# Azure data centers

- Azure data centers are secured by using different technical isoalations.
- Based on following components:
  - [Azure Fabric Controller](#azure-fabric-controller-fc)
  - [Virtualization](#virtualization)
  - [Logical Separations](#logical-separations)

## Azure Fabric Controller (FC)

- Kernel of the Azure platform, managing resources as needed.
- Provisions, stores, delivers, monitors and commands the VMs and physical servers that make up the Azure customer environment and infrastructure.
  - Deploys & manages health of compute services.
  - Manages data center infrastructure (hardware & software), recovers from failures
  - Drives infrastructure updates.
  
## Virtualization

- The **Host OS** is a configuration-hardened version of Windows Server.
- The **Hypervisor** is Hyper-V from Windows Server 2012 R2, which has been battle-tested and proven in enterprise environments worldwide.
  - Two types of a hypervisor:
    - Type 1 Hypervisor *(e.g. VMware, HyperV)* runs the OS.
    - Type 2 Hypervisor *(e.g. VMware Workstation, VirtualBox)* runs on OS.
- The **Guest VM OS** can be either Windows Server, several distributions of Linux, or an OS image supplied by the customer (much be supported Operating Systems, or starting from the Azure Marketplace images.
  
## Logical separations

- Segregates each customer's data & application from that of others.
- **Storage isolation**
  - **Storage Access Key (SAK)**: Data is accessible only through claims-based Identity Management & access control with a Storage Access Key.
  - **Shared Access Signature (SAS)**
    - Recommended as it does not reveal account key and is more granular & restricted access.
    - Can be reset via the Microsoft Azure Portal or the Storage Management API.
  - Storage blocks are hashed by the hypervisor to separate accounts.
- **SQL isolation**: SQL Azure isolates separate account databases.
- **Network isolation**: VM switch at the host level blocks inter-tenant communication.