- 1. Monitor Service
- 2. Comparison of Access Management
- 3. Key management service
1. Monitor Service
Alibaba Cloud CloudMonitor is a service that monitors Alibaba Cloud resources and IoT (Internet of Things) applications. Alibaba Cloud CloudMonitor can be used to collect monitoring metrics for Alibaba Cloud resources or monitoring metrics customized by the user to detect service availability, and to set alerts for these metrics. It allows you to be fully aware of resource usage, service status, and service health on Alibaba Cloud, and enables you to promptly respond to error alerts and ensure smooth running of your application.
Azure Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your business application as well as the resources that it depends on. An effective monitoring strategy helps you understand the detailed operation of your application’s components. It also helps you increase your uptime by proactively notifying you of critical issues so that you can resolve them before they become problems.
1.1 Main functions comparison
In general, Alibaba Cloud CloudMonitor supports more functions than AWS CloudWatch. The following table shows the details of the comparison.
| Service Type | Alibaba CloudMonitor | Azure Monitor (Azure portal) |
| --- | --- | --- |
| Alarm mode | Aliwangwang, Email, MNS, SMS + DingTalk (China site) | Email, SMS, call |
| Digital operation | Dashboard, resource usage monthly report | Dashboard + Azure portal |
| Site monitoring | Supported | Not supported |
| Cloud service monitoring | Supported | Supported |
| Log monitoring | Supported (currently unsupported for the international site) | Supported |
| Overview | Overview of all cloud resource statistics, alerts, events, and resource count & level | Overview of alerts, service running status, Activity log errors, and Application Insights |
1.2 Host monitoring and cloud service monitoring
- Hybrid cloud: Supports Alibaba Cloud hosts (one-click installation or authorized automatic installation), non-Alibaba Cloud hosts, and all mainstream operating systems.
- Metrics: Supports more than 30 metrics covering CPU, memory, load, disk, network, and devices. More metrics will be supported, such as RDMA, GPU, and multiple virtual NICs.
- Process: Resource consumption information for the top 5 processes.
- Second-level monitoring: Collects data every second and aggregates it every 15 s, balancing resource consumption against business requirements.
- Monitoring: Supports monitoring of all cloud products that have been connected to CloudMonitor.
- Microsoft Azure provides rich monitoring metrics that allow users to monitor the running load and status of the cloud host. By default, an Azure Monitor host enables the following four metrics: CPU, memory, disk, and network. Users can select the monitoring metrics they want to enable in the Azure console.
- Metric alerts can run as frequently as once every minute. Classic metric alerts always run at a frequency of once every 5 minutes.
- You can alert on dimensional metrics, which means you can monitor a specific instance of the metric.
- Azure Monitor provides basic infrastructure metrics and logs for most services available in Microsoft Azure.
1.3 Alert service
- One-click alert function: Supports one-click alert for mainstream products, covering all instances of these products.
- Alert module: Alert modules and application groups allow quick monitoring of large IT infrastructures.
- Supports combining product alerts to improve the user’s alert configuration efficiency.
- Alert methods: Supports multi-channel alerting, including MNS subscription, emails, and Aliwangwang.
Features of the unified alert experience:
(1) View triggered Log Analytics alerts in the Azure portal
(2) Separation of triggered alerts and alert rules
(3) Combined monitoring of multiple metrics
(4) Better notification system: The unified alert uses action groups, which are named groups of notifications and actions that can be reused in multiple alerts
- Classic metric alerts: This alert triggers when the value of a specified metric crosses a threshold that you assign.
- Classic activity log alerts: This streaming log alert triggers when an activity log event is generated that matches filter criteria that you’ve previously assigned.
- Alert methods: Action groups support notification by posting to a webhook URL in addition to email addresses, SMS numbers, and a number of other actions.
1.4 Application group
- Supports cross-product and cross-region resource grouping.
- Supports group-level aggregation computing and alert aggregation.
- Supports grouping custom speedup settings and time logs.
- Supports group-level authorization, subaccounts, primary/subaccounts, cross-accounts, and so on.
An action group is a collection of notification preferences defined by the user. Azure Monitor and Service Health alerts are configured to use a specific action group when the alert is triggered. Various alerts may use the same action group or different action groups depending on the user’s requirements.
Azure Monitor provides two out-of-the-box roles: a Monitoring Reader and a Monitoring Contributor.
Monitoring Reader: People assigned the Monitoring Reader role can view all monitoring data in a subscription but cannot modify any resource or edit any settings related to monitoring resources.
Monitoring Contributor: People assigned the Monitoring Contributor role can view all monitoring data in a subscription and create or modify monitoring settings, but cannot modify any other resources.
1.5 Digital operation
- Dashboard: Supports cross-product and cross-region metric display. Supports log monitoring, custom monitoring, and other metrics.
- O&M weekly reports and resource utilization monthly reports (supported by Enterprise Edition).
- Dashboard: Azure portal + Dashboard
- Route the data to a third-party visualization tool using either live streaming or by having the tool read from an archive in Azure storage.
1.6 Site monitoring
- Provides IDC probes (charged) across Alibaba Cloud, more than 300,000 last-mile user probes, and 1-minute probing capacity.
- User access simulation to see the actual status of a website.
- Checks site status, including HTTP, ping, TCP, UDP, DNS, POP, SMTP, FTP, and response time.
- Network fault discovery.
1.7 Custom monitoring
- Using custom monitoring, you can quickly integrate Redis, MySQL, and other monitoring metrics into Alibaba Cloud CloudMonitor.
- Custom monitoring is a feature that allows you to customize monitoring metrics and alert rules. By using this feature, you can monitor service metrics that you care about, and report collected monitoring data to Alibaba Cloud CloudMonitor, so that Alibaba Cloud CloudMonitor can process the data and generate alerts according to the results.
- You can use the Azure Monitor REST API, cross-platform Command-Line Interface (CLI) commands, PowerShell cmdlets, or the SDK to access the data in the system or in Azure storage. Examples include getting data for a custom monitoring application you have written, or creating custom queries and sending that data to a third-party application.
- In alerts, log search alerts can take custom period and frequency values in minutes.
2 Comparison of Access Management
Alibaba Cloud Resource Access Management (RAM) is a management service designed for the centralized management of cloud identities and access permissions. You can use RAM to grant access and management permissions to Alibaba Cloud resources to your enterprise members or partners.
Azure Active Directory (Azure AD) helps you manage user identities and create intelligence-driven access policies to secure your resources. Azure AD centralizes identity and access management to enable deep security, productivity, and management across devices, data, apps, and infrastructure.
2.1 Main functions comparison
| Service Type | Alibaba RAM | Azure AD |
| --- | --- | --- |
| Flexibility | Supports integration with Alibaba Cloud services; supports external account management and multi-dimensional authorization | Applications can be integrated using Azure Active Directory |
| Availability | Multi-node redundant deployment | Multi-tenant, geographically distributed and highly available design in Azure AD |
| Security | Token, access key | Multi-factor authentication and security tokens |
| Expenses | Free | Free version + paid version |
2.2 Identity Management Comparison
2.2.1 User Management
A RAM user is an Alibaba Cloud RAM identity that corresponds to an operating entity, such as an operator or an application. When a new person or application needs to access your cloud resources, create an Alibaba Cloud RAM user for it and grant it access to the relevant resources.
Azure Active Directory (Azure AD) is a cloud-based directory and identity management service that combines core directory services, application access management, and identity protection into a single solution. Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources regardless of location.
2.2.2 Group Management
If you have created multiple Alibaba Cloud RAM users under your Alibaba Cloud account, we recommend you use groups to better manage the users and their permissions. You can create a group for Alibaba Cloud RAM users who share the same responsibilities, and grant permissions by group. This provides the following advantages:
- When a user’s responsibility changes, you only need to move this user to a group that has the corresponding responsibility, without affecting other users.
- When a group’s responsibility changes, you only need to modify the group’s authorization policy, which applies to all users in the group.
One of the Azure AD user management capabilities is the use of groups to carry out management tasks:
- Groups of users created in Azure Active Directory: when a role is assigned to a group, all users in the group have that role.
- A license or permission can be assigned to multiple users at the same time.
2.2.3 Role Management
A RAM role and a RAM user are both identities used in RAM. Compared with a RAM user, a RAM role is a virtual user that has no long-term authentication key and cannot be used unless it is assumed by an authorized entity.
- As a virtual user, a RAM role has a fixed identity and can be granted authorization policies like a group. However, it does not have a fixed identity authentication key (password or access key).
- A RAM role differs from a RAM user in the way it is used. A RAM role must be assumed by an authorized entity. After assuming the role successfully, the entity receives a temporary STS security token for this RAM role and can then use that token to access the resources authorized for the role.
Azure AD has a set of administrator roles that are used to manage directories or identity-related functions. These administrators have access to the Azure Portal or to particular functions within it. The administrator’s role determines what they can do, such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. Azure AD has a variety of administrator roles, including:
- Cloud Application Administrator role
- Conditional Access Administrator role
- Application Developer role
- Intune Service Administrator role
Intune’s Role-Based Access Control (RBAC) helps you control who can perform various Intune tasks within your organization, and who those tasks apply to. You can either use the built-in roles that cover some common Intune scenarios, or you can create your own roles.
2.3 Authorization Management Comparison
Alibaba Cloud RAM uses permissions to describe the ability of an internal identity (such as a user, user group, or role) to access a specific resource. A permission allows or denies the execution of certain operations on certain resources under certain conditions.
In Azure AD, granting access to cloud apps is subject to user assignments. With Azure AD conditional access, you can control how authorized users can access your cloud apps under specific conditions. You can also configure access to be blocked by a policy.
Alibaba Cloud RAM permissions include:
- The primary account (resource owner) controls all permissions.
- By default, RAM users (operators) have no permissions.
- Resource creators (RAM users) are not automatically granted permissions for resources created by them.
Azure AD defines two kinds of permissions:
- Delegated permissions: used by apps that have a signed-in user present.
- Application permissions: used by apps that run without a signed-in user present.
2.3.2 Authorization policies
Alibaba Cloud RAM supports the following two types of authorization policies:
- System access policies: A group of commonly used permission sets created and managed by Alibaba Cloud, such as the read-only permission for ECS and the complete permission for ECS. You can use these policies, but cannot modify them.
- Custom access policies: A group of permission sets created and managed by the user. They can be used to expand and supplement system authorization policies.
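The rules stated above for RAM (the owner holds all permissions, RAM users start with none, permissions are attached through groups, and a policy statement allows or denies operations on resources under conditions) are what an authorization engine has to implement, and the two decisions that matter most for security are the default when nothing matches and the precedence of Deny over Allow. The following Python is an added illustration of those rules, not Alibaba Cloud code. The policy documents use the RAM policy layout (Version, Statement, Effect, Action, Resource, Condition), but every policy, group, user, resource name and IP range is a constructed sample, and only the IpAddress / NotIpAddress condition operators on `acs:SourceIp` are implemented.

```python
"""RAM-style policy evaluation: default deny, explicit Deny beats Allow, and
permissions reaching a user through group membership.

Added illustration; not Alibaba Cloud code. Policies, groups, users, resource
names and IP ranges are constructed samples in the RAM policy layout.
"""
from __future__ import annotations
import fnmatch
import ipaddress

# Constructed sample in the shape of a system policy (managed by the provider).
SYSTEM_POLICIES = {
    "ECSReadOnly": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:List*"], "Resource": "*"},
    ]},
}
# Constructed samples in the shape of custom policies (managed by the customer).
CUSTOM_POLICIES = {
    "OpsInstanceFull": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "acs:ecs:*:*:instance/*"},
    ]},
    # Deny deletions unless the request comes from the constructed office range.
    "DenyDeleteOffNetwork": {"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": "ecs:Delete*", "Resource": "*",
         "Condition": {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
    ]},
}
# Permissions are granted to groups; users inherit them through membership.
GROUPS = {
    "viewers": ["ECSReadOnly"],
    "ops": ["ECSReadOnly", "OpsInstanceFull", "DenyDeleteOffNetwork"],
}
USERS = {"alice": ["viewers"], "bob": ["ops"]}


def _matches(pattern: str | list[str], value: str) -> bool:
    """Glob match as policy Action/Resource fields use it (e.g. 'ecs:Describe*')."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """True when every condition block is satisfied by the request context.

    A missing context key makes the block fail, so a statement never applies
    on the strength of information the request did not carry.
    """
    for operator, checks in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, ranges in checks.items():
            if key not in ctx:
                return False
            ip = ipaddress.ip_address(ctx[key])
            in_range = any(ip in ipaddress.ip_network(r) for r in ranges)
            if in_range != (operator == "IpAddress"):
                return False
    return True


def effective_policies(user: str) -> list[dict]:
    """Policy documents reaching the user through its groups (none for unknown users)."""
    docs = []
    for group in USERS.get(user, []):
        for name in GROUPS[group]:
            docs.append(SYSTEM_POLICIES.get(name) or CUSTOM_POLICIES[name])
    return docs


def is_allowed(user: str, action: str, resource: str, ctx: dict | None = None) -> bool:
    """No permission unless a matching Allow exists; any matching Deny overrides every Allow."""
    ctx = ctx or {}
    allowed = False
    for doc in effective_policies(user):
        for stmt in doc["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False        # explicit deny wins immediately
            allowed = True
    return allowed


if __name__ == "__main__":
    inst = "acs:ecs:cn-hangzhou:123456:instance/i-constructed"
    print(is_allowed("bob", "ecs:DeleteInstance", inst, {"acs:SourceIp": "198.51.100.9"}))
```

Two points worth noting from the design: the resource creator gets nothing automatically (there is no "creator" rule anywhere in the evaluator, matching the RAM statement above), and a Deny statement whose condition cannot be evaluated is treated as not applying here, so a production evaluator should either require the context keys its Deny statements depend on or fail closed when they are absent.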
In Azure AD, you can use conditional access policies to block access completely, or to allow access only when other access conditions are met. Azure AD offers several access-policy controls, primarily the following:
- Multi-factor authentication: Using multi-factor authentication helps protect resources from being accessed by an unauthorized user who might have gained access to a valid user’s primary credentials.
- Compliant device: You can configure conditional access policies that are device-based. The objective of a device-based conditional access policy is to grant access to the configured resources only from managed devices.
- Custom controls: These controls allow the use of certain external or custom services as conditional access controls and generally extend the capabilities of Conditional Access.
Alibaba Cloud RAM does not charge service fees. If you meet the activation criteria and have activated this service, you can use it immediately.
Azure offers free and paid versions (paid versions are billed only for the required functions). The free version comes in four editions: Basics, Premium P1, Premium P2 and Office 365.
3 Key management service
Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage encryption keys used to secure your data. KMS enables you to protect the confidentiality, integrity, and availability of keys while also saving on costs.
Azure Key Vault helps safeguard and manage cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets using keys protected by Hardware Security Modules (HSMs).
3.1 Main functions comparison
| Service Type | Azure Key Vault | Alibaba Cloud KMS |
| --- | --- | --- |
| Key management | Centralized management | Fully managed |
| Key protection | Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and HSMs. | KMS combines a distributed system and cryptographic hardware to achieve high reliability. |
| Authorized access | Azure Active Directory is used to perform authentication | Integrates RAM and supports unified authorization management |
| Security | Symmetric Data Encryption Keys (DEKs) are used to encrypt data | Integrates with a variety of Alibaba Cloud services (such as ApsaraDB for RDS and OSS) and supports integration with third-party services. |
3.2 API & SDK Support
Alibaba Cloud KMS allows you to generate and manage master keys through APIs, and to encrypt and decrypt small volumes of data directly through APIs. You call a KMS API by sending an HTTP POST or GET request to the KMS API endpoint with the request parameters described for that interface; the system returns the result of processing the request. Currently, Alibaba Cloud provides SDKs in four languages: Java, Python, PHP and C#.
Managing your key vaults, and the keys, secrets, and certificates within them, can be accomplished through a REST API. You can use PowerShell to create a key vault and then store a secret in the newly created vault. Currently, Azure Key Vault supports SDKs for .NET, Java, Python and Node.js.
3.3 Key management and protection
Alibaba Cloud KMS combines a distributed system and cryptographic hardware to achieve high reliability. KMS makes it easy to encrypt and decrypt data keys using Customer Master Keys (CMKs) stored in KMS, and provides APIs based on envelope encryption. KMS can integrate with your services and encrypt/decrypt your data keys using a master key that you specify, which easily meets the “no plain text in storage devices” requirement. KMS eliminates the risk of storing plain text directly in storage devices.
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and HSMs. Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access.
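Envelope encryption, which both services build on, is worth seeing end to end: the data is encrypted under a data encryption key (DEK), the master key only wraps and unwraps that DEK, and what is stored next to the ciphertext is the wrapped DEK, never the plaintext one. The following Python is an added illustration, not Alibaba Cloud KMS or Azure Key Vault code: `SimulatedKms` stands in for the key service (its master keys never leave the object), and because the standard library has no AES, the data itself is protected with an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC), a dependency-free stand-in for AES-GCM used only to keep the example self-contained.

```python
"""Envelope encryption: data under a DEK, the DEK wrapped by a master key that
never leaves the key service, and no plaintext DEK ever written to storage.

Added illustration; not Alibaba Cloud KMS or Azure Key Vault code. The
HMAC-based cipher is a stand-in for AES-GCM so the example needs no
third-party library; the key ID format is constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so one key is never used for both jobs."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _ae_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with a fresh random nonce."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _ae_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedKms:
    """Stand-in for the key service. Callers see only key IDs, never master keys."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)       # constructed ID format
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Return (plaintext DEK, DEK wrapped under the named master key)."""
        dek = secrets.token_bytes(32)
        return dek, _ae_encrypt(self._master_keys[key_id], dek)

    def decrypt_data_key(self, key_id: str, wrapped_dek: bytes) -> bytes:
        """Unwrap a DEK; raises KeyError for a key ID this service does not hold."""
        return _ae_decrypt(self._master_keys[key_id], wrapped_dek)


def encrypt_envelope(kms: SimulatedKms, key_id: str, plaintext: bytes) -> dict:
    """Encrypt locally with a fresh DEK and store only the wrapped DEK beside the data."""
    dek, wrapped_dek = kms.generate_data_key(key_id)
    ciphertext = _ae_encrypt(dek, plaintext)
    del dek   # the plaintext DEK lives only for this call and is never written out
    return {"key_id": key_id, "wrapped_dek": wrapped_dek, "ciphertext": ciphertext}


def decrypt_envelope(kms: SimulatedKms, envelope: dict) -> bytes:
    """Ask the key service to unwrap the DEK, then decrypt the data locally."""
    dek = kms.decrypt_data_key(envelope["key_id"], envelope["wrapped_dek"])
    return _ae_decrypt(dek, envelope["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    kid = kms.create_key()
    env = encrypt_envelope(kms, kid, b"constructed sample record")
    print(decrypt_envelope(kms, env))
```

The shape of the stored envelope is the point: anyone who obtains the storage device gets a ciphertext and a wrapped DEK, and turning either into plaintext requires a call to the key service under the caller's own RAM or Azure AD authorization, which is where the access controls of section 3.4 apply.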
3.4 Access authorization
When RAM is used to authorize KMS resources, the primary account has full operation permissions on its own resources. A RAM sub-account, however, must be granted the corresponding resource operation permissions through RAM authorization.
Applications that use an Azure key vault must authenticate by using a token from Azure Active Directory. To do this, the owner of the application must first register the application in their Azure Active Directory.
3.5 Service integration
KMS allows you to integrate with a variety of Alibaba Cloud services (such as ApsaraDB for RDS and OSS), or to use the RESTful API to integrate with third-party services, so that you can encrypt critical information such as certificates and keys stored with these services. You can use these keys securely and conveniently, and focus on your own encryption/decryption use cases.
The Azure Key Vault (AKV) service is designed to improve the security and management of keys by holding them in a secure and highly available location. For example, for SQL Server in Azure VMs, you can save time by using the AKV Integration feature. After enabling Azure Key Vault Integration, you can enable SQL Server encryption on your SQL VM.
Alibaba Cloud KMS in regions outside China has not been commercialized and is therefore currently free. KMS in China has three billing scenarios (charges depend on the billing scenario):
1. Common key management charges
2. Service key management charges
3. API call charges
AKV offers two service tiers, standard and premium. Each service tier contains different billing items. For more information, see Key Vault Pricing.