Azure Compute, Networking and Storage Overview
16 February 2019
Microsoft Riyadh
Ahmed Fakhry
IT Infrastructure Presales Consultant & Solution Architect
Cloud Architect, CCNP, CCDP, MCITP, VCP, EMCIE, EMCTA, ITIL, AWSCSA
Agenda
Relation between Business and Infrastructure
Cloud Migration Strategies
Azure Infrastructure Services
Azure Account Management
Azure Virtual Machines
Azure Networking
Azure Storage Account
Identity and Access Management
Demo
Business and Infrastructure
Business-IT Alignment (diagram): business strategy and IT strategy; business infrastructure and IT infrastructure; applications; availability, performance, IT infrastructure security and cost/ROI; decision makers and the operation team.
IT Infrastructure
IT Infrastructure Components (diagram): isolation region, backup server, recovery center, Internet (IE/Navigator, DDN/FR), Internet routers, firewall, PSTN, switch, phone, LAN, fax, application server and DB servers.
Cloud service characteristics (diagram): flexible scaling, on-demand self-service, measured service, flexibility of access, application development and testing, increased collaboration, masked complexity.
Cloud Services Models (diagram: three application/OS stacks, with the layers managed by the cloud provider marked in each).
Redesign (Refactor/Re-architect/Rebuild)
• Utilize Available “Software As A Service” Services
• Utilize Available “Platform As A Service” Services
• Build Cloud Native Application
• Graceful degradation of Application Functionality
• Retry Logic in Application Code
• Persistent Application state model
• Event-driven processing
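Retry logic is listed above as one of the redesign techniques. The following added example (not from the deck) shows the shape it normally takes: exponential back-off with jitter, a bounded number of attempts, and retrying only errors classified as transient, so a permanently failing dependency is surfaced rather than hammered. TransientError, call_with_retry and FlakyService are names chosen here; FlakyService is a constructed stand-in for a cloud API that throttles the first few calls.

```python
"""Retry with exponential back-off and jitter for transient cloud failures.

Added example (not from the original deck). TransientError, call_with_retry
and FlakyService are constructed names; FlakyService stands in for a cloud
API that throttles the first few calls.
"""
import random
import time
from typing import Callable, List, Tuple, TypeVar

T = TypeVar("T")


class TransientError(Exception):
    """A failure worth retrying: throttling (429), timeouts, brief outages."""


def call_with_retry(
    operation: Callable[[], T],
    max_attempts: int = 5,
    base_delay: float = 0.2,
    max_delay: float = 5.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
) -> T:
    """Call operation(); on TransientError wait base_delay * 2**attempt
    (capped at max_delay) plus jitter and try again. Any other exception
    propagates at once, and the last TransientError is re-raised when the
    attempts run out, so the caller never loops forever against a service
    that is down for good. sleep and rng are injectable so the behaviour
    can be tested without real waiting."""
    for attempt in range(max_attempts):
        try:
            return operation()
        except TransientError:
            if attempt == max_attempts - 1:
                raise
            delay = min(max_delay, base_delay * (2 ** attempt))
            # Jitter: a random extra wait in [0, delay) keeps many clients
            # from retrying in lock-step after a shared outage.
            sleep(delay + rng() * delay)
    raise AssertionError("unreachable: the loop either returns or raises")


class FlakyService:
    """Constructed stand-in for a cloud API that throttles its first N calls."""

    def __init__(self, failures_before_success: int) -> None:
        self.failures_before_success = failures_before_success
        self.calls = 0

    def __call__(self) -> str:
        self.calls += 1
        if self.calls <= self.failures_before_success:
            raise TransientError("429 Too Many Requests")
        return "ok"


def demo(failures: int = 3) -> Tuple[str, int, List[float]]:
    """Run a FlakyService under retry and record the back-off delays used
    (jitter fixed to zero and sleep replaced by a list so it runs instantly)."""
    delays: List[float] = []
    service = FlakyService(failures)
    result = call_with_retry(service, sleep=delays.append, rng=lambda: 0.0)
    return result, service.calls, delays


if __name__ == "__main__":
    print(demo())  # ('ok', 4, [0.2, 0.4, 0.8])
```

The delay cap and the attempt limit are the two parameters worth tuning per dependency: the cap bounds the worst-case latency a single call adds, and the attempt limit bounds how much extra load a struggling service receives from each client.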
Migrate & Modernize
Re-host
• Moving applications from your datacenter to the cloud quickly.
• Often referred to as “lift and shift” migration.
• Each application is migrated as-is, which provides the benefits of the cloud without the risks or costs of making code changes.
Refactor
• A quick way to modernize your apps.
• Often referred to as repackage.
• Involves some change to the application design.
• Application can take advantage of infrastructure as a service (IaaS) and platform as a service (PaaS) products, such as Azure App Service, Azure SQL Database Managed Instance, and containers.
Migrate & Modernize Cont.
Re-Architect
• Modernize your app into a resilient, highly scalable, independently deployable architecture and use Azure to accelerate the process, scale applications with confidence, and manage your apps with ease.
• Modify or extend your application's code base to scale and optimize it for the cloud.
Rebuild
• Rebuild an application from scratch using cloud-native technologies (e.g. using PaaS for Dev & Deploy).
• With this cloud migration strategy, you manage the applications and services you develop, and Azure manages everything else.
Azure Infrastructure Services
Azure Compute services (Area: Azure service / AWS service. Description)
Virtual servers: Azure Virtual Machines / Elastic Compute Cloud (EC2) Instances. Virtual servers allow users to deploy, manage, and maintain OS and server software. Instance types provide combinations of CPU/RAM. Users pay for what they use with the flexibility to change sizes.
Container instances: Azure Container Service / EC2 Container Service (ECS). Azure Container Instances is the fastest and simplest way to run a container in Azure, without having to provision any virtual machines or adopt a higher-level orchestration service.
Microservices / container orchestrators: Azure Kubernetes Service (AKS) / Elastic Container Service for Kubernetes (EKS). Deploy orchestrated containerized applications with Kubernetes. Simplify monitoring and cluster management through auto upgrades and a built-in operations console.
Serverless: Azure Functions / Lambda. Integrate systems and run backend processes in response to events or schedules without provisioning or managing servers.
Scalability: Azure AutoScaling / AWS Auto Scaling. Lets you automatically change the number of instances providing a particular compute workload. You set defined metrics and thresholds that determine if the platform adds or removes instances.
Azure Storage Services (Area: Azure service / AWS service. Description)
Object storage: Azure Storage—Block Blob (for content logs, files) (Standard—Hot) / Simple Storage Services (S3). Object storage service, for use cases including cloud applications, content distribution, backup, archiving, disaster recovery, and big data analytics.
Virtual server disk infrastructure: Azure Storage Disk—Page Blobs, Azure Storage Disks—Premium Storage / Elastic Block Store (EBS). SSD storage optimized for I/O intensive read/write operations. For use as high performance Azure virtual machine storage.
Shared file storage: Azure Files (file share between VMs) / Elastic File System. Provides a simple interface to create and configure file systems quickly, and share common files. It’s shared file storage without the need for a supporting virtual machine, and can be used with traditional protocols that access files over a network.
Archiving—cool storage: Azure Storage—Standard Cool / S3 Infrequent Access (IA). Cool storage is a lower cost tier for storing data that is infrequently accessed and long-lived.
Archiving—cold storage: Azure Storage—Standard Archive / S3 Glacier. Archive storage has the lowest storage cost and higher data retrieval costs compared to hot and cool storage.
Bulk data transfer: Import/Export / AWS Import/Export Disk. A data transport solution that uses secure disks and appliances to transfer large amounts of data. Also offers
Azure Network Services (Area: Azure service / AWS service. Description)
Cloud virtual networking: Virtual Network / Virtual Private Cloud (VPC). Provides an isolated, private environment in the cloud. Users have control over their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables and network gateways.
Domain name system management: Azure DNS / Route 53. Manage your DNS records using the same credentials and billing and support contract as your other Azure services.
Content delivery network: Azure Content Delivery Network / CloudFront. A global content delivery network that delivers audio, video, applications, images, and other files.
Dedicated network: ExpressRoute / Direct Connect. Establishes a dedicated, private network connection from a location to the cloud provider (not over the Internet).
Load balancing: Load Balancer, Application Gateway / Classic/Network/Application Load Balancer. Automatically distributes incoming application traffic to add scale, handle failover, and route to a collection of resources.
Azure Security, identity, and access Services (Area: Azure service / AWS service. Description)
Authentication and authorization: Azure Active Directory, Azure Active Directory Premium / Identity and Access Management (IAM). Allows users to securely control access to services and resources while offering data security and protection. Create and manage users and groups, and use permissions to allow and deny access to resources.
Authentication and authorization: Azure Subscription and Service Management + Azure RBAC / AWS Organizations. Security policy and role management for working with multiple accounts.
Authentication and authorization: Multi-Factor Authentication / Multi-Factor Authentication. Helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of verification options, allowing users to choose the method they prefer.
Encryption: Key Vault / Key Management Service. Provides a security solution and works with other services by providing a way to manage, create, and control encryption keys stored in hardware security modules (HSM).
Firewall: Application Gateway Web Application Firewall / Web Application Firewall. A firewall that protects web applications from common web exploits. Users can define customizable web security rules.
Azure Security, identity, and access Services Cont. (Area: Azure service / AWS service. Description)
Security: Security Center / Inspector. An automated security assessment service that improves the security and compliance of applications. Automatically assess applications for vulnerabilities or deviations from best practices.
Security: App Service Certificates available on the Portal / Certificate Manager. Service that allows customers to create, manage and consume certificates seamlessly in the cloud.
Security: Azure DDoS Protection Service / AWS Shield. Provides cloud services with protection from distributed denial of service (DDoS) attacks.
Compliance: Service Trust Platform / AWS Artifact. Provides access to audit reports, compliance guides, and trust documents from across cloud services.
Account Management
Azure Account hierarchy
Departments
Accounts (http://aacount.azure.com)
Subscriptions (https://portal.azure.com)
Resource Groups
Resources
Azure Account hierarchy Cont.
Azure Resource Manager [ARM]
• Azure Resource Manager is the deployment and management service for Azure.
• Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
Virtual Machines
Virtual Machine (VM)
• Deployment
• Portability
• Ability to divide workloads
• Mobility
• Backups and disaster recovery
• A virtual machine (VM) is an operating system (OS) or application environment that is installed on software which imitates dedicated hardware.
Virtualization enables multiple operating systems to run on the same physical platform:
• Without VMs: A single OS owns all hardware resources.
• With VMs: Multiple OSes, each running in its own virtual machine, share hardware resources.
Azure Virtual Machine
• Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers.
• Gives the flexibility of virtualization without having to buy and maintain the physical hardware that runs it.
• Maintain the VM by performing tasks, such as configuring, patching, and installing the software that runs on it.
Use Cases: applications in the cloud; development and test; extended datacenter.
Virtual Machine Type (Type: Description)
General purpose: Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
Compute optimized: High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
Memory optimized: High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
Storage optimized: High disk throughput and IO, ideal for Big Data, SQL, NoSQL databases, data warehousing and large transactional databases.
GPU: Specialized virtual machines targeted for heavy graphic rendering and video editing, as well as model training and inferencing (ND) with deep learning. Available with single or multiple GPUs.
High performance compute: Our fastest and most powerful CPU virtual machines with optional high-throughput network interfaces (RDMA).
Name the VM
Regions: All Azure resources are created in an Azure region and subscription.
Segmentation: Create multiple virtual networks per subscription and per region. Create multiple subnets within each virtual network.
Security: Filter network traffic to and from resources in a virtual network using network security groups and network virtual appliances.
Connectivity: Connect a virtual network to other virtual networks using virtual network peering, or to your on-premises network, using an Azure VPN gateway.
• A virtual network is a virtual, isolated portion of the Azure public network. Each virtual network is dedicated to your subscription.
• A virtual network can be segmented into one or more subnets, up to the limits.
• A network security group contains several default security rules that allow or deny traffic to or from resources.
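To make the rule-processing point concrete, here is an added example (not from the deck or from Microsoft) that models how a network security group evaluates an inbound packet: custom and default rules are sorted by priority and the first match wins, so the default DenyAllInBound at priority 65500 is what applies to anything no explicit rule allowed. The three default inbound rules and their priorities are Azure's documented defaults; Rule, Packet, evaluate_inbound, the service-tag handling and the sample rules and packets are constructed for illustration and simplify the real matching (the VirtualNetwork and AzureLoadBalancer tags are modelled as flags on the packet rather than as address ranges).

```python
"""Model of inbound rule evaluation in an Azure network security group (NSG).

Added example (not from the original deck or from Microsoft). Rule, Packet,
evaluate_inbound and the sample data are constructed for illustration; the
three default inbound rules and their priorities are Azure's documented
defaults. Service tags are simplified to flags on the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = "*"
VIRTUAL_NETWORK_TAG = "VirtualNetwork"    # service tag: traffic from inside the VNet
LOAD_BALANCER_TAG = "AzureLoadBalancer"   # service tag: platform load-balancer probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; the lower number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, service tag or "*"
    dest_port: str       # "22", "80-443" or "*"
    protocol: str = ANY  # "Tcp", "Udp" or "*"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dest_port: int
    protocol: str
    from_vnet: bool = False           # constructed: source lies in the VNet address space
    from_load_balancer: bool = False  # constructed: source is the platform load balancer


# Default inbound rules present in every NSG; they cannot be removed, only
# overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", VIRTUAL_NETWORK_TAG, ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", LOAD_BALANCER_TAG, ANY),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY),
]


def _source_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.source == ANY:
        return True
    if rule.source == VIRTUAL_NETWORK_TAG:
        return pkt.from_vnet
    if rule.source == LOAD_BALANCER_TAG:
        return pkt.from_load_balancer
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source, strict=False)


def _port_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dest_port == ANY:
        return True
    low, _, high = rule.dest_port.partition("-")
    return int(low) <= pkt.dest_port <= int(high or low)


def _protocol_matches(rule: Rule, pkt: Packet) -> bool:
    return rule.protocol == ANY or rule.protocol.lower() == pkt.protocol.lower()


def evaluate_inbound(custom_rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule, in priority order, that matches the packet.
    Evaluation stops at the first match, as in a real NSG, so a custom Deny
    at priority 100 shadows any Allow with a higher number. Azure requires
    priorities to be unique within a direction, so the sort is unambiguous."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule, pkt) and _port_matches(rule, pkt) and _protocol_matches(rule, pkt):
            return rule
    raise AssertionError("DenyAllInBound matches everything, so this is unreachable")


def is_allowed(custom_rules: List[Rule], pkt: Packet) -> bool:
    return evaluate_inbound(custom_rules, pkt).access == "Allow"


# Constructed custom rules: SSH only from an admin range, HTTPS from anywhere.
SAMPLE_RULES = [
    Rule("AllowSshFromAdmins", 100, "Allow", "203.0.113.0/24", "22", "Tcp"),
    Rule("AllowHttpsInBound", 200, "Allow", ANY, "443", "Tcp"),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", 22, "Tcp"),
                Packet("198.51.100.7", 22, "Tcp"),
                Packet("198.51.100.7", 443, "Tcp"),
                Packet("10.0.1.4", 3389, "Tcp", from_vnet=True)):
        print(pkt.src_ip, pkt.dest_port, "->", evaluate_inbound(SAMPLE_RULES, pkt).name)
```

Two things the model makes visible that are easy to miss in the portal: the default AllowVnetInBound rule admits any traffic whose source is inside the virtual network (including peered networks) regardless of port, so east-west traffic between subnets is open until a custom Deny is added; and a packet reaching port 22 from outside the admin range is dropped not by an SSH-specific rule but by the catch-all DenyAllInBound.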
Virtual networks and virtual machines in Azure
You create these resources to support communication with a VM, either before you create the VM or as you create it:
• Virtual network and subnets
• Network interfaces
• IP addresses
Data types (diagram): structured data that adheres to a schema (database); semi-structured, non-relational data that is less organized (NoSQL, XML, JSON); unstructured, generally ambiguous data (documents, videos). Azure Storage is shown as managed and scalable.
Azure Storage services (storage account settings): Subscription, Location, Replication, Access tier, Secure transfer required, Virtual networks.
Azure Storage Account & Types
• An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks.
• Data in your Azure storage account is durable and highly available, secure, massively scalable, and accessible from anywhere in the world over HTTP or HTTPS.
General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables.
General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables.
Blob storage accounts: Blob-only storage accounts.
Max egress for general-purpose v2 and Blob storage accounts (all regions): 50 Gbps
Max egress for general-purpose v1 storage accounts (US regions): 20 Gbps if RA-GRS/GRS enabled, 30 Gbps for LRS/ZRS
Max egress for general-purpose v1 storage accounts (Non-US regions): 10 Gbps if RA-GRS/GRS enabled, 15 Gbps for LRS/ZRS
Azure standard storage accounts support higher limits for ingress by request
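The account settings listed earlier (replication, access tier, secure transfer required, virtual networks) and the account type are what a reviewer checks first on a storage account. The following added example (not from the deck) checks an account definition against a small baseline. The two accounts are constructed; their keys follow the property names of the Microsoft.Storage/storageAccounts resource as I know them (supportsHttpsTrafficOnly is the portal's "Secure transfer required" option, networkAcls its "Virtual networks" option, kind "Storage" is general-purpose v1 and "StorageV2" general-purpose v2), and check_storage_account is a name chosen here.

```python
"""Baseline check for an Azure storage account definition.

Added example (not from the original deck). WEAK_ACCOUNT and HARDENED_ACCOUNT
are constructed; their keys follow the property names of the
Microsoft.Storage/storageAccounts resource (supportsHttpsTrafficOnly is the
portal's "Secure transfer required" setting, networkAcls its "Virtual
networks" setting; kind "Storage" is general-purpose v1, "StorageV2" is
general-purpose v2). check_storage_account is a name chosen here.
"""
from typing import Any, Dict, List


def check_storage_account(account: Dict[str, Any]) -> List[str]:
    """Return one finding per baseline violation; an empty list is a pass.
    A missing property is treated as the older, permissive value it implies
    (for example no minimumTlsVersion is read as TLS1_0), which is how an
    exported template of an old account reads."""
    findings: List[str] = []
    props = account.get("properties", {})

    if account.get("kind") == "Storage":
        findings.append("general-purpose v1 (legacy) account; v2 is the basic account type")
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer not required: the account accepts plain HTTP")
    if props.get("minimumTlsVersion", "TLS1_0") != "TLS1_2":
        findings.append("minimumTlsVersion below TLS1_2")
    if props.get("allowBlobPublicAccess", True):
        findings.append("anonymous public blob access not disabled at account level")

    # "Virtual networks" setting: Deny by default and list the subnets / IP
    # ranges that may reach the account. Deny with no rules is a lock-out.
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("networkAcls.defaultAction is Allow: reachable from any network")
    elif not acls.get("virtualNetworkRules") and not acls.get("ipRules"):
        findings.append("defaultAction is Deny with no virtual network or IP rules: nothing can reach the account")
    return findings


# Constructed: an account created with the permissive choices.
WEAK_ACCOUNT = {
    "name": "legacystorage01",
    "kind": "Storage",
    "sku": {"name": "Standard_LRS"},
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "allowBlobPublicAccess": True,
        "networkAcls": {"defaultAction": "Allow"},
    },
}

# Constructed: the same account with the baseline applied. The subnet id is
# a placeholder, not a real resource id.
HARDENED_ACCOUNT = {
    "name": "hardenedstorage01",
    "kind": "StorageV2",
    "sku": {"name": "Standard_GRS"},
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "accessTier": "Hot",
        "networkAcls": {
            "defaultAction": "Deny",
            "virtualNetworkRules": [{"id": "/subscriptions/<SUBSCRIPTION-ID>/.../subnets/app"}],
        },
    },
}

if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], check_storage_account(acct) or ["baseline met"])
```

The lock-out case is deliberate: switching defaultAction to Deny without adding the application's subnet or IP rules is a common outage when the "Virtual networks" setting is tightened after the fact, so the check reports it as its own finding rather than treating Deny as automatically good.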
Blobs vs Files vs Disks
Blobs
Files
Disks
https://azure.microsoft.com/en-us/features/storage-explorer/
Create and access Azure Blob
DEMO
Identity and Access Management
Identity and Access management
• Legacy Active Directory: traditional LDAP directory functionality (domain join, group policy, LDAP, ..).
• Modern AD: a service built for the cloud; often the same directory as O365.
• Managed domain services: provides managed domain services that cloud resources can consume.
Azure Active Directory (AAD)
• Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.
• Azure AD helps your employees sign in and access resources in:
• External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
• Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed
by your own organization.
AAD Features
Enterprise Identity Solution: Create a single identity for users and keep them in sync across the enterprise.
Single Sign-On: Provides single sign-on access to applications and infrastructure services.
Azure Active Directory Basic: In addition to the Free features, Basic also provides cloud-centric app access, group-based access management, self-service password reset for cloud apps, and Azure AD Application Proxy, which lets you publish on-premises web apps using Azure AD.
Azure Active Directory Premium P1: In addition to the Free and Basic features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Azure Active Directory Premium P2: In addition to the Free, Basic, and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based conditional access to your apps and critical company data, and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
DEMO
Thanks