Azure Periodic Table | Data#3


Azure B2B


Azure business-to-business (B2B) is a secure collaboration method for sharing applications, services and data between organisations.

Azure B2B allows you to invite external users into your Azure AD tenant as guests using a simple invitation and enrolment service. The external party does not need to belong to an Azure AD tenant, and you do not manage their credentials: they authenticate with their home identity provider (or an emailed one-time passcode) and your tenant holds only a guest object for them.

Once an individual has been invited into your Azure AD tenant you can assign access to resources as appropriate, and you can apply Conditional Access policies (for example requiring MFA or a compliant device) to guest users to further strengthen the security posture around them. Guests are still principals in your directory, so review what they are allowed to see (the external collaboration settings control guest enumeration and invitation rights) and periodically review and remove guests that are no longer needed.

Azure B2C


Azure B2C, also known as Azure Active Directory B2C, is a business-to-consumer identity management service. It enables an organisation to manage and control customer sign-up, sign-in and profile management for its applications, while protecting customers' identities.

Azure B2C supports modern authentication protocols (OpenID Connect, OAuth 2.0 and SAML) as well as third-party identity providers such as Facebook, Amazon or a Microsoft consumer account.

Using Azure B2C enables an organisation to provide a branded registration and login experience. It also allows customers to authenticate with their preferred identity provider, while providing captured login, preference and conversion data for customers.

Multi Factor Authentication

Azure Multi Factor Authentication (MFA) provides a secure authentication mechanism that makes it significantly harder for attackers to compromise your resources, services or applications. Multi-factor authentication is one of the most effective controls an organisation can implement to prevent attackers from breaching systems and accessing sensitive information.

Multi-factor authentication is part of the following offerings:

  • Azure Active Directory Premium or Microsoft 365 Business – full featured use of Azure MFA using Conditional Access policies to require multi-factor authentication.
  • Azure AD Free, Azure AD Basic, or standalone Office 365 licenses – use the pre-created Conditional Access baseline protection policies (since replaced by Azure AD security defaults) to require multi-factor authentication for your users and administrators.
  • Azure Active Directory Global Administrators – a subset of Azure MFA capabilities are available as a means to protect global administrator accounts.

Azure Stack


Azure Stack is a family of on-premises hardware products that allow key Azure services to be consumed locally. Azure Stack Hub is an integrated system, operated by the customer or a service provider rather than by Microsoft, that delivers a subset of Azure services such as Virtual Machines, Web Apps and database-as-a-service.

Azure Stack enables customers to keep workloads on-premises and seamlessly move them to the Azure public cloud as needed. The software is proprietary and is purchased exclusively as an integrated system from hardware vendors such as Cisco, Dell, HPE and Lenovo.

Common to both Azure and Azure Stack Hub are the underlying architecture, management portal, and application model and development tools. Both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models are supported and you can use the same deployment tools for either Azure Stack Hub or Azure.

Azure Stack Hub addresses business and technical considerations such as regulation, data sovereignty, low latency, customisation and cloud costs. Its main use case is for software development that may be cheaper to develop on-premises and move to the cloud once ready for production.

Azure Stack Edge is a single compute appliance providing on-premises processing of data, including a subset of AI analytics, before streaming it to Azure.

Container Service


Azure Container Service (ACS) allowed you to deploy container orchestration tools such as Kubernetes, Docker Swarm and Distributed Cloud Operating System (DC/OS), which is based on Apache Mesos. Kubernetes is Microsoft's preferred container orchestration solution, and ACS has since been retired in favour of Azure Kubernetes Service (AKS), a managed Kubernetes offering.

Containerisation is often described as the evolution of virtualisation, but the isolation model is different. Containers allow multiple applications or services to run in isolation on a single host while sharing the host's OS kernel, relying on kernel features such as namespaces and cgroups rather than a hypervisor. That makes them lightweight, but it also makes the kernel a shared attack surface: a kernel vulnerability, or an over-privileged container (for example one running with host-level capabilities or a mounted Docker socket), can affect every container on the host, so containers should not be treated as the hard security boundary that separate VMs provide.

Virtual Machine Availability Set

The objective of a Virtual Machine Availability Set is to reduce the risk of its member virtual machines being unavailable at the same time. It provides a mechanism to ensure servers performing similar or the same roles are running in separate fault and update domains.

  • A fault domain can be thought of as a single rack in the data centre, so faults such as power supply issues and physical hardware issues are mitigated when VMs are spread across fault domains.
  • An update domain is a grouping of underlying servers that can be rebooted at the same time, usually for the purpose of maintaining the underlying servers.

For example, if you have an application that load balances client connections across two web servers, you would add both servers to the same Availability Set when you provision them. This ensures the two servers are not placed in the same fault domain or update domain. An additional advantage of using Availability Sets is that Microsoft's SLA guarantees connectivity to at least one of the virtual machines 99.95% of the time. Availability Zones are an alternative: in the example above, placing the two web servers in different Availability Zones would keep one of them available even if an entire data centre within an Azure region were lost, and Microsoft's SLA for that configuration is 99.99%.

Management Groups


Azure Management Groups allow the grouping of one or more subscriptions and other management groups to facilitate their management and governance.

Each subscription belongs to exactly one management group, so Azure Policy assignments and RBAC role assignments made at the management group level are inherited by every member subscription and the resources within them. As an example, you could create a hierarchy of Management Groups, each containing multiple subscriptions, based on company departments. Policies and permissions that apply to the whole company would be assigned at the root of the hierarchy and flow down to all other Management Groups and subscriptions, while department-specific policies and permissions would be assigned to Management Groups lower in the hierarchy. Because assignments at the root management group reach every subscription in the tenant, treat that scope as highly privileged and tightly restrict who can assign roles or policies there.

Azure Arc

Azure Arc is an infrastructure management service for complex distributed environments. It extends Azure management to servers, Kubernetes clusters and Azure data services running on-premises, at the edge or in other clouds, by projecting them into Azure Resource Manager as resources.

Azure Arc supports centralised and consistent practices by applying Azure policies to on-premises resources. Azure data services enabled by Azure Arc protect data workloads with Azure Security Center, using Advanced Threat Protection and Vulnerability Assessment. Services provisioned and protected by Arc can be managed natively from the Azure Portal regardless of where they are hosted.

At the time of writing Arc is in preview and supports Windows, Linux, Kubernetes, SQL, Web Apps and PostgreSQL, with other service types being on-boarded. Because of its preview status, Arc is currently provided at no cost.

Azure Automation


Azure Automation is a cloud-based orchestration service for the automated management of Azure and non-Azure environments. It provides dependable and consistent workflows for provisioning, operating and decommissioning workloads and resources.

The key capabilities of Azure Automation are:

  • Process Automation
  • Configuration Management
  • Update Management
  • Shared Capabilities
  • Orchestration across heterogeneous environments

Event Grid


Azure Event Grid is a service that can receive notifications from Azure services and applications when state changes occur and route those events to another destination.

Historically an event subscriber would poll an event publisher for new events, which wastes compute and network resources when nothing has changed. With Azure Event Grid, events from the source are pushed to the Event Grid service, which routes them to the subscriber or the service that needs to consume them. Compute and network resources are therefore only used when there is an actionable event.

This ability to connect data sources and event handlers enables developers to build scalable serverless applications, get near-real time notifications, have fully managed event delivery, speed-up automation and seamlessly connect their application to other Azure services.
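A subscriber that receives pushed events over a webhook has to prove it owns the endpoint and should reject deliveries it did not ask for. The following is an added example, not code from the original page or from Microsoft: it handles the Event Grid subscription validation handshake (echoing the validationCode from a Microsoft.EventGrid.SubscriptionValidationEvent), checks a shared secret that the (constructed) endpoint URL carries as a query parameter, and drops events raised on topics outside the subscription it expects. The secret, the subscription ID and the sample event bodies are constructed for the example.

```python
import json

# Constructed values for this example: the endpoint was registered with Event Grid as
# https://hook.example.invalid/events?code=<WEBHOOK_SECRET>, so Event Grid sends the
# secret back on every delivery and the handler can reject callers who do not know it.
WEBHOOK_SECRET = "constructed-example-secret"
# Only accept events raised on topics under this (constructed) subscription.
ALLOWED_TOPIC_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/"

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def handle_event_grid_post(headers, query, body):
    """Handle one HTTP POST from Event Grid and return (status_code, json_response).

    Event Grid delivers a JSON array of events. Before it delivers real events it
    proves endpoint ownership with a validation event, which the endpoint must
    answer with {"validationResponse": <validationCode>}.
    """
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if query.get("code") != WEBHOOK_SECRET:
        return 401, {"error": "missing or wrong endpoint secret"}

    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(events, list):
        return 400, {"error": "Event Grid delivers a JSON array of events"}

    if hdr.get("aeg-event-type") == "SubscriptionValidation":
        for ev in events:
            if ev.get("eventType") == VALIDATION_EVENT_TYPE:
                code = (ev.get("data") or {}).get("validationCode")
                if code:
                    return 200, {"validationResponse": code}
        return 400, {"error": "validation request without a validationCode"}

    accepted, rejected = [], []
    for ev in events:
        if not ev.get("topic", "").startswith(ALLOWED_TOPIC_PREFIX):
            rejected.append(ev.get("id"))  # raised on a topic we never subscribed to
            continue
        accepted.append({"id": ev.get("id"), "eventType": ev.get("eventType"),
                         "subject": ev.get("subject")})
    # Any 2xx tells Event Grid the batch is done; anything else makes it retry.
    return 200, {"accepted": accepted, "rejected": rejected}


# Constructed sample deliveries shaped like the Event Grid event schema.
STORAGE_TOPIC = ALLOWED_TOPIC_PREFIX + "resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stweb"
VALIDATION_CODE = "512AB3FB-CA2F-4CB8-ABC1-F5B1C6D3A9E2"

VALIDATION_BODY = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66", "topic": STORAGE_TOPIC, "subject": "",
    "eventType": VALIDATION_EVENT_TYPE, "eventTime": "2020-01-01T00:00:00Z",
    "data": {"validationCode": VALIDATION_CODE, "validationUrl": "https://validate.example.invalid/"},
    "dataVersion": "", "metadataVersion": "1",
}])

NOTIFICATION_BODY = json.dumps([
    {"id": "evt-1", "topic": STORAGE_TOPIC,
     "subject": "/blobServices/default/containers/uploads/blobs/report.pdf",
     "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2020-01-01T00:00:01Z",
     "data": {"url": "https://stweb.blob.core.windows.net/uploads/report.pdf"},
     "dataVersion": "", "metadataVersion": "1"},
    {"id": "evt-2",  # same event type, but from a subscription we do not own
     "topic": "/subscriptions/ffffffff-ffff-ffff-ffff-ffffffffffff/resourceGroups/other/providers/Microsoft.Storage/storageAccounts/stother",
     "subject": "/blobServices/default/containers/x/blobs/y",
     "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2020-01-01T00:00:02Z",
     "data": {}, "dataVersion": "", "metadataVersion": "1"},
])

if __name__ == "__main__":
    print(handle_event_grid_post({"aeg-event-type": "SubscriptionValidation"}, {"code": WEBHOOK_SECRET}, VALIDATION_BODY))
    print(handle_event_grid_post({"Aeg-Event-Type": "Notification"}, {"code": WEBHOOK_SECRET}, NOTIFICATION_BODY))
```

The query-string secret is the simplest webhook protection Event Grid offers; for production endpoints Azure AD-based authentication of the delivery is the stronger option, and the topic check still applies because the handshake only proves that Event Grid can reach you, not who created the subscription.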

Stream Analytics


Azure Stream Analytics is a powerful real-time event processing engine that can process and analyse massive amounts of data from multiple sources simultaneously. The power of Stream Analytics means patterns and data relationships can be identified from IoT devices, social media feeds, clickstreams and applications. Workflows can be designed to be initiated after identified patterns are triggered, initiating reports, alerting or capturing of the data for later analysis.

Azure Stream Analytics is ideal for the following scenarios:

  • Capture and analysis of real-time telemetry from IoT devices
  • Insights into web logs and clickstream analytics
  • Geospatial analytics
  • Remote monitoring and predictive maintenance
  • Point of Sale telemetry

Notification Hubs


The notifications you see in the Microsoft Authenticator app from Azure Multi Factor Authentication (MFA) are delivered through Azure Notification Hubs. Azure Notification Hubs allows you to send push notifications to mobile devices at massive scale. It can be connected to any back-end platform and supports all major platform notification services, such as Apple Push Notification service (APNs), Firebase Cloud Messaging (FCM) and Windows Notification Service (WNS).

Logic Apps


Azure Logic Apps provide a serverless process and workflow engine, allowing complex data processing and integration tasks using a no-code graphical user interface.

Using the same engine as Microsoft Flow (now Power Automate), Azure Logic Apps is aimed at the enterprise and developer market rather than the business-centric "citizen developer" audience that Flow serves. Unlike Flow, Azure Logic Apps can be developed and deployed from Visual Studio, with testing and source control provided through Azure DevOps.

Featuring over 200 connectors, Azure Logic Apps can integrate with standardised web technologies such as REST, as well as many first and third-party proprietary platforms such as SQL, Office 365, SharePoint, Dynamics 365, Twitter, SalesForce, Google services and other Azure services. On-premises data can also be integrated in a secure manner by using the on-premises Data Gateway, allowing Logic Apps to integrate with platforms such as BizTalk, SQL Server and Oracle.

Web App


Web Apps, part of Azure App Service, are Azure's Platform as a Service (PaaS) offering for hosting web applications, deployed quickly with built-in high availability and scalability. Your app can scale automatically, vertically or horizontally, at peak times and scale back down when the extra resources are no longer required.

Web Apps are easy to troubleshoot with remote debugging. You can also gain instant insights into your App from Azure Monitor and Application Insights. Furthermore, it provides integration with source control tools such as GitHub, BitBucket and Azure DevOps which allows the automation of your App deployment with CI/CD pipelines. Plus you can leverage the built-in Azure Active Directory (AD) integration to provide SSO with all SaaS applications federated with Azure AD, or use major identity providers such as Google and Facebook as an identity source.

Application Service Environment

If you work in the modern service world you are likely to be consuming platform and serverless workloads, and you may reach a tipping point where many applications fill your All Resources view.

The App Service Environment (ASE) is a dedicated, single-tenant deployment of Azure App Service into your own virtual network. It allows application, API and data platform consolidation while providing benefits such as: TLS certificates for individual applications, private VNet hosting, native Layer 7 load balancing, deployment slots for switching between development cycles and testing in production, stress testing, and rich application code inspection and insights. App Service itself is available in multiple pricing tiers so you can select the most appropriate hosting platform for your needs; the ASE corresponds to the Isolated (Dedicated) tier.

  • Free – prototype and sandpit
  • Shared – development and testing
  • Basic – dedicated development and testing
  • Standard – production, non-critical
  • Premium – enhanced and scalable production
  • Dedicated (Isolated) – high performance, isolated and mission critical

If you are serious about hosting modern business systems, and in particular if applications must not share compute or network with other tenants, then the ASE should be considered for its benefits and scaling capability.

Cognitive Services Search

Azure Cognitive Services (Search) is a collection of application programming interfaces (APIs) that enable developers to easily add powerful ad-free search engine capabilities to applications.

Leveraging the web-scale power of Bing, search can be performed across web pages, images, videos and news. The ten APIs in this grouping are:

  • Bing Spell Check – contextual, multi-lingual spell checking
  • Bing Web Search – ad-free, safe search and location-aware searching
  • Bing Visual Search – similar image and product identification, knowledge acquisition from images
  • Bing Video Search – ad-free video search, topic and trend identification
  • Bing Image Search – ad-free image search
  • Bing News Search – ad-free news search, topic and trend identification
  • Bing Entity Search – named entity recognition and classification
  • Bing Autosuggest – search query auto-complete
  • Bing Local Business Search – find local business results
  • Bing Custom Search – custom search engine creation

Cognitive Services Vision

Azure Cognitive Services (Vision) is a collection of application programming interfaces (APIs) that enable developers to easily add image recognition, classification, facial detection, video analysis, document content extraction and handwriting recognition to applications. The six APIs in this grouping are:

  • Computer Vision – image processing and classification
  • Face – facial detection and recognition
  • Video Indexer – video and audio insights
  • Form Recognizer – data extraction from documents
  • Ink Recognizer – digital ink and handwriting detection
  • Custom Vision Service – build your own image classifier

Work Account


A work account is an extension of your current on-premises credentials into Azure Active Directory (AD). Utilising Azure AD Connect you can federate or synchronise your existing accounts into Azure. Work accounts offer significant sign-on benefits, such as seamless single sign-on for Microsoft hosted SaaS applications, as well as your own applications hosted in Azure.

Work accounts are considered hybrid in the sense that the source of identity truth exists within the existing domain infrastructure and is extended into the Azure AD ecosystem. Using features such as password hash synchronisation and seamless single sign-on, users can authenticate to existing on-premises applications and services as well as cloud-hosted applications without multiple authentication prompts. Work accounts are also protected by the identity protection features built into Azure AD, such as Azure AD Password Protection (banned password lists), Conditional Access, Multi Factor Authentication and more. Note that the hybrid link runs both ways from an attacker's perspective: the Azure AD Connect server holds credentials for both directories and should be protected as a Tier 0 asset alongside your domain controllers.

Microsoft Account


Your Microsoft account is the starting place for onboarding into Azure and Office 365. When you establish a new Microsoft account for Azure, you are registering your company against the @OnMicrosoft.com namespace. For example if your company name was Contoso, the first account you would establish would use the %Name%@contoso.onmicrosoft.com domain name.

It is recommended to maintain at least two cloud-only @onmicrosoft.com accounts within an Azure Active Directory (Azure AD) tenant for emergency use. Emergency access accounts help organisations restrict privileged access within an existing Azure AD environment. Such accounts are highly privileged and should not be assigned to specific individuals. Because they exist for the scenarios below, they are typically excluded from the Conditional Access and MFA policies that could lock them out, which makes it essential to store their credentials securely (for example split between two custodians in a safe), monitor every sign-in and alert on any use.

Emergency access accounts should be limited to emergency or break glass scenarios; situations where normal administrative accounts cannot be used. An organisation might need to use an emergency access account in the following situations:

  • The user accounts are federated, and federation is currently unavailable because of a cell-network break or an identity provider outage. For example, if the identity provider host in your environment has gone down, users might be unable to sign in when Azure AD redirects to their identity provider
  • The administrators are registered through Azure Multi-Factor Authentication (MFA), and all their individual devices are unavailable. Users might be unable to complete MFA to activate a role. For example, a mobile network outage is preventing them from answering phone calls or receiving text messages, the only two authentication mechanisms that they registered for their device
  • The person with the most recent global administrative access has left the organisation. Azure AD prevents the last global administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organisation unable to recover the account

Organisations can elect to only use the Microsoft provided Azure AD tenant for authentication and access control. For on-premises integration with existing domains please refer to the Work Account tile.
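The three scenarios above each translate into a property an emergency access account must have: a cloud-only *.onmicrosoft.com UPN (so federation outages cannot block it), no synchronisation from on-premises AD (so it cannot be deleted or disabled there), and membership of the Global Administrator role. The following is an added example, not code from the original page or from Microsoft, that audits a set of designated break-glass accounts against those requirements using a constructed directory snapshot with Microsoft Graph-style attribute names (userPrincipalName, accountEnabled, onPremisesSyncEnabled); the tenant domain, account names and role membership are all constructed.

```python
# Constructed cloud-only domain of the tenant; break-glass accounts must live here
# rather than on a federated or synchronised custom domain.
TENANT_CLOUD_DOMAIN = "contoso.onmicrosoft.com"
MIN_BREAK_GLASS_ACCOUNTS = 2


def audit_break_glass(candidates, users_by_upn, global_admin_upns):
    """Check each designated emergency access account against the requirements.

    Returns (compliant_upns, findings), where findings is a list of
    (upn_or_scope, [problem, ...]). users_by_upn maps a UPN to a user object with
    Microsoft Graph-style attribute names; global_admin_upns lists the UPNs that
    hold the Global Administrator role.
    """
    admins = {u.lower() for u in global_admin_upns}
    compliant, findings = [], []
    for upn in candidates:
        user = users_by_upn.get(upn)
        problems = []
        if user is None:
            problems.append("account not found in the directory")
        else:
            if not user.get("accountEnabled", False):
                problems.append("account is disabled")
            if not upn.lower().endswith("@" + TENANT_CLOUD_DOMAIN):
                problems.append("UPN is not on the *.onmicrosoft.com domain, so a federation "
                                "or identity provider outage could lock it out")
            if user.get("onPremisesSyncEnabled"):
                problems.append("synchronised from on-premises AD, so it could be deleted "
                                "or disabled on-premises")
            if upn.lower() not in admins:
                problems.append("not a member of the Global Administrator role")
        if problems:
            findings.append((upn, problems))
        else:
            compliant.append(upn)
    if len(compliant) < MIN_BREAK_GLASS_ACCOUNTS:
        findings.append(("tenant", [f"only {len(compliant)} compliant emergency access "
                                    f"account(s); at least {MIN_BREAK_GLASS_ACCOUNTS} are recommended"]))
    return compliant, findings


# Constructed directory snapshot: one good account, one on a federated custom
# domain, and one that is synchronised from on-premises AD.
USERS = {u["userPrincipalName"]: u for u in [
    {"userPrincipalName": "bg-admin-01@contoso.onmicrosoft.com", "accountEnabled": True, "onPremisesSyncEnabled": None},
    {"userPrincipalName": "bg-admin-02@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": None},
    {"userPrincipalName": "svc-ga@contoso.onmicrosoft.com", "accountEnabled": True, "onPremisesSyncEnabled": True},
]}
GLOBAL_ADMINS = ["bg-admin-01@contoso.onmicrosoft.com", "bg-admin-02@contoso.com", "svc-ga@contoso.onmicrosoft.com"]
BREAK_GLASS_CANDIDATES = ["bg-admin-01@contoso.onmicrosoft.com", "bg-admin-02@contoso.com", "svc-ga@contoso.onmicrosoft.com"]

if __name__ == "__main__":
    ok, issues = audit_break_glass(BREAK_GLASS_CANDIDATES, USERS, GLOBAL_ADMINS)
    print("compliant:", ok)
    for scope, problems in issues:
        print(scope, "->", "; ".join(problems))
```

In a real tenant the user objects and role membership would come from Microsoft Graph (users and directory role members); the checks themselves do not change. Pair this with an alert on any sign-in by these accounts, since a break-glass account in normal use is itself a finding.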

Role Based Access Control

Role Based Access Control (RBAC) is a common security methodology, and Azure provides a flexible solution for granting the appropriate permissions to resources. For nearly every resource in Azure you can apply granular permissions to nominated users, groups and service principals through the "Access Control (IAM)" blade at the resource, resource group, subscription or management group level. Note that Azure AD directory roles (such as Global Administrator) and Azure resource RBAC are separate permission systems: a Global Administrator has no rights over Azure resources until they explicitly elevate their access, and that elevation is recorded in the activity log and should be alerted on.

  • Azure Active Directory (Tenant) The starting place for top-level permissions. Here you will find the Global Administrator role along with over 70 built-in roles that grant access to the various services and offerings. Use these roles to grant the minimal set of permissions that your IT and nominated staff require. With Azure Active Directory Premium P2 you can use Privileged Identity Management (PIM) to apply approval-based, time-limited activation when stepping up permissions. Always treat Global Administrator as the most sensitive role and heavily restrict membership, just as you would for Schema, Enterprise and Domain Admins in on-premises AD
  • Subscriptions The second level of permissions, with predefined role definitions (Owner, Contributor, Reader and many service-specific roles). Assignments here apply to everything in the subscription
  • Resource Group The third level of delegation, where you can grant access to a limited subset of resources grouped by commonality
  • Resource The last level, with the option of granting access to a single resource

Assignments are additive and inherit downwards: a role assigned at a higher scope applies to every child scope, so always assign at the narrowest scope that does the job.
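Both the Management Groups tile and the RBAC tile describe the same evaluation: walk from the target resource up through resource group, subscription and management groups, and permit the action if any role assigned to the principal along that path covers it. The following is an added example, not code from the original page or from Microsoft, that models that evaluation in pure Python. The management group hierarchy, the principals, the assignments and the "VM Operator" custom role are constructed; the Reader and Contributor definitions are abbreviated versions of the real built-in roles (Contributor's NotActions list is longer in Azure), and deny assignments are deliberately not modelled.

```python
import re
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy: tenant root MG "root" -> MG "platform" -> subscription "sub-prod".
MG_PARENT = {"root": None, "platform": "root"}
SUBSCRIPTION_MG = {"sub-prod": "platform"}


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()   # carved out of *this* role only; not a deny on other roles


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


def ancestors(scope):
    """Yield a scope followed by every scope above it (RG, subscription, MGs)."""
    yield scope
    mg = None
    if scope.startswith("/subscriptions/"):
        parts = scope.strip("/").split("/")   # subscriptions/<sub>/resourceGroups/<rg>/providers/...
        sub = parts[1]
        if len(parts) > 4 and parts[2].lower() == "resourcegroups":
            yield f"/subscriptions/{sub}/resourceGroups/{parts[3]}"
        if len(parts) > 2:
            yield f"/subscriptions/{sub}"
        mg = SUBSCRIPTION_MG.get(sub)
    elif scope.startswith(MG_PREFIX):
        mg = MG_PARENT.get(scope[len(MG_PREFIX):])
    while mg:
        yield MG_PREFIX + mg
        mg = MG_PARENT.get(mg)


def _matches(pattern, action):
    # Azure action strings use '*' as a wildcard and compare case-insensitively.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action, re.IGNORECASE) is not None


def role_permits(role, action):
    return (any(_matches(p, action) for p in role.actions)
            and not any(_matches(p, action) for p in role.not_actions))


def is_permitted(principal, action, scope, assignments, roles):
    """Permitted if any assignment for the principal at the target scope or an
    ancestor scope carries a role whose Actions cover the action and whose
    NotActions do not. Permissions are additive; nothing here can subtract."""
    visible = {s.lower() for s in ancestors(scope)}
    return any(a.principal == principal and a.scope.lower() in visible
               and role_permits(roles[a.role], action)
               for a in assignments)


ROLES = {
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "Contributor": RoleDefinition("Contributor", ("*",),
                                  ("Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action")),
    # Constructed custom role: can see and (re)start VMs but not create or delete them.
    "VM Operator": RoleDefinition("VM Operator", ("Microsoft.Compute/virtualMachines/read",
                                                  "Microsoft.Compute/virtualMachines/start/action",
                                                  "Microsoft.Compute/virtualMachines/restart/action")),
}

# Constructed assignments at three different scopes.
ASSIGNMENTS = [
    RoleAssignment("sec-auditors", "Reader", MG_PREFIX + "root"),
    RoleAssignment("app-team", "Contributor", "/subscriptions/sub-prod/resourceGroups/rg-web"),
    RoleAssignment("ops-oncall", "VM Operator", "/subscriptions/sub-prod"),
]
VM_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DB = "/subscriptions/sub-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/vm-db-01"

if __name__ == "__main__":
    for who, what, where in [("sec-auditors", "Microsoft.Compute/virtualMachines/read", VM_DB),
                             ("app-team", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
                             ("ops-oncall", "Microsoft.Compute/virtualMachines/delete", VM_DB)]:
        print(who, what, is_permitted(who, what, where, ASSIGNMENTS, ROLES))
```

The Contributor check is the one worth remembering: its "*" covers every action, but the NotActions entries for Microsoft.Authorization mean a Contributor cannot grant roles or elevate access, which is exactly why handing out Owner instead of Contributor is a privilege escalation path.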

Virtual Machines

Azure Virtual Machines are the core workload within Azure, accounting on average for around 70% of customer consumption, so selecting the right VM for a particular workload is a critical decision. With 175 different VM sizes available it can be challenging to select the right size to balance cost against performance.

VM sizes can be categorised into the following top-level workload specifications:

  • General purpose VM sizes provide balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers

    • A v2 Series including A1_v2, A2_v2, A2m_v2, A4_v2, A4m_v2, A8_v2 and A8m_v2
    • B Series including B1s, B1ms, B2s, B2ms, B4ms, B8ms, B1ls, B12ms, B16ms and B20ms
    • D v2\v3 Series including D1_v2, D2_v2, D2_v3, D3_v2, D4_v2, D4_v3, D5_v2, D8_v3, D11_v2, D12_v2, D13_v2, D14_v2, D15_v2, D15i_v2, D16_v3, D32_v3, D48_v3 and D64_v3
  • Compute optimised VM sizes have a high CPU-to-memory ratio. These sizes are good for medium traffic web servers, network appliances, batch processes, and application servers.

    • F v2 Series including F2s_v2, F4s_v2, F8s_v2, F16s_v2, F32s_v2, F48s_v2, F64s_v2 and F72s_v2
  • Storage optimised VM sizes offer high disk throughput and IO, and are ideal for Big Data, SQL, NoSQL databases, data warehousing, and large transactional databases.

    • L v2 Series including L8s_v2, L16s_v2, L32s_v2, L48s_v2, L64s_v2, L80s_v2 and L96s_v2
  • Memory optimised VM sizes offer a high memory-to-CPU ratio that are great for relational database servers, medium to large caches, and in-memory analytics.

    • E and M Series including E2_v3, E4_v3, E8_v3, E16_v3, E20_v3, E32_v3, E48_v3, E64_v3, M16s, M32s, M64s, M128s, M208s_v2, M416s_v2
  • GPU optimised VM sizes are specialized virtual machines available with single or multiple NVIDIA GPUs. These sizes are designed for compute-intensive, graphics-intensive, and visualization workloads.

    • N Series including NC6, NC6s_v3, NC12, NC12s_v3, NC24, NC24R, NC24rs_v3, NC24s_v3, NV6, NV12, NV12s_v3, NV24, NV24s_v3 and NV48s_v3
  • High performance computing VM sizes are designed to deliver leadership-class performance, MPI scalability, and cost efficiency for a variety of real-world HPC workloads.

    • H Series including H8, H8m, H16, H16m, H16mr, H16r, HB60rs, HB120rs_v2, HC44rs

VM sizes allow a great deal of flexibility, with CPU and memory ranging from 1 vCPU and 0.5 GiB of memory to a staggering 416 vCPUs and 11.4 TiB of memory.

Virtual Machine Scale Set

Azure Virtual Machine Scale Sets enable customers to provision elastic services that dynamically expand and retract to align with current workloads.

These sets or groups contain identical, load balanced Virtual Machines (VMs) that grow and shrink in number by either schedule or when demand increases. When demand subsides the additional VMs are powered off to save costs.

Azure Virtual Machine Scale Sets also work as a High Availability solution for your applications or workloads. These sets are centrally managed as a single unit, so management is a breeze.

Azure Monitor


Azure Monitor provides a solution to monitor the performance and health of your cloud resources.

In addition to collecting performance metrics and logs to analyse the health of your resources, Azure Monitor provides insights as to how your applications are performing, diagnoses errors and produces alerts to notify you of critical conditions.

Azure Monitor can be configured to take specific actions when alerts are generated. It can auto-scale resources to meet demand requirements.

Azure Monitor can integrate with your current service management platform through IT service management (ITSM) connectors to create incidents and alerts.

Azure Alert

Azure Alerts is a sub capability of the unified monitoring experience within Azure known as Azure Monitor. By setting up rules to monitor resources, conditions and to perform actions, Azure Alerts can proactively notify IT admins when issues are detected.

Azure Alerts can send notifications based on metric values, log search queries, activity log events, health of the underlying Azure platform and synthetic transactions for website availability.

Alert data can be visualised on Azure Dashboards, Azure Monitor Views, Power BI or interactive workbook documents.

Subscription


A Subscription enables you to run services and infrastructure within Azure. A subscription can be likened to a data center and is a blank canvas for workload deployments. Subscriptions are provisioned under different offers allowing for flexibility and consumption under different types of billing account.

  • Microsoft Online Services Program An individual billing account for a Microsoft Online Services Program is created when you sign up for Azure through the Azure website, for example when you sign up for an Azure Free Account, an account with pay-as-you-go rates, or as a Visual Studio subscriber.
  • Enterprise Agreement A billing account for an Enterprise Agreement is created when your organisation signs an Enterprise Agreement (EA) to use Azure.
  • Microsoft Customer Agreement A billing account for a Microsoft Customer Agreement is created when your organisation works with a Microsoft representative to sign a Microsoft Customer Agreement. Some customers in select regions, who sign up through the Azure website for an account with pay-as-you-go rates or upgrade their Azure Free Account may have a billing account for a Microsoft Customer Agreement as well.

After selecting the most appropriate billing account you need to select the offer that will be used for the subscription. Different offer types are available, with differences in features, pricing, billing and contract terms.

Event Hubs


Azure Event Hubs is a service that can ingest millions of events per second from any source. This ability to collect big data facilitates real-time analytics that can unlock valuable insights, enabling rapid response to business challenges.

Event Hubs integrates with other Azure services as well as Apache Kafka clients and applications such as Mirror Maker, Apache Flink and Akka streams.

Azure IoT Hub


Azure IoT Hub is a fully managed cloud PaaS service that acts as the gateway for IoT devices that connect to an Azure IoT solution.

The Azure IoT Hub can connect millions of devices and receive millions of messages per second from supported devices. Azure IoT Hub can also be used to provision, configure and manage IoT devices, and it authenticates each device individually using a per-device identity backed by a symmetric key or an X.509 certificate.

Azure IoT Hub can also be connected to data processing services such as Azure Machine Learning, Azure Stream Analytics, Azure database services or even Microsoft Dynamics 365; enabling businesses to gain insight and take action based on data received from IoT connected devices.

Service Bus


Microsoft Azure Service Bus is an enterprise multi-tenant cloud-based messaging service which allows asynchronous communication between two or more decoupled systems or endpoints.

Decoupling the sender and receiver brings many advantages, such as not requiring both sides to be online at the same time, therefore removing any impacts due to disconnections, outages, updates or maintenance on the involved systems. Furthermore, it improves reliability and performance and as a Platform as a Service (PaaS) it brings all the scalability and high-availability of the cloud.

The overarching service is divided into the following offerings:

  • Queues
  • Topics and Subscriptions
  • Relays

The following protocols are available when using Azure Service Bus:

  • Advanced Message Queuing Protocol (AMQP)
  • Service Bus Messaging Protocol (SBMP)
  • HTTP

Typical use cases are shopping carts, order processing, logging, event-driven applications, notifications, firewalled systems, inter-bank transactions, quotes, settlements, claims processing and many more.

Azure Service Bus Queues Queues allow asynchronous communication between distributed systems. Queues are ideal for one-direction communication: on one side of the queue you have the producer(s), and on the other side one or more competing consumers, with each message delivered to only one of them. All messages are written to the queue's persistent storage and are either consumed or expire. Each message carries a unique ID, and messages are generally delivered in first-in, first-out (FIFO) order; strict FIFO is only guaranteed when message sessions are used. Delivery in the default peek-lock mode is at-least-once, because an abandoned message or an expired lock causes redelivery, so consumers should be idempotent.

As an example take an e-commerce website where users enter orders. Let’s say your application is hosted in Australia East and is composed of a UI with an API layer sitting behind, which writes orders to a database. Your clients are growing quickly, not only in Australia but in the US as well. One option would be to set up the same architecture in the US datacenter, but then you would have to replicate the databases so they are consistent, and this is usually costly and there are latency concerns. So instead you put a worker role and service bus between the API layer and the database layer so that the transaction can be picked up from the service bus queue by the worker role, and committed to the local database, and sent to the service bus queue in the other data centre to be committed in the other database.

There are many other examples when you don’t want to wait for a task to be processed. You could queue a message for report generation, image processing, video processing, email to be sent, provisioning users, etc.

Azure Service Bus Topics and Subscriptions Topics and Subscriptions are very similar to queues in that they are also one-direction communication, but instead of producers and consumers they follow a publisher/subscriber model. You may have one or more topics, each with one or more subscriptions. Once a message reaches the topic it is copied into the queue of every subscription whose filter rules match it.

Let’s take as an example an online retail store which sells shoes. They work hard to have all products in stock but sometimes orders get delayed, or for whatever reason that product is not available. Instead of displaying an out-of-stock message on their website, they first check with other suppliers if they can fulfil that order and increase customer satisfaction. This is where Topics and Subscriptions is useful. Once the shoe retailer checks against their database the product is not in stock, a message is sent to a service bus topic, which is distributed to several partner suppliers who are subscribers to that topic. The suppliers evaluate the message and if the product is available they send another message to a queue stating they can fulfil the order. Back in the website the order is completed.
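The queue and topic behaviours described above (one copy per matching subscription, peek-lock delivery, redelivery on abandon, dead-lettering once a message has been attempted too often) are easiest to see with a small in-memory model. The following is an added example, not code from the original page and not the Azure Service Bus SDK: it reproduces those semantics for the shoe-retailer scenario, with the supplier subscriptions, filter rules and order message all constructed. Lock expiry is modelled as an explicit abandon, and the default MaxDeliveryCount of 10 is lowered on one subscription so the dead-letter path is exercised.

```python
import copy
import itertools
from dataclasses import dataclass


@dataclass
class Message:
    body: dict
    properties: dict            # application properties, what subscription rules filter on
    sequence_number: int = 0
    delivery_count: int = 0


class Subscription:
    """One subscription on a topic: a filter rule plus its own message store."""

    def __init__(self, name, rule, max_delivery_count=10):
        self.name = name
        self.rule = rule                      # callable(properties) -> bool, like a SQL or correlation filter
        self.max_delivery_count = max_delivery_count
        self.active = []                      # deliverable messages, oldest first
        self.locked = {}                      # sequence_number -> message held under peek-lock
        self.dead_letter = []                 # (message, reason)

    def deliver(self, message):
        if self.rule(message.properties):     # rules are evaluated when the message arrives
            self.active.append(message)

    def receive(self):
        """Peek-lock receive: the message stays in the subscription until completed."""
        if not self.active:
            return None
        message = self.active.pop(0)
        message.delivery_count += 1
        self.locked[message.sequence_number] = message
        return message

    def complete(self, message):
        del self.locked[message.sequence_number]

    def abandon(self, message):
        """Release the lock. Service Bus does the same when a lock expires, so a
        consumer that crashes mid-message also burns one delivery attempt."""
        del self.locked[message.sequence_number]
        if message.delivery_count >= self.max_delivery_count:
            self.dead_letter.append((message, "MaxDeliveryCountExceeded"))
        else:
            self.active.insert(0, message)    # back to the head: still the oldest message


class Topic:
    def __init__(self):
        self.subscriptions = []
        self._seq = itertools.count(1)

    def subscribe(self, name, rule, **kwargs):
        sub = Subscription(name, rule, **kwargs)
        self.subscriptions.append(sub)
        return sub

    def send(self, body, **properties):
        seq = next(self._seq)
        for sub in self.subscriptions:        # every matching subscription gets its own copy
            sub.deliver(Message(copy.deepcopy(body), dict(properties), sequence_number=seq))
        return seq


def stock_check_demo():
    """Constructed scenario: one out-of-stock message fans out to the suppliers
    whose subscription rules match its properties; one consumer keeps failing."""
    topic = Topic()
    eu = topic.subscribe("supplier-eu", lambda p: p.get("region") == "EU", max_delivery_count=3)
    us = topic.subscribe("supplier-us", lambda p: p.get("region") == "US")
    audit = topic.subscribe("audit-all", lambda p: True)
    topic.send({"orderId": "ord-1001", "sku": "shoe-42"}, region="EU", category="footwear")
    for _ in range(3):                        # EU supplier's consumer fails three times
        eu.abandon(eu.receive())
    audit.complete(audit.receive())           # audit consumer processes it normally
    return {"eu_dead_lettered": len(eu.dead_letter), "eu_active": len(eu.active),
            "us_active": len(us.active), "audit_active": len(audit.active)}


if __name__ == "__main__":
    print(stock_check_demo())
```

The dead-letter sub-queue is the part worth wiring up operationally: messages land there silently, so a consumer bug or a poison message shows up as a growing dead-letter count rather than an error, and it should be monitored and alerted on like any other queue.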

Azure Service Bus Relays Relays are not like queues or topics and subscriptions. Communication is bidirectional, and both endpoints need to be active for the communication to happen. Relays don't store messages but instead act as a bridge between two systems. Relays are created and deleted automatically. They are well suited to connecting systems that sit behind firewalls or proxies: the on-premises side establishes an outbound connection to the relay, so no inbound ports need to be opened. Good examples of Azure Service Bus Relay in use are the Azure AD Application Proxy connector and the pass-through authentication agent installed by Azure AD Connect, both of which use a relay to reach Azure AD from the on-premises network over outbound connections only.

Functions


Azure Functions allow you to create and run code in the cloud without having to support or provision the underlying server infrastructure.

Think of Azure Functions as microservices – they are a piece of code that perform a particular task in the cloud, such as writing a message to an Azure storage queue, and they are event driven. Triggers start the function running. They listen for a particular event and when it occurs they kick-off the function. Examples of triggers are http requests, a file being written to blob storage or a timer that schedules the function to run. You can also make data from external services available to your function through the use of input bindings, whilst output bindings provide a means to write data to an external service (such as the example above of writing to a storage queue).

You are only charged for Azure Functions when they are actually executed, so there is no need to pay for compute resources that are waiting to run code (which you would be doing in a more traditional server-based architecture).

Azure Functions support a wide variety of languages including C#, JavaScript, PowerShell (currently in Preview), Python and more. They also support integration with many other services such as Azure CosmosDB, Azure Event Hubs, Azure Storage, and on-premises integration using Service Bus.

API Apps


A key component of Azure's App Service platform, API Apps provide exceptional scalability and agility to your application hosting infrastructure.

With multiple language support, you have the ability to transform your services, move away from traditional IaaS and take advantage of dynamic scale, continuous deployment and reduced cost. Currently supported languages are:

  • .NET
  • Node.js
  • PHP
  • Java
  • Python
  • HTML
  • Custom Windows Container

Added benefits include on-premises connectivity support that allows you to extend and enhance your current solutions into Azure. API Apps also leverage the full suite of Azure authentication services including OAuth, Azure Active Directory, B2B and B2C to provide native secure authentication support.

SendGrid


SendGrid is a third-party cloud-based service that provides reliable email services and is available directly from the Azure Marketplace.

SendGrid provides its own email API allowing easy integration with application code. It provides a whopping 99.999% uptime SLA and up to 30,000 transactions per second. It services over 50 billion emails per month and it has some heavy-weight customers such as Airbnb, Spotify and Uber. And last but not least, you can sign up and enjoy 25,000 emails per month for free!

Power BI


"The goal is to turn data into information, and information into insight." Carly Fiorina, Former CEO of HP

Without the ability to report on the data an organisation generates, it is impossible to make informed, considered decisions. Microsoft Power BI is a collection of analytic services that use reporting dashboards to visualise data held both on-premises and in the cloud.

Power BI is comprised of three main services:

  • Power BI Service – read existing reports
  • Power BI Desktop – create and publish reports
  • Power BI Report Server – publish reports to on-premises servers

Power BI allows developers to embed interactive detailed content into applications via Power BI Embedded. Power BI includes APIs and SDK libraries to ensure that data remains secure and automatically scales visuals to ensure the best possible user experience.

Cognitive Services Speech


Azure Cognitive Services (Speech) is a collection of application programming interfaces (APIs) that enable developers to easily add speech-to-text, text-to-speech, transcription and translation services to applications. The two APIs in this grouping are:

  • Speech Services – speech-to-text, text-to-speech, transcription, translation, voice assistant, phrase list, custom speech adaptation, wake-word
  • Speech Recognition – speaker verification, speaker identification, voice signature

Conditional Access


Conditional Access Policies (CAP) are a capability of Azure Active Directory that enables an organisation to grant, block or require certain conditions to be met before allowing access to resources. These conditions can be based on location, device platform, device compliance, proof of identity (MFA), or even what kind of application is being used to access the resource (e.g. a full client app or a browser session).

Conditional Access Policies reduce risk by controlling the WHO, HOW, WHERE and WHEN of access to cloud and network resources. If you are licensed under Azure Active Directory Premium Plan 1 then you can use CAP to dynamically protect your user accounts based on conditions. Stepping up to Azure Active Directory Premium Plan 2 adds the capability to dynamically control authentication events based on the risk level for that event. If a user logs in under a high-risk condition, such as an impossible travel event between two separate locations, or their user credentials being found for sale on the black market, then you can control what happens automatically.

Security Center


Gain visibility into suspicious activity running on your cloud workloads. With Security Center, you can provision security policies across your resources to limit exposure. Security Center also uses a variety of detective capabilities to alert you when attackers are trying to breach your environment. These include:

  • Integrated threat intelligence – looks for known bad actors by using threat intelligence from other Microsoft products, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.
  • Behavioural analytics – applies known patterns to discover malicious behaviour.
  • Anomaly detection – uses statistical profiling to build a historical baseline. It alerts on deviations from established baselines that conform to a potential attack vector.

With these capabilities you can help disrupt the cyber kill chain and meet your security monitoring requirements.

Azure Security Center comes in two tiers – Free and Standard. If you are deploying production or public facing infrastructure in Azure, you should consider using the standard version of Security Center to ensure your cloud services are protected.

Application Insights


Application Insights, a feature of Azure Monitor, helps your development team understand how an application or service is performing and how it’s being used. Key monitors supported are:

  • Request rates, response times, and failure rates. Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
  • Dependency rates, response times, and failure rates. Find out whether external services are slowing you down.
  • Exceptions. Analyse the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
  • Page views and load performance. Reported by your users’ browsers.
  • AJAX calls from web pages. Rates, response times, and failure rates.
  • User and session counts.
  • Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.
  • Host diagnostics from Docker or Azure.
  • Diagnostic trace logs from your app so that you can correlate trace events with requests.
  • Custom events and metrics that you write in the client or server code, to track business events such as items sold.

Application Insights is more than a platform for monitoring an application environment in Azure. Support exists to receive telemetry from nearly all Azure resource types such as Azure AD, Azure Storage and more.

A major benefit of this platform is that it monitors more than just your Azure environment. Support can be extended to on-premises applications and service infrastructure, providing a low cost, robust and insightful monitoring platform for your line-of-business applications.

Azure Advisor


Running workloads in Azure and would like to save money? Azure Advisor is an often overlooked built-in feature of Azure, providing automated recommendations on cost control, security, governance and performance/high availability.

Recommendations for cost saving often include purchasing Reserved Instances (RI) to lock in the compute cost of a virtual machine over a 1-3 year term. Alongside RI recommendations you may receive notifications on orphaned or over provisioned resources. Security alerts are reported from Security Center.

All reports are exportable to CSV or PDF with full PowerShell and API support for automatic recommendation reporting and even remediation by using Automation runbooks.

Azure Backup


Azure Backup encompasses a suite of different options that includes: Data Protection Manager (DPM), Microsoft Azure Backup Server (MABS), Microsoft Azure Recovery Services (MARS) and Azure Backup itself, which is native to the Azure Fabric.

  • The Microsoft Azure Recovery Services (MARS) agent enables customers to back up files and folders, on nearly any Windows OS, directly to an Azure Recovery Services Vault. The agent is a great fit for remote office, branch office (ROBO) sites or use cases where a dedicated central point for managing backups, such as DPM, does not make sense.
  • Data Protection Manager (DPM) and Microsoft Azure Backup Server (MABS) enable customers to protect virtual and physical workloads on-premises with application-aware VSS restore points. While both DPM and MABS perform disk-to-disk-to-cloud backups, only DPM supports tapes (but requires a paid license).
  • Azure IaaS VM Backup is part of the Azure Fabric. The benefit of this solution is that no backup infrastructure is needed – unlike DPM, MABS and even the MARS agent, which all require installing software on the server. Azure IaaS VM Backups are configured within the Azure Portal and restore points are stored inside a Recovery Services Vault.

Azure Site Recovery


Azure Site Recovery (ASR) provides Disaster Recovery as a Service (DRaaS) by automating the replication and orchestration of your servers to a secondary, disaster recovery site.

When protecting on-premises workloads, ASR supports failover of your virtual and physical servers to Azure, or to your own secondary data centre. For the protection of VMs already running in Azure, ASR orchestrates the failover of workloads to a second Azure site.

Recovery Plans are configured within ASR to automatically recover your servers to the target site in an orderly manner, ensuring that core services (for example domain controllers) are up and running before dependent servers are powered up. There is also the ability to run scripts and manual actions as part of the recovery plan to ensure applications and servers are configured correctly in the DR environment.

ASR can replicate physical servers and virtual servers (VMware, Hyper-V, Azure and Azure Stack) and supports Windows and Linux operating systems. It also integrates with existing DR technologies such as SQL Server AlwaysOn.

ASR can also be used as a one-off migration tool to migrate servers from on-premises or AWS (Windows only) to Azure. Since ASR is free for the first 31 days you can migrate servers for free if completed within this time.

Azure Migrate


Azure Migrate takes the guesswork out of planning lift and shift migrations to Azure.

Azure Migrate analyses and assesses your current on-premises VMware virtual machines (VMs) and provides a migration strategy to move them to Azure. Support for Hyper-V environments is currently in preview.

Azure Migrate utilises a collector appliance which is a preconfigured VMware VM image that is downloaded and imported into vCenter. The appliance collects information for the assessment and uploads the results to the Azure portal. It does not require any agents or software to be installed on the hosts or guests. 

After data collection and performance profiling has completed, you will be presented with a decision tree for Azure migration suitability including indicative pricing.

Database Migration Service


Azure Database Migration Service (DMS) helps you assess and migrate on-premises databases to Azure with minimal downtime. It accelerates the process and reduces complexity while allowing migration from multiple sources to the target database.

Cost Management


Azure Cost Management was made generally available in April 2019. The objective of this service is to enable customers to control their Azure spend through monitoring of costs and optimisation of workloads. You are able to identify trends in spending across your subscriptions and understand current and projected costs.

Cost analysis within Azure Cost Management allows you to create a wide variety of customised searches of billing data. For example you can group the results by resource group, resource type, location and service name, and you can filter the results based on many different attributes. This gives you visibility into exactly where the costs are within your environment.

Create Azure Budgets within Azure Cost Management to set thresholds that monitor your Azure spending and trigger actions when the threshold (or a portion of it) has been reached. Actions can include sending alerts via email or SMS, or kicking off an automated task. For example, you could automatically shut down VMs when a budget has been reached for the month. Budgets can be set monthly, quarterly and annually.

Azure Cost Management makes recommendations for optimising your resources. For example it can identify underutilised resources and recommend less expensive resources that could run the workload instead, or recommend re-sizing a virtual machine to a lower specification.

SQL Database


Azure SQL Database is a fully managed platform-as-a-service (PaaS) offering that delivers high performance, highly scalable and secure database infrastructure, without the need to spin up and maintain infrastructure.

Azure SQL Database is secured by Azure Active Directory, virtual networks, firewalls and encrypted connections. It is a completely flexible solution where organisations can spin up anything from a single database instance through to entire elastic pools of multiple databases for unpredictable usage demands. With the scalability of Azure SQL Database, instances can be geo-distributed to maximise application performance while still maintaining the ease with which they are monitored, tuned and secured.

SQL Managed Instance


Azure SQL Managed Instance (MI) is a feature of Azure’s SQL Database-as-a-Service offering. A managed SQL database instance is the best solution for migrating on-premises SQL Server databases to the cloud. By using a SQL MI, organisations can migrate databases with zero downtime, apply advanced security features that leverage Azure Active Directory, and apply service tiers to mitigate infrastructure failure in the cloud.

The major advantage of SQL MI is that you gain significant operational efficiency by utilising a data platform with the enterprise-class resilience features of a full SQL Server Always On cluster, without needing to maintain the host or the SQL cluster.

PostgreSQL


Azure Database for PostgreSQL is a relational database service in the Microsoft cloud that is designed to enable developers to focus on rapid application development. It is available in two deployment options: Single Server and Hyperscale (Citus).

  • Single Server deployment offers features such as built-in high availability and enterprise-grade security and compliance. It is available in three pricing tiers (Basic, General Purpose and Memory Optimised), so you can dynamically scale apps as required.
  • The Hyperscale (Citus) option should be used for applications that require greater scale and performance – typically over 100GB of data. It horizontally scales queries across multiple machines using sharding to achieve faster responses on large datasets.

SQL Elastic Pool


Azure SQL Elastic Pool provides the same functionality as standalone databases, but allows for resource consumption optimisation leading to a reduction in cost. It is perfect for databases with steady resource utilisation with infrequent spikes. As an example, instead of having 15 databases running as standalone Azure SQL Databases, you could include them in the same SQL Elastic Pool which would optimise the resource utilisation, reduce costs while still allowing them to consume more resources from time to time when demand is higher.

Similar to Azure SQL Databases, SQL Elastic Pools are also based on DTU and vCore purchase models. Note that Reservations and Azure Hybrid Licensing are only available with the vCore model.

Cosmos DB


Azure Cosmos DB is a multi-model database service that supports various NoSQL ("not only SQL") database engines, including MongoDB, Cassandra, and Gremlin. The Cosmos DB service is globally distributed and guarantees low latency worldwide.

Cosmos DB offers horizontal partitioning and multi-master replication. The service supports non-relational data models including key-value, column-family, document and graph structures.

Analysis Services


Azure Analysis Services provides cloud-based analysis services as a platform as a service (PaaS). It is built on SQL Server Analysis Services Enterprise Edition.

The service integrates data from multiple sources into a BI semantic model and manages data modelling. The service is compatible with most features in SQL Server Analysis Services Enterprise Edition.

Note: some functions may not yet be supported, such as Multidimensional models and PowerPivot for SharePoint, as of 2019.

Azure Search


Azure Search is a cloud-based search-as-a-service solution targeted at private content.

Unlike Bing, which is for searching the public web, Azure Search is for searching internal web and enterprise application data. Azure Search is based on the same natural language stack as Bing and Office search but is boosted by the capabilities of artificial intelligence.

Azure Search leverages AI capabilities to identify and capture data from images, unstructured raw text and many different types of content spread across platforms. The user experience can be shaped by using filters, autocomplete, and suggestions for auto-corrected terms. Multi-lingual search is also supported.

Key Vault


Azure Key Vault is a tool for managing cryptographic keys and secrets used by services and cloud applications. Protections must be in place so items like passwords, certificates, connection strings, API and encryption keys are not exposed.

Azure Key Vaults can be software or hardware protected. In scenarios where the maximum possible security is required, the keys and secrets can be stored in hardware security modules (HSMs). These HSMs are Federal Information Processing Standard (FIPS) 140-2 Level 2 validated, and operate in a way that the secret never leaves the HSM boundary.

Microsoft uses nCipher hardware security modules and specialist tools can be used to move keys between the HSM and the Azure Key Vault. Microsoft will never be able to see or extract data from an Azure Key Vault.

Resource Group


Azure Resource Groups (RGs) provide a means to group resources within Azure into logical entities, and then perform management and other tasks on that group and its members.

All members of a resource group should be part of the same lifecycle, for example they should be deployed or deleted together. Every resource within Azure can be a member of only one Resource Group. Access control to resources can be configured at the RG level, allowing you to implement detailed access control for groups of resources at a time.

RGs do not restrict interaction between members of the RG and members of other RGs. For example, you may have an RG which contains all application servers for a given application, and another RG which contains all file share servers for that application; the application servers can access the file share servers even though they are in separate resource groups.

Resources do not have to remain permanently in the resource group they were first added to; you can move them between resource groups. Although resource groups are created in a given region, they can contain members from different regions.

To minimise the complexity of managing your Azure environment, it is important to have a naming convention for your RGs, and to determine how you will organise your resources into RGs from the start.

Azure Rights Management


Azure Rights Management (Azure RMS) provides a service to protect your company data. It enables you to implement policies and encryption to ensure only the right people have access to your company data.

Information can be protected both within your organisation, and outside your organisation, because the protection remains with the data even if it is copied to storage outside of your control.

Azure RMS provides auditing and monitoring of your protected files. You can see who has opened protected files, who failed to open protected files and what actions were performed with the files.

Azure RMS protects your company data in Office 365 and can also protect on-premises services such as Microsoft Exchange Server, SharePoint Server and Windows Server when the RMS connector is deployed.

Network Watcher


Monitoring network traffic into and out of Azure is critical to enable control of operational costs and to diagnose possible network issues. Azure Network Watcher allows you to perform packet level inspection of network traffic and monitor VPNs to gain insight and control over your network.

An extension of Network Watcher, called Network Performance Monitor (NPM), allows you to monitor throughput, packet loss, latency and jitter for ExpressRoute circuits to ensure that your end-to-end connectivity solution is optimal.

Azure Traffic Manager


Azure Traffic Manager is a geographic load balancer designed to optimally distribute traffic amongst global Azure regions where organisations are running applications and service endpoints.

Traffic Manager uses DNS routing and other load balancing mechanisms to direct client requests to the optimal endpoint based on routing rules and the health state of the endpoints.

Application Gateway


Azure Application Gateway is designed to protect your web applications. It is a Layer 7 smart application proxy that provides a number of services including load balancing, web application gateway/proxy and health monitoring. Whereas Azure Load Balancer can be used with any protocol, Application Gateway supports only HTTP and HTTPS.

The Azure Application Gateway is a great replacement for legacy applications such as Microsoft Threat Management Gateway and Microsoft Unified Access Gateway, as it offers end-to-end SSL encryption, intelligent routing based on policy rules, SSL offload, and automatic scaling to match web application traffic load.

Load Balancer


Azure Load Balancer is part of Azure’s Platform-as-a-Service (PaaS) capability. As the name suggests, Load Balancers are used to balance load between resources so applications can scale, and high availability of services can be created.

Azure Load Balancers can distribute inbound flow, as well as outbound connections, for virtual machines inside the virtual network.

Use of Azure Load Balancer is available through two SKUs. The Basic SKU is free to use while the Standard SKU has an associated cost. The Standard SKU offers more flexibility, scaling and integrated monitoring capability.

Load Balancers can also be deployed as external or internal facing services for your applications and services.

Virtual WAN


Azure Virtual WAN allows the creation of Wide Area Networks in Azure. This enables customers to configure site-to-site, point-to-site and ExpressRoute connections.

By using Azure Virtual WAN, network policy and management is deliverable under a single pane of glass, while still enabling automated scaling, branch connectivity and optimised routing of network traffic.

DNS


Azure DNS is a fully hosted and self-managed name resolution service in Azure. If you are hosting web applications in Azure, then coupling the entry point name with Azure DNS will allow you to rapidly on-board new applications and provide public URLs under your domain name quickly. By leveraging Azure’s global scale and resilience, your DNS zones will be highly available and local to the requesting users.

Azure DNS can also be leveraged for private name resolution within Azure and potentially negates the requirement to host Windows or Linux name servers.

Data Lake


Data Lake provides fast, scalable and secure storage for big data analysis and can store various types and sizes of data.

Azure Data Lake Storage Gen1 is compatible with the Hadoop Distributed File System (HDFS) in the Hadoop environment.

Azure Data Lake Storage Gen2 extends Azure Blob Storage and Data Lake Gen1 capabilities. This provides lower cost support for open source platforms such as HDInsight, Hadoop, Cloudera and Azure Databricks.

Data Factory


Azure Data Factory is a cloud-based ETL (Extract, Transform, Load) service to integrate data from different sources.

The service provides a workflow to organise and process raw data into various types, including relational and non-relational data, so that the business can make data-driven decisions by analysing the integrated data.

Azure Synapse Analytics


Synapse Analytics is Azure SQL Data Warehouse re-imagined! Combining hyperscale enterprise-grade data warehousing with big data analytics, Synapse provides complex and flexible live query capability for your data.

Synapse supports the following features and integration options with other advanced Azure services:

  • Limitless scale

    • Provisioned Compute (Data Warehouse)
    • Materialised views
    • Workload importance
    • Workload isolation
    • On-demand query
  • Powerful insights

    • Power BI integration
    • Azure Machine Learning integration
    • Data Lake exploration
    • Streaming analytics (Data Warehouse)
    • Apache Spark integration
  • Unified experience

    • Hybrid data ingestion
    • Azure Synapse studio
  • Unmatched security

    • Column- and row-level security
    • Dynamic data masking
    • Private endpoints

Redis Cache


Azure Redis Cache is Microsoft’s managed version of the well-known Redis software. As the name indicates, Redis Cache caches frequently accessed data from databases such as SQL Server and allows super-fast access to that data directly from memory.

Content Delivery Networks are used to cache static content closer to users. Redis Cache can also cache static content closer to users, but in-memory which provides much faster access to the data. Furthermore, it can also be used as a message broker system, in-memory data structure store and a distributed non-relational database.

HD Insight


Azure HDInsight is a big data analytics service that can run popular open source frameworks such as Apache Hadoop, Spark and Kafka.

By using HDInsight organisations can process massive data sets, rapidly provision big data clusters and elastically scale them up or down as needed. HDInsight integrates with Azure Data Factory and Azure Data Lake storage and meets industry and government standards for data protection.

Bot Services


Azure Bot Services is a managed service for conversational bot development. Using an open source software development kit (SDK), developers can build bots that users can easily interact with using natural language.

Azure Bot Services leverage Azure Cognitive Services and can be integrated with natural language and speech APIs to enhance the end user experience when interacting with the virtual assistant.

Cloud App Security


Manage Shadow IT, control data stored on cloud platforms and identify other threats with Microsoft Cloud App Security (MCAS). MCAS is a multi-source Cloud Access Security Broker (CASB), designed to allow visibility, control, security and reporting of access to cloud enabled applications and services within an environment.

MCAS can be connected to multiple cloud applications including, but not limited to:

  • Office 365
  • Microsoft Intune
  • Amazon Web Services
  • Dropbox

MCAS enables organisations to discover and control Shadow IT by identifying applications used within an organisation. Additionally it offers the ability to manage access and compliance to ensure information and device security.

To enable organisations to manage information stored in cloud environments, MCAS is capable of understanding, classifying and reporting on documents at rest. This includes documents shared via cloud services such as OneDrive and Box.

MCAS can help protect against possible cyber threats by detecting unusual behaviour, impossible travel scenarios, administrative activities from non-corporate IPs and malware identification. Policies can be configured to perform governance actions ranging from alerting IT, to suspending user accounts and quarantining files.

Azure Sentinel


Do you have a Security Information and Event Management system (SIEM)? Do you need to ensure strict security controls and reporting within Azure and/or on-premises?

Sentinel is an Azure-hosted SIEM-as-a-service that can ingest and inspect security-related events from virtually anywhere. Powered by advanced Artificial Intelligence and backed by security research analysis based on trillions of signals daily, Sentinel is pre-configured and ready to report on anomalous and malicious behaviour within your infrastructure.

The compelling reason to select Sentinel over other SIEM services, is the elegance and simplicity of setup and configuration. Built-in data connectors can be configured in seconds to ingest data streams from Azure Active Directory, Office 365, Advanced Threat Protection (ATP), Security Center and many more.

Network Security Group


Network Security Groups (NSGs) are Azure’s equivalent of your own virtual firewall within your Azure networks. NSGs allow you to define access control rules for inbound and outbound traffic to a subnet or a network interface on a VM.

When an NSG is created, its rules are configured and the NSG is associated with one or many subnets or network interfaces. To simplify administration it is recommended that NSGs be linked to subnets rather than individual interfaces; however, associating an NSG with an individual interface may be required to ensure specific restrictions are imposed on that interface.

To efficiently maintain NSGs that are linked to network interfaces, you can use application security groups. VM network interfaces can be made members of an application security group, then an NSG can be used to deny or allow traffic to and from all interfaces that are members of the application security group. Rules within NSGs are applied to inbound traffic for the subnet first, followed by the rules for the VM network interface. Outbound rules are applied for the VM network interface first, and then followed by subnet rules.

An alternative to using NSGs is to deploy a Network Virtual Appliance (NVA). NVAs are available through the Azure Marketplace and are provided by all of the major network appliance vendors. Often an NVA will be used when an organisation has more advanced networking requirements (such as detailed traffic inspection, or the implementation of a Web Application Firewall), or when integrating Azure with an existing on-premises environment and you want to extend the same networking solution across cloud and on-premises.

When using NSGs it is vital to plan your network architecture and security requirements in advance, as the number and complexity of NSGs can quickly become difficult to navigate and maintain.
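The two-layer evaluation described above (subnet NSG before NIC NSG for inbound traffic, the reverse for outbound, first matching rule by priority within each NSG) as an added Python simulation; this is example code written for this page, not Microsoft's implementation or code from the original article. Rule names, application security group membership, NIC names and IP addresses are all constructed, and Azure's default rules are reduced to an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # lower number is evaluated first, as in Azure
    action: str                 # "Allow" or "Deny"
    direction: str              # "Inbound" or "Outbound"
    protocol: str = "*"         # "Tcp", "Udp" or "*"
    source: str = "*"           # CIDR, "*" or "asg:<name>"
    destination: str = "*"      # CIDR, "*" or "asg:<name>"
    dest_ports: tuple = ("*",)  # e.g. ("443",), ("1000-2000",) or ("*",)

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    src_nic: Optional[str] = None  # NIC name when the source is an Azure VM
    dst_nic: Optional[str] = None  # NIC name when the destination is an Azure VM

@dataclass(frozen=True)
class Nsg:
    name: str
    rules: tuple

# Constructed application security group membership: ASG name -> NIC names.
ASG_MEMBERS = {"asg-web": {"web-nic-1", "web-nic-2"}, "asg-db": {"db-nic-1"}}

def _addr_matches(spec: str, ip: str, nic: Optional[str]) -> bool:
    if spec == "*":
        return True
    if spec.startswith("asg:"):  # ASG reference: match on NIC membership
        return nic in ASG_MEMBERS.get(spec[4:], set())
    return ip_address(ip) in ip_network(spec, strict=False)

def _port_matches(spec: tuple, port: int) -> bool:
    for item in spec:
        if item == "*":
            return True
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_nsg(nsg: Nsg, flow: Flow):
    """Return (action, rule name) of the first matching rule, lowest priority
    number first. Real NSGs end with Azure's default rules; here an implicit
    deny stands in for them (a simplification)."""
    for rule in sorted(nsg.rules, key=lambda r: r.priority):
        if rule.direction != flow.direction or rule.protocol not in ("*", flow.protocol):
            continue
        if not _addr_matches(rule.source, flow.src_ip, flow.src_nic):
            continue
        if not _addr_matches(rule.destination, flow.dst_ip, flow.dst_nic):
            continue
        if _port_matches(rule.dest_ports, flow.dst_port):
            return rule.action, rule.name
    return "Deny", "ImplicitDeny"

def is_allowed(flow: Flow, subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg]):
    """Apply the two NSG layers in Azure's order (inbound: subnet then NIC;
    outbound: NIC then subnet). A Deny at either layer stops the flow.
    Returns (allowed, trace) with one (nsg, rule, action) entry per layer seen."""
    layers = [subnet_nsg, nic_nsg] if flow.direction == "Inbound" else [nic_nsg, subnet_nsg]
    trace = []
    for nsg in layers:
        if nsg is None:
            continue
        action, rule = evaluate_nsg(nsg, flow)
        trace.append((nsg.name, rule, action))
        if action == "Deny":
            return False, trace
    return True, trace

# Constructed policy: the subnet NSG admits only HTTPS to the web tier, while a
# NIC-level NSG on web-nic-1 also tries to open SSH from a corporate range.
SUBNET_NSG = Nsg("nsg-web-subnet", (
    Rule("AllowHttpsToWeb", 100, "Allow", "Inbound", "Tcp", "*", "asg:asg-web", ("443",)),
    Rule("AllowWebToDb", 100, "Allow", "Outbound", "Tcp", "asg:asg-web", "asg:asg-db", ("1433",)),
))
NIC_NSG = Nsg("nsg-web-nic-1", (
    Rule("AllowCorpSsh", 100, "Allow", "Inbound", "Tcp", "10.0.0.0/8", "*", ("22",)),
    Rule("AllowHttps", 110, "Allow", "Inbound", "Tcp", "*", "*", ("443",)),
    Rule("AllowToDb", 100, "Allow", "Outbound", "Tcp", "*", "asg:asg-db", ("1433",)),
))

# Constructed sample flows using documentation and private address ranges.
HTTPS_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.9", "10.1.0.4", 443, dst_nic="web-nic-1")
SSH_FROM_CORP = Flow("Inbound", "Tcp", "10.200.1.7", "10.1.0.4", 22, dst_nic="web-nic-1")
WEB_TO_DB = Flow("Outbound", "Tcp", "10.1.0.4", "10.1.1.4", 1433, src_nic="web-nic-1", dst_nic="db-nic-1")

if __name__ == "__main__":
    # SSH is allowed by the NIC NSG but never reaches it: the subnet NSG is
    # evaluated first on inbound traffic and has no matching Allow rule.
    for label, flow in (("https", HTTPS_FROM_INTERNET), ("ssh", SSH_FROM_CORP), ("db", WEB_TO_DB)):
        print(label, is_allowed(flow, SUBNET_NSG, NIC_NSG))
```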

Front Door


If you are using Office 365 then congratulations, you are already using the Azure Front Door Service. Azure is providing the highly available, scalable and secure endpoint entry into your apps.

Front Door is very similar to the Azure Application Gateway, the difference being that the former provides global load balancing services while the latter only provides regional load balancing services. Using the Front Door Service you can route your traffic to your closest service back-end, providing the best performance for your users.

Other Front Door features that are similar to the Application Gateway are:

  • SSL Offloading
  • HTTP Load Balancing
  • Session Affinity
  • URL-based routing
  • WAF
  • DDoS Protection

In order to provide the best service to your users on a global scale, a combination of these services can be used.

ExpressRoute


Azure offers cloud services that are easily accessible over the internet, or via a site-to-site VPN connection. But if your organisation requires a private, high-throughput and predictable connection to Azure services from your existing network, ExpressRoute is required.

ExpressRoute can be used to connect your organisation to Office 365, Dynamics 365 and Azure. This dedicated network link can be provided in three different ways:

  • Cloud Exchange
  • Point-to-point Ethernet, or
  • Any-to-Any IPVPN.

To access ExpressRoute through a Cloud Exchange you must be co-located in a data centre with this capability. A layer 2 or 3 connection can then be provisioned to connect your co-location with Azure.

A Point-to-Point Ethernet or IP VPN – such as a multiprotocol label switching (MPLS) WAN – connection can be established by your network service provider if you are not co-located in a facility with a cloud exchange. More than one ExpressRoute circuit can be provisioned to provide connectivity to the same or different regions within Azure.

There are two types of peering for ExpressRoute, Azure private peering and Microsoft peering.

  • Azure private peering is an extension of your organisation’s network and provides direct connectivity between your existing network and the private IP addresses of your virtual machines and other Azure services.
  • Microsoft peering, on the other hand, provides connectivity from your WAN to the public IP address ranges of Microsoft online services over your ExpressRoute connection. These services include Office 365, Dynamics 365 and Azure platform-as-a-service (PaaS) offerings. Microsoft generally recommends against using it for Office 365, as those services are designed to be accessed securely and reliably over the Internet; if your organisation has regulatory requirements that mandate a private connection, you can request it from Microsoft.

Note that an ExpressRoute circuit is a private path, not an encrypted one. If data must be encrypted in transit, encrypt it at the application layer (for example with TLS) or run an IPsec VPN over the circuit.

VPN Gateway


A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

Virtual Network


Azure Virtual Networks are also referred to as VNets. They provide the networking foundation for your Azure resources to be able to communicate with each other and to communicate over the Internet and to other networks (such as your local WAN).

You can allow different types of Azure resources to communicate with each other in your VNets, such as IaaS resources (e.g. Virtual Machines) and PaaS resources (e.g. Web Apps). Each VNet contains subnets and within those subnets sit your Azure resources, such as Virtual Machines.

A VNet is configured with a private IP address range, which is then split up into multiple subnets. By default, there is complete isolation between VNets, so resources in one VNet cannot communicate with resources in another VNet. Each VNet can only be present in a single Azure region, however you can connect VNets to each other if you require resources in one VNet or region, to communicate with resources in another VNet or region.

On-premises environments can be connected to VNets through point-to-site VPNs, site-to-site VPNs or Azure ExpressRoute. Traffic within the VNet can also be filtered, for example traffic between subnets or between virtual machine network interfaces.

Network virtual appliances (NVAs) can also be integrated within your VNets. By configuring custom routes on your subnets you can force network traffic through these appliances for monitoring, filtering and packet inspection.
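How Azure picks a route once a custom route table is in place, as an added example written for this page (it is not Data#3's or Microsoft's code): every subnet gets a set of system routes, Azure selects the longest matching prefix for a destination, and ties are broken in favour of user-defined routes over BGP routes over system routes. The 10.0.0.0/16 VNet, the NVA address 10.0.255.4 and the route sets are constructed sample values, and only IPv4 is modelled.

```python
"""Model of Azure's route selection for a subnet (added example; not the page's
or Microsoft's code). Assumptions: IPv4 only; a route's origin is one of
"System", "BGP" or "User"; the VNet address space and the NVA address below
are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# On an equal prefix length Azure prefers user-defined routes, then BGP, then system.
PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination CIDR
    next_hop_type: str                 # VirtualNetwork, Internet, None, VirtualAppliance, ...
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    origin: str = "User"


def system_routes(vnet_space: str) -> List[Route]:
    """The default system routes Azure creates for every subnet."""
    routes = [Route(vnet_space, "VirtualNetwork", origin="System"),
              Route("0.0.0.0/0", "Internet", origin="System")]
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(p, "None", origin="System"))  # next hop None: traffic is dropped
    return routes


def select_route(routes: List[Route], dest_ip: str) -> Route:
    """Longest prefix match; ties broken by origin precedence."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -PRECEDENCE[r.origin]))


def next_hop(routes: List[Route], dest_ip: str) -> str:
    """Human-readable next hop for the selected route."""
    r = select_route(routes, dest_ip)
    return r.next_hop_type if r.next_hop_ip is None else f"{r.next_hop_type}({r.next_hop_ip})"


# Constructed sample: a 10.0.0.0/16 VNet with an NVA at 10.0.255.4 in its own subnet.
VNET = "10.0.0.0/16"
NVA = "10.0.255.4"
# Route table 1: only a default route pointing at the appliance.
DEFAULT_ONLY = system_routes(VNET) + [Route("0.0.0.0/0", "VirtualAppliance", NVA)]
# Route table 2: the VNet prefix itself is also sent to the appliance.
FORCE_ALL = DEFAULT_ONLY + [Route(VNET, "VirtualAppliance", NVA)]

if __name__ == "__main__":
    for dest in ("8.8.8.8", "10.0.2.9", "10.5.5.5"):
        print(f"{dest:>10}  default-route-only: {next_hop(DEFAULT_ONLY, dest):<28} "
              f"vnet-prefix-added: {next_hop(FORCE_ALL, dest)}")
```

The second destination is the one that catches people out: a 0.0.0.0/0 route to the NVA sends Internet-bound traffic through it, but traffic to another subnet still matches the more specific system route for the VNet and bypasses the appliance, so a user-defined route for the VNet prefix itself is needed to inspect east-west traffic. The third destination shows that the /8 system route with next hop None still drops 10.x traffic outside the VNet even with a default route to the NVA; on-premises prefixes reached via a gateway get their own routes from that gateway. Do not apply a table that forces the VNet prefix through the NVA to the NVA's own subnet, or its outbound traffic loops back to itself.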

Virtual Subnet


Azure Virtual Networks (VNets) can be broken up into virtual subnets. These are similar to the subnets that are created in traditional on-premises network environments, but are limited to your Azure network.

Each subnet that you create within a virtual network must have a unique address range within that virtual network. Once created, you can add Azure resources to the subnet to allow them to communicate with each other and to resources in other subnets within the virtual network.

A special type of Azure virtual subnet is the gateway subnet. This is a dedicated subnet that hosts the virtual network gateway used to connect your on-premises networks to an Azure virtual network, whether that is a VPN gateway or an ExpressRoute gateway.

Azure creates system routes so that, by default, traffic is routed between all subnets in the same virtual network. You can override this with a custom route table (user-defined routes) to force traffic through a Network Virtual Appliance (NVA) on its way to other subnets in the same virtual network or to destinations outside it. You control which traffic is allowed in and out of a subnet with network security groups. Each NSG rule allows or denies traffic based on source and destination address (an IP, a CIDR range or a service tag), source and destination port range and protocol; rules are evaluated in priority order, lowest number first, the first match wins, and every NSG ends with default rules that allow traffic within the virtual network and deny all other inbound traffic.
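A small model of NSG evaluation, added here as an example (it is not Data#3's or Microsoft's code) to back the planning advice in the NSG section and the filtering behaviour described above: it applies custom rules plus the built-in default rules in priority order with first match winning, then checks whether a VM's management ports are reachable from the Internet, which is exactly the exposure Azure Bastion is meant to remove. Service tags are simplified to the four the sample needs; the 10.0.0.0/16 VNet, the 10.0.255.0/26 Bastion subnet, the 203.0.113.7 probe address and all rule names are constructed sample values; only IPv4 TCP/UDP is modelled.

```python
"""Offline model of how an Azure NSG evaluates a flow (added example; not the
page's or Microsoft's code). Assumptions: IPv4 only; service tags reduced to
'*', 'VirtualNetwork' (the sample VNet space), 'Internet' (outside RFC 1918) and
'AzureLoadBalancer' (the 168.63.129.16 probe address); protocols limited to
Tcp/Udp/*; all rule names and addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first; custom rules use 100-4096
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR/IP list, service tag or "*"
    dest: str
    dest_ports: str    # "3389", "22,3389", "1000-2000" or "*"


# Default rules present in every NSG; they cannot be removed, only overridden by lower priorities.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip) -> bool:
    """Does an address match a rule's source/destination specification?"""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE
    if spec == "Internet":
        return not any(ip in n for n in PRIVATE)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return any(ip in ipaddress.ip_network(p, strict=False) for p in spec.split(","))


def _port_matches(spec: str, port: int) -> bool:
    """Port specs may be '*', a list ('22,3389') or ranges ('1000-2000')."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Rule:
    """Return the first rule (by priority) that matches; Azure evaluates no further."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_addr_matches(r.source, src) and _addr_matches(r.dest, dst)
                and _port_matches(r.dest_ports, dst_port)):
            return r
    raise RuntimeError("unreachable: the DenyAll default rules match everything")


def exposed_management_ports(rules: List[Rule], vm_ip: str, probe_src: str = "203.0.113.7") -> List[int]:
    """Management ports (TCP 22 and 3389) an arbitrary Internet host could reach on vm_ip."""
    return [p for p in (22, 3389)
            if evaluate(rules, "Inbound", "Tcp", probe_src, vm_ip, p).access == "Allow"]


# Constructed sample: a typical mistake, then the same NSG with the offending rule removed.
BASTION_SUBNET = "10.0.255.0/26"
WEAK = [
    Rule("Allow-RDP-Anywhere", 100, "Inbound", "Allow", "Tcp", "*", "*", "3389"),
    Rule("Deny-RDP-Internet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),  # never reached
    Rule("Allow-HTTPS", 200, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "443"),
    Rule("Allow-SSH-From-Bastion", 300, "Inbound", "Allow", "Tcp", BASTION_SUBNET, "VirtualNetwork", "22"),
]
HARDENED = [r for r in WEAK if r.name != "Allow-RDP-Anywhere"]

if __name__ == "__main__":
    vm = "10.0.1.4"
    print("weak NSG exposes:", exposed_management_ports(WEAK, vm))
    print("hardened NSG exposes:", exposed_management_ports(HARDENED, vm))
    print("SSH from Bastion subnet:", evaluate(HARDENED, "Inbound", "Tcp", "10.0.255.5", vm, 22).name)
    print("RDP from another subnet:", evaluate(HARDENED, "Inbound", "Tcp", "10.0.2.9", vm, 3389).name)
```

Two things the run makes visible: the Deny rule at priority 110 never fires while the Allow at 100 exists, because evaluation stops at the first match; and removing the offending rule still leaves RDP reachable from every other subnet in the VNet through the default AllowVnetInBound rule, so if RDP should only ever arrive from the Bastion subnet an explicit deny at a lower priority number is needed as well.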

On Premises Data Gateway


With an Azure On-Premises Data Gateway, you can utilise your on-premises data sources in cloud applications such as Microsoft Power BI, PowerApps, Flow, Azure Logic Apps and the Azure Analysis Service. Query datasets from your on-premises sources, including legacy data, in new and interesting ways without having to move that data to the cloud.

Install and deploy one gateway to connect multiple on-premises data sources with Microsoft Azure. The gateway makes only outbound connections to Azure, so no inbound firewall ports need to be opened, and data flowing between the gateway and Azure is encrypted in transit.

Data Box


Azure Data Box is an extension of the Import/Export service in Azure. It provides an easy, quick, reliable and inexpensive way of sending data to Azure.

Data Box can be used for offline and online scenarios.

  • For offline scenarios, you can use a Data Box, which is a NAS device with 100 TB capacity featuring AES 256-bit encryption; a Data Box Disk, which comes in packs of five 8 TB SSDs featuring AES 128-bit encryption; or a Data Box Heavy, which allows you to send 1 PB of data to the cloud.
  • For online scenarios, you can use a Data Box Edge which is an on-premises physical network appliance featuring AI capabilities allowing the analysis, processing and transformation of data before sending it to the cloud; or a Data Box Gateway which is a virtual appliance that also allows transfer of data to and from Azure.

Storage Account


Storing data in Azure requires an Azure storage account as the location for your data. There are five types of storage account available, and the type you use depends on what data is being stored and what it is used for. The name of each storage account must be unique across the whole of Azure, because it forms part of the endpoint URL used to access your data.

  • General-purpose V1: As with the General-purpose V2 account, it supports all services but does not provide access to the latest features. Features that are not available are access tiers and the newer replication options. This is the only storage account type that supports the Azure classic deployment model, and it also supports older versions of the Storage Services REST API. The per-GB capacity price is higher than the General-purpose V2 account but the transaction costs are lower.
  • General-purpose V2: This type of storage account, as the name implies, is a general purpose account. It provides access to the latest features while supporting all services (Blob, File, Queue, Table and Disk), performance tiers, access tiers and replication options. This type of account provides the cheapest per-GB capacity prices.
  • BlobStorage: This is a cut-down version of the General-purpose V2 account type which only supports block and append blobs. The only difference in pricing between the two account types relates to the cool tier: the General-purpose V2 account does not charge for cool-tier data writes but does charge for early deletion, while the BlobStorage account is the opposite.
  • BlockBlobStorage: This specialised premium account type only supports block and append blobs. It is recommended for high-IO applications that require low and consistent storage latency. Currently BlockBlobStorage only supports the locally-redundant storage (LRS) replication option. Compared to General-purpose V2 the per-GB capacity prices are higher but most transaction charges are lower.
  • FileStorage: This is a specialised premium account type for premium file shares, for situations where high IO and low latency are required. Pricing for this account type is billed on the provisioned size of the share with no additional transaction costs. The standard storage options available with the General-purpose V1 and V2 account types are billed on the storage used and include additional costs for transactions.

File Sync


Azure File Sync allows for the syncing (caching) of files between an Azure file share and a local server. This allows for files to be directly accessed from on-premises servers while benefiting from features of Azure storage like scalability and redundancy.

Direct access to the files from on-premises servers allows for improved performance, especially where the Internet connection is slow or limited. The cloud tiering feature allows for frequently accessed files to be cached locally while other files are stored in Azure with a placeholder file left in place.

Azure File Sync could be compared to OneDrive, with the cloud tiering feature being similar to OneDrive Files On-Demand. Azure File Sync can also be used as a way to migrate existing on-premises files to the cloud.

StorSimple


Microsoft StorSimple enables customers both to protect their valuable data and to automatically tier infrequently accessed data to Azure Blob storage. Tiering "cool" data blocks to Azure Blob frees up space on the customer's typically faster, more expensive local storage, while still allowing seamless access to the tiered blocks.

StorSimple automatically ensures the most frequently accessed blocks remain local to the StorSimple device to ensure the best performance possible. This automated tiering design enables StorSimple to maintain a small on-premises footprint while still enabling the customer to store large datasets on the device.

Another benefit of Azure StorSimple is its ability to take daily snapshots that are stored in Azure. This snapshot feature enables end users to easily perform individual file-level recovery, or to recover the entire StorSimple device in the event of a larger site outage. The snapshot capability makes StorSimple an ideal candidate for file servers at remote office/branch office (ROBO) locations, for archiving old datasets to Azure Blob storage, or as a backup target to hold offsite backup copies.

StorSimple devices can be deployed straight from the Azure Marketplace into Azure Cloud, or on-premises via virtual storage arrays or physical appliances. Data can be written to StorSimple via iSCSI volumes or SMB, which means these devices can function both as a SAN or a file server (NAS).

DataBricks


Azure Databricks is an Apache Spark-based analytics and machine learning platform, offered as a managed Azure service.

Using Azure Databricks, an organisation can quickly provision a workspace and an Apache Spark cluster where users can collaborate on shared projects. With integration into other Azure services, an organisation can build a modern data warehouse and machine learning solution.

The service integrates with other Azure services to build a big data pipeline: Azure Data Factory for ingesting data in batches, and Apache Kafka, Event Hubs or IoT Hub for streaming. Azure Databricks can read data from various Azure storage services, such as Azure Synapse, Azure Cosmos DB and Azure Blob Storage.

Azure Databricks supports multiple languages, including Python, R, Scala, Java and SQL, on CPU or GPU enabled clusters.

Digital Twins


Azure Digital Twins is an extension of Azure Internet of Things (IoT) that provides a virtual replica of the physical world by modelling the relationships between people, places and devices in a spatial intelligence graph.

Digital Twins correlates data across the physical and digital worlds, helping to discover opportunities to improve customer experiences, create new efficiencies and improve the spaces in which people live, work and play.

Azure IoT Central


IoT is one of the fastest growing areas of cloud computing. If you are looking to enter the world of Internet-connected things, IoT Central is the quickest place to start.

IoT Central is a pure SaaS offering that provides a complete management and reporting solution for IoT connected devices. Within minutes you can provision a workspace, register and manage devices, receive critical telemetry and visualise data within pre-built and customisable dashboards.

DDoS Protection


Azure DDoS Protection is a service provided by Microsoft that enables your website or online resources to remain accessible in the event of traffic flood style attacks (Distributed Denial of Service). It features always-on traffic monitoring and real-time mitigation of attacks for any public IP address you use within Azure. This is the same type of protection used by Microsoft’s own online services, which has withstood a wide variety of attacks over the years.

Azure DDoS Protection constantly monitors network traffic to your public IP addresses and requires no changes to your applications or resources. Azure Monitor shows when mitigation was triggered by an attack and provides metrics and reports for the previous 30 days.

Azure DDoS Protection is available in two service tiers: Basic, which is enabled automatically for every Azure public IP at no charge, and Standard, which adds mitigation policies tuned to your own resources, attack telemetry and alerting.

Azure Firewall


Azure Firewall is a cloud native firewall built specifically for Azure. It is not an instance based offering and is provided as a managed service with built-in high availability and scalability.

Azure Firewall features:

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • FQDN filtering
  • FQDN tags
  • Network traffic filtering rules
  • Outbound SNAT support
  • Inbound DNAT support
  • Centralised creation, enforcement, and logging of application and network policies
  • Fully integrated with Azure Monitor for logging and analytics
  • Threat intelligence based filtering
  • Service tags filtering

Azure Firewall allows you to centrally manage and enforce stateful filtering rules by source and destination address, port and protocol. This can be applied across multiple VNets and across multiple subscriptions.

Azure Bastion


Azure Bastion allows for agentless management of Azure VMs using RDP or SSH. Your browser session to the Bastion host is carried over TLS on port 443; Bastion then opens the RDP or SSH session to the VM on its private IP address.

Bastion enables you to connect to a server with a single click from within the Azure Portal, using an HTML5-based web client, without needing an RDP or SSH client on your workstation.

To avoid exposing public IPs on your VMs, Azure Bastion is provisioned inside your existing virtual network (in a dedicated subnet named AzureBastionSubnet) and only ever connects to VMs on their private IPs, so the NSG rules that allow ports 22 and 3389 can be restricted to the Bastion subnet as the source. As Azure Bastion is a PaaS service, the hosts are hardened, patched and maintained by Microsoft rather than being a jump box you have to secure yourself.

Azure Bastion integrates with Azure audit logging so that you can track who has logged on to which VM; screen recording of sessions, to allow playback of the changes made to a VM, was in private preview at the time of writing.

Content Delivery Network


Content Delivery Networks (CDNs) are used to bring content closer to end users.

Static content such as website assets, mobile app downloads and game files is cached on servers around the globe and delivered to users from the server closest to their location.

CDNs enable organisations to deliver content faster, save bandwidth and improve the user experience.

Azure Resource Manager


Azure Resource Manager (ARM) is the core service offering to deploy, manage, and control resources in Azure with a consistent management layer, using defined templates that utilise the JavaScript Object Notation (JSON) format.

Templates define the infrastructure and its dependencies so that deployments are repeatable and consistent. Access to resources, and the actions allowed on them, is controlled through Azure role-based access control (RBAC) assigned to users or groups.

Azure Blueprints


Azure Blueprints enable architects to design a repeatable solution, built from artefacts and governance controls, that creates or updates Azure subscriptions according to the organisation's requirements and policies. The artefacts that make up an Azure Blueprint are:

  • Resource Groups
  • ARM templates
  • Policy Assignment
  • Role Assignment

Azure Blueprints have a lifecycle like other resources in Azure. You first create a blueprint and add artefacts. Until you publish it, it will be in a draft mode and cannot be assigned. Once published it cannot be edited but a new version of the same blueprint can be added and then edited. The new version has to be published before it can be assigned. Assignments may also be updated if, for instance, you need to change the assignment to a different blueprint version.

Once a blueprint version is no longer needed it can be deleted, but its assignment(s) must be deleted first. Assigning a blueprint triggers a deployment: the Blueprints service is granted owner rights on the subscription(s), creates the required artefacts, and then has those rights revoked.

Azure Blueprints supports parameters which provides flexibility, agility and reusability. Parameters can be hardcoded during the blueprint creation, or can be required during the blueprint assignment. Parameters can also enforce prefixes which allows governance on naming standards.

Azure Blueprints can give you assurance and agility to deploy Azure subscriptions in a secure, compliant and ready to be used state.

Automation Runbooks


Automation runbooks exist to make your operations life easier. With authoring support for PowerShell, PowerShell Workflow, Python and graphical (UI-authored) runbooks, they can automate almost any operational task. Common usage scenarios for runbooks include:

  • Build and deploy resources: deploy VMs across a hybrid environment using runbooks and Azure Resource Manager templates, and integrate with development tools like Jenkins and Azure DevOps.
  • Configure VMs: assess and configure Windows and Linux machines with the desired configuration for the infrastructure and application.
  • Monitor: identify changes on machines that are causing issues and remediate, or escalate to management systems.
  • Protect: quarantine a VM if a security alert is raised; set in-guest requirements.
  • Govern: set up role-based access control for teams; recover unused resources.

Dev Test Labs


DevTest Labs provides a self-service sandbox environment in Azure where developers and testers can create development environments, whilst tight control is maintained over resource types and costs.

Developers and testers can log into the Azure portal and run a DevTest environment without having to go through a service request process to have infrastructure administrators prepare and deploy the resources they require.

Strict quotas can be configured and enforced, ensuring spend on development and test resources in Azure is controlled. You can specify the types of resources that are allowed to be deployed (such as VM sizes) and which subnets the resources can be deployed in to. Automated shut down of the environment can also be enforced, for example you may want to have all development environments shut down outside of business hours to save on costs.

An Azure administrator sets the lab up once, defining policies and schedules and granting developers and testers the permissions they need to provision their own DevTest environments.

ARM templates can be used to spin up new labs, which enables a standard set of policies and settings to be deployed each time. You can also create DevTest Labs environments from your continuous integration/continuous deployment (CI/CD) tools through the REST API.

Resource Graph


Azure Resource Graph allows you to query at scale across many subscriptions to get deep insights and rich context on your resources. It is based on the Kusto query language and, as with other enterprise grade query languages, it provides advanced filtering, grouping and sorting of objects. Furthermore, it allows you to assess the impact of applying policies in your environment as well as detailed changes made to resource properties.

Azure Resource Graph is a free service that is throttled to provide the best user experience. To increase throttle limits, you can raise a support ticket with Microsoft.

Azure DevOps


Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications.

Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server – formerly named Visual Studio Team Foundation Server (TFS).

May 2, 2020 at 11:25AM