Azure Cloud Architect
This course explores some of the most important management tools in Azure and how they can be used to monitor your workloads, maintain security, track and audit deployments, spot errors with the Azure platform, and more.
When you sign up for an Azure account, Microsoft creates both a billing account and a subscription. It’s easy to get the two mixed up because they’re both involved in billing. A billing account is an agreement you or your organization sign to use Microsoft services. A subscription is actually just a collection of Azure resources, but all of the resources in a subscription are on the same monthly bill, so it’s also a unit of billing.
So why do you need to have both a billing account and a subscription? Well, you might want to have multiple subscriptions in your billing account. Since each subscription generates a separate invoice, it can be useful to have a separate subscription for each department in your organization. Also, since the resources in different subscriptions are isolated from each other, you might want to have multiple subscriptions for security or compliance reasons.
Like a subscription, a resource group is a collection of resources. But a subscription can have multiple resource groups, so it’s a way of further grouping the resources within a subscription.
There are a variety of ways to divide resources into resource groups, but a best practice is to group related resources together, such as a VM and its associated storage account. Generally speaking, the resources in a group should be created and deleted at the same time, which makes sense if they’re components that work together to provide a solution.
Building a solution is one thing, but making sure it continues to run properly and cost-efficiently is another. And, of course, you also need to make sure everything is secure and compliant. Fortunately, Microsoft has lots of services to help you with these tasks, too.
Azure Monitor is your one-stop-shop for keeping track of what’s happening with your Azure resources. It’s a collection of a variety of monitoring tools. Remember when I mentioned Application Insights in the last lesson? That’s actually just one component of Azure Monitor. Another is Log Analytics, which lets you run complex queries on multiple logs collected from your Azure resources.
But the core features of Azure Monitor are metrics and alerts. Metrics are basically statistics on various aspects of your resources, such as CPU usage on virtual machines and space used on Blob Storage. Azure Monitor creates graphs showing how these metrics have changed over time. It can also watch critical metrics you specify and send you an alert if there’s a problem. For example, it could text you if a database is overwhelmed by a sudden spike in activity.
Microsoft also provides a dashboard called Service Health where you can find out about problems with the Azure platform itself as well as upcoming maintenance events. You can even create alerts so you’ll be notified of both planned and unplanned outages.
Speaking of outages, it’s always a good idea to have backups of your critical resources to help recover from service failures. Most Azure services, such as Cosmos DB, have their own built-in backup capabilities. Azure VMs are a little different because you back them up using a service called Azure Backup. Surprisingly, you can even use this service to back up your on-premises systems.
Even if you’re doing a good job of maintaining your Azure systems, you might still be able to make some improvements. Microsoft provides a very helpful service called Azure Advisor that will not only suggest ways to improve the performance and availability of your applications, but it will even suggest ways to reduce your costs. For example, if it finds underutilized virtual machines, it will recommend that you use smaller (and less expensive) VMs to perform the same tasks.
Azure Advisor also provides security recommendations. It actually gets these recommendations from an important service called Microsoft Defender for Cloud, which was formerly known as Azure Security Center. So if you want to get more details, that’s the place to go. It’s a dashboard that gathers security information from resources across your subscriptions and assesses your vulnerabilities.
First, it shows you your secure score, which is an assessment of how secure your Azure resources are. You can click on it to see a list of recommendations to improve the security of your compute, storage, networking, and identity resources. Each recommendation shows you how much your secure score would be improved if you were to implement the recommendation. You don’t have to implement these recommendations, but it’s usually a good idea.
Then it shows you how well the resources in your Azure subscriptions meet regulatory compliance standards. By default, it will measure your compliance with a set of policies called the Azure Security Benchmark. You can customize these default policies if you want, or you can create your own custom policies from scratch in a service called, naturally, Azure Policy. For example, you could create a policy saying that all storage resources must reside in the European Union, and then if someone in your organization created a storage resource outside of the EU, it would show up in this compliance panel. You can also add other regulatory compliance standards, such as ISO 27001.
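Here is what that EU storage policy looks like as an Azure Policy definition. This is an added example, not material from the course: the display name, the parameter name allowedLocations and the list of EU regions are my choices, and the "audit" effect matches the lesson's behaviour of flagging non-compliant resources in the compliance panel rather than blocking them (changing it to "deny" would refuse the deployment instead).

```json
{
  "properties": {
    "displayName": "Storage accounts must reside in the European Union",
    "description": "Flags any storage account whose region is not in the allowedLocations list.",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed EU regions",
          "strongType": "location"
        },
        "defaultValue": [
          "westeurope",
          "northeurope",
          "francecentral",
          "germanywestcentral",
          "swedencentral"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
```

Once the definition is saved, it only takes effect after you assign it to a management group, subscription or resource group; until then nothing is evaluated.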
Finally, the Workloads protection panel shows you how many security alerts you have. These are potential threats that were detected by Microsoft Threat Intelligence. You can click on it to see the actual alerts so you can address them.
Be aware that only secure score and its recommendations are free. To get the other features, you need to enable enhanced security. This’ll give you lots of additional features as well. One really important feature is the ability to add your on-premises environments to the set of resources that are protected. Another enhanced feature is called just-in-time VM access. This blocks access to a virtual machine until an administrator allows specific users or IP addresses to get in for a limited period of time.
Once you’re happy with a particular configuration for a resource, such as a virtual machine, you’ll probably want to create nearly identical resources in a more automated way. The solution is something called an ARM template. ARM is short for Azure Resource Manager.
First, you create an ARM template that specifies all of the configuration details for one or more resources. For example, suppose you create an ARM template for a specific VM configuration. Then, whenever you need to create a VM with those characteristics, you can just run a certain command using that template, and voila, it takes care of all of the details for you. The best part is that Microsoft makes it really easy to create an ARM template. All you have to do is go to an existing resource that has the configuration you want and select “Export template” from the menu.
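As an added example (not a template exported from the course's own VM), this is a minimal ARM template for a storage account, which is small enough to read in full; a VM template exported from the portal follows the same parameters/resources/outputs layout but also carries the NIC, virtual network and disk resources. The parameter names and the HTTPS-only, TLS 1.2 and no-public-blob-access settings are my choices.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "minLength": 3,
      "maxLength": 24,
      "metadata": { "description": "Globally unique, lowercase letters and digits only." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Defaults to the resource group's region." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    }
  ],
  "outputs": {
    "storageAccountId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    }
  }
}
```

Saved as template.json, it deploys with `az deployment group create --resource-group <your-rg> --template-file template.json --parameters storageAccountName=<your-name>`, and the same file can be reused for every copy you need.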
An even more powerful tool is Azure Blueprints, which lets you automate the deployment of entire Azure environments. A blueprint is a collection of ARM templates plus a few other details, such as policies and user permissions. When a blueprint is assigned to a subscription, it not only automates the creation of an environment, but it also keeps a record of the deployment. This makes it a critical governance tool because it enables the tracking and auditing of deployments.
We’ve covered a lot of Azure management tools, and that’s not even all of them. You can rest assured that Microsoft has the services you need to manage your Azure infrastructure.
Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).