AZ-300T01
Deploying and Configuring Infrastructure

Contents

Module 0 Start Here
  Welcome to Deploying and Configuring Infrastructure
Module 1 Managing Azure Subscriptions and Resources
  Exploring Monitoring Capabilities in Azure
  Network Watcher
  Subscriptions and Accounts
  Review Questions
Module 2 Implementing and Managing Storage
  Data Replication
  Storing and Accessing Data
  Monitoring Storage
  Review Questions
Module 3 Deploying and Managing Virtual Machines (VMs)
  Creating Virtual Machines
  Backup and Restore
  Virtual Machine Extensions
  Monitoring Virtual Machines
  Review Questions
Module 4 Configuring and Managing Virtual Networks
  Azure Virtual Networks
  Review of IP Addressing
  Network Routing
  Intersite Connectivity
  Virtual Network Peering
  Review Questions
Module 5
  Managing Azure Active Directory (AAD)
  Implementing and Managing Hybrid Identities

Welcome to Deploying and Configuring Infrastructure

About This Course: Deploying and Configuring Infrastructure


Module 0 Start Here

MCT USE ONLY. STUDENT USE PROHIBIT

You will become skilled with the monitoring tools and capabilities provided by Azure, including Azure Alerts and Activity Logs. In addition to alerts and logs, you will be introduced to Log Analytics as an effective data analytics solution for understanding system status and health. And perhaps the most exciting thing you will discover is how to utilize the Azure Resource Manager deployment model to

as well as an introduction to key tools used in the Azure environment, such as the Cloud Shell and Resource Explorer. Emphasis is focused on PowerShell and the command line interface (CLI) as important

Log Analytics. You will learn to query, analyze, and interpret the data viewed in Log Analytics.

Module 1 online lab:

Module 3 - Deploying and Managing Virtual Machines (VMs)

In this module you will learn how to do the following:

Monitor Virtual Machines (VM)s

Additionally, you will learn how to protect data using backups at regular intervals, using snapshots, Azure

In this module you will create and implement virtual networks using the Azure Portal as well as Azure PowerShell and CLI. You will receive an overview on how to assign IP addresses to Azure resources to

Virtual network peering for regional and global considerations

Gateway transit to allow gateway transit for the virtual network to communicate with resources

Module 5 online lab:

● This module contains the lab Implementing User-Assigned Managed Identities.

Module 1 Managing Azure Subscriptions and Resources

Exploring Monitoring Capabilities in Azure


stores for metrics and logs, which are the two fundamental types of data used by Azure Monitor. On the left are the sources of monitoring data that populate these data stores. On the right are the different

Monitoring data platform

All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs. Metrics are

For many Azure resources, you'll see data collected by Azure Monitor right in their Overview page in the Azure portal. Have a look at any virtual machine for example, and you'll see several charts displaying performance metrics. Click on any of the graphs to open the data in Metric explorer in the Azure portal,


● Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.

● Azure resource monitoring data: Data about the operation of an Azure resource.

Add an instrumentation package to your application, to enable Application Insights to collect detailed information about your application including page views, application requests, and exceptions. Further verify the availability of your application by configuring an availability test to simulate user traffic.

Custom sources


Logs contain different kinds of data organized into records with different sets of properties for each

Log data collected by Azure Monitor is stored in Log Analytics which includes a rich query language to quickly retrieve, consolidate, and analyze collected data. You can create and test queries using the Log Analytics page in the Azure portal and then either directly analyze the data using these tools or save queries for use with visualizations or alert rules.

Azure Monitor uses a version of the Data Explorer query language that is suitable for simple log queries but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly learn the query language using multiple lessons. Particular guidance is provided to users who are already familiar with SQL and Splunk.


subscription, as well as data about the health and operation of Azure itself.

Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as

Extend the data you're collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. This will collect telemetry for the internal operation of the

through other sources.

For more information, you can see:

Azure Fridays, Azure Monitor - https://channel9.msdn.com/Shows/Azure-Friday/Azure-Monitor/

updates on Service Health events.

With the Activity Log, you can determine the ‘what, who, and when’ for any write operations (PUT, POST,

When the operation occurred.

The status of the operation.

Query the Activity Log

Event initiated by. The ‘caller,’ or user who performed the operation.

Administrative. This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include “create virtual machine” and "delete network security group". The Administrative category also includes any changes to role-based access control in a subscription.

Security. This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is “Suspicious double extension file executed.”

Policy and Resource Health. These categories do not contain any events; they are reserved for future use.


The Monitor Alerts experience has many benefits.

View Log Analytics alerts in Azure portal. You can now also see Log Analytics alerts in your subscription. Previously these were in a separate portal.

Separation of Fired Alerts and Alert Rules. Alert Rules (the definition of the condition that triggers
Better workflow. The new alerts authoring experience guides the user along the process of configur-

The new alerts experience in Azure Monitor - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts

Alert rules are separated from alerts and the actions that are taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled. The key attributes of an alert rule are:
Target Resource – Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines), you can specify multiple resources as the target of the alert rule.

Severity – The severity of the alert once the criteria specified in the alert rule is met. Severity can range from 0 to 4.

Action – A specific action taken when the alert is fired. See the Action Groups topic coming up.


you to identify and address issues before the users of your system notice them. Alerts consist of alert rules, action groups, and monitor conditions.


Percentage CPU > 70%; Server Response Time > 4 ms; and Result count of a log query > 100.

Alert Name – A specific name for the alert rule configured by the user.

Alert Description – A description for the alert rule configured by the user.

An action group is a collection of notification preferences defined by the owner of an Azure subscription.

Azure Monitor and Service Health alerts use action groups to notify users that an alert has been trig-

Email – Emails will be sent to the email addresses. Ensure that your email filtering is configured

Function App – The function keys for Function Apps configured as actions are read through the Functions API.

period for a response is 10 seconds. The webhook call will be retried a maximum of 2 times when the following HTTP status codes are returned: 408, 429, 503, 504 or the HTTP endpoint does not respond.
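The retry policy just described is something a webhook receiver has to be designed around: the same alert payload can arrive more than once, for instance when the receiver processed the request but its reply was lost inside the 10-second window, so the receiver must be idempotent. The Python script below is an added example, not code from this course or from Azure. It models the stated policy (10-second response window, at most 2 retries, retried only on 408, 429, 503, 504 or no response) with an injectable sender so it runs offline, and pairs it with a receiver that deduplicates on a constructed `alertId` field. The `scripted_sender` helper, the `IdempotentReceiver` class and the sample payload are assumptions made for the demonstration.

```python
# Added example: simulate Azure Monitor's stated webhook retry policy against an
# idempotent receiver. Not Azure's code; sender and receiver are stand-ins.

RESPONSE_TIMEOUT_SECONDS = 10          # response window stated in the text
MAX_RETRIES = 2                        # at most 2 retries after the first attempt
RETRYABLE_STATUS = {408, 429, 503, 504}


def deliver_webhook(send, payload):
    """Deliver `payload` via `send(payload, timeout_seconds)`.

    `send` returns an HTTP status code or raises TimeoutError when the endpoint
    does not respond. Returns (delivered, attempts). A 2xx ends delivery; a
    retryable status or no response is retried up to MAX_RETRIES times; any
    other status (e.g. 401, 500) is treated as final and is not retried.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            status = send(payload, RESPONSE_TIMEOUT_SECONDS)
        except TimeoutError:
            status = None  # no response inside the window
        if status is not None and status not in RETRYABLE_STATUS:
            return 200 <= status < 300, attempts
        if attempts > MAX_RETRIES:
            return False, attempts  # first attempt plus MAX_RETRIES retries exhausted


class IdempotentReceiver:
    """Receiver that processes each alertId once, so redelivery is harmless."""

    def __init__(self):
        self.seen = set()
        self.processed = []
        self.duplicates = 0

    def handle(self, payload):
        alert_id = payload["alertId"]  # constructed dedup key (assumption)
        if alert_id in self.seen:
            self.duplicates += 1
            return "duplicate"
        self.seen.add(alert_id)
        self.processed.append(payload)
        return "processed"


def scripted_sender(receiver, script):
    """Build a `send` callable whose behaviour follows `script`, one entry per attempt:
    'ok'            -> receiver handles the request and answers 200
    'lost_response' -> receiver handles the request but the reply never arrives
    'timeout'       -> the request never reaches the receiver
    <int>           -> endpoint answers that status without processing anything
    """
    outcomes = iter(script)

    def send(payload, timeout_seconds):
        outcome = next(outcomes)
        if outcome == "ok":
            receiver.handle(payload)
            return 200
        if outcome == "lost_response":
            receiver.handle(payload)
            raise TimeoutError("no response within %d s" % timeout_seconds)
        if outcome == "timeout":
            raise TimeoutError("no response within %d s" % timeout_seconds)
        return outcome

    return send


def run_scenario(script):
    """Run one delivery against a fresh receiver; returns (delivered, attempts, receiver)."""
    receiver = IdempotentReceiver()
    payload = {"alertId": "alert-0001", "severity": 2}  # constructed sample payload
    delivered, attempts = deliver_webhook(scripted_sender(receiver, script), payload)
    return delivered, attempts, receiver


if __name__ == "__main__":
    for script in (["ok"], [503, 503, "ok"], ["lost_response", "ok"], [500], ["timeout"] * 3):
        delivered, attempts, receiver = run_scenario(script)
        print(script, "->", "delivered" if delivered else "gave up", "after", attempts,
              "attempt(s);", len(receiver.processed), "processed,",
              receiver.duplicates, "duplicate(s)")
```

The `lost_response` scenario is the one that matters for the receiver: the work is done once, the retry is recognised as a duplicate, and nothing is processed twice. A receiver without the dedup key would act on the same alert twice.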


Lists each action taken by the alert and any changes made to the alert. Currently limited to state changes.

Smart group


5. Define the Alert logic. This will determine the logic which the metric alert rule will evaluate.

6. If you are using a static threshold, the metric chart can help determine what might be a reasonable threshold. If you are using a Dynamic Thresholds, the metric chart will display the calculated thresholds based on recent data.

7. Click Done.

Administrative - This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include "create virtual machine" and "delete network security group". Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. The Administrative category also includes any changes to role-based access control in a subscription.

Service Health - This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is "SQL Azure in East US is experiencing downtime." Service health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security, and only appear if you have a resource in the subscription that would be impacted by the event.

Security - This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is "Suspicious double extension file executed."

Policy - This category does not contain any events; it is reserved for future use.
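To make the category descriptions above and the earlier "what, who, and when" wording concrete, here is an added Python example that triages a batch of Activity Log records: it counts records per category, collapses each Write/Delete/Action operation's start record and its success or failure record into one entry keyed by correlation id, and pulls out the role-assignment changes that the Administrative category carries. It is not Azure's code or the course's; the record shape is a simplified, constructed version of an Activity Log event (the key names `category`, `operationName`, `caller`, `status`, `eventTimestamp`, `correlationId`, `resourceId` are assumed), the sample lines are invented, and treating operation names under `Microsoft.Authorization/roleAssignments/` as RBAC changes is an assumption.

```python
# Added example: triage constructed Activity Log records by category and derive
# the "what, who, when" of write operations. Simplified record shape, not the
# exact Azure schema; every sample line below is invented.
import json
from collections import defaultdict

SAMPLE_ACTIVITY_LOG = """
{"category": "Administrative", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "alice@contoso.example", "status": "Started", "eventTimestamp": "2019-05-01T10:00:00Z", "correlationId": "c1", "resourceId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"category": "Administrative", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "alice@contoso.example", "status": "Succeeded", "eventTimestamp": "2019-05-01T10:00:42Z", "correlationId": "c1", "resourceId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"category": "Administrative", "operationName": "Microsoft.Network/networkSecurityGroups/delete", "caller": "bob@contoso.example", "status": "Started", "eventTimestamp": "2019-05-01T10:05:00Z", "correlationId": "c2", "resourceId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/web-nsg"}
{"category": "Administrative", "operationName": "Microsoft.Network/networkSecurityGroups/delete", "caller": "bob@contoso.example", "status": "Failed", "eventTimestamp": "2019-05-01T10:05:03Z", "correlationId": "c2", "resourceId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/web-nsg"}
{"category": "Administrative", "operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@contoso.example", "status": "Started", "eventTimestamp": "2019-05-01T10:10:00Z", "correlationId": "c3", "resourceId": "/subscriptions/sub-0000/providers/Microsoft.Authorization/roleAssignments/ra1"}
{"category": "Administrative", "operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@contoso.example", "status": "Succeeded", "eventTimestamp": "2019-05-01T10:10:01Z", "correlationId": "c3", "resourceId": "/subscriptions/sub-0000/providers/Microsoft.Authorization/roleAssignments/ra1"}
{"category": "Security", "operationName": "Microsoft.Security/locations/alerts/activate/action", "caller": "Azure Security Center", "status": "Active", "eventTimestamp": "2019-05-01T10:12:00Z", "correlationId": "c4", "resourceId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"category": "ServiceHealth", "operationName": "Microsoft.ServiceHealth/incident/action", "caller": "", "status": "Active", "eventTimestamp": "2019-05-01T10:15:00Z", "correlationId": "c5", "resourceId": "/subscriptions/sub-0000"}
"""

WRITE_SUFFIXES = ("/write", "/delete", "/action")          # the operation types the text names
RBAC_PREFIX = "Microsoft.Authorization/roleAssignments/"   # assumption: role-assignment changes live here


def load_events(jsonl):
    """Parse one JSON record per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def category_counts(events):
    """How many records fall into each Activity Log category."""
    counts = defaultdict(int)
    for event in events:
        counts[event["category"]] += 1
    return dict(counts)


def is_write_operation(operation_name):
    return operation_name.endswith(WRITE_SUFFIXES)


def pair_write_operations(events):
    """Collapse a Started record and its Succeeded/Failed record into one entry.

    Keyed by correlationId; 'when' is the start time and 'status' is the last
    status seen in timestamp order, so a lone Started record stays in flight.
    """
    operations = {}
    for event in sorted(events, key=lambda e: e["eventTimestamp"]):
        if event["category"] != "Administrative" or not is_write_operation(event["operationName"]):
            continue
        entry = operations.setdefault(event["correlationId"], {
            "what": event["operationName"],   # the operation
            "who": event["caller"],           # the caller
            "when": event["eventTimestamp"],  # when it started
            "resource": event["resourceId"],
        })
        entry["status"] = event["status"]
    return operations


def rbac_changes(operations):
    """Role-assignment changes: the Administrative records most worth reviewing."""
    return [op for op in operations.values() if op["what"].startswith(RBAC_PREFIX)]


def failed_operations(operations):
    return [op for op in operations.values() if op["status"] == "Failed"]


if __name__ == "__main__":
    events = load_events(SAMPLE_ACTIVITY_LOG)
    print("records per category:", category_counts(events))
    for corr, op in pair_write_operations(events).items():
        print(corr, op["status"], op["what"], "by", op["who"], "at", op["when"])
    for op in rbac_changes(pair_write_operations(events)):
        print("RBAC change:", op["resource"], "by", op["who"])
```

Sorting by timestamp before pairing is what makes the final status reliable when records arrive out of order; a failed delete and a succeeded role assignment are both surfaced as single entries rather than as two half-events each.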


Export the Activity Log with a Log Profile

● How long the Activity Log should be retained in a Storage Account.

● A retention of zero days means logs are kept forever. Otherwise, the value can be any number of days between 1 and 2147483647.

Log Analytics Scenarios

One of the challenges with any broad data analytics solution is figuring out where you’re going to see value for your organization. Out of all the things that are possible, what does your business need? What we hear from customers is that the following areas all have the potential to deliver significant business value:


Connected Sources

Ensure you can locate each of the following.

● The Log Analytics service (1) collects data and stores it in the OMS repository (2). The OMS Repository is hosted in Azure. Connected Sources provide information to the Log Analytics service.


Data sources are the different kinds of data collected from each connected source. These can include events and performance data from Windows and Linux agents, in addition to sources such as IIS logs and

When you configure the Log Analytics settings you can see the data sources that are available. Data

Logs, Custom Fields, Custom Logs, and Syslog. Each data source has additional configuration options. For example, the Windows Event Log can be configured to forward Error, Warning, or Informational messag-


To give a quick graphical view of the health of your overall environment, you can add visualizations for saved log searches to your dashboard. To analyze data outside of Log Analytics, you can export the data from the repository into tools such as Power BI or Excel. You can also leverage the Log Search API to build custom solutions that leverage Log Analytics data or to integrate with other systems.

The main query tables are: Event, Syslog, Heartbeat, and Alert.

Demonstration - Log Analytics
In this demonstration, you will work with the Log Analytics query language.

Access the demonstration environment
1. Access the Log Analytics Querying Demonstration page.

5. As you have time, experiment with other Favorites and also Saved Queries.

✔️ Is there a particular query you are interested in?

Create a shared dashboard in the Azure portal. Visualize a performance log search.

Add a log search to a shared dashboard.
Customize a tile in a shared dashboard.

Take a few minutes to access the Log Analytics Querying Demonstration page. This page provides a live demonstration workspace where you can run and test queries. Some of the testing queries are:

● See the volume of data collected in the last 24 hours in intervals of 30 minutes.


Network Watcher

issues without logging in to your virtual machines (VMs) using Network Watcher. Trigger packet capture by setting alerts, and gain access to real-time performance information at the packet level.

helps you gather data for compliance, auditing and monitoring your network security profile.

common VPN Gateway and Connections issues, allowing you not only to identify the issue but also to use the detailed logs created to help further investigate.

Network Watcher - https://azure.microsoft.com/en-us/services/network-watcher/

Monitoring and Visualization

machine and an endpoint. The connection monitor capability monitors communication at a regular

For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet.

If an endpoint becomes unreachable, connection troubleshoot informs you of the reason. Potential reasons might be a DNS name resolution problem, the CPU, memory, or firewall within the operating

Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. Network performance monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods aren't able to detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device.

Topology

Verify IP Flow Purpose: Quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from a virtual machine.

Example

If IP flow verify does not return the expected behavior you can investigate the security rule that was involved to determine what is going wrong and make an adjustment.

Next Hop Purpose: To determine if traffic is being directed to the intended destination by showing the next hop. This will help determine if network routing is correctly configured.

outbound traffic from all resources, such as VMs, deployed in a virtual network, are routed based on

next hop capability enables you to specify a source and destination IPv4 address. Next hop then tests the communication and informs you what type of next hop is used to route the traffic. You can then remove,

VPN Diagnostics Purpose: Troubleshoot gateways and connections.

Example


NSG Flow Logs

look for the PT1H.JSON file.

Connection Troubleshoot

Azure Network Watcher Connection Troubleshoot is a more recent addition to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you to troubleshoot network

Identify configuration issues that are impacting reachability.

Provide all possible hop by hop paths from the source to destination.

tion, as shown in the following illustration.

Further examples of different supported network troubleshooting scenarios include:

● Checking the connectivity and latency to a remote endpoint, such as for websites and storage endpoints.


Troubleshoot connections with Azure Network Watcher using the Azure portal - https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal

● Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.

● Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.

For more information, you can see:

Organize your resources with Azure management groups - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management-groups-overview

Typically to grant a user access to your Azure resources, you would add them to the Azure AD directory associated with your subscription. The user will now have access to all the resources in your subscription. This is an all-or-nothing operation that may give that user access to more resources than you anticipated.

✔️ Do you know how many subscriptions your organization has? Do you know how resources are organized into resource groups?

Any Enterprise Agreement25 customer can add Azure to their agreement by making an upfront monetary commitment to Azure. That commitment is consumed throughout the year by using any combination of the wide variety of cloud services Azure offers from its global datacenters. Enterprise agreements have a 99.95% monthly SLA.

Reseller

25 https://azure.microsoft.com/en-us/pricing/enterprise-agreement/
26 https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx
27 https://azure.microsoft.com/en-us/offers/ms-azr-0111p/
28 https://azure.microsoft.com/en-us/partners/directory/


For more information, you can see:

Solution providers - https://www.microsoft.com/en-us/solution-providers/home

Pay-As-You-Go

Enterprise Agreement

free. This is an excellent way for new users to get started. To set up a free subscription, you need a phone number, a credit card, and a Microsoft account.

period. This subscription type is appropriate for a wide range of users, from individuals to small businesses, and many large organizations as well.

agreement, with discounts for new licenses and Software Assurance. It's targeted at enterprise-scale

An Azure for Students subscription includes $100 in Azure credits to be used within the first 12 months plus select free services without requiring a credit card at sign-up. You must verify your student status

is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

There are three roles related to Azure accounts and subscriptions:

Account administrator

✔️ Account Administrators using a Microsoft account must log in every 2 years (or more frequently) to keep the account active. Inactive accounts are cancelled, and the related subscriptions removed. There are no login requirements if using a work or school account.

Check Resource Limits

The limits shown are the limits for your subscription. If you need to increase a default limit, there is a Request Increase link. You will complete and submit the support request. All resources have a maximum limit listed in Azure limits. If your current limit is already at the maximum number, the limit can't be

“Development” to your resources. After creating your tags, you associate them with the appropriate resources.

With tags in place, you can retrieve all the resources in your subscription with that tag name and value.

Perhaps one of the best uses of tags is to group billing data. When you download the usage CSV for services, the tags appear in the Tags column. For example, you could group virtual machines by cost

There are a few things to consider about tagging:

Each resource or resource group can have a maximum of 15 tag name/value pairs.


Reservations help you save money by pre-paying for one-year or three-years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to get a discount on the resources you use. Reservations can significantly reduce your virtual machine, SQL database compute, Azure Cosmos DB, or other resource costs up to 72% on pay-as-you-go prices. Reservations provide a billing discount and don't affect the runtime state of your resources.


Online Lab - Exploring Monitoring Capabilities in Azure

● Deploy Azure VM scale sets

● Implement monitoring and alerting by using Azure Monitor

1. Deploy an Azure VM scale set by using an Azure QuickStart template

2. Review autoscaling settings of the Azure VM scale set

● Subscription: the name of the target Azure subscription

● Cloud Shell region: the name of the Azure region that is available in your subscription and which is closest to the lab location


4. From the Cloud Shell pane, run the following to identify a unique DNS domain name (substitute the placeholder <custom-label> with any alphanumeric string starting with a letter and no longer than

until the command returns True.

6. Note the value of the <custom-label> that resulted in the successful outcome. You will need it in the next task.

Owner role in the target Azure subscription.

9. In the Azure Portal, on the Deploy VM Scale Set with Python Bottle server & AutoScale blade, specify the following settings and initiate the deployment:

Vm Sku: Standard_D1_v2

Vmss Name: the custom label you identified when running Test-AzDnsAvailability earlier in this task

Task 2: Review autoscaling settings of the Azure VM scale set

1. In Azure Portal, navigate to the blade representing the newly deployed Azure VM scale set.

Scale in: decrease instance count by 1 when average percentage of CPU < 30

Minimum number of instances: 1

Exercise 2: Implementing monitoring and alerting by using Azure Monitor
The main tasks for this exercise are as follows:
1. Create Azure VM scale set metrics-based alerts
2. Configure Azure VM scale set autoscaling-based notifications
3. Test Azure VM scale set monitoring and alerting.

Task 1: Create Azure VM scale set metrics-based alerts

1. In the Azure portal, navigate to the blade representing the newly deployed Azure VM scale set and, from there, switch to the Monitoring - Metrics blade.

7. In the Condition section, click Add condition, select the Percentage CPU metric, leave the dimension settings and condition type with their default values, set the condition to Greater than, set the time aggregation to Average, set the threshold to 60, set the period (grain) to Over the last 1 minutes, set the frequency to Every 1 minute and click done.

8. In the Action Groups section, click Create new, set the action group name to az30001 action group, set short name: az30001, select the Azure subscription you used in the previous exercise, accept the default name of the resource group of Default-ActivityLogAlerts (to be created), set the action name: az30001-email, and set the action type to Email/SMS/Push/Voice.


2. On the Scaling setting blade, click the Notify tab heading, configure the following settings, and save

tions about autoscaling events

Task 3: Test Azure VM scale set monitoring and alerting.

1. In the Azure portal, navigate to the blade representing the Load balancer set you deployed in the
3. From the lab computer, start Microsoft Edge and browse to *http://Public IP address*:9000 (where

4. On the Worker interface page, click the Start work link.

5. Use the CPU (average) chart on the VM scale set blade to monitor changes to the CPU utilization.
6. Note: Alternatively, you can navigate back to the Monitoring - Metrics blade and use the filter to

display Avg Percentage CPU metric of the VM scale set resource.

9. Note: Alternatively, you can navigate back to the Scaling blade, in the list of resources capable of

10. Note: Autoscaling should be triggered within a couple of minutes.

11. Switch to the Microsoft Edge window displaying worker instances page and click the Stop work link.

Exercise 3: Remove lab resources

Task 1: Delete resource group

3. Verify that the output contains only the resource groups you created in this lab. These groups will be

deleted in the next task.

Result: After you completed this exercise, you removed the resources used in this lab.

Review Questions

You should use Azure Monitor and Azure Advisor.

Azure Monitor provides the fastest metrics pipeline (5 minute down to 1 minute), so you should use it for time critical alerts and notifications. These metrics can be sent to Azure Log Analytics for trending and detailed analysis.

Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. Azure Storage is:

Durable and highly available. Redundancy ensures that your data is safe in the event of transient hardware failures. You can also opt to replicate data across datacenters or geographical regions for additional protection from local catastrophe or natural disaster. Data replicated in this way remains highly available in the event of an unexpected outage.

Microsoft provides SDKs for Azure Storage in a variety of languages – .NET, Java, Node.js, Python, PHP, Ruby, Go, and others – as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

Azure Storage is a service that you can use to store files, messages, tables, and other types of information. You can use Azure storage on its own, for example as a file share, but it is often used by developers as a store for working data. Such stores can be used by websites, mobile apps, desktop applications,


● Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them, and that they use the same version.

● Diagnostic logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.

Table storage

Azure Table storage is now part of Azure Cosmos DB. To see Azure Table storage documentation, see the Azure Table Storage Overview. In addition to the existing Azure Table storage service, there is a new Azure Cosmos DB Table API offering that provides throughput-optimized tables, global distribution, and automatic secondary indexes. To learn more and try out the new premium experience, please check out Azure Cosmos DB Table API.

Premium storage accounts are backed by solid state drives (SSD) and offer consistent low-latency performance. They can only be used with Azure virtual machine disks and are best for I/O-intensive applications, like databases. Additionally, virtual machines that use Premium storage for all disks qualify for a 99.99% SLA, even when running outside an availability set.


Storage Account Endpoints

Every object that you store in Azure Storage has a unique URL address. The storage account name forms the subdomain of that address. The combination of subdomain and domain name, which is specific to each service, forms an endpoint for your storage account.

✔️ A Blob storage account only exposes the Blob service endpoint. You can also configure a custom domain name to use with your storage account.

For more information, you can see:

CNAME record

Target


2. On the Storage Accounts window that appears, choose Add.

3. Select the subscription in which to create the storage account.

8. Leave these fields set to their default values:

9. Select Review + Create to review your storage account settings and create the account.


view and edit Blob, Queue, Table, File, Cosmos DB storage and Data Lake storage. Storage Explorer is available for Windows, Mac, and Linux.

Table storage
● Query entities with OData or query builder.
● Add, edit, and delete entities.
● Import and export tables and query results.

Queue storage
● View, add, and dequeue messages.
● Clear queue.

File storage
● Navigate files through directories.

Azure Storage Explorer has many uses when it comes to managing your storage. See the following articles to learn more.


As mentioned previously, Storage Explorer lets you attach to external storage accounts so that storage accounts can be easily shared. To create the connection you will need the storage Account name and Account key. In the portal, the account key is called key1.

Demonstration - Storage Explorer

Note: If you have an older version of the Storage Explorer, be sure to upgrade. These steps use version 1.6.2.

2. After the installation, launch the tool.

3. Review the Release Notes and menu options.


Data Replication

Replication Options

Are there any costs to changing my account's replication strategy?


Zone Redundant Storage (ZRS) synchronously replicates your data across three (3) storage clusters in a single region. Each storage cluster is physically separated from the others and resides in its own availability zone. Each availability zone, and the ZRS cluster within it, is autonomous, with separate utilities and networking capabilities.

● ZRS may not protect your data against a regional disaster where multiple zones are permanently affected. Instead, ZRS offers resiliency for your data in the case of unavailability.

Support coverage and regional availability
ZRS currently supports standard general-purpose v2 account types. ZRS is available for block blobs, non-disk page blobs, files, tables, and queues.

✔️ Consider ZRS for scenarios that require strong consistency, strong durability, and high availability even if an outage or natural disaster renders a zonal data center unavailable.

Geo-redundant storage


Task: Retrieve a specific storage account or all the storage accounts in a resource group or subscription.

Example: Get-AzureRmStorageAccount -ResourceGroupName "RG01" -AccountName "mystorageaccount"

Create a storage account - https://docs.microsoft.com/en-us/azure/storage/common/storage-powershell-guide-full#create-a-storage-account

13 https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
14 https://docs.microsoft.com/en-us/azure/storage/common/storage-powershell-guide-full

Storing and Accessing Data 75

Disk Drives. You can ship Solid-state drives (SSDs) or Hard disk drives (HDDs) to the Azure datacenter.

When creating an import job, you ship disk drives containing your data. When creating an export job, you ship empty drives to the Azure datacenter.

Supported disks

Import and Export Tool
The Microsoft Azure Import/Export Tool is the drive preparation and repair tool that you can use with the Microsoft Azure Import/Export service. You can use the tool for the following functions:
● Before creating an import job, you can use this tool to copy data to the hard drives you are going to ship to an Azure datacenter.

● After an import job has completed, you can use this tool to repair any blobs that were corrupted, were missing, or conflicted with other blobs.

MCT USE ONLY. STUDENT USE PROHIBITED

run the WAImportExport tool from that computer. The WAImportExport tool handles data copy, volume encryption, and creation of journal files. Journal files are necessary to create an import/export job and

session. The state of the copy session is written to the journal file. If a copy session is interrupted (for

journal file on the command line.

For each hard drive that you prepare with the Azure Import/Export Tool, the tool will create a single journal file with name DriveID.xml where DriveID is the serial number associated with the drive that the tool

dataset.csv>

PrepImport. Indicates the tool is preparing drives for an import job.

JournalFile. Path to the journal file that will be created. A journal file tracks a set of drives and records
DataSet. A CSV file that contains a list of directories and/or a list of files to be copied to target drives.

Import Jobs

An Import job securely transfers large amounts of data to Azure Blob storage (block and page blobs) and



Drives are shipped using your carrier account to the return address provided in the import job.

For more information, you can see:

16 https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

● Create an export job in your source storage account using the Azure portal or the Import/Export REST API.

● Specify the source blobs or container paths of your data in the export job.



Module 2 Module Implementing and Managing Storage

Synchronize a file system to Azure Blob or vice versa. Ideal for incremental copy scenarios.

Supports Azure Data Lake Storage Gen2 APIs.

Supports wildcard patterns in a path as well as –include and –exclude flags.

Improved resiliency: every AzCopy instance will create a job order and a related log file. You can view and restart previous jobs and resume failed jobs. AzCopy will also automatically retry a transfer after a

using Azure Active Directory. The user should have the Storage Blob Data Contributor role assigned to write to Blob storage using Azure Active Directory authentication.

AzCopy /?

The basic syntax for AzCopy commands is:

common/storage-use-azcopy#download-and-install-azcopy-on-windows18

Demonstration - AzCopy

copy-on-windows.

18 https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy

azcopy /?

1. Scroll to the top of the Help information and read about the Common options, like: source, destination, source key, and destination key.

3. Select Access keys and copy the key1 value. This will be the sourcekey: value.

4. Drill down to the blob of interest, and view the file Properties.

2. Verify the blob was downloaded to your local directory.

Upload files to Azure blob storage
Note: The example continues from the previous example and requires a local directory with files.

1. The source: for the command will be a local directory with files.

1. If you have errors, read them carefully and make corrections.

2. Verify your local files were copied to the Azure container.


How CDN Works

3. The origin returns the file to the edge server, including optional HTTP headers describing the file's Time-to-Live (TTL).

4. The edge server caches the file and returns the file to the original requestor (Alice). The file remains cached on the edge server until the TTL expires. Azure CDN automatically applies a default TTL of seven days unless you've set up caching rules in the Azure portal.

Overview of the Azure Content Delivery Network - https://docs.microsoft.com/en-us/azure/cdn/cdn-overview

Azure CDN POP locations by region - https://docs.microsoft.com/en-us/azure/cdn/cdn-pop-locations


different internet domains, web applications, or storage accounts. You can create up to 8 CDN profiles per subscription.

The CDN service is global and not bound to a location, however you must specify a resource group
Several pricing tiers are available. At the time of this writing, there are three tiers: Premium Verizon, Standard Verizon, and Standard Akamai. Pricing is based on TBs of outbound data transfers. Be sure to read about the pricing models in the link at the end of this topic.

CDN Endpoints

When you create a new CDN endpoint directly from the CDN profile blade you are prompted for CDN

There are four choices for Origin type: Storage, Cloud Service, Web App, and Custom origin. In this course we are focusing on storage CDNs.

Create a new CDN endpoint - https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint#create-a-new-cdn-endpoint

Troubleshooting CDN endpoints returning 404 statuses - https://docs.microsoft.com/en-us/azure/cdn/cdn-troubleshoot-endpoint


Compression behavior tables - https://docs.microsoft.com/en-us/azure/cdn/cdn-improve-performance#compression-behavior-tables

Troubleshooting CDN file compression - https://docs.microsoft.com/en-us/azure/cdn/cdn-troubleshoot-compression

Create a new CDN endpoint.

Set Azure CDN caching rules

Monitoring Storage 89

Azure Monitor provides unified user interfaces for monitoring across different Azure services. Azure Storage integrates Azure Monitor by sending metric data to the Azure Monitor platform. With metrics on Azure Storage, you can analyze usage trends, trace requests, and diagnose issues with your storage account.

Azure Monitor provides multiple ways to access metrics. You can access them from the Azure Portal, Monitor APIs (REST, and .Net) and analysis solutions such as the Operation Management Suite and Event Hubs. Metrics are enabled by default, and you can access the past 30 days of data. If you need to retain data for a longer period, you can archive metrics data to an Azure Storage account.

Azure Storage metrics in Azure Monitor - https://docs.microsoft.com/en-us/azure/storage/common/storage-metrics-in-azure-monitor?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

Monitoring Azure applications and resources - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview


For more information, you can see:

The new alerts experience in Azure Monitor - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts

Target Resource – Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines), you can specify multiple resources as the target of the alert rule.

Signal – Signals are emitted by the target resource and can be of several types. Metric, Activity log, Application Insights, and Log.


Each action type is different in the details that must be provided. Here is a screenshot for the Email and SMS configuration.

Email – Emails will be sent to the email addresses. Ensure that your email filtering is configured appropriately. You may have up to 1000 email actions in an Action Group.


Resource. Select the resource you want to monitor. For example, resource group, virtual machine, or storage account.


Alert rule name. Specify a name to identify your alert.

Description. Provide a description for your alert rule.

Demonstration - Alerts

In this demonstration, we will create an alert rule.

menu under Monitoring, you could create alerts from there as well.

Explore alert targets

include metrics. You can view the full list of resource types supported for metric alerts in this article.

3. Click Done when you have made your selection.

3. Optionally, refine the metric by adjusting Period and Aggregation. If the metric has dimensions, you will see the Dimensions table presented.

olds based on recent data.

7. Click Done.

3. Click Done to save the metric alert rule.

Signal Types and Metrics

Support for multi-dimensional metrics: You can alert on dimensional metrics allowing you to monitor an interesting segment of the metric.

More control over metric conditions: You can define richer alert rules. The newer alerts support monitoring the maximum, minimum, average, and total values of metrics.

Activity Log

The Azure Activity Log is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as “Audit Logs” or “Operational Logs”.


resources in your subscription. For example, who stopped a service. It provides an audit trail of the activities or operations performed on your resources by someone working on the Azure platform. You can

Query or manage events in the Portal, PowerShell, CLI, and REST API.

Stream information to Event Hub.

information about the operation of that resource (the "data plane").

Query the Activity Log

Resource (name). The name of a specific resource.

Resource type. The type of resource, for example, Microsoft.Compute/virtualmachines.

Timespan. The start and end time for events.

Once you have defined a set of filters, you can save it as a query that is persisted across sessions if you ever need to perform the same query with those filters applied again in the future. You can also pin a query to your Azure dashboard to always keep an eye on specific events.

For more information, you can see:

Administrative - This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include “create virtual machine” and "delete network security group". The Administrative category also includes any changes to role-based access control in a subscription.

Service Health - This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is “SQL Azure in East US is experiencing downtime.” Service health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security.
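Reviewing the Administrative category for the kinds of events just named (RBAC changes, network security group deletions) is a routine detection task. The following is an added example, not part of the course or Microsoft's code: it assumes Activity Log records in the documented event schema (category.value, operationName.value, status.value, caller, eventTimestamp, resourceId) and runs over constructed sample records.

```python
"""Triage Azure Activity Log records for security-relevant Administrative events.

Added example; not Microsoft's code. Field names follow the Activity Log event schema
(category.value, operationName.value, status.value, caller, eventTimestamp, resourceId).
All records below are constructed sample data, not a real export.
"""
from datetime import datetime, timezone

# Resource Manager operations a defender usually wants reviewed: RBAC changes and
# network security group changes, all of which land in the Administrative category.
SENSITIVE_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "RBAC role assignment created or changed",
    "microsoft.authorization/roleassignments/delete": "RBAC role assignment removed",
    "microsoft.authorization/roledefinitions/write": "custom role definition changed",
    "microsoft.network/networksecuritygroups/delete": "network security group deleted",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule created or changed",
}


def parse_timestamp(value):
    """Activity Log timestamps are ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage_activity_log(events, start, end):
    """Return the Succeeded Administrative events in [start, end] whose operation is sensitive.

    Each finding records who, what, which resource and when, so it can go straight
    into a ticket or a SIEM rule.
    """
    findings = []
    for ev in events:
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        when = parse_timestamp(ev["eventTimestamp"])
        if not (start <= when <= end):
            continue
        # Resource Manager writes a Started and a Succeeded/Failed record per operation;
        # count only the completed one so each change is reported once.
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        op = ev.get("operationName", {}).get("value", "").lower()
        reason = SENSITIVE_OPERATIONS.get(op)
        if reason is None:
            continue
        findings.append({
            "time": when.isoformat(),
            "caller": ev.get("caller", "<unknown>"),
            "operation": op,
            "resource": ev.get("resourceId", "<unknown>"),
            "reason": reason,
        })
    return findings


def _event(op, category, status, caller, when, resource):
    """Build one record in Activity Log shape (constructed sample data)."""
    return {"category": {"value": category}, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller,
            "eventTimestamp": when, "resourceId": resource}


SUB = "/subscriptions/<subscription-id>"  # placeholder, not a real subscription
NSG = SUB + "/resourceGroups/RG01/providers/Microsoft.Network/networkSecurityGroups/myNetworkSecurityGroup"
SAMPLE_EVENTS = [
    _event("Microsoft.Network/networkSecurityGroups/delete", "Administrative", "Started",
           "alice@contoso.example", "2019-03-12T10:14:58Z", NSG),
    _event("Microsoft.Network/networkSecurityGroups/delete", "Administrative", "Succeeded",
           "alice@contoso.example", "2019-03-12T10:15:00Z", NSG),
    _event("Microsoft.Authorization/roleAssignments/write", "Administrative", "Succeeded",
           "bob@contoso.example", "2019-03-12T11:00:00Z",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/<assignment-id>"),
    _event("Microsoft.Compute/virtualMachines/write", "Administrative", "Succeeded",
           "carol@contoso.example", "2019-03-12T12:30:00Z",
           SUB + "/resourceGroups/RG01/providers/Microsoft.Compute/virtualMachines/myVM"),
    _event("Microsoft.ServiceHealth/incident/action", "ServiceHealth", "Active",
           "Microsoft.ServiceHealth", "2019-03-12T13:00:00Z", SUB),
    _event("Microsoft.Authorization/roleAssignments/write", "Administrative", "Succeeded",
           "bob@contoso.example", "2019-03-01T09:00:00Z",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/<older-id>"),
]


def run_sample():
    """Triage the constructed records over a one-day timespan filter."""
    start = parse_timestamp("2019-03-12T00:00:00Z")
    end = parse_timestamp("2019-03-12T23:59:59Z")
    return triage_activity_log(SAMPLE_EVENTS, start, end)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['time']} {finding['caller']} {finding['reason']}: {finding['resource']}")
```

The Started record, the routine VM write, the Service Health event and the out-of-window RBAC write are all dropped; only the NSG deletion and the in-window role assignment are reported.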


✔️ Log Analytics collects activity logs free of charge and stores the logs for 90 days free of charge. If you store logs for longer than 90 days, you will incur data retention charges for the data stored longer than 90 days. When you're on the Free pricing tier, activity logs do not apply to your daily data consumption.

For more information, you can see:

Advantages of this approach include:

Collect Azure Activity Logs into Log Analytics across subscriptions - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-activity-logs-subscriptions



An organization deploys a business-critical application. The application must always be available to users, even if a region-wide outage occurs.

tion strategy will provide you for a given type of event (or event of similar impact).

In this scenario, only the Geo-Replicated Storage option provides the functionality desired.

What should you do? How will your actions affect costs for the resource?

Suggested Answer ↓

Pricing for GPv2 accounts has been designed to deliver the lowest per gigabyte prices, and industry competitive transaction prices.

You can upgrade your GPv1 or Blob storage account to a GPv2 account using Azure portal, PowerShell, or Azure CLI.

Which tool should you use? How should you connect to client resources?

Suggested Answer ↓
Microsoft Azure Storage Explorer is a standalone app from Microsoft that allows you to easily work with Azure Storage data.

• Available for Windows, Mac, and Linux.

Module 3 Module Deploying and Managing Virtual Machines (VMs)

1. Select an image or disk to use for your new virtual machine. The image is from the Marketplace. The disk is a VHD you have created.

2. Provide required information such as host name, user name, and password for the new virtual machine.


Additional images are available by searching the Marketplace.

Disks - OS disk type, data disks

Networking - Virtual networks, load balancing

Guest config - Add additional configuration, agents, scripts or applications via virtual machine exten-

enabling hybrid scenarios and maximizing existing investments, including:

Unique hybrid capabilities with Azure to extend your datacenter and maximize investments, such as

Faster innovation for applications enabling Developers and IT Pros to create new and modernize their

Creating Virtual Machines 107

Terms of Use


Remote Desktop Protocol (RDP) allows you to establish a graphical user interface (GUI) session to an Azure VM that runs any supported version of Windows. The Azure portal automatically enables the

from an unknown publisher. This is expected. When connecting, be sure to provide credentials for the virtual machine. The Azure PowerShell Get-AzRemoteDesktopFile cmdlet provides the same functionality.

Windows PowerShell scripts. WinRM facilitates additional session security by using certificates. You can upload a certificate that you intend to use to Azure Key Vault prior to establishing a session. The

Identifying the URL of the certificate uploaded to the key vault.

Referencing the URL in the Azure VM configuration.

WinRM uses TCP port 5986 by default, but you can change it to a custom value. In either case, you must ensure that no network security groups are blocking inbound traffic on the port that you choose.

Create the virtual machine

1. Choose Create a resource in the upper left-hand corner of the Azure portal.

5. Under Instance details, type myVM for the Virtual machine name and choose East US for your Location. Leave the other defaults.


11. Move to the Management tab, and under Monitoring turn Off Boot Diagnostics. This will eliminate
12. Leave the remaining defaults and then select the Review + create button at the bottom of the page.

Connect to the virtual machine

Create a remote desktop connection to the virtual machine. These directions tell you how to connect to
your VM from a Windows computer. On a Mac, you need to install an RDP client from the Mac App Store.

1. Select the Connect button on the virtual machine properties page.

4. In the Windows Security window, select More choices and then Use a different account. Type the

OK.

5. You may receive a certificate warning during the sign-in process. Select Yes or Continue to create the connection.

When done, close the RDP connection to the VM.

View the IIS welcome page

✔️ When no longer needed, you can delete the resource group, virtual machine, and all related resourc-es. To do so, select the resource group for the virtual machine, select Delete, then confirm the name of the resource group to delete.

PowerShell - Example (Part 1)

2. Create the initial configuration for the virtual machine with New-AzVMConfig:

In this demonstration, we will create a virtual machine using PowerShell.

Create the virtual machine

# create a resource group
New-AzResourceGroup -Name myResourceGroup -Location EastUS

# create the virtual machine
# when prompted, provide a username and password to be used as the logon credentials for the VM
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Location "East US" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIpAddress" `
-OpenPorts 80,3389

4. Notice this is a Windows machine in a new VNet and subnet.

5. Notice the command started the machine.

2. Create an RDP session from your local machine. Replace the IP address with the public IP address of your VM. This command runs from a cmd window.


ue to create the connection

4. When done, close the RDP connection to the VM.

Azure supports many Linux distributions and versions including CentOS by OpenLogic, Core OS, Debian, Oracle Linux, Red Hat Enterprise Linux, and Ubuntu.

Manager), Portal, and Command Line Interface. You can manage your Linux virtual machines with a host of popular open-source DevOps tools such as Puppet and Chef.

linux/

Linux VM Connections

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is by using a public-private key pair, also known as SSH keys.

● The public key is placed on your Linux VM, or any other service that you wish to use with public-key cryptography.

✔️ Azure currently requires at least a 2048-bit key length and the SSH-RSA format for public and private keys.
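Before placing a key on a VM it is worth checking that it meets the requirement just stated (ssh-rsa format, at least 2048 bits). The following is an added example, not course or Microsoft code: it parses the wire format inside an OpenSSH public key line with the standard library only, and the sample keys it checks are built from a synthetic modulus so that it runs offline; they are not usable key material.

```python
"""Check an OpenSSH public key line against the Azure rule stated above:
ssh-rsa format and a modulus of at least 2048 bits.

Added example; not Microsoft's code. The base64 blob of an ssh-rsa key is the RFC 4253
encoding of three fields: string "ssh-rsa", mpint e, mpint n. The sample lines below are
constructed from a synthetic modulus, not from a real key pair.
"""
import base64
import struct

AZURE_MIN_RSA_BITS = 2048


def _ssh_string(data):
    """Encode a length-prefixed SSH string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative integer as an SSH mpint (minimal two's-complement bytes)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the number positive by prepending a zero byte
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_key_line(modulus, exponent=65537, comment="constructed"):
    """Build an authorized_keys line for an ssh-rsa key from its public parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def _read_ssh_string(blob, offset):
    """Read one length-prefixed SSH string; raise ValueError if the buffer is short."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated field body")
    return blob[offset:offset + length], offset + length


def check_azure_ssh_key(line):
    """Return (accepted, reason) for one public key line under the stated Azure rule."""
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "not an authorized_keys line (need '<type> <base64> [comment]')"
    key_type, encoded = parts[0], parts[1]
    if key_type != "ssh-rsa":
        return False, f"key type {key_type!r} is not ssh-rsa"
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False, "key blob is not valid base64"
    try:
        inner_type, offset = _read_ssh_string(blob, 0)
        _exponent, offset = _read_ssh_string(blob, offset)
        modulus_bytes, offset = _read_ssh_string(blob, offset)
    except ValueError as err:
        return False, f"malformed key blob: {err}"
    if inner_type != b"ssh-rsa":
        return False, "blob type does not match the ssh-rsa prefix"
    if offset != len(blob):
        return False, "unexpected trailing bytes after the modulus"
    bits = int.from_bytes(modulus_bytes, "big").bit_length()
    if bits < AZURE_MIN_RSA_BITS:
        return False, f"RSA modulus is {bits} bits; Azure requires at least {AZURE_MIN_RSA_BITS}"
    return True, f"ssh-rsa key with {bits}-bit modulus accepted"


# Constructed inputs: a 2048-bit and a 1024-bit synthetic modulus, and a non-RSA key type.
GOOD_KEY = build_rsa_key_line((1 << 2047) | 0x10001, comment="lab-2048")
SHORT_KEY = build_rsa_key_line((1 << 1023) | 0x10001, comment="lab-1024")
OTHER_TYPE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBsYWNlaG9sZGVy lab"  # placeholder blob

if __name__ == "__main__":
    for candidate in (GOOD_KEY, SHORT_KEY, OTHER_TYPE):
        accepted, reason = check_azure_ssh_key(candidate)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The same function can be run over every line of an authorized_keys file or over the key pasted into the portal's SSH public key field before the VM is created.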

Demonstration - Connect to Linux Virtual Machines
In this demonstration, we will create a Linux machine and access the machine with SSH.

4. Click the Generate button.

5. Move your mouse around the blank area in the window to generate some randomness.


Backup and Restore

Azure Site Recovery

VMware Virtual Machine Replication. You can perform the replication of virtual machines by VMware to a secondary site that is also running VMware. You also can replicate to Azure.

Physical Windows and Linux machines. You can replicate physical machines running either Windows or Linux to a secondary site or to Azure.

Automatically replicate to Azure. Automate the orderly recovery of services in the event of a site outage at the primary datacenter.

Safeguard against outages of complex workloads. Protect applications in SQL Server, SharePoint, SAP, and Oracle.


It's important to understand the difference between images and snapshots. With managed disks, you can take an image of a generalized VM that has been deallocated. This image includes all of the disks attached to the VM. You can use this image to create a VM, and it includes all of the disks.

● A snapshot is a copy of a disk at the point in time the snapshot is taken. It applies only to one disk. If you have a VM that has one disk (the OS disk), you can take a snapshot or an image of it and create a VM from either the snapshot or the image.

There are several methods for backing up virtual machines.

1. Enable backup for individual Azure VMs. When you enable backup, Azure Backup installs an extension to the Azure VM agent that's running on the VM. The agent backs up the entire VM.


4. When you initiate a failover, the VMs are created in the target resource group, target virtual network, target subnet, and in the target availability set. During a failover, you can use any recovery point.

Recovery Services Vault VM Backup Options


Implementing VM Backups

1. Create a recovery services vault. To back up your files and folders, you need to create a Recovery

vault has geo-redundant storage. If you are using Azure as a primary backup storage endpoint, use the default geo-redundant storage. If you are using Azure as a non-primary backup storage endpoint,

saved recovery points. A backup policy defines a matrix of when the data snapshots are taken, and how long those snapshots are retained. When defining a policy for backing up a VM, you can trigger a

would not have the VM Agent installed. In such a case, the VM Agent needs to be installed.

For more information, you can see:

Once you trigger the restore operation, the Backup service creates a job for tracking the restore operation. The Backup service also creates and temporarily displays notifications, so you can monitor how the restore is proceeding.

Azure Backup Server

● Backing up to MABS/DPM provides app-aware backups optimized for common apps such as SQL Server, Exchange, and SharePoint, in addition to file/folder/volume backups and machine state backups (bare-metal, system state).


Virtual Machine Extensions

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. For example, if a virtual machine requires software installation, anti-virus

Bundled with a new VM deployment or run against any existing system. For example, they can be part of a larger deployment, configuring applications on VM provision, or run against any supported

✔️ In this lesson we will focus on two extensions: Custom Script Extensions and Desired State Configuration. Both tools are based on PowerShell.

Virtual machine extensions and features for Linux - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux

Custom Script Extensions

Custom Script Extension (CSE) can be used to automatically launch and execute virtual machine customization tasks post configuration. Your script extension may perform very simple tasks such as stop-

the CSE resource is created, you will provide a PowerShell script file. Your script file will include the PowerShell commands you want to execute on the virtual machine. Optionally, you can pass in arguments, such

# Placeholders in angle brackets are required parameters not shown in the course text; substitute your own values.
Set-AzVmCustomScriptExtension -ResourceGroupName "<resource-group>" -Location "<location>" -VmName vmName -Name "<extension-name>" `
  -FileUri https://scriptstore.blob.core.windows.net/scripts/Install_IIS.ps1 -Run "PowerShell.exe"

Failure events. Be sure to account for any errors that might occur when running your script. For example, running out of disk space, or security and access restrictions. What will the script do if there is an error?

Sensitive data. Your extension may need sensitive information such as credentials, storage account names, and storage account access keys. How will you protect/encrypt this information?

In this example we are installing IIS on the localhost. The configuration will be saved as a .ps1 file.

configuration IISInstall


Get-WindowsFeature -name Web-Server

Note: You could also use the PowerShell Set-AzVmCustomScriptExtension command to deploy the extension. You would need to upload the script to a blob container and use the URI. We will do this in the next demonstration.


Azure Monitor for VMs monitors your Azure virtual machines (VM) and virtual machine scale sets at scale. The service analyzes the performance and health of your Windows and Linux VMs, monitoring their

Logical components of Azure VMs that run Windows and Linux: Are measured against pre-configured health criteria, and they alert you when the evaluated condition is met.

Pre-defined, trending performance charts: Display core performance metrics from the guest VM

sets. The Performance and Map features support both Azure VMs and virtual machines that are hosted in your environment or other cloud provider.

deliver an aggregated view of your VMs. This view is based on each feature's perspective:

Health: The VMs are related to a resource group.

Data usage

When you deploy Azure Monitor for VMs, the data that's collected by your VMs is ingested and stored in

The alert rules that are created.

The notifications that are sent.

Monitoring Virtual Machines 131

Monitoring

✔️ Take a few minutes to navigate the Overview page and the Monitoring section to see what is available for your virtual machine.

Online Lab - Implementing custom Azure VM images 133

Objectives
After completing this lab, you will be able to:

● Install and configure HashiCorp Packer

Password: Pa55w.rd

Exercise 1: Installing and configuring HashiCorp Packer The main tasks for this exercise are as follows:

2. In the Azure portal, in the Microsoft Edge window, start a Bash session within the Cloud Shell.

3. If you are presented with the You have no storage mounted message, configure storage using the following settings:


Storage account: a name of a new storage account

File share: a name of a new file share

unzip packer_1.3.1_linux_amd64.zip

Task 2: Configure HashiCorp Packer prerequisites

2. From the Cloud Shell pane, run the following to create a service principal that will be used by Packer and store the JSON output in a variable:

Result: After you completed this exercise, you have downloaded HashiCorp Packer and configured its

1. Configure a Packer template

2. Build a Packer-based image

2. From the Cloud Shell pane, run the following to retrieve the value of the service principal password and store it in a variable:

TENANT_ID=$(echo $AAD_SP | jq .tenant | tr -d '"')

4. From the Cloud Shell pane, run the following to retrieve the value of the subscription ID and store it in a variable:
SUBSCRIPTION_ID=$(az account show --query id | tr -d '"')

9. From the Cloud Shell pane, run the following to replace the placeholder for the value of the tenant_id parameter with the value of the $TENANT_ID variable in the Packer template:
sed -i.bak3 's/"$TENANT_ID"/"'"$TENANT_ID"'"/' ~/template03.json

10. From the Cloud Shell pane, run the following to replace the placeholder for the value of the subscription_id parameter with the value of the $SUBSCRIPTION_ID variable in the Packer template:
sed -i.bak4 's/"$SUBSCRIPTION_ID"/"'"$SUBSCRIPTION_ID"'"/' ~/template03.

3. Note: The build process might take about 10 minutes.

Result: After you completed this exercise, you have created a Packer template and used it to build a custom image.

| xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal.

Result: In this exercise, you removed the resources used in this lab.


A company hires a new administrator to manage Azure resources. You are reviewing the following virtual machine (VM) deployment script:

New-AzureRmResourceGroup -Name $resourceGroup -Location $location

$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix

-Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4

$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP

-Protocol Tcp `

`

-Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP

Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `

Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus

2016-Datacenter -Version latest | `

• OS Version: Windows Server 2016 standard

Which changes should be made to the Azure PowerShell script? Which part of the PowerShell script

You need to move a VM that supports an application to Azure.

What steps should you perform? Which configuration options should you consider?

You need to move the classic VMs to Azure Resource Groups to improve administration and delegation.

How can you move the VMs to resource groups? What restrictions are there to moving the VMs?

Azure Networking Components

A major incentive for adopting cloud solutions such as Azure is to enable information technology (IT) departments to move server resources to the cloud. This can save money and simplify operations by removing the need to maintain expensive datacenters with uninterruptible power supplies, generators, multiple fail-safes, clustered database servers, and so on. For small and medium-sized companies, which might not have the expertise to maintain their own robust infrastructure, moving to the cloud is particularly appealing.


An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical

isolation of the Azure cloud dedicated to your subscription. You can use VNets to provision and manage

subnets.

Azure Virtual Networks

Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix systems.

For more information, you can see:

✔️ Always plan to use an address space that is not already in use in your organization, either on-premises or in other VNets. Even if you plan for a VNet to be cloud-only, you may want to make a VPN connection to it later. If there is any overlap in address spaces at that point, you will have to reconfigure or recreate the VNet. The next lesson will focus on IP addressing.
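To make the overlap check above concrete, here is an added Python example (not part of the course material) that uses the standard ipaddress module to test a planned address space against an inventory of on-premises ranges and existing VNets. The inventory names and prefixes are constructed sample values, not taken from the page.

```python
"""Detect overlapping address spaces across on-premises ranges and Azure VNets."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed sample inventory (assumed, not from the course): name -> CIDR prefixes in use.
ADDRESS_SPACES: Dict[str, List[str]] = {
    "on-premises": ["10.0.0.0/16", "192.168.0.0/24"],
    "hub-vnet": ["10.1.0.0/16"],
    "spoke-vnet-1": ["10.2.0.0/16"],
}


def find_overlaps(spaces: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of prefixes that overlap, including pairs inside one network.

    Azure rejects overlapping prefixes within a single VNet as well, so pairs are
    compared regardless of which network they belong to.
    """
    entries = [(name, ip_network(cidr)) for name, cidrs in spaces.items() for cidr in cidrs]
    overlaps = []
    for i, (name_a, net_a) in enumerate(entries):
        for name_b, net_b in entries[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def check_new_vnet(candidate: str, spaces: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return the existing prefixes a planned VNet address space would collide with.

    An empty list means the candidate can be used without a later VPN or peering
    conflict against anything in the inventory.
    """
    new = ip_network(candidate)
    return [
        (name, str(existing))
        for name, cidrs in spaces.items()
        for existing in map(ip_network, cidrs)
        if new.overlaps(existing)
    ]


if __name__ == "__main__":
    print("existing overlaps:", find_overlaps(ADDRESS_SPACES))
    print("10.0.5.0/24 collides with:", check_new_vnet("10.0.5.0/24", ADDRESS_SPACES))
    print("10.3.0.0/16 collides with:", check_new_vnet("10.3.0.0/16", ADDRESS_SPACES))
```

Run the check before creating a VNet and again before adding an address space to an existing one; once a VPN or peering connection exists, the only remedies for an overlap are reconfiguring or recreating the VNet, as the note says.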

For more information, you can see:
What is Azure Virtual Network - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Networking Limits - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#networking-limits-1







Name: myVNet1.

3. Leave the rest of the default settings and select Create.
4. Verify your virtual network was created.

Create a virtual network using PowerShell
1. Create a virtual network. Use values as appropriate.

The VM size determines the number of NICS that you can create for a VM.

The following limitations are applicable when using the multiple NIC feature:

Demonstration - Create VMs with Multiple NICs

In this demonstration, you will learn how to create and configure multiple NICs and then attach those NICs to a VM. You can replace example parameter names with your own values if you prefer.

1. Using az network vnet subnet create a subnet for the back-end traffic named mySubnetBackEnd:

az network vnet subnet create \
--resource-group myResourceGroup \
--vnet-name myVnet \
--name mySubnetBackEnd \
--address-prefix 10.0.2.0/24

Module 4 Module Configuring and Managing Virtual Networks

--vnet-name myVnet \

--subnet mySubnetFrontEnd \

to a VM. Using az vm create, create a Linux VM named myVM:

az vm create \

--admin-username azureuser \

--generate-ssh-keys \

Overview of IP Addressing

You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP addresses you can use in Azure. Virtual networks can contain both public and private IP address spaces.

A public IP address resource can be associated with virtual machine network interfaces, internet-facing load balancers, VPN gateways, and application gateways. Azure can provide an IP address (dynamic assignment) or you can assign the IP address (static assignment). The type of resource affects the assignment.

Public IP addresses

NIC

Yes

Front-end configuration

VPN Gateway

Gateway IP configuration

Front-end configuration

No

Address SKUs

Review of IP Addressing

2. Notice in the IpConfigurations area there is a PrivateIPAddress and the PrivateIpAllocationMethod is static.

Remove a static private IP address

1. Review the output.

2. Notice in the IpConfigurations area, The PrivateIPAllocationMethod is now Dynamic.

Why use a service endpoint?

Improved security for your Azure service resources. VNet private address space can be overlapping and so, cannot be used to uniquely identify traffic originating from your VNet. Service endpoints provide the ability to secure Azure service resources to your virtual network, by extending VNet identity to the service. Once service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources. This provides improved security by fully removing public Internet access to resources, and allowing traffic only from your virtual network.


endpoints provide optimal routing for Azure traffic.

Endpoints always take service traffic directly from your virtual network to the service on the

forced-tunneling, without impacting service traffic. Learn more about user-defined routes and
Simple to set up with less management overhead. You no longer need reserved, public IP address-

devices required to set up the service endpoints. Service endpoints are configured through a simple

click on a subnet. There is no additional overhead to maintaining the endpoints.

interruption to service traffic from this subnet while configuring service endpoints.

Service Endpoint Services

Azure Storage service. Each storage account supports up to 100 virtual network rules.

Azure SQL Database and Azure SQL Data Warehouse. Generally available in all Azure regions. A

Azure Database for PostgreSQL server and MySQL. Generally available in Azure regions where data-

space of a Virtual Network to your Azure Database for PostgreSQL server and MySQL server.

Azure Cosmos DB. Generally available in all Azure regions. You can configure the Azure Cosmos account

to allow access only from a specific subnet of virtual network (VNet). By enabling Service endpoint to
access Azure Cosmos DB on the subnet within a virtual network, the traffic from that subnet is sent to

Azure Service Bus and Azure Event Hubs. Generally available in all Azure regions. The integration of Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabilities from workloads like virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

Azure Data Lake Store Gen 1. Generally available in all Azure regions where ADLS Gen1 is available. This feature helps to secure your Data Lake Storage account from external threats.

✔️ It is important to test and ensure the service endpoint is limiting access as expected.

Demonstration - Service Endpoints

2. Within the Storage Account, create a file share, and upload a file.

3. For the Storage Account, use the Shared Access Signature blade to Generate SAS and connection string.


Network Routing

Information about the system routes is recorded in a route table. A route table contains a set of rules, called routes, that specify how packets should be routed in a virtual network. Route tables are associated to subnets, and each packet leaving a subnet is handled based on the associated route table. Packets are matched to routes using the destination. The destination can be an IP address, a virtual network gateway, a virtual appliance, or the internet. If a matching route can't be found, then the packet is dropped.

For more information, you can see:


In these situations, you can configure user-defined routes (UDRs). UDRs control network traffic by

think you will need to create custom routes?

For more information, you can see:

and Public. In the DMZ subnet there is a network virtual appliance (NVA). You want to ensure all traffic

from the Public subnet goes through the NVA to the Private subnet.

✔️ There is a practice exercise that includes a complete set of steps for this scenario, including creating the virtual appliance and testing.

Create Route Table

Border gateway protocol - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#border-gateway-protocol

Overview of BGP with Azure VPN Gateways - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview?toc=%2fazure%2fvirtual-network%2ftoc.json


Notice this route applies to any address prefixes in 10.0.1.0/24 (private subnet). Traffic headed to these

addresses will be sent to the virtual appliance with a 10.0.2.4 address.

✔️ In this case the virtual appliance should not have a public IP address and IP forwarding should be enabled. Be sure to try the practice.

For example, if the destination address is 10.0.0.5 and there are two routes: One route specifies the

10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. In this case,

System

10.0.0.0/24

Route priorities
When the address prefixes are the same, Azure selects the route type based on the following priority:
1. User-defined route
2. BGP route
3. System route
In our example, for address 10.0.0.5, Azure selects the route with the User source, because user-defined routes are higher priority than system default routes.
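The longest-prefix rule from the 10.0.0.5 example combined with the source priority above, as an added Python example that is not code from the course: it picks the effective route for a destination from a constructed route table (the prefixes, next hops and sources are assumed sample values) and returns None when nothing matches, which is the case in which Azure drops the packet.

```python
"""Select the effective Azure route: longest prefix first, then User > BGP > System."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str    # destination address prefix in CIDR notation
    next_hop: str  # next hop type or address as shown in the effective routes
    source: str    # "User", "BGP" or "System"


# Lower number wins when two candidate prefixes are identical.
SOURCE_PRIORITY = {"User": 1, "BGP": 2, "System": 3}

# Constructed sample effective route table (assumed values, not the course's data).
SAMPLE_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "Virtual network", "System"),
    Route("10.0.0.0/24", "10.0.2.4", "User"),           # custom route to an NVA
    Route("10.0.0.0/24", "Virtual network", "System"),  # same prefix, lower priority
    Route("172.16.0.0/12", "VirtualNetworkGateway", "BGP"),
    Route("0.0.0.0/0", "Internet", "System"),           # default route
]


def select_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Return the route Azure would apply to a packet for `destination`, or None.

    Candidates are the routes whose prefix contains the destination. Among them the
    longest prefix wins; on equal prefix length the source priority breaks the tie.
    """
    dest = ip_address(destination)
    candidates = [r for r in routes if dest in ip_network(r.prefix)]
    if not candidates:
        return None  # no matching route: the packet is dropped
    return max(
        candidates,
        key=lambda r: (ip_network(r.prefix).prefixlen, -SOURCE_PRIORITY[r.source]),
    )


if __name__ == "__main__":
    for dest in ("10.0.0.5", "10.0.1.7", "172.16.5.5", "8.8.8.8"):
        print(dest, "->", select_route(dest, SAMPLE_ROUTES))
```

With the sample table, 10.0.0.5 is sent to the appliance at 10.0.2.4 even though a system route for the same /24 exists, while 10.0.1.7 only matches the /16 system route and stays inside the virtual network.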

Note: This demonstration requires a virtual network with at least one subnet.

Create a routing table
1. Access the Azure portal.

4. Select Create.

5. Wait for the new routing table to be deployed.

Intersite Connectivity

VNet-to-VNet Connections

You can connect your VNets with a VNet-to-VNet VPN connection. Using this connection method, you create a VPN gateway in each virtual network. The VPN gateway can also be used to provide a connection to an on-premises network. This is called a Site-to-Site (S2S) connection. In both cases a secure tunnel using IPsec/IKE provides the communication between the networks.

Regional multi-tier applications with isolation or administrative boundary

● Within the same region, you can set up multi-tier applications with multiple virtual networks connected together due to isolation or administrative requirements.

VNet-to-VNet Connectivity - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#vnet-to-vnet

Site-to-Site Connectivity - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-how-to-site-to-site-resource-manager-portal


configuring the VPN Gateway. You still need to create VNets, subnets, and a gateway subnet in each

virtual network. When everything is configured you will need to test and verify.

VPN Type. Most VPN types are Route-based.

SKU. Use the drop-down to select a gateway SKU. Your choice will affect the number of tunnels you

configure the gateway subnet. Each virtual network will need its own VPN gateway.

IP Address. The gateway needs a public IP address to its IP configuration to enable it to communicate

For more information, you can see:

Create a virtual network gateway - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gate-


Configuring Gateway Connections

Once your VPN gateways are created, you can create the connection between them. If your VNets are in the same subscription, you can use the portal.

For more information, you can see:

Configure the TestVNet1 gateway connection - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#TestVNet1Connection


Name and Gateway Type. Name your gateway and use the VPN Gateway type.

VPN Type. Most VPN types are Route-based.

✔️ After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway should appear as a connected device. In this last step you will create a connection for the device.

VPN Types

Policy-based VPNs. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises


You can have only 1 tunnel when using a Policy-based VPN.

You can only use Policy-based VPNs for S2S connections, and only for certain configurations. Most

as any-to-any (or wild cards).

Once a virtual network gateway has been created, you can't change the VPN type.

Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a

These connection limits are separate. For example, you can have 128 SSTP connections and also 250
✔️ The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. You can't

resize a gateway that uses a Basic SKU to one of the new gateway SKUs, you must instead change to a

new SKU, which involves deleting and recreating your VPN gateway.

IP Address. The public IP address of the local gateway.

Address Space. One or more IP address ranges (in CIDR notation) that define your local network's address space. For example: 192.168.0.0/16. If you plan to use this local network gateway in a BGP-enabled connection, then the minimum prefix you need to declare is the host address of your BGP Peer IP address on your VPN device.

A shared key. This is the same shared key that you will specify when creating the VPN connection (next step).

The public IP address of your VPN gateway. When you created the VPN gateway you may have configured a new public IP address or used an existing IP address.


PowerShell
To verify your connection with PowerShell, use the Get-AzVirtualNetworkGatewayConnection cmdlet. For example,

Get-AzVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName MyRG

2. Select + Gateway subnet.

Notice the name of the subnet cannot be changed.

Perhaps the simplest and quickest way to connect your VNets is to use VNet peering. Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for connectivity purposes. There are two types of VNet peering.

Regional VNet peering connects Azure virtual networks in the same region.

Performance. A low-latency, high-bandwidth connection between resources in different virtual networks.

Communication. The ability for resources in one virtual network to communicate with resources in a different virtual network, once the virtual networks are peered.

Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Configure VNet Peering


To deploy a gateway in your virtual network simply add a gateway subnet.

PowerShell Example - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=%2fazure%2fvirtual-network%2ftoc.json#powershell-sample

Hub and spoke - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

Initiated. When you create the peering to the second virtual network from the first virtual network, the peering status is Initiated.

Connected. When you create the peering from the second virtual network to the first virtual network, its peering status is Connected. If you view the peering status for the first virtual network, you see its status changed from Initiated to Connected.


User-defined routes and service chaining

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual


Review Questions

Module 4 Review Questions

You need to add several new applications to the environment.

What issues might you face? How should you resolve the issues?

You manage the Azure environment for your organization. You deploy a new application server virtual

machine (VM).

The application server must communicate with internal on-premises resources, and must also respond to

must delete and recreate the VM. To deploy a VM that has multiple NICs you must use Azure PowerShell.

Av2, Dv2/Dv3 or DSv2/DSv3 series VM sizes all support multiple NICs

You manage the Azure environment for your organization. You deploy a new server application virtual

External users must be directed to an inventory page and must not be required to sign in.

What should you do?

al routes to a subnet's route table. In Azure, you create a route table, then associate the route table to

depending on the IP address that attempts to access the resource.

Module 5 Module Managing Identities

Identity manage capabilities and integration


cloud based SaaS applications.

✔️ If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are

en-us/azure/active-directory/active-directory-whatis

Azure Active Directory Benefits

Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single

existing work credentials—and have the same experience whether they’re working on iOS, Mac OS X,

Android, and Windows devices.

Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises

directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups,

tions and risk-based policies to protect your business from current and future threats.

Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as

resetting passwords and the creation and management of groups to your employees. Providing

✔️ What reasons do you have for considering Azure Active Directory?

Active Directory Domain Services (AD DS)

Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.

REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.

Choosing Between Azure AD and Azure AD DS

One of the main differences between Azure AD and Azure AD DS is the way devices are registered and joined.

Windows Hello for Business
Restricted access to apps and resources from devices compliant with corporate policy.

Azure AD Directories (Tenants)

A tenant is a dedicated instance of an Azure AD directory which is created whenever you sign up for a Microsoft cloud service, such as Office 365 or Azure. It is important to note that a tenant is not the same as a subscription. A subscription is typically tied to a credit card for billing, whereas a tenant is an instance of Active Directory. You can have multiple tenants in your organization, such as Contoso1.com and Contoso2.com.


Resource independence

If you create or delete a resource in one tenant, it has no impact on any resource in another tenant,

By default, the user who creates a tenant is added as an external user in that new tenant and assigned

the global administrator role in that tenant.

Synchronization independence. You can configure each Azure AD tenant independently to get data

Built-in Roles

Azure AD provides many built-in roles to cover the most common security scenarios. To understand

how the roles work we will examine three roles that apply to all resource types:

Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role.

For the Owner role that means all (*) actions, no denied actions, and all (/) scopes. This information is

✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role you would be most interested in using.
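To show how the Actions, NotActions and AssignableScopes properties of a role definition combine, here is an added Python example that is not part of the course: it loads a constructed custom role definition (the role name, operation names and the placeholder subscription ID are assumed sample values, not from the page), answers whether the role permits a given operation, and checks whether an assignment scope lies within the role's assignable scopes. NotActions only subtracts from the role's own Actions; it is not a deny applied to permissions granted by other roles.

```python
"""Evaluate an Azure RBAC role definition: Actions, NotActions and AssignableScopes."""
import fnmatch
import json
from typing import Any, Dict

# Constructed custom role definition in the shape described above (assumed sample
# values; the subscription ID is an obvious placeholder, not a real identifier).
SYSOPS_ROLE_JSON = """{
  "Name": "Virtual Machine Operator (example)",
  "Id": "00000000-0000-0000-0000-000000000000",
  "Description": "Can read, start and restart VMs but not create or delete them.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Network/*/read"
  ],
  "NotActions": [
    "Microsoft.Compute/virtualMachines/extensions/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription id placeholder>"
  ]
}"""

# The Owner role as the text describes it: all (*) actions, no denied actions, all (/) scopes.
OWNER_ROLE: Dict[str, Any] = {
    "Name": "Owner",
    "Actions": ["*"],
    "NotActions": [],
    "AssignableScopes": ["/"],
}


def load_role_definition(raw: str = SYSOPS_ROLE_JSON) -> Dict[str, Any]:
    """Parse a role definition JSON document such as the one passed to -InputFile."""
    return json.loads(raw)


def _matches(pattern: str, operation: str) -> bool:
    # Operation strings are compared case-insensitively; '*' spans any characters,
    # including '/' separators, which is what fnmatch does.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: Dict[str, Any], operation: str) -> bool:
    """True if the operation matches an Actions entry and no NotActions entry."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not denied


def can_assign_at(role: Dict[str, Any], scope: str) -> bool:
    """True if the assignment scope equals or sits beneath one of the AssignableScopes."""
    return any(
        scope == s or scope.startswith(s.rstrip("/") + "/")
        for s in role["AssignableScopes"]
    )


if __name__ == "__main__":
    role = load_role_definition()
    for op in ("Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/extensions/read",
               "Microsoft.Compute/virtualMachines/delete"):
        print(f"{role['Name']} allows {op}: {role_allows(role, op)}")
    print(can_assign_at(role, "/subscriptions/<subscription id placeholder>/resourceGroups/rg1"))
```

Reading the definition this way before running New-AzureRmRoleDefinition is a cheap check that a custom role is as narrow as intended: a wildcard in Actions is only as safe as the NotActions that carve it back, and AssignableScopes bounds where anyone can grant the role at all.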

Role Definitions

Actions and NotActions

AssignableScopes


experience for the rest of the subscriptions or resource groups.

/subscriptions/[subscription id]

"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",

"/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"

assign it to a user. Can you see how for your organization which role assignments you would need?

For more information, you can see:

#Role assignment properties

$roleName = "Contributor"

eeName -ResourceGroupName $resourceGroupName

CLI

az role assignment create --role $roleName --assignee $assigneeName --re-

#PowerShell

New-AzureRmRoleDefinition -InputFile .\sysops.json

To configure self-service password reset, you first determine who will be enabled to use self-service password reset. From your existing Azure AD tenant, on the Azure Portal under Azure Active Directory select Password reset.

In the Password reset properties there are three options: None, Selected, and All.

After enabling password reset for user and groups, you pick the number of authentication methods required to reset a password and the number of authentication methods available to users.

At least one authentication method is required to reset a password, but it is a good idea to have addi-tional methods available. You can choose from email notification, a text or code sent to user’s mobile or office phone, or a set of security questions.

1. On the Ready to configure page, select Configure and wait for the process to finish.

2. When you see the configuration finish, select Exit.


Azure AD Connect

Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you

Password hash synchronization. A sign-in method that synchronizes a hash of a user's on-premises

AD password with Azure AD.

Pass-through authentication. A sign-in method that allows users to use the same password

management capabilities such as certificate renewal and additional AD FS server deployments.

Synchronization. Responsible for creating users, groups, and other objects. As well as, making sure

identity information for your on-premises users and groups is matching the cloud. This synchroniza-

Sync Services. This component is responsible for creating users, groups, and other objects. It is also responsible for making sure identity information for your on-premises users and groups matches what’s in the cloud.

Authentication Options

Choosing an Azure AD authentication method is one of the first important decisions when moving to the cloud: it becomes the foundation of your cloud environment and is difficult to change at a later date.

Implementing and Managing Hybrid Identities

● Reduce your helpdesk costs.

How does this work?

Azure AD Pass-through Authentication (PTA) is an alternative to Azure AD Password Hash Synchronization, and provides the same benefit of cloud authentication to organizations. PTA allows users to sign in to both on-premises and cloud-based applications using the same user account and password. When users sign in using Azure AD, Pass-through Authentication validates the users' passwords directly against an organization's on-premises Active Directory.

Supports user sign-in into all web browser-based applications and into Microsoft Office client applica-

attribute configured in Azure AD Connect (known as Alternate ID).

Works seamlessly with conditional access features such as Multi-Factor Authentication to help secure

your users.

on-premises Active Directory and password protection by banning commonly used passwords.

PTA can be enabled via Azure AD Connect.

PTA uses a lightweight on-premises agent that listens for and responds to password validation

of size, can implement a hybrid identity solution. Pass-through authentication is not only for user sign-in

but allows an organization to use other Azure AD features, such as password management, role-based

directory where their users exist. How does Microsoft support keeping traditional on-premises Active

Password writeback is a feature enabled with Azure AD Connect that allows password changes in the

cloud to be written back to an existing on-premises directory in real time.

Zero-delay feedback. Password writeback is a synchronous operation. Your users are notified immediately if their password did not meet the policy or could not be reset or changed for any reason.

Supports password changes from the access panel and Office 365. When federated or password hash synchronized users come to change their expired or non-expired passwords, those passwords are written back to your local Active Directory environment.

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

Azure AD Connect Health

When you integrate your on-premises directories with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. However, this integration creates the challenge of ensuring that this environment is healthy so that users can reliably access resources both on premises and in the cloud from any device.

With Azure AD Connect Health the key data you need is easily accessible. You can view and act on alerts, set up email notifications for critical alerts, and view performance data.

Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere.

The proliferation of devices - including Bring Your Own Device (BYOD) – empowers end users to be productive wherever and whenever. But, IT administrators must ensure corporate assets are protected and that devices meet standards for security and compliance.

Online Lab - Implementing User-Assigned Managed Identities for Azure Resources

Objectives
After completing this lab, you will be able to:

● Create and configure user-assigned managed identities

Exercise 1: Creating and configuring a user-assigned managed identity.

The main tasks for this exercise are as follows:

Task 1: Deploy an Azure VM running Windows Server 2016 Datacenter
1. From the lab virtual machine, start Microsoft Edge and browse to the Azure portal at http://portal.azure.com and sign in by using the Microsoft account that has the Owner role in the target Azure subscription.


Subscription: the name of the target Azure subscription

Cloud Shell region: the name of the Azure region that is available in your subscription and which is

4. From the Cloud Shell pane, create a resource group by running (replace the <Azure region>

placeholder with the name of the Azure region that is available in your subscription and which is

6. From the Cloud Shell pane, upload the parameter file \allfiles\AZ-300T01\Module_05\azuredeploy05.parameters.json into the home directory.

7. From the Cloud Shell pane, deploy the two Azure VMs hosting Windows Server 2016 Datacenter into

Task 2: Create a user-assigned managed identity and assign it to the Azure VM.

1. From the Cloud Shell pane, run the following to create a user-assigned managed identity:

2. From the Cloud Shell pane, run the following to assign the user-assigned managed identity to the

Task 3: Configure RBAC referencing the user-assigned managed identity.

1. From the Cloud Shell pane, run the following to create a resource group (replace the <Azure region> placeholder with the name of the Azure region into which you deployed the Azure VM in this

3. From the az3000502-LabRG - Access control (IAM) blade, assign the Owner role to the newly created user-assigned managed identity.

Result: After you completed this exercise, you have created and configured a user-assigned managed identity.

Task 1: Configure an Azure VM for authenticating via user-assigned managed identity.

1. In the Azure portal, navigate to the az3000501-vm blade.

4. From the PowerShell prompt, run the following to install the latest version of the PowerShellGet module (press Enter if prompted for confirmation):

Install-Module -Name PowerShellGet -Force

Install-Module -Name PowerShellGet -AllowPrerelease

8. From the PowerShell prompt, run the following to install the pre-release version of the AzureRM.ManagedServiceIdentity module:


3. Verify that the output contains only the resource groups you created in this lab. These groups will be

xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal.


Active Directory Domain Services (AD DS)

You manage the Azure subscription for an organization. You migrate an on-premises service to Azure.

The service requires Kerberos for authentication.

instead, unless you are targeting IaaS workloads that depend on AD DS specifically.

Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentica-

You decide to implement Azure Self-Service Password Reset.

What must you do to implement this service? Which authentication methods are supported?

At least one authentication method is required to reset a password, but it is a good idea to have addi-

office phone, or a set of security questions.

Regarding the security questions, these can be configured to require a certain number of questions to be

in parallel with an on-premises Active Directory Domain Services (AD DS) environment. You configure

Azure AD SSO.

You must implement Azure AD Connect Health to monitor the environment.

• Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.

• Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.
