and East US).

This allows for the replication of resources across a geography that helps reduce the likelihood of interruptions that affect the entire region. → provide reliable services and data redundancy.

E.g. if a region is affected, services are moved to the other region in its region pair.

Not all Azure services automatically replicate data or automatically fall back from a failed region to cross-replicate to another enabled region.

 

 

Additional advantages of region pairs

  • If an extensive Azure outage occurs, one region out of every pair is prioritized to make sure at least one is restored as quickly as possible for applications hosted in that region pair.
  • Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
  • Data continues to reside within the same geography as its pair for tax and law enforcement jurisdiction purposes.

 

Sovereign Regions

In addition to regular regions, Azure also has sovereign regions.

Sovereign regions are instances of Azure that are isolated from the main instance of Azure, which may be needed for compliance or legal purposes.

 

Examples:

1. US DoD Central, US Gov Virginia, etc.: These regions are physical and logical network-isolated instances of Azure for US Government agencies and partners.

2. China East, China North and more: These regions are available through a partnership, where Microsoft does not directly maintain the datacenters.

 

 

 

4.3 Describe Azure management infrastructure

The management infrastructure includes Azure resources and resource groups, subscriptions, and accounts. 

 

Azure resources and resource groups

A resource is the basic building block of Azure, e.g. VMs, virtual networks, DBs, are all resources within Azure.

Resource groups are groupings of resources: when you create a resource, it needs to be in a resource group.

A resource group can contain many resources, but a single resource can only be in one resource group.

Resources can be moved between resource groups; a moved resource is no longer part of its former resource group.

Resource groups can't be nested, so resource group B cannot be inside of resource group A.

 

Resource groups provide a convenient way to group resources together.

When you apply an action to a resource group, it applies to all resources within the resource group.

E.g. deleting a resource group, or granting or denying access to a resource group, applies to all the resources in the resource group.

 

E.g. if you are setting up a temporary dev environment, grouping all the resources together means you can deprovision all of the associated resources at once by deleting the resource group.

If you are provisioning compute resources that will need three different access schemas, it's best to group resources based on the access schema, and then assign access at the resource group level.

 

 

Azure subscriptions

In Azure, subscriptions are a unit of management, billing, and scale. 

Similar to how resource groups are a way to logically organize resources, subscriptions allow you to logically organize your resource groups and facilitate billing. 

 

Using Azure requires an Azure subscription. A subscription provides you with authenticated and authorized access to Azure products and services and also to provision resources.

An account can have multiple subscriptions, but it's only required to have one.

In a multi-subscription account, you can use the subscriptions to configure different billing models and apply different access-management policies.

Billing boundary: Multiple subscriptions for different types of billing requirements.

Access control boundary: Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures, e.g. departments within a business.

 

 

Create additional Azure subscriptions

You might choose to create additional subscriptions to separate:

- Environments: e.g. for development, testing, security

- Organizational structures

- Billing: costs are aggregated at the subscription level, so separate subscriptions make it easier to manage and track costs.

 

 

Management group, subscriptions, and resource group hierarchy

 

Examples of how you could use management groups:

Create a hierarchy that applies a policy: Limit VM locations to US West Region in a group called Production. This policy will inherit onto all the subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. → improved governance

 

Provide user access to multiple subscriptions: By moving multiple subscriptions under a management group, you can create one Azure role-based access control (Azure RBAC) assignment on the management group. Assigning Azure RBAC at the management group level means that all sub-management groups, subscriptions, resource groups, and resources underneath that management group would also inherit those permissions. One assignment on the management group can enable users to have access to everything they need instead of scripting Azure RBAC over different subscriptions.

 

10,000 management groups can be supported in a single directory.

A management group tree can support up to six levels of depth, excluding the root level or the subscription level.

Each management group and subscription can support only one parent.
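
An added example (not from the original notes or from Microsoft) that models the inheritance rules above, so you can see which principals end up with access to a resource and from which scope that access comes. The `Scope` class, `build_sample` and all names are constructed for illustration; nothing here calls an Azure API.

```python
# Added example: constructed hierarchy, not real Azure IDs or SDK calls.
MAX_MG_DEPTH = 6  # management group levels below the root, per the notes above

class Scope:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent  # exactly one parent
        self.assignments = []  # (principal, role) pairs assigned directly at this scope
        if kind == "mg" and self.mg_depth() > MAX_MG_DEPTH:
            raise ValueError(f"{name}: management group tree deeper than {MAX_MG_DEPTH}")

    def mg_depth(self):
        """Count management groups from this node upward, excluding the root."""
        depth, node = 0, self
        while node is not None and node.parent is not None:
            depth += node.kind == "mg"
            node = node.parent
        return depth

    def effective(self):
        """Direct assignments plus everything inherited from ancestor scopes."""
        result, node = [], self
        while node is not None:
            result += [(p, r, node.name) for p, r in node.assignments]
            node = node.parent
        return result

def build_sample():
    """root -> Production (mg) -> sub-sales -> rg-web -> vm-01, plus sub-dev under root."""
    root = Scope("root", "mg")
    prod = Scope("Production", "mg", root)
    sub_sales = Scope("sub-sales", "subscription", prod)
    sub_dev = Scope("sub-dev", "subscription", root)
    rg_web = Scope("rg-web", "resource_group", sub_sales)
    vm = Scope("vm-01", "resource", rg_web)
    prod.assignments.append(("ops-team", "Contributor"))  # one assignment on the mg
    rg_web.assignments.append(("web-devs", "Reader"))
    return {"root": root, "prod": prod, "sub_dev": sub_dev, "vm": vm}

if __name__ == "__main__":
    for principal, role, source in build_sample()["vm"].effective():
        print(f"vm-01: {principal} has {role} (assigned at {source})")
```

When reviewing access, the third field of each tuple is the useful part: it shows that a broad role on `vm-01` was granted at the management group, not on the resource itself.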

 

 

 

Module Assignment

1. How many resource groups can a resource be in at the same time?

One

 

2. What happens to the resources within a resource group when an action or setting at the Resource Group level is applied?

The setting is applied to current and future resources.

 

3. What Azure feature replicates resources across regions that are at least 300 miles away from each other?

Region pairs
