And edit storage resources view and edit blob

AZ-300T01
Deploying and Configuring Infrastructure

Contents

Welcome to Deploying and Configuring Infra-structure

About This Course: Deploying and Configuring Infrastruc-ture

Module 5 online lab:

● This module contains the lab Implementing User-Assigned Managed Identities.

Module 1 Module Managing Azure Subscrip-tions and Resources

Exploring Monitoring Capabilities in Azure

Exploring Monitoring Capabilities in Azure 7

Analytics page in the Azure portal and then either directly analyze the data using these tools or save queries for use with visualizations or alert rules.

● Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.

● Azure resource monitoring data: Data about the operation of an Azure resource.

Add an instrumentation package to your application, to enable Application Insights to collect detailed information about your application including page views, application requests, and exceptions. Further verify the availability of your application by configuring an availability test to simulate user traffic.

Custom sources

Exploring Monitoring Capabilities in Azure 9

Log data collected by Azure Monitor is stored in Log Analytics which includes a rich query language2 to quickly retrieve, consolidate, and analyze collected data. You can create and test queries using the Log Analytics page in the Azure portal and then either directly analyze the data using these tools or save queries for use with visualizations or alert rules.

Azure Monitor uses a version of the Data Explorer3 query language that is suitable for simple log queries but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly learn the query language using multiple lessons. Particular guidance is provided to users who are already familiar with SQL and Splunk.

Query the Activity Log

● Administrative. This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this catego- ry include “create virtual machine” and "delete network security group". The Administrative category also includes any changes to role-based access control in a subscription.

● Security. This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is “Suspicious double extension file executed.”

● Policy and Resource Health. These categories do not contain any events; they are reserved for future use.

Alert rules are separated from alerts and the actions that are taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled. The key attributes of an alert rule are:
● Target Resource – Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines), you can specify multiple resources as the target of the alert rule.

● Severity – The severity of the alert once the criteria specified in the alert rule is met. Severity can range from 0 to 4.

● Action – A specific action taken when the alert is fired. See the Action Groups topic coming up.

An action group is a collection of notification preferences defined by the owner of an Azure subscription.

Azure Monitor and Service Health alerts use action groups to notify users that an alert has been trig-

● Email – Emails will be sent to the email addresses. Ensure that your email filtering is configured

● Function App – The function keys for Function Apps configured as actions are read through the

Functions API.

period for a response is 10 seconds. The webhook call will be retried a maximum of 2 times when the

following HTTP status codes are returned: 408, 429, 503, 504 or the HTTP endpoint does not respond.

5. Define the Alert logic. This will determine the logic which the metric alert rule will evaluate. 6. If you are using a static threshold, the metric chart can help determine what might be a reasonable threshold. If you are using a Dynamic Thresholds, the metric chart will display the calculated thresh- olds based on recent data.

7. Click Done.

● Administrative - This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this catego- ry include "create virtual machine" and "delete network security group" Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. The Administrative category also includes any changes to role-based access control in a subscription.

● Service Health - This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is "SQL Azure in East US is experiencing downtime." Service health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security, and only appear if you have a resource in the subscription that would be impacted by the event.

● Security - This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is "Suspicious double extension file executed."

Azure Activity Logs and Log Analytics 25

Export the Activity Log with a Log Profile9

● How long the Activity Log should be retained in a Storage Account.

● A retention of zero days means logs are kept forever. Otherwise, the value can be any number of days between 1 and 2147483647.

Log Analytics Scenarios

One of the challenges with any broad data analytics solution is figuring out where you’re going to see value for your organization. Out of all the things that are possible, what does your business need? What we hear from customers is that the following areas all have the potential to deliver significant business value:

10 https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs

Azure Activity Logs and Log Analytics 27

Connected Sources

Ensure you can locate each of the following.

● The Log Analytics service (1) collects data and stores it in the OMS repository (2). The OMS Repository is hosted in Azure. Connected Sources provide information to the Log Analytics service.

To give a quick graphical view of the health of your overall environment, you can add visualizations for saved log searches to your dashboard. To analyze data outside of Log Analytics, you can export the data from the repository into tools such as Power BI or Excel. You can also leverage the Log Search API to build custom solutions that leverage Log Analytics data or to integrate with other systems.

The main query tables are: Event, Syslog, Heartbeat, and Alert.

Demonstration - Log Analytics
In this demonstration, you will work with the Log Analytics query language.

Access the demonstration environment
1. Access the Log Analytics Querying Demonstration17 page.

5. As you have time experiment with other Favorites and also Saved Queries.

✔️ Is there a particular query you are interested in?

