===== Azure =====

==== Login on Console ====

To execute console commands, do:

<code bash>
# login
az login
az account set --subscription a1a96cc4-4aa4-4c58-a53d-808b88bb4fb4
az account tenant list
az account show

# logout
az account clear
</code>

==== Azure Messaging services ====

Intro https://learn.microsoft.com/en-us/azure/architecture/aws-professional/messaging

^ AWS service ^ Azure service ^
| Simple Queue Service (SQS) | QUEUE |
| Simple Notification Service (SNS) | Service Bus |
| Amazon EventBridge | Event Grid |
| Amazon Kinesis | Event Hubs |
| Amazon MQ | Service Bus |

==== Azure physical infrastructure ====

https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure

== Availability Zones ==

{{https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/availability-zones-c22f95a3.png}}

== Region pairs ==

  * Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.

{{https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/region-pairs-7c495a33.png}}

== Azure management infrastructure ==

{{https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure}}

== Azure resources and resource groups ==

  * Resource groups are simply **groupings of resources**.
  * When you create a resource, you’re **required to place it into a resource group**.
  * There aren’t hard rules about how you use resource groups, so consider how to set up your resource groups to maximize their usefulness for you.

{{https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/resource-group-eb2d7177.png}}

== Azure subscriptions ==

  * **Billing boundary**: This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates **separate billing reports** and invoices for each subscription so that you can organize and manage costs.
  * **Access control boundary**: Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have **different departments** to which you apply distinct Azure subscription policies. This billing model allows you to manage and control access to the resources that users provision with specific subscriptions.

{{https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/subscriptions-d415577b.png}}

== Azure management groups ==

  * You organize **subscriptions** into **containers called management groups** and apply governance conditions to the management groups.
  * All subscriptions within a management group automatically **inherit the conditions applied to the management group**, the same way that **resource groups inherit settings from subscriptions** and resources inherit from resource groups.

{{https://learn.microsoft.com/en-us/training/wwl-azure/describe-core-architectural-components-of-azure/media/management-groups-subscriptions-dfd5a108.png}}

  * E.g. you **could limit** VM locations to the **US West Region** in a group called **Production**.

==== ESXi ====

Bare Metal Hypervisor https://www.parallels.com/blogs/ras/vmware-esxi/

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/9sxwipcsYv.png}}

==== Virtual SAN (vSAN) ====

VMware vSAN is enterprise storage virtualization software that supports hyper-converged infrastructure (HCI). VMware vSAN pools local and direct-attached storage devices in a VMware vSphere cluster to create a single datastore that all hosts in a vSAN cluster share. VMware vSAN is integrated into the VMware hypervisor, ESXi.

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/D6HtMqS90L.png}}

=== vSphere ===

The vCenter Server is used to manage a vSphere infrastructure. It includes functions for creating, deleting or modifying virtual data centers.

==== Azure API Management ====

=== Policies ===

  * Intro https://www.svenmalvik.com/azure-apim-policies/
  * Example https://learn.microsoft.com/en-us/azure/api-management/api-management-policies

=== Evaluation order ===

Policies are **executed sequentially** based on their placement within the policy configuration.

==== Network ====

== public / private subnets ==

Comparison of AWS public / private subnets with Azure: https://devblogs.microsoft.com/premier-developer/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/QxvMzFbgxl.png}}

  * https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

{{https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/media/default-outbound-access/explicit-outbound-options.png}}

See "Default outbound access in Azure": https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

{{https://learn.microsoft.com/en-us/azure/load-balancer/media/load-balancer-overview/load-balancer.png}}

==== Azure Data Ops ====

1) Data Management Landing Zone:

{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-management-overview.png#lightbox}}

Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-management-landing-zone

2) Data Landing Zone:

{{https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/images/data-landing-zone-2.png#lightbox}}

Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-landing-zone

==== IAM and Role Based Access Control ====

See https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/6-role-based-access-control

{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/vKOYaMe0Ce.png}}

Azure Custom Roles:

  * https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-example

Built-in role definition (''Azure Service Bus Data Sender''):

<code json>
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
</code>

Custom role that allows assigning roles on Azure API Management:

<code json>
{
  "Name": "APIM Role Assignment Manager",
  "IsCustom": true,
  "Description": "Allows managing role assignments for Azure API Management",
  "Actions": [
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/*/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions//resourceGroups//providers/Microsoft.ApiManagement/service/"
  ]
}
</code>
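
Added example (not part of the original page and not Microsoft tooling): a small audit of the two role definitions above. It shows that the wildcards ''Microsoft.Authorization/*/write'' and ''Microsoft.Authorization/*/delete'' in the custom role match more than role assignments: they also cover role definitions, policy assignments and resource locks at the assigned scope. The list of operations checked, the case-insensitive wildcard matching and the ''NARROWED'' variant are assumptions of this example.

```python
import re

# Microsoft.Authorization operations that change who can do what at a scope.
SENSITIVE_OPS = {
    "Microsoft.Authorization/roleAssignments/write": "can grant roles (escalation path)",
    "Microsoft.Authorization/roleDefinitions/write": "can create or edit role definitions",
    "Microsoft.Authorization/policyAssignments/write": "can assign Azure Policy",
    "Microsoft.Authorization/policyAssignments/delete": "can remove Azure Policy assignments",
    "Microsoft.Authorization/locks/delete": "can remove resource locks",
}

def matches(pattern, operation):
    """'*' matches any run of characters; comparison is case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def permission_blocks(role):
    """Accept both layouts shown on this page: nested lowercase 'permissions'
    (built-in role) and top-level 'Actions'/'NotActions' (custom role)."""
    if "permissions" in role:
        return [(p.get("actions", []), p.get("notActions", [])) for p in role["permissions"]]
    return [(role.get("Actions", []), role.get("NotActions", []))]

def audit_role(role):
    """Return {sensitive operation: why it matters} for everything the role grants."""
    granted = {}
    for actions, not_actions in permission_blocks(role):
        for op, why in SENSITIVE_OPS.items():
            allowed = any(matches(a, op) for a in actions)
            excluded = any(matches(n, op) for n in not_actions)
            if allowed and not excluded:  # NotActions are subtracted from Actions
                granted[op] = why
    return granted

# Control-plane actions of the two roles on this page, plus a constructed narrower variant.
APIM_ROLE = {"Name": "APIM Role Assignment Manager", "IsCustom": True,
             "Actions": ["Microsoft.Authorization/*/write", "Microsoft.Authorization/*/delete"],
             "NotActions": []}
SB_SENDER = {"roleName": "Azure Service Bus Data Sender", "permissions": [{
    "actions": ["Microsoft.ServiceBus/*/queues/read", "Microsoft.ServiceBus/*/topics/read",
                "Microsoft.ServiceBus/*/topics/subscriptions/read"], "notActions": []}]}
NARROWED = dict(APIM_ROLE, Actions=["Microsoft.Authorization/roleAssignments/write",
                                    "Microsoft.Authorization/roleAssignments/delete"])

if __name__ == "__main__":
    for role in (APIM_ROLE, SB_SENDER, NARROWED):
        name = role.get("roleName") or role.get("Name")
        print(name, "->", sorted(audit_role(role)) or "no sensitive Authorization operations")
```

Listing only the ''roleAssignments'' operations, as in ''NARROWED'', keeps the role to what its description states; the wildcard form grants all five checked operations.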