
© 2019 Skylines Academy, LLC. All rights reserved.

AZ-103: Azure Administrator



Azure Quick Overview



Cloud Computing Overview

(Diagram: Traditional Datacenter)

Cloud Service Models



Regions Overview

Region Pairs

Resource Group Overview

(Diagram: a resource group containing a Web App, Virtual Machines and a Database, marked DESTROYED)

Networking

(Diagram: a VNET containing Subnet A and Subnet B)

Accessing Azure

• Azure Portal: http://portal.azure.com
• PowerShell and Azure CLI



Module: Manage Azure Subscriptions

Azure Account Hierarchy

Azure Enterprise (http://ea.azure.com)
  Departments
    Accounts (http://account.azure.com)
      Subscriptions (http://portal.azure.com)
        Resource Groups
          Resources

Account to Subscription Relationships



Enterprise Hierarchy Example



Common Scenarios

EA Breakdown

  | Enterprise Admin | Department Admin | Account Owner | Service Admin
Add other admins | Enterprise Admins, Department Admins, and Account Owners | Account Owners | Add Service Admins | No
Departments | Add/Edit Departments | Edit Department | X | X
Add or associate accounts to the enrollment | Yes | Yes – to the department | No | No
Add Subscriptions | No – but can add themselves as AO | No | Yes | No
View usage and charges data | Across all Accounts and Subscriptions | Across Department | Across Account | No
View remaining balances | Yes | No | No | No

Module: Analyze Resource Usage and Consumption

Azure Monitoring Overview

Monitor & Visualize Metrics: Metrics are numerical values available from Azure Resources helping you understand the health, operation, and performance of your systems.

Query and Analyze Logs: Logs are activity logs, diagnostic logs, and telemetry from monitoring solutions; Analytics queries help with troubleshooting and visualizations.

Setup & Alert Actions: Alerts notify you of critical conditions and potentially take corrective automated actions based on triggers from metrics or logs.
Log Analytics Key Features

• Central Role in Monitoring
• Data Sources
• Other Log Analytics Sources (Security Center and App Insights)
• Search Queries
• Output Options



Log Search Use Cases



Log Analytics Architecture



Data Sources

Data Organization

Summary Data Sources

Data Source | Event Type | Description
Custom logs | <LogName>_CL | Text files on Windows or Linux agents containing log information.
Windows Event logs | Event | Events collected from the event log on Windows computers.
Windows Performance counters | Perf | Performance counters collected from Windows computers.
Linux Performance counters | Perf | Performance counters collected from Linux computers.
IIS logs | W3CIISLog | Internet Information Services logs in W3C format.
Syslog | Syslog | Syslog events on Windows or Linux computers.
Search Query Fundamentals

• Start with the source table (e.g. Event)
• Follow on with a series of operators
• Separate out additional operations by using the pipe (|)
• Join other tables and workspaces using "union"

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-tutorial-viewdata

Module: Manage Resource Groups

Azure Resource Locks

• Mechanism for locking down resources you want to ensure have an extra layer of protection before they can be deleted
• 2 options available:
  – CanNotDelete: Authorized users can read and modify but not delete the resource
  – ReadOnly: Authorized users can read the resource but cannot update or delete
Azure Policies

• Assigned to Subscriptions or Resource Groups
• Enforce Governance
• Built-in or Custom Code
• Create > Assign

Module: Create and Configure Storage

Azure Blob Storage Overview

Storage Account
  Container: IMAGE.JPG, VIDEO.AVI
  Container: IMAGE.JPG, VIDEO.AVI


Storage Account Types

• General Purpose v1 (GPV1)
• Blob Account
• General Purpose v2 (GPV2)
Block Blobs vs. Page Blobs

Block Blob
• Ideal for storing text or binary files
• A single block blob can contain up to 50,000 blocks of up to 100 MB each, for a total size of 4.75 TB
• Append blobs are optimized for append operations (e.g. logging)

Page Blob
• Efficient for read/write operations
• Used by Azure VMs
• Up to 8 TB in size
Storage Tiers

Hot
• Higher storage costs
• Lower access costs

Cold
• Lower storage costs
• Higher access costs
• Intended for data that will remain cool for 30 days or more

Archive
• Lowest storage costs
• Highest retrieval costs
• When a blob is in archive storage it is offline and cannot be read
Choosing Between Blobs, Files, and Disks

Blobs
• Access application data from anywhere
• Large amount of objects to store, images, videos etc.

Files
• Access files across multiple machines
• Jumpbox scenarios for shared development scenarios

Disks
• Do not need to access the data outside of the VM
• Lift-and-shift of machines from on-premises
• Disk expansion for application installations
Manage Access: Container Permissions

• Private (No Anonymous Access)
• Blob (Anonymous read access for blobs only)
• Container (Anonymous read access for containers and blobs)
Managing Access: SAS Overview

Shared Access Signature (SAS)
• It is a query string that we add on to the URL of a storage resource.
• The string informs Azure what access should be granted.

Account SAS Tokens
• Granted at the account level to grant permissions to services within the account.

Service SAS Tokens
• Grants access to a specific service within a Storage Account.

Encrypted
• Utilizes hash-based message authentication
SAS Breakdown

Storage Resource URI

https://slsasdemo.blob.core.windows.net/images/image.jpg

SAS Token

?sv=2017-07-29&ss=bfqt&srt=sco&sp=rwdlacup&se=2018-02-24T01:21:26Z&st=2018-02-23T17:21:26Z&spr=https&sig=dctAWsi39LncBNC1ZRn%2FQMjMMA5CPByLzagfsF7MVYc%3D
SAS Breakdown (continued)

• https://slsasdemo.blob.core.windows.net/images/image.jpg: The Blob
• sv=2017-07-29: Storage Service Version
• ss=bfqt: Signed Services
• srt=sco: Signed Resource Types
• sp=rwdlacup: Signed Permission
• se=2018-02-24T01:21:26Z&st=2018-02-23T17:21:26Z: Signed Expiry & Start
• spr=https: Signed Protocol
• sig=dctAWsi39LncBNC1ZRn%2FQMjMMA5CPByLzagfsF7MVYc%3D: Signature
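Decoding a token like the one above is the first step in reviewing what it actually grants. The following Python script is an added example, not the course's own code: it parses the slide's URL, expands the sv/ss/srt/sp/st/se/spr/sig fields, and flags the settings a reviewer would question (lifetime, protocol, write/delete rights, account-wide scope); the audit thresholds are this example's own assumptions.

```python
"""Decode and audit an Azure Storage SAS token.

Added example, not the course's own code. Expands the query fields the SAS
Breakdown slide lists (sv, ss, srt, sp, st, se, spr, sig) and applies review
checks whose thresholds are this example's own assumptions.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Letter codes used by the SAS query parameters.
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}

# The resource URI and SAS token exactly as shown on the slide.
SAMPLE_URL = (
    "https://slsasdemo.blob.core.windows.net/images/image.jpg"
    "?sv=2017-07-29&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2018-02-24T01:21:26Z&st=2018-02-23T17:21:26Z"
    "&spr=https&sig=dctAWsi39LncBNC1ZRn%2FQMjMMA5CPByLzagfsF7MVYc%3D"
)


def _utc(stamp):
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' timestamps used by st and se."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sas(url):
    """Split a SAS URL into the resource URI and its decoded token fields."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # values are percent-decoded
    return {
        "resource": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "version": q.get("sv"),
        "services": [SERVICES[c] for c in q.get("ss", "")],
        "resource_types": [RESOURCE_TYPES[c] for c in q.get("srt", "")],
        "permissions": [PERMISSIONS[c] for c in q.get("sp", "")],
        "start": _utc(q["st"]) if "st" in q else None,
        "expiry": _utc(q["se"]) if "se" in q else None,
        "protocol": q.get("spr"),
        "signature": q.get("sig"),
        # ss and srt are only present on an account SAS; a service SAS uses sr instead.
        "scope": "account" if "ss" in q and "srt" in q else "service",
    }


def audit_sas(sas, now_iso, max_hours=24):
    """Return the findings a reviewer would raise about a parsed token at time now_iso."""
    now = _utc(now_iso)
    findings = []
    if sas["expiry"] is None:
        findings.append("no expiry (se) set")
    elif sas["expiry"] <= now:
        findings.append("token already expired")
    if sas["start"] and sas["expiry"]:
        hours = (sas["expiry"] - sas["start"]).total_seconds() / 3600
        if hours > max_hours:
            findings.append(f"validity window of {hours:.0f}h exceeds {max_hours}h")
    if sas["protocol"] != "https":
        findings.append("spr is not https, so the token may be accepted over plain http")
    if {"write", "delete"} <= set(sas["permissions"]):
        findings.append("grants write and delete permissions")
    if (sas["scope"] == "account" and len(sas["services"]) == len(SERVICES)
            and len(sas["resource_types"]) == len(RESOURCE_TYPES)):
        findings.append("account SAS spans every service and resource type")
    if not sas["signature"]:
        findings.append("no signature (sig) present")
    return findings


if __name__ == "__main__":
    token = parse_sas(SAMPLE_URL)
    print(token["resource"], token["scope"], token["permissions"])
    for finding in audit_sas(token, "2018-02-23T20:00:00Z"):
        print("-", finding)
```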
Stored Access Policies

• Method for controlling SAS
• Group shared access signatures and provide additional restrictions
• Can be used to change the start time, expiry time, permissions, or revoke it after it has been issued
• Only supported on service SAS
  – Blob containers
  – File shares
  – Queues
  – Tables
Custom Domains

Resource Type | Default URL | Custom Domain URL
Storage account | http://mystorageaccount.blob.core.windows.net | http://skylinesacademy.com
Blob | http://mystorageaccount.blob.core.windows.net/mycontainer/myblob | http://skylinesacademy.com/mycontainer/myblob
Root container | http://mystorageaccount.blob.core.windows.net/mycontainer | http://skylinesacademy.com/mycontainer
Custom Domain Mapping

Create a CNAME record with your DNS provider that points from…

1. Your domain
• Such as www.skylinesacademy.com to sldscdemo.blob.core.windows.net.
• This method is simpler, but results in a brief downtime while Azure verifies the domain registration.

2. The "asverify" subdomain
• Such as asverify.skylinesacademy.com to asverify.sldscdemo.blob.core.windows.net.
• After this step completes, you can create a CNAME record that points to sldscdemo.blob.core.windows.net.
• This method does not incur any downtime.
• To use this method, select the "Use Indirect CNAME Validation" checkbox.

Module: Import and Export Data to Azure

Azure Import/Export Use Cases

Data Migration to Cloud: Move large amounts of data to Azure quickly, e.g. a large migration from your datacenter.

Content Distribution: Sending data to customer sites.

Backup: Backing up your on-premises data to store it in Azure.

Data Recovery: Recover data from storage and send back to your on-premises datacenter.
Import/Export Components

Import/Export Service
• Accessed via the Azure Portal
• Used to track data import (upload) jobs
• Used to track data export (download) jobs

Import/Export Components

WAImportExport Tool
• Command line tool for:
  – Preparing disk drives that are shipped
  – Copying data to your drive
• Encrypts data with BitLocker
• Generates drive journal files
• Determines number of drives
• Use V1 for blob and V2 for files
Import/Export Components

Disk Drives
• HDDs
• SSDs
• Import Jobs: You ship drives containing your data.
• Export Jobs: You ship empty drives.

Supported Disks:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements#supported-hardware
Import Job Workflow

https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

CDN

(Diagram: Theodore retrieving content directly from the Source)

(Diagram: Theodore and Other Users retrieving content from the Source through a CDN Edge node)
Azure CDN Offerings

• Standard Akamai
• Standard Verizon
• Premium Verizon

https://docs.microsoft.com/en-us/azure/cdn/cdn-overview

Missing Module: Implement Azure Business Continuity Strategies

High Availability (Primary / Secondary)
Run another instance of apps in case of catastrophic failure

Disaster Recovery (Primary / Backup)
Run apps in secondary datacenter if a failure occurs

Backup (Original / Backup)
Restore your data
Azure Backup Overview

• Backup solution purpose built for Cloud
• Unlimited Scaling
• Unlimited Data Transfer
• Multiple Storage Options (LRS/GRS)
• Long Term Retention
• Application-Consistent Backups
• Data Encryption
Other Recovery Options

Snapshot Recovery
• Blob snapshots taken of VM page blob
• Snapshots can be copied into the same or different regions
• VMs get created from snapshot copy
• Application-consistent if VM was shutdown, otherwise crash-consistent

Geo-Replication
• Uses Azure Storage Geo-Redundant Storage (GRS)
• Data is replicated to a paired region far away from the primary
• Data Recovered in the event of an outage or entire region unavailable
• RA-GRS option available as well

Module: Create and Configure a VM for Windows or Linux

Introduction to Virtual Machines

(Diagram: a physical server stack of App, Application, Operating System and Hardware (CPU, Memory, Disk) next to a virtualized stack of several App/OS pairs on a Hypervisor over Hardware (CPU, Memory, Disk))

VM Types

Type | Purpose
A – Basic | Basic version of the A series for testing and development.
A – Standard | General-purpose VMs.
B – Burstable | Burstable instances that can burst to the full capacity of the CPU when needed.
D – General Purpose | Built for enterprise applications. DS instances offer premium storage.
E – Memory Optimized | High memory-to-CPU core ratio. ES instances offer premium storage.
F – CPU Optimized | High CPU core-to-memory ratio. FS instances offer premium storage.
G – Godzilla | Very large instances ideal for large databases and big data use cases.

VM Types (continued)

Type | Purpose
H – High performance compute | High performance compute instances aimed at very high-end computational needs such as molecular modelling and other scientific applications.
L – Storage optimized | Storage optimized instances which offer a higher disk throughput and IO.
M – Large memory | Another large-scale memory option that allows for up to 3.5 TB of RAM.
N – GPU enabled | GPU-enabled instances.
SAP HANA on Azure Certified Instances | Specialized instances purposely built and certified for running SAP HANA.
VM Specializations

S: Premium Storage options available. Example: DSv2
M: Larger memory configuration of instance type. Example: Standard A2m_v2
R: Supports remote direct memory access (RDMA). Example: H16mr
Azure Compute Units (ACUs)

• Way to compare CPU performance between different types/sizes of VM
• Microsoft-created performance benchmark
• A VM with an ACU of 200 has twice the performance of a VM with an ACU of 100
OS Reference Documentation

Windows Virtual Machines: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/
Linux Virtual Machines: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/
Windows Server Support

OS | Key Points
Pre-Windows 2008 R2 (e.g. Windows Server 2003) | Windows 2003 and later are supported for deployment. Must bring own image. No marketplace support. Need to have your own custom support agreement (CSA).
Windows Server 2008 R2 | Supported. Specific support matrix for server roles.
Windows Server 2012 | Supported – Datacenter version in marketplace.
Windows Server 2016 | Supported – Datacenter and nano versions in marketplace.
Desktop OS | Windows 10 Pro and Enterprise in marketplace.

https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines
Linux-Supported Distributions

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros

Regional Limitations

Restricted Usernames

You cannot use any of these names for your VM username when creating an Azure VM:

administrator, admin, user, user1, test, user2, test1, user3, admin1, 1, 123, a, actuser, adm, admin2, aspnet, backup, console, david, guest, john, owner, root, server, sql, support, support_388945a0, sys, test2, test3, user4, user5

Module: Automate Deployment of VMs

VM Images

Custom Images
• Do-it-yourself image
• Windows - Sysprep
• Linux - sudo waagent -deprovision+user
• Generalize in Azure
• Create image

Marketplace Images
• Provided for you in the Azure Marketplace
• Properties:
  – Publisher
  – Offer
  – SKU
Introduction to Configuration Management

(Diagram: an App surrounded by Configuration Settings, Application Installation, Application Monitoring, Infrastructure Monitoring, OS Settings, and Antivirus & Backup Agents)

(Diagram: Deployment through VM Extensions, DSC and Scripts)

Configuration Management

Extensions available in Azure

Configuration Management (continued)

Enterprise-level configuration management for multiple nodes
PowerShell DSC Key Components

• Configurations
• Resources
• Logical Configuration Manager
PowerShell DSC Example

Configuration SkylinesWebSite      # The name of the configuration.
{
    Node 'localhost'               # Specifies which targets the configuration applies to.
    {
        # Install IIS - enabled via Windows feature.
        # Declarative statement about what we are configuring. In this case, we want IIS installed.
        WindowsFeature IIS
        {
            Ensure = "Present"
            Name   = "Web-Server"
        }

        # Install ASP.NET 4.5
        # A second declarative statement, this time to ensure .NET 4.5 is installed.
        WindowsFeature ASP
        {
            Ensure = "Present"
            Name   = "Web-Asp-Net45"
        }
    }
}
Custom Script Extension

• Execute VM Tasks without logging into the VM
• Upload via Portal or download scripts from Azure Blob storage or GitHub
• Can be automated using PowerShell

Custom Script Extension (continued)

Benefits
• No local or domain credentials needed to login to Azure VM
• VM does not need an accessible IP Address to remotely connect
• Simple to implement

Drawbacks
• Must be enabled for each VM you want to run your script on
• VMs will need internet access if using GitHub or Blob storage for scripts
• Relatively slow

Module: Manage Azure VM Storage and Networking

VM Storage Types

Standard Storage
• Backed by traditional HDD
• Most cost effective
• Max throughput – 60MB/S per disk
• Max IOPS – 500 IOPS per disk

Premium Storage
• Backed by SSD drives
• Higher performance
• Max throughput – 250MB/S per disk
• Max IOPS – 7500 IOPS per disk
Managed Disk – Standard Storage Sizes

  | S4 | S6 | S10 | S20 | S30 | S40 | S50
Disk size (GB) | 32 | 64 | 128 | 512 | 1024 | 2048 | 4095

• Max IOPS for all sizes above is 300 IOPS/Disk
• Max throughput for all sizes is 60MB/s

Managed Disk – Premium Storage Sizes

  | P4 | P6 | P10 | P15 | P20 | P30 | P40 | P50
Disk size (GB) | 32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4095
Max IOPS | 120 | 240 | 500 | 1100 | 2300 | 5000 | 7500 | 7500
Max throughput | 25 MB/s | 50 MB/s | 100 MB/s | 125 MB/s | 150 MB/s | 200 MB/s | 250 MB/s | 250 MB/s
Managed vs. Unmanaged Disks

Unmanaged Disks
• DIY option
• Management overhead (20000 IOPS per storage account limit)
• Supports all replication modes (LRS, ZRS, GRS, RA-GRS)

Managed Disks
• Simplest option
• Lower management overhead as Azure manages the storage accounts
• Only LRS replication mode currently available
Replication Options

Logically Replicated Storage (LRS): Replicated three times within a storage scale unit (collection of racks of storage nodes) hosted in a datacenter in the same region as your storage account was created.

Zone Replicated Storage (ZRS): Replicated three times across one or two datacenters in addition to storing three replicas similar to LRS. Data stored in ZRS is durable even in the event that the primary datacenter is unavailable or unrecoverable.

Geographically Replicated Storage (GRS): Replicates your data to a second region that is hundreds of miles away from the primary region. Your data is durable even in the event of a complete region outage.

Read Only Geographically Replicated Storage (RA-GRS): Same replication as per GRS but also provides read access to the data in the other region.
Replication Strategies

Replication Strategy | LRS | ZRS | GRS | RA-GRS
Data is replicated across multiple datacenters? | No | Yes | Yes | Yes
Data can be read from a secondary location and the primary location? | No | No | No | Yes
Number of copies of data maintained on separate nodes | 3 | 3 | 6 | 6
Disk Caching

• Method for improving performance of VHDs
• Utilizes local RAM and SSD drives on underlying VM host
• Available on both standard and premium disks

Disk Caching (continued)

Default and Allowed Settings

Disk Type | Default Cache Setting | Allowed Settings
OS disk | Read-Write | Read-Only or Read-Write
Data disk | None | None, Read-Only, or Read-Write

• Read-Only Caching
  – Improve latency and potentially gain higher IOPS per disk
• Read-Write Caching
  – Ensure you have a proper way to write data from cache to persistent disks
© 2019 Skylines Academy, LLC. All rights reserved.

Module: VM Availability

Availability Sets

Potential for VM Impact
• Planned maintenance
• Unplanned hardware maintenance
• Unexpected downtime

Availability Sets
• Group two or more machines in a set
• Separated based on Fault Domains and Update Domains

Fault Domains and Update Domains

(Diagram: FD 0, FD 1, FD 2)

Fault Domains and Update Domains

(Diagram: FD 0, FD 1, FD 2 across UD 0, UD 1, UD 2)

Planning for Availability

Web Tier: Availability Set | App Tier: Availability Set | Data Tier: Availability Set
Availability Zones

• Offer 99.99% availability
• Minimize impact of planned and unplanned downtime
• Enforce them like Availability Sets, but now you choose your specific zone in Azure

Module: VM Scale Sets

Scale Sets

(Diagram: Scale Sets vs. individual VMs)

Define Virtual Machine Scale Set (VMSS)

• Use Portal, PowerShell or API
• Number of instances you wish to run, instance size, etc.
• Determine if you want to auto-scale
Configure Autoscale Rules

• Set minimum and maximum instance counts
• Scale out based on a variety of metrics – infrastructure or application
• Scale out based on a schedule
• Remember to account for sessions when scaling in on web servers
Scaling Up

Scaling Up Pairs Supported by Azure Automation

From | To
Standard_A0 | Standard_A11
Standard_D1 | Standard_D14
Standard_DS1 | Standard_DS14
Standard_D1v2 | Standard_D15v2
Standard_G1 | Standard_G5
Standard_GS1 | Standard_GS5

Module: Azure Networking

Networking Overview

Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

Networking Overview (continued)

(Diagram: a VNet containing Subnet A and Subnet B)

Core VNet Capabilities:
• Isolation
• Internet Access
• Azure Resources (VMs and Cloud Services)
• VNet Connectivity
• On-Premises Connectivity
• Traffic Filter
• Routing
VNets: Key Points

• Primary building block for Azure networking
• Private network in Azure based on an address space prefix
• Create subnets in your VNet with your own IP ranges
• Bring your own DNS or use Azure-provided DNS
• Choose to connect the network to on-premises or the internet
IP Addressing

• DHCP – Azure-provided/managed service
• All addresses are DHCP-based
• Addresses are not allocated until Azure object is created
• Addresses are recovered when object is deallocated

IP Addressing (continued)

• Static addresses are the equivalent of DHCP reservations
• Address prefix comes from VNet/subnet definitions
• Azure reserves the first three and the last IP from the pool
• First address of a /24 is .4
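To turn the reservation rule above into something you can check, here is an added Python example (not from the course): it lists the addresses Azure keeps in a subnet, finds the first assignable address, and validates a requested static address against the reserved set and existing allocations; the sample subnet and addresses are constructed.

```python
"""Azure subnet address bookkeeping.

Added example, not the course's own code. Applies the slide's rule that Azure
reserves the first three addresses after the network address and the last
address of every subnet, so the first assignable address of a /24 is .4.
"""
import ipaddress

RESERVED_LEADING = 4   # network address plus the three addresses Azure reserves
RESERVED_TRAILING = 1  # the last address of the range


def reserved_addresses(subnet_cidr):
    """Addresses in the subnet that cannot be assigned to a NIC."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [net[i] for i in range(RESERVED_LEADING)] + [net[-1]]


def first_assignable(subnet_cidr):
    """The first address Azure will hand out (.4 in a /24)."""
    return ipaddress.ip_network(subnet_cidr, strict=True)[RESERVED_LEADING]


def assignable_count(subnet_cidr):
    """Number of addresses left for resources after Azure's reservations."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - RESERVED_LEADING - RESERVED_TRAILING, 0)


def validate_static_ip(subnet_cidr, address, in_use=()):
    """Check whether a requested static address (a DHCP reservation in Azure terms)
    can be handed out from the subnet. Returns (ok, reason)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        return False, f"{ip} is outside {net}"
    if ip in reserved_addresses(subnet_cidr):
        return False, f"{ip} is reserved by Azure"
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        return False, f"{ip} is already allocated"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample subnet and allocations.
    subnet = "10.0.1.0/24"
    print("reserved:", [str(a) for a in reserved_addresses(subnet)])
    print("first assignable:", first_assignable(subnet), "usable:", assignable_count(subnet))
    for candidate in ("10.0.1.3", "10.0.1.4", "10.0.1.10", "10.0.2.10"):
        print(candidate, validate_static_ip(subnet, candidate, in_use=["10.0.1.10"]))
```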

Module: Create Connectivity Between Virtual Networks

Hybrid Connectivity Options

• Point-to-Site (P2S)
• Site-to-Site (S2S)
• ExpressRoute

System Routes

Every subnet has a route table that contains the following minimum routes:

Route | Description
Local VNet | Route for local addresses (no next-hop value)
On-Premises | Route for defined on-premises address space (VNet gateway is next-hop address)
Internet | Route for all traffic destined to the Internet (Internet Gateway is the next-hop address)
Default Routing in a Subnet

• If address is within the VNet address prefix – route to local VNet
• If the address is within the on-premises address prefixes or BGP published routes (BGP or Local Site Network (LSN) for S2S) – route to gateway
• If the address is not part of the VNet or the BGP or LSN routes – route to internet via NAT
• If destination is an Azure datacenter address and ER public peering is enabled – it is routed to the gateway
• If the destination is an Azure datacenter with S2S or an ER without public peering enabled, it is routed to the Host NAT for internet path, but it never leaves the datacenter

User-Defined Routes

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

User-Defined Routes (continued)

VNet Peering

(Diagram: Customer Apps VNet, Data Services VNet and Other VNet connected to a HUB – Shared Inf Services VNet, with S2S connectivity)

S2S

Multi-Site

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

ExpressRoute

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
Hybrid Connection

• Allows Web App to talk to the datacenter
• Hybrid Connection can be shared across Web Apps and Mobile Apps
• All Web App Frameworks supported

Hybrid Connection Scenarios

• .NET Framework – Access to SQL Server
• .NET Framework – Access to HTTP/HTTPS Services with Web Client
• PHP – Access to SQL Server, MySQL
• Java – Access to HTTP/HTTPS Services
• Java – Access to SQL Server, MySQL and Oracle

Hybrid Connection Manager Requirements

Hybrid Connection Manager can be installed on the following operating systems:

• Windows Server 2008 R2 (.NET Framework 4.5+ and Windows Management Framework 4.0+ required)
• Windows Server 2012 (Windows Management Framework 4.0+ required)
• Windows Server 2012 R2

Module: Configure Name Resolution

Internet Access

• All resources in a VNet can communicate to the internet by default
• Outbound connectivity can be restricted via routes or traffic filtering
• Private IP is SNAT to a public IP selected by Azure
• Inbound connectivity without SNAT requires public IP

DNS in Azure

• Azure-provided DNS
• Customer DNS Server
• IaaS Server with DNS
• Infoblox Virtual Appliance
DNS Scenarios and Recommendations

Scenario | Recommendation
Name resolution between role instances or virtual machines in the same virtual network | Azure provided DNS
Name resolution between role instances or virtual machines in different virtual networks | Customer-managed DNS Servers
Resolution of on-premises computers and service names from role instances or virtual machines in Azure | Customer-managed DNS Servers
Resolution of Azure hostnames from on-premises computers | Customer-managed DNS Servers

Configuring Virtual Networking DNS

• Select Virtual Network in Azure
• Select DNS Servers from the Settings section
• Choose Default (Azure-Provided) to stick with Azure DNS
• Choose Custom to input your own DNS Servers
• Add DNS Servers (preferably more than 1)
• Save

Note: VMs will require restart to utilize updated settings!

Module: Create and Configure a Network Security Group (NSG)

Network Security Groups (NSGs)

• Is a network filter
• Used to allow or restrict traffic to resources in your Azure network
• Inbound rules
• Outbound rules
• Associated to subnet or NIC (and individual VMs in classic)

NSGs (continued)

(Diagram: a VNet containing Subnet A and Subnet B)

• Can be applied to network interface or subnet
• Subnet rules apply to ALL resources in subnet
NSG Properties

• Source and destination port range (1-65535 or * for all)
• Source and destination address prefix (use ranges or default tags)
• Protocol (e.g. TCP, UDP)
• Direction (inbound or outbound)
• Access (allow/deny)
• Priority

NSG Rule Priority

• Rules are enforced based on priority
• Lower numbers have higher priority
• Range from 100 to 4096

NSG Default Tags

System-provided to identify groups of IP addresses:
• Virtual network
• Azure Load Balancer
• Internet
NSG Default Rules

INBOUND

Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol
AllowVNetInBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | *
AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | * | * | * | *
DenyAllInBound | 65500 | * | * | * | * | *

OUTBOUND

Name | Priority | Source IP | Source Port | Destination IP | Destination Port | Protocol
AllowVnetOutBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | *
AllowInternetOutBound | 65001 | * | * | Internet | * | *
DenyAllOutBound | 65500 | * | * | * | * | *
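The NSG Properties, Rule Priority and Default Rules slides above describe how a packet is matched; the following Python model is an added example (not the course's or Azure's own code) that evaluates constructed custom rules together with the default rules in priority order, first match wins. The VNet address space, the load-balancer address, and the shortcut that "Internet" means any address outside the VNet are simplifying assumptions.

```python
"""Evaluate Azure NSG rules against a packet in priority order.

Added example, not the course's own code. Simplified model of NSG matching:
the lowest priority number is evaluated first, the first matching rule decides,
and the platform's three default rules per direction sit at 65000/65001/65500.
"""
import ipaddress
from dataclasses import dataclass

# Constructed environment (assumption): the VNet address space behind the
# VirtualNetwork tag and the address used for the AzureLoadBalancer tag.
VNET_SPACE = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_ADDR = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "*"
    src: str         # CIDR prefix, default tag, or "*"
    src_port: str    # single port, "lo-hi" range, or "*"
    dst: str
    dst_port: str


# The default rules from the slide, one set per direction.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _in_vnet(ip):
    return any(ip in net for net in VNET_SPACE)


def _addr_matches(spec, ip):
    """Resolve a default tag, a CIDR prefix, or '*' against one address."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_vnet(ip)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_ADDR
    if spec == "Internet":           # simplification: anything outside the VNet
        return not _in_vnet(ip)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def validate_custom_rules(rules):
    """Custom rules must use priority 100-4096, unique per direction; returns problems."""
    problems, seen = [], set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.direction, r.priority))
    return problems


def evaluate(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (rule name, access) of the first rule that matches the packet."""
    problems = validate_custom_rules(custom_rules)
    if problems:
        raise ValueError("; ".join(problems))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = sorted((r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if (_addr_matches(r.src, src) and _port_matches(r.src_port, src_port)
                and _addr_matches(r.dst, dst) and _port_matches(r.dst_port, dst_port)):
            return r.name, r.access
    raise RuntimeError("no rule matched; the DenyAll default should always match")


# Constructed custom rules for a web subnet: block RDP from the internet,
# allow HTTPS from anywhere, allow RDP only from a management subnet.
WEB_RULES = [
    Rule("DenyRDPFromInternet", 100, "Inbound", "Deny", "TCP", "Internet", "*", "*", "3389"),
    Rule("AllowHTTPSInBound", 300, "Inbound", "Allow", "TCP", "*", "*", "*", "443"),
    Rule("AllowMgmtRDP", 400, "Inbound", "Allow", "TCP", "10.0.250.0/24", "*", "*", "3389"),
]

if __name__ == "__main__":
    for pkt in [("Inbound", "TCP", "203.0.113.7", 51000, "10.0.1.4", 443),
                ("Inbound", "TCP", "203.0.113.7", 51001, "10.0.1.4", 3389),
                ("Inbound", "TCP", "10.0.250.9", 51002, "10.0.1.4", 3389),
                ("Outbound", "TCP", "10.0.1.4", 51003, "203.0.113.7", 80)]:
        print(pkt, "->", evaluate(WEB_RULES, *pkt))
```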
Networking Limits

The following limits apply only for networking resources managed through ARM per region per subscription:

Resource | Default Limit | Maximum Limit
Virtual networks per subscription | 50 | 500
DNS Servers per virtual network | 9 | 25
Virtual machines and role instances per virtual network | 2048 | 2048
Concurrent TCP connections for a virtual machine or role instance | 500k | 500k
Network Interfaces (NIC) | 300 | 1000
Network Security Groups (NSG) | 100 | 400
NSG rules per NSG | 200 | 500
User defined route tables | 100 | 400
User defined routes per route table | 100 | 500
Public IP addresses (dynamic) | 60 | Contact Support
Reserved public IP addresses | 20 | Contact Support
Load balancers (internal and internet facing) | 100 | Contact Support
Load balancer rules per load balancer | 150 | 150
Public front end IP per load balancer | 5 | Contact Support
Private front end IP per load balancer | 1 | Contact Support
Application Gateways | 50 | 50

Module:
Manage Azure Active Directory (AAD)

Azure AD Overview

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Azure AD Features

• Enterprise Identity Solution – Create a single identity for users and keep them in sync across the enterprise.
• Single Sign-On – Provide single sign-on access to applications and infrastructure services.
• Multifactor Authentication (MFA) – Enhance security with additional factors of authentication.
• Self Service – Empower your users to complete password resets themselves, as well as request access to specific apps and services.
Missing Module:
Implement and Manage Hybrid Identities

AD Connect Overview

AD Connect Components

• Synchronization Services
• Active Directory Federation Services (optional)
• Health Monitoring
AD Connect Sync Features

• Filtering
• Password hash synchronization
• Password writeback
• Prevent accidental deletes
• Automatic upgrade
• Device writeback
Password Sync Options

• Password Sync – Ensures user passwords are the same in both directories (AD DS and Azure AD)
• Passthrough Authentication – Easy method to keep users and passwords aligned. When a user logs into Azure AD, the request is forwarded to AD DS. Essentially, a single source.
• AD FS – Use AD Federation Services server to fully federate across AD DS and Azure AD, along with other services.
Single Sign On

• Provided by Azure AD Connect for users using password sync or passthrough authentication
• Company device with modern browser required
• User not required to authenticate with Azure AD if they are logged on with their AD DS credentials
Multifactor Authentication (MFA)

• Works by requiring 2 or more of the following verification methods:
  – Something you know (Password)
  – Something you have (e.g. Cellphone)
  – Something you are (Biometrics)
Multifactor Authentication (MFA)

Verification Method            Description
Phone call                     A call is placed to a user’s registered phone. The user enters a PIN if necessary then presses the # key.
Text message                   A text message is sent to a user’s mobile phone with a six-digit code. The user enters this code on the sign-in page.
Mobile app notification        A verification request is sent to a user’s smart phone. The user enters a PIN if necessary then selects Verify on the mobile app.
Mobile app verification code   The mobile app, which is running on a user’s smart phone, displays a verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page.
Third-party tokens             Azure Multi-Factor Authentication Server can be configured to accept third-party verification methods.
Azure AD B2C

• Cloud Identity Solution for Web and Mobile Apps
• Highly scalable to hundreds of millions of identities
• Enables authentication for:
  – Social Accounts
  – Enterprise Accounts
  – Local Accounts

(Diagram: Application authenticating against Azure AD B2C)
Azure AD B2B

• Allows you to collaborate with partners outside of your organization
• Users receive an email with a confirmation link upon invitation
• Imported users are “Azure AD External User Objects”
• Access to shared apps, resources, documents, etc.
• Partners access with their own credentials
• Enterprise-level security
Module:
Azure Resource Manager (ARM)

Resource Manager Overview

• Resource – Individual manageable item available to you in Azure
• Resource Group – Container where you can house your resources for management
• Resource Provider – Provider of services you can deploy in Azure, e.g. Microsoft.Compute
• ARM Templates – Files used to define resources you wish to deploy to a resource group
ARM Templates Overview

• Apply Infrastructure as Code
• Download templates from Azure Portal
• Author new templates
• Use Quickstart templates, provided by Microsoft

Example template with a single resource (a Storage Account):

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
  },
  "resources": [
    {
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2016-01-01",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "location": "North Central US",
      "tags": {},
      "properties": {}
    }
  ],
  "outputs": { }
}
Quickstart Templates

https://azure.microsoft.com/en-us/resources/templates/

https://github.com/Azure/azure-quickstart-templates
ARM File Types

• ARM Template File – Describe the configuration of your infrastructure via a JSON file
• ARM Template Parameter File – Separate your parameters (optional)
• Deployment Scripts – E.g. PowerShell for deployment
ARM Template Constructs

• Parameters – Define the inputs you want to pass into the ARM template during deployment.
• Variables – Values that you can use throughout your template. Used to simplify your template by creating reuse of values.
• Resources – Define the resources you wish to deploy or update.
• Outputs – Specify values that are returned after the ARM deployment is completed.
Linking Templates

(Diagram: a Main Template links to an optional Shared Resource Template, one or more Member Resource Templates, Reusable Scripts and Custom Scripts)
Linking Templates (continued)

• Inline
  – Create entire ARM template in body of existing template
• External
  – Link to an external template with an INLINE or EXTERNAL parameter set
Inline Example

"resources": [
  {
    "apiVersion": "2017-05-10",
    "name": "nestedTemplate",
    "type": "Microsoft.Resources/deployments",
    "properties": {
      "mode": "Incremental",
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "variables": {},
        "resources": [
          {
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[variables('storageName')]",
            "apiVersion": "2015-06-15",
            "location": "EAST US",
            "properties": {
              "accountType": "Standard_LRS"
            }
          }
        ]
      },
      "parameters": {}
    }
  }
]

New template created in the body of the current ARM template.
External Example

"resources": [
  {
    "apiVersion": "2017-05-10",
    "name": "linkedTemplate",
    "type": "Microsoft.Resources/deployments",
    "properties": {
      "mode": "Incremental",
      "templateLink": {
        "uri": "https://mystorageaccount.blob.core.windows.net/azuretemplates/newStorageAccount.json",
        "contentVersion": "1.0.0.0"
      },
      "parametersLink": {
        "uri": "https://skylinesacademy.blob.core.windows.net/azuretemplates/newStorageAccount.parameters.json",
        "contentVersion": "1.0.0.0"
      }
    }
  }
]

Template and parameters linked from inside the current ARM template.
Key ARM Functions

• Copy
• copyIndex()
• dependsOn
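As an added example (not course material and not Microsoft tooling) covering both the ARM Template Constructs above and the copy / copyIndex() / dependsOn functions listed here, the Python below assembles a template in which a copy loop creates several NICs that all depend on one VNet, and then lints it for mistakes ARM would otherwise only report at deployment time: references to parameters or variables that are not defined, dependsOn entries pointing at resource types the template does not declare, copy loops whose resource name omits copyIndex() (so every instance would get the same name), and copyIndex() used outside a loop. The resource names, address ranges and parameter values are constructed for the demo.

```python
"""Assemble an ARM template using copy / copyIndex() / dependsOn, then lint it.

Added example; not course material and not Microsoft tooling. Resource names,
address ranges and parameter values are constructed for the demo.
"""
import copy
import json
import re


def build_template() -> dict:
    """One VNet, then N NICs produced by a copy loop that depends on the VNet."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "nicCount": {"type": "int", "defaultValue": 2, "minValue": 1, "maxValue": 10},
            "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
        },
        "variables": {"vnetName": "demo-vnet", "subnetName": "default", "nicPrefix": "demo-nic-"},
        "resources": [
            {
                "type": "Microsoft.Network/virtualNetworks",
                "apiVersion": "2018-08-01",
                "name": "[variables('vnetName')]",
                "location": "[parameters('location')]",
                "properties": {
                    "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                    "subnets": [{"name": "[variables('subnetName')]",
                                 "properties": {"addressPrefix": "10.0.0.0/24"}}],
                },
            },
            {
                "type": "Microsoft.Network/networkInterfaces",
                "apiVersion": "2018-08-01",
                # copyIndex() makes each instance unique: demo-nic-0, demo-nic-1, ...
                "name": "[concat(variables('nicPrefix'), copyIndex())]",
                "location": "[parameters('location')]",
                "copy": {"name": "nicCopy", "count": "[parameters('nicCount')]"},
                # dependsOn orders the deployment: the VNet/subnet must exist before any NIC.
                "dependsOn": ["[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]"],
                "properties": {"ipConfigurations": [{
                    "name": "ipconfig1",
                    "properties": {
                        "privateIPAllocationMethod": "Dynamic",
                        "subnet": {"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', "
                                         "variables('vnetName'), variables('subnetName'))]"},
                    }}]},
            },
        ],
        # An output copy loop returns every generated NIC name after deployment.
        "outputs": {"nicNames": {"type": "array",
                                 "copy": {"count": "[parameters('nicCount')]",
                                          "input": "[concat(variables('nicPrefix'), copyIndex())]"}}},
    }


REF = re.compile(r"(parameters|variables)\('([^']+)'\)")
DEP = re.compile(r"resourceId\('([^']+)'")


def lint_template(t: dict) -> list:
    """Return human-readable problems; an empty list means the checks passed."""
    problems = []
    for section, name in set(REF.findall(json.dumps(t))):
        if name not in t.get(section, {}):
            problems.append(f"{section}('{name}') is referenced but not defined")
    declared = {r["type"] for r in t["resources"]}
    for r in t["resources"]:
        for dep in r.get("dependsOn", []):
            m = DEP.search(dep)
            if m and m.group(1) not in declared:
                problems.append(f"{r['name']} dependsOn a {m.group(1)} not declared in this template")
        if "copy" in r and "copyIndex(" not in r["name"]:
            problems.append(f"{r['name']} has a copy loop but its name lacks copyIndex(); instances would collide")
        if "copy" not in r and "copyIndex(" in json.dumps(r):
            problems.append(f"{r['name']} uses copyIndex() outside a copy loop")
    return problems


def broken_template() -> dict:
    """The same template with two deliberate mistakes, to show what the linter catches."""
    t = copy.deepcopy(build_template())
    nic = t["resources"][1]
    nic["name"] = "[variables('nicPrefix')]"   # forgot copyIndex(): every instance named demo-nic-
    # Depends on a VM the template never declares, via a parameter it never defines.
    nic["dependsOn"].append("[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]")
    return t


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
    for problem in lint_template(broken_template()):
        print("problem:", problem)
```

The linter is deliberately textual (it inspects the template expressions as strings) so it runs offline before a template ever reaches a subscription; a full check still needs the service-side validation of a deployment, which also evaluates the expressions and API versions.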