Cloud models

Access Azure Managed Identity (5 min Security Management Identity Azure), (no keys, con or pass)


Database options like Azure SQL Database, Azure Cosmos DB (NoSql), and Azure Table Storage (key/attribute store with a schemaless design)
Store and send messages, Azure Queues and Event Hubs (HTTP(S))
Store loose file with Azure Files and Azure Blobs

Azure Data Lake Storage. Azure Data Lake, based on Apache Hadoop, is designed for large data volumes and can store unstructured and structured data.

Access Azure Storage

During the development phase of your project, you might not want developers to incur additional costs by using Azure storage accounts. In those cases, you can use a locally based emulator. Storage Explorer supports two emulators: Azure Storage Emulator and Azurite.

Azure Storage Explorer – behandling av skylagring | Microsoft Azure

Authorize requests to Azure Storage

Authorize requests to Azure Storage (REST API) | Microsoft Docs

Data redundancy – Azure Storage | Microsoft Learn

Locally redundant storage (LRS) replicates your storage account three times within a single data center in the primary region. LRS provides at least 99.999999999% (11 nines) durability of objects over a given year.

Zone-redundant storage (ZRS) replicates your storage account synchronously across three Azure availability zones in the primary region. Each availability zone is a separate physical location with independent power, cooling, and networking. ZRS offers durability for storage resources of at least 99.9999999999% (12 9’s) over a given year.

ZRS provides excellent performance, low latency, and resiliency for your data if it becomes temporarily unavailable. However, ZRS by itself may not protect your data against a regional disaster where multiple zones are permanently affected. For protection against regional disasters, Microsoft recommends using geo-zone-redundant storage (GZRS), which uses ZRS in the primary region and also geo-replicates your data to a secondary region.

