Microsoft Azure
Subscription
- Billing management
- This is the container created in Azure to separate billing and environments.
- An account can have multiple subscriptions that can be used to create isolated environments and billing boundaries.
- Each subscription you create will be mapped to a tenant, and it is always a one-to-one mapping.
- You can always move subscriptions across tenants if you have a multitenant environment.
Subscription Types
- Pay-As-You-Go
- Enterprise Agreement
- Microsoft Customer Agreement
Azure AD / Microsoft Entra ID
- Identity management service for authentication
Tenant
The term tenant means a single instance of Microsoft Entra (Azure AD) denoting a single organization.
When you sign up for any Microsoft cloud service (Azure, Office 365, etc.), a dedicated instance of Azure AD is provisioned for you.
Each tenant is tied to a specific DNS name, which is a unique name associated with this tenant that has the suffix onmicrosoft.com, and a unique ID assigned to the tenant called the tenant ID.
An organization can create multiple directories/tenants for creating disparate environments or realms with different users and groups.
Once you have your tenant, you can add one or more capacities to it.
Service Principal
Access control (IAM)
- RBAC for authorization
- Can be specified on every resource level
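Because role assignments can be made at any level of the resource hierarchy and inherit downwards, the practical question when reviewing access is "which roles does this principal effectively hold on this resource, and where were they granted?". The following is an added example (not code from the original notes) that resolves that over a constructed list of assignments; the subscription ID, principal object IDs, resource names and role names are placeholders.

```python
"""Resolve which Azure RBAC roles a principal effectively holds on a resource.

Added example, not from the original notes. Azure RBAC assignments are
additive and inherit downwards: an assignment at the subscription scope
applies to every resource group and resource beneath it. All IDs and
names below are constructed placeholders.
"""

# Constructed sample role assignments: (principal object ID, role name, scope)
ASSIGNMENTS = [
    ("11111111-1111-1111-1111-111111111111", "Reader",
     "/subscriptions/00000000-0000-0000-0000-000000000000"),
    ("11111111-1111-1111-1111-111111111111", "Contributor",
     "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"),
    ("22222222-2222-2222-2222-222222222222", "Virtual Machine Contributor",
     "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
     "/providers/Microsoft.Compute/virtualMachines/web-01"),
    ("22222222-2222-2222-2222-222222222222", "Owner",
     "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-rg"),
]


def _segments(scope):
    # ARM scopes are case-insensitive; compare normalised path segments so that
    # ".../resourceGroups/prod" does not accidentally cover ".../resourceGroups/prod-rg".
    return [s.lower() for s in scope.strip("/").split("/") if s]


def scope_covers(assignment_scope, resource_scope):
    """True if assignment_scope equals resource_scope or is one of its ancestors."""
    a, r = _segments(assignment_scope), _segments(resource_scope)
    return len(a) <= len(r) and r[: len(a)] == a


def effective_roles(assignments, principal_id, resource_scope):
    """Set of roles the principal holds on resource_scope, inherited ones included."""
    return {
        role
        for pid, role, scope in assignments
        if pid == principal_id and scope_covers(scope, resource_scope)
    }


def inherited_from(assignments, principal_id, resource_scope):
    """Map each effective role to the scope it was granted at, explaining why access exists."""
    return {
        role: scope
        for pid, role, scope in assignments
        if pid == principal_id and scope_covers(scope, resource_scope)
    }


if __name__ == "__main__":
    vm = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01")
    for pid in sorted({a[0] for a in ASSIGNMENTS}):
        print(pid, inherited_from(ASSIGNMENTS, pid, vm))
```

Feeding this the output of `az role assignment list --all` (principalId, roleDefinitionName, scope) gives the same answer the portal's "Check access" blade gives, and `inherited_from` shows whether a surprising permission comes from a broad subscription-level grant rather than the resource itself.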
Networking
VPN Gateway
- Cross-premises connection options
  - Point-to-site
  - Site-to-site
  - VNet-to-VNet
  - Multi-Site
  - ExpressRoute
Observability
- Advisor
  - A recommendation engine to:
    - Get proactive, actionable, and personalized best-practice recommendations.
    - Improve the performance, security, and reliability of your resources, as you identify opportunities to reduce your overall Azure spend.
    - Get recommendations with proposed actions inline.
- Monitor
  - Similar to AppDynamics or CloudWatch, a comprehensive APM solution
- Service Health
  - Personalised view of the health of the Azure services and regions you're using
  - The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance.
Management
Azure Instance Metadata Service
curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq
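IMDS answers only on the link-local address 169.254.169.254, must be reached without a proxy, and refuses requests that lack the `Metadata: true` header (that header is what stops a generic SSRF from reading the endpoint). The following is an added example (not code from the original notes) that issues the same request as the curl command in Python and pulls out the identifiers an incident responder wants first. The JSON body is a constructed sample of the `compute` and `network` sections so the parsing runs offline; the IDs in it are placeholders.

```python
"""Query the Azure Instance Metadata Service (IMDS) and summarise the result.

Added example, not from the original notes. The sample response below is a
constructed, trimmed IMDS instance document with placeholder IDs.
"""
import json
import urllib.request

IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Constructed sample response (trimmed to the fields used below).
SAMPLE_RESPONSE = json.dumps({
    "compute": {
        "name": "web-01",
        "location": "westeurope",
        "vmId": "aaaaaaaa-0000-0000-0000-000000000001",
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "resourceGroupName": "prod-rg",
        "osType": "Linux",
        "publicKeys": [],
    },
    "network": {"interface": [{"ipv4": {"ipAddress": [
        {"privateIpAddress": "10.0.0.4", "publicIpAddress": ""}]}}]},
})


def build_imds_request(url=IMDS_URL):
    """Build the request the way `curl -H Metadata:true` does: the header is mandatory."""
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def fetch_imds(url=IMDS_URL, timeout=2.0):
    """Fetch raw JSON from IMDS, bypassing any configured proxy (equivalent of --noproxy "*").

    Only works from inside an Azure VM; elsewhere it raises an OSError subclass.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_imds_request(url), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def summarize_instance(body):
    """Extract the identifiers that place a host in the subscription/RG hierarchy."""
    doc = json.loads(body)
    compute = doc["compute"]
    nics = doc.get("network", {}).get("interface", [])
    private_ips = [
        addr["privateIpAddress"]
        for nic in nics
        for addr in nic.get("ipv4", {}).get("ipAddress", [])
    ]
    return {
        "vm_name": compute["name"],
        "vm_id": compute["vmId"],
        "subscription_id": compute["subscriptionId"],
        "resource_group": compute["resourceGroupName"],
        "location": compute["location"],
        "private_ips": private_ips,
    }


if __name__ == "__main__":
    try:
        body = fetch_imds()
    except OSError:
        # Not on an Azure VM: fall back to the constructed sample so the parser still runs.
        body = SAMPLE_RESPONSE
    print(json.dumps(summarize_instance(body), indent=2))
```

The subscription ID and resource group from `summarize_instance` are exactly what you need to scope the `az` commands in the next section to the host you are looking at.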
Azure CLI
Get the active Subscription ID
az account list --output table
To see all the Resource Groups for your current Subscription
az group list --output table
Get the active Tenant ID
az account show
Display all VM's Managed Identities
az vm identity show --name <VM-name> --resource-group <Resource-Group>
Install interactive extension
az interactive
AKS
- Configure local kubectl to connect to an AKS cluster
  az aks get-credentials --resource-group <resource-group> --name <cluster-name>
- List node pools
  az aks nodepool list --cluster-name <cluster-name> --resource-group <resource-group>
- RBAC
Pod assuming Managed Identity

```shell
# Retrieve the Managed Identity's Client ID and Resource ID
export IDENTITY_CLIENT_ID="$(az identity show -g ${RESOURCE_GROUP} -n ${IDENTITY_NAME} --query clientId -otsv)"
export IDENTITY_RESOURCE_ID="$(az identity show -g ${RESOURCE_GROUP} -n ${IDENTITY_NAME} --query id -otsv)"

# Create a Pod identity in AKS, associating it with the specified Managed Identity
export POD_IDENTITY_NAME="my-pod-identity"
export POD_IDENTITY_NAMESPACE="my-app"
az aks pod-identity add -g ${RESOURCE_GROUP} --cluster-name ${CLUSTER_NAME} \
  --namespace ${POD_IDENTITY_NAMESPACE} --name ${POD_IDENTITY_NAME} \
  --identity-resource-id ${IDENTITY_RESOURCE_ID}

# A Pod identity is essentially a Kubernetes resource of kind AzureIdentity,
# paired with an AzureIdentityBinding (k is an alias for kubectl)
k get azureidentity ${POD_IDENTITY_NAME} -n ${POD_IDENTITY_NAMESPACE}
k get azureidentitybinding -n ${POD_IDENTITY_NAMESPACE}
```

Specify the Pod identity with the predefined label aadpodidbinding:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: $POD_IDENTITY_NAME
```
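The pod's `aadpodidbinding` label is matched against `spec.selector` of an AzureIdentityBinding, which names the AzureIdentity carrying the managed identity's client ID and resource ID; so auditing "which pods can obtain which identity's tokens" is a join over those three objects. The following is an added example (not code from the original notes or from the AAD Pod Identity project) that performs that join over constructed manifests, represented as the dicts `kubectl get ... -o json` would return. It also models the one knob that matters for isolation: AAD Pod Identity matches bindings across namespaces unless it runs in namespaced mode (`--forceNamespaced`), so a pod in another namespace carrying the same label would otherwise resolve to the identity. Names and IDs are placeholders. Note that AAD Pod Identity (v1) is deprecated in favour of Microsoft Entra Workload ID, where the binding is a service-account annotation instead.

```python
"""Audit which pods can assume which managed identity via AAD Pod Identity.

Added example, not from the original notes or the AAD Pod Identity project.
Manifests below are constructed samples (as kubectl -o json dicts) with
placeholder names and IDs. The matching logic is a simplified model of the
binding rules: pod label aadpodidbinding == AzureIdentityBinding.spec.selector,
and AzureIdentityBinding.spec.azureIdentity == AzureIdentity.metadata.name.
"""

AZURE_IDENTITIES = [
    {"kind": "AzureIdentity",
     "metadata": {"name": "my-pod-identity", "namespace": "my-app"},
     "spec": {"type": 0,
              "resourceID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/prod-rg"
                            "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity",
              "clientID": "33333333-3333-3333-3333-333333333333"}},
]

AZURE_IDENTITY_BINDINGS = [
    {"kind": "AzureIdentityBinding",
     "metadata": {"name": "my-pod-identity-binding", "namespace": "my-app"},
     "spec": {"azureIdentity": "my-pod-identity", "selector": "my-pod-identity"}},
]

PODS = [
    {"kind": "Pod", "metadata": {"name": "demo", "namespace": "my-app",
                                 "labels": {"aadpodidbinding": "my-pod-identity"}}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "my-app",
                                 "labels": {"app": "worker"}}},
    # Same label, different namespace: only isolated when namespaced mode is enforced.
    {"kind": "Pod", "metadata": {"name": "other", "namespace": "other-ns",
                                 "labels": {"aadpodidbinding": "my-pod-identity"}}},
]


def resolve_pod_identity(pod, bindings, identities, force_namespaced=False):
    """Return the AzureIdentity dict the pod would assume, or None if nothing binds to it."""
    ns = pod["metadata"]["namespace"]
    selector = pod["metadata"].get("labels", {}).get("aadpodidbinding")
    if selector is None:
        return None
    for binding in bindings:
        if binding["spec"]["selector"] != selector:
            continue
        # In namespaced mode the binding must live in the pod's own namespace.
        if force_namespaced and binding["metadata"]["namespace"] != ns:
            continue
        for ident in identities:
            if ident["metadata"]["name"] != binding["spec"]["azureIdentity"]:
                continue
            if ident["metadata"]["namespace"] == binding["metadata"]["namespace"]:
                return ident
    return None


def identity_audit(pods, bindings, identities, force_namespaced=False):
    """Map 'namespace/pod' -> managed identity client ID (None when the pod has no identity)."""
    report = {}
    for pod in pods:
        key = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        ident = resolve_pod_identity(pod, bindings, identities, force_namespaced)
        report[key] = ident["spec"]["clientID"] if ident else None
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("force_namespaced =", mode,
              identity_audit(PODS, AZURE_IDENTITY_BINDINGS, AZURE_IDENTITIES, mode))
```

Run against real cluster state by replacing the constructed lists with the `items` of `kubectl get pods,azureidentity,azureidentitybinding -A -o json`; any pod that resolves to an identity it was not meant to have, or any cross-namespace match in a cluster you believed was namespaced, is a finding.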