
CLOUD NETWORK AND SECURITY SERVICES
GOOGLE, AMAZON, AZURE

JYOTI TIWARI
17BCE1135
DIGITAL ASSIGNMENT-1

Overview
This overview is designed to help you understand the overall landscape of Google
Cloud Platform (GCP). Here, you'll take a brief look at some of the commonly used
features and get pointers to documentation that can help you go deeper. Knowing
what's available and how the parts work together can help you make decisions
about how to proceed. You'll also get pointers to some tutorials that you can use to
try out GCP in various scenarios.

GCP resources
GCP consists of a set of physical assets, such as computers and hard disk drives,
and virtual resources, such as virtual machines (VMs), that are contained in
Google's data centers around the globe. Each data center location is in a global
region. Regions include Central US, Western Europe, and East Asia. Each region is
a collection of zones, which are isolated from each other within the region. Each
zone is identified by a name that combines a letter identifier with the name of the
region; for example, us-central1-a is zone a of the us-central1 region.

This distribution of resources provides several benefits, including redundancy in
case of failure and reduced latency by locating resources closer to clients. This
distribution also introduces some rules about how resources can be used together.

Accessing resources through services


In cloud computing, what you might be used to thinking of as software and hardware
products become services. These services provide access to the underlying
resources. The list of available GCP services is long, and it keeps growing. When
you develop your website or application on GCP, you mix and match these services
into combinations that provide the infrastructure you need, and then add your code
to enable the scenarios you want to build.

Global, regional, and zonal resources


Some resources can be accessed by any other resource, across regions and zones.
These global resources include preconfigured disk images, disk snapshots, and
networks. Some resources can be accessed only by resources that are located in
the same region. These regional resources include static external IP addresses.
Other resources can be accessed only by resources that are located in the same
zone. These zonal resources include VM instances, their machine types, and disks.
The following diagram shows the relationship between global scope, regions and
zones, and some of their resources:

The scope of an operation varies depending on what kind of resources you're
working with. For example, creating a network is a global operation because a
network is a global resource, while reserving an IP address is a regional operation
because the address is a regional resource.

As you start to optimize your GCP applications, it's important to understand how
these regions and zones interact. For example, even if you could, you wouldn't want
to attach a disk in one region to a computer in a different region, because the latency
you'd introduce would make for very poor performance. GCP won't let you do that: a
disk can only be attached to a VM instance in the same zone.
Depending on the level of self-management required for the computing and hosting
service you choose, you might or might not need to think about how and where
resources are allocated.
For more information about the geographical distribution of GCP, see Geography
and Regions.

Ways to interact with the services


GCP gives you three basic ways to interact with the services and resources.

Google Cloud Platform Console


The Google Cloud Platform Console provides a web-based, graphical user interface
that you can use to manage your GCP projects and resources. When you use the
GCP Console, you create a new project, or choose an existing project, and use the
resources that you create in the context of that project. You can create multiple
projects, so you can use projects to separate your work in whatever way makes
sense for you. For example, you might start a new project if you want to make sure
only certain team members can access the resources in that project, while all team
members can continue to access resources in another project.
Command-line interface
If you prefer to work in a terminal window, the Google Cloud SDK provides
the gcloud command-line tool, which gives you access to the commands you need.
The gcloud tool can be used to manage both your development workflow and your
GCP resources. See the gcloud reference for the complete list of available
commands.
GCP also provides Cloud Shell, a browser-based, interactive shell environment for
GCP. You can access Cloud Shell from the GCP console. Cloud Shell provides:
 A temporary Compute Engine virtual machine instance.
 Command-line access to the instance from a web browser.
 A built-in code editor.
 5 GB of persistent disk storage.
 Pre-installed Google Cloud SDK and other tools.
 Language support for Java, Go, Python, Node.js, PHP, Ruby and .NET.
 Web preview functionality.
 Built-in authorization for access to GCP Console projects and resources.

CLOUD NETWORKING PRODUCTS


 A Fast, High Performance Global Network
Google's high-quality private network connects our regional locations to more than
100 global network points of presence close to your users. Google Cloud Platform
also uses state-of-the-art software-defined networking and distributed systems
technologies to host and deliver your services around the world. Google global VPC
leverages the Google-owned global high-speed network to link your applications
across regions, privately and reliably. When every millisecond of latency counts,
Google ensures that your content is delivered with the highest throughput, thanks to
innovations like the BBR congestion control algorithm.

 Manage Networking For Your Resources


With Google Virtual Private Cloud (VPC) Network, you can provision your Google
Cloud Platform resources, connect them to each other using the Google-owned
global network, and isolate them from one another. You can also define fine-grained
networking policies spanning Cloud Platform, on-premises, or other public cloud
infrastructure. VPC Network is a comprehensive set of Google-managed networking
capabilities, including granular IP address range selection, routes, firewall rules, Virtual
Private Network (VPN), and Cloud Router.

 Worldwide Autoscaling and Load Balancing


Scale your applications on Google Compute Engine from zero to full throttle with
Google Cloud Load Balancing, with no pre-warming needed. Distribute your load-
balanced compute resources in single or multiple regions, close to your users and to
meet your high availability requirements. Cloud Load Balancing can put your
resources behind a single anycast IP and scale your resources up or down with
intelligent autoscaling. Cloud Load Balancing comes in a variety of flavors and is
integrated with Google Cloud CDN for optimal application and content delivery.

 Highly Available Global DNS Network


Google Cloud DNS is a scalable, reliable and managed authoritative Domain
Name System (DNS) service running on the same infrastructure as Google. It has
low latency, high availability and is a cost-effective way to make your applications and
services available to your users. Cloud DNS translates requests for domain names
like www.google.com into IP addresses like 74.125.29.101. Cloud DNS is
programmable: you can publish and manage millions of DNS zones and
records using the web user interface, the command-line interface or the API.

 Fast, High Availability Interconnect


Google Cloud Interconnect allows Cloud platform customers to connect to Google
via enterprise-grade connections with higher availability and/or lower latency than
their existing Internet connections. Connections are offered by Carrier Interconnect
service provider partners, and may offer higher SLAs than standard Internet
connections. Google also supports direct connections to its network through direct
peering. Customers who cannot meet Google at its peering locations, or do not meet
peering requirements, may benefit from Carrier Interconnect.

 Content Delivery Network


Google Cloud CDN leverages Google's globally distributed edge caches to
accelerate content delivery for websites and applications served out of Google
Compute Engine. Cloud CDN lowers network latency, offloads origins, and reduces
serving costs. Once you've set up HTTP(S) Load Balancing, simply enable Cloud
CDN with a single checkbox.

GOOGLE SECURITY OVERVIEW


Deploy on an infrastructure protected by top experts in information, application, and
network security.
Google Security Model
The Google security model is an end-to-end process, built on over 15 years of
experience focused on keeping customers safe on Google applications like Gmail,
Search and other Apps. With Google Cloud Platform your applications and data take
advantage of the same security model. Read more about our security model in
our Security, Infrastructure Security Design Overview, Encryption at
Rest, Encryption in Transit and Application Layer Transport Security whitepapers.

Information Security Team

At the center of the Google security model is our Information Security Team
consisting of top experts in information, application, and network security. This team
is tasked with maintaining the company’s defense systems, developing security
review processes, building security infrastructure and implementing Google’s
security policies. Their notable achievements include: discovering the Heartbleed
vulnerability, starting a reward program for reporting software security issues, and
implementing an “SSL by default” policy at Google.

Data Center Physical Security


Google data centers feature a layered security model, including safeguards like
custom-designed electronic access cards, alarms, vehicle access barriers, perimeter
fencing, metal detectors, and biometrics. The data center floor features laser beam
intrusion detection.

Our data centers are monitored 24/7 by high-resolution interior and exterior cameras
that can detect and track intruders. Access logs, activity records, and camera
footage are reviewed in case an incident occurs. Data centers are also routinely
patrolled by experienced security guards who have undergone rigorous background
checks and training. Fewer than one percent of Googlers will ever set foot in one of
our data centers.
Server and Software Stack Security
At Google, we run tens of thousands of identical, custom-built servers. We've built
everything from hardware and networking to the custom Linux software stack with
security in mind. Homogeneity, combined with ownership of the entire stack, greatly
reduces our attack surface and allows us to react to threats faster.

Trusted Server Boot


The only way to protect the boot process of a server is to secure it with an entity that
can be trusted to always behave in an expected manner. Google has purpose-built a
security chip called Titan to provide this root of trust. Titan enables the verification of
the system firmware and software components, and establishes a strong, hardware-
rooted system identity.

Data Encryption
Cloud Platform services always encrypt customer content that is stored at rest, with
a few minor exceptions. Encryption is automatic, and no customer action is required.
One or more encryption mechanisms are used. For example, any new data stored in
persistent disks is encrypted under the 256-bit Advanced Encryption Standard
(AES-256), and each encryption key is itself encrypted with a regularly rotated set of
master keys. The same encryption and key management policies, cryptographic
libraries, and root of trust used for your data in Google Cloud Platform are used by
many of Google’s production services, including Gmail and Google’s own corporate
data.
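The envelope scheme the paragraph describes, as an added example rather than Google's own code: each stored object gets its own data encryption key (DEK), the DEK is encrypted (wrapped) under a master key (KEK), and rotating the master key only re-wraps the DEK while the bulk ciphertext stays untouched. It uses Go's standard-library AES-256-GCM. The Envelope type, the function names and the key identifiers are assumptions made for this example, and both keys are generated in memory rather than fetched from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what gets stored: the ciphertext plus the object's DEK, wrapped under the KEK named by KEKID.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// random returns n bytes from the OS CSPRNG; a failure there is not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext shorter than the %d-byte nonce", n)
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt makes a DEK for this object, encrypts the data under it, then wraps the DEK
// under the KEK. The KEK ID goes in as AAD, so a wrapped DEK cannot be re-labelled.
func Encrypt(kekID string, kek, plaintext []byte) (*Envelope, error) {
	dek := random(32)
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the master key, then decrypts the data.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	return unseal(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new master key; the bulk ciphertext is reused unchanged.
func RotateKEK(oldKEK []byte, newKEKID string, newKEK []byte, env *Envelope) (*Envelope, error) {
	dek, err := unseal(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: newKEKID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek1, kek2 := random(32), random(32)
	env, _ := Encrypt("kek-v1", kek1, []byte("block 0 of a persistent disk"))
	rotated, _ := RotateKEK(kek1, "kek-v2", kek2, env)
	pt, err := Decrypt(kek2, rotated)
	fmt.Printf("new KEK: %q err=%v\n", pt, err)
	_, err = Decrypt(kek1, rotated) // the retired master key no longer unwraps the DEK
	fmt.Println("old KEK:", err)
}
```

Two points the paragraph leaves implicit are visible here: rotation is cheap because only the small wrapped DEK is rewritten, however large the data is, and once the old KEK is retired it can no longer open anything, so access is revoked at the master-key layer without re-encrypting the data. Binding the KEK ID into the wrap's AAD also means a stored envelope cannot be pointed at a different master key without the authentication tag failing.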
Operating System and Application Patches
Google Compute Engine and Google Kubernetes Engine run your workloads on virtual
machines (VMs). If you use these services in your projects, it is your
responsibility to keep the guest operating system and the applications on those VMs
up to date with the latest security patches. Google maintains and patches the host
environment underneath them.

User and Credential Management

Google Cloud Platform lets you grant permissions at the project level. Give team
members only the least-privileged access they need.
CLOUD NETWORK AND
SECURITY SERVICES

What Is Cloud Computing?

Cloud computing is the on-demand delivery of compute power, database storage,
applications, and other IT resources through a cloud services platform via the
Internet with pay-as-you-go pricing. Whether you are running applications that share
photos with millions of mobile users or you're supporting the critical operations of your
business, a cloud services platform provides rapid access to flexible and low-cost IT
resources. The term combines Internet-based ("cloud") development and use of
computer technology ("computing"); it is a general term for anything that involves
delivering hosted services over the Internet, and describes both a platform and a type
of application. Cloud applications use large data centers and powerful servers that host
web applications and web services. Anyone with a suitable Internet connection and a
standard browser can access a cloud application.
Types of clouds
There are different types of clouds that you can subscribe to depending on your
needs. As a home user or small business owner, you will most likely use public
cloud services.
 Public Cloud - A public cloud can be accessed by any subscriber with an
internet connection and access to the cloud space.
 Private Cloud - A private cloud is established for a specific group or organization
and limits access to just that group.
 Community Cloud - A community cloud is shared among two or more
organizations that have similar cloud requirements.
 Hybrid Cloud - A hybrid cloud is essentially a combination of at least two clouds,
where the clouds included are a mixture of public, private, or community.

BENEFITS OF CLOUD COMPUTING

 Cloud technology is paid for incrementally, saving organizations money.
 Organizations can store more data than on private computer systems.
 IT personnel no longer need to worry about keeping software up to date.
 Cloud computing offers much more flexibility than past computing methods.
 Employees can access information wherever they are, rather than having to
remain at their desks.
 No longer having to worry about constant server updates and other computing
issues, government organizations will be free to concentrate on innovation.
 Decoupling and separation of the business service from the infrastructure
needed to run it.
 Flexibility to choose multiple vendors that provide reliable and scalable business
services, development environments, and infrastructure that can be leveraged
out of the box and billed on a metered basis, with no long-term contracts.
TECHNICAL BENEFITS OF CLOUD COMPUTING
 Automation - "Scriptable infrastructure": You can create repeatable build and
deployment systems by leveraging programmable (API-driven) infrastructure.
 Auto-scaling - You can scale your applications up and down to match
unexpected demand without any human intervention. Auto-scaling encourages
automation and drives more efficiency.
 Proactive Scaling - Scale your application up and down to meet your anticipated
demand, with proper planning and an understanding of your traffic patterns, so that
you keep your costs low while scaling.
 Improved Testability - Never run out of hardware for testing. Inject and
automate testing at every stage of the development process. You can spin up
an "instant test lab" with preconfigured environments only for the duration of the
testing phase.
 Disaster Recovery and Business Continuity - The cloud provides a lower-cost
option for maintaining a fleet of DR servers and data storage. With the cloud, you
can take advantage of geo-distribution and replicate the environment in another
location within minutes.

Cloud Computing Models :-


Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) contains the basic building blocks for cloud IT and
typically provides access to networking features, computers (virtual or on dedicated
hardware), and data storage space. IaaS provides you with the highest level of
flexibility and management control over your IT resources and is most similar to the
existing IT resources that many IT departments and developers are familiar with
today.

Platform as a Service (PaaS)


Platform as a Service (PaaS) removes the need for your organization to manage the
underlying infrastructure (usually hardware and operating systems) and allows you
to focus on the deployment and management of your applications. This helps you be
more efficient as you don’t need to worry about resource procurement, capacity
planning, software maintenance, patching, or any of the other undifferentiated heavy
lifting involved in running your application.
Software as a Service (SaaS)
Software as a Service (SaaS) provides you with a completed product that is run and
managed by the service provider. In most cases, people referring to Software as a
Service are referring to end-user applications. With a SaaS offering you do not have
to think about how the service is maintained or how the underlying infrastructure is
managed; you only need to think about how you will use that particular piece of
software. A common example of a SaaS application is web-based email which you
can use to send and receive email without having to manage feature additions to the
email product or maintain the servers and operating systems that the email program
is running on.
WHAT IS DRIVING CLOUD COMPUTING?
Cloud computing is being driven from two directions:
• the customer perspective
• the vendor perspective

CUSTOMER PERSPECTIVE
 Faster, simpler, and cheaper to use cloud computation.
 No upfront capital required for servers and storage.
 No ongoing operational expenses for running a data center.
 Applications can be run from anywhere.

VENDOR PERSPECTIVE
 Easier for application vendors to reach new customers.
 Lowest-cost way of delivering and supporting applications.
 Ability to use commodity server and storage hardware.

AMAZON EC2 FUNCTIONALITY
Amazon EC2 presents a true virtual computing environment, allowing you to use
web service interfaces to launch instances with a variety of operating systems, load
them with your custom application environment, manage your network's access
permissions, and run your image using as many or as few systems as you desire.
To use Amazon EC2, you simply:
 Select a pre-configured, template image to get up and running immediately. Or
create an Amazon Machine Image (AMI) containing your applications, libraries,
data, and associated configuration settings.
 Configure security and network access on your Amazon EC2 instance.
 Choose which instance type(s) and operating system you want, then start,
terminate, and monitor as many instances of your AMI as needed, using the web
service APIs or the variety of management tools provided.
 Determine whether you want to run in multiple locations, utilize static IP
endpoints, or attach persistent block storage to your instances.
 Pay only for the resources that you actually consume, like instance-hours or data
transfer.

SERVICES
ELASTIC
Amazon EC2 enables you to increase or decrease capacity within minutes, not
hours or days. You can commission one, hundreds or even thousands of server
instances simultaneously. Of course, because this is all controlled with web service
APIs, your application can automatically scale itself up and down depending on its
needs. You have the choice of multiple instance types, operating systems, and
software packages. Amazon EC2 allows you to select a configuration of memory,
CPU, instance storage, and the boot partition size that is optimal for your choice of
operating system and application.
RELIABLE
Amazon EC2 offers a highly reliable environment where replacement instances can
be rapidly and predictably commissioned. The service runs within Amazon’s proven
network infrastructure and datacenters. The Amazon EC2 Service Level Agreement
commitment is 99.95% availability for each Amazon EC2 Region.
SECURE
Amazon EC2 provides numerous mechanisms for securing your compute
resources. Amazon EC2 includes web service interfaces to configure firewall
settings that control network access to and between groups of instances. When
launching Amazon EC2 resources within Amazon Virtual Private Cloud (Amazon
VPC), you can isolate your compute instances by specifying the IP range you wish
to use, and connect to your existing IT infrastructure using industry-standard
encrypted IPsec VPN.
INEXPENSIVE
Amazon EC2 passes on to you the financial benefits of Amazon's scale. You pay a
very low rate for the compute capacity you actually consume. See Amazon EC2
Instance Purchasing Options for a more detailed description.

Cloud Computing Deployment Models


Cloud
A cloud-based application is fully deployed in the cloud and all parts of the
application run in the cloud. Applications in the cloud have either been created in the
cloud or have been migrated from an existing infrastructure to take advantage of the
benefits of cloud computing. Cloud-based applications can be built on low-level
infrastructure pieces or can use higher level services that provide abstraction from
the management, architecting, and scaling requirements of core infrastructure.
Hybrid
A hybrid deployment is a way to connect infrastructure and applications between
cloud-based resources and existing resources that are not located in the cloud. The
most common method of hybrid deployment is between the cloud and existing
on-premises infrastructure, to extend and grow an organization's infrastructure into
the cloud while connecting cloud resources to the internal system. For more
information on how AWS can help you with your hybrid deployment, see the AWS
hybrid page.
On-premises
The deployment of resources on-premises, using virtualization and resource
management tools, is sometimes called the "private cloud." On-premises
deployment doesn't provide many of the benefits of cloud computing but is
sometimes sought for its ability to provide dedicated resources. In most cases this
deployment model is the same as legacy IT infrastructure while using application
management and virtualization technologies to try and increase resource utilization.
Security and Compliance
Security
Cloud security at AWS is the highest priority. As an AWS customer, you will benefit
from a data center and network architecture built to meet the requirements of the
most security-sensitive organizations. Security in the cloud is much like security in
your on-premises data centers, only without the costs of maintaining facilities and
hardware. In the cloud, you don't have to manage physical servers or storage
devices. Instead, you use software-based security tools to monitor and protect the
flow of information into and out of your cloud resources.
Benefits of AWS Security
 Keep Your Data Safe: The AWS infrastructure puts strong safeguards in place to
help protect your privacy. All data is stored in highly secure AWS data centers.
 Meet Compliance Requirements: AWS manages dozens of compliance
programs in its infrastructure. This means that segments of your compliance have
already been completed.
 Save Money: Cut costs by using AWS data centers. Maintain the highest
standard of security without having to manage your own facility.
 Scale Quickly: Security scales with your AWS Cloud usage. No matter the size
of your business, the AWS infrastructure is designed to keep your data safe.

Compliance

AWS Cloud Compliance enables you to understand the robust controls in place
at AWS to maintain security and data protection in the cloud. As systems are
built on top of AWS Cloud infrastructure, compliance responsibilities are
shared. By tying together governance-focused, audit-friendly service features with
applicable compliance or audit standards, AWS Compliance enablers build on
traditional programs. This helps customers to establish and operate in an AWS
security control environment.
The IT infrastructure that AWS provides to its customers is designed and
managed in alignment with best security practices and a variety of IT security
standards. The following is a partial list of assurance programs with which AWS
complies:

 SOC 1/ISAE 3402, SOC 2, SOC 3
 FISMA, DIACAP, and FedRAMP
 PCI DSS Level 1
 ISO 9001, ISO 27001, ISO 27018

AWS provides customers a wide range of information on its IT control
environment in whitepapers, reports, certifications, accreditations, and other third-
party attestations.
NETWORKING
Azure networking
Azure provides a variety of networking capabilities that can be used together or separately. The
key capabilities are:

 Connectivity between Azure resources: Connect Azure resources together in a secure, private virtual
network in the cloud.
 Internet connectivity: Communicate to and from Azure resources over the Internet.
 On-premises connectivity: Connect an on-premises network to Azure resources through a virtual
private network (VPN) over the Internet, or through a dedicated connection to Azure.
 Load balancing and traffic direction: Load balance traffic to servers in the same location and direct
traffic to servers in different locations.
 Security: Filter network traffic between network subnets or individual virtual machines (VM).
 Routing: Use default routing or fully control routing between your Azure and on-premises resources.
 Manageability: Monitor and manage your Azure networking resources.
 Deployment and configuration tools: Use a web-based portal or cross-platform command-line tools
to deploy and configure network resources.

Connectivity between Azure resources


Azure resources such as Virtual Machines, Cloud Services, Virtual Machines Scale Sets, and Azure
App Service Environments can communicate privately with each other through an Azure Virtual
Network (VNet). A VNet is a logical isolation of the Azure cloud dedicated to your subscription.
You can implement multiple VNets within each Azure subscription and Azure region. Each VNet is
isolated from other VNets. For each VNet you can:

 Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure
assigns resources connected to the VNet a private IP address from the address space you assign.
 Segment the VNet into one or more subnets and allocate a portion of the VNet address space to each
subnet.
 Use Azure-provided name resolution or specify your own DNS server for use by resources connected
to a VNet.

To learn more about the Azure Virtual Network service, read the Virtual network overview article.
You can connect VNets to each other, enabling resources connected to either VNet to
communicate with each other across VNets. You can use either or both of the following options to
connect VNets to each other:

 Peering: Enables resources connected to different Azure VNets within the same Azure region to
communicate with each other. The bandwidth and latency across the VNets is the same as if the
resources were connected to the same VNet. To learn more about peering, read the Virtual network
peering overview article.
 VPN Gateway: Enables resources connected to different Azure VNets within different Azure regions
to communicate with each other. Traffic between VNets flows through an Azure VPN Gateway.
Bandwidth between VNets is limited to the bandwidth of the gateway. To learn more about
connecting VNets with a VPN Gateway, read the Configure a VNet-to-VNet connection across
regions article.

Internet connectivity
All Azure resources connected to a VNet have outbound connectivity to the Internet by default.
The private IP address of the resource is source network address translated (SNAT) to a public IP
address by the Azure infrastructure. To learn more about outbound Internet connectivity, read
the Understanding outbound connections in Azure article.

To communicate inbound to Azure resources from the Internet, or to communicate outbound to
the Internet without SNAT, a resource must be assigned a public IP address. To learn more about
public IP addresses, read the Public IP addresses article.

Security
You can filter traffic to and from Azure resources using the following options:

 Network: You can implement Azure network security groups (NSGs) to filter inbound and outbound
traffic to Azure resources. Each NSG contains one or more inbound and outbound rules. Each rule
specifies the source IP addresses, destination IP addresses, port, and protocol that traffic is filtered
with, together with a priority: rules are evaluated in priority order, lowest number first, and the
first rule that matches decides whether the traffic is allowed or denied. NSGs can be applied to
individual subnets and individual VMs (network interfaces). To learn more about NSGs, read
the Network security groups overview article.
 Application: By using an Application Gateway with web application firewall you can protect your web
applications from vulnerabilities and exploits. Common examples are SQL injection attacks, cross site
scripting, and malformed headers. Application gateway filters out this traffic and stops it from
reaching your web servers. You are able to configure what rules you want enabled. The ability to
configure SSL negotiation policies is provided to allow certain policies to be disabled. To learn more
about the web application firewall, read the Web application firewall article.

If you need network capability Azure doesn't provide, or want to use network applications you use
on-premises, you can implement the products in VMs and connect them to your VNet. The Azure
Marketplace contains several different VMs pre-configured with network applications you may
currently use. These pre-configured VMs are typically referred to as network virtual appliances
(NVA). NVAs are available with applications such as firewall and WAN optimization.

Routing
Azure creates default route tables that enable resources connected to any subnet in any VNet to
communicate with each other. You can implement either or both of the following types of routes
to override the default routes Azure creates:

 User-defined: You can create custom route tables with routes that control where traffic is routed to
for each subnet. To learn more about user-defined routes, read the User-defined routes article.
 Border gateway protocol (BGP): If you connect your VNet to your on-premises network using an
Azure VPN Gateway or ExpressRoute connection, you can propagate BGP routes to your VNets. BGP is
the standard routing protocol commonly used in the Internet to exchange routing and reachability
information between two or more networks. When used in the context of Azure Virtual Networks, BGP
enables the Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors,
to exchange "routes" that inform both gateways on the availability and reachability for those prefixes
to go through the gateways or routers involved. BGP can also enable transit routing among multiple
networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers. To
learn more about BGP, see the BGP with Azure VPN Gateways overview article.
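How a subnet's effective route is chosen once user-defined and BGP routes sit beside the routes Azure creates, as an added example rather than Azure's own code: the longest matching prefix wins, and among routes of equal prefix length a user-defined route beats a BGP-learned route, which beats a system route. The Route type, the 10.0.0.0/16 VNet address space, the on-premises 192.168.0.0/16 prefix and the NVA address 10.0.2.4 are constructed for this example. It also shows the caveat the BGP bullet implies: a peer that advertises 0.0.0.0/0 captures all Internet-bound traffic from the VNet unless a user-defined route overrides it.

```go
package main

import (
	"fmt"
	"net"
)

// Source says where a route came from; a higher value wins a tie between routes
// of equal prefix length (user-defined over BGP over system).
type Source int

const (
	System      Source = iota // created by Azure for every subnet
	BGP                       // learned from a VPN Gateway or ExpressRoute peer
	UserDefined               // from a custom route table attached to the subnet
)

var sourceNames = [...]string{"System", "BGP", "UserDefined"}

func (s Source) String() string { return sourceNames[s] }

// Route is one entry of a subnet's effective route table. NextHop is an Azure
// next-hop type name or, for a network virtual appliance, its private IP.
type Route struct {
	Prefix  *net.IPNet
	NextHop string
	Source  Source
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Select picks the route for dst: longest prefix match first, then Source
// precedence. ok is false only if no route matches.
func Select(routes []Route, dst net.IP) (best Route, ok bool) {
	bestLen := -1
	for _, r := range routes {
		if !r.Prefix.Contains(dst) {
			continue
		}
		l, _ := r.Prefix.Mask.Size()
		if l > bestLen || (l == bestLen && r.Source > best.Source) {
			best, bestLen, ok = r, l, true
		}
	}
	return best, ok
}

// SystemRoutes are the defaults Azure creates: the VNet's own space and a
// catch-all to the Internet. The 10.0.0.0/16 address space is constructed.
func SystemRoutes() []Route {
	return []Route{
		{mustCIDR("10.0.0.0/16"), "VirtualNetwork", System},
		{mustCIDR("0.0.0.0/0"), "Internet", System},
	}
}

func main() {
	// Constructed scenario: the on-premises peer advertises 192.168.0.0/16 over
	// BGP and, deliberately or by mistake, a default route as well.
	routes := append(SystemRoutes(),
		Route{mustCIDR("192.168.0.0/16"), "VirtualNetworkGateway", BGP},
		Route{mustCIDR("0.0.0.0/0"), "VirtualNetworkGateway", BGP})
	for _, dst := range []string{"10.0.1.5", "192.168.7.7", "203.0.113.9"} {
		r, _ := Select(routes, net.ParseIP(dst))
		fmt.Printf("%-12s -> %-21s via %s %s\n", dst, r.NextHop, r.Source, r.Prefix)
	}
	// A user-defined default route to an inspection NVA takes egress back.
	routes = append(routes, Route{mustCIDR("0.0.0.0/0"), "10.0.2.4", UserDefined})
	r, _ := Select(routes, net.ParseIP("203.0.113.9"))
	fmt.Printf("with UDR: 203.0.113.9 -> %s via %s\n", r.NextHop, r.Source)
}
```

The practical check this suggests when reviewing a gateway's learned routes is to look at the effective routes of the subnet, not just the route table you wrote: a BGP-advertised default route is invisible in the custom table yet silently outranks the system Internet route, and a user-defined 0.0.0.0/0 is the only thing that outranks it in turn.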

Manageability
Azure provides the following tools to monitor and manage networking:

 Activity logs: All Azure resources have activity logs, which record the operations that
took place, their status, and who initiated each operation. To learn more about activity logs,
read the Activity logs overview article.
 Diagnostic logs: Periodic and spontaneous events are created by network resources and logged in
Azure storage accounts, sent to an Azure Event Hub, or sent to Azure Log Analytics. Diagnostic logs
provide insight to the health of a resource. Diagnostic logs are provided for Load Balancer (Internet-
facing), Network Security Groups, routes, and Application Gateway. To learn more about diagnostic
logs, read the Diagnostic logs overview article.
 Metrics: Metrics are performance measurements and counters collected over a period of time on
resources. Metrics can be used to trigger alerts based on thresholds. Currently metrics are available
on Application Gateway. To learn more about metrics, read the Metrics overview article.
 Troubleshooting: Troubleshooting information is accessible directly in the Azure portal. The
information helps diagnose common problems with ExpressRoute, VPN Gateway, Application
Gateway, Network Security Logs, Routes, DNS, Load Balancer, and Traffic Manager.
 Role-based access control (RBAC): Control who can create and manage networking resources with
role-based access control (RBAC). Learn more about RBAC by reading the Get started with
RBAC article.
 Packet capture: The Azure Network Watcher service provides the ability to run a packet capture on a
VM through an extension within the VM. This capability is available for Linux and Windows VMs. To
learn more about packet capture, read the Packet capture overview article.
 Verify IP flows: Network Watcher allows you to verify IP flows between an Azure VM and a remote
resource to determine whether packets are allowed or denied. This capability provides administrators
the ability to quickly diagnose connectivity issues. To learn more about how to verify IP flows, read
the IP flow verify overview article.
 Troubleshoot VPN connectivity: The VPN troubleshooter capability of Network Watcher provides
the ability to query a connection or gateway and verify the health of the resources. To learn more
about troubleshooting VPN connections, read the VPN connectivity troubleshooting overviewarticle.
 View network topology: View a graphical representation of the network resources in a VNet with
Network Watcher. To learn more about viewing network topology, read the Topology overviewarticle.
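Activity logs answer "who changed what", and a defender usually turns that into a check for unexpected changes to network security group rules or route tables. The Python below is an added example, not from this page or from Azure; the reduced activity log records (a subset of the event schema fields), the caller allowlist and the choice of which operations count as sensitive are constructed assumptions, while the operation-name strings themselves are real Azure values.

```python
# Resource Manager operation names that alter the network security posture.
# The names are real Azure operation-name values; treating exactly these as
# sensitive is this added example's own choice.
SENSITIVE_OPERATIONS = {
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/routeTables/routes/write",
}
APPROVED_CALLERS = {"deploy-pipeline@example.com"}  # assumed allowlist

def _event(ts, caller, op, status, resource):
    """One constructed activity log record (field names as assumed here)."""
    return {"eventTimestamp": ts, "caller": caller, "resourceId": resource,
            "operationName": {"value": op}, "status": {"value": status}}

RULES = ("/subscriptions/EXAMPLE-SUB/resourceGroups/rg-web/providers/"
         "Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/")
NSG_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
NSG_DELETE = "Microsoft.Network/networkSecurityGroups/securityRules/delete"

SAMPLE_ACTIVITY_LOG = [  # constructed sample, not a real capture
    _event("2024-05-01T10:15:00Z", "deploy-pipeline@example.com", NSG_WRITE,
           "Succeeded", RULES + "allow-https"),
    _event("2024-05-01T10:16:00Z", "ops@example.com",
           "Microsoft.Compute/virtualMachines/start/action", "Succeeded",
           "/subscriptions/EXAMPLE-SUB/resourceGroups/rg-web/providers/"
           "Microsoft.Compute/virtualMachines/web01"),
    _event("2024-05-01T23:42:00Z", "contractor@example.com", NSG_WRITE,
           "Succeeded", RULES + "allow-rdp-any"),
    _event("2024-05-01T23:43:00Z", "contractor@example.com", NSG_DELETE,
           "Failed", RULES + "deny-all-inbound"),
]

def flag_network_changes(events, approved=APPROVED_CALLERS):
    """Return completed sensitive changes; unlisted callers are rated high."""
    findings = []
    for ev in events:
        op = ev["operationName"]["value"]
        if op not in SENSITIVE_OPERATIONS or ev["status"]["value"] != "Succeeded":
            continue  # unrelated operations and failed attempts are skipped
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "action": op.rsplit("/", 1)[1],               # write or delete
            "rule": ev["resourceId"].rsplit("/", 1)[1],   # rule name
            "severity": "low" if ev["caller"] in approved else "high",
        })
    return findings
```

Run over the sample, the pipeline's change is reported as low severity and the late-night rule change by the unlisted caller as high; the failed delete is skipped here but would be worth a separate count in practice.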

Deployment and configuration tools

You can deploy and configure Azure networking resources with any of the following tools:

• Azure portal: A graphical user interface that runs in a browser. Open the Azure portal.
• Azure PowerShell: Command-line tools for managing Azure from Windows computers. Learn more
about Azure PowerShell by reading the Azure PowerShell overview article.
• Azure command-line interface (CLI): Command-line tools for managing Azure from Linux, macOS,
or Windows computers. Learn more about the Azure CLI by reading the Azure CLI overview article.
• Azure Resource Manager templates: A file (in JSON format) that defines the infrastructure and
configuration of an Azure solution. By using a template, you can repeatedly deploy your solution
throughout its lifecycle and have confidence your resources are deployed in a consistent state. To
learn more about authoring templates, read the Best practices for creating templates article.
Templates can be deployed with the Azure portal, CLI, or PowerShell. To get started with templates
right away, deploy one of the many pre-configured templates in the Azure Quickstart
Templates library.

Pricing
Some of the Azure networking services have a charge, while others are free. View the Virtual
network, VPN Gateway, Application Gateway, Load Balancer, Network Watcher, DNS, Traffic
Manager and ExpressRoute pricing pages for more information.

What is a content delivery network on Azure?

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver
web content to users. CDNs store cached content on edge servers in point-of-presence (POP)
locations that are close to end users, to minimize latency.

Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering
high-bandwidth content to users by caching their content at strategically placed physical nodes
across the world. Azure CDN can also accelerate dynamic content, which cannot be cached, by
applying various network optimizations at the CDN POPs, for example route optimization that
bypasses Border Gateway Protocol (BGP) path selection.

The benefits of using Azure CDN to deliver web site assets include:

• Better performance and improved user experience for end users, especially when using applications in
which multiple round-trips are required to load content.
• Large scaling to better handle instantaneous high loads, such as the start of a product launch event.
• Distribution of user requests and serving of content directly from edge servers so that less traffic is
sent to the origin server.

For a list of current CDN node locations, see Azure CDN POP locations.

How it works
1. A user (Alice) requests a file (also called an asset) by using a URL with a special domain name,
such as <endpoint name>.azureedge.net. This name can be an endpoint hostname or a
custom domain. The DNS routes the request to the best performing POP location, which is
usually the POP that is geographically closest to the user.
2. If no edge servers in the POP have the file in their cache, the POP requests the file from the
origin server. The origin server can be an Azure Web App, Azure Cloud Service, Azure Storage
account, or any publicly accessible web server.
3. The origin server returns the file to an edge server in the POP.
4. An edge server in the POP caches the file and returns the file to the original requestor (Alice).
The file remains cached on the edge server in the POP until the time-to-live (TTL) specified by
its HTTP headers expires. If the origin server didn't specify a TTL, the default TTL is seven
days.
5. Additional users can then request the same file by using the same URL that Alice used, and
can also be directed to the same POP.
6. If the TTL for the file hasn't expired, the POP edge server returns the file directly from the
cache. This process results in a faster, more responsive user experience.
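The cache behaviour in steps 2 to 6, including the seven-day default TTL, as an added Python simulation that is not part of the original page or of Azure CDN; the Origin and Pop classes, the asset paths and the header values are constructed for the example, and the simulation reads the TTL only from Cache-Control max-age.

```python
import re

# Azure CDN keeps an object until the TTL from the origin's HTTP headers
# expires and falls back to seven days when the origin sets none (from the
# page); everything else below is this added example's own simulation.
DEFAULT_TTL_SECONDS = 7 * 24 * 3600


class Origin:
    """Constructed origin server: serves a fixed set of assets and counts
    how often a POP has to come back to it."""
    def __init__(self, assets):
        self.assets = assets          # path -> (body, response headers)
        self.fetches = 0

    def get(self, path):
        self.fetches += 1
        return self.assets[path]


def ttl_from_headers(headers):
    """TTL in seconds from Cache-Control max-age, else the seven-day default."""
    match = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    return int(match.group(1)) if match else DEFAULT_TTL_SECONDS


class Pop:
    """One point of presence; the edge cache maps path -> (body, expires_at)."""
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}

    def request(self, path, now):
        """Serve from cache while the TTL holds, otherwise refetch (steps 2-6)."""
        cached = self.cache.get(path)
        if cached is not None and now < cached[1]:
            return cached[0], "HIT"
        body, headers = self.origin.get(path)
        self.cache[path] = (body, now + ttl_from_headers(headers))
        return body, "MISS"


# Constructed assets: one with an explicit 60 s TTL, one with no TTL at all.
ORIGIN = Origin({
    "/app.js": ("console.log('v1')", {"Cache-Control": "max-age=60"}),
    "/logo.png": ("<png bytes>", {}),
})
POP = Pop(ORIGIN)
```

A second user hitting the same POP inside the TTL is served without any origin fetch; an asset without a TTL header stays in the edge cache for the full seven days, which is why origin-side cache headers deserve deliberate values.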

Requirements
To use Azure CDN, you must own at least one Azure subscription. You also need to create at least
one CDN profile, which is a collection of CDN endpoints. Every CDN endpoint represents a specific
configuration of content delivery behavior and access. To organize your CDN endpoints by internet
domain, web application, or some other criteria, you can use multiple profiles. Because Azure CDN
pricing is applied at the CDN profile level, you must create multiple CDN profiles if you want to use
a mix of pricing tiers. For information about the Azure CDN billing structure, see Understanding
Azure CDN billing.

Limitations

Each Azure subscription has default limits for the following resources:
• The number of CDN profiles that can be created.
• The number of endpoints that can be created in a CDN profile.
• The number of custom domains that can be mapped to an endpoint.

For more information about CDN subscription limits, see CDN limits.

Azure CDN features

Azure CDN offers the following key features:

• Dynamic site acceleration
• CDN caching rules
• HTTPS custom domain support
• Azure diagnostics logs
• File compression
• Geo-filtering

For a complete list of features that each Azure CDN product supports, see Compare Azure CDN
product features.

MANAGEMENT TOOLS
Azure Security Documentation
Security is integrated into every aspect of Azure. Azure offers you unique security advantages
derived from global security intelligence, sophisticated customer-facing controls, and a secure,
hardened infrastructure. This powerful combination helps protect your applications and data,
support your compliance efforts, and provide cost-effective security for organizations of all sizes.

Azure Service Health Documentation

Azure Service Health is a suite of experiences that provide personalized guidance and support
when issues in Azure services affect you. It can notify you, help you understand the impact of
issues, and keep you updated as the issue resolves. It can also help you prepare for planned
maintenance and changes that could affect the availability of your resources.

Azure Service Health is composed of:

1. Azure status - A global view of the health of Azure services
2. Service Health - A personalized view of the health of your Azure services
3. Resource Health - A deeper view of the health of the individual resources provisioned to you
by your Azure services

Azure Cost Management Documentation

Azure Cost Management, licensed by Cloudyn, a Microsoft subsidiary, is a multi-cloud cost
management solution that helps you best utilize and manage Azure and other cloud resources.

Azure Advisor Documentation
Advisor is a personalized cloud consultant that helps you follow best practices to optimize your
Azure deployments. It analyzes your resource configuration and usage telemetry and then
recommends solutions that can help you improve the cost effectiveness, performance, high
availability, and security of your Azure resources.

With Advisor, you can:

• Get proactive, actionable, and personalized best practices recommendations.
• Improve the performance, security, and high availability of your resources, as you identify
opportunities to reduce your overall Azure spend.
• Get recommendations with proposed actions inline.

You can access Advisor through the Azure portal. Sign in to the portal, locate Advisor in the
navigation menu, or search for it in the All services menu.

The Advisor dashboard displays personalized recommendations for all your subscriptions. You can
apply filters to display recommendations for specific subscriptions and resource types. The
recommendations are divided into four categories:

• High Availability: To ensure and improve the continuity of your business-critical
applications. For more information, see Advisor High Availability recommendations.
• Security: To detect threats and vulnerabilities that might lead to security breaches. For more
information, see Advisor Security recommendations.
• Performance: To improve the speed of your applications. For more information, see Advisor
Performance recommendations.

Prevent unexpected charges with Azure billing and cost management
When you sign up for Azure, there are several things you can do to get a better idea of your
spend. The pricing calculator can provide an estimate of costs before you create an Azure
resource. The Azure portal provides you with the current cost breakdown and forecast for your
subscription. If you want to group and understand costs for different projects or teams, look
at resource tagging. If your organization has a reporting system that you prefer to use, check out
the billing APIs.

• If your subscription is an Enterprise Agreement (EA), the public preview for seeing your costs
in the Azure portal is available. If your subscription is through a Cloud Solution Provider (CSP)
or Azure Sponsorship, then some of the following features may not apply to you.
See Additional resources for EA, CSP, and Sponsorship for more info.
• If your subscription is a Free Trial, Visual Studio, Azure in Open (AIO), or BizSpark, your
subscription is automatically disabled when all your credits are used. Learn about spending
limits to avoid having your subscription unexpectedly disabled.
• If you have signed up for an Azure free account, you can use some of the most popular Azure
services for free for 12 months. Along with the recommendations listed below, see Avoid
getting charged for free account.

About Azure Migrate

The Azure Migrate service assesses on-premises workloads for migration to Azure. The service
assesses the migration suitability of on-premises machines, performs performance-based sizing,
and provides cost estimations for running on-premises machines in Azure. If you're contemplating
lift-and-shift migrations, or are in the early assessment stages of migration, this service is for you.
After the assessment, you can use services such as Azure Site Recovery and Azure Database
Migration Service, to migrate the machines to Azure.

Why use Azure Migrate?

Azure Migrate helps you to:

• Assess Azure readiness: Assess whether your on-premises machines are suitable for running in
Azure.
• Get size recommendations: Get size recommendations for Azure VMs based on the performance
history of on-premises VMs.
• Estimate monthly costs: Get estimated costs for running on-premises machines in Azure.
• Migrate with high confidence: Visualize dependencies of on-premises machines to create groups of
machines that you will assess and migrate together.

Current limitations
• Currently, you can only assess on-premises VMware virtual machines (VMs) for migration to Azure
VMs. The VMware VMs must be managed by vCenter Server (version 5.5, 6.0, or 6.5).
• If you want to assess Hyper-V VMs and physical servers, use the Azure Site Recovery Deployment
Planner for Hyper-V, and our partner tools for physical machines.
• You can discover up to 1500 VMs in a single discovery and up to 1500 VMs in a single project.
Additionally, you can assess up to 1500 VMs in a single assessment.
• If you want to discover a larger environment, you can split the discovery and create multiple
projects. Learn more. Azure Migrate supports up to 20 projects per subscription.
• You can only create an Azure Migrate project in the West Central US or East US region. This doesn't
impact your ability to plan migration to any target Azure location. The location of the migration
project is used only to store metadata discovered from the on-premises environment.
• Azure Migrate only supports managed disks for migration assessment.
