Wednesday, September 6, 2017

AZURE 70-534 Exam Notes and Cheat Sheet - Part 3 (Application Storage and Data Access Strategy)

Quick Summary 

The primary objective of this page is to summarize the key data points of the storage and data access options available in Azure, and their security settings, as per AZURE 70-534 Exam Objective III (Application Storage and Data Access Strategy). Use this page as a quick refresher or cheat sheet; it is in no way a replacement for the actual exam study guide or course.

This post is part of a multi-part series and I will keep posting the other parts as they progress.

Azure Data Storage Options

  1. Storage options fall into the following categories
    1. RDBMS - SQL Server, Oracle, MySQL, SQL Server Compact, SQLite, PostgreSQL
    2. Key/Value - Azure Storage (Files), Tables, Cache, Redis, Memcached, Riak
    3. Column Family - HBase, Cassandra
    4. Document - MongoDB, RavenDB, CouchDB
    5. Graph - Neo4j
    6. Queue services
  2. All storage services live under a storage account, which is also the unit of billing
  3. Each subscription can have multiple storage accounts (soft limit of 20, can be raised by a support request)
  4. A storage account can hold 500 TB of data and sustain 20,000 IOPS (at 1 KB per request)
  5. Storage accounts are region-specific and also act as the storage security boundary: account keys and SAS tokens are scoped to one account
  6. No limit on the number of blob containers, tables, queues, etc. within an account
  7. Storage redundancy
    1. Azure supports four redundancy types
      1. Locally redundant storage (LRS) - three copies within one region
      2. Zone redundant storage (ZRS) - copies spread across facilities in the region
      3. Geo-redundant storage (GRS) - LRS plus three more copies in the paired region
      4. Read-access geo-redundant storage (RA-GRS) - GRS with read access to the secondary region
  8. Storage account limits
    1. 20,000 IOPS
    2. Bandwidth, geo-redundant - 10 Gbps ingress, 20 Gbps egress
    3. Bandwidth, locally redundant - 20 Gbps ingress, 30 Gbps egress

Azure Blob Storage

  1. Can store almost any binary object, such as files
  2. Blobs are stored in containers, which act like folders
  3. Max throughput for an individual blob - 60 MB/s, 500 requests/s
  4. Three concurrency strategies are supported
    1. Last writer wins (default) - a later PUT silently overwrites an earlier one
    2. Optimistic - the client sends the ETag it last read (If-Match); the service rejects the write with 412 Precondition Failed if the blob changed in between, and the application handles the conflict
    3. Pessimistic - the application takes a lease on the blob before updating; writes that do not carry the lease id are rejected until the lease is released or expires

Azure Table Storage

  1. Massive-scale NoSQL store; supports very large data sets and is schemaless
  2. Data is partitioned by partition key; each entity is addressed by partition key plus row key
  3. Max throughput 2,000 entities per second per partition
  4. Uses optimistic concurrency by default (every entity carries an ETag; an update sends it as If-Match, and If-Match: * forces an unconditional overwrite)
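
The three blob concurrency strategies and Table storage's default optimistic mode all rest on one mechanism: the service returns an ETag on every read and write, and a conditional write quotes it back. The in-memory model below is an added example, not code from this post or from the Azure SDK; the BlobStore class, the PreconditionFailed exception and the generated ETag and lease values are assumptions standing in for the real service's ETag header, x-ms-lease-id header and 412 response.

```python
"""Blob/Table concurrency modes as an in-memory model of the REST semantics.

Added example (not from the post). ETag and lease id values are generated
here; a real storage account returns them in response headers."""
import secrets


class PreconditionFailed(Exception):
    """Stands in for HTTP 412 Precondition Failed from the storage service."""


class BlobStore:
    """Tiny model of a container: each blob carries an ETag that changes on
    every write, and may hold an exclusive lease."""

    def __init__(self):
        self._blobs = {}    # name -> (etag, data)
        self._leases = {}   # name -> active lease id

    def get(self, name):
        """Returns (etag, data); the ETag is what a later If-Match must quote."""
        return self._blobs[name]

    def put(self, name, data, *, if_match=None, lease_id=None):
        current_etag = self._blobs.get(name, (None, None))[0]
        # Optimistic concurrency: the writer quotes the ETag it read. If another
        # writer got in between, the ETag has changed and the service rejects
        # the write instead of silently discarding the first update.
        if if_match is not None and if_match != current_etag:
            raise PreconditionFailed("412: ETag does not match If-Match")
        # Pessimistic concurrency: a leased blob only accepts writes that carry
        # the active lease id (x-ms-lease-id); everyone else gets 412.
        active = self._leases.get(name)
        if active is not None and lease_id != active:
            raise PreconditionFailed("412: blob is leased")
        new_etag = secrets.token_hex(8)
        self._blobs[name] = (new_etag, data)
        return new_etag

    def acquire_lease(self, name):
        if name in self._leases:
            raise PreconditionFailed("409: lease already present")
        lease_id = secrets.token_hex(8)
        self._leases[name] = lease_id
        return lease_id

    def release_lease(self, name, lease_id):
        if self._leases.get(name) != lease_id:
            raise PreconditionFailed("412: lease id mismatch")
        del self._leases[name]


def last_writer_wins():
    """Default: neither writer quotes an ETag, so B overwrites A unnoticed."""
    store = BlobStore()
    store.put("counter", b"0")
    store.put("counter", b"A")   # writer A
    store.put("counter", b"B")   # writer B, working from the same stale read
    return store.get("counter")[1]


def optimistic():
    """Both writers read the same ETag; only the first write with it succeeds."""
    store = BlobStore()
    store.put("counter", b"0")
    etag_a, _ = store.get("counter")
    etag_b, _ = store.get("counter")
    store.put("counter", b"A", if_match=etag_a)
    try:
        store.put("counter", b"B", if_match=etag_b)
        return "B overwrote A"
    except PreconditionFailed:
        return "B rejected, must re-read and retry"


def pessimistic():
    """Writer A leases the blob first; B's unleased write fails outright."""
    store = BlobStore()
    store.put("counter", b"0")
    lease = store.acquire_lease("counter")
    try:
        store.put("counter", b"B")
        b_wrote = True
    except PreconditionFailed:
        b_wrote = False
    store.put("counter", b"A", lease_id=lease)
    store.release_lease("counter", lease)
    return b_wrote, store.get("counter")[1]


if __name__ == "__main__":
    print(last_writer_wins(), optimistic(), pessimistic())
```

The same If-Match pattern is what Table storage applies to entities by default; the practical difference is that a client which sends If-Match: * (or omits it, for blobs) has opted back into last-writer-wins and will lose updates silently.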

Azure Queue Storage

  1. Max message size 64 KB, throughput 2,000 messages/s per queue

Azure File Service

  1. Supports REST and SMB; can replace on-premises file shares
  2. Throughput 60 MB/s and 1,000 IOPS per share
  3. Outbound TCP port 445 must be open for SMB; many ISPs and corporate firewalls block it
  4. Supports persistent and non-persistent credentials (cmdkey persists them on Windows)
  5. Shares can be mounted as a drive
  6. Supports SMB 2.1 and SMB 3.0; only SMB 3.0 provides encryption, so 2.1 mounts are limited to VMs in the same region while 3.0 can mount across regions and from on premises

Azure VHD

  1. Persistent disks for IaaS VMs
  2. Stored as Azure page blobs
  3. Page blobs are optimized for random I/O
  4. Reads and writes map to GET and PUT
  5. Supports Premium Storage
    1. SSD-based, single-digit millisecond latency
    2. 1 TB per disk blob; up to 32 disks can be striped per VM
      1. giving 32 TB max with 50,000 IOPS

Azure Data Security

  1. Azure SQL Database (PaaS) security
  2. Available on port 1433 only
  3. Firewall rules set in the portal are server-level rules that apply to every database on the logical server; database-level rules also exist (sp_set_database_firewall_rule) but are managed from T-SQL
  4. By default all inbound traffic is blocked
  5. The most common firewall configuration is to allow traffic from a predefined IP range
  6. Connections require TLS; clients should set Encrypt=True and TrustServerCertificate=False so the server certificate is actually validated
  7. Any connection idle for more than 30 minutes is forcibly closed
  8. Active connections are re-authorized every 10 hours
  9. A password change forces existing connections to close
  10. Supports both SQL authentication (including contained database users) and Azure AD authentication

Azure Container Security

  1. By default only the storage account owner has full access to the storage account
  2. Each account has two access keys (primary and secondary); either key gives full access to all data and management operations, so keys must be kept out of client code and rotated (rotating a key invalidates every ad hoc SAS signed with it)
  3. Anonymous access is set per container: Private (default), Blob (anonymous read of individual blobs by URL) or Container (anonymous read plus listing of the container's blobs)
  4. Shared Access Signature (SAS)
    1. Provides restricted access (permissions, time window, optionally source IP and protocol) to blobs, tables, queues and files without sharing the account key
    2. Can be issued ad hoc, with all constraints carried in the signed token itself; an ad hoc SAS can only be revoked by rotating the account key
    3. A service SAS is scoped to a single resource; an account SAS (API version 2015-04-05 and later) grants access at the account level
    4. Supports start and expiry times
  5. Stored Access Policy
    1. A policy defined on a resource container (blob container, table, queue or file share)
    2. Tokens that reference the policy inherit their constraints from it
    3. Changing or deleting the policy changes or revokes all tokens that reference it, without issuing new tokens
    4. New policies can be generated from existing ones
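
How a service SAS is signed, and why a token holder cannot widen it, is easier to see in code. The block below is an added example, not code from this post or from the Azure SDK: it implements the string-to-sign layout that storage API versions 2015-04-05 through 2018-03-28 use for a blob service SAS, and verifies a token the way the service does. The account name and both keys are constructed fixtures, not real credentials.

```python
"""Service SAS for a single blob: how the token is signed and verified.

Added example, not the post's code or the Azure SDK. Uses the string-to-sign
layout of storage API versions 2015-04-05 through 2018-03-28. The account
name and keys below are constructed fixtures, not real credentials."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

ACCOUNT = "examplestorage"                                   # constructed
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()        # constructed, NOT a real key
ROTATED_KEY = base64.b64encode(b"\x02" * 64).decode()        # constructed: key after rotation
SAS_VERSION = "2015-04-05"


def string_to_sign(account, container, blob, fields):
    """Canonical string in the exact field order the service uses. Every
    authorization-relevant field is covered, so a holder of the token cannot
    widen permissions, extend the expiry, or point it at another blob."""
    resource = f"/blob/{account}/{container}/{blob}"
    return "\n".join([
        fields.get("sp", ""),    # permissions; empty when taken from a stored policy
        fields.get("st", ""),    # start time
        fields.get("se", ""),    # expiry time; also empty when policy-supplied
        resource,
        fields.get("si", ""),    # stored access policy identifier
        fields.get("sip", ""),   # allowed source IP range
        fields.get("spr", ""),   # allowed protocol(s)
        fields["sv"],            # service version
        fields.get("rscc", ""),  # response header overrides (cache-control, ...)
        fields.get("rscd", ""),
        fields.get("rsce", ""),
        fields.get("rscl", ""),
        fields.get("rsct", ""),
    ])


def sign(key_b64, text):
    """sig = Base64(HMAC-SHA256(Base64-decoded account key, UTF-8(text)))."""
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_sas(account, key_b64, container, blob, *, permissions=None,
                  start=None, expiry=None, policy_id=None, protocol="https"):
    """Ad hoc SAS: pass permissions/start/expiry. Policy-backed SAS: pass
    policy_id only, so those constraints live on the container and can be
    changed or revoked server-side without reissuing tokens."""
    fields = {"sv": SAS_VERSION, "sr": "b", "spr": protocol}
    for key, value in (("sp", permissions), ("st", start), ("se", expiry), ("si", policy_id)):
        if value:
            fields[key] = value
    fields["sig"] = sign(key_b64, string_to_sign(account, container, blob, fields))
    return urlencode(fields)


def verify_blob_sas(account, key_b64, container, blob, query):
    """What the service does on each request: recompute the signature over the
    presented fields and compare in constant time (expiry is checked after)."""
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    if "sv" not in fields or "sig" not in fields:
        return False
    expected = sign(key_b64, string_to_sign(account, container, blob, fields))
    return hmac.compare_digest(expected, fields["sig"])
```

The checks worth keeping in mind: any edit to sp, se or the target blob breaks the signature; rotating the account key breaks every ad hoc token at once (the only way to revoke one); and a token that carries only si has no permissions or expiry of its own, so deleting the named stored access policy on the container revokes it immediately.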

Blob Encryption

  1. Client-side encryption is supported by the storage client library together with Azure Key Vault, using an envelope scheme: a content encryption key (CEK) generated per blob encrypts the data, a key encryption key (KEK) held in Key Vault wraps the CEK, and the wrapped CEK plus the KEK identifier are stored in the blob's metadata; rotating the KEK only re-wraps the CEK, the blob data itself is not re-encrypted
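
The envelope pattern, including the KEK rotation that leaves ciphertext untouched and the failure when metadata names a KEK that did not wrap the CEK, as an added example. This is not code from the post or from the Azure storage client library: the KeyVaultStub, the HMAC-SHA256 CTR stream used as a cipher, and the wrap format are stand-ins (the real library uses AES-256 for data and Key Vault RSA-OAEP or AES key wrap for the CEK); the metadata layout follows the shape of the SDK's encryptiondata blob metadata, with field names approximated.

```python
"""Client-side blob encryption with a CEK/KEK envelope.

Added example, not the post's code or the Azure SDK. KeyVaultStub and the
HMAC-based stream cipher are stand-ins for Key Vault and AES; the metadata
field names approximate the SDK's 'encryptiondata' layout."""
import hashlib
import hmac
import json
import secrets


def prf_stream_xor(key, nonce, data):
    """Toy CTR-mode cipher: XOR data with HMAC-SHA256(key, nonce||counter)
    blocks. Symmetric, so one call both encrypts and decrypts. Stand-in for AES."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyVaultStub:
    """Stands in for Key Vault: KEKs are addressed by id and never leave it.
    wrap() returns nonce || wrapped CEK || integrity tag, so unwrapping with
    the wrong KEK fails loudly instead of yielding garbage."""

    def __init__(self):
        self._keys = {}

    def create_key(self, kid):
        self._keys[kid] = secrets.token_bytes(32)
        return kid

    def wrap(self, kid, cek):
        nonce = secrets.token_bytes(16)
        body = nonce + prf_stream_xor(self._keys[kid], nonce, cek)
        tag = hmac.new(self._keys[kid], body, hashlib.sha256).digest()[:16]
        return body + tag

    def unwrap(self, kid, wrapped):
        body, tag = wrapped[:-16], wrapped[-16:]
        expected = hmac.new(self._keys[kid], body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("wrapped key failed integrity check (wrong KEK?)")
        return prf_stream_xor(self._keys[kid], body[:16], body[16:])


def encrypt_blob(vault, kid, plaintext):
    """Fresh CEK per blob; only the wrapped CEK and the KEK id go to metadata."""
    cek = secrets.token_bytes(32)
    iv = secrets.token_bytes(16)
    ciphertext = prf_stream_xor(cek, iv, plaintext)
    metadata = {"encryptiondata": json.dumps({
        "WrappedContentKey": {"KeyId": kid, "EncryptedKey": vault.wrap(kid, cek).hex(),
                              "Algorithm": "toy-wrap"},
        "EncryptionAgent": {"Protocol": "1.0", "EncryptionAlgorithm": "toy-ctr"},
        "ContentEncryptionIV": iv.hex(),
    })}
    return ciphertext, metadata


def decrypt_blob(vault, ciphertext, metadata):
    """A reader needs the blob, its metadata, and unwrap rights on the named KEK."""
    ed = json.loads(metadata["encryptiondata"])
    wrapped = ed["WrappedContentKey"]
    cek = vault.unwrap(wrapped["KeyId"], bytes.fromhex(wrapped["EncryptedKey"]))
    return prf_stream_xor(cek, bytes.fromhex(ed["ContentEncryptionIV"]), ciphertext)


def try_decrypt(vault, ciphertext, metadata):
    """Returns the plaintext, or None when the named KEK cannot unwrap the CEK."""
    try:
        return decrypt_blob(vault, ciphertext, metadata)
    except ValueError:
        return None


def rotate_kek(vault, metadata, new_kid):
    """KEK rotation: unwrap the CEK with the old KEK, re-wrap with the new one,
    and rewrite only the metadata. The ciphertext is never downloaded or touched."""
    ed = json.loads(metadata["encryptiondata"])
    old = ed["WrappedContentKey"]
    cek = vault.unwrap(old["KeyId"], bytes.fromhex(old["EncryptedKey"]))
    ed["WrappedContentKey"] = {"KeyId": new_kid, "EncryptedKey": vault.wrap(new_kid, cek).hex(),
                               "Algorithm": "toy-wrap"}
    return {"encryptiondata": json.dumps(ed)}
```

The point to take from rotate_kek is operational: because the KEK only ever protects a 32-byte CEK, retiring a KEK is a metadata-only pass over the container, while the storage service never sees a plaintext key at all.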

Azure Data Access Options

Azure Mobile Services (Mobile Data Access)

  1. Offers cloud-based storage for mobile apps
  2. Supports both Node.js and .NET back ends
  3. Exposes SQL database tables through proxy data classes; technically it generates a REST web service
  4. Supports many different data sources such as Azure SQL, Blob, Table and MongoDB
  5. Supports hybrid services
  6. Supports social identity providers for authentication
  7. Supports several push notification services
    1. Windows Push Notification Services (WNS)
    2. Microsoft Push Notification Service (MPNS)
    3. Apple Push Notification Service (APNS)
    4. Google Cloud Messaging (GCM)
    5. Azure Notification Hubs
  8. Also supports Git integration
  9. Can be consumed from cross-platform clients by adding the Mobile Services client library reference to your project
  10. Offline sync is supported via SQLite
  11. Custom code can be added to the API to extend its features
  12. Mobile Services security
    1. Authorization has four modes, set per table operation
      1. Application key required
      2. Everyone - public
      3. Authenticated users only (user ID + token)
      4. Admins and other scripts (requires the Mobile Service master key)
    2. Authentication providers
      1. Azure AD
      2. Microsoft Account
      3. Facebook
      4. Twitter
      5. Google
    3. More than one identity provider can be enabled at the same time
    4. A login request made through the LoginAsync endpoint returns a User object carrying the user ID, the auth token and claims such as the user level
    5. Azure provides the Active Directory Authentication Library (ADAL) as an abstraction layer for client apps, with features such as a token cache and automatic token refresh

Azure Application Notification Services

  1. There are two ways to push a notification to a device
  2. Platform push notification services (discussed above)
      1. Each notification service is specific to a device vendor
  3. Notification Hubs
    1. Notification Hubs are the newer approach to implementing push
    2. Fully managed and highly scalable service
    3. An abstraction over the platform push services, so vendor independent
    4. Allows data such as GPS location to be collected back from devices
    5. Supports message templates

Azure Application Services

  1. Azure offers various application services; some have been renamed and some are new
  2. Web Apps, Mobile Apps, BizTalk API Apps, API Apps and Logic Apps (workflow) are the key names to remember
  3. App Service Plan
    1. Plans come in five pricing tiers: Free, Shared, Basic, Standard and Premium
    2. An app is associated with only one App Service plan at any time
  4. Azure API Apps
    1. Built-in support for Swagger
    2. Automatic generation of client code
    3. CORS support out of the box
    4. Support for Azure Logic Apps
    5. Built-in access levels
      1. Internal, Public (anonymous) and Public (authenticated)
    6. Support for scaling up and out
    7. Security
      1. Azure AD is used for authentication
      2. Supports Express and Advanced modes of integration
      3. Advanced mode requires the AD app client ID and issuer URI
  5. WebJobs
    1. Allow scripts or programs to run on the web app host
    2. Deployed via ZIP, FTP or an IDE
    3. Can run on demand or on a schedule

Service Bus Relay

  1. An extension of WCF that exposes on-premises services to the cloud and the Internet
  2. An alternative to BizTalk Hybrid Connections
  3. The service is hosted on premises, but listening for new sessions is delegated to Service Bus in Azure, which the on-premises host reaches over an outbound connection
  4. Shared Access Signature is used for authentication
  5. Only supports WCF-based services using the relay bindings

Azure BizTalk Hybrid Connections (ABHC)

  1. An alternative to Service Bus Relay
  2. Multiple app services can share one connection
  3. Unlike Service Bus Relay, supports multiple frameworks such as .NET and Node.js
  4. Only works with static TCP ports; does not support dynamic TCP ports such as passive FTP
  5. Does not support UDP
  6. Security
    1. Shared Access Signature is used between the Azure app and the on-premises Hybrid Connection Manager
    2. Application-level keys for the on-premises Hybrid Connection Manager
    3. Keys can be rolled and managed independently
    4. Requires outbound TCP or HTTP from the on-premises network to the Internet
    5. No inbound firewall rules are required because it works with outbound connections only
    6. Key ports are 9352, 5671, 80 and 443 (outbound)
  7. ABHC - SQL Server limitations
    1. Using SQL Express with ABHC in production is not advised
    2. Multi-subnet failover is not supported
    3. ApplicationIntent=ReadOnly is not supported
    4. SQL authentication must be enabled for ABHC connections

Azure VPN

  1. There are several VPN options depending on need
    1. Point-to-Site
    2. Site-to-Site
    3. Multi-Site
    4. VNet-to-VNet
    5. Cross-subscription VPN
  2. Two VPN gateway SKUs
    1. Default
      1. 10 site-to-site tunnels
      2. 100 Mbps
      3. 128 point-to-site clients
    2. High Performance
      1. 30 site-to-site tunnels
      2. 200 Mbps

Azure Websites and Azure VNets

  1. An Azure website cannot be placed in a VNet, but it can reach resources on a VNet through a special point-to-site VPN configuration (VNet Integration)
  2. The VNet can be used for on-premises access and supports both TCP and UDP
  3. For a website to access a VNet, the following must hold
    1. The VNet has a dynamic routing gateway
    2. Point-to-site is enabled
    3. Both classic (v1) and Resource Manager VNets are supported
    4. The website uses the VNet's DNS servers
    5. The same VNet can be used by multiple apps
    6. Requires a Standard or Premium pricing plan
    7. Website-to-VNet integration does not support drive mounting, AD integration, NetBIOS or ExpressRoute
    8. Hybrid Connection Manager (HCM) is the alternative when the resource is reached via ExpressRoute
      1. HCM can only be installed on Windows
      2. Max five instances of HCM
      3. Only supports TCP (no UDP)
      4. Works with ExpressRoute

Cloud Services vs Standalone Cloud Services

  1. A cloud service is one way to organize resources on Azure
  2. Each cloud service has a unique public DNS name and IP address
  3. A cloud service without a virtual network is called standalone
  4. VMs in a standalone cloud service must communicate over the Internet
  5. A standalone cloud service cannot participate in a VPN
  6. Cloud services are part of the classic deployment model, which is being replaced by Azure Resource Manager and its resource groups

Azure Media Solutions and Services

  1. Delivery
    1. Supports storage, transcoding and DRM of media
    2. On-demand video is served from blob storage; live streaming uses a separate live ingest path (channels)
    3. The content server is responsible for pulling assets from storage and delivering them to the client
  2. Streaming
    1. Supports encoding directly to the Smooth Streaming format
    2. Also supports encoding to MP4 first, then packaging to Smooth Streaming
    3. Media is stored in a multi-bitrate format and converted in real time to the format requested by the client (dynamic packaging)
    4. Supported streaming formats are Smooth Streaming, HLS and MPEG-DASH (CSF)
  3. Content Protection
    1. Delivery using AES-128 envelope encryption or PlayReady DRM
    2. Keys and licenses are managed by Azure
    3. Media is encrypted on the fly (dynamic encryption), reducing storage and the chance of key leaks
    4. Can use Azure AD authentication for key delivery
  4. Media Indexing
    1. Azure Media Indexer (MAVIS) can be accessed via the REST API
      1. Performs speech recognition on video content
      2. Builds a vocabulary
      3. Generates captions and keywords
      4. Content becomes indexed and searchable
  5. Azure Media Player
    1. Free player for Azure Media Services playback
    2. Unified JavaScript interface; supports only Azure Media Services
    3. Uses HTML5 by default
    4. Single unified UI
  6. Monitoring Plan
    1. Three plans are supported: None, Verbose and Minimal
    2. Minimal provides aggregated data
