
Azure IaaS Overview

Workshop Petros | Transpetro | TBG


Ricardo Martins
Cloud Solution Architect
ricardo.martins@microsoft.com
https://aka.ms/workshop-grupopetrobras
Introduction to Azure Infrastructure Services
Agenda
Kickoff / Fundamentals of Cloud: Azure Overview (60 Minutes)

Governance (60 Minutes)

Azure Infrastructure as a Service / Reference Proof of Concept (120 Minutes)

ARM Fundamentals (60 Minutes)

Security (60 Minutes)

Wrap Up (20 Minutes)


Fundamentals of Cloud: Azure Overview
Objectives
Define IaaS, PaaS, SaaS Terminology

Locate Azure Regions and Datacenters

Understand what Hybrid cloud scenarios mean

Identify different Azure Resources that can be used

Confidently navigate the Azure Portal & Documentation


Hybrid Productive Intelligent Trusted
IaaS, PaaS, SaaS
Azure Compute Platform Overview (from PaaS at the top down to IaaS, where you keep high control)
• PaaS: Service Fabric, Power Apps, Azure Functions, Web/Mobile Apps, Media Services, Stream Analytics, Rapid Development (App Service)
• Containers and orchestration: Docker Swarm, DC/OS, Kubernetes, Azure Container Service, Azure Batch, Cloud Foundry; others: OpenShift, Jelastic, Pivotal, Apprenda
• IaaS (high control): Virtual Machines, VM Scale Sets, VM Extensions
Azure Platform Services

Security & Management: Azure Active Directory, Portal, Multi-Factor Authentication, Automation, Operational Intelligence, Backup, Scheduler, Security Center, Health Monitoring, Key Vault, Store/Marketplace, VM Image Gallery and VM Depot, Azure Site Recovery, Import/Export, StorSimple
Platform Services:
• Media & CDN: Media Services, Media Analytics, Content Delivery Network
• Application Platform: Web Apps, Mobile Apps, API Apps, Logic Apps, API Management, Service Fabric, Cloud Services, BizTalk Services, Notification Hubs, Service Bus, Functions
• Data: SQL Database, SQL Data Warehouse, DocumentDB, SQL Server Stretch Database, Redis Cache, Storage Tables, Azure Search, Data Lake Store, Data Catalog, Data Factory
• Hybrid Cloud: Azure AD, AD Privileged Identity Management, Integration, Domain Services, Azure AD B2C
• Intelligence: Cognitive Services, Bot Framework, Cortana
• Compute Services: Virtual Machines, VM Scale Sets, Batch, Kubernetes, Container Instances, Container Registry
• Developer Services: Visual Studio, VS Team Services, Xamarin, Application Insights, HockeyApp, Dev/Test Lab
• Analytics & IoT: HDInsight, Machine Learning, Stream Analytics, Data Lake Analytics, Event Hubs, IoT Hub, Power BI Embedded

Infrastructure Services
• Compute: Virtual Machines, Containers
• Storage: Blob, Queues, Files, Disks
• Networking: Virtual Network, Load Balancer, ExpressRoute, Traffic Manager, VPN Gateway, App Gateway, DNS

Datacenter Infrastructure
Azure regions
Achieve global scale, in local regions

More info at https://azure.microsoft.com/regions/


Most comprehensive SLA options:
• Single VM: 99.9% VM SLA (protection with Premium Storage)
• Availability sets: 99.95% VM SLA (protection against failures within datacenters)
• Availability zones: 99.99% VM SLA (protection from entire datacenter failures)
• Region pairs: protection from disaster, with data residency compliance
Geographies, Region and AZ’s
Geographies
• Azure regions are organized into geographies. An Azure geography ensures that
data residency, sovereignty, compliance, and resiliency requirements are honored
within geographical boundaries.
Region
• A region is a set of datacenters deployed within a latency-defined perimeter and
connected through a dedicated regional low-latency network.

Availability Zone
• Availability Zones are physically separate locations within an Azure region. Each
Availability Zone is made up of one or more datacenters equipped with
independent power, cooling, and networking.

https://azure.microsoft.com/en-us/global-infrastructure/regions/
Geographies, Regions and AZ’s
Paired regions for geo-redundancy
Paired regions provide:
• Isolation and replication
• Region recovery order
• Sequential updates
• Data residency

Region pairs:
North Central US / South Central US
East US / West US
West US 2 / West Central US
US East 2 / Central US
Canada Central / Canada East
North Europe / West Europe
UK West / UK South
Germany Central / Germany Northeast
South East Asia / East Asia
East China / North China
Japan East / Japan West
Australia Southeast / Australia East
India South / India Central
Brazil South (Primary) / South Central US
Hybrid cloud with Azure
• Common Identity: Active Directory on-premises and Azure Active Directory
• Unified Management and Security: on-premises infrastructure and Azure management and security
• Consistent Data Platform: SQL Server on-premises and Azure data services
• Integrated Cloud Platform: Azure Stack and Azure
Hybrid cloud with Azure
Azure Stack – power of Azure in your datacenter
• Azure services in your datacenter
• Unified app development for developers
• One Azure ecosystem
Microsoft Azure (public; cloud infrastructure) and Microsoft Azure Stack (private | hosted; cloud-inspired infrastructure) expose the same layers: Portal | PowerShell | Dev-ops tools, Azure Resource Manager, and Azure IaaS | Azure PaaS.
Demo: Azure Regions
https://azure.microsoft.com/regions
Azure is an open cloud
Layers: DevOps; Clients; Management; PaaS and Applications; App frameworks and tools; Databases and middleware; Infrastructure
Open Source Investments are Fueling the Momentum
Our Products
• SQL Server on Linux
• HDInsight managed service on Linux
• Run Linux on Windows natively (Bash on Windows: C:\Users\markhill> bash)
• Acquisition
Our Offerings
• Azure Marketplace: 60% of all images in Azure Marketplace are based on Linux/OSS
• 1 out of 3 VMs on Azure run Linux, and more than half of all
• 1 out of 3 new VMs run Linux
Our Partnerships
• Partnership with the Linux Foundation for Linux on Azure certification
• Microsoft joins the Eclipse Foundation
• Jenkins project on Azure partnership
Our Employees
• Ross Gardler, President, Apache SW Foundation
• Brendan Burns, Kubernetes creator
• 600 Million+ lines of open source code submitted to GitHub by Microsoft engineers
• Microsoft Open Source Hub

Enable / Integrate / Release / Participate
• Enable: enable Linux and Open Source technology to be first class citizens on Microsoft Platforms
• Integrate: embrace leading Open Source ecosystems and integrate Microsoft products with agility and consistency
• Release: release key Microsoft technologies into the Open Source domain to build a strong ecosystem
• Participate: Microsoft engineers participate in communities and contribute to key Open Source projects
Examples across these four areas: R Server, autorest, .NET Core, PowerBI Visuals, Roslyn, Office UI Fabric, TypeScript, Tools plugins, F#, Ubuntu, RedHat, CentOS, Bash on Windows, PowerShell, Linux Foundation, Containers (Kubernetes, Swarm, Marathon), CosmosDB (MongoDB, Gremlin), Deep Learning, Cloud Foundry, OMS, SQL on Linux (R, Python, FreeBSD), Dot net core, Kubernetes, App Service PaaS Runtime, Apache Hadoop, MySQL/PostGres, Azure IP Advantage, Openshift, CNTK, Docker, HDInsight, Open JDK, Redis

Azure Marketplace
Certified, pre-configured solutions for Microsoft Azure in Azure Marketplace
Walkthrough: Portal & Azure Docs
https://portal.azure.com
https://docs.microsoft.com/en-us/azure
Governance
Objectives
Understand Subscriptions, Resource Groups, Locks, and RBAC

Review Naming Conventions

Identify Monitoring Options

Review Automation Strategies


Azure Governance
• Foundation: Account/Enterprise Agreement, Subscriptions
• Core: Resource Groups, Naming Standards, Role Based Access Controls
• Pillars: Resource Tags, Resource Locks, Azure Resource Policy and Audit, Azure Automation, Azure Security Center
Azure Enterprise Scaffold
Define your Hierarchy
The foundation: enterprise enrollment …and departments/accounts and most importantly: subscriptions
Enterprise enrollment → Department A, Department B → Account A, Account B, Account C → Subscription 1, Subscription 2, Subscription 3, Subscription 4

• Finance/Business: concerned with how costs can be monitored and rolled up and ultimately correctly allocated
• Security/Risk Management: concerned about everything …but mostly looking to ensure that appropriate controls are in place
• Technology Pro: concerned with how they will manage the growth and where to put resources
Common patterns for Azure Enrollments
• Functional: Enterprise → Departments (Finance, IT) → Account Owners → Subscriptions (Project 1 Dev, Project 1 Test, Production Web Sites)
• Business Division: Enterprise → Departments (Auto, Aerospace) → Account Owners → Subscriptions (Application 1, Application 2, Application 3)
• Geographic: Enterprise → Departments (North America, Europe) → Account Owners → Subscriptions (Project 1, Project 2, Project 3)
Azure Cloud Shell
An interactive, browser-accessible shell for managing Azure resources, available in the Azure portal and in the mobile app.
• Get authenticated shell access to Azure from virtually anywhere
• Use common tools and programming languages in a shell that’s updated and maintained by Microsoft
• Persist your files across sessions in attached Azure files
Linux users can opt for a Bash experience, while Windows users can opt for PowerShell.

https://azure.microsoft.com/en-us/features/cloud-shell/
http://aka.ms/CloudShell

© Microsoft Corporation
Naming Standards
Microsoft has published great guidance here: https://azure.microsoft.com/en-gb/documentation/articles/guidance-naming-conventions/

Importance
• Describes type of resource in the subscription
• Places the naming pattern in an order that allows easier application level grouping for potential showback/chargeback billing
• Automation
Consideration: some resource names are
• Constrained unique across entire Azure
• Constrained by length
• Constrained to alpha-numeric
• Constrained unique within account
• Cannot include upper case characters
• Cannot contain offensive or forbidden substrings
Requirements: ensure
• Unique Azure naming requirements
• Case sensitivity
• Application association
• Environment association
• Region association
• Instance association
• Object association
Policies
A default allow system
Described via policy definitions
Policy definitions can be created

Policies are applied via policy assignments


Start small with policy configuration

aka.ms/Azure/Policies
{
"if" : {
<condition> | <logical operator>
},
"then" : {
"effect" : "deny | audit | append"
}
}

Link to Azure Resource Manager policy introduction: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/


• Chargeback: Require departmental tags
• Geo compliance: Ensure resource locations
• Service curation: Select your service catalog
• Convention: Enforce naming
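To make the if/then shape above concrete, here is an added example (not from the slides, and not Azure's own policy engine): a miniature evaluator that implements a subset of the Azure Policy condition language (field, equals, notEquals, in, notIn, exists, allOf, anyOf, not) and the three effects named on the slide, deny, audit and append. The three sample policies mirror the chargeback, geo-compliance and default-tag bullets; their names, the sample resources and the allowed region list are constructed for this example.

```python
"""Added example, not from the slides or from Azure's own engine: a miniature
evaluator for the if/then policy shape shown above. It implements a subset of
the Azure Policy condition language (field, equals, notEquals, in, notIn,
exists, allOf, anyOf, not) and the three effects named on the slide."""
from typing import Any, Dict, List

Resource = Dict[str, Any]
Policy = Dict[str, Any]

# Azure evaluates append before deny, and deny before audit, so an appended
# default tag is visible to the deny/audit rules that follow.
EFFECT_ORDER = {"append": 0, "deny": 1, "audit": 2}


def get_field(resource: Resource, field: str) -> Any:
    """Resolve a policy field alias. Azure Policy writes tag lookups as
    tags['name']; every other field handled here is a top-level key."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def matches(condition: Dict[str, Any], resource: Resource) -> bool:
    """Evaluate an 'if' block: a logical operator or a single field test."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:
        # Azure accepts the strings "true"/"false" as well as booleans here.
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def apply_policies(policies: List[Policy], resource: Resource) -> Dict[str, Any]:
    """Evaluate every policy against one resource request. Returns the names
    of policies that denied or audited it and the resource after any appends;
    the caller's resource dict is left untouched."""
    updated: Resource = {**resource, "tags": dict(resource.get("tags", {}))}
    result: Dict[str, Any] = {"denied_by": [], "audited_by": [], "resource": updated}
    ordered = sorted(policies, key=lambda p: EFFECT_ORDER[p["policyRule"]["then"]["effect"].lower()])
    for policy in ordered:
        rule = policy["policyRule"]
        if not matches(rule["if"], updated):
            continue
        effect = rule["then"]["effect"].lower()
        if effect == "deny":
            result["denied_by"].append(policy["name"])
        elif effect == "audit":
            result["audited_by"].append(policy["name"])
        else:  # append: this model only appends tags, and never overwrites one
            for detail in rule["then"]["details"]:
                updated["tags"].setdefault(detail["field"][6:-2], detail["value"])
    return result


# Constructed sample policies mirroring the bullets above; names are invented.
SAMPLE_POLICIES: List[Policy] = [
    {"name": "append-default-cost-center",
     "policyRule": {"if": {"field": "tags['cost-center']", "exists": "false"},
                    "then": {"effect": "append",
                             "details": [{"field": "tags['cost-center']", "value": "unallocated"}]}}},
    {"name": "require-department-tag",
     "policyRule": {"if": {"field": "tags['department']", "exists": "false"},
                    "then": {"effect": "deny"}}},
    {"name": "audit-allowed-locations",
     "policyRule": {"if": {"allOf": [
                        {"field": "location", "notIn": ["brazilsouth", "southcentralus"]},
                        {"not": {"field": "type", "equals": "Microsoft.Resources/resourceGroups"}}]},
                    "then": {"effect": "audit"}}},
]

# Constructed resource requests: a compliant VM and an untagged storage
# account landing outside the approved regions.
COMPLIANT_VM: Resource = {
    "type": "Microsoft.Compute/virtualMachines", "name": "vm-web-prod-01",
    "location": "brazilsouth",
    "tags": {"owner": "joe", "department": "marketing", "environment": "production"},
}
UNTAGGED_STORAGE: Resource = {
    "type": "Microsoft.Storage/storageAccounts", "name": "stwebprod01",
    "location": "eastus", "tags": {},
}

if __name__ == "__main__":
    for res in (COMPLIANT_VM, UNTAGGED_STORAGE):
        outcome = apply_policies(SAMPLE_POLICIES, res)
        print(res["name"], "denied by", outcome["denied_by"], "audited by", outcome["audited_by"])
```

Because append runs first, the compliant VM picks up a default cost-center tag and passes; the untagged storage account is denied by the department-tag policy and additionally flagged by the location audit. Running the same evaluator over an export of existing resources is how an audit policy's non-compliance list is produced before switching the effect to deny.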
Resource Group
Resource group
• Container for multiple resources that share the same life cycle
• Resources exist in one resource group
• Resource groups can span regions
• Secure at the resource group (or resource) level using RBAC
Grouping options: everything (web + DB, VM, Storage) in one resource group, or separate resource groups for web and DB, for the virtual machine and for storage.
Resource Tags
Organizing resources with tags
Resource tags
• Name-value pairs assigned to resources or resource groups
• Subscription-wide taxonomy
• Each resource can have up to 15 tags
• Tags roll up to your Azure bill
Example:
owner: joe
department: marketing
cost-center: marketing
environment: production
Tag is your metadata store
Tags are essential for 3rd party management solutions

aka.ms/Azure/tags
• Set tags in approved template
• Set tags at resource group level
• Use deny policy to enforce tags
• Use audit policy to audit resources missing tags
• Use append policy to append default tags
• Use Azure Automation to apply tags
• Names are the object name
• Names are surfaced at the top level of the portal
• Names are used in PowerShell cmdlets
• Tags are metadata for the object
• Names/tags can be used for billing drilldown
• Names/tags can be used for data analysis
• Tags are used to provide context that a name cannot
Role-Based Access Control
Role-Based Access Control (RBAC)
Enables allowing or disallowing access to the Azure portal, and controlling access to resources
• Fine-grained access management
• Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs
Azure Active Directory users, apps and user groups are granted access at the Azure subscription and resource group scopes.
Role-Based Access Control (RBAC)
Roles
Three primary roles:
• Owner has full access to all resources including the right to delegate access to others
• Contributor can create and manage all types of Azure resources but can’t grant access to others
• Reader can view existing Azure resources
40+ resource-specific roles:
• Other built-in roles for specific Azure resources
Custom roles:
• Ability to create custom roles

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Role-Based Access Control (RBAC)
Hierarchy and Inheritance
Access is inherited down the hierarchy: Subscription → Resource Group → Resources. At each level AAD users and AAD groups can be assigned as Contributors, Owner or Readers, and an assignment made at the subscription is inherited by its resource groups and by their resources.
Best Practice: Least Privileged

Goal

Best practices
• Designed to work together
• User must get past RBAC restrictions first
• Policy can restrict the actions you can perform in addition
to RBAC rights
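The inheritance and least-privilege points above can be checked mechanically. The following is an added example (not from the slides or from Azure): it resolves the effective roles a principal holds at a scope by walking the scope chain subscription → resource group → resource, expanding group membership on the way, and it lists Owner assignments at subscription scope as candidates for a least-privilege review. Scope strings follow the Azure resource ID layout; the subscription id is a placeholder and the groups, users and resource names are made up.

```python
"""Added example (not from the slides or from Azure): resolving effective RBAC
roles along the scope hierarchy shown above, plus a least-privilege review of
broad Owner assignments. All identities and scopes below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user or group name
    role: str        # Owner, Contributor, Reader, or a built-in/custom role
    scope: str       # /subscriptions/<id>[/resourceGroups/<rg>[/providers/...]]


def scope_chain(scope: str) -> List[str]:
    """Scopes whose assignments apply at `scope`: the subscription, then the
    resource group (if any), then the resource itself (if any)."""
    parts = scope.strip("/").split("/")
    chain = ["/" + "/".join(parts[:2])]            # /subscriptions/<id>
    if len(parts) >= 4:
        chain.append("/" + "/".join(parts[:4]))    # .../resourceGroups/<rg>
    if len(parts) > 4:
        chain.append(scope)                        # the resource itself
    return chain


def effective_roles(principal: str, scope: str, assignments: List[RoleAssignment],
                    group_members: Dict[str, Set[str]]) -> Set[str]:
    """Roles `principal` holds at `scope`: direct assignments plus those of
    every group it belongs to, made at this scope or any parent scope."""
    identities = {principal} | {g for g, members in group_members.items() if principal in members}
    inherited = set(scope_chain(scope))
    return {a.role for a in assignments if a.principal in identities and a.scope in inherited}


def subscription_owners(assignments: List[RoleAssignment]) -> List[str]:
    """Least-privilege review: Owner at subscription scope can delegate access
    to everything beneath it, so each such principal needs a justification."""
    return sorted(a.principal for a in assignments
                  if a.role == "Owner" and a.scope.count("/") == 2)


# Constructed sample tenant: placeholder subscription id, made-up names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = f"{SUB}/resourceGroups/rg-web"
RG_DB = f"{SUB}/resourceGroups/rg-db"
VM_WEB1 = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/vm-web-01"

SAMPLE_GROUPS: Dict[str, Set[str]] = {"web-admins": {"alice", "dave"}, "auditors": {"carol"}}
SAMPLE_ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("bob", "Owner", SUB),
    RoleAssignment("auditors", "Reader", SUB),
    RoleAssignment("web-admins", "Contributor", RG_WEB),
    RoleAssignment("erin", "Virtual Machine Contributor", VM_WEB1),
]

if __name__ == "__main__":
    for who, where in (("alice", VM_WEB1), ("alice", RG_DB), ("carol", VM_WEB1), ("erin", RG_WEB)):
        print(who, "@", where.rsplit("/", 1)[-1], "->", effective_roles(who, where, SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS))
    print("subscription owners to review:", subscription_owners(SAMPLE_ASSIGNMENTS))
```

Note the direction of inheritance: Alice's Contributor role on rg-web reaches vm-web-01 inside it but nothing in rg-db, while Erin's VM-scoped role gives her nothing at the resource-group level. Only Bob shows up in the review, which is the conversation the "Best Practice: Least Privileged" slide is asking teams to have.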
Resource Locks
Resource Locks
Ensures stability of subscriptions by locking key resources from deletion or
modification
• Read-only (can’t modify or delete)
• Delete (can modify but can’t delete)
Governance: Monitoring
Azure Service Health
• Provides personalized guidance and support when issues in Azure services affect you
• Helps you prepare for upcoming planned maintenance
• Data sourced from https://azure.microsoft.com/en-us/status/

https://azure.microsoft.com/en-us/features/service-health/
Full observability for your infra, app and network
Metrics and logs land in a common store.
• Unified Monitoring: a common platform for all metrics, logs and other monitoring telemetry
• Data Driven Insights: advanced diagnostics and analytics powered by machine learning capabilities
• Workflow Integrations: rich ecosystem of popular DevOps, issue management, SIEM, and ITSM tools
Azure Monitor
• Sources: Application, Operating System, Azure Resources, Azure Subscription, Azure Tenant, Custom Sources
• Data: Metrics, Logs
• Insights: Application, Containers, VM, Monitoring Solutions
• Visualize: Dashboards, Views, Power BI, Workbooks
• Analyze: Metrics Explorer, Log Analytics
• Respond: Alerts, Autoscale
• Integrate: Event Hubs, Logic Apps, Ingest & Export APIs
Azure Monitor for VMs
• Monitor VMs @ Scale
• Identify & isolate host-level or guest-level health problems
• Visualize service dependencies & connection failures in Maps
• On board VMs at Scale using PowerShell and/or Azure Policy
Azure Monitor for Containers
• Monitor multi-cluster health & node/pod status
• Monitor containers on demand in AKS with virtual nodes
• Drill through Kube events
• On board monitoring using az aks cli commands
Azure Monitor Logs
• Log Analytics advanced query experience now in Azure Portal
• Utilize ML algorithms for clustering and anomaly detection
• RBAC per type
http://aka.ms/kqlpluralsight
Azure Monitor for VMs
• Pre-defined health monitors to jump-start VM monitoring
• Near real-time monitoring of core VM components (CPU, Memory, ..)
• Health diagnostics that help to localize the issue fast
• KB articles on common causes and resolution
• Customizable alerting thresholds on health monitors
Azure Monitor for VMs
• Aggregation of VM metrics across thousands of VMs
• Top N performance views identify resource constrained VMs @ scale
• Drill through performance diagnostics for root cause analysis
• Drill through to advanced analytics on VM logs
• Built in views for key performance indicators
Azure Monitor for VMs
• Visualize VMs and process interaction for resource groups, VM scale sets and subscriptions
• Identify surprise dependencies and connection failures
• Live connection metrics between processes and VMs identifying spikes in network traffic
• Drill through dependent VMs to Alerts and Logs
Azure Monitor for VMs
• Built-in monitoring policy to on board Azure VMs @ scale
• Policy supports existing VMs and new VMs created
• Remediation policy to on board VMs falling out of compliance
Azure Monitor Alerts
• One Alert Mgmt experience
• Configure Alerts at Scale
• Multi-resource alerting
• Unified Alert lifecycle Management
• Smart grouping to reduce noise
• Dynamic threshold based Alerting
Azure Monitor for Containers
• Cross subscription multi-cluster health roll up view NEW!
• View overall health and perf across nodes, controllers and containers
• Drill down monitoring experience with namespace, service, and node filters
• Analyze Kubernetes event & container logs for troubleshooting
• Monitor containers on demand for AKS with virtual nodes NEW!
• Integrated in Azure DevOps Project NEW!
Azure Monitor Logs
• Log Analytics advanced query experience now in Azure Portal
• RBAC per type
• Run analytics queries for investigations, statistics, and root cause + trend analysis
• Utilize ML algorithms for clustering and anomaly detection

Training: http://aka.ms/kqlpluralsight
Azure Network Watcher
• Network Topology: visualize your network topology
• Diagnostics: diagnostic tools for networking related issues (Variable Packet Capture, IP Flow Verify, Next Hop, Security Group View, VPN Troubleshoot)
• Metric: measure and view your network performance and health (Subscription Limits)
• Logs: configure and view your logs (Network Security Group Flow logs); single place to configure all logs and alerts
Azure Advisor
• Personalized Cloud Consultant
• Actionable recommendations to improve resource availability, security, performance, and cost
• Implement fixes quickly from inline recommendations

https://azure.microsoft.com/en-us/services/advisor/
Sample recommendations:
• Use a cost effective solution to manage performance goals of multiple SQL databases
• Optimize virtual machine spend by resizing underutilized instances

Cost Management
Previously Cloudyn, this SaaS solution is our new end-to-end service to monitor, allocate, and optimize cloud spend.
Governance: Automation
Azure Automation
• Help users to automate manual, long-running, error-prone, and frequently
repeated tasks
• Saves time and increases the reliability of regular administrative tasks
• Ability to schedule tasks to be automatically performed at regular intervals
• Automate processes using Runbooks or automate configuration
management using Desired State Configuration
Demo: Monitoring Tools
Break – 15 Minutes
Azure Infrastructure
Objectives
Deploy to existing Networks

Choose Azure Storage capabilities and sizing

Identify Virtual Machine Sizes

Understand DR and High Availability concepts on Azure


Core services of Azure IaaS
• Compute: Virtual machines, Availability sets, VM scale sets
• Storage: Disks, Blobs, Files
• Networking: Virtual networks, VPN, ExpressRoute, Load Balancer, DNS, Traffic Manager
• Management: Monitoring, Backup and Site Recovery, Automation
Azure Network Overview
Azure Load Balancing Options
Scale and Provide High Availability
Solution | Feature | Coverage
• Traffic Manager | DNS | Infrastructure
• Load Balancer | Layer 4 (TCP/UDP) | Infrastructure
• Application Gateway | Layer 7 (HTTP/HTTPS) | Dedicated
• 3rd Party Network Virtual Appliances | Layer 3-7 | Appliance
Deployment shown: a Public IP 191.237.87.98 with the DNS name <publicDNSname>.<region>.cloudapp.azure.com fronting backend VMs at 10.0.0.1, 10.0.0.2 and 10.0.0.3.
Walkthrough: Setting up Azure Networks
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-get-started-vnet-subnet
Storage
Azure Storage services
IaaS (Virtual machines, Storage, Networking) and PaaS (Existing frameworks, Web and mobile, Microservices, Serverless compute) build on five services:
• Disks (Standard | Premium): persistent disks for Azure IaaS VMs
• Files: fully managed file shares in the cloud
• Blobs (Page | Block blobs): highly scalable, tiered, REST based cloud object store
• Tables: massive auto-scaling NoSQL store
• Queues: reliable queues at scale for cloud services
Data transfer options: Azure Import/Export, AzCopy, ExpressRoute

Replication options
Locally Redundant Storage (LRS)
• How it works: makes multiple synchronous copies of your data within a single datacenter. Recommended for VM Disks.
• Total copies: 3
• Why use it: for economical local storage or data governance compliance
Zone Redundant Storage (ZRS)
• How it works: stores three copies of data across multiple datacenters within or across regions. For block blobs only.
• Total copies: 3
• Why use it: an economical, higher durability option for block blob storage
Geo Redundant Storage (GRS)
• How it works: same as LRS, plus multiple asynchronous copies to a second datacenter in a region hundreds of miles away
• Total copies: 6
• Why use it: for protection against a major datacenter outage or disaster
Read-Access Geo Redundant Storage (RA-GRS)
• How it works: same as GRS, plus read access to the secondary datacenter
• Total copies: 6
• Why use it: provides read access to data during an outage, for maximum data availability and durability
Disks
Managed Disks
• The OS Disk and Data Disk page blobs are placed in separate Storage Scale Units, managed by Azure; the Temp Disk is separate
• No management overhead, avoiding storage account IOPS limits
• Disk scalability limits no longer bounded by storage account limits. Disks are single objects which can scale up to 10,000 per subscription, per region and per storage type.
Types of disks
Premium Storage Disks
• Storage media: SSD (Solid State Drives)
• Overview: high-performance, low-latency
• Target scenarios: IO-intensive enterprise workloads like databases; migrating high performance mission critical workloads to Azure
• Max IOPs and throughput: 7,500 IOPS and 250 MB/sec per disk
• Performance expectations: single digit millisecond latency for most IO’s; consistency of provisioned performance
• Instance sizes: supports the DS, DSv2, GS, Ls, or FS VM series
Standard Storage Disks
• Storage media: HDD (Hard Disk Drives)
• Overview: cost effective disk support for Dev/Test scenarios
• Target scenarios: dev/test workloads, non-critical, infrequent access; applications that are not affected by latency/performance variations
• Max IOPs and throughput: 500 IOPS and 60 MB/sec per disk
• Performance expectations: longer latency due to HDD; performance is not provisioned; allow warm up time for ramping up traffic
• Instance sizes: supports all VM series
Upgrade from Standard to Premium
• Stop the VM
• Update to a Premium storage capable VM size
• Update storage type to Premium
• Reboot
Managed Disk Snapshots
• Read-only full copy of a Managed Disk
• Stored in a Standard (HDD), by default, or Premium (SSD) account type
• Option to create new Managed Disks based on Snapshots (Managed Disk 1 → Snapshot (read-only) → Managed Disk 2 … Managed Disk N)
Images
• Create custom images from custom VHDs or generalized VMs
• VM needs to be deallocated
• Captures in a single image all managed disks associated with a VM (both OS and data disks)
• Option to create new VMs based on your custom image (VM 1 (generalized, deallocated) → VM Image → VM 2 … VM N)
Azure Files
Lift and Shift
Variety of clients/protocols
• SMB 2.1, 3.0, REST
• Windows, Linux, Mac OS
• Azure and on-premises access
Secure
• Encryption at rest
• Secure communication over SMB
Clients (applications and virtual machines, on-premises or in Azure) reach the share at \\<account>.file.windows.net\<share> over SMB, which requires port 445 outbound.
Walkthrough: Create an Azure Storage Account
https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account
Compute
Compute options on IaaS
• VM: legacy applications, no change, lift and shift
• VM Scale Set: scale out, elasticity
• Containers: efficiency and speed, improved DevOps
• Marketplace: flexibility, managed service

Compute families (from highest value to largest scale-up)
• Entry Level: Dev/Test workloads
• Small Workloads: small footprint workloads
• General Purpose: common applications, web servers
• Compute Optimized: gaming, analytics
• GPU-enabled: graphic based applications, remote visualization
• Storage optimized: NoSQL databases (Cassandra, MongoDB), data warehousing
• Large Memory: large databases
• High Performance: batch processing, fluid dynamics, Monte Carlo simulation
• Memory Optimized: database workloads
• Memory Optimized: large enterprise applications including SAP HANA
• SAP HANA Large instances: OLTP, OLAP

More info at https://docs.microsoft.com/azure/virtual-machines/windows/sizes


Azure Virtual Machine considerations
• VM Size (Compute Family)
• VM Extensions
• Availability Set & Availability Zones
• Standard or Premium disks
• Marketplace, Image Gallery or bring your own
• Pricing
• Reserved Instances
• Hybrid Benefit
Azure single virtual machine architecture
Within one Resource Group: a Virtual Network with a Subnet, a NIC with a Public IP Address reachable from the Internet, an OS Managed Disk, Data Managed Disks (Data 1, Data 2), a Temp disk on the host’s physical SSD, and a storage account for diagnostic logs.
Availability sets
Logical group of resources that Azure places on physical fault domains and update domains
Fault domains
• Ensures that the members of the availability set have separate power and network resources
Update domains (UD 0 … UD 4)
• Ensures that members of the availability set are not brought down for maintenance at the same time
High Availability (SLA 99.95)
• For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time
• For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%
https://wikiazure.azureedge.net/wp-content/uploads/2017/09/Availability-Zones-Infographic.pdf
Virtual Machine Disks and Availability Sets
• VM fault domains aligned with Managed Disk fault domains
• Disks on separate storage stamps (Storage Unit 0, 1 and 2, each holding one VM’s managed disk)
• Avoid single point of failure at disk level
Virtual machine scale sets
• Auto-scalable
• Fast
• Customizable: Windows or Linux, VM extensions, open PaaS platform
• Ease of management: focus on target instance count; updateable
A scale set lives in a resource group, VNET and subnet, with scalable NICs, scalable storage and extensions applied across all its VMs.
Walkthrough: Create an Azure VM
Walkthrough: Create an Azure VM
Backup and Recovery Services
Azure Backup
The Backup Extension on an Azure IaaS VM snapshots its disks into the storage account (Tier 1 Recovery Point); the data blocks are then transferred to the Azure Backup Vault as Recovery Points R1, R2, R3 … (Tier 2 Recovery Point).
Lightning Fast Backups | Ideal for Patch Scenarios | Full Restore Fidelity
Azure Site Recovery
• Private cloud to Azure: VMware, Hyper-V, Physical (Windows, Linux)
• Any cloud: Azure to Azure
• Public cloud to Azure: AWS to Azure
• Any OS
Azure Site Recovery
• Create a Recovery Services Vault
• Install and Register On-premises Software
• Add VMM, Hyper-V, Physical, or vCenter Servers
• Create and Associate a Replication Policy
• Replicate Virtual Machines
• Configure VM properties or Network
• Create Recovery Plan
• Perform Failover
• Optionally configure re-protection and Failback
The Primary Site (Hyper-V hosts with SCVMM, MASR Agent and MARS Agents, behind a firewall) replicates VM1–VM4 to Azure Site Recovery.
Walkthrough: Configuring Azure Virtual Machines for Backup
Proof of Concept: Deploying a highly available application
https://github.com/Azure/onboarding-guidance/blob/master/Scenarios/POC%20Scenario-HTTP.md

https://github.com/Azure/azure-quickstart-templates
Azure Components Needed
• Resource Group
• Virtual Network
• Network Security Group
• Load Balancer
• Availability Set
• Virtual Machines
• Storage Accounts
High Level Steps
• Pin frequently used Azure resources
• Create Resource Group
• Create a VNET & Subnet
• Create 2 VMs and add them to an Availability Set
• Install IIS to make them web servers
• Modify the default web page on each VM to identify the web server
• Create Public Load Balancer and assign a Public, Static IP
• Assign a DNS name to the Load Balancer
• Update the NSG of the two VMs’ NICs to allow HTTP traffic
• Test the web site by going to the Load Balancer DNS name
• The LB will load balance the traffic between the two web servers
ARM Fundamentals
Azure Resource Manager Overview

ARM Templates – Overview

ARM Templates – Design Considerations

ARM templates – Recommended Practices


{"product":"pencil","price":12}

Vs

<root type="object">
<product type="string">pencil</product>
<price type="number">12</price>
</root>
{
"$schema": "http://schema..../deploymentTemplate.json#",
"contentVersion": "",
"parameters": { },
"variables": { },
"resources": [ ],
"outputs": { }
}

https://github.com/Azure/azure-quickstart-templates/
Parameters: values that are provided when deployment is executed to customize resource deployment
"parameters": {
  "<parameter-name>" : {
    "type" : "<type-of-parameter-value>",
    "defaultValue": "<default-value-of-parameter>",
    "allowedValues": [ "<array-of-allowed-values>" ],
    "minValue": <minimum-value-for-int>,
    "maxValue": <maximum-value-for-int>,
    "minLength": <minimum-length-for-string-or-array>,
    "maxLength": <maximum-length-for-string-or-array-parameters>,
    "metadata": {
      "description": "<description-of-the parameter>"
    }
  }
},
"variables": {
"environmentSettings": {
"test": {
"instancesSize": "Small",
"instancesCount": 1
},
"prod": {
"instancesSize": "Large",
"instancesCount": 4
}
},
"currentEnvironmentSettings": "[variables('environmentSettings')[parameters('environmentName')]]",
"instancesSize":
"[variables('currentEnvironmentSettings').instancesSize]",
"instancesCount":
"[variables('currentEnvironmentSettings').instancesCount]"
}
"resources": [
{
"apiVersion": "<api-version-of-resource>",
"type": "<resource-provider-namespace/resource-type-name>",
"name": "<name-of-the-resource>",
"location": "<location-of-resource>",
"tags": "<name-value-pairs-for-resource-tagging>",
"comments": "<your-reference-notes>",
"dependsOn": [
"<array-of-related-resource-names>"
],
"properties": "<settings-for-the-resource>",
"copy": {
"name": "<name-of-copy-loop>",
"count": "<number-of-iterations>"
},
"resources": [
"<array-of-child-resources>"
]
}
]
"outputs": {
"siteUri" : {
"type" : "string",
"value":
"[concat('http://',reference(resourceId('Microsoft.Web/sites',
parameters('siteName'))).hostNames[0])]"
}
}
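The parameter constraints (type, allowedValues, minValue/maxValue, minLength/maxLength, defaultValue) and the environmentSettings lookup in the variables block are exactly what a deployment pipeline should check before it ever calls Resource Manager. The following is an added example (not from the slides or from the Azure SDK): a validator for a parameters file against a template's "parameters" section, and a mirror of the variables lookup that selects the per-environment settings. The template fragment, parameter names and values are constructed for the example; only the constraint keys come from the slide.

```python
"""Added example (not from the slides or from Azure): pre-deployment
validation of parameter values against an ARM template's "parameters"
section, plus the environment lookup the "variables" block above performs
with variables('environmentSettings')[parameters('environmentName')].
The template fragment and all values are constructed for this example."""
from typing import Any, Dict, List

# Python types accepted for each ARM parameter type; securestring/secureObject
# are validated like string/object (their values are just not logged).
ARM_TYPES = {
    "string": str, "securestring": str, "int": int, "bool": bool,
    "array": list, "object": dict, "secureobject": dict,
}


def validate_parameters(template: Dict[str, Any], supplied: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the values are deployable."""
    errors: List[str] = []
    definitions = template.get("parameters", {})
    for name in supplied:
        if name not in definitions:
            errors.append(f"{name}: not declared in the template")
    for name, spec in definitions.items():
        if name in supplied:
            value = supplied[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]          # optional parameter, use its default
        else:
            errors.append(f"{name}: required (no defaultValue) but not supplied")
            continue
        expected = ARM_TYPES[spec["type"].lower()]
        # bool is a subclass of int in Python; keep the two ARM types distinct.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"{name}: expected {spec['type']}, got {type(value).__name__}")
            continue
        if "allowedValues" in spec and value not in spec["allowedValues"]:
            errors.append(f"{name}: {value!r} not in allowedValues {spec['allowedValues']}")
        if "minValue" in spec and value < spec["minValue"]:
            errors.append(f"{name}: {value} below minValue {spec['minValue']}")
        if "maxValue" in spec and value > spec["maxValue"]:
            errors.append(f"{name}: {value} above maxValue {spec['maxValue']}")
        if "minLength" in spec and len(value) < spec["minLength"]:
            errors.append(f"{name}: length {len(value)} below minLength {spec['minLength']}")
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"{name}: length {len(value)} above maxLength {spec['maxLength']}")
    return errors


def resolve_environment(template: Dict[str, Any], supplied: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror of the variables block above: pick the settings object for the
    supplied environmentName, falling back to the parameter's defaultValue."""
    spec = template["parameters"]["environmentName"]
    env = supplied.get("environmentName", spec.get("defaultValue"))
    return template["variables"]["environmentSettings"][env]


# Constructed template fragment (not from the quickstart repository).
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "contentVersion": "1.0.0.0",
    "parameters": {
        "environmentName": {"type": "string", "defaultValue": "test",
                            "allowedValues": ["test", "prod"]},
        "siteName": {"type": "string", "minLength": 3, "maxLength": 24},
        "dataDiskCount": {"type": "int", "defaultValue": 1, "minValue": 1, "maxValue": 4},
        "adminPassword": {"type": "securestring"},
    },
    "variables": {
        "environmentSettings": {
            "test": {"instancesSize": "Small", "instancesCount": 1},
            "prod": {"instancesSize": "Large", "instancesCount": 4},
        }
    },
    "resources": [],
}

if __name__ == "__main__":
    # Constructed parameter file; the password is a placeholder, not a secret.
    params = {"environmentName": "prod", "siteName": "petro-web-prod",
              "adminPassword": "placeholder-value"}
    print("errors:", validate_parameters(SAMPLE_TEMPLATE, params))
    print("settings:", resolve_environment(SAMPLE_TEMPLATE, params))
```

Run against a parameter file, an empty error list is the green light; each error string names the parameter and the violated constraint, which is more useful than the generic failure Resource Manager returns after the deployment has already started.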
Demo: Deploy an ARM Template:
http://aka.ms/workshop-arm-template
Security: Azure Datacenter
Microsoft Azure Security Video
• https://youtu.be/r1cyTL8JqRg
Security: Network Connected Resources (IaaS)
User Defined Routes (UDR)
Control traffic flow in your network with custom routes
• Send traffic to an IPS or IDS to inspect and audit activity
• Leveraging corporate proxy for compliance
In the Virtual Network, a UDR on the Frontend Subnet and on the Backend Subnet overrides the System Route so that traffic passes through a VM/Appliance with “IP Forwarding” enabled before reaching the Internet.
Network Security Group (NSG)
Layer 3-4
• Control ingress and egress traffic leaving a VM’s NIC or Subnet
• Prioritized set of rules based on a 5-tuple ruleset (Pri | Access | Src | Port | Dst | Port | Protocol)
• Newly Released Features
• Augmented Rules
• Service Tags
• Application Security Groups
The diagram shows NSG 1 applied at the VM level (VM1, VM2) and NSG 2 applied to the Virtual Subnet.
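The "prioritized 5-tuple" behaviour is easy to get wrong when reading a long rule list by eye, so here is an added example (not from the slides or from Azure) that evaluates an inbound NSG rule set the way the slide describes: rules are tried in ascending priority and the first rule whose source, source port, destination, destination port and protocol all match decides the flow. The default rules and the VirtualNetwork/Internet service tags are modelled in simplified form (the VNet address space 10.0.0.0/16 is an assumption), and the web-tier rules are constructed for the POC described earlier on the page.

```python
"""Added example (not from the slides or from Azure): first-match evaluation
of inbound NSG rules over 5-tuples (src address, src port, dst address,
dst port, protocol). Service tags and default rules are a simplified model;
the VNet range and the sample rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet address space


@dataclass(frozen=True)
class Rule:
    priority: int          # custom rules use 100-4096; the lower number wins
    name: str
    access: str            # "Allow" or "Deny"
    source: str            # CIDR, "*", "VirtualNetwork" or "Internet"
    source_port: str       # "*", a port such as "443", or a range "1024-65535"
    destination: str
    destination_port: str
    protocol: str          # "Tcp", "Udp" or "*"


def address_matches(spec: str, address: str) -> bool:
    ip = ipaddress.ip_address(address)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # simplified: the VNet's own address space
        return ip in VNET_SPACE
    if spec == "Internet":            # simplified: anything outside the VNet
        return ip not in VNET_SPACE
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def protocol_matches(spec: str, protocol: str) -> bool:
    return spec == "*" or spec.lower() == protocol.lower()


def evaluate(rules: Iterable[Rule], src: str, src_port: int, dst: str,
             dst_port: int, protocol: str) -> Optional[Rule]:
    """Return the rule that decides this flow: the lowest-priority-number rule
    matching all five tuple fields, or None if no rule matched at all."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (address_matches(rule.source, src)
                and port_matches(rule.source_port, src_port)
                and address_matches(rule.destination, dst)
                and port_matches(rule.destination_port, dst_port)
                and protocol_matches(rule.protocol, protocol)):
            return rule
    return None


# Azure's default inbound rules at priorities 65000 and 65500; the load
# balancer probe rule at 65001 is left out of this simplified model.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "*", "VirtualNetwork", "*", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed rules for the POC web tier: HTTP from the Internet is allowed,
# RDP from the Internet is explicitly denied, everything else falls through.
WEB_TIER_INBOUND = DEFAULT_INBOUND + [
    Rule(100, "allow-http-from-internet", "Allow", "Internet", "*", "*", "80", "Tcp"),
    Rule(200, "deny-rdp-from-internet", "Deny", "Internet", "*", "*", "3389", "Tcp"),
]

if __name__ == "__main__":
    # Constructed flows: 203.0.113.7 is a documentation address standing in for the Internet.
    for flow in (("203.0.113.7", 51000, "10.0.1.4", 80, "Tcp"),
                 ("203.0.113.7", 51000, "10.0.1.4", 3389, "Tcp"),
                 ("10.0.2.9", 40000, "10.0.1.4", 3389, "Tcp")):
        hit = evaluate(WEB_TIER_INBOUND, *flow)
        print(flow, "->", hit.access if hit else "no match", "by", hit.name if hit else "-")
```

The same VNet-internal RDP flow that the Internet is denied is allowed by AllowVnetInBound at 65000, which is why NSG reviews should read the default rules together with the custom ones: a rule list with no explicit denies is still closed to the Internet by DenyAllInBound, but wide open inside the VNet.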
DDoS
L3/L4 adaptive tuning
• DDoS Protection understands your resources and resource configuration
• Virtual Network builds a profile of normal traffic
• Profile adjusts as traffic changes over time
• Protection policies define protection limits
• No user configuration is required
• Mitigation is performed when protection policies are exceeded
Application Gateway
Layer 7 Appliance
• WAF Support
• HTTP Load Balancing
• Cookie-Based Affinity
• SSL Offloading
• End-to-End SSL
• URL Based Routing
• Multi-site routing
• WebSocket Support
• Health Monitoring
• Advanced diagnostics
• Security Center Integration
In the diagram the WAF in front of the L7 load balancer blocks an XSS attack and a SQL Injection attempt while the valid request is forwarded to the backends: VM1 and VM2 in VNET 1, VM3 and VM4 in VNET 2, on-premise application VMs and Cloud Services.
Security: Identity and Access Management
Hybrid Identity
A Management Agent reads each on-premises directory (Contoso.com AD, Fabrikam corp.fabrikam.local AD, Exchange) into a Metaverse, and a Sync Management Agent writes the merged identities to Microsoft Azure Active Directory.
Identity & access management
AZURE
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security
CUSTOMER
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD
[Diagram: End Users & Administrators authenticate through Azure Active Directory to Cloud apps; the on-premises Active Directory is extended to Azure AD]
Access monitoring and logging
Azure
• Uses password hashes for synchronization
• Offers security reporting that tracks inconsistent traffic patterns, including:
  – Sign-ins from unknown sources
  – Multiple failed sign-ins
  – Sign-ins from multiple geographies in short timeframes
  – Sign-ins from suspicious IP addresses and suspicious devices
Customer
• Reviews reports and mitigates potential threats
• Can enable Multi-Factor Authentication
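Added example, not part of the deck and not Azure AD's reporting logic: a small detector run over constructed sign-in records for three of the patterns listed above, multiple failed sign-ins in a short window, sign-ins from several geographies within an hour, and sign-ins from a known-suspicious address. The records, the thresholds and the suspicious-IP list are all constructed for the illustration.

```python
"""Sign-in anomaly detection over constructed audit records (added illustration).

Constructed example, not Microsoft code. Detects three of the patterns the
slide lists. Records, thresholds and the suspicious-IP list are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed records: timestamp, user, source IP, country, result
SIGNINS = [
    "2024-05-01T08:00:00Z alice 198.51.100.10 BR success",
    "2024-05-01T08:05:00Z alice 203.0.113.7 RU failure",
    "2024-05-01T08:05:20Z alice 203.0.113.7 RU failure",
    "2024-05-01T08:05:40Z alice 203.0.113.7 RU failure",
    "2024-05-01T08:06:00Z alice 203.0.113.7 RU failure",
    "2024-05-01T08:06:30Z alice 203.0.113.7 RU failure",
    "2024-05-01T08:40:00Z alice 203.0.113.7 RU success",
    "2024-05-01T09:00:00Z bob 192.0.2.4 BR success",
    "2024-05-01T17:00:00Z bob 192.0.2.4 BR success",
]

SUSPICIOUS_IPS = {"203.0.113.7"}           # constructed reputation list
FAILURE_THRESHOLD = 5                      # this many failures ...
FAILURE_WINDOW = timedelta(minutes=10)     # ... within this window
GEO_WINDOW = timedelta(hours=1)            # two countries within this window

Alert = Tuple[str, str, str]               # (user, alert kind, detail)


def parse(line: str) -> Dict[str, object]:
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result}


def detect(lines: List[str]) -> List[Alert]:
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by_user: Dict[str, list] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts: List[Alert] = []
    for user, evs in by_user.items():
        # Multiple failed sign-ins: sliding window over the failures only.
        failures = [e for e in evs if e["result"] == "failure"]
        for i, first in enumerate(failures):
            window = [f for f in failures[i:] if f["ts"] - first["ts"] <= FAILURE_WINDOW]
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append((user, "multiple_failed_signins", first["ip"]))
                break
        # Multiple geographies: consecutive successes from different countries.
        successes = [e for e in evs if e["result"] == "success"]
        for a, b in zip(successes, successes[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= GEO_WINDOW:
                alerts.append((user, "multi_geo_signin", f"{a['country']}->{b['country']}"))
                break
        # Suspicious source: a successful sign-in from a listed address.
        for e in successes:
            if e["ip"] in SUSPICIOUS_IPS:
                alerts.append((user, "signin_from_suspicious_ip", e["ip"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNINS):
        print(alert)
```

Each detector stops at the first hit per user so that one noisy account yields one alert per pattern; the successful sign-in that follows the burst of failures is what makes the combination worth reviewing, which is the step the slide assigns to the customer.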
Security: Azure Security Center
Azure Security Center
• Central view of your
security posture
• Connect with partner
security solutions
• Keep same MMA Agent
(used by SCOM and OMS).
• Search data using Log
Analytics query language
(used by OMS)
• New: Hybrid Cloud
Protection for On-Prem and
Azure VMs
Azure Security Center
• Monitor the security state
of resources
• Prioritized
recommendations
• Easily deploy partner
security solutions
• Security policies for
subscriptions and
resource groups
• Central view of your
security posture
• Prioritized security alerts
Azure Security Center
Advanced Prevention
• Application whitelisting
• Just-in-time network access
to VMs
Advanced Threat Detection
• Brute force detections
• Outbound DDoS Botnet Detection
• New behavioral analytics for servers and VMs to identify suspicious activity
• Azure SQL database threat detection
https://azure.microsoft.com/en-us/blog/preview-the-new-enhancements-to-azure-security-center/
Security Dashboards
Deliver Rapid Insights into Security State Across All Workloads
[Diagram: Security Policies, Recommendations and Security Alerts, all exposed through an API]
Security Policies
• Enable or Disable VM data collection and send it to Azure Storage.
• Configured based on Prevention Policy categories such as:
  • System Updates
  • OS vulnerabilities
  • Endpoint Protection
  • Disk Encryption
  • Network Security Groups
  • Etc.
• Created globally for a subscription, which all resource groups will inherit. Inheritance can be overwritten per resource group.
• Email and SMS Text for incident alerts.
Recommendations
• What has Security Center observed in the Azure infrastructure and what is the recommendation on these incidents for Prevention purposes.
• Based on advanced vs. basic threat analytics tier chosen
• Auto-remediation steps available on each recommendation
• Recommendations must be periodically scanned
Security Alerts
• What has Security Center detected in the Azure infrastructure and what is the alert on these incidents for Remediation purposes.
• Provides report and remediation steps
• Alerts must be periodically scanned
Demo: Azure Security Center
Azure Certifications
New Azure Certifications
Azure Apps and Infrastructure certifications
Learning path for Azure Administrator role
Learning path for Azure Developer role
Learning path for Azure Solutions Architect role
Useful Links
• https://www.microsoft.com/en-us/learning/exam-AZ-900.aspx
• https://www.microsoft.com/en-us/learning/azure-administrator.aspx
• https://www.microsoft.com/en-us/learning/azure-developer.aspx
• https://www.microsoft.com/en-us/learning/azure-solutions-architect.aspx
• http://aka.ms/azreadiness
Useful Links
• http://aka.ms/learn
• http://aka.ms/azure-pluralsight
• http://ricardomartins.com.br
Wrap Up
© Copyright Microsoft Corporation. All rights reserved.