Take a few minutes to access the Log Analytics Querying Demonstration23 page. This page provides a live demonstration workspace where you can run and test queries. Some of the testing queries are:● See the volume of data collected in the last 24 hours in intervals of 30 minutes.

Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. Network performance monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods aren't able to detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device.

Topology

Verify IP Flow Purpose: Quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from a virtual machine.

Example

VPN Diagnostics Purpose: Troubleshoot gateways and connections.

Example

Further examples of different supported network troubleshooting scenarios include:

● Checking the connectivity and latency to a remote endpoint, such as for websites and storage end- points.

● Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.

● Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.

For more information, you can see:

Organize your resources with Azure management groups - https://docs.microsoft.com/en-us/azure/ azure-resource-manager/management-groups-overview

Typically to grant a user access to your Azure resources, you would add them to the Azure AD directory associated with your subscription. The user will now have access to all the resources in your subscription. This is an all-or-nothing operation that may give that user access to more resources than you anticipated.

✔️ Do you know how many subscriptions your organization has? Do you know how resources are organized into resource groups?

Any Enterprise Agreement25 customer can add Azure to their agreement by making an upfront mone-tary commitment to Azure. That commitment is consumed throughout the year by using any combina-tion of the wide variety of cloud services Azure offers from its global datacenters. Enterprise agreements have a 99.95% monthly SLA.

Reseller

25 https://azure.microsoft.com/en-us/pricing/enterprise-agreement/
26 https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx
27 https://azure.microsoft.com/en-us/offers/ms-azr-0111p/
28 https://azure.microsoft.com/en-us/partners/directory/

There are three roles related to Azure accounts and subscriptions:

Account administrator

✔️ Account Administrators using a Microsoft account must log in every 2 years (or more frequently) to keep the account active. Inactive accounts are cancelled, and the related subscriptions removed. There are no login requirements if using a work or school account.

Check Resource Limits

Subscriptions and Accounts 47

Reservations helps you save money by pre-paying for one-year or three-years of virtual machine, SQL Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows you to get a discount on the resources you use. Reservations can significantly reduce your virtual ma-chine, SQL database compute, Azure Cosmos DB, or other resource costs up to 72% on pay-as-you-go prices. Reservations provide a billing discount and don't affect the runtime state of your resources.

Online Lab - Exploring Monitoring Capabilities in Azure 49

Online Lab - Exploring Monitoring Capabilities in Azure

● Deploy Azure VM scale sets

● Implement monitoring and alerting by using Azure Monitor

1. Deploy an Azure VM scale set by using an Azure QuickStart template

2. Review autoscaling settings of the Azure VM scale set

● Subsciption: the name of the target Azure subscription

● Cloud Shell region: the name of the Azure region that is available in your subscription and which is closest to the lab location

Exercise 2: Implementing monitoring and alerting by us-ing Azure Monitor
The main tasks for this exercise are as follows:
1. Create Azure VM scale set metrics-based alerts
2. Configure Azure VM scale set autoscaling-based notifications
3. Test Azure VM scale set monitoring and alerting.

Task 1: Create Azure VM scale set metrics-based alerts 1. In the Azure portal, navigate to the blade representing the newly deployed Azure VM scale set and, from there, switch to the Monitoring - Metrics blade.

7. In the Condition section, click Add condition, select the Percentage CPU metric, leave the dimen-sion settings and condition type with their default values, set the condition to Greater than, set the time aggregation to Average, set the threshold to 60, set the period (grain) to Over the last 1 minutes, set the frequency to Every 1 minute and click done.

8. In the Action Groups section, click Create new, set the action group name to az30001 action group, set short name: az30001, select the Azure subscription you used in the previous exercise, accept the default name of the resource group of Default-ActivityLogAlerts (to be created), set the action name: az30001-email, and set the action type to Email/SMS/Push/Voice.

Result: After you completed this exercise, you removed the resources used in this lab.

You should use Azure Monitor and Azure Advisor.

Azure Monitor provides the fastest metrics pipeline (5 minute down to 1 minute), so you should use it for time critical alerts and notifications. These metrics can be sent to Azure Log Analytics for trending and detailed analysis.

Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. Azure Storage is:

● Durable and highly available. Redundancy ensures that your data is safe in the event of transient hardware failures. You can also opt to replicate data across datacenters or geographical regions for additional protection from local catastrophe or natural disaster. Data replicated in this way remains highly available in the event of an unexpected outage.

Microsoft provides SDKs for Azure Storage in a variety of languages – .NET, Java, Node.js, Python, PHP, Ruby, Go, and others – as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

Azure Storage is a service that you can use to store files, messages, tables, and other types of informa-tion. You can use Azure storage on its own—for example as a file share—but it is often used by develop-ers as a store for working data. Such stores can be used by websites, mobile apps, desktop applications,

● Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them, and that they use the same version.

