Microsoft Azure Administrator: @androdagger
Microsoft Azure Administrator: @androdagger
Microsoft Azure Administrator: @androdagger
C
T
U
S
E
ON
LY
.
S
T
U
AZ-104T00 D
E
Microsoft Azure N
Administrator T
II Disclaimer
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
IV EULA
Courseware. These classes are not advertised or promoted to the general public and class attend-
ance is restricted to individuals employed by or contracted by the corporate customer.
14. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy
Program Member to teach an Authorized Training Session, and/or (ii) a MCT.
15. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
● 2.1 Below are five separate sets of use rights. Only one set of rights apply to you.
1. If you are a Microsoft IT Academy Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc-
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content, provided you comply with the following:
3. you will only provide access to the Licensed Content to those individuals who have acquired
a valid license to the Licensed Content,
4. you will ensure each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Author-
ized Training Session,
5. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
7. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
8. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
9. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instruc-
tor-Led Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content, provided you comply with the following:
3. you will only provide access to the Licensed Content to those individuals who have acquired
a valid license to the Licensed Content,
4. you will ensure that each End User attending a Private Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private
Training Session,
5. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to
the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
6. you will ensure that each MCT teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
7. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized Training
Sessions using MOC,
www.androdagger.com Telegram: @androdagger
8. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
9. you will only provide access to the Trainer Content to MCTs.
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Micro-
soft Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content, provided you comply with the following:
3. you will only provide access to the Licensed Content to those individuals who have acquired
a valid license to the Licensed Content,
4. you will ensure that each End User attending a Private Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private
Training Session,
5. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to
the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
6. you will ensure that each Trainer teaching a Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
7. you will only use qualified Trainers who hold the applicable Microsoft Certification creden-
tial that is the subject of the Microsoft Instructor-Led Courseware being taught for all your
Private Training Sessions,
8. you will only use qualified MCTs who hold the applicable Microsoft Certification credential
that is the subject of the MOC title being taught for all your Private Training Sessions using
MOC,
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer.
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. You may customize the written portions of the Trainer Content that are logically associated
with instruction of a training session in accordance with the most recent version of the MCT
agreement. If you elect to exercise the foregoing rights, you agree to comply with the
following: (i) customizations may only be used for teaching Authorized Training Sessions
and Private Training Sessions, and (ii) all customizations will comply with this agreement. For
clarity, any use of “customize” refers only to changing the order of slides and content, and/
or not using all the slides or content, it does not mean changing or modifying any slide or
content.
● 2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may
not separate their components and install them on different devices.
● 2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above,
you may not distribute any Licensed Content or any portion thereof (including any permitted
modifications) to any third parties without the express written permission of Microsoft.
● 2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft, not
the third party, licenses to you under this agreement. Notices, if any, for the third party code are
included for your information only.
● 2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and
licenses also apply to your use of that respective component and supplements the terms described
in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to
the other provisions in this agreement, these terms also apply:
1. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version
of the Microsoft technology. The technology may not work the way a final version of the technolo-
gy will and we may change the technology for the final version. We also may not release a final
version. Licensed Content based on the final version of the technology may not contain the same
information as the Licensed Content based on the Pre-release version. Microsoft is under no
obligation to provide you with any further content, including any Licensed Content based on the
final version of the technology.
VIII EULA
to license its technology, technologies, or products to third parties because we include your
feedback in them. These rights survive this agreement.
3. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed
Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end
date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the
commercial release of the technology that is the subject of the Licensed Content, whichever is
earliest ("Pre-release term"). Upon expiration or termination of the Pre-release term, you will
irretrievably delete and destroy all copies of the Licensed Content in your possession or under
your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the Licensed Content
that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you
may not:
● access or allow any individual to access the Licensed Content if they have not acquired a valid
license for the Licensed Content,
● alter, remove or obscure any copyright or other protective notices (including watermarks), brand-
ing or identifications contained in the Licensed Content,
● modify or create a derivative work of any Licensed Content,
● publicly display, or make the Licensed Content available for others to access or use,
● copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
● work around any technical limitations in the Licensed Content, or
● reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regula-
tions. You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www. microsoft. com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for
it.
www.androdagger.com Telegram: @androdagger
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmis-
sion received from any third party sites. Microsoft is providing these links to third party sites to you
only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of
the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED"AS-IS"AND"AS AVAILABLE.
"YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CON-
SUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILI-
ATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICU-
LAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
● anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
● claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion
or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque: Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.
www.androdagger.com Telegram: @androdagger
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre
garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection
dues consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les
X EULA
Start Here
About this Course
Course Description
This course teaches IT Professionals how to manage their Azure subscriptions, secure identities, adminis-
ter the infrastructure, configure virtual networking, connect Azure and on-premises sites, manage
network traffic, implement storage solutions, create and scale virtual machines, implement web apps and
containers, back up and share data, and monitor your solution.
Level: Intermediate
Audience
This course is for Azure Administrators. Azure Administrators manage the cloud services that span
storage, networking, and compute cloud capabilities, with a deep understanding of each service across
the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations
on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as
appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use
the Azure Portal and as they become more proficient they use PowerShell and the Command Line
Interface.
Prerequisites
Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud
infrastructure, storage structures, and networking.
Expected learning
● Secure identities with Azure Active Directory and users and groups.
● Manage subscriptions, accounts, Azure policies, and Role-Based Access Control.
● Administer Azure using the Resource Manager, Azure portal, Cloud Shell, Azure PowerShell, CLI, and
ARM templates.
● Configure virtual networks including planning, IP addressing, Azure DNS, Network Security Groups,
and Azure Firewall.
● Configure intersite connectivity solutions like VNet Peering, virtual network gateways, and Site-to-Site
VPN connections.
● Manage network traffic using network routing and service endpoints, Azure load balancer, and Azure
Application Gateway.
● Implement, manage and secure Azure storage accounts, blob storage, and Azure files with File Sync.
● Plan, create, and scale virtual machines.
● Administer Azure App Service, Azure Container Instances, and Kubernetes.
● Backup files, folders, and virtual machines.
● Monitor the Azure infrastructure with Azure Monitor, Azure alerts, Log Analytics, and Network Watch-
er.
Syllabus
The course content includes a mix of content, demonstrations, hands-on labs, reference links, and
module review questions.
Module 01 - Identity
In this module, you will learn how to secure identities with Azure Active Directory, and implement users
and groups. This module includes:
● Azure Active Directory
● Users and Groups
● Lab 01 - Manage Azure Active Directory Identities
Module 02 – Governance and Compliance
In this module, you will learn about managing your subscriptions and accounts, implementing Azure
policies, and using Role-Based Access Control. This module includes:
● Subscriptions and Accounts
● Azure Policy
● Role-based Access Control (RBAC)
www.androdagger.com Telegram: @androdagger
● Lab 02a - Manage Subscriptions and RBAC
● Lab 02b - Manage Governance via Azure Policy
Module 03 – Azure Administration
In this module, you will learn about the tools an Azure Administrator uses to manage their infrastructure.
This includes the Azure Portal, Cloud Shell, Azure PowerShell, CLI, and Resource Manager Templates. This
module includes:
● Resource Manager
● Azure Portal and Cloud Shell
● Azure PowerShell and CLI
● ARM Templates
● Lab 03a - Manage Azure resources by Using the Azure Portal
● Lab 03b - Manage Azure resources by Using ARM Templates
● Lab 03c - Manage Azure resources by Using Azure PowerShell
● Lab 03d - Manage Azure resources by Using Azure CLI
Module 04 – Virtual Networking
In this module, you will learn about basic virtual networking concepts like virtual networks and subnet-
ting, IP addressing, Azure DNS, network security groups, and Azure Firewall. This module includes:
● Virtual Networks
● IP Addressing
● Network Security groups
● Azure Firewall
● Azure DNS
● Lab 04 - Implement Virtual Networking
Module 05 – Intersite Connectivity
In this module, you will learn about intersite connectivity features including VNet Peering, Virtual Network
Gateways, and VPN Gateway Connections. This module includes:
● VNet Peering
● VPN Gateway Connections
● ExpressRoute and Virtual WAN
● Lab 05 - Implement Intersite Connectivity
Module 06 – Network Traffic Management
In this module, you will learn about network traffic strategies including network routing and service
endpoints, Azure Load Balancer, and Azure Application Gateway. This module includes:
● Network Routing and Endpoints
● Azure Load Balancer
● Azure Application Gateway
In this module, you will learn about basic storage features including storage accounts, blob storage,
Azure files and File Sync, storage security, and storage tools. This module includes:
● Storage Accounts
● Blob Storage
● Storage Security
● Azure Files and File Sync
● Managing Storage
● Lab 07 - Manage Azure storage
Module 08 – Azure Virtual Machines
In this module, you will learn about Azure virtual machines including planning, creating, availability and
extensions. This module includes:
● Virtual Machine Planning
● Creating Virtual Machines
● Virtual Machine Availability
● Virtual Machine Extensions
● Lab 08 - Manage Virtual Machines
Module 09 - Serverless Computing
In this module, you will learn administer serverless computing features like Azure App Service, Azure
Container Instances, and Kubernetes. This module includes:
● Azure App Service Plans
● Azure App Services
● Container Services
● Azure Kubernetes Services
● Lab 09a - Implement Web Apps
● Lab 09b - Implement Azure Container Instances
● Lab 09c - Implement Azure Kubernetes Service
Module 10 – Data Protection
In this module, you will learn about backing up files and folders, and virtual machine backups. This
module includes:
● File and Folder Backups
● Virtual Machine Backups
● Log Analytics
● Network Watcher
● Lab 11 - Implement Monitoring
Microsoft Learn
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can also search for additional content that might be helpful.
Module 01 - Identity
● Create Azure users and groups in Azure Active Directory2
● Manage users and groups in Azure Active Directory3
● Secure your Azure resources with role-based access control4
● Secure Azure Active Directory users with Multi-Factor Authentication5
● Allow users to reset their password with Azure Active Directory self-service password reset6
● Secure your application by using OpenID Connect and Azure AD7
9 https://docs.microsoft.com/en-us/learn/modules/predict-costs-and-optimize-spending/
10 https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/
11 https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/
12 https://docs.microsoft.com/en-us/learn/modules/create-custom-azure-roles-with-rbac/
13 https://docs.microsoft.com/en-us/learn/modules/manage-subscription-access-azure-rbac/
14 https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/
www.androdagger.com Telegram: @androdagger
15 https://docs.microsoft.com/en-us/learn/modules/tour-azure-portal/
16 https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/
17 https://docs.microsoft.com/en-us/learn/modules/build-azure-vm-templates/
18 https://docs.microsoft.com/en-us/learn/modules/automate-azure-tasks-with-powershell/
19 https://docs.microsoft.com/en-us/learn/modules/manage-virtual-machines-with-azure-cli/
20 https://docs.microsoft.com/en-us/learn/modules/network-fundamentals/
21 https://docs.microsoft.com/en-us/learn/modules/design-ip-addressing-for-azure/
22 https://docs.microsoft.com/en-us/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/
23 https://docs.microsoft.com/en-us/learn/modules/integrate-vnets-with-vnet-peering/
24 https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-vpn-gateway/
25 https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-expressroute/
26 https://docs.microsoft.com/en-us/learn/modules/control-network-traffic-flow-with-routes/
27 https://docs.microsoft.com/en-us/learn/modules/improve-app-scalability-resiliency-with-load-balancer/
28 https://docs.microsoft.com/en-us/learn/modules/load-balance-web-traffic-with-application-gateway/
29 https://docs.microsoft.com/en-us/learn/modules/distribute-load-with-traffic-manager/
30 https://docs.microsoft.com/en-us/learn/modules/create-azure-storage-account/
31 https://docs.microsoft.com/en-us/learn/modules/secure-azure-storage-account/
32 https://docs.microsoft.com/en-us/learn/modules/optimize-archive-costs-blob-storage/
33 https://docs.microsoft.com/en-us/learn/modules/ha-application-storage-with-grs/
34 https://docs.microsoft.com/en-us/learn/modules/copy-blobs-from-command-line-and-code/
35 https://docs.microsoft.com/en-us/learn/modules/move-data-with-azure-data-box/
● Scale an App Service web app to efficiently meet demand with App Service scale up and scale
out44
● Dynamically meet changing web app performance requirements with autoscale rules45
● Capture and view page load times in your Azure web app with Application Insights46
● Run Docker containers with Azure Container Instances47
● Introduction to the Azure Kubernetes Service48
Module 11 - Monitoring
● Analyze your Azure infrastructure by using Azure Monitor logs53
● Improve incident response with alerting on Azure54
● Monitor the health of your Azure virtual machine by collecting and analyzing diagnostic data55
● Monitor, diagnose, and troubleshoot your Azure storage56
✔️ These links are also found at the end of each Module.
44 https://docs.microsoft.com/en-us/learn/modules/app-service-scale-up-scale-out/
45 https://docs.microsoft.com/en-us/learn/modules/app-service-autoscale-rules/
46 https://docs.microsoft.com/en-us/learn/modules/capture-page-load-times-application-insights/
47 https://docs.microsoft.com/en-us/learn/modules/run-docker-with-azure-container-instances/
48 https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-kubernetes-service/
● Azure Tuesdays with Corey60. Corey Sanders answers your questions about Microsoft Azure - Virtual
Machines, Web Sites, Mobile Services, Dev/Test etc.
● Azure Fridays61. Join Scott Hanselman as he engages one-on-one with the engineers who build the
services that power Microsoft Azure, as they demo capabilities, answer Scott's questions, and share
their insights.
● Microsoft Azure Blog62. Keep current on what's happening in Azure, including what's now in preview,
generally available, news & updates, and more.
● Azure Documentation63. Stay informed on the latest products, tools, and features. Get information
on pricing, partners, support, and solutions.
12 Module 1 Identity
Azure AD Concepts
● Identity. A thing that can get authenticated. An identity can be a user with a username and password.
Identities also include applications or other servers that might require authentication through secret
keys or certificates.
● Account. An identity that has data associated with it. You cannot have an account without an identity.
● Azure AD Account. An identity created through Azure AD or another Microsoft cloud service, such as
Office 365. Identities are stored in Azure AD and accessible to your organization's cloud service
subscriptions. This account is also sometimes called a Work or school account.
1 https://docs.microsoft.com/en-us/azure/active-directory/
● Azure AD directory. Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure
AD directory includes the tenant's users, groups, and apps and is used to perform identity and access
management functions for tenant resources.
14 Module 1 Identity
Azure AD Join
Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere.
2 https://azure.microsoft.com/en-us/pricing/details/active-directory
Azure AD Join is designed provide access to organizational apps and resources and to simply Windows
deployments of work-owned devices. AD Join has these benefits.
● Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users will not have
additional authentication prompts when accessing work resources. The SSO functionality is available
even when users are not connected to the domain network.
● Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect to
a Microsoft account (for example, Hotmail) to observe settings across devices.
● Access to Microsoft Store for Business using an Azure AD account. Your users can choose from an
inventory of applications pre-selected by the organization.
● Windows Hello support for secure and convenient access to work resources.
● Restriction of access to apps from only devices that meet compliance policy.
● Seamless access to on-premise resources when the device has line of sight to the on-premises
domain controller.
Connection options
To get a device under the control of Azure AD, you have two options:
● Registering a device to Azure AD enables you to manage a device’s identity. When a device is
registered, Azure AD device registration provides the device with an identity that is used to authenti-
cate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a
device.
● Joining a device is an extension to registering a device. This means, it provides you with all the
benefits of registering a device and in addition to this, it also changes the local state of a device.
Changing the local state enables your users to sign-in to a device using an organizational work or
school account instead of a personal account.
✔️ Registration combined with a mobile device management (MDM) solution such as Microsoft Intune,
provides additional device attributes in Azure AD. This allows you to create conditional access rules that
enforce access from devices to meet your standards for security and compliance.
✔️ Although AD Join is intended for organizations that do not have on-premises Windows Server Active
Directory infrastructure it can be used for other scenarios like branch offices.
3 https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction
16 Module 1 Identity
The security of MFA two-step verification lies in its layered approach. Compromising multiple authentica-
tion factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's
password, it is useless without also having possession of the additional authentication method. Authenti-
cation methods include:
● Something you know (typically a password)
● Something you have (a trusted device that is not easily duplicated, like a phone)
● Something you are (biometrics)
MFA Features
Get more security with less complexity. Azure MFA helps safeguard access to data and applications
and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range
of easy verification options—phone call, text message, or mobile app notification—and allow customers
to choose the method they prefer.
Mitigate threats with real-time monitoring and alerts. MFA helps protect your business with security
monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help
mitigate potential threats, real-time alerts notify your IT department of suspicious account credentials.
Use with Office 365, Salesforce, and more. MFA for Office 365 helps secure access to Office 365
applications at no additional cost. Multi-Factor Authentication is also available with Azure Active Directo-
ry Premium and thousands of software-as-a-service (SaaS) applications, including Salesforce, Dropbox,
and other popular services.
Add protection for Azure administrator accounts. MFA adds a layer of security to your Azure adminis-
trator account at no additional cost. When it's turned on, you need to confirm your identity to create a
virtual machine, manage storage, or use other Azure services.
Authentication Methods
Method Description
Call to phone Places an automated voice call. The user answers
the call and presses # in the phone keypad to
authenticate. The phone number is not synchro-
nized to on-premises Active Directory. A voice call
to phone is important because it persists through
a phone handset upgrade, allowing the user to
register the mobile app on the new device.
Text message to phone Sends a text message that contains a verification
code. The user is prompted to enter the verifica-
tion code into the sign-in interface. This process is
called one-way SMS. Two-way SMS means that the
user must text back a particular code. Two-way
SMS is deprecated and not supported after
November 14, 2018. Users who are configured for
two-way SMS are automatically switched to call to
phone verification at that time.
Notification through mobile app Sends a push notification to your phone or
registered device. The user views the notification
and selects Approve to complete verification. The
Microsoft Authenticator app is available for
Windows Phone, Android, and iOS. Push notifica-
tions through the mobile app provide the best
user experience.
Verification code from mobile app The Microsoft Authenticator app generates a new
OATH verification code every 30 seconds. The user
enters the verification code into the sign-in
interface. The Microsoft Authenticator app is
available for Windows Phone, Android, and iOS.
Verification code from mobile app can be used
when the phone has no data connection or cellular
signal.
✔️ There is also a selection to cache passwords so that users do not have to authenticate on trusted
devices. The number of days before a user must re-authenticate on trusted devices can also be config-
ured with the value from 1 to 60 days. The default is 14 days.
For more information, Multi-Factor Authentication4
4 https://azure.microsoft.com/en-us/services/multi-factor-authentication/
18 Module 1 Identity
In the Password reset properties there are three options: None, Selected, and All.
The Selected option is useful for creating specific groups who have self-service password reset enabled.
The Azure documentation recommends creating a specific group for purposes of testing or proof of
concept before deploying to a larger group within the Azure AD tenant. Once you are ready to deploy
this functionality to all users with accounts in your AD Tenant, you can change the setting to All.
Authentication methods
After enabling password reset for user and groups, you pick the number of authentication methods
required to reset a password and the number of authentication methods available to users.
At least one authentication method is required to reset a password, but it is a good idea to have addi-
tional methods available. You can choose from email notification, a text or code sent to user’s mobile or
office phone, or a set of security questions.
✔️ Azure Administrator accounts will always be able to reset their passwords no matter what this optionis
set to.
20 Module 1 Identity
Azure Portal
You can add new users through the Azure Portal. In addition to Name and User name, there is profile
information like Job Title and Department.
If you are going to use a CSV file here are some things to think about:
● Naming conventions. Establish or implement a naming convention for usernames, display names
and aliases. For example, a user name could consist of last name, period, first name: Smith.John@
contoso.com.
● Passwords. Implement a convention for the initial password of the newly created user. Figure out a
way for the new users to receive their password in a secure way. Methods commonly used for this are
generating a random password and emailing it to the new user or their manager.
22 Module 1 Identity
2. Create a new Password Profile for the new users. The password for the new users needs to conform to
the password complexity rules you have set for your directory.
3. Use Import-CSV to import the csv file. You will need to specify the path and file name of the CSV file.
4. Loop through the users in the file constructing the user parameters required for each user. For
example, User Principal Name, Display Name, Given Name, Department, and Job Title.
5. Use New-AzADUser to create each user. Be sure to enable each account.
For more information, Importing data into my directory5
Group Accounts
Azure AD allows you to define two different types of groups.
● Security groups. These are the most common and are used to manage member and computer access
to shared resources for a group of users. For example, you can create a security group for a specific
security policy. By doing it this way, you can give a set of permissions to all the members at once,
instead of having to add permissions to each member individually. This option requires an Azure AD
administrator.
● Office 365 groups. These groups provide collaboration opportunities by giving members access to a
shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people
outside of your organization access to the group. This option is available to users as well as admins.
5 https://docs.microsoft.com/en-us/powershell/azure/active-directory/importing-data?view=azureadps-2.0
Azure AD Connect
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you
to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with
Azure AD.
24 Module 1 Identity
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises
identity infrastructure. It enables you to maintain a reliable connection to Office 365 and Microsoft Online
Services. This reliability is achieved by providing monitoring capabilities for your key identity components.
Also, it makes the key data points about these components easily accessible.
Azure AD Connect Health helps you:
● Monitor and gain insights into AD FS servers, Azure AD Connect, and AD domain controllers.
● Monitor and gain insights into the synchronizations that occur between your on-premises AD DS and
Azure AD.
● Monitor and gain insights into your on-premises identity infrastructure that is used to access Office
365 or other Azure AD applications
With Azure AD Connect the key data you need is easily accessible. You can view and act on alerts, setup
email notifications for critical alerts, and view performance data.
✔️ Using AD Connect Health works by installing an agent on each of your on-premises sync servers.
Resource independence
26 Module 1 Identity
Azure AD B2C
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their
preferred social, enterprise, or local account identities to get single sign-on access to your applications
and APIs. Azure Active Directory B2C (Azure AD B2C) is a customer identity access management (CIAM)
solution capable of supporting millions of users and billions of authentications per day. It takes care of
the scaling and safety of the authentication platform, monitoring and automatically handling threats like
denial-of-service, password spray, or brute force attacks.
4. After the user is created, review additional information about the user.
Explore group accounts
1. Select the Groups blade.
2. Add a New group.
28 Module 1 Identity
Lab scenario
In order to allow Contoso users to authenticate by using Azure AD, you have been tasked with provision-
ing users and group accounts. Membership of the groups should be updated automatically based on the
user job titles. You also need to create a test Azure AD tenant with a test user account and grant that
account limited permissions to resources in the Contoso Azure subscription.
Objectives
In this lab, you will:
● Task 1: Create and configure Azure AD users.
● Task 2: Create Azure AD groups with assigned and dynamic membership.
● Task 3: Create an Azure Active Directory (AD) tenant.
● Task 4: Manage Azure AD guest users.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com and an
Azure Active Directory (Azure AD) domain named contoso.onmicrosoft.com.
Azure AD Connect is installed and Active Directory Federation Services (AD FS) is configured. Pass-
word-writeback is enabled. You need to monitor synchronization events generated by Azure AD Connect.
Select one.
Install Azure AD Connect Health.
Deploy a domain controller for contoso.com on a virtual machine in the
contoso.onmicrosoft.com tenant.
Configure Authentication Caching.
Launch Synchronization Service Manager and edit the properties of the connector.
Review Question 3
Identify three differences from the following list between Azure Active Directory (AD) and Active Directory
Domain Services (AD DS). Select three.
Azure AD uses HTTP and HTTPS communications
Azure AD uses Kerberos authentication
There are no Organizational Units (OUs) or Group Policy Objects (GPOs) in Azure AD
Azure AD includes Federation Services
Azure AD can be queried through LDAP
Review Question 4
You would like to add a user who has a Microsoft account to your subscription. Which type of user account is
this? Select one.
Cloud identity
Directory-Synchronized
Provider identity
Guest User
Hosted identity
Review Question 5
You are configuring Self-service Password Reset. Which of the following is not a validation method? Select
one.
An email notification.
30 Module 1 Identity
Review Question 6
You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams
tenants and be able to assign other administrator roles? Select one.
Global administrator
Password administrator
Security administrator
User administrator
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Create Azure users and groups in Azure Active Directory7
● Manage users and groups in Azure Active Directory8
● Secure your Azure resources with role-based access control9
● Secure Azure Active Directory users with Multi-Factor Authentication10
● Allow users to reset their password with Azure Active Directory self-service password reset11
● Secure your application by using OpenID Connect and Azure AD12
Answers
Review Question 1
Your users want to sign-in to devices, apps, and services from anywhere. They want to sign-in using an
organizational work or school account instead of a personal account. You must ensure corporate assets
are protected and that devices meet standards for security and compliance. Specifically, you need to be
able to enable or disable a device. What should you do? Select one.
Enable the device in Azure AD.
■ Join the device to Azure AD.
Connect the device to Azure AD.
Register the device with Azure AD.
Explanation
Join the device to Azure AD. Joining a device is an extension to registering a device. This means, it provides
you with all the benefits of registering a device, like being able to enable or disable the device. In addition, it
also changes the local state of a device. Changing the local state enables your users to sign-in to a device
using an organizational work or school account instead of a personal account.
Review Question 2
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com and an
Azure Active Directory (Azure AD) domain named contoso.onmicrosoft.com.
Azure AD Connect is installed and Active Directory Federation Services (AD FS) is configured. Pass-
word-writeback is enabled. You need to monitor synchronization events generated by Azure AD Connect.
Select one.
■ Install Azure AD Connect Health.
Deploy a domain controller for contoso.com on a virtual machine in the
contoso.onmicrosoft.com tenant.
Configure Authentication Caching.
Launch Synchronization Service Manager and edit the properties of the connector.
Explanation
Install Azure AD Connect Health. Azure AD Connect Health is a feature that will monitor on-premises AD
DS identities and provide alerts. This requires an agent on each server being monitored.
32 Module 1 Identity
Review Question 3
Identify three differences from the following list between Azure Active Directory (AD) and Active Directory
Domain Services (AD DS). Select three.
■ Azure AD uses HTTP and HTTPS communications
Azure AD uses Kerberos authentication
■ There are no Organizational Units (OUs) or Group Policy Objects (GPOs) in Azure AD
■ Azure AD includes Federation Services
Azure AD can be queried through LDAP
Explanation
Although the list is by no means conclusive, and you may identify others not listed, here are several charac-
teristics of Azure AD that make it different to AD DS: Azure AD is primarily an identity solution, and it is
designed for Internet-based applications by using HTTP and HTTPS communications; because Azure AD is
HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP
and HTTPS. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it
uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication
(and OAuth for authorization). Azure AD users and groups are created in a flat structure, and there are no
Organizational Units (OUs) or Group Policy Objects (GPOs). While Azure AD includes federation services,
and many third-party services (such as Facebook), AD DS supports federation.
Review Question 4
You would like to add a user who has a Microsoft account to your subscription. Which type of user
account is this? Select one.
Cloud identity
Directory-Synchronized
Provider identity
■ Guest User
Hosted identity
Explanation
Guest user. Guest users are users added to Azure AD from a third party like Microsoft or Google.
Review Question 5
You are configuring Self-service Password Reset. Which of the following is not a validation method?
Select one.
An email notification.
A text or code sent to a user's mobile or office phone.
■ A paging service.
Review Question 6
You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams
tenants and be able to assign other administrator roles? Select one.
■ Global administrator
Password administrator
Security administrator
User administrator
Explanation
Global administrator. Only the global administrator can manage groups across tenants and assign other
administrator roles.
2 https://azure.microsoft.com/en-us/global-infrastructure/regions/
3 https://docs.microsoft.com/en-us/azure/best-practices-availability-paired-regions#what-are-paired-regions
Subscriptions help you organize access to cloud service resources. They also help you control how
resource usage is reported, billed, and paid for. Each subscription can have a different billing and pay-
ment setup, so you can have different subscriptions and different plans by department, project, regional
office, and so on. Every cloud service belongs to a subscription, and the subscription ID may be required
for programmatic operations.
Azure Accounts
Subscriptions have accounts. An Azure account is simply an identity in Azure Active Directory (Azure AD)
or in a directory that is trusted by Azure AD, such as a work or school organization. If you don't belong to
one of these organizations, you can sign up for an Azure account by using your Microsoft Account, which
is also trusted by Azure AD.
Getting a Subscription
There are several ways to get an Azure subscription: Enterprise agreements, Microsoft resellers, Microsoft
partners, and a personal free account.
Enterprise agreements
Any Enterprise Agreement4 customer can add Azure to their agreement by making an upfront monetary
commitment to Azure. That commitment is consumed throughout the year by using any combination of
the wide variety of cloud services Azure offers from its global datacenters. Enterprise agreements have a
99.95% monthly SLA.
Reseller
Buy Azure through the Open Licensing program5, which provides a simple, flexible way to purchase
cloud services from your Microsoft reseller. If you already purchased an Azure in Open license key,
activate a new subscription or add more credits now 6.
Partners
Find a Microsoft partner7 who can design and implement your Azure cloud solution. These partners
have the business and technology expertise to recommend solutions that meet the unique needs of your
business.
Subscription Usage
Azure offers free and paid subscription options to suit different needs and requirements. The most
commonly used subscriptions are:
● Free
● Pay-As-You-Go
● Enterprise Agreement
● Student
Cost Management
With Azure products and services, you only pay for what you use. As you create and use Azure resources,
you are charged for the resources. You use Azure Cost Management and Billing features to conduct
billing administrative tasks and manage billing access to costs. You also its features to monitor and
control Azure spending and to optimize Azure resource use.
Cost Management shows organizational cost and usage patterns with advanced analytics. Reports in Cost
Management show the usage-based costs consumed by Azure services and third-party Marketplace
offerings. Costs are based on negotiated prices and factor in reservation and Azure Hybrid Benefit
discounts. Collectively, the reports show your internal and external costs for usage and Azure Market-
place charges. Other charges, such as reservation purchases, support, and taxes are not yet shown in
reports. The reports help you understand your spending and resource use and can help find spending
anomalies. Predictive analytics are also available. Cost Management uses Azure management groups,
budgets, and recommendations to show clearly how your expenses are organized and how you might
reduce costs.
You can use the Azure portal or various APIs for export automation to integrate cost data with external
systems and processes. Automated billing data export and scheduled reports are also available.
you act on the recommendations, you change the way you use your resources to save money. To act,
you first view cost optimization recommendations to view potential usage inefficiencies. Next, you act
on a recommendation to modify your Azure resource use to a more cost-effective option. Then you
verify the action to make sure that the change you make is successful.
● Exporting cost management data. If you use external systems to access or review cost management
data, you can easily export the data from Azure. And you can set a daily scheduled export in CSV
format and store the data files in Azure storage. Then, you can access the data from your external
system.
Resource Tags
You can apply tags to your Azure resources to logically organize them by categories. Each tag consists of
a name and a value. For example, you can apply the name Environment and the value Production or
Development to your resources. After creating your tags, you associate them with the appropriate
resources.
With tags in place, you can retrieve all the resources in your subscription with that tag name and value.
This means, you can retrieve related resources from different resource groups.
Perhaps one of the best uses of tags is to group billing data. When you download the usage CSV for
services, the tags appear in the Tags column. You could then group virtual machines by cost center and
production environment.
Considerations
There are a few things to consider about tagging:
● Each resource or resource group can have a maximum of 50 tag name/value pairs.
● Tags applied to the resource group are not inherited by the resources in that resource group.
✔️ If you need to create a lot of tags you will want to do that programmatically. You can use PowerShell
or the CLI.
Cost Savings
Reservations helps you save money by pre-paying for one-year or three-years of virtual machine, SQL
www.androdagger.com Telegram: @androdagger
Database compute capacity, Azure Cosmos DB throughput, or other Azure resources. Pre-paying allows
you to get a discount on the resources you use. Reservations can significantly reduce your virtual ma-
chine, SQL database compute, Azure Cosmos DB, or other resource costs up to 72% on pay-as-you-go
prices. Reservations provide a billing discount and don't affect the runtime state of your resources.
Azure Hybrid Benefits is a pricing benefit for customers who have licenses with Software Assurance,
which helps maximize the value of existing on-premises Windows Server and/or SQL Server license
investments when migrating to Azure. There is a Azure Hybrid Benefit Savings Calculator to help you
determine your savings.
Azure Credits is monthly credit benefit that allows you to experiment with, develop, and test new
solutions on Azure. For example, as a Visual Studio subscriber, you can use Microsoft Azure at no extra
charge. With your monthly Azure credit, Azure is your personal sandbox for dev/test.
Azure regions pricing can vary from one region to another, even in the US. Double check the pricing in
various regions to see if you can save a little.
Budgets help you plan for and drive organizational accountability. With budgets, you can account for the
Azure services you consume or subscribe to during a specific period. They help you inform others about
their spending to proactively manage costs, and to monitor how spending progresses over time. When
the budget thresholds you've created are exceeded, only notifications are triggered. None of your
resources are affected and your consumption isn't stopped. You can use budgets to compare and track
spending as you analyze costs.
Additionally, consider:
The Pricing Calculator9 provides estimates in all areas of Azure including compute, networking, storage,
web, and databases.
Azure Policy
Management Groups
If your organization has several subscriptions, you may need a way to efficiently manage access, policies,
and compliance for those subscriptions. Azure management groups provide a level of scope above
subscriptions. You organize subscriptions into containers called management groups and apply your
governance conditions to the management groups. Management group enable:
● Organizational alignment for your Azure subscriptions through custom hierarchies and grouping.
● Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies.
● Compliance and cost reporting by organization (business/teams).
All subscriptions within a management group automatically inherit the conditions applied to the manage-
ment group. For example, you can apply policies to a management group that limits the regions available
for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions,
and resources under that management group by only allowing VMs to be created in that region.
● The Management Group ID is the directory unique identifier that is used to submit commands on
this management group. This identifier is not editable after creation as it is used throughout the Azure
system to identify this group.
● The Display Name field is the name that is displayed within the Azure portal. A separate display
name is an optional field when creating the management group and can be changed at any time.
✔️ Do you think you will want to use Management Groups?
For more information, Organize your resources with Azure management groups10
Azure Policy
Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies
enforce different rules over your resources, so those resources stay compliant with your corporate
standards and service level agreements. Azure Policy does this by running evaluations of your resources
and scanning for those not compliant with the policies you have created.
The main advantages of Azure policy are in the areas of enforcement and compliance, scaling, and
remediation.
● Enforcement and compliance. Turn on built-in policies or build custom ones for all resource types.
Real time policy evaluation and enforcement. Periodic and on-demand compliance evaluation.
● Apply policies at scale. Apply policies to a Management Group with control across your entire
organization. Apply multiple policies and aggregate policy states with policy initiative. Define an
exclusion scope.
● Remediation. Real time remediation, and remediation on existing resources.
Azure Policy will be important to you if your team runs an environment where you need to govern:
● Multiple engineering teams (deploying to and operating in the environment)
● Multiple subscriptions
● Need to standardize/enforce how cloud resources are configured
● Manage regulatory compliance, cost control, security, or design consistency
10 https://docs.microsoft.com/en-us/azure/azure-resource-manager/management-groups-overview
● Specify a set of virtual machine SKUs that your organization can deploy.
● Restrict the locations your organization can specify when deploying resources.
● Enforce a required tag and its value.
● Audit if Azure Backup service is enabled for all Virtual machines.
For more information, Azure Policy Documentation11
Policy Definitions
There are many Built-in Policy Definitions for you to choose from. Sorting by Category will help you
locate what you need. For example,
● The Allowed Virtual Machine SKUs enables you to specify a set of virtual machine SKUs that your
organization can deploy.
● The Allowed Locations policy enables you to restrict the locations that your organization can specify
when deploying resources. This can be used to enforce your geo-compliance requirements.
If there isn't an applicable policy you can add a new Policy Definition. The easiest way to do this is to
Import a policy from GitHub12. New Policy Definitions are added almost every day.
✔️ Policy Definitions have a specific JSON format13. As a Azure Administrator you will not need to
create files in this format, but you may want to review the format, just so you are familiar.
You can select the Subscription, and then optionally a Resource Group.
Determine Compliance
Once your policy is in place you can use the Compliance blade to review non-compliant initiatives,
non-compliant policies, and non-compliant resources.
When a condition is evaluated against your existing resources and found true, then those resources are
marked as non-compliant with the policy. Although the portal does not show the evaluation logic, the
compliance state results are shown. The compliance state result is either compliant or non-compliant.
✔️ Policy evaluation happens about once an hour, which means that if you make changes to your policy
definition and create a policy assignment then it will be re-evaluated over your resources within the hour.
Concepts
● Security principal. Object that represents something that is requesting access to resources. Examples:
user, group, service principal, managed identity
● Role definition. Collection of permissions that lists the operations that can be performed. Examples:
Reader, Contributor, Owner, User Access Administrator
● Scope. Boundary for the level of access that is requested. Examples: management group, subscription,
resource group, resource
● Assignment. Attaching a role definition to a security principal at a particular scope. Users can grant
access described in a role definition by creating an assignment. Deny assignments are currently
read-only and can only be set by Azure.
Role Definitions
Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Descrip-
tion. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope
(read access, etc.) for the role. For example,
Name: Owner
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
IsCustom: False
Description: Manage everything, including access to resources
Actions: {*}
NotActions: {}
AssignableScopes: {/}
In this example the Owner role means all (asterisk) actions, no denied actions, and all (/) scopes.
The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or
resources) within which the custom role is available for assignment. You can make the custom role
available for assignment in only the subscriptions or resource groups that require it, and not clutter the
user experience for the rest of the subscriptions or resource groups.
