Azure Architecturing PDF


Architecting Azure – Exam Ref 70-535

What is Cloud Computing?


• The term Cloud computing is used to describe Internet
based computing, where services such as servers,
storage and applications are delivered to an
organization's computers and devices over the Internet
as opposed to a LAN.

Microsoft Confidential
Cloud Computing Options
• Public Cloud
• A public cloud is one in which the services and infrastructure are provided off-
site and accessible over the Internet e.g. Microsoft Azure
• Private Cloud
• A private cloud is one in which the services and infrastructure are maintained on
a private network e.g. Microsoft Azure Stack
• Hybrid Cloud
• A hybrid cloud includes a variety of public and private clouds with multiple
providers e.g. Microsoft Azure & Microsoft Azure Stack

Cloud Computing Services

Hyper Scale Infrastructure
• 30 regions worldwide with 8 additional regions announced
Microsoft Azure Infrastructure
• Over 1 million physical servers globally
• ~50 servers per rack
• ~20 racks make up a “cluster” which provides a unit of fault isolation
• 5 servers per rack are reserved for the Fabric Controller (FC)
• The FC is the “kernel” of the Azure cloud operating system responsible for:
• Datacenter resource allocation
• Datacenter resource provisioning
• Service lifecycle management
• Service health management

• Using Software Defined Networking (Operating at Virtual Layer-2)

Microsoft Azure Compute

Microsoft Azure Virtual Machines
• Azure Virtual Machines is one of several types of on-demand, scalable computing resources
that Azure offers.
• Flexibility of virtualization without having to buy and maintain the physical hardware that
runs the virtual machine
• Virtual Machines lets you create and use VMs in the cloud, providing what is known as
Infrastructure as a Service (IaaS)
• Examples of VM workloads:
• Development and testing
• Running applications in the cloud
• Extending your own datacenter into Azure
• Disaster recovery

Microsoft Azure Virtual Machine Scale Sets
• Azure Virtual Machine Scale Sets is a compute resource used to deploy and manage a set of
identical VMs.
• Designed to support true auto scale of IaaS VMs with no pre-provisioning.
• Integrated load balancing
• Built-in high availability
• Support for manual roll out of OS image updates without downtime.
• Visual Studio support
• REST, SDK, and command line support

Microsoft Azure Batch
• Azure Batch is a compute resource which at its core is a high-scale job scheduling engine
that is available as a managed service.
• Running a large volume of similar tasks to get some desired result e.g. software testing,
engineering stress analysis, financial risk modeling etc.
• Create and manage pools of virtual machines and schedule jobs and tasks to run on them.
• Batch APIs, Batch PowerShell cmdlets, Azure CLI and Batch Management .NET can be used to
communicate with the Batch service.

Microsoft Azure Cloud Services
• Azure Cloud Services is a compute resource that is used as a container to store roles.
• A role is a container for an instance and is also used to define the type of workload and
configuration of the instance that will be running inside it e.g:
• A Web Role (An instance of Windows Server 2012 R2 virtual machine running IIS)

• A Worker Role (An instance of Windows Server 2012 R2 virtual machine)

• A Virtual Machine Role (An instance of any virtual machine)

• An instance is the virtual machine running inside a role.


• Web & Worker roles are PaaS & Virtual Machine roles are IaaS.
• RDP can be configured for all roles with limited control over Web & Worker roles.

Microsoft Azure Service Fabric
• Azure Service Fabric is a compute resource that is Microsoft’s next generation Platform as a
Service offering.
• Provides software developers with a platform on which they can develop their applications
composed of Microservices.
• Microservices are small, independent components that communicate with each other to
form complex applications.
• Platform consists of a number of underlying components e.g: virtual machines, operating
systems, networking, storage etc. that are managed by Microsoft.

Microsoft Azure Container Service
• Azure Container Service is a compute resource that makes it simpler to create, configure,
and manage a cluster of virtual machines that are preconfigured to run containerized
applications.
• Containerization is a lightweight alternative to full machine virtualization that involves
encapsulating an application in a container with its own operating environment.
• Leverages the Docker container format to ensure that application containers are fully
portable.
• Container hosting environment is exposed by API endpoints.
• Configure deployment by using either DC/OS or Docker Swarm.

Scaling Possibilities

• VM Scale up/Scale down (resize)
• VM Scale out – Virtual Machine Scale Sets (VMSS)
• Web App Scale up/Scale down (resize)
• Web App Scale out – manual or autoscaling

Design Principles for Cloud Infrastructure and Development

Cloud Application Common Patterns

Stateless Service

Cloud Design Pattern

https://docs.microsoft.com/en-us/azure/architecture/patterns/

Why Patterns?

Useful for building reliable, scalable, secure applications in the cloud

Designing Virtual Networks

Azure Virtual Networks
An Azure virtual network (VNet) is a representation of your on-premises network in the cloud

It is a logical isolation of a given address space with full network connectivity between all
hosts within it

IP address blocks, DNS settings, security policies, and route tables within a VNet can be
controlled

VNets can also be segmented into subnets to host Azure IaaS virtual machines (VMs) and/or
Cloud services (PaaS role instances)

Connectivity options available in Azure allow you to connect the VNet to your on-premises network
Azure Virtual Networks

Virtual Network Name Resolution
An Internal DNS suffix *.internal.cloudapp.net is provided to each VM using DHCP
This enables hostname resolution as the hostname records are in the internal.cloudapp.net
zone on Azure internal DNS servers
An Internal DNS suffix is not supplied to VMs when using your own DNS
Instead we provide a non-functioning placeholder reddog.microsoft.com
Internal DNS name resolution resolves DNS queries only for hosts that are within the same
VNet

Reserved IP in a Virtual Subnet

Connectivity in Microsoft Azure

Virtual Network Connectivity Options

Site-to-Site Connectivity
• Extend your on-premises network to the cloud securely
• On-ramp for migrating services to the cloud
• Use your on-premises resources in Azure (monitoring, DNS Server, AD, …)

[Diagram: an on-premises VPN gateway (hardware VPN or Windows RRAS) in your datacenter
connected to a Windows Azure Virtual Network containing subnet 1, subnet 2 and subnet 3]

The Virtual Branch Office

Public, Private and Microsoft peering
Azure Load Balancers
• Azure Load Balancer is a Layer 4 (TCP, UDP) load balancer that distributes incoming traffic among
healthy instances of services defined in a load-balanced set

• There are two types of Load Balancers:


• External - which is used to load balance incoming Internet traffic to virtual machines in a
virtual network
• Internal - which is used to load balance traffic between virtual machines in a virtual network,
between virtual machines in cloud services, or between on-premises computers and virtual
machines in a cross-premises virtual network

• Can also forward external traffic to a specific virtual machine


[Diagram: Load Balancer default health probe for load balanced sets, showing the role status
of each instance]

Traffic Manager

Traffic Management Policies

• Performance – Direct to “closest” service
• Weighted – Distribute across all services
• Priority – Direct to “backup” if primary fails
• Nested – A combination of Performance, Weighted and Priority

[Diagram: Traffic Manager resolving www.contoso.com to the selected endpoint]
Network Security Groups (NSG)
• Define access control rules for
inbound/outbound traffic to a
VM/NIC or group of VMs in a
subnet
• NSG rules can be changed at any
time and apply to all instances
• NSG can be associated with:
• A single ASM VM in a VNet
or the NIC of an ARM VM
• A subnet in a VNet
• A VM/NIC and a Subnet
together for added security
• Rules are processed in order of
priority
• Rules are based on 5-tuple
(source/dest IP/port, protocol)
Network Security Groups
• Two different ACL groups, one
for individual VM/NIC, one for
Subnet
• Rules are applied to inbound
traffic for subnet followed by
rules for the VM/NIC
• Outbound rules are applied
for VM first and then followed
by subnet rules

Example PowerShell (classic/ASM cmdlets):

# Create the network security group in the West US location
New-AzureNetworkSecurityGroup -Name "MyVNetSG" -Location "West US" `
    -Label "Security group for my VNet in West US"

# Add an inbound rule named WEB at priority 100 that allows all TCP traffic
# from the INTERNET tag to any destination address and port
Get-AzureNetworkSecurityGroup -Name "MyVNetSG" | Set-AzureNetworkSecurityRule -Name WEB `
    -Type Inbound -Priority 100 -Action Allow `
    -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol TCP
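As an added example (not from the slide deck), the following Python models the evaluation order described above: rules sorted by priority within each NSG, inbound traffic checked against the subnet NSG and then the NIC NSG, outbound in the reverse order, with the first matching rule deciding. The rule sets, addresses and the catch-all deny rules are constructed for the illustration, and the INTERNET tag is simplified to match any address.

```python
"""Model of NSG rule evaluation as described on the slides (added example).
Rules, addresses and the DenyAllIn rules below are constructed sample data;
the 'INTERNET' service tag is simplified to match any source address."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name priority direction action src sport dst dport proto")
Flow = namedtuple("Flow", "src sport dst dport proto")


def _match_addr(prefix, addr):
    """'*' and the (simplified) INTERNET tag match anything; otherwise CIDR test."""
    if prefix in ("*", "INTERNET"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _match_port(rng, port):
    """Port range given as '*', '443' or '1000-2000'."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_group(rules, flow, direction):
    """One NSG: lowest priority number first, first match decides (5-tuple + protocol)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.proto in ("*", flow.proto)
                and _match_addr(r.src, flow.src) and _match_port(r.sport, flow.sport)
                and _match_addr(r.dst, flow.dst) and _match_port(r.dport, flow.dport)):
            return r.action, r.name
    return "Deny", "implicit"  # constructed fallback when no rule matches


def evaluate(subnet_rules, nic_rules, flow, direction):
    """Inbound: subnet NSG, then NIC NSG. Outbound: NIC NSG, then subnet NSG.
    Both groups must allow the flow; a Deny in either group ends evaluation.
    Returns (decision, [names of the deciding rules in the order they fired])."""
    order = (subnet_rules, nic_rules) if direction == "Inbound" else (nic_rules, subnet_rules)
    trace = []
    for group in order:
        action, name = evaluate_group(group, flow, direction)
        trace.append(name)
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed sample: the subnet NSG mirrors the slide's WEB rule (Internet -> any TCP);
# the NIC NSG narrows that to HTTPS on the VM and explicitly blocks RDP.
SUBNET_NSG = [
    Rule("WEB", 100, "Inbound", "Allow", "INTERNET", "*", "*", "*", "TCP"),
    Rule("DenyAllIn", 4096, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]
NIC_NSG = [
    Rule("HTTPS", 100, "Inbound", "Allow", "*", "*", "10.0.1.4/32", "443", "TCP"),
    Rule("NoRDP", 110, "Inbound", "Deny", "*", "*", "*", "3389", "TCP"),
    Rule("DenyAllIn", 4096, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]


def demo():
    """Three constructed inbound flows against the two NSGs above."""
    web = Flow("203.0.113.7", 50000, "10.0.1.4", 443, "TCP")
    rdp = Flow("203.0.113.7", 50000, "10.0.1.4", 3389, "TCP")
    udp = Flow("203.0.113.7", 50000, "10.0.1.4", 443, "UDP")
    return [evaluate(SUBNET_NSG, NIC_NSG, f, "Inbound") for f in (web, rdp, udp)]


if __name__ == "__main__":
    for decision, trace in demo():
        print(decision, "via", " -> ".join(trace))
```

The trace shows why a permissive subnet rule is not the end of the story: the NIC-level NSG still gets its own vote on inbound traffic, and the order flips for outbound.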
Forced Tunneling
• Force all traffic from a subnet
to a VNet gateway
• Allows scenario for inspection
and auditing of traffic
• Can create a routing table to
create a default route, then
associate routing table to
VNet subnets
User Defined Routing
• By default, Azure provides a route table based on your virtual network settings
• Need for custom routing may include
• Use of a virtual appliance in your Azure environment, ex. Firewall
• Implementing a virtual NAT appliance to control traffic between your Azure virtual
network and the Internet
• BGP Route – if you are using ExpressRoute, you can enable BGP to propagate routes
from your on-premises network to Azure

Ex. - All traffic directed to the mid-tier and backend subnets initiated from the front end subnet goes
through a virtual firewall appliance
Azure Application Gateway

• Azure-managed, first-party virtual appliances
• HTTP routing based on app-level policies:
  o Cookie based session affinity
  o URL hash
  o Weight (load)
• SSL termination and caching
  o Centralize certificate management
  o Scalable backend provisioning

[Diagram: HTTP and HTTPS traffic enters the App Gateway (Load Balancing, Cookie Affinity,
SSL Offload), which distributes it to customer VMs Web1, Web2 and Web3]
Application Gateway – LB Hierarchy

Azure Service        | What                                       | Example
---------------------|--------------------------------------------|--------------------------------------------
Traffic Manager      | Cross-region redirection & availability    | http://news.com ➔ apac.news.com, emea.news.com, us.news.com
SLB                  | In-region scalability & availability       | emea.news.com ➔ AppGw1, AppGw2
Application Gateway  | URL/content-based routing & load balancing | news.com/topnews, news.com/sports, news.com/images
VMs                  | Web Servers                                |

[Diagram: Internet ➔ Azure Traffic Manager (DNS Load Balancer) ➔ one SLB (L4 Load Balancer)
per region ➔ Application Gateways ➔ VMs, shown for Region 1 and Region 2]
DMZ between Azure and your on-premises datacenter
Azure Storage Services

Queues
• Reliable queues at scale for cloud services
• Decouple and scale components
• Message visibility timeout and update message to protect against unreliable dequeuers
• Code against (REST API)
Azure Storage & Data Services

• Blobs – Highly scalable, REST based cloud object store
• Data Lake – Store HDFS as a service
• Tables – Key Value, high scale, auto-scaling NoSQL store
• DocumentDB – NoSQL document database service
• Azure SQL DB – Fully managed database-as-a-service built on SQL
• SQL Data Warehouse – Elastic data warehouse as a service
Standard Storage Account

Exposed via RESTful Web services:


Can CDN-enable an account
500 TB per account
20 Storage Accounts per subscription (default)
Up to 20,000 IOPS Per Account and Up to 500 IOPS per VHD
Encryption at Rest

Storage Options Types

Locally redundant storage (LRS)


Zone Redundant – block blobs only, no metrics
Geo-replication (Geo Redundant Storage)
Read Access Geo-Redundant

Azure Premium Storage
Available in select regions - https://azure.microsoft.com/en-us/regions/#services

• Only supports Locally Redundant Storage (LRS)
• Must use DS-Series or GS-Series VMs for the disks
• Cannot be mapped to a custom domain
• Storage analytics not currently supported
• No support for Block blobs, Azure Files, Azure Tables or Azure Queues; only Page Blobs for
Virtual Machines (aka VHDs)

Azure Premium Storage Scalability

Premium Storage Disk Type | P10               | P20               | P30
--------------------------|-------------------|-------------------|-------------------
Disk size                 | 128 GiB           | 512 GiB           | 1024 GiB (1 TB)
IOPS per disk             | 500               | 2300              | 5000
Throughput per disk       | 100 MB per second | 150 MB per second | 200 MB per second

Storage Security
Microsoft Azure Storage provides simple security for calls to storage service
• HTTPS endpoint
• Digitally sign requests for privileged operations

Two 512-bit symmetric keys per storage account


• Can be regenerated independently

More granular security via Shared Access Signatures (SAS)

Azure Storage does not authenticate users

Shared Access Signatures
Fine grain access rights to storage entities (blobs/tables etc)

Sign URL with storage key—permit elevated rights

Revocation:
• Use short time periods and re-issue
• Use container-level policy that can be deleted

Two broad approaches:


• Ad hoc
• Policy-based

Ad Hoc Signatures
Create short-dated SAS
• Signedresource: Blob or Container
• AccessPolicy: Start, Expiry, and Permissions
• Signature: HMAC-SHA256 of above fields

Use case
• Single use URLs
• For example, provide URL for the client to upload to container

http://...blob.../pics/image.jpg?
sr=c&st=2009-02-09T08:20Z&se=2009-02-10T08:30Z&sp=w
&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

Policy-Based Signatures
Create container-level policy
• Specify StartTime, ExpiryTime, and Permissions
Create SAS URL
• Signedresource: Blob or Container
• Signedidentifier: optional pointer to container policy
• Signature: HMAC-SHA256 of above fields

http://...blob.../pics/image.jpg?
sr=c&si=MyUploadPolicyForUserID12345
&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

Use case
• Providing revocable permissions to certain users/groups
• To revoke: Delete or update container policy
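The two SAS flavours from the Ad Hoc Signatures and Policy-Based Signatures slides, as an added example that is not part of the deck: a signature is an HMAC-SHA256 over the SAS fields keyed with the account key, and the verifier recomputes it before applying the time window. The account name, key, container and policy store are constructed; the newline-separated string-to-sign layout (permissions, start, expiry, canonicalized resource, signed identifier) is assumed to follow the early service version that the slide's 2009-dated URL uses, so treat it as an illustration of the mechanism rather than a drop-in for current service versions.

```python
"""Ad hoc vs policy-based Shared Access Signatures (added example, not from the deck).
Assumed string-to-sign layout (early service version, matches the slide's 2009 URL):
permissions \n start \n expiry \n canonicalized resource \n signed identifier.
Account, key, container and policies are constructed sample data."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "contosostore"                                   # constructed
CONTAINER = "pics"                                         # from the slide's URL
KEY_B64 = base64.b64encode(b"\x01" * 64).decode()          # constructed 512-bit key
TIME_FMT = "%Y-%m-%dT%H:%MZ"                               # the slide's st/se format


def _sign(key_b64, fields):
    """HMAC-SHA256 over the newline-joined fields, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def canonical(account, container):
    return f"/{account}/{container}"


def ad_hoc_sas(key_b64, account, container, perms, start, expiry):
    """Ad hoc: start/expiry/permissions travel in the URL and are covered by the signature."""
    fields = [perms, start, expiry, canonical(account, container), ""]
    return urlencode({"sr": "c", "st": start, "se": expiry, "sp": perms,
                      "sig": _sign(key_b64, fields)})


def policy_sas(key_b64, account, container, policy_id):
    """Policy-based: only the policy name is in the URL; times and permissions are
    stored on the container, so deleting the policy revokes every SAS that names it."""
    fields = ["", "", "", canonical(account, container), policy_id]
    return urlencode({"sr": "c", "si": policy_id, "sig": _sign(key_b64, fields)})


def verify(key_b64, account, container, query, policies, now):
    """Service-side check: constant-time signature comparison, then the validity window."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    si = q.get("si", "")
    if si:
        if si not in policies:
            return "denied: policy revoked"
        perms, start, expiry = policies[si]
        fields = ["", "", "", canonical(account, container), si]
    else:
        perms, start, expiry = q.get("sp", ""), q.get("st", ""), q.get("se", "")
        fields = [perms, start, expiry, canonical(account, container), ""]
    if not hmac.compare_digest(_sign(key_b64, fields), q.get("sig", "")):
        return "denied: bad signature"
    start_dt = datetime.strptime(start, TIME_FMT).replace(tzinfo=timezone.utc)
    expiry_dt = datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc)
    if not (start_dt <= now < expiry_dt):
        return "denied: outside validity window"
    return f"allowed: {perms}"


def demo():
    """Runs both flavours against constructed inputs and returns the verifier's verdicts."""
    now = datetime(2009, 2, 9, 12, 0, tzinfo=timezone.utc)
    policies = {"MyUploadPolicyForUserID12345": ("w", "2009-02-09T08:20Z", "2009-02-10T08:30Z")}
    adhoc = ad_hoc_sas(KEY_B64, ACCOUNT, CONTAINER, "w", "2009-02-09T08:20Z", "2009-02-10T08:30Z")
    pol = policy_sas(KEY_B64, ACCOUNT, CONTAINER, "MyUploadPolicyForUserID12345")
    return {
        "adhoc_ok": verify(KEY_B64, ACCOUNT, CONTAINER, adhoc, {}, now),
        "adhoc_expired": verify(KEY_B64, ACCOUNT, CONTAINER, adhoc, {}, now + timedelta(days=2)),
        "adhoc_tampered": verify(KEY_B64, ACCOUNT, CONTAINER, adhoc.replace("sp=w", "sp=rwdl"), {}, now),
        "policy_ok": verify(KEY_B64, ACCOUNT, CONTAINER, pol, policies, now),
        "policy_revoked": verify(KEY_B64, ACCOUNT, CONTAINER, pol, {}, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The tampered case shows why the permissions cannot be widened in the URL, and the revoked case shows why only the policy-based form can be cut off before its expiry.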

Storage Service Encryption (Encryption at Rest)

Secure data storage at rest
• For Blob Storage service (includes IaaS VM disks)
• For sensitive data from healthcare, finance, etc.
• Service side – No additional client side overhead
• Microsoft takes care of all key management practices

[Diagram: VM Disks and apps using the Blob REST API ➔ Storage Service Blob Front Ends (REST API
provider, authentication, billing, throttling, …), which encrypt and decrypt using MS Managed Keys
for every request ➔ Storage Service Index and Distributed File System, where all data is stored
in an encrypted form]
Business Continuity Challenges
Common business continuity and disaster recovery hurdles

Cost of protecting key applications and workloads

Integration with existing investments and technologies

Comprehensive protection from metal to app

Monitoring and management of protection and recovery

Complexity of integration, protection, and recovery

Section Overview
The purpose of this section is to introduce basic concepts and terminology
used to discuss Business Continuity and Disaster Recovery (BC/DR) strategies

We will cover:
1. Stateless and Stateful Workloads
2. Disaster Recovery Terms
• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
3. Factors influencing BC/DR Strategy
4. BC/DR options with cloud constructs

Disaster Recovery Terms
Recovery Point Objective (RPO):
• Maximum amount of last updates (time interval) the application can lose
by the moment it fully recovers after the disruptive event. RPO measures
the maximum loss of data during the failures.
• Answers the question: To what point in time can I recover?
Recovery Time Objective (RTO):
• Maximum acceptable time before the application fully recovers after the
disruptive event. RTO measures the maximum loss of availability during
the failures.
• Answers the question: How soon can the services recover after the
disruption?

[Diagram: timeline around the disruption event; RPO spans from the last recoverable point back
to the event (data/transactions lost), RTO spans from the event until service is restored
(service unavailable)]
Azure Site Recovery At-A-Glance

Automated Protection
• Delivers on-going replication of virtual machines
• Integrates with Hyper-V Replica and System Center Virtual Machine Manager technologies
• Workload data remains in your network

Continuous Health Monitoring
• Continuously and remotely monitors application availability
• Only Virtual Machine Manager servers communicate directly with Azure

Orchestrated Recovery
• Orchestrates orderly recovery of virtual machines that compose multi-tier services
• Offers customizable recovery plans
• Simplifies recovery plan testing
Azure Site Recovery
Key Scenarios
• Hyper-V to Hyper-V (on-premises), including SAN-to-SAN replication
• Hyper-V to Microsoft Azure
• VMware/Physical to VMware (on-premises)
• VMware/Physical to Microsoft Azure

[Diagram: replication arrows from each on-premises source (Hyper-V, VMware/Physical) to its
target, either a second on-premises site or Microsoft Azure]
Supported Deployment Methods
Planning with Staged Slots
• Deploy your website to a separate deployment slot instead of the default production slot
• Available in the Standard or Premium app service plan
• Once testing is complete, development slot can be swapped with production slot
• Benefits:
• You can validate website changes in a staging deployment slot before swapping it with the production
slot
• Deploying a site to a slot first and swapping it into production ensures that all instances of the slot
are warmed up before being swapped into production
• Four deployment slots in addition to the production slot are supported for each website in the
Standard plan.
• 19 deployment slots in addition to the production slot are supported for each website in the
Premium plan.
Compute Scaling

App Service Plans
• Supports the Azure Web app pricing tiers
• Web apps need to be in the same
subscription, resource group and region to
share an app service plan
• A web app can only be associated with one
app service plan
• All web apps that use the same app service
plan will be placed on the same resource
hardware
• You can have multiple app service plans in a
single resource group to allow for different
capacity needs

What are Azure API Apps?
• A modern REST-based service that is hosted in the Azure cloud
• Excels at accepting and generating structured data like JSON and XML
• It is part of the family of Azure App Services offerings: Web Apps, Logic Apps, Mobile Apps, API Apps
• API Apps can be discovered and consumed by external applications or other App Services
API Apps Inherit Web App Features

Web Apps Features
• High availability
• Enterprise-grade security
• Simple access control
• Multi platform/languages support
• Auto-scaling and load balancing
• WebJobs for background processing
• Easy deployment/continuous delivery
• CORS Support
• Support for .NET, Node.js, PHP, and Java

API App Features
▪ Bring your API as-is
▪ Connectivity to SaaS platforms
▪ Swagger metadata support
▪ Discovery
▪ Logic App integration
▪ Visual Studio tooling and code gen
Swagger Support
• Swagger is an open-source framework for describing, consuming and visualizing API services
• The Visual Studio Azure API App template includes “Swagger” support
• Behind the scenes, Swagger libraries reflect across service endpoints and
dynamically render metadata that describe service endpoints, parameters
and model data formats
• Clients leverage the metadata to discover an API and generate code to
consume it
• Swagger provides visual documentation to help developers better
understand the API and its functionality


What is Azure Functions?

[Diagram: Code + Events + data ➔ Azure Functions]

Azure Functions features
• Choice of language – Write functions using C#, F#, Node.js, Python, PHP, batch, bash or any exe
• Pay-per-use pricing model – Pay for only the time spent executing the function
• Use your own code dependencies – Functions support NuGet and NPM, use your own libraries
• Integrated security – Protect HTTP-triggered functions with OAuth providers
• Integration with other Azure services and SaaS providers
• Continuous integration
• Open-source – Azure Functions runtime is open-source and available on GitHub

What can Azure Functions do?
• BlobTrigger - Process Azure Storage blobs when they are added to containers
• EventHubTrigger - Respond to events delivered to an Azure Event Hub
• Generic webhook - Process webhook HTTP requests from any service that supports webhooks
• GitHub webhook - Respond to events that occur in your GitHub repositories
• HTTPTrigger - Trigger the execution of your code by using an HTTP request
• QueueTrigger - Respond to messages as they arrive in an Azure Storage queue
• ServiceBusQueueTrigger - Connect your code to other Azure services or on-premises services by listening
to message queues
• ServiceBusTopicTrigger - Connect your code to other Azure services or on-premises services by subscribing
to topics
• TimerTrigger - Execute cleanup or other batch tasks on a predefined schedule

Azure Functions Architecture

[Diagram: Triggers and Input Bindings feed the Functions Programming Interface on the Functions
Runtime, which produces Output Bindings; the runtime is hosted on App Service App Hosting Plans]
Agenda

• Introduction
• Logic Apps Terms
• Minimum Requirement & Price And Services
• How to Access Logic app
• Triggers and Actions
Why Logic Apps?

• Easy to use design tools
• Compose SaaS easily
• Get started quickly from templates
• Extensibility baked-in
• Real integration horsepower

Why use the Azure Service Bus?

Azure Service Bus
• Queue – Transactional Cloud AMQP/HTTP Broker; High-Scale, High-Reliability Messaging;
Sessions, Scheduled Delivery, etc.
• Topic – Transactional Message Distribution; Up to 2000 subscriptions per Topic;
Up to 2K/100K filter rules per subscription
• Event Hub – Cloud-scale telemetry ingestion from websites, apps, and devices
• Relay – NAT and Firewall Traversal Service; Request/Response Services;
Unbuffered with TCP Throttling
Azure Architecture for Processing Events

Topics

Identity Today

[Diagram: four identity models side by side]
• On-premises – AD DS with Kerberos, Negotiate, NTLM, SChannel and Digest
• Cloud – AAD with WS-Federation, SAML-P, OAuth and OpenID Connect
• Hybrid – AD DS synced with AAD (sync with pwd hashes)
• Hybrid with Federation – AD DS federated with AAD (sync with/without pwd hashes)
Microsoft Azure Active Directory

[Diagram: on-premises Windows Server Active Directory and other directories connect to
Microsoft Azure Active Directory, which provides simple connection, self-service and single
sign on (username/password) to SaaS, Azure, Office 365 and public cloud applications]

What we are accustomed to…

From having a trusted domain for users and apps…

[Diagram: Application and Directory inside one trusted domain]

Cloud identity – external application

[Diagram: Application outside the trusted domain that holds the identity store]
1. How does the application get data from the on-premises, firewalled identity store?
2. How does the application trust data sent by the identity store?
3. How does the identity store know that it is OK to send user data to the Application?

Cloud identity – mobile users

[Diagram: mobile user and Application outside the trusted domain]
1. How does the user provide credentials to the firewalled identity store?
2. How to avoid having the user sign-in separately to each application (SSO)?
3. Do we trust users outside the domain the same way as those on the domain?

Cloud identity – no trusted domain – public internet

[Diagram: Application on the public internet with no trusted domain]
1. How do we support multi-tenant applications (one application, many organizations)?
2. How do we support organizations with no identity infrastructure and individual users?
3. How do we support different application and identity platforms?
Cloud identity – some issues
• User:
o Whom can I trust with my credentials?
o I want single sign-on to all my applications, no matter where they are or who owns them
• Application:
o Can I trust the token?
o How do I get the token? (directory behind firewall – application outside)
o My users belong to many organizations (multi-tenancy)
• Directory
o How do I decide whether this is a valid user?
o Can I give information about the user to this application?
o Which token format do I give?
Glossary
• Security Token – serialized collection of claims about a user, signed with a crypto key to
confirm issuer, e.g.: JWT (Json) and SAML (Xml).
• Claims – a collection of name/value pairs describing a user (e.g. email address, display
name, age).
• Security Token Server – a web service capable of determining user identity (e.g. via password
credentials) and issuing a Security Token using an authentication/authorization protocol.
• Authentication/Authorization protocol – an agreed way of requesting, issuing, renewing or
cancelling a Security Token, e.g. WS-Federation, SAML-P, OAuth2.
Example – passive client

[Diagram: numbered exchange (steps 0–4) between the browser, the Application and the STS,
with a trust relationship established between the Application and the STS]
Role-based access control (RBAC)
Defined in application manifest (one role shown; the array may hold several):
"appRoles": [
{
"allowedMemberTypes": ["User"],
"description": "Admins can manage roles and perform all task actions.",
"displayName": "Admin",
"id": "81e10148-16a8-432a-b86d-ef620c3e48ef",
"isEnabled": true,
"origin": "Application",
"value": "Admin"
}
]

Through Azure portal, PowerShell or Graph API

RBAC – role assignment in portal UI

Application code
• Client app – role with "allowedMemberTypes": ["Application"]
• User/delegated user – role with "allowedMemberTypes": ["User"]
Azure ARM RBAC
• Application of Azure AD RBAC to Azure Resources and Resource Providers
• Supports inherited role assignment
o Subscription role->Resource Group role -> Resource type role -> Resource Instance role
• Comes with pre-defined roles but allows custom roles:
o VM Reader
o VM Contributor
o Reader for specific VM (custom)
• Exposed in Production Portal
(not in Classic portal)

Resource Scope