● Diagnostic logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.

Table storage

Azure Table storage is now part of Azure Cosmos DB. To see Azure Table storage documentation, see the Azure Table Storage Overview. In addition to the existing Azure Table storage service, there is a new Azure Cosmos DB Table API offering that provides throughput-optimized tables, global distribution, and automatic secondary indexes. To learn more and try out the new premium experience, please check out Azure Cosmos DB Table API.

Premium storage accounts are backed by solid state drives (SSD) and offer consistent low-latency perfor-mance. They can only be used with Azure virtual machine disks and are best for I/O-intensive applica-tions, like databases. Additionally, virtual machines that use Premium storage for all disks qualify for a 99.99% SLA, even when running outside an availability set.

Storage Account Endpoints

Every object that you store in Azure Storage has a unique URL address. The storage account name forms the subdomain of that address. The combination of subdomain and domain name, which is specific to each service, forms an endpoint for your storage account.

✔️A Blob storage account only exposes the Blob service endpoint. And, you can also configure a custom domain name to use with your storage account.

For more information, you can see:

2. On the Storage Accounts window that appears, choose Add.

3. Select the subscription in which to create the storage account.

8. Leave these fields set to their default values:

9. Select Review + Create to review your storage account settings and create the account.

2. On the Storage Accounts window that appears, choose Add.

3. Select the subscription in which to create the storage account.

view and edit Blob,
Queue, Table, File, Cosmos DB storage and Data Lake storage. Storage Explorer is available for Windows, Mac, and Linux.

Table storage
● Query entities with OData or query builder.

Add, edit, and delete entities.●
● Import and export tables and query results.

● View, add, and dequeue messages.

Clear queue.●
File storage
● Navigate files through directories.

Azure Storage Explorer has many uses when it comes to managing your storage. See the following articles to learn more.

As mentioned previously, Storage Explorer lets you attach to external storage accounts so that storage accounts can be easily shared. To create the connection you will need the storage Account name and Account key. In the portal, the account key is called key1.

Demonstration - Storage Explorer

Note: If you have an older version of the Storage Explorer, be sure to upgrade. These steps use version 1.6.2.

2. After the installation, launch the tool.

3. Review the Release Notes and menu options.

Data Replication

Replication Options

Are there any costs to changing my account's replication strategy?

Zone Redundant Storage (ZRS) synchronously replicates your data across three (3) storage clusters in a single region. Each storage cluster is physically separated from the others and resides in its own availabili-ty zone. Each availability zone, and the ZRS cluster within it, is autonomous, with separate utilities and networking capabilities.

● ZRS may not protect your data against a regional disaster where multiple zones are permanently affected. Instead, ZRS offers resiliency for your data in the case of unavailability.

Support coverage and regional availability
ZRS currently supports standard general-purpose v2 account types. ZRS is available for block blobs, non-disk page blobs, files, tables, and queues.

✔️Consider ZRS for scenarios that require strong consistency, strong durability, and high availability even if an outage or natural disaster renders a zonal data center unavailable.

Geo-redundant storage

Create a storage account - https://docs.microsoft.com/en-us/azure/storage/common/storage-pow-ershell-guide-full#create-a-storage-account14

13 https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs 14 https://docs.microsoft.com/en-us/azure/storage/common/storage-powershell-guide-full

Storing and Accessing Data 75

● Disk Drives. You can ship Solid-state drives (SSDs) or Hard disk drives (HDDs) to the Azure datacenter.

When creating an import job, you ship disk drives containing your data. When creating an export job, you ship empty drives to the Azure datacenter.

Supported disks

Import and Export Tool
The Microsoft Azure Import/Export Tool is the drive preparation and repair tool that you can use with the Microsoft Azure Import/Export service. You can use the tool for the following functions:
● Before creating an import job, you can use this tool to copy data to the hard drives you are going to ship to an Azure datacenter.

● After an import job has completed, you can use this tool to repair any blobs that were corrupted, were missing, or conflicted with other blobs.

Storing and Accessing Data 77

● Create an export job in your source storage account using the Azure portal or the Import/Export REST API.

● Specify the source blobs or container paths of your data in the export job.

17 https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

azcopy /?

1. Scroll to the top of the Help information and read about the Common options, like: source, destina- tion, source key, and destination key.

3. Select Access keys and copy the Key Key1 value. This will be the sourcekey: value.

4. Drill down to the blob of interest, and view the file Properties.

2. Verify the blob was downloaded to your local directory.

Upload files to Azure blob storage
Note: The example continues from the previous example and requires a local directory with files. 1. The source: for the command will be a local directory with files.

