Microsoft Azure Administrator Exam Prep (AZ-104)

Telegram Channel : @IRFaraExam


MicrosoftAzureAdministrator

ExamPrep(AZ-104)

MakeYourCareerwithMicrosoftAzurePlatform

UsingAzureAdministeredExamPrep

LalitRawat

www.bpbonline.com


http://www.bpbonline.com

FIRSTEDITION2021

Copyright©BPBPublications,IndiaISBN:978-93-89898-767

AllRightsReserved.Nopartofthispublicationmaybereproduced,distributedortransmittedinanyformor by anymeans or stored in a database or retrieval system,without the priorwritten permission of thepublisher with the exception to the program listings which may be entered, stored and executed in acomputersystem,buttheycannotbereproducedbythemeansofpublication,photocopy,recording,orbyanyelectronicandmechanicalmeans.

LIMITSOFLIABILITYANDDISCLAIMEROFWARRANTY

Theinformationcontainedinthisbookistruetocorrectandthebestofauthor’sandpublisher’sknowledge.Theauthorhasmadeeveryefforttoensuretheaccuracyofthesepublications,butpublishercannotbeheldresponsibleforanylossordamagearisingfromanyinformationinthisbook.AlltrademarksreferredtointhebookareacknowledgedaspropertiesoftheirrespectiveownersbutBPBPublicationscannotguaranteetheaccuracyofthisinformation.

Distributors:

BPBPUBLICATIONS20,AnsariRoad,DaryaGanj

NewDelhi-110002Ph:23254990/23254991

MICROMEDIA

ShopNo.5,MahendraChambers,150DNRd.NexttoCapitalCinema,

V.T.(C.S.T.)Station,MUMBAI-400001Ph:22078296/22078297

DECCANAGENCIES

4-3-329,BankStreet,Hyderabad-500195

Ph:24756967/24756400

BPBBOOKCENTRE376OldLajpatRaiMarket,


Delhi-110006

Ph:23861747

Published byManish Jain for BPB Publications, 20 Ansari Road, Darya Ganj, New Delhi-110002 andPrintedbyhimatReproIndiaLtd,Mumbai

www.bpbonline.com


http://www.bpbonline.com/

DedicatedtoNarendraKumarRawatandNarmadaRawat

TomyParents:Thankyouforyourunconditionalsupportinanyandevery

situation.Thanksforyourblessingsandsupport.RadhikaandMayraRawat

Mydaughterswhohavemademylifeeasy!


AbouttheAuthorLalit is a Cloud Architect, Azure MVP, MCT, and author of the ‘AzureInterview Q and A’ book. He likes to share his knowledge through his blog(https://azure4you.com/) and share his technical skills in awider communitylikeAzureTalk,LocalMeetupGroup,andsoon.HehaswrittenseveralarticlesonMicrosoftAzureandchangedmanylivesfromhisarticlesandhishands-ontrainingprogramsandworkshops.He is “Speaker” and delivered the session on a big platform, including MSGlobalBootcamp,Localusergroup,ExpertLiveIndia,andotherevents.Moreover, and to his credit, he has delivered 500+ training sessions toprofessionals worldwide in Microsoft Azure technologies and othertechnologies, including SCOM and Windows Server. He has also providedinstructor-ledonlinetrainingandhands-onworkshops.His technical prowess and capability of exploring new frontiers of technologyand imparting them to his aspiring team members is his trademark. Hisexecutionispricelessandbringingforthhisapproachwillhelpyourealizeyourdreams,goals,andaspirationsintoreality.


