Differences

This shows you the differences between two versions of the page.

--- cloud:azure [2024/03/17 15:47] – skipidar
+++ cloud:azure [2024/07/22 20:15] (current) – [IAM and Role Based Access Control] skipidar
@@ Line 22: / Line 22: @@
-==== Azure function ====
-=== Azure functions in Azure Portal ===
+==== Azure Messaging services ====
-The runtime
+Intro
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/Hgmm9qaqwh.png}}
+https://learn.microsoft.com/en-us/azure/architecture/aws-professional/messaging
+^AWS service	^Azure service ^
+|Simple Queue Service (SQS) | QUEUE |
+|Simple Notification Service (SNS) |	Service Bus |
+|Amazon EventBridge |	Event Grid |
+|Amazon Kinesis |	Event Hubs |
+|Amazon MQ |	Service Bus |
-The trigger and code.
+==== Azure physical infrastructure ====
-Only available after uploading the code into the function, via
-''az functionapp deployment source config-zip -g $resourceg -n $functionname --src app.zip''
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/KAkOMqgCRq.png}}
-The Function URL
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/bYSSoOXd9R.png}}
-The URL response
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/TRJIKVCUQ4.png}}
-=== Limitations of Azure functions ===
-   * Azure functions - are NOT only serverless.
-     * You can choose a premium subscription and deploy your **Azure function**  as an always running instance into your network
-     * You CAN'T use a serverless function - in a private network
-   * You **CAN'T have multiple triggers** for a function. ONly one of
-     * http_trigger
-     * Blob trigger
-     * CosmosDB trigger
-     * EventHub trigger
-     * Queue trigger
-     * ServiceBus Queue trigger
-     * ServiceBus Topic trigger
-     * Timer Trigger
-=== Azure physical infrastructure ===
 https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure
@@ Line 112: / Line 84: @@
-=== ESXi  ===
+==== ESXi  ====
 Bare Metal Hypervisor
@@ Line 124: / Line 96: @@
-=== Virtual SAN (vSAN) ===
+==== Virtual SAN (vSAN) ====
 VMware vSAN ist eine Storage-Virtualisierungssoftware für Unternehmen, die Hyper-Converged Infrastructure (HCI) unterstützt.
@@ Line 138: / Line 110: @@
-=== Network ===
+==== Azure API Management ====
+=== Policies ===
+  * Intro https://www.svenmalvik.com/azure-apim-policies/
+  * Example https://learn.microsoft.com/en-us/azure/api-management/api-management-policies
+=== Evaluation order ===
+Policies are **executed sequentially** based on their placement within the policy configuration.
+==== Network ====
 == public / private subnets ==
@@ Line 155: / Line 140: @@
 https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
 {{https://learn.microsoft.com/en-us/azure/load-balancer/media/load-balancer-overview/load-balancer.png}}
+==== Azure Data Ops ====
+Data Management Landing Zone:
+{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-management-overview.png#lightbox}}
+Source:
+https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-management-landing-zone
+) Data Landing Zone:
+{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-landing-zone-2.png#lightbox}}
+Source:
+https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-landing-zone
+==== IAM and Role Based Access Control ====
+see
+https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/6-role-based-access-control
+{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/vKOYaMe0Ce.png}}
+Azure Custom Roles:
+  * https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-example
+IAM and Role Based Access Control
+<sxh java>
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Allows for send access to Azure Service Bus resources.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.ServiceBus/*/queues/read",
+        "Microsoft.ServiceBus/*/topics/read",
+        "Microsoft.ServiceBus/*/topics/subscriptions/read"
+      ],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.ServiceBus/*/send/action"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Azure Service Bus Data Sender",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+</sxh>
+Custom role, which allows to assign roles to Azure API Managers.
+<sxh java>
+{
+  "Name": "APIM Role Assignment Manager",
+  "IsCustom": true,
+  "Description": "Allows managing role assignments for Azure API Management",
+  "Actions": [
+    "Microsoft.Authorization/*/write",
+    "Microsoft.Authorization/*/delete"
+  ],
+  "NotActions": [],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ApiManagement/service/<apim-service-name>"
+  ]
+}
+</sxh>