* /subscriptions/[subscription id]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]
* /subscriptions/[subscription id]/resourceGroups/[resource group name]/
[resource]
Example 1
Make a role available for assignment in two subscriptions.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”, “/subscriptions/
e91d47c4-76f3-4271-a796-21b4ecfe3624”
Example 2
Makes a role available for assignment only in the Network resource group.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Net-
work”
Role Assignment
A role assignment is the process of attaching a role definition to a user, group, service principal, or
managed identity at a particular scope for the purpose of granting access. Access is granted by creating a
role assignment, and access is revoked by removing a role assignment.
This diagram shows an example of a role assignment. In this example, the Marketing group has been
assigned the Contributor role for the pharma-sales resource group. This means that users in the Market-
ing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users
do not have access to resources outside the pharma-sales resource group, unless they are part of another
role assignment.
Notice that access does not need to be granted to the entire subscription. Roles can also be assigned for
resource groups as well as for individual resources. In Azure RBAC, a resource inherits role assignments
from its parent resources. So if a user, group, or service is granted access to only a resource group within
a subscription, they will be able to access only that resource group and resources within it, and not the
other resources groups within the subscription.
As another example, a security group can be added to the Reader role for a resource group, but be
added to the Contributor role for a database within that resource group.
✔️ Classic administrator roles should be avoided if you are using Azure Resource Manager.
RBAC Authentication
www.androdagger.com Telegram: @androdagger
RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own
custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several
Azure AD administrator roles.
This diagram is a high-level view of how the Azure RBAC roles and Azure AD administrator roles are
related.
Do you see how Azure AD Admin roles and Azure RBAC roles work together to authenticate users?
● Role: Owner
● Select: Managers
● Save your changes.
3. Select Check access.
4. Select the user.
5. Notice the user is part of the Managers group and is an Owner.
6. Notice that you can Deny assignments.
Explore PowerShell commands
1. Open the Azure Cloud Shell.
2. Select the PowerShell drop-down.
3. List role definitions.
Get-AzRoleDefinition | FT Name, Description
Lab scenario
To improve the management of Azure resources in Contoso, you have been tasked with implementing
the following functionality:
● using management groups for the Contoso's Azure subscriptions.
● granting user permissions for submitting support requests. This user would only be able to create
support request tickets and view resource groups.
Objectives
In this lab, you will:
● Task 1: Implement Management Groups.
● Task 2: Create custom RBAC roles.
● Task 3: Assign RBAC roles.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Lab scenario
To improve management of Azure resources in Contoso, you have been tasked with implementing the
following functionality:
● tagging resource groups that include only infrastructure resources (such as Cloud Shell storage
acccounts )
● ensuring that only properly tagged infrastructure resoures can be added to infrastructure resource
groups
Objectives
In this lab, we will:
● Task 1: Create and assign tags via the Azure portal.
● Task 2: Enforce tagging via an Azure policy.
Review Question 2
You would like to categorize resources and billing for different departments like IT and HR. The billing needs
to be consolidated across multiple resource groups and you need to ensure everyone complies with the
solution. What should you do? {Choose two to complete a solution}.
Create tags for each department.
Create a billing group for each department.
Create an Azure policy.
Add the groups into a single resource group.
Create a subscription account rule.
Review Question 3
Your company financial comptroller wants to be notified whenever the company is half-way to spending the
money allocated for cloud services. What should you do? Select one.
Create an Azure reservation.
Create a budget and a spending threshold.
Create a management group.
Enter workloads in the Total Cost of Ownership calculator.
Review Question 4
Your organization has several Azure policies that they would like to create and enforce for a new branch
office. What should you do? Select one.
Review Question 5
Your manager asks you to explain how Azure uses resource groups. You provide all of the following informa-
tion, except? Select one.
Resources can be in only one resource group.
Resources can be moved from one resource group to another resource group.
Resource groups can be nested.
Role-based access control can be applied to the resource group.
Review Question 6
Which of the following would be good example of when to use a resource lock? Select one.
An ExpressRoute circuit with connectivity back to your on-premises network.
A non-production virtual machine used to test occasional application builds.
A storage account used to temporarily store images processed in a development environment.
A resource group for a new branch office that is just starting up.
Review Question 7
Your company hires a new IT administrator. She needs to manage a resource group with first-tier web
servers including assigning permissions . However, she should not have access to other resource groups
inside the subscription. You need to configure role-based access. What should you do? Select one.
Assign her as a Subscription Owner.
Assign her as a Subscription Contributor.
Assign her as a Resource Group Owner.
Assign her as a Resource Group Contributor.
Review Question 8
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new
employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your
solution must minimize administrative overhead. What should you do? Select one.
Assign the user to the Contributor role on the resource group.
Assign the user to the Contributor role on VM3.
Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
Assign the user to the Contributor role on the resource group, then assign the user to the
www.androdagger.com Telegram: @androdagger
Owner roleon VM3.
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Analyze costs and create budgets with Azure Cost Management14
● Predict costs and optimize spending for Azure15
● Control and organize Azure resources with Azure Resource Manager16
● Apply and monitor infrastructure standards with Azure Policy17
● Create custom roles for Azure resources with role-based access control18
● Manage access to an Azure subscription by using Azure role-based access control19
● Secure your Azure resources with role-based access control20
Answers
Review Question 1
You need to target policies and review spend budgets across several subscriptions you manage. What
should you do? Select one.
Create resource groups
■ Create management groups
Create billing groups
Create Azure policies
Explanation
Create management groups. Management groups can be used to organize and manage subscriptions.
Review Question 2
You would like to categorize resources and billing for different departments like IT and HR. The billing
needs to be consolidated across multiple resource groups and you need to ensure everyone complies
with the solution. What should you do? {Choose two to complete a solution}.
■ Create tags for each department.
Create a billing group for each department.
■ Create an Azure policy.
Add the groups into a single resource group.
Create a subscription account rule.
Explanation
Create tags for each department and Create an Azure policy. You should create a tag with a key:value pair
like department:HR. You can then create an Azure policy which requires the tag be applied before a resource
is created.
Review Question 3
Your company financial comptroller wants to be notified whenever the company is half-way to spending
the money allocated for cloud services. What should you do? Select one.
Create an Azure reservation.
■ Create a budget and a spending threshold.
Create a management group.
Enter workloads in the Total Cost of Ownership calculator.
Explanation
Create a budget and a spending threshold. Billing Alerts help you monitor and manage billing activity for
your Azure accounts. You can set up a total of five billing alerts per subscription, with a different threshold
and up to two email www.androdagger.com Telegram:
recipients for each alert. Monthly @androdagger
budgets are evaluated against spending every four
hours. Budgets reset automatically at the end of a period.
MCT USE ONLY. STUDENT USE PROHIBITED
Module 02 Lab and Review Questions 61
Review Question 4
Your organization has several Azure policies that they would like to create and enforce for a new branch
office. What should you do? Select one.
■ Create a policy initiative
Create a management group
Create a resource group
Create a new subscriptions
Explanation
Create a policy initiative. A policy initiative would include all the policies of interest. Once your initiative is
created, you can assign the definition to establish its scope. A scope determines what resources or grouping
of resources the policy assignment gets enforced on.
Review Question 5
Your manager asks you to explain how Azure uses resource groups. You provide all of the following
information, except? Select one.
Resources can be in only one resource group.
Resources can be moved from one resource group to another resource group.
■ Resource groups can be nested.
Role-based access control can be applied to the resource group.
Explanation
Resource groups cannot be nested.
Review Question 6
Which of the following would be good example of when to use a resource lock? Select one.
■ An ExpressRoute circuit with connectivity back to your on-premises network.
A non-production virtual machine used to test occasional application builds.
A storage account used to temporarily store images processed in a development environment.
A resource group for a new branch office that is just starting up.
Explanation
An ExpressRoute circuit with connectivity back to your on-premises network. Resource locks prevent other
users in your organization from accidentally deleting or modifying critical resources.
Review Question 7
Your company hires a new IT administrator. She needs to manage a resource group with first-tier web
servers including assigning permissions . However, she should not have access to other resource groups
inside the subscription. You need to configure role-based access. What should you do? Select one.
Assign her as a Subscription Owner.
Assign her as a Subscription Contributor.
Review Question 8
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new
employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2.
Your solution must minimize administrative overhead. What should you do? Select one.
Assign the user to the Contributor role on the resource group.
■ Assign the user to the Contributor role on VM3.
Move VM3 to a new resource group and assign the user to the Contributor role on VM3.
Assign the user to the Contributor role on the resource group, then assign the user to the
Owner roleon VM3.
Explanation
Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2.
The Contributor role will allow the user to change the settings on VM1.
Benefits
Resource Manager provides several benefits:
● You can deploy, manage, and monitor all the resources for your solution as a group, rather than
handling these resources individually.
● You can repeatedly deploy your solution throughout the development lifecycle and have confidence
your resources are deployed in a consistent state.
● You can manage your infrastructure through declarative templates rather than scripts.
● You can define the dependencies between resources so they're deployed in the correct order.
● You can apply access control to all services in your resource group because Role-Based Access Control
(RBAC) is natively integrated into the management platform.
● You can apply tags to resources to logically organize all the resources in your subscription.
● You can clarify your organization's billing by viewing costs for a group of resources sharing the same
tag.
Guidance
The following suggestions help you take full advantage of Resource Manager when working with your
solutions.
● Define and deploy your infrastructure through the declarative syntax in Resource Manager templates,
rather than through imperative commands.
● Define all deployment and configuration steps in the template. You should have no manual steps for
setting up your solution.
● Run imperative commands to manage your resources, such as to start or stop an app or machine.
Terminology
If you're new to Azure Resource Manager (ARM), there are some terms you might not be familiar with.
● resource - A manageable item that is available through Azure. Some common resources are a virtual
machine, storage account, web app, database, and virtual network, but there are many more.
● resource group - A container that holds related resources for an Azure solution. The resource group
can include all the resources for the solution, or only those resources that you want to manage as a
group. You decide how you want to allocate resources to resource groups based on what makes the
most sense for your organization.
● resource provider - A service that supplies the resources you can deploy and manage through
Resource Manager. Each resource provider offers operations for working with the resources that are
deployed. Some common resource providers are Microsoft.Compute, which supplies the virtual
machine resource, Microsoft.Storage, which supplies the storage account resource, and Microsoft.
Web, which supplies resources related to web apps.
● ARM template - A JavaScript Object Notation (JSON) file that defines one or more resources to
deploy to a resource group. It also defines the dependencies between the deployed resources. The
template can be used to deploy the resources consistently and repeatedly.
● declarative syntax - Syntax that lets you state “Here is what I intend to create” without having to
write the sequence of programming commands to create it. The Resource Manager template is an
example of declarative syntax. In the file, you define the properties for the infrastructure to deploy to
Azure.
Resource providers
Each resource provider offers a set of resources and operations for working with an Azure service. For
example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider.
This resource provider offers a resource type called vaults for creating the key vault.
The name of a resource type is in the format: {resource-provider}/{resource-type}. For example, the key
vault type is Microsoft.KeyVault/vaults.
✔️ Before getting started with deploying your resources, you should gain an understanding of the
available resource providers. Knowing the names of resource providers and resources helps you define
resources you want to deploy to Azure. Also, you need to know the valid locations and API versions for
each resource type.
Considerations
Resource Groups are at their simplest a logical collection of resources. There are a couple of small rules
for resource groups.
Lock types
There are two types of resource locks.
● Read-Only locks, which prevent any changes to the resource.
● Delete locks, which prevent deletion.
✔️ Only the Owner and User Access Administrator roles can create or delete management locks.
Moving Resources
Sometimes you may need to move resources to either a new subscription or a new resource group in the
same subscription.
When moving resources, both the source group and the target group are locked during the operation.
Write and delete operations are blocked on the resource groups until the move completes. This lock
means you can't add, update, or delete resources in the resource groups, but it doesn't mean the re-
sources are frozen. For example, if you move a virtual machine to a new resource group, an application
accessing the virtual machine experiences no downtime.
1 https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
Implementation
To move resources, select the resource group containing those resources, and then select the Move
button. Select the resources to move and the destination resource group. Acknowledge that you need to
update scripts.
✔️ Just because a service can be moved doesn’t mean there aren’t restrictions. For example, you can
move a virtual network, but you must also move its dependent resources, like gateways.
Removing Resources
You can also delete individual resources within a resource group. For example, here we are deleting a
virtual network. Notice you can change the resource group on this page.
Resource Limits
Azure provides the ability to observe the number of each network resource type that you've deployed in
your subscription and what your subscription limits are. The ability to view resource usage against limits
is helpful to track current usage, and plan for future use.
2 https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits?toc=%2fazure%2fnetworking%2ftoc.json
3. View resource lock information. Notice the LockId that will be used in the next step to delete the lock.
Get-AzResourceLock
✔️ Configure resource locks, move resources across resource groups, and remove resource groups are
part of the certification exam.
● Stay connected to the cloud and check status and critical metrics anytime, anywhere. With the
Azure mobile app, you don't need to be in front of your computer to keep an eye on your Azure
resources such as VMs and web apps. Stay connected no matter where you are from your iOS or
Android mobile device.
● Diagnose and fix issues quickly with Azure Mobile. Check for alerts, view metrics, and take correc-
tive actions to fix common issues. Restart a web app or connect to a VM directly. Be agile and respond
to issues faster with the Azure mobile app.
● Run commands to manage your Azure resources. Want to use the command line? Run ad hoc
Azure CLI or PowerShell commands from the Azure mobile app. Stay in control of your resources and
take corrective actions, like starting and stopping VMs and web apps.
Azure PowerShell is also available two ways: inside a browser via the Azure Cloud Shell, or with a local
installation on Linux, macOS, or the Windows operating system. In both cases, you have two modes from
with to choose: you can use it in interactive mode in which you manually issue one command at a time,
or in scripting mode where you execute a script that consists of multiple commands.
What is the Az module?
Az is the formal name for the Azure PowerShell module containing cmdlets to work with Azure features.
It contains hundreds of cmdlets that let you control nearly every aspect of every Azure resource. You can
work with the following features, and more:
● Resource groups
● Storage
● VMs
● Azure AD
● Containers
● Machine learning
This module is an open source component available on GitHub3.
Note: You might have seen or used Azure PowerShell commands that used an -AzureRM format. In
December 2018 Microsoft released for general availability the AzureRM module replacement with the Az
module. This new module has several features, notably a shortened cmdlet noun prefix of -Az, which
replaces AzureRM. The Az module ships with backwards compatibility for the AzureRM module, so the
-AzureRM cmdlet format will work. However, going forward you should transition to the Az module and
www.androdagger.com Telegram: @androdagger
use the -Az commands.
✔️ Bookmark the Azure PowerShell Reference4
3 https://github.com/Azure/azure-powershell
4 https://docs.microsoft.com/en-us/powershell/module/az.compute/get-azvm?view=azps-3.3.0
Cmdlets are shipped in _modules. A PowerShell module is a DLL file that includes the code to process
each available cmdlet. You load cmdlets into PowerShell by loading the module containing them. You can
get a list of loaded modules using the Get-Module command:
Get-Module
through the Install-Module command. You need an elevated PowerShell shell prompt to install modules
from the PowerShell Gallery.
Note: If at any time you receive errors about running scripts is disabled be sure to set the execution
policy.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Install the Az module
1. Open the Start menu, and type Windows PowerShell.
2. Right-click the Windows PowerShell icon, and select Run as administrator.
3. In the User Account Control dialog, select Yes.
4. Type the following command, and then press Enter. This command installs the module for all users by
default. (It's controlled by the scope parameter.) AllowClobber overwrites the previous PowerShell
module.
Install-Module -Name Az -AllowClobber
Connect-AzAccount
Azure CLI
Azure CLI is a command-line program to connect to Azure and execute administrative commands on
Azure resources. It runs on Linux, macOS, and Windows, and allows administrators and developers to
execute their commands through a terminal or a command-line prompt, (or script!) instead of a web
browser. For example, to restart a VM, you would use a command such as the following:
az vm restart -g MyResourceGroup -n MyVm
Azure CLI provides cross-platform command-line tools for managing Azure resources. You can install this
locally on computers running the Linux, macOS, or Windows operating systems. You can also use Azure
CLI from a browser through Azure Cloud Shell.
In both cases, Azure CLI can be used interactively or through scripts:
● Interactive. First, for Windows operating systems, launch a shell such as cmd.exe, or for Linux or
macOS, use Bash. Then issue the command at the shell prompt.
● Scripted. Assemble the Azure CLI commands into a shell script using the script syntax of your chosen
shell. Then execute the script.
Azure CLI lets you control nearly every aspect of every Azure resource. You can work with resource
groups, storage, VMs, Azure Active Directory (Azure AD), containers, machine learning, and so on.
Commands in the CLI are structured in groups and subgroups. Each group represents a service provided
by Azure, and the subgroups divide commands for these services into logical groupings. For example, the
storage group contains subgroups including account, blob, storage, and queue.
So, how do you find the particular commands you need? One way is to use az find. For example, if you
want to find commands that might help you manage a storage blob, you can use the following find
command:
az find -q blob
If you already know the name of the command you want, the --help argument for that command will
get you more detailed information on the command, and for a command group, a list of the available
subcommands. For example, here's how you can get a list of the subgroups and commands for managing
blob storage:
5 https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest
Note: Running Azure CLI from PowerShell has some advantages over running Azure CLI from the Win-
dows command prompt. PowerShell provides more tab completion features than the command prompt.
Login to Azure
1. Because you're working with a local Azure CLI installation, you'll need to authenticate before you can
execute Azure commands. You do this by using the Azure CLI login command:
az login
2. Azure CLI will typically launch your default browser to open the Azure sign-in page. If this doesn't
work, follow the command-line instructions and enter an authorization code at https://aka.ms/
devicelogin.
3. After a successful sign in, you'll be connected to your Azure subscription.
Create a resource group
1. You'll often need to create a new resource group before you create a new Azure service, so we'll use
resource groups as an example to show how to create Azure resources from the CLI.
2. Azure CLI group create command creates a resource group. You must specify a name and location.
The name must be unique within your subscription. The location determines where the metadata for
your resource group will be stored. You use strings like “West US”, "North Europe", or “West India” to
specify the location; alternatively, you can use single word equivalents, such as westus, northeurope,
or westindia. The core syntax is:
az group create --name <name> --location <location>
2. To get a more concise view, you can format the output as a simple table:
az group list --output table
3. If you have several items in the group list, you can filter the return values by adding a query option.
Try this command:
az group list --query "[?name == '<rg name>']"
ARM Templates
Template Advantages
An Azure Resource Manager template precisely defines all the Resource Manager resources in a
deployment. You can deploy a Resource Manager template into a resource group as a single operation.
Using Resource Manager templates will make your deployments faster and more repeatable. For exam-
ple, you no longer have to create a VM in the portal, wait for it to finish, and then create the next VM.
Resource Manager takes care of the entire deployment for you.
Template Benefits
● Templates improve consistency. Resource Manager templates provide a common language for you
and others to describe your deployments. Regardless of the tool or SDK that you use to deploy the
template, the structure, format, and expressions inside the template remain the same.
● Templates help express complex deployments. Templates enable you to deploy multiple resources
in the correct order. For example, you wouldn't want to deploy a virtual machine prior to creating an
operating system (OS) disk or network interface. Resource Manager maps out each resource and its
dependent resources, and creates dependent resources first. Dependency mapping helps ensure that
the deployment is carried out in the correct order.
● Templates reduce manual, error-prone tasks. Manually creating and connecting resources can be
time consuming, and it's easy to make mistakes. Resource Manager ensures that the deployment
happens the same way every time.
● Templates are code. Templates express your requirements through code. Think of a template as a
type of Infrastructure as Code that can be shared, tested, and versioned similar to any other piece of
software. Also, because templates are code, you can create a “paper trail” that you can follow. The
template code documents the deployment. Most users maintain their templates under some kind of
revision control, such as GIT. When you change the template, its revision history also documents how
the template (and your deployment) has evolved over time.
● Templates promote reuse. Your template can contain parameters that are filled in when the template
runs. A parameter can define a username or password, a domain name, and so on. Template parame-
ters enable you to create multiple versions of your infrastructure, such as staging and production,
while still utilizing the exact same template.
● Templates are linkable. You can link Resource Manager templates together to make the templates
themselves modular. You can write small templates that each define a piece of a solution, and then
combine them to create a complete system.
● Templates simplify orchestration. You only need to deploy the template to deploy all of your
resources. Normally this would take multiple operations.
● A Boolean expression
● A list of values
● An object (which is a collection of other key-value pairs)
A Resource Manager template can contain sections that are expressed using JSON notation, but are not
related to the JSON language itself:
{
"$schema": "http://schema.management.azure.com/schemas/2019-04- 01/deploymentTemplate.
json#",
"contentVersion": "",
"parameters": {},
"variables": {},
"functions": [],
"resources": [],
"outputs": {}
}
6 https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates
Template Parameters
In the parameters section of the template, you specify which values you can input when deploying the
resources.
The available properties for a parameter are:
"parameters": {
"<parameter-name>" : {
"type" : "<type-of-parameter-value>",
"defaultValue": "<default-value-of-parameter>",
"allowedValues": [ "<array-of-allowed-values>" ],
"minValue": <minimum-value-for-int>,
"maxValue": <maximum-value-for-int>,
"minLength": <minimum-length-for-string-or-array>,
"maxLength": <maximum-length-for-string-or-array-parameters>,
"metadata": {
"description": "<description-of-the parameter>"
}
}
}
Here's an example that illustrates two parameters: one for a virtual machine's (VM's) username, and one
for its password:
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
}
}
✔️ You're limited to 256 parameters in a template. You can reduce the number of parameters by using
objects that contain multiple properties.
Template Variables
www.androdagger.com Telegram: @androdagger
This template section is where you define values that are used throughout the template. Variables can
help make your templates easier to maintain. For example, you might define a storage account name one
time as a variable, and then use that variable throughout the template. If the storage account name
changes, you need to only update the variable once.
Here's an example that illustrates a few variables that describe networking features for a VM:
"variables": {
"nicName": "myVMNic",
"addressPrefix": "10.0.0.0/16",
"subnetName": "Subnet",
"subnetPrefix": "10.0.0.0/24",
"publicIPAddressName": "myPublicIP",
"virtualNetworkName": "MyVNET"
}
Template Functions
This section is where you define procedures that you don't want to repeat throughout the template.
Similar to variables, functions can help make your templates easier to maintain.
When defining a user function, there are some restrictions:
● The function can't access variables.
● The function can only use parameters that are defined in the function. When you use the parameters
function within a user-defined function, you're restricted to the parameters for that function.
● The function can't call other user-defined functions.
● The function can't use the reference function.
● Parameters for the function can't have default values.
Here's a function that creates a unique name. You could use this function when creating resources that
have globally unique naming requirements.
"functions": [
{
"namespace": "contoso",
"members": {
"uniqueName": {
"parameters": [
{
"name": "namePrefix",
"type": "string"
}
],
"output": {
"type": "string",
"value": "[concat(toLower(parameters('namePrefix')), uniqueString(resourceGroup().id))]"
}
}
}
}
],
{
"type": "Microsoft.Network/publicIPAddresses",
"name": "[variables('publicIPAddressName')]",
"location": "[parameters('location')]",
"apiVersion": "2018-08-01",
"properties": {
"publicIPAllocationMethod": "Dynamic",
"dnsSettings": {
"domainNameLabel": "[parameters('dnsLabelPrefix')]"
}
}
}
Template Outputs
This section is where you define any information you'd like to receive when the template runs. For
example, you might want to receive your VM's IP address or fully qualified domain name (FQDN),
information you do not know until the deployment runs.
Here is the structure of an output definition:
"outputs": {
"<output-name>": {
"condition": "<boolean-value-whether-to-output-value>",
"type": "<type-of-output-value>",
"value": "<output-value-expression>",
"copy": {
"count": <number-of-iterations>,
"input": <values-for-the-variable>
}
}
}
Here's an example that illustrates an output named hostname. The FQDN value is read from the VM's
public IP address settings:
✔️ It is a good practice to comment your templates. For inline comments, you can comment a single line
with //. You can comment a block of lines with /* ... */. This can vary across different tools so be sure to
check what works for you.
QuickStart Templates
Azure Quickstart templates7 are Resource Manager templates provided by the Azure community.
Templates provide everything you need to deploy your solution, while others might serve as a starting
point for your template. Either way, you can study these templates to learn how to best author and
structure your own templates.
● The README.md file provides an overview of what the template does.
● The azuredeploy.json file defines the resources that will be deployed.
● The azuredeploy.parameters.json file provides the values the template needs.
✔️ Take a few minutes to browse the available templates. Anything of interest?
7 https://azure.microsoft.com/en-us/resources/templates/
8 https://azure.microsoft.com/resources/templates?azure-portal=true
9 https://azure.microsoft.com/resources/templates/101-vm-simple-windows?azure-portal=true
Note: The Deploy to Azure button enables you to deploy the template directly through the Azure portal
if you wish.
Note: Scroll-down to the Use the template PowerShell code. You will need the TemplateURI in the next
demo. Copy the value. For example,
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/mas-
ter/101-vm-simple-windows/azuredeploy.json
Get-AzContext
Set-AzContext -subscription < your subscription ID >
10 https://github.com/Microsoft/PartsUnlimited/blob/master/build.ps1?azure-portal=true
Get-AzVM -Name < your VM name i.e. SimpleWinVM > -resourcegroupname < your resource group
name >
3. You can also list the VMs in your subscription with the Get-AzVM -Status command. This can also
specify a VM with the -Name property. In the following example, we assign it to a PowerShell variable:
$vm = Get-AzVM -Name < your VM name i.e. SimpleWinVM > -ResourceGroupName < your resource
group name >
4. The interesting thing is that this is an object you can interact with. For example, you can take that
object, make changes, and then push changes back to Azure with the Update-AzVM command:
$ResourceGroupName = "ExerciseResources"
$vm = Get-AzVM -Name MyVM -ResourceGroupName $ResourceGroupName
$vm.HardwareProfile.vmSize = "Standard_A3"
Note: Depending on your datacenter location, you could receive an error related to the VM size not
being available in your region. You can modify the vmSize value to one that is available in your region.
✔️ PowerShell's interactive mode is appropriate for one-off tasks. In our example, we'll likely use the
same resource group for the lifetime of the project, which means that creating it interactively is reasona-
ble. Interactive mode is often quicker and easier for this task than writing a script and then executing it
only once.
Lab scenario
You need to explore the basic Azure administration capabilities associated with provisioning resources
and organizing them based on resource groups, including moving resources between resource groups.
You also want to explore options for protecting disk resources from being accidentally deleted, while still
allowing for modifying their performance characteristics and size.
Objectives
In this lab, we will:
● Task 1: Create resource groups and deploy resources to resource groups.
● Task 2: Move resources between resource groups.
● Task 3: Implement and test resource locks.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Lab scenario
Now that you explored the basic Azure administration capabilities associated with provisioning resources
and organizing them based on resource groups by using the Azure portal, you need to carry out the
equivalent task by using Azure Resource Manager templates.
Objectives
In this lab, you will:
● Task 1: Review an ARM template for deployment of an Azure managed disk.
● Task 2: Create an Azure managed disk by using an ARM template.
Lab scenario
Now that you explored the basic Azure administration capabilities associated with provisioning resources
and organizing them based on resource groups by using the Azure portal and Azure Resource Manager
templates, you need to carry out the equivalent task by using Azure PowerShell. To avoid installing Azure
PowerShell modules, you will leverage PowerShell environment available in Azure Cloud Shell.
Objectives
In this lab, you will:
● Task 1: Start a PowerShell session in Azure Cloud Shell.
● Task 2: Create a resource group and an Azure managed disk by using Azure PowerShell.
● Task 3: Configure the managed disk by using Azure PowerShell.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Lab scenario
Now that you explored the basic Azure administration capabilities associated with provisioning resources
and organizing them based on resource groups by using the Azure portal, Azure Resource Manager
templates, and Azure PowerShell, you need to carry out the equivalent task by using Azure CLI. To avoid
installing Azure CLI, you will leverage Bash environment available in Azure Cloud Shell.
Objectives
In this lab, you will:
● Task 1: Start a Bash session in Azure Cloud Shell.
Review Question 2
Which of the following is not true about the Cloud Shell?
Authenticates automatically for instant access to your resources.
Each user account can be assigned multiple machines.
Provides both Bash and PowerShell sessions.
Provides an editor.
Requires an Azure file share.
Review Question 3
You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which of
the following commands would you do first?
Connect-AzAccount
Get-AzResourceGroup
Get-AzSubscription
New-AzResourceGroup
Review Question 4
You have a new Azure subscription and need to move resoures to that subscription. Which of the following
resources cannot be moved? Select one.
Key vault
Storage account
Tenant
www.androdagger.com Telegram: @androdagger
Virtual machine
Review Question 5
Which of the following is not an element in the template schema? Select one.
Functions
Inputs
Outputs
Parameters
Review Question 6
Which of the following best describes the format of an Azure Resource Manager template? Select one.
A Markdown document with a pointer table
A JSON document with key-value pairs
A TXT document with key-value pairs
An XML document with element-value pairs
Review Question 7
You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual
machines in the US East region. Which of the following provides the easiest solution? Select one.
Add another resource group
Change your subscription plan
Request support increase your limit
Resize your virtual machines to handle larger workloads
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Core Cloud Services - Manage services with the Azure portal11
● Control and organize Azure resources with Azure Resource Manager12
● Build Azure Resource Manager templates13
● Automate Azure tasks using scripts with PowerShell14
● Manage virtual machines with the Azure CLI15
Answers
Review Question 1
You are creating a new resource group to use for testing. Which two of the following parameters are
required when you create a resource group with PowerShell or the CLI? Select two.
■ Location
■ Name
Region
Subscription
Tag
Explanation
Location and Name are required by PowerShell (New-AzResourceGroup) and the CLI (az group create).
Review Question 2
Which of the following is not true about the Cloud Shell?
Authenticates automatically for instant access to your resources.
■ Each user account can be assigned multiple machines.
Provides both Bash and PowerShell sessions.
Provides an editor.
Requires an Azure file share.
Explanation
Each user account can be assigned multiple machines, is not true. The cloud shell is assigned one machine
per user account.
Review Question 3
You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which
of the following commands would you do first?
■ Connect-AzAccount
Get-AzResourceGroup
Get-AzSubscription
New-AzResourceGroup
Explanation
Connect-AzAccount. When you are working locally you are not automatically logged in to Azure. So, the
first thing you should do is to connect to Azure and provide your credentials.
Review Question 4
You have a new Azure subscription and need to move resoures to that subscription. Which of the follow-
ing resources cannot be moved? Select one.
Key vault
Storage account
■ Tenant
Virtual machine
Explanation
Tenant. A tenant cannot be moved between subscriptions.
Review Question 5
Which of the following is not an element in the template schema? Select one.
Functions
■ Inputs
Outputs
Parameters
Explanation
Inputs. Inputs is not a part of the template schema.
Review Question 6
Which of the following best describes the format of an Azure Resource Manager template? Select one.
A Markdown document with a pointer table
■ A JSON document with key-value pairs
A TXT document with key-value pairs
An XML document with element-value pairs
Explanation
A JSON document with key-value pairs. An Azure Resource Template is a JSON document with key-value
pairs.
Review Question 7
You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual
machines in the US East region. Which of the following provides the easiest solution? Select one.
Add another resource group
Change your subscription plan
■ Request support increase your limit
Virtual Networks
Azure Networking Components
A major incentive for adopting cloud solutions such as Azure is to enable information technology (IT)
departments to move server resources to the cloud. This can save money and simplify operations by
removing the need to maintain expensive datacenters with uninterruptible power supplies, generators,
multiple fail-safes, clustered database servers, and so on. For small and medium-sized companies, which
might not have the expertise to maintain their own robust infrastructure, moving to the cloud is particu-
larly appealing.
Once the resources are moved to Azure, they require the same networking functionality as an on-premis-
es deployment, and in specific scenarios require some level of network isolation. Azure networking
components offer a range of functionalities and services that can help organizations design and build
cloud infrastructure services that meet their requirements. Azure has many networking components.
Virtual Networks
An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical
isolation of the Azure cloud dedicated to your subscription. You can use VNets to provision and manage
virtual private networks (VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with
your on-premises IT infrastructure to create hybrid or cross-premises solutions. Each VNet you create has
its own CIDR block and can be linked to other VNets and on-premises networks if the CIDR blocks do not
overlap. You also have control of DNS server settings for VNets, and segmentation of the VNet into
subnets.
● Create a dedicated private cloud-only VNet. Sometimes you don't require a cross-premises config-
uration for your solution. When you create a VNet, your services and VMs within your VNet can
communicate directly and securely with each other in the cloud. You can still configure endpoint
connections for the VMs and services that require internet communication, as part of your solution.
● Securely extend your data center With VNets. You can build traditional site-to-site (S2S) VPNs to
securely scale your datacenter capacity. S2S VPNs use IPSEC to provide a secure connection between
your corporate VPN gateway and Azure.
● Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud
scenarios. You can securely connect cloud-based applications to any type of on-premises system such
as mainframes and Unix systems.
For more information, Virtual Network Documentation1.
Subnets
A virtual network can be segmented into one or more subnets. Subnets provide logical divisions within
your network. Subnets can help improve security, increase performance, and make it easier to manage
the network.
Each subnet contains a range of IP addresses that fall within the virtual network address space. Each
subnet must have a unique address range, specified in CIDR format. The address range cannot overlap
with other subnets in the virtual network in the same subscription.
Considerations
● Service requirements. Each service directly deployed into virtual network has specific requirements
for routing and the types of traffic that must be allowed into and out of subnets. A service may
require, or create, their own subnet, so there must be enough unallocated space for them to do so.
For example, if you connect a virtual network to an on-premises network using an Azure VPN Gate-
way, the virtual network must have a dedicated subnet for the gateway.
● Virtual appliances. Azure routes network traffic between all subnets in a virtual network, by default.
You can override Azure's default routing to prevent Azure routing between subnets, or to route traffic
between subnets through a network virtual appliance. So, if you require that traffic between resources
in the same virtual network flow through a network virtual appliance (NVA), deploy the resources to
different subnets.
● Service endpoints. You can limit access to Azure resources such as an Azure storage account or
www.androdagger.com Telegram: @androdagger
Azure SQL database, to specific subnets with a virtual network service endpoint. Further, you can deny
access to the resources from the internet. You may create multiple subnets, and enable a service
endpoint for some subnets, but not others.
1 https://docs.microsoft.com/en-us/azure/virtual-network/
● Network security groups. You can associate zero or one network security group to each subnet in a
virtual network. You can associate the same, or a different, network security group to each subnet.
Each network security group contains rules, which allow or deny traffic to and from sources and
destinations.
✔️ Azure reserves the first three IP addresses and the last IP address in each subnet address range.
✔️ Always plan to use an address space that is not already in use in your organization, either on-premis- es
or in other VNets. Even if you plan for a VNet to be cloud-only, you may want to make a VPN connec-
tion to it later. If there is any overlap in address spaces at that point, you will have to reconfigure or
recreate the VNet. The next lesson will focus on IP addressing.
6. Return to the portal and verify your new virtual network with subnet was created.
IP Addressing
IP Addressing
You can assign IP addresses to Azure resources to communicate with other Azure resources, your
on-premises network, and the Internet. There are two types of IP addresses you can use in Azure. Virtual
networks can contain both public and private IP address spaces.
1. Private IP addresses: Used for communication within an Azure virtual network (VNet), and your
on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to
Azure.
2. Public IP addresses: Used for communication with the Internet, including Azure public-facing
services.
IP Version. Select IPv4 or IPv6 or Both. Selecting Both will result in 2 Public IP addresses being create- 1
IPv4 address and 1 IPv6 address.
SKU. You cannot change the SKU after the public IP address is created. A standalone virtual machine,
virtual machines within an availability set, or virtual machine scale sets can use Basic or Standard SKUs.
Mixing SKUs between virtual machines within availability sets or scale sets or standalone VMs is not
allowed.
Name. The name must be unique within the resource group you select.
IP address assignment
● Dynamic. Dynamic addresses are assigned only after a public IP address is associated to an Azure
resource, and the resource is started for the first time. Dynamic addresses can change if they're
assigned to a resource, such as a virtual machine, and the virtual machine is stopped (deallocated),
and then restarted. The address remains the same if a virtual machine is rebooted or stopped (but not
deallocated). Dynamic addresses are released when a public IP address resource is dissociated from a
resource it is associated to.
● Static. Static addresses are assigned when a public IP address is created. Static addresses are not
released until a public IP address resource is deleted. If the address is not associated to a resource,
you can change the assignment method after the address is created. If the address is associated to a
resource, you may not be able to change the assignment method. If you select IPv6 for the IP version,
the assignment method must be Dynamic for Basic SKU. Standard SKU addresses are Static for both
IPv4 and IPv6.
Public IP Addresses
A public IP address resource can be associated with virtual machine network interfaces, internet-facing
load balancers, VPN gateways, and application gateways.
Address SKUs
When you create a public IP address you are given a SKU choice of either Basic or Standard. Your SKU
choice affects the IP assignment method, security, available resources, and redundancy. This table
summarizes the differences.
Private IP Addresses
A private IP address resource can be associated with virtual machine network interfaces, internal load
balancers, and application gateways. Azure can provide an IP address (dynamic assignment) or you can
assign the IP address (static assignment).
Subnets
You can assign NSGs to subnets and create protected screened subnets (also called a DMZ). These NSGs
can restrict traffic flow to all the machines that reside within that subnet. Each subnet can have zero, or
one, associated network security groups.
Network Interfaces
You can assign NSGs to a NIC so that all the traffic that flows through that NIC is controlled by NSG rules.
Each network interface that exists in a subnet can have zero, or one, associated network security groups.