https://azure4you.com/

AbouttheReviewersGauravAroraa is a serial entrepreneur and start-upmentor. He has done anMPhil in computer science. He is aMicrosoftMVP award recipient. He is alifetime member of the Computer Society of India (CSI) and an advisorymemberandseniormentoratIndiaMentor.HeiscertifiedasaScrumtrainerandcoach,ITIL-Fcertified,andPRINCE-FandPRINCE-Pcertified.Heisanopensourcedeveloperandcontributortothecommunity.Pulakesh Mahanta is a technology addict and always feels happy when helearns new things, explores new technology, or shares personal IT experience.Hiscareerstartedasadesktopengineerwaybackin2007andheworkedasaSystemAdministrator formore than6years.For the last5years,hehasbeenworkingonpublic cloud.He isMicrosoftAzure andAWSCertifiedArchitecthaving extensive experience in data center design, implementation,consolidation, andmigration.Hebelieves in automation and integrationof thenewclouddigitalplatformHeishighlyskilledinthenewdigitalplatformwhichalso demands EUC (End User Experience) such as AWS Workspace andAppStream,CitrixVDI,AzureWVD(WindowsVirtualDesktop),Self-Bot,andsoon.ArunPachehra is a certifiedAzureArchitect and hasmore than 11 years ofindustryexperience.Heiscurrentlyworkingwithoneofthebestcloudserviceproviders in theworldwhichdealswithallkindsofpublicandprivateclouds.Hehasbeenworkingwithpubliccloudtechnologiesformorethan5years.Hisfocusareasincludecloudconsulting,architecture,designing,andmigration.Hecomes from a Windows background; hence, Azure is always welcoming.However,heisalwaysexploringandlearningnewthings.Hehasalsocompletedthe AWS certification, and nowadays, he is exploring the modernization ofapplicationwithDocker,Kubernetes,andDevOps.HeiswellversedinIACviaTerraform.HebelievesinknowledgesharingandalsohoststechnicalblogsandYouTubechannels.


AcknowledgementThere are a few people I would like to thank for the continued and ongoingsupporttheyhavegivenmeduringthewritingofthisbook.Firstandforemost,Iwould like to thankmywife, Punita Rawat, and two daughters, Radhika andMayra, for putting up with me while I was spending many weekends andevenings on writing. I could have never completed this book without theirsupport.Thisbookwouldn’thavehappenedifIhadn’tgot thesupportfrommyfamily,followers, friends, and so on.My gratitude goes to the AzureTalk core team,especiallyNiraj Kumar, for providing valuable insights into some of the newfeaturesandprovidingmentorshipandguidance.Iwould like to thankGauravAroraa for hiswonderful support, guidance andhelpingmewhilewritingtheAzureAdministratorbook.Thankyou,DeepakRajendranSir,forprovidingyourguidancetodosomethingnewandcontributemoreandmore.Finally, Iwould like to thankGauravandBPBPublicationsforgivingme thisopportunitytowritemyfirstbookforthem.


PrefaceMicrosoft Azure is a platform where you can start your journey of cloudlearning.InthisbookAzureAdministration(AZ-104),wehaveexplainedaboutthe day-to-day tasks which you can take up and learn about Azureadministration.WehaveexplainedAzurecoreconceptsinthischapterandaddthelab-basedscenario,whichwillhelpyouclearthecoreconceptsofMicrosoftAzure.Wehaveincludedapprox.60to70questionswhichwillhelpyoucheckyour knowledge and provide a glimpse of the Azure administration examquestions.ThiswillhelpyouprepareforyourAzureadministrationexam.In this book, we have explained how to use the Azure Active Directory andcreateusersintheAzuresubscription.WehavealsoexplainedabouttheAzurestorage account, networking component like Azure Vnet, Subnet, and how toimplementthenetworksecuritygrouptorestrictthetraffictosecuretheAzureenvironments.Wehavealsoexplained loadbalancemechanics to loadbalanceyour application. We have also explained about the Azure role-based accesscontrolwhichwillhelpyoufinegrain theAzuresubscriptionaccess.WehavedefinedtheAzuresubscriptionusageandhowtosavecostmanagement.Inthisbook, you will also learn how to create the WebApps and Azurecontainer/Kubernetesserviceswhichwillhelpyouto learnthesame,andit’satoptrendingsubjectinthemarkettoday.Wehavealsocoveredinthischapteraboutthehybridconnectivityusingthesitetositeconnectionandexpressroute.WehaveexplainedwhatisthecomponentwhichbeenusedtocreatetheAzurevirtualmachine.Once you have all of the azure resources, then azure monitoring will alsoimportant to monitor the Azure Resources. We have nicely explained andprovided the step by step solutions for Azure monitor to clear you Azuremonitoring concepts.We have explained how to analysis theAzure resourcesetc.The primary goal of this book is to provide information and skills that arenecessarytobuildanddeploytheAzureinfrastructureinyourownenvironment.Thisbookcontainsreal-lifeexamplesthatwillshowyouhowtocleartheAzureAdministrationexamaswellashowtointegrateanon-premisesenvironmenttoAzure.Youwilllearnthefollowingtopicsinthisbook:


