Azure Cost & Governance Guide

Uploaded by

borntowin435435

ELL 887 - CLOUD COMPUTING

Azure Management & Governance



Outline
• Azure Cost Management
• Azure Governance and Compliance
• Managing and Deploying Azure Resources
• Azure Monitoring Tools

Factors that affect cost in Azure

• Azure shifts development costs from the capital expense (CapEx) of building out and maintaining infrastructure and facilities to an operational expense (OpEx) of renting infrastructure as needed, whether it’s compute, storage, networking, and so on.
• The OpEx cost can be impacted by many factors. Some of the impacting factors are:
  • Resource type
  • Consumption
  • Maintenance
  • Geography
  • Subscription type
  • Azure Marketplace

Resource Type
• A number of factors influence the cost of Azure resources. The type of resources, the settings for the resource, and the Azure region will all have an impact on how much a resource costs.
• When a user provisions an Azure resource, Azure creates metered instances for that resource.
• The meters track the resources' usage and generate a usage record that is used to calculate the bill.
• Examples
  • With a storage account, users specify a type such as blob, a performance tier, an access tier, redundancy settings, and a region.
    − Creating the same storage account in different regions may show different costs and changing any of the settings may also impact the price.
  • With a virtual machine (VM), users may have to consider licensing for the operating system or other software, the processor and number of cores for the VM, the attached storage, and the network interface.
    − Just like with storage, provisioning the same virtual machine in different regions may result in different costs.

Consumption
• Pay-as-you-go, where users pay for the resources that they use during a billing cycle, is utilized.
  • It’s a straightforward pricing mechanism that allows for maximum flexibility.
• However, Azure also offers the ability to commit to using a set amount of cloud resources in advance and receiving discounts on those “reserved” resources.
  − Many services, including databases, compute, and storage, provide the option to commit to a level of use and receive a discount, in some cases up to 72 percent.
  − When users reserve capacity, they are committing to using and paying for a certain amount of Azure resources during a given period (typically one or three years).
  − With pay-as-you-go as a backup, if users see a sudden surge in demand that eclipses what they have pre-reserved, they just pay for the additional resources in excess of their reservation.
  − This model allows users to realize significant savings on reliable, consistent workloads while also having the flexibility to rapidly increase their cloud footprint as the need arises.

Maintenance
• The flexibility of the cloud makes it possible to rapidly adjust resources based on demand.
• Using resource groups can help keep all of the resources organized.
• In order to control costs, it’s important to maintain the cloud environment.
  • For example, every time a VM is provisioned, additional resources such as storage and networking are also provisioned.
  • If the VM is deprovisioned, those additional resources may not deprovision at the same time, either intentionally or unintentionally.
  • By keeping an eye on your resources and making sure you’re not keeping around resources that are no longer needed, you can help control cloud costs.

Geography
• When most resources are provisioned in Azure, a region needs to be defined where the resource deploys.
• Azure infrastructure is distributed globally, which enables users to deploy their services centrally or closest to their customers, or something in between.
• With this global deployment comes global pricing differences.
  • The costs of power, labor, taxes, and fees vary depending on the location.
  • Due to these variations, Azure resources can differ in costs to deploy depending on the region.
• Network traffic is also impacted based on geography.
  • For example, it’s less expensive to move information within Europe than to move information from Europe to Asia or South America.

Network Traffic
• Billing zones are a factor in determining the cost of some Azure services.
• Bandwidth refers to data moving in and out of Azure datacenters.
• Some inbound data transfers (data going into Azure datacenters) are free.
• For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on zones.
• A zone is a geographical grouping of Azure regions for billing purposes.
• Bandwidth Pricing Page:
  • https://azure.microsoft.com/en-us/pricing/details/bandwidth/

Subscription Type
• Some Azure subscription types also include usage allowances, which affect costs.
• For example, an Azure free trial subscription provides access to a number of Azure products that are free for 12 months.
  • It also includes credit to spend within the first 30 days of sign-up.
  • It also grants access to more than 25 products that are always free (based on resource and region availability).

Azure Marketplace
• Azure Marketplace lets users purchase Azure-based solutions and services from third-party vendors.
  • This could be a server with software preinstalled and configured, or managed network firewall appliances, or connectors to third-party backup services.
• When products are purchased through Azure Marketplace, users may pay for not only the Azure services that they are using, but also the services or expertise of the third-party vendor.
  • Billing structures are set by the vendor.
• All solutions available in Azure Marketplace are certified and compliant with Azure policies and standards.
  • The certification policies may vary based on the service or solution type and Azure service involved.

Pricing Calculator
• The pricing calculator is designed to give a user an estimated cost for provisioning resources in Azure.
• The user can get an estimate for individual resources, build out a solution, or use an example scenario to see an estimate of the Azure spend.
• The pricing calculator’s focus is on the cost of provisioned resources in Azure.
• The pricing calculator is for information purposes only.
  • The prices are only an estimate.
  • Nothing is provisioned when a user adds resources to the pricing calculator, and the user won't be charged for any services selected.
• With the pricing calculator, the user can estimate the cost of any provisioned resources, including compute, storage, and associated network costs.
  • The user can even account for different storage options like storage type, access tier, and redundancy.

Pricing Calculator

https://azure.microsoft.com/en-us/pricing/calculator/

Total Cost of Ownership Calculator

• The TCO calculator is designed to help compare the costs of running an on-premises infrastructure with those of an Azure Cloud infrastructure.
• With the TCO calculator, users can enter their current infrastructure configuration, including servers, databases, storage, and outbound network traffic.
• The TCO calculator then compares the anticipated costs for the current environment with an Azure environment supporting the same infrastructure requirements.
• With the TCO calculator, users enter their configuration, add in assumptions like power and IT labor costs, and are presented with an estimation of the cost difference to run the same environment in their current datacenter or in Azure.

Total Cost of Ownership Calculator

https://azure.microsoft.com/en-us/pricing/tco/calculator/

Microsoft Cost Management Tool

• Microsoft Azure is a global cloud provider, meaning resources can be provisioned anywhere in the world.
• Users can provision resources rapidly to meet a sudden demand, or to test out a new feature, or by accident.
• If users accidentally provision new resources, they may not be aware of them until it’s time for their invoice.
• Cost Management is a service that helps avoid those situations.
• Cost Management provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources.
• Cost analysis is a subset of Cost Management that provides a quick visual for Azure costs.
• Using cost analysis, users can quickly view the total cost in a variety of different ways, including by billing cycle, region, resource, and so on.
• Cost analysis can be used to explore and analyze the organizational costs.
  • Users can view aggregated costs by organization to understand where costs are accrued and to identify spending trends.
  • Users can also see accumulated costs over time to estimate monthly, quarterly, or yearly cost trends against a budget.

Budgets
• A budget is where a user sets a spending limit for Azure.
• Budgets can be set based on a subscription, resource group, service type, or other criteria.
• When a budget is set, a budget alert is also set.
• In the Azure portal, budgets are defined by cost.
• Budgets are defined by cost or by consumption usage when using the Azure Consumption API.
• A more advanced use of budgets enables budget conditions to trigger automation that suspends or otherwise modifies resources once the trigger condition has occurred.
• Cost Management budgets are created using the Azure portal or the Azure Consumption API.

Cost Alerts
• Cost alerts provide a single location to quickly check on all of the different alert types that may show up in the Cost Management service.
• The three types of alerts that may show up are:
  • Budget alerts
  • Credit alerts
  • Department spending quota alerts

Budget Alerts
• Budget alerts notify a user when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.
• Budget alerts support both cost-based and usage-based budgets.
• Budget alerts are generated automatically whenever the budget alert conditions are met.
• All cost alerts can be viewed in the Azure portal.
• Whenever an alert is generated, it appears in cost alerts.
• An alert email is also sent to the people in the alert recipients list of the budget.

Credit Alerts
• Credit alerts notify users when their Azure credit monetary commitments
are consumed.
• Monetary commitments are for organizations with Enterprise Agreements
(EAs).
• Credit alerts are generated automatically at 90% and at 100% of an
organization’s Azure credit balance.
• Whenever an alert is generated, it's reflected in cost alerts, and in the
email sent to the account owners.

Department Spending Quota Alerts


• Department spending quota alerts notify users when department
spending reaches a fixed threshold of the quota.
• Spending quotas are configured in the EA portal.
• Whenever a threshold is met, it generates an email to department owners,
and appears in cost alerts.

Managing Costs
• As cloud usage grows, it's increasingly important to stay organized.
• A good organization strategy helps users understand cloud usage and can help manage costs.
• One way to organize related resources is to place them in their own
subscriptions.
• Users can also use resource groups to manage related resources.
• Resource tags are another way to organize resources.

Resource Tags
• A resource tag consists of a name and a value.
• One or more tags can be applied to each Azure resource.
• Resource tags provide extra information, or metadata, about resources.
• This metadata is useful for:
  • Resource management:
    − Tags enable a user to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
  • Cost management and optimization:
    − Tags enable users to group resources so that they can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
  • Operations management:
    − Tags enable users to group resources according to how critical their availability is to their business.
    − This grouping helps users formulate service-level agreements (SLAs) - an uptime or performance guarantee between you and your users.
  • Security:
    − Tags enable users to classify data by its security level, such as public or confidential.
  • Governance and regulatory compliance:
    − Tags enable users to identify resources that align with governance or regulatory compliance requirements, such as ISO 27001.
    − Tags can also be part of an organization’s standards enforcement efforts.
    − For example, it might be required that all resources be tagged with an owner or department name.
  • Workload optimization and automation:
    − Tags can help users visualize all of the resources that participate in complex deployments.
    − For example, they might tag a resource with its associated workload or application name and use software such as Azure DevOps to perform automated tasks on those resources.

Managing Resource Tags

• Users can add, modify, or delete resource tags through Windows PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.
• Azure Policy can be used to enforce tagging rules and conventions.
  • For example, users can require that certain tags be added to new resources as they're provisioned.
  • Users can also define rules that reapply tags that have been removed.
• Resources don't inherit tags from subscriptions and resource groups, meaning that tags can be applied at one level and not have those tags automatically show up at a different level, allowing the creation of custom tagging schemas that change depending on the level (resource, resource group, subscription, and so on).
• Note that users don't need to enforce that a specific tag is present on all of their resources.
  • For example, users might decide that only mission-critical resources have the tag.
  • All non-tagged resources would then not be considered as mission-critical.

An Example Tagging Structure



Microsoft Purview
• Microsoft Purview is a family of data governance, risk, and compliance solutions that helps users get a single, unified view into their data.
• Microsoft Purview brings insights about users’ on-premises, multicloud, and software-as-a-service data together.
• With Microsoft Purview, users can stay up-to-date on their data landscape thanks to:
  • Automated data discovery
  • Sensitive data classification
  • End-to-end data lineage

Microsoft Purview

• Two main solution areas comprise Microsoft Purview:
  1. Risk and compliance
  2. Unified data governance

Microsoft Purview Risk and Compliance Solutions

• Microsoft 365 features as a core component of the Microsoft Purview risk and compliance solutions.
• Microsoft Teams, OneDrive, and Exchange are just some of the Microsoft 365 services that Microsoft Purview uses to help manage and monitor user data.
• Microsoft Purview, by managing and monitoring data, is able to help an organization:
  • Protect sensitive data across clouds, apps, and devices.
  • Identify data risks and manage regulatory compliance requirements.
  • Get started with regulatory compliance.

Unified Data Governance

• Microsoft Purview has robust, unified data governance solutions that help manage users’ on-premises, multicloud, and software-as-a-service data.
• Microsoft Purview’s robust data governance capabilities enable users to manage data stored in Azure, SQL and Hive databases, locally, and even in other clouds like Amazon S3.
• Microsoft Purview’s unified data governance helps an organization:
  • Create an up-to-date map of the entire data estate that includes data classification and end-to-end lineage.
  • Identify where sensitive data is stored in an organization’s estate.
  • Create a secure environment for data consumers to find valuable data.
  • Generate insights about how data is stored and used.
  • Manage access to the data in an organization’s estate securely and at scale.

Azure Policy
• Azure Policy is a service in Azure that enables users to create, assign, and manage policies that control or audit their resources.
• These policies enforce different rules across users’ resource configurations so that those configurations stay compliant with corporate standards.
• Azure Policy enables users to define both individual policies and groups of related policies, known as initiatives.
• Azure Policy evaluates users’ resources and highlights resources that aren't compliant with the policies that have been created.
• Azure Policy can also prevent noncompliant resources from being created.
• Azure Policies can be set at each level, enabling users to set policies on a specific resource, resource group, subscription, and so on.
• Additionally, Azure Policies are inherited, so if a policy is set at a high level, it will automatically be applied to all of the groupings that fall within the parent.
  • For example, if you set an Azure Policy on a resource group, all resources created within that resource group will automatically receive the same policy.

Azure Policy
• Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute, Security Center, and Monitoring.
  • For example, if a policy is defined that allows only a certain size for the virtual machines (VMs) to be used in the user’s environment, that policy is invoked when a new VM is created and whenever existing VMs are resized.
  • Azure Policy also evaluates and monitors all current VMs in the environment, including VMs that were created before the policy was created.
• In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources.
  • For example, if all resources in a certain resource group should be tagged with the AppName tag and a value of "SpecialOrders," Azure Policy will automatically apply that tag if it is missing.
  • However, users still retain full control of their environment.
  • If users have a specific resource that they don’t want Azure Policy to automatically fix, they can flag that resource as an exception, and the policy won’t automatically fix that resource.
• Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that pertain to the pre-deployment and post-deployment phases of users’ applications.
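
The AppName example above can be written as a custom policy definition that uses the modify effect. The JSON below is an added example, not taken from the slides and not a built-in definition; the display name and the parameter names tagName and tagValue are assumptions, and the role ID is the built-in Contributor role that the modify effect exercises through the assignment's managed identity.

```json
{
  "properties": {
    "displayName": "Add AppName tag when missing (constructed example)",
    "description": "Constructed example for this guide, not a built-in definition. Adds the tag named by tagName with the value tagValue to any taggable resource that lacks it.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "AppName",
        "metadata": {
          "displayName": "Tag name",
          "description": "Assumed parameter name: the tag that must be present."
        }
      },
      "tagValue": {
        "type": "String",
        "defaultValue": "SpecialOrders",
        "metadata": {
          "displayName": "Tag value",
          "description": "Assumed parameter name: the value applied when the tag is missing."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```

Assigned at a resource group scope, the rule adds the tag to resources as they are created or updated; resources that already exist are changed only when a remediation task runs under the assignment's managed identity. Swapping the effect for deny (and dropping details) turns the same condition into the "require a tag on new resources" rule mentioned under Managing Resource Tags.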

Azure Policy Initiatives

• An Azure Policy initiative is a way of grouping related policies together.
• The initiative definition contains all of the policy definitions to help track an organization’s compliance state for a larger goal.
  • For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security Center.
  • Its goal is to monitor all available security recommendations for all Azure resource types in Azure Security Center.
  • Under this initiative, the following policy definitions are included:
    − Monitor unencrypted SQL Database in Security Center: This policy monitors for unencrypted SQL databases and servers.
    − Monitor OS vulnerabilities in Security Center: This policy monitors servers that don't satisfy the configured OS vulnerability baseline.
    − Monitor missing Endpoint Protection in Security Center: This policy monitors for servers that don't have an installed endpoint protection agent.
  • In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate policy definitions.

Resource Locks
• A resource lock prevents resources from being accidentally deleted or changed.
• Even with Azure role-based access control (Azure RBAC) policies in place, there's
still a risk that people with the right level of access could delete critical cloud
resources.
• Resource locks prevent resources from being deleted or updated, depending on
the type of lock.
• Resource locks can be applied to individual resources, resource groups, or even
an entire subscription.
• Resource locks are inherited, meaning that if a resource lock is placed on a
resource group, all of the resources within the resource group will also have the
resource lock applied.

Types of Resource Locks

• There are two types of resource locks, one that prevents users from deleting and one that prevents users from changing or deleting a resource.
  • Delete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Managing Resource Locks

• Resource locks can be managed from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.
• To view, add, or delete locks in the Azure portal, go to the Settings section of any resource's Settings pane in the Azure portal.
• Although locking helps prevent accidental changes, one can still make changes by the following process:
  • To modify a locked resource, one must first remove the lock, after which users can apply any action they have permissions to perform.
  • Resource locks apply regardless of RBAC permissions.
  • Even an owner of the resource must still remove the lock before performing the blocked activity.

Service Trust Model

• The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.
• The Service Trust Portal contains details about Microsoft's implementation of controls and processes that protect our cloud services and the customer data therein.
• To access some of the resources on the Service Trust Portal, one must sign in as an authenticated user with a Microsoft cloud services account (Microsoft Entra organization account).
• One will need to review and accept the Microsoft non-disclosure agreement for compliance materials.
• The Service Trust Portal can be accessed at: https://servicetrust.microsoft.com/

Service Trust Portal

• The Service Trust Portal features and content are accessible from the main menu.
• The categories on the main menu are:
  • Service Trust Portal provides a quick access hyperlink to return to the Service Trust Portal home page.
  • My Library lets users save (or pin) documents to quickly access them on their My Library page. Users can also set up notifications for when documents in their My Library are updated.
  • All Documents is a single landing place for documents on the Service Trust Portal. From All Documents, users can pin documents to have them show up in My Library.

Tools for interacting with Azure

• To get the most out of Azure, a user needs a way to interact with the Azure environment, the management groups, subscriptions, resource groups, resources, and so on.
• Azure provides multiple tools for managing the environment, including the:
  • Azure portal
  • Azure PowerShell
  • Azure Command Line Interface (CLI)

Azure Portal
• The Azure portal is a web-based, unified console that provides an alternative to command-line tools.
• With the Azure portal, users can manage their Azure subscription by using a graphical user interface.
• Users can:
  • Build, manage, and monitor everything from simple web apps to complex cloud deployments
  • Create custom dashboards for an organized view of resources
  • Configure accessibility options for an optimal experience
• The Azure portal is designed for resiliency and continuous availability.
  • It maintains a presence in every Azure datacenter.
  • This configuration makes the Azure portal resilient to individual datacenter failures and avoids network slowdowns by being close to users.
  • The Azure portal updates continuously and requires no downtime for maintenance activities.

Azure PowerShell
• Azure PowerShell is a shell with which developers, DevOps, and IT professionals can run commands called command-lets (cmdlets).
• These commands call the Azure REST API to perform management tasks in Azure.
• Cmdlets can be run independently to handle one-off changes, or they may be combined to help orchestrate complex actions such as:
  • The routine setup, teardown, and maintenance of a single resource or multiple connected resources.
  • The deployment of an entire infrastructure, which might contain dozens or hundreds of resources, from imperative code.
• Capturing the commands in a script makes the process repeatable and automatable.
• In addition to being available via Azure Cloud Shell, Azure PowerShell can be installed and configured on Windows, Linux, and Mac platforms.

Azure CLI
• The Azure CLI is functionally equivalent to Azure PowerShell, with the
primary difference being the syntax of commands.
• While Azure PowerShell uses PowerShell commands, the Azure CLI
uses Bash commands.
• The Azure CLI provides the same benefits of handling discrete tasks or
orchestrating complex operations through code.
• It’s also installable on Windows, Linux, and Mac platforms, as well as
through Azure Cloud Shell.
• Due to the similarities in capabilities and access between Azure PowerShell and the Bash-based Azure CLI, the choice mainly comes down to which language a user is most familiar with.

Azure Resource Manager

• Azure Resource Manager (ARM) is the deployment and management service for Azure.
• It provides a management layer that enables users to create, update, and delete resources in their Azure account.
• Anytime users do anything with their Azure resources, ARM is involved.
  • When a user sends a request from any of the Azure tools, APIs, or SDKs, ARM receives the request.
  • ARM authenticates and authorizes the request.
  • Then, ARM sends the request to the Azure service, which takes the requested action.
  • Users see consistent results and capabilities in all the different tools because all requests are handled through the same API.
• With Azure Resource Manager, users can:
  • Manage their infrastructure through declarative templates rather than scripts. A Resource Manager template is a JSON file that defines what users want to deploy to Azure.
  • Deploy, manage, and monitor all the resources for a user’s solution as a group, rather than handling these resources individually.
  • Redeploy a user’s solution throughout the development life cycle and have confidence the resources are deployed in a consistent state.
  • Define the dependencies between resources, so they're deployed in the correct order.
  • Apply access control to all services because RBAC is natively integrated into the management platform.
  • Apply tags to resources to logically organize all the resources in a subscription.
  • Clarify an organization's billing by viewing costs for a group of resources that share the same tag.

Azure Arc
• Managing hybrid and multi-cloud environments can rapidly get complicated.
• Azure provides a host of tools to provision, configure, and monitor Azure resources.
• By utilizing Azure Resource Manager (ARM), Arc lets users extend their Azure compliance and monitoring to their hybrid and multi-cloud configurations.
• Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.
• Azure Arc provides a centralized, unified way to:
  • Manage users’ entire environment together by projecting their existing non-Azure resources into ARM.
  • Manage multi-cloud and hybrid virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
  • Use familiar Azure services and management capabilities, regardless of where they live.
  • Continue using traditional ITOps while introducing DevOps practices to support new cloud and native patterns in your environment.
  • Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.
• Currently, Azure Arc allows the management of the following resource types hosted outside of Azure:
  • Servers
  • Kubernetes clusters
  • Azure data services
  • SQL Server
  • Virtual machines

Infrastructure as Code
• Infrastructure as code is a concept where users manage their infrastructure as
lines of code.
• At an introductory level, it's things like using Azure Cloud Shell, Azure
PowerShell, or the Azure CLI to manage and configure their resources.
• Advanced users can use the infrastructure as code concept to manage entire
deployments using repeatable templates and configurations.
• ARM templates and Bicep are two examples of using infrastructure as code
with the Azure Resource Manager to maintain an environment.

ARM Templates
• By using ARM templates, users can describe the resources they want to use in
a declarative JSON format.
• With an ARM template, the deployment code is verified before any code is
run.
• This ensures that the resources will be created and connected correctly.
• The template then orchestrates the creation of those resources in parallel.
• That is, if 50 instances of the same resource are needed, all 50 instances are
created at the same time.
• Ultimately, the developer, DevOps professional, or IT professional needs only
to define the desired state and configuration of each resource in the ARM
template, and the template does the rest.
• Templates can even execute PowerShell and Bash scripts before or after the
resource has been set up.

Benefits of using ARM Templates

• Declarative syntax:
  • ARM templates allow users to create and deploy an entire Azure infrastructure declaratively.
  • Declarative syntax means users declare what they want to deploy but don’t need to write the actual programming commands and sequence to deploy the resources.
• Repeatable results:
  • Repeatedly deploy infrastructure throughout the development lifecycle and have confidence that resources are deployed in a consistent manner.
  • Users can use the same ARM template to deploy multiple dev/test environments, knowing that all the environments are the same.
• Orchestration:
  • Users don't have to worry about the complexities of ordering operations.
  • Azure Resource Manager orchestrates the deployment of interdependent resources, so they're created in the correct order.
  • When possible, Azure Resource Manager deploys resources in parallel, so deployments finish faster than serial deployments.
  • Users deploy the template through one command, rather than through multiple imperative commands.

Benefits of using ARM Templates

▪ Modular files:
  • Users can break ARM templates into smaller, reusable components and link them together at
    deployment time.
  • Users can also nest one template inside another template.
  • For example, a template can be created for a VM stack, and then nested inside of templates that
    deploy entire environments, and that VM stack will consistently be deployed in each of the
    environment templates.
▪ Extensibility:
  • With deployment scripts, users can add PowerShell or Bash scripts to their templates.
  • The deployment scripts extend users’ ability to set up resources during deployment.
  • A script can be included in the template or stored in an external source and referenced in the
    template.
  • Deployment scripts give users the ability to complete their end-to-end environment setup in a
    single ARM template.

Bicep
• Bicep is a language that uses declarative syntax to deploy Azure resources.
• A Bicep file defines the infrastructure and configuration.
• Then, ARM deploys that environment based on the Bicep file.
• While similar to an ARM template, which is written in JSON, Bicep files tend to
use a simpler, more concise style.

Bicep - Benefits

▪ Support for all resource types and API versions:
  • Bicep immediately supports all preview and GA versions for Azure services.
  • As soon as a resource provider introduces new resource types and API versions, users can use
    them in their Bicep file.
  • They don't have to wait for tools to be updated before using the new services.
▪ Simple syntax:
  • When compared to the equivalent JSON template, Bicep files are more concise and easier to
    read. Bicep requires no previous knowledge of programming languages.
  • Bicep syntax is declarative and specifies which resources and resource properties you want to
    deploy.
▪ Repeatable results:
  • Repeatedly deploy your infrastructure throughout the development lifecycle and have
    confidence your resources are deployed in a consistent manner.
  • Bicep files are idempotent, which means you can deploy the same file many times and get the
    same resource types in the same state.
  • You can develop one file that represents the desired state, rather than developing lots of
    separate files to represent updates.

Bicep - Benefits

▪ Orchestration:
  • Users don't have to worry about the complexities of ordering operations.
  • Resource Manager orchestrates the deployment of interdependent resources so they're created
    in the correct order.
  • When possible, Resource Manager deploys resources in parallel so deployments finish faster
    than serial deployments.
  • The file can be deployed through one command, rather than through multiple imperative
    commands.
▪ Modularity:
  • Bicep code can be broken into manageable parts by using modules.
  • The module deploys a set of related resources.
  • Modules enable users to reuse code and simplify development.
  • The module can be added to a Bicep file anytime those resources are to be deployed.
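
The orchestration benefit listed for both ARM templates and Bicep comes down to dependency ordering. The following added example (not from the slides, and not Resource Manager's own code) models it in Python: it reads the `dependsOn` entries of a constructed, trimmed template and groups resources into waves that can be deployed in parallel, rejecting undefined or circular dependencies. The resource names and the `deployment_waves` helper are assumptions made for illustration.

```python
import json

# Constructed sample (not from the slides): a trimmed template for a VM stack.
# Real templates also carry $schema, contentVersion, apiVersion and properties.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1"},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip1"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "diagstore1"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "nic1",
     "dependsOn": ["vnet1", "pip1"]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
     "dependsOn": ["nic1", "diagstore1"]}
  ]
}
""")


def deployment_waves(template):
    """Group resources into waves; everything in one wave can deploy in parallel.

    Simplified model (an assumption of this example): dependencies are read
    only from explicit dependsOn lists that reference resources by name.
    """
    pending = {r["name"]: set(r.get("dependsOn", [])) for r in template["resources"]}
    unknown = {d for deps in pending.values() for d in deps} - set(pending)
    if unknown:
        raise ValueError(f"dependsOn names undefined resources: {sorted(unknown)}")
    waves, done = [], set()
    while pending:
        # A resource is ready once every dependency has already been deployed.
        ready = sorted(n for n, deps in pending.items() if deps <= done)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(pending)}")
        waves.append(ready)
        done.update(ready)
        for name in ready:
            del pending[name]
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(deployment_waves(TEMPLATE), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Five resources deploy in three waves instead of five serial steps, which is the speed-up the slides attribute to parallel deployment.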

Azure Advisor

▪ Azure Advisor evaluates a user’s Azure resources and makes recommendations to help
  improve reliability, security, and performance, achieve operational excellence, and reduce
  costs.
▪ Azure Advisor is designed to help users save time on cloud optimization.
▪ The recommendation service includes suggested actions users can take right away,
  postpone, or dismiss.
▪ The recommendations are available via the Azure portal and the API, and users can set up
  notifications to alert them to new recommendations.
▪ When users are in the Azure portal, the Advisor dashboard displays personalized
  recommendations for all their subscriptions.
▪ Users can use filters to select recommendations for specific subscriptions, resource groups,
  or services.
▪ The recommendations are divided into five categories:
  • Reliability is used to ensure and improve the continuity of a user’s business-critical applications.
  • Security is used to detect threats and vulnerabilities that might lead to security breaches.
  • Performance is used to improve the speed of a user’s applications.
  • Operational Excellence is used to help users achieve process and workflow efficiency, resource
    manageability, and deployment best practices.
  • Cost is used to optimize and reduce a user’s overall Azure spending.

Azure Advisor Dashboard

[Figure: Azure Advisor dashboard]

Azure Service Health

▪ Microsoft Azure provides a global cloud solution to help users manage their infrastructure
  needs, reach their customers, innovate, and adapt rapidly.
▪ Knowing the status of the global Azure infrastructure and a user’s
  individual resources could seem like a daunting task.
▪ Azure Service Health helps users keep track of Azure resources, both their
  specifically deployed resources and the overall status of Azure.
▪ Azure Service Health does this by combining three different Azure
  services:
  I. Azure Status
  II. Service Health
  III. Resource Health

Azure Service Health

▪ Azure Status
  • A broad picture of the status of Azure globally.
  • Azure Status informs users of service outages in Azure on the Azure Status page.
  • The page is a global view of the health of all Azure services across all Azure regions.
  • It’s a good reference for incidents with widespread impact.
▪ Service Health
  • Provides a narrower view of Azure services and regions.
  • It focuses on the Azure services and regions a user is using.
  • This is the best place to look for service-impacting communications about outages, planned
    maintenance activities, and other health advisories, because the authenticated Service Health
    experience knows which services and resources a user currently uses.
  • Users can even set up Service Health alerts to notify them when service issues, planned maintenance,
    or other changes may affect the Azure services and regions they use.
▪ Resource Health
  • A tailored view of users’ actual Azure resources.
  • It provides information about the health of individual cloud resources, such as a specific virtual
    machine instance.
  • Using Azure Monitor, users can also configure alerts to notify them of availability changes to their cloud
    resources.

Azure Service Health

▪ By using Azure Status, Service Health, and Resource Health, Azure Service
  Health gives a complete view of a user’s Azure environment, all the
  way from the global status of Azure services and regions down to specific
  resources.
▪ Additionally, historical alerts are stored and accessible for later review.
▪ Something a user initially thought was a simple anomaly, but that turned into a
  trend, can readily be reviewed and investigated thanks to the historical alerts.
▪ Finally, in the event that a workload a user is running is impacted by an
  event, Azure Service Health provides links to support.

Azure Monitor
• Azure Monitor is a platform for collecting data on your resources,
analyzing that data, visualizing the information, and even acting on
the results.
• Azure Monitor can monitor Azure resources, a user’s on-premises
resources, and even multi-cloud resources like virtual machines
hosted with a different cloud provider.

Azure Monitor

▪ On the left is a list of the sources of logging and metric data that can be collected at
  every layer in a user’s application architecture, from application to operating system and
  network.
▪ In the center, the logging and metric data are stored in central repositories.
▪ On the right, the data is used in several ways.
▪ Users can view real-time and historical performance across each layer of their
  architecture or aggregated and detailed information.
▪ The data is displayed at different levels for different audiences.
▪ Users can view high-level reports on the Azure Monitor Dashboard or create
  custom views by using Power BI and Kusto queries.
▪ Additionally, users can use the data to help them react to critical events in real time,
  through alerts delivered via SMS, email, and so on.
▪ Or thresholds can be used to trigger autoscaling functionality to scale to meet the
  demand.

Azure Log Analytics


• Azure Log Analytics is the tool in the Azure portal where users can write and
run log queries on the data gathered by Azure Monitor.
• Log Analytics is a robust tool that supports both simple and complex queries, as well as
data analysis.
• Users can write a simple query that returns a set of records and then use
features of Log Analytics to sort, filter, and analyze the records.
• Users can write an advanced query to perform statistical analysis and visualize
the results in a chart to identify a particular trend.
• Whether users work with the results of their queries interactively or use them
with other Azure Monitor features such as log query alerts or workbooks, Log
Analytics is the tool that they are going to use to write and test those queries.

Azure Monitor Alerts

▪ Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects a
  threshold being crossed.
▪ Users set the alert conditions and the notification actions, and then Azure Monitor Alerts notifies
  them when an alert is triggered.
▪ Depending on the configuration, Azure Monitor Alerts can also attempt corrective action.
▪ Alerts can be set up to monitor the logs and trigger on certain log events, or they can be set
  to monitor metrics and trigger when certain metric thresholds are crossed.
  • For example, users could set up a metric-based alert to notify them when the CPU usage on a virtual
    machine exceeds 80%.
▪ Alert rules based on metrics provide near-real-time alerts based on numeric values.
▪ Rules based on logs allow for complex logic across data from multiple sources.
▪ Azure Monitor Alerts use action groups to configure who to notify and what action to take.
  • An action group is simply a collection of notification and action preferences that users associate with
    one or multiple alerts.
  • Azure Monitor, Service Health, and Azure Advisor all use action groups to notify users when an alert
    has been triggered.
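
The metric-based alert from the slide (CPU usage on a virtual machine above 80%) can be modelled as follows. This is an added Python example, not Azure Monitor's implementation: the rule layout, the five-sample averaging window, the action-group entries and the CPU samples are all constructed assumptions. It shows how evaluating an average over a window keeps a single spike from firing the alert, and how one action group fans a state change out to several notifications and actions.

```python
from statistics import mean

# Hypothetical rule modelled on the slide's example: average CPU above 80%.
RULE = {"name": "vm-cpu-high", "threshold": 80.0, "window": 5,
        "action_group": "ops-oncall"}

# Hypothetical action group: who to notify and what action to take.
ACTION_GROUPS = {
    "ops-oncall": ["email:ops@example.com", "sms:+10000000000", "webhook:scale-out"],
}

# Constructed one-minute CPU samples (%): a brief spike, sustained load, recovery.
CPU = [35, 40, 97, 38, 42, 85, 88, 91, 90, 93, 95, 60, 40, 30, 25, 20]


def evaluate(rule, samples, groups):
    """Return (minute, state, window average, actions) for every state change."""
    events, firing = [], False
    width = rule["window"]
    for end in range(width, len(samples) + 1):
        avg = mean(samples[end - width:end])
        breached = avg > rule["threshold"]
        if breached != firing:  # act only on transitions, not on every sample
            firing = breached
            state = "fired" if firing else "resolved"
            events.append((end - 1, state, round(avg, 1),
                           groups[rule["action_group"]]))
    return events


if __name__ == "__main__":
    for minute, state, avg, actions in evaluate(RULE, CPU, ACTION_GROUPS):
        print(f"minute {minute}: {RULE['name']} {state} (avg {avg}%) -> {actions}")
```

The 97% sample at minute 2 never raises the alert because its window average stays near 50%; the rule fires only once the sustained load pushes the five-minute average past the threshold.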



Application Insights

▪ Application Insights, an Azure Monitor feature, monitors web applications.
▪ Application Insights is capable of monitoring applications that are running in Azure, on-premises,
  or in a different cloud environment.
▪ There are two ways to configure Application Insights to help monitor an application:
  • Users can either install an SDK in their application, or
  • Users can use the Application Insights agent, which is supported in C#.NET, VB.NET, Java, JavaScript,
    Node.js, and Python.
▪ Once Application Insights is up and running, users can use it to monitor a broad array of
  information, such as:
  • Request rates, response times, and failure rates
  • Dependency rates, response times, and failure rates, to show whether external services are slowing
    down performance
  • Page views and load performance reported by users' browsers
  • AJAX calls from web pages, including rates, response times, and failure rates
  • User and session counts
  • Performance counters from Windows or Linux server machines, such as CPU, memory, and network
    usage
▪ Not only does Application Insights help users monitor the performance of their application,
  but users can also configure it to periodically send synthetic requests to their application,
  allowing them to check the status and monitor the application even during periods of low
  activity.
