To execute console commands do

# login
az login

az account set --subscription a1a96cc4-4aa4-4c58-a53d-808b88bb4fb4

az account tenant list
az account show


# logout
az account clear

Intro https://learn.microsoft.com/en-us/azure/architecture/aws-professional/messaging

https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure

• Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.

6-describe-azure-management-infrastructure

• Resource groups are simply groupings of resources.
• When you create a resource, you’re required to place it into a resource group.
• There aren’t hard rules about how you use resource groups, so consider how to set up your resource groups to maximize their usefulness for you

• Billing boundary: This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
• Access control boundary: Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have different departments to which you apply distinct Azure subscription policies. This billing model allows you to manage and control access to the resources that users provision with specific subscriptions.

• You organize subscriptions into containers called management groups and apply governance conditions to the management groups.
• All subscriptions within a management group automatically inherit the conditions applied to the management group,
  • the same way that resource groups inherit settings from subscriptions and
  • resources inherit from resource groups.

• E.g. You could limit VM locations to the US West Region in a group called Production.

Bare Metal Hypervisor

https://www.parallels.com/blogs/ras/vmware-esxi/

VMware vSAN ist eine Storage-Virtualisierungssoftware für Unternehmen, die Hyper-Converged Infrastructure (HCI) unterstützt.

VMware vSAN fasst lokale und direkt angeschlossene Datenspeichergeräte in einem VMware vSphere-Cluster zusammen, um einen einzigen Datenspeicher zu erstellen, den alle Hosts in einem vSAN-Cluster gemeinsam nutzen. VMware vSAN ist in den VMware-Hypervisor, ESXi, integriert.

Der vCenter Server dient der Verwaltung einer vSphere-Infrastruktur. Er umfasst Funktionen zum Erzeugen, Löschen oder Ändern von virtuellen Data Centern

• Intro https://www.svenmalvik.com/azure-apim-policies/
• Example https://learn.microsoft.com/en-us/azure/api-management/api-management-policies

Policies are executed sequentially based on their placement within the policy configuration.

Comparison of AWS public / private subnets with Azure: https://devblogs.microsoft.com/premier-developer/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/

• https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

see Default outbound access in Azure https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

Data Management Landing Zone:

Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-management-landing-zone

2) Data Landing Zone:

Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/architectures/data-landing-zone

see https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/6-role-based-access-control

Azure Custom Roles:

• https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#custom-role-example

IAM and Role Based Access Control

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Custom role, which allows to assign roles to Azure API Managers.

{
  "Name": "APIM Role Assignment Manager",
  "IsCustom": true,
  "Description": "Allows managing role assignments for Azure API Management",
  "Actions": [
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/*/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ApiManagement/service/<apim-service-name>"
  ]
}