Abbreviation examples for Azure resources

Abbreviation examples for Azure resources – Cloud Adoption Framework | Microsoft Learn
ResourceAn entity that’s managed by Azure. Examples include Azure Virtual Machines, virtual networks, and storage accounts.
SubscriptionA logical container for your resources. Each Azure resource is associated with only one subscription. Creating a subscription is the first step in adopting Azure.
A customer’s agreement with Microsoft that enables them to obtain Azure services. The subscription pricing and related terms are governed by the offer chosen for the subscription.
Azure accountThe email address that you provide when you create an Azure subscription is the Azure account for the subscription.The party that’s associated with the email account is responsible for the monthly costs that are incurred by the resources in the subscription. When you create an Azure account, you provide contact information and billing details, like a credit card. You can use the same Azure account (email address) for multiple subscriptions. Each subscription is associated with only one Azure account.
Account administratorThe party associated with the email address that’s used to create an Azure subscription. The account administrator is responsible for paying for all costs that are incurred by the subscription’s resources.
Azure Active Directory (Azure AD)The Microsoft cloud-based identity and access management service. Azure AD allows your employees to sign in and access resources.
Azure AD tenantA dedicated and trusted instance of Azure AD. An Azure AD tenant is automatically created when your organization first signs up for a Microsoft cloud service subscription like Microsoft Azure, Intune, or Microsoft 365. An Azure tenant represents a single organization.
Azure AD directoryEach Azure AD tenant has a single, dedicated, and trusted directory. The directory includes the tenant’s users, groups, and applications. The directory is used to perform identity and access management functions for tenant resources. A directory can be associated with multiple subscriptions, but each subscription is associated with only one directory.
Resource groupsLogical containers that you use to group related resources in a subscription. Each resource can exist in only one resource group. Resource groups allow for more granular grouping within a subscription, and are commonly used to represent a collection of assets required to support a workload, application, or specific function within a subscription.
Management groupsLogical containers that you use for one or more subscriptions. You can define a hierarchy of management groups, subscriptions, resource groups, and resources to efficiently manage access, policies, and compliance through inheritance.
RegionAn area within a geo that does not cross national borders and contains one or more datacenters. Pricing, regional services, and offer types are exposed at the region level. A region is typically paired with another region, which can be up to several hundred miles away. Regional pairs can be used as a mechanism for disaster recovery and high availability scenarios. Also referred to as location.
A set of Azure datacenters that are deployed inside a latency-defined perimeter. The datacenters are connected through a dedicated, regional, low-latency network. Most Azure resources run in a specific Azure region.
ZoneAn Azure region is made up of multiple datacentres and each zone is made up of one or more datacentres. Each datacentre is equipped with independent power, cooling and networking.
API appAnother name for App Service app
App Service appThe compute resources that Azure App Service provides for hosting a website or web application, web API, or mobile app backend. App Service apps are also referred to as App Services, web apps, API apps, and mobile apps.
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
Azure App Service planAn App Service plan defines a set of compute resources for a web app to run. These compute resources are analogous to the server farm in conventional web hosting.
Each App Service plan defines:
Operating System (Windows, Linux)
Region (West US, East US, etc.)
Number of VM instances
Size of VM instances (Small, Medium, Large)
Pricing tier (Free, Shared, Basic, Standard, Premium, PremiumV2, PremiumV3, Isolated, IsolatedV2)
virtual machineVirtual Machines in Azure
Within Azure when you spin up a virtual machine it gives you an availability of either 95%, 99.5% or 99.9% depending on how you configure your disks with that virtual machine. When you think about it in monthly terms a 95% Service Level Agreement (SLA) allows for around one and half days downtime. For a lot of workload cases and organisations these availability numbers will be more than adequate. If you need more then that’s where Availability Zone and Sets can help.
virtual machine extensionA resource that implements behaviors or features that either help other programs work or provide the ability for you to interact with a running computer. For example, you could use the VM Access extension to reset or modify remote access values on an Azure virtual machine.
Availability Sets Availability Sets takes the virtual machine and configures multiple copies of it. Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.
A collection of virtual machines that are managed together to provide application redundancy and reliability. The use of an availability set ensures that during either a planned or unplanned maintenance event at least one virtual machine is available.
When you create your virtual machine you can specify the Availability Set, you can’t change it or move it in or out of an Availability Set after creation. If you wanted to make changes you would need to start again and recreate the virtual machine. And Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure.
Using an Availability Set takes your acceptable downtime to around 22minutes a month. Which is a vast improvement over the single virtual machine deployment.
Availability ZoneThe next level of availability for your virtual machines within Azure is Availability Zones.  With Availability Zones utilised your acceptable downtime a month moves to less than 5 minutes as you’ve got a 99.99% SLA.
With Availability Zones you are starting to use zone aware services. Your workload will be spread out across the different zones that make up an Azure region.  An Azure region is made up of multiple datacentres and each zone is made up of one or more datacentres.  Each datacentre is equipped with independent power, cooling and networking.
When do use them?There can be a few deciding factors around Availability Zones versus Availability Sets, you should be thinking about these questions when designing your workloads in Azure:
Are Availability Zones available in the region I want to use?
What SLA or availability does this workload really need? Make sure you really understand the business needs versus the wants.  Each configuration will offer you the following:
99.9% = Single VM (with Premium SSD or Ultra Disk)
99.95% = Availability Set
99.99% = Availability Zones
virtual machine scale setsAzure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads.
Virtual Machine Scale Sets is a free service, therefore, it does not have a financially backed SLA itself. However, if the Virtual Machine Scale Sets includes Virtual Machines in at least 2 Fault Domains, the availability of the underlying Virtual Machines SLA applies. See the Virtual Machines SLA for more details.
SLASLA for Virtual Machines
Updated: 11/2020

For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.

For all Virtual Machines that have two or more instances deployed in the same Availability Set or in the same Dedicated Host Group, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.

For any Single Instance Virtual Machine using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.

