# Azure data centers

- Azure data centers are secured by using different technical isolations.
- Based on the following components:
  - [Azure Fabric Controller](#azure-fabric-controller-fc)
  - [Virtualization](#virtualization)
  - [Logical Separations](#logical-separations)

## Azure Fabric Controller (FC)

- Kernel of the Azure platform, managing resources as needed.
- Provisions, stores, delivers, monitors and commands the VMs and physical servers that make up the Azure customer environment and infrastructure.
- Deploys & manages health of compute services.
- Manages data center infrastructure (hardware & software), recovers from failures.
- Drives infrastructure updates.

## Virtualization

- The **Host OS** is a configuration-hardened version of Windows Server.
- The **Hypervisor** is Hyper-V from Windows Server 2012 R2, which has been battle-tested and proven in enterprise environments worldwide.
  - Two types of hypervisor:
    - Type 1 Hypervisor *(e.g. VMware, Hyper-V)* runs the OS.
    - Type 2 Hypervisor *(e.g. VMware Workstation, VirtualBox)* runs on an OS.
- The **Guest VM OS** can be either Windows Server, several distributions of Linux, or an OS image supplied by the customer (must be a supported operating system, or start from the Azure Marketplace images).

## Logical separations

- Segregates each customer's data & application from that of others.
- **Storage isolation**
  - **Storage Access Key (SAK)**: Data is accessible only through claims-based Identity Management & access control with a Storage Access Key.
    - **Shared Access Signature (SAS)**
      - Recommended as it does not reveal the account key and gives more granular & restricted access.
    - Can be reset via the Microsoft Azure Portal or the Storage Management API.
  - Storage blocks are hashed by the hypervisor to separate accounts.
- **SQL isolation**: SQL Azure isolates separate account databases.
- **Network isolation**: VM switch at the host level blocks inter-tenant communication.
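
The SAS bullet above says a SAS gives more granular and restricted access than the account key; how restricted depends on the fields in the token. The following is an added example (not from the original notes) that reads the standard SAS query parameters and reports an over-broad token. The 24-hour limit, the set of "risky" permissions, and the sample URLs are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed review thresholds for this example (not Azure defaults).
MAX_LIFETIME = timedelta(hours=24)
RISKY_PERMS = {"w": "write", "d": "delete", "a": "add", "c": "create"}
SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_expiry(value):
    """Parse the ISO 8601 UTC forms accepted for the 'se' field."""
    for fmt in SE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry: {value!r}")

def audit_sas(url, now):
    """Return findings describing how broad the SAS token in `url` is."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    # ss + srt only appear on an account SAS, which spans whole services.
    if "ss" in q and "srt" in q:
        findings.append("account-level SAS")
    # sp holds one letter per granted permission (r, w, d, l, ...).
    for letter, name in RISKY_PERMS.items():
        if letter in q.get("sp", ""):
            findings.append(f"grants {name}")
    # spr defaults to "https,http" when omitted.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed")
    # se may be omitted only when a stored access policy (si) supplies it.
    if "se" in q:
        expiry = parse_expiry(q["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("lifetime exceeds 24h")
    elif "si" not in q:
        findings.append("no expiry")
    return findings

# Constructed sample URLs; account name, container and sig are placeholders.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
NARROW = ("https://example.blob.core.windows.net/c/report.pdf"
          "?sv=2022-11-02&sr=b&sp=r&spr=https&se=2024-01-01T02:00:00Z&sig=PLACEHOLDER")
BROAD = ("https://example.blob.core.windows.net/"
         "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlac&se=2025-01-01&sig=PLACEHOLDER")
```

`audit_sas(NARROW, NOW)` returns an empty list, while `audit_sas(BROAD, NOW)` lists every way that token approaches account-key reach.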