Exam Ref AZ-304 Microsoft Azure Architect Design Certification and Beyond
Design secure and reliable solutions for the real world in Microsoft Azure

Author: Brett Hargreaves
Published in Jul 2021 by Packt (Paperback, 1st Edition, 520 pages)
ISBN-13 9781800566934

Understanding infrastructure and platform services

One of the big differences between IaaS and PaaS is how responsibility for the individual components shifts between you and the cloud provider.

The simplest examples of this are websites and Structured Query Language (SQL) databases. Before we look at IaaS, let's consider an on-premises implementation.

When hosted in your own data center, you might have a server running IIS, upon which your website is hosted, and a database server running SQL. In this traditional scenario, you own full responsibility for the hardware, Basic Input/Output System (BIOS) updates, operating system (OS) patching, security updates, resilience, inbound and outbound traffic—often via a centralized firewall—and all physical security.

IaaS

The first step in migrating to the cloud might be a lift-and-shift approach using virtual networks (VNETs) and VMs—again, running IIS and SQL. Because you are now running in Microsoft's data centers, you no longer need to worry about the physical aspects of the underlying hardware.

Microsoft ensures their data centers have all the necessary physical security systems, including personnel, monitoring, and access processes. They also worry about hardware maintenance and BIOS updates, as well as the resilience of the underlying hypervisor layer that all the VMs run on.

You must still, however, maintain the software and operating systems of those VMs. You need to ensure they are patched regularly with the latest security and improvement updates. You must architect your solution to provide application-level resilience, perhaps by building your SQL database as a failover cluster over multiple VMs; similarly, your web application may be load-balanced across a farm of IIS servers.

Microsoft maintains network access in general, through its networking and firewall hardware. However, you are still responsible for configuring certain aspects to ensure only the correct ports are open to valid sources and destinations.

A typical example of this split in responsibility is around access to an application. Microsoft ensures protection around the general Azure infrastructure, but it provides the relevant tools and options to allow you to set which ports are exposed from your platform. Through the use of network security groups (NSGs) and firewall appliances, you define source and destination firewall rules just as you would with a physical firewall device in your data center. If you misconfigure a rule, you're still open to attack—and that's your responsibility.
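To make the NSG point concrete, here is an added example in Bicep (it is not code from the book): the single rule that would expose a VM's RDP port to the whole Internet, shown as a comment beside the rule set that restricts access to HTTPS and to a named administrative range. The resource names, the 10.0.0.0/16 address space, the web subnet range and the adminSourceCidr parameter are constructed assumptions.

```bicep
// Added example, not from the book. Names and address ranges are constructed.
param location string = resourceGroup().location

// Constructed assumption: the range your administrators connect from.
param adminSourceCidr string = '203.0.113.0/24'

/*
  The weak version. A single rule like this is evaluated before every platform
  default rule (priority 100 beats DenyAllInBound at 65500), and Microsoft's
  protection of the Azure infrastructure does nothing to stop it: the rule is
  yours, so the exposure is yours.

      {
        name: 'allow-rdp-from-anywhere'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'      // any source, Internet included
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3389'
        }
      }
*/

// The corrected rule set. Rules are evaluated lowest priority number first and
// the first match wins, so order and scope both matter.
resource nsgWeb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web'
  location: location
  properties: {
    securityRules: [
      {
        // Public traffic: HTTPS only, and only to the web subnet.
        name: 'allow-https-from-internet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'        // service tag rather than '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.1.0/24' // constructed web subnet
          destinationPortRange: '443'
        }
      }
      {
        // Management: RDP only from the named administrative range.
        name: 'allow-rdp-from-admin-range'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourceCidr
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.1.0/24'
          destinationPortRange: '3389'
        }
      }
      {
        // Explicit deny for all other Internet traffic, placed well ahead of the
        // platform default DenyAllInBound (65500) so that an Allow rule added
        // later with a higher priority number cannot quietly reopen the subnet.
        name: 'deny-all-other-inbound-from-internet'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Attach the NSG at the subnet so the rules apply to every NIC placed in it.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-web'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: { id: nsgWeb.id }
        }
      }
    ]
  }
}
```

The explicit deny at priority 4000 is the detail worth copying: without it, any Allow rule a colleague adds later with a priority number below 65500 is matched before the platform default deny, which is exactly how the commented-out rule above becomes live in practice.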

PaaS

As we move toward PaaS, accountability shifts again. With Azure SQL databases and Azure web apps, Microsoft takes full responsibility for ensuring all OS-level patches are applied; it ensures the platforms that run Azure SQL databases and Azure web apps are resilient against hardware failure.

Your focus now moves to the configuration of these services. Again, for many services, this includes setting the appropriate firewalls. However, depending on your corporate governance rules, this needs to be well planned.

By default, communications from a web app to a backend Azure SQL database are over the public network. Although it is, of course, contained within Microsoft's network, it is technically open. To provide more secure connectivity, Azure provides the option to use service connections—direct communication over its internal backbone—but this needs to be specifically configured at the web app, the SQL service, and the VNET level.
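The three-sided configuration described above, as an added Bicep example (not code from the book). It assumes that the "service connection over the internal backbone" the text refers to is a VNet service endpoint for Microsoft.Sql, which is one of the Azure features that provide that behaviour; the resource names, the subnet range and the sqlAdminPassword parameter are constructed assumptions.

```bicep
// Added example, not from the book. Names and ranges are constructed.
param location string = resourceGroup().location

@secure()
param sqlAdminPassword string   // constructed parameter; supply at deploy time

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
  }
}

// VNET side: the subnet the web app will join.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-webapp'
  properties: {
    addressPrefix: '10.0.2.0/24'
    // Service endpoint: SQL traffic from this subnet stays on the Azure backbone
    // and carries the subnet identity that the SQL firewall can match on.
    serviceEndpoints: [ { service: 'Microsoft.Sql' } ]
    // Regional VNet integration for App Service requires a delegated subnet.
    delegations: [
      { name: 'appservice', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-app'
  location: location
  sku: { name: 'S1', tier: 'Standard' }   // VNet integration needs Basic or above
}

// Web app side: join the subnet and send all outbound traffic through it.
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-frontend-example'   // constructed; must be globally unique
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    virtualNetworkSubnetId: appSubnet.id
    siteConfig: {
      // Without this, only RFC 1918 destinations are routed into the VNET and
      // the SQL connection would still leave over the public path.
      vnetRouteAllEnabled: true
      minTlsVersion: '1.2'
    }
  }
}

// SQL side: service endpoints still target the server's public endpoint, so
// public network access stays Enabled; what changes is who the firewall admits.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-backend-example'   // constructed; must be globally unique
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
  }
}

// Admit only the web app's subnet. Deliberately absent is the 0.0.0.0 to
// 0.0.0.0 "AllowAllWindowsAzureIps" firewall rule, which admits resources from
// any Azure tenant, not just yours.
resource sqlVnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2021-11-01' = {
  parent: sqlServer
  name: 'allow-webapp-subnet'
  properties: {
    virtualNetworkSubnetId: appSubnet.id
    ignoreMissingVnetServiceEndpoint: false   // fail loudly if the endpoint is missing
  }
}
```

The point to check after deployment is the SQL server's firewall: if it contains the "Allow Azure services and resources to access this server" rule, the virtual network rule above is not the only way in, and the governance planning the text calls for has been undone at the portal.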

As the methods of those who wish to circumvent these systems become increasingly sophisticated, further controls are required. For web applications, the use of a Web Application Firewall (WAF) is an essential part of this—as the architect, you must ensure they are included in your designs and configured correctly; they are not included by default.
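Because a WAF is not present by default, it has to appear explicitly in the design. The following is an added Bicep example (not code from the book) of a WAF policy for Azure Application Gateway that enforces the OWASP core rule set in Prevention mode; the policy name is a constructed assumption, and the gateway it attaches to is described only in the trailing comment.

```bicep
// Added example, not from the book. The policy name is constructed.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-frontend'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      // 'Detection' only logs matches and lets the request through; a design
      // that stops at Detection has a WAF in name only.
      mode: 'Prevention'
      requestBodyCheck: true          // inspect POST bodies, not just headers and URIs
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 10
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
    }
  }
}

// The policy does nothing until it is attached. On the Application Gateway
// resource the SKU must be 'WAF_v2' and the policy is referenced with:
//
//   firewallPolicy: { id: wafPolicy.id }
//
// A 'Standard_v2' gateway accepts no policy at all, which is the usual way a
// design ends up with no WAF despite one being drawn on the diagram.
```

Start in Prevention mode in a non-production environment and review the WAF logs before going live; the rule set will block some legitimate requests (large JSON bodies and certain query strings are common), and each such case should become a scoped exclusion in the policy rather than a switch back to Detection.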

Important note

Even though Microsoft spends billions of dollars a year on securing the Azure platform, unless you carefully architect your solutions, you are still vulnerable to attack. Making an incorrect assumption about where your responsibility lies leads to designing systems that are exposed—remember, many cloud platforms' networking is open by default; it has to be, and you need to ensure you fully understand where the lines are drawn.

Throughout this chapter, we have covered how changing technologies have significantly impacted how we design and build solutions; however, so far, the discussion has been around the technical implementation.

As software and infrastructure become closely aligned, teams implementing solutions have started to utilize the same tools as developers, which has changed the way projects are managed.

This doesn't just affect the day-to-day life of an architect; it has yet another impact on the way we design those solutions as well.
