[The content of this public account is for learning and exchange only. If any text or images used in this article infringe on rights, please email Yu-Guo@outlook.com to ask 餘果Hugo to remove them; emails for learning and exchange can also be sent to that address.]
This article is mainly compiled from the Microsoft Certification Exam Center [https://www.microsoft.com/zh-cn/learning/exam-az-900.aspx]
6. Core Cloud Services -Azure networking options
§ Introduction
§ Deploy your site to Azure
loosely coupled architectures
A loosely coupled system is typically a message-based system in which the client and the remote service do not know how the other is implemented. Communication between the client and the service is governed by the message schema. As long as messages conform to the agreed schema, the implementation of the client or the service can be changed as needed without fear of breaking the other side. Loosely coupled communication mechanisms offer many advantages that tightly coupled mechanisms lack, and they help reduce the dependencies between the client and the remote service. However, tight coupling usually offers performance benefits and allows closer integration between the client and the service.
An architectural pattern that can be used to build loosely coupled systems is N-tier. An N-tier architecture divides an application into two or more logical tiers. Architecturally, a higher tier can access services from a lower tier, but a lower tier should never access a higher tier.
· The web tier provides the web interface.
· The application tier runs business logic.
· The data tier includes databases and other storage that hold product information and customer orders.
What's a virtual network?
A virtual network is a logically isolated network on Azure. A virtual network is scoped to a single region; however, multiple virtual networks from different regions can be connected together using virtual network peering. Virtual networks can be segmented into one or more subnets; VMs can be in the same virtual network but in separate subnets.
user interaction -->public IP address
internal interaction--> private IP address
VPN gateway / Virtual Network gateway: connects an Azure Virtual Network to an on-premises location over the internet
What's a network security group? (NSG - a cloud-level firewall)
A network security group, or NSG, allows or denies inbound network traffic to your Azure resources.
§ Scale with Azure Load Balancer
· What are availability and high availability?
Availability refers to how long your service is up and running without interruption. High availability, or highly available, refers to a service that's up and running for a long period of time.
· What is resiliency?
Resiliency refers to a system's ability to stay operational during abnormal conditions.
· What is a load balancer?
A load balancer distributes traffic evenly among the systems in a pool. A load balancer can help you achieve both high availability and resiliency: it directs traffic only to servers that are responsive.
· What is Azure Load Balancer?
Azure Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.
· Azure Application Gateway (for HTTP traffic)
Azure Application Gateway is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.
This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.
Here are some of the benefits of using Azure Application Gateway over a simple load balancer:
Cookie affinity. Useful when you want to keep a user session on the same backend server.
(A cookie is data that a website stores on the user's local device.)
SSL termination. Application Gateway can manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption / decryption overhead. It also supports full end-to-end encryption for applications that require that.
Web application firewall(WAF). Application gateway supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.
URL rule-based routes. Application Gateway allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network.
Rewrite HTTP headers. You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.
CDN: A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. It is a way to get content to users in their local region to minimize latency.
· Azure DNS
DNS, or Domain Name System, is a way to map user-friendly names to their IP addresses. You can think of DNS as the phonebook of the internet.
(e.g., contoso.com --> 40.65.106.192)
§ Reduce latency with Azure Traffic Manager
· What is network latency?
Latency refers to the time it takes for data to travel over the network. Latency is typically measured in milliseconds.
Compare latency to bandwidth. Bandwidth refers to the amount of data that can fit on the connection. Latency refers to the time it takes for that data to reach its destination.
· Use Traffic Manager to route users to the closest endpoint
Azure Traffic Manager uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint.
· Compare Load Balancer to Traffic Manager
Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient.
Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that's closest to your user.
7. Security, responsibility and trust in Azure
§ Introduction
§ Cloud security is a shared responsibility
· Share security responsibility with Azure
· A layered approach to security
Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Defense in depth can be visualized as a set of concentric rings, with the data to be secured at the center. Each ring adds an additional layer of security around the data.
Data
Application
Compute
Networking
Perimeter: distributed denial of service (DDoS) protection, perimeter firewalls
Identity and access
Physical security
§ Get tips from Azure Security Center
· Available tiers
free / standard
· Usage scenarios
Use Security Center for incident response
Use Security Center recommendations to enhance security (security policy)
To upgrade a subscription to the Standard tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.
§ Identity and access
· Authentication and authorization
Authentication (AuthN) is the process of establishing the identity of a person or service looking to access a resource.
Authorization (AuthZ) is the process of establishing what level of access an authenticated person or service has.
Azure provides services to manage both authentication and authorization through Azure Active Directory (Azure AD).
· What is Azure Active Directory?
Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory, or it can be used stand-alone.
Azure AD provides services such as:
Authentication: self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services
Single-Sign-On (SSO): only one ID and one password to access multiple applications
Application management: Azure AD Application Proxy, SSO, the My apps portal (Access panel), and SaaS apps
B2B identity services
Device Management
· Multi-factor authentication
free of charge to any user who has the Global Administrator role in Azure AD
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories: Something you know, Something you possess, Something you are.
Something you know would be a password or the answer to a security question. Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
· Providing identities to services
Service principals: A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
Managed identities for Azure services: A managed identity can be instantly created for any Azure service that supports it—and the list is constantly growing. When you create a managed identity for a service, you are creating an account on your organization's Active Directory (a specific organization's Active Directory instance is known as an "Active Directory Tenant").
· Role-based access control (RBAC)
· Privileged Identity Management (PIM)
§ Encryption
· What is encryption?
There are two top-level types of encryption: symmetric and asymmetric.
Symmetric encryption uses the same key to encrypt and decrypt the data.
Asymmetric encryption uses a public key and private key pair. It is used for Transport Layer Security (TLS), which HTTPS relies on, and for data signing.
· Encryption at rest
Data at rest is the data that has been stored on a physical medium.
· Encryption in transit
Data in transit is the data actively moving from one location to another, such as across the Internet or through a private network.
· Encryption on Azure
· Encrypt raw storage
Azure Storage Service Encryption: With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval.
· Encrypt virtual machine disks
Azure Disk Encryption: Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks.
(BitLocker feature of Windows / dm-crypt feature of Linux --> volume encryption for the OS and data disks)
(Azure Key Vault --> control and manage the disk encryption keys and secrets)
· Encrypt databases
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. By default, TDE is enabled for all newly deployed Azure SQL Database instances.
· Encrypt secrets
Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. (Used for storing encryption keys and passwords.)
§ Protect your network
· A layered approach to network security
What is a Firewall?
A firewall is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server.
(firewall rules -->specific network protocol and port information)
· Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
· Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is specifically designed to protect HTTP traffic.
· Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.
Stopping Distributed Denial of Service (DDoS) attacks
DDoS attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.
· Azure DDoS Protection identifies the attacker's attempt to overwhelm the network and blocks further traffic from reaching Azure services. Legitimate traffic from customers still flows into Azure without any interruption of service.
Azure DDoS Protection provides the following service tiers:
Basic: automatically enabled
Standard: specifically to Microsoft Azure Virtual Network resources --> mitigate volumetric /protocol / resource (application) layer attacks
· Controlling the traffic inside your virtual network
Virtual network (VNet) security
Network Security Groups (NSGs) allow you to filter network traffic to and from Azure resources in an Azure virtual network.
(service endpoints --> limit Azure service access to Vnet)
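An added illustration of how NSG rules decide an inbound flow (example code written for these notes, not Azure's implementation): rules are tried in ascending priority order, the first match wins, Azure's default rules sit behind yours at priorities 65000-65500, and for inbound traffic both the subnet NSG and the NIC NSG must allow the flow. The address ranges behind the service tags, the rule names and the sample addresses are constructed.

```python
"""How a network security group (NSG) decides whether to admit an inbound flow:
rules are evaluated in ascending priority order (lowest number first), the first
match wins, and Azure's default rules at priorities 65000-65500 sit behind yours.
Inbound traffic also has to pass the subnet NSG and then the NIC NSG.
Example code written for these notes, not Azure's implementation; the address
ranges behind the service tags are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the real service-tag address lists (assumption).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # user rules 100-4096; lower number = evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp" or "*"
    source: str = "*"      # CIDR prefix, service tag ("Internet", ...) or "*"
    dest_port: str = "*"   # "22", "80-443" or "*"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int

# Azure adds these to every NSG; they cannot be removed, only overridden by
# a user rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", source="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
]

def _in_tag(tag: str, ip: str) -> bool:
    return any(ip_address(ip) in ip_network(p) for p in SERVICE_TAGS[tag])

def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    if rule_source == "Internet":   # simplified: anything outside the VNet
        return not _in_tag("VirtualNetwork", src_ip)
    if rule_source in SERVICE_TAGS:
        return _in_tag(rule_source, src_ip)
    return ip_address(src_ip) in ip_network(rule_source)

def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules: list, flow: Flow) -> tuple:
    """Return (access, rule name) for the first rule that matches, by priority."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        proto_ok = rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower()
        if (proto_ok and _source_matches(rule.source, flow.src_ip)
                and _port_matches(rule.dest_port, flow.dest_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

def admitted(subnet_rules: list, nic_rules: list, flow: Flow) -> bool:
    """Inbound traffic must be allowed by the subnet NSG and then by the NIC NSG."""
    return all(evaluate(r, flow)[0] == "Allow" for r in (subnet_rules, nic_rules))

# Constructed sample: the subnet NSG exposes HTTPS and refuses SSH from the
# Internet; the NIC NSG only admits HTTPS from anywhere (plus the defaults).
SUBNET_RULES = [
    Rule("AllowHTTPSInBound", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("DenySSHFromInternet", 200, "Deny", "Tcp", "Internet", "22"),
]
NIC_RULES = [Rule("AllowHTTPSOnly", 100, "Allow", "Tcp", "*", "443")]

if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "Tcp", 443), Flow("203.0.113.5", "Tcp", 22),
              Flow("10.0.1.7", "Tcp", 22), Flow("203.0.113.5", "Udp", 53)):
        print(f, evaluate(SUBNET_RULES, f), admitted(SUBNET_RULES, NIC_RULES, f))
```

Note that a flow with no matching user rule still ends at a default rule, so SSH from inside the VNet is admitted by AllowVnetInBound even though SSH from the Internet is denied.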
Network integration
Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks. (Azure ExpressRoute)
§ Protect your shared documents
Microsoft Azure Information Protection (AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Labels can be applied automatically based on rules and conditions, manually, or a combination of both where users are guided by recommendations.
You can purchase AIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise.
§ Azure Advanced Threat Protection
Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
· Azure ATP components:
Azure ATP portal
Azure ATP sensor
Azure ATP cloud service: Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. It is not available to purchase via the Azure portal.
8. Apply and monitor infrastructure standards with Azure Policy
§ Introduction
§ Define IT compliance with Azure Policy
Azure Policy is a service in Azure that you use to define, assign, and manage standards for resources in your environment.
Azure Policy can integrate with Azure DevOps, by applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.
· Creating a policy
Create a policy definition --> Assign a definition to a scope of resources --> View policy evaluation results
What is a policy definition? (JSON file)
A policy definition expresses what to evaluate and what action to take:
Allowed Storage Account SKUs, Allowed Resource Type, Allowed Locations, Allowed Virtual Machine SKUs, Not allowed resource types.
The policy definition itself is represented as a JSON file.
Assign a definition to a scope of resources
A policy assignment is a policy definition that has been assigned to take place within a specific scope.
Policy assignments are inherited by all child resources. However, you can exclude a subscope from the policy assignment.
Policy effects
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Each policy definition in Azure Policy has a single effect:
Deny, Disabled (The policy rule is disabled), Append, Audit/AuditIfNotExists, DeployIfNotExists.
Policy evaluation results
Azure Policy can allow a resource to be created even if it doesn't pass validation. In these cases, you can have it trigger an audit event which can be viewed in the Azure Policy portal, or through command-line tools.
§ Organize policy with initiatives
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. An initiative assignment is an initiative definition assigned to a specific scope.
· Defining initiatives
Initiative definitions simplify the process of managing and assigning policy definitions by grouping a set of policies into a single item, e.g.:
Enable Monitoring in Azure Security Center -->
· Monitor unencrypted SQL Database in Security Center
· Monitor OS vulnerabilities in Security Center
· Monitor missing Endpoint Protection in Security Center
· Assigning initiatives
Initiative assignments reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group.
(An initiative is a combination or collection of policies; it simplifies managing and assigning a large number of policies.)
§ Enterprise governance management
Access management occurs at the Azure subscription level. Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group.
(Resources and subscriptions in the same management group automatically inherit that group's conditions, e.g., policies and rules.)
§ Define standard resources with Azure Blueprints
Azure Blueprint allows you to define a repeatable set of Azure resources that implement and adhere to your organization's standards, patterns, and requirements.
Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.
Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
Role assignments, Policy assignments, Azure Resource Manager templates, Resource groups.
The process of implementing Azure Blueprint consists of the following high-level steps:
Create an Azure Blueprint --> Assign the blueprint --> Track the blueprint assignments
Azure Blueprints are different from Azure Resource Manager Templates. When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or source control). By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment.
§ Explore your service compliance with Compliance Manager
· Microsoft Privacy Statement
The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
· Microsoft Trust Center
The Microsoft Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
· Service Trust Portal (STP)
The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.
(ISO, SOC, NIST, FedRAMP, GDPR)
· Compliance Manager
Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
(Compliance Score: track your progress and prioritize auditing controls)
§ Monitor your service health
Azure provides two primary services to monitor the health of your apps and resources: Azure Monitor and Azure Service Health.
· Azure Monitor
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
Data sources (data tier: description)
Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
Azure resource monitoring data: Data about the operation of an Azure resource.
Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.
Diagnostic settings
Activity Logs record when resources are created or modified and Metrics tell you how the resource is performing and the resources that it's consuming.
· Enable guest-level monitoring
· Performance counters: collect performance data
· Event Logs: enable various event logs
· Crash Dumps: enable or disable
· Sinks: send your diagnostic data to other services for more analysis
· Agent: configure agent settings
Getting more data from your apps
· Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. (Log Analytics)
· Azure Monitor for containers is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS).
· Azure Monitor for VMs is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes).
Responding to alert conditions
· Alerts: Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.
· Autoscale: Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.
Visualize monitoring data
· Dashboards
· Views
· Power BI
Integrate with other services
· Azure Service Health
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you.
Azure Status provides a global view of the health state of Azure services.
Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.
(Health advisories, Health history - 90 days, Health alerts)
Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources.
9. Control and organize Azure resources with Azure Resource Manager
§ Introduction
§ Principles of resource groups
· What are resource groups?
A resource group is a logical container for resources deployed on Azure. Resource groups can't be nested.
Logical grouping
Life cycle
If you delete a resource group, all resources contained within are also deleted. Organizing resources by life cycle can be useful in non-production environments.
Authorization
Resource groups are also a scope for applying role-based access control (RBAC) permissions.
· Create a Resource Group
Resource groups can be created by using the following methods:
· Azure portal
· Azure PowerShell
· Azure CLI
· Templates
· Azure SDKs (like .NET, Java)
· Explore a resource group and add a resource
· Use resource groups for organization
Consistent naming convention
Organizing principles
· By resource type:
· By environment:
· By business department:
· Combination:
· Organizing for authorization:
Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them.
· Organizing for life cycle:
We mentioned earlier that resource groups serve as the life cycle for the resources within it. If you delete a resource group, you delete all the resources in it. Use this to your advantage, especially in areas where resources are more disposable, like non-production environments.
· Organizing for billing:
Placing resources in the same resource group is a way to group them for usage in billing reports.
§ Use tagging to organize resources
· What are tags?
Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details about your resource, in addition to the standard Azure properties a resource has:
department (like finance, marketing, and more)
environment (prod, test, dev),
cost center
life cycle and automation (like shutdown and startup of virtual machines).
A resource can have up to 15 tags.
The tag name is limited to 512 characters (except storage accounts --> 128 characters).
The tag value is limited to 256 characters.
Tags aren't inherited from parent resources. Not all resource types support tags, and tags can't be applied to classic resources.
You can use Azure Policy to automatically add or enforce tags for resources your organization creates based on policy conditions that you define.
· Apply tags to resources
· Use tags for organization
§ Use policies to enforce standards
· What is Azure Policy?
Azure Policy is a service you can use to create, assign, and manage policies.
· Create a policy
Create the policy definition
Create a policy assignment
Test out the policy
Please note that the policy assignment may take up to 30 minutes to take effect.
· Use policies to enforce standards
Use policy to ensure that resources carry the required tags
Use policy to restrict which Azure regions resources can be deployed to
Use policy to restrict which virtual machine sizes can be deployed
Use policy to enforce naming conventions
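The policy definition, assignment scope and effect behaviour described in section 8, applied to the standards listed above (required tags, allowed regions, allowed VM sizes), as an added example; this is code written for these notes, not Azure Policy's engine. Scope ids, assignment names, parameter values and the sample VM request are constructed, property aliases such as Microsoft.Compute/virtualMachines/sku.name are stored as flat keys of the resource dict, and only the Deny, Audit, Append and Disabled effects are modelled.

```python
"""Miniature evaluator for Azure Policy definitions as the notes describe them:
a policyRule with an "if" condition and a "then" effect, assigned to a scope
(optionally excluding sub-scopes) and run against a create/update request.
Example code for these notes, not Azure's engine; only the Deny, Audit,
Append and Disabled effects are modelled and ids are constructed."""
import re

TAG_FIELD = re.compile(r"tags\['?([^\]']+)'?\]")   # matches tags['environment']

def _norm(v):
    return v.lower() if isinstance(v, str) else v   # string compares are case-insensitive

def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assignment's parameter value."""
    m = isinstance(value, str) and re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    return params[m.group(1)]["value"] if m else value

def _field(resource, name):
    """tags['k'] reads a tag; any other field name (including property aliases
    such as .../sku.name, stored flat here) is a key of the resource dict."""
    m = TAG_FIELD.fullmatch(name)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(name)

def _matches(cond, resource, params) -> bool:
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(_resolve(cond["equals"], params))
    if "in" in cond:
        return _norm(actual) in [_norm(x) for x in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return _norm(actual) not in [_norm(x) for x in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def in_scope(resource_id, assignment) -> bool:
    """An assignment covers every child of its scope unless a notScope excludes it."""
    rid = resource_id.lower()
    return rid.startswith(assignment["scope"].lower()) and not any(
        rid.startswith(ns.lower()) for ns in assignment.get("notScopes", []))

def evaluate_request(resource, assignments):
    """Returns (allowed, names of assignments that raised an audit event,
    the resource as it would be stored after any Append effects)."""
    resource = dict(resource, tags=dict(resource.get("tags", {})))
    allowed, audits = True, []
    for a in assignments:
        rule, params = a["definition"]["policyRule"], a.get("parameters", {})
        effect = rule["then"]["effect"].lower()
        if effect == "disabled" or not in_scope(resource["id"], a) \
                or not _matches(rule["if"], resource, params):
            continue
        if effect == "deny":
            allowed = False
        elif effect == "audit":
            audits.append(a["name"])
        elif effect == "append":          # add the field only if it is missing
            for d in rule["then"]["details"]:
                key = TAG_FIELD.fullmatch(d["field"]).group(1)
                resource["tags"].setdefault(key, _resolve(d["value"], params))
    return allowed, audits, resource

def assignment(name, scope, if_cond, effect, params=None, not_scopes=(), details=None):
    then = {"effect": effect, **({"details": details} if details else {})}
    return {"name": name, "scope": scope, "notScopes": list(not_scopes),
            "parameters": params or {},
            "definition": {"policyRule": {"if": if_cond, "then": then}}}

# Constructed assignments mirroring the standards listed above.
SUB = "/subscriptions/0000-sub"
RG = SUB + "/resourceGroups/rg-prod"
ASSIGNMENTS = [
    assignment("allowed-locations", SUB,
               {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
               "Deny", {"listOfAllowedLocations": {"value": ["westeurope", "northeurope"]}}),
    assignment("allowed-vm-skus", SUB,
               {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                          {"field": "Microsoft.Compute/virtualMachines/sku.name",
                           "notIn": ["Standard_B2s", "Standard_D2s_v3"]}]}, "Deny"),
    assignment("require-environment-tag", RG,
               {"field": "tags['environment']", "exists": "false"}, "Audit"),
    assignment("append-cost-center", RG,
               {"field": "tags['costCenter']", "exists": "false"}, "Append",
               {"costCenter": {"value": "CC-1234"}},
               not_scopes=[RG + "/providers/Microsoft.Storage/storageAccounts/stlegacy"],
               details=[{"field": "tags['costCenter']", "value": "[parameters('costCenter')]"}]),
]
VM_REQUEST = {   # constructed create request for a VM in rg-prod
    "id": RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    "type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
    "location": "westeurope", "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3",
    "tags": {},
}
```

Running evaluate_request(VM_REQUEST, ASSIGNMENTS) lets the VM through with an audit event for the missing environment tag and a costCenter tag appended; the same VM in eastus or with a SKU outside the list is denied.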
§ Secure resources with role-based access control(RBAC)
RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost.
RBAC uses an allow model for access.
§ Use resource locks to protect resources
· What are resource locks?
Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only.
· Delete will allow all operations against the resource but block the ability to delete it.
· Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.
Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
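The lock semantics above as an added example (code written for these notes, not Azure's own logic), including one caveat the notes do not mention: a ReadOnly lock also blocks POST operations such as listing a storage account's keys, because the List Keys operation is a POST request. Subscription, resource group and resource ids and the lock names are constructed; the API name of the Delete level is CanNotDelete.

```python
"""Model of Azure resource-lock behaviour: CanNotDelete (shown as "Delete" in the
portal) blocks DELETE, ReadOnly blocks everything except GET, locks set on a
subscription or resource group are inherited by every resource beneath them, and
the most restrictive lock wins. Example code for these notes, not Azure's own
logic; ids and lock names are constructed."""
from dataclasses import dataclass

# ARM request methods each lock level refuses. POST covers "actions" such as
# listKeys, which is why a ReadOnly lock stops key listing on a storage account.
BLOCKED_METHODS = {
    "CanNotDelete": {"DELETE"},
    "ReadOnly": {"PUT", "PATCH", "POST", "DELETE"},
}

@dataclass(frozen=True)
class Lock:
    name: str
    scope: str    # subscription, resource group or resource id
    level: str    # "CanNotDelete" or "ReadOnly"

def effective_locks(resource_id: str, locks: list) -> list:
    """Locks apply to the scope they are set on and to every child of that scope."""
    rid = resource_id.lower()
    return [l for l in locks
            if rid == l.scope.lower() or rid.startswith(l.scope.lower() + "/")]

def blocking_locks(method: str, resource_id: str, locks: list) -> list:
    """Names of the locks that refuse an ARM request on the given resource."""
    return [l.name for l in effective_locks(resource_id, locks)
            if method.upper() in BLOCKED_METHODS[l.level]]

def check_request(method: str, url_path: str, locks: list) -> str:
    """Classify a request as 'allowed' or 'blocked by <lock names>'.
    For POST actions (.../listKeys) the lock target is the resource itself."""
    target = url_path.split("?")[0]
    if method.upper() == "POST":
        target = target.rsplit("/", 1)[0]   # strip the action segment
    hits = blocking_locks(method, target, locks)
    return "allowed" if not hits else "blocked by " + ", ".join(hits)

# Constructed sample hierarchy: a subscription-wide delete lock, a read-only
# production resource group, and an extra delete lock on one VM.
SUB = "/subscriptions/0000-sub"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
LOCKS = [
    Lock("sub-no-delete", SUB, "CanNotDelete"),
    Lock("rg-prod-readonly", RG, "ReadOnly"),
    Lock("vm-no-delete", VM, "CanNotDelete"),
]

if __name__ == "__main__":
    for method, path in (("GET", VM), ("PUT", VM), ("DELETE", VM),
                         ("POST", RG + "/providers/Microsoft.Storage/storageAccounts/stprod/listKeys")):
        print(method, path.rsplit("/", 1)[-1], "->", check_request(method, path, LOCKS))
```

Note that a ReadOnly lock on a resource group also refuses PUT requests that would create new resources inside it, since the create request targets a child of the locked scope.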
· Create a resource lock
10. Predict costs and optimize spending for Azure
§ Introduction
§ Purchasing Azure products and services
· Enterprise - Enterprise customers sign an Enterprise Agreement with Azure that commits them to spend a negotiated amount on Azure services, which they typically pay annually. Enterprise customers also have access to customized Azure pricing.
· Web direct - Direct Web customers pay general public prices for Azure resources, and their monthly billing and payments occur through the Azure website.
· Cloud Solution Provider - Cloud Solution Providers (CSPs) are typically Microsoft partner companies that a customer hires to build solutions on top of Azure. Payment and billing for Azure usage occur through the customer's CSP.
(Azure's pay-for-what-you-use model)
· Usage meters
The key takeaway is that resources are always charged based on usage.
§ Factors affecting costs
· Resource type
Each meter tracks a particular kind of usage. (e.g., bandwidth usage, the number of operations, size…) The usage that a meter tracks correlates to a number of billable units.
· Services
Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs. The Azure team develops and offers first-party products and services, while products and services from third-party vendors are available in the Azure Marketplace. Different billing structures apply to each of these categories.
· Location
Azure has datacenters all over the world. Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.
· Azure billing zones
Bandwidth refers to data moving in and out of Azure datacenters. Most of the time inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on Billing Zones.
(In general, inbound traffic is free and outbound traffic is charged.)
A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the listed countries (regions):
Zone 1: United States, Europe, Canada, UK, France
Zone 2: Asia Pacific, Japan, Australia, India, Korea
Zone 3: Brazil
DE Zone 1: Germany
In most zones, the first outbound 5 GB per month is free. After that, you are billed a fixed price per GB.
§ Estimate costs with the Azure pricing calculator
· Introducing the Azure pricing calculator
The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.
The options that you can configure in the pricing calculator vary between products, but basic configuration options include:
Region: Lists the regions from which you can provision a product. Southeast Asia, central Canada, the western United States, and Northern Europe are among the possible regions available for some resources.
Tier: Sets the type of tier you wish to allocate to a selected resource, such as Free Tier, Basic Tier, etc.
Billing Options: Highlights the billing options available to different types of customer and subscriptions for a chosen product.
Support Options: Allows you to pick from included or paid support pricing options for a selected product.
Programs and Offers: Allows you to choose from available price offerings according to your customer or subscription type.
Azure Dev/Test Pricing: Lists the available development and test prices for a product. Dev/Test pricing applies only when you run resources within an Azure subscription that is based on a Dev/Test offer.
Try out the Azure pricing calculator
· Estimate a solution
· Share and save your estimate
You can share your estimate through an Excel spreadsheet or through a URL.
§ Predict and optimize with Cost Management and Azure Advisor
· What is Azure Advisor?
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, and cost.
Advisor makes cost recommendations in the following areas:
· Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.
· Buy reserved instances to save money over pay-as-you-go.
· Right-size or shut down underutilized virtual machines.
(underutilized virtual machines: average CPU utilization is 5 percent or less and network usage is 7 MB or less for four or more days)
· Azure Cost Management
Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going.
(require an Enterprise Agreement, EA)
· Cloudyn
Cloudyn, a Microsoft subsidiary, allows you to track cloud usage and expenditures for your Azure resources and other cloud providers including Amazon Web Services and Google.
§ Estimate the Total Cost of Ownership with the Azure TCO calculator
The pricing calculator and cost management advisor can help you predict and analyze your spend for new or existing services.
If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings is the Total Cost of Ownership (TCO) calculator. To use the TCO calculator, you need to complete four steps:
· Step 1: Open the TCO calculator
· Step 2: Define your workloads
Start by entering details about your on-premises infrastructure into the TCO calculator according to four groups:
Servers: Enter details of your current on-premises server infrastructure.
Databases: Enter details of your on-premises database infrastructure in the Source section. In the Destination section, select the corresponding Azure service you would like to use.
Storage: Enter the details of your on-premises storage infrastructure.
Networking: Enter the amount of network bandwidth you currently consume in your on-premises environment.
· Step 3: Adjust assumptions
Adjust the values of assumptions that the TCO calculator makes, which might vary between customers.
· Step 4: View the report
The TCO calculator generates a detailed report based on the details you enter and the adjustments you make. The report allows you to compare the costs of your on-premises infrastructure with the costs of using Azure products and services to host your infrastructure in the cloud.
(The TCO calculator is used to estimate the cost savings of migrating services deployed on-premises to the cloud.)
§ Save on infrastructure costs
· Use Azure credits
Visual Studio subscribers can activate a monthly credit benefit which allows you to experiment with, develop, and test new solutions on Azure.
· Use spending limits
By default, Azure subscriptions which have associated monthly credits (which includes trial accounts) have a spending limit to ensure you aren't charged once you have used up your credits.
The spending limit feature is specific to subscriptions that include a monthly Azure credit allotment. It is not available on pay-only subscriptions.
· Use reserved instances (RIs)
If you have VM workloads that are static and predictable, particularly ones that run 24x7x365, using reserved instances is a fantastic way to potentially save up to 70-80%, depending on the VM size (plus Azure Hybrid Benefit).
Reserved instances are purchased in one-year or three-year terms, with payment required for the full term upfront.
(A virtual machine reserved instance simply means prepaying for one or three years of usage.)
· Choose low-cost locations and regions
The cost of Azure products, services, and resources can vary across locations and regions, and if possible, you should use them in those locations and regions where they cost less.
Some resources are metered and billed according to how much outgoing network bandwidth they consume (egress). You should provision connected resources that are bandwidth metered in the same region to reduce egress traffic between them.
· Research available cost-saving offers
Keep up-to-date with the latest Azure customer and subscription offers, and switch to offers that provide the most significant cost-saving benefit.
· Right-size underutilized virtual machines
Right-sizing a virtual machine is the process of resizing it to a size that fits its actual utilization.
· Deallocate virtual machines in off hours
Use an automation solution to deallocate them on a schedule.
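One way to build the scheduling half of such an automation, as an added example that is not Microsoft's tool or code: each VM carries a tag (I call it `offhours-schedule`, an assumed name) whose value lists the hours the VM should be running, such as `Mon-Fri 08:00-19:00`, and the script decides at a given time which VMs to deallocate or start. The inventory is constructed; the power-state codes are the ones Azure reports in a VM's instance view, and the rendered `az vm deallocate` / `az vm start` commands are real Azure CLI commands, shown here as strings rather than executed.

```python
"""Decide which VMs to deallocate (or start) at a given time from a schedule tag.

Added example, not a Microsoft tool. Assumptions: VMs carry a tag named
"offhours-schedule" (my name) whose value lists the hours the VM should be
running, e.g. "Mon-Fri 08:00-19:00"; the inventory below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

DAY_INDEX = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
SCHEDULE_TAG = "offhours-schedule"  # assumed tag name, not an Azure convention


@dataclass
class Vm:
    name: str
    resource_group: str
    power_state: str  # instance-view code, e.g. "PowerState/running"
    tags: dict = field(default_factory=dict)


def parse_days(spec):
    """'Mon-Fri' -> {0,1,2,3,4}; 'Mon,Wed,Fri' -> {0,2,4}."""
    if "-" in spec:
        first, last = spec.split("-", 1)
        lo, hi = DAY_INDEX[first], DAY_INDEX[last]
        if lo > hi:
            raise ValueError("day range must run Mon..Sun: " + spec)
        return set(range(lo, hi + 1))
    return {DAY_INDEX[d] for d in spec.split(",")}


def parse_schedule(value):
    """'Mon-Fri 08:00-19:00' -> (days, start, end); end is exclusive."""
    days_spec, hours_spec = value.split()
    start_s, end_s = hours_spec.split("-")
    start, end = time.fromisoformat(start_s), time.fromisoformat(end_s)
    if end <= start:
        raise ValueError("schedule must not wrap past midnight: " + value)
    return parse_days(days_spec), start, end


def _as_dt(now):
    """Accept a datetime or an ISO 8601 string such as '2019-08-02T21:30'."""
    return now if isinstance(now, datetime) else datetime.fromisoformat(now)


def should_run(schedule_value, now):
    """True when `now` falls inside the tagged running hours."""
    now = _as_dt(now)
    days, start, end = parse_schedule(schedule_value)
    return now.weekday() in days and start <= now.time() < end


def plan_actions(vms, now):
    """Return [(vm_name, "deallocate" | "start")] for the tagged VMs."""
    now = _as_dt(now)
    actions = []
    for vm in vms:
        schedule = vm.tags.get(SCHEDULE_TAG)
        if not schedule:
            continue  # untagged VMs are treated as 24x7 and left alone
        wanted = should_run(schedule, now)
        if not wanted and vm.power_state in ("PowerState/running", "PowerState/stopped"):
            # A VM that is merely *stopped* (guest OS shut down) is still billed
            # for compute; only deallocation releases the hardware and the meter.
            actions.append((vm.name, "deallocate"))
        elif wanted and vm.power_state == "PowerState/deallocated":
            actions.append((vm.name, "start"))
    return actions


def to_cli(vms, actions):
    """Render each planned action as the Azure CLI command that performs it."""
    group_of = {vm.name: vm.resource_group for vm in vms}
    return [f"az vm {action} --resource-group {group_of[name]} --name {name}"
            for name, action in actions]


# Constructed inventory: three tagged dev VMs and one untagged production VM.
INVENTORY = [
    Vm("dev-web-01", "rg-dev", "PowerState/running", {SCHEDULE_TAG: "Mon-Fri 08:00-19:00"}),
    Vm("dev-db-01", "rg-dev", "PowerState/stopped", {SCHEDULE_TAG: "Mon-Fri 08:00-19:00"}),
    Vm("dev-ci-01", "rg-dev", "PowerState/deallocated", {SCHEDULE_TAG: "Mon,Wed,Fri 06:00-22:00"}),
    Vm("prod-web-01", "rg-prod", "PowerState/running"),
]

if __name__ == "__main__":
    for line in to_cli(INVENTORY, plan_actions(INVENTORY, "2019-08-02T21:30")):
        print(line)
```

The distinction the script encodes in `plan_actions` is the one that matters for the bill: a VM that is only stopped from inside the guest keeps its compute allocation and keeps being charged, so the automation must issue a deallocate, not a shutdown, to actually save money in off hours.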
· Delete unused virtual machines
· Migrate to PaaS or SaaS services
IaaS requires Azure to dedicate resources, while PaaS gives Azure more flexibility in how services are delivered. This means Azure can fill and operate hardware efficiently and therefore offer PaaS services at a savings over IaaS.
The Azure Architecture Center is a great place to get ideas for transforming your application, as well as best practices across a wide array of architectures and Azure services.
§ Save on licensing costs
· Linux vs. Windows
In some cases, the cost of the product can be different based on the OS you choose.
· Azure Hybrid Benefit for Windows Server
Many customers have invested in Windows Server licenses and would like to repurpose this investment on Azure. The Azure Hybrid Benefit gives customers the right to use these licenses for virtual machines on Azure. That means you won't be charged for the Windows Server license and will instead be billed at the Linux rate.
· Azure Hybrid Benefit for SQL Server
The Azure Hybrid Benefit for SQL Server helps you maximize the value from your current licensing investments and accelerate your migration to the cloud. Azure Hybrid Benefit for SQL Server is an Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.
· Use Dev/Test subscription offers
The Enterprise Dev/Test and Pay-As-You-Go Dev/Test offers are a benefit you can take advantage of to save costs on your non-production environments.
There are a few requirements for this benefit, one being that it's only for non-production workloads, and another being that any users of these environments (excluding testers) must be covered under a Visual Studio subscription.
· Bring your own SQL Server license
· Use SQL Server Developer Edition
· Use constrained instance sizes for database workloads