A resource tag consists of a name and a value. You can assign one or more tags to each Azure resource.
Name: Value
AppName: The name of the application that the resource is part of.
CostCenter: The internal cost center code.
Owner: The name of the business owner who’s responsible for the resource.
Environment: An environment name, such as “Prod,” “Dev,” or “Test.”
Impact: How important the resource is to business operations, such as “Mission-critical,” “High-impact,” or “Low-impact.”
Here’s an example that shows these tags as they’re applied to a virtual machine during provisioning.
You can run queries, for example, from PowerShell or the Azure CLI, to list all resources that contain these tags.
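As an added example (not code from the original page), the following Azure PowerShell script applies the five tags from the table above to a resource group at provisioning time and to an existing VM, then queries by tag and audits for resources that lack the required Owner tag. The resource group, VM name, location and tag values are placeholders.

```powershell
# Added example, not from the original page. Assumes the Az.Resources module is
# installed and Connect-AzAccount has already been run. The resource group, VM
# name, location and tag values are placeholders.
$rgName = 'rg-gallery-prod'
$vmName = 'vm-gallery-01'

# The standard tag set from the table above.
$tags = @{
    AppName     = 'ProductGallery'
    CostCenter  = 'CC-1234'
    Owner       = 'Jane Doe'
    Environment = 'Prod'
    Impact      = 'High-impact'
}

# Tags applied at provisioning time: the resource group is created with the set.
New-AzResourceGroup -Name $rgName -Location 'eastus' -Tag $tags | Out-Null

# For a VM that already exists in the group, merge the same tags onto it
# (Merge keeps any tags the VM already has and adds or updates these).
$vm = Get-AzResource -ResourceGroupName $rgName -Name $vmName `
    -ResourceType 'Microsoft.Compute/virtualMachines'
Update-AzTag -ResourceId $vm.ResourceId -Tag $tags -Operation Merge | Out-Null

# Query: every resource in the subscription tagged Environment=Prod.
Get-AzResource -TagName 'Environment' -TagValue 'Prod' |
    Select-Object Name, ResourceType, ResourceGroupName |
    Format-Table -AutoSize

# Audit: resources with no Owner tag at all, which the tag set above requires.
# Untagged resources have no owner to contact during an incident, so they
# are worth listing regularly.
Get-AzResource |
    Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey('Owner') } |
    Select-Object Name, ResourceType, ResourceGroupName
```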
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.
A resource lock prevents resources from being accidentally deleted or changed.
You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.
To view, add, or delete locks in the Azure portal, go to the Locks entry in the Settings section of the resource’s pane.
Here’s an example that shows how to add a resource lock from the Azure portal. You’ll apply a similar resource lock in the next part.
You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly.
Resource locks apply regardless of RBAC permissions.
To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.
Here are some examples of what you can do with Azure role-based access control (RBAC):
Allow one user to manage VMs in a subscription and another user to manage virtual networks.
Allow a database administrator group to manage SQL databases in a subscription.
Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
Allow an application to access all resources in a resource group.
Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.
You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application.
RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.
The following screenshot shows an example of the Access control (IAM) pane for a resource group. In this example, Alain Charon has been assigned the Backup Operator role for this resource group.
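As an added example (not code from the original page) tying the lock and RBAC sections together: the script assigns the Contributor role at resource-group scope, lists the assignments as the Access control (IAM) pane would show them, adds a CanNotDelete lock, and then shows that a delete attempt fails even for the account running the script. The resource group, user sign-in name and lock name are placeholders.

```powershell
# Added example, not from the original page. Assumes Az.Resources is installed and
# Connect-AzAccount has been run as a user with Owner rights on the subscription.
# The resource group, user and lock names are placeholders.
$rgName  = 'rg-gallery-prod'
$userUpn = 'alain.charon@contoso.example'   # placeholder sign-in name

# RBAC: grant the Contributor role at resource-group scope. Contributor can
# create, change and delete resources in the group but cannot manage locks
# or role assignments (those need Owner or User Access Administrator).
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Contributor' `
    -ResourceGroupName $rgName | Out-Null

# List who has access at this scope and with which role.
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Lock: CanNotDelete still allows changes but blocks deletion of the group and
# everything in it. The lock applies regardless of the caller's RBAC role.
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rgName `
    -LockNotes 'Production gallery; remove the lock before decommissioning' `
    -Force | Out-Null

# Even the Owner running this script cannot delete the group while the lock
# exists; the lock has to be removed first, which is a separate, auditable step.
try {
    Remove-AzResourceGroup -Name $rgName -Force -ErrorAction Stop
} catch {
    Write-Host "Delete blocked by lock: $($_.Exception.Message)"
}

# Show the lock that caused the refusal (level and notes are under Properties).
Get-AzResourceLock -ResourceGroupName $rgName | Format-List Name, Properties
```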
I am looking at taking our product page gallery and hosting it under multiple domains but keeping it with one app service so it is easy to deploy updates across these multiple domains. The code for this site would handle the UI change based on the domain.
Would hosting a simple app service and just adding multiple CNAME records be the best option for this? How many CNAME records can you have for one app service and how many SSL certificates?
I understand how to add multiple domains to a web app. What if I have, say, 100+ other company domains that I want to reference to the same web app? These companies would create their own subdomains to point to this website; the example is.
I would assume I would need to host a separate SSL for each company and connect each CNAME. I am more just concerned I would hit a block after so many of these added to the same web app or wondering if there is a better option I should use in Azure if anyone knows of.
Azure App Service allows 500 custom domains per app; that will be over this limit.
There are two core purchasing models when creating an Azure SQL database as a PaaS service: DTU and vCore.
DTU is a blend of CPU, memory, reads and writes. A database with 5 DTU will perform better than a database with 1 DTU.
vCore is more robust and feels similar to on-prem environments; here you get to choose the number of cores.
Databases have varying requirements depending on the workload. Microsoft offers three different instance options:
Single Database deployment
This hosting option creates a single database deployment, with dedicated management via a SQL Database server. Being single, each database is fully isolated and portable across the Azure platform.
A single database can also be moved in and out of an elastic pool, allowing better resource distribution across multiple database instances.
This instance uses the DTU purchasing model for billing. A DTU is the convergence of vCores, RAM and IOPS into a standardized measure for benchmarking and billing database instances. You can estimate the cost with the DTU calculator.
Single instances are best suited to businesses running applications that require a resource guarantee at the database level.
Elastic pool
An elastic pool offers a convenient, cost-effective option for maintaining multiple databases. With multiple databases, there is some unpredictability in how much computational power each one needs. For this reason, pooled resources can offer better performance and value for money.
There are four service tiers, but I only looked at two: Serverless and DTU.
Serverless
The serverless compute tier for a single database is an autoscaling and auto-pause service. The cost is the sum of compute and storage.
Auto-pausing is triggered if the number of sessions = 0 or CPU = 0 for the user workload running in the user pool. Auto-resuming is triggered when a user logs in. The auto-pause delay can be 1 hour; the maximum is 7 days.
This is only supported in the General Purpose tier on Gen5 hardware in the vCore purchasing model.
This tier is price-performance optimized for intermittent, unpredictable usage patterns that can afford some delay in compute warm-up after idle periods.
DTU (Database Transaction Units)
The most common option is a single database. DTU is a blend of CPU, memory, reads and writes, and a database with 5 DTUs will perform 5 times better than a database with just 1 DTU. When selecting a DTU size, a typical conversation between a developer and an IT pro goes like this:
Developer: I’d like a database server.
IT Pro: OK, how much CPU do you need?
Developer: Average… whatever the normal is.
IT Pro: Uh… OK, how many IOPS do you need?
Developer: What’s IOPS?
In the end, either too many or too few resources are provided and no one is happy. DTUs take the metrics that determine the performance of a database and mush them together into a single measure that we can use to abstract and compare performance.
What should I choose for dev/test?
We may be able to run our dev/test databases on the Basic tier (5 DTU, $5/month) or the Standard S0 tier (10 DTU, $15/month), or maybe it would make more sense to put them all in a 50 DTU elastic pool ($112/month). For production we’ll probably start out with a Standard S3 for our main DB and a Standard S0 or S1 for our auditing DB. Then, depending on the loads, we can scale them back or possibly put them in an elastic pool together.
The Basic tier is incredibly limited. It’s good for occasional/casual use, and it’s a cheap way to “park” your database when you aren’t using it. But if you’re running any real application, the Basic tier isn’t going to work for you.
The Standard tier is pretty limited, too, but for small applications it’s capable of meeting your needs. If you have a 2-core server running a handful of databases, then those databases individually might fit into the Standard tier. Similarly, if you have a server with only one database running 1 CPU core at 100% (or 2 cores at 50%), that is probably just enough horsepower to tip the scale into the Premium P1 service tier.
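As an added example (not code from the original page) covering both the serverless section and the dev/test sizing discussion above, this Azure PowerShell script provisions the options the text discusses: a Standard S0 single database, a 50 DTU elastic pool, a serverless General Purpose Gen5 database with a 1-hour auto-pause delay, and a Standard S3 for production. The resource group, server and database names are placeholders, and the logical server is assumed to exist already.

```powershell
# Added example, not from the original page. Assumes Az.Sql is installed,
# Connect-AzAccount has been run, and the logical SQL server already exists.
# Names are placeholders; the tiers and sizes are the ones discussed above.
$rgName = 'rg-gallery-prod'
$server = 'sql-gallery-01'   # placeholder logical server name

# Dev/test: a Standard S0 single database (10 DTU) on the DTU purchasing model.
New-AzSqlDatabase -ResourceGroupName $rgName -ServerName $server `
    -DatabaseName 'gallery-dev' -Edition 'Standard' `
    -RequestedServiceObjectiveName 'S0' | Out-Null

# Dev/test alternative: a 50 DTU Standard elastic pool shared by several small
# databases, each capped at 10 DTU so one noisy database cannot starve the rest.
New-AzSqlElasticPool -ResourceGroupName $rgName -ServerName $server `
    -ElasticPoolName 'pool-dev' -Edition 'Standard' -Dtu 50 `
    -DatabaseDtuMin 0 -DatabaseDtuMax 10 | Out-Null

# A single database can be moved into (or out of) the pool later.
Set-AzSqlDatabase -ResourceGroupName $rgName -ServerName $server `
    -DatabaseName 'gallery-dev' -ElasticPoolName 'pool-dev' | Out-Null

# Serverless: vCore purchasing model, General Purpose tier, Gen5 hardware (the
# combination the text says serverless supports). Compute scales between 0.5
# and 2 vCores, and the database auto-pauses after 60 idle minutes (the
# 1-hour delay mentioned above); billing is compute plus storage.
New-AzSqlDatabase -ResourceGroupName $rgName -ServerName $server `
    -DatabaseName 'gallery-serverless' -ComputeModel 'Serverless' `
    -Edition 'GeneralPurpose' -ComputeGeneration 'Gen5' -VCore 2 `
    -MinimumCapacity 0.5 -AutoPauseDelayInMinutes 60 | Out-Null

# Production: Standard S3 for the main database.
New-AzSqlDatabase -ResourceGroupName $rgName -ServerName $server `
    -DatabaseName 'gallery-prod' -Edition 'Standard' `
    -RequestedServiceObjectiveName 'S3' | Out-Null

# Review what was provisioned: edition and service objective per database.
Get-AzSqlDatabase -ResourceGroupName $rgName -ServerName $server |
    Select-Object DatabaseName, Edition, CurrentServiceObjectiveName, ElasticPoolName |
    Format-Table -AutoSize
```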
What is DTU? A simple way to understand DTU is this:
When we build a SQL Server box, we go with a CPU count, some amount of RAM, and a storage configuration with enough IOPS for the workload. When you jump to Azure, it’s called DTU. DTU is a blend of CPU, memory, and storage (reads and writes). A database with 5 DTU will perform better than a database with 1 DTU.