Chapter1ManagingAzureADObjects,introducestheAzureADobjectanddiscusseshow tocreateusers inAzureAD,group,andsoon,whichwillhelpyouunderstandtheAzureAD.Thiswillhelpyouintheexamaswell.Chapter 2 Implementing and Managing Hybrid Identities, discusses theAzureADconnectandhowtoconnecton-premisesADtoAzureADandsyncthe users. It provides the step-by-step instructions using an actual screenshotfromanAzurelabenvironment.Chapter3ManagingRoleAssignmentsThroughtheRBACPolicy,discussestheAzure role-basedaccess tocontrolhow tomanage theaccess in theAzuresubscriptionanddefinestheaccesslevelinyourorganization.Chapter 4 Managing Azure Subscription and Resource Management,explainstheAzuresubscriptionanditstype.ItalsodiscusseshowtomanagetheAzuresubscriptionandreducethecostofyoursubscription.Chapter5ManagingandConfiguringofAzureStorageAccounts,discusses,indepth,whatanAzurestorageaccount isandhowtouse it. Ithelpsusers toallowthemtosavetheirowndatainanAzurestorageaccountandmanagethedata.ItalsodiscusseshowtoconnecttheAzurestorageaccountusingtheAzureStorageExplorer.Chapter 6ManageData inAZURE Storage, describes how to manage thedata andmigrate the petabytes of the data using theAzure export and importservices. It discusses the Azure databox and Azure AzCopy command-lineutility tomove the data fromon-premise to theAzure storage account or onestorageaccounttoanother.Chapter 7 The Azure File Share, introduces the Azure file share, which isdesigned to integrate your on-premises systems to migrate the files to Azureautomatically using the Azure file sync. It explains the core concepts of theAzurefileshareandhowtoconnecttoyouron-premisesservers.Chapter8CreatingandConfiguringofAzureVMs,describeshowtocreatetheAzurevirtualmachine,explainsitscomponents,andhowtoconfigureit.ItprovidesexampleswithWindows/LinuxOS.Chapter9AutomatingDeploymentofVMs,describeshowtocreatetheVMautomaticallyusingtheAzureArmtemplate.Chapter 10 Creating and Configuring Container, describes how to createcontainersandconfiguretheminAzuresubscriptions.Chapter11CreatingandConfiguringWebApps,describeshowtocreateandconfigureAzureWebApps.ItdescribestheAppservices,Appservicesplan,and


soon.Chapter 12ConfiguringVirtualNetworking and IntegratingOn-PremisestoAzureNetwork,discusseshowtoconfigurevirtualnetworkingandintegratean on-premises to the Azure network. It explains Azure Vnet and configuresVnet-to-Vnetpeering.Chapter 13 Configuring Load Balancing Securing Access to VirtualNetworks, discusses how to configureAzure load balancing and provides theAzureloadbalancer,Applicationgateway,andDNSservices.Chapter 14 Securing Access to Virtual Networks, discusses how to secureaccesstovirtualnetworksusingtheAzurenetworksecuritygroupandanAzurefirewall.ItexplainsAzureBastionservices.Chapter 15 Monitoring and Troubleshooting of Virtual Networking,discusseshow tomonitor and troubleshootvirtualnetworkingusing theAzurenetworkwatcher.Chapter16AnalyzingResourceUtilizationandConsumption,discusseshowtoanalyze resourceutilizationusing theAzuremonitorandexplainsanalyzingmetricsacrosssubscriptionandserviceshealth.Chapter 17 Implementation of Azure Backup and Disaster Recovery,discusses how to implement ofAzure backup and protect theAzureVMs foraccidentaldeletion.ItexplainshowtoperformtheAzurebackupandrestorationprocess.Chapter 18 Exam PreparationGuidelines and Assessment Based on LiveQuestions,describesexampreparationguidelinesandassessmentsbasedonlivequestionswhichwillhelpyouinyourexampreparation.Itcoversmorethan70questions,whichincludesthescenario-basedquestionsaswell.