Associations
When you create an NSG the Overview blade provides information about the NSG such as, associated
subnets, associated network interfaces, and security rules.
✔️ Generally, this is used for specific VMs with Network Virtual Appliances (NVAs) roles, otherwise it is
recommended to link NSG to the subnet level and re-use across your VNETs and subnets.
For more information, Network Security Groups2.
NSG Rules
Security rules in network security groups enable you to filter the type of network traffic that can flow in
and out of virtual network subnets and network interfaces. Azure creates several default security rules
within each network security group.
You can add more rules by specifying Name, Priority, Port, Protocol (Any, TCP, UDP), Source (Any, IP
Addresses, Service tag), Destination (Any, IP Addresses, Virtual Network), and Action (Allow or Deny). You
2 https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Inbound rules
There are three default inbound security rules. The rules deny all inbound traffic except from the virtual
network and Azure load balancers.
Outbound rules
There are three default outbound security rules. The rules only allow outbound traffic to the Internet and
the virtual network.
In the above example if there was incoming traffic on port 80, you would need to have the NSG at subnet
level ALLOW port 80, and you would also need another NSG with ALLOW rule on port 80 at the NIC level.
For incoming traffic, the NSG set at the subnet level is evaluated first, then the NSG set at the NIC level is
evaluated. For outgoing traffic, it is the converse.
If you have several NSGs and are not sure which security rules are being applied, you can use the Effec-
tive security rules link. For example, you could verify the security rules being applied to a network
interface.
Service. The service specifies the destination protocol and port range for this rule. You can choose a
predefined service, like HTTPS and SSH. When you select a service the Port range is automatically com-
pleted. Choose custom to provide your own port range.
Port ranges. If you choose a custom service then provide a single port, such as 80; a port range, such as
1024-65635; or a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535. This
specifies on which ports traffic will be allowed or denied by this rule. Provide an asterisk (*) to allow traffic
on any port.
Priority. Rules are processed in priority order. The lower the number, the higher the priority. We recom-
mend leaving gaps between rules – 100, 200, 300, etc. This is so it is easier to add new rules without
editing existing rules. Enter a value between 100-4096 that is unique for all security rules within the
network security group.
In the illustration, NIC1 and NIC2 are members of the AsgWeb ASG. NIC3 is a member of the AsgLogic
ASG. NIC4 is a member of the AsgDb ASG. Though each network interface in this example is a member of
only one ASG, a network interface can be a member of multiple ASGs, up to the Azure limits. None of the
network interfaces have an associated network security group. NSG1 is associated to both subnets and
contains the following rules:
● Allow-HTTP-Inbound-Internet
● Deny-Database-All
● Allow-Database-BusinessLogic
The rules that specify an ASG as the source or destination are only applied to the network interfaces that
are members of the ASG. If the network interface is not a member of an ASG, the rule is not applied to
● All network interfaces assigned to an ASG have to exist in the same virtual network that the first
network interface assigned to the ASG is in. For example, if the first network interface assigned to an
ASG named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces
assigned to ASGWeb must exist in VNet1. You cannot add network interfaces from different virtual
networks to the same ASG.
● If you specify an ASG as the source and destination in a security rule, the network interfaces in both
ASGs must exist in the same virtual network. For example, if AsgLogic contained network interfaces
from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as
the source and AsgDb as the destination in a rule. All network interfaces for both the source and
destination ASGs need to exist in the same virtual network.
Demonstration - NSGs
In this demonstration, you will explore NSGs and service endpoints.
Access the NSGs blade
1. Access the Azure Portal.
2. Search for and access the Network Security Groups blade.
3. If you have virtual machines, you may already have NSGs. Notice the ability to filter the list.
Add a new NSG
1. + Add a network security group.
Azure Firewall
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual
Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted
cloud scalability. You can centrally create, enforce, and log application and network connectivity policies
across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual
network resources allowing outside firewalls to identify traffic originating from your virtual network. The
service is fully integrated with Azure Monitor for logging and analytics.
1. Create the network infrastructure. In this case, we have one virtual network with three subnets.
2. Deploy the firewall. The firewall is associated with the virtual network. In this case, it is in a separate
subnet with a public and private IP address. The private IP address will be used in a new routing table.
3. Create a default route. Create a routing table to direct network workload traffic to the firewall. The
route will be associated with the workload subnet. All traffic from that subnet will be routed to the
firewall's private IP address.
4. Configure an application rule.
In production deployments, a Hub and Spoke model3 is recommended, where the firewall is in its own
VNET, and workload servers are in peered VNETs in the same region with one or more subnets.
Firewall Rules
There are three kinds of rules that you can configure in the Azure Firewall. Remember, by default, Azure
Firewall blocks all traffic, unless you enable it.
NAT Rules
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter
inbound traffic to your subnets. Each rule in the NAT rule collection is used to translate your firewall
public IP and port to a private IP and port. Scenarios where NAT rules might be helpful are publishing
SSH, RDP, or non-HTTP/S applications to the Internet. A NAT rule that routes traffic must be accompa-
nied by a matching network rule to allow the traffic. Configuration settings include:
● Name: A label for the rule.
www.androdagger.com Telegram: @androdagger
● Protocol: TCP or UDP.
● Source Address: * (Internet), a specific Internet address, or a CIDR block.
3 https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
● Destination Address: The external address of the firewall that the rule will inspect.
● Destination Ports: The TCP or UDP ports that the rule will listen to on the external IP address of the
firewall.
● Translated Address: The IP address of the service (virtual machine, internal load balancer, and so on)
that privately hosts or presents the service.
● Translated Port: The port that the inbound traffic will be routed to by the Azure Firewall.
Network Rules
Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule. For
example, if if resources in one subnet must communicate with resources in another subnet, then you
would configure a network rule from the source to the destination. Configuration settings include:
● Name: A friendly label for the rule.
● Protocol: This can be TCP, UDP, ICMP (ping and traceroute) or Any.
● Source Address: The address or CIDR block of the source.
● Destination Addresses: The addresses or CIDR blocks of the destination(s).
● Destination Ports: The destination port of the traffic.
Application Rules
Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. For
example, specify the Windows Update network traffic through the firewall. Configuration settings include:
● Name: A friendly label for the rule.
● Source Addresses: The IP address of the source.
● Protocol:Port: Whether this is for HTTP/HTTPS and the port that the web server is listening on.
● Target FQDNs: The domain name of the service, such as www.contoso.com. Note that wildcards can
be used. An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with
well known Microsoft services. Example FQDN tags include Windows Update, App Service Environ-
ment, and Azure Backup.
Rule Processing
When a packet is being inspected to determine if it is allowed or not the rules are processed in this order:
1. Network Rules
2. Application Rules (network and application)
The rules are terminating. Once a positive match is found, allowing the traffic through, no more rules are
checked.
Azure DNS
Domains and Custom Domains
Initial domain name
By default, when you create an Azure subscription an Azure AD domain is created for you. This instance
of the domain has initial domain name in the form domainname.onmicrosoft.com. The initial domain
name, while fully functional, is intended primarily to be used as a bootstrapping mechanism until a
custom domain name is verified.
4 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-domains-manage-azure-portal
So, after adding the custom domain name, you must demonstrate ownership of the domain name. This is
called verification. and is done by adding a DNS record (MX or TXT) that is provided by Azure into your
company’s DNS zone. Once this record is added, Azure will query the DNS domain for the presence of
the record. This could take several minutes or several hours. If Azure verifies the presence of the DNS
record, it will then add the domain name to the subscription.
Considerations
● The name of the zone must be unique within the resource group, and the zone must not exist already.
● The same zone name can be reused in a different resource group or a different Azure subscription.
● Where multiple zones share the same name, each instance is assigned different name server address-
es.
● Only one set of addresses can be configured with the domain name registrar.
✔️ You do not have to own a domain name to create a DNS zone with that domain name in Azure DNS.
However, you do need to own the domain to configure the domain.
DNS Delegation
To delegate your domain to Azure DNS, you first need to know the name server names for your zone.
Each time a DNS zone is created Azure DNS allocates name servers from a pool. Once the Name Servers
are assigned, Azure DNS automatically creates authoritative NS records in your zone.
Once the DNS zone is created, and you have the name servers, you need to update the parent domain.
Each registrar has their own DNS management tools to change the name server records for a domain. In
the registrar’s DNS management page, edit the NS records and replace the NS records with the ones
Azure DNS created.
✔️ When delegating a domain to Azure DNS, you must use the name server names provided by Azure
DNS. You should always use all four name server names, regardless of the name of your domain.
Child Domains
If you want to set up a separate child zone, you can delegate a sub-domain in Azure DNS. For example,
after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.
contoso.com.
Setting up a sub-domain follows the same process as typical delegation. The only difference is that NS
records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain
registrar.
✔️ The parent and child zones can be in the same or different resource group. Notice that the record set
name in the parent zone matches the child zone name, in this case partners.
You can add up to 20 records to any record set. A record set cannot contain two identical records. Empty
record sets (with zero records) can be created, but do not appear on the Azure DNS name servers. Record
sets of type CNAME can contain one record at most.
The Add record set page will change depending on the type of record you select. For an A record, you
will need the TTL (Time to Live) and IP address. The time to live, or TTL, specifies how long each record is
cached by clients before being requeried.
If you specify a registration virtual network, the DNS records for the VMs from that virtual network that
are registered to the private zone are not viewable or retrievable from the Azure Powershell and Azure
CLI APIs, but the VM records are indeed registered and will resolve successfully.
internet. Furthermore, for the VMs within the VNET, you need Azure to automatically register them into
the DNS zone.
In this scenario, VNET1 contains two VMs (VM1 and VM2). Each of these VMs have Private IPs. So, if you
create a Private Zone named contoso.com and link this virtual network as a Registration virtual network,
Azure DNS will automatically create two A records in the zone. Now, DNS queries from VM1 to resolve
VM2.contoso.com will receive a DNS response that contains the Private IP of VM2. Furthermore, a
Reverse DNS query (PTR) for the Private IP of VM1 (10.0.0.1) issued from VM2 will receive a DNS response
that contains the FQDN of VM1, as expected.
With this setup, you will observe the following behavior for forward and reverse DNS queries:
1. DNS queries across the virtual networks are resolved. A DNS query from a VM in the Resolution
www.androdagger.com Telegram: @androdagger
VNet, for a VM in the Registration VNet, will receive a DNS response containing the Private IP of VM.
2. Reverse DNS queries are scoped to the same virtual network. A Reverse DNS (PTR) query from a
VM in the Resolution virtual network, for a VM in the Registration VNet, will receive a DNS response
containing the FQDN of the VM. But, a reverse DNS query from a VM in the Resolution VNet, for a
VM in the same VNet, will receive NXDOMAIN.
● Name: contoso.internal.com
● Subscription: <your subscription>
● Resource group: Select or create a resource group
● Location: Select your Location
4. Wait for the DNS zone to be created.
5. You may need to Refresh the page.
Add a DNS record set
1. Select +Record Set.
2. Use the Type drop-down to view the different types of records.
3. Notice how the required information changes as you change record types.
4. Change the Type to A and enter these values.
● Name: ARecord
● IP Address: 1.2.3.4
5. Notice you can add other records.
6. Click OK to save your record.
7. Refresh the page to observe the new record set.
8. Make a note of your resource group name.
Use PowerShell to view DNS information
1. Open the Cloud Shell.
2. Get information about your DNS zones. Notice the name servers and number of record sets.
Get-AzDnsZone -Name "contoso.internal.com" -ResourceGroupName <resourcegroupname>
5 https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
Lab scenario
You need to explore Azure virtual networking capabilities. To start, you plan to create a virtual network in
Azure that will host a couple of Azure virtual machines. Since you intend to implement network-based
segmentation, you will deploy them into different subnets of the virtual network. You also want to make
sure that their private and public IP addresses will not change over time. To comply with Contoso security
requirements, you need to protect public endpoints of Azure virtual machines accessible from Internet.
Finally, you need to implement DNS name resolution for Azure virtual machines both within the virtual
network and from Internet.
Review Question 2
You are planning to configure networking in Microsoft Azure. Your company has a new Microsoft Azure
presence with the following network characteristics:
● 1 Virtual Network.
● 1 subnet using 192.168.0.0/23 (does not have existing resources).
The company intends to use 192.168.1.0/24 on-premises and 192.168.0.0/24 in Azure. You need to update
your company's environment to enable the needed functionality. What should you do? (Each answer
represents part of the solution. Choose two.)
Delete 192.168.0.0/23 from Azure.
Delete 192.168.1.0/24 in the on-premises environment.
Review Question 3
You are planning your Azure network implementation to support your company's migration to Azure. Your
first task is to prepare for the deployment of the first set of VMs. The first set of VMs that you are deploying
have the following requirements:
● Consumers on the internet must be able to communicate directly with the web application on the
VMs.
● The IP configuration must be zone redundant.
You need to configure the environment to prepare for the first VM. Additionally, you need to minimize costs,
whenever possible, while still meeting the requirements. What should you do? Select one.
Create a standard public IP address. During the creation of the first VM, associate the
public P
I address with the VM's NIC.
Create a standard public IP address. After the first VM is created, remove the private IP
address a
n
dassign the public IP address to the NIC.
Create a basic public IP address. During the creation of the first VM, associate the public IP address
with the VM.
Create a basic public IP address. After the first VM is created, remove the private IP address
and assignthe public IP address to the NIC.
Review Question 4
You deploy a new domain named contoso.com to domain controllers in Azure. You have the following
domain-joined VMs in Azure:
● VM1 at 10.20.30.10
● VM2 at 10.20.30.11
● VM3 at 10.20.30.12
● VM99 at 10.20.40.101
You need to add DNS records so that the hostnames resolve to their respective IP addresses. Additionally,
you need to add a DNS record so that intranet.contoso.com resolves to VM99. What should you do? (Each
answer presents part of the solution. Choose two.)
Add AAAA records for each VM.
Add A records for each VM.
Add a TXT record for intranet.contoso.com with the text of VM99.contoso.com.
Add an SRV record for intranet.contoso.com with the target pointing at VM99.contoso.com
Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com.
Review Question 5
Your company is preparing to move some services and VMs to Microsoft Azure. The company has opted to
use Azure DNS to provide name resolution. A project begins to configure the name resolution. The project
identifies the following requirements:
● A new domain will be used.
● The domain will have DNS records for internal and external resources.
● Minimize ongoing administrative overhead.
You need to prepare and configure the environment with a new domain name and a test hostname of
WWW. Which of the following steps should you perform? (Each answer presents part of the solution. Choose
three.)
Register a domain name with a domain registrar.
Register a domain name with Microsoft Azure.
Delegate the new domain name to Azure DNS.
Add an Address (A) record for Azure name servers in the zone.
Add DNS glue records to point to the Azure name servers.
Add a record for WWW.
Review Question 6
You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2 is
connected to the 10.20.8.0/24 subnet. You plan to update the VM configuration to provide the following
functionality:
● Enable direct communication from the internet to TCP port 443.
● Maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24 subnets.
● Maintain a simple configuration whenever possible.
You need to update the VM configuration to support the new functionality. What should you do? Select one.
Remove the private IP address from NIC2 and then assign a public IP address to it. Then, create an
inbound security rule.
Add a third NIC and associate a public IP address to it. Then, create an inbound security rule.
Associate a public IP address to NIC2 and create an inbound security rule.
Create an inbound security rule for TCP port 443.
Review Question 7
You're currently using network security groups (NSGs) to control how your network traffic flows in and out of
your virtual network subnets and network interfaces. You want to customize how your NSGs work. For all
incoming traffic, you need to apply your security rules to both the virtual machine and subnet level.
Which of the following options will let you accomplish this? (Choose two)
Configure the AllowVNetInBound security rule for all new NSGs.
Create rules for both NICs and subnets with an allow action.
Delete the default rules.
Add rules with a higher priority than the default rules.
Review Question 8
You need to ensure that Azure DNS can resolve names for your registered domain. What should you
implement? Select one.
zone delegation
a CNAME record
an MX record
a secondary zone
a primary zone with a NS record
Review Question 9
You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the
firewall. Which of the following should you use?
Application rules
Destination inbound rules
NAT rules
Network rules
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Networking Fundamentals - Principals7
● Design an IP addressing schema for your Azure deployment8
● Secure and isolate access to Azure resources by using network security groups and service
endpoints9
Answers
Review Question 1
Your company has an existing Azure tenant named alpineskihouse.onmicrosoft.com. The company wants
to start using alpineskihouse.com for their Azure resources. You add a custom domain to Azure.
Now, you need to add a DNS record to prepare for verifying the custom domain. Which two of the
following record types could you create?
Add an PTR record to the DNS zone.
■ Add a TXT record to the DNS zone.
■ Add an MX record to the DNS zone.
Add an SRV record to the DNS zone.
Add a CNAME record to the DNS zone.
Explanation
By default, Azure will prompt you to create a custom TXT record in your DNS zone to verify a custom
domain. Optionally, you can use an MX record instead. The result is the same. Other record types are not
supported.
Review Question 2
You are planning to configure networking in Microsoft Azure. Your company has a new Microsoft Azure
presence with the following network characteristics:
The company intends to use 192.168.1.0/24 on-premises and 192.168.0.0/24 in Azure. You need to
update your company's environment to enable the needed functionality. What should you do? (Each
answer represents part of the solution. Choose two.)
■ Delete 192.168.0.0/23 from Azure.
Delete 192.168.1.0/24 in the on-premises environment.
Create a matching public subnet in Azure and in the on-premises environment.
Create a subnet for 192.168.0.0/23 in the on-premises environment.
■ Create a subnet for 192.168.0.0/24 in Azure.
Explanation
First, you need to delete 192.168.0.0/23 from Azure. It overlaps with 192.168.1.0/24, which you intend to use
for on-premises. Second, you need to create a subnet for 192.168.0.0/24 in Azure to enable usage in Azure.
Review Question 3
You need to configure the environment to prepare for the first VM. Additionally, you need to minimize
costs, whenever possible, while still meeting the requirements. What should you do? Select one.
■ Create a standard public IP address. During the creation of the first VM, associate the public IP
address with the VM's NIC.
Create a standard public IP address. After the first VM is created, remove the private IP
address a
n
dassign the public IP address to the NIC.
Create a basic public IP address. During the creation of the first VM, associate the public IP address
with the VM.
Create a basic public IP address. After the first VM is created, remove the private IP address
and assignthe public IP address to the NIC.
Explanation
To meet the requirement of communicating directly with consumers on the internet, you must use a public
IP address. To meet the requirement of having a zone redundant configuration, you must use a standard
public IP address. Of the answer choices, only the answer that creates the standard public IP address first,
then associates it during VM creation, functions and meets the requirements. You cannot configure a VM
with only a public IP address. Instead, all VMs have a private IP address and can optionally have one or
more public IP addresses.
Review Question 4
You deploy a new domain named contoso.com to domain controllers in Azure. You have the following
domain-joined VMs in Azure:
You need to add DNS records so that the hostnames resolve to their respective IP addresses. Additionally,
you need to add a DNS record so that intranet.contoso.com resolves to VM99. What should you do?
(Each answer presents part of the solution. Choose two.)
Add AAAA records for each VM.
■ Add A records for each VM.
Add a TXT record for intranet.contoso.com with the text of VM99.contoso.com.
Add an SRV record for intranet.contoso.com with the target pointing at VM99.contoso.com
■ Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com.
Explanation
In this scenario, the hostnames have IPv4 IP addresses. Thus, to resolve those hostnames, you must add A
records for each of the VMs. To enable intranet.contoso.com to resolve to VM99.contoso.com, you need to
add a CNAME record. A CNAME record is often referred to as an “alias”.
Review Question 5
Your company is preparing to move some services and VMs to Microsoft Azure. The company has opted
to use Azure DNS to provide name resolution. A project begins to configure the name resolution. The
project identifies the following requirements:
You need to prepare and configure the environment with a new domain name and a test hostname of
WWW. Which of the following steps should you perform? (Each answer presents part of the solution.
Choose three.)
■ Register a domain name with a domain registrar.
Register a domain name with Microsoft Azure.
■ Delegate the new domain name to Azure DNS.
Add an Address (A) record for Azure name servers in the zone.
Add DNS glue records to point to the Azure name servers.
■ Add a record for WWW.
Explanation
For private domain names, you must register with a registrar because Azure isn't a registrar. Thereafter, you
need to delegate the new domain name to Azure DNS, which enables Azure DNS to be authoritative for the
domain. After delegation, you should add a test hostname of WWW and test name resolution.
Review Question 6
You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to the 10.10.8.0/24 subnet. NIC2
is connected to the 10.20.8.0/24 subnet. You plan to update the VM configuration to provide the follow-
ing functionality:
You need to update the VM configuration to support the new functionality. What should you do? Select
one.
Remove the private IP address from NIC2 and then assign a public IP address to it. Then, create an
inbound security rule.
Add a third NIC and associate a public IP address to it. Then, create an inbound security rule.
■ Associate a public IP address to NIC2 and create an inbound security rule.
Create an inbound security rule for TCP port 443.
Explanation
To enable direct communication from the internet to the VM, you must have a public IP address. You also
need an inbound security rule. You can associate the public IP address with NIC1 or NIC2, although this
scenario only presents an option to associate it with NIC2 so that is the correct answer.
Review Question 7
You're currently using network security groups (NSGs) to control how your network traffic flows in and
out of your virtual network subnets and network interfaces. You want to customize how your NSGs work.
For all incoming traffic, you need to apply your security rules to both the virtual machine and subnet
level.
Which of the following options will let you accomplish this? (Choose two)
Configure the AllowVNetInBound security rule for all new NSGs.
■ Create rules for both NICs and subnets with an allow action.
Delete the default rules.
■ Add rules with a higher priority than the default rules.
Explanation
You should add rules with a higher priority than the default rules if needed, as you cannot delete the default
rules. Also, in order to meet the requirement to apply security rules to both VM and subnet level, you should
create rules with an allow action for both. There is no need to configure the AllowVnetInBound rule as it as
a default rule for any new security group you create.
Review Question 8
You need to ensure that Azure DNS can resolve names for your registered domain. What should you
implement? Select one.
■ zone delegation
a CNAME record
an MX record
a secondary zone
a primary zone with a NS record
Explanation
Once you create your DNS zone in Azure DNS, you need to set up NS records in the parent zone to ensure
that Azure DNS is the authoritative source for name resolution for your zone. For domains purchased from
a registrar, your registrar will offer the option to set up these NS records. When delegating a domain to
Azure DNS, you must use the name server names provided by Azure DNS. Domain delegation does not
require the name server name to use the same top-level domain as your domain.
Review Question 9
You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the
firewall. Which of the following should you use?
■ Application rules
Destination inbound rules
NAT rules
Network rules
Explanation
Application rules.www.androdagger.com Telegram:
Application rules define fully qualified @androdagger
domain names (FQDNs) that can be accessed from
a subnet. That would be appropriate to allow Windows Update network traffic.
www.androdagger.com Telegram: @androdagger
MCT USE ONLY. STUDENT USE PROHIBITED
Module 5 Intersite Connectivity
VNet Peering
VNet Peering
Perhaps the simplest and quickest way to connect your VNets is to use VNet peering. Virtual network
peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks
appear as one, for connectivity purposes. There are two types of VNet peering.
● Regional VNet peering connects Azure virtual networks in the same region.
● Global VNet peering connects Azure virtual networks in different regions. When creating a global
peering, the peered virtual networks can exist in any Azure public cloud region or China cloud regions,
but not in Government cloud regions. You can only peer virtual networks in the same region in Azure
Government cloud regions.
● Seamless. The ability to transfer data across Azure subscriptions, deployment models, and across
Azure regions.
● No disruption. No downtime to resources in either virtual network when creating the peering, or
after the peering is created.
When you Allow Gateway Transit the virtual network can communicate to resources outside the peering.
For example, the subnet gateway could:
● Use a site-to-site VPN to connect to an on-premises network.
www.androdagger.com Telegram: @androdagger
● Use a VNet-to-VNet connection to another virtual network.
● Use a point-to-site VPN to connect to a client.
In these scenarios, gateway transit allows peered virtual networks to share the gateway and get access to
resources. This means you do not need to deploy a VPN gateway in the peer virtual network.
1 https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
✔️ The default VNet peering configuration provides full connectivity. Network security groups can be
applied in either virtual network to block access to other virtual networks or subnets, if desired. When
configuring virtual network peering, you can either open or close the network security group rules
between the virtual networks.
Allow forwarded traffic. Allows traffic not originating from within the peer virtual network into your
virtual network.
Allow gateway transit. Allows the peer virtual network to use your virtual network gateway. The peer
cannot already have a gateway configured.
✔️ When you add a peering on one virtual network, the second virtual network configuration is automat-
ically added.
Service Chaining
VNet Peering is nontransitive. This means that if you establish VNet Peering between VNet1 and VNet2
and between VNet2 and VNet3, VNet Peering capabilities do not apply between VNet1 and VNet3.
However, you can leverage user-defined routes and service chaining to implement custom routing that
will provide transitivity. This allows you to:
● Implement a multi-level hub and spoke architecture.
● Overcome the limit on the number of VNet Peerings per virtual network.
Checking connectivity
You can check the status of the VNet peering. The peering is not successfully established until the peering
status for both virtual network peerings shows Updating.
● Updating. When you create the peering to the second virtual network from the first virtual network,
www.androdagger.com Telegram: @androdagger
the peering status is Initiated.
● Connected. When you create the peering from the second virtual network to the first virtual network,
the status is changed from Initiated to Connected.
3. Notice that a peering has automatically been created. The name is what you provided when the first
virtual network peering was configured.
4. Notice that the Peering Status is Connected.
5. Click the peering.
● Notice that Allow gateway transit cannot be selected.
● Use the informational icon to review the Use remote gateways setting.
6. Discard your changes.
on-premises network administrator to reserve an IP address range that you can use specifically for this
virtual network.
Specify the DNS server (optional). DNS is not required to create a Site-to-Site connection. However, if
you want to have name resolution for resources that are deployed to your virtual network, you should
specify a DNS server in the virtual network configuration.
✔️ Take time to carefully plan your network configuration. If a duplicate IP address range exists on both
sides of the VPN connection, traffic will not route the way you may expect it to.
✔️ When working with gateway subnets, avoid associating a network security group (NSG) to the
gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to
stop functioning as expected.
✔️ This is the same step in configuring VNet Peering.
The VPN type you select must satisfy all the connection requirements for the solution you want to create.
For example, if you want to create a S2S VPN gateway connection and a P2S VPN gateway connection for
the same virtual network, you would use VPN type Route-based because P2S requires a Route-based
VPN type. You would also need to verify that your VPN device supported a Route-based VPN connection.
● Route-based VPNs. Route-based VPNs use routes in the IP forwarding or routing table to direct
packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the
packets in and out of the tunnels. The policy (or traffic selector) for Route-based VPNs are configured
as any-to-any (or wild cards).
● Policy-based VPNs. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on
the IPsec policies configured with the combinations of address prefixes between your on-premises
network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the
VPN device configuration. When using a Policy-based VPN, keep in mind the following limitations:
● Policy-Based VPNs can only be used on the Basic gateway SKU and is not compatible with other
gateway SKUs.
● You can have only 1 tunnel when using a Policy-based VPN.
● You can only use Policy-based VPNs for S2S connections, and only for certain configurations. Most
VPN Gateway configurations require a Route-based VPN.
✔️ Once a virtual network gateway has been created, you can't change the VPN type.
2 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-download-vpndevicescript
3 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Active/active
You can now create an Azure VPN gateway in an active-active configuration, where both instances of the
gateway VMs will establish S2S VPN tunnels to your on-premises VPN device.
In this configuration, each Azure gateway instance will have a unique public IP address, and each will
establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network
gateway and connection. Note that both VPN tunnels are actually part of the same connection. You will
still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those
two Azure VPN gateway public IP addresses.
Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual
network to your on-premises network will be routed through both tunnels simultaneously, even if your on-
premises VPN device may favor one tunnel over the other. Note though the same TCP or UDP flow will
always traverse the same tunnel or path, unless a maintenance event happens on one of the instanc- es.
When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel
from that instance to your on-premises VPN device will be disconnected. The corresponding routes on
your VPN devices should be removed or withdrawn automatically so that the traffic will be switched over
to the other active IPsec tunnel. On the Azure side, the switch over will happen automatically from the
affected instance to the active instance.
ExpressRoute Connections
ExpressRoute
Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated
private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connec-
tions to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online.
ExpressRoute Capabilities
ExpressRoute is supported across all Azure regions and locations. The following map provides a list of
Azure regions and ExpressRoute locations. ExpressRoute locations refer to those where Microsoft peers
with several service providers. You will have access to Azure services across all regions within a geopoliti-
cal region if you connected to at least one ExpressRoute location within the geopolitical region.
ExpressRoute benefits
Layer 3 connectivity
Microsoft uses BGP, an industry standard dynamic routing protocol, to exchange routes between your
on-premises network, your instances in Azure, and Microsoft public addresses. We establish multiple BGP
sessions with your network for different traffic profiles.
Redundancy
Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs)
from the connectivity provider/your network edge. Microsoft requires dual BGP connection from the
connectivity provider/your network edge – one to each MSEE. The graphic on the previous topics shows
the primary and secondary connection.
Connectivity to Microsoft cloud services
ExpressRoute connections enable access to the following services: Microsoft Azure services, Microsoft
Office 365 services, and Microsoft Dynamics 365. Office 365 was created to be accessed securely and
reliably via the Internet, so ExpressRoute requires Microsoft authorization.
4 https://azure.microsoft.com/en-us/services/expressroute/
You can connect to Microsoft in one of our peering locations and access regions within the geopolitical
region. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you'll have access
to all Microsoft cloud services hosted in Northern and Western Europe.
Global connectivity with ExpressRoute premium add-on
You can enable the ExpressRoute premium add-on feature to extend connectivity across geopolitical
boundaries. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you will have
access to all Microsoft cloud services hosted in all regions across the world (national clouds are excluded).
Across on-premises connectivity with ExpressRoute Global Reach
You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting
your ExpressRoute circuits. For example, if you have a private data center in California connected to
ExpressRoute in Silicon Valley, and another private data center in Texas connected to ExpressRoute in
Dallas, with ExpressRoute Global Reach, you can connect your private data centers together through two
ExpressRoute circuits. Your cross-data-center traffic will traverse through Microsoft's network.
Bandwidth options
You can purchase ExpressRoute circuits for a wide range of bandwidths from 50 Mbps to 10 Gbps. Be
sure to check with your connectivity provider to determine the bandwidths they support.
Flexible billing models
You can pick a billing model that works best for you. Choose between the billing models listed below.
● Unlimited data. Billing is based on a monthly fee; all inbound and outbound data transfer is included
free of charge.
● Metered data. Billing is based on a monthly fee; all inbound data transfer is free of charge. Outbound
data transfer is charged per GB of data transfer. Data transfer rates vary by region.
● ExpressRoute premium add-on. This add-on includes increased routing table limits, increased
number of VNets, global connectivity, and connections to Office 365 and Dynamics 365. Read more in
the FAQ link.
✔️ Currently, the deployment options for S2S and ExpressRoute coexisting connections are only possible
through PowerShell, and not the Azure portal.
Virtual WANs
Azure Virtual WAN is a networking service that provides optimized and automated branch connectivity
to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to.
You can leverage the Azure backbone to also connect branches and enjoy branch-to-VNet connectivity.
There is a list of partners that support connectivity automation with Azure Virtual WAN VPN.
Azure Virtual WAN brings together many Azure cloud connectivity services such as site-to-site VPN, User
VPN (point-to-site), and ExpressRoute into a single operational interface. Connectivity to Azure VNets is
established by using virtual network connections. It enables global transit network architecture based on
a classic hub-and-spoke connectivity model where the cloud hosted network ‘hub’ enables transitive
connectivity between endpoints that may be distributed across different types of 'spokes'.
Lab scenario
Contoso has its datacenters in Boston, New York, and Seattle offices connected via a mesh wide-area
network links, with full connectivity between them. You need to implement a lab environment that will
reflect the the topology of the Contoso's on-premises networks and verify its functionality.
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Configure local and global virtual network peering.
● Task 3: Test intersite connectivity.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
Your company is preparing to implement a Site-to-Site VPN to Microsoft Azure. You are selected to plan and
implement the VPN. Currently, you have an Azure subscription, an Azure virtual network, and an Azure
gateway subnet. You need to prepare the on-premises environment and Microsoft Azure to meet the
prerequisites of the Site-to-Site VPN. Later, you will create the VPN connection and test it. What should you
do? (Each answer presents part of the solution. Select three.
Obtain a VPN device for the on-premises environment.
Obtain a VPN device for the Azure environment.
Create a virtual network gateway (VPN) and the local network gateway in Azure.
Create a virtual network gateway (ExpressRoute) in Azure.
Obtain a public IPv4 IP address without NAT for the VPN device.
Obtain a public IPv4 IP address behind NAT for the VPN device.
Review Question 3
Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a
single site, headquarters, which has an on-premises data center. The company establishes the following
requirements for the connectivity:
● Connectivity must be persistent.
● Connectivity must provide for the entire on-premises site.
You need to implement a connectivity solution to meet the requirements. What should you do? Select one.
Implement a Site-to-Site VPN.
Implement a Virtual Private Cloud (VPC).
www.androdagger.com Telegram: @androdagger
Implement a Virtual Private Gateway (VGW).
Implement a VNet-to-VNet VPN.
Implement a Point-to-Site VPN.
Review Question 4
You are configuring VNet Peering across two Azure two virtual networks, VNET1 and VNET2. You are
configuring the VPN Gateways. You want VNET2 to be able to use to VNET1's gateway to get to resources
outside the peering. What should you do? Select one.
Select allow gateway transit on VNET1 and use remote gateways on VNET2.
Select allow gateway transit on VNET2 and use remote gateways on VNET1.
Select allow gateway transit and use remote gateways on both VNET1 and VNET2.
Do not select allow gateway transit or use remote gateways on either VNET1 or VNET2.
Review Question 5
You are configuring a site-to-site VPN connection between your on-premises network and your Azure
network. The on-premises network uses a Cisco ASA VPN device. You have checked to ensure the device is
on the validated list of VPN devices. Before you proceed to configure the device what two pieces of informa-
tion should you ensure you have? Select two.
The shared access signature key from the recovery services vault.
The shared key you provided when you created your site-to-site VPN connection.
The gateway routing method provided when you created your site-to-site VPN connection.
The static IP address of your virtual network gateway.
The public IP address of your virtual network gateway.
The user and password for the virtual network gateway.
Review Question 6
You manage a large datacenter that is running out of space. You propose extending the datacenter to Azure
using a Multi-Protocol Label Switching virtual private network. Which connectivity option would you select?
Select one.
Point-to-Site
VPN Peering
Multi-site
Site-to-Site
ExpressRoute
VNet-to-VNet
Review Question 7
You are creating a connection between two virtual networks. Peformance is a key concern. Which of the
following will most influence performance? Select one.
Ensuring you select a route-based VPN.
Ensuring you select a policy-based VPN.
Ensuring you specify a DNS server.
Ensuring you select an appropriate Gateway SKU.
Review Question 8
Your manager asks you to verify some information about Azure Virtual WANs. Which of the following
statements are true? Select three.
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Distribute your services across Azure virtual networks and integrate them by using virtual
network peering6
● Connect your on-premises network to Azure with VPN Gateway7
● Connect your on-premises network to the Microsoft global network by using ExpressRoute8
Answers
Review Question 1
You want to connect different VNets in the same region as well as different regions and decide to use
VNet peering to accomplish this. Which of the following statements are true benefits of VNet peering?
Select two.
The virtual networks can exist in any Azure cloud region.
■ Network traffic between peered virtual networks is private.
■ Peering is easy to configure and manage, requiring little to no downtime.
Gateway transit can be configured regionally or globally.
Explanation
Peering is efficient as there is no downtime to resources in either virtual network when creating the peering,
or after the peering is created. Also, for security, Network traffic between peered virtual networks is private.
Traffic between the virtual networks is kept on the Microsoft backbone network. While virtual networks can
exist in any Azure public cloud region, they cannot exist in Azure national clouds. National clouds have very
specific customer requirements to their use and operation. These services are confined within the geographic
borders of specific countries and operated by local personnel. Gateway transit only applies to regional VNet
peering and not to global VNet peering.
Review Question 2
Your company is preparing to implement a Site-to-Site VPN to Microsoft Azure. You are selected to plan
and implement the VPN. Currently, you have an Azure subscription, an Azure virtual network, and an
Azure gateway subnet. You need to prepare the on-premises environment and Microsoft Azure to meet
the prerequisites of the Site-to-Site VPN. Later, you will create the VPN connection and test it. What
should you do? (Each answer presents part of the solution. Select three.
■ Obtain a VPN device for the on-premises environment.
Obtain a VPN device for the Azure environment.
■ Create a virtual network gateway (VPN) and the local network gateway in Azure.
Create a virtual network gateway (ExpressRoute) in Azure.
■ Obtain a public IPv4 IP address without NAT for the VPN device.
Obtain a public IPv4 IP address behind NAT for the VPN device.
Explanation
The prerequisites for a Site-to-Site VPN are having a compatible VPN device on-premises, having a public
IPv4 IP without NAT on the on-premises VPN device, and creating a VPN gateway and local network
gateway in Azure. IPv6 is not supported for VPNs. ExpressRoute is a different setup and not part of a
Site-to-Site VPN.
Review Question 3
Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a
single site, headquarters, which has an on-premises data center. The company establishes the following
www.androdagger.com Telegram: @androdagger
requirements for the connectivity:
You need to implement a connectivity solution to meet the requirements. What should you do? Select
one.
■ Implement a Site-to-Site VPN.
Implement a Virtual Private Cloud (VPC).
Implement a Virtual Private Gateway (VGW).
Implement a VNet-to-VNet VPN.
Implement a Point-to-Site VPN.
Explanation
In this scenario, only one of the answers provides persistent connectivity to Azure - the Site-to-Site VPN. A
VNet-to-VNet connects two Azure virtual networks together. A Point-to-Site VPN is used for individual
connections (such as for a developer). A VPC and VGW are relevant to Amazon AWS.
Review Question 4
You are configuring VNet Peering across two Azure two virtual networks, VNET1 and VNET2. You are
configuring the VPN Gateways. You want VNET2 to be able to use to VNET1's gateway to get to resources
outside the peering. What should you do? Select one.
■ Select allow gateway transit on VNET1 and use remote gateways on VNET2.
Select allow gateway transit on VNET2 and use remote gateways on VNET1.
Select allow gateway transit and use remote gateways on both VNET1 and VNET2.
Do not select allow gateway transit or use remote gateways on either VNET1 or VNET2.
Explanation
Select allow gateway transit on VNET1 and use remote gateways on VNET2. VNET1 will allow VNET2 to
transit external resources, and VNET2 will expect to use a remote gateway.
Review Question 5
You are configuring a site-to-site VPN connection between your on-premises network and your Azure
network. The on-premises network uses a Cisco ASA VPN device. You have checked to ensure the device
is on the validated list of VPN devices. Before you proceed to configure the device what two pieces of
information should you ensure you have? Select two.
The shared access signature key from the recovery services vault.
■ The shared key you provided when you created your site-to-site VPN connection.
The gateway routing method provided when you created your site-to-site VPN connection.
The static IP address of your virtual network gateway.
■ The public IP address of your virtual network gateway.
The user and password for the virtual network gateway.
Explanation www.androdagger.com Telegram: @androdagger
You will need two things: shared key and the public IP address of your virtual network gateway. The shared
key was provided when you created the site-to-site VPN connection.
MCT USE ONLY. STUDENT USE PROHIBITED
Module 05 Lab and Review 159
Review Question 6
You manage a large datacenter that is running out of space. You propose extending the datacenter to
Azure using a Multi-Protocol Label Switching virtual private network. Which connectivity option would
you select? Select one.
Point-to-Site
VPN Peering
Multi-site
Site-to-Site
■ ExpressRoute
VNet-to-VNet
Explanation
ExpressRoute is the best choice for extending the datacenter, as it can use an any-to-any (IPVPN) connectiv-
ity model. An MPLS VPN, as typically provided by an IPVPN network, enables connectivity between the
Microsoft cloud and your branch offices and datacenters.
Review Question 7
You are creating a connection between two virtual networks. Peformance is a key concern. Which of the
following will most influence performance? Select one.
Ensuring you select a route-based VPN.
Ensuring you select a policy-based VPN.
Ensuring you specify a DNS server.
■ Ensuring you select an appropriate Gateway SKU.
Explanation
The Gateway SKU selection directly affects performance. Gateway SKUs control the number of tunnels and
connections that are available. This affects the overall aggregate throughput of the connection.
Review Question 8
Your manager asks you to verify some information about Azure Virtual WANs. Which of the following
statements are true? Select three.
gateway, a virtual appliance, or the internet. If a matching route can't be found, then the packet is
dropped.
In these situations, you can configure user-defined routes (UDRs). UDRs control network traffic by
defining routes that specify the next hop of the traffic flow. This hop can be a virtual network gateway,
virtual network, internet, or virtual appliance.
✔️ Each route table can be associated to multiple subnets, but a subnet can only be associated to a
single route table. There are no additional charges for creating route tables in Microsoft Azure. Do you
think you will need to create custom routes?
For more information, Custom routes1.
Routing Example
Let’s review a specific network routing example. In this example you have a virtual network that includes
three subnets.
● The subnets are Private, DMZ, and Public. In the DMZ subnet there is a network virtual appliance
(NVA). NVAs are VMs that help with network functions like routing and firewall optimization.
● You want to ensure all traffic from the Public subnet goes through the NVA to the Private subnet.
A standard routing protocol is used to exchange routing and reachability information between two or
In summary, this route applies to any address prefixes in 10.0.1.0/24 (private subnet). Traffic headed to
these addresses will be sent to the virtual appliance with a 10.0.2.4 address.
✔️ In this example remember that the virtual appliance should not have a public IP address and IP
forwarding should be enabled on the device.
● Name: myRouteTablePublic
● Subscription: select your subscription
● Resource group: create or select a resource group
● Location: select your location
● Virtual network gateway route propagation: Enabled
4. Select Create.
5. Wait for the new routing table to be deployed.
Add a route
www.androdagger.com Telegram: @androdagger
1. Select your new routing table, and then select Routes.
2. Select + Add.
● Name: ToPrivateSubnet
Service Endpoints
A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once
service endpoints are enabled in your virtual network, you can secure Azure service resources to your
virtual network by adding a virtual network rule to the resources.
Today, Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With
service endpoints, service traffic switches to use virtual network private addresses as the source IP
addresses when accessing the Azure service from a virtual network. This switch allows you to access the
services without the need for reserved, public IP addresses used in IP firewalls.
● Simple to set up with less management overhead. You no longer need reserved, public IP address-
es in your virtual networks to secure Azure resources through IP firewall. There are no NAT or gateway
devices required to set up the service endpoints. Service endpoints are configured through a simple
click on a subnet. There is no additional overhead to maintaining the endpoints.
✔️ With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic
switches from using public IPv4 addresses to using private IPv4 addresses. Existing Azure service firewall
rules using Azure public IP addresses will stop working with this switch. Please ensure Azure service
firewall rules allow for this switch before setting up service endpoints. You may also experience temporary
interruption to service traffic from this subnet while configuring service endpoints.
Azure Storage. Generally available in all Azure regions. This endpoint gives traffic an optimal route to the
Azure Storage service. Each storage account supports up to 100 virtual network rules.
Azure SQL Database and Azure SQL Data Warehouse. Generally available in all Azure regions. A
firewall security feature that controls whether the database server for your single databases and elastic
pool in Azure SQL Database or for your databases in SQL Data Warehouse accepts communications that
Azure Cosmos DB with the identity of the subnet and Virtual Network. Once the Azure Cosmos DB service
endpoint is enabled, you can limit access to the subnet by adding it to your Azure Cosmos account.
Azure Key Vault. Generally available in all Azure regions. The virtual network service endpoints for Azure
Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to
restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your
key vault from outside those sources is denied access.
Azure Service Bus and Azure Event Hubs. Generally available in all Azure regions. The integration of
Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabili-
ties from workloads like virtual machines that are bound to virtual networks, with the network traffic path
being secured on both ends.
✔️ Adding service endpoints can take up to 15 minutes to complete. Each service endpoint integration
has its own Azure documentation page.
Private Link
Azure Private Link provides private connectivity from a virtual network to Azure platform as a service
(PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures
the connection between endpoints in Azure by eliminating data exposure to the public internet.
● Private connectivity to services on Azure. Traffic remains on the Microsoft network, with no public
internet access. Connect privately to services running in other Azure regions. Private Link is global and
has no regional restrictions.
● Integration with on-premises and peered networks. Access private endpoints over private peering
or VPN tunnels from on-premises or peered virtual networks. Microsoft hosts the traffic, so you don’t
need to set up public peering or use the internet to migrate your workloads to the cloud.
● Protection against data exfiltration for Azure resources. Use Private Link to map private endpoints
to Azure PaaS resources. In the event of a security incident within your network, only the mapped
resource would be accessible, eliminating the threat of data exfiltration.
● Services delivered directly to your customers’ virtual networks. Privately consume Azure PaaS,
Microsoft partner, and your own services in your virtual networks on Azure. Private Link works across
Azure Active Directory (Azure AD) tenants to help unify your experience across services. Send, ap-
prove, or reject requests directly, without permissions or role-based access controls.
www.androdagger.com Telegram: @androdagger
How it works
Use Private Link to bring services delivered on Azure into your private virtual network by mapping it to a
private endpoint. Or privately deliver your own services in your customers’ virtual networks. All traffic to
the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or
VPN connections, or public IP addresses are needed. Private Link keeps traffic on the Microsoft global
network.
For more information, Private Link Documentation3.
The Load Balancer can be used for inbound as well as outbound scenarios and scales up to millions of
TCP and UDP application flows.
✔️ Keep this diagram in mind since it covers the four components that must be configured for your load
balancer: Frontend IP configuration, Backend pools, Health probes, and Load balancing rules.
For more information, Load Balancer documentation4.
● For line-of-business applications. Load balancing for line-of-business applications that are hosted in
Azure without additional load balancer hardware or software. This scenario includes on-premises
servers that are in the set of computers whose traffic is load-balanced.
✔️ A public load balancer could be placed in front of the internal load balancer to create a multi-tier
application.
Considerations
● SKUs are not mutable. You may not change the SKU of an existing resource.
● A standalone virtual machine resource, availability set resource, or virtual machine scale set resource
can reference one SKU, never both.
● A Load Balancer rule cannot span two virtual networks. Frontends and their related backend instances
must be in the same virtual network.
● There is no charge for the Basic load balancer. The Standard load balancer is charged based on
number of rules and data processed.
✔️ New designs and architectures should consider using Standard Load Balancer.
www.androdagger.com Telegram: @androdagger
Backend Pools
To distribute traffic, a back-end address pool contains the IP addresses of the virtual NICs that are
connected to the load balancer.
How you configure the backend pool depends on whether you are using the Standard or Basic SKU.
✔️ In the Standard SKU you can have up to 1000 instances in the backend pool. In the Basic SKU you can
have up to 100 instances.
✔️ Load balancing rules can be used in combination with NAT rules. For example, you could use NAT
from the load balancer’s public address to TCP 3389 on a specific virtual machine. This allows remote
desktop access from outside of Azure. Notice in this case, the NAT rule is explicitly attached to a VM (or
network interface) to complete the path to the target; whereas a Load Balancing rule need not be.
Session Persistence
By default, Azure Load Balancer distributes network traffic equally among multiple VM instances. The
load balancer uses a 5-tuple (source IP, source port, destination IP, destination port, and protocol type)
hash to map traffic to available servers. It provides stickiness only within a transport session.
Session persistence specifies how traffic from a client should be handled. The default behavior (None) is
that successive requests from a client may be handled by any virtual machine. You can change this
behavior.
● None (default) specifies any virtual mahchine can handle the request.
● Client IP specifies that successive requests from the same client IP address will be handled by the
same virtual machine.
● Client IP and protocol specifies that successive requests from the same client IP address and proto-
col combination will be handled by the same virtual machine.
✔️ Keeping session persistence information is very important in applications that use a shopping cart.
Can you think of any other applications?
Health Probes
A health probe allows the load balancer to monitor the status of your app. The health probe dynamically
adds or removes VMs from the load balancer rotation based on their response to health checks. When a
probe fails to respond, the load balancer stops sending new connections to the unhealthy instances.
There are two main ways to configure health probes: HTTP and TCP.
HTTP custom probe. The load balancer regularly probes your endpoint (every 15 seconds, by default).
The instance is healthy if it responds with an HTTP 200 within the timeout period (default of 31 seconds).
Any status other than HTTP 200 causes this probe to fail. You can specify the port (Port), the URI for
requesting the health status from the backend (URI), amount of time between probe attempts (Interval),
and the number of failures that must occur for the instance to be considered unhealthy (Unhealthy
threshold).
www.androdagger.com Telegram: @androdagger
TCP custom probe. This probe relies on establishing a successful TCP session to a defined probe port. If
the specified listener on the VM exists, the probe succeeds. If the connection is refused, the probe fails.
You can specify the Port, Interval, and Unhealthy threshold.
✔️ There is also a guest agent probe. This probe uses the guest agent inside the VM. It is not recom-
mended when HTTP or TCP custom probe configurations are possible.
The Application Gateway will automatically load balance requests sent to the servers in each back-end
pool using a round-robin mechanism. However, you can configure session stickiness, if you need to
ensure that all requests for a client in the same session are routed to the same server in a back-end pool.
Load-balancing works with the OSI Layer 7 routing implemented by Application Gateway routing, which
means that it load balances requests based on the routing parameters (host names and paths) used by
the Application Gateway rules. In comparison, other load balancers, such as Azure Load Balancer, function
at the OSI Layer 4 level, and distribute traffic based on the IP address of the target of a request.
Operating at OSI Layer 7 enables load balancing to take advantage of the other features that Application
Gateway provides.
Additional features
● Support for the HTTP, HTTPS, HTTP/2 and WebSocket protocols.
● A web application firewall to protect against web application vulnerabilities.
● End-to-end request encryption.
● Autoscaling, to dynamically adjust capacity as your web traffic load change.
For more information, What is Azure Application Gateway5.
5 https://docs.microsoft.com/en-us/azure/application-gateway/overview
Path-based routing
Path-based routing enables you to send requests with different paths in the URL to a different pool of
back-end servers. For example, you could direct requests with the path /video/* to a back-end pool
containing servers that are optimized to handle video streaming, and direct /images/* requests to a pool
of servers that handle image retrieval.
Additional features
● Redirection. Redirection can be used to another site, or from HTTP to HTTPS.
● Rewrite HTTP headers. HTTP headers allow the client and server to pass additional information with
the request or the response.
● Custom error pages. Application Gateway allows you to create custom error pages instead of
displaying default error pages. You can use your own branding and layout using a custom error page.
Front-end IP address
Client requests are received through a front-end IP address. You can configure Application Gateway to
have a public IP address, a private IP address, or both. Application Gateway can't have more than one
public and one private IP address.
Listeners
Application Gateway uses one or more listeners to receive incoming requests. A listener accepts traffic
arriving on a specified combination of protocol, port, host, and IP address. Each listener routes requests
to a back-end pool of servers following routing rules that you specify. A listener can be Basic or Mul-
ti-site. A Basic listener only routes a request based on the path in the URL. A Multi-site listener can also
Routing rules
A routing rule binds a listener to the back-end pools. A rule specifies how to interpret the hostname and
path elements in the URL of a request, and direct the request to the appropriate back-end pool. A routing
rule also has an associated set of HTTP settings. These settings indicate whether (and how) traffic is
encrypted between Application Gateway and the back-end servers, and other configuration information
such as: Protocol, Session stickiness, Connection draining, Request timeout period, and Health probes.
Back-end pools
A back-end pool references a collection of web servers. You provide the IP address of each web server
and the port on which it listens for requests when configuring the pool. Each pool can specify a fixed set
of virtual machines, a virtual machine scale-set, an app hosted by Azure App Services, or a collection of
on-premises servers. Each back-end pool has an associated load balancer that distributes work across the
pool
Health probes
Health probes are an important part in assisting the load balancer to determine which servers are
available for load balancing in a back-end pool. Application Gateway uses a health probe to send a
request to a server. If the server returns an HTTP response with a status code between 200 and 399, the
server is deemed healthy.
If you don't configure a health probe, Application Gateway creates a default probe that waits for 30
seconds before deciding that a server is unavailable.
● Traffic Manager works by using the Domain Name System (DNS) to direct end-user requests to the
most appropriate endpoint. Service endpoints supported by Traffic Manager include Azure VMs, Web
Apps, and cloud services. You can also use Traffic Manager with external, non-Azure endpoints.
● Traffic Manager selects an endpoint based on the configured traffic-routing method. Traffic Manager
supports a range of traffic-routing methods to suit different application needs. Once the endpoint is
selected the clients then connect directly to the appropriate service endpoint.
● Traffic Manager provides endpoint health checks and automatic endpoint failover, enabling you to
build high-availability applications that are resilient to failure, including the failure of an entire Azure
region.
users by using Traffic Manager to direct traffic to alternative endpoints when maintenance is in
progress.
● Combine on-premises and Cloud-based applications. Traffic Manager supports external, non-Azure
endpoints enabling it to be used with hybrid cloud and on-premises deployments.
● Distribute traffic for large, complex deployments. Traffic-routing methods can be combined using
nested Traffic Manager profiles to create sophisticated and flexible traffic-routing configurations to
meet the needs of larger, more complex deployments.
For more information, Traffic Manager6
6 https://azure.microsoft.com/en-us/services/traffic-manager/
distance. Instead Traffic Manager determines closeness by measuring network latency. Traffic Manager
maintains an Internet Latency Table to track the round-trip time between IP address ranges and each
Azure datacenter. With this method Traffic Manager looks up the source IP address of the incoming DNS
request in the Internet Latency Table. Traffic Manager chooses an available endpoint in the Azure data-
center that has the lowest latency for that IP address range, then returns that endpoint in the DNS
response.
Geographic routing
When a Traffic Manager profile is configured for Geographic routing, each endpoint associated with that
profile needs will have a set of geographic locations assigned to it. Any requests from those regions gets
routed only to that endpoint. Some planning is required when you create a geographical endpoint. A
location cannot be in more than one endpoint. You build the endpoint from a:
Weighted routing
The Weighted traffic-routing method allows you to distribute traffic evenly or to use a pre-defined
weighting. In the Weighted traffic-routing method, you assign a weight to each endpoint in the Traffic
Manager profile configuration. The weight is an integer from 1 to 1000. This parameter is optional. If
omitted, Traffic Manager uses a default weight of ‘1’. The higher weight, the higher the priority.
✔️ Additonally, MultiValue routing distributes traffic only to IPv4 and IPv6 endpoints and Subnet routing
distributes traffic based on source IP ranges.
Lab scenario
You were tasked with testing managing network traffic targeting Azure virtual machines in the hub and
spoke network topology, which Contoso considers implementing in its Azure environment (instead of
creating the mesh topology, which you tested in the previous lab). This testing needs to include imple-
menting connectivity between spokes by relying on user defined routes that force traffic to flow via the
hub, as well as traffic distribution across virtual machines by using layer 4 and layer 7 load balancers. For
this purpose, you intend to use Azure Load Balancer (layer 4) and Azure Application Gateway (layer 7).
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
www.androdagger.com Telegram: @androdagger
● Task 2: Configure the hub and spoke network topology.
● Task 3: Test transitivity of virtual network peering.
● Task 4: Configure routing in the hub and spoke topology.
● Task 5: Implement Azure Load Balancer.
Review Question 2
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual machines
in another virtual network. You need to install an Azure load balancer to direct traffic between the virtual
networks. What should you do? Select one.
Install a private load balancer.
Install a public load balancer.
Install an external load balancer.
Install an internal load balancer.
Install a network load balancer.
Review Question 3
Your company has a popular regional web site. The company plans to move it to Microsoft Azure and host it
in the Canada East region. The web team has established the following requirements for managing the web
traffic:
● Evenly distribute incoming web requests across a farm of 10 Azure VMs.
● Support many incoming requests, including spikes during peak times.
● Minimize complexity.
● Minimize ongoing costs.
Which of the following would you select for this scenario? Select one.
Review Question 4
You deploy an internal load balancer between your web tier and app tier servers. You configure a custom
HTTP health probe. Which two of the following are not true? Select two.
The load balancer manages the health probe.
By default, the health probe checks the endpoint every 30 seconds.
The instance is healthy if it responds with an HTTP 200 error.
You can change the amount of time between health probe checks.
You can change the number of failures within a time period.
Review Question 5
Which criteria does Application Gateway use to route requests to a web server? Select one.
The hostname, port, and path in the URL of the request.
The IP address of the web server that is the target of the request.
The region in which the servers hosting the web application are located.
The users authentication information.
Review Question 6
Which load balancing strategy does the Application Gateway implement? Select one.
Distributes requests to each available server in a backend pool in turn, round-robin.
Distributes requests to the server in the backend pool with the lightest load.
Polls each server in the backend pool in turn, and sends the request to the first server that responds.
Uses one server in the backend pool until that server reaches 50% load, then moves to the next server.
Review Question 7
You have several websites and are using Traffic Manager to distribute the network traffic. You are bringing a
new endpoint online but are not sure that it is ready to accept a full load of requests. Which Traffic Manager
routing algorithm should you use? Select one.
Round robin
Priority
Geographic
Weighted
Review Question 8
Your company has a website that allows users to customize their experience by downloading an app.
Demand for the app has increased so you have added another virtual network with two virtual machines.
These machines are dedicated to serving the app downloads. You need to ensure the additional download
requests do not affect the website performance. Your solution must route all download requests to the two
new servers you have installed. What action will you recommend? Select one.
Configure Traffic Manager.
Add a user-defined route.
Create a local network gateway.
Configure a new routing table.
Add an application gateway.
Review Question 9
You are deploying the Application Gateway and want to ensure incoming requests are checked for common
security threats like cross-site scripting and crawlers. To address your concerns what should you do? Select
one.
Install an external load balancer
Install an internal load balancer
Install Azure Firewall
Install the Web Application Firewall
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Manage and control traffic flow in your Azure deployment with routes7
● Improve application scalability and resiliency by using Azure Load Balancer8
● Load balance your web service traffic with Application Gateway9
● Enhance your service availability and data locality by using Azure Traffic Manager10
Answers
Review Question 1
Which of the following two features of Azure networking provide the ability to redirect all Internet traffic
back to your company's on-premises servers for packet inspection? Select two.
■ User Defined Routes
Cross-premises network connectivity
Traffic Manager
■ Forced Tunneling
System Routes
Explanation
User defined routes and forced tunneling. You can use forced tunneling to redirect internet bound traffic
back to the company's on-premises infrastructure. Forced tunneling is commonly used in scenarios where
organizations want to implement packet inspection or corporate audits. Forced tunneling in Azure is
configured via virtual network user defined routes (UDR).
Review Question 2
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual
machines in another virtual network. You need to install an Azure load balancer to direct traffic between
the virtual networks. What should you do? Select one.
Install a private load balancer.
Install a public load balancer.
Install an external load balancer.
■ Install an internal load balancer.
Install a network load balancer.
Explanation
Install an internal load balancer. Azure has two types of load balancers: public and internal. An internal load
balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure
infrastructure.
Review Question 3
Your company has a popular regional web site. The company plans to move it to Microsoft Azure and
host it in the Canada East region. The web team has established the following requirements for managing
the web traffic:
Which of the following would you select for this scenario? Select one.
Azure Traffic Manager
■ Azure Load Balancer
Azure Application Gatewy
Azure Cloud Services
Explanation
Azure Load Balancer. In this scenario, the requirements call for load balancing of a web site with minimal
complexity and costs. The web site is in a single region, which rules out Azure Traffic Manager (which is
geared toward a distributed web application). Azure CDN is complex and expensive and it best suited for
delivering static web content at various locations worldwide (with maximum performance). Azure Cloud
Services are suited for applications and APIs, not for this scenario.
Review Question 4
You deploy an internal load balancer between your web tier and app tier servers. You configure a custom
HTTP health probe. Which two of the following are not true? Select two.
The load balancer manages the health probe.
■ By default, the health probe checks the endpoint every 30 seconds.
The instance is healthy if it responds with an HTTP 200 error.
You can change the amount of time between health probe checks.
■ You can change the number of failures within a time period.
Explanation
By default, the health probe checks the endpoints every 15 seconds, not 30 seconds. You can change the
number of consecutive failures, but you cannot specify a time period for the failures.
Review Question 5
Which criteria does Application Gateway use to route requests to a web server? Select one.
■ The hostname, port, and path in the URL of the request.
The IP address of the web server that is the target of the request.
The region in which the servers hosting the web application are located.
The users authentication information.
Explanation
The hostname, port, and path in the URL of the request.
Review Question 6
Which load balancing strategy does the Application Gateway implement? Select one.
■ Distributes requests to each available server in a backend pool in turn, round-robin.
Distributes requests to the server in the backend pool with the lightest load.
Polls each server in the backend pool in turn, and sends the request to the first server that responds.
Uses one server in the backend pool until that server reaches 50% load, then moves to the next server.
Explanation
The Application Gateway distributes requests to each available server in the backend pool using the
round-robin method.
Review Question 7
You have several websites and are using Traffic Manager to distribute the network traffic. You are bring-
ing a new endpoint online but are not sure that it is ready to accept a full load of requests. Which Traffic
Manager routing algorithm should you use? Select one.
Round robin
Priority
Geographic
■ Weighted
Performance
Explanation
Use the weighted routing algorithm. This will put the endpoint into the rotation with a minimum amount of
traffic.
Review Question 8
Your company has a website that allows users to customize their experience by downloading an app.
Demand for the app has increased so you have added another virtual network with two virtual machines.
These machines are dedicated to serving the app downloads. You need to ensure the additional down-
load requests do not affect the website performance. Your solution must route all download requests to
the two new servers you have installed. What action will you recommend? Select one.
■ Configure Traffic Manager.
Add a user-defined route.
Create a local network gateway.
Configure a new routing table.
Add an application gateway.
Explanation
You should use Traffic Manager. Traffic Manager lets you control the distribution of user traffic to your
endpoints running inwww.androdagger.com
different datacenters aroundTelegram: @androdagger
the world. Traffic Manager uses DNS and can route
traffic to your two new download servers.
MCT USE ONLY. STUDENT USE PROHIBITED
Module 06 Lab and Review 193
Review Question 9
You are deploying the Application Gateway and want to ensure incoming requests are checked for
common security threats like cross-site scripting and crawlers. To address your concerns what should you
do? Select one.
Install an external load balancer
Install an internal load balancer
Install Azure Firewall
■ Install the Web Application Firewall
Explanation
Install the Web Application Firewall. The web application firewall (WAF) is an optional component that
handles incoming requests before they reach a listener. The web application firewall checks each request for
many common threats, based on the Open Web Application Security Project (OWASP).
Storage Accounts
Azure Storage
Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. Azure Storage
offers a massively scalable object store for data objects, a file system service for the cloud, a messaging
store for reliable messaging, and a NoSQL store. Azure Storage is:
● Durable and highly available. Redundancy ensures that your data is safe in the event of transient
hardware failures. You can also opt to replicate data across datacenters or geographical regions for
additional protection from local catastrophe or natural disaster. Data replicated in this way remains
highly available in the event of an unexpected outage.
● Secure. All data written to Azure Storage is encrypted by the service. Azure Storage provides you with
fine-grained control over who has access to your data.
● Scalable. Azure Storage is designed to be massively scalable to meet the data storage and perfor-
mance needs of today's applications.
● Managed. Microsoft Azure handles hardware maintenance, updates, and critical issues for you.
● Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS.
Microsoft provides SDKs for Azure Storage in a variety of languages – .NET, Java, Node.js, Python,
PHP, Ruby, Go, and others – as well as a mature REST API. Azure Storage supports scripting in Azure
PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions
for working with your data.
Azure Storage is a service that you can use to store files, messages, tables, and other types of informa-
www.androdagger.com Telegram: @androdagger
tion. You can use Azure storage on its own—for example as a file share—but it is often used by develop-
ers as a store for working data. Such stores can be used by websites, mobile apps, desktop applications,
and many other types of custom solutions. Azure storage is also used by IaaS virtual machines, and PaaS
cloud services. You can generally think of Azure storage in three categories.
● Storage for Virtual Machines. This includes disks and files. Disks are persistent block storage for
Azure IaaS virtual machines. Files are fully managed file shares in the cloud.
● Unstructured Data. This includes Blobs and Data Lake Store. Blobs are highly scaleable, REST based
cloud object store. Data Lake Store is Hadoop Distributed File System (HDFS) as a service.
● Structured Data. This includes Tables, Cosmos DB, and Azure SQL DB. Tables are a key/value, au-
to-scaling NoSQL store. Cosmos DB is a globally distributed database service. Azure SQL DB is a fully
managed database-as-a-service built on SQL.
General purpose storage accounts have two tiers: Standard and Premium.
● Standard storage accounts are backed by magnetic drives (HDD) and provide the lowest cost per GB.
They are best for applications that require bulk storage or where data is accessed infrequently.
● Premium storage accounts are backed by solid state drives (SSD) and offer consistent low-latency
performance. They can only be used with Azure virtual machine disks and are best for I/O-intensive
applications, like databases.
✔️ It is not possible to convert a Standard storage account to Premium storage account or vice versa. You
must create a new storage account with the desired type and copy data, if applicable, to a new storage
account.
For more information, Azure Storage1.
Azure Files
Azure Files enables you to set up highly available network file shares that can be accessed by using the
standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files
1 https://azure.microsoft.com/en-us/services/storage/
with both read and write access. You can also read the files using the REST interface or the storage client
libraries.
One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files
from anywhere in the world using a URL that points to the file and includes a shared access signature
(SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific
amount of time.
File shares can be used for many common scenarios:
● Many on-premises applications use file shares. This feature makes it easier to migrate those applica-
tions that share data to Azure. If you mount the file share to the same drive letter that the on-premis-
es application uses, the part of your application that accesses the file share should work with minimal,
if any, changes.
● Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities
used by multiple developers in a group can be stored on a file share, ensuring that everybody can find
them, and that they use the same version.
● Diagnostic logs, metrics, and crash dumps are just three examples of data that can be written to a file
share and processed or analyzed later.
At this time, Active Directory-based authentication and access control lists (ACLs) are not supported, but
they will be at some time in the future. The storage account credentials are used to provide authentica-
tion for access to the file share. This means anybody with the share mounted will have full read/write
access to the share.
Queue storage
The Azure Queue service is used to store and retrieve messages. Queue messages can be up to 64 KB in
size, and a queue can contain millions of messages. Queues are generally used to store lists of messages
to be processed asynchronously.
For example, say you want your customers to be able to upload pictures, and you want to create thumb-
nails for each picture. You could have your customer wait for you to create the thumbnails while upload-
ing the pictures. An alternative would be to use a queue. When the customer finishes his upload, write a
message to the queue. Then have an Azure Function retrieve the message from the queue and create the
thumbnails. Each of the parts of this processing can be scaled separately, giving you more control when
tuning it for your usage.
Table storage
Azure Table storage is now part of Azure Cosmos DB. In addition to the existing Azure Table storage
service, there is a new Azure Cosmos DB Table API offering that provides throughput-optimized tables,
global distribution, and automatic secondary indexes. To learn more and try out the new premium
experience, please check out Azure Cosmos DB Table API.
Replication Strategies
The data in your Azure storage account is always replicated to ensure durability and high availability.
Azure Storage replication copies your data so that it is protected from planned and unplanned events
ranging from transient hardware failures, network or power outages, massive natural disasters, and so on.
You can choose to replicate your data within the same data center, across zonal data centers within the
same region, and even across regions. Replication ensures that your storage account meets the Ser-
vice-Level Agreement (SLA) for Storage even in the face of failures.
Geo-redundant storage
Geo-redundant storage (GRS) replicates your data to a secondary region (hundreds of miles away from
the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of
durability for your data, even if there is a regional outage. GRS is designed to provide at least
99.99999999999999% (16 9's) durability. If your storage account has GRS enabled, then your data is
durable even in the case of a complete regional outage or a disaster in which the primary region isn't
recoverable.
For a storage account with GRS or RA-GRS enabled, all data is first replicated with locally redundant
storage (LRS). An update is first committed to the primary location and replicated using LRS. The update
is then replicated asynchronously to the secondary region using GRS. When data is written to the second-
ary location, it's also replicated within that location using LRS. Both the primary and secondary regions
manage replicas across separate fault domains and upgrade domains within a storage scale unit. The
storage scale unit is the basic replication unit within the datacenter. Replication at this level is provided by
LRS. If you opt for GRS, you have two related options to choose from:
● GRS replicates your data to another data center in a secondary region, but that data is available to be
read only if Microsoft initiates a failover from the primary to secondary region.
● Read-access geo-redundant storage (RA-GRS) is based on GRS. RA-GRS replicates your data to
another data center in a secondary region, and also provides you with the option to read from the
secondary region. With RA-GRS, you can read from the secondary regardless of whether Microsoft
initiates a failover from the primary to the secondary.
● Firewalls and Virtual Networks allows for restricting access to the Storage Account from specific
Subnets on Virtual Networks
● Subnets and Virtual Networks must exist in the same Azure Region or Region Pair as the Storage
Account
✔️ It is important to test and ensure the service endpoint is limiting access as expected.
2. For the Storage Account, use the Shared Access Signature blade to Generate SAS and connection
string.
3. Use Storage Explorer and the connection string to access the file share.
4. Ensure you can view your uploaded file.
Note: This part of the demonstration requires a virtual network with a subnet.
Create a subnet service endpoint
1. Select your virtual network, and then select a subnet in the virtual network.
2. Under Service Endpoints, view the Services drop-down and the different services that can be
secured with an endpoint.
3. Check the Microsoft.Storage option.
4. Save your changes.
Secure the storage to the service endpoint
1. Return to your storage account.
2. Select Firewalls and virtual networks.
3. Change to Selected networks.
4. Add existing virtual network, verify your subnet with the new service endpoint is listed.
5. Save your changes.
Test the storage endpoint
1. Return to the Storage Explorer.
2. Refresh the storage account.
3. You should now have an access error similar to this one:
Note: If you plan to use the storage account in other scenarios be sure to return the account to All
networks in the Firewalls and virtual networks blade.
Blob Storage
Blob Storage
Azure Blob storage is a service that stores unstructured data in the cloud as objects/blobs. Blob storage
can store any type of text or binary data, such as a document, media file, or application installer. Blob
storage is also referred to as object storage.
Common uses of Blob storage include:
● Serving images or documents directly to a browser.
● Storing files for distributed access, such as installation.
● Streaming video and audio.
● Storing data for backup and restore, disaster recovery, and archiving.
● Storing data for analysis by an on-premises or Azure-hosted service.
✔️ Within the storage account, you can group as many blobs as needed in a container. For
more information, Azure Blob Storage2.
Blob Containers
A container provides a grouping of a set of blobs. All blobs must be in a container. An account can
contain an unlimited number of containers. A container can store an unlimited number of blobs. You can
create the container in the Azure Portal.
Name: The name may only contain lowercase letters, numbers, and hyphens, and must begin with a letter
or a number. The name must also be between 3 and 63 characters long.
Public access level: Specifies whether data in the container may be accessed publicly. By default, con-
tainer data is private to the account owner.
● Use Private to ensure there is no anonymous access to the container and blobs.
● Use Blob to allow anonymous public read access for blobs only.
● Use Container to allow anonymous public read and list access to the entire container, including the
blobs.
✔️ You can also create the Blob container with PowerShell using the New-AzStorageContainer com-
mand.
✔️ Have you thought about how you will organize your containers?
● Cool. The Cool tier is optimized for storing large amounts of data that is infrequently accessed and
stored for at least 30 days. Storing data in the Cool tier is more cost-effective, but accessing that data
may be somewhat more expensive than accessing data in the Hot tier.
● Archive. The Archive tier is optimized for data that can tolerate several hours of retrieval latency and
will remain in the Archive tier for at least 180 days. The Archive tier is the most cost-effective option
for storing data, but accessing that data is more expensive than accessing data in the Hot or Cool
tiers.
✔️ If there is a change in the usage pattern of your data, you can switch between these access tiers at
any time.
Data sets have unique lifecycles. Early in the lifecycle, people access some data often. But the need for
access drops drastically as the data ages. Some data stays idle in the cloud and is rarely accessed once
stored. Some data expires days or months after creation, while other data sets are actively read and
modified throughout their lifetimes. Azure Blob storage lifecycle management offers a rich, rule-based
policy for GPv2 and Blob storage accounts. Use the policy to transition your data to the appropriate
access tiers or expire at the end of the data's lifecycle.
The lifecycle management policy lets you:
● Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for
performance and cost.
● Delete blobs at the end of their lifecycles.
● Define rules to be run once per day at the storage account level.
the age of data, you can design the least expensive storage options for your needs. To achieve this
transition, lifecycle management policy rules are available to move aging data to cooler tiers.
Uploading Blobs
A blob can be any type and size file. Azure Storage offers three types of blobs: block blobs, page blobs,
and append blobs. You specify the blob type and access tier when you create the blob.
● Block blobs (default) consist of blocks of data assembled to make a blob. Most scenarios using Blob
storage employ block blobs. Block blobs are ideal for storing text and binary data in the cloud, like
files, images, and videos.
● Append blobs are like block blobs in that they are made up of blocks, but they are optimized for
append operations, so they are useful for logging scenarios.
● Page blobs can be up to 8 TB in size and are more efficient for frequent read/write operations. Azure
virtual machines use page blobs as OS and data disks.
✔️ Once the blob has been created, its type cannot be changed.
● Blobfuse is a virtual file system driver for Azure Blob storage. You can use blobfuse to access your
existing block blob data in your Storage account through the Linux file system.
● Azure Data Box Disk is a service for transferring on-premises data to Blob storage when large
datasets or network constraints make uploading data over the wire unrealistic. You can use Azure Data
Box Disk to request solid-state disks (SSDs) from Microsoft. You can then copy your data to those
disks and ship them back to Microsoft to be uploaded into Blob storage.
● The Azure Import/Export service provides a way to export large amounts of data from your storage
account to hard drives that you provide and that Microsoft then ships back to you with your data.
✔️ Of course, you can always use Azure Storage Explorer.
Storage Pricing
All storage accounts use a pricing model for blob storage based on the tier of each blob. When using a
storage account, the following billing considerations apply:
● Performance tiers: In addition to, the amount of data stored, the cost of storing data varies depend-
ing on the storage tier. The per-gigabyte cost decreases as the tier gets cooler.
● Data access costs: Data access charges increase as the tier gets cooler. For data in the cool and
archive storage tier, you are charged a per-gigabyte data access charge for reads.
● Transaction costs: There is a per-transaction charge for all tiers that increases as the tier gets cooler.
● Geo-Replication data transfer costs: This charge only applies to accounts with geo-replication
configured, including GRS and RA-GRS. Geo-replication data transfer incurs a per-gigabyte charge.
● Outbound data transfer costs: Outbound data transfers (data that is transferred out of an Azure
region) incur billing for bandwidth usage on a per-gigabyte basis, consistent with general-purpose
storage accounts.
● Changing the storage tier: Changing the account storage tier from cool to hot incurs a charge equal
to reading all the data existing in the storage account. However, changing the account storage tier
from hot to cool incurs a charge equal to writing all the data into the cool tier (GPv2 accounts only).
2. Select the container to show a list of blobs it contains. Since this container is new, it won't yet contain
any blobs.
3. Select the Upload button to upload a blob to the container.
4. Expand the Advanced section.
5. Notice the Authentication type, Blob type, Block size, and the ability to Upload to a folder.
6. Notice the default Authentication type type is SAS.
7. Browse your local file system to find a file to upload as a block blob, and select Upload.
8. Upload as many blobs as you like in this way. You'll observe that the new blobs are now listed within
the container.
Download a block blob
You can download a block blob to display in the browser or save to your local file system.
1. Navigate to the list of blobs that you uploaded in the previous section.
2. Right-click the blob you want to download, and select Download.
Storage Security
Storage Security
Azure Storage provides a comprehensive set of security capabilities that together enable developers to
build secure applications. In this lesson, we focus on Shared Access Signatures, but also cover storage
encryption and some best practices. Here are the high-level security capabilities for Azure storage:
● Encryption. All data written to Azure Storage is automatically encrypted using Storage Service
Encryption (SSE).
● Authentication. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) are sup-
ported for Azure Storage for both resource management operations and data operations, as follows:
● You can assign RBAC roles scoped to the storage account to security principals and use Azure AD
to authorize resource management operations such as key management.
● Azure AD integration is supported for data operations on the Blob and Queue services.
● Data in transit. Data can be secured in transit between an application and Azure by using Client-Side
Encryption, HTTPS, or SMB 3.0.
● Disk encryption. OS and data disks used by Azure virtual machines can be encrypted using Azure
Disk Encryption.
● Shared Access Signatures. Delegated access to the data objects in Azure Storage can be granted
using Shared Access Signatures.
Authorization options
Every request made against a secured resource in the Blob, File, Queue, or Table service must be author-
ized. Authorization ensures that resources in your storage account are accessible only when you want
them to be, and only to those users or applications to whom you grant access. Options for authorizing
requests to Azure Storage include:
● Azure Active Directory (Azure AD). Azure AD is Microsoft's cloud-based identity and access man-
agement service. With Azure AD, you can assign fine-grained access to users, groups, or applications
via role-based access control (RBAC).
● Shared Key. Shared Key authorization relies on your account access keys and other parameters to
produce an encrypted signature string that is passed on the request in the Authorization header.
● Shared access signatures. Shared access signatures (SAS) delegate access to a particular resource in
your account with specified permissions and over a specified time interval.
● Anonymous access to containers and blobs. You can optionally make blob resources public at the
container or blob level. A public container or blob is accessible to any user for anonymous read
access. Read requests to public containers and blobs do not require authorization.
A SAS gives you granular control over the type of access you grant to clients who have the SAS, includ-
ing:
● An account-level SAS can delegate access to multiple storage services. For example, blob, file, queue,
and table.
● An interval over which the SAS is valid, including the start time and the expiry time.
● The permissions granted by the SAS. For example, a SAS for a blob might grant read and write
permissions to that blob, but not delete permissions.
Optionally, you can also:
● Specify an IP address or range of IP addresses from which Azure Storage will accept the SAS. For
example, you might specify a range of IP addresses belonging to your organization.
● The protocol over which Azure Storage will accept the SAS. You can use this optional parameter to
restrict access to clients using HTTPS.
✔️ There are two types of SAS: account and service. The account SAS delegates access to resources in
one or more of the storage services. The service SAS delegates access to a resource in just one of the
storage services.
✔️ A stored access policy can provide an additional level of control over service-level SAS on the server
side. You can group shared access signatures and provide additional restrictions for signatures that are
bound by the policy.
3 https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fbl
obs%2ftoc.json
● Permissions: Read
● Start and expiry date/time: Today's date to start, 1 year out for expiry
● Allowed protocols: HTTPS
● Signing key: Key1
6. Copy the Blob Server SAS URL and paste the URL into a browser.
7. Verify the blob file displays.
8. Review the different URL parameters that you learned about in the lesson.
Create a SAS at the account level
1. Return to your storage account.
2. Click Shared access signature.
3. Notice you can configure a variety of services, resource types, and permissions.
4. Click Generate SAS and connection string.
5. Review the connection string, SAS token, and URL information that is provided.
4 https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fbl
obs%2ftoc.json
automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob, Queue, Table
storage, or Azure Files, and decrypts the data before retrieval.
The handling of encryption, encryption at rest, decryption, and key management in Storage Service
Encryption is transparent to users. All data written to the Azure storage platform is encrypted through
256-bit AES encryption, one of the strongest block ciphers available.
✔️ SSE is enabled for all new and existing storage accounts and cannot be disabled. Because your data is
secured by default, you don't need to modify your code or applications.
✔️ To use customer-managed keys with SSE, you can either create a new key vault and key or you can
use an existing key vault and key. The storage account and the key vault must be in the same region, but
they can be in different subscriptions.
Recommendations
The following recommendations for using shared access signatures can help mitigate risks.
● Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an
attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the
intended user could have, potentially compromising sensitive data or allowing for data corruption by
the malicious user.
● Reference stored access policies where possible. Stored access policies give you the option to
revoke permissions without having to regenerate the storage account keys. Set the expiration on
these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the
future.
● Use near-term expiration times on an ad hoc SAS. In this way, even if a SAS is compromised, it's
valid only for a short time. This practice is especially important if you cannot reference a stored access
policy. Near-term expiration times also limit the amount of data that can be written to a blob by
limiting the time available to upload to it.
● Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before
the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your
SAS is meant to be used for a small number of immediate, short-lived operations that are expected to
be completed within the expiration period, then this may be unnecessary as the SAS is not expected
to be renewed. However, if you have a client that is routinely making requests via SAS, then the
possibility of expiration comes into play. The key consideration is to balance the need for the SAS to
be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early
enough (to avoid disruption due to the SAS expiring prior to successful renewal).
● Be careful with SAS start time. If you set the start time for a SAS to now, then due to clock skew
(differences in current time according to different machines), failures may be observed intermittently
access to that single entity, and not read/write/delete access to all entities. This also helps lessen the
damage if a SAS is compromised because the SAS has less power in the hands of an attacker
● Understand that your account will be billed for any usage, including that done with SAS. If you
provide write access to a blob, a user may choose to upload a 200GB blob. If you've given them read
access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again,
provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived
SAS to reduce this threat (but be mindful of clock skew on the end time).
● Validate data written using SAS. When a client application writes data to your storage account, keep
in mind that there can be problems with that data. If your application requires that data be validated
or authorized before it is ready to use, you should perform this validation after the data is written and
before it is used by your application. This practice also protects against corrupt or malicious data
being written to your account, either by a user who properly acquired the SAS, or by a user exploiting
a leaked SAS.
● Don't assume SAS is always the correct choice. Sometimes the risks associated with a particular
operation against your storage account outweigh the benefits of SAS. For such operations, create a
middle-tier service that writes to your storage account after performing business rule validation,
authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For
example, if you want to make all blobs in a container publicly readable, you can make the container
Public, rather than providing a SAS to every client for access.
● Use Storage Analytics to monitor your application. You can use logging and metrics to observe any
spike in authentication failures due to an outage in your SAS provider service or to the inadvertent
removal of a stored access policy.
5 https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
6 https://msdn.microsoft.com/library/windows/desktop/aa365233.aspx
✔️ Ensure port 445 is open. Azure Files uses SMB protocol. SMB communicates over TCP port 445 - en-
sure your firewall is not blocking TCP ports 445 from the client machine.
Azure file shares can be mounted in Linux distributions using the CIFS kernel client. This can be done
on-demand with a mount command or on-boot (persistent) by creating an entry in /etc/fstab.
Share snapshot capability is provided at the file share level. Retrieval is provided at the individual file
level, to allow for restoring individual files. You cannot delete a share that has share snapshots unless you
delete all the share snapshots first.
Share snapshots are incremental in nature. Only the data that has changed after your most recent share
snapshot is saved. This minimizes the time required to create the share snapshot and saves on storage
costs. Even though share snapshots are saved incrementally, you need to retain only the most recent
share snapshot in order to restore the share.
Manage snapshots
1. Access your file share.
2. Select Create Snapshot.
3. Select View Snapshots and verify your snapshot was created.
4. Click the snapshot and verify it includes your uploaded file.
5. Click the file that is part of the snapshot and review the File properties.
6. Notice the choices to Download and Restore the snapshot file.
7. Access the file share and delete the file you previously uploaded.
8. Restore the file from the snapshot.
Create a file share (PowerShell)
1. Gather the storage account name and the storage account key.
Get-AzStorageAccount | fl *name*
Get-AzStorageAccount -ResourceGroupName "YourResourceGroupName" -Name "YourStorageAccount-
Name"
3. Create a context for your storage account and key. The context encapsulates the storage account
name and account key.
$storageContext = New-AzStorageContext -StorageAccountName "YourStorageAccountName" -Storage-
AccountKey $storageAccountKeys[0].value
4. Create the file share. The name of your file share must be all lowercase.
$share = New-AzStorageShare "YourFileShareName" -Context $storageContext
# The value given to the root parameter of the New-PSDrive cmdlet is the host address for the storage
account,
# storage-account.file.core.windows.net for Azure Public Regions. $fileShare.StorageUri.PrimaryUri.Host is
# used because non-Public Azure regions, such as sovereign clouds or Azure Stack deployments, will
have different
# hosts for Azure file shares (and other storage resources).
$password = ConvertTo-SecureString -String $storageAccountKeys[0].Value -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "AZURE\$($stor-
ageAccount.StorageAccountName)", $password
New-PSDrive -Name desired-drive-letter -PSProvider FileSystem -Root "\\$($fileShare.StorageUri.Prima-
ryUri.Host)\$($fileShare.Name)" -Credential $credential -Persist
When finished, you can dismount the file share by running the following command:
Remove-PSDrive -Name desired-drive-letter
File Sync
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibili-
ty, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows
Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows
Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you
need across the world.
8 https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning
Sync group. A sync group defines the sync topology for a set of files. Endpoints within a sync group are
kept in sync with each other. If, for example, you have two distinct sets of files that you want to manage
with Azure File Sync, you would create two sync groups and add different endpoints to each sync group.
A Storage Sync Service can host as many sync groups as you need.
Registered server. The registered server object represents a trust relationship between your server (or
cluster) and the Storage Sync Service. You can register as many servers to a Storage Sync Service instance
as you want. However, a server (or cluster) can be registered with only one Storage Sync Service at a time.
Azure File Sync agent. The Azure File Sync agent is a downloadable package that enables Windows
Server to be synced with an Azure file share. The Azure File Sync agent has three main components:
● FileSyncSvc.exe: The background Windows service that is responsible for monitoring changes on
server endpoints, and for initiating sync sessions to Azure.
● StorageSync.sys: The Azure File Sync file system filter, which is responsible for tiering files to Azure
Files (when cloud tiering is enabled).
● PowerShell management cmdlets: PowerShell cmdlets that you use to interact with the Microsoft.
StorageSync Azure resource provider. You can find these at the following (default) locations:
● C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
● C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll
Server endpoint. A server endpoint represents a specific location on a registered server, such as a folder
on a server volume. Multiple server endpoints can exist on the same volume if their namespaces do not
overlap (for example, F:\sync1 and F:\sync2). You can configure cloud tiering policies individually for each
server endpoint. You can create a server endpoint via a mountpoint. Note, mountpoints within the server
endpoint are skipped. You can create a server endpoint on the system volume but, there are two limita-
tions if you do so:
● Cloud tiering cannot be enabled.
● Rapid namespace restore (where the system quickly brings down the entire namespace and then
starts to recall content) is not performed.
Cloud endpoint. A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file
share syncs, and an Azure file share can be a member of only one cloud endpoint. Therefore, an Azure file
share can be a member of only one sync group. If you add an Azure file share that has an existing set of
files as a cloud endpoint to a sync group, the existing files are merged with any other files that are
already on other endpoints in the sync group.
2. Prepare Windows Server to use with Azure File Sync. For each server that you intend to use with
Azure File Sync, including server nodes in a Failover Cluster, you will need to configure the server.
Preparation steps include temporarily disabling Internet Explorer Enhanced Security and ensuring you
have latest PowerShell version.
3. Install the Azure File Sync Agent. The Azure File Sync agent is a downloadable package that enables
Windows Server to be synced with an Azure file share. The Azure File Sync agent installation package
should install relatively quickly. We recommend that you keep the default installation path and that
you enable Microsoft Update to keep Azure File Sync up to date.
4. Register Windows Server with Storage Sync Service. When the Azure File Sync agent installation is
finished, the Server Registration UI automatically opens. Registering Windows Server with a Storage
Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync
Service. Registration requires your Subscription ID, Resource Group, and Storage Sync Service (created
in step one). A server (or cluster) can be registered with only one Storage Sync Service at a time.
✔️ Once File Sync is configured you will need to setup file synchronization.
Managing Storage
Azure Storage Explorer
Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on
Windows, macOS, and Linux. With Storage Explorer you can access multiple accounts and subscriptions
and manage all your storage content.
To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource
Manager) and data layer permissions. This means that you need Azure Active Directory (Azure AD)
permissions, which give you access to your storage account, the containers in the account, and the data
in the containers.
Connecting to storage
● Connect to storage accounts associated with your Azure subscriptions.
● Connect to storage accounts and services that are shared from other Azure subscriptions.
● Connect to and manage local storage by using the Azure Storage Emulator.
In addition, you can work with storage accounts in global and national Azure:
● Attach to external storage. Manage storage resources that belong to another Azure subscription or
that are under national Azure clouds by using the storage account's name, key, and endpoints (shown
below.)
● Attach a storage account by using an SAS. Manage storage resources that belong to another Azure
subscription by using a shared access signature (SAS).
● Attach a service by using an SAS. Manage a specific storage service (blob container, queue, or table)
that belongs to another Azure subscription by using an SAS.
● Connect to an Azure Cosmos DB account by using a connection string. Manage Cosmos DB
account by using a connection string.
To use a name and key from a national cloud, use the Storage endpoints domain drop-down to select
Other and then enter the custom storage endpoint domain.
✔️ Access keys to authenticate your applications when making requests to this Azure storage account.
Store your access keys securely - for example, using Azure Key Vault - and don't share them. We recom-
mend regenerating your access keys regularly. You are provided two access keys so that you can maintain
connections using one key while regenerating the other.
When you regenerate your access keys, you must update any Azure resources and applications that
access this storage account to use the new keys. This action will not interrupt access to disks from your
virtual machines. We will cover access keys in more detail later.
✔️ Notice this connection method provides access to the entire storage account.
For more information, Get started with Storage Explorer9.
www.androdagger.com Telegram: @androdagger
Import and Export Service
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and
Azure Files by shipping disk drives to an Azure datacenter. This service can also be used to transfer data
from Azure Blob storage to disk drives and ship to your on-premises sites. Data from one or more disk
9 https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
drives can be imported either to Azure Blob storage or Azure Files. With the Azure Import/Export service,
you supply your own disk drives and transfer data yourself.
Usage Cases
Consider using Azure Import/Export service when uploading or downloading data over the network is too
slow or getting additional network bandwidth is cost-prohibitive. Scenarios where this would be useful
include:
● Migrating data to the cloud. Move large amounts of data to Azure quickly and cost effectively.
● Content distribution. Quickly send data to your customer sites.
● Backup. Take backups of your on-premises data to store in Azure blob storage.
● Data recovery. Recover large amount of data stored in blob storage and have it delivered to your
on-premises location.
Import Jobs
An Import job securely transfers large amounts of data to Azure Blob storage (block and page blobs) and
Azure Files by shipping disk drives to an Azure datacenter. In this case, you will be shipping hard drives
containing your data.
Export Jobs
Export jobs transfer data from Azure storage to hard disk drives and ship to your on-premise sites.
10 https://azure.microsoft.com/en-us/documentation/articles/storage-import-export-service/
Data Box
Move stored or in-flight data to Azure quickly and cost-effectively. There are Data Box products for both
offline and online scenarios.
AzCopy
An alternative method for transferring data is AzCopy. AzCopy v10 is the next-generation command-line
utility for copying data to/from Microsoft Azure Blob and File storage, which offers a redesigned com-
www.androdagger.com Telegram: @androdagger
mand-line interface and new architecture for high-performance reliable data transfers. Using AzCopy, you
can copy data between a file system and a storage account, or between storage accounts.
11 https://azure.microsoft.com/en-us/services/storage/databox/
New features
Synchronize a file system to Azure Blob or vice versa. Ideal for incremental copy scenarios.
● Supports Azure Data Lake Storage Gen2 APIs.
● Supports copying an entire account (Blob service only) to another account.
● Account to account copy is now using the new Put from URL APIs. No data transfer to the client is
needed which makes the transfer faster.
● List/Remove files and blobs in a given path.
● Supports wildcard patterns in a path as well as –include and –exclude flags.
● Improved resiliency: every AzCopy instance will create a job order and a related log file. You can view
and restart previous jobs and resume failed jobs. AzCopy will also automatically retry a transfer after a
failure.
● General performance improvements.
Authentication options
● Azure Active Directory (Supported for Blob and ADLS Gen2 services). Use .\azcopy login to sign in
using Azure Active Directory. The user should have Storage Blob Data Contributor role assigned to
write to Blob storage using Azure Active Directory authentication.
● SAS tokens (supported for Blob and File services). Append the SAS token to the blob path on the
command line to use it.
Getting started
AzCopy has a simple self-documented syntax. Here's how you can get a list of available commands:
AzCopy /?
12 https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
6. Paste your account name in the Account name text box, and paste your account key (the key1 value
from the Azure portal) into the Account key text box, and then select Next.
7. Verify your storage account is available in the navigation pane. You may need to refresh the page.
8. Right-click your storage account and notice the choices including Open in portal, Copy primary key,
and Add to Quick Access.
Generate a SAS connection string for the account you want to share
1. In Storage Explorer, right-click the storage account you want share, and then select Get Shared
Access Signature.
2. Specify the time frame and permissions that you want for the account, and then click the Create
button.
3. Next to the Connection String text box, select Copy to copy it to your clipboard, and then click Close.
Attach to a storage account by using a SAS Connection string
1. In Storage Explorer, open the Connect Dialog.
2. Choose Use a connection string and then click Next.
3. Paste your connection string into the Connection string: field. The Display name: field should
populate. Click the Next button.
4. Verify the information is correct, and select Connect.
5. After the storage account has successfully been attached, the storage account is displayed in the
Local and Attached node with (SAS) appended to its name.
Demonstration - AzCopy
In this demonstration, we will explore AzCopy.
Install the AzCopy tool
1. Download your version of AZCopy - Get started with AZCopy13
2. Install and launch the tool.
Explore the help
1. View the help.
azcopy /?
2. Scroll to the top of the Help information and read about the Common options, like: source, destina-
tion, source key, and destination key.
3. Scroll down the Samples section. We will be trying several of these examples. Are any of these
examples particularly interesting to you?
Download a blob from Blob storage to the file system
Note: This example requires an Azure storage account with blob container and blob file. You will also
www.androdagger.com Telegram: @androdagger
need to capture parameters in a text editor like Notepad.
1. Access the Azure portal.
2. Access your storage account with the blob you want to download.
13 https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
3. Select Access keys and copy the Key Key1 value. This will be the sourcekey: value.
4. Drill down to the blob of interest, and view the file Properties.
5. Copy the URL information. This will be the source: value.
6. Locate a local destination directory. This will be the dest: value. A filename is also required.
7. Construct the command using your values.
Lab scenario
You need to evaluate the use of Azure storage for storing files residing currently in on-premises data
stores. While majority of these files are not accessed frequently, there are some exceptions. You would
like to minimize cost of storage by placing less frequently accessed files in lower-priced storage tiers. You
also plan to explore different protection mechanisms that Azure Storage offers, including network access,
authentication, authorization, and replication. Finally, you want to determine to what extent Azure Files
service might be suitable for hosting your on-premises file shares.
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Create and configure Azure Storage accounts.
● Task 3: Manage blob storage.
● Task 4: Manage authentication and authorization for Azure Storage.
● Task 5: Create and configure an Azure Files shares.
● Task 6: Manage network access for Azure Storage.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
You need to configure the storage to meet the requirements. What should you do? Select one.
Create a new container, move all the blobs to the new container, and then set the public
access levelto Blob.
Set the public access level to Blob on all the existing containers.
Create a new shared access signature for the storage account and then set the allowed
permissions o
tRead, set the allowed resource types to Object, and set the allowed services to Blob.
Create a new access key for the storage account and then provide the connection string in the
storageconnectivity information to the public.
Review Question 2
Your company is planning to storage log data, crash dump files, and other diagnostic data for Azure VMs in
Azure. The company has issued the following requirements for the storage:
● Administrators must be able to browse to the data in File Explorer.
● Access over SMB 3.0 must be supported.
● The storage must support quotas.
You need to choose the storage type to meet the requirements. Which storage type should you use? Select
one.
Azure Files
Table storage
Blob storage
Queue storage
Review Question 3
Your company provides cloud software to audit administrative access in Microsoft Azure resources. The
software logs all administrative actions (including all clicks and text input) to log files. The software is about
to be released from beta and the company is concerned about storage performance. You need to deploy a
storage solution for the log files to maximize performance. What should you do? Select one.
Deploy Azure Files using SMB 3.0.
Deploy Azure Table Storage.
Deploy Azure Queues Storage.
Deploy blob storage using block blobs.
Deploy blob storage using append blobs.
Review Question 4
Your company is building an app in Azure. The app has the following storage requirements:
● Storage must be reachable programmatically through a REST API.
● Storage must be globally redundant.
● Storage must be accessible privately within the company's Azure environment.
● Storage must be optimal for unstructured data.
Which type of Azure storage should you use for the app? Select one.
Azure Data Lake store
Azure Table Storage
Azure Blob Storage
Azure File Storage
Review Question 5
You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create
containers to store each type of file and want to limit access to those files for specific periods. Additionally,
the files can only be accessed through shared access signatures (SAS).
You need the ability to revoke access to the files and to change the period for which users can access the
files. What should you do in order to accomplish this in the most simple and effective way? Select one.
Create an SAS for each user and delete the SAS when you want to prevent access.
Use Azure Rights Management Services (RMS) to control access to each file.
Implement stored access policies for each container to enable revocation of access or
change ofduration.
Periodically regenerate the account key to control access to the files.
www.androdagger.com Telegram: @androdagger
MCT USE ONLY. STUDENT USE PROHIBITED
Review Question 6
You need to provide a contingent staff employee temporary read-only access to the contents of an Azure
storage account container named media. It is important that you grant access while adhering to the security
principle of least-privilege. What should you do? Select one.
Set the public access level to Container.
Generate a shared access signature (SAS) token for the container.
Share the container entity tag (Etag) with the contingent staff member.
Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.
Review Question 7
Your organization maintains historical images for large media companies. There are thousands of photos
requiring over 600 TB of storage. Your datacenter has only limited bandwidth, and you need to quickly move
the data to Azure blob storage. Additionally, security of the data including chain of custody logs and 256-bit
encryption is required. Which of the following products would you recommend using? Select one.
CDN
Data Box
Data Box Heavy
Data Box Gateway
Data Box Edge
Import/Export
Review Question 8
You are using blob storage. Which of the following is true? Select one.
The cool access tier is for frequent access of objects in the storage account.
The hot access tier is for storing large amounts of data that is infrequently accessed.
The performance tier you select does not affect pricing.
You can switch between hot and cool performance tiers at any time.
Review Question 9
You are planning a delegation model for your Azure storage. The company has issued the following require-
ments for Azure storage access:
● Apps in the non-production environment must have automated time-limited access
● Apps in the production environment must have unrestricted access to storage resources
You need to configure storage access to meet the requirements. What should you do? (Each answer presents
part of the solution. Select two.
Use shared access signatures for the non-production apps.
Use shared access signatures for the production apps.
Use access keys for the non-production apps.
Use access keys for the production apps.
Use Stored Access Policies for the production apps.
Use Cross Origin Resource Sharing for the non-production apps.
Review Question 10
Your company has a file server named FS01. The server has a single shared folder that users' access to
shared files. The company wants to make the same files available from Microsoft Azure. The company has
the following requirements:
● Microsoft Azure should maintain the exact same data as the shared folder on FS01.
● Files deleted on either side (on-premises or cloud) shall be subsequently and automatically deleted
from the other side (on-premises or cloud).
You need to implement a solution to meet the requirements. What should you do? Select one.
Deploy DFS Namespaces.
Install and use AZCopy.
Deploy Azure File Sync.
Install and use Azure Storage Explorer.
Deploy storage tiering.
Review Question 11
Which of the following replicates your data to a secondary region, maintains six copies of your data, and is
the default replication option. Select one.
Locally-redundant storage
Geo-redundant storage
Read-access geo-redundant storage
Zone-redundant storage
Review Question 12
You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new
storage account. You need to move half of the data from the existing storage account to the new storage
account. What tool should you use? Select one.
Use the Azure portal
Use File Server Resource Manager
Use the Robocopy command-line tool
Use the AzCopy command-line tool
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Create an Azure Storage account14
● Secure your Azure Storage15
● Optimize storage performance and costs using Blob storage tiers16
● Make your application storage highly available with read-access geo-redundant storage17
● Copy and move blobs from one container or storage account to another from the command
line and in code18
● Move large amounts of data to the cloud by using Azure Data Box family19
● Monitor, diagnose, and troubleshoot your Azure storage20
Answers
Review Question 1
You work for an open source development company. You use Microsoft Azure for a variety of storage
needs. Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each
block blob is in its own container. Each container is set to default settings. In total, you have 50 block
blobs. The company has decided to provide read access to the data in the block blobs, as part of releas-
ing more information about their open source development efforts. You need to reconfigure the storage
to meet the following requirements:
You need to configure the storage to meet the requirements. What should you do? Select one.
■ Create a new container, move all the blobs to the new container, and then set the public access level
to Blob.
Set the public access level to Blob on all the existing containers.
Create a new shared access signature for the storage account and then set the allowed
permissions o
tRead, set the allowed resource types to Object, and set the allowed services to Blob.
Create a new access key for the storage account and then provide the connection string in the
storageconnectivity information to the public.
Explanation
In this scenario, you need to reconfigure 50 containers. While you can do that, it goes against the require-
ment to reduce the administrative overhead of future access changes. A shared access signature could work
here, but not with the settings outlined in the answer choice. An access key is meant for use by your apps
when communicating internally in Azure to the storage. In this scenario, you should create a new container,
move the existing blobs, and then set the public access level to Blob. In the future, when access changes are
required, you can configure the single container (which would contain all blobs).
Review Question 2
Your company is planning to storage log data, crash dump files, and other diagnostic data for Azure VMs
in Azure. The company has issued the following requirements for the storage:
You need to choose the storage type to meet the requirements. Which storage type should you use?
Select one.
■ Azure Files
Table storage
Blob storage
Queue storage
Explanation
Azure Files supports SMB 3.0, is reachable via File Explorer, and supports quotas. The other storage types do
not support the requirements. While blob storage is good for unstructured data, it cannot be accessed over
SMB 3.0.
www.androdagger.com Telegram: @androdagger
MCT USE ONLY. STUDENT USE PROHIBITED
Review Question 3
Your company provides cloud software to audit administrative access in Microsoft Azure resources. The
software logs all administrative actions (including all clicks and text input) to log files. The software is
about to be released from beta and the company is concerned about storage performance. You need to
deploy a storage solution for the log files to maximize performance. What should you do? Select one.
Deploy Azure Files using SMB 3.0.
Deploy Azure Table Storage.
Deploy Azure Queues Storage.
Deploy blob storage using block blobs.
■ Deploy blob storage using append blobs.
Explanation
Append blobs optimize append operations (writes adding onto a log file, for example). In this scenario, the
company needs to write data to log files, most often appending data (until a new log file is generated). Block
blobs are cost efficient but not designed specifically for append operations, so performance isn't as high.
Queue Storage is used for apps to communicate. Table Storage is a NoSQL database but not optimized for
this scenario. Azure Files is geared for SMB storage, such as from Windows Servers but doesn't offer the
optimized solution that append blobs do.
Review Question 4
Your company is building an app in Azure. The app has the following storage requirements:
Which type of Azure storage should you use for the app? Select one.
Azure Data Lake store
Azure Table Storage
■ Azure Blob Storage
Azure File Storage
Explanation
Azure Blob Storage is optimal for unstructured data and meets the requirements for the company's app.
Azure Data Lake supports some of the requirements, such as unstructured data and REST API access.
However, Azure Data Lake is geared for analytics workloads and is only available as locally-redundant (mul-
tiple copies of data in a single Azure region).
Review Question 5
You use a Microsoft Azure storage account for storing large numbers of video and audio files. You create
containers to store each type of file and want to limit access to those files for specific periods. Additional-
ly, the files can only be accessed through shared access signatures (SAS).
You need the ability to revoke access to the files and to change the period for which users can access the
files. What should you do in order to accomplish this in the most simple and effective way? Select one.
Create an SAS for each user and delete the SAS when you want to prevent access.
Use Azure Rights Management Services (RMS) to control access to each file.
■ Implement stored access policies for each container to enable revocation of access or change of
duration.
Periodically regenerate the account key to control access to the files.
Explanation
You should implement stored access policies which will let you change access based on permissions or
duration by replacing the policy with a new one or deleting it altogether to revoke access. While Azure RMS
would protect the files, there would be administrative complexity involved whereas stored access policies
achieves the goal in the simplest way. Creating a SAS for each user would also involve a great amount of
administrative overhead. Regenerating keys would prevent all users from accessing all files at the same
time.
Review Question 6
You need to provide a contingent staff employee temporary read-only access to the contents of an Azure
storage account container named media. It is important that you grant access while adhering to the
security principle of least-privilege. What should you do? Select one.
Set the public access level to Container.
■ Generate a shared access signature (SAS) token for the container.
Share the container entity tag (Etag) with the contingent staff member.
Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account.
Explanation
You should generate a SAS token for the container which provides access either to entire containers or
blobs. You should not share the Etag with the contingent staff member. Azure uses Etags to control concur-
rent access to resources and do not deliver the appropriate security controls. Setting the public access level
to Container would not conform to the principle of least privilege as the container now becomes open to
public connections with no time limitation. CORS is a Hypertest Transfer Protocol (HTTP) mechanism that
enables cross-domain resource access but does not provide security-based resource access control.
Review Question 7
Your organization maintains historical images for large media companies. There are thousands of photos
requiring over 600 TB of storage. Your datacenter has only limited bandwidth, and you need to quickly
move the data to Azure blob storage. Additionally, security of the data including chain of custody logs
and 256-bit encryption is required. Which of the following products would you recommend using? Select
one.
CDN
Data Box
■ Data Box Heavy
Data Box Gateway
Data Box Edge
Import/Export
Explanation
Data Box Heavy. This product supports 1 PB total capacity per order and up to 800 TB usable capacity per
order.
Review Question 8
You are using blob storage. Which of the following is true? Select one.
The cool access tier is for frequent access of objects in the storage account.
The hot access tier is for storing large amounts of data that is infrequently accessed.
The performance tier you select does not affect pricing.
■ You can switch between hot and cool performance tiers at any time.
Explanation
You can switch between peformance tiers at any time. Changing the account storage tier from cool to hot
incurs a charge equal to reading all the data existing in the storage account. However, changing the
account storage tier from hot to cool incurs a charge equal to writing all the data into the cool tier (GPv2
accounts only).
Review Question 9
You are planning a delegation model for your Azure storage. The company has issued the following
requirements for Azure storage access:
You need to configure storage access to meet the requirements. What should you do? (Each answer
presents part of the solution. Select two.
■ Use shared access signatures for the non-production apps.
Use shared access signatures for the production apps.
Use access keys for the non-production apps.
■ Use access keys for the production apps.
Use Stored Access Policies for the production apps.
Use Cross Origin Resource Sharing for the non-production apps.
Explanation
Shared access signatures provide a way to provide more granular storage access than access keys. For
example, you can limit access to “read only” and you can limit the services and types of resources. Shared
access signatures can be configured for a specified amount of time, which meets the scenario’s require-
ments. Access keys provide unrestricted access to the storage resources, which is the requirement for
production apps in this scenario.
Review Question 10
Your company has a file server named FS01. The server has a single shared folder that users' access to
shared files. The company wants to make the same files available from Microsoft Azure. The company has
the following requirements:
You need to implement a solution to meet the requirements. What should you do? Select one.
Deploy DFS Namespaces.
Install and use AZCopy.
■ Deploy Azure File Sync.
Install and use Azure Storage Explorer.
Deploy storage tiering.
Explanation
In this scenario, only Azure File sync can keep FS01 and Azure synced up and maintaining the same data.
While AZCopy can copy data, it isn't a sync solution to have both sources maintain the exact same files.
Storage tiering is used for internal tiering (SSD and HDD, for example). While DFS Replication could fit here,
DFS Namespace doesn't offer the replication component. Storage Explorer is a tool for managing different
storage platforms.
Review Question 11
Which of the following replicates your data to a secondary region, maintains six copies of your data, and
is the default replication option. Select one.
Locally-redundant storage
Geo-redundant storage
www.androdagger.com Telegram: @androdagger
■ Read-access geo-redundant storage
Zone-redundant storage
Explanation
Read-access geo-redundant storage (GRS) is the default replication option.
Review Question 12
You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new
storage account. You need to move half of the data from the existing storage account to the new storage
account. What tool should you use? Select one.
Use the Azure portal
Use File Server Resource Manager
Use the Robocopy command-line tool
■ Use the AzCopy command-line tool
Explanation
The key in this scenario is that you need to move data between storage accounts. The AzCopy tool can work
with two different storage accounts. The other tools do not copy data between storage accounts. Alterna-
tively, although not one of the answer choices, you can use Storage Explorer to copy data between storage
accounts.
Planning Checklist
Provisioning VMs to Azure requires planning. Before you create a single VM be sure you have thought
about the following:
● Start with the network
● Name the VM
● Decide the location for the VM
● Determine the size of the VM
● Understanding the pricing model
● Storage for the VM
● Select an operating system
Name the VM
One piece of information people often don't put much thought into is the name of the VM. The VM
name is used as the computer name, which is configured as part of the operating system. You can specify
a name of up to 15 characters on a Windows VM and 64 characters on a Linux VM.
This name also defines a manageable Azure resource, and it's not trivial to change later. That means you
should choose names that are meaningful and consistent, so you can easily identify what the VM does. A
good convention is to include the following information in the name:
Compute costs - Compute expenses are priced on a per-hour basis but billed on a per-minute basis. For
example, you are only charged for 55 minutes of usage if the VM is deployed for 55 minutes. You are not
charged for compute capacity if you stop and deallocate the VM since this releases the hardware. The
hourly price varies based on the VM size and OS you select. The cost for a VM includes the charge for the
Windows operating system. Linux-based instances are cheaper because there is no operating system
license charge.
Storage costs - You are charged separately for the storage the VM uses. The status of the VM has no
relation to the storage charges that will be incurred; even if the VM is stopped/deallocated and you aren’t
billed for the running VM, you will be charged for the storage used by the disks.
You're able to choose from two payment options for compute costs:
1. Consumption-based - With the consumption-based option, you pay for compute capacity by the
second. You're able to increase or decrease compute capacity on demand as well as start or stop at
any time. Prefer this option if you run applications with short-term or unpredictable workloads that
cannot be interrupted. For example, if you are doing a quick test, or developing an app in a VM, this
would be the appropriate option.
2. Reserved Virtual Machine Instances -The Reserved Virtual Machine Instances (RI) option is an
advance purchase of a virtual machine for one or three years in a specified region. The commitment is
made up front, and in return, you get up to 72% price savings compared to pay-as-you-go pricing. RIs
are flexible and can easily be exchanged or returned for an early termination fee. Prefer this option if
the VM has to run continuously, or you need budget predictability, and you can commit to using the
VM for at least a year.
Temporary Disk
Every VM contains a temporary disk, which is not a managed disk. The temporary disk provides short-
term storage for applications and processes and is intended to only store data such as page or swap files.
Data on the temporary disk may be lost during a maintenance event or when you redeploy a VM. During
a standard reboot of the VM, the data on the temporary drive should persist. However, there are cases
where the data may not persist, such as moving to a new host. Therefore, any data on the temp drive
should not be data that is critical to the system.
● On Windows virtual machines, this disk is labeled as the D: drive by default and it used for storing
pagefile.sys.
● On Linux virtual machines, the disk is typically /dev/sdb and is formatted and mounted to /mnt by the
Azure Linux Agent.
✔️ Don’t store data on the temporary disk. It provides temporary storage for applications and processes
and is intended to only store data such as page or swap files.
Data Disks
A data disk is a managed disk that's attached to a virtual machine to store application data, or other data
you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose.
Each data disk has a maximum capacity of 4,095 gibibytes (GiB). The size of the virtual machine deter-
mines how many data disks you can attach to it and the type of storage you can use to host the disks.
Storage Operations
Azure Premium Storage delivers high-performance, low-latency disk support for virtual machines (VMs)
with input/output (I/O)-intensive workloads. VM disks that use Premium Storage store data on solid-state
drives (SSDs). To take advantage of the speed and performance of premium storage disks, you can
migrate existing VM disks to Premium Storage.
Unmanaged disks
The original method is to use unmanaged disks. In an unmanaged disk, you manage the storage ac-
counts that you use to store the virtual hard disk (VHD) files that correspond to your VM disks. VHD files
are stored as page blobs in Azure storage accounts.
Managed disks
An Azure managed disk is a virtual hard disk (VHD). You can think of it like a physical disk in an on-prem-
ises server but, virtualized. Azure managed disks are stored as page blobs, which are a random IO storage
object in Azure. We call a managed disk ‘managed’ because it is an abstraction over page blobs, blob
containers, and Azure storage accounts. With managed disks, all you have to do is provision the disk, and
Azure takes care of the rest. When you select to use Azure managed disks with your workloads, Azure
creates and manages the disk for you. The available types of disks are Ultra Solid State Drives (SSD),
Premium SSD, Standard SSD, and Standard Hard Disk Drives (HDD).
✔️ For the best performance for your application, we recommend that you migrate any VM disk that
requires high IOPS to Premium Storage. If your disk does not require high IOPS, you can help limit costs
by keeping it in standard Azure Storage. In standard storage, VM disk data is stored on hard disk drives
(HDDs) instead of on SSDs.
✔️ Managed disks are required for the single instance virtual machine SLA (99.95%).
3 https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines
4 https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros
Bastion Connections
The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your
virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in
the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a
public IP address.
Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it is provi-
sioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside
world while still providing secure access using RDP/SSH. With Azure Bastion, you connect to the virtual
machine directly from the Azure portal. You don't need an additional client, agent, or piece of software.
Latest Images
● Windows Server 2019 is the latest Long-Term Servicing Channel (LTSC) release with five years of
mainstream support + five years of extended support. Choose the image that is right for your applica-
tion needs: 1) Server with Desktop Experience includes all roles including the graphical user interface
(GUI), 2) Server Core omits the GUI for a smaller OS footprint, or 3) Containers option includes the
Server with Desktop Experience, plus ready-made container images.
● Windows Server 2019 Datacenter - Server with Desktop Experience
● Windows Server 2019 Datacenter - with Containers
● Windows Server 2019 Datacenter - Server Core
● Windows Server 2019 Datacenter - Server Core with Containers
Windows Server Semi-Annual Channel releases deliver new operating system capabilities at a faster pace
and are based on the Server Core installation option of the Datacenter edition. A new release comes out
every six months and is supported for 18 months. Check the Lifecycle Support Page for support dates and
always use the latest release if possible.
✔️ There are also a large number of Windows Server 2016 and Windows Server 2012 images.
For more information, Windows Virtual Machines Documentation5.
Windows VM Connections
To manage an Azure Windows VM, you can use the same set of tools that you used to deploy it. Howev-
er, you will also want to interact with an operating system (OS) running within the VM. The methods you
can use to accomplish this are OS-specific and include the following options:
● Remote Desktop Protocol (RDP) allows you to establish a graphical user interface (GUI) session to
an Azure VM that runs any supported version of Windows. The Azure portal automatically enables the
Connect button on the Azure Windows VM blade if the VM is running and accessible via a public or
private IP address, and if it accepts inbound traffic on TCP port 3389. After you click this button, the
portal will automatically provision an .rdp file, which you can either open or download. Opening the
file initiates an RDP connection to the corresponding VM. You will get a warning that the .rdp file is
from an unknown publisher. This is expected. When connecting be sure to use credentials for the
virtual machine. The Azure PowerShell Get-AzRemoteDesktopFile cmdlet provides the same func-
tionality.
5 https://docs.microsoft.com/en-us/azure/virtual-machines/windows/
Linux VM Connections
When you create a Linux VM, you can decide to authenticate with an SSH public key or Password.
SSH connections
SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is
the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypt-
ed connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force
attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH
is by using a public-private key pair, also known as SSH keys.
● The public key is placed on your Linux VM, or any other service that you wish to use with public-key
cryptography.
● The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests
the client to make sure it possesses the private key. If the client has the private key, it's granted access to
the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to
access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service
you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should
possess your private key.
✔️ Azure currently requires at least a 2048-bit key length and the SSH-RSA format for public and private
keys.
6. Copy the text of the Public key for pasting into authorized keys file.
7. Optionally you can specify a Key passphrase and then Confirm passphrase. You will be prompted for
the passphrase when you authenticate to the VM with your private SSH key. Without a passphrase, if
someone obtains your private key, they can sign in to any VM or service that uses that key. We recom-
mend you create a passphrase. However, if you forget the passphrase, there is no way to recover it.
8. Click Save private key.
9. Choose a location and filename and click Save. You will need this file to access the VM.
Create the Linux machine and assign the public SSH key
1. In the portal create a Linux machine of your choice.
2. Choose SSH Public Key for the Authentication type (instead of Password ).
3. Provide a Username.
4. Paste the public SSH key from PuTTY into the SSH public key text area. Ensure the key validates with
a checkmark.
5. Create the VM. Wait for it to deploy.
6. Access the running VM.
7. From the Overview blade, click Connect.
8. Make a note of your login information including user and public IP address.
Access the server using SSH
1. Open the PuTTY tool.
2. Enter username@publicIpAddress where username is the value you assigned when creating the VM
and publicIpAddress is the value you obtained from the Azure portal.
3. Specify 22 for the Port.
4. Choose SSH in the Connection Type option group.
5. Navigate to SSH in the Category panel, then click Auth.
6. Click the Browse button next to Private key file for authentication.
7. Navigate to the private key file saved when you generated the SSH keys and click Open.
8. From the main PuTTY screen click Open.
9. You will now be connected to your server command line.
An Unplanned Hardware Maintenance event occurs when the Azure platform predicts that the hard-
ware or any platform component associated to a physical machine, is about to fail. When the platform
predicts a failure, it will issue an unplanned hardware maintenance event. Azure uses Live Migration
technology to migrate the Virtual Machines from the failing hardware to a healthy physical machine. Live
Migration is a VM preserving operation that only pauses the Virtual Machine for a short time, but perfor-
mance might be reduced before and/or after the event.
Unexpected Downtime is when the hardware or the physical infrastructure for the virtual machine fails
unexpectedly. This can include local network failures, local disk failures, or other rack level failures. When
detected, the Azure platform automatically migrates (heals) your virtual machine to a healthy physical
machine in the same datacenter. During the healing procedure, virtual machines experience downtime
(reboot) and in some cases loss of the temporary drive.
Planned Maintenance events are periodic updates made by Microsoft to the underlying Azure platform
to improve overall reliability, performance, and security of the platform infrastructure that your virtual
machines run on. Most of these updates are performed without any impact upon your Virtual Machines
or Cloud Services.
Note: Microsoft does not automatically update your VM's OS or software. You have complete control and
responsibility for that. However, the underlying software host and hardware are periodically patched to
ensure reliability and high performance at all times.
✔️ What plans do you have in place to minimize the effect of downtime?
Availability Sets
An Availability Set is a logical feature used to ensure that a group of related VMs are deployed so that
they aren't all subject to a single point of failure and not all upgraded at the same time during a host
operating system upgrade in the datacenter. VMs placed in an availability set should perform an identical
set of functionalities and have the same software installed.
Azure ensures that the VMs you place within an Availability Set run across multiple physical servers,
compute racks, storage units, and network switches. If a hardware or Azure software failure occurs, only a
subset of your VMs are impacted, and your overall application stays up and continues to be available to
your customers.
www.androdagger.com Telegram: @androdagger
Availability Sets are an essential capability when you want to build reliable cloud solutions. When creating
Availability sets keep these principles in mind.
● For redundancy, configure multiple virtual machines in an Availability Set.
● Configure each application tier into separate Availability Sets.
Update domains
An upgrade domain (UD) is a group of nodes that are upgraded together during the process of a
service upgrade (rollout). An update domain allows Azure to perform incremental or rolling upgrades
across a deployment. Each update domain contains a set of virtual machines and associated physical
hardware that can be updated and rebooted at the same time. During planned maintenance, only one
update domain is rebooted at a time. By default, there are five (non-user-configurable) update domains,
but you configure up to twenty update domains.
Fault domains
A fault domain (FD) is a group of nodes that represent a physical unit of failure. A fault domain defines a
group of virtual machines that share a common set of hardware, switches, that share a single point of
failure. For example, a server rack serviced by a set of power or networking switches. VMs in an availabili-
ty set are placed in at least two fault domains. This mitigates against the effects of hardware failures,
network outages, power interruptions, or software updates. Think of a fault domain as nodes belonging
to the same physical rack.
✔️ Placing your virtual machines into an availability set does not protect your application from operating
system or application-specific failures. For that, you need to review other disaster recovery and backup
techniques.
Availability Zones
Availability Zones is a high-availability offering that protects your applications and data from datacenter
failures.
● The physical separation of Availability Zones within a region protects applications and data from
datacenter failures.
● Zone-redundant services replicate your applications and data across Availability Zones to protect from
single-points-of-failure.
● With Availability Zones, Azure offers industry best 99.99% VM uptime SLA.
Implementation
An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For
example, if you create three or more VMs across three zones in an Azure region, your VMs are effectively
distributed across three fault domains and three update domains. The Azure platform recognizes this
distribution across update domains to make sure that VMs in different zones are not updated at the same
time.
Build high-availability into your application architecture by co-locating your compute, storage, network-
ing, and data resources within a zone and replicating in other zones.
Azure services that support Availability Zones fall into two categories:
● Zonal services. Pin the resource to a specific zone (for example, virtual machines, managed disks,
Standard IP addresses), or
● Zone-redundant services. Platform replicates automatically across zones (for example, zone-redun-
dant storage, SQL Database).
✔️ To achieve comprehensive business continuity on Azure, build your application architecture using the
combination of Availability Zones with Azure region pairs.
Scaling Concepts
Generally, there are two types of scaling: vertical scaling and horizontal scaling.
Vertical scaling
Vertical scaling, also known as scale up and scale down, means increasing or decreasing virtual machine
sizes in response to a workload. Vertical scaling makes the virtual machines more (scale up) or less (scale
down) powerful. Vertical scaling can be useful when:
● A service built on virtual machines is under-utilized (for example at weekends). Reducing the virtual
machine size can reduce monthly costs.
Horizontal Scaling
Horizontal scaling, also referred to as scale out and scale in, where the number of VMs is altered depend-
ing on the workload. In this case, there is a increase (scale out) or decrease (scale in) in the number of
virtual machine instances.
Considerations
● Vertical scaling generally has more limitations. It's dependent on the availability of larger hardware,
which quickly hits an upper limit and can vary by region. Vertical scaling also usually requires a virtual
machine to stop and restart.
● Horizontal scaling is generally more flexible in a cloud situation as it allows you to run potentially
thousands of virtual machines to handle load.
● Reprovisioning means removing an existing virtual machine and replacing it with a new one. Do you
need to retain your data?
Scale Sets
Virtual machine scale sets are an Azure Compute resource you can use to deploy and manage a set of
identical VMs. With all VMs configured the same, VM scale sets are designed to support true auto-scale
– no pre-provisioning of VMs is required – and as such makes it easier to build large-scale services
targeting big compute, big data, and containerized workloads. So, as demand goes up more virtual
machine instances can be added, and as demand goes down virtual machines instances can be removed.
The process can be manual or automated or a combination of both.
● Initial instance count. Number of virtual machines in the scale set (0 to 1000).
● Instance size. The size of each virtual machine in the scale set.
● Azure spot instance. Low-priority VMs are allocated from Microsoft Azure's excess compute capacity,
enabling several types of workloads to run for a significantly reduced cost.
● Use managed disks. Managed disks hide the underlying storage accounts and instead shows the
abstraction of a disk. Unmanaged disks expose the underlying storage accounts and VHD blobs.
● Enable scaling beyond 100 instances. If No, the scale set will be limited to 1 placement group and
can have a max capacity of 100. If Yes, the scale set can span multiple placement groups. This allows
for capacity to be up to 1,000 but changes the availability characteristics of the scale set.
● Spreading algorithm. We recommend deploying with max spreading for most workloads, as this
approach provides the best spreading in most cases.
Autoscale
An Azure virtual machine scale set can automatically increase or decrease the number of VM instances
that run your application. This means you can dynamically scale to meet changing demand.
Autoscale benefits
www.androdagger.com Telegram: @androdagger
● Automatically adjust capacity. Let’s you create rules that define the acceptable performance for a
positive customer experience. When those defined thresholds are met, autoscale rules act to adjust
the capacity of your scale set.
● Scale out. If your application demand increases, the load on the VM instances in your scale set
increases. If this increased load is consistent, rather than just a brief demand, you can configure
autoscale rules to increase the number of VM instances in the scale set.
● Scale in. On an evening or weekend, your application demand may decrease. If this decreased load is
consistent over a period of time, you can configure autoscale rules to decrease the number of VM
instances in the scale set. This scale-in action reduces the cost to run your scale set as you only run
the number of instances required to meet the current demand.
● Schedule events. Schedule events to automatically increase or decrease the capacity of your scale set
at fixed times.
● Less overhead. Reduces the management overhead to monitor and optimize the performance of your
application.
✔️ Autoscale minimizes the number of unnecessary VM instances that run your application when demand
is low, while customers continue to receive an acceptable level of performance as demand grows and
additional VM instances are automatically added.
Implementing Autoscale
When you create a scale set you can enable Autoscale. You should also define a minimum, maximum, and
default number of VM instances. When your autoscale rules are applied, these instance limits make sure
that you do not scale out beyond the maximum number of instances or scale in beyond the minimum of
instances.
● Number of VMs to increase by. The number of virtual machines to add to the scale set when the
scale out autoscale rule is triggered.
● Scale in CPU threshold. The CPU usage percentage threshold for triggering the scale in autoscale
rule.
● Number of VMs to decrease by. The number of virtual machines to remove to the scale set when the
scale in autoscale rule is triggered.
For more information, Best Practices for Autoscale7.
✔️ In this lesson we will focus on two extensions: Custom Script Extensions and Desired State Configura-
tion. Both tools are based on PowerShell.
For more information, Virtual machine extensions and features for Windows8 and Virtual machine
www.androdagger.com Telegram: @androdagger
extensions and features for Linux9.
8 https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows?toc=%2Fazure%2Fvirtual-
machines%2Fwindows%2Ftoc.json
9 https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux
You could also use the PowerShell Set-AzVmCustomScriptExtension command. You need to upload the
script file to a blob container and provide the URI in the command like this:
Set-AzVmCustomScriptExtension -FileUri https://scriptstore.blob.core.windows.net/scripts/Install_IIS.ps1
-Run "PowerShell.exe" -VmName vmName -ResourceGroupName resourceGroup -Location "location"
Considerations
● Timeout. Custom Script extensions have 90 minutes to run. If your deployment exceeds this time, it is
marked as a timeout. Keep this in mind when designing your script. And, of course, your virtual
machine must be running to perform the tasks.
● Dependencies. If your extension requires networking or storage access, make sure that content is
available.
● Failure events. Be sure to account for any errors that might occur when running your script. For
example, running out of disk space, or security and access restrictions. What will the script do if there
is an error?
● Sensitive data. Your extension may need sensitive information such as credentials, storage account
names, and storage account access keys. How will you protect/encrypt this information?
✔️ Can you think of any custom script extensions that you might want to create?
DSC centers around creating configurations. A configuration is an easy-to-read script that describes an
environment made up of computers (nodes) with specific characteristics. These characteristics can be as
simple as ensuring a specific Windows feature is enabled or as complex as deploying SharePoint. Use
DSC when the CSE will not work for your application.
In this example we are installing IIS on the localhost. The configuration will saved as a .ps1 file.
configuration IISInstall
{
Node “localhost”
{
WindowsFeature IIS
{
Ensure = “Present”
Name = “Web-Server”
}}}
Note: You could also use the PowerShell Set-AzVmCustomScriptExtension command to deploy the
extension. You would need to upload the script to blob container and use the URI. We will do this in the
next demonstration.
Lab scenario
You were tasked with identifying different options for deploying and configuring Azure virtual machines.
First, you need to determine different compute and storage resiliency and scalability options you can
implement when using Azure virtual machines. Next, you need to investigate compute and storage
resiliency and scalability options that are available when using Azure virtual machine scale sets. You also
want to explore the ability to automatically configure virtual machines and virtual machine scale sets by
using the Azure Virtual Machine Custom Script extension.
Objectives
In this lab, you will :
● Task 1: Deploy zone-resilient Azure virtual machines by using the Azure portal and an Azure Resource
Manager template.
● Task 2: Configure Azure virtual machines by using virtual machine extensions.
● Task 3: Scale compute and storage for Azure virtual machines.
● Task 4: Deploy zone-reslient Azure virtual machine scale sets by using the Azure portal.
● Task 5: Configure Azure virtual machine scale sets by using virtual machine extensions.
● Task 6: Scale compute and storage for Azure virtual machine scale sets.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
You are researching Microsoft Azure for your company. The company is considering deploying Win-
dows-based VMs in Azure. However, before moving forward, the management team has asked you to
research the costs associated with Azure VMs. You need to document the configuration options that are
likely to save the company money on their Azure VMs. Which options should you document? (Each answer
presents part of the solution. Select four.
Use HDD instead of SSD for VM storage.
Use unmanaged premium storage instead of managed standard storage.
Bring your own Windows custom images.
Use different Azure regions.
Use the least powerful VMs that meet your requirements.
Place all VMs in the same resource group.
Bring your own Windows license for each VM.
Review Question 3
You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs
must use an authentication system other than passwords. You need to deploy an authentication method for
the Linux VMs to meet the requirement. Which authentication method should you use? Select one.
SSH key pair
Azure multi-factor authentication
Access keys
Shared access signature
Security vault certificate
Review Question 4
Your company has Windows Server 2012 R2 VMs and Ubuntu Linux VMs in Microsoft Azure. The company
has a new project to standardize the configuration of servers across the Azure environment. The company
opts to use Desired State Configuration (DSC) across all VMs. You need to ensure that DSC can be used
across all the VMs. What two things should you do? Select two.
Replace the Ubuntu VMs with Red Hat Enterprise Linux VMs.
Deploy the DSC extension for Windows Server VMs.
Deploy the DSC extension for Linux VMs.
Replace the Windows Server 2012 R2 VMs with Windows Server 2016 VMs.
Review Question 5
Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the
VMs are all running at max capacity with the CPU being fully consumed. However, additional VMs are not
deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75%
consumed. What should you do? Select one.
Enable the autoscale option.
Increase the instance count.
Add the scale set automation script to the library.
Deploy the scale set automation script.
Review Question 6
Your company is preparing to deploy an application to Microsoft Azure. The app is a self-contained unit that
runs independently on several servers. The company is moving the app to the cloud to provide better
performance. To get better performance, the team has the following requirements:
● If the CPU across the servers goes above 85%, a new VM should be deployed to provide additional
resources.
● If the CPU across the servers drops below 15%, an Azure VM running the app should be decommis-
sioned to reduce costs.
You need to deploy a solution to meet the requirements while minimizing the administrative overhead to
implement and manage the solution. What should you do? Select one.
Deploy the app in a virtual machine scale set.
Deploy the app in a virtual machine availability set.
Deploy the app by using a resource manager template.
Deploy the app and use PowerShell Desired State Configuration (DSC).
Review Question 7
Your company is deploying a critical business application to Microsoft Azure. The uptime of the application
is of utmost importance. The application has the following components:
● 2 web servers
● 2 application servers
● 2 database servers
You need to deploy the VMs to meet the requirements. What should you do? Select one.
Deploy 1 VM from each tier into one availability set and the remaining VMs into a separate
availabilityset.
Deploy the VMs from each tier into a dedicated availability set for the tier.
Deploy the application and database VMs in one availability set and the web VMs into a
separateavailability set.
Deploy a load balancer for the web VMs and an availability set to hold the application and
databaseVMs.
Review Question 8
Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need to
connect to an Azure Linux virtual machine to install software. What should you do? Select one.
Configure the Bastion service
Configure a Guest configuration on the virtual machine
Create a custom script extension
Work offline and then reimage the virtual machine.
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Build a scalable application with virtual machine scale sets10
● Deploy Azure virtual machines from VHD templates11
● Choose the right disk storage for your virtual machine workload12
● Add and size disks in Azure virtual machines13
● Protect your virtual machine settings with Azure Automation State Configuration14
Answers
Review Question 1
You host a service with two Azure virtual machines. You discover that occasional outages cause your
service to fail. What two actions can you do to minimize the impact of the outages? Select two.
■ Add a load balancer.
■ Put the virtual machines in an availability set.
Put the virtual machines in a scale set.
Add a network gateway.
Add a third instance of the virtual machine.
Explanation
To minimize the impact put the virtual machines in an availability set and add a load balancer.
Review Question 2
You are researching Microsoft Azure for your company. The company is considering deploying Win-
dows-based VMs in Azure. However, before moving forward, the management team has asked you to
research the costs associated with Azure VMs. You need to document the configuration options that are
likely to save the company money on their Azure VMs. Which options should you document? (Each
answer presents part of the solution. Select four.
■ Use HDD instead of SSD for VM storage.
Use unmanaged premium storage instead of managed standard storage.
Bring your own Windows custom images.
■ Use different Azure regions.
■ Use the least powerful VMs that meet your requirements.
Place all VMs in the same resource group.
■ Bring your own Windows license for each VM.
Explanation
In this scenario, you need to document which of the options presented are likely to save the company
money for their Azure VMs. While this isn’t an exhaustive list, the correct money-saving configuration
options are: Use HDD instead of SSD, use different Azure regions, use the least powerful VMs that meet your
requirements, and bring your own Windows license (instead of paying for a license with the VM). The other
options usually increase cost.
Review Question 3
You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs
must use an authentication system other than passwords. You need to deploy an authentication method
for the Linux VMs to meet the requirement. Which authentication method should you use? Select one.
■ SSH key pair
Azure multi-factor authentication
Access keys
Shared access signature
Security vault certificate
Explanation
Azure supports two authentication methods for Linux VMs - passwords and SSH (via an SSH key pair).
Access keys and shared access signatures are access methods for Azure storage, not for Azure VMs. In this
scenario, you need to use an SSH key pair to meet the requirement.
Review Question 4
Your company has Windows Server 2012 R2 VMs and Ubuntu Linux VMs in Microsoft Azure. The compa-
ny has a new project to standardize the configuration of servers across the Azure environment. The
company opts to use Desired State Configuration (DSC) across all VMs. You need to ensure that DSC can
be used across all the VMs. What two things should you do? Select two.
Replace the Ubuntu VMs with Red Hat Enterprise Linux VMs.
■ Deploy the DSC extension for Windows Server VMs.
■ Deploy the DSC extension for Linux VMs.
Replace the Windows Server 2012 R2 VMs with Windows Server 2016 VMs.
Explanation
Desired State Configuration (DSC) is available for Windows Server and Linux-based VMs. In this scenario,
you just need to deploy the extensions to the existing VMs to start using DSC.
Review Question 5
Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the
VMs are all running at max capacity with the CPU being fully consumed. However, additional VMs are not
deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75%
consumed. What should you do? Select one.
■ Enable the autoscale option.
Increase the instance count.
Add the scale set automation script to the library.
Deploy the scale set automation script.
Explanation
When you have a scale set, you can enable automatic scaling with the autoscale option. When you enable
the option, you define the parameters for when to scale. To meet the requirements of this scenario, you
need to enable thewww.androdagger.com Telegram:
autoscale option so that additional @androdagger
VMs are created when the CPU is 75% consumed.
Note that the automation script is used to automate the deployment of scale sets and not related to
automating the building of additional VMs in the scale set.
MCT USE ONLY. STUDENT USE PROHIBITED
Review Question 6
Your company is preparing to deploy an application to Microsoft Azure. The app is a self-contained unit
that runs independently on several servers. The company is moving the app to the cloud to provide
better performance. To get better performance, the team has the following requirements:
You need to deploy a solution to meet the requirements while minimizing the administrative overhead to
implement and manage the solution. What should you do? Select one.
■ Deploy the app in a virtual machine scale set.
Deploy the app in a virtual machine availability set.
Deploy the app by using a resource manager template.
Deploy the app and use PowerShell Desired State Configuration (DSC).
Explanation
In this scenario, you should use a scale set for the VMs. Scale sets can scale up or down, based on defined
criteria (such as the existing set of VMs using a large percentage of the available CPU). This meets the
scenario’s requirements.
Review Question 7
Your company is deploying a critical business application to Microsoft Azure. The uptime of the applica-
tion is of utmost importance. The application has the following components:
You need to design the layout of the VMs to meet the following requirements:
You need to deploy the VMs to meet the requirements. What should you do? Select one.
Deploy 1 VM from each tier into one availability set and the remaining VMs into a separate
availabilityset.
■ Deploy the VMs from each tier into a dedicated availability set for the tier.
Deploy the application and database VMs in one availability set and the web VMs into a
separateavailability set.
Deploy a load balancer for the web VMs and an availability set to hold the application and
databaseVMs.
Explanation
An availability set should hold VMs in the same tier because that ensures that the VMs are not dependent
on the same physical hardware. If you deploy VMs in a single tier across multiple availability sets, then you
have a chance of a tier becoming unavailable due to a hardware issue. In this scenario, each tier should
have a dedicated availability set (Web availability set, app availability set, database availability set).
Review Question 8
Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need
to connect to an Azure Linux virtual machine to install software. What should you do? Select one.
■ Configure the Bastion service
Configure a Guest configuration on the virtual machine
Create a custom script extension
Work offline and then reimage the virtual machine.
Explanation
Configure the Bastion service. The Azure Bastion service is a new fully platform-managed PaaS service that
you provision inside your virtual network. It provides secure and seamless RDP and SSH connectivity to your
virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual
machines do not need a public IP address.
Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it is provi-
sioned. Using Azure Bastion protects your virtual machines from exposing RDP and SSH ports to the outside
world while still providing secure access using RDP and SSH. With Azure Bastion, you connect to the virtual
machine directly from the Azure portal. You don't need an additional client, agent, or piece of software.
Considerations
Since you pay for the computing resources your App Service plan allocates, you can potentially save
money by putting multiple apps into one App Service plan. You can continue to add apps to an existing
plan as long as the plan has enough resources to handle the load. However, keep in mind that apps in
the same App Service plan all share the same compute resources. To determine whether the new app has
the necessary resources, you need to understand the capacity of the existing App Service plan, and the
expected load for the new app. Overloading an App Service plan can potentially cause downtime for your
new and existing apps. Isolate your app into a new App Service plan when:
● The app is resource-intensive.
● You want to scale the app independently from the other apps in the existing plan.
● The app needs resource in a different geographical region.
For more information, Azure App Service plan overview 1.
1 https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
● Premium. The Premium service plan is designed to provide enhanced performance for production
apps. The upgraded Premium plan, Premium v2, features Dv2-series VMs with faster processors, SSD
storage, and double memory-to-core ratio compared to Standard. The new Premium plan also
supports higher scale via increased instance count while still providing all the advanced capabilities
found in the Standard plan. The first generation of Premium plan is still available for existing custom-
ers’ scaling needs.
● Isolated. The Isolated service plan is designed to run mission critical workloads, that are required to
run in a virtual network. The Isolated plan allows customers to run their apps in a private, dedicated
environment in an Azure datacenter using Dv2-series VMs with faster processors, SSD storage, and
double the memory-to-core ratio compared to Standard. The private environment used with an
Isolated plan is called the App Service Environment. The plan can scale to 100 instances with more
available upon request.
For more information, App Service Plan Pricing2.
Scale up. Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs),
custom domains and certificates, staging slots, autoscaling, and more. You scale up by changing the
pricing tier of the App Service plan that your app belongs to.
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30
instances, depending on your pricing tier. App Service Environments in Isolated tier further increases your
scale-out count to 100 instances. The scale instance count can be configured manually or automatically
(autoscale). Autoscale is based on predefined rules and schedules.
2 https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Other considerations
● The scale settings take only seconds to apply and affect all apps in your App Service plan. They don't
require you to change your code or redeploy your application.
● If your app depends on other services, such as Azure SQL Database or Azure Storage, you can scale up
these resources separately. These resources aren't managed by the App Service plan.
Autoscale settings
An autoscale setting is read by the autoscale engine to determine whether to scale up or down. Autoscale
settings are grouped into profiles.
Rules inlude a trigger and a scale action (up or down). The trigger can be metric-based or time-based.
● Metric-based. Metric-based rules measure application load and add or remove VMs based on that
load. For example, do this action when CPU usage is above 50%. Examples of metrics are CPU time,
Average response time, and Requests.
● Time-based. Timr-based (schedule-based) rules allow you to scale when you see time patterns in
your load and want to scale before a possible load increase or decrease occurs. For example, trigger a
webhook every 8am on Saturday in a given time zone.
Considerations
● Having a minimum instance count makes sure your application is always running even under no load.
www.androdagger.com Telegram: @androdagger
● Having a maximum instance count limits your total possible hourly cost.
● You can automatically scale between the minimum and maximum using rules you create.
● Ensure the maximum and minimum values are different and have an adequate margin between them.
● Always use a scale-out and scale-in rule combination that performs an increase and decrease.
● Choose the appropriate statistic for your diagnostics metric (Average, Minimum, Maximum and Total).
● Always select a safe default instance count. The default instance count is important because autoscale
scales your service to that count when metrics are not available.
● Always configure autoscale notifications.
Notification settings
A notification setting defines what notifications should occur when an autoscale event occurs based on
satisfying the criteria of one of the autoscale setting’s profiles. Autoscale can notify one or more email
addresses or make calls to one or more webhooks.
Setting Value
Subscription Choose your subscription
Resource Group myRGAppServices (create new)
Name AppServicePlan1
Operating System Windows
Region East US
4. Click Review + Create and then Create.
5. Wait for your new App Service plan to deploy.
Review Pricing Tiers
1. Locate your new App Service plan.
2. Under Settings, click Scale up (App Service Plan).
3. Notice there are three tiers: Dev/Test, Production, and Isolated.
4. Click each tier and review the included features and included hardware.
5. How do the tiers compare?
Review autoscaling
1. Under Settings click Scale out (App Service Plan).
2. Notice the default is Manual scale.
3. Notice you can specify an instance count depending on your App Service plan selection.
4. Click Custom autoscale.
www.androdagger.com Telegram: @androdagger
5. Notice two scale modes: Scale based on a metric and Scale to a specific instance count.
6. Click Add a rule.
3 http://portal.azure.com/
Note: This rule will add an instance when the CPU percentages is greater than 80% for 10 minutes.
Setting Value
Time aggregation Average
Metric name CPU percentage
Operator Greater than
Threshold 80
Duration 10 minutes
Operation Increase count by
Instance count 1
Cool down 5 minutes
7. Add your rule changes.
8. Review the Instance limits: Minimum, Maximum, and Default.
9. Notice that you can add a Schedule and Specify start/end dates and Repeat specific days.
10. Do you see how you can create different App Service plans for your apps?
● Name. The name must be unique and will used to locate your app. For example, webappces1.
azurewebsites.net. You can map a custom domain name, if you prefer to use that instead.
● Publish. The App service can host either Code or a Docker Container.
● Runtime stack. The software stack to run the app, including the language and SDK versions. For
Linux apps and custom container apps, you can also set an optional start-up command or file. Choices
include: .NET Core, .NET Framework, Node.js, PHP, Python, and Ruby. Various versions of each are
available.
● Operating system. Choices are Linux and Windows.
● Region. Your choice will affect app service plan availability.
Application settings
Once your app service is created, additional Configuration information is available.
Certain configuration settings can be included in the developer's code or configurated in the app service.
4 https://docs.microsoft.com/en-us/azure/app-service/overview
● Connection strings. Connection strings are encrypted at rest and transmitted over an encrypted
channel.
Continuous Deployment
The Azure portal provides out-of-the-box continuous integration and deployment with Azure DevOps,
GitHub, Bitbucket, FTP, or a local Git repository on your development machine. Connect your web app
with any of the above sources and App Service will do the rest for you by auto-syncing code and any
future changes on the code into the web app. Furthermore, with Azure DevOps, you can define your own
build and release process that compiles your source code, runs the tests, builds a release, and finally
deploys the release into your web app every time you commit the code. All that happens implicitly
without any need to intervene.
Automated deployment
Automated deployment, or continuous integration, is a process used to push out new features and bug
fixes in a fast and repetitive pattern with minimal impact on end users. Azure supports automated
deployment directly from several sources. The following options are available:
● Azure DevOps: You can push your code to Azure DevOps (previously known as Visual Studio Team
Services), build your code in the cloud, run the tests, generate a release from the code, and finally,
push your code to an Azure Web App.
● GitHub: Azure supports automated deployment directly from GitHub. When you connect your GitHub
repository to Azure for automated deployment, any changes you push to your production branch on
GitHub will be automatically deployed for you.
● Bitbucket: With its similarities to GitHub, you can configure an automated deployment with Bitbuck-
et.
● CLI: webapp up is a feature of the az command-line interface that packages your app and deploys it.
Unlike other deployment methods, az webapp up can create a new App Service web app for you if
you haven't already created one.
● Zipdeploy: Use curl or a similar HTTP utility to send a ZIP of your application files to App Service.
● Visual Studio: Visual Studio features an App Service deployment wizard that can walk you through
the deployment process.
● FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including
App Service.
Deployment Slots
When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service,
you can use a separate deployment slot instead of the default production slot when you're running in the
Standard, Premium, or Isolated App Service plan tier. Deployment slots are live apps with their own
hostnames. App content and configurations elements can be swapped between two deployment slots,
including the production slot.
✔️ Each App Service plan mode supports a different number of deployment slots.
For more information, Set up staging environments5
New deployment slots can be empty or cloned. When you clone a configuration from another deploy-
ment slot, the cloned configuration is editable. Some configuration elements follow the content across a
swap (not slot specific), whereas other configuration elements stay in the same slot after a swap (slot
specific). Deployment slot settings fall into three categories.
● Slot-specific app settings and connection strings, if applicable.
● Continuous deployment settings, if enabled.
● App Service authentication settings, if enabled.
Settings that are swapped:
● General settings, such as framework version, 32/64-bit, web sockets
● App settings (can be configured to stick to a slot)
● Connection strings (can be configured to stick to a slot)
● Handler mappings
● Public certificates
● WebJobs content
● Hybrid connections *
● Virtual network integration *
● Service endpoints *
● Azure Content Delivery Network *
Features marked with an asterisk (*) are planned to be unswapped.
Settings that aren't swapped:
● Publishing endpoints
● Custom domain names
5 https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing?toc=%2Fazure%2Fapp-service%2Ftoc.json
● IP restrictions
● Always On
● Diagnostic log settings
● Cross-origin resource sharing (CORS)
How it works
The authentication and authorization module runs in the same sandbox as your application code. When
it's enabled, every incoming HTTP request passes through it before being handled by your application
code. This module handles several things for your app:
● Authenticates users with the specified provider.
● Validates, stores, and refreshes tokens.
● Manages the authenticated session.
● Injects identity information into request headers.
The module runs separately from your application code and is configured using app settings. No SDKs,
specific languages, or changes to your application code are required.
2. Allow only authenticated requests: The option is Log in with <provider>. App Service redirects all
anonymous requests to /.auth/login/<provider> for the provider you choose. If the anony-
mous request comes from a native mobile app, the returned response is an HTTP 401 Unauthor-
ized. With this option, you don't need to write any authentication code in your app.
Caution: Restricting access in this way applies to all calls to your app, which may not be desirable for
apps wanting a publicly available home page, as in many single-page applications.
Configuration steps
1. Reserve your domain name. If you haven't already registered for an external domain name (i.e. not
*.azurewebsites.net) already, the easiest way to set up a custom domain is to buy one directly in the
Azure Portal. The process enables you to manage your web app's domain name directly in the Portal
instead of going to a third-party site to manage it. Likewise, configuring the domain name in your
web app is greatly simplified. If you do not use the portal you can use any domain registrar. When
you sign up, their site will walk you through the process.
2. Create DNS records that map the domain to your Azure web app. The Domain Name System
(DNS) uses data records to map domain names into IP addresses. There are several types of DNS
records. For web apps, you’ll create either an A record or a CNAME record. If the IP address changes, a
www.androdagger.com Telegram: @androdagger
CNAME entry is still valid, whereas an A record must be updated. However, some domain registrars do
not allow CNAME records for the root domain or for wildcard domains. In that case, you must use an
A record.
● An A (Address) record maps a domain name to an IP address.
● A CNAME (Canonical Name) record maps a domain name to another domain name. DNS uses the
second name to look up the address. Users still see the first domain name in their browser. For
example, you could map contoso.com to yourwebapp.azurewebsites.net.
3. Enable the custom domain. After obtaining your domain and creating your DNS record, you can use
the portal to validate the custom domain and add it to your web app. Be sure to test.
✔️ To map a custom DNS name to a web app, the web app's App Service plan must be a paid tier.
Considerations
● The Backup and Restore feature requires the App Service plan to be in the Standard tier or Premium
tier.
Application Insights
Application Insights, a feature of Azure Monitor, monitors your live applications. It will automatically
detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to
understand what users actually do with your app. It's designed to help you continuously improve perfor-
mance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and Java EE,
hosted on-premises, hybrid, or any public cloud. It integrates with your DevOps process, and has connec-
tion points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by
integrating with Visual Studio App Center.
6 https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
7 http://portal.azure.com/
Setting Value
Publish Docker Container
Operating System Linux
Region East US (ignore any service plan availability
warnings)
4. Click Next > Docker and configure the container information. The startup command is optional and
not needed in this exercise.
Setting Value
Options Single container
Image Source Quickstart
Sample Python Hello World
Setting Value
Name DEVELOPMENT
Clone Settings From myLinuxWebAppXXXX
4. Click Add.
5. If the Add a slot blade remains open, click Close.
9. Click on the URL to open the new browser tab and display the “Hello World, App Service!” page.
Note: The process of cloning the Web App settings to the new Deployment Slot, includes cloning the
base Docker Image from the initial deployment.
10. Click the X in the top right corner of the DEVELOPMENT Deployment Slot blade. This will return you
to the Deployment Slots blade of the myLinuxWebAppXXXX Web App.
Configure Backup
1. From the Web App blade, click Backups.
2. On the Backups blade, click Configure. This will open up the Backup Configuration blade.
3. From the Backup Configuration blade, under Backup Storage, click Storage not configured to
configure a Storage Account for backups.
4. On the Storage accounts blade, click + Storage account.
5. From the Create storage account blade, configure the following settings.
Setting Value
Name webappxxxxstorage (unique)
Account kind Storage (general purpose v1)
Performance Standard
Replication Locally-redundant storage (LRS)
Location (US) East US)
6. Click OK.
7. On the Storage accounts blade, click the Storage Account, webappxxxxstorage, that you created in
the previous step.
8. From the Containers blade, click + Container, enter backups for the name of the New Container, and
set the Public access level to Private (no anonymous access).
9. Click OK.
10. From the Containers blade, click backups, and click Select to choose the newly created Container.
This will take you back to the Backup Configuration blade.
11. On the Backup Configuration blade, click On next to Scheduled backup, and configure the follow-
ing settings.
Setting Value
Backup Every 1 Hours
Start backup schedule from Configure custom start time
Retention (Days) 30
Keep at least one backup Yes
www.androdagger.com Telegram: @androdagger
12. Click Save.
Container Services
Containers vs Virtual Machines
Hardware virtualization has made it possible to run multiple isolated instances of operating systems
concurrently on the same physical hardware. Containers represent the next stage in the virtualization of
computing resources. Container-based virtualization allows you to virtualize the operating system. This
way, you can run multiple applications within the same instance of an operating system, while maintain-
ing isolation between the applications. This means that containers within a VM provide functionality
similar to that of VMs within a physical server. To better understand this concept, it is helpful to compare
containers and virtual machines.
Container advantages
Containers offer several advantages over physical and virtual machines, including:
● Increased flexibility and speed when developing and sharing the application code.
www.androdagger.com Telegram: @androdagger
● Simplified application testing.
● Streamlined and accelerated application deployment.
● Higher workload density, resulting in improved resource utilization.
Feature Description
Fast Startup Times Containers can start in seconds without the need
to provision and manage virtual machines.
Public IP Connectivity and DNS Names Containers can be directly exposed to the internet
with an IP address and a FQDN.
Hypervisor-level Security Container applications are as isolated in a contain-
er as they would be in a virtual machine.
Custom Sizes Container nodes can be scaled dynamically to
match actual resource demands for an application.
Persistent Storage Containers support direct mounting of Azure File
Shares.
Linux and Windows Containers Container instances supports scheduling of
multi-container groups that share host machine
resources.
8 https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/containers-vs-vm
Container Groups
The top-level resource in Azure Container Instances is the container group. A container group is a
collection of containers that get scheduled on the same host machine. The containers in a container
group share a lifecycle, resources, local network, and storage volumes. It's similar in concept to a pod in
Kubernetes.
Deployment options
Here are two common ways to deploy a multi-container group: use a Resource Manager template or a
YAML file. A Resource Manager template is recommended when you need to deploy additional Azure
service resources (for example, an Azure Files share) when you deploy the container instances. Due to the
YAML format's more concise nature, a YAML file is recommended when your deployment includes only
container instances.
Resource allocation
Azure Container Instances allocates resources such as CPUs, memory, and optionally GPUs to a mul-
ti-container group by adding the resource requests of the instances in the group. Taking CPU resources
as an example, if you create a container group with two container instances, each requesting 1 CPU, then
the container group is allocated 2 CPUs.
within the group share a port namespace, port mapping isn't supported. A container group's IP address
and FQDN will be released when the container group is deleted.
Common scenarios
Multi-container groups are useful in cases where you want to divide a single functional task into a small
number of container images. These images can then be delivered by different teams and have separate
resource requirements. Example usage could include:
● A container serving a web application and a container pulling the latest content from source control.
● An application container and a logging container. The logging container collects the logs and metrics
output by the main application and writes them to long-term storage.
● An application container and a monitoring container. The monitoring container periodically makes a
request to the application to ensure that it's running and responding correctly, and raises an alert if
it's not.
● A front-end container and a back-end container. The front end might serve a web application, with
the back end running a service to retrieve data.
Docker
Docker is a platform that enables developers to host applications within a container. A container is
essentially a standalone package that contains everything that is needed to execute a piece of software.
This means it includes things like:
● The application executable code.
● The runtime environment (such as .NET Core).
● System tools.
● Settings.
The Docker platform is available on both Linux and Windows and can be hosted on Azure. The key thing
that a Docker provides is the guarantee that the containerized software will always run the same, regard-
Docker terminology
You should be familiar with the following key terms before using Docker and Container Instances to
create, build, and test containers:
● Container. This is an instance of a Docker image. It represents the execution of a single application,
process, or service. It consists of the contents of a Docker image, an execution environment, and a
standard set of instructions. When scaling a service, you create multiple instances of a container from
the same image. Or a batch job can create multiple containers from the same image, passing different
parameters to each instance.
● Container image. This refers to a package with all the dependencies and information required to
create a container. The dependencies include frameworks and the deployment and execution configu-
ration that a container runtime uses. Usually, an image derives from multiple base images that are
layers stacked on top of each other to form the container's file system. An image is immutable once it
has been created.
● Build. This refers to the action of building a container image based on the information and context
provided by its Dockerfile, plus additional files in the folder where the image is built. You can build
images by using the Docker docker build command.
● Pull. This refers to the process of downloading a container image from a container registry.
● Push. This refers to the process of uploading a container image to a container registry.
● Dockerfile. This refers to a text file that contains instructions on how to build a Docker image. It's like
a batch script; the first line states the base image, followed by instructions to install required pro-
grams, copy files, and so on until you get the working environment you need.
Features
Feature Description
Flexible deployment options Azure Kubernetes Service offers portal, command
line, and template driven deployment options
(Resource Manager templates and Terraform).
When deploying an AKS cluster, the Kubernetes
master and all nodes are deployed and configured
for you. Additional features such as advanced
networking, Azure Active Directory integration,
and monitoring can also be configured during the
deployment process.
Identity and security management AKS clusters support Role-Based Access Control
(RBAC). An AKS cluster can also be configured to
integrate with Azure Active Directory. In this
configuration, Kubernetes access can be config-
ured based on Azure Active Directory identity and
group membership.
Integrated logging and monitoring Container health gives you performance visibility
by collecting memory and processor metrics from
containers, nodes, and controllers. Container logs
are also collected. This data is stored in your Log
Analytics workspace, and is available through the
Azure portal, Azure CLI, or a REST endpoint.
Cluster node scaling As demand for resources increases, the nodes of
an AKS cluster can be scaled out to match. If
resource demand drops, nodes can be removed by
scaling in the cluster. AKS scale operations can be
completed using the Azure portal or the Azure CLI.
Cluster node upgrades Azure Kubernetes Service offers multiple Kuber-
netes versions. As new versions become available
in AKS, your cluster can be upgraded using the
Azure portal or Azure CLI. During the upgrade
process, nodes are carefully cordoned and drained
to minimize disruption to running applications.
HTTP application routing The HTTP Application Routing solution makes it
easy to access applications deployed to your AKS
cluster. When enabled, the HTTP application
routing solution configures an ingress controller in
your AKS cluster. As applications are deployed,
publically accessible DNS names are auto config-
ured.
Feature Description
Development tooling integration Kubernetes has a rich ecosystem of development
and management tools such as Helm, Draft, and
the Kubernetes extension for Visual Studio Code.
These tools work seamlessly with Azure Kubern-
tees Service. Additionally, Azure Dev Spaces
provides a rapid, iterative Kubernetes develop-
ment experience for teams. With minimal configu-
ration, you can run and debug containers directly
in Azure Kubernetes Service (AKS).
Virtual network integration An AKS cluster can be deployed into an existing
VNet. In this configuration, every pod in the cluster
is assigned an IP address in the VNet, and can
directly communicate with other pods in the
cluster, and other nodes in the VNet. Pods can
connect also to other services in a peered VNet,
and to on-premises networks over ExpressRoute
and site-to-site (S2S) VPN connections.
Private container registry Integrate with Azure Container Registry (ACR) for
private storage of your Docker images.
AKS Terminology
Cluster master
When you create an AKS cluster, a cluster master is automatically created and configured. This cluster
master is provided as a managed Azure resource abstracted from the user. There is no cost for the cluster
master, only the nodes that are part of the AKS cluster.
AKS Networking
www.androdagger.com Telegram: @androdagger
To allow access to your applications, or for application components to communicate with each other,
Kubernetes provides an abstraction layer to virtual networking. Kubernetes nodes are connected to a
virtual network, and can provide inbound and outbound connectivity for pods. The kube-proxy compo-
nent runs on each node to provide these network features.
In Kubernetes, Services logically group pods to allow for direct access via an IP address or DNS name and
on a specific port. You can also distribute traffic using a load balancer. More complex routing of applica-
tion traffic can also be achieved with Ingress Controllers. Security and filtering of the network traffic for
pods is possible with Kubernetes network policies.
The Azure platform also helps to simplify virtual networking for AKS clusters. When you create a Kuber-
netes load balancer, the underlying Azure load balancer resource is created and configured. As you open
network ports to pods, the corresponding Azure network security group rules are configured. For HTTP
application routing, Azure can also configure external DNS as new ingress routes are configured.
Services
To simplify the network configuration for application workloads, Kubernetes uses Services to logically
group a set of pods together and provide network connectivity. The following Service types are available:
● Cluster IP - Creates an internal IP address for use within the AKS cluster. Good for internal-only
applications that support other workloads within the cluster.
● NodePort - Creates a port mapping on the underlying node that allows the application to be ac-
cessed directly with the node IP address and port.
● LoadBalancer - Creates an Azure load balancer resource, configures an external IP address, and
connects the requested pods to the load balancer backend pool. To allow customers traffic to reach
the application, load balancing rules are created on the desired ports.
For additional control and routing of the inbound traffic, you may instead use an Ingress controller.
● ExternalName - Creates a specific DNS entry for easier application access.
The IP address for load balancers and services can be dynamically assigned, or you can specify an existing
www.androdagger.com Telegram: @androdagger
static IP address to use. Both internal and external static IP addresses can be assigned. This existing static
IP address is often tied to a DNS entry.
Both internal and external load balancers can be created. Internal load balancers are only assigned a
private IP address, so can't be accessed from the Internet.
Pods
Kubernetes uses pods to run an instance of your application. A pod represents a single instance of your
application. Pods typically have a 1:1 mapping with a container, although there are advanced scenarios
where a pod might contain multiple containers. These multi-container pods are scheduled together on
the same node, and allow containers to share related resources.
When you create a pod, you can define resource limits to request a certain amount of CPU or memory
resources. The Kubernetes Scheduler attempts to schedule the pods to run on a node with available
resources to meet the request. You can also specify maximum resource limits that prevent a given pod
from consuming too much compute resource from the underlying node.
Note: A best practice is to include resource limits for all pods to help the Kubernetes Scheduler under-
stand what resources are needed and permitted.
A pod is a logical resource, but the container (or containers) is where the application workloads run. Pods
are typically ephemeral, disposable resources. Therefore, individually scheduled pods miss some of the
high availability and redundancy features Kubernetes provides. Instead, pods are usually deployed and
managed by Kubernetes controllers, such as the Deployment controller.
AKS Storage
Applications that run in Azure Kubernetes Service (AKS) may need to store and retrieve data. For some
application workloads, this data storage can use local, fast storage on the node that is no longer needed
when the pods are deleted. Other application workloads may require storage that persists on more
regular data volumes within the Azure platform. Multiple pods may need to share the same data volumes,
or reattach data volumes if the pod is rescheduled on a different node. Finally, you may need to inject
sensitive data or application configuration information into pods.
This section introduces the core concepts that provide storage to your applications in AKS:
● Volumes
● Persistent volumes
Volumes
Applications often need to be able to store and retrieve data. As Kubernetes typically treats individual
pods as ephemeral, disposable resources, different approaches are available for applications use and
persist data as necessary. A volume represents a way to store, retrieve, and persist data across pods and
through the application lifecycle.
Traditional volumes to store and retrieve data are created as Kubernetes resources backed by Azure
Storage. You can manually create these data volumes to be assigned to pods directly, or have Kubernetes
automatically create them. These data volumes can use Azure Disks or Azure Files:
● Azure Disks can be used to create a Kubernetes DataDisk resource. Disks can use Azure Premium
storage, backed by high-performance SSDs, or Azure Standard storage, backed by regular HDDs. For
most production and development workloads, use Premium storage. Azure Disks are mounted as
ReadWriteOnce, so are only available to a single node. For storage volumes that can be accessed by
multiple nodes simultaneously, use Azure Files.
● Azure Files can be used to mount an SMB 3.0 share backed by an Azure Storage account to pods. Files
let you share data across multiple nodes and pods. Currently, Files can only use Azure Standard
storage backed by regular HDDs.
Persistent volumes
Volumes are defined and created as part of the pod lifecycle only exist until the pod is deleted. Pods
often expect their storage to remain if a pod is rescheduled on a different host during a maintenance
event, especially in StatefulSets. A persistent volume (PV) is a storage resource created and managed by
the Kubernetes API that can exist beyond the lifetime of an individual pod.
Azure Disks or Files are used to provide the PersistentVolume. As noted in the previous section on
Volumes, the choice of Disks or Files is often determined by the need for concurrent access to the data or
the performance tier.
A PersistentVolume can be statically created by a cluster administrator, or dynamically created by the
Kubernetes API server. If a pod is scheduled and requests storage that is not currently available, Kuber-
netes can create the underlying Azure Disk or Files storage and attach it to the pod. Dynamic provision-
ing uses a StorageClass to identify what type of Azure storage needs to be created.
Storage classes
To define different tiers of storage, such as Premium and Standard, you can create a StorageClass. The
StorageClass also defines the reclaimPolicy. This reclaimPolicy controls the behavior of the underlying
Azure storage resource when the pod is deleted and the persistent volume may no longer be required.
The underlying storage resource can be deleted, or retained for use with a future pod.
In AKS, two initial StorageClasses are created:
● default - Uses Azure Standard storage to create a Managed Disk. The reclaim policy indicates that the
www.androdagger.com Telegram: @androdagger
underlying Azure Disk is deleted when the pod that used it is deleted.
● managed-premium - Uses Azure Premium storage to create Managed Disk. The reclaim policy again
indicates that the underlying Azure Disk is deleted when the pod that used it is deleted.
If no StorageClass is specified for a persistent volume, the default StorageClass is used. Take care when
requesting persistent volumes so that they use the appropriate storage you need. You can create a
StorageClass for additional needs using kubectl. The following example uses Premium Managed Disks
and specifies that the underlying Azure Disk should be retained when the pod is deleted:
This section introduces the core concepts that secure your applications in AKS:
● Master components security
● Node security
● Cluster upgrades
● Network security
● Kubernetes Secrets
Master security
In AKS, the Kubernetes master components are part of the managed service provided my Microsoft. Each
AKS cluster has their own single-tenanted, dedicated Kubernetes master to provide the API Server,
Scheduler, etc. This master is managed and maintained by Microsoft
By default, the Kubernetes API server uses a public IP address and with fully qualified domain name
(FQDN). You can control access to the API server using Kubernetes role-based access controls and Azure
Active Directory.
The Azure platform automatically applies OS security patches to the nodes on a nightly basis. If an OS
security update requires a host reboot, that reboot is not automatically performed. You can manually
reboot the nodes, or a common approach is to use Kured9, an open-source reboot daemon for Kuber-
netes. Kured runs as a [DaemonSet][aks-daemonset] and monitors each node for the presence of a file
indicating that a reboot is required. Reboots are managed across the cluster using the same cordon and
drain process as a cluster upgrade.
Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned. For
troubleshooting and management purposes, SSH is enabled by default. This SSH access is only available
using the internal IP address. Azure network security group rules can be used to further restrict IP range
access to the AKS nodes. Deleting the default network security group SSH rule and disabling the SSH
service on the nodes prevents the Azure platform from performing maintenance tasks.
To provide storage, the nodes use Azure Managed Disks. For most VM node sizes, these are Premium
disks backed by high-performance SSDs. The data stored on managed disks is automatically encrypted at
rest within the Azure platform. To improve redundancy, these disks are also securely replicated within the
Azure datacenter.
Cluster upgrades
For security and compliance, or to use the latest features, Azure provides tools to orchestrate the up-
grade of an AKS cluster and components. This upgrade orchestration includes both the Kubernetes
master and agent components. You can view a list of available Kubernetes versions for your AKS cluster.
To start the upgrade process, you specify one of these available versions. Azure then safely cordons and
drains each AKS node and performs the upgrade.
Network security
For connectivity and security with on-premises networks, you can deploy your AKS cluster into existing
Azure virtual network subnets. These virtual networks may have an Azure Site-to-Site VPN or Express
Route connection back to your on-premises network. Kubernetes ingress controllers can be defined with
private, internal IP addresses so services are only accessible over this internal network connection.
9 https://github.com/weaveworks/kured
nodes. As you create services with load balancers, port mappings, or ingress routes, AKS automatically
modifies the network security group for traffic to flow appropriately.
Kubernetes Secrets
A Kubernetes Secret is used to inject sensitive data into pods, such as access credentials or keys. You first
create a Secret using the Kubernetes API. When you define your pod or deployment, a specific Secret can
be requested. Secrets are only provided to nodes that have a scheduled pod that requires it, and the
Secret is stored in tmpfs, not written to disk. When the last pod on a node that requires a Secret is
deleted, the Secret is deleted from the node's tmpfs. Secrets are stored within a given namespace and
can only be accessed by pods within the same namespace.
The use of Secrets reduces the sensitive information that is defined in the pod or service YAML manifest.
Instead, you request the Secret stored in Kubernetes API Server as part of your YAML manifest. This
approach only provides the specific pod access to the Secret.
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources
within a namespace or across the cluster. To obtain a kubectl configuration context, a user can run the
az aks get-credentials command. When a user then interacts with the AKS cluster with kubectl,
they are prompted to sign in with their Azure AD credentials. This approach provides a single source for
user account management and password credentials. The user can only access the resources as defined
by the cluster administrator.
AKS Scaling
As you run applications in Azure Kubernetes Service (AKS), you may need to increase or decrease the
amount of compute resources. As the number of application instances you need change, the number of
underlying Kubernetes nodes may also need to change. You may also need to quickly provision a large
number of additional application instances.
When you configure the horizontal pod autoscaler for a given deployment, you define the minimum and
maximum number of replicas that can run. You also define the metric to monitor and base any scaling
decisions on, such as CPU usage.
Cluster autoscaler
To respond to changing pod demands, Kubernetes has a cluster autoscaler that adjusts the number of
nodes based on the requested compute resources in the node pool. By default, the cluster autoscaler
checks the API server every 10 seconds for any required changes in node count. If the cluster autoscale
determines that a change is required, the number of nodes in your AKS cluster is increased or decreased
accordingly. The cluster autoscaler works with RBAC-enabled AKS clusters that run Kubernetes 1.10.x or
higher.
Cluster autoscaler is typically used alongside the horizontal pod autoscaler. When combined, the horizon-
tal pod autoscaler increases or decreases the number of pods based on application demand, and the
cluster autoscaler adjusts the number of nodes as needed to run those additional pods accordingly.
Scale up events
If a node does not have sufficient compute resources to run a requested pod, that pod cannot progress
through the scheduling process. The pod cannot start unless additional compute resources are available
within the node pool.
When the cluster autoscaler notices pods that cannot be scheduled due to node pool resource con-
straints, the number of nodes within the node pool is increased to provide the additional compute
resources. When those additional nodes are successfully deployed and available for use within the node
pool, the pods are then scheduled to run on them.
To rapidly scale your AKS cluster, you can integrate with Azure Container Instances (ACI). Kubernetes has
built-in components to scale the replica and node count. However, if your application needs to rapidly
scale, the horizontal pod autoscaler may schedule more pods than can be provided by the existing
compute resources in the node pool. If configured, this scenario would then trigger the cluster autoscaler
to deploy additional nodes in the node pool, but it may take a few minutes for those nodes to successful-
ly provision and allow the Kubernetes scheduler to run pods on them.
ACI lets you quickly deploy container instances without additional infrastructure overhead. When you
connect with AKS, ACI becomes a secured, logical extension of your AKS cluster. The Virtual Kubelet
component is installed in your AKS cluster that presents ACI as a virtual Kubernetes node. Kubernetes can
then schedule pods that run as ACI instances through virtual nodes, not as pods on VM nodes directly in
your AKS cluster.
Your application requires no modification to use virtual nodes. Deployments can scale across AKS and ACI
and with no delay as cluster autoscaler deploys new nodes in your AKS cluster.
Virtual nodes are deployed to an additional subnet in the same virtual network as your AKS cluster. This
virtual network configuration allows the traffic between ACI and AKS to be secured. Like an AKS cluster,
an ACI instance is a secure, logical compute resource that is isolated from other users.
In this example of a Kubernetes cluster, virtual kubelet is used to allow us to back our Kubernetes cluster
with services such as Container Instances and Azure Batch. These services then host our individual nodes
on behalf of the cluster.
The virtual kubelet registers itself as a node and allows developers to deploy pods and containers with
their own APIs. This lets the virtual kubelet provide a shim layer with a pseudo-kubelet implementation
enabling you to use other services for your individual instances.
Provider list
● Azure Batch
● Container Instances
● Alibaba Cloud Elastic Container Instance (ECI)
● AWS Fargate
● Kubernetes Container Runtime Interface (CRI)
● Huawei Cloud Container Instance (CCI)
● HashiCorp Nomad
● OpenStack Zun
● Custom provider
10 http://portal.azure.com/
● Cluster details: Enter a Kubernetes cluster name, such as myAKSCluster. Select a Region, Kubernetes
version, and DNS name prefix for the AKS cluster.
● Primary node pool: Select a VM Node size for the AKS nodes. The VM size can't be changed once an
AKS cluster has been deployed. - Select the number of nodes to deploy into the cluster. For this
demonstration, set Node count to 1. Node count can be adjusted after the cluster has been deployed.
4. On the Scale page, review and keep the default options. At the bottom of the screen, click Next:
Authentication.
5. On the Authentication page, configure the following options:
● Create a new service principal by leaving the Service Principal field with (new) default service principal.
Or you can choose Configure service principal to use an existing one. If you use an existing one, you
will need to provide the SPN client ID and secret.
● Enable the option for Kubernetes role-based access controls (RBAC). This will provide more fine-
grained control over access to the Kubernetes resources deployed in your AKS cluster.
6. By default, Basic networking is used, and Azure Monitor for containers is enabled. Click Review +
create and then Create when validation completes.
7. It takes a few minutes to create the AKS cluster.
Connect to the cluster
1. To manage a Kubernetes cluster, you use kubectl, the Kubernetes command-line client. The kubectl
client is pre-installed in the Azure Cloud Shell.
2. Open the Cloud Shell, select the Bash shell.
3. Connect to the cluster, downloads your credentials, and configure the Kubernetes CLI to use them.
4. Verify the connection to your clusterand return a list of the cluster nodes. Make sure that the status of
the nodes is Ready.
kubectl get nodes
11 https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal#run-the-application
3. Wait until the EXTERNAL-IP address changes from pending to an actual public IP address. Use Ctrl + C
to break out of the command.
4. To see the Azure Vote app in action, open a web browser to the external IP address of your service.
5. Return to the Azure portal and your myAKSCluster resource.
6. Under Monitoring choose Insights. Review the available information.
7. As you have time review other areas of the cluster.
Lab scenario
You need to evaluate the use of Azure Web apps for hosting Contoso's web sites, hosted currently in the
company's on-premises data centers. The web sites are running on Windows servers using PHP runtime
stack. You also need to determine how you can implement DevOps practices by leveraging Azure web
apps deployment slots.
Objectives
In this lab, you will:
● Task 1: Create an Azure web app.
● Task 2: Create a staging deployment slot.
● Task 3: Configure web app deployment settings.
● Task 4: Deploy code to the staging deployment slot.
● Task 5: Swap the staging slots.
● Task 6: Configure and test autoscaling of the Azure web app.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Lab scenario
Contoso wants to find a new platform for its virtualized workloads. You identified a number of container
images that can be leveraged to accomplish this objective. Since you want to minimize container man-
agement, you plan to evaluate the use of Azure Container Instances for deployment of Docker images.
Objectives
In this lab, you will:
● Task 1: Deploy a Docker image by using the Azure Container Instance
Lab scenario
Contoso has a number of multi-tier applications that are not suitable to run by using Azure Container
Instances. In order to determine whether they can be run as containerized workloads, you want to
evaluate using Kubernetes as the container orchestrator. To further minimize management overhead, you
want to test Azure Kubernetes Service, including its simplified deployment experience and scaling
capabilities.
Objectives
In this lab, you will:
● Task 1: Deploy an Azure Kubernetes Service cluster
● Task 2: Deploy pods into the Azure Kubernetes Service cluster
● Task 3: Scale containerized workloads in the Azure Kubernetes service cluster
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
Which of the following settings are not not swapped when you swap an an app? Select three.
Handler mappings
Publishing endpoints
General settings, such as framework version, 32/64-bit, web sockets
Always On
Review Question 3
You are administering a production web app. The app requires scaling to five instances, 40GB of storage,
and a custom domain name. Which App Service Plan should you select? Select one.
Free
Shared
Basic
Standard
Premium
Review Question 4
You are backing up your App Service. Which of the following is included in the backup? Select two.
App configuration
Azure database for MySQL
Files and database content totalling 15GB
Firewall enabled-storage account
SSL enabled Azure Database for MySQL
Review Question 5
You decide to move all your services to Azure Kubernetes service. Which of the following components will
contribute to your monthly Azure charge? Select one.
Master node
Pods
Node virtual machines
Tables
Review Question 6
Which of the following is not true about container groups? Select one.
Is scheduled on a multiple host machines.
Is assigned a DNS name label.
Exposes a single public IP address, with one exposed port.
Consists of two containers.
Includes two Azure file shares as volume mounts.
Review Question 7
Which of the following is the Kubernetes agent that processes the orchestration requests from the cluster
master, and schedules running the requested containers? Select one.
controller master
container runtime
kube-proxy
kubelet
Review Question 8
You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming
direct traffic to the pods? Select one.
AKS node
ClusterIP
Load Balancer
NodePort
Review Question 9
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an
app? Select one.
credentials that are stored in the browser
pass-through authentication
redirection to a provider endpoint
synchronization of accounts across providers
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Host a web application with Azure App service12
● Stage a web app deployment for testing and rollback by using App Service deployment slots13
● Scale an App Service web app to efficiently meet demand with App Service scale up and scale
out14
● Dynamically meet changing web app performance requirements with autoscale rules15
www.androdagger.com Telegram: @androdagger
● Capture and view page load times in your Azure web app with Application Insights16
● Introduction to Docker containers17
12 https://docs.microsoft.com/en-us/learn/modules/host-a-web-app-with-azure-app-service/
13 https://docs.microsoft.com/en-us/learn/modules/stage-deploy-app-service-deployment-slots/
14 https://docs.microsoft.com/en-us/learn/modules/app-service-scale-up-scale-out/
15 https://docs.microsoft.com/en-us/learn/modules/app-service-autoscale-rules/
16 https://docs.microsoft.com/en-us/learn/modules/capture-page-load-times-application-insights/
17 https://docs.microsoft.com/en-us/learn/modules/intro-to-docker-containers/
Answers
Review Question 1
You have multiple apps running in a single App Service plan. True or False: Each app in the service plan
can have different scaling rules.
True
■ False
Explanation
False. The App Service plan is the scale unit of the App Service apps. If the plan is configured to run five VM
instances, then all apps in the plan run on all five instances. If the plan is configured for autoscaling, then all
apps in the plan are scaled out together based on the autoscale settings.
Review Question 2
Which of the following settings are not not swapped when you swap an an app? Select three.
Handler mappings
■ Publishing endpoints
General settings, such as framework version, 32/64-bit, web sockets
■ Always On
■ Custom domain names
Explanation
Publishing endpoints, Always on, and Custom domain names. Some configuration elements follow the
content across a swap (not slot specific), whereas other configuration elements stay in the same slot after a
swap (slot specific).
Review Question 3
You are administering a production web app. The app requires scaling to five instances, 40GB of storage,
and a custom domain name. Which App Service Plan should you select? Select one.
Free
Shared
Basic
■ Standard
Premium
Explanation
Standard. The Standard App Service Plan meets the requirements at the least cost.
Review Question 4
You are backing up your App Service. Which of the following is included in the backup? Select two.
■ App configuration
■ Azure database for MySQL
Files and database content totalling 15GB
Firewall enabled-storage account
SSL enabled Azure Database for MySQL
Explanation
App configuration and Azure database for MySQL. App Service can back up: app configuration, file content,
and a database connected to your app (SQL Database, Azure Database for MySQL, Azure Database for
PostgreSQL, MySQL in-app). Backups can be up to 10 GB of app and database content. Using a firewall
enabled storage account as the destination for your backups is not supported. SSL enabled Azure Database
for MySQL does not get backed up.
Review Question 5
You decide to move all your services to Azure Kubernetes service. Which of the following components will
contribute to your monthly Azure charge? Select one.
Master node
Pods
■ Node virtual machines
Tables
Explanation
Node virtual machines. You only pay for the virtual machines instances, storage, and networking resources
consumed by your Kubernetes cluster.
Review Question 6
Which of the following is not true about container groups? Select one.
■ Is scheduled on a multiple host machines.
Is assigned a DNS name label.
Exposes a single public IP address, with one exposed port.
Consists of two containers.
Includes two Azure file shares as volume mounts.
Explanation
Is scheduled on a multiple host machines. A container group is scheduled on a single host machine.
Review Question 7
Which of the following is the Kubernetes agent that processes the orchestration requests from the cluster
master, and schedules running the requested containers? Select one.
controller master
container runtime
kube-proxy
■ kubelet
Explanation
kubelet. The kubelet process the orchestration requests from the cluster master, and schedules the running
the requested containers.
Review Question 8
You are configuring networking for the Azure Kubernetes service. Which of the following maps incoming
direct traffic to the pods? Select one.
AKS node
ClusterIP
Load Balancer
■ NodePort
Explanation
NodePort. NodePort maps incoming direct traffic to the pods.
Review Question 9
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access
an app? Select one.
credentials that are stored in the browser
pass-through authentication
■ redirection to a provider endpoint
synchronization of accounts across providers
Explanation
Redirection to a provider endpoint. Microsoft Azure App Service apps redirect requests to an endpoint that
signs in users for that provider. The App Service can automatically direct all unauthenticated users to the
endpoint that signs in users. Course: Module 4
Key benefits
● Offload on-premises backup. Azure Backup offers a simple solution for backing up your on-premises
resources to the cloud. Get short and long-term backup without the need to deploy complex
on-premises backup solutions.
● Back up Azure IaaS VMs. Azure Backup provides independent and isolated backups to guard against
accidental destruction of original data. Backups are stored in a Recovery Services vault with built-in
management of recovery points. Configuration and scalability is simple, backups are optimized, and
you can easily restore as needed.
● Get unlimited data transfer. Azure Backup does not limit the amount of inbound or outbound data
you transfer, or charge for the data that is transferred.
www.androdagger.com Telegram: @androdagger
Outbound data refers to data transferred from a Recovery Services vault during a restore operation.
If you perform an offline initial backup using the Azure Import/Export service to import large amounts
of data, there is a cost associated with inbound data.
● Keep data secure. Data encryption allows for secure transmission and storage of your data in the
public cloud. You store the encryption passphrase locally, and it is never transmitted or stored in
Azure. If it is necessary to restore any of the data, only you have encryption passphrase, or key.
● Get app-consistent backups. An application-consistent backup means a recovery point has all
required data to restore the backup copy. Azure Backup provides application-consistent backups,
which ensure additional fixes are not required to restore the data. Restoring application-consistent
data reduces the restoration time, allowing you to quickly return to a running state.
● Retain short and long-term data. You can use Recovery Services vaults for short-term and long-term
data retention. Azure doesn't limit the length of time data can remain in a Recovery Services vault. You
can keep it for as long as you like. Azure Backup has a limit of 9999 recovery points per protected
instance.
● Automatic storage management. Hybrid environments often require heterogeneous storage - some
on-premises and some in the cloud. With Azure Backup, there is no cost for using on-premises
storage devices. Azure Backup automatically allocates and manages backup storage, and it uses a
pay-as-you-use model, so that you only pay for the storage you consume.
● Multiple storage options. Azure Backup offers two types of replication to keep your storage/data
highly available.
● Locally redundant storage (LRS) replicates your data three times (it creates three copies of your
data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS
is a low-cost option for protecting your data from local hardware failures.
● Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates
your data to a secondary region (hundreds of miles away from the primary location of the source
data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if
there is a regional outage.
✔️ What are some of the reasons your organization might choose Azure Backup? Is your organization
using Azure Backup?
For more information, What is Azure Backup?1
1 https://docs.microsoft.com/en-us/azure/backup/backup-overview#why-use-azure-backup
✔️ Within an Azure subscription, you can create up to 25 Recovery Services vaults per region.
✔️ Notice your backup choices for virtual machines. This will be covered in the next lesson.
1. Create the recovery services vault. Within your Azure subscription you will need to create a recovery
services vault for the backups.
2. Download the agent and credential file. The recovery services vault provides a link to download the
Azure Backup Agent. The Backup Agent will be installed on the local machine. There is also a creden-
tials file that is required during the installation of the agent. You must have the latest version of the
agent. Versions of the agent below 2.0.9083.0 must be upgraded by uninstalling and reinstalling the
agent.
3. Install and register agent. The installer provides a wizard to configure the installation location, proxy
server, and passphrase information. The downloaded credential file will be used to register the agent.
4. Configure the backup. Use the agent to create a backup policy including when to backup, what to
backup, how long to retain items, and settings like network throttling.
6. By default, the MARSagentinstaller.exe file is saved to your Downloads folder. When the installer
completes, a pop-up asking if you want to run the installer, or open the folder. You don't need to
install the agent yet. You can install the agent after you have downloaded the vault credentials.
7. Return to your recovery services vault, check the box Already downloaded or using the latest
recovery services agent.
8. Click Download. After the vault credentials finish downloading, a pop-up asking if you want to open
or save the credentials. Click Save. If you accidentally click Open, let the dialog that attempts to open
the vault credentials, fail. You cannot open the vault credentials. Proceed to the next step. The vault
credentials are in the Downloads folder.
Note: You must have the latest version of the MARS agent. Versions of the agent below 2.0.9083.0 must
be upgraded by uninstalling and reinstalling the agent.
Install and register the agent
1. Locate and double-click the MARSagentinstaller.exe from the Downloads folder (or other saved
location). The installer provides a series of messages as it extracts, installs, and registers the Recovery
Services agent.
2. To complete the wizard, you need to:
different retention policies based on when the backup occurs. You can modify the daily, weekly,
monthly, and yearly retention policies to meet your needs.
● Choose your initial backup type page as Automatically. Notice there is a choice for offline
backup.
● Confirm your choices and Finish the wizard.
Backup files and folders
1. Click Back Up Now to complete the initial sending over the network.
2. In the wizard, confirm your settings, and then click Back Up.
3. You may Close the wizard. It will continue to run in the background.
4. The Status of your backup will show on the first page of the agent.
5. You can View Details for more information.
Explore the recover settings
1. Click Recover data.
2. Walkthrough the wizard making selections based on your backup settings.
3. Notice your choices to restore from the current server or another server.
4. Notice you can backup individual files and folders or an entire volume.
5. Select a volume and Mount the drive. This can take a couple of minutes.
6. Verify the mounted volume can be accessed in File Explorer and that your backup files are available.
7. Unmount the drive.
Explore the backup properties
1. Click Change Properties.
2. Explore the different tabs.
3. On the Encryption tab you can change the passphrase.
4. On the Proxy Configuration tab you can add proxy information.
5. On the Throttling tab you can enable internet bandwidth usage throttling. Throttling controls how
network bandwidth is used during data transfer. This control can be helpful if you need to back up
data during work hours but do not want the backup process to interfere with other Internet traffic.
Throttling applies to back up and restore activities.
Delete your backup schedule
1. Click Schedule Backup.
2. In the wizard, select Stop using this backup schedule and delete all the stored backups.
3. Verify your choices and click Finish.
www.androdagger.com Telegram: @androdagger
4. You will be prompted for a recovery services vault security pin.
5. In the Azure portal locate your recovery services vault.
6. Select Properties and then Security PIN Generate.
7. Copy the PIN into the Backup agent to finish deleting the schedule.
Azure Backup
For backing up Azure VMs running production workloads, use Azure Backup. Azure Backup supports
application-consistent backups for both Windows and Linux VMs. Azure Backup creates recovery points
that are stored in geo-redundant recovery vaults. When you restore from a recovery point, you can
restore the whole VM or just specific files. The topics in this lesson will focus on Azure Backup.
Images
Managed disks also support creating a managed custom image. You can create an image from your
custom VHD in a storage account or directly from a generalized (sysprepped) VM. This process captures a
single image. This image contains all managed disks associated with a VM, including both the OS and
data disks. This managed custom image enables creating hundreds of VMs using your custom image
without the need to copy or manage any storage accounts.
An Azure backup job consists of two phases. First, a virtual machine snapshot is taken. Second, the virtual
machine snapshot is transferred to the Azure Recovery Services vault.
A recovery point is considered created only after both steps are completed. As a part of this upgrade, a
● The Recovery Services vault can be used to backup on-premises virtual machines including: Hyper-V,
VmWare, System State, and Bare Metal Recovery.
Implementing VM Backups
Backing up Azure virtual machines using Azure Backup is easy and follows a simple process.
1. Create a recovery services vault. To back up your files and folders, you need to create a Recovery
Services vault in the region where you want to store the data. You also need to determine how you
want your storage replicated, either geo-redundant (default) or locally redundant. By default, your
vault has geo-redundant storage. If you are using Azure as a primary backup storage endpoint, use
the default geo-redundant storage. If you are using Azure as a non-primary backup storage endpoint,
then choose locally redundant storage, which will reduce the cost of storing data in Azure.
2. Use the Portal to define the backup. Protect your data by taking snapshots of your data at defined
intervals. These snapshots are known as recovery points, and they are stored in recovery services
vaults. If or when it is necessary to repair or rebuild a VM, you can restore the VM from any of the
saved recovery points. A backup policy defines a matrix of when the data snapshots are taken, and
how long those snapshots are retained. When defining a policy for backing up a VM, you can trigger a
backup job once a day.
Implementing VM Restore
Once your virtual machine snapshots are safely in the recovery services vault it is easy to recover them.
Once you trigger the restore operation, the Backup service creates a job for tracking the restore opera-
tion. The Backup service also creates and temporarily displays notifications, so you monitor how the
backup is proceeding.
Advantages
The advantages of backing up machines and apps to MABS/DPM storage, and then backing up DPM/
MABS storage to a vault are as follows:
● Backing up to MABS/DPM provides app-aware backups optimized for common apps such as SQL
Server, Exchange, and SharePoint, in additional to file/folder/volume backups, and machine state
3 https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction
● You can manage backups for multiple machines that you gather into protection groups in a single
console. This is particularly useful when apps are tiered over multiple machines and you want to back
them up together.
Backup steps
1. Install the DPM or MABS protection agent on machines you want to protect. You then add the
machines to a DPM protection group.
2. To protect on-premises machines, the DPM or MABS server must be located on-premises.
3. To protect Azure VMs, the MABS server must be located in Azure, running as an Azure VM.
4. With DPM/MABS, you can protect backup volumes, shares, files, and folders. You can also protect a
machine's system state (bare metal), and you can protect specific apps with app-aware backup
settings.
5. When you set up protection for a machine or app in DPM/MABS, you select to back up to the MABS/
DPM local disk for short-term storage and to Azure for online protection. You also specify when the
backup to local DPM/MABS storage should run and when the online backup to Azure should run.
6. The disk of the protected workload is backed up to the local MABS/DPM disks, according to the
schedule you specified.
7. The DPM/MABS disks are backed up to the vault by the MARS agent that's running on the DPM/
MABS server.
Soft Delete
Azure Storage now offers soft delete for blob objects so that you can more easily recover your data when
it is erroneously modified or deleted by an application or other storage account user.
Configuration settings
When you create a new account, soft delete is off by default. Soft delete is also off by default for existing
storage accounts. You can toggle the feature on and off at any time during the life of a storage account.
You will still be able to access and recover soft deleted data when the feature is turned off, assuming that
soft deleted data was saved when the feature was previously turned on. When you turn on soft delete,
you also need to configure the retention period.
The retention period indicates the amount of time that soft deleted data is stored and available for
recovery. For blobs and blob snapshots that are explicitly deleted, the retention period clock starts when
the data is deleted. For soft deleted snapshots generated by the soft delete feature when data is over-
written, the clock starts when the snapshot is generated. Currently you can retain soft deleted data for
www.androdagger.com Telegram: @androdagger
between 1 and 365 days.
You can change the soft delete retention period at any time. An updated retention period will only apply
to newly deleted data. Previously deleted data will expire based on the retention period that was config-
ured when that data was deleted. Attempting to delete a soft deleted object will not affect its expiry time.
✔️ Soft delete is backwards compatible, so you don't have to make any changes to your applications to
take advantage of the protections this feature affords.
Replications Scenarios
● Replicate Azure VMs from one Azure region to another.
● Replicate on-premises VMware VMs, Hyper-V VMs, physical servers (Windows and Linux), Azure Stack
VMs to Azure.
● Replicate AWS Windows instances to Azure.
● Replicate on-premises VMware VMs, Hyper-V VMs managed by System Center VMM, and physical
servers to a secondary site.
Features
● Using Site Recovery, you can set up and manage replication, failover, and failback from a single
location in the Azure portal.
● Replication to Azure eliminates the cost and complexity of maintaining a secondary datacenter.
● Site Recovery orchestrates replication without intercepting application data. When you replicate to
Azure, data is stored in Azure storage, with the resilience that provides. When failover occurs, Azure
VMs are created, based on the replicated data.
● Site Recovery provides continuous replication for Azure VMs and VMware VMs, and replication
www.androdagger.com Telegram: @androdagger
frequency as low as 30 seconds for Hyper-V.
● You can replicate using recovery points with application-consistent snapshots. These snapshots
capture disk data, all data in memory, and all transactions in process.
● You can run planned failovers for expected outages with zero-data loss, or unplanned failovers with
minimal data loss (depending on replication frequency) for unexpected disasters. You can easily fail
back to your primary site when it's available again.
● Site Recovery integrates with Azure for simple application network management, including reserving
IP addresses, configuring load-balancers, and integrating Azure Traffic Manager for efficient network
switchovers.
✔️ Are you considering using Azure Site Recovery and are you interested in any of these specific fea-
tures? Which one is most important to you?
For more information, Azure Site Recovery documentation4.
When you enable replication for an Azure VM, the following happens:
1. The Site Recovery Mobility service extension is automatically installed on the VM. The extension
registers the VM with Site Recovery. Continuous replication begins for the VM. Disk writes are imme-
diately transferred to the cache storage account in the source location.
2. Site Recovery processes the data in the cache, and sends it to the target storage account, or to the
replica managed disks.
3. After the data is processed, crash-consistent recovery points are generated every five minutes.
App-consistent recovery points are generated according to the setting specified in the replication
policy.
4. When you initiate a failover, the VMs are created in the target resource group, target virtual network,
target subnet, and in the target availability set. During a failover, you can use any recovery point.
Lab scenario
You have been tasked with evaluating the use of Azure Recovery Services for backup and restore of files
hosted on Azure virtual machines and on-premises computers. In addition, you want to identify methods
of protecting data stored in the Recovery Services vault from accidental or malicious data loss.
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Create a Recovery Services vault.
● Task 3: Implement Azure virtual machine-level backup.
● Task 4: Implement File and Folder backup.
● Task 5: Perform file recovery by using Azure Recovery Services agent.
● Task 6: Perform file recovery by using Azure virtual machine snapshots.
● Task 7: Review the Azure Recovery Services soft delete functionality.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
You are responsible for creating a disaster recovery plan for your data center. You must be able to recreate
virtual machines from scratch. This includes the Operating System, its configuration/ settings, and patches.
Which of the following will provide a bare metal backup of your machines? Select one.
Azure Backup (MARS) agent
Enable disk snapshots
Azure Site Recovery
Azure Backup Server
Review Question 3
You have several Azure VMs that are currently running production workloads. You have a mix of Windows
Server and Linux servers and you need to implement a backup strategy for your production workloads.
Which feature should you use in this case? Select one.
Managed snapshots.
Azure Backup.
Azure Site Recovery.
Azure Migrate.
Review Question 4
You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup.
What is the first thing you need to do? Select one.
Define recovery points.
Create a Recovery Services vault.
Create a Backup policy.
Install the Azure VM Agent.
Review Question 5
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore a database used for development on a data disk? Select one.
Virtual machine backup
Azure Site Recovery
Review Question 6
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore the entire virtual machine or files on the virtual machine? Select
one.
Virtual machine backup
Azure Site Recovery
Disk image backup
Disk snapshot
Review Question 7
Your organization needs a way to create application aware snapshots, and backup Linux virtual machines
and VMware virtual machines. You have files, folders, volumes,and workloads to protect. You recommend
which of the following solutions? Select one.
Azure Backup (MARS) agent
Azure Backup Server
Enable disk snapshots
Enable backup for individual Azure VMs
Review Question 8
You plan to use virtual machine soft delete. Which of the following statements are true? Select two.
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Protect your virtual machines by using Azure Backup5
● Back up and restore your Azure SQL database6
● Protect your Azure infrastructure with Azure Site Recovery7
5 https://docs.microsoft.com/en-us/learn/modules/protect-virtual-machines-with-azure-backup/
6 https://docs.microsoft.com/en-us/learn/modules/backup-restore-azure-sql/
7 https://docs.microsoft.com/en-us/learn/modules/protect-infrastructure-with-site-recovery/
8 https://docs.microsoft.com/en-us/learn/modules/protect-on-premises-infrastructure-with-azure-site-recovery/
Answers
Review Question 1
You need to backup files and folders to Azure. Which three steps must you perform?
■ Download, install and register the backup agent.
Synchronize configuration.
■ Back up files and folders.
Create a backup services vault.
■ Create a recovery services vault.
Explanation
Review Question 2
You are responsible for creating a disaster recovery plan for your data center. You must be able to
recreate virtual machines from scratch. This includes the Operating System, its configuration/ settings,
and patches. Which of the following will provide a bare metal backup of your machines? Select one.
Azure Backup (MARS) agent
Enable disk snapshots
Azure Site Recovery
■ Azure Backup Server
Explanation
Azure Backup Server provides a bare metal backup capability.
Review Question 3
You have several Azure VMs that are currently running production workloads. You have a mix of Windows
Server and Linux servers and you need to implement a backup strategy for your production workloads.
Which feature should you use in this case? Select one.
Managed snapshots.
■ Azure Backup.
Azure Site Recovery.
Azure Migrate.
Explanation
For backing up Azure virtual machines running production workloads, use Azure Backup. Azure Backup
supports application-consistent backups for both Windows and Linux virtual machines. Azure Site Recovery
coordinates virtual-machine and physical-server replication, failover, and failback, but Azure Backup will
protect and restore data at a more granular level. Managed snapshots provide a read-only full copy of a
managed disk, and is an ideal solution in development and test environments, but Azure Backup is the
www.androdagger.com
better option for your production workloads. Telegram: @androdagger
MCT USE ONLY. STUDENT USE PROHIBITED
Module 10 Lab and Review Questions 355
Review Question 4
You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup.
What is the first thing you need to do? Select one.
Define recovery points.
■ Create a Recovery Services vault.
Create a Backup policy.
Install the Azure VM Agent.
Explanation
When performing a virtual machine backup, you must first create a Recovery Services vault in the region
where you want to store the data. Recovery points are stored in the Recovery Services vault. While creating
a backup policy is a good practice, it is not a dependency to creating a backup. The Azure VM agent is
required on an Azure virtual machine for the Backup extension to work. However, if the VM was created
from the Azure gallery, then the VM Agent is already present on the virtual machine.
Review Question 5
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore a database used for development on a data disk? Select one.
Virtual machine backup
Azure Site Recovery
Disk image backup
■ Disk snapshot
Explanation
You can use snapshots to quickly restore the database data disks.
Review Question 6
You deploy several virtual machines (VMs) to Azure. You are responsible for backing up all data processed
by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these
options would you recommend to restore the entire virtual machine or files on the virtual machine?
Select one.
■ Virtual machine backup
Azure Site Recovery
Disk image backup
Disk snapshot
Explanation
Use Azure backup to restore a VM to a specific point in time, and to restore individual files. Azure Backup
supports application-consistent backups for both Windows and Linux VMs.
Review Question 7
Your organization needs a way to create application aware snapshots, and backup Linux virtual machines
and VMware virtual machines. You have files, folders, volumes,and workloads to protect. You recommend
which of the following solutions? Select one.
Azure Backup (MARS) agent
■ Azure Backup Server
Enable disk snapshots
Enable backup for individual Azure VMs
Explanation
Azure backup server provides app aware snapshots, support for Linux virtual machines and VMware virtual
machines. Backup server can protect files, folders, volumes, and workloads.
Review Question 8
You plan to use virtual machine soft delete. Which of the following statements are true? Select two.
Azure Monitor
Azure Monitor Service
Monitoring is the act of collecting and analyzing data to determine the performance, health, and availa-
bility of your business application and the resources that it depends on. An effective monitoring strategy
helps you understand the detailed operation of the components of your application. It also helps you
increase your uptime by proactively notifying you of critical issues so that you can resolve them before
they become problems.
Azure includes multiple services that individually perform a specific role or task in the monitoring space.
Together, these services deliver a comprehensive solution for collecting, analyzing, and acting on teleme-
try from your application and the Azure resources that support them. They can also work to monitor
critical on-premises resources to provide a hybrid monitoring environment. Understanding the tools and
data that are available is the first step in developing a complete monitoring strategy for your application.
The next diagram gives a high-level view of Azure Monitor. At the center of the diagram are the data
stores for metrics and logs, which are the two fundamental types of data use by Azure Monitor. On the
left are the sources of monitoring data that populate these data stores. On the right are the different
functions that Azure Monitor performs with this collected data such as analysis, alerting, and streaming to
external systems.
Key Capabilities
● Monitor and visualize metrics. Metrics are numerical values available from Azure resources helping
you understand the health, operation and performance of your system.
● Query and analyze logs. Logs are activity logs, diagnostic logs, and telemetry from monitoring
solutions; analytics queries help with troubleshooting and visualizations.
● Setup alerts and actions. Alerts notify you of critical conditions and potentially take automated
corrective actions based on triggers from metrics or logs.
Log Data
Log data collected by Azure Monitor is stored in Log Analytics which includes a rich query language3 to
quickly retrieve, consolidate, and analyze collected data. You can create and test queries using the Log
Analytics page in the Azure portal and then either directly analyze the data using these tools or save
queries for use with visualizations or alert rules.
Azure Monitor uses a version of the Data Explorer4 query language that is suitable for simple log queries
but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly
learn the query language using multiple lessons. Particular guidance is provided to users who are already
familiar with SQL and Splunk.
Data Types
Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your
applications in tiers ranging from your application, any operating system and services it relies on, down
to the platform itself. Azure Monitor collects data from each of the following tiers:
● Application monitoring data: Data about the performance and functionality of the code you have
written, regardless of its platform.
● Guest OS monitoring data: Data about the operating system on which your application is running.
This could be running in Azure, another cloud, or on-premises.
● Azure resource monitoring data: Data about the operation of an Azure resource.
● Azure subscription monitoring data: Data about the operation and management of an Azure
subscription, as well as data about the health and operation of Azure itself.
● Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as
Azure Active Directory.
As soon as you create an Azure subscription and start adding resources such as virtual machines and web
apps, Azure Monitor starts collecting data. Activity Logs record when resources are created or modified.
Metrics tell you how the resource is performing and the resources that it's consuming.
Extend the data you're collecting into the actual operation of the resources by enabling diagnostics and
adding an agent to compute resources. This will collect telemetry for the internal operation of the
resource and allow you to configure different data sources to collect logs and metrics from Windows and
Linux guest operating systems.
✔️ Azure Monitor can collect log data from any REST client using the Data Collector API. This allows youto
create custom monitoring scenarios and extend monitoring to resources that don't expose telemetry
through other sources.
Azure Advisor
Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure
deployments. It analyzes your resource configuration and usage telemetry and then recommends
solutions that can help you improve the cost effectiveness, performance, high availability, and security of
your Azure resources.
The Advisor cost recommendations page helps you optimize and reduce your overall Azure spend by
identifying idle and underutilized resources.
Activity Log
The Azure Activity Log is a subscription log that provides insight into subscription-level events that have
occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to
updates on Service Health events.
With the Activity Log, you can determine the ‘what, who, and when’ for any write operations (PUT, POST,
DELETE) taken on the resources in your subscription. You can also understand the status of the operation
and other relevant properties. Through activity logs, you can determine:
● What operations were taken on the resources in your subscription.
● Who started the operation.
● When the operation occurred.
● The status of the operation.
● The values of other properties that might help you research the operation.
✔️ Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date
isn't more than 90 days in the past. You can retrieve events from your Activity Log using the Azure portal,
CLI, PowerShell cmdlets, and Azure Monitor REST API.
In the Azure portal, you can filter your Activity Log by these fields:
● Subscription. One or more Azure subscription names.
● Timespan. The start and end time for events.
● Event Severity. The severity level of the event (Informational, Warning, Error, Critical).
● Resource group. One or more resource groups within those subscriptions.
● Resource (name). The name of a specific resource.
● Resource type. The type of resource, for example, Microsoft.Compute/virtualmachines.
● Operation name. The name of an Azure Resource Manager operation, for example, Microsoft.SQL/
servers/Write.
● Event initiated by. The ‘caller,’ or user who performed the operation.
● Search. This is an open text search box that searches for that string across all fields in all events.
Event categories
● Administrative. This category contains the record of all create, update, delete, and action operations
performed through Resource Manager. Examples of the types of events you would observe in this
category include “create virtual machine” and "delete network security group". The Administrative
category also includes any changes to role-based access control in a subscription.
● Service Health. This category contains the record of any service health incidents that have occurred
in Azure. An example of the type of event you would observe in this category is “SQL Azure in East US
is experiencing downtime.” Service health events come in five varieties: Action Required, Assisted
Recovery, Incident, Maintenance, Information, or Security.
● Resource Health. This category contains the record of any resource health events that have occurred
to your Azure resources. An example of the type of event you would see in this category is “Virtual
Machine health status changed to unavailable.” Resource health events can represent one of four
health statuses: Available, Unavailable, Degraded, and Unknown.
● Alert. This category contains the record of all activations of Azure alerts. An example of the type of
event you would observe in this category is “CPU % on myVM has been over 80 for the past 5 min-
utes.”
● Autoscale. This category contains the record of any events related to the operation of the autoscale
engine based on any autoscale settings you have defined in your subscription. An example of the type
of event you would observe in this category is “Autoscale scale up action failed.”
● Recommendation. This category contains recommendation events from certain resource types, such
as web sites and SQL servers. These events offer recommendations for how to better utilize your
resources.
● Security. This category contains the record of any alerts generated by Azure Security Center. An
Azure Alerts
Azure Monitor Alerts
Managing Alerts
You can alert on metrics and logs as described in monitoring data sources. These include but are not
limited to:
● Metric values
● Log search queries
● Activity Log events
● Health of the underlying Azure platform
Alert states
You can set the state of an alert to specify where it is in the resolution process. When the criteria specified
in the alert rule is met, an alert is created or fired, it has a status of New. You can change the status when
you acknowledge an alert and when you close it. All state changes are stored in the history of the alert.
The following alert states are supported.
State Description
New The issue has just been detected and has not yet
been reviewed.
Acknowledged An administrator has reviewed the alert and
started working on it.
Closed The issue has been resolved. After an alert has
been closed, you can reopen it by changing it to
another state.
✔️ Alert state is different and independent of the monitor condition. Alert state is set by the user. Monitor
condition is set by the system. When an alert fires, the alert's monitor condition is set to fired. When the
underlying condition that caused the alert to fire clears, the monitor condition is set to re- solved. The
alert state isn't changed until the user changes it.
For more information, The new alerts experience in Azure Monitor5
Alert rules are separated from alerts and the actions that are taken when an alert fires. The alert rule
captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts
only fire when enabled. The key attributes of an alert rule are:
● Target Resource – Defines the scope and signals available for alerting. A target can be any Azure
resource. Example targets: a virtual machine, a storage account, a virtual machine scale set, a Log
Analytics workspace, or an Application Insights resource. For certain resources (like Virtual Machines),
you can specify multiple resources as the target of the alert rule.
● Signal – Signals are emitted by the target resource and can be of several types. Metric, Activity log,
Application Insights, and Log.
● Criteria – Criteria is a combination of Signal and Logic applied on a Target resource. Examples: *
Percentage CPU > 70%; Server Response Time > 4 ms; and Result count of a log query > 100.
● Alert Name – A specific name for the alert rule configured by the user.
● Alert Description – A description for the alert rule configured by the user.
● Severity – The severity of the alert once the criteria specified in the alert rule is met. Severity can
range from 0 to 4.
● Action – A specific action taken when the alert is fired. Tje Action Groups topic is coming up.
Action Groups
An action group is a collection of notification preferences defined by the owner of an Azure subscription.
Azure Monitor and Service Health alerts use action groups to notify users that an alert has been trig-
gered. Various alerts may use the same action group or different action groups depending on the user's
requirements.
When an action is configured to notify a person by email or SMS the person will receive a confirmation
indicating they have been added to the action group.
● Automation runbook - An automation runbook is the ability to define, build, orchestrate, manage,
and report on workflows that support system and network operational processes. A runbook workflow
can potentially interact with all types of infrastructure elements, such as applications, databases, and
hardware.
● Azure Function – Azure functions is a serverless compute service that lets you run event-triggered
code without having to explicitly provision or manage infrastructure.
● Email Azure Resource Manager role – Send email to the members of the subscription's role. Email
will only be sent to Azure AD user members of the role. Email will not be sent to Azure AD groups or
service principals.
● Email/SMS/Push/Voice - Specify any email, SMS, push, or voice actions.
● ITSM – Connect Azure and a supported IT Service Management (ITSM) product/service. This requires
an ITSM Connection.
● Logic App – Logic apps connect your business-critical apps and services by automating your work-
flows.
● Webhook – A webhook is a HTTP endpoint that allows external applications to communicate with
your system.
✔️ Always check the documentation for the number of actions you can create.
2. Click Alerts then click + New alert rule. As most resource blades also have Alerts in their resource
menu under Monitoring, you could create alerts from there as well.
Explore alert targets
1. Click Select under Target, to select a target resource that you want to alert on. Use Subscription and
Resource type drop-downs to find the resource you want to monitor. You can also use the search bar
to find your resource.
2. If the selected resource has metrics you can create alerts on, Available signals on the bottom right will
include metrics. You can view the full list of resource types supported for metric alerts in this article.
3. Click Done when you have made your selection.
Explore alert conditions
1. Once you have selected a target resource, click on Add condition.
2. You will observe a list of signals supported for the resource, select the metric you want to create an
alert on.
3. Optionally, refine the metric by adjusting Period and Aggregation. If the metric has dimensions, the
Dimensions table will be presented.
4. Observe a chart for the metric for the last 6 hours. Adjust the Show history drop-down.
5. Define the Alert logic. This will determine the logic which the metric alert rule will evaluate.
6. If you are using a static threshold, the metric chart can help determine what might be a reasonable
threshold. If you are using a Dynamic Thresholds, the metric chart will display the calculated thresh-
olds based on recent data.
7. Click Done.
8. Optionally, add another criteria if you want to monitor a complex alert rule.
Explore alert details
1. Fill in Alert details like Alert Rule Name, Description and Severity.
2. Add an action group to the alert either by selecting an existing action group or creating a new action
group.
3. Click Done to save the metric alert rule.
Log Analytics
Log Analytics
Log Analytics is a service in that helps you collect and analyze data generated by resources in your cloud
and on-premises environments.
Log queries helps you to fully leverage the value of the data collected in Azure Monitor Logs. A powerful
query language allows you to join data from multiple tables, aggregate large sets of data, and perform
complex operations with minimal code. Virtually any question can be answered and analysis performed
as long as the supporting data has been collected, and you understand how to construct the right query.
Some features in Azure Monitor such as insights and solutions process log data without exposing you to
the underlying queries. To fully leverage other features of Azure Monitor, you should understand how
queries are constructed and how you can use them to interactively analyze data in Azure Monitor Logs.
from a specific account, users installing unapproved software, unexpected system reboots or shutdowns,
evidence of security breaches, or specific problems in loosely coupled applications.
Create a Workspace
To get started with Log Analytics you need to add a workspace.
Connected Sources
Connected Sources are the computers and other resources that generate data collected by Log Analytics.
This can include agents installed on Windows6 and Linux7 computers that connect directly or agents in a
connected System Center Operations Manager management group8 . Log Analytics can also collect
data from Azure storage9.
This following diagram shows how Connected Sources flow data to the Log Analytics service.
Data Sources
Data sources are the different kinds of data collected from each connected source. These can include
events and performance data from Windows and Linux agents, in addition to sources such as IIS logs and
custom text logs. You configure each data source that you want to collect, and the configuration is
www.androdagger.com Telegram: @androdagger
automatically delivered to each connected source.
When you configure the Log Analytics settings the available data sources are shown. Data sources
include: Windows Event Logs, Windows Performance Counters, Linux Performance Counters, IIS Logs,
Custom Fields, Custom Logs, and Syslog. Each data source has additional configuration options. For
example, the Windows Event Log can be configured to forward Error, Warning, or Informational messag-
es.
To give a quick graphical view of the health of your overall environment, you can add visualizations for
saved log searches to your dashboard. To analyze data outside of Log Analytics, you can export the data
from the repository into tools such as Power BI or Excel. You can also leverage the Log Search API to build
custom solutions that leverage Log Analytics data or to integrate with other systems.
For example, this query returns a count of the top 10 errors in the Event log during the last day. The
results are in descending order.
Event
| where (EventLevelName == "Error")
| where (TimeGenerated > ago(1days))
| summarize ErrorCount = count() by Computer
| top 10 by ErrorCount desc
● summarize - Produces a table that aggregates the content of the input table.
T | where fruit=="apple"
10 https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-language
11 https://portal.loganalytics.io/demo
Network Watcher
Network Watcher
Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for
resources in an Azure virtual network. Network Watcher is a regional service that enables you to monitor
and diagnose conditions at a network scenario level.
● Automate remote network monitoring with packet capture. Monitor and diagnose networking
issues without logging in to your virtual machines (VMs) using Network Watcher. Trigger packet
capture by setting alerts, and gain access to real-time performance information at the packet level.
When you observe an issue, you can investigate in detail for better diagnoses.
● Gain insight into your network traffic using flow logs. Build a deeper understanding of your
network traffic pattern using Network Security Group flow logs. Information provided by flow logs
helps you gather data for compliance, auditing and monitoring your network security profile.
● Diagnose VPN connectivity issues. Network Watcher provides you the ability to diagnose your most
common VPN Gateway and Connections issues. Allowing you, not only, to identify the issue but also
to use the detailed logs created to help further investigate.
Connection monitor
Connection monitor is a feature of Network Watcher that can monitor communication between a virtual
machine and an endpoint. The connection monitor capability monitors communication at a regular
interval and informs you of reachability, latency, and network topology changes between the VM and the
endpoint.
For example, you might have a web server VM that communicates with a database server VM. Someone
in your organization may, unknown to you, apply a custom route or network security rule to the web
server or database server VM or subnet.
If an endpoint becomes unreachable, connection troubleshoot informs you of the reason. Potential
reasons might be DNS name resolution problem, the CPU, memory, or firewall within the operating
system of a VM, or the hop type of a custom route, or security rule for the VM or subnet of the outbound
connection. Connection monitor also provides the minimum, average, and maximum latency observed
over time.
12 https://azure.microsoft.com/en-us/services/network-watcher/
Verify IP Flow: Quickly diagnose connectivity issues from or to the internet and from or to the on-prem-
ises environment. For example, confirming if a security rule is blocking ingress or egress traffic to or from
a virtual machine. IP flow verify is ideal for making sure security rules are being correctly applied. When
used for troubleshooting, if IP flow verify doesn’t show a problem, you will need to explore other areas
such as firewall restrictions.
Next Hop: To determine if traffic is being directed to the intended destination by showing the next hop.
This will help determine if networking routing is correctly configured. Next hop also returns the route
table associated with the next hop. If the route is defined as a user-defined route, that route is returned.
Otherwise, next hop returns System Route. Depending on your situation the next hop could be Internet,
Virtual Appliance, Virtual Network Gateway, VNet Local, VNet Peering, or None. None lets you know that
while there may be a valid system route to the destination, there is no next hop to route the traffic to the
destination. When you create a virtual network, Azure creates several default outbound routes for
network traffic. The outbound traffic from all resources, such as VMs, deployed in a virtual network, are
routed based on Azure's default routes. You might override Azure's default routes or create additional
routes.
VPN Diagnostics: Troubleshoot gateways and connections. VPN Diagnostics returns a wealth of informa-
tion. Summary information is available in the portal and more detailed information is provided in log files.
The log files are stored in a storage account and include things like connection statistics, CPU and
memory information, IKE security errors, packet drops, and buffers and events.
NSG Flow Logs: NSG Flow Logs maps IP traffic through a network security group. These capabilities can
be used in security compliance and auditing. You can define a prescriptive set of security rules as a model
for security governance in your organization. A periodic compliance audit can be implemented in a
programmatic way by comparing the prescriptive rules with the effective rules for each of the VMs in
your network.
Connection Troubleshoot. Azure Network Watcher Connection Troubleshoot is a more recent addition
to the Network Watcher suite of networking tools and capabilities. Connection Troubleshoot enables you
www.androdagger.com Telegram: @androdagger
to troubleshoot network performance and connectivity issues in Azure.
Example
When you deploy a VM, Azure applies several default security rules to the VM that allow or deny traffic to
or from the VM. You might override Azure's default rules or create additional rules. At some point, a VM
may become unable to communicate with other resources, because of a security rule.
The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol
(TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication
and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which
security rule allowed or denied the communication, so that you can resolve the problem.
✔️ IP flow verify is ideal for making sure security rules are being correctly applied. When used for
troubleshooting, if IP flow verify doesn’t show a problem, you will need to explore other areas such as
firewall restrictions.
Next hop also returns the route table associated with the next hop. If the route is defined as a user-de-
fined route, that route is returned. Otherwise, next hop returns System Route. Depending on your
situation the next hop could be Internet, Virtual Appliance, Virtual Network Gateway, VNet Local, VNet
Peering, or None. None lets you know that while there may be a valid system route to the destination,
there is no next hop to route the traffic to the destination.
● Source. Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for
example), service tag, or application security group. Specifying a range, a service tag, or application
security group, enables you to create fewer security rules.
● Protocol. TCP, UDP, ICMP or Any.
● Action. Allow or deny.
VPN Troubleshoot returns a wealth of information. Summary information is available in the portal and
more detailed information is provided in log files. The log files are stored in a storage account and
include things like connection statistics, CPU and memory information, IKE security errors, packet drops,
and buffers and events.
✔️ You can select multiple gateways or connections to troubleshoot simultaneously or you can focus on
an individual component.
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a
virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you
want. Packet capture helps to diagnose network anomalies, both reactively, and proactively. Other uses
include gathering network statistics, gaining information on network intrusions, to debug client-server
communication, and much more. Being able to remotely trigger packet captures, eases the burden of
running a packet capture manually on a desired virtual machine, which saves valuable time.
✔️ This feature now supports (January 2020) firewalled storage accounts and service endpoints for
storage.
ture. You can use the topology tool to visualize and understand the infrastructure you're dealing with
before you start troubleshooting.
Network Watcher's Topology capability enables you to generate a visual diagram of the resources in a
virtual network, and the relationships between the resources. The following picture shows an example
topology diagram for a virtual network that has three subnets, two VMs, network interfaces, public IP
addresses, network security groups, route tables, and the relationships between the resources:
The topology tool generates a graphical display of your Azure virtual network, its resources, its intercon-
nections, and their relationships with each other.
✔️ To generate the topology, you need a Network Watcher instance in the same region as the virtual
network.
Lab scenario
You need to evaluate Azure functionality that would provide insight into performance and configuration
of Azure resources, focusing in particular on Azure virtual machines. To accomplish this, you intend to
examine the capabilities of Azure Monitor, including Log Analytics.
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Create and configure an Azure Log Analytics workspace and Azure Automation-based solu-
tions.
● Task 3: Review default monitoring settings of Azure virtual machines.
● Task 4: Configure Azure virtual machine diagnostic settings.
● Task 5: Review Azure Monitor functionality.
● Task 6: Review Azure Log Analytics functionality.
✔️ Consult with your instructor for how to access the lab instructions and lab environment (if provided).
Review Question 2
Your organization has an app that is used across the business. The performance of this app is critical to day
to day operations. Because the app is so important, four IT administrators have been identified to address
any issues. You have configured an alert and need to ensure the administrators are notified if there is a
problem. In which area of the portal will you provide the administrator email addresses? Select one.
Activity log
Performance group
Signal Type
Action Group
Review Question 3
Your organization has several Linux virtual machines. You would like to use Log Analytics to retrieve error
messages for these machines. You plan to automate the process, so you create a search query. You begin the
query by identifying the source table. Which source table do you use? Select one.
Event
SysLog
Heartbeat
MyLog_CL
Alert
Review Question 4
You are analyzing the company virtual network and think it would helpful to get a visual representation of
the networking elements. Which feature can you use? Select one.
Network Watcher Auditing
Network Watcher Connection Troubleshoot
Network Watcher Flows
Network Watcher Next Hop
Network Watcher Views
Network Watcher Topology
Review Question 5
Your company has a website and users are reporting connectivity errors and timeouts. You suspect that a
security rule may be blocking traffic to or from one of the virtual machines. You need to quickly trouble-
shoot the problem, so you do which of the following? Select one.
Configure IIS logging and review the connection errors.
Turn on virtual machine diagnostic logging and use Log Analytics.
Use Network Watcher's VPN Diagnostics feature.
Use Network Watcher's IP Flow Verify feature.
Configure Windows performance counters and use Performance Monitor.
Review Question 6
You are interested in finding a single tool to help identity high VM CPU utilization, DNS resolution failures,
firewall rules that are blocking traffic, and misconfigured routes. Which tool can you use? Select one.
Network Watcher Auditing
Network Watcher Connection Troubleshoot
Network Watcher Flows
Network Watcher Next Hop
Network Watcher Views
Network Watcher Topology
Review Question 7
You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean? Select
one.
The issue has just been detected and has not yet been reviewed.
An administrator has reviewed the alert and started working on it.
The issue has been resolved.
The issue has been closed.
Review Question 8
You need to determine who deleted a network security group through Resource Manager. You are viewing
the Activity Log when another Azure Administrator says you should use this event category to narrow your
search. Select one.
Administrative
Service Health
www.androdagger.com Telegram: @androdagger
Alert
Recommentation
Policy
Additional Study
Microsoft Learn provides self paced skills training on a variety of topics. These Learn modules cover the
content you have just learned. You can search for additional modules by product, role, or level.
● Analyze your Azure infrastructure by using Azure Monitor logs13
● Improve incident response with alerting on Azure14
● Monitor the health of your Azure virtual machine by collecting and analyzing diagnostic data15
● Monitor, diagnose, and troubleshoot your Azure storage16
Answers
Review Question 1
Your organization has a very large web farm with more than 100 virtual machines. You would like to use
Log Analytics to ensure these machines are responding to requests. You plan to automate the process so
you create a search query. You begin the query by identifying the source table. Which source table do
you use? Select one.
Event
SysLog
■ Heartbeat
MyLog_CL
Alert
Explanation
The Heartbeat table will help you identify computers that haven't had a heartbeat in a specific time frame,
for example, the last six hours.
Review Question 2
Your organization has an app that is used across the business. The performance of this app is critical to
day to day operations. Because the app is so important, four IT administrators have been identified to
address any issues. You have configured an alert and need to ensure the administrators are notified if
there is a problem. In which area of the portal will you provide the administrator email addresses? Select
one.
Activity log
Performance group
Signal Type
■ Action Group
Explanation
When creating the alert, you will select Email as the Action Type. You will then be able to provide the
administrator email addresses as part of the Action Group.
Review Question 3
Your organization has several Linux virtual machines. You would like to use Log Analytics to retrieve error
messages for these machines. You plan to automate the process, so you create a search query. You begin
the query by identifying the source table. Which source table do you use? Select one.
Event
■ SysLog
Heartbeat
MyLog_CL
Review Question 4
You are analyzing the company virtual network and think it would helpful to get a visual representation
of the networking elements. Which feature can you use? Select one.
Network Watcher Auditing
Network Watcher Connection Troubleshoot
Network Watcher Flows
Network Watcher Next Hop
Network Watcher Views
■ Network Watcher Topology
Explanation
Network Watcher's Topology feature provides a visual representation of your networking elements.
Review Question 5
Your company has a website and users are reporting connectivity errors and timeouts. You suspect that a
security rule may be blocking traffic to or from one of the virtual machines. You need to quickly trouble-
shoot the problem, so you do which of the following? Select one.
Configure IIS logging and review the connection errors.
Turn on virtual machine diagnostic logging and use Log Analytics.
Use Network Watcher's VPN Diagnostics feature.
■ Use Network Watcher's IP Flow Verify feature.
Configure Windows performance counters and use Performance Monitor.
Explanation
Diagnosing connectivity issues is ideal for Network Watcher's IP Flow Verify feature. The IP Flow Verify capa-
bility enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic
direction (inbound or outbound). IP Flow Verify then tests the communication and informs you if the
connection succeeds or fails.
Review Question 6
You are interested in finding a single tool to help identity high VM CPU utilization, DNS resolution
failures, firewall rules that are blocking traffic, and misconfigured routes. Which tool can you use? Select
one.
Network Watcher Auditing
■ Network Watcher Connection Troubleshoot
Network Watcher Flows
Network Watcher Next Hop
Review Question 7
You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean?
Select one.
The issue has just been detected and has not yet been reviewed.
■ An administrator has reviewed the alert and started working on it.
The issue has been resolved.
The issue has been closed.
Explanation
An alert status of Acknowledged means an administrator has reviewed the alert and started working on it.
Alert state is different and independent of the monitor condition. Alert state is set by the user. Monitor
condition is set by the system.
Review Question 8
You need to determine who deleted a network security group through Resource Manager. You are
viewing the Activity Log when another Azure Administrator says you should use this event category to
narrow your search. Select one.
■ Administrative
Service Health
Alert
Recommentation
Policy
Explanation
Administrative. This category contains the record of all create, update, delete, and action operations
performed through Resource Manager. Examples of the types of events you would observe in this category
include "create virtual machine" and "delete network security group". The Administrative category also
includes any changes to role-based access control in a subscription.