• Azure
• WAF_WellArchitectedFramework

Azure 2024 Well ARCHITECTED notes

• Links: Azure/AdoptCloud

5 x Pillars / Overview

• WAF focus on Architecture not on Implementation.

  • https://learn.microsoft.com/en-us/training/modules/azure-well-architected-introduction/2-pillars

  • https://youtu.be/vTjasx3ahjM

  • Azure provides checklists and tradeoffs !!!.

    • Tradeoffs, pick 2 from: Right, Fast, Cheap
• In an ideal architecture, you'd build the most secure, high-performance, highly available, and efficient environment possible.
  • However, as with everything, there are tradeoffs.
  • build an environment with the highest level of all these pillars, there's a cost.
    • might be in money
    • time to deliver
    • operational agility.
• Every organization has different priorities that affect the design choices that are made in each pillar.
  • As we design our architecture, we need to determine which trade-offs are acceptable and which aren't.

Work Flow

1. This doc - WAF
2. Workloads - Apps - Business service - etc.
3. Checklist and tradeoffs
4. Assessments
   • Gives Score and recommendations
   • Ongoing milestone's

1. Cost optimization

• Bill
• Waste
• Dynamic scale
• Shutdown over night

2. Operational excellence - Test - Monitoring

• Collect metrics at all levels -
• Automate
• Test

3. Performance efficiency

• Match App with Demand
• Scaling (Up or Out[Horizontal])
• Identify bottlenecks
• Increase app performance

4. Reliability

• Define SLA
  • Examine HA - cluster, LB
• Analyse possible data loss and major downtime scenarios.
  • include recovery strategies and the cost/benefit tradeoff for each
  • get insights into org priorities and role of app.
  • Include RPO (The maximum duration of acceptable data loss) e.g. 30 minutes of data. Limit data loss, not data theft.
  • Include RTO (The maximume duration of acceptable downtime during disaster) e.g. 8h
    • With RPO and RTO you can design backup, restore, replications and recovery capabilities to meet these objectives.
  • Where possible use existing services and best practices, try to resist creating your own.

5. Security

• Protecting data we use, store and transmit.
• Might be subject to more stringent legal and regulatory requirements e.g. PCI

Defense in depth (onion)

• multi layer creates a depth of protection if one layer fails or an attacker bypasses it.
• Layers
  • Data
    • Encryption
  • Application
    • Malicious code injections and execution - e.g. SQL injection for cross-site scripting (XSS)
  • VM/compute
    • malware can lead to further attacks and lateral movement.
  • Networking
    • Open ports e.g. RDP or SSH
  • Perimeter
    • DOS - downtime
  • Policies and access
    • Auth - OpenID Connect, OAuth or Kerberos(AD)
    • Limit permissions
    • Monitoring
  • Physical security
    • Unauthorized access to facilities.