1. If you have errors, read them carefully and make corrections.

2. Verify your local files were copied to the Azure container.

Storing and Accessing Data 83

How CDN Works

3. The origin returns the file to the edge server, including optional HTTP headers describing the file's Time-to-Live (TTL).

4. The edge server caches the file and returns the file to the original requestor (Alice). The file remains cached on the edge server until the TTL expires. Azure CDN automatically applies a default TTL of seven days unless you've set up caching rules in the Azure portal.

Overview of the Azure Content Delivery Network - https://docs.microsoft.com/en-us/azure/cdn/ cdn-overview

Azure CDN POP locations by region - https://docs.microsoft.com/en-us/azure/cdn/cdn-pop-loca-tions

There are four choices for Origin type: Storage, Cloud Service, Web App, and Custom origin. In this course we are focusing on storage CDNs.

Create a new CDN endpoint - https://docs.microsoft.com/en-us/azure/cdn/cdn-create-new-end-point#create-a-new-cdn-endpoint19

Troubleshooting CDN endpoints returning 404 statuses - https://docs.microsoft.com/en-us/azure/ cdn/cdn-troubleshoot-endpoint

Storing and Accessing Data 87

Compression behavior tables - https://docs.microsoft.com/en-us/azure/cdn/cdn-improve-perfor-mance#compression-behavior-tables22

Troubleshooting CDN file compression - https://docs.microsoft.com/en-us/azure/cdn/cdn-trouble-shoot-compression

● Create a new CDN endpoint25.

Set Azure CDN caching rules

Azure Monitor provides unified user interfaces for monitoring across different Azure services. Azure Storage integrates Azure Monitor by sending metric data to the Azure Monitor platform. With metrics on Azure Storage, you can analyze usage trends, trace requests, and diagnose issues with your storage account.

Azure Monitor provides multiple ways to access metrics. You can access them from the Azure Portal, Monitor APIs (REST, and .Net) and analysis solutions such as the Operation Management Suite and Event Hubs. Metrics are enabled by default, and you can access the past 30 days of data. If you need to retain data for a longer period, you can archive metrics data to an Azure Storage account.

Azure Storage metrics in Azure Monitor - https://docs.microsoft.com/en-us/azure/storage/common/ storage-metrics-in-azure-monitor?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

Monitoring Azure applications and resources - https://docs.microsoft.com/en-us/azure/monitor-ing-and-diagnostics/monitoring-overview

For more information, you can see:

The new alerts experience in Azure Monitor - https://docs.microsoft.com/en-us/azure/monitor-ing-and-diagnostics/monitoring-overview-unified-alerts

● Target Resource – Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines), you can specify multiple resources as the target of the alert rule.

● Signal – Signals are emitted by the target resource and can be of several types. Metric, Activity log, Application Insights, and Log.

Each action type is different in the details that must be provided. Here is a screenshot for the Email and SMS configuration.

● Email – Emails will be sent to the email addresses. Ensure that your email filtering is configured appropriately. You may have up to 1000 email actions in an Action Group.

● Resource. Select the resource you want to monitor. For example, resource group, virtual machine, or storage account.

3. Click Done to save the metric alert rule.

Signal Types and Metrics

● Support for multi-dimensional metrics: You can alert on dimensional metrics allowing you to monitor an interesting segment of the metric.

● More control over metric conditions: You can define richer alert rules. The newer alerts support monitoring the maximum, minimum, average, and total values of metrics.

Activity Log

The Azure Activity Log is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as “Audit Logs” or “Operational Logs”.

Once you have defined a set of filters, you can save it as a query that is persisted across sessions if you ever need to perform the same query with those filters applied again in the future. You can also pin a query to your Azure dashboard to always keep an eye on specific events.

For more information, you can see:

● Administrative - This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this catego- ry include “create virtual machine” and "delete network security group". The Administrative category also includes any changes to role-based access control in a subscription.

● Service Health - This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is “SQL Azure in East US is experiencing downtime.” Service health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security.

✔️ Log Analytics collects activity logs free of charge and stores the logs for 90 days free of charge. If you store logs for longer than 90 days, you will incur data retention charges for the data stored longer than 90 days. When you're on the Free pricing tier, activity logs do not apply to your daily data consumption.

For more information, you can see:

Advantages of this approach include:

Collect Azure Activity Logs into Log Analytics across subscriptions - https://docs.microsoft.com/en-us/ azure/log-analytics/log-analytics-activity-logs-subscriptions

39 https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-what-is-event-hubs 40 https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview

Pricing for GPv2 accounts has been designed to deliver the lowest per gigabyte prices, and industry competitive transaction prices.

You can upgrade your GPv1 or Blob storage account to a GPv2 account using Azure portal, PowerShell, or Azure CLI.

Which tool should you use? How should you connect to client resources?

