# Cloud Computing

## NIST Cloud Computing Definition

- Definition
    - Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 
- Cloud Model
    - 5 essential characteristics
        - On-demand self-service
        - Broad network access
        - Resource pooling
        - Rapid elasticity
        - Measured service
    - 3 service models
        - SaaS
        - PaaS
        - IaaS
    - Reference point: On-Premise (every layer of the IT stack managed by the customer)
    - IT Stack
        - Application
        - Data
        - Runtime
        - Middleware
        - OS
        - Virtualization
        - Compute
        - Storage
        - Networking
        - Facility
    - 4 deployment models
      - Private Cloud
          - Single Tenant Implementation
      - Community Cloud
      - Hybrid Cloud
      - Public Cloud 
          - Multi-Tenant Implementation
          - Ownership: Service Provider
          - Access: Via Internet

## Overview

- Advantages of Cloud Computing
    - Capex shifts to Opex
    - Benefits from massive economies of scale
    - Stop guessing capacity/Provisioning on-demand
    - Increase speed of deployment and business agility
    - Stop spending on running and maintaining data centers
    - Go global in minutes
- Use Cases/Benefits of Cloud Computing
  - Cost
  - Business Agility
  - Reliability
  - Security
  
- Features/Functions
  - Elasticity
  - Scalability
    - Scale Out
    - Scale Up
  - Agility
  - Availability
    - HA
    - FT
    - DR
  - Security
  - Manageability
- Cloud Economics
  - Economies of Scale
  - CAPEX vs OPEX
    - Cost Effectiveness
  - Consumption Based Model

# Azure

## Core Services Overview

<img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/94214iF8738A37E3E44F77" width="800" height="600">

## Architecture

- [Azure Architecture Center](https://docs.microsoft.com/en-us/azure/architecture/)

<img src="Azure-ResourceView.png" width="750" height="600">

### Building Blocks

#### Compute

<img src="Azure-ComputeView.png" width="750" height="600">

- Computing Types
    - VMs
    - VMSS: VMs Scale Set
    - Batch
    - AKS: Azure Kubernetes Service
    - Service Fabric
    - App Service
        - Service Plan
            - Free/Shared/Basic/Standard/Premium/Isolated
    - Serverless Computing
        - Azure Functions
        - Azure Logic Apps
            - Triggers
            - Actions
        - Azure Event Grid
- Terms
    - ACU: Azure Compute Units
    - UD: Update Domain
    - FD: Fault Domain
    - AS: Availability Set
    - AZ: Availability Zone
    - VMSS: Scale Set

#### Storage

<img src="Azure-StorageView.png" width="750" height="600">

- Storage Account
    - GPv1 Account
    - Blob Account
    - GPv2 Account
- General Storage
    - Blob Storage
      - Storage Account
      - Container
      - Blob
        - Blob Snapshot
        - Metadata
        - Block blobs
        - Page blobs
        - Append blobs
    - File Storage
    - Table Storage
    - Queue Storage
- Disk Storage
    - Standard HDD
    - Standard SSD
    - Premium SSD
    - Ultra SSD
    
- VM Storage View
    - Image .VHD stored in page blob
    - OS Disk stored in page blob
    - Temporary disk stored on the local physical machine
    - Data Disk
      - HDD
      - SSD
        
- Replication
    - LRS: Locally Redundant Storage
    - ZRS: Zone-Redundant Storage
    - GRS: Geo-Redundant Storage
    - RA-GRS: Read-Access Geo-Redundant Storage

- Storage Access Tiers
    - Premium
    - Hot
    - Cool
    - Archive
- Data Transfer 
  - Azure File Sync
  - Azure Import/Export
  - RoboCopy
  - AzCopy

- Data Protection
    - Storage Firewall
    - Storage Encryption
    - Azure Backup 
    - Azure Site Recovery

#### Networking

<img src="Azure-NetworkingView.png" width="750" height="600">

- VNet
  - Capability
    - Isolated
      - Open for Traffic by default
      - IP Segmentation
      - DNS Management
    - Internet Access
      - VPN connection
    - Chainable
      - VNet Peering
    - Traffic Routing
    - Traffic Filtering
    - Security Policy Management

- IP Addresses
    - Public
    - Private
        - Dynamic: DHCP
        - Static

- Subnet
    - Capability
        - NSG config
        - Route Table config

- Network Interfaces

- DNS

- NSG: Network Security Group
    - as a Network Filter
    - Capability
        - In-bound Rule
        - Out-bound Rule
        - NIC config
        - Subnet Attach

- Routing
    - Azure Route Table

- VPN
    - S2S: Site-to-Site
        - IPSec VPN with VPN Gateway
        - M2S: Multi-Site-to-Site
    - ExpressRoute
        - CloudExchange Colocation
        - P2P: Point-to-Point Ethernet Connection
        - A2A: Any-to-Any (IPVPN) Connection
    - P2S: Point-to-Site
        - Personal/Workstation VPN
    - VNet Peering
   
- LB
    - L7 LB/HTTP/WAF
        - Azure App Gateway
    - Global L7 DNS LB
        - Azure Traffic Manager
            - DNS based
    - L4 LB
        - Azure Load Balancer
            - IP:Port Hash
            - IP Affinity
            - Port
        - Types
            - Public-facing LB
            - Internal LB

        
- FW
    - Azure Firewall
    - Storage Firewall

- DDOS
    - Azure DDoS Protection
    
- Network Management
    - Azure Network Watcher
- CDN
    - Dynamic site acceleration
    - HTTPS support
    - Query string caching
    - Geo-filtering
    - Azure diagnostics logs

- NVA: Network Virtual Appliance
    - Azure Firewall
    
- Service Endpoints
    - Security ACL point
    
- HA Architecture Design
    - Components
        - Azure Availability Set
        - Traffic Manager
        - LBs(L4)
        - Application Gateway(L7)

- Terms
    - System Route
    - UDR: User Defined Route

#### Web+Mobile

<img src="Azure-AppView.png" width="750" height="600">

- App Service Plan
  - Shared compute
      - Free and Shared
  - Dedicated compute
      - Basic, Standard, Premium, and PremiumV2
  - Isolated
  
- Dev Platforms
  - ASP.NET
  - Nodejs
  - Python
  - PHP

- Terms
    - Deployment Slot

#### Databases

#### Analytics

#### Enterprise Integration

#### Security

- Azure AD
    - Enterprise Identity Management
        - User
        - Group
    - SSO
    - MFA
    - Self-Service
- Azure AD DS
- Windows Server AD DS
- Azure PIM: Privileged Identity Management

#### AI+ML

#### IoT

### Topology

- View
    - Functional View Hierarchy
    - Business View Hierarchy
    - Geographic View Hierarchy

#### Physical Hierarchy

- Geography
    - Groups of Region
- Region
    - Groups of DCs
    - Low Latency Networking
    - Multi-Regions
      - Active-Passive
      - Active-Active
- AZ: Availability Zone
    - one or more DCs
    - Multi-AZs
      - HA design for some Services
- AS:  Availability Set
    - Isolation Boundary
- FD: Fault Domain
    - Physical Boundary
- UD: Update Domain
    - Logical Boundary

#### Account  Hierarchy

- Azure Enterprise
- Departments
- Accounts
- Azure Subscriptions

#### Resources Hierarchy

- Resources Hierarchy
  - Management Group
    - Azure Enterprise
    - Departments
    - Accounts
  - Azure Subscriptions
  - Resource Groups
    - resources share the same lifecycle
    - resources share the same administrative boundary
      - Metering and Billing
      - Monitoring and Alarm
      - Apply Policies
        - Quota
        - ACL
    - can span regions
  - Resources

- ARM: Azure Resource Manager
  - Deployment and Management 
    - CRUD: Create, Read, Update, Delete
    - Access Control, Tagging, Auditing
    - Declarative Template Deployment
  - RBAC

### Availability and Continuity

- Redundancies
  - Data Center Level
  - Availability Zone Level
  - Region Level
- HA Design
  - Availability Set
      - Update Domain
      - Fault Domain
  - Availability Zone
  - Scale Set
- FT Design
- DR Design
- SLA Management

- Azure Backup
    - File and Folder
    - Workloads: SQL Server/Sharepoint/Exchange
    - System States
    - Baremetal
    - VMs
        - Azure VM
        - Linux/Windows System
        - Hyper-V/VMware VMs
- Azure Site Recovery

### Security

<img src="Azure-SecurityView.png" width="750" height="600">

#### Security Management

- CIA Model
    - Confidentiality
    - Integrity
    - Availability
    
- Security Layered Model
    - Physical Security
    - Identity and Access
    - Perimeter
    - Network
    - Compute
    - Application
    - Data
    
- Shared Responsibility Model

- Physical Security
    - Vendor Responsibility
- Identity and Access
    - Identity Management
    - 3A
        - Authentication
        - Authorization
        - Auditing
    - AC
        - RBAC
        - PBAC
- Perimeter
    - DDoS
    - IPS
    - IDS
    - FW
- Networking Security
    - Azure Network Security Group
    - Azure Firewall
    - Azure DDoS Protection

- Compute Security
    - System
        - VM OS
- Application Security
    - Software
    
- Data Security
    - Data at Rest
        - Storage Security
            - management plane security
                - RBAC with Azure AD
            - data plane security
            - encryption in transit
            - encryption at rest
            - CORS: Cross Origin Resource Sharing
        - Database Service Encryption, Auditing
            - TDE: Transparent Data Encryption
                - DEK: Database Encryption Key
                - AE: Always Encrypted
                    - CMK: Column Master Key
                    - CEK: Column Encryption Key
    - Data in Transit
        - SSL 3.0 (deprecated and insecure; listed for completeness only)
        - TLS 1.2
    - Data in Processing
        - Confidential Computing
            - TEE: Trusted Execution Environments
    - Regulation/Laws
        - GDPR
        - ISO 27001
        - NIST
    - Information Security
        - AIP: Azure Information Protection


- IAM
  - Azure AD
  - Azure MFA
  
- System Security
    - ATP: Azure Advanced Threat Protection

- Azure Key Vault
    - Secrets Management
    - Key Management
    - Certificate Management
    
- Azure Security Center
- Azure Service Trust Portal
- Azure Trust Center
- Microsoft Compliance Manager
- Blueprints

#### Identity Management

<img src="Azure-Security-AD.png" width="750" height="600">

- Account Hierarchy
  - Azure Enterprise
  - Departments
  - Accounts
  - Subscriptions
  - Resource Groups
  - Resources
- Authentication and Authorization
  - Authentication: Who you are
      - Security Token
  - Authorization: What you can do
      - Token with Claim
  - Azure Identity and Access Management

- Azure AD
    - Azure AD Features
        - Enterprise Identity Solution
        - SSO
        - MFA
        - Self-Service        
    - Azure Enterprise Identity
        - Identity Types in AD
          - User
          - Device
          - Group
          - Managed Identity
            - User-assigned
            - System-assigned
        - Identities
          - Cloud Identity
          - Synchronized Identity
          - Federated Identity
        - Authentication
            - PHS: Password Hash Synchronization
            - PTA: Pass-through Authentication
            - CBA: Certificate Based Authentication
        - Azure B2B
        - Azure B2C
- Azure PIM: Privileged Identity Management
- Azure AD Connect
    - Components
        - DirSync
            - Filtering
            - Password Hash
            - Password Writeback
            - Device Writeback
            - Deletion Prevention
            - Automatic Upgrade
        - AD FS
        - Health Monitor
- Azure MFA
    - You Are
    - You Know
    - You Have
- Azure AD DS
    - managed domain service
- AD DS
    - on-premises


##### RBAC: Role Based Access Control

<img src="Azure-Security-RBAC.png" width="750" height="600">

- Building Blocks
    - Security Principal
      - User
      - Group
      - Managed Identity
      - Service Principal
        - A security identity used by applications or services to access specific Azure resources
    - Scope
      - the set of resources that the access applies to
    - Role Definition
      - lists the operations that can be performed, such as read, write, and delete
- Mapping relationships
    - role-permissions
    - user-role
    - role-role
- Authorization
    - Role Assignment
    - Role Authorization
    - Transaction Authorization
- coarse-grained access control
- [RBAC for Azure resources](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview)
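As an added example (not code from these notes or from Azure itself), a small Python model of the building blocks above: a security principal, a role definition listing allowed operations, and a role assignment binding both to a scope. The model assumes that scopes are slash-separated resource paths, that an assignment at a parent scope (e.g. a subscription) is inherited by every resource group and resource beneath it, and that group membership is supplied as a dict; every principal, role and path in it is constructed.

```python
# Added example: toy evaluation of Azure RBAC role assignments.
# Assumptions (not Azure's implementation): scopes are '/'-separated resource
# paths, an assignment is inherited by every scope beneath the one it was made
# at, and group membership is a plain dict. All sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: frozenset        # operations the role allows (read/write/delete)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str            # user, group, managed identity or service principal
    role: RoleDefinition
    scope: str                # e.g. "/subscriptions/sub1/resourceGroups/rg-app"


def scope_covers(assigned: str, requested: str) -> bool:
    """True when the requested scope is the assigned scope or lies beneath it.
    The trailing '/' stops '/.../rg-app' from matching the unrelated '/.../rg-app2'."""
    return requested == assigned or requested.startswith(assigned.rstrip("/") + "/")


def effective_actions(principal, groups, assignments, scope):
    """Union of allowed operations from the principal's own and its groups' assignments."""
    identities = {principal} | set(groups.get(principal, ()))
    allowed = set()
    for a in assignments:
        if a.principal in identities and scope_covers(a.scope, scope):
            allowed |= a.role.actions
    return allowed


def is_authorized(principal, groups, assignments, scope, action):
    return action in effective_actions(principal, groups, assignments, scope)


# Constructed sample: two built-in-style roles, one group, three assignments.
READER = RoleDefinition("Reader", frozenset({"read"}))
CONTRIBUTOR = RoleDefinition("Contributor", frozenset({"read", "write", "delete"}))
GROUPS = {"alice": {"dev-team"}}             # alice inherits dev-team's assignments
SUB = "/subscriptions/sub1"
RG_APP, RG_DB = SUB + "/resourceGroups/rg-app", SUB + "/resourceGroups/rg-db"
WEB1 = RG_APP + "/providers/Microsoft.Web/sites/web1"
ASSIGNMENTS = [
    RoleAssignment("dev-team", READER, SUB),          # inherited by every RG and resource
    RoleAssignment("alice", CONTRIBUTOR, RG_APP),     # extra rights inside rg-app only
    RoleAssignment("svc-deploy", CONTRIBUTOR, WEB1),  # service principal on one resource
]
```

Because RBAC is coarse-grained, the check answers only "may this principal perform this operation at this scope"; it says nothing about which rows or blobs inside the resource are touched, which is where data-plane controls take over.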

##### PBAC: Policy Based Access Control

- Azure Policies
  - Definition
  - Assignment

#### Governance and Compliance

- Azure Advisor

- Azure Initiative
  - Group of Policies
  
- Azure Resource Manager
  
- ABAC: Attribute Based Access Control
  - User attributes
  - Environmental attributes
  - Resource attributes
  - Boolean Operation
- PBAC: Policy Based Access Control
    - Azure Policy
      - workflow
        - Create
        - Assign
        - Evaluate
        - Remediate

##### Azure Security Center

<img src="Azure-Security-SecurityCenter.png" width="750" height="600">

### Operation and Management

#### Charging

- Azure Cost Management
    - Account
    - Cost Factors
    - Billing Zone
    - TCO Calculator

#### Deployment, Configuration and Automation

- Deploy
    - ARM Template (Infra as Code)
        - parameters
        - variables
        - resources
        - outputs
    - Powershell Script
- Config Extensions
    - Powershell DSC
    - Custom Script Extension
    - Puppet Extension
- Automation
    - Runbook

#### Monitor and Visualize Metrics

#### Query and Analyze Logs

#### Setup and Alert Actions

## DevOps

### DevOps Tools

- Azure Management Tools
    - Azure Portal
        - Azure Cloud Shell
        - Azure Quickstart Template
    - Azure CLI
    - Azure PowerShell
        - `Install-Module -Name Az -AllowClobber -Scope CurrentUser`
        - `Connect-AzAccount`
    - Azure REST API
    - Azure Resource Manager Template
    - Azure Advisor
  
- Other Tools
    - Azure Storage Explorer



### Design

- Microservice
  - Functional Decomposition
  - Horizontal Scaling
  - Data Decoupling
  - Containerization
- Serverless Computing
  - Azure Functions
  - Logic Apps
    - Trigger-Action Paradigm
- Data Services
  - Event Grid
      - Event Driven Message Service

### Dev

### Ops

- VM

## Data Science

### Data Services

<img src="Azure-DS-DataView.png" width="750" height="600">

- Data Factory

### Big Data

<img src="Azure-DS-BigDataView.png" width="750" height="600">

#### Flow

- Data Explore
  - Ingestion
    - Data Pull
    - Batching
    - Validation
    - Data Manipulation
    - Committing
  - Analysis
    - Filtering
    - Modeling
    - Testing
    - Updating
- Data Store
- Data Prepare and Training
- Data Modeling and Serve
- Data Visualization and Present

### IoT

<img src="Azure-DS-IOTView.png" width="750" height="600">

## Terms

- Availability
  - Region
    - Region Pair
  - Zone
  - Set
  - Fault Domain
  - Update Domain
- Resource Group
- SKU: Stock Keeping Unit
  - Represents a purchasable Stock Keeping Unit (SKU) under a product. These represent the different shapes of the product.
- DTU: Database Transaction Unit
  - DTUs provide a way to describe the relative capacity of a performance level of Basic, Standard, and Premium databases. DTUs are based on a blended measure of CPU, memory, reads, and writes.
- TDS

# END