Azure platform overview (slide diagram; only the service labels are recoverable):
• Compute services: IaaS Virtual Machines, VM Scale Sets, VM Extensions, Containers (Docker, DC/OS, Swarm, Kubernetes, Service Fabric, Batch, Cloud Services; others: OpenShift, Cloud Foundry, Jelastic, Pivotal, Apprenda)
• Platform services: Application Platform (Web Apps, Mobile Apps, API Apps, Logic Apps, Functions, Service Bus, API Management, BizTalk Services, Notification Hubs, Scheduler, Automation), Data (SQL Database, SQL Data Warehouse, DocumentDB, SQL Server Stretch Database, Redis Cache, Storage Tables, Azure Search), Analytics & IoT, Media & CDN (Media Services, Media Analytics, Content Delivery), Intelligence (Cognitive Services, Bot Framework, Cortana), Developer Services, Integration, Hybrid Cloud
• Security & Management: Azure Active Directory, Azure AD B2C, Azure AD Domain Services, Multi-Factor Authentication, AD Privileged Identity Management, Security Center, Health Monitoring, Portal, Backup
• Infrastructure services: Compute (Virtual Machines, Containers), Storage (Blob, Queues, Files, Disks), Networking (Virtual Network, Load Balancer, Express Route, Traffic Manager, VPN Gateway, App Gateway, DNS)
Azure regions
Achieve global scale, in local regions
Availability Zone
• Availability Zones are physically separate locations within an Azure region. Each
Availability Zone is made up of one or more datacenters equipped with
independent power, cooling, and networking.
https://azure.microsoft.com/en-us/global-infrastructure/regions/
Geographies, Regions and AZ’s
Paired regions for geo-redundancy
Paired regions provide: North Central US South Central US
Integrated clouds (diagram): two Azure IaaS | Azure PaaS environments form one Azure ecosystem with common identity, a consistent data platform, and unified management and security; the shared layers are management, PaaS and applications, DevOps, app frameworks and tools, databases and middleware, and infrastructure.
Open Source Investments are Fueling the Momentum
• Our Products: SQL Server on Linux, R Server, .NET Core, Roslyn, TypeScript, F#, PowerBI Visuals, Office UI Fabric, Tools plugins, autorest
• Our Offerings: Azure Marketplace, where 60% of all images are based on Linux/OSS
Azure Enterprise Scaffold
• Pillars: Azure Resource Policy and Audit, Resource Groups, Naming Standards, Role Based Access Controls, Core Azure Automation, Azure Security Center
• Foundation: Subscriptions, Account/Enterprise Agreement
Define your Hierarchy
The foundation: enterprise enrollment
…and departments/accounts and most importantly: subscriptions
(Diagram: the Enterprise enrollment at the top, with departments such as Department A, Department B, Finance, IT, Auto and Aerospace, and the regions North America and Europe beneath it.)
https://azure.microsoft.com/en-us/features/cloud-shell/
http://aka.ms/CloudShell
© Microsoft Corporation
Naming Standards
aka.ms/Azure/Policies
{
  "if" : {
    <condition> | <logical operator>
  },
  "then" : {
    "effect" : "deny | audit | append"
  }
}
Tag is your metadata store
Example: a resource group tagged with
  owner: joe
  department: marketing
  cost-center: marketing
  environment: production
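A policy definition in the if/then shape above, added here as an example (it is not from the page): it denies creation of any resource group that lacks the department or environment tag from the tag example, so the metadata store cannot be left empty. The displayName is an assumption; "mode": "All" is required because the Indexed mode does not evaluate resource groups.

```json
{
  "properties": {
    "displayName": "Require department and environment tags on resource groups (constructed example)",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
          {
            "anyOf": [
              { "field": "tags['department']", "exists": "false" },
              { "field": "tags['environment']", "exists": "false" }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Changing the effect to "audit" keeps the same condition but only reports non-compliant resource groups instead of blocking them.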
Role-Based Access Control (RBAC)
Roles
• Owner has full access to all resources including the right to delegate access to others
• Contributor can create and manage all types of Azure resources but can’t grant access to others
Custom roles:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Role-Based Access Control (RBAC)
Hierarchy and Inheritance
(Diagram: Subscription, then Resource Group, then Resources; Owner, Contributor and Reader assignments made at a higher scope are inherited by the scopes below.)
Best practices: RBAC and Policy
• Designed to work together
• User must get past RBAC restrictions first
• Policy can restrict the actions you can perform in addition to RBAC rights
Resource Locks
Ensures stability of subscriptions by locking key resources from deletion or modification
• Read-only (can’t modify or delete)
• Delete (can modify but can’t delete)
Governance: Monitoring
Azure Service Health
• Provides personalized guidance and support when issues in Azure services affect you
• Helps you prepare for upcoming planned maintenance
• Data sourced from https://azure.microsoft.com/en-us/status/
https://azure.microsoft.com/en-us/features/service-health/
Full observability for your infra, app and network
Azure Monitor (diagram): sources (Application, Operating System, Azure Resources, Azure Subscription, Azure Tenant, Custom Sources) feed Metrics and Logs into a common store; on top of it sit Insights (Application, Containers, VM, Monitoring Solutions), Visualize (Dashboards, Views, Power BI, Workbooks), Analyze (Metrics Explorer, Log Analytics), Respond (Alerts, Autoscale) and Integrate (Event Hubs, Logic Apps, Ingest & Export APIs).
Azure Monitor for VMs
• Monitor VMs at scale
• Identify and isolate host-level or guest-level health problems
• Visualize service dependencies and connection failures in Maps
• Onboard VMs at scale using PowerShell and/or Azure Policy
Azure Monitor for Containers
• Monitor multi-cluster health and node/pod status
• Monitor containers on demand in AKS with virtual nodes
• Drill through Kube events
• Onboard monitoring using az aks CLI commands
Azure Monitor Logs
• Log Analytics advanced query experience now in the Azure Portal
• Utilize ML algorithms for clustering and anomaly detection
• RBAC per type
Azure Monitor for VMs
Training:
http://aka.ms/kqlpluralsight
Azure Network Watcher
• Topology: visualize your network topology
• Metrics: measure and view your network performance and health
• Diagnostics: diagnostic tools for networking related issues (Variable Packet Capture, IP Flow Verify, Next Hop, Security Group View, VPN Troubleshoot)
• Logs: configure and view your logs (Network Security Group Flow logs, Subscription Limits); a single place to configure all logs and alerts
Azure Advisor
• Personalized Cloud Consultant
• Actionable recommendations to improve resource availability, security, performance, and cost
• Implement fixes quickly from inline recommendations
https://azure.microsoft.com/en-us/services/advisor/
Use a cost effective solution to manage performance goals of multiple SQL databases
Azure Load Balancing Options
Scale and Provide High Availability
(Table, Solution / Feature / Coverage / Deployment; only one row survives: Application Gateway, Layer 7 (HTTP/HTTPS), dedicated deployment. The diagram also shows DNS and a back-end pool of 10.0.0.1, 10.0.0.2, 10.0.0.3.)
Azure Storage services (diagram):
• Disks: persistent disks for Azure IaaS VMs
• Files: fully managed file shares in the cloud
• Blobs: highly scalable, tiered, REST based cloud object store
• Tables: massive auto-scaling NoSQL store
• Queues: reliable queues at scale for cloud services
Replication options (how it works / total copies):
• LRS: makes multiple synchronous copies of your data within a single datacenter; recommended for VM disks; 3 copies
• ZRS: stores three copies of data across multiple datacenters within or across regions; for block blobs only; 3 copies
• GRS: same as LRS, plus multiple asynchronous copies to a second datacenter in a region hundreds of miles away; 6 copies
• RA-GRS: same as GRS, plus read access to the secondary datacenter; 6 copies
Premium vs Standard disks
• Storage media: Premium uses SSD (Solid State Drives); Standard uses HDD (Hard Disk Drives)
• Overview: Premium gives high-performance, low-latency disk support for IO-intensive enterprise workloads like databases; Standard is cost effective disk support for Dev/Test scenarios
• Target scenarios: Premium for migrating high performance mission critical workloads to Azure; Standard for dev/test workloads, non-critical, infrequent access, and applications that are not affected by latency/performance variations
• Instance sizes: Premium is supported on the DS, DSv2, GS, Ls, or FS VM series; Standard is supported on all VM series
Upgrade from Standard to Premium
• Stop the VM
• Update to a Premium capable VM size
• Update storage type to Premium
• Reboot
Managed Disk Snapshots
• Read-only full copy of a Managed Disk
• Stored in a Standard (HDD) account type by default, or Premium (SSD)
• Option to create new Managed Disks based on Snapshots
(Diagram: Managed Disk 1 → Managed Snapshot (Read-only) → Managed Disk 2 … Managed Disk N)
Images
• Create custom images from custom VHDs or generalized VMs
• VM needs to be deallocated
• Captures in a single image all managed disks associated with a VM (both OS and data disks)
• Option to create new VMs based on your custom image
(Diagram: VM 1 (generalized, deallocated) → VM Image → VM 2 … VM N)
Azure Files
Lift and Shift
Variety of clients/protocols
• SMB 2.1, 3.0, REST
• Windows, Linux, Mac OS
• Azure and on-premises access
Secure
• Encryption at rest
• Secure communication over SMB
(Diagram: an application or virtual machine client, on-premises or in Azure, connects to the Azure Files share \\<account>.file.windows.net\<share> over SMB; port 445 outbound must be open.)
Walkthrough: Create an Azure Storage Account
https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account
Compute
Compute options on IaaS
• Entry Level: Dev/Test workloads
• Small Workloads: small footprint workloads
• General Purpose: common applications, web servers
• Compute Optimized: gaming, analytics based applications
• GPU-enabled: graphic applications, remote visualization
• Storage optimized: NoSQL databases (Cassandra, MongoDB), data warehousing
• Large Memory: large databases
• High Performance: batch processing, fluid dynamics, Monte Carlo simulation
• Memory Optimized: database workloads
• Memory Optimized, SAP HANA Large instances: large enterprise applications including SAP HANA; OLTP, OLAP
(VM diagram: a VM with a NIC and a Public IP Address reachable from the Internet, Managed Disks Data 1 and Data 2, and a logs storage account.)
Availability sets
Logical group of resources that Azure places on physical fault domains and update domains
Fault domains
• Ensures that the members of the availability set have separate power and network resources
Update domains
(Diagram: VMs spread across UD 0, UD 1 and UD 2)
VM features (slide title not recoverable):
• Windows or Linux VM
• VM extensions
• Open PaaS platform …
• Ease of management: focus on target instance count; updateable
• Scalable NIC and storage
• Extensions
Walkthrough: Create an Azure VM
Backup and Recovery Services
Azure Backup
(Diagram: data blocks from disks are captured by snapshot into Tier 2 recovery points)
• Lightning Fast Backups
• Ideal for Patch Scenarios
• Full Restore Fidelity
Azure Site Recovery
• Private cloud to Azure (Hyper-V hosts)
• Any cloud / public cloud to Azure (MARS Agent)
• Azure to Azure
• Optionally configure re-protection and Failback
Walkthrough: Configuring Azure Virtual Machines for Backup
Proof of Concept: Deploying a highly available application
https://github.com/Azure/onboarding-guidance/blob/master/Scenarios/POC%20Scenario-HTTP.md
https://github.com/Azure/azure-quickstart-templates
Azure Components Needed
• Resource Group
• Virtual Network
• Network Security Group
• Load Balancer
• Availability Set
• Virtual Machines
• Storage Accounts
High Level Steps
• Pin frequently used Azure resources
• Create a Resource Group
• Create a VNET and Subnet
• Create 2 VMs and add them to an Availability Set
• Install IIS on both VMs to make them web servers
• Modify the default web page on each VM so it identifies its web server
• Create a Public Load Balancer and assign it a static public IP
• Assign a DNS name to the Load Balancer
• Update the NSG on the two VMs' NICs to allow HTTP traffic
• Test the web site by browsing to the Load Balancer DNS name
• The LB will balance the traffic between the two web servers
ARM Fundamentals
Azure Resource Manager Overview
JSON vs XML (the same data expressed in XML, for comparison with the JSON template format):
  <root type="object">
    <product type="string">pencil</product>
    <price type="number">12</price>
  </root>
{
  "$schema": "http://schema..../deploymentTemplate.json#",
  "contentVersion": "",
  "parameters": { },
  "variables": { },
  "resources": [ ],
  "outputs": { }
}
https://github.com/Azure/azure-quickstart-templates/
Parameters: values that are provided when deployment is executed to customize resource deployment
"parameters": {
  "<parameter-name>" : {
    "type" : "<type-of-parameter-value>",
    "defaultValue": "<default-value-of-parameter>",
    "allowedValues": [ "<array-of-allowed-values>" ],
    "minValue": <minimum-value-for-int>,
    "maxValue": <maximum-value-for-int>,
    "minLength": <minimum-length-for-string-or-array>,
    "maxLength": <maximum-length-for-string-or-array-parameters>,
    "metadata": {
      "description": "<description-of-the parameter>"
    }
  }
},
"variables": {
  "environmentSettings": {
    "test": {
      "instancesSize": "Small",
      "instancesCount": 1
    },
    "prod": {
      "instancesSize": "Large",
      "instancesCount": 4
    }
  },
  "currentEnvironmentSettings": "[variables('environmentSettings')[parameters('environmentName')]]",
  "instancesSize": "[variables('currentEnvironmentSettings').instancesSize]",
  "instancesCount": "[variables('currentEnvironmentSettings').instancesCount]"
}
"resources": [
  {
    "apiVersion": "<api-version-of-resource>",
    "type": "<resource-provider-namespace/resource-type-name>",
    "name": "<name-of-the-resource>",
    "location": "<location-of-resource>",
    "tags": "<name-value-pairs-for-resource-tagging>",
    "comments": "<your-reference-notes>",
    "dependsOn": [
      "<array-of-related-resource-names>"
    ],
    "properties": "<settings-for-the-resource>",
    "copy": {
      "name": "<name-of-copy-loop>",
      "count": "<number-of-iterations>"
    },
    "resources": [
      "<array-of-child-resources>"
    ]
  }
]
"outputs": {
  "siteUri" : {
    "type" : "string",
    "value": "[concat('http://',reference(resourceId('Microsoft.Web/sites', parameters('siteName'))).hostNames[0])]"
  }
}
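A complete template assembled from the parameter, variable, resource and output sections shown above, added here as an example (it is not from the page or the quickstart repository). It picks an instance count from environmentSettings by the environmentName parameter and uses a copy loop to deploy that many Network Security Groups whose only inbound rule admits HTTP on port 80, the NSG change the PoC scenario calls for; the NSG name prefix, the rule name and the 2018-08-01 apiVersion are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "environmentName": {
      "type": "string",
      "defaultValue": "test",
      "allowedValues": [ "test", "prod" ],
      "metadata": { "description": "Selects the environmentSettings block to use" }
    }
  },
  "variables": {
    "environmentSettings": {
      "test": { "instancesCount": 1 },
      "prod": { "instancesCount": 4 }
    },
    "currentEnvironmentSettings": "[variables('environmentSettings')[parameters('environmentName')]]",
    "instancesCount": "[variables('currentEnvironmentSettings').instancesCount]"
  },
  "resources": [
    {
      "apiVersion": "2018-08-01",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[concat('web-nsg-', copyIndex())]",
      "location": "[resourceGroup().location]",
      "comments": "Constructed example: one NSG per web VM, copyIndex() runs from 0 to instancesCount-1",
      "copy": { "name": "nsgLoop", "count": "[variables('instancesCount')]" },
      "properties": {
        "securityRules": [
          {
            "name": "allow-http-inbound",
            "properties": {
              "description": "Only TCP/80 is opened; other inbound Internet traffic hits the default DenyAllInBound rule",
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "Internet",
              "destinationAddressPrefix": "*"
            }
          }
        ]
      }
    }
  ],
  "outputs": { "nsgCount": { "type": "int", "value": "[variables('instancesCount')]" } }
}
```

Deploying with environmentName set to prod creates web-nsg-0 through web-nsg-3; any value outside allowedValues is rejected before deployment starts.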
Demo: Deploy an ARM Template:
http://aka.ms/workshop-arm-template
Security: Azure Datacenter
Microsoft Azure Security Video
• https://youtu.be/r1cyTL8JqRg
Security: Network Connected Resources (IaaS)
User Defined Routes (UDR)
• Control traffic flow in your network with custom routes
(Diagram: the System Route sends traffic directly to the Internet; a UDR sends it through a VM/Appliance with “IP Forwarding” enabled)
Network Security Group (NSG)
• Layer 3-4
(Diagram: NSG applied to VM1 and VM2)
(Directory synchronization diagram: the on-premises directories Contoso.com AD and corp.fabrikam.local AD, plus Exchange, each connect through a Management Agent to a Metaverse, which syncs to Microsoft Azure Active Directory.)
Identity & access management
Azure (Azure Active Directory):
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security
Customer (end users & administrators, on-premises Active Directory, cloud apps):
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD
Access monitoring and logging
(Table of Azure vs customer responsibilities for user and non-user access; cell contents not recoverable.)
https://azure.microsoft.com/en-us/blog/preview-the-new-enhancements-to-azure-security-center/
Security Dashboards
Deliver Rapid Insights into Security State Across All Workloads (Portal and API)
Security Policies
• Enable or disable VM data collection and send it to Azure Storage
• Configured based on Prevention Policy categories such as: System Updates, OS vulnerabilities, Endpoint Protection, Disk Encryption, Network Security Groups, etc.
• Created globally for a subscription, which all resource groups will inherit. Inheritance can be overwritten per resource group.
• Email and SMS text for incident alerts
Recommendations
• What Security Center has observed in the Azure infrastructure and what the recommendation is on these incidents, for prevention purposes
• Based on the advanced vs. basic threat analytics tier chosen
• Auto-remediation steps available on each recommendation
• Recommendations must be periodically scanned
Security Alerts
• What Security Center has detected in the Azure infrastructure and what the alert is on these incidents, for remediation purposes
• Provides a report and remediation steps
• Alerts must be periodically scanned
Demo: Azure Security Center
Azure Certifications
New Azure Certifications
Azure Apps and Infrastructure certifications
Learning path for Azure Administrator role
Learning path for Azure Developer role
Learning path for Azure Solutions Architect role
Useful Links
https://www.microsoft.com/en-us/learning/exam-AZ-900.aspx
https://www.microsoft.com/en-us/learning/azure-administrator.aspx
https://www.microsoft.com/en-us/learning/azure-developer.aspx
https://www.microsoft.com/en-us/learning/azure-solutions-architect.aspx
http://aka.ms/azreadiness
Useful Links
http://aka.ms/learn
http://aka.ms/azure-pluralsight
http://ricardomartins.com.br
Wrap Up