Suggested Answer ↓
Microsoft Azure Storage Explorer is a standalone app from Microsoft that allows you to easily work with Azure Storage data.

• Available for Windows, Mac, and Linux.

Module 3 Module Deploying and Managing Virtual Machines (VMs)

1. Select an image or disk to use for your new virtual machine. The image is from the Marketplace. The disk is a VHD you have created.

2. Provide required information such as host name, user name, and password for the new virtual machine.

Creating Virtual Machines 107

Terms of Use

5. Under Instance details, type myVM for the Virtual machine name and choose East US for your Location. Leave the other defaults.

✔️ When no longer needed, you can delete the resource group, virtual machine, and all related resourc-es. To do so, select the resource group for the virtual machine, select Delete, then confirm the name of the resource group to delete.

PowerShell - Example (Part 1)

2. Create the initial configuration for the virtual machine with New-AzVMConfig:

In this demonstration, we will create a virtual machine using PowerShell.

Create the virtual machine

# create a resource group
New-AzResourceGroup -Name myResourceGroup -Location EastUS

# create the virtual machine
# when prompted, provide a username and password to be used as the logon credentials for the VM
New-AzVm `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Location "East US" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIpAddress" `
-OpenPorts 80,3389

4. Notice this is a Windows machine in a new VNet and subnet.

5. Notice the command started the machine.

2. Create an RDP session from your local machine. Replace the IP address with the public IP address of your VM. This command runs from a cmd window.

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypt-ed connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is by using a public-private key pair, also known as SSH keys.

● The public key is placed on your Linux VM, or any other service that you wish to use with public-key cryptography.

✔️ Azure currently requires at least a 2048-bit key length and the SSH-RSA format for public and private keys.

Demonstration - Connect to Linux Virtual Ma-chines
In this demonstration, we will create a Linux machine and access the machine with SSL.

4. Click the Generate button.

5. Move your mouse around the blank area in the window to generate some randomness.

Backup and Restore

Azure Site Recovery

● VMware Virtual Machine Replication. You can perform the replication of virtual machines by VMware to a secondary site that is also running VMware. You also can replicate to Azure.

● Physical Windows and Linux machines. You can replicate physical machines running either Windows or Linux to a secondary site or to Azure.

● Automatically replicate to Azure. Automate the orderly recovery of services in the event of a site outage at the primary datacenter. Automate the orderly recovery of services in the event of a site outage at the primary datacenter.

● Safeguard against outages of complex workloads. Protect applications in SQL Server, SharePoint, SAP, and Oracle.

It's important to understand the difference between images and snapshots. With managed disks, you can take an image of a generalized VM that has been deallocated. This image includes all of the disks at-tached to the VM. You can use this image to create a VM, and it includes all of the disks.

● A snapshot is a copy of a disk at the point in time the snapshot is taken. It applies only to one disk. If you have a VM that has one disk (the OS disk), you can take a snapshot or an image of it and create a VM from either the snapshot or the image.

There are several methods for backing up virtual machines.

1. Enable backup for individual Azure VMs. When you enable backup, Azure Backup installs an extension to the Azure VM agent that's running on the VM. The agent backs up the entire VM.

4. When you initiate a failover, the VMs are created in the target resource group, target virtual network, target subnet, and in the target availability set. During a failover, you can use any recovery point.

Recovery Services Vault VM Backup Options

Once you trigger the restore operation, the Backup service creates a job for tracking the restore opera-tion. The Backup service also creates and temporarily displays notifications, so you monitor how the backup is proceeding.

Azure Backup Server

● Backing up to MABS/DPM provides app-aware backups optimized for common apps such as SQL Server, Exchange, and SharePoint, in additional to file/folder/volume backups, and machine state backups (bare-metal, system state).

Set-AzVmCustomScriptExtension -FileUri https://scriptstore.blob.core.

windows.net/scripts/Install_IIS.ps1 -Run "PowerShell.exe" -VmName vmName

● Failure events. Be sure to account for any errors that might occur when running your script. For example, running out of disk space, or security and access restrictions. What will the script do if there is an error?

● Sensitive data. Your extension may need sensitive information such as credentials, storage account names, and storage account access keys. How will you protect/encrypt this information?

In this example we are installing IIS on the localhost. The configuration will saved as a .ps1 file.

configuration IISInstall

Virtual Machine Extensions 129

Get-WindowsFeature -name Web-Server

Note: You could also use the PowerShell Set-AzVmCustomScriptExtension command to deploy the extension. You would need to upload the script to blob container and use the URI. We will do this in the next demonstration.

Monitoring Virtual Machines 131

Monitoring

✔️Take a few minutes to navigate the Overview page and the Monitoring section to see what is available for your virtual machine.

