Microsoft Azure Architecture Master Class - Infrastructure

Azure Infrastructure Architecture Introduction

Setting up your infrastructure in Azure can be very complex. The platform offers hundreds of services and you need to decide which ones are useful and how to implement them in the best possible way for your organization. A number of factors will drive your decision: cost, manageability, performance, security, scalability.

• Global Azure Infrastructure
• Deployment Solutions: SaaS, PaaS, IaaS
• Hybrid Cloud Solutions: Azure Stack, Stack Hub
• Architectural Building Blocks: Storage, Networking, Compute
• Design Influencers: Security, Cost, Performance, High Availability, ...
• LAB: Azure Infrastructure Architecture Introduction

Designing Subscriptions

As a company you will probably end up with multiple subscriptions and lots of resources. Structuring these Azure resources will be key to stay on top of it all.

• Tenants
• Management Groups
• Subscriptions
• Resource Groups
• Azure Lighthouse
• LAB: Designing Subscriptions

Resource Deployment

Azure resources can be deployed with lots of different methods: the Azure portal, scripts (PowerShell, Azure CLI), declarative methods (ARM templates, Terraform, Bicep). Choosing the right method for your organization can reduce the cost of managing and creating your infrastructure components.

• Scripting versus Declarative Approach
• Declarative Languages: ARM Templates, Terraform, Bicep
• Azure BluePrints
• Azure DevOps versus GitHub
• LAB: Resource Deployment

Choosing a Compute Solution

Hosting applications in the cloud can be done using various different compute options. Choosing the right solution in terms of cost, availability, ease of management is essential to provide a stable environment for your users.

• Virtual Machines
• Containers: Container Instances, Container Apps, AKS
• App Services: Web Apps, Azure Functions
• Compare Solutions: Cost, Security, Availability, Scalability
• LAB: Choosing a Compute Solution

Network Design

Designing a network in the cloud is very similar to implementing your on-prem network. The same choices need to be made, the same services need to be provisioned.

• IP Address Ranges
• Hub and Spoke Topology
• Azure Virtual WAN
• Network Routing: UDR versus BGP
• Firewall Solutions
• Hybrid Networking: VPN Gateways versus ExpressRoute
• LAB: Network Design

Name Resolution

To allow for easy communication between various application components both in the cloud and on-premisses, you need to design a name resolution strategy.

• Azure DNS Service
• Public DNS Zone
• Private DNS Zone
• Hybrid Name Resolution: Azure DNS Private Resolver
• LAB: Name Resolution

Design an Application Protection Strategy

Protecting your applications against a failure is an important part of your infrastructure setup. Azure provides different services to help you accomplish this goal. The choice you make will have a significant impact on the price of the solution and the recovery time of your application.

• Disaster Recovery, Business Continuity and High Availability Solutions
• Azure Backup Services
• Azure Recovery Services
• Choosing a Load Balancing Solution: Azure Load Balancer, Application Gateway, Traffic Manager, Front Door
• LAB: Design an Application Protection Strategy

VNet Integration Options for PaaS Solutions

By design, PaaS solutions have a public endpoint which makes them accessible over the Internet. This is not always the best implementation from security point of vue. Most PaaS services can be integrated with a VNet to limit public access.

• Service Endpoints
• Private Endpoints
• VNet Integration
• App Service Environment
• LAB: VNet Integration Options for PaaS Solutions

Security Architecture

To control access to the services in the Azure cloud, you need to carefully design an authorization strategy. Decide which resources users and services can access by implementing an RBAC mechanism. Consider where you are going to store your sensitive data and protect it accordingly.

• Role Based Access Control (RBAC)
• Options for Storing Sensitive Data
• Key Vault
• Managed Identities
• LAB: Security Architecture

Design for Identities

Azure AD is the center of everything that is related to authentication and authorization in the cloud. Azure AD supports various authentication mechanisms and protection services that can help you secure your identities better and protect against possible identity theft. Instead of this centralized system, Microsoft also supports decentralized identities with Verified IDs.

• Azure AD
• Hybrid Options: Azure AD Connect versus Azure AD Cloud Sync
• Sign In Options: MFA, Password-less Authentication
• Azure AD as Central Identity Service for all Applications
• Protection Features: Design Conditional Access Policies
• External Identities: Lifecycle Management
• Centralized versus Decentralized Identities: Verified IDs
• LAB: Design for Identities