Building enterprise solutions in Azure IaaS is complex. The platform is rapidly changing. In this course, Auditing Your Azure Assets for Security and Best Practices, you will be given real world advice and guidance to help you tackle the ever-changing Azure world. This course has been designed to highlight the areas where mistakes are often made. First, you will learn about the four pillars of good Azure design: Security, Performance, Support, and Cost. Next, you will explore the major pitfalls with Service Level Agreements, Network, Virtual Machines, Storage, and Backup. Finally, course moves on to cover Azure Advisor and the Security Centre and also perimeter device options. By the end of the course, you will have a different view of Azure and you will be armed with a better understanding of the platform.
Course Overview Hi there. My name is Gavin, and welcome to my course, Auditing Your Azure Assets for Security and Best Practice. This course is designed to give you real-world advice and guidance in the ever-changing world of Azure. The course was designed to highlight the areas where mistakes are often made, and we're going to use four pillars to guide you through the course. The pillars are security, performance, support, and cost. Some of the major topics we will cover include service level agreements and why they're important, auditing and reviewing network, virtual machines, storage, and backup in Azure. We'll spend some time going through the Azure Advisor and the importance of the security center. And finally, we'll discuss some of the perimeter devices and security options you have in Azure. By the end of the course, you'll know most of the mistakes I've made over the years, and I'm more than happy to share them with you. The Azure world is changing quickly, but this course will give you a core understanding and the best approaches for auditing and securing your environment. I hope you'll join me on this journey through the land of pillars, audits, security, SLAs, and random anecdotes. This is the Auditing Your Azure Assets for Security and Best Practices course at Pluralsight.
Service Level Agreements Welcome back to Pluralsight. My name is Gavin, and in this section, we're going to cover the service level agreements in Azure and why they're important. So a quick overview of the section. We've got to discuss what SLAs are and why they're important. Let's give it a bit of context. Then I'm going to call out the important SLAs. There's a lot of SLAs in Azure, but there are a few that are critical to understand. We're going to spend a bit of time understanding how SLAs combine together to give you the true SLA of the service that you're providing. And finally, we'll look at some design examples, balance between cost in an SLA. When is one machine better than two and so on? So let's look at the approach we're going to take in this section, and we have our pillars that we're going through for review. In this instance, we're going to spend a lot of time talking about support, staying in those supported configurations, and we're also going to spend a couple of minutes talking about that balance between cost and supportability.
Virtual Machines and Storage Welcome to Pluralsight. My name is Gavin, and you're in the Virtual Machines and Storage section, and this is the section I've titled Where Battles Are Won and Lost, so let me explain. So compute is the biggest cost in your Azure bill. It is singly the biggest cost you're going to face. So choosing the balance between cost and performance is critical. In the virtualization world, it's very easy just to turn the dial all the way up to 11, select 16 CPUs and as much RAM as you can overcommit, and there's little or not impact on the cost. After all, you own the server hardware already. But if you take that approach in Azure, you're going to find that your costs rise and rocket very, very quickly. So there's a fine balance between cost and performance, and that's what this module is all about. So we're going to discuss choosing the right virtual machine and sizes. And in particular, we'll look at the relationship between storage and size. This is an exercise you can take by going back and looking back at your existing environments in Azure or when you're doing your design process. And then finally, we'll spend a few minutes talking about virtual machine security. So in the spirit of the structured approach and review, the four pillars of security, performance, support, and cost are very, very relevant for virtual machines. So a virtual machine security, there is an immediate action. You've got to be really, really careful. And performance, as we discussed, is a balancing act. And support, really critically important to make sure you understand the application so you design and implement the right virtual machine infrastructure. Otherwise, you might not be supported. And then, after all, nothing is free in the cloud, so you need to have a cost effective design. One side note, and bear this in mind in everything that you do. When you find those cheap virtual machines in Azure or, indeed, Amazon or Google, cheap equals slow, and it's there for a reason. So sometimes choosing the smallest machine is actually the wrong thing to do. And again, we're going to go through that in more detail in this section.