Online Lab - Implementing custom Azure VM images 133

Objectives
After completing this lab, you will be able to:

● Install and configure HashiCorp Packer

Password: Pa55w.rd

Exercise 1: Installing and configuring HashiCorp Packer The main tasks for this exercise are as follows:

2. In the Azure portal, in the Microsoft Edge window, start a Bash session within the Cloud Shell.

3. If you are presented with the You have no storage mounted message, configure storage using the following settings:

TENANT_ID=$(echo $AAD_SP | jq .tenant | tr -d '"')

4. From the Cloud Shell pane, run the following to retrieve the value of the subscription ID and store it in a variable:
SUBSCRIPTION_ID=$(az account show --query id | tr -d '"')

9. From the Cloud Shell pane, run the following to replace the placeholder for the value of the tenant_id parameter with the value of the $TENANT_ID variable in the Packer template:
sed -i.bak3 's/"$TENANT_ID"/"'"$TENANT_ID"'"/' ~/template03.json

10. From the Cloud Shell pane, run the following to replace the placeholder for the value of the subscrip-tion_id parameter with the value of the $SUBSCRIPTION_ID variable in the Packer template: sed -i.bak4 's/"$SUBSCRIPTION_ID"/"'"$SUBSCRIPTION_ID"'"/' ~/template03.

3. Note: The build process might take about 10 minutes.

Result: After you completed this exercise, you have created a Packer template and used it to build a custom image.

| xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal. Result: In this exercise, you removed the resources used in this lab.

You need to move a VM that supports an application to Azure.

What steps should you perform? Which configuration options should you consider?

You need to move the classic VMs to Azure Resource Groups to improve administration and delegation.

How can you move the VMs to resource groups? What restrictions are there to moving the VMS?

Azure Networking Components

A major incentive for adopting cloud solutions such as Azure is to enable information technology (IT) departments to move server resources to the cloud. This can save money and simplify operations by removing the need to maintain expensive datacenters with uninterruptible power supplies, generators, multiple fail-safes, clustered database servers, and so on. For small and medium-sized companies, which might not have the expertise to maintain their own robust infrastructure, moving to the cloud is particu-larly appealing.

Azure Virtual Networks 143

● Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix systems.

For more information, you can see:

✔️ Always plan to use an address space that is not already in use in your organization, either on-premis-es or in other VNets. Even if you plan for a VNet to be cloud-only, you may want to make a VPN connec-tion to it later. If there is any overlap in address spaces at that point, you will have to reconfigure or recreate the VNet. The next lesson will focus on IP addressing.

For more information, you can see:
What is Azure Virtual Network - https://docs.microsoft.com/en-us/azure/virtual-network/virtu-al-networks-overview
Networking Limits - https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#net-working-limits-1

3. Leave the rest of the default settings and select Create.
4. Verify your virtual network was created.

Create a virtual network using PowerShell
1. Create a virtual network. Use values as appropriate.

The following limitations are applicable when using the multiple NIC feature:

Demonstration - Create VMs with Multiple NICs

In this demonstration, you will learn how to create and configure multiple NICs and then attach those NICs to a VM. You can replace example parameter names with your own values if you prefer.

1. Using az network vnet subnet create a subnet for the back-end traffic named mySubnetBackEnd:

az network vnet subnet create \
--resource-group myResourceGroup \
--vnet-name myVnet \
--name mySubnetBackEnd \
--address-prefix 10.0.2.0/24

Overview of IP Addressing

You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP addresses you can use in Azure. Virtual networks can contain both public and private IP address spaces.

A public IP address resource can be associated with virtual machine network interfaces, internet-facing load balancers, VPN gateways, and application gateways. Azure can provide an IP address (dynamic assignment) or you can assign the IP address (static assignment). The type of resource affects the assign-ment.

Address SKUs

Review of IP Addressing 151

2. Notice in the IpConfigurations area there is a PrivateIPAddress and the PrivateIpAllocationMethod is static.

Remove a static private IP address

1. Review the output.

2. Notice in the IpConfigurations area, The PrivateIPAllocationMethod is now Dynamic.

Why use a service endpoint?

● Improved security for your Azure service resources. VNet private address space can be overlap- ping and so, cannot be used to uniquely identify traffic originating from your VNet. Service endpoints provide the ability to secure Azure service resources to your virtual network, by extending VNet identity to the service. Once service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources. This provides improved security by fully removing public Internet access to resources, and allowing traffic only from your virtual network.

Azure Service Bus and Azure Event Hubs. Generally available in all Azure regions. The integration of Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabili-ties from workloads like virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

Azure Data Lake Store Gen 1. Generally available in all Azure regions where ADLS Gen1 is available. This feature helps to secure your Data Lake Storage account from external threats.

