Last updated on October 5, 2020
A region is a geographical area containing one or more datacenters.
Azure subscription: a logical unit of Azure services linked to an account. Billing is per subscription, and the subscription is also a boundary for organizing access to services.
Azure accounts: an account is an identity in Azure AD. Account/offer types: enterprise agreement, reseller, partner, personal. A free account is not charged until you upgrade it.
Cost management: pay for what you use, monitor and control spending, and optimize resource use.
Tags are Name:Value pairs (Environment: Test etc.). With tags you can retrieve every resource in the subscription that carries a given tag name and value; for many tags or many resources, use PowerShell or the CLI. Tag names are case-insensitive but tag values are case-sensitive, so 'test' and 'Test' are different values.
- Reservations: pre-pay for 1 or 3 years of VM or SQL Database capacity and get a discount on those resources.
- Azure Hybrid Benefit: existing on-premises Windows Server / SQL Server licenses with Software Assurance can be applied when migrating to Azure, lowering the price. There is a calculator for this.
- Regions: the price of the same service can differ from region to region.
- Budgets: plan and track cost over time, and monitor it (alerts fire when a spend threshold is reached).
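The tag lookup described above, as an added example (not part of the original notes): it lists every resource in the current subscription tagged Environment=Test, summarizes them by resource type, and merges in a second tag on the ones that lack it. It assumes the Az.Resources module is installed and Connect-AzAccount has been run; the tag names and values are placeholders chosen for illustration.

```powershell
# Added example, not from the original notes. Assumes Az.Resources and an active
# Connect-AzAccount session; tag names/values below are illustrative placeholders.
$tagName  = 'Environment'
$tagValue = 'Test'

# Get-AzResource filters server-side on a single tag name/value pair.
# Tag values are case-sensitive in Azure: 'test' would not match 'Test'.
$testResources = Get-AzResource -TagName $tagName -TagValue $tagValue

'{0,-40} {1,-45} {2}' -f 'Name', 'Type', 'Resource group'
foreach ($r in $testResources) {
    '{0,-40} {1,-45} {2}' -f $r.Name, $r.ResourceType, $r.ResourceGroupName
}

# Quick roll-up: how many tagged resources of each type
$testResources | Group-Object ResourceType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Add a CostCenter tag where it is missing. -Operation Merge keeps the tags already
# on the resource; -Operation Replace would drop every tag not in the hashtable.
foreach ($r in $testResources) {
    if (-not $r.Tags -or -not $r.Tags.ContainsKey('CostCenter')) {
        Update-AzTag -ResourceId $r.ResourceId -Tag @{ CostCenter = 'Lab' } -Operation Merge | Out-Null
        "Tagged $($r.Name) with CostCenter=Lab"
    }
}
```

Get-AzResource only accepts one TagName/TagValue pair per call; to query on several tags at once, pass a hashtable to its -Tag parameter or filter the result with Where-Object.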
If a company has many subscriptions, management groups provide a management level above the subscriptions: subscriptions are organized into containers (groups), and governance is applied to the group.
- Align the hierarchy of groups with the organization
- Policies and budgets applied across subscriptions, with inheritance down to the subscriptions and resources below
- Cost reporting and compliance across the group
Azure Policy: service for creating, assigning and managing rules over resources, so that resources stay compliant with corporate standards and SLAs.
- Built-in or custom policy definitions; evaluated when a resource is created or updated (deny blocks the request) and again in periodic compliance scans
- Assign at management group, subscription or resource group scope; group several policies into an initiative; exclude sub-scopes from an assignment
- A policy can be stopped at any time by removing its assignment, and non-compliant resources can be remediated
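The management-group and policy workflow above, as an added example that is not part of the original notes: it creates a management group, moves a subscription into it, authors a custom policy definition at that scope, assigns it with one resource group excluded, and reads back non-compliant resources. It assumes the Az.Resources and Az.PolicyInsights modules, a signed-in account with rights on the tenant root group, and that the group name, subscription ID and excluded resource group are placeholders.

```powershell
# Added example, not from the original notes. Assumes Az.Resources + Az.PolicyInsights
# and an active Connect-AzAccount session. All names and IDs below are placeholders.
$mgName   = 'mg-corp-test'
$subId    = '00000000-0000-0000-0000-000000000000'            # placeholder subscription id
$excluded = "/subscriptions/$subId/resourceGroups/rg-legacy"   # placeholder RG to exclude

# 1. Management group under the tenant root; anything assigned here is inherited
#    by every subscription placed in it.
$mg = New-AzManagementGroup -GroupName $mgName -DisplayName 'Corp test workloads'
New-AzManagementGroupSubscription -GroupName $mgName -SubscriptionId $subId

# 2. Custom policy rule: deny any resource whose location is not in the allowed list.
#    (A built-in "Allowed locations" policy exists; this shows the rule shape.)
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations" }
  }
}
'@
$def = New-AzPolicyDefinition -Name 'deny-nonapproved-regions' `
    -DisplayName 'Deny resources outside approved regions' `
    -Policy $rule -Parameter $params -Mode All `
    -ManagementGroupName $mgName

# 3. Assign at management-group scope; -NotScope carves out one resource group.
New-AzPolicyAssignment -Name 'regions-corp-test' -PolicyDefinition $def `
    -Scope $mg.Id -NotScope $excluded `
    -PolicyParameterObject @{ allowedLocations = @('westeurope', 'northeurope') }

# 4. Compliance state is produced by periodic scans, not at assignment time:
#    trigger a scan, then query what is non-compliant under the group.
Start-AzPolicyComplianceScan
Get-AzPolicyState -ManagementGroupName $mgName -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, Timestamp

# Stopping the policy is removing the assignment; the definition stays for reuse.
# Remove-AzPolicyAssignment -Name 'regions-corp-test' -Scope $mg.Id
```

The deny effect only blocks new create/update requests; resources that already violate the rule show up as non-compliant in the scan results and are not changed.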
Role-based access control (RBAC)
RBAC manages who has access to resources and what actions they can perform.
Azure RBAC is built on Azure Resource Manager authorization.
Examples: allow an application or user access to all resources in a resource group; allow one user to create VMs and another to create vnets; let a DBA manage SQL databases.
The concepts are
- Security principal: the object (user, group, service principal, managed identity) requesting access
- Role definition: a set of permissions (read, write, delete, etc.). It is a JSON document with the properties Name, Id, Description, Actions, NotActions and AssignableScopes; Actions lists operations as provider/resourceType/operation strings, NotActions subtracts from them.
- Scope: the level the access applies to: management group, subscription, resource group or individual resource. Access granted at a higher level is inherited by the levels below it.
- Assignment: attaching a role definition to a security principal (user, group, service principal or managed identity) for a selected scope. Access is granted by creating assignments, which itself requires the Microsoft.Authorization/roleAssignments/write permission (held by Owner and User Access Administrator).
- The "*" wildcard in Actions matches all operations; the scope "/" is the root, i.e. everything in the tenant.
Azure RBAC vs Azure AD roles
- Classic subscription administrator roles (Account Administrator, Service Administrator, Co-Administrator)
- Azure RBAC roles
- Azure AD administrator roles
Azure RBAC roles control permissions to manage Azure resources; Azure AD administrator roles control permissions on Azure Active Directory resources (users, groups, applications). Having one does not imply the other.
NB: the classic subscription administrator roles should not be used when working with Azure Resource Manager; use RBAC instead.
- Owner: full access to all resources, and can delegate access to others (create role assignments)
- Contributor: create and manage all types of resources, but cannot grant access to others
- Reader: view all resources, no changes
- User Access Administrator: manage user access to Azure resources (role assignments) only
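The role-definition and assignment concepts above, worked through as an added example that is not part of the original notes: it writes a custom role definition JSON, creates the role, verifies the operation strings against the provider, assigns the role to a group at resource-group scope, and prints the Actions/NotActions of the four built-in roles listed above. It assumes the Az.Resources module, a signed-in Owner or User Access Administrator, and that the subscription ID, resource group and group object ID are placeholders.

```powershell
# Added example, not from the original notes. Assumes Az.Resources and an active
# Connect-AzAccount session as Owner/User Access Administrator. IDs are placeholders.
$subId   = '00000000-0000-0000-0000-000000000000'           # placeholder subscription id
$rgScope = "/subscriptions/$subId/resourceGroups/rg-app"    # placeholder resource group

# Role definition: Actions are provider/resourceType/operation strings ("*" matches all),
# NotActions subtracts from Actions, AssignableScopes limits where the role can be assigned.
# This role lets an operator read, start, stop and restart VMs, but not delete them.
$roleJson = @"
{
  "Name": "VM Operator (custom)",
  "Description": "Start, stop and restart VMs; no delete, no network changes",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-operator.json'
Set-Content -Path $roleFile -Value $roleJson
$role = New-AzRoleDefinition -InputFile $roleFile

# Every operation string must be a real provider operation; list the VM actions
# the provider exposes so typos in Actions are caught before anyone relies on the role.
Get-AzProviderOperation 'Microsoft.Compute/virtualMachines/*' |
    Where-Object { $_.Operation -like '*/action' } |
    Select-Object Operation, Description

# Assignment = security principal + role definition + scope.
# -ObjectId is the Azure AD object id of a user, group, service principal or managed identity.
$groupObjectId = '11111111-1111-1111-1111-111111111111'    # placeholder AAD group
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $role.Name -Scope $rgScope

# Verify what the group holds at this scope (includes assignments inherited from above).
Get-AzRoleAssignment -ObjectId $groupObjectId -Scope $rgScope |
    Select-Object RoleDefinitionName, Scope, ObjectType

# The built-in roles from the notes: Owner and Contributor both use "*" in Actions;
# Contributor's NotActions is what removes the right to delegate access.
foreach ($n in 'Owner', 'Contributor', 'Reader', 'User Access Administrator') {
    $d = Get-AzRoleDefinition -Name $n
    '{0}: Actions={1}; NotActions={2}' -f $d.Name, ($d.Actions -join ','), ($d.NotActions -join ',')
}
```

Because the custom role's AssignableScopes is the subscription, an attempt to assign it in another subscription fails; widen the list only as far as the role is genuinely needed.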