Design an Azure compute solution
- Recap Azure compute services
- IAAS - Azure Virtual Machines / Azure Batch (HPC)
- PAAS - Azure App Service / Azure Container Instances / Azure Container Apps / Azure Kubernetes Service (AKS)
- FAAS - Azure Functions / Azure Logic Apps
- Choose an Azure compute service
Things to consider when choosing Azure compute services
- Architecture and infrastructure requirements
- microservice
- full-fledged orchestration
- serverless
- classic VM (lift and shift)
- Support for new workload scenarios, like HPC applications / event-driven workloads.
- Required hosting options
- e.g. Linux container / Windows container (which requires a VM)
You also need to understand the shared responsibility model of IaaS / PaaS / FaaS
- Support for migrations, such as
- cloud-optimized
- lift and shift
- containerized
- Control: Determine if you require full control over installed software and applications.
- Design for Azure Virtual Machines solutions
Things to consider when using Azure Virtual Machines
- Define the network / subnets properly first; reworking them later is hard, and the same goes for connectivity to on-premises.
- Virtual machine name - name VMs so they are easy to manage, e.g.
[ENV][LOCATION]-[ROLE]vm[RUNNING_NO] -> devusc-webvm01
- Virtual machine location - price differs per region, as do the available hardware and services; also consider legal, compliance, or tax requirements.
- Virtual machine size/Purpose
Classification | Description | Scenarios |
---|---|---|
General purpose | balanced CPU-to-memory ratio | - Testing and development - Small to medium databases - Low-Medium traffic web server |
Compute optimized | high CPU-to-memory ratio | - Medium traffic web servers - Network appliances - Batch processes - Application servers |
Memory optimized | high memory-to-CPU ratio | - RDBMS - Medium to large caches - In-memory analytics |
Storage optimized | high disk throughput and I/O | - Database |
GPU | GPU-focused | - Model training and inferencing with deep learning |
High Performance Compute | high CPU / high-throughput (optional) network | - Heavy processing jobs that need lots of memory / network |
- Virtual machine pricing
- Compute Cost
- Storage Cost
- OS Cost - the image can come from Azure itself or from the Marketplace; there is a license cost as well, and the VM OS must be 64-bit
- Azure Storage - VMs use Azure Managed Disks
Business application - use the Azure Virtual Machines selector tool wizard.
- Design for Azure Batch solutions
Azure Batch - for parallel workloads where work is distributed across nodes; also effective for applications that need to communicate with each other (tightly coupled workloads).
Things to consider when using Azure Batch - Azure Batch best practices.
- Consider pools - for short jobs, don't create a separate pool
- Consider nodes - individual nodes aren't guaranteed to always be available; use multiple nodes so work doesn't stall
- Consider jobs. Uniquely name your jobs so you can accurately monitor and log the activity. One large job with many tasks performs better than many small jobs, e.g. 1 job with 1000 tasks is better than 100 jobs with 10 tasks each.
- Design for Azure App Service solutions
- App Service offers built-in load balancing and traffic management at global scale with high availability.
- provides built-in authentication and authorization capabilities
- The Standard App Service tier includes continuous deployment + Azure DevOps integration
Things to consider when using Azure App Service
- Consider web apps.
- ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose
- Host: Windows or Linux.
- Consider API apps.
- full Swagger support
- apps can be consumed from any HTTP or HTTPS client.
- Consider WebJobs.
- WebJobs feature to run a program or script as background tasks
- Lang Support: Java, PHP, Python, or Node.js.
- Script: cmd, bat, PowerShell, or Bash.
- WebJobs can be scheduled or run by a trigger
- Consider Mobile apps
- Store mobile app data in a cloud-based SQL database.
- Authenticate customers against common social providers, such as MSA, Google, X, and Facebook.
- Send push notifications.
- Execute custom back-end logic in C# or Node.js.
- Consider continuous deployment - the Standard App Service plan tier has deployment slots
- Consider authentication and authorization. - built-in authentication capabilities: Microsoft Entra ID, Facebook, Google, and X (Azure Functions has this too)
- Consider multiple plans to reduce costs. - use the Free App Service plan for testing, then move to a paid tier when ready
Note: Azure App Service costs are per App Service plan, billed monthly.
- Design for Azure Container Instances solutions
Azure Container Instances
- per second billing. You incur costs only while your container is running
- custom sizes (CPU/MEM) for your containers
- offers persistent storage. Azure Files shares
- Windows and Linux containers Support
A container group is a collection of containers that get scheduled on the same host machine. The containers in a container group share a lifecycle, resources, local network, and storage volumes.
Multi-container groups divide a single functional task into several container images. Use cases:
- web application and a container
- App + logging container - pulls data from the app and writes it to storage, like the sidecar pattern for logging
- App + monitoring container - periodically makes a request to the application to ensure it's running and responding correctly, and triggers actions on events
- front-end container and a back-end container
Things to consider when using Azure Container Instances
- Use a private registry - in general, anything secure and trusted
- Ensure image integrity throughout the lifecycle
- Monitor container resource activity
Compare Azure Container Instances to Azure Virtual Machines
Compare | Azure Container Instances | Azure Virtual Machines |
---|---|---|
Isolation | lightweight isolation | complete isolation |
Operating system | as a process | complete operating system |
Deployment | docker / aks | Windows Admin Center or Hyper-V Manager |
Persistent storage | Azure Disks for local storage for a single node, or Azure Files (SMB shares) | virtual hard disk (VHD) |
Fault tolerance | rapidly recreated | needs preparation in advance; recreating a VM takes longer than a container |
- Design for Azure Kubernetes Service solutions
AKS - Kubernetes on Azure, where Azure manages the infrastructure; clusters can also be created automatically with ARM templates.
Things to consider when using Azure Kubernetes Service
Feature | Note |
---|---|
Identity and security management | Entra ID / Azure AD Support |
Integrated logging and monitoring | Azure Monitor |
Automatic cluster node and pod scaling | Two kinds: HPA (pods) / cluster autoscaler, which scales the cluster when pods can't be scheduled |
Cluster node upgrades | Handled by AKS, so we can focus on the app |
Storage volume support | AKS supports both static and dynamic storage volumes |
Virtual network support | Do you need pod-to-pod network or access to on-premises networks from your AKS cluster? - deployed into an existing virtual network with ease. |
Ingress with HTTP application routing support | OK |
Docker image support | OK; it actually follows the OCI standard |
Private container registry | Supported, e.g. ACR |
Business application: how Mercedes-Benz R&D is using Azure Kubernetes Service
- Design for Azure Functions (Code-First) / Azure Logic Apps (Design-First GUI) solutions
Azure Function
- Azure Functions supports compute on demand in two significant ways:
- Azure Functions lets you implement your system's logic into readily available blocks of code. These code blocks (functions) can run anytime you need to respond to critical events.
- As requests increase, Azure Functions meets the demand with as many resources and function instances as necessary. As requests complete, any extra resources and application instances drop off automatically.
- Azure Functions is an ideal solution for handling specific definable actions triggered by an event. A function can process an API call and store the processed data in Azure Cosmos DB. After the data transfer happens, another function can trigger a notification.
Things to consider when using Azure Functions
- Avoid large, long-running functions that can cause unexpected timeout issues unless you use Durable Functions. The default timeout is 300 seconds for Consumption plan functions / 30 minutes for any other plan
- Try Durable Functions, which give a function state, checkpoints, and restarts; see
- [AZ-204] Durable Functions
- What are Durable Functions?
- Consider performance and scaling - split functions by the resource profile they use, e.g. handling messages in a queue uses little memory while processing them uses a lot, so split into 2 functions for cost efficiency
- Consider defensive functions. Handle unexpected cases such as exceptions / network issues / memory limits so that processing can continue
- Maximize performance by using a separate storage account for each function application
Azure Logic Apps
Azure Logic Apps is a component of Azure Integration Services, focused on connecting systems easily through a GUI where you wire components (connectors) together, hence the name "Integration". The differences are as follows:
Compare | Azure Functions | Azure Logic Apps |
---|---|---|
Development | Code-first | Design-first |
Method | Write code and use the durable functions extension | Create orchestrations with a GUI or by editing configuration files |
Connectivity | - Large selection of built-in binding types - Write code for custom bindings | - Large collection of connectors - Enterprise Integration Pack for B2B scenarios - Build custom connectors |
Monitoring | Azure Application Insights | Azure portal, Azure Monitor Logs (Log Analytics) |
Things to consider when using Azure Logic Apps
- Consider integration
- Logic Apps can process large datasets in parallel to let you achieve high throughput.
- conditional expressions. Build highly complex and deeply nested conditionals into your Logic Apps.
- Consider connectors. Investigate whether pre-built connectors exist; if not, use the REST API instead
Business application: Take a few minutes to learn how Azure Logic Apps
Knowledge Check: Design an Azure compute solution
Design an application architecture
- Describe message and event scenarios
- Messages
- raw data that's produced by one component and consumed by another component.
- Events
- lighter weight than messages and are most often used for broadcast communications
- publisher and subscribers.
Patterns include "fan out": a publisher can send events to multiple subscribers through a single message queue
Things to consider when choosing messages or events
- Consider messages and events
- Consider sender expectations
- messages - when expects communication to be processed in a specific way by the destination component
- events - when the sender component in your application has no requirements for the destination component
- Consider guaranteed communication - use messages
- Consider ephemeral communication - ephemeral work may never be picked up by anyone; use events.
- Design a messaging solution
Azure offers 3 options:
- Azure Queue Storage - size limited by the storage account / accessed via REST API
- Azure Service Bus - Message queues
- Azure Service Bus - Publish-subscribe topics
Things to consider when choosing messaging services
Messaging solution | Example scenarios |
---|---|
Azure Queue Storage | You want a simple queue to organize messages. You need an audit trail of all messages that pass through the queue. You expect the queue storage to exceed 80 GB. You'd like to track progress for processing a message inside of the queue. |
Azure Service Bus message queues | You require - an at-most-once delivery guarantee. - at-least-once message processing (PeekLock receive mode). - at-most-once message processing (ReceiveAndDelete receive mode). You want to group messages into transactions. You want to receive messages without polling the queue. You need to handle messages larger than 64 KB. You expect the queue storage won't exceed 80 GB. You'd like to publish and consume batches of messages. |
Azure Service Bus publish-subscribe topics | You need multiple receivers to handle each message. You expect multiple destinations for a single message but need queue-like behavior. |
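The PeekLock (at-least-once) versus ReceiveAndDelete (at-most-once) distinction in the table above, as an added toy simulation (not the Azure SDK; clock, queue and messages are constructed). It shows what happens to a message when the receiver crashes mid-processing in each mode, and how a poison message ends up dead-lettered instead of looping forever:

```python
from collections import deque


class ServiceBusQueueSim:
    """Toy model of a Service Bus queue's two receive modes (constructed;
    not the Azure SDK). Time is an explicit integer clock for determinism."""

    def __init__(self, lock_duration=30, max_delivery_count=10):
        self.ready = deque()          # messages available to receivers
        self.locked = {}              # id -> (msg, lock_expiry)
        self.dead_letter = []         # messages that exceeded max delivery count
        self.lock_duration = lock_duration
        self.max_delivery_count = max_delivery_count
        self._next_id = 1

    def send(self, body):
        self.ready.append({"id": self._next_id, "body": body, "delivery_count": 0})
        self._next_id += 1

    def _release_expired_locks(self, now):
        # A lapsed lock (receiver crashed or was too slow) puts the message
        # back at the head of the queue: this is what gives at-least-once.
        for mid, (msg, expiry) in list(self.locked.items()):
            if now >= expiry:
                del self.locked[mid]
                self.ready.appendleft(msg)

    def receive_and_delete(self, now):
        """ReceiveAndDelete: handed out and removed in one step (at-most-once)."""
        self._release_expired_locks(now)
        return self.ready.popleft() if self.ready else None

    def peek_lock(self, now):
        """PeekLock: the message stays in the queue, hidden from others, until
        complete() is called or the lock expires (at-least-once)."""
        self._release_expired_locks(now)
        while self.ready:
            msg = self.ready.popleft()
            msg["delivery_count"] += 1
            if msg["delivery_count"] > self.max_delivery_count:
                self.dead_letter.append(msg)   # poison message is parked, not lost
                continue
            self.locked[msg["id"]] = (msg, now + self.lock_duration)
            return msg
        return None

    def complete(self, msg):
        """Settle the message: only now is it really removed from the queue."""
        self.locked.pop(msg["id"], None)


def run_receiver(queue, mode, handler, start=0, step=1, max_loops=50):
    """Drive a receiver loop against the simulated queue. The handler may raise
    RuntimeError to simulate a crash mid-processing. Returns the bodies that
    were fully processed (and, in PeekLock mode, completed)."""
    processed = []
    now = start
    for _ in range(max_loops):
        now += step
        if mode == "PeekLock":
            msg = queue.peek_lock(now)
        else:
            msg = queue.receive_and_delete(now)
        if msg is None:
            if queue.locked:          # wait for outstanding locks to lapse
                continue
            break
        try:
            handler(msg)
        except RuntimeError:
            # Crashed before settling: in PeekLock the lock will expire and the
            # message is redelivered; in ReceiveAndDelete it is already gone.
            continue
        if mode == "PeekLock":
            queue.complete(msg)
        processed.append(msg["body"])
    return processed
```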
- Design an Azure Event Hubs messaging solution
Azure Event Hubs is a fully managed, big data streaming platform and event ingestion service
- Events received by Azure Event Hubs are added to the end of its data stream.
- The data stream orders events according to the time the event is received.
- Consumers can seek along the data stream by using time offsets.
- Event Hubs implements a pull model that differentiates it from other messaging services like Azure Service Bus queues.
- Event Hubs holds each message in its cache and allows it to be read.
- When a message is read from Event Hubs, it's not deleted. The message remains for other consumers.
- Event Hubs doesn't have a built-in mechanism to handle messages that aren't processed as expected.
- scales according to the number of purchased throughput (processing) units
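The stream semantics listed above (append-only, ordered by arrival time, pull-based reads by offset that don't delete, retention as the only expiry, and no built-in handling of failed messages) as an added toy model; this is constructed illustration code, not the Event Hubs SDK, and the times and bodies are made up:

```python
class EventHubPartitionSim:
    """Toy model of one Event Hubs partition (constructed; not the SDK).
    Events are appended in arrival order, read by offset, never deleted by a
    read, and only dropped once they age past the retention window."""

    def __init__(self, retention_seconds=3600):
        self.events = []            # list of (offset, received_at, body)
        self.next_offset = 0
        self.retention = retention_seconds

    def send(self, body, received_at):
        # Offsets grow with arrival time, so the stream is ordered by receipt.
        offset = self.next_offset
        self.events.append((offset, received_at, body))
        self.next_offset += 1
        return offset

    def read(self, offset, max_count=10):
        """Pull up to max_count events at or after offset. Non-destructive:
        any number of consumers can read the same events."""
        return [e for e in self.events if e[0] >= offset][:max_count]

    def offset_at_time(self, t):
        """Seek by time: first offset whose event arrived at or after t."""
        for off, received_at, _ in self.events:
            if received_at >= t:
                return off
        return self.next_offset

    def expire(self, now):
        """Retention (time-to-live) is the only way events leave the stream."""
        before = len(self.events)
        self.events = [e for e in self.events if now - e[1] < self.retention]
        return before - len(self.events)


class Consumer:
    """Each consumer keeps its own checkpoint. Because the hub has no
    dead-letter mechanism, failed events must be handled by the consumer."""

    def __init__(self, name, start_offset=0):
        self.name = name
        self.checkpoint = start_offset
        self.processed = []
        self.failed = []

    def pump(self, hub, handler, batch=5):
        events = hub.read(self.checkpoint, batch)
        for off, _, body in events:
            try:
                handler(body)
                self.processed.append(body)
            except ValueError:
                self.failed.append(body)      # app-level parking, not the hub's
            self.checkpoint = off + 1         # advance regardless, or we'd stall
        return len(events)


def build_sample_hub():
    """Constructed sample stream: four telemetry events, ten seconds apart."""
    hub = EventHubPartitionSim(retention_seconds=3600)
    for t, body in [(0, "temp=20"), (10, "temp=21"), (20, "bad"), (30, "temp=22")]:
        hub.send(body, received_at=t)
    return hub
```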
Things to consider when using Azure Event Hubs
- Consider common implementations
- Consider language and framework integration
- Consider pricing tier and throughput units
- Ingress: Up to 1 MB per second or 1,000 events per second (whichever comes first)
- Egress: Up to 2 MB per second or 4,096 events per second
- Consider pull model benefits
- Consider message failures - set a time-to-live
- Consider data stream access
- Design an event-driven solution (Event Grid)
Azure Event Grid is a fully managed event routing service that runs on Azure Service Fabric
- aggregates all your events and provides routing from any source to any destination; routing can be filtered, e.g. on tags, such as from Blob storage to various topics and then on to a handler
- Events are distributed to handlers like Azure Functions and Azure DevOps Webhooks.
Things to consider when using Azure Event Grid
- Consider multiple services
Azure service | Purpose | Message or Event | Usage scenario |
---|---|---|---|
Azure Event Grid | Reactive programming | Event distribution (discrete) | React to status changes |
Azure Event Hubs | Big data pipeline | Event streaming (series) | Conduct telemetry and distributed data streaming |
Azure Service Bus | High-value enterprise messaging | Message | Fulfill order processing and financial transactions |
- Consider distinct roles for services; give each service the role it fits, e.g.
- An e-commerce site can use Azure Service Bus to process an order
- Azure Event Hubs to capture site telemetry
- Azure Event Grid to respond to events like an item being shipped
- Consider linking services - build a pipeline
- Design a caching solution
Caching is a common technique that aims to improve the performance and scalability of a system: temporary storage for data, so the same resource isn't requested over and over.
Azure Cache for Redis provides an in-memory data store based on the Redis software, and it can be used together with other services such as Azure SQL or Azure Cosmos DB.
Things to consider when using Azure Cache for Redis
Pattern | Scenario | Solution |
---|---|---|
Data cache | client instance repeatedly reads the same data but Databases are often too large to load directly into a cache. | - use the cache-aside pattern to only load data into the cache as needed |
Content cache | Static content such as images and HTML that the server shouldn't have to render every time | - use in-memory cache - Redis Output Cache Provider does this with ASP.NET |
Session store | shopping carts and other user history data | - use an in-memory cache + cookie as a key |
Job and message queuing | Some operations take significant time to complete, which makes clients wait | - Longer running operations are queued to be processed - Redis distributed queue |
Distributed transactions | require a series of commands against a back-end datastore to execute as a single atomic operation | - Redis supports executing a batch of commands as a single transaction |
- Design API integration
Azure API Management is a cloud service platform that lets you publish, secure, maintain, and analyze all your APIs and decouple them from their back ends: the front end doesn't know the destination back end.
- Acts as a facade to backend services by accepting API calls and routing them to appropriate backends
- Verifies API keys and other credentials such as JWT tokens and certificates presented with requests
- Enforces usage quotas and rate limits
- Optionally transforms requests and responses as specified in policy statements
- If configured, caches responses to improve response latency and minimize the load on backend services
- Emits logs, metrics, and traces for monitoring, reporting, and troubleshooting
Similar to API gateways such as Kong.
Things to consider when using Azure API Management
- Consider number of APIs
- Consider rate of API changes - implement API revisions and versions.
- Consider API administration load - policies include usage quotas, call rate limits, request transformations, and request validation
- Consider standardizing disparate APIs - standardize API specs, generate documentation, and create a consistent base URL for ease of use
- Consider centralized API management
- Consider enhanced API security - handled here as well, e.g. authentication / permissions and access / blocking malicious usage, all defined in policies
- Design an automated app deployment solution (infrastructure as code)
- ARM Template
- Azure Bicep - Bicep is used to create ARM templates.
- Azure Automation - cloud-based automation and configuration service that supports consistent management
- Process automation - runbooks (script) graphically in PowerShell or by using Python
- Configuration management - supports change tracking across services, daemons, software, registry, and files in your environment
- Update management - keeps patch levels / features consistent across machines
Other Ref: [AZ-400] Manage infrastructure as code using Azure and DSC / [Azure] Azure Automation Step Note
- Design an app configuration management solution
Azure App Configuration provides a service to centrally manage application settings and feature flags. You can use App Configuration to store all the settings for your application and secure access to them in one place.
Other Ref:
- [AZ-400] Implement a secure continuous deployment using Azure Pipelines
- [AZ-204]: Implement secure cloud solutions
Knowledge check: Design an application architecture
Design Network Solutions
- Recommend a network architecture solution based on workload requirements
network requirements
1. Plan IP addressing for virtual networks
- Plan IP addresses by CIDR carefully, since a private VNet has a maximum of 65,536 addresses
- Don't let address ranges overlap with on-premises, because that causes problems with peering / gateways; there is a NAT workaround, but it is a detour
- Segment into subnets, possibly one per app
Subnet | CIDR | Addresses | Usage |
---|---|---|---|
DEV-FE-EUS2 | 10.245.16.0/22 | 1019 | Front-end or web-tier virtual machines |
DEV-APP-EUS2 | 10.245.20.0/22 | 1019 | Application-tier virtual machines |
DEV-DB-EUS2 | 10.245.24.0/23 | 507 | Database virtual machines |
- You also need to define the VNet - naming / region / subscriptions / segmentation / filtering
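The subnet table above and the two planning rules (no overlap with on-premises, address counts per CIDR) as an added worked check, using only the standard library; this is illustration code added here, not part of the original note. The subnet plan mirrors the table; the VNet range and on-premises ranges are constructed assumptions. The address counts in the table come from Azure reserving 5 addresses in every subnet (network, gateway, two Azure DNS, broadcast).

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: network address, default
# gateway, two for Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5

# Subnet plan copied from the table in the note (name -> CIDR).
SUBNET_PLAN = {
    "DEV-FE-EUS2": "10.245.16.0/22",
    "DEV-APP-EUS2": "10.245.20.0/22",
    "DEV-DB-EUS2": "10.245.24.0/23",
}

# Constructed assumptions for the checks below.
VNET_CIDR = "10.245.0.0/16"
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]


def usable_addresses(cidr):
    """Addresses available to VMs in an Azure subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def find_external_overlaps(plan, external_ranges):
    """(subnet name, external CIDR) pairs that overlap. Any hit here will
    break peering / gateway routing to on-premises."""
    hits = []
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr)
        for ext in external_ranges:
            if net.overlaps(ipaddress.ip_network(ext)):
                hits.append((name, ext))
    return hits


def find_internal_overlaps(plan):
    """Pairs of planned subnets that overlap each other (Azure rejects these)."""
    names = list(plan)
    nets = [ipaddress.ip_network(plan[n]) for n in names]
    return [
        (names[i], names[j])
        for i in range(len(names))
        for j in range(i + 1, len(names))
        if nets[i].overlaps(nets[j])
    ]


def subnets_outside_vnet(plan, vnet_cidr):
    """Planned subnets that do not fit inside the VNet address space."""
    vnet = ipaddress.ip_network(vnet_cidr)
    return [n for n, c in plan.items() if not ipaddress.ip_network(c).subnet_of(vnet)]


def plan_report(plan, vnet_cidr, external_ranges):
    """One-shot summary a reviewer can eyeball before the VNet is created."""
    return {
        "usable": {n: usable_addresses(c) for n, c in plan.items()},
        "external_overlaps": find_external_overlaps(plan, external_ranges),
        "internal_overlaps": find_internal_overlaps(plan),
        "outside_vnet": subnets_outside_vnet(plan, vnet_cidr),
    }


if __name__ == "__main__":
    for k, v in plan_report(SUBNET_PLAN, VNET_CIDR, ON_PREM_RANGES).items():
        print(f"{k}: {v}")
```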
2. Implement hub-spoke network topology
- Recap
- Hub is a VNET that acts as a central point of connectivity
- Spokes are VNETs that connect to the hub virtual network by using peering
- Sample
- Hub VNET: central point of connectivity to on-premises networks
- Spoke VNET: hosts services used by workloads
- Use spoke virtual networks to isolate workloads, with each spoke managed separately from other spokes.
- Configure hub and spoke virtual networks in different resource groups, and even in different subscriptions. When you peer virtual networks in different subscriptions,
Things to consider when defining workload requirements
- Consider segmentation options for your VNET - segment by app / tier / environment
- Consider required interfaces and IP addresses
- Consider network security groups - filter network traffic
- Consider network traffic routing - Azure provides default route tables, but you can customize them
- Design patterns for Azure network connectivity services
Segmentation and Azure Firewall
- Azure Firewall works across both Azure Virtual Network and subscriptions to govern traffic flows by using layer 3 to layer 7 controls
- Single virtual network - create segments by network security groups (NSGs) + application security groups (ASGs)
Compare patterns
Compare | Single virtual network | Multiple networks with peering | Multiple networks in hub-spoke topology |
---|---|---|---|
Connectivity/Routing (how segments communicate) | System routing provides default connectivity to any workload in any subnet. | System routing provides default connectivity to any workload in any subnet. | No default connectivity between spoke virtual networks. A layer 3 router (such as Azure Firewall) in the hub virtual network is required to enable connectivity. |
Network-level traffic filtering | Traffic is allowed by default. NSG can be used for filtering. | Traffic is allowed by default. NSG can be used for filtering. | Traffic between spoke virtual networks is denied by default. Azure Firewall configuration can enable selected traffic, such as windowsupdate.com . |
Centralized logging | NSG logs for the virtual network. | Aggregate NSG logs across all virtual networks. | Azure Firewall logs to Azure Monitor all accepted/denied traffic sent via a hub. |
Unintended open public endpoints | DevOps can accidentally open a public endpoint via incorrect NSG rules. | DevOps can accidentally open a public endpoint via incorrect NSG rules. | An accidentally opened public endpoint in a spoke virtual network won't enable access. The return packet is dropped via stateful firewall (asymmetric routing). |
Application level protection | NSG provides network layer support only. | NSG provides network layer support only. | Azure Firewall supports FQDN filtering for HTTP/S and MSSQL for outbound traffic and across virtual networks. |
- Design outbound connectivity and routing
Azure NAT Gateway (Azure Virtual Network NAT) - fully managed NAT. Business scenarios:
- Support on-demand outbound-to-internet connectivity without pre-allocation
- Configure one or more static public IP addresses for scale
- Enable configurable idle timeout
- Allow TCP reset for unrecognized connections
routing tables and routes
- System routes
- User-defined routes (UDR custom)
- filtering of internet traffic
- Flow traffic between subnets through an NVA
- define route + next hop
- Routes from other virtual networks
- Border Gateway Protocol routes
- Service endpoint routes
- Routing order - longest matching address prefix first; among routes with the same prefix: UDRs > BGP routes > system routes.
- Consider overriding routes. Plan for route overrides to control traffic flow
- Flow through NVA: Configure route tables to force traffic between subnets to flow through an NVA
- Forced tunneling: Force all internet-bound traffic through an NVA, or on-premises, through an Azure VPN gateway
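The route selection rule above (longest prefix match, then UDR > BGP > system) together with the two override patterns (flow through an NVA, forced tunneling), as an added worked example; this is illustration code added here, not anything from the original note or an Azure tool. The route table, subnet and NVA address are constructed assumptions.

```python
import ipaddress

# Tie-break order when candidate routes have the same prefix length (Azure):
# user-defined routes beat BGP routes, which beat system routes.
SOURCE_PRECEDENCE = {"udr": 0, "bgp": 1, "system": 2}

# Constructed effective route table for a spoke subnet 10.1.1.0/24 whose hub
# hosts an NVA at 10.1.254.4 (both values are assumptions for this example).
ROUTES = [
    {"prefix": "10.1.0.0/16",   "source": "system", "next_hop": "VirtualNetwork"},
    {"prefix": "0.0.0.0/0",     "source": "system", "next_hop": "Internet"},
    # Forced tunneling: every internet-bound packet goes to the hub NVA.
    {"prefix": "0.0.0.0/0",     "source": "udr",    "next_hop": "VirtualAppliance 10.1.254.4"},
    # Flow through NVA: traffic to the DB subnet is inspected first.
    {"prefix": "10.1.2.0/24",   "source": "udr",    "next_hop": "VirtualAppliance 10.1.254.4"},
    # On-premises prefix learned from the gateway over BGP ...
    {"prefix": "10.100.0.0/16", "source": "bgp",    "next_hop": "VirtualNetworkGateway"},
    # ... but deliberately black-holed by a UDR with next hop "None".
    {"prefix": "10.100.0.0/16", "source": "udr",    "next_hop": "None"},
]


def select_route(routes, dest_ip):
    """Pick the route Azure would use for dest_ip: longest prefix wins; on a
    tie, the source with the lower precedence value wins."""
    dest = ipaddress.ip_address(dest_ip)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        if dest not in net:
            continue
        key = (net.prefixlen, -SOURCE_PRECEDENCE[r["source"]])
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def next_hop_for(routes, dest_ip):
    r = select_route(routes, dest_ip)
    return r["next_hop"] if r else "no route"


def without_udr(routes, prefix):
    """Route table with one user-defined route removed (to see the override)."""
    return [r for r in routes if not (r["source"] == "udr" and r["prefix"] == prefix)]


if __name__ == "__main__":
    for ip in ["8.8.8.8", "10.1.2.10", "10.1.3.10", "10.100.5.1"]:
        print(ip, "->", next_hop_for(ROUTES, ip))
```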
- Design for on-premises connectivity to Azure Virtual Network
Compare services
Compare | Azure VPN Gateway | Azure ExpressRoute | ExpressRoute + VPN failover | Azure Virtual WAN + hub-spoke |
---|---|---|---|---|
Benefits | - Simple to configure - High bandwidth available (up to 10 Gbps depending on VPN Gateway SKU) | - High bandwidth available (up to 10 Gbps depending on connectivity provider) - Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand (not supported by all connectivity providers) - Enables direct organizational access to national clouds (depends on connectivity provider) | - High availability if ExpressRoute circuit fails (fallback connection on lower bandwidth network | - Reduced operational overhead by replacing existing hubs with fully managed service - Cost savings by using managed service, which removes need for NVA - Improved security via centrally managed secured hubs with Azure Firewall and Virtual WAN - Separates concerns between central IT (SecOps, InfraOps) and workloads (DevOps) |
Challenges | - Requires on-premises VPN device | - Can be complex to set up - Requires working with third-party connectivity provider - Provider responsible for provisioning network connection - Requires high-bandwidth routers on-premises | - Complex to configure - Must set up both VPN connection and ExpressRoute circuit - Requires redundant hardware (VPN appliances) - Requires redundant Azure VPN Gateway connection for which you pay charges | Note: Azure Virtual WAN is designed to reduce previously listed connectivity challenges. |
Scenarios | Hybrid apps with light traffic between on-premises hardware and the cloud Able to trade slightly extended latency for flexibility and processing power of the cloud | Hybrid apps running large-scale, mission-critical workloads that require high degree of scalability | Hybrid apps that require higher bandwidth of ExpressRoute and highly available network connectivity | Connectivity among workloads requires central control and access to shared services Enterprise requires central control over security aspects like a firewall and segregated management for workloads in each spoke |
- Choose an application delivery service
Criteria: Traffic type (http / https / tcp) / Scope (Global / Local) / Availability (SLA) / Features + limits
There is a flow chart for choosing between these services:
Azure Application Gateway is the best choice for a web app that's not internet facing.
- Design for application delivery services
Service | Use-Case |
---|---|
Azure Content Delivery Network | - Implement point-of-presence locations that are close to large clusters of users - Reduce latency, both the transmission delay and the number of router hops - Support Microsoft, Akamai, and Verizon content delivery networks - Use custom domains, file compression, caching, and geo-filtering |
Azure Front Door | - Low latency: Ensure requests are sent to the lowest latency backends - Priority: Support primary and secondary backends Weighted: Distribute traffic by using weight coefficients - Affinity: Ensure requests from the same end user are sent to the same backend - Support WAF and CDN integration for HTTP(S) traffic |
Azure Traffic Manager | - Increase application availability - Improve application performance - Combine hybrid applications - Distribute traffic for complex deployments |
Azure Load Balancer | - Manage inbound and outbound connections - Configure public and internal load-balanced endpoints - Manage service availability by mapping inbound connections to back-end pool destinations (via TCP and HTTP health-probe rules) |
Azure Application Gateway | - Path-based routing - Multiple-site routing |
- Design for application protection services
Service | Use-Case |
---|---|
Azure DDoS Protection | - Protects against DDoS attacks that flood the site with requests - Access multi-layered protection, attack analytics/metrics/alerting |
Azure Private Link | - Keeps traffic off the public internet for PaaS services such as Azure Storage / SQL Database and other services - Integrate with on-premises and peered networks |
Azure Firewall | - inbound protection for non-HTTP/S protocols (such as RDP, SSH, and FTP) - Implement centralized creation, enforcement, logging of application and network connectivity policies - just in time (JIT) access to restrict access to your VM ports |
Azure Web Application Firewall | - protection for your web applications from common web exploits and vulnerabilities - based on the OWASP Top 10, e.g. SQL injection / cross-site scripting |
Azure network security groups (NSGs) | - filter network traffic - Control how Azure routes traffic from subnets; rules are evaluated by priority, and a lower priority number overrides a higher one. You can use a network virtual appliance (NVA) such as Azure Firewall or firewalls from other vendors. |
Azure Virtual Network service endpoints | - https://www.mvpskill.com/kb/vnet-service-endpoint.html |
Azure Bastion | - Jump host for RDP/SSH via the web browser |
Knowledge Check: Design network solutions
Design migrations
- Evaluate migration with the Cloud Adoption Framework
Cloud Adoption Framework - a guideline for moving from on-premises to the cloud, with 3 main steps
- Assess - review what exists today and which constraints apply before moving to the cloud, and decide which migration approach to use
- Deploy - move the assessed workloads to the cloud
- Release - once in the cloud, test and optimize again
- Describe the Azure migration framework
Stage 1: Assess your on-premises environment
- First know what needs to move, how important each system is, and how it relates to the business
- Azure Monitor > Service Map
- Azure Migrate
- Data Migration Assistant (DMA) - for SQL Server / MySQL / PostgreSQL
- Database Migration Service
- Data Migration tool - NoSQL DB
- Identify who is involved
- full inventory and dependency map of your servers, services, and apps
- Estimate your cost using
- Azure TCO Calculator
- Identify appropriate tools and services (see Stage 4)
Migration strategy patterns
- Rehost - lift and shift migration / no changes to the app; uses IaaS such as VMs
- Refactor - repackaging / minor changes; some parts can use cloud services, e.g. move a single DB to a PaaS database
- Rearchitect - restructure the app (the keyword is "cloud native"); rewrite code and adapt it, e.g. move existing Windows code into containers and run it on AKS
- Rebuild - change it outright, e.g. pull parts of the app out into serverless such as Azure Functions
Rehost | Refactor | Rearchitect | Rebuild |
---|---|---|---|
Move workloads quickly to the cloud Move a workload without modifying it For apps designed to take advantage of Azure IaaS scalability after migration When workloads are important to your business, but you don't need immediate changes to app capabilities | Apply innovative DevOps practices provided by Azure Implement a DevOps container strategy for workloads Support portability of your existing code base and available development skills | Your apps need major revisions to incorporate new capabilities Your apps need major revisions to work effectively on a cloud platform Use existing application investments Meet scalability requirements Apply innovative DevOps practices Minimize use of virtual machines | Rapid development Support existing apps with limited functionality and lifespan Expedite business innovation by using DevOps practices Rebuild with new cloud-native technologies like Azure Blockchain Rebuild legacy applications as "no code apps" or "low apps" in the cloud |
Stage 2: Migrate your workloads
- Deploy cloud infrastructure targets - deploy the destination infrastructure
- Migrate workloads
- Decommission on-premises infrastructure - once moved, wind down the old on-premises workload so you don't have to maintain both sides
Stage 3: Optimize your migrated workloads
For the optimization stage, there are three main efforts to focus
- Analyze migration costs for your workloads
- Review recommendations for reducing your costs
- Identify options for improving your workload performance
Tools: Microsoft Cost Management
Stage 4: Monitor your workload
- Use Azure Monitor to review logs / traces / metrics and improve the system
Tools: Advisor / Monitor / Microsoft Sentinel
https://learn.microsoft.com/en-us/training/modules/design-migrations
- Assess your on-premises workloads
There are many tools:
- If there is some budget, use Azure Monitor > Service Map
- VMs - Azure Migrate - Server Assessment tells you what you have and what would suit it, but it needs to collect data for a while to be accurate
Step
- Select a migration tool
Azure Migrate hub tools: The Azure Migrate hub provides access to many migration tools.
Tool | Usage |
---|---|
Azure Migrate: Discovery and assessment: Server Assessment | Discover and assess servers including SQL and web apps |
Azure Migrate: Server Migration | Migrate servers |
SQL Server Data Migration Assistant (DMA) | Assess SQL Server databases for migration to Azure SQL Database, Azure SQL Managed Instance, or Azure virtual machines running SQL Server |
Azure Database Migration Service | Migrate on-premises databases to Azure virtual machines running SQL Server, Azure SQL Database, or SQL Managed Instances |
Web app migration assistant | Assess on-premises web apps and migrate them to Azure |
Azure Data Box | Migrate offline data |
Azure Resource Mover is a tool that helps move your Azure resources between subscriptions, resource groups, and regions
- Migrate your structured data in databases
Azure Database Migration Service is part of Azure Migrate; the supported databases are shown in the diagram. It has 2 modes, online / offline, and 3 main steps:
- Assess databases
- Migrate schema
- Migrate data and verify
- Select an online storage migration tool for unstructured data
Azure Storage Migration Service - migrates unstructured data from on-premises file servers to Azure Files / Azure VMs in 3 steps
- Inventory servers - check what exists; pick the servers / failover clusters that hold the files
- Transfer data
- Use Windows Admin Center on the machine running the Migration Service
- During the transfer the source server enters a maintenance state; users / apps can't access it
- Cut over (optional) - switch to the new server; the source machine stays read-only during the migration
Azure File Sync - a service that syncs files
- Azure File Sync to cache Azure file shares on Windows Server (SMB, NFS, and FTPS)
- Azure Disks as back-end storage - use Azure File Sync with Azure Files / an Azure VM file server
- Within the same region, cloud tiering helps ensure minimal duplication of data
- Migrate offline data
Compare | Azure Import/Export | Azure Data Box |
---|---|---|
Note | Windows required, BitLocker. Use cases - Migration - Backup - Recovery - Distribution | Very large data sets |
Form factor | Internal SATA HDDs or SDDs | Secure, tamper-proof, single hardware appliance |
Microsoft manages shipping logistics | No | Yes |
Integrates with partner products | No | Yes |
Custom appliance | No | Yes |
Knowledge check: Design migrations