✔️ It is important to test and ensure the service endpoint is limiting access as expected.

Demonstration - Service Endpoints

2. Within the Storage Account, create a file share, and upload a file.

3. For the Storage Account, use the Shared Access Signature blade to Generate SAS and connection string.

Network Routing

Information about the system routes is recorded in a route table. A route table contains a set of rules, called routes, that specifies how packets should be routed in a virtual network. Route tables are associat-ed to subnets, and each packet leaving a subnet is handled based on the associated route table. Packets are matched to routes using the destination. The destination can be an IP address, a virtual network gateway, a virtual appliance, or the internet. If a matching route can't be found, then the packet is dropped.

For more information, you can see:

✔️ There is practice exercise that includes a complete set of steps for this scenario, including creating the virtual appliance and testing.

Create Route Table

Border gateway protocol - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-net-works-udr-overview#border-gateway-protocol

Overview of BGP with Azure VPN Gateways - https://docs.microsoft.com/en-us/azure/vpn-gateway/ vpn-gateway-bgp-overview?toc=%2fazure%2fvirtual-network%2ftoc.json

Route priorities
When the address prefixes are the same, Azure selects the route type, based on the following priority: 1. User-defined route
2. BGP route
3. System route
In our example, address 10.0.0.5, Azure selects the route with the User source, because user-defined routes are higher priority than system default routes.

Note: This demonstration requires a virtual network with at least one subnet.

Create a routing table
1. Access the Azure portal.

4. Select Create.

5. Wait for the new routing table to be deployed.

VNet-to-VNet Connections

You can connect your VNets with a VNet-to-VNet VPN connection. Using this connection method, you create a VPN gateway in each virtual network. The VPN gateway can also be used to provide a connec-tion to an on-premises network. This is called a Site-to-Site (S2S) connection. In both cases a secure tunnel using IPsec/IKE provides the communication between the networks.

Regional multi-tier applications with isolation or administrative boundary

● Within the same region, you can set up multi-tier applications with multiple virtual networks connect- ed together due to isolation or administrative requirements.

VNet-to-VNet Connectivity - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#vnet-to-vnet

Site-to-Site Connectivity - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-how-to-site-to-site-resource-manager-portal

Configuring Gateway Connections

Once your VPN gateways are created, you can create the connection between them. If your VNets are in the same subscription, you can use the portal.

For more information, you can see:

Configure the TestVNet1 gateway connection - https://docs.microsoft.com/en-us/azure/vpn-gate-way/vpn-gateway-howto-vnet-vnet-resource-manager-portal#TestVNet1Connection

● Name and Gateway Type. Name your gateway and use the VPN Gateway type.

● VPN Type. Most VPN types are Route-based.

✔️ After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway should appear as a connected device. In this last step you will create a connection for the device.

VPN Types

● Policy-based VPNs. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises

IP Address. The public IP address of the local gateway.

Address Space. One or more IP address ranges (in CIDR notation) that define your local network's address space. For example: 192.168.0.0/16. If you plan to use this local network gateway in a BGP-ena-bled connection, then the minimum prefix you need to declare is the host address of your BGP Peer IP address on your VPN device.

● A shared key. This is the same shared key that you will specify when creating the VPN connection (next step).

● The public IP address of your VPN gateway. When you created the VPN gateway you may have configured a new public IP address or used an existing IP address.

PowerShell
To verify your connection with PowerShell, use the Get-AzVirtualNetworkGatewayConnection cmdlet. For example,

Get-AzVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupN-ame MyRG

2. Select + Gateway subnet.

Notice the name of the subnet cannot be changed.

Perhaps the simplest and quickest way to connect your VNets is to use VNet peering. Virtual network peering enables you to seamlessly connect two Azure virtual networks6. Once peered, the virtual networks appear as one, for connectivity purposes. There are two types of VNet peering.

● Regional VNet peering connects Azure virtual networks in the same region.

● Performance. A low-latency, high-bandwidth connection between resources in different virtual networks.

● Communication. The ability for resources in one virtual network to communicate with resources in a different virtual network, once the virtual networks are peered.

Virtual network peering - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-net-work-peering-overview

Configure VNet Peering

To deploy a gateway in your virtual network simply add a gateway subnet.

PowerShell Example - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peer-ing-gateway-transit?toc=%2fazure%2fvirtual-network%2ftoc.json#powershell-sample7

Hub and spoke - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/ hybrid-networking/hub-spoke

● Initiated. When you create the peering to the second virtual network from the first virtual network, the peering status is Initiated.

● Connected. When you create the peering from the second virtual network to the first virtual network, its peering status is Connected. If you view the peering status for the first virtual network, you see its status changed from Initiated to Connected.

