This is a
continuation of an article that describes operational considerations for hosting
solutions on Azure public cloud.
·
Resources can be locked to prevent
unexpected changes. A subscription, resource group or resource can be locked to
prevent other users from accidentally deleting or modifying critical resources.
The lock overrides any permissions the users may have. The lock level can be
set to CannotDelete or ReadOnly, with ReadOnly being the more restrictive. Locks
are inherited: when a lock is applied at a parent scope, all resources within
that scope inherit the same lock. Some considerations still apply after locking.
For example, a CannotDelete lock on a storage account does not prevent data
within that account from being deleted. A ReadOnly lock on an application gateway
prevents you from getting the backend health of the application gateway, because
that operation uses POST, which a ReadOnly lock rejects. Only Owner and User
Access Administrator role members are granted access to
Microsoft.Authorization/locks/* actions.
·
Azure Key Vaults can throttle client
requests to help maintain optimal performance and reliability even when they
receive a high volume of concurrent calls. Throttled requests return a 429 error
code, and clients must back off exponentially before retrying. Caching the
secrets retrieved from Azure Key Vault in memory and reusing them from memory
reduces the load on the Key Vault service. Encrypt, wrap and verify are
public-key operations and can be performed locally with the public key, without
calling Key Vault at all, which not only reduces the risk of throttling but
also improves reliability. Programmatically, the retry behaviour is configured
through ServiceClientOptions when the corresponding client is created. The
ServiceClientOptions takes a retry setting where a policy describing the delay,
max delay, maxRetries and RetryMode can be specified.
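The retry-with-backoff and in-memory caching pattern described above, as an added example that is not part of the original article. It uses a constructed stand-in for the Key Vault client (ThrottlingVaultStub, which raises a 429-style error for its first N calls) so that it runs offline; the RetryPolicy fields mirror the delay, max delay, maxRetries and RetryMode settings named in the text, and the Retry-After handling is the author's assumption about what a throttled response carries:

```python
import time
from dataclasses import dataclass


class VaultThrottled(Exception):
    """Models an HTTP 429 response; retry_after mirrors a Retry-After header (assumed)."""

    def __init__(self, retry_after=None):
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after


class ThrottlingVaultStub:
    """Constructed stand-in for a Key Vault secrets client (hypothetical).

    Rejects the first `reject_first` calls with a 429-style error so the retry
    path can be exercised without a real vault.
    """

    def __init__(self, reject_first, retry_after=None):
        self.reject_first = reject_first
        self.retry_after = retry_after
        self.calls = 0
        self.secrets = {"db-password": "s3cr3t"}  # constructed sample data

    def get_secret(self, name):
        self.calls += 1
        if self.calls <= self.reject_first:
            raise VaultThrottled(self.retry_after)
        return self.secrets[name]


@dataclass
class RetryPolicy:
    """Mirrors the delay / max delay / maxRetries / RetryMode settings from the text."""

    delay: float = 0.8
    max_delay: float = 60.0
    max_retries: int = 3
    mode: str = "exponential"  # or "fixed"

    def wait_for(self, attempt, retry_after=None):
        # A server-supplied Retry-After wins over the client-side schedule,
        # but is still capped at max_delay.
        if retry_after:
            return min(retry_after, self.max_delay)
        if self.mode == "fixed":
            return self.delay
        return min(self.delay * (2 ** attempt), self.max_delay)


class CachingSecretReader:
    """Reads secrets through a retry policy and keeps them in memory for `ttl` seconds."""

    def __init__(self, client, policy, sleep=time.sleep, ttl=300.0, clock=time.monotonic):
        self.client = client
        self.policy = policy
        self.sleep = sleep      # injectable so tests need not really wait
        self.ttl = ttl
        self.clock = clock
        self._cache = {}        # name -> (value, expires_at)

    def get(self, name):
        now = self.clock()
        hit = self._cache.get(name)
        if hit and hit[1] > now:
            return hit[0]       # served from memory: no call to the vault
        value = self._fetch_with_retry(name)
        self._cache[name] = (value, now + self.ttl)
        return value

    def _fetch_with_retry(self, name):
        attempt = 0
        while True:
            try:
                return self.client.get_secret(name)
            except VaultThrottled as exc:
                if attempt >= self.policy.max_retries:
                    raise               # budget exhausted: surface the 429
                self.sleep(self.policy.wait_for(attempt, exc.retry_after))
                attempt += 1


if __name__ == "__main__":
    vault = ThrottlingVaultStub(reject_first=2)
    reader = CachingSecretReader(vault, RetryPolicy(delay=0.5), sleep=lambda s: print(f"backing off {s}s"))
    print(reader.get("db-password"), "after", vault.calls, "calls")
    print(reader.get("db-password"), "after", vault.calls, "calls (cache hit)")
```

The second `get` never reaches the vault, which is the point of the cache: a burst of workers starting at once should produce one fetch per secret, not one per worker.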
·
Legacy authentication to Azure AD can
be blocked with conditional access while users keep easy access to their cloud
apps. Azure Active Directory supports a broad variety of authentication
protocols, including legacy authentication, but legacy protocols such as POP,
SMTP, IMAP and MAPI cannot enforce MFA and so weaken the overall service. A
conditional access policy blocks legacy authentication. The Azure portal shows
Azure Active Directory sign-ins, where the client app column indicates which
sign-ins use legacy authentication. Policies can then be set to block those
applications directly or indirectly.
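Reviewing the client app column before enabling the block, as an added example that is not part of the original article. It runs over a constructed CSV export of sign-in rows (the column names and the set of legacy client app values are the author's assumptions; confirm them against the client app filter in your own tenant's sign-in logs) and reports which users would be affected by a policy that blocks legacy authentication:

```python
import csv
import io
from collections import Counter, defaultdict

# Client app values assumed to correspond to the legacy protocols the article
# names (POP, SMTP, IMAP, MAPI) plus the other legacy buckets the sign-in log
# uses. Assumption: verify against your tenant before relying on it.
LEGACY_CLIENT_APPS = {
    "POP3",
    "IMAP4",
    "Authenticated SMTP",
    "MAPI Over HTTP",
    "Exchange ActiveSync",
    "Exchange Web Services",
    "Other clients",
}

# Constructed sample export; the column names mirror the Azure AD sign-in
# schema as assumed here (createdDateTime, userPrincipalName, ...).
SAMPLE_SIGNIN_EXPORT = """\
createdDateTime,userPrincipalName,appDisplayName,clientAppUsed,status
2023-05-01T08:02:11Z,alice@contoso.example,Office 365 Exchange Online,IMAP4,Success
2023-05-01T08:05:40Z,bob@contoso.example,Office 365 Exchange Online,Browser,Success
2023-05-01T08:07:03Z,scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Success
2023-05-01T08:09:55Z,alice@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2023-05-01T08:12:30Z,carol@contoso.example,Microsoft Teams,Mobile Apps and Desktop clients,Success
2023-05-01T08:15:02Z,dave@contoso.example,Office 365 Exchange Online,MAPI Over HTTP,Success
"""


def parse_sign_ins(csv_text):
    """Parse a CSV sign-in export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def legacy_sign_ins(rows):
    """Keep only rows whose client app is one of the legacy values."""
    return [r for r in rows if r["clientAppUsed"] in LEGACY_CLIENT_APPS]


def summarize_by_user(rows):
    """Map user -> Counter of legacy client apps they signed in with."""
    summary = defaultdict(Counter)
    for r in legacy_sign_ins(rows):
        summary[r["userPrincipalName"]][r["clientAppUsed"]] += 1
    return dict(summary)


def users_affected_by_block(rows):
    """Users who successfully use legacy auth today: they need a migration
    path (or a scoped exclusion) before the block policy is turned on."""
    affected = {
        r["userPrincipalName"]
        for r in legacy_sign_ins(rows)
        if r["status"] == "Success"
    }
    return sorted(affected)


if __name__ == "__main__":
    rows = parse_sign_ins(SAMPLE_SIGNIN_EXPORT)
    for user, apps in summarize_by_user(rows).items():
        print(user, dict(apps))
    print("would be affected by a block:", users_affected_by_block(rows))
```

The "affected" list is what turns a sign-in review into a policy: service accounts such as the scanner mailbox above are the usual reason a block is first rolled out in report-only mode or with a narrowly scoped exclusion.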
·
End-to-end data-driven workflows for
data processing scenarios can be created using pipelines and activities in
Azure Data Factory and Azure Synapse Analytics, each of which can have one or more
pipelines. A pipeline consists of a set of activities and helps to manage them
as a set instead of each one individually. There are three groupings of
activities: data movement activities, data transformation activities and
control activities. An activity can take zero or more input datasets and
produce one or more output datasets. The pipeline can be exported as JSON.
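The pipeline, activity and dataset-reference structure described above, as an added example that is not part of the original article or of the Data Factory product. It builds a small pipeline from the three activity groupings, checks that every dependsOn points at a real activity and that the dependencies form no cycle, and exports the result as JSON; the activity type names and the JSON shape are the author's assumptions about the Data Factory pipeline format:

```python
import json

# Activity types grouped as the article describes; the type strings are assumed.
DATA_MOVEMENT = {"Copy"}
DATA_TRANSFORMATION = {"ExecuteDataFlow", "HDInsightHive", "DatabricksNotebook"}
CONTROL = {"Lookup", "ForEach", "IfCondition", "Until", "Wait", "SetVariable", "ExecutePipeline"}
KNOWN_TYPES = DATA_MOVEMENT | DATA_TRANSFORMATION | CONTROL


def dataset_ref(name):
    return {"referenceName": name, "type": "DatasetReference"}


def activity(name, type_, depends_on=(), inputs=(), outputs=(), **type_props):
    """Build one activity; inputs may be empty, outputs normally are not."""
    return {
        "name": name,
        "type": type_,
        "dependsOn": [{"activity": d, "dependencyConditions": ["Succeeded"]} for d in depends_on],
        "inputs": [dataset_ref(i) for i in inputs],
        "outputs": [dataset_ref(o) for o in outputs],
        "typeProperties": dict(type_props),
    }


def pipeline(name, activities):
    return {"name": name, "properties": {"activities": list(activities)}}


def classify(act):
    """Return which of the three groupings an activity belongs to."""
    t = act["type"]
    if t in DATA_MOVEMENT:
        return "data movement"
    if t in DATA_TRANSFORMATION:
        return "data transformation"
    if t in CONTROL:
        return "control"
    raise ValueError(f"unknown activity type {t!r}")


def validate(pipeline_def):
    """Return activity names in an order that honours dependsOn.

    Raises ValueError for an unknown type, a dependency on a missing activity,
    or a dependency cycle (Kahn's algorithm leaves cyclic nodes unordered).
    """
    acts = {a["name"]: a for a in pipeline_def["properties"]["activities"]}
    for a in acts.values():
        classify(a)
        for d in a["dependsOn"]:
            if d["activity"] not in acts:
                raise ValueError(f"{a['name']} depends on unknown activity {d['activity']!r}")
    indegree = {n: len(a["dependsOn"]) for n, a in acts.items()}
    ready = sorted(n for n, k in indegree.items() if k == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for name, a in acts.items():
            if any(d["activity"] == current for d in a["dependsOn"]):
                indegree[name] -= 1
                if indegree[name] == 0:
                    ready.append(name)
                    ready.sort()
    if len(order) != len(acts):
        raise ValueError("dependsOn forms a cycle")
    return order


def export_json(pipeline_def):
    return json.dumps(pipeline_def, indent=2)


# Constructed sample: one control, one data movement, one transformation activity.
SAMPLE_PIPELINE = pipeline("IngestOrders", [
    activity("GetWatermark", "Lookup"),
    activity("CopyOrders", "Copy", depends_on=["GetWatermark"],
             inputs=["SqlOrders"], outputs=["LakeOrdersRaw"]),
    activity("CleanOrders", "ExecuteDataFlow", depends_on=["CopyOrders"],
             outputs=["LakeOrdersCurated"]),
])

if __name__ == "__main__":
    print("run order:", validate(SAMPLE_PIPELINE))
    print(export_json(SAMPLE_PIPELINE))
```

Validating before export catches the two mistakes that are otherwise only reported at deployment time, a dependsOn naming an activity that was renamed, and a pair of activities that wait on each other.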
·