Microsoft Azure Master Class Part 9 - Monitoring and Security

Reddit Comments

John, all your azure videos are great, thanks for the content

4 points · u/DeveloperBRdotnet · Nov 03 2020

Thanks for the great content! Now please do a writeup of your program and post it to /r/weightroom 😄

2 points · u/[deleted] · Nov 04 2020

There is a ton of azure info out there but what sets these apart is how he talks through the application of all the different components. Excellent stuff.

1 point · u/barf_the_mog · Nov 04 2020

Been watching your videos since you first started posting. Would love to see a collaboration between you and Aiden Finn. No idea what it would look like or entail mind. But still.

1 point · u/Moral_Insanity · Nov 05 2020
Captions
hey everyone welcome to the monitoring and security part of the azure master class we're really going to focus on kind of a very holistic view of monitoring all our various azure resources and then thinking about taking that monitoring data and then applying that to sort of security scenarios so taking it to the next step it's going to get rid of this and then i actually want to look at a couple of special technologies in terms of managed identities and azure key vault to really hone our overall security posture minimize having credentials and secrets just kind of lying around but first i've mentioned it a few times in the past but please make sure you go and check out the github repository on the github repository for this course i'm actually diving into all of the different materials so here we can actually see so there's a folder for each of the various modules there's an index page with links to other videos you can go and click on there's other supplementary videos to give you information in each folder it's now all organized so you can see things like well there's the whiteboard of the session and there's the handout of the slides and any kind of other artifacts maybe powershell scripts etc so if you're asking well where's this where's that well it's all there in the github repository so go and check that out and as always if this is useful please go ahead and give this a like subscribe comment and share so monitoring in azure um azure is a shared responsibility model that's really a huge part of maybe what's different than when i think about monitoring on premises so i've drawn this a whole bunch of times but it's really kind of important to understand the idea that we have things like well there's the storage there's the network there's the computer there's the hypervisor then there's an operating system a runtime a middleware an app and the data and again as we talked about in the past on-prem you're kind of responsible for all of those things in the cloud 
there's very much kind of a hard line here that all of that well that's the responsibility definitely of azure and sometimes you'll hear kind of a racy model um kind of an r a c i and it's about people that are responsible are you actually doing the stuff people that are accountable people that need to make sure it's actually done people that are consulted so hey i need your input about doing this and then informed hey i'm just telling you but i don't really need your input on that thing so when i think about the cloud where these models vary depends on is it is is it paz is it sas so in kind of an iaz world i'm really at minimum accountable now say responsible as well but the reason i kind of caveat that is that there are all these different agents so there's all these extensions where i can have things like the patching the backup the antivirus the firewall the configuration automatically apply best practices whatever extensions that can do that for me so the responsible party i could actually shift and let azure do that for me now it's a tooling at the end of the day she could still argue people in my company are responsible to use that tooling but certainly it's my responsibility it's my accountability to make sure all of this is done so in an iaz world kind of all of those things definitely i'm kind of responsible for and i'm accountable for now as i move up if i talk about paz when a paz weld it it's there is the line i am responsible and accountable for my app and my data but even the os the runtimes the middlewares i select that based on the platform and then azure becomes responsible for the other parts now even with that said what's kind of important is even these bits that's azure's responsibility they're accountable for it i might still want to be informed so me as the customer sure asha that's all you but you know what um i still want to be informed i want to know about that things be it paz or be it is and in fact if it's pairs and azure is 
responsible for these well i still want to minimum be informed i want to know if there's a problem with saying underlying now sometimes you may actually be consulted if you think about things like the fabric updates you're told hey there's going to be a maintenance window in 35 days time technically for some services you can say actually it doesn't work for me instead i want to do the maintenance window in this time window so i can actually give some input i i'm kind of being consulted on those things so i can actually modify how that actually all comes together but certainly even if i'm not responsible i still want to know so when we think about monitoring it's still important i understand all of these things are happening and i need some insight into them for example if you think about networking hey on my networking i have gateways they're provided by azure via a vpn gateway or an express route gateway the resources in my v-net but i have no access to them whatsoever but if they're erroring i need to know i might want to be able to see the performance i want to see metrics in them so again that informed i want to be able to see into those resources even if i'm not responsible so as we move up from i as to pass to sas i am responsible accountable for less and less it shifts up but i still want to know about these things when i think about starting to plan out my monitoring have a plan understand what my organization's requirements are for knowing about how it's going to respond and who would be notified is there going to be kind of auto remediation do i have maybe workbooks or logic apps or plans playbooks to respond to certain types of things so i have to know as a company what is my plan how will i actually react to these things as i talked about i still want to know about service health i still want to know about availability even if i'm not responsible for it ultimately i might be accountable for all up service that's built on those things so i need to know 
if there's a problem now obviously when i architect solutions i try and remove any single point of failure i always think about using availability sets availability zones multiple regions redundant connections be express rail or site-to-site vpn to different locations different meet me's i try and eliminate any single point of failure but things can still happen maybe it's just a degradation in my capacity but i need to know about that so i want to be aware of these things and when i think about monitoring very logically uh azure monitor is that primary conduit into all of that kind of data i might care about and also responding so what i want to do now is kind of walk through the layers that i can get data from i'm really going to break this into three big sections as i think about where i can get data from where i can put it what can i do with it and then how i can build security on top of it so that's kind of that high level view for what i want to do with this presentation so they're the layers so let's kind of move along and think about what elements do we have in our complete azure architecture so the top level well there's azure ad always have an azure ad tenant and that that's critical that provides all of kind of the authentication the authorization for my resources and if i think about what comes in from there well i have audit logs i have sign-in information and there are some other things as well and for example risk there's other elements that can actually come in from my azure id and all of these things by default if i'm in the premium plans they're retained for kind of 30 days um on the free i think it's seven for most of them so there's a certain amount of retention just kind of built in for those things so i get audit logs things that are changing happening around the azure id and then sign-in events sign-in events are obviously very useful for trying to spot well is there an attack just telemetry well how are people interacting with my tenant and 
if we actually jump over for a second so if i jump over and let's go and look at our subscriptions and i'll go and look at my azure ad so if i quickly just search for where's it gone i've lost my azure active directory there it is so my azure id well i can see when i go to my monitoring down here i can see yep i've got those sign-ins i've got those audit logs now you can also see there's like now provisioning logs there's various other pieces of information but i can see detail all about what's happening in my azure ad instance and i'm not going to go into any detail on this now but also what you'll see is this diagnostic settings option so i'm just showing you how i can change things in the future we're going to come back to this but you can see i can kind of do this ad diagnostic setting i can see all the different types of logs there actually are and i have these destination details log analytics a storage account and an event hub super interesting we'll come back to that later so my azure ad well then of course i have my subscription so i think about okay well now i have my azure subscription i may have multiple subscriptions if i think about what happens at a subscription level well i have this all-important activity log remember the activity log of things happening at the azure resource manager level hey i'm creating a resource deleting a resource modifying a resource rotating a key all of those things would actually show here in my subscription now that activity log also includes logs related to service health so that can be important when i'm trying to figure out what's going on in my environment and when i think about the activity log that's going to be kept for 90 days by default yes so this has a built-in retention of 90 days so i can always go back kind of three months and see what's been happening and once again if we jump over and look at this go and look at a subscription what we're going to see once again is if i just jump out if i go and look at my 
subscription once again i can see that activity log it's right there showing me all of the results this is just the last six hours really nothing is happening here now i did mention that service health i talked about that in resiliency if i just quickly looked at service health you'd see service health has various kind of service issues i have health history i have health alerts so all of those things would also surface up through that activity log if i go back to my subscription and i kind of have all of these kind of activity log options here what you'll see up here at the top once again is diagnostic settings and once again i can add diagnostic settings i see there's various types of logs notice i have resource health service health recommendations policy auto scale and i have those same three destinations again at this point you're seeing a little bit of a pattern now within the subscription i have my resources so at the azure resource manager level i can think about okay well the sub it has stuff in it and i'm gonna jump over to the original blue again so now the azure resource manager level i have my arm azure resource manager resources this could be a virtual machine a container a virtual network a storage account an aks cluster now my arm resources are really spitting out two different things i can think about well out of those i have metrics and there's kind of like an mdm an internal name for that and metrics these are just out of the box oob turned on they're just there and they are retained for 90 days so there's actually a metric store i can go and interact with and look at 90 days of metrics they're just there by default and what you'll often hear this kind of talked about is this metric is a fast pipeline basically it's sub 60 seconds so it's saying happens within 60 seconds i should know about these these are very lightweight and these are essentially numeric so when i think about metrics it's out of the box they're turned on and they're numeric so 
they're just numbers they're numeric values only but they're lightweight they're super fast and it's very good to react to these because it's a fast pipeline hey at cpu thresholds over a certain number i've had a certain thing happened i'm a certain iops i'm at a certain threshold of something metrics are super good for that so i'm spitting out metrics the exact metrics will vary by resource but pretty much every resource has some manner of metrics even for example availability there's a metrics around that and then we have logs now once again the exact logs are going to vary greatly different resources will have different types of logs available these are text or numeric and the collection is sporadic really depends on when they're generating and there's definitely going to be a lag it's not submitted on these so for these i have to actually configure they do not exist there is no log store just native in the subscription they're not going anywhere they don't exist they don't come into existence until i configure the collection of locks and the exact logs i want at the point i can figure it then they spring into existence and then they go to wherever i tell them to go so these can be numeric oops numeric or text again it's that more sporadic type information but again they don't exist until configured that's kind of important point they're not just like oh there's somewhere i can go and grab them until you configure that collection they're nowhere and once again just like the other types of resource if we jump over and look at something uh let's pick um i don't know now this does vary by particular types of resource so i'll try and find something that i think will likely have this let's go to um we'll go to a cosmos db you'll see i have a whole load of like there's alerts there's metrics and i have diagnostic settings and once again here you can see i have all these different types of logs there's various metrics and i have these destination details and complete 
shock and surprise to us all i can send it to log analytics i can send it to archive well i can stream it to an event hub and again i'm going to come back to exactly what these mean okay so we have the resources that spit out all of these different types of information and i can go and query that metric store i can query directly i can go and look at a resource and i can look at that directly from within that resource now depending on the type of the resource here well there might actually be kind of a an operating system so within this resource i can always think about well there might be an os it could be windows it could be a linux and so what we can do here is there's different types of collection there's like a a diagnostics extension there are various agents and what these will actually do is once again they can spit out their own sets of metrics and their own sets of logs now these will be different when i look at metrics here these are typically metrics of the azure resource maybe for a vm it's things it sees at the host the hyper-v host level that it translates to a vm here i'm looking at metrics inside the guest os so if i look at the cpu it's the cpu the guest believes it's using here these would be the os logs maybe the iis logs i'm capturing saying from a linux box so here these are a little bit different and i'm writing os and i'm writing it coming from an arm resource but realize as soon as we start getting into the agent mode well that that really changes what we could do so right and this agent it could also be a resource over here that has that same agent on it so this could be on premises it could be another cloud because it's just an agent running inside the guest so i could actually install the agent and then with that i get back to there and i can feed that stuff to wherever we happen to send this and again we're going to dive into that so i have the idea of okay i've got this these agents these extensions i can gather things inside the 
resource now i also talked about the layers and i might have custom applications so another thing i can actually have is well if i have my app there's something called app insights and this is basically where i enable my application it can be codeless attach but basically i i put in the scaffolding so my application is now linked in and once again for app insights i can get various kind of metrics and logs about now the functionality of my application how it's performing what it's talking to work out mapping dive into when there's problems so by actually enabling my application for app insights again i can either build this in a compilation time or for most things i can do a codeless attach i don't have to change the app at all but the execution it can kind of plug in to the runtime like j2e.net and it will just still gather all of these various pieces of information for me but it can spit out metrics it can spit out logs and then of course i may just have custom i can have custom stuff that's going to build in data so i have all these different things that can bring in and generate data now there are some things that i'm going to talk about where this is all going to go there are some things that maybe don't send or everything to for example the metric store hd insight is a good example hd insight and hadoop cluster sends some things it services some stuff up for azure monitor but at some stuff it doesn't so when i think about the really deep monitoring i actually have to go inside my hadoop cluster and there's a separate set of tooling i would leverage to get the full insight things like aks and kubernetes there's different things we want to visualize and again i can kind of scrape the data but to get the level of insight typically we use thing called prometheus prometheus has its own kind of server to gather the data or now we can actually scrape it into metrics and then there's kind of a pod we can run that can send it to prometheus and so there's different 
things we can do with the data the point is there's a massive number of sources and if you think the holistic picture i need to kind of look at all of them i mean i need to understand all these different things from my azure id to the subscription and to my arm resources to if there's an os the things running inside maybe things on prem are part of an all up solution maybe my custom applications and maybe just some other custom feed so i've got some custom something maybe it's using a rest api that i'm going to use to send stuff okay so for all of these things where can i send this stuff i i kind of alluded i've shown these things already i showed that diagnostic settings it was common across everything so i can think about okay where am i sending it to so we have these diagnostic settings i.e where i can put things so for all of those options where i showed you i really have three places i can send it we talked about storage so this is just an azure storage account blob blob is nice because it's cheap so it's i might use it for kind of long-term retention i just want to keep it somewhere because i have to storage is great for that okay then that's one option then i can have event hub so event hub is that kind of publish subscribe where i can push events to it and then people can subscribe to them so this would be super useful if you think about well i had some kind of third party sim solution i have some external monitoring that maybe like a splunk i just want to get the feed of the things from these other resources so here with diagnostic settings i could publish it to a certain event hub my third party sim could subscribe to that event hub and actually then receive everything that's going on get that data use it in the race of a ticketing system do whatever i wanted to do so i have that ability as well and then kind of what from an azure perspective the superhero we have log analytics now you also this is called azure monitor logs it's kind of the correct name 
now but that's still built on a log analytics workspace a workspace is a particular unit of storage and kind of analysis capability and i can think of log analytics as really that phenomenal store massive scale the data is broken into tables of certain formats which i can then store for a period of time and actually interact with i can run queries against to actually get data from it so for log analytics it's kind of a two year max retention that's the max but that retention is configurable because i pay for this so the metrics store that i talked about metrics you don't pay anything for that but with log analytics for most things i've written green green for money and there's there's cost there's cost for the ingestion so actually getting the data into it and then there's cost for the storage itself now there are some data feeds that you don't pay for some of them can actually be marked as non-billable and you don't pay for example office 365 um has an integration where i have something called sentinel that sits on top of this where that's marked as non-billable so i do not pay for that data so there are exceptions to this but typically i'm going to pay for the data that gets ingested in and then i'll pay for the amount of data i store so i can change to attention in my log analytics workspace to really optimize well how much do i want to pay for and in addition to this i can actually kind of set caps so i can kind of set an ingestion cap so hey don't ingest more than this amount a day to control my costs and then again i can configure that retention interval to kind of map what i want to do but the key point of this one for log analytics is hey yeah i want to store the data but then i'm not just storing it i want to do i want to analyze the data as well i actually want to get insight into well let's see some trends let's see what's happening i can bring lots of different things i can write very complex queries to give me full insight into this now i kind of drew 
the idea that everything has these common diagnostic settings and that's mostly true but when i start to get into agents when i start getting things like app insights that's not true so for these things here well they go to log analytics likewise had those custom things most of the time trying to get the line right they also go to log analytics there are some things that can write into the azure metrics store but for the most part all of these these are just going to go to log analytics so you might be saying well that's a problem i was really hoping to get the data from that log analytics agent running in these os to my event hub or i want to store it for that long term retention now remember i talked about this log analytics is actually made up of kind of tables there's tables where it organizes the various types of data so what i can actually configure is an export at a per table granularity there's no additional filtering i can't say just these types of record but i can say this table i want to export and i can export it both to event hub and i can export it to storage the event hub export is pretty much real time the storage is hourly if i wanted to be more granular in what i'm exporting and what the solution used to be is i i can absolutely um write something like um a logic app that could be triggered or maybe a schedule or something else and then the logic app could have a filter that then kind of sent the data to some output which could be event hub it could be storage so i can still do those things if i want to it's there but now i have this native kind of export capability that's actually pretty nice i keep drawing on the board today um so i have this so just when i think about data coming in i have all these different feeds and we kind of get this great big picture i think i'm gonna fill it on the screen in one go so that's how we look at it we look at it we have all these different types of data coming in for the diagnostic settings i can send it to 
these things so storage i just want to store it for maybe a long time as cheap as possible event hub i want to send it to something else um i have some third-party sim that will then subscribe and take the things i'm sending to it log analytics well i actually want to do that analysis um native now this you want to be careful just be very transparent it can get expensive if you turn on a huge amount of data doing a huge amount of ingestion and you're keeping it for two years um what's your bill so i really want to make sure i'm just absorbing in what i care about don't just go and turn everything on and send it to log analytics it's going to cost you money both in ingestion and the storage so what do i care about remember i said have a plan well bring in what you need to achieve your plan and then great i can do fantastic anal analysis from this and what i'm going to show in a second is actually then ways to build on top of this and do stuff with it but when i think about where's data coming from this is really it okay so we got the data two things why uh what do we want to actually do with the data so sometimes we just want to visualize it i want to get an idea of my overall service remember my overall service may be made up of multiple resources hey i've got a virtual network and a gateway and these 10 vms in a vm scale set and a kubernetes cluster and this load balancer and this traffic manager and i want to be able to see an all up kind of dashboard a single pane of glass to see it sometimes i want something to help me with actual troubleshooting i may want to be able to share these things i want to be able to do a deeper analysis of issues so maybe i have a more detailed kind of workbook i can go through and maybe change certain values to change different visualizations to help me understand what's happening most likely i want to be able to react so yes it's great to be able to go and see oh that's nice i can see my resources but sometimes things happen i want 
it to reach out and tell me or reach out and do something maybe i can automate a response to fix it turn it off and turn it on again it fixes everything so now i want to think about for a second actually going in and what can i do with these actual things so we go back to our picture and in fact rather than try and build on top of this and let's kind of we'll start over here and we'll redraw a few other components so if i zoom back in again remember we thought about well we had that phenomenal log analytics so we have this store of log analytics so we've got all of that various pieces of data that have come in from various different things all built up out of tables so remember that there's fed from pretty much anything could build into there now also i can have things like well we had metrics from our metric store and maybe even from our subscription we had things like the activity log now i talked about i can absolutely go and look at those things just directly if i jump over for a second if we go and look at a resource so i go over here let's just just look at a virtual machine i'll pick just one of them i can scroll down and i can see the metrics so we can see i have metrics at the host level i talked about that's the arm resource or there's actually metrics coming from the guests as well so the host level this is a b series maybe virtual machine i can't remember the exact conflict i have to check but i could see cpu credits but i could also look at things like all of these different metrics around it os maybe percentage cpu so i can see the cpu i could also add another metric this time let's actually look at the guess so what does the guest os think it's doing and i can kind of pick the same metric so i'll see the processor wherever that is processor information percent processor time actually it's a little bit different and you might say well that's kind of odd why are they different remember at the hyper-v host level there's other stuff it has to do so yes 
the guest is consuming cpu but the host for that guest has to provide other services there's other things running on the host related to that guest operating system when i think about things like the network stack the storage stack there's a vm worker process there's other things the host has to do for that vm so yes from a cpu consumption perspective the guest is using and kind of see it correlates but also the host has to do other work for that virtual machine but i can go in and directly kind of see those metrics and you saw there's a whole different set of them the exact ones will vary based on the type of the resource again from here you can see hey i've got both guest metrics and i've got things with the host and i am viewing this you'll notice from monitor so what's happening here is remember i drew that picture before where i said kind of that the host sends it to log analytics well i also said things can send to the metrics pipeline so what's actually happening here these extensions these metrics it does actually go and feed into the metrics pipeline as well so they're just natively available i don't have to go and tie in directly to log analytics but it is actually using log analytics as well for some of the other diagnostics and we'll see that in a second but i can think about yes i can natively go and just look at metrics if i kind of know what i'm doing sure most of us will not know what we're doing and so a good place to start is there's something called insights and what insights are doing is they're actually taking data from different sources and what it's going to give me is this curated view so this is created by the people that create the resources they're creating this phenomenal view for me now it's available for things like virtual machines um aks um some of the database products storage all of these different things start here so when i'm thinking about starting my journey of monitoring and trying to see what's going on yes you can go and 
open up some metrics but why your best place to go is to go and look at the insights they've done the hard work for you if we jump back over and let's just go back to this kind of virtual machine here yep i could guess at what matters or i could click insights and what we're seeing here is where i can go to performance it's going to show me the things that typically matter the most now i can see logical disk performance over here um i can see cpu available memory logical disk iops megabytes it's just there for me now you have to turn this on and it is using log analytics so it's using these i can see the various properties of the machine i could see log events again it's capturing so i can say okay configuration data heartbeat i could see if there's alerts i could see changes it's giving me very powerful insight into it there's additional information via workbooks that i could actually dive into there's a network map i can see what it's talking to now you'll notice there's no kind of edit button up here because this insight is built off of kind of a custom solution if i was to go and look at something else so if i went and looked at a storage account instead so i'm just going to go and pick storage accounts and i'll pick my old faithful over here once again i have metrics i have a whole bunch of metrics i can add i could see capacity lots of stuff available at the account level and the individual service levels or i can hear insights and it's showing me useful data now you'll notice this one um well yes i got failure views performance views availability views very important from an sla perspective i can see all those different piece data i see my capacity i can click customize and i can actually now take this and edit it as my own version to see the things i care about and then save it likewise now i'm going to access insights via azure monitor itself directly here we can see in my menu so here if i go to monitoring i can see different types of insights there's 
networking cosmos key vault if i pick containers i can see the monitored clusters i have my cni cluster now i'm looking at the insights of my cluster cluster nodes controllers once again no edit button but i do have a bunch of workbooks that i could go into and then i can edit them this was where i would go to maybe try and troubleshoot things if i went to my key vault looked at my insights i do have an edit button so what exactly is going on here so what's happening is those insights actually can use one of two different methods to actually show me things so when it's showing me it can either use a workbook or it can use a custom solution if it's a workbook well i can edit it i can take here i can do whatever i want modify if it's custom it can't it's some custom solution it's not built off of the azure monitor workbook there's limitations to what i can do there but as you saw most of them actually at least have child objects that have workbooks for pieces of it then i could go and get it and i could edit and modify those things and it's left my weird kind of edit thing there there we go go away so we have those insights and that's where you should start it's going to show you the things that are probably the most important that you really care about and get me kind of started on what matters to me what do i really need to see now let's kind of expand on this workbook idea because i might want to generate my own visualizations so i might say hey i want to create a visualization i maybe want some pretty charts maybe a pretty pie chart or something maybe there's some kind of markup language and i want to bring these things in and again i can have all these different things brought into my environment and there's really two options on what i can do here i can have something called a dashboard and i can have a workbook the workbook is kind of the the azure monitor solution and when we think about which do i use both of them can have very similar things i can
bring in metrics and logs i can have like resource graph queries so yes i'm bringing all these things in but i can also bring in things like arm data i can bring in resource graphs so they're queries of those things i can bring this in a dashboard is great it's very compact kind of single pane of glass i can have kind of auto refresh it's great for that single view i can make it full screen i can really do a lot of things and it's tightly integrated so it's integrated with the portal and what's useful is pretty much anything i'm looking at i can kind of add it to a dashboard so if we jump over for a second so you've probably actually noticed from here see this little pin icon at the top that pin icon that's pretty much everywhere if i just go and look at metrics for a second and if i just added total api requests to something here i've got pin to dashboard pretty much anywhere i'm doing anything now it's even here i've got a pin icon dashboards are simply canvases i can create new ones i might have existing ones i've got they're just things they're widgets that i could put on it so i create a blank dashboard and i could add details i could add a clock i could add a metrics chart i could add resource group data here we can see resource graph single values markdown i can add static text to this but the point is i can add all these various things even manually by dragging them onto it or i can simply go to a resource let's go back to my virtual machine for a second and i'll look at something i care about and i can just pin it so i can just go to my metric sure we'll look at that one and i can just pin it to my dashboard and i can say well is it a private dashboard which dashboard i can create new ones and i'll just say hey go ahead and pin it it's pinned it to my dashboard and there it is i can go full screen as i mentioned get a great single pane of glass or i could edit it i could change the size of this thing so i have this complete
flexibility to put different things on this kind of canvas the other really nice thing about kind of these dashboards is that it's a native azure resource so i can actually publish this i can share it do role based access control then i can just give someone this so it has its own role-based access control so if i give someone that dashboard all i have to do is give them permission to the dashboard not necessarily the underlying resources they'll be able to view it so typically i'll create a separate dashboard for each type of service i have or maybe i'm a database admin i want all my database services on a dashboard so i can have multiple dashboards then i can share them i can kind of publish them make them available to other people but they have their own role-based access control so that's very very powerful a workbook is more aligned about actually i want to analyze what's going on it's more of a document it can update as i select maybe value from a table it can change the visualizations within there so it's designed to help me really go in and analyze a certain scenario but here there is no native rbac i.e if i share a workbook for someone to use it they have to have permissions to all the resources underneath so we can bring the data up and surface it in the workbook so once again let's look at this so again dashboards super powerful and to get kind of that overall view they auto refresh you can see there's a refresh here i can configure these different things i can change all these visualizations but if i go to monitor i have workbooks now there's a whole bunch of different ones built in that i could start with and then modify i could start with an empty workbook and then add things to it so here you can see why i could add text so this is just markup language so i could say hey i don't know john's workbook and i can't spell and i could click done editing on that and then i could add other things to it i could add queries i could add metrics i could
group things and it would build up to be this very powerful workbook that i could then once again i could share but people would need access i can actually pin this as well so if i pin this i could pin all of the various steps to the dashboard that's from within here that can be so i can combine the things together but once again i can save this i can make it available to other people but it doesn't have its own native rbac they would have to have permissions to the underlying resources and i think i need a space in there it's kind of bothering me why it's not working i think i need a space you can always check oh there we go oh that's better must have the right look so i can customize i can add all different metrics so i could go in here pick the resource i've got and add it so i can create this workbook that i can actually walk through to help me troubleshoot resource or again most likely i'd maybe start with one of the ones they provide and then i can always modify it so like virtual machines hey i can see key metrics i could add that to it and here you can see okay it's a nice view showing me this great little honeycomb view of my virtual machines i could then it's interactive which again a dashboard isn't so nice thing about the workbook i could select one of these and then go and get other details based on that i can't do that with a dashboard so that's some of the differences we really see with that now this is the built-in ones so i have dashboards like workbooks fantastic there are certainly others there are things like i'll draw grafana so grafana is very very powerful and it can actually read in from log analytics and surface that data in other ways things like prometheus i talked about that already but if i'm using containers and that's really around kind of aks my kubernetes that can now scrape data from metrics via a special pod and that's great for visualizations don't forget about things like power bi power bi is super powerful for kind
of visualizing again that can sit on top of log analytics not so much metrics or activity log but if i've got it in log analytics power bi can actually go and read all of these things in so that's things i can kind of do very very simply now additionally i've got my computer i'm sitting here i can interface directly there's something called kql the kusto query language i can write custom things to actually go and interact if i start with insights that's the place to start this would probably be a more advanced scenario so that's where kind of hey maybe i'm building off the insight it can show me that the workbooks can show me queries it's using under the hood but now i actually want to dive in and really do my own thing and we can go in there so if i quickly jump over just give you an idea so remember the diagnostic settings i would have had to have sent things to log analytics remember nothing is just there by default i have to have sent stuff to log analytics so use those diagnostic settings we'll just look at one super quick let's go to our cosmos for example in our diagnostic settings we can have multiple log analytics workspaces so my settings i would have said yeah yeah i want to send it to a particular log analytics workspace and i would pick which one likewise if i go to a storage account i pick which storage account and i can then pick well how much data should i keep in my storage account and it will delete the older files for me if i go to an event hub which event hub so i have all those options so i would pick well which log analytics workspace they are still separate resources i can absolutely go and look at my log analytics workspaces and i'll see them all i've kind of got one per region i can go into that workspace i can see all the details and then i can go and look at my logs and start interacting directly if you go into azure monitor and go to logs essentially you're getting into the same kind of thing i can change the scope of actually what
i want to look at and which ones i'm using i'll see which workspace it's using but i could change what i care about here i could change scope so i have all those same kind of options available honestly i'm more old school i like just going into log analytics workspace so here i can go into the workspace here we can kind of see the tables of the data i currently have so i can see alerts azure activity azure diagnostics so azure activity is my azure activity log so i can see that's brought in and then i can kind of see the schema of actually what it's doing i could mark it as kind of a favorite and there's some information about exactly what it's doing so i can see the underlying tables that's actually being stored likewise notice it's grouping it by solution i could group it by resource type there's actually kind of queries that i might want to use and i could group it for example by topic so there's queries related to auditing so throttled users resource count again i can set a scope for what i'm caring about so i'm going to change it actually to my subscription and then i'll see a whole bunch of different types of queries because now i've got different tables exposed to me so if i go back to my tables you can see like there's sentinel in here i've got other types of resource now a monitor available to me azure multiple vms i have a whole bunch more queries and again grouping by topic well what's nice about this is now i could see queries that would help me maybe create alerts so count app logs by severity request per hour it's super useful but maybe virtual machine available memory and here you can see the actual query so i'm taking it from the perf kind of table where the object name is memory and then looking at different counters i'm summarizing it in a 15-minute kind of window my computer and then rendering a chart and i can say run it so it's going to grab that data and show me hey there's that nice data for me so this is a very very powerful way of getting 
data and notice hey look pin to dashboard i can take the results of this query and pin it to a custom dashboard you also saw if i just go to queries again there's a whole bunch of different queries i can go and look at grouped by different things cpu usage trends okay now it's showing me percentage processor time or i can see the cpu usage so all of these are super powerful if i know what i'm doing i can go in and i can really get some powerful data from this so absolutely hey it's there i can do super cool stuff so if i know what i'm doing i can go in so i'm visualizing it and i'm getting insight into it often i want to do alerting so i actually want to know when something happens so got these sources so what i can think about is if i want it to kind of help me practically reach out what i can do is i can define alert rules now metrics is super powerful here so i can have alert rules based on metrics now yes i can also get metrics from log analytics however remember this is kind of that super fast i'm trying to draw it so it's fast super fast metric pipeline this is kind of that sub 60 second so if i want to respond i want to do an alert based on a metric this is the path to take take it from the metrics this so 99.99 metrics are going to come from here i would use log analytics for a metric alert if maybe it was like a more complicated combination i was using that kql to really generate a more complex type of query to get exactly the data i care about then sure but this would absolutely be kind of an edge case this is not my regular metric i'm going to take that in what i would use this for is kind of logs hey i'm running a query based on logs and likewise in here i have events so i can generate alert rules based on events based on metrics based on logs and when i'm saying logs i can barely read my own writing in there redraw that again it's basically a query so i can write a query and then maybe say hey if it matches this response do something or if
i get this number of responses so maybe if i get five occurrences of this then it's a problem so i can generate these alert rules based on those inputs okay so what so what happens is well okay if i meet the rule i generate an alert very important alert generated i'll never do that again i don't look i could think about well if nothing else it will kind of surface to me in a dashboard so i can go and look at my alerts i drew that terribly i'll do that again i could have a dashboard showing me kind of my alerts my alerts for example can have a severity like zero might be the highest severity down to i think it's four could be five but i get these alerts so the alert rules are going to drive alerts now they do actually get grouped so there's something called smart groups so if i got 10 alerts about the same thing what i'll actually see is them grouped just makes it easier for me by these smart groups so it's easier now i can see them i can see how they relate i can see the total number of instances so it makes it good for me a visualization and actually performing actions i could say okay they're all good carry on so that's good i can view them but i may actually want to do something based on the alert so what i have is i have something called action groups so i can have an action group and as you might imagine that's really not that useful a way for me to describe it it's a group of actions so hopefully that clarified it i could do things like an sms message i could send an email i could call kind of an automation i could call a web hook which means i could really do anything if i can call a restful endpoint i can do anything i could interface with an itsm i could raise a ticket so an alert could fire an action group so hey the alerts happened and i'm associating really via the alert rule so not only does it go and generate the alert but it's associated with a certain action group as well to go and do a bunch of stuff so that means i have to configure on the
action rule the action group as well now if i have a lot of different sources and one of different things that can actually be kind of a pain to do so the other thing i can actually have is something called an action rule and what this can say is well look when the alert happens i can have a filter for example only severity one zero whatever that is and if that happens on a certain scope so i can say well any events for this resource group any events on this subscription any events of this type so i can pick the scope then run the action group so i don't have to link the action group with the alert rule i just say hey the alert rule is based on these things find an alert of this severity or whatever and i'm done then separately i can create action rules to say hey when alerts fire based on this filter for this scope call this action group it lets me separate what happens from the rule about the alert which makes it much easier for me to update in the future but what else can i do yes i can absolutely trigger an action group go and do this thing but the other thing i can do that's super super powerful is i can actually suppress so i can say hey look this could be based on maybe a one time it could be a kind of maintenance window i.e it's recurring don't fire the action group so even if this action rule was defined to alert and to call an action group if i had an action rule that says hey look between these hours i really need to lie in this weekend i'm exhausted don't fire off action groups for these set of resources or if there's action rules that would have done it i can suppress it as well so i can actually stop the action groups firing so these action rules are actually really kind of your friend to manage this at another level up so it really is a cool thing so let's super quickly look at this so here i'm going to jump over to monitor and we'll kind of build this up so i can think about alerts so i can go manage my alert rules over here and i can see
i've got a bunch so i've got some based off metrics so i can see here well this is a vm metric and i've given it a name and it's basically just based on the cpu metric over 50 so nothing particularly special i can go and look at it it shows me my historical and i can see i've got a greater than 50 percent now i want you to notice one the metric ones there's actually an option of dynamic so rather than me having to work out what is the right value it can actually use machine learning to say well what's typical and it will automatically set the threshold based on what it sees so that's obviously very useful for most people i've also got metrics built off of a query log analytics so here i've got one based on cpu pressure so what i'm looking at now is if i see database wait statistics and my wait type is sos_scheduler_yield it's under pressure i'm basing on the number of results now i could also just do a metric measurement but if i get more than zero i want to know straight away now i might say look let's see if i get five of them then i'll worry about it but mine is saying straight away there's a problem do this thing and how often is actually evaluated and then i'm calling an action group send me an email and you'll notice there are actually costs for now you get a certain amount for free there's a certain amount of activity logs metrics you just kind of get out the box there's no cost for those other ones you pay especially things like machine learning you pay a bit more the logs it's having to run a log query well i'm going to pay for those things likewise i've got one based on the activity log so here it says actually an activity log with a category so i've got a condition of regenerate so if someone regenerates the key on my particular storage account it's going to fire off an alert and then again i'm sending an email so all these different types of input and i can create new ones if i do a new alert rule what is the resource i care about and i
can kind of see all the different types of resources that i want to focus it on and then for the actually i have to select one quickly let's just say filter by resource type quickly say virtual machines we can so some of the nice things we can actually do is we can say just all of them so now if i add future ones it will still count for those and then my condition well it's a vm so different types of signal activity log administrative for those ones because i actually selected too many types of resource let's go back a second so i've got the resource group as well let's just pick one so that's showing me the types that are available to me in that bottom corner now you'll see i have metrics as well so here okay based on metrics i could create it on cpu credits remaining it's showing me historically how many i have remaining i could say hey just be dynamic you learn what i typically have based on historical data how aggressive do i want to be for my threshold setting and then kind of what do i want to do so my what i want to do is the action group so if i jump back over to rules now i can manage my actions so the alert rules are when to generate the alert and then if i want to call an action group i don't have to i don't have to have an action group for an alert rule then i have my action groups so these are what to do so here you can see mine is an email email john and it'll be my email address but i could also do an sms message i can push to the azure mobile app i can even phone you up and start yelling at you additionally in addition to those for a look at the action type i can call that automation run book an azure function integrate the itsm system call a logic app a secure webhook or just a regular webhook so i can add all of those different things so they're the actions i can perform and then well we have action rules if i say new action rule this is where i can pick the scope so it could maybe just be certain things in a certain
resource group so let's go down look at my resource groups there we go so i'm going to say only in this resource group and i could add another filter so based on description alert type and severity equals sev zero and sev one just the important ones for example so it has to be those and then i can call an action group and select which action group it's got the list of things i want to do or i can actually say hey look let's suppress it and my suppression can then be well at a scheduled time for a certain time window or with a certain recurrence i want a daily weekly monthly recurrence really weekly on sunday and saturday i really don't care if the world's on fire do not fire these i probably wouldn't have that set to sev zero and one i'd probably maybe change that to maybe hey i don't want to know about two three and four i give it a name leave me alone at the weekend don't care i'll probably have spaces in it you get the idea and then i can put a description and where it stores it and then enabling on creation so i can actually do those suppressions as well so we kind of saw kind of bringing all those things together that great i can have rules based on metrics logs events that can generate alerts optionally an alert rule can be tied to an action group or i can just separately have the action rules based on filters and scope that call an action group for both trigger and suppression purposes so i've got all of those kind of capabilities available to me now i want to start thinking about security so we've got all this data different ways to visualize it i want to act on that data and security should be something we think about all of the time we want to think about preemptive i should always be making sure it's just enough permissions just in time permissions making sure you're patching all of your resources you're running up-to-date versions you have anti-malware you have firewalls you have nsgs you have edge appliances you have good monitoring good alerting
there's huge numbers of factors that come into overall security and that's really just not my focus for this but you think layers i don't think one solution i think layers all along so i can have the firewall in my os for example i still have nsgs and then i might have my app gateway i think layers for networking my identity remember that's kind of our new security perimeter in the cloud so i think about risk based mfa i use conditional access i have access reviews people don't have things they don't need i think all the different levels give people just enough but my focus for this because this really was around kind of monitoring is how i can build security on top of kind of that insight so minimize your responsibilities if there's a paas option use the paas option also a lot of the paas options now have things it was called advanced threat protection all those monitoring things we had it adds machine learning and intelligence on top of it to actually determine what it means some metrics on their own and logs on their own honestly are not that useful i have to add intelligence to them to actually do something with the signals so yes signals are great but they're just signals unless i know what they mean and bring in maybe different signals from different sources then i can actually draw a conclusion and get something useful out of it so that's really what i want to focus on here so if we go back to our kind of this picture we built up log analytics and actually i'm going to draw this again so now i can think okay we had that log analytics you'll notice a common thread here log analytics i've drawn three times now it really is central to pretty much everything because all these different sources are feeding in it's getting when i talk about signals i can get signals from pretty much anything there's custom connectors all of the resources can send to it if i want to think about creating something to give me insight into my environment this is it and it's not
just remember my environment in azure i can feed into this thing from on premises from other clouds pieces of hardware firewalls edge devices i can bring it all in together here to get that all-up complete view so when i think about starting off with doing something with this data there's azure security center let's zoom in a little bit okay now there's a free offering there's azure security center free and then i can add on to that for dollars whatever your local currency is i can essentially turn on plus defender now there's been some branding changes very recently it used to be this was called azure security center standard and then i could individually turn on different additional advanced threat protection services like for storage like for key vault like for sql server now they are just defender skus that i can turn on this is not to be confused with defender for endpoint so there's a defender endpoint solution that's for both servers and clients it's an endpoint detection and response solution an edr that actually runs on client oss on server os's and gets me signals in so i can really do like a deep analysis of a threat someone clicked this url well then it downloaded this well then it spoke to this website and then it spawned off this process that process went and took that kind of defender for endpoint this is now kind of the cloud defender and when i think about this all up solution it actually does integrate very tightly with azure policy and i showed this when i talked about governance so azure policy is super powerful for compliance for both auditing but also for enforcing i can deny i can deploy if a thing doesn't exist so this feeds into this azure security center and that optional kind of defender level as well and i guess the other thing i should point out is we have kind of this magical machine learning that is kind of overused today when we talk about the magic of everything and i don't know why i've got that on my l but machine
learning does actually come into play here as well so if we jump over let's go and look at our subscription here i can jump over to security center and straight away we can see things like oh i've got a secure score i've got how i would meet various regulatory compliance offerings over here i've got different insights i've got azure defender information and i talked about those different kind of skus so i can absolutely go to pricing and settings i can select my subscription and here i can see what i've got defender plan is on so this gives me things like just in time vm access i can click a button say enable my public-facing ip give me access to vms via public ip address for a set amount of time adaptive application controls hey look at resources see applications that are typically used and then advise me on updates to policy to whitelist so it's only good things coming in those regulatory compliance dashboards that threat protection for my azure vms and even non-azure servers and threat protection for supported paas services and then individually there's additional types of what was advanced threat protection but i can turn these on and again it shows me the pricing for the actual various parts of the service i can also tune things like well how i'm collecting the data how i can on board so i've got my auto provisioning the workspace i'm storing it so i have a lot of different configurations and remember for log analytics in there i can pick the retention settings as well but i have this great secure score and this is super useful for hey where should i get started so i would go and look at my secure score and then whichever gives me the highest potential score increase well i should do those first so hey remediate vulnerabilities and some of them have a quick fix hey go and do these and you'll notice some of these are powered by qualys so that's kind of an agent running inside the os that goes beyond the basic windows kind of scanning some of these are just
using native kind of discovery a lot of the data actually comes from azure policy so if you look to azure policy and again i covered that in the governance section but i guess super quickly i'll show it again you'll see there's initiatives and that initiative there's built in ones let's go to my initiatives i can see kind of azure security benchmarks i can see there we go there's nist ones related to nist i have all these different capabilities here enable monitoring azure security center over here so that drives a whole bunch of policies we can see at security center here as is this one that drives a lot of the intelligence coming out security center now that secure score if you look to azure advisor it now has an advisor score which is built up of yes security but also things like reliability cost so that can drive other types of things but i'm going to get very similar types of recommendations once again it has quick fix items as well but really focusing on azure security center here i could see alerts so once again it's applying some intelligence and it's like oh there's an unusual application access to key vault i could kind of dive into that it would show me the details of well what was doing that from where was it doing that what resource it thinks it was maybe a credential access but it was me but i can see the details of which resource it was actually accessing so it's actually some really cool stuff it's given me within the security center again i've got those recommendations i should really look at and start to follow those now is this everything no but it's definitely a phenomenal place to start and again don't think of this as just my azure resources i can absolutely bring in stuff from kind of other clouds as well and on premises to really bring in and obviously i would pay for those resources as i bring it into azure security center now the other thing you've probably heard a lot about when you talk about security and siem and soar solutions is
sentinel azure sentinel and absolutely this sits on top of log analytics that's where that data is coming from now azure security center generates those alerts the biggest sort of collaboration between these two is those alerts can be sent to sentinel so when azure security center generates an alert it will send that to sentinel and what does sentinel do so i can really think of sentinel as a whole number of different things but it's really about that deep diving deeper and responding so when i think about sentinel or i can go hunting i can go and see exactly what's going on the types of problems i have i can have alerting out of this thing i can actually go and have incidents generated and i can also have things like playbooks so i can have a playbook with a set of automated things i can have logic apps so i can take action because there might be certain types of threat hey i'm seeing this bad actor coming in attacking this resource i have a logic app that maybe modifies an nsg to shut that off to block it at the nsg so i can think there's different types of things i can do here but kind of logic apps playbook can really help me drive responses to this and once again that machine learning i mean is super pervasive there as well sentinel is using those machine learning capabilities to do its job now yes it's feeding off of log analytics yes we drew the picture before of all of these different things sent to log analytics however sentinel does a lot more sentinel has its own set of connectors and there's a lot of them there i'm showing it drawing into sentinel but obviously fundamentally what it's kind of doing is really writing it to there and then kind of coming back up it runs off of log analytics and it's almost really anything and so i could think about well hey yes there's os instances i could think windows linux i can grab things like syslogs or i could be devices so network devices i can take things like syslogs i can do event forwarding windows event
forwarding i have all those types of capabilities that could be network firewall it could be other services and i can there's there's different so i've got syslogs i could read those things in there's a sentinel api to drive custom so there's different ways to interface and actually take those again i can take events um there's also um if you think about threat intelligence so it's not just data about stuff i can actually bring in other sources of fret intel so there's a problem i think it's taxi and there's a standard format for this but i can actually get threat intelligence coming in now microsoft spends like a billion dollars a year on threat intelligence on security on detecting cyber crime and then he said on cyber crime they're not spending a billion dollars doing cyber crime detecting and protecting against cybercrime but also i can have other maybe i've got something local in my environment that detects types of threats and i want to bring that in for its analysis as well so i can absolutely bring additional threat intelligence in to help the sentinel kind of do that job if i jump over super quickly let's just go and look so i should jump over here for a second if i search for sentinel it says azure sentinel and again i'm paying for the log analytics workspace underneath so notice it's basically tied to a workspace it's going to show me information that it's getting from that log analytics workspace i can see recent incidents i can see sources of potential malicious events i could see if there were any incidents i have workbooks the same kind of format we talked about before many people are publishing these i can go and hunt someone say hey i think there's a certain type of attack help guide me on the hunt you can see here the queries that it's going to run against log analytics to actually go and find these so i could run the query and then see i've got zero results you'll kind of see that popped up here so that's good i i want to see that i can have 
various types of threat intelligence um that again i may have coming in then i have my connectors it's what i talked about so there's a map i've got three connected in my environment so mine is super super basic but there's a huge number of different connectors i can have feeding insight into sentinel and then i can have these for example playbooks which are essentially logic apps to actually help me go and respond but i'm not going to create that right now so the whole point is bringing all of these things together that i think about yes i i can gather the data then i want to be able to do something useful and you and i most likely trying to look at an individual signal that might be useful from a monitoring of performance yes i can look at cpu and memory and iops and network throughput in terms of detecting a security incident we probably don't have the knowledge of which signals we really care about and again remember one of the benefits that sentinel has is it's tying into other sources of information that can maybe go across tendencies like azure id it's the attacks that individually like a password spray attack maybe i wouldn't see it but it can go across tenants to get a wider view of what's happening so from a security and monitoring perspective again my big focus really was here at monitoring there's lots of things but we've kind of realized that even if i'm not responsible for it i still might want to know about it so all of these types of data and solutions are available so i can kind of do my job now just super quick i don't want to go into detail on these both of these things i have separate videos on go and watch those for the detail i did want to talk about managed identity and key vault super quick and just to make sure people are at least aware of it where possible i want to avoid having to store credential it ends up in my source code or in a parameter file which then ends up on github ideally i want the credential to be the resource itself so if 
i am a virtual machine if i'm a container if i'm an azure function i want to be able to be a resource and then that resource given access to other things now there's a massive number of azure services that support this if i go and look at this when we go to the portal what i can kind of see here just getting a bit more detail these are all the services that support managed identity so we can scroll down so the azure api app configuration app service arc enabled kubernetes we talked about monitoring i didn't really go into any detail on this i said about on-prem and other things azure arc leverages this massively azure arc lets me take the management plane of azure and apply it to my on-premises vms and kubernetes environments and then data services through that but also data feeds back up into log analytics so i can apply those monitoring and security solutions but azure blueprints cognitive services containers the list goes on and on and on so basically these support managed identity and what this means is that for those resources let's go over here if i think ordinarily azure id is my identity provider so i have my azure id instance and i have some service so let's just say for example it's a storage account and we'll say it's blob i want to access so ordinarily we can use the new data plane role based access control so i can actually use azure ad identities to give myself a data role for blob but i'd have to have a credential there'd be a credential i'd have to store that credential somewhere and then i could access the data role and what i've got over here is an azure resource and inside there there is some process running my code but let's say this is an azure function for example what i can do is i can turn on managed identity now there's a system managed identity and a user assigned managed identity a system assigned is the system assigns it automatically and the life cycle of that identity is tied to this particular resource if i delete the resource the 
manage identity goes away so we call this function1 so there would be a managed identity created for we'll just call it function1 only within that function or whatever the resource be it vm container whatever can actually get a token for that identity as a special endpoint but essentially now hey i i can go here and i've got my token that identity can now be given the role on that particular resource so hey i'm going to give function one manage identity the role so now with that token i can take the token and go oh okay here you go i can now get the data and read the content so i'm nowhere am i storing a credential by nature of being that identity being that resource i can natively use it so again that was the system aside it might be sometimes i have a collection of resources that all need the same sets of access to stuff so i can actually create a user assigned managed identity so i just create a managed identity and then i can say hey you you have access to this managed identity and then i might have another resource as well maybe this is function two or it could be there can be different types of resource so i can have both a system assigned and multiple user assigned i can say okay you have access to user assign one as well so now only processes running in those are allowed to request a token for the user one managed identity but essentially it lets me get access to roles that i can now just use now again go and watch the video where i talk about this in detail but just to give you an idea of this if i go and look at for example of a function app and that'll do and you'll see this is common across all of them i have identity i've turned on managed identity i can also add any user assigned so i also created one manually managed identity source one i could grant this resource permission to use that one as well now when it makes the call to the metadata endpoint it would say which identity it wants to use if it doesn't pass one it will use the system assigned and 
then i can grant that roles so in this case i can see all that managed identity has been given the contributor role on that particular storage account bingo data but it could also be given access to key to cosmos db databases i could go in and on the access control if i look at the role assignments i could actually go ahead and add a role assignment i could because it's storage there are data level permissions i could say well you can be a blob data reader role and i can say hey for function managed identities and then select the particular one i want so i have the ability to just by being that resource i can just act as that identity and i don't have to do anything else and that's things like azure functions and powershell it's just native it would just use it for other things there's sample code to how to go and get that identity now sometimes um you can't use managed identity maybe it's a different type of resource or maybe the resource i want to access doesn't support rbac i can't use the managed identity directly get access so i might still need secrets some value i can store and retrieve like a key also i might actually need keys so when i say a key for a secret it's not like a storage account key they use the term key but also in terms of vaulting a key is actually typically kind of a public private key and here it's something that i can write generate in a keyboard but i can't read it back out i would do the cryptographic operations within the key vault so i would say hey sign this hash for a signature or encrypt and decrypt this data perform these cipher actions for me or i need certificates a secret and a key and an envelope but it has a certain life cycle it has to be provisioned and it has to be renewed so i can do all of those in azure key vault and there's two different actual models for protecting key vault there's an access policy that applies to the entire key vault and i literally just posted a video about this like five days ago where i go into 
detail and show both of these so go and watch that video for the detail but the difference is an access policy applies to all of that particular type like a secret and that right for everything in the vault our back lets me very granularly now say just for this particular secret you have this particular result i can use azure policy and again i show that in the other video so i can audit if maybe sequels are over a certain amount of age or i could deny if i'm using the wrong cipher it can also be a source for event grid event grid is that technology i talked about last week in the app service class but hey i have event sources and then i can have event handlers so rather than maybe my app having to constantly poll keep up to say hey has the secret change has the secret changed it could actually event grid could grab that and then push the fact that the secret has changed to me and where this can really work together is let's say i'm trying to access some resource that doesn't support that rbac imagine i've got kind of a cosmos db and the cosmos db uses that kind of primary key or resource token to get access to it it doesn't have azure id role-based access control so what i could now do is i could have for example the key vault and what i could have inside there is a secret and it's secret one which is the key it's the key for cosmos db to actually get to it and what i could now do is i could say hey for that managed identity if i use the new model where it's at a per secret level or it could be for all sequels in the key vault i'll say hey managed actually f1 was the name of it for function one's identity yeah you have kind of get permission for this secret so now the model could be hey the function when it needs to do something would simply say okay i'll i've got my token to be function one i would take that token and now my path will be i've got the token i'll present it to key vault 1 so i can get the secret that i have permission to great and then use the 
secret which is the key to connect to cosmos db as the key so that's how i can think about using the two together so that chicken and egg problem of well i need a secret but how do i prove who i am to the key vault to get the secret well i use my managed identity so that's how i think about using those two things uh really together um so we covered a huge amount as always again the focus is have the plan gather the right amount of data that you need to be able to get the insight the monitoring the security the alerting the actions you want security solutions will build on top of the signals you have but will add intelligence will drive meaning from the data so i can actually drive some result from it things like azure security center i can add the defender level to get more insights and security solutions remember layers of security sentinel can bring in that deeper level of information and there's all these extra types of connectors and then when i'm writing my solutions really use that managed identity use the key vault don't have things in config files that you end up putting into github and it's a whole embarrassing mess so as always i hope this was useful um please any questions go and comment below and until next time take care yourself you
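The managed identity plus Key Vault flow described in the talk (get a token as the function's own identity, present it to Key Vault, read the Cosmos DB key held there as a secret), written out as an added Python example. This is editor-added code, not code from the video or from the course's GitHub repository. The token endpoint shapes (IMDS on a VM with the `Metadata: true` header and api-version 2018-02-01; `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` on App Service and Functions with api-version 2019-08-01, where `client_id` selects a user assigned identity) and the Key Vault secret GET are the documented REST calls; the vault name `kv1`, secret name `secret1`, the client_id value and the `fake_http_factory` transport are constructed placeholders so the flow can run offline.

```python
"""Added example: fetch a Key Vault secret as a managed identity, with no stored credential.
Endpoints/api-versions are the documented ones; names and the fake transport are constructed."""
import json
import os
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"   # token audience for the Key Vault data plane
KEY_VAULT_API = "7.3"


def default_http(url, headers):
    """Real transport: plain GET that bypasses any HTTP proxy (IMDS must be reached directly)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read().decode("utf-8")


def build_token_request(resource, client_id=None, env=os.environ):
    """Return (url, headers) for the platform's managed identity token endpoint.
    App Service / Functions expose IDENTITY_ENDPOINT + IDENTITY_HEADER; a VM (or a container
    on one) uses IMDS with "Metadata: true". client_id picks a user assigned identity;
    leave it out and the system assigned identity is used."""
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    if "IDENTITY_ENDPOINT" in env and "IDENTITY_HEADER" in env:
        params["api-version"] = "2019-08-01"
        url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        params["api-version"] = "2018-02-01"
        url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
        headers = {"Metadata": "true"}
    return url, headers


def get_token(resource, client_id=None, http=default_http, env=os.environ):
    """Ask the platform for an access token; only code running inside the resource can."""
    url, headers = build_token_request(resource, client_id, env)
    return json.loads(http(url, headers))["access_token"]


def get_secret(vault_name, secret_name, token, http=default_http):
    """GET the latest version of a secret through the Key Vault REST API. The identity needs
    the secret Get permission (access policy model) or the Key Vault Secrets User role on
    the vault or on that one secret (RBAC model)."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version={KEY_VAULT_API}")
    return json.loads(http(url, {"Authorization": f"Bearer {token}"}))["value"]


def fetch_cosmos_key(vault_name, secret_name, client_id=None, http=default_http, env=os.environ):
    """The chicken-and-egg flow: a token proves who the function is to Key Vault, and Key Vault
    hands back the Cosmos DB key, because Cosmos DB key auth cannot consume the identity."""
    token = get_token(KEY_VAULT_RESOURCE, client_id, http, env)
    return get_secret(vault_name, secret_name, token, http)


def fake_http_factory(token="constructed.token.value", secret_value="constructed-cosmos-primary-key"):
    """Constructed stand-in for both endpoints (offline only). It enforces the same two checks
    the real services do: the platform header on the token call, a valid bearer on the vault call."""
    def fake_http(url, headers):
        parsed = urllib.parse.urlparse(url)
        qs = urllib.parse.parse_qs(parsed.query)
        if parsed.hostname and parsed.hostname.endswith(".vault.azure.net"):
            if headers.get("Authorization") != f"Bearer {token}":
                raise PermissionError("401 Unauthorized: missing or bad bearer token")
            return json.dumps({"value": secret_value, "id": url.split("?", 1)[0]})
        if headers.get("Metadata") != "true" and "X-IDENTITY-HEADER" not in headers:
            raise PermissionError("400: token endpoint requires the platform header")
        if qs.get("resource") != [KEY_VAULT_RESOURCE]:
            raise ValueError("token requested for the wrong audience")
        return json.dumps({"access_token": token, "token_type": "Bearer", "resource": KEY_VAULT_RESOURCE})
    return fake_http


def demo_offline():
    """Run the flow against the fake transport: system assigned identity on a VM (empty env)
    and a user assigned identity inside a Function App (IDENTITY_* variables present)."""
    http = fake_http_factory()
    func_env = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",
                "IDENTITY_HEADER": "constructed-header-value"}
    try:  # a caller without the platform header gets nothing, exactly as the real endpoints behave
        http(IMDS_TOKEN_URL + "?resource=x&api-version=2018-02-01", {})
        refused = False
    except PermissionError:
        refused = True
    return {
        "vm_system_assigned": fetch_cosmos_key("kv1", "secret1", http=http, env={}),
        "func_user_assigned": fetch_cosmos_key("kv1", "secret1", client_id="00000000-0000-0000-0000-000000000001",
                                               http=http, env=func_env),
        "refused_without_header": refused,
    }


if __name__ == "__main__":
    print(demo_offline())
```

Swap `fake_http_factory()` for `default_http` (the default) and this runs unchanged inside a VM or Function App with a managed identity granted Get on `secret1`. The two things worth noticing are that nothing in the code is a credential, and that the only "secret" the platform header represents (`IDENTITY_HEADER`) is injected by the host per process, which is why only code running inside that resource can mint the token.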
Info
Channel: John Savill's Technical Training
Views: 30,365
Keywords: azure, azure cloud, azure monitoring, log analytics, azure metrics, azure security center, azure security, azure sentinel, azure key vault, managed identity
Id: hTS8jXEX_88
Length: 105min 13sec (6313 seconds)
Published: Tue Nov 03 2020