User-defined routes and service chaining

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual

Module 5 Module Managing Identities

Identity manage capabilities and integration

✔️ What reasons do you have for considering Azure Active Directory?

Active Directory Domain Services (AD DS)

● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.

● REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.

Choosing Between Azure AD and Azure AD DS

One of the main differences between Azure AD and Azure AD DS is the way devices are registered and joined.

Azure AD Directories (Tenants)

A tenant is a dedicated instance of an Azure AD directory which is created whenever you sign up for a Microsoft cloud service, such as Office 365 or Azure. It is important to note; a tenant is not the same as a subscription. A subscription is typically tied to a credit card for billing, where a tenant is an instance of Active Directory. You can have multiple tenants in your organization, such as Contoso1.com and Conto-so2.com .

✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role you would be most interested in using.

Role Definitions

Actions and NotActions

AssignableScopes

#PowerShell

New-AzureRmRoleDefinition -InputFile .\sysops.json

To configure self-service password reset, you first determine who will be enabled to use self-service password reset. From your existing Azure AD tenant, on the Azure Portal under Azure Active Directory select Password reset.

In the Password reset properties there are three options: None, Selected, and All.

After enabling password reset for user and groups, you pick the number of authentication methods required to reset a password and the number of authentication methods available to users.

At least one authentication method is required to reset a password, but it is a good idea to have addi-tional methods available. You can choose from email notification, a text or code sent to user’s mobile or office phone, or a set of security questions.

1. On the Ready to configure page, select Configure and wait for the process to finish.

2. When you see the configuration finish, select Exit.

Sync Services. This component is responsible for creating users, groups, and other objects. It is also responsible for making sure identity information for your on-premises users and groups matches what’s in the cloud.

Authentication Options

Choosing an Azure AD Authentication method is important as it is one of the first important decisions when moving to the cloud as it will be the foundation of your cloud environment and is difficult to change at a later date.

Implementing and Managing Hybrid Identities 193

● Reduce your helpdesk costs.

How does this work?

Azure AD Pass-through Authentication (PTA) is an alternative to Azure AD Password Hash Synchroniza-tion, and provides the same benefit of cloud authentication to organizations. PTA allows users to sign in to both on-premises and cloud-based applications using the same user account and passwords. When users sign-in using Azure AD, Pass-through authentication validates the users’ passwords directly against an organizations on-premise Active Directory.

● Zero-delay feedback. Password writeback is a synchronous operation. Your users are notified imme- diately if their password did not meet the policy or could not be reset or changed for any reason.

● Supports password changes from the access panel and Office 365. When federated or password hash synchronized users come to change their expired or non-expired passwords, those passwords are written back to your local Active Directory environment.

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

Azure AD Connect Health

When you integrate your on-premises directories with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. However, this integration creates the challenge of ensuring that this environment is healthy so that users can reliably access resources both on premises and in the cloud from any device.

With Azure AD Connect the key data you need is easily accessible. You can view and act on alerts, setup email notifications for critical alerts, and view performance data.

Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere.

The proliferation of devices - including Bring Your Own Device (BYOD) – empowers end users to be productive wherever and whenever. But, IT administrators must ensure corporate assets are protected and that devices meet standards for security and compliance.

Online Lab - Implementing User-Assigned Managed Identities for Azure Resources 199

Objectives
After completing this lab, you will be able to:

● Create and configure user-assigned managed identities

Exercise 1: Creating and configuring a user-assigned man-aged identity.

The main tasks for this exercise are as follows:

Task 1: Deploy an Azure VM running Windows Server 2016 Datacenter
1. From the lab virtual machine, start Microsoft Edge and browse to the Azure portal at http://portal.

azure.com and sign in by using the Microsoft account that has the Owner role in the target Azure subscription.

3. From the az3000502-LabRG - Access control (IAM) blade, assign the Owner role to the newly created user-assigned managed identity.

Result: After you completed this exercise, you have created and configured a user-assigned managed identity.

Task 1: Configure an Azure VM for authenticating via user-as-signed managed identity.

1. In the Azure portal, navigate to the az3000501-vm blade.

4. From the PowerShell prompt, run the following to install the latest version of the PowerShellGet module (press Enter if prompted for confirmation):

Install-Module -Name PowerShellGet -Force

Install-Module -Name PowerShellGet -AllowPrerelease

8. From the PowerShell prompt, run the following to install the the pre-release version of the AzureRM. ManagedServiceIdentity module:

Online Lab - Implementing User-Assigned Managed Identities for Azure Resources 203

3. Verify that the output contains only the resource groups you created in this lab. These groups will be

xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal.

• Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.

• Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and Azure AD.