Microsoft Azure Architecture Master Class - Infrastructure

Azure Infrastructure Architecture Introduction

Setting up your infrastructure in Azure can be very complex. The platform offers hundreds of services and you need to decide which ones are useful and how to implement them in the best possible way for your organization. A number of factors will drive your decision: cost, manageability, performance, security, scalability.

• Global Azure Infrastructure
• Architectural Building Blocks: Storage, Networking, Compute
• Design Influencers: Security, Cost, Performance, High Availability, ...

Designing Subscriptions

As organizations grow in Azure, they quickly accumulate multiple subscriptions and a large number of resources. Without a clear structure, this can become difficult to manage and govern. In this module, you’ll learn how to organize Azure environments effectively using tenants, management groups, subscriptions, and resource groups, along with best practices for naming, tagging, and regional design.

• Tenants
• Management Groups
• Subscriptions
• Resource Groups
• Azure Regions
• Naming and Tagging
• LAB: Designing Subscriptions

Resource Deployment

Azure resources can be deployed with lots of different methods: the Azure portal, scripts (PowerShell, Azure CLI), declarative methods (ARM templates, Terraform, Bicep). Choosing the right method for your organization can reduce the cost of managing and creating your infrastructure components.

• Scripting versus Declarative Approach
• Declarative Languages: ARM Templates, Terraform, Bicep
• Azure Template Specs and Deployment Stacks
• Azure DevOps versus GitHub
• Automation Design Considerations
• LAB: Resource Deployment

Network Design

Designing a network in the cloud is very similar to implementing your on-prem network. The same choices need to be made, the same services need to be provisioned.

• IP Address Ranges
• Hub and Spoke Topology
• Azure Virtual WAN
• Network Routing: UDR versus BGP
• Hybrid Networking: VPN Gateways versus ExpressRoute
• Network Topology Design Options
• LAB: Network Design

Name Resolution

To allow for easy communication between various application components both in the cloud and on-premises, you need to design a name resolution strategy.

• Azure-Provided Name Resolution
• Azure Private DNS Zone
• Hybrid Name Resolution: Azure DNS Private Resolver
• Name Resolution with Azure Virtual WAN
• LAB: Name Resolution

VNet Integration Options for PaaS Solutions

By design, PaaS solutions have a public endpoint which makes them accessible over the Internet. This is not always the best implementation from security point of view. Most PaaS services can be integrated with a VNet to limit public access.

• Service Endpoints
• Private Endpoints
• VNet Integration
• App Service Environment
• Hybrid Connections
• LAB: VNet Integration Options for PaaS Solutions

Choosing a Compute Solution

Hosting applications in the cloud can be done using various different compute options. Choosing the right solution in terms of cost, availability, ease of management is essential to provide a stable environment for your users.

• Virtual Machines
• Containers: Container Instances, Container Apps, AKS
• App Services: Web Apps, Azure Functions
• Compare Solutions: Cost, Security, Availability, Scalability
• Choosing a Load Balancing Solution
• LAB: Choosing a Compute Solution

Security Architecture

To control access to the services in the Azure cloud, you need to carefully design an authorization strategy. Decide which resources users and services can access by implementing an RBAC mechanism. Consider where you are going to store your sensitive data and protect it accordingly.

• Role-Based Access Control (RBAC)
• Options for Storing Sensitive Data
• Key Vault
• Managed Identities
• Inbound/Outbound Internet Connectivity
• Security Best Practices
• LAB: Security Architecture

Design for Identities

Microsoft Entra ID is the center of everything that is related to authentication and authorization in the cloud. Entra ID supports various authentication mechanisms and protection services that can help you secure your identities better and protect against possible identity theft.

• Microsoft Entra ID
• Hybrid Options: Entra Connect versus Entra Cloud Sync
• Hybrid Sign In Options: Password Hash Sync, Pass-Through Authentication, Federation
• Authentication Options: MFA, Password-less Authentication
• Entra ID as Central Identity Service for all Applications
• Protection Features: Design Conditional Access Policies