Auditing - Storage Welcome to Pluralsight. My name is Gavin, and this is the Auditing - Backup and Recovery section of the course. Backup and recovery is often overlooked until too late. Backup and recovery is a bit of a blind spot for most of the environments I review and indeed most of the design processes I go through. I don't know why they're overlooked. They're always overlooked, and they're rarely, rarely tested. But the reality is, backup and restore should be part of every Azure build. When you've built it, you should document the restore process and test it. So if we look at the things you need to consider from our normal structured approach. Security for backups, yeah we'll talk a little bit about that. Performance is critical with backup. When do you start it? When do you stop it? How long does it take? What's a supported configuration for a backup? And how much do they cost? So quick summary of the module, we're going to go through my rant about backup and restore and how it's often overlooked. Yeah, yeah, yeah. But then we'll talk a little bit about the recovery time objective and the recovery point objective. Yeah, more acronyms, but let's just have a brief discussion on them. We'll look at some of the options for backup and restore. We're going to choose from that set many options and the technology available. We'll try and calculate the cost, finger in the air guesses. I'll explain that later on and then some general recommendations on backup and recovery, notes from the field, and then obviously the restore process. So just as a side note, backup and restore is more than the virtual machine or the operating system. You could conceivably restore a virtual machine and, you know, with proud declaration state to the business that you've restored the application only for the application specialist to come on board and say, no we can't start the application. The data is corrupt and so on. See the thing about the backup and restore is that is has to be about the application and not the operating system. I don't know why people just focus on a tick box to say yes, we have backed up the virtual machine. Yes, we have restored it. But very few dig into the application, and that's what we're going to cover in the next section.
Azure Advisor and Security Center Welcome to Pluralsight. My name is Gavin, and this is the Azure Advisor and Security Center part of our course. Another Pair of Eyes. A quick overview of our module, we'll touch on Azure Advisor. It's sometimes very, very helpful and sometimes not so helpful. We'll also spend time talking about the Azure Security Center. In my mind, it's a must have minimum security baseline. The free tier has a lot of great stuff in it that you'd be a fool not to use. So our structured approach of security, performance, support, and cost, where does Azure Advisor and Security Center fit into it? Well Security Center obviously fits in security. Performance, less so. Advisor does do its best to give you some pointers on performance and so on. Support, you don't get too much advice on support. You do get pointers that say something is not protected. And Advisor does talk about cost, and I'll come on to that now in a moment. The cynic in me says that Azure Advisor just wants you to spend more on compute and storage, always advising that maybe you need to increase the size of the virtual machine and so on. And the cynic would probably be right, but to be fair to Advisor, it doesn't have the context of the application. So if there are potential performance issues or potential bottlenecks, then the only answer generally is to turn up the dial. But Advisor does do a couple of things that are really, really useful. It is a really generic, standard, default, uncomplicated service. But what it does review is high availability. It points out where this is no high availability on a particular virtual machine. It does bring in some of the Security Center stuff. It does talk a little bit about performance, but as I said I'm a bit of a cynic and a skeptic on it. And it does talk about cost. It does a good attempt as well at putting an impact on priority using a standard high, medium, and low approach.
Perimeter Devices – What’s on Offer Welcome to Pluralsight. My name is Gavin, and this is the Perimeter Security Options in Azure, Adding the Right Level of Security. So in this module, we're really just going to have a discussion about the various options for securing the perimeter in your software- defined data center. I'm not going to dig into the technical aspects of all the various firewall options that are out there, but I think it's worth discussing their various merits and the various different options you have. So again going through our structured approach, we're going to talk a little bit about security, performance, support, and cost, and cost is a big thing again as ever. So this is a software defined data center. It's not just a virtualization platform, so you have to consider what you're going to do for perimeter security in your Azure data center. You can, of course, just use network security groups, and you can decide not to use an appliance, but there comes a tipping point where you're really going to need to put some sort of perimeter device. But just bear in mind that Azure does not provide any level of intelligence or traffic analysis on the perimeter for those internet facing virtual machines. It's just those basic network security groups. The basic allow and deny based on source ports, destination ports, source IP, and destination IP. So the default starting position in Azure is when you expose a virtual machine to the internet, there is generally no protection from Azure. Yes, Windows and Linux machines do have firewalls, but Azure doesn't give you any traffic inspection. So just as a side note, I don't know why people do this. People in the Windows world tend to turn off the firewalls. When you're doing that in Azure, you're removing the final layer of protection. So a little bit of management, and yes it is a bit of an overhead to manage the Windows firewall. And as a side note, those internal firewalls work very, very well when you're considering insight threats and malware spread, so there's a real merit to keeping them turned on. And, as I said, the network security groups are just access controls. There's no application protection.