For any Single Instance Virtual Machine using Standard SSD Managed Disks for Operating System Disk and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.5%.
For any Single Instance Virtual Machine using Standard HDD Managed Disks for Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 95%.
fault domainThe collection of virtual machines in an availability set that can possibly fail at the same time. An example is a group of machines in a rack that share a common power source and network switch. In Azure, the virtual machines in an availability set are automatically separated across multiple fault domains.
geoThe process of automatically replicating content such as blobs, tables, and queues within a regional pair.
imageA file that contains the operating system and application configuration that can be used to create any number of virtual machines. In Azure there are two types of images:
VM image and OS image.
A VM image includes an operating system and all disks attached to a virtual machine when the image is created.
An OS image contains only a generalized operating system with no data disk configurations.
limitsThe number of resources that can be created or the performance benchmark that can be achieved. Limits are typically associated with subscriptions, services, and offerings.
load balancerA resource that distributes incoming traffic among computers in a network. In Azure, a load balancer distributes traffic to virtual machines defined in a load-balancer set. A load balancer can be internet-facing, or it can be internal.
mobile appAnother name for App Service App.
Resource Manager templateA JSON file that declaratively defines one or more Azure resources and that defines dependencies between the deployed resources. The template can be used to deploy the resources consistently and repeatedly.
Role / RBACK /ADA means for controlling access that can be assigned to users, groups, and services. Roles are able to perform actions such as create, manage, and read on Azure resources.
Azure AD Admin roles are used to manage resources in Azure AD, such as users, groups, and domains.
Azure RBAC roles provide more fine-grained access management to Azure resources.
service level agreement (SLA)The agreement that describes Microsoft’s commitments for uptime and connectivity. Each Azure service has a specific SLA.
shared access signature (SAS)A signature that enables you to grant limited access to a resource, without exposing your account key. For example, Azure Storage uses SAS to grant client access to objects such as blobs. IoT Hub uses SAS to grant devices permission to send telemetry.
storage accountAn account that gives you access to the Azure Blob, Queue, Table, and File services in Azure Storage. The storage account name defines the unique namespace for Azure Storage data objects.
tagAn indexing term that enables you to categorize resources according to your requirements for managing or billing. When you have a complex collection of resources, you can use tags to visualize those assets in the way that makes the most sense. For example, you could tag resources that serve a similar role in your organization or belong to the same department.
TenantA tenant is a group of users or an organization that share access with specific privileges to an instance of a product, service, or application. In Azure Active Directory a tenant is an instance of Azure Active Directory that an organization receives when it signs up for a cloud application like Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants. Multitenancy refers to an instance of an application shared by multiple organizations, each with separate access to the instance.
update domainThe collection of virtual machines in an availability set that are updated at the same time. Virtual machines in the same update domain are restarted together during planned maintenance. Azure never restarts more than one update domain at a time. Also referred to as an upgrade domain.
virtual networkA network that provides connectivity between your Azure resources that is isolated from all other Azure tenants. An Azure VPN Gateway lets you establish connections between virtual networks and between a virtual network and an on-premises network. You can fully control the IP address blocks, DNS settings, security policies, and route tables within a virtual network.
Web appAnother name for App Service App.
Virtual NetworkVNet is similar to a traditional network that you’d operate in your own data center, but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
Communicate with the internetAll resources in a VNet can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use public IP or public Load Balancer to manage your outbound connections.
Communicate between Azure resourcesAzure resources communicate securely with each other in one of the following ways:
Through a virtual networkThrough a virtual network: You can deploy VMs, and several other types of Azure resources to a virtual network, such as Azure App Service Environments, the Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets.
Through a virtual network service endpointExtend your virtual network private address space and the identity of your virtual network to Azure service resources, such as Azure Storage accounts and Azure SQL Database, over a direct connection. Service endpoints allow you to secure your critical Azure service resources to only a virtual network.
Through VNet PeeringYou can connect virtual networks to each other, enabling resources in either virtual network to communicate with each other, using virtual network peering. The virtual networks you connect can be in the same, or different, Azure regions.
Communicate with on-premises resourcesYou can connect your on-premises computers and networks to a virtual network using any combination of the following options:
Point-to-site virtual private network (VPN)Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its connection. This connection type is great if you’re just getting started with Azure, or for developers, because it requires little or no changes to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet.
Site-to-site VPNEstablished between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.
Azure ExpressRouteEstablished between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet.
Filter network trafficYou can filter network traffic between subnets using either or both of the following options:
Network security groupsNetwork security groups and application security groups can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Network virtual appliancesA network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or other network function.

Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

You can probably imagine how NSG rules can become difficult to manage in large environments that contain multiple subnets and virtual machines.
This is where Application Security Groups (ASGs) come to the rescue. An ASG is a logical grouping of virtual machines that allows you to apply security rules at scale.
For example, if you have a group of VM’s serving a web application, the VM’s can be placed in an ASG called “webappvms”. The webappvms group can then be added to a rule within an NSG allowing HTTP (TCP) traffic over port 80.

An NSG is a firewall, albeit a very basic one. It’s a software defined solution that filters traffic at the Network layer.

