Differences

This shows you the differences between two versions of the page.

--- cloud:azure [2024/04/27 16:11] – skipidar
+++ cloud:azure [2024/07/22 20:15] (current) – [IAM and Role Based Access Control] skipidar
@@ Line 22: / Line 22: @@
-==== Azure function ====
-=== Azure functions in Azure Portal ===
-The runtime
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/Hgmm9qaqwh.png}}
-The trigger and code.
-Only available after uploading the code into the function, via
-''az functionapp deployment source config-zip -g $resourceg -n $functionname --src app.zip''
-which uploads the ''app.zip'' into the associated blob-container,
-from where it automatically is executed by the azure_function.
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/y8RhZMDYCe.png}}
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/8TPkU8gbcT.png}}
-Here the function ''http_trigger'' was recognized.
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/KAkOMqgCRq.png}}
-The Function URL
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/bYSSoOXd9R.png}}
-The URL response
-{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/TRJIKVCUQ4.png}}
-=== Limitations of Azure functions ===
-   * Azure functions - are NOT only serverless.
-     * You can choose a premium subscription and deploy your **Azure function**  as an always running instance into your network
-     * You CAN'T use a serverless function - in a private network
-   * You **CAN'T have multiple triggers** for a function. ONly one of
-     * http_trigger
-     * Blob trigger
-     * CosmosDB trigger
-     * EventHub trigger
-     * Queue trigger
-     * ServiceBus Queue trigger
-     * ServiceBus Topic trigger
-     * Timer Trigger
-=== Serverless Azure functions ===
-https://learn.microsoft.com/en-us/azure/azure-functions/functions-proxies
-=== Python linux functions ===
-https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-cli-python?tabs=linux%2Cbash%2Cazure-cli%2Cbrowser
-Run like https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-cli-python?tabs=linux%2Cbash%2Cazure-cli%2Cbrowser#run-the-function-locally
-<sxh shell>
-func start
-</sxh>
-IN general read about developing locally:
-https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-local
 ==== Azure Messaging services ====
@@ Line 177: / Line 110: @@
+==== Azure API Management ====
+=== Policies ===
+  * Intro https://www.svenmalvik.com/azure-apim-policies/
+  * Example https://learn.microsoft.com/en-us/azure/api-management/api-management-policies
+=== Evaluation order ===
+Policies are **executed sequentially** based on their placement within the policy configuration.
 ==== Network ====
@@ Line 194: / Line 140: @@
 https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
 {{https://learn.microsoft.com/en-us/azure/load-balancer/media/load-balancer-overview/load-balancer.png}}
+==== Azure Data Ops ====
+Data Management Landing Zone:
+{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-management-overview.png#lightbox}}
+Source:
+https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-management-landing-zone
+) Data Landing Zone:
+{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-landing-zone-2.png#lightbox}}
+Source:
+https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-landing-zone
+==== IAM and Role Based Access Control ====
+see
+https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/6-role-based-access-control
+{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/vKOYaMe0Ce.png}}
+Azure Custom Roles:
+  * https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-example
+IAM and Role Based Access Control
+<sxh java>
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Allows for send access to Azure Service Bus resources.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.ServiceBus/*/queues/read",
+        "Microsoft.ServiceBus/*/topics/read",
+        "Microsoft.ServiceBus/*/topics/subscriptions/read"
+      ],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.ServiceBus/*/send/action"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Azure Service Bus Data Sender",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+</sxh>
+Custom role, which allows to assign roles to Azure API Managers.
+<sxh java>
+{
+  "Name": "APIM Role Assignment Manager",
+  "IsCustom": true,
+  "Description": "Allows managing role assignments for Azure API Management",
+  "Actions": [
+    "Microsoft.Authorization/*/write",
+    "Microsoft.Authorization/*/delete"
+  ],
+  "NotActions": [],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ApiManagement/service/<apim-service-name>"
+  ]
+}
+</sxh>