---------------------------------------------------------------------------------------------
AZURE LEARNING NOTES ARCHITECTURE
=============================================================================================
Skills measured / Functional groups
---------------------------------------------------------------------------------------------
++ (1) Design identity, governance, and monitoring solutions (25-30%)
++ (2) Design data storage solutions (25-30%)
++ (3) Design business continuity solutions (10-15%)
++ (4) Design infrastructure solutions (25-30%)
=============================================================================================
++ (1) Design identity, governance, and monitoring solutions -> (1.1) Design governance
=============================================================================================
+ Governance = Rules & Policies <-> Enforce Compliance <-> Apply Policies
+ Governance Strategy = compliance + standards + regulatory
+ Tenant Root Group <-> Management Groups <-> Subscriptions <-> Resource Groups : Resources
+ Strategies = Azure Policies / Resource Tags
---------------------------------------------------------------------------------------------
+ Management Groups
  > limit regions for VMs
  > 1 user accesses multiple subscriptions via 1 role assignment
  > Monitor / Audit / Subscr / Role / Policy Assignment
+ Management Groups
  > aggregate policies and initiatives = Azure Policy
  > six levels (w/o root or subscr level)
  > RBAC authorization is not enabled by default
  > default = all subscriptions under the root mgmt group
+ Management Groups
  > Governance = apply policy at mgmt group level
  > flat hierarchy = 3 or 4 levels
  > top-level mgmt group = platform policy and RBAC = across the org
  > org or dept structure = sales / corp / IT mgmt groups
  > geo structure = compliance by region
  > production mgmt group = policies per APP in prod
  > sandbox mgmt group = isolation / test / VAT
  > isolate sensitive info = separate mgmt group
---------------------------------------------------------------------------------------------
+ Subscriptions
  > logical container = scale + billing boundaries = limits and quotas
  > types = Azure Plan / EA / Pay-as-you-go / Free trial / Azure for Students
  > organize workloads : scale outside a single subscription
  > envs = dev / test / prod
  > compliance = policies
  > manage and track cost
+ Subscriptions > grouped under a management group = same set of policies
+ Azure Roles
  > shared-service subscr = all common network resources = billing = ExpressRoute / vWAN
  > IoT / SAP = separate subscr < resource limits
  > service limits / quotas / constraints
  > 1 subscription = 1 or more legal depts
  > Policies in Mgmt Groups or Subscr, e.g. a Subscr for PCI compliance
  > Network Topology : VNETs across subscriptions : VNET peering , VPNs
  > Access Review : Azure AD PIM (Privileged Identity Management) : R&R
---------------------------------------------------------------------------------------------
+ Resource Groups
  > RG = logical containers = APPs : DB : storage accounts
  > resources = similar usage / type / location / logical groups
  > resource lifecycle = create / delete (at the same time)
  > RG = role permissions > grant access to an admin group for a group of resources
  > resource locks = protect individual resources = delete / change
+ Resource Groups
  > own region assigned = location where metadata is stored
  > if the RG region is temporarily unavailable = can't update resources = metadata unavailable
  > resources in other regions keep functioning > cannot be updated > metadata unavailable
  > resources in an RG can be in different regions
  > a resource can connect to others in different RGs
  > resources = MOVE between RGs > exceptions
  > resources = add / remove from RG
+ Resource Groups > cannot be nested
+ Resource Groups > 1 resource must be in exactly 1 RG
+ Resource Groups > cannot be renamed
+ RG > type|APP|dept-region-cc|org strategy|lifecycle|admin overhead|access ctrl|compliance
+ RG level > Azure Policies > Azure Roles > LOCKS | compliance = set RG metadata region
---------------------------------------------------------------------------------------------
+ Resource Tags
  > name-value pair > env:prod > env:test
  > 1 or more Tags per Azure Resource , RG , Subscription
  > PowerShell / Azure CLI / ARM Templates / REST API / portal.azure.com
  > RG = resources do not inherit TAGS from their RG
+ Resource Tags
  > Dept nomenclature > compliance > cost > location > confidentiality
  > tagging : IT-aligned : workload|APP|function|env|decisions
  > tagging : Business-aligned | accounting | BO | cost
  > functional > classification > accounting > partnership > purpose
  > few tags : scale out
  > policy : apply and enforce tagging rules > critical
---------------------------------------------------------------------------------------------
+ Azure Policy > create : assign : manage > control : audit resources > compliance
+ Azure Policy
  > individual policies | initiatives (groups of policies)
  > scope and enforce > levels > inherited down the hierarchy
  > evaluates resources > highlights non-compliant ones > prevents non-compliant resources
  > evaluates all Azure and Arc-enabled resources
  > integrates with DevOps > pre-deployment | post-deployment policies
+ Azure Policy > Compliance Dashboard : per-resource | per-policy | bulk + automatic remediation
+ Azure Policy > Evaluates resources on : create | delete | update | newly assigned | updated policy/initiative | every 24h
+ Azure Policy > non-compliant > deny change | log change | alter the resource before/after | deploy related compliant resources
+ Azure Policy > auto-remediate > apply | reapply tags
+ Azure Policy != RBAC > together = full scope
  > Policy > resource state compliant > independent of who makes the request
  > RBAC > controls user actions > a user with access to a non-compliant resource : policy still blocks
---------------------------------------------------------------------------------------------
+ Identity Management Solution > what resources each identity can access > enforce > monitor
+ RBAC > grant access to Azure resources
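Putting the Azure Policy and RBAC notes above together in code: the following is an added example (not from these notes) that models one deployment request passing through both gates, RBAC first (deny assignments, then additive role assignments scoped down the hierarchy) and then Policy (deny rules inherited from the management group where they are assigned). The scope tree, roles, principals, policy assignments and resources are constructed sample data; the policy rules use the real if/field/then/effect shape of an Azure Policy definition, and the tag lookup deliberately reads only the resource's own tags because resources do not inherit RG tags.

```python
"""Added example (not from these notes): a model of how Azure RBAC and Azure Policy
decide one deployment request together. RBAC judges the caller (deny assignments
first, then additive role assignments: Actions minus NotActions per role); Policy
judges the resource (rules inherited down the scope hierarchy). Scope tree, roles,
assignments, policies and resources are constructed; policy rules use the real
if/field/then/effect shape of an Azure Policy definition."""
from fnmatch import fnmatchcase
import re

# Constructed scope hierarchy: child -> parent (None = tenant root group).
SCOPE_PARENT = {
    "mg:root": None, "mg:corp": "mg:root", "mg:prod": "mg:corp",
    "sub:payments": "mg:prod", "sub:payments/rg:web": "sub:payments",
    "sub:sandbox": "mg:corp", "sub:sandbox/rg:lab": "sub:sandbox",
}
def scope_chain(scope):
    """Scopes from the target up to the root; an assignment at any of them applies."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain

_match = lambda action, pattern: fnmatchcase(action.lower(), pattern.lower())  # case-insensitive, '*' wildcards

# Role definitions; NotActions subtract only within the same role (Contributor
# cannot write role assignments even though its Actions is '*').
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "VM Operator (custom)": {"Actions": ["Microsoft.Compute/virtualMachines/read",
                                         "Microsoft.Compute/virtualMachines/start/action"], "NotActions": []},
}
ROLE_ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Reader", "sub:payments"),
    ("alice", "VM Operator (custom)", "sub:payments/rg:web"),
    ("bob", "Contributor", "sub:payments/rg:web"),
]
DENY_ASSIGNMENTS = [  # (principal, action patterns, scope); evaluated before any role
    ("bob", ["Microsoft.Compute/virtualMachines/delete"], "sub:payments/rg:web"),
]

def role_permits(role, action):
    r = ROLES[role]
    return any(_match(action, p) for p in r["Actions"]) and not any(_match(action, p) for p in r["NotActions"])

def rbac_check(principal, action, scope):
    """(allowed, reason): an explicit deny wins; otherwise one matching role assignment is enough."""
    chain = scope_chain(scope)
    for who, patterns, s in DENY_ASSIGNMENTS:
        if who == principal and s in chain and any(_match(action, p) for p in patterns):
            return False, "explicit deny assignment"
    for who, role, s in ROLE_ASSIGNMENTS:
        if who == principal and s in chain and role_permits(role, action):
            return True, f"allowed by role '{role}' assigned at {s}"
    return False, "no role assignment grants the action"

# Policy assignments; each is inherited by every scope beneath its assignment scope.
POLICY_ASSIGNMENTS = [
    {"name": "allowed-locations", "scope": "mg:root",
     "rule": {"if": {"field": "location", "notIn": ["westeurope", "northeurope"]}, "then": {"effect": "deny"}}},
    {"name": "require-env-tag", "scope": "mg:prod",
     "rule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                               {"field": "tags['env']", "exists": "false"}]}, "then": {"effect": "deny"}}},
]
TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
def field_value(resource, field):
    m = TAG_FIELD.match(field)
    # Tags are read from the resource itself only: resources do not inherit RG tags.
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    v = field_value(resource, cond["field"])
    if "equals" in cond:
        return v == cond["equals"]
    if "notIn" in cond:
        return v not in cond["notIn"]
    if "exists" in cond:
        return (v is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def policy_check(resource):
    """Names of the deny policies the resource violates (empty list = compliant)."""
    chain = scope_chain(resource["scope"])
    return [a["name"] for a in POLICY_ASSIGNMENTS if a["scope"] in chain
            and a["rule"]["then"]["effect"] == "deny" and matches(a["rule"]["if"], resource)]

def deploy(principal, resource):
    """Models a PUT on a resource: RBAC decides on the caller, Policy on the resource."""
    allowed, reason = rbac_check(principal, resource["type"] + "/write", resource["scope"])
    if not allowed:
        return "RBAC denied: " + reason
    violations = policy_check(resource)
    return "RBAC allowed, Policy denied: " + ", ".join(violations) if violations else "deployed"

VM_OK = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",  # constructed resources
         "tags": {"env": "prod"}, "scope": "sub:payments/rg:web"}
VM_WRONG_REGION = dict(VM_OK, location="eastus")
VM_UNTAGGED = dict(VM_OK, tags={})
VM_SANDBOX = dict(VM_OK, tags={}, scope="sub:sandbox/rg:lab")  # mg:prod policy does not reach here
```

Calling deploy("alice", VM_OK) fails at the RBAC gate (Reader plus the custom operator role grant no write), deploy("bob", VM_OK) succeeds, and deploy("bob", VM_WRONG_REGION) or deploy("bob", VM_UNTAGGED) is allowed by RBAC yet denied by Policy, which is the "together = full scope" point. The same untagged VM under the sandbox subscription is compliant because the tag policy is assigned at mg:prod, and bob's Contributor role still cannot delete the VM past his deny assignment or write role assignments past the role's NotActions.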
+ RBAC > request evaluation flow:
  [NO ACCESS] -> [retrieve assignments that apply] -> [evaluate deny assignments]
    <Explicit Deny?> Y -> Access Blocked
    N -> [evaluate role assignments] : security principal / action / scope
    <request match?> N -> Not Allowed
    Y -> <any conditions?> N -> Access Allowed
    Y -> <conditions met?> Y -> Access Allowed ; N -> Not Allowed
+ RBAC = allow model > RoleR = read permissions to RG ; RoleW = write permissions , etc.
+ RBAC > role definition + related permissions > assign to users | groups | service principals
+ RBAC > scope roles > MG|SUBSCR|RG|R < least privilege
+ ROLE = Reader (auditor) > MG|SUBSCR|RG
+ ROLE = R-specific|Custom|Contributor (devs, HelpDesk) > MG|SUBSCR|RG
+ ROLE = Owner (Admins) : MG|SUBSCR|RG
+ ROLE = Reader|R-specific|Custom|Contributor|Owner (R level) > Automated Processes
+ ROLE Overlapping > RBAC additive model > effective permissions = SUM(RoleAssignments)
---------------------------------------------------------------------------------------------
Azure Blueprints > repeatable set of governance tools > scale governance practices across the org
  [ compose ]---[ manage ]---[ scale ]
  [ RBAC/Policy/Templ ]---[ Blueprints ]---[ Subscr a,b,c ]
  Blueprint definition <-> Blueprint assignment
  RG <-> Subscr <-> new RG for the Blueprint
  ARM <-> Subscr|RG <-> Templates : nested + linked templates : SP + Azure ASC + Log Analytics
  Policy Assignment <-> Subscr|RG <-> Policy or Initiative to Subscr : scope : definition location
  Role Assignment <-> Subscr|RG <-> usr/group to built-in role
  Policy -> default allow and explicit deny > resource properties > governance > requirements + standards
  Policy -> included as one of many artifacts in a Blueprint > ongoing compliance > Blueprint
=============================================================================================
++ (1) Design identity, governance, and monitoring solutions -> (1.2) Design authentication and authorization solutions
=============================================================================================
+ IAM solution > Unified Identity Mgmt + Seamless user experience + Secure adaptive access + Simplified identity governance
+ Unified identity management > all identities + access + all apps + cloud/on-prem
+ Seamless user experience > fast sign-in + reduced psw mgmt
+ Secure adaptive access > strong authn + risk-based adaptive access policies
+ Simplified identity governance > control APP + data access : users + admins | Automated Identity Governance
+ Azure AD > IAM for employees in a cloud or hybrid env
+ Azure B2B > Collaborate with guest users + external business partners/suppliers/vendors
+ Azure B2C > Customers sign-up/sign-in > manage profiles for APPs
+ Azure AD > multitenant cloud-based DIR + IDM : DS + APP AM + IP = cloud or hybrid
+ Cloud identity Solution > AAD > IDM + Account protection > RBAC|CA|Access Reviews
+ Hybrid identity Solution > extend on-prem AD > AAD Connect | AAD Connect Cloud Sync < on-prem IDs
  > Centralize identity management > integrate on-prem + cloud DIR : 1 IDM for access to cloud|on-prem Rs
  > Establish a single Azure AD instance > +clarity -security risk -errors -config complexity
  > Don't synchronize on-prem High Privilege accounts to Azure AD > AAD Connect filters them out
  > Turn on password hash synchronization > sync user ID psw hashes from on-prem AD to AAD
  > Enable single sign-on (SSO) > no multiple psw on domain-joined devices > via GRP memberships
  > Azure B2B > partner users keep their own IDM | AAD not required
  > On-prem IDs [ADDS] -AADconn-> [AAD : internal USRs : on-prem USRs : guest USRs (B2B)] <-invites- [B2B] external IDs
  > B2B > 1. invite EXT guest USR > fill in form > 2. guest receives invitation e-mail : link
  > B2B > 3. MFA > mobile code > 4. access panel page > shared APPs + services > cloud or on-prem
  > B2B > Designate an application owner to manage guest users
  > B2B > Use conditional access policies to intelligently grant or deny access
  > B2B > Enable MFA > CA policy requires the MFA process
  > B2B > Integrate with identity providers > FB | MS accounts | Google | IdP > FED | IdP < ext ID
  > B2B > Create a self-service sign-up user flow > Sign-up IdPs + Custom B2B
---------------------------------------------------------------------------------------------
> B2C > Azure AD B2C is a type of Azure AD tenant > identities + APP access
> B2C > Secure Authn for customers : their IdP
> B2C > Capture Sign-in, Preference and Conversion Data : customers
> B2C > Custom attributes / customers > Branded registration / sign-in > ORG/CUST accts
  On-Premise IDs | Azure IDs | External IDs
  [ADDS] -AADconn-> [AAD] <-invites- [B2B]
                      + internal USRs
                      + on-premise USRs
                      + Guest USRs (B2B)
  [AAD B2C] <-APP reg- [X] <-USR flow
> B2C > Configure user journeys by using policies = USR creates a new account : USR flows
> B2C > Use identity providers to let users sign in using their social identity = FB : LinkedIn : MS
> B2C > Customize your user interface = HTML/CSS : page layout templates
> B2C > Integrate with external user stores = 100+ custom attributes per USR | external CRM
> B2C > Third-party identity verification and proofing = trust scoring | approve USR acct creation
---------------------------------------------------------------------------------------------
> CA > Conditional Access > allow/deny access|sign-in : who the USR is / where / device : MFA / deny
  [USR] -> [ Conditions ] -> [ Actions ] -> On-Premises / Cloud [APPs]
    Conditions : USR/GRP ^ cloud APP ^ device state ^ location (IP range) ^ client APP ^ sign-in risk
    Actions : Allow Access ^ Enforce MFA (per USR : per APP) x Block Access
> CA > Require multifactor authentication (MFA): 2nd Authn per APP | MFA per USR (admins | ext USRs)
> CA > Require access to services only through approved client applications: O365 | mobile APP
> CA > Require users to access applications only from managed devices: Security STD / Compliance
> CA > Block access from untrusted sources: unknown/unexpected locations
> CA > Use for enabling multifactor authentication for more granular control: unexpected locations
> CA > Test by using report-only mode: impact | block legacy authn | require MFA | sign-in risk policy
> CA > Exclude geographic areas from which you never expect a sign-in: Policy/Block
> CA > Require managed devices: access only via a managed device
> CA > Require approved client applications: manage data & access
> CA > Respond to potentially compromised accounts: USRs MFA | high-risk USRs PSW change | M/L-risk USRs MFA
> CA > Block access > block USR/ORG | sign-in | block NTW location | block legacy auth APP
> CA > Block legacy authentication protocols > older protocols / password spray attacks
> CA > Use the What If tool: troubleshoot CA Policies / Test before implementing
---------------------------------------------------------------------------------------------
> IP > Identity Protection > Automate | detect | remediate ID-based risk / Investigate risk / Export risk detection data
  Sign-in risk flow:
  (1) USR sign-in attempt -> Azure AD
  (2) AAD real-time sign-in risk : USR sign-in w/o challenge
  (3) USR risk level : IP = real-time sign-in risk + existing USR risk level
  (4) AAD evaluates USR risk / IP : IdP policy per USR
  (5a) Scn1: no USR risk / below threshold / no POL -> sign-in proceeds
  (5b) Scn2: USR risk level ~ POL : POL applied -> USR: MFA / PSW change or Blocked
> IP > risk policies : AAD IP : identify suspicious actions : USR accts > (USR | sign-in) risk
  (diagram: risky users / risky sign-ins)
  (diagram: 5 risk detections -> risky detections)
> IP > sign-in risk policies : probability of non-authz by the identity owner : sign-in risk
> IP > sign-in POL : Anonymous IP address : Tor : anonymized VPNs
> IP > sign-in POL : Atypical travel : 2 distant GEO locations : 1 atypical based on history
> IP > sign-in POL : Malware linked IP address : malware <--> bot SRVR
> IP > sign-in POL : Password spray : defeats PSW lockout : many USRs, 1 password
---------------------------------------------------------------------------------------------
> AccessReview > Employee hired, no access --> 1st job --> 2nd job --> Employee leaves company
> AccessReview > User access to applications integrated with Azure AD for single sign-on
> AccessReview > Group memberships (synced to Azure AD, or created in AAD or M365 + MS Teams)
> AccessReview > Access Packages that group resources: GRPs | APPs | Sites
> AccessReview > Azure AD roles and Azure Resource roles as defined in PIM
> AccessReview > Resource owners | delegates by AR admin | end-user self-attest > (automatic | manual) actions | commn
---------------------------------------------------------------------------------------------
> Service Principals / APPs > Azure managed identity (AAD) > APP authn < Azure Resources | Services
> SP > Managed Identities > no need to manage credentials/secrets > secure comm between components
> SP > MI > identity for APPs AAD authn > APPs --MI--> AAD tokens > APP --> Azure Key Vault [cred | storage acct]
> SP > MI > Azure AD authn + Azure RBAC > no need to rotate creds | no expiring certs > use token to call service
> SP > when MI > Client ID: A unique ID that's linked to the Azure AD application and SP
> SP > when MI > Object ID: The service principal object of the managed identity
> SP > when MI > Azure Instance Metadata Service: REST API | ARM VM | endpoint accessible from the VM only
> MI > Dev APP [VM|APP svc|Funct|Container|Kubernetes|Logic] -- [AAD authn | APPs | AKV | Storage | SQL]
> MI > Enable/Disable MI at R level > RBAC > Create|Read|Update|Delete > Activity Logs > sign-in: Azure AD sign-in logs
> MI > SYS-assigned: SRVC lifecycle > del SRVC = del MI >
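The sign-in risk detections listed above (anonymous IP address, atypical travel, password spray) expressed as detection logic a defender could run over sign-in logs, as an added example that is not part of these notes and not how Azure AD Identity Protection is implemented. The event format, the anonymizer network list, the travel-speed threshold and the spray window/threshold are assumptions made for this example; the events are constructed and use documentation address ranges only.

```python
"""Added example, not part of these notes: detection logic for three of the
Identity Protection sign-in risk signals (anonymous IP, atypical travel,
password spray) over constructed sign-in events. Event format, anonymizer
list and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (documentation/test address ranges; no real users).
EVENTS = [
    {"ts": "2023-05-01T10:00:00", "user": "alice", "ip": "192.0.2.10", "lat": 52.37, "lon": 4.90, "ok": True},
    {"ts": "2023-05-01T11:30:00", "user": "alice", "ip": "192.0.2.77", "lat": -33.87, "lon": 151.21, "ok": True},
    {"ts": "2023-05-01T10:00:00", "user": "bob", "ip": "192.0.2.11", "lat": 52.37, "lon": 4.90, "ok": True},
    {"ts": "2023-05-01T11:00:00", "user": "bob", "ip": "192.0.2.12", "lat": 51.51, "lon": -0.13, "ok": True},
    {"ts": "2023-05-01T12:00:00", "user": "carol", "ip": "198.51.100.9", "lat": 48.86, "lon": 2.35, "ok": True},
] + [
    # One failed attempt per account from the same source inside a short window: the
    # "many users, one password" pattern that stays under per-account lockout.
    {"ts": f"2023-05-01T09:00:{i * 10:02d}", "user": f"user{i}", "ip": "203.0.113.7",
     "lat": 40.71, "lon": -74.01, "ok": False}
    for i in range(6)
]

# Constructed list standing in for an anonymizer / Tor exit-node feed.
ANON_NETWORKS = [ip_network("198.51.100.0/24")]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_anonymous_ip(events, networks=ANON_NETWORKS):
    """Sign-ins whose source address falls in a known anonymizer range."""
    return [(e["user"], e["ip"]) for e in events
            if any(ip_address(e["ip"]) in n for n in networks)]

def detect_atypical_travel(events, max_speed_kmh=900):
    """Consecutive successful sign-ins by one user whose distance/time implies a
    speed no traveller reaches (Azure AD uses per-user history; a fixed threshold here)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and km / hours > max_speed_kmh:
                flagged.append((user, prev["ip"], cur["ip"], round(km / hours)))
    return flagged

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs failing against at least `min_users` distinct accounts within
    `window`; per-account failures stay low, so lockout never triggers."""
    fails = sorted((e for e in events if not e["ok"]), key=_ts)
    flagged = set()
    for i, first in enumerate(fails):
        users = {e["user"] for e in fails[i:]
                 if e["ip"] == first["ip"] and _ts(e) - _ts(first) <= window}
        if len(users) >= min_users:
            flagged.add(first["ip"])
    return flagged

if __name__ == "__main__":
    print("anonymous IP:", detect_anonymous_ip(EVENTS))
    print("atypical travel:", detect_atypical_travel(EVENTS))
    print("password spray:", detect_password_spray(EVENTS))
```

Run as a script it reports carol's sign-in from the anonymizer range, alice's Amsterdam-to-Sydney pair (about 16,650 km in 90 minutes) and the single source address that failed against six accounts within one minute, while bob's Amsterdam-to-London pair stays under the speed threshold. Each finding maps to the Conditional Access responses in the notes above (MFA for medium/low user risk, password change for high risk, block for untrusted locations) rather than to an automatic lockout, which is exactly what a spray is designed to avoid.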
  WL: single Azure R | independent identities
> MI > USR-assigned: MI MGMT separate from the R > WL: multiple Rs share an MI | pre-authz flow | permission consistency
> MI > Vault Authn > svc PSW | conn STRG | secrets > AKV - web APP - MI > register APP | AAD token
  Access to a Resource secured by an Azure AD tenant > the entity needs to be represented by a Security Principal
  > Requirement is true for both users (user principal) and applications (service principal)
  > Security Principal: defines the access POL + perms for a user/application in the Azure AD tenant
  > SP types > APP | MI | Legacy > APP: local representation of the global APP object | SP for MI | legacy SP: cred : SPN : reply URL
  > APP obj | SP > APP obj: GLOBAL | SP: local > APP obj (1:1) APP | APP obj (1:many) SP obj
  [AAD Tenant A: [APP] --> (SP)] ---> [AAD Tenant B: (SP)]   SP = instance of an APP ; SP : APP obj ; APP obj : multiple SPs
  ( SUBS1 [Funct] [R] ) ( SUBS2 [Obj] [R] )
  > USR consent > OAuth 2.0 authz protocol > 3rd-party APP: access a web-hosted resource on behalf of the USR
  > Permissions > delegated | APP perm > delegated: APPs | signed-in USR | USR gives perm > APP perm: no signed-in USR
  > Effective perm > APP can never have more privileges than the signed-in user
  > Effective perm > Admin roles: USR membership | signed-in USR policy
  > User.ReadWrite.All > delegated permission Admin | regular USR < APP permission < all ORG
---------------------------------------------------------------------------------------------
> Azure Key Vault > Secrets Management > access to tokens | passwords | certificates | API keys
> Azure Key Vault > Key Management > create | control : encryption keys > encrypt data
> Azure Key Vault > Cert Mgmt > enroll | manage | deploy public/private TLS/SSL certs > internal connected Rs
> Azure Key Vault > 2 tiers > STD: software keys > Premium: HSM-protected keys
> AKV > Separation of sensitive app information from other configuration and code
> AKV > Restricted secret access with access policies for the APPs and USRs that need them
> AKV > Centralized secret storage > changes happen in only one place
> AKV > Access logging and monitoring > understand how and when secrets are accessed
> AKV > Allow customers to own and manage their own keys | secrets | certificates
> AKV > APPs: KEYS for signing and encryption > key management external to your APP
> AKV > manage creds: psw | access keys | SAS tokens | store in AKV as secrets > manage certs
> AKV > Keys + SAS (Shared Access Signature): R client access | perm on R | how long the SAS is valid
> SAS when > Storage Acct: upload/download > front-end PROXY service | Authn > lightweight service: authn + generate SAS -- Storage Acct
=============================================================================================
++ (1) Design identity, governance, and monitoring solutions -> (1.3) Design a solution to log and monitor Azure resources
=============================================================================================
+ Azure Monitor : common data platform : logs | metrics | queries | near-real-time | Kusto query
> Monitor > [APP|OS|R|Subsc|Tenant] -> [metrics|logs] -> insights: APP | VM | Container | Monitoring Solutions
           -> [metrics|logs] -> integrate: Logic APP / export APIs -> Analyze: Metric | Log | Analytics
           -> [metrics|logs] -> respond: alerts | autoscale -> visualize: dashboard | PowerBI | views | workbooks
  Data sources -> destinations:
  [ APP data ] [ OS data ]
    [ Diagnostics Extension ] -> Azure Monitor Metrics (win) | Azure Event Hubs | Azure Storage
    [ Log Analytics Agent ] -> Log Analytics workspace
    [ Dependency Agent ] -> Virtual Machine Insights
  [ Azure resource data ] [ Azure subscription data ] [ Azure tenant data ]
    [ Azure Active Directory ] -> Azure Monitor logs | Azure storage (archiving) -> Azure tenant logging solutions | Telemetry | AAD Audit Logs
  [ Custom Sources ] [ APP Code ] [ OS ] [ Azure Resources ] [ Azure Subscription ] [ Azure Active Directory tenant ]
    -> [ Logs ] -> Log Analytics
    -> [ Audit Logs ] -> Azure Portal
    -> [ Storage ]
    -> [ Event Hub ] -> non-Azure destinations -> OS logging solutions
  [ Custom Sources ] [ APP Code ] [ OS : diag ext / Log Analytics agent / dependency agent ] [ Azure Resources ] [ Azure Subscription ] [ Azure Active Directory tenant ]
    -> [ Metrics ] -> Metrics explorer
    -> [ Logs ] -> Log Analytics
    -> [ Storage ]
    -> [ Event Hub ] -> non-Azure destinations
> Azure Monitor > Design for Log Analytics | +1 Workspace per Azure Subscription
> Azure Monitor > LAW : Geo-location of Data Storage | Data Isolation | Scope : pricing tier : Retention : Capping
> Azure Monitor > Access Control > log to a specific region for compliance | centralized : decentralized : hybrid
> Azure Monitor > avoid outbound data transfer charges : same-region data charges
> Log Analytics Agent: +1 workspaces (SCOM mgmt grp): up to 4 workspaces
> Azure Monitor > Access Control > RBAC: "VM logs" only to the "VM Team"
> Azure Monitor > Access Mode : Access control mode : Permissions : Table-level Azure RBAC
> Access Mode > who is each model intended for? workspace-context vs resource-context
> Access Mode > what does the user require to view logs? scope permission? how does the USR access logs?
  [ TEAMS ]        [ RBAC ]                [ Azure Monitor Log Access ]
  Central IT ..... central admin .... owner ... ( Log Analytics Workspace shared )
  APPs Team 1 .... APPTEAMGRP1 .............. ( RG APPTEAM1 ) .. R context
  APPs Team 2 .... APPTEAMGRP2 .............. ( RG APPTEAM2 ) .. R context
> Azure Workbooks > logs | metrics | AR Graph | alerts | workload health | Azure Data Explorer
  Logs | Metrics | Az Resource Graph | Alerts | Workload Health | Az Resource Health | Az Data Explorer
  Real power of workbooks = combine data from disparate sources = single report
> Azure Insights > App | container | Cosmos DB | netw | RG | storage | VM | KV | Az Cache for Redis
  > APPS: Extensible Application Performance Management (APM)
  > container > Azure Kubernetes Service (AKS)
  > VM > virtual machine scale sets at scale
  > KV > Key Vault requests, performance, failures, and latency
> Azure Insights > dependency rates | perf | rt | failure rate | pageviews | AJAX calls | usr | sessions
> Azure Insights > performance counters | VM cpu | mem | netw use | host diag | trace logs | custom events
> Azure Monitor VM insights > Health | VMs at scale across multiple subs and RGs
> Azure Monitor VM insights > Az VM scale sets | hybrid VMs -- Azure Arc | On-Prem VMs | VMs in other clouds
> Azure Monitor container insights > resource bottlenecks | controller | pod | overall perf
> Azure Monitor container insights > average & heaviest load | alerts | thresholds | queries
> Prometheus > AKS engine on-prem | ARHOS | Az Arc
> Azure Data Explorer > fast and highly scalable data exploration service | log | telemetry data
=============================================================================================
Skills measured / Functional groups
---------------------------------------------------------------------------------------------
++ (1) Design identity, governance, and monitoring solutions (25-30%)
---------------------------------------------------------------------------------------------
Design a solution for logging and monitoring
+ Design a log routing solution
+ Recommend an appropriate level of logging
+ Recommend monitoring tools for a solution
Design authentication and authorization solutions
+ Recommend a solution for securing resources with role-based access control
+ Recommend an identity management solution
+ Recommend a solution for securing identities
Design governance
+ Recommend an organizational and hierarchical structure for Azure resources
+ Recommend a solution for enforcing and auditing compliance
Design identities and access for applications
+ Recommend solutions to allow applications to access Azure resources
+ Recommend a solution that securely stores passwords and secrets
+ Recommend a solution for integrating applications into Azure Active Directory (Azure AD)
+ Recommend a user consent solution for applications
---------------------------------------------------------------------------------------------
++ (2) Design data storage solutions (25-30%)
---------------------------------------------------------------------------------------------
Design a data storage solution for relational data
+ Recommend database service tier sizing
+ Recommend a solution for database scalability
+ Recommend a solution for encrypting data at rest, data in transmission, and data in use
Design data integration
+ Recommend a solution for data integration
+ Recommend a solution for data analysis
Recommend a data storage solution
+ Recommend a solution for storing relational data
+ Recommend a solution for storing semi-structured data
+ Recommend a solution for storing non-relational data
Design a data storage solution for non-relational data
+ Recommend access control solutions to data storage
+ Recommend a data storage solution to balance features, performance, and cost
+ Design a data solution for protection and durability
---------------------------------------------------------------------------------------------
++ (3) Design business continuity solutions (10-15%)
---------------------------------------------------------------------------------------------
Design a solution for backup and disaster recovery
+ Recommend a recovery solution for Azure, hybrid, and on-premises workloads that meets recovery objectives (Recovery Time Objective [RTO], Recovery Level Objective [RLO], Recovery Point Objective [RPO])
+ Understand the recovery solutions for containers
+ Recommend a backup and recovery solution for compute
+ Recommend a backup and recovery solution for databases
+ Recommend a backup and recovery solution for unstructured data
Design for high availability
+ Identify the availability requirements of Azure resources
+ Recommend a high availability solution for compute
+ Recommend a high availability solution for non-relational data storage
+ Recommend a high availability solution for relational data storage
---------------------------------------------------------------------------------------------
++ (4) Design infrastructure solutions (25-30%)
---------------------------------------------------------------------------------------------
Design a compute solution
+ Recommend a virtual machine-based compute solution
+ Recommend an appropriately sized compute solution based on workload requirements
+ Recommend a container-based compute solution
+ Recommend a serverless-based compute solution
Design an application architecture
+ Recommend a caching solution for applications
+ Recommend a messaging architecture
+ Recommend an event-driven architecture
+ Recommend an automated deployment solution for your applications
+ Recommend an application configuration management solution
+ Recommend a solution for API integration
Design migrations
+ Evaluate a migration solution that leverages the Cloud Adoption Framework for Azure
+ Assess and interpret on-premises servers, data, and applications for migration
+ Recommend a solution for migrating applications and virtual machines
+ Recommend a solution for migrating databases
+ Recommend a solution for migrating unstructured data
Design network solutions
+ Recommend a network architecture solution based on workload requirements
+ Recommend a connectivity solution that connects Azure resources to the internet
+ Recommend a connectivity solution that connects Azure resources to on-premises networks
+ Optimize network performance for applications
+ Recommend a solution to optimize network security
+ Recommend a load balancing and routing solution
---------------------------------------------------------------------------------------------
+ Azure Monitor
+ Azure Advisor
+ Azure Service Health
+ Azure Help + support
+ Azure Analytics
+ Azure APP insights
+ Azure PIM : just-in-time access
+ Azure Front Door
+ Azure Application Gateway LB
---------------------------------------------------------------------------------------------