Azure 基本概念梳理
最近在看Azure文档的时候,被文档中的许多概念搞得非常困惑,就去查看了一些官方文档,算是一个临时的理解和总结。
首先上一段我认为最能解决我疑惑的原文档:
Azure terminology
It’s helpful to know the following definitions as you begin your Azure cloud adoption efforts:
- Resource: An entity that’s managed by Azure. Examples include Azure Virtual Machines, virtual networks, and storage accounts.
- Subscription: A logical container for your resources. Each Azure resource is associated with only one subscription. Creating a subscription is the first step in adopting Azure.
- Azure account: The email address that you provide when you create an Azure subscription is the Azure account for the subscription. The party that’s associated with the email account is responsible for the monthly costs that are incurred by the resources in the subscription. When you create an Azure account, you provide contact information and billing details, like a credit card. You can use the same Azure account (email address) for multiple subscriptions. Each subscription is associated with only one Azure account.
- Account administrator: The party associated with the email address that’s used to create an Azure subscription. The account administrator is responsible for paying for all costs that are incurred by the subscription’s resources.
- Azure Active Directory (Azure AD): The Microsoft cloud-based identity and access management service. Azure AD allows your employees to sign in and access resources.
- Azure AD tenant: A dedicated and trusted instance of Azure AD. An Azure AD tenant is automatically created when your organization first signs up for a Microsoft cloud service subscription like Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.
- Azure AD directory: Each Azure AD tenant has a single, dedicated, and trusted directory. The directory includes the tenant’s users, groups, and apps. The directory is used to perform identity and access management functions for tenant resources. A directory can be associated with multiple subscriptions, but each subscription is associated with only one directory.
- Resource groups: Logical containers that you use to group related resources in a subscription. Each resource can exist in only one resource group. Resource groups allow for more granular grouping within a subscription, and are commonly used to represent a collection of assets required to support a workload, application, or specific function within a subscription.
- Management groups: Logical containers that you use for one or more subscriptions. You can define a hierarchy of management groups, subscriptions, resource groups, and resources to efficiently manage access, policies, and compliance through inheritance.
- Region: A set of Azure datacenters that are deployed inside a latency-defined perimeter. The datacenters are connected through a dedicated, regional, low-latency network. Most Azure resources run in a specific Azure region.
Azure administrative roles
Azure defines three types of roles for administering subscriptions, identities, and resources:
- Classic subscription administrator roles.
- Azure role-based access control (RBAC) roles.
- Azure Active Directory (Azure AD) administrator roles.
The account administrator role for an Azure subscription is assigned to the email account that’s used to create the Azure subscription. The account administrator is the billing owner of the subscription. The account administrator can manage the subscription details in the Azure account center.
By default, the service administrator role for a subscription also is assigned to the email account that’s used to create the Azure subscription. The service administrator has permissions to the subscription equivalent to the RBAC-based Owner role. The service administrator also has full access to the Azure portal. The account administrator can change the service administrator to a different email account.
When you create an Azure subscription, you can associate it with an existing Azure AD tenant. Otherwise, a new Azure AD tenant with an associated directory is created. The role of global administrator in the Azure AD directory is assigned to the email account that’s used to create the Azure AD subscription.
An email account can be associated with multiple Azure subscriptions. The account administrator can transfer a subscription to another account.
For a detailed description of the roles defined in Azure, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles.
Subscriptions and regions
Every Azure resource is logically associated with only one subscription. When you create a resource, you choose which Azure subscription to deploy that resource to. You can move a resource to another subscription later.
While a subscription isn’t tied to a specific Azure region, each Azure resource is deployed to only one region. You can have resources in multiple regions that are associated with the same subscription.
就是是说同一个订阅中的资源可以在不同的地区,如东亚和北欧服务器中的资源可以在同一个资源组中。
Tenancy in Azure Active Directory
Azure Active Directory (Azure AD) organizes objects like users and apps into groups called tenants. Tenants allow an administrator to set policies on the users within the organization and the apps that the organization owns to meet their security and operational policies.
Who can sign in to your app?
When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the Azure portal.
- Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant.
- Multi-tenant apps are available to users in both their home tenant and other tenants.
In the Azure portal, you can configure your app to be single-tenant or multi-tenant by setting the audience as follows.
Audience | Single/multi-tenant | Who can sign in |
---|---|---|
Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization. |
Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Office 365. Use this option if your target audience is business or educational customers. |
Accounts in any Azure AD directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | All users with a work or school, or personal Microsoft account can use your application or API. It includes schools and businesses that use Office 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft accounts. |
总结
这些文档大概解释了这些概念的定义以及大致的关系,可以让我们有个总体上模糊的认识。
总的来说,就是Azure AD是微软的一个身份认证服务,而每个组织可以利用它创建租户(Azure AD的一个实例),也就是tenant,每个租户都有自己唯一一个Azure AD 目录,每个目录都可以有多个订阅。可以通过资源组对订阅中的资源进行逻辑分组。
Azure Active Directory(Azure AD)将诸如用户和应用程序之类的对象组织到称为“ 租户”的组中。租户允许管理员为组织内的用户以及组织拥有的应用程序设置策略,以满足他们的安全和运营策略。
每个应用可以设置多租户或者单租户,单租户的应用只能本租户中的用户才有可能访问到。
参考文档:
https://docs.microsoft.com/en-us/azure/active-directory/develop/accounts-overview
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps