Instructor: Rithin Skaria
Certification Roadmap
AZ-900 (Azure Fundamentals) is optional and is not a prerequisite for AZ-104. The passing score for AZ-104 is 700 on a 1000-point scale.
Exam AZ-104 : Skills Measured
As an administrator, you need to implement, manage and administer compute, network, storage, identity, governance and monitoring. This includes creating,
updating, resizing, and deleting resources in cloud infrastructure as needed.
One of the prerequisites for the course is basic knowledge of Azure services and strong knowledge of compute, storage, and network concepts. In large enterprise
organizations, you will be a part of a team which focuses on administering one or more Azure services.
Skills measured and exam weights:
- Manage identities and governance: 15-20%
- Implement and manage storage: 15-20%
- Deploy and manage compute resources: 20-25%
- Configure and manage virtual networking: 25-30%
- Monitor and back up resources: 10-15%
Exam AZ-104: Microsoft Azure Administrator
Course outline:
- Understand the basics of Azure Active Directory and how it differs from traditional Active Directory, along with user and group management in Azure AD.
- Manage Azure subscriptions and implement governance using Azure Policy, Azure tags and role-based access control.
- Manage Azure virtual networks and core networking concepts such as user-defined routes, Azure DNS, Azure Firewall and network security groups.
- Plan and deploy virtual machines to Azure, and set up scaling and high availability for Azure VMs.
- Load balancing distributes requests across your Azure workloads; explore the load balancing solutions available in Azure.
- Deploy Azure-to-Azure and Azure-to-on-premises connectivity.
- Automate resource deployment using ARM templates and configure VMs with VM extensions.
- Secure your Azure storage accounts.
- Work with storage services such as Azure Blobs and Azure Files.
- Get familiar with the tools used to manage Azure Storage: Azure Storage Explorer, AzCopy and the Import/Export service.
- Learn Azure App Service plans and Azure App Service.
- Explore Azure Container Instances and Azure Kubernetes Service.
- Set up backup and disaster recovery in Azure.
- Set up network monitoring tools to troubleshoot network-related issues.
- Configure monitoring for Azure resources.
Course modules: Managing Azure Active Directory; Subscription and Governance; Securing storage; Administering Azure Blobs and Azure Files; Managing Storage; Configure Virtual Machines; Automating deployment and configuration; Azure App Services; Configuring containers; Implementing virtual networking; Load Balancing; Intersite connectivity; Implement backup and recovery; Network Monitoring; Resource Monitoring.
Managing Azure Active Directory: Section Overview
Identity: Learn how to use Azure Active Directory to secure your identities, and understand how users and groups are implemented in Azure AD.
- Azure Active Directory: overview of Azure AD and related concepts
- Azure AD Join: joining and registering devices to Azure AD
- Self-Service Password Reset: enabling users to reset their passwords without contacting the IT helpdesk
- User Accounts: managing users and bulk user operations in Azure AD
- Group Accounts: group management in Azure AD
- Multi-tenant environments: managing multiple tenants or directories
Introduction to Azure AD
Azure Active Directory is a cloud-based identity and directory management service that provides access to Azure services and to other SaaS solutions such as Microsoft 365, Dropbox, Concur and Salesforce.
It offers self-service options including password reset, authentication, device management, hybrid identities and single sign-on.
Figure (image source: Microsoft Docs): Azure Active Directory at the centre, connected to business partners, SaaS apps, devices, on-premises Active Directory and on-premises applications.
Azure AD Concepts
Identity: Any object that can be authenticated is considered an identity. It could be a user, a group, a managed identity or a service principal.
Account: When data attributes are associated with an identity, we call it an account. For example, a user will have attributes such as location, department, manager and phone number.
Azure AD account: Accounts created in Azure AD or in another Microsoft cloud service are known as Azure AD accounts.
Azure AD tenant or directory: A dedicated instance of Azure AD created when an organization signs up for any Microsoft cloud service subscription. Tenant and directory mean the same thing and can be used interchangeably.
Azure AD vs Active Directory Domain Services (comparison)
Azure AD:
- Queried over HTTP/HTTPS (REST, Microsoft Graph)
- Federation can be set up with third-party identity providers (for example Facebook)
- Authentication protocols are SAML, WS-Federation and OpenID Connect; OAuth 2.0 is used for authorization
- A managed service offering; there are no servers for you to run
Active Directory Domain Services:
- Queried using LDAP
- Federation is only to other domains and forests (trusts); third-party identity providers are not supported by AD DS itself
- Kerberos (and NTLM) is used for authentication
- Runs on VMs or physical servers that you maintain
Azure AD Editions
Free: up to 50,000 directory objects (default quota); single sign-on and core IAM; B2B collaboration.
Microsoft 365 Apps: everything in Free, with no directory object limit; adds Office 365 identity and access features.
Premium P1: everything in Microsoft 365 Apps; adds hybrid identities and Conditional Access.
Premium P2: everything in P1; adds Identity Protection and Identity Governance.
User Accounts
User accounts are used for authentication and authorization; every user must have an account. All users are listed under Azure Active Directory > Users > All users. Each user account can have optional properties such as address, department and so on. Bulk operations (bulk create, bulk invite, bulk delete) are also available.
Cloud identities: Users that exist only in Azure AD. They can belong to your own Azure AD or to an external Azure AD tenant.
Guest accounts: Users that exist outside your Azure AD and are invited for collaboration, for example Microsoft accounts (Live accounts) or users from another organization.
Directory-synchronized users: Users synchronized from your on-premises Windows Server Active Directory. Directory-synchronized users cannot be created directly in Azure AD; they must be synchronized.
Managing User Accounts
Create a user: creates a user in your Azure AD. The identity created this way has a sign-in name (user principal name) in one of your tenant's domains.
Users can be deleted if needed. Deleted users are retained for 30 days and can be restored during this window.
Invite a user: invites a guest user to collaborate with your organization. An invitation is sent to the email address, and the recipient must accept it before collaborating.
All sign-in activity and audit events for users are recorded in the sign-in and audit logs.
User Accounts: Bulk Operations
Bulk operations will let you download a CSV template where
you add users you want to create, delete, or invite. Using bulk
operation, we can easily work on these operations rather than
doing one by one.
Bulk create: Create users in bulk
Bulk invite: Invite external users for collaboration in bulk.
Bulk delete: Delete existing users in bulk
Download users: Creates export of all users in the directory
Group Accounts
Group types: Security groups; Microsoft 365 groups.
Membership (assignment) types: Assigned; Dynamic user; Dynamic device (security groups only).
Azure AD Join
- Single sign-on: enable SSO for your apps, services and SaaS solutions.
- Access to Microsoft Store for Business: publish your internal applications to Microsoft Store for Business for internal users.
- Enterprise State Roaming: synchronize user settings and configuration across devices.
- Windows Hello support: on supported Windows devices, users can sign in with facial or other biometric recognition.
- Device management: check device compliance and restrict access to applications.
- Access to on-premises apps: enable seamless access to on-premises applications and resources.
Self-service password reset (SSPR)
Enables users to reset their password without calling the IT helpdesk.
Licensing: SSPR for cloud-only users is included in Azure AD Free. Password writeback for hybrid (directory-synchronized) users requires Azure AD Premium P1 or P2; it is not a P2-only feature.
Set up multiple methods for resetting the password.
Target all users or a group of users and enable SSPR for them.
For administrator accounts, SSPR is enabled by default and two authentication methods are always required.
Step 1: Enable SSPR for all users or for selected groups.
Step 2: Set the number of authentication methods required for a reset and the methods available.
Step 3: Users are prompted to register for SSPR at their next sign-in, where they enrol their reset method(s).
Multi-tenant environments
Relationship: Each Azure AD organization (tenant) is fully independent. There is no parent-child relationship between tenants; each tenant is a separate entity.
Resource independence: Creating or deleting a resource in one tenant has no impact on any resource in another tenant.
Administrative independence: A user's permissions are only valid within a tenant. A user who is Global Administrator in one tenant and a non-admin user in another has no admin rights in the tenant where they are a non-admin.
Synchronization independence: Synchronization of account data can be set up for each Azure AD tenant independently.
Managing Subscriptions
Azure Subscriptions
- A logical container that defines the billing boundary for usage. Subscriptions can also serve as environment boundaries (for example dev, test and production).
- Every resource deployed in Azure is mapped to an Azure subscription.
- Every subscription has a unique identifier, the subscription ID.
- An account can have multiple subscriptions.
- Identities in Azure AD, or an identity from any trusted Microsoft cloud service, can sign up for a subscription.
- There are different subscription types based on the use case.
- A subscription also acts as a scope for access management.
Subscription offer types
Enterprise Agreements
Recommended for organizations with 500 or more users or devices; offers cloud services and software licenses at discounted rates.
Cloud Solution Provider
Subscriptions licensed via Microsoft
Partners, ideal for small to medium
organizations. Billing is managed by
the partner.
Pay-as-you-go
Ideal for small organizations,
where they don’t have the budget
to make upfront agreements
Azure for Students
Students are eligible for $100
credit for 12 months upon
verification of student credentials
Free Trial
$200 credit for 30 days and free
limited access for 12 months.
Visual Studio
Credit based subscriptions offered
to Visual Studio Professional and
Enterprise subscribers.
Understanding the hierarchy
Management groups > Subscriptions > Resource groups > Resources
Management groups offer a scope above subscriptions so that subscriptions can be grouped together.
Each subscription contains one or more resource groups for logically grouping resources such as virtual machines and databases.
The root management group is created by default, and you can nest up to 6 levels of management groups below it, excluding the root.
The hierarchy helps in implementing policies, access control and cost management.
Figure: example hierarchy with the root management group above the IT and Finance management groups, IT containing Production and Dev, and subscriptions A, B and C placed under these groups.
Working with Role Based Access Control
Role Based Access Control
Enables administrators to grant access to Azure resources and to segregate duties within the team. A role assignment answers who (security principal), what (role definition) and where (scope).
Security principal: Any identity requesting access. It could be a user, group, service principal or managed identity.
Role definition: Defines the set of operations a particular role can perform. Written in JSON format.
Scope: The limit of access; defines a boundary.
Role assignment: Attaching a role definition to a security principal at a particular scope creates a role assignment. Each subscription has a limit on the number of role assignments (2,000 when these slides were written; since raised to 4,000).
“The Principle of Least Privilege”
Role Definition
Built-in roles (examples): Owner, Contributor, Reader, User Access Administrator, Virtual Machine Contributor.
Custom roles (examples): Helpdesk Admin, Webapps Operator.
Example built-in definition (Contributor):
    {
      "Name": "Contributor",
      "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "IsCustom": false,
      "Description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
      "Actions": [
        "*"
      ],
      "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/"
      ]
    }
Scope: Management group, Subscription, Resource group, or Resource.
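The Contributor definition above is easiest to understand by evaluating it. The following is an added example (not course material and not Microsoft's authorization engine): a small model of how Azure RBAC decides a request from the three elements on this slide. It reuses the Contributor definition as printed, and assumes a constructed subscription ID, resource group names, a user "alice", a group "web-operators" and one role assignment; those names are illustrative only.

```python
import fnmatch
import json

# The built-in Contributor definition as reproduced on the slide (Description omitted).
CONTRIBUTOR = json.loads("""
{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Actions": ["*"],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/"]
}
""")

# Constructed sample scopes (the subscription GUID is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WEB_RG = SUB + "/resourceGroups/web-rg"
VM_01 = WEB_RG + "/providers/Microsoft.Compute/virtualMachines/vm-01"
DB_RG = SUB + "/resourceGroups/db-rg"

# Constructed directory data: alice is a member of the web-operators group.
GROUPS = {"alice": {"web-operators"}}

# Constructed role assignments: security principal + role definition + scope.
ASSIGNMENTS = [
    {"principal": "web-operators", "role": CONTRIBUTOR, "scope": WEB_RG},
]


def _matches(operation, patterns):
    # Operation names are case-insensitive and '*' is the only wildcard;
    # it spans '/' just like Azure's matching does.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role, operation, data_action=False):
    """Effective permission = Actions minus NotActions (DataActions minus
    NotDataActions for data-plane calls). NotActions subtracts from this
    role's grant; it is not a deny that overrides other assignments."""
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role["NotDataActions"] if data_action else role["NotActions"]
    return _matches(operation, allow) and not _matches(operation, deny)


def scope_covers(parent, child):
    """An assignment at a scope applies to that scope and all child scopes.
    Compare whole path segments so /resourceGroups/web-rg does not cover web-rg2."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return p == "" or c == p or c.startswith(p + "/")


def is_allowed(principal, operation, resource_scope, data_action=False,
               assignments=ASSIGNMENTS, groups=GROUPS):
    """Azure RBAC is additive: access is granted if ANY assignment for the user
    or one of its groups covers the scope and its role permits the operation."""
    identities = {principal} | groups.get(principal, set())
    return any(
        a["principal"] in identities
        and scope_covers(a["scope"], resource_scope)
        and role_permits(a["role"], operation, data_action)
        for a in assignments
    )


def can_assign_role(role, scope):
    """A role definition can only be assigned inside one of its AssignableScopes."""
    return any(scope_covers(s, scope) for s in role["AssignableScopes"])


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_01, False),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM_01, False),
        ("alice", "Microsoft.Compute/virtualMachines/write", DB_RG, False),
        ("alice", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", WEB_RG, True),
    ]
    for who, op, scope, data in checks:
        print(f"{who:6} {op:70} {scope.split('/')[-1]:8} -> {is_allowed(who, op, scope, data)}")
```

Two results are worth noticing: the role assignment write is refused even though Actions is "*", because NotActions removes it (that is exactly why Contributor cannot delegate access), and the blob read is refused because Contributor has an empty DataActions list, so control-plane rights say nothing about data-plane access.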
Azure RBAC vs Azure AD Roles (comparison)
Azure RBAC:
- Used to manage access to Azure resources
- Role assignments can be managed via the Azure portal, Azure PowerShell, Azure CLI, ARM templates and the REST API
- Scopes include management groups, subscriptions, resource groups and resources
- Example roles: Owner, Contributor, Reader, User Access Administrator
Azure AD roles:
- Used to manage Azure AD features
- Roles can be managed via the Azure portal, the Microsoft 365 admin center, the Microsoft Graph API, and the Azure AD and Microsoft Graph PowerShell modules
- Scope is the Azure AD tenant (administrative units allow narrower scoping)
- Example roles: Global Administrator, Billing Administrator, Global Reader
Figure (image source: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?WT.mc_id=modinfra-28824-socuff): the Azure AD tenant with its admin roles (Global admin, Application admin, Application developer, Billing admin) sits above the root management group ("/"); Azure RBAC roles (Owner, Contributor, Reader, User access admin) apply from the root management group down through management groups, subscriptions, resource groups and resources. A Global Administrator can elevate access to become User Access Administrator at the root scope.
Built-in roles and Custom Roles
Built-in roles
Built-in roles are roles offered by Azure that we can assign to users, groups, service principals and managed identities. The following are the fundamental roles you need to be aware of.
Owner: Full access to all resources, including the right to delegate access to others.
Contributor: Create and manage all types of resources, but cannot grant access to others.
Reader: Read access to all resources; no permission to make changes.
User Access Administrator: Manage user access to Azure resources (role assignments) without managing the resources themselves.
Custom RBAC Roles
Custom RBAC roles let you create fine-tuned roles for your environment when the built-in roles don't meet your specific needs.
Each directory (tenant) can have up to 5,000 custom roles.
Custom roles can be created from the Azure portal, Azure PowerShell, Azure CLI and the REST API.
Custom roles can be assigned to users, groups and service principals at any scope within the role's assignable scopes, in the same way as built-in roles.
Demo: Managing access using the Azure portal
Azure Tags
Adding metadata: Tags add metadata to subscriptions, resource groups and resources.
Logical grouping: Tags let us logically filter resources for management purposes.
Name-value pair: Tags are name-value pairs. A tag name is limited to 512 characters and a tag value to 256 characters. A maximum of 50 tags can be assigned to a resource.
Cost management: Tags can be used to filter Azure usage and cost data; tags added to resources propagate to the Azure billing system.
Tags are not inherited by default; Azure Policy (the modify effect) can be used to inherit tags from the resource group or subscription.
Resource Locks
Avoids accidental changes: Resource locks protect resources from accidental changes or deletion. They apply regardless of RBAC role, so even an Owner must remove the lock before the blocked operation succeeds.
Inheritance: Locks can be applied at the subscription, resource group and resource level. A lock is inherited by all lower scopes.
Read-only locks (ReadOnly): Resources with a read-only lock cannot be modified; this prevents any changes to the resource. Some operations that look like reads are blocked too, for example listing storage account keys, because they are POST requests.
Delete locks (CanNotDelete): Resources with a delete lock can be modified but not deleted. Ideal for resources you want to keep modifying while preventing accidental deletion.
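How inheritance and the two lock levels combine is easiest to see by evaluating a few requests. This is an added example, not course material and not Azure's own implementation; it assumes a constructed subscription ID, resource group and resource names and two constructed locks.

```python
# Lock levels as Azure names them. ReadOnly is the stricter one.
CAN_NOT_DELETE = "CanNotDelete"
READ_ONLY = "ReadOnly"

# Constructed sample scopes (placeholder subscription GUID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
PROD_SA = PROD_RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"

# Constructed locks: nothing in the production resource group may be deleted,
# and one storage account inside it is additionally frozen read-only.
LOCKS = [
    {"name": "no-delete-prod", "level": CAN_NOT_DELETE, "scope": PROD_RG},
    {"name": "freeze-prodlogs", "level": READ_ONLY, "scope": PROD_SA},
]


def scope_covers(parent, child):
    """A lock applies to its own scope and every scope beneath it."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")


def effective_locks(resource_scope, locks=LOCKS):
    """Locks inherited from the subscription, the resource group and the resource itself."""
    return [l for l in locks if scope_covers(l["scope"], resource_scope)]


def is_blocked(operation, resource_scope, locks=LOCKS):
    """operation is 'read', 'write' or 'delete'. The most restrictive inherited
    lock wins: CanNotDelete blocks delete; ReadOnly blocks delete and write."""
    levels = {l["level"] for l in effective_locks(resource_scope, locks)}
    if operation == "delete":
        return bool(levels)
    if operation == "write":
        return READ_ONLY in levels
    return False


def blocking_locks(operation, resource_scope, locks=LOCKS):
    """Names of the locks that Azure would cite in the error for this operation."""
    if operation == "read":
        return []
    wanted = {CAN_NOT_DELETE, READ_ONLY} if operation == "delete" else {READ_ONLY}
    return sorted(l["name"] for l in effective_locks(resource_scope, locks)
                  if l["level"] in wanted)


if __name__ == "__main__":
    for op, scope in [("delete", PROD_VM), ("write", PROD_VM), ("write", PROD_SA),
                      ("delete", PROD_RG), ("delete", DEV_VM)]:
        print(f"{op:6} {scope.split('/')[-1]:12} blocked={is_blocked(op, scope)} "
              f"by {blocking_locks(op, scope)}")
```

Note that deleting the resource group itself is blocked by the lock placed on it, and that the storage account picks up both locks: the resource group's CanNotDelete by inheritance and its own ReadOnly.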
Analyzing costs
Cost Analysis: We can analyze current spending and see cost forecasts. AWS cost data can also be connected to Azure Cost Management.
Budgets and Recommendations: Using Cost Management, we can define fine-tuned budgets targeting specific scopes and narrow them further with filters. Cost-related recommendations can also be generated.
Export data: Cost data can be exported to a storage account in Azure, either as a one-time export or as a recurring export that runs on a schedule we define.
Cost savings
Chart (as labelled on the slide): PAYG 100%, Azure RI 60%, Azure RI + AHUB 80%.
Azure Reserved Instances (RI): Instances that are planned for the long term and run 24x7 can be reserved. Reservations can be purchased for 1 or 3 years, paid upfront or in equal monthly payments.
Azure Hybrid Benefit (AHUB): Windows Server and SQL Server licenses with Software Assurance can be used with your Azure VMs and PaaS services. AHUB is cheaper than paying for PAYG licensing.
Credits: Credit-based subscriptions such as Visual Studio Enterprise, Visual Studio Professional and MPN provide monthly credits that can be used for testing and developing solutions on Azure.
Regions: Every Azure region has different pricing. When deploying resources, choose low-cost regions, but make sure you are not compromising the compliance or performance requirements of your workloads.
Azure Policy
Helps us create, manage and assign policies. Policies define organizational standards and identify non-compliant resources.
Definition: A policy definition is a JSON document that defines the policy and its effect. Azure provides built-in policies, or you can write custom ones.
Scope: As with RBAC, we must specify the scope at which the policy is enforced: a management group, a subscription or a resource group (individual resources can be excluded).
Assignment: Assignment is the process of assigning a policy definition to a scope. Once assigned, the policy is enforced; a deny effect blocks non-compliant deployments, while audit effects only record them.
Compliance: After assigning the policy, we can evaluate compliance to see which resources are compliant and non-compliant. Existing resources are not changed by a deny policy; they are simply reported as non-compliant.
Azure Policy use cases
Allowed resource types: Defines the set of resource types that can be created in the selected scope.
Allowed virtual machine SKUs: Defines the set of VM SKUs that can be deployed.
Allowed locations: Defines the set of regions where resources can be deployed.
Require tags: Enforces tags that must be present on resources.
Inherit tags: Inherits tags from the subscription or resource group.
Allowed resource group locations: The list of locations where resource groups can be created.
Initiative: Chaining policy definitions so that they can be assigned as a single item and their compliance evaluated together.
Example initiative (as on the slide):
- Not allowed resource types: Cosmos DB, ExpressRoute, Redis Cache, Cognitive Services
- Require a tag on resources: CostCenter
- Allowed locations: East US, West US and Central US
- Azure Backup should be enabled for Virtual Machines: audit all VMs and make sure VM backup is enabled
- Allowed Virtual Machine SKUs: BS, DSv2, DSv3, F, FS
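To make the definition/assignment/compliance flow concrete, here is an added example (not course material and not the Azure Policy engine) that evaluates an initiative built from the five policies above against constructed resources. The definitions use the real policyRule shape (if/then with field conditions and allOf/anyOf/not), but with literal value lists where the built-ins take parameters; the resource type names, the `properties.backupEnabled` flag and the resource documents are constructed for the example.

```python
import fnmatch


def _field(resource, path):
    """Resolve a policy 'field' against a resource document: 'location', 'type',
    "tags['Name']" or a dotted path such as properties.hardwareProfile.vmSize."""
    if path.startswith("tags['") and path.endswith("']"):
        return resource.get("tags", {}).get(path[6:-2])
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _lower(v):
    return v.lower() if isinstance(v, str) else v


def evaluate_condition(cond, resource):
    """Subset of the Azure Policy condition language; string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _lower(value) == _lower(cond["equals"])
    if "notEquals" in cond:
        return _lower(value) != _lower(cond["notEquals"])
    if "in" in cond:
        return _lower(value) in [_lower(v) for v in cond["in"]]
    if "notIn" in cond:
        return _lower(value) not in [_lower(v) for v in cond["notIn"]]
    if "like" in cond:
        return isinstance(value, str) and fnmatch.fnmatchcase(value.lower(), cond["like"].lower())
    raise ValueError(f"unsupported condition: {cond}")


VM_SIZE = "properties.hardwareProfile.vmSize"
IS_VM = {"field": "type", "equals": "Microsoft.Compute/virtualMachines"}

# Constructed initiative mirroring the slide; built-ins use [parameters(...)] instead of literals.
INITIATIVE = {"name": "kodekloud-baseline", "definitions": [
    {"name": "not-allowed-resource-types",
     "policyRule": {"if": {"field": "type", "in": [
         "Microsoft.DocumentDB/databaseAccounts", "Microsoft.Network/expressRouteCircuits",
         "Microsoft.Cache/Redis", "Microsoft.CognitiveServices/accounts"]},
                    "then": {"effect": "deny"}}},
    {"name": "require-tag-costcenter",
     "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"},
                    "then": {"effect": "deny"}}},
    {"name": "allowed-locations",
     "policyRule": {"if": {"field": "location", "notIn": ["eastus", "westus", "centralus"]},
                    "then": {"effect": "deny"}}},
    {"name": "allowed-vm-skus",
     "policyRule": {"if": {"allOf": [IS_VM, {"not": {"anyOf": [
         {"field": VM_SIZE, "like": p} for p in ("Standard_B*", "Standard_DS*", "Standard_F*")]}}]},
                    "then": {"effect": "deny"}}},
    # backupEnabled is a constructed flag standing in for the auditIfNotExists check the real policy does.
    {"name": "backup-should-be-enabled",
     "policyRule": {"if": {"allOf": [IS_VM, {"field": "properties.backupEnabled", "notEquals": True}]},
                    "then": {"effect": "audit"}}},
]}


def evaluate(initiative, resource):
    """Map each definition whose 'if' block matches (= non-compliant) to its effect."""
    hits = {}
    for d in initiative["definitions"]:
        rule = d["policyRule"]
        if evaluate_condition(rule["if"], resource):
            hits[d["name"]] = rule["then"]["effect"].lower()
    return hits


def deployment_allowed(initiative, resource):
    """'deny' rejects the request at the ARM layer; 'audit' only records non-compliance."""
    return "deny" not in evaluate(initiative, resource).values()


# Constructed sample resources in ARM resource shape.
RESOURCES = {
    "vm-01": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "tags": {"CostCenter": "1234"},
              "properties": {"hardwareProfile": {"vmSize": "Standard_DS2_v2"}, "backupEnabled": True}},
    "vm-02": {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {"CostCenter": "1234"},
              "properties": {"hardwareProfile": {"vmSize": "Standard_NC6"}, "backupEnabled": False}},
    "cosmos-01": {"type": "Microsoft.DocumentDB/databaseAccounts", "location": "eastus", "tags": {}},
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(name, "allowed" if deployment_allowed(INITIATIVE, res) else "DENIED", evaluate(INITIATIVE, res))
```

vm-02 shows the difference between effects: the two deny hits would block the deployment outright, while the audit hit would only show up on the compliance dashboard. cosmos-01 is non-compliant twice, once for its type and once for the missing CostCenter tag.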
Creating and configuring virtual networks
Virtual Networks
Representation of
cloud network
Logical representation of your network in
the cloud. Azure Virtual Networks (VNets)
helps us to create and manage networking
in Azure
Dedicated instance
Every VNet instance in Azure is private and
dedicated
Hybrid scenarios
With the help of VNets, we can extend our
communication to on-premises datacenters
and other cloud providers securely.
Connectivity between
Azure services
Virtual Network is responsible for facilitating
connectivity between Azure Virtual Machines and
other Azure services. Also, enables Azure VMs to
connect to Internet.
Virtual Network Concepts
Figure: a region containing a virtual network (192.168.0.0/16) with three subnets: GatewaySubnet 192.168.0.0/24, frontendSubnet 192.168.1.0/24 and databaseSubnet 192.168.2.0/24.
Address space: Each virtual network must have an address space. You can use private (RFC 1918) or public address ranges. The rule of thumb is not to let the address space overlap with other VNet address spaces or with your on-premises address space, otherwise peering and VPN routing will not work. Whenever a resource is created in the VNet, its IP address is taken from this address space.
Subnets: Subnets segment the VNet address space into smaller networks, each of which can host a different type of workload. Every resource in a subnet gets an IP address from the range allocated to that subnet.
Regions: An Azure region is a set of datacenters spread across availability zones. Each Azure region can contain one or more virtual networks, based on your requirements.
Private and Public IP addresses
Private IP addresses
Figure: the same VNet (192.168.0.0/16); the gateway subnet holds 192.168.0.4, the frontend subnet 192.168.1.4 to 192.168.1.7 and the database subnet 192.168.2.4 to 192.168.2.7. The first usable address in each subnet is .4 because Azure reserves the first four addresses and the last address of every subnet.
Private IP addresses are used within the Azure virtual network and in hybrid scenarios involving VPN gateways and ExpressRoute connections.
Allocation methods
Static: A fixed IP address that does not change when the VM is rebooted or deallocated, as needed for domain controllers, web servers and DNS servers. Also used with services such as internal load balancers and application gateways.
Dynamic: The default option; the IP address is allocated dynamically from the subnet's address pool. If a VM is stopped (deallocated) and started again and its previous address is no longer available, Azure assigns another available address from the subnet.
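The two rules just stated (no overlapping address spaces, and five reserved addresses per subnet) are the ones a VNet design is most often checked against. The following is an added example, not course material, that validates the VNet drawn on the slide with Python's standard ipaddress module; the on-premises range 10.0.0.0/8 and the minimum/recommended prefix lengths are assumptions stated in the comments.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the network address, the default
# gateway (.1), two for Azure-provided DNS (.2, .3) and the broadcast address.
# That is why the first address a NIC receives is .4, as in the diagram above.
AZURE_RESERVED = 5
SMALLEST_PREFIX = 29        # /29 is the smallest subnet Azure accepts
GATEWAY_RECOMMENDED = 27    # Microsoft recommends /27 or larger for GatewaySubnet


def plan_vnet(address_space, subnets, foreign_ranges=()):
    """Validate a VNet layout the way ARM would, and report what each subnet can
    actually hand out. foreign_ranges are peered VNets or on-premises prefixes
    that the address space must not overlap. Nothing is raised; every finding
    is returned so a script can print all problems at once."""
    vnet = ipaddress.ip_network(address_space)
    plan, errors, warnings, placed = {}, [], [], []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > SMALLEST_PREFIX:
            errors.append(f"{name}: {cidr} is smaller than /{SMALLEST_PREFIX}")
            continue
        if not net.subnet_of(vnet):
            errors.append(f"{name}: {cidr} is outside {address_space}")
            continue
        for other_name, other in placed:
            if net.overlaps(other):
                errors.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        if name == "GatewaySubnet" and net.prefixlen > GATEWAY_RECOMMENDED:
            warnings.append(f"GatewaySubnet {cidr} is smaller than the recommended /{GATEWAY_RECOMMENDED}")
        placed.append((name, net))
        plan[name] = {
            "first_assignable": str(net.network_address + (AZURE_RESERVED - 1)),
            "last_assignable": str(net.broadcast_address - 1),
            "usable": net.num_addresses - AZURE_RESERVED,
        }
    for rng in foreign_ranges:
        if vnet.overlaps(ipaddress.ip_network(rng)):
            errors.append(f"{address_space} overlaps peered/on-premises range {rng}")
    return {"subnets": plan, "errors": errors, "warnings": warnings}


# Constructed example: the VNet drawn on the slide, plus an on-premises range
# (assumed) that it will later be connected to through a VPN gateway.
SLIDE_VNET = ("192.168.0.0/16", {
    "GatewaySubnet": "192.168.0.0/24",
    "frontendSubnet": "192.168.1.0/24",
    "databaseSubnet": "192.168.2.0/24",
})
ON_PREM = ["10.0.0.0/8"]

if __name__ == "__main__":
    result = plan_vnet(*SLIDE_VNET, foreign_ranges=ON_PREM)
    for name, info in result["subnets"].items():
        print(f"{name:15} {info['first_assignable']} - {info['last_assignable']} ({info['usable']} usable)")
    print("errors:", result["errors"], "warnings:", result["warnings"])
```

A /24 therefore yields 251 assignable addresses, not 254; size subnets for load balancers, private endpoints and scale-set growth with that in mind.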
Public IP addresses
Used for Internet-facing and public services, and for VNet-to-on-premises connections (VPN gateway or ExpressRoute).
Figure: a VM with private IP 192.168.1.4 in the default subnet (192.168.1.0/24) of a virtual network, with a public IP address attached for Internet access.
Allocation types: Static and Dynamic. SKUs: Basic and Standard.
Feature comparison:
- IP allocation: Basic SKU static or dynamic; Standard SKU static only.
- Security: Basic SKU is open by default; Standard SKU is closed by default and requires an NSG rule to allow inbound traffic.
- Resources: Basic SKU can be attached to VM NICs, VPN gateways, public load balancers and application gateways; Standard SKU to VM NICs, public load balancers and application gateways.
- Redundancy: Basic SKU has no zone redundancy; Standard SKU can be zone-redundant.
Basic SKU public IP addresses are being retired (announced retirement date 30 September 2025); use Standard for new deployments.
User Defined Routes
System routes
Figure: a virtual network (192.168.0.0/16) with frontendSubnet 192.168.1.0/24 and databaseSubnet 192.168.2.0/26.
Azure creates system routes automatically for:
- Communication between VMs in the same subnet
- Communication from a VM to the Internet
- Communication between VMs in different subnets of the same virtual network
- Communication over Site-to-Site and ExpressRoute connections when a virtual network gateway is deployed
User Defined Routes
Figure: the same VNet with an added dmzSubnet (192.168.0.0/24) hosting a network virtual appliance (NVA); a route table associated with a subnet sends traffic through the NVA instead of following the system route.
A user-defined route overrides the system route for a matching prefix. The next hop can be a virtual network gateway, the virtual network, the Internet, a virtual appliance (specified by its private IP address), or None to drop the traffic.
Service Endpoints
Figure: a VM (192.168.1.4) in workloadSubnet of a virtual network (192.168.0.0/16) reaching the storage account "kodekloud" over its public endpoint; with a service endpoint, the storage firewall sees the VM's private IP as the source and allows only VNet/workloadSubnet.
Benefits:
- Access Azure services with better security: the service's firewall can be restricted to the subnet, and the source IP seen by the service is the VM's private IP.
- Easy to set up and manage.
- Traffic stays on the Microsoft backbone network.
Supported services include Azure Storage, Azure SQL Database, Azure Synapse Analytics, Azure Database for PostgreSQL server, Azure Database for MySQL server, Azure Database for MariaDB server, Azure Cosmos DB, Azure Key Vault, Azure Service Bus, Azure Event Hubs, ADLS Gen1, Azure App Service, Azure Cognitive Services, and Azure Container Registry (preview at the time of the slide).
Caveat: the service keeps its public IP; a service endpoint only changes how traffic from the subnet is routed and identified.
Private Link
Figure: the same VM (192.168.1.4) in workloadSubnet reaching the storage account "kodekloud" through a private endpoint, a network interface with a private IP from the subnet, instead of the service's public endpoint.
Benefits:
- Connect to Azure services over a private connection; the service is reachable at a private IP inside your VNet.
- Greatly reduces the risk of data exfiltration, because the private endpoint maps to one specific resource rather than to the whole service.
- Seamless integration with on-premises and peered networks: a private IP is reachable over VPN, ExpressRoute and peering, which service endpoints are not.
- Available directly inside Azure VNets.
Service endpoint vs private endpoint: a service endpoint keeps the public endpoint and restricts which subnets may use it; a private endpoint gives the resource a private IP in your subnet and needs DNS (typically a private DNS zone) so that the service name resolves to that IP.
Azure DNS
DNS hosting: Azure DNS hosts secure and reliable DNS zones for name resolution; we create records inside these zones.
Naming convention: The zone name must be unique within the resource group. The same zone name can exist in multiple resource groups, in which case each zone is assigned different name servers.
Delegation: You can delegate a child zone from your on-premises (or registrar-hosted) DNS to Azure DNS by adding NS records that point at the Azure DNS name servers assigned to the zone.
Record sets: Records with the same name and type are grouped into a record set. A record set can hold a maximum of 20 records, and they must be unique.
Figure: a query for azure.kodekloud.org reaches the on-premises DNS servers for kodekloud.org, which delegate the azure.kodekloud.org zone to the Azure DNS name servers.
Checking the delegation from a client, as shown on the slide:
    dig @ns1-09.azure-dns.com. azure.kodekloud.org A
Private DNS zones
Name resolution for services deployed in Azure virtual networks.
Figure: private DNS zone kodekloud-internal.com linked to vnet-a (10.0.0.0/24) and vnet-b (10.1.0.0/24).
Records in the zone (name, IP):
  vm-01  10.0.0.4
  vm-02  10.0.0.5
  vm-03  10.0.0.6
  vm-04  10.1.0.4
  vm-05  10.1.0.5
  vm-06  10.1.0.6
Network Security Groups
Filter traffic: An NSG operates at layers 3 and 4 (IP addresses, protocol and ports) and filters traffic entering and leaving a virtual network.
Rule set: An NSG comprises a set of priority-based rules that allow or deny inbound or outbound traffic.
Association: NSGs can be associated with subnets and with network interfaces. Multiple subnets and network interfaces can share a single NSG.
Evaluation: Rules applied at the subnet level and at the network interface level are evaluated separately. Traffic must be allowed at both levels to be admitted.
Rules are evaluated in priority order. There is a set of default rules that cannot be modified or deleted; nevertheless, we can override them by creating rules with a higher priority (a lower number). Besides the source and destination IP details, rules are built from the following attributes:
Service: Choose a custom or predefined service such as HTTP, HTTPS, RDP or SSH to fill in the respective ports.
Port range: Configure a single port or a port range.
Priority: The lower the number, the higher the priority. Custom rules use 100-4096; the 65000 range is reserved for the default rules.
Action: Allow or Deny.
Evaluation stops at the first matching rule, so a more specific rule must carry a lower number than the broader rule it is meant to override.
Network Security Group Rules: Effective Security Rules
Figure: HTTP traffic passing through the subnet NSG and then the network interface NSG on its way to the VM, and back out in the reverse order.
Inbound traffic: Source -> Subnet NSG -> Network interface NSG -> VM
Outbound traffic: VM -> Network interface NSG -> Subnet NSG -> Destination
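Priority ordering, the default rules and the "allow at both levels" requirement interact in ways that are easy to get wrong, so here is an added example (not course material, not Azure's packet filter) that replays the inbound evaluation for a few flows. The two NSGs, the VNet range behind the VirtualNetwork tag, the jumpbox address and the placeholder public client address 20.40.60.80 are all constructed for the example; only the default rule names and priorities are Azure's.

```python
import ipaddress

# Constructed: the VNet address space behind the 'VirtualNetwork' service tag
# (the real tag also covers peered VNets and on-premises prefixes learned via gateways).
VNET_RANGES = [ipaddress.ip_network("192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")   # source of load balancer health probes


def rule(priority, name, src, port, action, proto="*"):
    """Build a custom rule; Azure only accepts custom priorities 100-4096."""
    if not 100 <= priority <= 4096:
        raise ValueError(f"{name}: custom rule priority must be 100-4096")
    return {"priority": priority, "name": name, "src": src, "port": port,
            "action": action, "proto": proto}


# Azure's default inbound rules: fixed priorities above 4096, cannot be edited or deleted.
DEFAULT_INBOUND = [
    {"priority": 65000, "name": "AllowVnetInBound", "src": "VirtualNetwork", "port": "*", "action": "Allow", "proto": "*"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound", "src": "AzureLoadBalancer", "port": "*", "action": "Allow", "proto": "*"},
    {"priority": 65500, "name": "DenyAllInBound", "src": "*", "port": "*", "action": "Deny", "proto": "*"},
]

# Constructed NSGs for the frontend subnet and for vm-01's network interface.
SUBNET_NSG = [
    rule(100, "AllowHttpsFromInternet", "Internet", "443", "Allow", "Tcp"),
    rule(110, "AllowSshFromJumpbox", "192.168.0.0/24", "22", "Allow", "Tcp"),
]
NIC_NSG = [
    rule(100, "DenySsh", "*", "22", "Deny", "Tcp"),
    rule(200, "AllowWebFromInternet", "Internet", "80-443", "Allow", "Tcp"),
]


def _src_matches(spec, src_ip):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in r for r in VNET_RANGES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec)   # a literal IP or CIDR


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in str(spec).split(","):          # e.g. "22", "80-443", "80,443"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_nsg(custom_rules, flow):
    """Rules are tried from the lowest priority number upward; the first match
    decides and evaluation stops, so nothing after it is consulted."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r["proto"] in ("*", flow["proto"]) and _src_matches(r["src"], flow["src_ip"])
                and _port_matches(r["port"], flow["dst_port"])):
            return r["action"], r["name"]
    return "Deny", "(no rule)"


def inbound_allowed(subnet_rules, nic_rules, flow):
    """Inbound: subnet NSG first, then NIC NSG. Both must allow; a deny at either
    level drops the packet. Returns (allowed, decision trail)."""
    trail = {"subnet": evaluate_nsg(subnet_rules, flow)}
    if trail["subnet"][0] == "Deny":
        return False, trail
    trail["nic"] = evaluate_nsg(nic_rules, flow)
    return trail["nic"][0] == "Allow", trail


# Constructed flows: a public client (placeholder public address) and the jumpbox at 192.168.0.4.
FLOWS = {
    "internet_https": {"src_ip": "20.40.60.80", "dst_port": 443, "proto": "Tcp"},
    "internet_ssh":   {"src_ip": "20.40.60.80", "dst_port": 22, "proto": "Tcp"},
    "jumpbox_ssh":    {"src_ip": "192.168.0.4", "dst_port": 22, "proto": "Tcp"},
    "jumpbox_https":  {"src_ip": "192.168.0.4", "dst_port": 443, "proto": "Tcp"},
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, inbound_allowed(SUBNET_NSG, NIC_NSG, flow))
```

The jumpbox_ssh flow is the instructive one: the subnet NSG allows it explicitly at priority 110, but the NIC NSG's DenySsh at priority 100 still drops it, which is the "allow at both levels" rule in action. jumpbox_https is admitted by nothing more than the default AllowVnetInBound rule at both levels, a reminder that the defaults permit all intra-VNet traffic unless you add a deny below 65000.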
Azure Firewall
Features: highly available and scalable; built-in redundancy; multiple types of rules (network, application and NAT rules); threat intelligence-based filtering; public IP support (SNAT/DNAT).
Figure: a hub-and-spoke topology in which Azure Firewall sits in the AzureFirewallSubnet of CentralVNet; SpokeNetworkA and SpokeNetworkB are connected (peered) VNets whose traffic to the Internet and to on-premises passes through the firewall.
- Traffic is denied by default
- Traffic is allowed using rules and threat intelligence
- Connectivity to on-premises
Planning VMs
Shared responsibility model
Image source: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Virtual Machine Planning
We need to plan certain aspects before deploying our virtual machines.
Networking: Plan the network address spaces based on the number of virtual machines you intend to create, and make sure the address spaces do not overlap.
Naming: A naming convention helps identify VMs by their names. Try adding environment, role, service and region details to VM names. For example, a production web server in East US could be named "web-prod-eus".
Location: Check the availability of VM sizes in Azure regions. Choose low-cost regions if you are flexible about data residency. For production resources, choose regions close to your customers to avoid performance issues. Azure has 60+ regions to choose from.
Pricing: Consider pricing models such as Pay-As-You-Go and Reserved Instances. For low-priority development workloads, choose Spot VMs. Licensing cost can be reduced by using Azure Hybrid Benefit.
Managing VM sizes
Virtual Machine Sizing
Choosing the virtual machine size and family depends on the type of workload you are running. Azure offers different VM families targeting different types of workloads.
General Purpose (B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5): Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
Compute optimized (F, Fs, Fsv2, FX): High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
Memory optimized (Esv3, Ev3, Easv4, Eav4, Ebdsv5, Ebsv5, Ev4, Esv4, Edv4, Edsv4, Ev5, Esv5, Edv5, Edsv5, Easv5, Eadsv5, Mv2, M, DSv2, Dv2): High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
Storage optimized (LSv2): High disk throughput and IO. Ideal for Big Data, SQL and NoSQL databases, data warehousing and large transactional databases.
GPU (NC, NCv2, NCv3, NCasT4_v3, ND, NDv2, NV, NVv3, NVv4, NDasrA100_v4, NDm_A100_v4): Specialized virtual machines for heavy graphics rendering and video editing, as well as model training and inferencing (ND) with deep learning. Available with single or multiple GPUs.
HPC (HB, HBv2, HBv3, HC, H): The fastest and most powerful CPU virtual machines, with optional high-throughput network interfaces (RDMA).
Confidential computing (DCsv2, DCsv3, DCdsv3): Confidential computing isolates sensitive data while it is being processed, using hardware-based trusted execution environments. Ideal for banks and hospitals that handle customer PII.
Source: Microsoft documentation, VM sizes.
Virtual Machine Storage
Figure: a virtual machine with an OS disk, a temporary disk and a data disk; the persistent disks are backed by Azure Blob Storage (page blobs).
Performance tiers: Azure disks can be created in different performance tiers: Standard HDD, Standard SSD, Premium SSD or Ultra Disk. IOPS and throughput vary by tier. Standard HDD is the cheapest option. Managed disks can be switched between Standard HDD, Standard SSD and Premium SSD after creation (the VM must be deallocated); Ultra Disks cannot be converted. Premium SSD or better is required for IO-intensive applications.
Management: When creating VMs, you can choose between managed and unmanaged disks. With unmanaged disks, the customer manages the underlying storage account that stores the VHD file. With managed disks, Microsoft manages the underlying storage account and you simply use the service. Microsoft recommends managed disks.
The temporary disk is local to the host and its contents are lost on deallocation, resize or host failure; never store data there that you cannot recreate.
Creating VMs
Creating Virtual Machine (Portal)
Basics (mandatory): Subscription, Resource group,
Region, VM Image, Size, Port rules
Networking: Virtual Network, subnet, NSG, load
balancing
Disks: Disk type, size, data disks
Management: Monitoring, Diagnostic Account,
Azure AD login, Backup, Auto-shutdown
Creating Virtual Machine (PowerShell & Azure CLI)
>_ PowerShell
PS > New-AzVm `
-ResourceGroupName "web-rg" `
-Name "vm-01" `
-Location "East US" `
-VirtualNetworkName "vm-01-vnet" `
-SubnetName "default" `
-SecurityGroupName "vm-01-nsg" `
-PublicIpAddressName "vm-01-pip"
>_ Azure CLI
$ az vm create \
--name vm-01 \
--resource-group web-rg \
--image UbuntuLTS \
--location EastUS2 \
--admin-username adminuser \
--admin-password 'Pa$$w0rd1234'
# single quotes are required: unquoted, the shell replaces "$$" with its own process ID
# and a different password is set. Prefer --generate-ssh-keys over a password on the
# command line, which also lands in the shell history.
Connecting to VMs
Connecting to Virtual Machines
[Diagram: virtual network 192.168.0.0/16. A VM (192.168.1.4) in workloadSubnet (192.168.1.0/24) is reached in two ways: via private IP from a jumpbox VM (192.168.0.4 in jumpboxSubnet 192.168.0.0/24, which has a public IP), or via a Bastion host in AzureBastionSubnet (192.168.0.0/24), which has its own public IP]
Operating System | Protocol/Port    | Authentication Method
Windows          | RDP (TCP/3389)   | Password
Windows          | WinRM (TCP/5986) | Certificates
Linux            | SSH (TCP/22)     | Password
Configuring high availability
Configuring High Availability
[Diagram: a single VM in Region A is exposed to unplanned hardware maintenance, unexpected downtime and planned maintenance]
[Diagram: a geography contains Regions A, B, C and D; each region has several availability zones; within a datacenter, an availability set spreads VMs across fault domains FD0, FD1, FD2 and update domains UD0 to UD4]
Deploying VM Scale Sets
Deploying VM Scale Sets
Vertical Scaling
Adding compute power to, or removing it from, a single instance is called vertical scaling. Increasing compute power is called scale up and decreasing it is called scale down. This process is usually manual.
Horizontal Scaling
Increasing or decreasing the number of instances is called horizontal scaling. This is usually automated based on criteria such as metrics or a schedule; hence it is also called autoscaling. Adding instances is called scale out and removing instances is called scale in.
[Diagram: vertical scaling changes the current size (scale up / scale down); horizontal scaling changes the current instance count (scale out / scale in)]
Deploying VM Scale Sets
Azure Virtual Machine Scale Sets (VMSS) are used to create and manage a group of load-balanced VMs. VMSS supports Azure Load Balancer and Application Gateway as the load balancer.
We can distribute the VMs in a scale set across availability zones for high availability. If one VM becomes unavailable, customers can still access the application via the other VMs in the scale set.
We can increase or decrease the number of instances based on a schedule, on metrics, or on demand. All VMs in a scale set are created from the same base OS image and configuration.
For marketplace images and custom images, a scale set can scale up to 1000 instances. If you create the scale set from a managed image, the limit is 600.
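The scale-out / scale-in decision described above, as an added Python example that is not part of the course material and is not Azure's own autoscale engine: a rule evaluator that averages metric samples over a window, prefers scale out over scale in when both fire, honours a cooldown and clamps the result to the instance limits. The rules, the CPU samples and the minimum value are constructed for illustration; only the 1000/600 instance caps come from the text.

```python
"""Added example (not course material): a minimal autoscale rule evaluator
for a VM scale set. Rules, samples and limits below are constructed."""
from dataclasses import dataclass
from statistics import mean

# Instance caps quoted in the course: 1000 for marketplace/custom images,
# 600 for a managed image. Used only to clamp the target count.
MAX_INSTANCES = {"marketplace": 1000, "custom": 1000, "managed_image": 600}


@dataclass(frozen=True)
class Rule:
    metric: str      # metric name in each sample, e.g. "cpu_percent"
    operator: str    # ">" (scale-out style) or "<" (scale-in style)
    threshold: float
    window: int      # number of most recent samples to average (time grain)
    change: int      # +N instances = scale out, -N instances = scale in
    cooldown: int    # minutes to wait after any action before this rule may act


def rule_fires(rule, samples):
    """True when the mean of the last `window` samples crosses the threshold.
    Fewer samples than the window never fire, which avoids acting on noise."""
    values = [s[rule.metric] for s in samples[-rule.window:] if rule.metric in s]
    if len(values) < rule.window:
        return False
    avg = mean(values)
    return avg > rule.threshold if rule.operator == ">" else avg < rule.threshold


def evaluate(current, samples, rules, minimum, maximum, minutes_since_last_action):
    """Return (new_instance_count, rule_that_acted_or_None).

    Scale-out rules win when a scale-out and a scale-in rule fire together,
    a cooldown suppresses the action, and the result is clamped to
    [minimum, maximum]; clamping may leave the count unchanged."""
    fired = [r for r in rules if rule_fires(r, samples)]
    if not fired:
        return current, None
    rule = max(fired, key=lambda r: r.change)  # largest positive change first
    if minutes_since_last_action < rule.cooldown:
        return current, None
    target = max(minimum, min(maximum, current + rule.change))
    return target, rule


# Constructed rules: scale out by 2 when CPU > 70% over 5 minutes,
# scale in by 1 when CPU < 30% over 10 minutes.
SCALE_OUT = Rule("cpu_percent", ">", 70, window=5, change=2, cooldown=5)
SCALE_IN = Rule("cpu_percent", "<", 30, window=10, change=-1, cooldown=10)
RULES = [SCALE_OUT, SCALE_IN]

# Constructed one-minute samples of average CPU across the scale set.
BUSY = [{"cpu_percent": v} for v in (40, 55, 72, 80, 85, 90, 88)]
IDLE = [{"cpu_percent": v} for v in (20, 18, 25, 22, 19, 21, 24, 23, 20, 18)]

if __name__ == "__main__":
    cap = MAX_INSTANCES["managed_image"]
    print(evaluate(2, BUSY, RULES, 2, cap, 10))    # (4, SCALE_OUT)
    print(evaluate(2, IDLE, RULES, 2, cap, 30))    # (2, SCALE_IN): clamped at the minimum
    print(evaluate(599, BUSY, RULES, 2, cap, 10))  # (600, SCALE_OUT): clamped at the cap
```

The idle case is the one worth noticing: the scale-in rule fires but the minimum holds the count at 2, which is exactly how a production minimum keeps a scale set from draining to zero during a quiet night.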
Azure Load Balancer
Azure Load Balancer
Azure Load Balancer is a Layer 4 load balancer that supports Azure Virtual Machines and Azure Virtual Machine Scale Sets as backend.
Supports all TCP/UDP protocols
Load Balancer is offered in two SKUs: Basic and Standard
Security is managed with the help of Network Security Groups
[Diagram: frontend IP on the load balancer, backend pool of VMs behind it]
Load Balancer SKU
Feature           | Basic                            | Standard
Backend pool size | Up to 300 instances              | Up to 1000 instances
Health probes     | TCP, HTTP                        | TCP, HTTP, HTTPS
Redundancy        | Not available                    | Zone redundant and zonal redundant
Multiple frontend | Inbound only                     | Inbound and outbound
Security          | Open by default. NSG is optional | Closed, unless traffic is allowed by NSG
SLA               | Not applicable                   | 99.99%
Basic Load Balancer
Ideal for testing and development. No SLA is offered.
Standard Load Balancer
Recommended for production scenarios because of the SLA. Offers an HTTPS health probe.
Public Load Balancer
Ideal for public facing workloads
A public load balancer has a public IP address as its frontend.
The public IP address and port number of incoming traffic are mapped to the private IP address and port number of the backend servers.
With the help of load balancing rules, we can distribute the traffic across the backend servers.
Used in all public facing workloads that require load balancing.
[Diagram: internet traffic on port 80 reaches a public load balancer, which forwards it to VMs in WebSubnet on port 80]
Internal Load Balancer
Ideal for internal workloads
An internal load balancer does not have a public IP address as its frontend.
Incoming traffic from inside the virtual network or from a VPN is distributed across the backend servers.
This load balancer is never exposed to the internet, so its IP addresses and port numbers are not visible to the internet.
Used for internal resources that need to be accessed from Azure or from on-premises via a VPN connection.
[Diagram: a public load balancer fronts VMs in WebSubnet on port 80; those VMs reach VMs in DataSubnet through an internal load balancer]
Load Balancer Rules
Load balancing rules
Incoming traffic to backend pools is distributed with the help of load balancing rules. We create a frontend IP and port to backend IP and port mapping, and the traffic is distributed accordingly.
Inbound NAT rules
Instead of a backend pool, we can target a specific virtual machine and create a NAT rule. The frontend IP and port combination is used to send traffic to the IP and port of the designated VM.
Outbound rule
Allows instances in the backend pool to communicate with the Internet and other endpoints.
[Diagram: users reach the VMs in WebSubnet through a load balancing rule; an admin reaches one specific VM through an inbound NAT rule (30009:3389)]
Session Persistence
None (default)
Requests are routed based on a 5-tuple hash. The five tuple comprises source IP, source port, destination IP, destination port, and protocol. Since the source port changes with every new connection, requests can be handled by any VM and the chance of landing on a different VM for every session is very high.
Client IP
Client IP is called two-tuple: the hash of source IP and destination IP is used to route the traffic. Requests are handled by the same VM as long as neither the source IP nor the destination IP changes.
Client IP and protocol
This is also called a three-tuple hash: the hash of source IP, destination IP and protocol is used to route the traffic to the VM. Requests coming from the same IP with the same protocol are handled by the same VM.
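How the three distribution modes above decide which backend VM handles a flow, as an added Python example that is not part of the course and does not reproduce Azure's actual (unpublished) hash function: each mode hashes a different subset of the 5-tuple, so a fresh source port moves a flow under the default mode but not under Client IP. The backend pool addresses and the client flows are constructed; the sha256 mapping is this example's stand-in for the load balancer's hash.

```python
"""Added example (not course material): backend selection under Azure Load
Balancer's distribution modes, using a constructed pool and a stand-in hash."""
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port protocol")

# Distribution mode -> the fields of the flow that enter the hash.
MODES = {
    "None": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),  # 5-tuple (default)
    "ClientIP": ("src_ip", "dst_ip"),                                   # 2-tuple
    "ClientIPAndProtocol": ("src_ip", "dst_ip", "protocol"),            # 3-tuple
}


def pick_backend(flow, backends, mode="None"):
    """Hash the mode's tuple fields and map the digest onto the backend pool.
    Stand-in: sha256 of the joined fields, reduced modulo the pool size."""
    key = "|".join(str(getattr(flow, f)) for f in MODES[mode]).encode()
    digest = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return backends[digest % len(backends)]


def backends_seen(flows, backends, mode):
    """Distinct backends that a list of flows lands on under a mode."""
    return {pick_backend(f, backends, mode) for f in flows}


POOL = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]  # constructed backend pool

# Constructed: one client opening 500 TCP connections to the frontend on port 80,
# each from a fresh ephemeral source port, as a browser does over a session.
CLIENT_FLOWS = [Flow("203.0.113.7", port, "20.0.0.10", 80, "TCP")
                for port in range(49152, 49652)]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:>20}: {sorted(backends_seen(CLIENT_FLOWS, POOL, mode))}")
```

Under "None" the 500 connections spread over all three backends; under "ClientIP" and "ClientIPAndProtocol" every one of them lands on the same VM, which is the behaviour to pick when the application keeps per-client state on the VM.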
Azure Application Gateway
Application Gateway
Layer 7 Load Balancer
Manages HTTP, HTTPS, HTTP/2, and WebSocket requests. Requests are routed to the backend pool. Web Application Firewall can be added to Application Gateway as an optional component.
Routing and features
Requests can be routed to a backend pool based on the URL path, also known as path-based routing. We can also host multiple sites behind one application gateway. Features include URL redirect, SSL termination, rewriting HTTP headers and custom error pages.
Backend pools
The web servers can be hosted in Azure Virtual Machines, Azure Virtual Machine Scale Sets, Azure App Services, and even on-premises servers.
[Diagram: a browser sends HTTP/HTTPS requests to the Application Gateway listener; a rule forwards them, using an HTTP setting, to a backend pool made up of a VMSS, VMs and servers]
Application Gateway - Components
Frontend IP  | Defines the VIP or ILB
Listener     | Frontend listener on a port, IP and certificate (the certificate is used for SSL offloading)
Rule         | Bridge between frontend and backend
HTTP Setting | Settings for backend traffic: probe, timeout, stickiness etc.
Custom Probe | Probe referenced by the HTTP setting
Backend Pool | Backend instances
Application Gateway Routing Rules
Path based routing
Based on the path in the URL, we can route the request
to different backend pools. Ideal for routing requests to
different backend pools optimized for different paths.
Multiple-site routing
Multiple sites can be hosted behind a single application
gateway. Based on the domain, the request can be routed to
the backend pool hosting the requested domain.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-azure-application-gateway/3-determine-routing
Other load balancing solutions
Azure Front Door
Modern CDN solution that provides reliable, fast content delivery. Azure Front Door is a global solution that leverages Microsoft's global edge network with hundreds of global and local point-of-presence locations. These endpoints are distributed across the globe, closer to your customers.
We can deploy our solutions in multiple regions and load balance between them using Azure Front Door. Path-based routing and multiple-site routing are available.
Web Application Firewall can be added as an optional component.
Azure Traffic Manager
ATM or Azure Traffic Manager is a DNS-based load balancer. Traffic coming to your public facing applications can be distributed across the globe with the help of ATM.
As this is a DNS load balancer, it uses DNS to direct the client request to an endpoint based on the routing method we configure. Traffic Manager finds the best endpoint based on the routing method and returns a DNS response with the endpoint name. The client then reaches out to the endpoint directly.
ATM can be used with public facing services deployed in Azure or non-Azure environments. Routing methods include Priority, Weighted, Geography, Performance and Nested Profile.
Comparing Load Balancing Solutions
Feature      | Application Gateway | Front Door | Load Balancer | Traffic Manager
Purpose      | Optimize delivery from application server farms while increasing application security with web application firewall. | Scalable, security-enhanced delivery point for global, microservice-based web applications. | Balance inbound and outbound connections and requests to your applications or server endpoints. | Distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.
Protocols    | HTTP, HTTPS, HTTP2 | HTTP, HTTPS, HTTP2 | TCP, UDP | Any
(unlabelled) | Yes Yes No
(unlabelled) | Yes Preview Yes
Endpoints    | Azure, non-Azure cloud, on premises | Azure, non-Azure cloud, on premises | Azure | Azure, non-Azure cloud, on premises
Security     | WAF | WAF, NSG | NSG | -
Reference architecture examples
Azure Bastion
[Diagram: admins connect through Azure Bastion, deployed in the AzureBastionSubnet of the virtual network, to VMs in another subnet]
Public IP is not required
Since we are connecting via the Bastion host, there is no need to maintain public IP addresses for our virtual machines.
Direct RDP and SSH in Azure Portal
No need to deploy or download SSH and RDP clients to your computer; you can RDP/SSH from the browser.
Port scanning protection
Since we are not exposing any public IPs on the VMs, attackers cannot port scan them from the internet.
No need to tweak NSGs
No need to manage and write complex rules in your NSG, as Bastion connects to the private IP address.
Hardening
Bastion is a platform-managed service, so hardening happens in one place only.
Basic and Standard SKUs
The Basic SKU provides the base functionality, i.e. direct RDP/SSH access. The Standard SKU enables premium features that allow Azure Bastion to manage remote connectivity at a larger scale.
Intersite connectivity
Intersite Connectivity: Azure-to-Azure connectivity
[Diagram: VNet-A (192.16.0.0/16, with subnet 192.16.1.0/24 and GatewaySubnet 192.16.0.0/24) and VNet-B (172.16.0.0/16, with subnet 172.16.1.0/24 and GatewaySubnet 172.16.0.0/24) connected either by a VNet-to-VNet connection between their gateways or by peering]
Intersite Connectivity: Azure-to-on-premises connectivity
[Diagram: VNet-A (192.16.0.0/16, with subnet 192.16.1.0/24, GatewaySubnet 192.16.0.0/24 and ERSubnet 192.16.2.0/24) connected to the on-premises network (192.17.0.0/16) by a Site-to-Site connection from the GatewaySubnet and by an ExpressRoute connection from the ERSubnet]
Virtual Network Peering
[Diagram: regional VNet peering between VNet-A and VNet-B in Region X; global VNet peering between VNet-A and VNet-C in Region Y]
Types of peering: Global VNet Peering and Regional VNet Peering.
Provides connectivity between Azure virtual networks. The virtual networks can reside in the same region or different regions, the same subscription or different subscriptions, the same tenant or different tenants.
High-speed data transfer, easy configuration and great performance.
Uses the Microsoft backbone network for data transfer, so peering offers privacy and low latency.
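A pre-flight check before creating a peering or a VNet-to-VNet connection, as an added Python example that is not from the course: it confirms that the address spaces of all networks involved are disjoint (Azure will not peer or route between overlapping spaces; that requirement is stated here from general Azure knowledge, not from the slides) and that a GatewaySubnet lies inside its VNet's address space. The VNet-A, VNet-B and on-premises prefixes mirror the course diagrams; VNet-C is constructed to show an overlap.

```python
"""Added example (not course material): address-space checks before peering or
connecting VNets. VNet-A/VNet-B/on-premises prefixes mirror the course diagrams;
VNet-C is constructed to overlap VNet-A. The non-overlap requirement is
general Azure knowledge, not something the slides state."""
import ipaddress
from itertools import combinations


def overlapping_pairs(address_spaces):
    """Return (name_a, name_b, prefix_a, prefix_b) for every pair of networks
    whose prefixes overlap. An empty list means peering / routing can proceed."""
    problems = []
    for (name_a, prefixes_a), (name_b, prefixes_b) in combinations(address_spaces.items(), 2):
        for pa in prefixes_a:
            for pb in prefixes_b:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    problems.append((name_a, name_b, pa, pb))
    return problems


def gateway_subnet_ok(vnet_prefixes, subnet_prefix):
    """The gateway subnet must be carved out of the VNet's own address space."""
    subnet = ipaddress.ip_network(subnet_prefix)
    return any(subnet.subnet_of(ipaddress.ip_network(p)) for p in vnet_prefixes)


# Prefixes from the course diagrams (VNet-A, VNet-B, on-premises).
TOPOLOGY = {
    "VNet-A": ["192.16.0.0/16"],
    "VNet-B": ["172.16.0.0/16"],
    "on-premises": ["192.17.0.0/16"],
}
# Constructed: a third VNet whose space collides with VNet-A.
BAD_TOPOLOGY = {**TOPOLOGY, "VNet-C": ["192.16.128.0/17"]}

if __name__ == "__main__":
    print(overlapping_pairs(TOPOLOGY))       # [] -> safe to peer / connect
    print(overlapping_pairs(BAD_TOPOLOGY))   # VNet-C collides with VNet-A
    print(gateway_subnet_ok(TOPOLOGY["VNet-A"], "192.16.0.0/24"))  # True
```

Run this against the full set of networks that will share routes (including the on-premises ranges that a Site-to-Site connection or gateway transit will advertise), not just the two VNets being peered; an overlap that only shows up once traffic transits the hub is the one that is hardest to diagnose later.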
VPN Gateway
[Diagram: a VPN gateway in VNet A serves Point-to-Site clients, Site-to-Site connections to on-premises sites (NYC, LON), and a VNet-to-VNet connection to VNet B]
VPN Gateway SKUs
Gen   | SKU       | S2S/VNet-to-VNet Tunnels | P2S IKEv2 Connections | Throughput Benchmark
Gen 1 | VpnGw1/Az | Max. 30                  | Max. 250              | 650 Mbps
Gen 1 | VpnGw2/Az | Max. 30                  | Max. 500              | 1.0 Gbps
Gen 2 | VpnGw2/Az | Max. 30                  | Max. 500              | 1.25 Gbps
Gen 1 | VpnGw3/Az | Max. 30                  | Max. 1000             | 1.25 Gbps
Gen 2 | VpnGw3/Az | Max. 30                  | Max. 1000             | 2.5 Gbps
Gen 2 | VpnGw4/Az | Max. 100                 | Max. 5000             | 5.0 Gbps
Gen 2 | VpnGw5/Az | Max. 100                 | Max. 10000            | 10.0 Gbps
SKU selection
The SKU is selected based on the number of connections and the throughput you require.
Resizing
Within a generation, we can resize the VPN gateway as requirements change.
Basic SKU
In addition to the above SKUs, there is a Basic SKU, which is considered legacy and should not be used.
VNet-to-VNet Connection
Establish a VNet-to-VNet connection using VPN gateways:
1. Gateway Subnet: VPN gateways require a dedicated subnet. First, create a GatewaySubnet in both virtual networks.
2. VPN Gateway: Once the GatewaySubnet is created, deploy the VPN gateway to that subnet in both virtual networks. Creating a VPN gateway takes approximately 40 minutes.
3. VNet-to-VNet connection: After creating the VPN gateways, create the VNet-to-VNet connection from the VPN gateway.
VNet Peering v/s VNet-to-VNet Connection
Property              | VNet Peering | VNet-to-VNet Connection
Number of connections | Up to 500 VNet peerings per VNet | One VNet can have only one VPN Gateway, and the connection count is SKU dependent
Pricing               | Ingress + Egress | Gateway hourly cost + egress
Encryption            | No encryption. Software-level encryption is recommended. | IPsec/IKE
Bandwidth             | No restrictions | SKU dependent
Route                 | Routed via Microsoft backbone network and is private | Routed via public internet, however encrypted
Public IP             | No public IP or internet is used | Public IP is involved
Transitivity          | Nontransitive | Transitive (BGP enabled)
Initial setup time    | Fast | ~30-40 minutes
Use cases             | Data replication, database failover, and other scenarios needing frequent backups of large data. | Scenarios where encryption is needed and the workload is not latency/bandwidth sensitive.
Site-to-Site and Point-to-Site
Site-to-Site connection
Connecting your virtual network to an on-premises site or a non-Azure site.
1. Gateway Subnet: Create a GatewaySubnet in the Azure virtual network to deploy the VPN gateway.
2. VPN Gateway: Deploy the VPN gateway to the GatewaySubnet in the Azure virtual network.
3. Local Network Gateway: Create the LNG in Azure by providing the IP address or FQDN of your on-premises VPN device.
4. On-premises VPN device: Provide the public IP address of your Azure VPN gateway to the on-premises VPN device.
5. Site-to-Site: Create the Site-to-Site VPN connection.
Point-to-Site connection
Connecting to your virtual network from a device.
1. Gateway Subnet: Create a GatewaySubnet in the Azure virtual network to deploy the VPN gateway.
2. VPN Gateway: Deploy the VPN gateway to the GatewaySubnet in the Azure virtual network.
3. P2S configuration: Configure P2S on the VPN gateway by selecting the address pool and the authentication method.
4. Download: Download the VPN client configuration to your client machine.
5. Connect: From your Windows, Linux, macOS or mobile clients, connect to the VPN.
Gateway Transit
[Diagram: without gateway transit, vnet-a, vnet-b and vnet-c each need their own Site-to-Site connection to the on-premises network]
[Diagram: with gateway transit, hub-vnet holds the single S2S connection to the on-premises network, and vnet-a, vnet-b and vnet-c reach it through their peering with the hub]
High Availability
[Diagram: active/standby, where one Azure VPN Gateway instance is active and one is standby, connected to a single on-premises device; active/active, where both instances are active, connected to on-premises Device 1 and Device 2]
Default count
There are always two instances of the VPN gateway; the default selection is active/standby.
High availability
High availability can be ensured by enabling the active/active configuration. You should make sure that you have a similar setup on-premises.
Cost
The cost of the gateway includes the cost of both instances. Regardless of whether it is active/standby or active/active, the cost is the same.
ExpressRoute
Private connectivity
ExpressRoute offers private connectivity between on-premises infrastructure and Microsoft datacenters.
Partner network
Traffic is routed through the partner network; the public internet is not used.
Features
Reliable, secure, low-latency and high-speed connection.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/2-determine-expressroute-uses
ExpressRoute
Redundant L3 connectivity
Within a geography, connectivity is available to all regions
Bandwidth options vary from 50 Mbps to 100 Gbps
ExpressRoute circuits are offered in Local, Standard and Premium SKUs
With the Premium add-on, you get global connectivity.
With the Local SKU, you are charged under the Unlimited plan, in which outbound data transfer is free.
With the Standard and Premium SKUs, you can select between a Metered and an Unlimited data plan. With Metered, you are charged for outbound data transfer.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/3-determine-expressroute-capabilities
ExpressRoute connectivity models
Co-located at a cloud exchange
If your facility is already co-located with cloud exchange, then
virtual cross connections to Microsoft cloud can be provisioned
through the co-location provider’s Ethernet exchange. L2 and
managed L3 cross connections are supported.
Point-to-Point Ethernet connection
By leveraging point-to-point Ethernet links, you can connect
your on-premises network to Microsoft cloud. L2 or managed
L3 connections are supported.
Any-to-Any (IPVPN)
With the integration of your WAN to Microsoft cloud, you
can make it look like Microsoft cloud is one of your branch
offices. Supports managed L3 connectivity.
Direct model
Establish connectivity by directly connecting to Microsoft’s
global network at a peering location nearby.
Image source: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-models
Co-existing ExpressRoute and Site-to-Site
[Diagram: a virtual network with both an ExpressRoute gateway (ExpressRoute circuit to Corp HQ) and a VPN gateway (Site-to-Site connections to Corp HQ and to a branch office)]
Failover path
Though ExpressRoute has redundant connections, we can use an S2S connection as a failover path for ExpressRoute.
Branch office connectivity
We can use S2S connectivity to connect branch offices or other sites that are not connected to ExpressRoute.
Separate gateways
ExpressRoute and VPN require separate gateways.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/4-coexist-site-to-site-expressroute
Virtual WAN
Brings together all connections
We can connect Point-to-Site, Site-to-Site, virtual network and ExpressRoute connections to Virtual WAN (VWAN).
Seamless connectivity
Connects Azure virtual networks and resources to the hub seamlessly.
Advanced architecture
With the help of VWAN, we can advance our hub-and-spoke architecture. End-to-end traffic flow can be visualized.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/6-determine-uses
Creating ARM template
Azure Resource Manager
Management layer
Azure Resource Manager (ARM) is the management layer responsible for creating, updating and managing resources.
Way to deploy resources
Regardless of whether you are using the Azure Portal, Azure PowerShell, Azure CLI or the REST API, Azure Resource Manager offers a single way to deploy and manage the resources.
Features
Access control, locks, tags, resource groups and templates are some of the features offered by ARM that were not available in the previous model, Azure Service Manager.
Image source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Azure Resource Manager (ARM) Templates
Declarative automation
ARM templates are JSON files. In declarative automation, you declare the resources, not how to create them. Creating the resources is Resource Manager's responsibility.
Consistent and reusable
Environments deployed via an ARM template are consistent. With the help of parameters, we can share and reuse the template to create an environment from scratch.
Visual Studio Code
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"functions": [],
"variables": {},
"resources": [],
"outputs": {}
}
Fewer error-prone tasks and simpler deployment
If we create an environment manually, there is a chance of human error; with ARM templates we deploy all the resources we define in a single operation.
Linkable, helps with complex deployments
You can write small ARM templates and link them to a parent template. This helps in managing different parts of the template efficiently. With ARM templates, we can deploy complex environments in the correct dependency order.
ARM template design
[Diagram: one template declaring a Virtual Machine, an App Service and a SQL Database, with reference() used between the resources]
[Diagram: a parent template that contains a nested VM template, a nested App Service template and a nested SQL template, with reference() between them]
[Diagram: separate VM, App Service and SQL templates, each its own file, connected with reference()]
ARM Extension for VS Code (optional)
ARM Template structure
Visual Studio Code
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
References the location of the JSON schema file that describes the version of the template language. We can deploy ARM templates to different scopes such as tenant, management groups and subscriptions; the schema changes based on the scope we select.
$schema*
ARM Template structure
Visual Studio Code
"contentVersion": "1.0.0.0",
Used to version the template; the default value is 1.0.0.0. Any value can be given to this element. The content version is useful if you store your templates in source control and want to keep track of changes across versions. Proper versioning helps users pick the latest version of your template.
contentVersion*
ARM Template structure
Visual Studio Code
"parameters": {
"location": {
"type": "string",
"allowedValues" :[
"East US",
"West US"
],
"defaultValue": "East US",
"metadata": {
"description": "Location of the resource"
}
}
},
During deployment, the parameter value is provided as an input to the template. Parameters help make templates reusable: users can supply different values at execution time without modifying the template.
parameters
ARM Template structure
Visual Studio Code
"variables": {
"publicIPAddressName": "app-gw-pip"
},
Variables hold values that are hardcoded in the template. If you reference a value through a variable and that value needs to change, you update the variable once instead of updating every occurrence.
variables
ARM Template structure
Visual Studio Code
"functions": [
{
"namespace": "userspace",
"members": {
"VMNameGenerator": {
"parameters": [
{
"name": "userstring",
"type": "string"
}
],
"output": {
"value": "function-return-value",
"type": "string"
}
}
}
}
],
We can create user defined functions in ARM templates that can be used to replace repeated code blocks.
functions
ARM Template structure
Visual Studio Code
"resources": [
{
"name": "appServicePlan1",
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-12-01",
"location": "[parameters('location')]",
"sku": {
"name": "F1",
"capacity": 1
},
"tags": {
"displayName": "appServicePlan1"
},
"properties": {
"name": "appServicePlan1"
}
}
]
Resources we intend to create or update are declared inside this element. Here, we can reference the parameters, variables, and functions we defined earlier.
resources*
ARM Template structure
Visual Studio Code
"outputs": {
"hostname": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).dnsSettings.fqdn]"
}
}
Displays values that are returned after deployment.
outputs
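An offline check for the template elements described above, as an added Python example that is not course material and not an Azure tool: it verifies the required elements, that every parameters()/variables() reference names something declared, that a defaultValue is one of the allowedValues, and that parameters whose names suggest secrets use securestring. The template it inspects is assembled from the fragments in this section, with a constructed plain-string adminPassword parameter and a constructed bad reference so that both findings show up; the secret-name heuristic is this example's own.

```python
"""Added example (not course material): a small offline lint for ARM
templates, covering the elements described in this section. The template
below is assembled from the section's fragments plus two constructed
defects (a plain-string secret and an undefined reference)."""
import json
import re

REQUIRED = ("$schema", "contentVersion", "resources")
REFERENCE = re.compile(r"\b(parameters|variables)\('([^']+)'\)")
# Heuristic for names that usually carry secrets; tune it for your templates.
SECRET_NAME = re.compile(r"password|secret|key|connectionstring|sas", re.IGNORECASE)


def walk_strings(node):
    """Yield every string value in the template, however deeply nested."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)


def lint(template):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for key in REQUIRED:
        if key not in template:
            findings.append(f"missing required element '{key}'")
    parameters = template.get("parameters", {})
    variables = template.get("variables", {})
    for name, spec in parameters.items():
        allowed = spec.get("allowedValues")
        if allowed is not None and "defaultValue" in spec and spec["defaultValue"] not in allowed:
            findings.append(f"parameter '{name}': defaultValue not in allowedValues")
        if SECRET_NAME.search(name) and spec.get("type") not in ("securestring", "secureObject"):
            findings.append(f"parameter '{name}': looks like a secret but type is '{spec.get('type')}'")
    for text in walk_strings(template):
        for kind, name in REFERENCE.findall(text):
            declared = parameters if kind == "parameters" else variables
            if name not in declared:
                findings.append(f"undefined {kind}('{name}') reference")
    return findings


# Assembled from this section's fragments; adminPassword and the "region" output are constructed.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "allowedValues": ["East US", "West US"],
      "defaultValue": "East US",
      "metadata": {"description": "Location of the resource"}
    },
    "adminPassword": {"type": "string"}
  },
  "variables": {"publicIPAddressName": "app-gw-pip"},
  "resources": [
    {
      "name": "appServicePlan1",
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2020-12-01",
      "location": "[parameters('location')]",
      "sku": {"name": "F1", "capacity": 1}
    }
  ],
  "outputs": {
    "hostname": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).dnsSettings.fqdn]"
    },
    "region": {"type": "string", "value": "[parameters('region')]"}
  }
}
""")


def fixed(template):
    """Copy of the template with the two constructed defects repaired."""
    repaired = json.loads(json.dumps(template))
    repaired["parameters"]["adminPassword"]["type"] = "securestring"
    repaired["outputs"]["region"]["value"] = "[parameters('location')]"
    return repaired


if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print("FINDING:", finding)
    print("after fix:", lint(fixed(TEMPLATE)))  # []
```

The securestring check matters beyond tidiness: a plain string parameter is echoed back in deployment history and logs, while a securestring is not, so a password passed as string ends up readable by anyone who can view the resource group's deployments.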
Azure Quickstart Templates
Deploy ARM template
Deploy ARM template
Azure CLI
Azure PowerShell
>_ Azure CLI
$ az deployment group create \
-g <resource-group-name> \
--template-file <path-to-file>
# "az group deployment create" is the deprecated name of this command
>_ Azure PowerShell
PS > New-AzResourceGroupDeployment `
-ResourceGroupName <resourcegroup> `
-TemplateFile <path-to-file>
Azure Portal
Exporting deployments
as ARM template
Exporting deployments as ARM template
Azure CLI
Azure PowerShell
>_ Azure CLI
$ az group export \
--name <resource-group-name>
>_ Azure PowerShell
PS > Export-AzResourceGroup `
-ResourceGroupName <resource-group>
Azure Portal
Creating VHD Templates
[Diagram: creating VHD templates; operating system state of the source VM]
Virtual Machine Extensions
Virtual Machine Extensions
Small applications
Automation tasks and post-deployment configuration can be done with the help of extensions.
Management
Extensions can be managed with the Azure Portal, Azure PowerShell, Azure CLI and ARM templates.
Scope
Extensions can be used for post-deployment configuration during the VM deployment or on existing VMs.
Platform
Extensions and their availability vary based on the operating system. Different extensions are available for Windows and Linux VMs.
Custom Script Extension
Supported scenarios
The Custom Script Extension (CSE) can be used for simple and complex scripts. Scripts will not continue execution if the workflow includes a reboot. PowerShell scripts can be selected and, optionally, arguments can be passed.
Duration
A script can run for up to 90 minutes; if it takes longer than 90 minutes, the operation times out. Also, the VM must be in the running state to execute the script.
Dependency access
The extension requires storage and network access. For successful execution of the script, we need to make sure that the script content is reachable.
Error handling and data sensitivity
Plan for error handling and for how to handle sensitive data such as passwords, connection strings and storage account keys.
Desired State Configuration
Supported scenarios
The DSC extension uses PowerShell DSC, which helps you carry out complex deployments, including ones that require reboots. DSC ensures that the declared state is achieved.
Configuration
Easy-to-read scripts called configurations are written in a declarative way. A configuration is saved as a PS1 file.
When to use DSC?
If your post-deployment configuration includes complex steps such as reboots, then CSE is not the right choice. Choose DSC in all complex scenarios where CSE is not supported.
Blocks
The Configuration block is the outermost script block; we give the configuration a name and define the script inside it. The Node block defines the computers that are in the scope of the configuration. Each Node block has one or more resources, where we define the desired configuration.
>_ configuration.ps1
Configuration IISConfiguration
{
Node "localhost"
{
WindowsFeature WebServer
{
Name = "Web-Server"
Ensure = "Present"
}
WindowsFeature IISManagementTools
{
Name = "Web-Mgmt-Tools"
Ensure = "Present"
}
WindowsFeature IISDefaultDoc
{
Name = "Web-Default-Doc"
Ensure = "Present"
}
}
}
Storage accounts
Microsoft Azure's storage solution for object storage, file storage, message queues and a NoSQL store, meeting modern application requirements.
High availability and durability
Storage accounts come with different redundancy options to fulfil your durability requirements. Data stored in the storage account can be replicated to different datacenters and even across regions, ensuring high availability of the data.
Security
By default, all data written to the storage account is encrypted by Storage Encryption Service. To access data in storage accounts, different authorization methods are provided, such as storage keys, shared access signatures, and Azure AD.
Scalability and managed service
Azure Storage is a platform-managed service; depending on the requirement, it automatically scales storage and performance.
Access
HTTP or HTTPS can be used to access the data stored in Azure Storage. With the help of the SDKs provided by Microsoft, developers can easily integrate Azure Storage with their code. Azure Storage also supports Azure PowerShell, Azure CLI and the REST API.
[Diagram: Standard and Premium storage accounts provide storage for VMs, unstructured data and structured data. The storage services are Containers (blobs such as documents, images, video, audio, backup files, databases, log files and big data), Files (directories holding files such as *.txt, *.exe, *.*), Tables (entities such as Name = Sandy, Country = US, State = TX, ZIP = 03445) and Queues (messages such as resizeImage, cropImage, processImage)]
Azure Containers
An object store with immense scaling capability. Ideal for storing unstructured data such as text or binary data.
Azure Files
Managed file share. Used to provision highly available file shares in the cloud that can be mounted on cloud and on-premises machines.
Azure Tables
NoSQL datastore. Ideal for storing structured non-relational data.
Azure Queues
Messaging store. Used to store and retrieve messages between application components that need to be processed asynchronously.
Storage account types
Type               | Services                           | Performance tiers | Replication options
Blob storage       | Blob                               | Standard          | LRS, GRS, RA-GRS
General Purpose V1 | Blob, File, Queue, Table, and Disk | Standard, Premium | LRS, GRS, RA-GRS
General Purpose V2 | Blob, File, Queue, Table, and Disk | Standard, Premium | LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS
Block blob storage | Blob                               | Premium           | LRS, ZRS
File storage       | Files                              | Premium           | LRS, ZRS
Storage redundancy
Storage replication: Locally Redundant Storage
[Diagram: region > datacenter > storage account (LRS) with three copies of the data]
Replication
Data is replicated and three copies are retained across fault domains within a single datacenter. Since the data is replicated only within a single datacenter, LRS is the cheapest option.
Durability
LRS offers 99.99999999999 (11 9's) of durability. Data stored in LRS is protected from hardware failures as the data is stored in different fault domains.
Chances of failure
As the replicated copies are stored within a single datacenter, if the entire datacenter goes down, the data will not be available.
Storage replication: Zone Redundant Storage
[Diagram: region with Zone A, Zone B and Zone C; the storage account (ZRS) keeps one copy in each zone]
Replication
Data is replicated and three copies are retained across availability zones within a single region.
Durability
ZRS offers 99.999999999999 (12 9's) of durability. Data stored in ZRS is protected from datacenter failures, as each zone is physically separated from the others.
Chances of failure
As the replicated copies are stored within a single region, if the entire region goes down, the data will not be available.
Storage replication: Geo Redundant Storage
Replication
Data is replicated across three fault domains in a datacenter in the primary region and is asynchronously replicated to the secondary region, where there are again three copies across fault domains.
Durability
GRS offers 99.9999999999999999 (16 9's) of durability. If the primary region goes down, a failover happens and the secondary region becomes available for read requests.
Considerations
The primary region is available for all operations and the secondary is only available after failover. The failover can be Microsoft-initiated or customer-initiated.
[Diagram: storage account (GRS) in a primary-region datacenter, geo-replicated to a secondary-region datacenter; failover switches to the secondary]
Storage replication: Read Access Geo Redundant Storage
Replication
Data is replicated across three fault domains in a datacenter in the primary region and is asynchronously replicated to the secondary region, where there are again three copies across fault domains.
Durability
RA-GRS offers 99.9999999999999999 (16 9's) of durability.
Considerations
The secondary region is always available for read operations, regardless of whether there is a failover or not.
[Diagram: storage account (RA-GRS) in a primary-region datacenter, geo-replicated to a secondary-region datacenter that is readable at all times]
Storage replication Geo Zone Redundant
Storage
Replication
Three copies will be spread across availability zones within
the primary region and is asynchronously replicated to
secondary region where we will have three copies across
fault domains.
Durability
GZRS offers 99.9999999999999999 (16 9’s) of
durability. If the primary region goes down, a
failover will happen, and secondary region will
become available for read requests.
Considerations
As we saw in the case of GRS, the primary region will be available for all operations and the secondary will only be available after failover. The failover can be Microsoft initiated or customer initiated.
[Diagram: GZRS storage account spread across zones in the primary region, geo-replicated to a secondary region datacenter, with failover to the secondary]
Storage replication Read Access Geo Zone Redundant Storage
Replication
Three copies will be spread across availability zones within the primary region and are asynchronously replicated to the secondary region, where three more copies are kept across fault domains.
Durability
RA-GZRS offers 99.9999999999999999 (16 9’s) of durability.
Considerations
Here secondary region will be always available
regardless of whether there is a failover or not.
[Diagram: RA-GZRS storage account spread across zones in the primary region, geo-replicated to a secondary region datacenter that is readable at all times]
Accessing storage endpoints
Based on the storage account name and the service, every service has its own unique endpoint:
<protocol>://<storage account name>.<service>.core.windows.net
where <protocol> is http or https, <storage account name> is your storage account name, and <service> is blob, queue, file, or table.
For a storage account named “kodekloud”, the endpoints will be:
Service | Endpoint
Container service | https://kodekloud.blob.core.windows.net
Queue service | https://kodekloud.queue.core.windows.net
File service | https://kodekloud.file.core.windows.net
Table service | https://kodekloud.table.core.windows.net
If needed, we can use our own custom domain with CNAME mapping:
DNS CNAME entry | Alias
blobs.kodekloud.com | kodekloud.blob.core.windows.net
Securing storage endpoints
- Control public access to the storage account
- Restrict access to specific VNets using service endpoints
- Allow IP ranges from the internet or on-premises
- Set up a Private Endpoint
Storage security capabilities
Encryption: By default, without any additional configuration, all data written to the storage account is encrypted by Storage Service Encryption (SSE).
Authentication: With the help of Azure AD and RBAC, we can authenticate requests and authorize access to storage services.
Disk encryption: OS and data disks of Linux and Windows VMs can be encrypted using Azure Disk Encryption (ADE).
Shared access signature: Fine-tuned, granular access can be given to storage services with the help of SAS.
Data in transit: Client-side encryption, HTTPS, and SMB 3.0 are used to secure data in transit.
Storage Service Encryption (SSE) and Azure Disk Encryption (ADE)
Storage Service Encryption (SSE)
Protection
Data at rest is protected using SSE. All data
written to Azure Disks, Blob, File, Queue, and
Table is encrypted using SSE and is decrypted
when the data is retrieved.
Compliance
Organizations don't need to develop in-house encryption methods to encrypt data stored in Azure Storage. Using SSE, organizations can meet their compliance and security requirements.
Strong cipher
SSE uses 256-bit AES encryption to encrypt the data. Encryption, decryption, data management and key management are done by the storage service. SSE cannot be disabled.
Bring your own keys
If you would like to control the encryption keys and their
rotation, you replace Microsoft managed keys with
Customer Managed Keys. You need to create an Azure Key
Vault to store the key and the storage service will retrieve
the key from Key Vault for encryption and decryption.
Azure Disk Encryption (ADE)
Encrypt disks
Using ADE, we can encrypt the OS and data disks of Windows and Linux virtual machines. ADE uses BitLocker for Windows and DM-Crypt for Linux to encrypt the disks. Encryption keys are stored in Azure Key Vault.
Restrict access
Since the disk is encrypted, only the VM owner will be
able to retrieve the data stored in the VM. If anyone
downloads the VHD and attaches to another VM,
without the keys, they will not be able to read the data.
Encrypted backup
When you are using Azure Backup, the encryption keys are backed up to the Recovery Services vault. The backups themselves are also encrypted. ADE uses AES 256-bit encryption.
Considerations
If you are encrypting both OS and Data disk, there will be a
small performance impact due to the encryption and
decryption activity. The impact is very minimal, however, if
your application is CPU intensive then you can skip the OS
disk and encrypt data disk only to enhance performance.
Storage security - Authorization
Azure AD
Using Azure AD and RBAC we can
authenticate and authorize requests from
users. Currently Azure AD authentication is
supported by Blobs, Queues, and Tables
only. For Files, SMB access can be given
with the help of AAD Domain Services.
Shared access signature
Delegate access to storage at a very
granular level. SAS are generated
using account keys but with fine
tuned access.
Storage Account Keys
Two 512-bit keys will be generated for every storage account, and these can be rotated. Account keys are like root passwords, and we need to secure them to avoid unauthorized access.
Anonymous
We can enable anonymous access to our blobs and containers. As the request is anonymous, we don’t need to pass any authorization header.
Storage Account Keys
The account key is like the root password: a user possessing the account keys can perform any action against the storage account. Microsoft recommends saving the keys in Azure Key Vault and rotating them regularly.
Be cautious with the account key!
Two keys: Azure provides two 512-bit keys for every storage account. You can use either of these in the authorization header of your API calls. Users with permission to Microsoft.Storage/storageAccounts/listkeys/action can view, read or copy the keys via the Azure Portal, Azure CLI, and Azure PowerShell.
Shared Access Signature
Fine tuned access: Instead of giving full access via account keys, we can fine-tune the access via SAS. We can control the allowed services, allowed resource types, permissions, start time, end time, IP address and protocol using SAS.
Three types of SAS keys: User delegation SAS, Service SAS, Account SAS
Shared Access Signature
Name | Excerpt | Explanation
Resource URI | https://kodekloud.blob.core.windows.net | Blob endpoint
Storage service version | sv=2020-08-04 | Version of the storage service
Services | ss=bfqt | SAS applies to blob, file, table and queue
Resource type | srt=sc | SAS applies to service and container level operations
Permissions | sp=rwdlacup | Supports read, write, delete, list, add, create, and update
Start time | st=2022-05-19T06:31:40Z | Start date and time in UTC
End time | se=2022-05-19T14:31:40Z | End date and time in UTC
IP address range | sip=168.11.12.13-168.11.12.19 | Allowed IP range
Protocol | spr=https | Only HTTPS requests are allowed
Signature | sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D | Unique signature: an HMAC computed with SHA256 over a string-to-sign and the key, then Base64 encoded
URI = Resource Endpoint + SAS token
Resource Endpoint: https://kodekloud.blob.core.windows.net
SAS token: ?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup…
Full URI: https://kodekloud.blob.core.windows.net?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D
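As an added example (not part of the course slides), the Python below parses the slide's SAS token, evaluates whether a request at a given time, source IP and protocol would be admitted by the token's constraints, flags grants that are broader than a scoped task needs, and reproduces the sig computation. The account key is a constructed dummy, and the string-to-sign layout for an account SAS at service version 2020-08-04 is an assumption of this example.

```python
"""Inspect the account SAS token from the slide: parse it, check a request
against its constraints, flag over-broad grants and recompute 'sig'.
Added example, not from the course. DEMO_ACCOUNT_KEY is constructed; the
account SAS string-to-sign layout (sv=2020-08-04) is an assumption here."""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# SAS URL taken from the slide (kodekloud account, blob endpoint).
SAS_URL = ("https://kodekloud.blob.core.windows.net?sv=2020-08-04&ss=bfqt&srt=sc"
           "&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z"
           "&sip=168.11.12.13-168.11.12.19&spr=https"
           "&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D")

# Constructed 64-byte key, base64 encoded: the shape of an account key, not a real one.
DEMO_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()


def parse_sas(url):
    """Split the SAS token into a flat dict; parse_qs also percent-decodes sig."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _utc(stamp):
    """Parse the ISO 8601 UTC form used by st/se, e.g. 2022-05-19T06:31:40Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ip_allowed(sip, client_ip):
    """sip is a single address or 'first-last' range; no sip means any source IP."""
    if not sip:
        return True
    first, _, last = sip.partition("-")
    addr = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last or first)


def request_admitted(sas, *, service, permission, when, client_ip, protocol):
    """Check every constraint the token carries (signature validity is separate)."""
    moment = _utc(when)
    if service[0] not in sas.get("ss", ""):          # ss: b, f, q, t
        return False
    if permission[0] not in sas.get("sp", ""):       # sp: r, w, d, l, a, c, u, p
        return False
    if "st" in sas and moment < _utc(sas["st"]):
        return False
    if moment >= _utc(sas["se"]):
        return False
    if not ip_allowed(sas.get("sip"), client_ip):
        return False
    if sas.get("spr", "https,http") == "https" and protocol != "https":
        return False
    return True


def overbroad_findings(sas):
    """Reviewer checks for a token that grants more than a scoped task needs."""
    findings = []
    if set("wd") <= set(sas.get("sp", "")):
        findings.append("write and delete granted together")
    if len(sas.get("ss", "")) == 4:
        findings.append("applies to all four services")
    if "sip" not in sas:
        findings.append("no source IP restriction")
    if sas.get("spr", "https,http") != "https":
        findings.append("plain HTTP permitted")
    hours = (_utc(sas["se"]) - _utc(sas.get("st", sas["se"]))).total_seconds() / 3600
    if hours > 24:
        findings.append(f"valid for {hours:.0f} hours")
    return findings


def account_sas_signature(account_name, account_key_b64, sas):
    """Base64(HMAC-SHA256(key, string-to-sign)): the computation behind 'sig'.
    String-to-sign layout assumed for account SAS, service version 2020-08-04."""
    string_to_sign = "\n".join([
        account_name, sas["sp"], sas["ss"], sas["srt"], sas.get("st", ""),
        sas["se"], sas.get("sip", ""), sas.get("spr", ""), sas["sv"], ""])
    digest = hmac.new(base64.b64decode(account_key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def signature_valid(account_name, account_key_b64, sas):
    """Constant-time comparison of the presented sig against a recomputation."""
    expected = account_sas_signature(account_name, account_key_b64, sas)
    return hmac.compare_digest(expected, sas["sig"])


if __name__ == "__main__":
    token = parse_sas(SAS_URL)
    print(request_admitted(token, service="blob", permission="read",
                           when="2022-05-19T10:00:00Z",
                           client_ip="168.11.12.15", protocol="https"))
    print(overbroad_findings(token))
    resigned = dict(token, sig=account_sas_signature("kodekloud", DEMO_ACCOUNT_KEY, token))
    print(signature_valid("kodekloud", DEMO_ACCOUNT_KEY, resigned))
```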
Azure AD Authentication
Secure way of authenticating: Microsoft recommends using Azure AD authentication for accessing Blobs, Queues and Tables. Azure AD integrates features such as MFA and Conditional Access to strengthen the request to access storage.
Requires dedicated RBAC roles: Even if you are the Owner or Contributor of the subscription, you would still require storage-specific RBAC roles to authorize storage access requests. These roles can be assigned at any scope and the access will be inherited. Example: Storage Blob Data Owner, Storage Queue Data Contributor.
[Diagram: Azure AD authentication flow: the client logs in (POST: Login), receives a 200 response with a bearer token, and accesses a Storage Blob Container holding the Storage Blob Data Contributor role]
Anonymous access to blobs
Public access without authorization: Anonymous access can be granted to blobs and containers. Read requests to blobs and containers with anonymous access enabled don’t require any sort of authorization.
Ideal for public facing content: Used to share documents, images, or any unstructured data stored in blob storage with the public.
Creating Azure File Share
Enterprise grade file share
With file shares, we can share files across virtual machines and non-Azure
workloads. Any number of Azure or non-Azure virtual machines can mount
and work on the file share simultaneously. Also supports backup and
snapshot for data recovery.
Supports Windows, Linux and macOS
Azure provides easy to use scripts to mount the file share to Windows, Linux
and macOS computers. Computers can interact with Azure file share as they
work with on-premises file shares. Port 445 needs to be open for SMB traffic.
Use cases
Firstly, we can decommission the on-premises file share and migrate to Azure Files. It can also be used for storing diagnostic data, tools and utilities which need to be shared with teams.
Configuring Azure File Sync service
Azure File Sync
Lift and shift
Centralize your file share and provide access to file shares across Windows Servers and Azure Files. Helps to share files across multiple sites with ease.
Adding new offices
You can easily onboard new branch
offices and share files with them.
BCDR
Azure Backup will backup your on-
premises data once the sync is
established. Restoring data after a
catastrophic failure will be quick.
Archiving
File Sync caches data that has been
used recently. Data which is not in
consumption will be stored in Azure
Files and is retrieved only upon
request. You can control this using the
cloud tiering feature.
Without losing the flexibility, performance, and compatibility for your on-premises file servers, extend and centralize your file shares in Azure Files using Azure File Sync.
Use SMB, NFS, and FTPS to connect with your file shares.
Azure File Sync - Components
[Diagram: a Storage Sync Service containing a Marketing sync group and a Finance sync group; a registered server running the File Sync agent exposes D:\Marketing and D:\Finance as server endpoints; cloud endpoints map to the //Marketing and //Finance file shares in a storage account, protected by Azure Backup]
Azure File Sync - Implementation
1. Deploy the Storage Sync Service: In the Azure Portal, we need to create a Storage Sync Service. This will be deployed to a resource group, like the storage account.
2. Prepare Windows File Servers: All servers we are planning to register require preparation. Some prerequisites include disabling IE Enhanced Security and installing the latest version of PowerShell.
3. Installing File Sync Agent: The File Sync Agent needs to be installed on the prepared Windows Server. The agent is responsible for the sync to the Azure file share.
4. Register Windows Server: Once the agent is installed, you will be redirected to the server registration window. Registration is required to establish trust with the Storage Sync Service.
Configuring Azure Blob Storage
Azure Containers (Blob Storage)
[Diagram: Storage Account > Containers (Documents, Videos, webfiles) > Blobs (Document1.pdf, Document2.pdf, IntroVideo.mp4)]
Provides storage for unstructured data, as in any type of text or binary data. Blob Storage is referred to as “object storage”.
Use cases: embed images or documents in webpages; stream video and audio directly to the browser; act as a disaster recovery site for your on-premises site; store files for distribution, for example installation packages on websites; backup, recovery and archiving; store data for analysis which can be accessed by tools like Power BI.
Creating Containers
[Diagram: Storage Account > Containers (Documents, Videos, webfiles) > Blobs (Document1.pdf, Document2.pdf, IntroVideo.mp4)]
All objects or blobs we upload should be in a container. A storage account can have an unlimited number of containers and each container can have unlimited blobs.
Containers provide logical grouping of blobs and act as a scope for assigning RBAC and the public access level:
Private: No anonymous access to data stored in the container
Blob: Anonymous read access to blobs only
Container: Permission to read and list the entire container, which includes all the blobs
Storage Tiers
Blob Access Tiers
Based on the frequency of access, we can optimize storage cost using access tiers.
Hot: Ideal for storing data that is frequently accessed.
Cool: Ideal for storing large amounts of data that is not accessed frequently and is stored for at least 30 days.
Archive: Ideal for data that can tolerate several hours of retrieval latency and will remain in the archive tier for at least 180 days.
Tier | Storage Cost | Access Cost
Hot | $$$ | $
Cool | $$ | $$
Archive | $ | $$$
Access tiers can be switched any time as required.
Lifecycle Management
Blob Lifecycle Management
Policy based transition: We can transition blobs to cooler tiers automatically based on the last modified date.
Delete blobs and snapshots: Besides transitioning to cooler tiers, LCM can be used to delete blobs and blob snapshots after X number of days if they have not been modified.
Filtering option: We can apply the policy to all the blobs in the storage account or limit it to blobs matching filters.
Target different types: LCM can target block blobs and append blobs and further apply to sub-types such as base blobs, versions and snapshots.
Code View
{
"rules": [
{
"enabled": true,
"name": "rule",
"type": "Lifecycle",
"definition": {
"actions": {
"baseBlob": {
"tierToCool": {
"daysAfterModificationGreaterThan": 60
},
"tierToArchive": {
"daysAfterModificationGreaterThan": 180
},
"delete": {
"daysAfterModificationGreaterThan": 365
}
}
},
"filters": {
"blobTypes": [
"blockBlob"
]
}
}
}
]
}
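Added example, not from the course: a Python evaluator that applies the rule above to a constructed blob listing and reports which action (tierToCool, tierToArchive or delete) would fire on a given day. It goes slightly beyond the slide's rule by also honouring a prefixMatch filter and the cheapest-action precedence Azure applies when several thresholds are exceeded; it is not how the service runs the policy internally.

```python
"""Evaluate the slide's blob lifecycle rule against a constructed listing.
Added example, not from the course and not the service's own implementation:
reproduces the daysAfterModificationGreaterThan decision for baseBlob
actions plus the blobTypes and prefixMatch filters."""
import json
from datetime import datetime, timezone

# Policy copied from the slide's Code View.
POLICY_JSON = """
{
  "rules": [
    {
      "enabled": true,
      "name": "rule",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 60},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete": {"daysAfterModificationGreaterThan": 365}
          }
        },
        "filters": {"blobTypes": ["blockBlob"]}
      }
    }
  ]
}
"""

# When several thresholds are exceeded, the cheapest action wins:
# delete over tierToArchive over tierToCool.
ACTION_PRIORITY = ("delete", "tierToArchive", "tierToCool")
TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}   # higher = colder
TARGET_TIER = {"tierToCool": "Cool", "tierToArchive": "Archive"}

# Constructed listing; lastModified as ISO dates, tier as the service would report it.
SAMPLE_BLOBS = [
    {"name": "logs/app-2021-01-01.log", "type": "blockBlob", "lastModified": "2021-01-01", "tier": "Hot"},
    {"name": "docs/Document1.pdf", "type": "blockBlob", "lastModified": "2022-03-01", "tier": "Hot"},
    {"name": "docs/Document2.pdf", "type": "blockBlob", "lastModified": "2022-03-01", "tier": "Cool"},
    {"name": "videos/IntroVideo.mp4", "type": "blockBlob", "lastModified": "2021-10-01", "tier": "Cool"},
    {"name": "docs/recent.pdf", "type": "blockBlob", "lastModified": "2022-05-01", "tier": "Hot"},
    {"name": "logs/audit.log", "type": "appendBlob", "lastModified": "2021-01-01", "tier": "Hot"},
]


def _day(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def rule_matches(rule, blob):
    """Apply the rule's filters: blob type and the optional name prefixes."""
    filters = rule["definition"]["filters"]
    if blob["type"] not in filters["blobTypes"]:
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def action_for(rule, blob, now):
    """Return the action the rule would take on this blob on day `now`, or None."""
    if not rule["enabled"] or not rule_matches(rule, blob):
        return None
    actions = rule["definition"]["actions"].get("baseBlob", {})
    age_days = (_day(now) - _day(blob["lastModified"])).days
    for action in ACTION_PRIORITY:
        threshold = actions.get(action, {}).get("daysAfterModificationGreaterThan")
        if threshold is None or age_days <= threshold:
            continue
        # Tiering to a tier the blob is already in (or colder than) is a no-op.
        target = TARGET_TIER.get(action)
        if target and TIER_RANK[blob["tier"]] >= TIER_RANK[target]:
            continue
        return action
    return None


def plan(policy_json, blobs, now):
    """Map blob name -> action from the first rule that acts on it (the slide has one rule)."""
    rules = json.loads(policy_json)["rules"]
    result = {}
    for blob in blobs:
        result[blob["name"]] = None
        for rule in rules:
            action = action_for(rule, blob, now)
            if action is not None:
                result[blob["name"]] = action
                break
    return result


if __name__ == "__main__":
    for name, action in plan(POLICY_JSON, SAMPLE_BLOBS, "2022-05-19").items():
        print(f"{name:28s} -> {action}")
```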
Import/Export Service
Import/Export Service
Import workflow
1. Identify the data that needs to be moved to Azure. Using the WAImportExport tool, prepare the disks and copy the contents to the disks. This will generate the journal files.
2. Create an Import job in the Azure Portal referencing your destination storage account. Upload the journal files.
3. Ship the drives to the Azure datacenter and update the Import job with the tracking ID of the package. Also provide the return address for Microsoft to return the drives.
4. The hard drives are delivered to the datacenter and the drives are processed.
5. Data is copied from the hard drives to the storage account.
6. The hard drives are returned to you and your data is in Azure Storage.
Import/Export Service
Export workflow
1. Identify the data that you want to move and create an export job in the Azure Portal.
2. Ship your drives to the Azure datacenter and the carrier delivers them.
3. The drives are processed at the datacenter and the data from the storage account is copied to the hard drives.
4. The hard drives are encrypted with BitLocker and the job is updated with the keys.
5. The hard drives are packed, and they are ready for shipping.
6. The hard drives are shipped back to the customer, who can decrypt the disks using the keys in the job.
Azure Storage Explorer
AzCopy
Supports multiple scenarios
AzCopy can be used as a multi-cloud data transfer tool. It supports Azure Blobs, Azure Files, Amazon S3, GCP, ADLS Gen2 APIs etc. Data movement between these and on-premises is supported by AzCopy.
Enhanced resiliency
Every instance will create a job ID and a related log file. If your job fails, you can restart it or review the logs to understand what went wrong.
>_ Terminal
#Get help
azcopy /?
#Copy files (quote the destination so the shell does not interpret the & in the SAS token)
azcopy copy <source> <destination> [options]
azcopy copy ./myfiles/visio.png "https://kodekloud.blob.core.windows.net/files/files?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D"
#Copy using AAD
azcopy login --tenant-id xxxx-xxxx-xxxxx-xxxxxxx-xxxxx
azcopy copy ./myfiles/visio.png https://kodekloud.blob.core.windows.net/files/files
Supports include, exclude, wildcards and recursive
We can use include or exclude flags along with wildcard patterns. Recursive can be used to copy all files within a folder. We can also list or remove blobs in a given path.
Authentication and support
AzCopy can be authenticated using SAS tokens or Azure Active Directory. AzCopy can be installed on Windows, Linux or macOS computers.
Creating an App Service
App Service Plans
[Diagram: the layers under an app: storage/network/compute, virtual machine, operating system, runtime, applications, data & access; for example a Linux App Service Plan hosting ASP.NET Core and Python apps]
Host multiple apps: We can run multiple apps on a single App Service Plan. We can choose a different App Service Plan if we need to deploy our apps in a different region, or if they require a different OS or higher performance.
Considerations
Compute: An App Service Plan defines a set of compute resources required to run our App Service.
Performance tier: Like VMs, App Service Plans also come in different tiers. These tiers represent the performance, features, size and the price you pay.
Regardless of the number of apps you run, you have to pay the cost of the App Service Plans. We need to choose the plans wisely to optimize the cost.
App Service Plans
Selected Features | Free | Shared | Basic | Standard | Premium | Isolated
Web, mobile, or API apps | 10 | 100 | Unlimited | Unlimited | Unlimited | Unlimited
Disk space | 1 GB | 1 GB | 10 GB | 50 GB | 250 GB | 1 TB
Auto Scale | - | - | - | Supported | Supported | Supported
Deployment Slots | 0 | 0 | 0 | 5 | 20 | 20
Max Instances | - | - | Up to 3 | Up to 10 | Up to 30 | Up to 100
Shared Compute (Free & Shared): Run apps on the shared Azure VM infrastructure where your app will be placed
along with other apps.
Dedicated Compute (Basic, Standard, and Premium): Dedicated VMs will be provisioned, and your apps will be running on them.
Isolated: Dedicated VMs will be provisioned in dedicated virtual networks.
App Service Plans
Scale up: Adding more CPU, memory, disk and features
(basically, changing plan tier)
Scale out: Manual (fixed number of instances)
Auto scale (increasing/decreasing based on metrics or schedule)
App Service
Fully managed PaaS solution: Developers can focus on enhancing their code, while Microsoft takes care of the underlying virtual machines and infrastructure.
Single plan: Using an App Service Plan, we can host web apps, API apps, mobile apps, and serverless apps.
Support multiple languages: Developers can run .NET, .NET Core, Node.js, PHP, Java, Python, and even containerized applications on App Service.
Security and Compliance: Enterprise compliance standards such as ISO, SOC, and PCI are covered for App Service. Also, we can set up authentication with Azure AD or social login.
CI/CD and Visual Studio Integration: Supports CI/CD from source control, and we can directly publish our code from Visual Studio.
Marketplace templates: We can use templates like WordPress, Drupal etc. from Azure Marketplace with App Service, making our deployments easier.
API and mobile features: Features like CORS support, offline data sync and push notifications make it the best candidate for hosting mobile apps.
Run Function apps: Functions can be run on your existing App Service Plan without the need to provision additional infrastructure.
Securing an App Service
Securing App Service
Authentication: Enable authentication for Azure App Service. Supports Microsoft, Apple, Facebook, GitHub, Google, Twitter, or any service that’s using OpenID Connect. The default selection will be anonymous, where users can access the app without presenting any credentials.
Security: SSL certificates; Diagnostic settings for troubleshooting; Network ACL; Integrate keys with Azure Key Vault
Custom Domains
Custom Domains in App Service
Branding
By default, Azure creates an entry in the azurewebsites.net domain. You can bring in your own domain and add it to your App Service. You need to validate the domain before you can add it to the App Service.
Supports A or CNAME mapping
Requires creating a TXT record to prove domain ownership. Once that’s done, you can add an A record or CNAME record to map the custom domain to the App Service.
Plan dependent
Custom domains are supported from Basic plan
onwards.
Backup App Service
Backup App Service
Manual and scheduled backups
Backup supports manual or scheduled backup which
includes the backup of configuration, file contents,
and the connected database.
Filters and multiple restore options
Backup can be up to 10 GB of app and database. Full
and partial backups can be configured. We can restore
the app to a previous restore point or create a new app
altogether.
Plan dependent
Backup requires Standard or Premium plan
CI/CD and Deployment slots
CI/CD
Automated Deployment: Automated deployment (CI/CD) is where developers push new code, which includes features, patches and bug fixes, with minimal impact to end users. These changes are immediately updated in Azure App Service. We can integrate App Services with GitHub, Bitbucket, Local Git and Azure Repos.
Manual Deployment: Manual deployment is where developers store their code in a remote cloud storage like OneDrive/Dropbox or in an external git repository. In manual deployment, developers need to manually push the code to the location for the App Service to update.
Deployment slots
[Diagram: commits flow through CI/CD into the Staging slot, which is then swapped with Production]
Slots representing different environments: With the help of deployment slots, we can run different versions of our application like prod, qa, dev etc.
Unique URLs: Deployment slots will have their own unique URL, like your App Service.
Test before swapping: Developers get a chance to test and validate their code in App Service before pushing to production.
Auto swap: We can configure auto-swap in scenarios where validation is not needed.
Reduces downtime and rollback strategy: As we are swapping, deployment slots avoid cold start and hence eliminate service disruption. Since this is a swap, we can always swap back and roll back to the last known good configuration.
Plan dependent: The number of slots supported depends on the service plan. Free, Shared, and Basic plans don’t support deployment slots. Standard supports up to 5, Premium supports up to 20 and Isolated supports up to 20 slots.
Deployment slots - considerations
[Diagram: commits flow through CI/CD into the Staging slot, which is then swapped with Production]
Understand what will be swapped or not: Understand the list of settings that can be swapped and cannot be swapped.
Decision: Decide whether you want to clone an app configuration, clone from another deployment slot or not copy anything.
Settings that can be swapped: General settings; App Settings & Path mappings; Connection strings; Handler mappings; WebJobs contents; Hybrid connections *; Service Endpoints *; Azure CDN *
Settings that aren’t swapped: Publishing endpoints; Custom domain names; Non-public certificates; TLS/SSL settings; Scale settings; IP restrictions; Always On; Diagnostic settings; CORS; VNet integration; Managed identities; Settings that end with the _EXTENSION_VERSION suffix
Azure Container Instances
Virtual Machines v/s Containers
[Diagram: on a VM host, a hypervisor on the host OS runs virtual machines, each with its own guest OS, libs/bins and app; on a container host, a container runtime on the host OS runs containers that carry only their libs/bins and app. Compared on: deployment, fault tolerance, isolation (containers run in user mode), storage]
Azure Container Instances
[Diagram: a container host inside a virtual network, exposing port 80 on a public IP]
Faster startup
Unlike virtual machines, containers can start up in seconds.
Host internet facing applications
ACI supports Public IP and DNS name which is ideal for exposing
your container apps to the internet.
Isolation
Containers are isolated from each other even if they are deployed
on the same container host.
Scalability
You can choose custom sizes as per your resource requirements.
Persistent storage
Container storage is ephemeral, using Azure Files we can create
persistent storage for ACI.
OS and VNet
ACI can be directly deployed to virtual networks. Both Windows
and Linux containers are supported by ACI.
Container Groups
Container groups
[Diagram: a container host running a group of containers listening on ports 1433 and 80]
A collection of containers that get scheduled on the same container host machine; they share resources, lifecycle, local network, and storage volumes.
Deployment options
Container Groups can be deployed
using ARM templates or YAML file. If
your container group includes Azure
resources like a file share, then ARM
template is the better option.
Resource allocation
The resource requests of the container group are calculated by summing up the resource requests of the individual containers that are part of the container group.
Shared networking
Public IP address, one or more ports,
and DNS label can be shared within
container group. In order to reach the
containers from internet, we need to
expose the port to the internet.
Azure Kubernetes Service
Azure Kubernetes Services
[Diagram: an Azure managed node (master) and customer managed nodes, each running kubelet, kube-proxy, a vNIC, a container runtime and containers]
kubelet: Receives requests from the Azure managed node for scheduling containers
kube-proxy: Routes traffic and manages IP addresses of pods and services
Container Runtime: Allows containers to be created and to interact with networking and storage components
Azure managed node: This node is created automatically when we create an AKS cluster. This node is not visible to the end user and runs the Kubernetes master node services.
Customer managed nodes: These nodes run your containerized applications and services. You only pay for the number of nodes.
AKS Terminology
[Diagram: a pool grouping several nodes; a deployment managing several pods]
Pools: Logical grouping of nodes with identical configuration
Nodes: VMs that are running containerized applications. Nodes are managed by the Kubernetes master node, which is not visible to the end user.
Pods: Smallest unit of deployment, which is a collection of one or more containers representing a single instance of your application.
Deployment: Creates one or more identical replicas of your pod
Manifest: YAML or JSON file used for deployment
AKS Networking
[Diagram: pods on AKS nodes; internal traffic reaches pods through a ClusterIP service on :80; incoming direct traffic reaches a NodePort service on :31000, which forwards to the pod on :80; incoming non-direct traffic is routed through a service]
Services in Kubernetes provide internal and external network connectivity to pods
ClusterIP
Facilitates internal communication with other
apps in your cluster. There is no external access.
ClusterIP is the default Kubernetes service
NodePort
Open a specific port on the node and forward
traffic to pod via the service. You can choose port
numbers 30000-32767 and number of services is
limited to one service per port
LoadBalancer
Creates an Azure Load Balancer which will route
the traffic from external to the service. This is the
standard way to expose your applications to the
internet.
AKS Storage
[Diagram: in an AKS cluster, a pod on a customer managed node uses a Persistent Volume Claim bound to a Persistent Volume backed by an Azure managed disk (Premium) or Azure Files (Standard); the API server runs on the Azure managed node]
Volumes
Volumes can be used to store, retrieve, and persist data. Local storage is fast and easy to use; on the other hand, Kubernetes treats pods as ephemeral. If needed, we can create a persistent volume using Azure Files or Azure Managed Disks.
Persistent Volumes
Volume created along with pod is deleted when the pod is deleted. With
the help of persistent volume (PV) we can persist the storage even after
deleting the pod.
Storage class
While creating storage, we can use StorageClasses to define the tier of the
storage required. You can select Premium or Standard. With the help of
reclaimPolicy parameter, we can define if the storage needs to be persisted
or not.
Persistent Volume Claims
Using PVC, we can request Azure Managed Disk or Azure File for a specific
tier (via StorageClass), access mode and size.
AKS Scaling
For best scaling, we need to use both the cluster autoscaler and the HPA.
AKS Scaling
Manual scale
Based on the requirement, you can independently increase the number of
pods replicas or increase the number of nodes.
Cluster autoscaler
The cluster autoscaler can increase the number of nodes in the cluster automatically based on demand. The API server is checked every 10 seconds to validate whether any changes are required to the node count.
Horizontal Pod Autoscaler
Based on the demand, HPA will automatically increase the number of pod replicas. The Metrics API is checked every 30 seconds to see whether any changes are required to the replica count.
[Diagram: AKS cluster with the cluster autoscaler scaling out nodes and the horizontal pod autoscaler scaling out pods]
AKS Bursting
We can use ACI as a virtual node to rapidly scale the AKS cluster.
[Diagram: AKS cluster where, beyond the cluster autoscaler and horizontal pod autoscaler, additional pods are scheduled on a virtual node backed by Azure Container Instances]
Azure Demonstration
File and Folder Backup
[Diagram: an on-premises Windows Server with the MARS agent, and Azure Files, backed up to a Recovery Services Vault]
Virtual Machine Backup
[Diagram: Azure VM backup: the Azure Backup Service takes an instant recovery snapshot of the managed disks, then transfers incremental blocks over HTTPS to the Recovery Services Vault according to the backup policy (configure backup, snapshot, transfer)]
Virtual Machine Backup - On-premises VMs
[Diagram: on-premises workloads backed up via MABS or DPM to a Recovery Services vault. Supported: specialized workloads; files/folders/volumes; physical servers; virtual machines on VMware & Hyper-V; Windows Server 2012 and 2012 R2, 2008 and 2008 R2, 2003 and 2003 R2; Windows XP, 7, 8 and 8.1, 10 and 11 (physical server)]
Azure Site Recovery
[Diagram: a source environment (Region A) with a vnet, availability set, subnet, disks and a cache storage account replicates to a target environment (Region B) with vnet-asr, availability set and subnet; failover switches the workload to Region B]
Network Watcher
Network Watcher
Network Watcher is a regional service that can be used to diagnose, monitor, and set up logging for resources that are deployed in an Azure Virtual Network.
IP Flow verify: used to verify inbound and outbound connectivity from or to a VM from a remote IP address.
Next hop: used to identify the next destination the traffic will be routed to.
VPN diagnostics: will help you diagnose VPN connectivity issues and troubleshoot them.
Connection troubleshoot: can be used to identify network performance and connectivity issues.
NSG Flow Logs: will store the details of the traffic through an NSG in a storage account.
Topology: can be used to see the topology of your Azure infrastructure.
Azure Monitor
[Diagram: Azure Monitor collects from applications, the OS, Azure resources, custom sources, the Azure subscription and the Azure tenant (application, container, VM, network) in order to monitor and visualize metrics, query and analyze logs, and raise alerts and notifications. Experiences: Workbooks and Dashboard (visualize); Metric Explorer and Log Analytics (analyze); Alerts & Actions and Auto Scale (respond); Logic Apps, Import/Export APIs and Event Hubs (integrate)]
Image source: https://docs.microsoft.com/en-us/azure/azure-monitor/data-platform
Metrics
Zero configuration required
Metrics are collected from Azure resources without any additional configuration. The collected data is displayed in the Overview blade of the resource, and we can analyze it further with the help of Metrics Explorer.
Time series
Metrics are plotted on a time axis to
represent the state of a system at a point in
time.
Near real time data
As Metrics can visualize real time data which
represents the state of our system, it’s easy to
monitor and troubleshoot issues.
Azure Monitor
Logs
Requires additional configuration
Logs collected are stored in Log Analytics and this
collection requires agents to be configured on the
source.
Rich query language
Log Analytics supports Kusto Query
Language (KQL) for querying the data stored
in the repository. KQL supports simple
queries and complex queries where you can
perform joins, aggregations, and analytics.
Organized as records
Logs represent data that is organized into different records. Each record represents an event or a piece of information.
Data Sources
Data sources diagram: Application (instrumentation package, availability test); OS (Azure Monitor agent, Azure diagnostics extension; compute resources only); Azure Resources (Metrics, Resource Logs; non-compute resources only); Azure Subscription (Service Health, Activity Log); Azure Tenant (Azure Active Directory); Custom.
Logging layers diagram: Application Logs at the application level, Diagnostic Logs for the guest OS, host VM and Azure resources, and Activity Logs (Azure Activity Log) for the Azure infrastructure.
Subscription level logging
All subscription level events are logged in the Azure Activity Log. The ingested data includes all ARM (control plane) operations and service health events.
Auditing
The Activity Log shows which operations were performed on a resource, who initiated them, when they happened, their status and other raw event data, which supports auditing.
Retention
The Activity Log is enabled by default and retains events for 90 days. If longer retention is needed, create a diagnostic setting to send the data to a storage account, a Log Analytics workspace or an event hub.
Querying data
Filter by Subscription, Timespan, Severity, Resource group, Resource, Operation, Event initiated by, or search for keywords.
Azure Activity Log Event Categories
Administrative
All Resource Manager create, update, delete, and
action operations are categorized under
Administrative
Security
All security alerts generated by Microsoft Defender for Cloud are mapped to this category.
Service Health
Service health incidents in Azure; these may or may not affect your resources.
Alert
Any alerts triggered in Azure Monitor alerts.
Recommendation
All recommendations generated by Azure Advisor.
Policy
All policy effects are mapped to this category.
Autoscale
This category contains all scale-in and scale-out events.
Resource Health
Health events associated with your Azure resources.
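The auditing use of the Activity Log described above (who did what, when, and with what outcome) is easiest to see on real events. The script below is an added example for this page, not course material or Microsoft code. It takes Activity Log events in the shape of the Activity Log event schema (operationName, category and status carried as value objects), drops reads and non-Administrative categories, and flags succeeded changes to role assignments and NSG rules, which are the operations an attacker with a stolen credential would perform first. The events, callers, subscription and resource IDs are constructed placeholders.

```python
"""Audit Azure Activity Log events for sensitive administrative changes.

Added example for this page, not code from the course. The events below
are constructed in the shape of the Activity Log event schema; the callers,
subscription ID and resource IDs are placeholders.
"""
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample of Activity Log events across several categories.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2023-01-15T09:01:12Z", "caller": "admin@contoso.com",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Network"
                   "/networkSecurityGroups/nsg-demo/securityRules/allow-any-in"},
    {"eventTimestamp": "2023-01-15T09:02:40Z", "caller": "svc-deploy@contoso.com",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm01"},
    {"eventTimestamp": "2023-01-15T09:05:03Z", "caller": "contractor@external.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/1111"},
    {"eventTimestamp": "2023-01-15T09:06:30Z", "caller": "contractor@external.example",
     "category": {"value": "Administrative"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "status": {"value": "Failed"},
     "resourceId": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"},
    {"eventTimestamp": "2023-01-15T09:07:00Z", "caller": "Microsoft.Security",
     "category": {"value": "Security"},
     "operationName": {"value": "Microsoft.Security/locations/alerts/activate/action"},
     "status": {"value": "Active"},
     "resourceId": SUB + "/providers/Microsoft.Security/locations/westeurope/alerts/2222"},
]

# Operations that change who can do what, or what is reachable from the network.
# This list is an illustrative starting point, not an official catalogue.
SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/write",
}


def is_change(operation):
    """Resource Manager create/update/delete/action operations end in write, delete or action."""
    return operation.rsplit("/", 1)[-1] in {"write", "delete", "action"}


def audit_events(events):
    """Return the Administrative change operations, each flagged as sensitive or not.

    Failed attempts are kept (succeeded=False): a burst of failed deletes from
    one caller is itself worth a look.
    """
    findings = []
    for ev in events:
        if ev["category"]["value"] != "Administrative":
            continue  # Security, Policy, Alert etc. are reviewed through their own tooling
        op = ev["operationName"]["value"]
        if not is_change(op):
            continue  # reads are noise for a change audit
        findings.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "operation": op,
            "resource": ev["resourceId"],
            "succeeded": ev["status"]["value"] == "Succeeded",
            "sensitive": op in SENSITIVE_OPERATIONS,
        })
    return findings


def changes_by_caller(findings):
    """Group the operations each identity attempted, for a quick 'who did what' view."""
    by_caller = defaultdict(list)
    for f in findings:
        by_caller[f["caller"]].append(f["operation"])
    return dict(by_caller)


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS):
        flag = "SENSITIVE" if f["sensitive"] else "change"
        outcome = "ok" if f["succeeded"] else "FAILED"
        print(f"{f['time']} {flag:9} {outcome:6} {f['caller']} {f['operation']}")
```

The same filter expressed over the Activity Log's portal view is: category Administrative, operation ending in write/delete/action, status Succeeded, then group by "Event initiated by". Exporting the log to a Log Analytics workspace (see Retention above) is what makes this review possible beyond the default 90 days.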
Azure Alerts
Azure Monitor Alerts
Unified authoring experience
Alerts can be created for Activity Log events, Service Health events, Log Analytics queries, metrics and more, and the authoring experience is the same in every case.
Classify based on severity and response
Azure Monitor alerts support severity levels 0 (critical) to 4 (verbose), so you can prioritize them easily. Alerts can also be tracked by user response: New, Acknowledged or Closed.
Integrate with Action Groups
Define your notification and automation preferences with Action Groups.
Azure Monitor Alerts
Scope
Defines the scope for alert
Rule details
Specify name, severity, region, resource group and
subscription for the alert.
Condition
Helps you to define the signal and criteria for alert
Actions
Integrate alerts with Action Groups
Action Groups
Notification
Email Azure Resource Manager role (Owner, Contributor, Reader, Monitoring Contributor, Monitoring Reader)
Email/SMS/Push/Voice
Actions
Automation Runbook
Azure Function
Event Hub
ITSM
Logic App
Secure Webhook
Webhook
Log Analytics
Data collection
Data generated by resources in the cloud and on-premises is collected into a Log Analytics workspace.
Reporting and visualization
Use KQL to create rich reports and visualizations.
Workspace
A workspace must be created before data can be ingested. You can create one or more workspaces in different regions as your requirements dictate.
Pricing
Cost is based on data ingestion (per GB) and data retention (per day beyond the free period). The first 31 days of data retention are free.
Log Analytics Workspace
Workspace
Resource created in Azure to collect, analyze,
aggregate, and visualize the data from onboarded
resources.
Data isolation
You can create workspaces in different regions to
meet compliance and data residency
requirements.
Stores Insights and Sentinel data
Data ingested by other services such as Application Insights and Microsoft Sentinel is stored in a Log Analytics workspace.
Querying Log Analytics Workspace
Data source to table mapping: Windows Events → Event; Syslog → Syslog; Agents (heartbeat) → Heartbeat; Performance metrics → Perf; Custom logs → CustomLog_01 (custom table); Alerts → Alert.
Sample queries:

// Errors from Linux syslog and Windows event logs. The two tables use
// different severity columns (Syslog.SeverityLevel is "err", Event.EventLevelName
// is "Error"), so filter each before the union.
Syslog
| where SeverityLevel == "err"
| union (Event | where EventLevelName == "Error")

// Windows Server 2016 domain controllers reporting from a 52.x address
Heartbeat
| where ComputerIP startswith "52" and Computer startswith "DC"
| where OSType == "Windows" and OSName contains "2016"

// Free memory over time for one machine, rendered as a chart
Perf
| where CounterName == "Available MBytes" and Computer == "JBOX00"
| project TimeGenerated, CounterValue
| sort by TimeGenerated asc
| render timechart
Application Insights
// ASP.NET MVC demo controller shown on the Application Insights slide;
// the using directive below is what an MVC 5 project needs for Controller,
// ActionResult and ViewBag.
using System.Web.Mvc;

namespace DemoWebApp.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult About()
        {
            ViewBag.Message = "Your application description page.";
            return View();
        }

        public ActionResult Contact()
        {
            ViewBag.Message = "Your contact page.";
            return View();
        }
    }
}
Application Insights diagram: telemetry from the instrumented application can be consumed through Alerts, Power BI, Visual Studio, the REST API and Continuous Export.
Ability to monitor failures and unavailability of our
applications continuously.
Availability test
Ability to perform availability test from different
geographic regions to observe latency and
performance.
Supports Azure and non-Azure applications
We can install the instrumentation package on
Azure and non-Azure environment to monitor our
applications.