Microsoft Azure Nesting
This article explains the components of Microsoft Azure architecture and how they nest together. When I first began learning Microsoft Azure it was confusing to me what fits inside of what, and I needed someone to explain it to me, so here is an explanation in plain English of what each Russian nesting doll does.
Tenant
At the very top is the tenant: the single Entra ID instance given to you at the beginning of your relationship with Microsoft. Formerly known as Azure Active Directory, Microsoft Entra ID is an integrated cloud identity and access solution.
- Integrated: Entra ID can integrate its directory services into other products, like other Microsoft products and popular SaaS applications.
- Identity: Bob works in the IT department, he started on July 5th, his birthday is Jan 4th, he lives in Washington D.C… etc.
- Access: Bob is an administrator and can do and access anything. Sue is a receptionist, she can’t see the executive roadmap.
If you’re familiar with Active Directory then you will be mostly familiar with the directory services of Entra ID. Primarily it’s where you manage your users, groups, and permissions in the cloud. It can sync with your on-premises Microsoft Active Directory, which is a huge bonus for most companies that are migrating to the cloud. It makes moving to a hybrid cloud model easier, where you’re halfway on-premises and halfway in the cloud. It also provides single sign-on (SSO) to many popular Software-as-a-Service apps. There is a one-to-one-to-one relationship between a company, an Entra ID, and a tenant.
Every company has a tenant made up of its employees’ identity and access.
That’s the way you should think about it. But just like everything else, it can’t be oversimplified easily. Since some companies acquire other companies, each one will have its own tenant and the architecture becomes multi-tenant. Something is then needed to connect the two and manage them both under one roof.
This function is called Azure Lighthouse. Azure Lighthouse is also used to allow outside access for organizations such as managed services providers.
Alright, I don’t want to go too far into the weeds with that.
Subscription
The next thing that is nested is the subscription. This is your agreement with Microsoft on how you’re going to pay for things. One company might have business units that pay for things separately: IT might use Azure to manage IT infrastructure, and Security might use Azure to manage corporate security. Each one uses different services and each has its own budget bucket that the cost needs to come out of, but both are still under the umbrella of their tenant company, ACME Corp.
Cost management is perhaps the most common reason someone would have multiple subscriptions. There has never been a cheap Microsoft product ever made.
Another reason is that there are limits on how many of certain resources, like VPCs, can be created per subscription, and some companies create additional subscriptions to side-step that limitation.
Resource Group
To understand what a resource group is, we first have to understand what a resource is. It’s fairly simple, so it won’t take long. A resource is an individual service that you’re consuming: virtual machines, virtual networks, and storage accounts are all examples of Azure resources. Since you will need all three of those resources to create a web server for your website ACME.com, you would create a resource group called ACME Website to manage them together. When you’re done with the website, for example, you can destroy everything associated with it just by deleting the resource group.
Workspace
A Log Analytics Workspace (LAW) is a resource. It must be inside of a resource group, subscription, and tenant. It’s a log collector. That’s all it really does; it’s a fancy cloud version of Graylog or Logstash. You can have multiple log collectors. If you need your data to stay in Europe for GDPR, you create one in Europe and can manage the permissions to only allow folks from Europe to look at it. A few things to note:
- You’re charged twice: when data goes in, and for how long it’s stored (and again for Sentinel).
- Beyond storing the data, it offers analytics and querying using the Kusto Query Language (KQL) that all Microsoft products use. You can even set up alerts based on queries.
Even with alerts, it’s not efficient for managing security.
Sentinel
Sentinel is more or less an application that sits on top of a Log Analytics Workspace, but it’s not a resource. You add this platform to the workspace and it turns Log Analytics Workspace alerts into actionable incidents.
Alerts become incidents.
In other words Sentinel is the SIEM. This is how it does that:
- Correlates alerts (puts similar alerts and activity together) and calculates risky behavior
- Enriches alerts to provide context and intelligence on top of the raw logs
- Investigates threats with artificial intelligence
- Automates alert orchestration and response to security incidents
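The first function in that list, turning individual alerts into incidents, is easiest to see with a small model. The following is an added example, not code from the article or from Microsoft Sentinel: it takes constructed workspace alert lines, groups alerts that share an entity (the account) within a time window into one incident, and gives the incident the highest severity among its alerts. The pipe-delimited line format, the one-hour window and the sample alerts are all assumptions made for the illustration.

```python
"""Added example (not from the article): correlate workspace alerts into
incidents the way a SIEM does. Alerts that share an account and fall within
a time window become one incident. All alert lines are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    time: datetime
    account: str      # the entity the alerts are correlated on
    name: str
    severity: str


@dataclass
class Incident:
    account: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # An incident is as severe as its most severe alert.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def first_seen(self) -> datetime:
        return min(a.time for a in self.alerts)

    @property
    def last_seen(self) -> datetime:
        return max(a.time for a in self.alerts)


def parse_alert_line(line: str) -> Alert:
    """Parse one constructed line of the form: time|account|alert name|severity."""
    time_s, account, name, severity = (f.strip() for f in line.split("|"))
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    return Alert(datetime.fromisoformat(time_s), account, name, severity)


def correlate(alerts: List[Alert], window: timedelta = timedelta(hours=1)) -> List[Incident]:
    """Group alerts per account; open a new incident when the gap since the
    account's previous alert exceeds the window. Returns incidents by first_seen."""
    open_incidents: Dict[str, Incident] = {}   # account -> incident still accepting alerts
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.time):
        current = open_incidents.get(alert.account)
        if current is None or alert.time - current.last_seen > window:
            current = Incident(account=alert.account)
            incidents.append(current)
            open_incidents[alert.account] = current
        current.alerts.append(alert)
    return sorted(incidents, key=lambda i: i.first_seen)


# Constructed sample alerts (not real telemetry), as a workspace alert table might export them.
SAMPLE_ALERT_LINES = [
    "2024-06-01T09:00:00|bob|Sign-in from unfamiliar location|Low",
    "2024-06-01T09:10:00|sue|Sign-in from unfamiliar location|Low",
    "2024-06-01T09:20:00|bob|Multiple failed sign-in attempts|Medium",
    "2024-06-01T09:35:00|bob|Mass download from SharePoint|High",
    "2024-06-01T14:00:00|bob|Sign-in from unfamiliar location|Low",
]


def incidents_from_lines(lines: List[str]) -> List[Incident]:
    return correlate([parse_alert_line(line) for line in lines])


if __name__ == "__main__":
    for inc in incidents_from_lines(SAMPLE_ALERT_LINES):
        print(f"{inc.first_seen:%H:%M} {inc.account:<4} {inc.severity:<6} "
              f"{len(inc.alerts)} alert(s): {', '.join(a.name for a in inc.alerts)}")
```

Run as a script it prints three incidents: bob’s three morning alerts collapse into one High incident, sue’s single alert stays Low, and bob’s afternoon sign-in opens a fresh incident because it falls outside the window. Real Sentinel correlation uses many more entity types (host, IP, mailbox) and analytics rules rather than a fixed window, but the shape of the result, fewer incidents than alerts and each one carrying its context, is the same.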
Sentinel makes it easy to integrate and collect logs from many data sources with the click of a button. The logs are then ingested and stored in your Log Analytics Workspace. When deploying Microsoft Sentinel you’re billed for every gigabyte you ingest into Sentinel on top of the cost of ingesting that same gigabyte into the underlying Log Analytics Workspace.
Key point: Microsoft Sentinel isn’t really a stand-alone Azure resource in itself. It’s actually a solution (SecurityInsights) that you enable within an Azure Log Analytics workspace. You still pay for data ingestion into the workspace, and a separate fee for the additional Sentinel functionality.
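The nesting described in the Workspace section (a workspace is a resource, so it must sit inside a resource group inside a subscription) and the point just made (Sentinel is a SecurityInsights solution enabled on the workspace, not a resource of its own) are both visible in Azure Resource Manager resource IDs. The following is an added example, not code from the article or from Microsoft: it parses an ARM resource ID into its nesting chain, checks that a Log Analytics workspace is placed where the article says it must be, and builds the ID of the SecurityInsights solution for that workspace. The GUID and names are constructed placeholders; the solution resource type and the SecurityInsights(workspaceName) naming convention are taken from Microsoft’s Sentinel onboarding ARM templates and are an assumption beyond what the article states.

```python
"""Added example (not from the article): parse Azure Resource Manager (ARM)
resource IDs to show how Azure components nest, and build the ID of the
Sentinel (SecurityInsights) solution enabled on a workspace.
All GUIDs and names below are constructed placeholders."""
import re
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# ARM resource ID layout. The tenant is implicit: a subscription belongs to
# exactly one tenant. Then subscription -> resource group -> provider/type/name.
# /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{childType}/{childName}]


def parse_resource_id(resource_id: str) -> Dict[str, object]:
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions" or not GUID_RE.match(parts[1]):
        raise ValueError("resource ID must start with /subscriptions/<guid>")
    info: Dict[str, object] = {"subscription": parts[1].lower(), "resource_group": None,
                               "provider": None, "chain": []}
    i = 2
    if i < len(parts) and parts[i].lower() == "resourcegroups":
        if i + 1 >= len(parts):
            raise ValueError("resourceGroups segment is missing its name")
        info["resource_group"] = parts[i + 1]
        i += 2
    if i < len(parts):
        if parts[i].lower() != "providers" or i + 1 >= len(parts):
            raise ValueError("expected /providers/<namespace>")
        info["provider"] = parts[i + 1]
        rest = parts[i + 2:]
        if not rest or len(rest) % 2:
            raise ValueError("type/name segments must come in pairs")
        info["chain"] = [(rest[j], rest[j + 1]) for j in range(0, len(rest), 2)]
    return info


def nesting_path(resource_id: str) -> List[str]:
    """Return the nesting chain, outermost first."""
    info = parse_resource_id(resource_id)
    path = [f"subscription:{info['subscription']}"]
    if info["resource_group"]:
        path.append(f"resourceGroup:{info['resource_group']}")
    chain: List[Tuple[str, str]] = info["chain"]  # type: ignore[assignment]
    for depth, (rtype, name) in enumerate(chain):
        prefix = f"{info['provider']}/" if depth == 0 else ""
        path.append(f"{prefix}{rtype}:{name}")
    return path


def is_workspace_in_resource_group(resource_id: str) -> bool:
    """A Log Analytics workspace is a resource, so it must sit inside a
    resource group (which sits inside a subscription, inside the tenant)."""
    info = parse_resource_id(resource_id)
    chain: List[Tuple[str, str]] = info["chain"]  # type: ignore[assignment]
    return (info["resource_group"] is not None
            and info["provider"] is not None
            and str(info["provider"]).lower() == "microsoft.operationalinsights"
            and len(chain) == 1
            and chain[0][0].lower() == "workspaces")


def sentinel_solution_id(workspace_id: str) -> str:
    """Sentinel is not a resource of its own: it is enabled as the SecurityInsights
    solution on a workspace, in the same subscription and resource group, and is
    named after the workspace. Resource type and naming follow Microsoft's Sentinel
    onboarding ARM templates (an assumption not stated in the article)."""
    if not is_workspace_in_resource_group(workspace_id):
        raise ValueError("Sentinel can only be enabled on a Log Analytics workspace")
    info = parse_resource_id(workspace_id)
    ws_name = info["chain"][0][1]  # type: ignore[index]
    return (f"/subscriptions/{info['subscription']}/resourceGroups/{info['resource_group']}"
            f"/providers/Microsoft.OperationsManagement/solutions/SecurityInsights({ws_name})")


# Constructed sample ID: placeholder GUID and made-up names.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001"
                "/resourceGroups/rg-acme-logs-eu"
                "/providers/Microsoft.OperationalInsights/workspaces/law-acme-eu")

if __name__ == "__main__":
    for step in nesting_path(WORKSPACE_ID):
        print(step)
    print(sentinel_solution_id(WORKSPACE_ID))
```

Reading the output top to bottom gives the dolls in order: subscription, resource group, then the workspace resource, with the Sentinel solution hanging off the same resource group and carrying the workspace name. The parser rejects IDs with a malformed subscription GUID or unpaired type/name segments, which is the kind of check worth having before any automation grants access scoped to a resource ID.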
Summary
I hope that this was helpful to you in understanding how the components nest together. It was confusing to me for some time before it was explained to me, so I am here to explain it to you!
In my honest opinion, Microsoft’s sheer ability to integrate with its existing products removes a lot of the technical hurdles of migrating to the cloud and makes them the 900 lb gorilla in the market for enterprise cloud deployments. The vast majority of companies use Windows and can be managed relatively easily. The Windows Defender suite and Azure Security Center require not much more than a subscription purchase and a few clicks of a button to onboard all of a company’s existing devices into a cutting-edge platform for managing cybersecurity, compliance, configuration management, and more. I see Microsoft’s vision and think there’s no reason why a $3 trillion company can’t make this real and monopolize the market. That is my career bet, and I’m looking for any takers. This is a huge part of Microsoft’s initiative; I don’t know of anything bigger. Even AI relies on the cloud. AWS is a subsidiary of Amazon, which only has half the valuation. There’s no way Amazon is going to be able to keep up in the long run.
Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University, and also CISSP, CCSK, CFSR, CEH, Sec+, Net+, A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, four online courses, and regularly holds webinars for new cybersecurity talent.
You can connect with him on LinkedIn.
Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”
Download the Azure Security Labs eBook from the Secure Style Store. It walks you through several fun hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.
Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.