What can you use to deploy Azure resources across multiple subscriptions in a?
The first step in building an MSP cloud practice with Microsoft Azure is deeply familiarizing yourself with Microsoft Azure’s fundamentals: its terminology, elements, and hierarchy. Here we will list and define the most critical Azure elements and discuss how they interrelate with each other. In this section, we will focus exclusively on Azure Resource Manager (ARM), which is Microsoft’s current implementation of Azure. Prior to ARM, Azure used a “Classic” model, which had significantly different terminology associated with it and is not relevant to the MSP community today.

Microsoft Azure is a diverse cloud platform that contains hundreds of products (also known as SKUs). Azure is to cloud what Apple is to devices: each has many products that fall into multiple categories. For instance:

We will focus on IaaS, SaaS, and somewhat on PaaS, as those are the most fundamental building blocks an MSP needs to build a cloud practice in Azure.

At the highest level is an Azure account, also known as a tenant or directory (these terms will be used interchangeably). An Azure account is uniquely associated with an Azure Active Directory (AAD), where user objects that access the Azure Portal exist. An Azure tenant is free to create, and by itself is simply a container for subscriptions and AAD objects. You cannot run anything in an Azure account without a subscription. Azure tenant names must be globally unique (i.e. no one else in the world can use the same name) and each one has a TenantName.onmicrosoft.com domain associated with it.

TIP: Inside an Azure tenant there are subscriptions. A single Azure tenant can contain multiple subscriptions, but each subscription must be contained within a single tenant.

A subscription is the “billing container”. You obtain a subscription directly from Microsoft or through an Azure reseller and you can create resources inside of that subscription. The monthly Azure invoice will contain the consumption of every resource you run inside of a subscription. If you don’t run any resources and therefore have no consumption, your bill is $0.

Subscriptions come in many flavors, but the easiest way to think about them is as an agreement between you and Microsoft that you will use any of the available Azure products under the terms of your subscription and you agree to pay for them after you’ve used them. A good comparison is electrical power service in your home. You open an account with the electricity provider (subscription), agree on a rate for electricity and delivery, use the electricity during a month, and then pay the bill once the power company tells you how much you have used or consumed.

Subscriptions obtained directly from Microsoft will typically be Pay-as-you-go, Free, EA, CSP, or Sponsored. Most MSPs, however, purchase Azure through a CSP Provider (like Pax8, Sherweb, Ingram, Techdata, etc.). The MSP in this scenario is known as a “CSP Reseller”. Using the CSP Provider’s own portal, the MSP will be able to create a subscription to consume resources inside this subscription. The CSP Provider will get a bill from Microsoft for the consumption and will in turn bill the MSP. The MSP will then bill its customer for the Azure consumption.

Subscriptions have globally unique IDs (GUID) associated with them. They also have a friendly name that you can set to anything you want, and this name does not have to be unique. As a matter of fact, you can have subscriptions with the same friendly name inside of the same tenant. However, try to assign logical, unique names to each of your subscriptions to make things easier to manage.

Resource Groups and Resources

Below the subscription are resource groups (RG). These are logical groupings of resources in Azure that allow you to easily view and manage sets of resources associated with a single function. For example, if you have two complex, multi-component applications A and B, you will want to split them up into resource groups (e.g. RG-A and RG-B) to logically group all the compute, storage, and networking for each application with other related components.

Resource groups are not billing units. You won’t be able to easily answer the question of “how much are the resources in resource group RG-A costing me” by looking at your Azure invoice. These RGs are there for ease of management, resource organization, and isolation. There are lots of resources in every Azure deployment, so keeping things nice, tidy, and logical is very important. There can be multiple resource groups within a single subscription, but any one resource group can be part of only one subscription. Resource group names do not have to be globally unique, but must be unique within a single subscription.

Finally, resources are created inside of a resource group, which is inside a subscription, which is inside a tenant. What are resources? A resource is everything that does something in Azure. Examples are virtual machines, virtual networks, disks, network cards, VPN gateways, IP addresses, etc.

Usage and Billing

There are many categories of resources and each one has different configuration, usage and billing characteristics. We will explore the most important elements in this and future write-ups. For now, let’s focus on billing. Some resources will be billable while others won’t. For example, a virtual machine (compute resource) will be billable while a virtual network interface (network resource) attached to a virtual machine will not be billable. Billing in Azure typically has a unit and frequency.
The easiest way to think about this is to go back to our electricity at home example. Electric power is a resource, the unit is kWatt and frequency is hour. We therefore have a pre-defined cost per kWatt-hour. As we use electricity, there is a meter running that measures how many kWatt-hours we’ve used up and then the electric company sends us a bill for what we used. Azure works the same way. For instance, a virtual machine (VM) is billed for compute capacity (unit) on a per-second basis (frequency). Every time we start up (provision) a VM, a meter starts up and keeps track of how long this VM is running. At the end of the month our invoice will show how many hours we used a particular type of VM and that’s what we owe either Microsoft directly or via a CSP. The key takeaway here is that each billable resource has a virtual “meter” that’s running any time the resource is “used” (this is defined differently for each type of resource). If we stop the resource, we stop the meter and we are no longer billed.

Azure Object Hierarchy Overview

Familiarizing yourself with this set of core building blocks, including Accounts, Tenants, Subscriptions, Resource Groups, Resources, and Billing options, is the first step an MSP should take in determining the most efficient and cost-effective way to build a cloud IT practice in Microsoft Azure. Now, let’s dive deeper into Azure resources.

Azure Resources

As we stated above, the building blocks of an Azure IT environment are Resources. These resources are organized into Resource Groups inside of an Azure subscription. There are billable and non-billable resources. Billable resources have a Meter attached to them that runs while the resource is provisioned. In this section, we will explore the three most common types of Azure resources used by MSPs when deploying IT environments: Compute (virtual machines), Storage, and Network. Every resource used in Azure must be deployed in a geographical location known as a Region.
An Azure region is a grouping of data centers located in a specific geographic location. Microsoft is constantly growing its global footprint and adding data centers and regions. At the time of this article, there are 54 regions available in 140 countries and the list is growing. The most up-to-date map of regions can be viewed here. Resources deployed in the same region are interconnected with high-speed connectivity (think LAN speeds). Resources in different regions can still communicate with each other but are subject to additional WAN latency. The latency depends on how far the regions are from each other.

Associate or add an Azure subscription to your Azure Active Directory tenant

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices. Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

If your subscription expires, you lose access to all the other resources associated with the subscription. However, the Azure AD directory remains in Azure. You can associate and manage the directory using a different Azure subscription.

All of your users have a single home directory for authentication. Your users can also be guests in other directories. You can see both the home and guest directories for each user in Azure AD.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

Understand scope

Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers. You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels.
For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn’t have that policy assignment. You can deploy templates to tenants, management groups, subscriptions, or resource groups.

What can you use to deploy Azure resources across multiple subscriptions in a consistent manner SC 900?

Answer: Explanation: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.

Which can be used to manage governance across multiple Azure subscriptions?

The correct answer is B, Management Groups. From the Microsoft Documentation, Azure Management Groups are containers for managing access across multiple Azure subscriptions.

Which service provides organizations with the ability to manage compliance of Azure resources across multiple subscriptions?

Resource groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions.

Can Azure resources be moved across subscriptions?

You can move Azure resources to either another Azure subscription or another resource group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources. To learn more, see Move resources to a new resource group or subscription.
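
The scope inheritance described under “Understand scope” above, worked through as an added example (not code from the original page or from Microsoft): it derives the chain of scopes above a resource from its ARM resource ID and lists which settings reach it and from where. The subscription ID, management group names, hierarchy maps and setting labels are constructed for illustration; exclusions and exemptions are not modelled.

```python
import re

# ARM scope prefix for management groups (resource IDs do not contain it).
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
_ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)(?:/providers/(?P<res>.+))?)?$",
    re.IGNORECASE)

def scope_chain(resource_id, sub_parent_mg, mg_parent):
    """Scopes whose settings reach resource_id, broadest first."""
    m = _ARM_ID.match(resource_id.rstrip("/"))
    if not m:
        raise ValueError(f"unsupported ARM ID: {resource_id!r}")
    sub = m["sub"].lower()  # ARM IDs compare case-insensitively
    chain = [f"/subscriptions/{sub}"]
    if m["rg"]:
        chain.append(f"{chain[-1]}/resourcegroups/{m['rg'].lower()}")
    if m["res"]:  # nested child resources are treated as one resource scope
        chain.append(f"{chain[-1]}/providers/{m['res'].lower()}")
    # Management groups are not in the ID: walk the (assumed) hierarchy maps.
    mg, seen, ancestors = sub_parent_mg.get(sub), set(), []
    while mg and mg not in seen:  # 'seen' guards against a looped map
        seen.add(mg)
        ancestors.append((MG_PREFIX + mg).lower())
        mg = mg_parent.get(mg)
    return ancestors[::-1] + chain

def effective_assignments(resource_id, assignments, sub_parent_mg, mg_parent):
    """Return (setting, scope it is inherited from) pairs for resource_id."""
    by_scope = {}
    for scope, setting in assignments:
        by_scope.setdefault(scope.rstrip("/").lower(), []).append(setting)
    return [(setting, scope)
            for scope in scope_chain(resource_id, sub_parent_mg, mg_parent)
            for setting in by_scope.get(scope, [])]

# Constructed sample data: IDs, group names and setting labels are made up.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_PARENT_MG = {SUB_A: "mg-customers"}
MG_PARENT = {"mg-customers": "mg-root"}
ASSIGNMENTS = [
    (MG_PREFIX + "mg-root", "allowed-locations"),
    (f"/subscriptions/{SUB_A}", "require-tags"),
    (f"/subscriptions/{SUB_A}/resourceGroups/RG-A", "deny-public-ip"),
]
VM_A = f"/subscriptions/{SUB_A}/resourceGroups/RG-A/providers/Microsoft.Compute/virtualMachines/vm1"
VM_B = f"/subscriptions/{SUB_A}/resourceGroups/RG-B/providers/Microsoft.Compute/virtualMachines/vm2"
```

A VM in RG-A picks up the management group, subscription and RG-A settings, while a VM in RG-B in the same subscription gets only the first two, which is the behaviour to check for when auditing where a guardrail actually applies.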