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.
Application Security Group is an object reference within a Network Security Group.
This provides the capability to group VMs into associated groups or workloads, simplifying the NSG rule definition process. Another great use of this is for scalability, creating the virtual machine and assigning the newly created virtual machine to its ASG will provide it with all the NSG rules in place for that specific ASG – zero distribution to your service!
Azure Firewall

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It’s a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

Azure Firewall Standard
Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains which are updated in real time to protect against new and emerging attacks.

Azure Firewall Premium
Azure Firewall Premium provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can includes byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 58,000 signatures in over 50 categories which are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.

Azure Firewall and NSG in ConjuctionNSGs and Azure Firewall work very well together and are not mutually exclusive or redundant. You typically want to use NSGs when you are protecting network traffic in or out of a subnet. An example would be a subnet that contains VMs that require RDP access (TCP over 3389) from a Jumpbox.
Azure Firewall is the solution for filtering traffic to a VNet from the outside. For this reason, it should be deployed in it’s own VNet and isolated from other resources. Azure Firewall is a highly available solution that automatically scales based on its workload. Therefore, it should be in a /26 size subnet to ensure there’s space for additional VMs that are created when it’s scaled out.
Exercise – Create and deploy an Azure Resource Manager template – Learn | Microsoft Docs
“$schema”: “”,
“contentVersion”: “”,
“parameters”: {},
“functions”: [],
“variables”: {},
“resources”: [],
“outputs”: {}
Explore the Azure Resource Manager template parametersIn the parameters section of the template, you specify which values you can input when deploying the resources. The available properties for a parameter are:
{ “<parameter-name>” :
{ “type” : “<type-of-parameter-value>”,
“defaultValue”: “<default-value-of-parameter>”,
“allowedValues”: [ “<array-of-allowed-values>” ],
“minValue”: <minimum-value-for-int>,
“maxValue”: <maximum-value-for-int>,
“minLength”: <minimum-length-for-string-or-array>,
“maxLength”: <maximum-length-for-string-or-array-parameters>,
“metadata”: { “description”: “<description-of-the parameter>” } } }

Example with function, param and outputAdd a resource to the ARM template
In the azuredeploy.json file in Visual Studio Code, place your cursor inside the brackets in the resources block “resources”:[],.
Enter storage inside the brackets. A list of related snippets appears. Select arm-storage.
ARM template parameters
In the azuredeploy.json file in Visual Studio Code, place your cursor inside the braces in the parameters attribute. “parameters”:{},
Select Enter, and then enter par. You see a list of related snippets. Choose arm-param.
The syntax is [parameters(‘name of the parameter’)]
Add another parameter to limit allowed values

    “$schema”: “”,
    “contentVersion”: “”,
    “parameters”: {  // type arm + enter for a new parameter1
        // storage name will in this case come from input, ps1 script
        “storageName”: {
            “type”: “string”,
            “metadata”: {
                “description”: “description”
    // storage sku will in this case come from input, ps1 script
    “storageSKU”: {
        “type”: “string”,
   “defaultValue”: “Standard_LRS”,
   “allowedValues”: [
    “functions”: [],
    “variables”: {},
    “resources”: [{
        // here we pass the input from parameters
        “name”: “[parameters(‘storageName’)]”,
        “type”: “Microsoft.Storage/storageAccounts”,
        “apiVersion”: “2021-04-01”,
        “tags”: {
            “displayName”: “[parameters(‘storageName’)]”
        “location”: “[resourceGroup().location]”,
        “kind”: “StorageV2”,
        “sku”: {
            “name”: “[parameters(‘storageSKU’)]”,
            “tier”: “Premium”
    “outputs”: {
        “storageEndpoint”: {
            “type”: “object”,
            // here we pass the input from parameters as reference
            “value”: “[reference(parameters(‘storageName’)).primaryEndpoints]”
Review QuickStart templatesHurtigstartmaler for Azure (
ARM templates support // and /* */ comments.
ARM deploy$templateFile = “./azuredeploy.json”
$ran = Get-Random -Maximum 100
$deployName = “buildTest” + $ran + $ran
Write-Host “Running deploy: ” $deployName
$rg = ‘learn-af1fd9f8-de1d-4048-a20a-48904672560b’
New-AzResourceGroupDeployment -Name $deploymentName `
  -ResourceGroupName $rg `
  -TemplateFile $templateFile `
  -storageName “espenklei12” `
  -storageSKU “Standard_GRS” -Verbose