AZURE


What are the Azure Services?

• Compute
• Networking
• Storage
• Web

What is Azure Cloud Shell?


Azure Cloud Shell is a browser-based scripting environment for command-line
administration of Azure resources. It provides support for two shell environments. Linux
users can opt for a Bash experience, while Windows users can use PowerShell.
What is Azure CLI?
Azure CLI is a cross-platform command-line program that connects to Azure and executes
administrative commands on Azure resources.

What is Azure Compute?


Azure compute is an on-demand computing service for running cloud-based applications. It
provides computing resources like multi-core processors and supercomputers via virtual
machines and containers. It also provides serverless computing to run apps without
requiring infrastructure setup or configuration. There are four compute options in Azure:
• Virtual machines
• Containers
• Azure App Service
• Serverless computing

What are Virtual Machines?


Virtual machines, or VMs, are software emulations of physical computers. They include a
virtual processor, memory, storage, and networking resources. They host an operating
system (OS), and you’re able to install and run software just like a physical computer.
VMs are a good choice when you need:
• Total control over the operating system (OS)
• The ability to run custom software
• Custom hosting configurations
Image: You can create and provision a VM in minutes when you select a pre-configured VM
image. Selecting an image is one of the most important decisions you’ll make when creating
a VM. An image is a template used to create a VM. These templates already include an OS
and often other software, like development tools or web hosting environments.

What is Azure App Service?


Azure App Service is a platform-as-a-service (PaaS) offering in Azure that is designed to host
enterprise-grade web-oriented applications. You can meet rigorous performance, scalability,
security, and compliance requirements while using a fully managed platform to perform
infrastructure maintenance.

Azure App Service enables you to build and host web apps, background jobs, mobile
backends, and RESTful APIs in the programming language of your choice without managing
infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux,
and enables automated deployments from GitHub, Azure DevOps, or any Git repo to
support a continuous deployment model. This platform as a service (PaaS) allows you to
focus on the website and API logic while Azure takes care of the infrastructure to run and
scale your web applications.

Types of Web Apps: Web apps, API Apps, Web Jobs, and Mobile Apps.
Web Apps: App Service includes full support for hosting web apps using ASP.NET, ASP.NET
Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the
host operating system.

What is Serverless computing?


With serverless computing, Azure takes care of managing the server infrastructure and
allocation/deallocation of resources based on demand. Infrastructure isn’t your
responsibility. Scaling and performance are handled automatically, and you are billed only
for the exact resources you use. There’s no need to even reserve capacity. You focus solely
on the logic you need to execute and the trigger that is used to run your code. You configure
your serverless apps to respond to events. This could be a REST endpoint, a periodic timer,
or even a message received from another Azure service. The serverless app runs only when
it’s triggered by an event. Azure has two implementations of serverless compute:
• Azure Functions, which can execute code in almost any modern language.
• Azure Logic Apps, which are designed in a web-based designer and can execute logic
triggered by Azure services without writing any code.

Azure Functions:
Azure Functions can be either stateless (the default, where they behave as if they’re
restarted every time they respond to an event) or stateful (called “Durable Functions”,
where a context is passed through the function to track prior activity).
Logic App:
Azure Logic Apps are similar to Functions - both enable you to trigger logic based on an
event. Where Functions execute code, Logic Apps execute workflows built from predefined
logic blocks. They are specifically designed to automate your business processes.
You create Logic App workflows using a visual designer on the Azure Portal or in Visual
Studio. The workflows are persisted as a JSON file with a known workflow schema.

What is the difference between a Function App and a Logic App?

What is Event Grid?


Azure Event Grid allows you to easily build applications with event-based architectures.
First, select the Azure resource you would like to subscribe to, and then give the event
handler or WebHook endpoint to send the event to. Event Grid has built-in support for
events coming from Azure services, like storage blobs and resource groups. Event Grid also
has support for your own events, using custom topics. You can use filters to route specific
events to different endpoints, multicast to multiple endpoints, and make sure your events
are reliably delivered.

There are five concepts in Azure Event Grid that let you get going:
• Events - What happened.
• Event sources - Where the event took place.
• Topics - The endpoint where publishers send events.
• Event subscriptions - The endpoint or built-in mechanism to route events, sometimes to
more than one handler. Subscriptions are also used by handlers to intelligently filter
incoming events.
• Event handlers - The app or service reacting to the event.
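As an added example (not from the original document), a minimal Python webhook handler showing the event-subscription side of these concepts: it completes Event Grid's subscription validation handshake, applies a subject-prefix filter the way a subscription filter would, and dispatches Storage BlobCreated events to a handler. The payloads, resource IDs, GUIDs and URLs are constructed for the example.

```python
import json
from typing import Callable, Dict, List

# Constructed sample payloads shaped like Event Grid webhook deliveries (a JSON array of events).
# Subscription IDs, GUIDs and URLs below are made up for this example.
TOPIC = ("/subscriptions/<subscription-id>/resourceGroups/rg-demo"
         "/providers/Microsoft.Storage/storageAccounts/stdemo")

VALIDATION_REQUEST = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": TOPIC,
    "subject": "",
    "eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
    "eventTime": "2024-01-01T12:00:00.000Z",
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
             "validationUrl": "https://validation.example.invalid/placeholder"},
    "dataVersion": "2",
    "metadataVersion": "1",
}])

UPLOADS_PREFIX = "/blobServices/default/containers/uploads/"


def _blob_event(event_type: str, container: str, name: str) -> dict:
    """Build one constructed Storage blob event in the Event Grid schema."""
    api = "PutBlob" if event_type.endswith("BlobCreated") else "DeleteBlob"
    return {
        "id": f"evt-{container}-{name}",
        "topic": TOPIC,
        "subject": f"/blobServices/default/containers/{container}/blobs/{name}",
        "eventType": event_type,
        "eventTime": "2024-01-01T12:05:00.000Z",
        "data": {"api": api, "url": f"https://stdemo.blob.core.windows.net/{container}/{name}",
                 "contentType": "application/octet-stream", "contentLength": 1024},
        "dataVersion": "",
        "metadataVersion": "1",
    }


BLOB_BATCH = json.dumps([
    _blob_event("Microsoft.Storage.BlobCreated", "uploads", "report.pdf"),
    _blob_event("Microsoft.Storage.BlobCreated", "logs", "app.log"),
    _blob_event("Microsoft.Storage.BlobDeleted", "uploads", "old.pdf"),
])


def handle_event_grid_request(body: str, handlers: Dict[str, Callable[[dict], None]],
                              subject_prefix: str = "") -> dict:
    """Process one webhook POST body; return the response to send as {"status": int, "body": dict}."""
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return {"status": 400, "body": {"error": "malformed JSON"}}
    if not isinstance(events, list):
        return {"status": 400, "body": {"error": "expected a JSON array of events"}}

    # Handshake: when a subscription is created, Event Grid posts a validation event and delivers
    # nothing until the endpoint echoes validationCode, proving its owner agreed to receive events.
    for ev in events:
        if ev.get("eventType") == "Microsoft.EventGrid.SubscriptionValidationEvent":
            return {"status": 200, "body": {"validationResponse": ev["data"]["validationCode"]}}

    handled: List[str] = []
    for ev in events:
        # Subject-prefix filter, applied here the way an event subscription filter would be.
        if subject_prefix and not ev.get("subject", "").startswith(subject_prefix):
            continue
        handler = handlers.get(ev.get("eventType", ""))
        if handler is None:
            continue  # event types without a handler are acknowledged but ignored
        handler(ev)
        handled.append(ev["id"])
    return {"status": 200, "body": {"handled": handled}}
```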

Azure offers three services that assist with delivering event messages throughout a solution:
• Event Grid
• Event Hubs
• Service Bus
Event Grid uses a publish-subscribe model. Publishers emit events, but have no expectation
about which events are handled. Subscribers decide which events they want to handle.
Event Grid is deeply integrated with Azure services and can be integrated with third-party
services. It simplifies event consumption and lowers costs by eliminating the need for
constant polling. Event Grid efficiently and reliably routes events from Azure and non-Azure
resources.

Azure Event Hubs is a big data pipeline. It facilitates the capture, retention, and replay of
telemetry and event stream data. The data can come from many concurrent sources. Event
Hubs allows telemetry and event data to be made available to a variety of stream-
processing infrastructures and analytics services. It is available either as data streams or
bundled event batches. This service provides a single solution that enables rapid data
retrieval for real-time processing as well as repeated replay of stored raw data. It can
capture the streaming data into a file for processing and analysis.

Service Bus is intended for traditional enterprise applications. These enterprise applications
require transactions, ordering, duplicate detection, and instantaneous consistency. Service
Bus enables cloud-native applications to provide reliable state transition management for
business processes. When handling high-value messages that cannot be lost or duplicated,
use Azure Service Bus. Service Bus also facilitates highly secure communication across
hybrid cloud solutions and can connect existing on-premises systems to cloud solutions.
Service Bus is a brokered messaging system. It stores messages in a “broker” (for example, a
queue) until the consuming party is ready to receive the messages.

What is Azure Storage? How many types of Azure Storage?


Azure Storage is Microsoft’s cloud storage solution for modern data storage. Azure Storage
offers a massively scalable object store for data objects, a file system service for the cloud, a
messaging store for reliable messaging, and a NoSQL store.
Azure Storage includes these data services:
• Azure Blobs: A massively scalable object store for text and binary data.
Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is
optimized for storing massive amounts of unstructured data.
Blob storage is designed for:
• Serving images or documents directly to a browser.
• Storing files for distributed access.
• Streaming video and audio.
• Writing to log files.
• Storing data for backup and restore, disaster recovery, and archiving.
• Storing data for analysis by an on-premises or Azure-hosted service.
Users or client applications can access objects in Blob storage via HTTP/HTTPS, from
anywhere in the world. Objects in Blob storage are accessible via the Azure Storage REST
API, Azure PowerShell, Azure CLI, or an Azure Storage client library. Client libraries are
available for a variety of languages, including .NET, Java, Node.js, Python, Go, PHP, and
Ruby.

Azure Files: Managed file shares for cloud or on-premises deployments.


Azure Files enables you to set up highly available network file shares that can be accessed
by using the standard Server Message Block (SMB) protocol. That means that multiple VMs
can share the same files with both read and write access. You can also read the files using
the REST interface or the storage client libraries.
One thing that distinguishes Azure Files from files on a corporate file share is that you can
access the files from anywhere in the world using a URL that points to the file and includes a
shared access signature (SAS) token. You can generate SAS tokens; they allow specific access
to a private asset for a specific amount of time.
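As an added example (not from the original document), a simplified Python model of how a SAS token binds permissions, validity window and resource path into one HMAC-SHA256 signature, and of the checks a service performs before honouring it. The field order in the string-to-sign, the demo key and the file path are assumptions of this example and do not reproduce Azure's exact format.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Tuple
from urllib.parse import parse_qs, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key, not a real storage account key. The key itself never leaves the
# account owner; only the derived, scoped SAS token is handed to clients.
DEMO_ACCOUNT_KEY = base64.b64encode(b"demo-key-" * 7 + b"x").decode()


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def _string_to_sign(permissions: str, start: str, expiry: str, resource: str, version: str) -> str:
    # Simplified model of the service-SAS construction: every field that scopes the grant is part
    # of the signed string, so none of them can be altered without invalidating the signature.
    # The field set and order used by Azure are not reproduced here (assumption of this example).
    return "\n".join([permissions, start, expiry, resource, version])


def _sign(account_key_b64: str, string_to_sign: str) -> str:
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_sas(account_key_b64: str, resource: str, permissions: str, start: str, expiry: str,
              version: str = "2015-04-05") -> str:
    """Return the query string a client appends to the file URL (sv, sp, st, se, sig)."""
    sig = _sign(account_key_b64, _string_to_sign(permissions, start, expiry, resource, version))
    return urlencode({"sv": version, "sp": permissions, "st": start, "se": expiry, "sig": sig})


def validate_sas(account_key_b64: str, resource: str, query: str, requested_permission: str,
                 now: datetime) -> Tuple[bool, str]:
    """Model the checks made before a SAS-authorised request is honoured.

    `resource` is taken from the URL path the client actually requested, so a token minted for
    one file fails the signature check when replayed against a different file.
    """
    try:
        params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        perms, start, expiry, version, sig = (params[k] for k in ("sp", "st", "se", "sv", "sig"))
    except (KeyError, ValueError) as exc:
        return False, f"malformed token: {exc}"
    expected = _sign(account_key_b64, _string_to_sign(perms, start, expiry, resource, version))
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    try:
        start_at, expire_at = parse_time(start), parse_time(expiry)
    except ValueError:
        return False, "malformed time"
    if now < start_at:
        return False, "not yet valid"
    if now >= expire_at:
        return False, "expired"
    if requested_permission not in perms:
        return False, f"permission '{requested_permission}' not granted"
    return True, "ok"
```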
Azure Queues: A messaging store for reliable messaging between application components.
Azure Queue storage is a service for storing large numbers of messages that can be accessed
from anywhere in the world. Azure Queue Storage can be used to help build flexible
applications and separate functions for better durability across large workloads. When
application components are decoupled, they can scale independently. Queue storage
provides asynchronous message queueing for communication between application
components, whether they are running in the cloud, on the desktop, on-premises, or on
mobile devices.

Azure Tables: A NoSQL store for schemaless storage of structured data.


Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a
key/attribute store with a schemaless design. Because Table storage is schemaless, it’s easy
to adapt your data as the needs of your application evolve. Access to Table storage data is
fast and cost-effective for many types of applications.
Common uses of Table storage include:
• Storing TBs of structured data capable of serving web scale applications
• Storing datasets that don’t require complex joins, foreign keys, or stored procedures and
can be denormalized for fast access
• Quickly querying data using a clustered index
• Accessing data using the OData protocol and LINQ queries with WCF Data Service .NET
Libraries
What is Azure Data Lake Storage Gen2?
Blob storage supports Azure Data Lake Storage Gen2, Microsoft’s enterprise big data
analytics solution for the cloud. Data Lake Storage Gen2 makes Azure Storage the
foundation for building enterprise data lakes on Azure. Designed from the start to service
multiple petabytes of information while sustaining hundreds of gigabits of throughput, Data
Lake Storage Gen2 allows you to easily manage massive amounts of data.
The two common modes of accessing data are object-based (such as Azure Blob Storage)
and file-based. In an object-based mode, there isn’t a hierarchy of objects. You simply store
the object in a flat model.
When to use Azure Blobs, Azure Files or Azure Disks?
What is Disk Storage?
An Azure managed disk is a virtual hard disk (VHD). You can think of it like a physical disk in
an on-premises server, but virtualized. Azure managed disks are stored as page blobs, which
are a random IO storage object in Azure. We call a managed disk ‘managed’ because it is an
abstraction over page blobs, blob containers, and Azure storage accounts. With managed
disks, all you have to do is provision the disk, and Azure takes care of the rest.

What is HD Insight?
Azure HDInsight is a fully managed cloud Hadoop and Spark offering.
HDInsight is a cloud service that makes it easy, fast, and cost-effective to process massive
amounts of data. HDInsight also supports a broad range of scenarios, like extract, transform,
and load (ETL); data warehousing; machine learning; and IoT.

What are Storage Tiers in Azure?


Azure storage offers different access tiers, which allow you to store blob object data in the
most cost-effective manner.
Hot storage tier: optimized for storing data that is accessed frequently.
The hot access tier has higher storage costs than cool and archive tiers, but the lowest
access costs.
• Data that’s in active use or expected to be accessed (read from and written to) frequently.
• Data that’s staged for processing and eventual migration to the cool access tier.
Cool storage tier: optimized for data that is infrequently accessed and stored for at least 30
days.
The cool access tier has lower storage costs and higher access costs compared to hot
storage.
• Short-term backup and disaster recovery datasets.
• Older media content that is no longer viewed frequently but is expected to be available
immediately when accessed.
• Large data sets that need to be stored cost effectively while more data is being gathered
for future processing. (For example, long-term storage of scientific data, raw telemetry data
from a manufacturing facility)
Archive storage tier: for data that is rarely accessed and stored for at least 180 days with
flexible latency requirements.
The archive access tier has the lowest storage cost and higher data retrieval costs compared
to hot and cool tiers.
• Long-term backup, secondary backup, and archival datasets
• Original (raw) data that must be preserved, even after it has been processed into final
usable form. (For example, Raw media files after transcoding into other formats)
• Compliance and archival data that needs to be stored for a long time and is hardly ever
accessed. (For example, security camera footage, old X-Rays/MRIs for healthcare
organizations, audio recordings, and transcripts of customer calls for financial services).

Azure Networking:
The networking services in Azure provide a variety of networking capabilities that can be
used together or separately:
Connectivity services: Connect Azure resources and on-premises resources using any or a
combination of these networking services in Azure:
• Virtual Network (VNet)
• Virtual WAN
• ExpressRoute
• VPN Gateway
• Azure DNS
• Azure Bastion
Services that provide connectivity between Azure resources, connectivity from an on-
premises network to Azure resources, and branch to branch connectivity in Azure.

You can use a VNet to:


• Communicate between Azure resources: You can deploy VMs, and several other types of
Azure resources to a virtual network
• Communicate with each other: You can connect virtual networks to each other,
enabling resources in either virtual network to communicate with each other, using virtual
network peering. The virtual networks you connect can be in the same, or different, Azure
regions.
• Communicate to the internet: All resources in a VNet can communicate outbound to the
internet, by default. You can communicate inbound to a resource by assigning a public IP
address or a public Load Balancer. You can also use Public IP addresses or public Load
Balancer to manage your outbound connections.
• Communicate with on-premises networks: You can connect your on-premises computers
and networks to a virtual network using VPN Gateway or ExpressRoute.

Azure Virtual Wide Area Network (WAN) is a networking service that provides optimized
and automated branch connectivity to, and through, Azure. Azure regions serve as hubs that
you can choose to connect your branches to. You can leverage the Azure backbone to also
connect branches and enjoy branch-to-VNet connectivity.

Application Protection Services: The networking services in Azure that help protect your
network resources.
Application Delivery Services:

Global load balancing services such as Traffic Manager and Front Door distribute traffic from
your end users across your regional backends, across clouds or even your hybrid on-premises
services. Global load balancing routes your traffic to your closest service backend and reacts
to changes in service reliability or performance to maintain always-on, maximal
performance for your users.

Regional load balancing services such as Standard Load Balancer or Application Gateway
provide the ability to distribute traffic within virtual networks (VNETs) across your virtual
machines (VMs) or zonal service endpoints within a region.

Azure Front Door: a service that offers a single global entry point for customers accessing
web apps, APIs, content and cloud services.
Application Gateway: uses Azure Load Balancer at the transport level and then applies the
routing rules to support layer-7 (HTTP) load balancing.
Azure Traffic Manager: load balancer for geographically distributed datacenters. Azure
Traffic Manager uses DNS to redirect requests to an appropriate geographical location
endpoint. Traffic Manager does not see the traffic passing between the client and the
service. It simply redirects the request to the most appropriate endpoint.

Network Monitoring Services:

What is Azure Region?


A region is one or more Azure data centers within a specific geographic location. East US,
West US, and North Europe are examples of regions. In this instance, you see that the
application is running in the East US region.

What is Virtual Network?


Virtual Network: A virtual network allows Azure resources to securely communicate with
each other, the internet, and on-premises networks. A virtual network is scoped to a single
region; however, multiple virtual networks from different regions can be connected
together using virtual network peering.

Subnet: Virtual networks can be segmented into one or more subnets. Subnets enable you
to segment the virtual network into one or more sub-networks and allocate a portion of the
virtual network’s address space to each subnet. You can then deploy Azure resources in a
specific subnet.

You can secure resources within subnets using Network Security Groups. Users interact with
the web tier directly, so that VM has a public IP address along with a private IP address.
Users don’t interact with the application or data tiers, so these VMs each have a private IP
address only.

What is VPN Gateway?


A VPN gateway (or virtual network gateway) provides a secure connection between an
Azure Virtual Network and an on-premises location over the internet. A VPN gateway is a
specific type of virtual network gateway that is used to send encrypted traffic between an
Azure virtual network and an on-premises location over the public Internet. You can also use
a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft
network. Each virtual network can have only one VPN gateway. However, you can create
multiple connections to the same VPN gateway. When you create multiple connections to
the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

What is Network Security Group?


A network security group, or NSG, allows or denies inbound network traffic to your Azure
resources. Think of a network security group as a cloud-level firewall for your network.
For example, notice that the VM in the web tier allows inbound traffic on ports 22 (SSH) and
80 (HTTP). This VM’s network security group allows inbound traffic over these ports from all
sources. You can configure a network security group to accept traffic only from known
sources, such as IP addresses that you trust.
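As an added example (not from the original document), a Python model of NSG rule evaluation: user rules and Azure's default rules are processed in ascending priority order and the first match decides. It contrasts the web-tier rules described above (ports 22 and 80 open to all sources) with a variant that limits SSH to a trusted address range. Rule names, the VNet address space and the sample addresses are constructed; service tags are modelled in simplified form.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # user rules use 100-4096; lower numbers are evaluated first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*", or one of the service tags modelled below
    dest_ports: str   # "80", "1000-2000" or "*"


AZURE_LB_PROBE_IP = "168.63.129.16"  # fixed address Azure load-balancer health probes originate from

# Azure appends these default rules to every NSG; user rules override them only by having a lower
# priority number. Sources "VirtualNetwork" and "AzureLoadBalancer" are service tags (modelled below).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Web-tier rules as described above: 22 and 80 open to every source (rule names constructed).
PERMISSIVE_WEB_TIER = [
    NsgRule("allow-http-any", 100, "Inbound", "Allow", "Tcp", "*", "80"),
    NsgRule("allow-ssh-any", 110, "Inbound", "Allow", "Tcp", "*", "22"),
]

# Hardened variant: SSH only from a trusted administrative range (203.0.113.0/24 is a
# documentation prefix standing in for the addresses you trust).
HARDENED_WEB_TIER = [
    NsgRule("allow-http-any", 100, "Inbound", "Allow", "Tcp", "*", "80"),
    NsgRule("allow-ssh-admins", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src_ip: str, vnet_cidr: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":  # simplified: the VNet's own address space only
        return ip in ip_network(vnet_cidr)
    if spec == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    if spec == "Internet":  # simplified: anything outside the VNet address space
        return ip not in ip_network(vnet_cidr)
    return ip in ip_network(spec, strict=False)


def evaluate_inbound(user_rules: List[NsgRule], protocol: str, src_ip: str, dst_port: int,
                     vnet_cidr: str = "10.0.0.0/16") -> Tuple[str, str]:
    """Return (access, rule_name) for an inbound flow: first matching rule by ascending priority wins."""
    for rule in sorted(user_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _port_matches(rule.dest_ports, dst_port):
            continue
        if not _source_matches(rule.source, src_ip, vnet_cidr):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # not reached while DenyAllInBound is present
```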
Scale with Azure Load Balancer:
What are Availability and High Availability?
Availability refers to how long your service is up and running without interruption. High
availability, or highly available, refers to a service that’s up and running for a long period of
time. High Availability is the concept or goal of ensuring your critical systems are always
functioning. In practice, this means creating and managing the ability to automatically
“failover” to a secondary system if the primary system goes down for any reason as well as
eliminating all single points of failure from your infrastructure.
Fault Tolerance describes a computer system or technology infrastructure that is designed
in such a way that when one component fails (be it hardware or software), a backup
component takes over operations immediately so that there is no loss of service. The
concept of having backup components in place is called redundancy, and the more backup
components you have in place, the more tolerant your network is to hardware and software
failure.
The main and most important difference between high availability and fault tolerance is
that if an error occurs during an active action, a highly available system does not
ensure the correct end state of that action, whilst a fault tolerant one does. In other words,
if, for instance, a web request is being processed by your highly available platform, and one
of the nodes crashes, that user will probably get a 500 error back from the API, but the
system will still be responsive for following requests. In the case of a fault-tolerant platform,
the failure will somehow (more on this in a minute) be worked around and the request will
finish correctly, so the user can get a valid response. The second case will most likely take
longer, due to the extra steps.
Disaster Recovery refers to the set of policies and procedures in place to ensure the
continuity and recovery of mission critical systems in the event of a disruptive event such as
a power outage, flood, or cyberattack. In other words, how quickly can you get your
computers and systems up and running after a disastrous event? It might seem as though
you don’t need a disaster recovery infrastructure if your systems are configured with HA or
FT. After all, if your servers can survive downtime with 99.999% or better availability, why
set up a separate DR site? DR goes beyond FT or HA and consists of a complete plan to
recover critical business systems and normal operations in the event of a catastrophic
disaster like a major weather event (hurricane, flood, tornado, etc), a cyberattack, or any
other cause of significant downtime. HA is often a major component of DR, which can also
consist of an entirely separate physical infrastructure site with a 1:1 replacement for every
critical infrastructure component, or at least as many as required to restore the most
essential business functions.

What is Azure Load Balancer?


Azure Load Balancer is a load balancer service that Microsoft provides that helps take care
of the maintenance for you. Load Balancer supports inbound and outbound scenarios,
provides low latency and high throughput, and scales up to millions of flows for all
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.
You can use Load Balancer with incoming internet traffic, internal traffic across Azure
services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual
network.

Azure Application Gateway: If all your traffic is HTTP, a potentially better option is to use
Azure Application Gateway. Application Gateway is a load balancer designed for web
applications. It uses Azure Load Balancer at the transport level (TCP) and applies
sophisticated URL-based routing rules to support several advanced scenarios.
With Application Gateway, you can make routing decisions based on additional attributes of
an HTTP request, such as URI path or host headers. For example, you can route traffic based
on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific
set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is
routed to another pool that’s optimized for videos.

This type of routing is known as application layer (OSI layer 7) load balancing since it
understands the structure of the HTTP message.
Here are some of the benefits of using Azure Application Gateway over a simple load
balancer:
• Cookie affinity. Useful when you want to keep a user session on the same backend server.
• SSL termination. Application Gateway can manage your SSL certificates and pass
unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also
supports full end-to-end encryption for applications that require that.
• Web application firewall. Application gateway supports a sophisticated firewall (WAF) with
detailed monitoring and logging to detect malicious attacks against your network
infrastructure.
• URL rule-based routes. Application Gateway allows you to route traffic based on URL
patterns, source IP address and port to destination IP address and port. This is helpful when
setting up a content delivery network.
• Rewrite HTTP headers. You can add or remove information from the inbound and
outbound HTTP headers of each request to enable important security scenarios, or scrub
sensitive information such as server names.
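As an added example (not from the original document), a Python model of three of the behaviours listed above: longest-prefix URL routing to a backend pool, cookie affinity that is honoured only within the pool the path rule selected, and a header rewrite that scrubs server-identifying response headers. Pool names, servers, the path rules and the header list are constructed; the affinity cookie value is modelled as the server name for readability, whereas the real cookie value is opaque.

```python
import itertools
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

AFFINITY_COOKIE = "ApplicationGatewayAffinity"  # cookie Application Gateway issues for cookie-based affinity
# Response headers a rewrite rule would strip so backends do not advertise their software (constructed list).
SENSITIVE_RESPONSE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


class PathRouter:
    """Model of layer-7 path-based routing with cookie affinity. Pools and servers are constructed."""

    def __init__(self, pools: Dict[str, List[str]], path_rules: List[Tuple[str, str]], default_pool: str):
        self.pools = pools
        # Longest prefix first, so a more specific rule such as "/images/thumbs/" beats "/images/".
        self.rules = sorted(path_rules, key=lambda rule: len(rule[0]), reverse=True)
        self.default_pool = default_pool
        self._round_robin: Dict[str, Iterator[str]] = {
            name: itertools.cycle(servers) for name, servers in pools.items()
        }

    def select_pool(self, url: str) -> str:
        """URL rule-based routing: pick the pool whose path prefix matches, else the default pool."""
        path = urlsplit(url).path.lower()
        for prefix, pool in self.rules:
            if path.startswith(prefix.lower()):
                return pool
        return self.default_pool

    def select_server(self, url: str, cookies: Dict[str, str]) -> Tuple[str, str]:
        """Return (pool, server). Affinity keeps a session on its server within the selected pool."""
        pool = self.select_pool(url)
        servers = self.pools[pool]
        # Honour the affinity cookie only if it names a server in the pool the path rule selected;
        # a cookie pointing at a server in another pool is ignored rather than trusted blindly.
        # Modelling simplification: the cookie value is the server name (the real value is opaque).
        sticky = cookies.get(AFFINITY_COOKIE)
        if sticky in servers:
            return pool, sticky
        return pool, next(self._round_robin[pool])


def scrub_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Header rewrite: drop headers that reveal backend software before the response leaves the gateway."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_RESPONSE_HEADERS}


def build_demo_router() -> PathRouter:
    # Constructed pools and path rules matching the /images and /video example above.
    pools = {"web-pool": ["web-1", "web-2"], "images-pool": ["img-1", "img-2"], "video-pool": ["vid-1"]}
    return PathRouter(pools, [("/images/", "images-pool"), ("/video/", "video-pool")], "web-pool")
```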

What is Content Delivery Network?


A content delivery network (CDN) is a distributed network of servers that can efficiently
deliver web content to users. It is a way to get content to users in their local region to
minimize latency. CDN can be hosted in Azure or any other location. You can cache content
at strategically placed physical nodes across the world and provide better performance to
end users. Typical usage scenarios include web applications containing multimedia content,
a product launch event in a particular region, or any event where you expect a high-
bandwidth requirement in a region.

What about DNS?


DNS, or Domain Name System, is a way to map user-friendly names to their IP addresses.
You can think of DNS as the phonebook of the internet. For example, your domain name,
contoso.com, might map to the IP address of the load balancer at the web tier,
40.65.106.192.
You can bring your own DNS server or use Azure DNS, a hosting service for DNS domains
that runs on Azure infrastructure.

Compare Load Balancer to Traffic Manager:


Azure Load Balancer distributes traffic within the same region to make your services more
highly available and resilient. Traffic Manager works at the DNS level, and directs the client
to a preferred endpoint. This endpoint can be to the region that’s closest to your user.
Load Balancer and Traffic Manager both help make your services more resilient, but in
slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to
other VMs in the pool. Traffic Manager monitors the health of your endpoints. In contrast,
when Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest
endpoint that is responsive.

Azure Security Center: Security Center is a monitoring service that provides threat
protection across all of your services both in Azure, and on-premises.
Security Center can:
• Provide security recommendations based on your configurations, resources, and
networks.
• Monitor security settings across on-premises and cloud workloads, and automatically
apply required security to new services as they come online.
• Continuously monitor all your services, and perform automatic security assessments to
identify potential vulnerabilities before they can be exploited.
• Use machine learning to detect and block malware from being installed on your virtual
machines and services. You can also define a list of allowed applications to ensure that only
the apps you validate are allowed to execute.
• Analyse and identify potential inbound attacks, and help to investigate threats and any
post-breach activity that might have occurred.
• Provide just-in-time access control for ports, reducing your attack surface by ensuring the
network only allows traffic that you require.

Authentication is the process of establishing the identity of a person or service looking to
access a resource. It involves the act of challenging a party for legitimate credentials, and
provides the basis for creating a security principal for identity and access control use. It
establishes if they are who they say they are.

Authorization is the process of establishing what level of access an authenticated person or
service has. It specifies what data they’re allowed to access and what they can do with it.

Azure provides services to manage both authentication and authorization through Azure
Active Directory (Azure AD).

What is Azure Active Directory?


Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your
existing on-premises Active Directory or can be used stand-alone. This means that all your
applications, whether on-premises, in the cloud (including Office 365), or even mobile can
share the same credentials. Administrators and developers can control access to internal
and external data and applications using centralized rules and policies configured in Azure
AD.
Azure AD provides services such as:
• Authentication. This includes verifying identity to access applications and resources, and
providing functionality such as self-service password reset, multi-factor authentication
(MFA), a custom banned password list, and smart lockout services.
• Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to
access multiple applications. A single identity is tied to a user, simplifying the security
model. As users change roles or leave an organization, access modifications are tied to that
identity, greatly reducing the effort needed to change or disable accounts.
• Application management. You can manage your cloud and on-premises apps using Azure
AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS
apps.
• Business to business (B2B) identity services. Manage your guest users and external
partners while maintaining control over your own corporate data.
• Business to consumer (B2C) identity services. Azure Active Directory (Azure AD) B2C is a
business-to-consumer identity management service. Customize and control how users sign
up, sign in, and manage their profiles when using your apps.
• Device Management. Manage how your cloud or on-premises devices access your
corporate data.

Multi-factor authentication (MFA) provides additional security for your identities by
requiring two or more elements for full authentication. These elements fall into three
categories:
• Something you know
• Something you possess
• Something you are
Something you know would be a password or the answer to a security question.
Something you possess could be a mobile app that receives a notification or a token-
generating device.
Something you are is typically some sort of biometric property, such as a fingerprint or face
scan used on many mobile devices.

What is Firewall?
A firewall is a service that grants server access based on the originating IP address of each
request. You create firewall rules that specify ranges of IP addresses. Only clients from these
granted IP addresses will be allowed to access the server.

Azure Firewall is a managed, cloud-based, network security service that protects your Azure
Virtual Network resources. It is a fully stateful firewall as a service with built-in high
availability and unrestricted cloud scalability. Azure Firewall provides inbound protection for
non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol
(RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound,
network-level protection for all ports and protocols, and application-level protection for
outbound HTTP/S.

• Azure Application Gateway is a load balancer that includes a Web Application Firewall
(WAF) that provides protection from common, known vulnerabilities in websites. It is
specifically designed to protect HTTP traffic.
• Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced
configurations, and are similar to hardware firewall appliances.

You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a
central virtual network and peer other virtual networks to it in a hub-and-spoke model.

The advantage of this model is the ability to centrally exert control on multiple spoke VNETs
across different subscriptions. There are also cost savings as you don’t need to deploy a
firewall in each VNet separately. The cost savings should be weighed against the associated
VNet peering cost, based on the customer's traffic patterns.
There are three types of rule collections available in Azure Firewall:
• Network Address Translation (NAT) rules (destination NAT) translate inbound traffic that
arrives at the firewall's public IP address and port to the private IP address and port of a
device on your network, for example an RDP or SSH jump host
• Network rules allow or deny non-HTTP/S traffic (RDP, SSH, DNS and so on) based on the
source and destination IP address ranges, ports and protocols that you specify
• Application rules allow or deny outbound HTTP/S traffic by fully qualified domain name
(FQDN). FQDN tags let well-known services such as Windows Update communicate across your
network, and explicit names or wildcards such as azure.com and *.microsoft.com allow
particular domains.
Collections are processed in the order NAT, network, application, and within each type by
priority; the first matching rule is terminating, and traffic that matches nothing is dropped.
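The two firewall decisions described on this page, as an added example that is not part of the original notes or of Azure's own code: an offline model of (1) the IP-range allow list from "What is a Firewall?" and (2) Azure Firewall rule collections. The processing order (DNAT, then network, then application collections, each by ascending priority, first match terminating, unmatched traffic dropped) follows Azure Firewall's documented behaviour; the `Packet`, `Rule` and `RuleCollection` classes, the `evaluate` function and the policy, addresses and host names below are this example's own, constructed to exercise each rule type. Application rules here match only HTTP/S, as the page describes.

```python
"""Added example (not from the original notes): simplified model of an IP-range
allow-list firewall and of Azure Firewall rule-collection processing.  All
addresses, names and the policy below are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress


# --- (1) the simple allow-list firewall: inclusive ranges of client IPs -----
@dataclass
class IpRangeRule:
    name: str
    start: str   # first allowed address, inclusive
    end: str     # last allowed address, inclusive


def ip_range_firewall_allows(rules: list[IpRangeRule], client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(r.start) <= ip <= ipaddress.ip_address(r.end)
               for r in rules)


# --- (2) Azure Firewall style rule collections --------------------------------
@dataclass
class Packet:
    src: str
    dst: str
    port: int
    protocol: str             # "TCP", "UDP", "HTTP", "HTTPS"
    fqdn: str | None = None   # host name; only meaningful for application rules


@dataclass
class Rule:
    name: str
    sources: list[str]        # CIDRs, or "*" for any source
    destinations: list[str]   # CIDRs (NAT/network) or FQDN patterns (application)
    ports: list[int]
    protocols: list[str]
    translated: tuple[str, int] | None = None   # DNAT: private target address/port


@dataclass
class RuleCollection:
    name: str
    kind: str        # "nat", "network" or "application"
    priority: int    # lower number is evaluated first
    action: str      # "Allow" or "Deny"; NAT collections translate and allow
    rules: list[Rule] = field(default_factory=list)


def _addr_in(cidrs: list[str], ip: str) -> bool:
    return "*" in cidrs or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _matches(rule: Rule, pkt: Packet, kind: str) -> bool:
    if not _addr_in(rule.sources, pkt.src) or pkt.protocol not in rule.protocols:
        return False
    if pkt.port not in rule.ports:
        return False
    if kind == "application":
        # application rules match the HTTP/S host name, with wildcard patterns
        return pkt.fqdn is not None and any(fnmatch(pkt.fqdn, d) for d in rule.destinations)
    return _addr_in(rule.destinations, pkt.dst)


def evaluate(collections: list[RuleCollection], pkt: Packet):
    """Return (action, rule_name, translated_target) for one packet."""
    for kind in ("nat", "network", "application"):
        for coll in sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if _matches(rule, pkt, kind):
                    if kind == "nat":
                        return "Allow", rule.name, rule.translated   # DNAT implies allow
                    return coll.action, rule.name, None              # first match terminates
    return "Deny", None, None                                        # nothing matched: drop


# constructed hub-firewall policy: one collection of each type plus a deny collection
POLICY = [
    RuleCollection("inbound-admin", "nat", 100, "Dnat", [
        Rule("corp-rdp", ["203.0.113.0/24"], ["198.51.100.10/32"], [3389], ["TCP"],
             translated=("10.0.1.4", 3389))]),
    RuleCollection("block-legacy", "network", 100, "Deny", [
        Rule("no-ftp", ["*"], ["*"], [21], ["TCP"])]),
    RuleCollection("spoke-infra", "network", 200, "Allow", [
        Rule("dns", ["10.1.0.0/16"], ["10.0.0.53/32"], [53], ["UDP"]),
        Rule("ftp-partner", ["10.1.0.0/16"], ["192.0.2.0/24"], [21], ["TCP"])]),
    RuleCollection("egress-web", "application", 100, "Allow", [
        Rule("windows-update", ["10.1.0.0/16"], ["*.windowsupdate.com", "*.microsoft.com"],
             [80, 443], ["HTTP", "HTTPS"])]),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Packet("203.0.113.7", "198.51.100.10", 3389, "TCP")))
    print(evaluate(POLICY, Packet("10.1.2.3", "192.0.2.5", 21, "TCP")))   # Deny beats Allow
    print(evaluate(POLICY, Packet("10.1.2.3", "20.0.0.1", 443, "HTTPS", fqdn="download.microsoft.com")))
```

The FTP packet is the case worth studying: the "ftp-partner" allow rule exists, but the "block-legacy" deny collection has the lower priority number, matches first, and terminates evaluation. The same ordering is why a DNAT rule makes inbound RDP reachable without a separate network rule, and why an HTTPS flow that no network rule matches still falls through to the application rules.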

What is the difference between an NSG and Azure Firewall?


• Network security groups (NSGs) provide distributed, network-layer (layer 3/4) traffic
filtering, attached to subnets or network interfaces, to limit traffic to resources within
virtual networks in each subscription. They have no application-layer or FQDN awareness.
• Azure Firewall is a fully stateful, centralized network firewall as a service, which provides
network- and application-level protection across different subscriptions and virtual
networks.
The two are complementary: NSGs filter traffic close to the workload, Azure Firewall governs
traffic crossing the hub, and using both gives defence in depth.

Monitor Your Service Health:


Azure provides two primary services to monitor the health of your apps and resources.
• Azure Monitor • Azure Service Health
Azure Service Health reports platform-side incidents, planned maintenance and health
advisories that affect the regions and services your resources use, so that you can tell a
problem in your application from a problem in Azure itself.

Azure Monitor maximizes the availability and performance of your applications by delivering
a comprehensive solution for collecting, analysing, and acting on telemetry from your cloud
and on-premises environments. It helps you understand how your applications are
performing and proactively identifies issues affecting them and the resources they depend
on.

• Metrics are numerical values that describe some aspect of a system at a particular point in
time. They are lightweight and capable of supporting near real-time scenarios.
• Logs contain different kinds of data organized into records with different sets of properties
for each type. Telemetry such as events and traces are stored as logs in addition to
performance data so that it can all be combined for analysis.

Application Insights is a service that monitors the availability, performance, and usage of
your web applications, whether they’re hosted in the cloud or on-premises. It leverages the
powerful data analysis platform in Log Analytics to provide you with deeper insights into
your application’s operations. Application Insights can diagnose errors, without waiting for a
user to report them. Application Insights includes connection points to a variety of
development tools, and integrates with Microsoft Visual Studio to support your DevOps
processes.

What are Resource Groups?


A resource group is a logical container for resources deployed on Azure. These resources are
anything you create in an Azure subscription, such as virtual machines, Application Gateways,
and Cosmos DB instances. All resources must be in a resource group, and a resource can only
be a member of a single resource group. Most resources can be moved between resource groups
(and between subscriptions) at any time, although some resource types do not support move,
and dependent resources generally have to be moved together.

What is Azure Active Directory?


An Azure account is a globally unique entity that gives you access to your Azure subscriptions
and services. Authentication for your account is performed using Azure Active Directory
(Azure AD). Azure AD is a modern identity provider that supports multiple authentication
protocols to secure applications and services in the cloud.
Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of
the Azure Active Directory service, owned and managed by an organization. When you sign
up for a Microsoft cloud service subscription such as Microsoft Azure, Microsoft Intune, or
Office 365, a dedicated instance of Azure AD is automatically created for your organization.
Subscriptions and Azure AD tenants have a many-to-one trust relationship: a tenant can be
associated with multiple Azure subscriptions, but every subscription trusts exactly one
tenant. Every user, group or service principal that is granted a role on a subscription
therefore comes from that tenant (or has been invited into it as a B2B guest).
