Azure Cosmos DB Design Decisions

Video Activity

Time
14 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
15
Video Transcription
00:00
>> Hello, Cybrarians.
00:00
Welcome to Lesson 3.11 of Module 3
00:00
>> of this course titled,
00:00
>> AZ-301: Microsoft Azure Architect Design.
00:00
Here are the learning objectives
00:00
for this particular lesson.
00:00
We'll start out by covering
00:00
Azure Cosmos DB design decisions
00:00
from an availability perspective.
00:00
What are the things that we need to know
00:00
if we're designing for availability.
00:00
We'll then proceed to cover
00:00
Cosmos DB design decisions
00:00
from a scalability perspective,
00:00
and also from a monitoring perspective.
00:00
We'll talk about Azure Cosmos DB
00:00
security design decisions,
00:00
and we'll end by talking about
00:00
Azure Cosmos DB cost design decisions.
00:00
Let's get right into this.
00:00
When it comes to security design decisions
00:00
of Azure Cosmos DB.
00:00
Talking about network security,
00:00
we can use IP firewall rules,
00:00
to lock down network connectivity access,
00:00
or we can limit connectivity
00:00
to a VNet that is under our control.
00:00
When it comes to access management,
00:00
it's a similar case where we want to use
00:00
role-based access control to restrict
00:00
management access to the Cosmos DB service itself.
00:00
Then we have two master keys and
00:00
two read-only keys that are provided
00:00
when we create an Azure Cosmos DB account,
00:00
we want to protect these keys.
00:00
Because anyone that gets a hold
00:00
of those keys essentially can
00:00
connect to the service and get access to our data.
00:00
When it comes to data protection,
00:00
encryption is enabled at rest by default,
00:00
and that's using AES-256 encryption.
00:00
We can enhance this by using our own key.
00:00
For example, the default encryption
00:00
uses Microsoft managed keys.
00:00
We can choose to use our own keys
00:00
integrated with Azure Key Vault.
00:00
When it comes to threat protection,
00:00
we can enable advanced threat protection
00:00
for Azure Cosmos DB.
00:00
This provides an additional layer
00:00
of security intelligence.
00:00
This can be used to detect
00:00
unusual or potentially harmful attempts
00:00
to exploit Azure Cosmos DB accounts.
00:00
This uses a combination of heuristic and behavior
00:00
analysis and machine learning to make these detections.
00:00
When talking about costs for Azure Cosmos DB,
00:00
we need to understand what we pay for,
00:00
what we mainly pay for Azure Cosmos DB are two things.
00:00
We pay for the guaranteed performance,
00:00
which are the request units that were selected.
00:00
If you're not familiar with what request units are,
00:00
I will recommend looking into
00:00
other Azure courses provided in
00:00
the library for Azure and have a look at those.
00:00
What we pay for, is we pay for
00:00
guaranteed performance with request units.
00:00
We also pay for,
00:00
and it's very important, what we pay
00:00
for is consumed storage.
00:00
Multi-region replication with
00:00
a single master essentially doubles the cost.
00:00
You enable replication that
00:00
doubles the cost of the request units.
00:00
Multi-region replication with
00:00
multiple masters increases request unit costs.
00:00
If you are going to be using multi-write
00:00
regions, be aware that your request unit cost increases.
00:00
If you're using a single region Cosmos DB account
00:00
and you enable the option for availability zones,
00:00
that's going to add to your cost,
00:00
that is the equivalent of you using a multi
00:00
regional or adding
00:00
an additional region to your account.
00:00
Be aware of that.
00:00
Like many other Microsoft services
00:00
or platform services in Azure,
00:00
Azure Cosmos DB supports reserved capacity,
00:00
which can lead to a cost savings of up to 65 percent.
00:00
When it comes to reserved capacity,
00:00
Microsoft has made some adjustments in terms of
00:00
the entry point to be able to purchase reserved capacity.
00:00
Now there's a new entry point of
00:00
5,000 request units per second.
00:00
You can reserve that and then you get a discounted price.
00:00
Also rather than just paying for it yearly upfront,
00:00
you can pay for it on a monthly basis.
00:00
Which is a good alternative.
00:00
Microsoft recently, just a few weeks ago,
00:00
announced something called Autopilot,
00:00
which is in preview, which allows for
00:00
more flexibility when it comes to request units.
00:00
Because in the past, what happens is we can only specify
00:00
the request units that our database would be using right
00:00
upfront and then we have to
00:00
implement some form of automated monitoring,
00:00
and automated adjustment, if we reach that limit.
00:00
What it allows us to do is to say,
00:00
you can consume up to this number of
00:00
request units based on
00:00
the actual workload that's coming in.
00:00
What's to understand when it comes to costs is that this
00:00
has a slightly higher cost for request units per second.
00:00
Quiz question number 1,
00:00
you are designing a solution that uses Azure Cosmos DB.
00:00
You have enabled diagnostic logs
00:00
to be stored in Azure Log Analytics.
00:00
You need to ensure that an alert is
00:00
generated when a request charge for
00:00
a query exceeds 50 request units
00:00
more than 20 times within a 15 minute window.
00:00
What will you recommend?
00:00
Option 1, create a search query to
00:00
identify when request charge exceeds 50,
00:00
configure an alert threshold of 20 and a period of 15.
00:00
Option 2, create
00:00
a search query to identify when duration
00:00
exceeds 20 and request charge exceeds 50,
00:00
configure a period of 15.
00:00
Option 3, create a search query to
00:00
identify when request charge exceeds 20,
00:00
configure a period of 15,
00:00
and a frequency of 20.
00:00
Option 4, create a search query to
00:00
identify when duration exceeds 20,
00:00
configure a period of 15.
00:00
If you selected option 1,
00:00
you would be correct,
00:00
we'll need to create a search query to
00:00
identify when the request charge exceeds 50.
00:00
Then our alert threshold will be
00:00
20 and a period of 15 because that's within
00:00
a 15 minute window and we're looking for
00:00
when request charge exceeds 50 request units.
00:00
That's what we'll be looking for.
00:00
Quiz question number 2.
00:00
You are designing a solution which requires you
00:00
to import data from a table in
00:00
an on-prem SQL Server database
00:00
into an Azure Cosmos DB account that uses SQL API.
00:00
What should you recommend?
00:00
Option 1, Azure Data Migration Assistant.
00:00
Option 2, AzCopy.
00:00
Option 3, Azure Cosmos DB Data Migration tool.
00:00
Option 4, Data Management Gateway.
00:00
Option 5, Azure Database Migration Service.
00:00
If you selected option 3,
00:00
Azure Cosmos DB Data Migration tool,
00:00
you will be correct because
00:00
that's the tool that supports migration
00:00
from SQL Server database to Azure Cosmos DB SQL API.
00:00
Database Migration Service only
00:00
supports the MongoDB use case.
00:00
Quiz question number 3.
00:00
You plan to migrate
00:00
an on-premises deployment of MongoDB to
00:00
an Azure Cosmos DB account that uses the MongoDB API.
00:00
What solution will you recommend
00:00
>> for doing the migration?
00:00
>> Option 1, Azure Database Migration Service,
00:00
Option 2, Data Migration Assistant.
00:00
Option 3, Azure Storage Explorer.
00:00
Option 4, Azure Cosmos DB Data Migration tool.
00:00
If you selected option
00:00
1, Azure Database Migration Service,
00:00
you will be correct because
00:00
that supports that scenario.
00:00
>> This brings me to the end of this lesson.
00:00
Thanks very much for watching,
00:00
and I'll see you in the next lesson.