Storage Account

• Gist

  • A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has a URL address that includes your unique account name. The combination of the account name and the service endpoint forms the endpoints for your storage account.

• Account types

  • Standard general purpose v2 (GPv2)

    • Blob Storage (including Data Lake Storage)
    • Queue Storage
    • Table Storage
    • Azure Files

  • Premium block blobs

  • Premium file shares

  • Premium page blobs

Subscription

• Billing management
• This is the container created in Azure to separate billing and environments.
• An account can have multiple subscriptions that can be used to create isolated environments and billing boundaries.
• Each subscription you create will be mapped to a tenant, and it is always a one-to-one mapping.
• You can always move subscriptions across tenants if you have a multitenant environment.

Subscription Types

• Pay-As-You-Go
• Enterprise Agreement
• Microsoft Customer Agreement

Azure AD / Microsoft Entra ID

• Identity management service for authentication

Tenant

The term tenant means a single instance of Microsoft Entra (Azure AD) denoting a single organization.

When you sign up for any Microsoft cloud service (Azure, Office365, etc.), a dedicated instance of Azure AD is provisioned for you.

Each tenant is tied to a specific DNS name, which is a unique name associated to this tenant that will have the suffix onmicrosoft.com and a unique ID assigned to the tenant called the tenant ID.

An organization can create multiple directories/tenants for creating disparate environments or realms with different users and groups.

Once you have your tenant, you can add one or more capacities to it.

Service Principal

• Demystifying Service Principals – Managed Identities (opens in a new tab)

Access control (IAM)

• RBAC for authorization
• Can be specified on every resource level

Networking

VPN Gateway

• Cross-premises connection options

  • Point-to-site
  • Site-to-site
  • VNet-to-VNet
  • Multi-Site
  • ExpressRoute

Observability

• Advisor

  • A recommendation engine to:
    • Get proactive, actionable, and personalized best practices recommendations.
    • Improve the performance, security, and reliability of your resources, as you identify opportunities to reduce your overall Azure spend.
    • Get recommendations with proposed actions inline.

• Monitor

  • Similar to AppDynamics or CloudWatch, a comprehensive APM solution

• Service Health

  • Personalised view of the health of the Azure services and regions you're using
  • The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance.

Management

Azure Instance Metadata Service

• curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq

Azure CLI

Get the active Subscription ID

• az account list --output table

To see all the Resource Groups for your current Subscription

• az group list --output table

Get the active Tenant ID

• az account show

Display all VM's Managed Identities

• az vm identity show --name <VM-name> --resource-group <Resource-Group>

Install interactive extension

• az interactive

• AKS

  • Configure local kubectl to connect to a AKS cluster

    az aks get-credentials --resource-group <resource-group> --name <cluster-name>

  • List node pools

    az aks nodepool list --cluster-name <cluster-name> --resource-group <resource-group>

  • RBAC

    • Pod assuming Managed Identity

      # Retrieve Managed Identity's Client ID and Resource ID
      export IDENTITY_CLIENT_ID="$(az identity show -g ${RESOURCE_GROUP} -n ${IDENTITY_NAME} --query clientId -otsv)"
      export IDENTITY_RESOURCE_ID="$(az identity show -g ${RESOURCE_GROUP} -n ${IDENTITY_NAME} --query id -otsv)"

      # Create a Pod identity in AKS, associating it with the specified Managed Identity
      export POD_IDENTITY_NAME="my-pod-identity"
      export POD_IDENTITY_NAMESPACE="my-app"
      az aks pod-identity add -g ${RESOURCE_GROUP} --cluster-name ${CLUSTER_NAME} --namespace ${POD_IDENTITY_NAMESPACE}  --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}

      # A Pod identity is essentially a Kubernetes resource of Kind AzureIdentity
      k get azureidentity ${POD_IDENTITY_NAME} -n $POD_IDENTITY_NAMESPACE
      k get azureidentitybinding -n $POD_IDENTITY_NAMESPACE

      # Specify the Pod identity with a predefined label aadpodidbinding
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        labels:
          aadpodidbinding: $POD_IDENTITY_NAME

      • Resources

        • Microsoft Docs - Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) (opens in a new tab)

References

• Keyboard shortcuts in the Azure portal (opens in a new tab)
• AWS to Azure services comparison (opens in a new tab)
• GitHub - Azure Samples (opens in a new tab)