Here are some good short notes from my MS Azure Architecture training from edX.
https://courses.edx.org/courses/course-v1%3AMicrosoft%2BDEV205Bx%2B2T2016/
The course is awesome and anyone technical enough to understand Azure architecture should take it.
Hope the note helps.
------------------------------------------------------------------------------------------------
Design
The patterns & practices team at Microsoft has collected twenty-four design
patterns that are relevant when designing the architecture of a cloud
application. Each pattern includes a brief discussion of its benefits,
considerations and implementation. The collection of patterns is not meant to
be comprehensive and is instead focused on the most popular design patterns
for cloud applications.
------------------------------------------------------------------------------------------------
Performance
Abstracting the physical location of the data in the sharding logic provides a
high level of control over which shards contain which data, and enables data to
migrate between shards without reworking the business logic of an application
should the data in the shards need to be redistributed later (for example, if
the shards become unbalanced). The tradeoff is the additional data access
overhead required in determining the location of each data item as it is
retrieved.
-------------------------------------------------------------------------------------------------
Resilience
In the cloud, transient faults are not uncommon and an application should be
designed to handle them elegantly and transparently, minimizing the effects
that such faults might have on the business tasks that the application is
performing.
If an application detects a failure when it attempts to send a request to a
remote service, it can handle the failure by retrying the application logic
after a short wait. For the more common transient failures, the period between
retries should be chosen so as to spread requests from multiple instances of
the application as evenly as possible.
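The retry advice above, as an added example that is not part of the course notes: exponential backoff with random ("full") jitter, so that many application instances that hit the same transient fault do not all retry at the same instant. The TransientError class and the flaky service are constructed stand-ins for a real remote call.

```python
import random
import time

# Added example (not from the course notes): retry a remote call on transient
# faults with exponential backoff plus random jitter, so that many application
# instances that fail at the same moment do not all retry in lock-step.


class TransientError(Exception):
    """Constructed stand-in for a transient fault (timeout, HTTP 503, throttling)."""


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rng=random.random) -> float:
    """Delay before retry number `attempt` (0-based).

    "Full jitter": a uniform random value in [0, min(cap, base * 2**attempt)].
    The cap keeps late retries from waiting unreasonably long; the randomness
    spreads retries from many instances evenly over the window.
    """
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(operation, max_attempts: int = 5, sleep=time.sleep,
                    rng=random.random):
    """Call `operation()`; on TransientError sleep a jittered backoff and retry.

    Any other exception is treated as a permanent failure and raised at once,
    since retrying a bad request only adds load. Returns (result, attempts).
    """
    for attempt in range(max_attempts):
        try:
            return operation(), attempt + 1
        except TransientError:
            if attempt == max_attempts - 1:
                raise  # retry budget exhausted: surface the fault to the caller
            sleep(backoff_delay(attempt, rng=rng))


def make_flaky(fail_times: int):
    """Constructed sample service: raises TransientError `fail_times` times,
    then returns "ok"."""
    calls = {"n": 0}

    def operation():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TransientError("503 Service Unavailable")
        return "ok"

    return operation


def retry_spread(instances: int, attempt: int, seed: int = 1) -> float:
    """Width (max - min, in seconds) of the window over which `instances`
    clients would issue retry `attempt`. With jitter it approaches the backoff
    window; a fixed delay would give 0, i.e. every instance retrying at once."""
    rng = random.Random(seed).random
    delays = [backoff_delay(attempt, rng=rng) for _ in range(instances)]
    return max(delays) - min(delays)


if __name__ == "__main__":
    result, attempts = call_with_retry(make_flaky(2), sleep=lambda s: None)
    print(result, "after", attempts, "attempts")
    print("spread of 1000 instances on their 3rd retry:",
          round(retry_spread(1000, 2), 2), "s")
```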
------------------------------------------------------------------------------------------------
Scalability
WHY CACHE?
Caching is a common technique that aims to improve the performance and
scalability of a system by temporarily copying frequently accessed data to fast
storage located close to the application. Caching is most effective when an
application instance repeatedly reads the same data, especially if the original
data store is slow relative to the speed of the cache, is subject to a high
level of contention, or is far away when network latency can cause access to be
slow.
There are two primary types of cache:
- In-memory cache
- Shared cache
------------------------------------------------------------------------------------------------
Scaling
Vertical scaling = add more memory, CPU etc.
Horizontal scaling = add more instances, VMs etc.
Azure supports auto scaling in the top 2 bands (Standard and Premium).
Web Deploy is the standard deployment process.
Web Deploy allows you to package the configuration and content of your
installed web applications, including databases, and use the packages for
storage or redeployment. These packages can be deployed using IIS Manager,
Visual Studio, PowerShell or a wide variety of IDEs without requiring
administrative privileges on the destination server.
------------------------------------------------------------------------------------------------
KUDU
The Kudu environment in Azure gives back-end access to the VMs on which web
apps are installed. For web apps you don’t get RDP access, so Kudu allows you
to diagnose logs, edit config files etc. in a limited way, as if you had access
to the VM.
Visual Studio Monaco: Visual Studio Monaco is a source code editor designed to
work entirely within the browser. Visual Studio Monaco allows you to edit your
web application's source files directly in the live web application.
------------------------------------------------------------------------------------------------
TRAFFIC MANAGER
Microsoft Azure Traffic Manager allows you to control the distribution of user
traffic to your specified endpoints, which can include Azure cloud services,
websites, and other endpoints. Traffic Manager works by applying an intelligent
policy engine to Domain Name System (DNS) queries for the domain names of your
Internet resources.
------------------------------------------------------------------------------------------------
INTRODUCING APP SERVICE ENVIRONMENTS (ASE)
App Services are useful because they separate many of the hosting and
management concerns for your web application and allow you to focus on your
application's functionality and configuration.
------------------------------------------------------------------------------------------------
To implement scenarios where you require more control, you can use the App
Service Environment (ASE) service in Azure. It lets you decide how much to
expose to the internet, for cases where you don’t want a public-facing
endpoint.
------------------------------------------------------------------------------------------------
AZURE SQL DATABASE ARCHITECTURE
Behind the scenes, the Azure SQL Database service is separated into tiers with
varying sets of responsibility. These tiers are listed below:
- Client Layer: This layer is composed of the tools that you can use to connect to Azure SQL Database at its TDS endpoint. This layer is used by applications to communicate directly with SQL Database.
- Services Layer: This layer is a gateway between the client layer and the Platform layer.
- Platform Layer: This layer includes physical servers and services that support the Services layer and actually implements the database service.
- Infrastructure Layer: This layer is the layer where Azure's fabric controller and hypervisor manage the physical hardware and operating systems.
------------------------------------------------------------------------------------------------
Azure resource manager
- Resource: A resource is simply a single service instance in Azure. Most services in Azure can be represented as a resource. For example, a Web App instance is a resource. An App Service Plan is also a resource. Even a SQL Database instance is a resource.
- Resource Group: A resource group is a logical grouping of resources. For example, a Resource Group where you would deploy a VM compute instance may be composed of a Network Interface Card (NIC), a Virtual Machine, a Virtual Network, and a Public IP Address.
- Resource Group Template: A resource group template is a JSON file that allows you to declaratively describe a set of resources. These resources can then be added to a new or existing resource group. For example, a template could contain the configuration necessary to create 2 API App instances, a Mobile App instance and a Document DB instance.
------------------------------------------------------------------------------------------------
Azure tables
The Azure Table storage service stores large amounts of structured data. The
service is a NoSQL datastore which accepts authenticated calls from inside and
outside the Azure cloud. Azure tables are ideal for storing structured,
non-relational data.
------------------------------------------------------------------------------------------------
STORAGE BLOBS
Blobs provide a way to store large amounts of unstructured, binary data, such
as video, audio, images, etc. In fact, one of the features of blobs is
streaming content such as video or audio. There are two types of blob storage
available, each providing specific functionality:
- Block Blobs
- Page Blobs
CONTAINERS
A container provides a grouping of a set of blobs. Every blob is organized into
a container. All blobs must be in a container as the container forms part of
the blob name. A storage account can contain any number of containers, and a
container can contain any number of blobs, up to the 500 TB capacity limit of
the storage account. Containers also provide a useful way to assign security
policies to groups of objects.
------------------------------------------------------------------------------------------------
REST API
Every blob uploaded to Azure Storage is associated with a relative URI. An
extensive REST API for Storage is already available that allows you to manage
your Storage Account and individual blobs in a RESTful manner. For blobs, this
API has been extended to ensure that it is easy to access a blob by using a
simple URL. You can access blobs by using the GET, PUT, POST, or DELETE HTTP
methods.
------------------------------------------------------------------------------------------------
AZURE STORAGE QUEUES
Azure Queue storage is a service for storing large numbers of messages that can
be accessed from anywhere in the world via authenticated calls using HTTP or
HTTPS. A single queue message can be up to 64 KB in size, and a queue can
contain millions of messages, up to the total capacity limit of a storage
account. A storage account can contain up to 500 TB of blob, queue, and table
data.
------------------------------------------------------------------------------------------------
AZURE FILES
File storage offers shared storage for applications using the standard SMB 2.1
protocol. Microsoft Azure virtual machines and cloud services can share file
data across application components via mounted shares, and on-premises
applications can access file data in a share via the File storage API.
------------------------------------------------------------------------------------------------
STORSIMPLE
StorSimple is the combination of a service, device and management tools that
can create workflows for migrating data to a cloud storage center or back
on-premises.
The StorSimple device is an on-premises hybrid storage array that provides
primary storage and iSCSI access to data stored on it. It manages
communication with cloud storage, and helps to ensure the security and
confidentiality of all data that is stored on the StorSimple solution. The
StorSimple device includes solid state drives (SSDs) and hard disk drives
(HDDs), as well as support for clustering and automatic failover. It contains
a shared processor, shared storage, and two mirrored controllers.
------------------------------------------------------------------------------------------------
CONTAINER SECURITY
Typically, only the owner of a storage account can access resources within
that account. If your service or application needs to make these resources
available to other clients, you have various options available. First, you can
make the public access key generally available. This is not typically
recommended as this key gives individuals full access to your entire storage
account and its management operations. Another, more common option is to
manage access for the entire container. This access can be managed using the
Public Read Access property of a specific container.
------------------------------------------------------------------------------------------------
SHARED ACCESS SIGNATURES
A shared access signature is a URI that grants restricted access rights to
containers, blobs, queues, and tables. You can provide a shared access
signature to clients who should not be trusted with your storage account key
but to whom you wish to delegate access to certain storage account resources.
By distributing a shared access signature URI to these clients, you can grant
them access to a resource for a specified period of time, with a specified set
of permissions.
------------------------------------------------------------------------------------------------
STORED ACCESS POLICIES
Azure SAS also supports server-stored access policies that can be associated
with a specific resource such as a table or blob. This feature provides
additional control and flexibility compared to application-generated SAS
tokens, and should be used whenever possible.
------------------------------------------------------------------------------------------------
INTRODUCING MOBILE APPS
Azure Mobile Apps is a component of the Azure App Service offering designed to
make it easy to create highly-functional mobile apps using Azure. Mobile Apps
brings together a set of Azure services that enable backend capabilities for
your apps. Mobile Apps provides the following backend capabilities in Azure to
support your apps:
- Single Sign On - Select from an ever-growing list of identity providers including Azure Active Directory, Facebook, Google, Twitter, and Microsoft Account, and leverage Mobile Apps to add authentication to your app in minutes.
- Offline Sync - Mobile Apps makes it easy for you to build robust and responsive apps that allow employees to work offline when connectivity is not available, and synchronize with your enterprise backend systems when devices come back online. Offline sync capability is supported on all client platforms and works with any data source including SQL, Table Storage, Mongo, or Document DB, and any SaaS API including Office 365, Salesforce, Dynamics, or on-premises databases.
- Push Notifications - Mobile Apps offers a massively scalable mobile push notification engine, Notification Hubs, capable of sending millions of personalized push notifications to dynamic segments of audience using iOS, Android, Windows, or Kindle devices within seconds. You can easily hook Notification Hubs to any existing app backend, whether that backend is hosted on-premises or in the cloud.
- Auto Scaling - App Service enables you to quickly scale up or out to handle any incoming customer load. Manually select the number and size of VMs or set up auto-scaling to scale your mobile app backend based on load or schedule.
------------------------------------------------------------------------------------------------
INTRODUCING NO-SQL
Many modern application workloads need to store large amounts of data that may
not be well structured or even deduplicated. These large amounts of data need
to be stored or read in bulk and in a very performant manner. Most traditional
relational databases are based on the concepts of ACID (atomicity,
consistency, isolation and durability), which can be restrictive when trying to
solve these problems. ACID concerns are why the storage and retrieval of
records in databases such as SQL can become very complicated. The CAP theorem
states that databases may only excel at two out of three attributes:
- Consistency (all nodes see the same data at the same time)
- Availability (a guarantee that every request receives a response about whether it succeeded or failed)
- Partition tolerance (the system continues to operate despite arbitrary partitioning due to network failures)
------------------------------------------------------------------------------------------------
DOCUMENT DATABASES
There are many types of NoSQL stores. For the next few units, we will focus
on Document Databases.
A document database is similar in concept to a key/value store except that the
values stored are documents. A document is a collection of named fields and
values, each of which could be simple scalar items or compound elements such as
lists and child documents. The data in the fields in a document can be encoded
in a variety of ways, including XML, YAML, JSON, BSON, or even stored as plain
text.
------------------------------------------------------------------------------------------------
DOCUMENTDB
Modern applications produce, consume and respond quickly to very large volumes
of data. These applications evolve very rapidly and so does the underlying
data schema. In response to this, developers have increasingly chosen
schema-free NoSQL document databases as simple, fast, scalable solutions to
store and process data while preserving the ability to quickly iterate over
application data models and unstructured data feeds. However, many schema-free
databases do not allow for complex queries and transactional processing,
making advanced data management difficult.
DocumentDB is a NoSQL document database service designed as a highly scalable
and available document store with higher levels of consistency than
traditional NoSQL databases. DocumentDB is designed for consistently fast
reads and writes, schema flexibility, and the ability to easily scale a
database up and down on demand. DocumentDB enables complex ad hoc queries
using a SQL language, supports well defined consistency levels, and offers
JavaScript language integrated, multi-document transaction processing using
the familiar programming model of stored procedures, triggers, and UDFs.
------------------------------------------------------------------------------------------------
CONSISTENCY LEVELS
DocumentDB offers four well-defined consistency levels with associated
performance levels. In most real world scenarios, applications benefit from
making fine grained trade-offs between consistency, availability, and latency.
This allows application developers to make predictable
consistency-availability-latency trade-offs. The four consistency levels are
listed below:
- Strong: Strong consistency guarantees that a write is only visible after it is committed durably by the majority quorum of replicas. A write is either synchronously committed durably by both the primary and the quorum of secondaries or it is aborted. A read is always acknowledged by the majority read quorum - a client can never see an uncommitted or partial write and is always guaranteed to read the latest acknowledged write.
- Bounded staleness: Bounded staleness consistency guarantees the total order of propagation of writes with the possibility that reads lag behind writes by at most K prefixes. The read is always acknowledged by a majority quorum of replicas. The response of a read request specifies its relative freshness (in terms of K).
- Session: Unlike the global consistency models offered by the strong and bounded staleness consistency levels, “session” consistency is tailored for a specific client session. Session consistency is usually sufficient since it provides guaranteed monotonic reads and writes, and the ability to read your own writes. A read request for session consistency is issued against a replica that can serve the client-requested version (part of the session cookie).
- Eventual: Eventual consistency is the weakest form of consistency wherein a client may get values which are older than the ones it had seen before, over time. In the absence of any further writes, the replicas within the group will eventually converge. The read request is served by any secondary index.
------------------------------------------------------------------------------------------------
MONGODB
MongoDB is an open source, document-oriented NoSQL database designed for
maximum scalability and agility. Unlike traditional relational databases,
MongoDB doesn’t store data in tables and rows. Rather, it stores BSON (binary
serialized object notation) documents, which are binary JSON (JavaScript Object
Notation) documents, with dynamic schemas. These BSON documents are stored in
collections, which are named groupings of documents. Instead of a SQL query
syntax, BSON queries can be made directly in most object-oriented languages.
------------------------------------------------------------------------------------------------
MYSQL
Using Windows or Linux virtual machines, you can always install and run MySQL
in the Azure environment. ClearDB also provides a managed MySQL instance that
you can create from the Azure Marketplace.
------------------------------------------------------------------------------------------------
HBASE
Apache HBase is an open-source, NoSQL database that is built on Hadoop and
modeled after Google BigTable. HBase provides random access and strong
consistency for large amounts of unstructured and semistructured data in a
schemaless database organized by column families.
------------------------------------------------------------------------------------------------
SERVICE BUS
Azure Service Bus provides a hosted, secure, and widely available
infrastructure for widespread communication, large-scale event distribution,
naming, and service publishing. Service Bus provides connectivity options for
Windows Communication Foundation (WCF) and other service endpoints, including
REST endpoints, that would otherwise be difficult or impossible to reach.
Endpoints can be located behind network address translation (NAT) boundaries,
or bound to frequently-changing, dynamically-assigned IP addresses, or both.
------------------------------------------------------------------------------------------------
SERVICE BUS NOTIFICATION HUBS
Smartphones and tablets have the ability to "notify" users when an event has
occurred whether or not your application is running. Typically, to implement
this push functionality, you would require deep experience on all major mobile
platforms along with a rich network of servers sending the actual notification
payload. Azure Notification Hubs provide an easy-to-use, multiplatform,
scaled-out push infrastructure that enables you to send mobile push
notifications from any backend (in the cloud or on-premises) to any mobile
platform as a managed service.
------------------------------------------------------------------------------------------------
SERVICE BUS QUEUE
- Guarantees First-In-First-Out (FIFO) order
- Messages are guaranteed to be delivered at-least-once and at-most-once
- Supports batch send and retrieve
- Supports peek
- Transactions are supported
- Supports long polling (blocking)
STORAGE QUEUE
- Ordering is not guaranteed due to visibility timeout
- Messages are guaranteed to be delivered at-least-once
- Supports batch receive
- Supports peek
- Supports different timeout values per message and timeout renewals (leases)
------------------------------------------------------------------------------------------------
AZURE ACTIVE DIRECTORY (AD)
Azure Active Directory (Azure AD) allows businesses to manage identity and
access, both in the cloud and on-premises across many different applications
and devices. Users can use the same work or school account for single sign-on
to any cloud and on-premises web application. Your users can use their
favorite devices, including iOS, Mac OS X, Android, and Windows. Your
organization can protect sensitive data and applications both on-premises and
in the cloud with integrated multi-factor authentication ensuring secure local
and remote access. Azure AD extends your on-premises directories so that
information workers can use a single organizational account to securely and
consistently access their corporate resources. Azure AD also offers
comprehensive reports, analytics, and self-service capabilities to reduce
costs and enhance security.
------------------------------------------------------------------------------------------------
SYNC OPTIONS
There are three primary ways that you can sync identities with an Azure AD
directory.
Identity Sync
In the simplest directory synchronization scenario, user (identity) objects
are the only ones synced with Azure AD. Identities can be managed on-premises
and these changes will reflect in the Azure AD directory. The users, however,
will have different credentials for their cloud and on-premises identities.
Password Sync
In this scenario, the hash value of the password is also synced with the user
identity. This allows users to log into off-premises services (such as
Office 365, Microsoft Intune, CRM Online) using the same password that they
use on-premises. Passwords can be modified on-premises and eventually synced
to the Azure AD instance. This offers eventual consistency for passwords.
Password Sync with Writeback
Password writeback is only available for current subscribers of Azure AD
Premium. Users can use an online self-service password management portal to
reset their password from any location. The passwords are then validated
immediately against your existing AD password policies. If validated, this
password is then stored as a hash and synced with your enterprise Active
Directory instance. The writeback is done using Service Bus relay to avoid
creating inbound firewall rules.
------------------------------------------------------------------------------------------------
AZURE ACTIVE DIRECTORY SINGLE-SIGN ON
Single sign-on, also called identity federation, is a hybrid-based directory
integration scenario of Azure Active Directory that you can implement when you
want to simplify your users’ ability to seamlessly access cloud services, such
as Office 365 or Microsoft Intune, with their existing Active Directory
corporate credentials. Without single sign-on, your users would need to
maintain separate user names and passwords for your online and on-premises
accounts.
A Secure Token Service (STS) enables identity federation, extending the notion
of centralized authentication, authorization, and SSO to Web applications and
services located virtually anywhere, including perimeter networks, partner
networks, and the cloud. When you configure an STS to provide single sign-on
access with a Microsoft cloud service, you will be creating a federated trust
between your on-premises STS and the federated domain you’ve specified in your
Azure AD tenant.
There is a clear benefit to users when you implement single sign-on: it lets
them use their corporate credentials to access the cloud service that your
company has subscribed to. Users don’t have to sign in again and remember
multiple passwords.
------------------------------------------------------------------------------------------------
EXTERNAL USERS
In Azure AD you can also add users to an Azure AD directory from another Azure
AD directory or a user with a Microsoft Account. A user can be a member of up
to 20 different directories. Users who are added from another directory are
external users. External users can collaborate with users who already exist in
a directory, such as in a test environment, without requiring them to sign in
with new accounts and credentials. External users are authenticated by their
home directory when they sign in, and that authentication works for all other
directories that they are a member of.
------------------------------------------------------------------------------------------------
ACCESS CONTROL LIST
A Network Access Control List (ACL) is a security enhancement available for
your Azure deployment. An ACL provides the ability to selectively permit or
deny traffic for a virtual machine endpoint. This packet filtering capability
provides an additional layer of security. An ACL is an object that contains a
list of rules. When you create an ACL and apply it to a Virtual Machine
endpoint, packet filtering takes place on the host node of your VM. This means
the traffic from remote IP addresses is filtered by the host node for matching
ACL rules instead of on your VM. This prevents your VM from spending the CPU
cycles on packet filtering.
------------------------------------------------------------------------------------------------
NETWORK ACLS AND LOAD BALANCED SETS
Network ACLs can be specified on a Load balanced set (LB Set) endpoint. If an
ACL is specified for a LB Set, the Network ACL is applied to all Virtual
Machines in that LB Set. For example, if a LB Set is created with "Port 80"
and the LB Set contains 3 VMs, the Network ACL created on endpoint "Port 80"
of one VM will automatically apply to the other VMs.
------------------------------------------------------------------------------------------------
NETWORK SECURITY GROUPS
Network security groups are different than endpoint-based ACLs. Endpoint ACLs
work only on the public port that is exposed through the input endpoint. An
NSG works on one or more VM instances and controls all the traffic that is
inbound and outbound.
You can associate an NSG to a VM, or to a subnet within a VNet. When
associated with a VM, the NSG applies to all the traffic that is sent and
received by the VM instance. When applied to a subnet within your VNet, it
applies to all the traffic that is sent and received by ALL the VM instances
in the subnet. A VM or subnet can be associated with only 1 NSG, and each NSG
can contain up to 200 rules. You can have 100 NSGs per subscription.
------------------------------------------------------------------------------------------------
Administrative role   | Limit                                                       | Summary
----------------------|-------------------------------------------------------------|--------
Account Administrator | 1 per Azure account                                         | Authorized to access the Account Center (create subscriptions, cancel subscriptions, change billing for a subscription, change Service Administrator, and more)
Service Administrator | 1 per Azure subscription                                    | Authorized to access Azure Management Portal for all subscriptions in the account. By default, same as the Account Administrator when a subscription is created.
Co-administrator      | 200 per subscription (in addition to Service Administrator) | Same as Service Administrator, but can’t change the association of subscriptions to Azure directories.
------------------------------------------------------------------------------------------------
ROLE-BASED ACCESS CONTROL (RBAC)
Azure role-based access control allows you to grant appropriate access to
Azure AD users, groups, and services, by assigning roles to them on a
subscription, resource group or individual resource level. The assigned role
defines the level of access that the users, groups, or services have on the
Azure resource.
Role
A role is a collection of actions that can be performed on Azure resources. A
user or a service is allowed to perform an action on an Azure resource if they
have been assigned a role that contains that action. There are built-in roles
that include (but are not limited to):
ROLE NAME                   | DESCRIPTION
----------------------------|------------
Contributor                 | Contributors can manage everything except access.
Owner                       | Owner can manage everything, including access.
Reader                      | Readers can view everything, but can't make changes.
User Access Administrator   | Lets you manage user access to Azure resources.
Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
------------------------------------------------------------------------------------------------
ROLE
ASSIGNMENT
A
role assignment can be created that associates a security principal to a
role. The role is further used to grant access to a resource scope.
This decoupling allows you to specify that a specific role has access to a
resource in your subscription and add/remove security principals from that role
in a loosely connected manner. Roles can be assigned to the following types of
Azure AD security principals:
- Users: roles can be assigned to organizational users that are in the Azure AD with which the Azure subscription is associated. Roles can also be assigned to external Microsoft accounts that exist in the same directory.
- Groups: roles can be assigned to Azure AD security groups. A user is automatically granted access to a resource if the user becomes a member of a group that has access. The user also automatically loses access to the resource after getting removed from the group. Managing access via groups by assigning roles to groups and adding users to those groups is the best practice, instead of assigning roles directly to users.
- Service principals: service identities are represented as service principals in the directory. They authenticate with Azure AD and securely communicate with one another. Services can be granted access to Azure resources by assigning roles via the Azure module for Windows PowerShell to the Azure AD service principal representing that service.
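The notes above describe three moving parts: roles as sets of actions, assignments binding a principal (user, group or service principal) to a role at a scope, and access flowing to users through group membership. The following toy evaluator puts those rules into code so the behaviour can be checked. It is an added example, not Azure's own authorization code or the Azure PowerShell module; the role definitions are simplified (Contributor is modelled as "everything minus the Microsoft.Authorization write/delete actions" to capture "except access"), and every principal name, group name and scope string is a constructed sample.

```python
"""Toy evaluator for the Azure RBAC model described in the notes (added
example, not Azure code). A role is a set of action patterns, an assignment
binds a principal to a role at a scope, scopes nest (subscription > resource
group > resource) and group membership is resolved transitively.
Role contents are simplified approximations; names and scopes are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Action patterns in the {provider}/{resource}/{verb} shape; "*" spans "/".
ROLES = {
    "Owner": {"*"},
    "Contributor": {"*"},
    "Reader": {"*/read"},
    "User Access Administrator": {"*/read", "Microsoft.Authorization/*"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
}
# NotActions subtract from a role's Actions (constructed approximation of
# "Contributors can manage everything except access").
NOT_ACTIONS = {
    "Contributor": {"Microsoft.Authorization/*/write", "Microsoft.Authorization/*/delete"},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group or service principal
    role: str
    scope: str      # e.g. "/subscriptions/sub1/resourceGroups/rg1"


def scope_covers(assigned: str, requested: str) -> bool:
    """An assignment at a parent scope applies to every child scope beneath it."""
    assigned = assigned.rstrip("/")
    return requested == assigned or requested.startswith(assigned + "/")


def action_matches(patterns, action: str) -> bool:
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def effective_principals(user: str, groups: dict) -> set:
    """The user plus every group that contains it, directly or via nested groups."""
    found = {user}
    while True:
        more = {g for g, members in groups.items() if g not in found and members & found}
        if not more:
            return found
        found |= more


def is_allowed(user: str, action: str, scope: str, assignments, groups) -> bool:
    """True if any assignment for the user (or one of its groups) at a covering
    scope grants the action and does not exclude it via NotActions."""
    ids = effective_principals(user, groups)
    for a in assignments:
        if a.principal not in ids or not scope_covers(a.scope, scope):
            continue
        if action_matches(ROLES[a.role], action) and not action_matches(NOT_ACTIONS.get(a.role, ()), action):
            return True
    return False


# Constructed sample directory (alice is in vm-operators, which is nested in platform-team).
GROUPS = {"vm-operators": {"alice"}, "platform-team": {"vm-operators", "bob"}}
ASSIGNMENTS = [
    Assignment("platform-team", "Reader", "/subscriptions/sub1"),
    Assignment("vm-operators", "Virtual Machine Contributor", "/subscriptions/sub1/resourceGroups/rg1"),
    Assignment("carol", "Contributor", "/subscriptions/sub1/resourceGroups/rg1"),
    Assignment("dave", "Owner", "/subscriptions/sub1"),
    Assignment("svc-backup", "Reader", "/subscriptions/sub1/resourceGroups/rg1"),  # a service principal
]
VM1 = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = "/subscriptions/sub1/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2"


def allowed(user: str, action: str, scope: str) -> bool:
    """Convenience wrapper over the constructed sample data."""
    return is_allowed(user, action, scope, ASSIGNMENTS, GROUPS)


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM1),   # via vm-operators at rg1
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM2),   # rg1 assignment does not reach rg2
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM1),    # Contributor: everything except access
        ("dave", "Microsoft.Authorization/roleAssignments/write", VM1),     # Owner: including access
    ]
    for who, what, where in checks:
        print(f"{who:6} {what:50} {where.rsplit('/', 1)[-1]:4} -> {allowed(who, what, where)}")
```

The group handling is the point worth noticing: alice never has a direct assignment, yet she can start VMs in rg1 (through vm-operators) and read everything in the subscription (through platform-team, which contains vm-operators). Removing her from vm-operators, as the notes say, silently removes both.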
------------------------------------------------------------------------------------------------
STORAGE SECURITY
Azure Storage flexibly stores and provides retrieval access for large amounts of unstructured data. By default, only the storage account owner can access resources in the storage account. For the security of your data, every request made against resources in your account must be authenticated. Authentication relies on a Shared Key model. Blob containers can also be configured to allow anonymous read access.
Your storage account is assigned two private access keys on creation that are used for authentication. Having two keys ensures that your application remains available while you regularly regenerate the keys, which is a common key management practice: clients move to the second key before the first is regenerated. While you may access storage services using your key over HTTP, using HTTPS for secure access is highly recommended.
------------------------------------------------------------------------------------------------
ANONYMOUS ACCESS
To give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request. Containers provide the following options for managing container access:
------------------------------------------------------------------------------------------------
SHARED ACCESS SIGNATURES
A shared access signature is a URI that grants restricted access rights to containers, blobs, queues, and tables for a specific time interval. By providing a client with a shared access signature, you can enable them to access resources in your storage account without sharing your account key with them.
The shared access signature URI query parameters incorporate all of the information necessary to grant controlled access to a storage resource. The URI query parameters specify the time interval over which the shared access signature is valid, the permissions that it grants, the resource that is to be made available, and the signature that the storage services should use to authenticate the request.
------------------------------------------------------------------------------------------------
VALET-KEY PATTERN USING SHARED ACCESS SIGNATURES
A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:
- Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.
- Using the Valet Key Pattern, a lightweight service authenticates the client as needed and then generates a SAS. Once the client receives the SAS, they can access storage account resources directly with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS removes the need to route all data through the front-end proxy service.
------------------------------------------------------------------------------------------------
STORED ACCESS POLICIES
A shared access signature can take one of two forms:
- Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified on the SAS URI (or implied, in the case where start time is omitted). This type of SAS may be created on a container, blob, table, or queue.
- SAS with stored access policy: A stored access policy is defined on a resource container - a blob container, table, or queue - and can be used to manage constraints for one or more shared access signatures. When you associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy.
The difference between the two forms is important for one key scenario: revocation. A SAS is a URL, so anyone who obtains the SAS can use it, regardless of who requested it to begin with. If a SAS is published publicly, it can be used by anyone in the world. An ad hoc SAS can only be invalidated by regenerating the account key that signed it, which also breaks every other SAS signed with that key. Stored access policies give you the option to revoke permissions without having to regenerate the storage account keys. Set the expiry on the policy far in the future (or leave it unbounded) and make sure it is regularly updated to move it farther into the future.
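The three sections above (shared access signatures, the valet-key pattern, and stored access policies), together with the two-key rotation point under STORAGE SECURITY, all come down to one mechanism: the service holds the account key, mints a URI whose query string is signed with HMAC-SHA256, and the storage service recomputes that signature on every request. The block below is an added example that walks both sides of that exchange; it is not Azure SDK or storage-service code. It assumes the service SAS string-to-sign layout of storage service version 2015-04-05 (later versions append further fields), and the account name, both keys, the container, blob and policy names are constructed sample values.

```python
"""Service SAS for a single blob: minting, validating and revoking (added
example, not Azure SDK code). Account name, keys, policy and blob names are
constructed. The string-to-sign layout is the service SAS format of storage
service version 2015-04-05 (assumed; later versions append more fields); the
signature is HMAC-SHA256 keyed with the base64-decoded account key, which is
why the key itself never has to leave the service."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT = "examplestorage"  # constructed sample account
# The two account keys from the notes; either validates a signature, which is
# what lets one key be regenerated while clients still use SAS tokens from the other.
KEYS = [base64.b64encode(b"key1" * 8).decode(), base64.b64encode(b"key2" * 8).decode()]
# Stored access policies are defined on the container (constructed sample).
POLICIES = {("uploads", "writer-2016"): {"sp": "rw", "st": "", "se": "2030-01-01T00:00:00Z"}}


def string_to_sign(params: dict, container: str, blob: str) -> str:
    """Fields in the order the service hashes them (2015-04-05 layout)."""
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([
        params.get("sp", ""), params.get("st", ""), params.get("se", ""),
        canonical, params.get("si", ""), params.get("sip", ""),
        params.get("spr", ""), params.get("sv", ""),
        "", "", "", "", ""])  # rscc, rscd, rsce, rscl, rsct: response headers, unused here


def sign(key_b64: str, text: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_sas(container: str, blob: str, *, permissions="", expiry="", policy=None, key_index=0) -> str:
    """Valet-key step: the lightweight service mints a SAS after authenticating
    the client; the client never sees the account key. With policy= the
    constraints live in the stored access policy rather than in the URI."""
    p = {"sv": "2015-04-05", "sr": "b", "spr": "https"}
    if policy:
        p["si"] = policy
    else:
        p["sp"], p["se"] = permissions, expiry
    p["sig"] = sign(KEYS[key_index], string_to_sign(p, container, blob))
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(p)}"


def check_sas(url: str, action: str, now: str):
    """What the storage service does per request: recompute the signature with
    each account key, then enforce the constraints from the URI or the policy.
    `now` and expiry are 'YYYY-MM-DDTHH:MM:SSZ' strings, which compare lexically."""
    parts = urlsplit(url)
    container, blob = parts.path.lstrip("/").split("/", 1)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    sig = q.pop("sig", "")
    expected = string_to_sign(q, container, blob)
    if not any(hmac.compare_digest(sign(k, expected), sig) for k in KEYS):
        return False, "bad signature (tampered, or signing key regenerated)"
    if "si" in q:
        policy = POLICIES.get((container, q["si"]))
        if policy is None:
            return False, "stored access policy revoked"
        perms, expiry = policy["sp"], policy["se"]
    else:
        perms, expiry = q.get("sp", ""), q.get("se", "")
    if q.get("spr") == "https" and parts.scheme != "https":
        return False, "https required"
    if not expiry or now > expiry:
        return False, "expired"
    if action not in perms:
        return False, f"permission {action!r} not granted"
    return True, "ok"


def revoke_policy(container: str, name: str) -> None:
    """Revocation without touching the account keys: every SAS bound to the policy dies."""
    POLICIES.pop((container, name), None)


def regenerate_key(index: int, new_key_b64: str) -> None:
    """Rotating one key invalidates only the SAS tokens that were signed with it."""
    KEYS[index] = new_key_b64


if __name__ == "__main__":
    now = "2016-06-01T12:00:00Z"
    adhoc = make_sas("uploads", "report.csv", permissions="r", expiry="2016-06-01T13:00:00Z")
    print("ad hoc read:", check_sas(adhoc, "r", now), "write:", check_sas(adhoc, "w", now))
    bound = make_sas("uploads", "report.csv", policy="writer-2016")
    print("policy-bound write:", check_sas(bound, "w", now))
    revoke_policy("uploads", "writer-2016")
    print("after revoking policy:", check_sas(bound, "w", now))
```

Note what happens to a tampered URI: editing `sp=r` to `sp=rw` changes the string-to-sign, so the recomputed HMAC no longer matches and the request is refused before permissions are even consulted. The ad hoc token, by contrast, has no off switch other than regenerating the key that signed it, which is exactly the revocation gap the notes describe.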
------------------------------------------------------------------------------------------------