Downloadingthecolouredimages:Pleasefollowthelinktodownloadthe

ColouredImagesofthebook:

https://rebrand.ly/z8zq95n

Errata

We take immense pride in our work at BPB Publications and follow bestpractices to ensure the accuracy of our content to provide with an indulgingreadingexperience tooursubscribers.Ourreadersareourmirrors,andweusetheir inputs to reflect and improve upon human errors, if any, that may haveoccurredduringthepublishingprocessesinvolved.Toletusmaintainthequalityandhelpusreachouttoanyreaderswhomightbehavingdifficultiesduetoanyunforeseenerrors,pleasewritetousat:[email protected] support, suggestions and feedbacks are highly appreciated by the BPBPublications’Family.

DidyouknowthatBPBofferseBookversionsofeverybookpublished,withPDFandePubfilesavailable?YoucanupgradetotheeBookversionatwww.bpbonline.comandasaprintbookcustomer,youareentitledtoa discount on the eBook copy. Get in touch with us [email protected],youcanalsoreadacollectionoffreetechnicalarticles, sign up for a range of free newsletters, and receive exclusivediscountsandoffersonBPBbooksandeBooks.


https://rebrand.ly/z8zq95n

mailto:[email protected]




BPBissearchingforauthorslikeyouIf you're interested in becoming an author for BPB, please visitwww.bpbonline.com and apply today.Wehaveworkedwith thousandsof developers and tech professionals, just like you, to help them sharetheir insight with the global tech community. You can make a generalapplication,applyforaspecifichottopicthatwearerecruitinganauthorfor,orsubmityourownidea.The code bundle for the book is also hosted on GitHub athttps://github.com/bpbpublications/Microsoft-Azure-Administrator-Exam-Prep-AZ-104. In case there's an update to the code, it will beupdatedontheexistingGitHubrepository.We also have other code bundles from our rich catalog of books andvideos available at https://github.com/bpbpublications. Check themout!

PIRACYIf you come across any illegal copies of ourworks in any formon theinternet,wewouldbegratefulifyouwouldprovideuswiththelocationaddressorwebsitename.Pleasecontactusatbusiness@bpbonline.comwithalinktothematerial.

IfyouareinterestedinbecominganauthorIf there is a topic that you have expertise in, and you are interested ineitherwritingorcontributingtoabook,pleasevisitwww.bpbonline.com.

REVIEWSPlease leavea review.Onceyouhavereadandused thisbook,whynotleavea reviewon the site thatyoupurchased it from?Potential readerscanthenseeanduseyourunbiasedopiniontomakepurchasedecisions,we atBPB can understandwhat you think about our products, and ourauthorscanseeyourfeedbackontheirbook.Thankyou!



https://github.com/bpbpublications/Microsoft-Azure-Administrator-Exam-Prep-AZ-104

https://github.com/bpbpublications



FormoreinformationaboutBPB,pleasevisitwww.bpbonline.com.



TableofContents1.ManagingAzureADObjects

StructureObjectivesBulkusercreationUsercreationGroupcreationGroupmanagementGuestusermanagementSelf-servicepasswordresetAzureADjoinConclusionReferences

2.ImplementingandManagingHybridIdentitiesStructureObjectivesAzureADConnectAzureADConnectinstallationPre-requisites

ManageAzureADConnectPasswordwritebackEnablingthepasswordwritebackfromtheAzureADEnablingpasswordwritebackfromtheportalPasswordsyncConclusionReferences

3.ManagingRoleAssignmentsThroughtheRBACPolicyStructureObjectiveRole-basedaccesscontrol(RBAC)RBACaccessconfigurationSubscriptionaccessusingtheRBACpolicyResourcegroupaccessusingtheRBACpolicy


ResourceaccessusingtheRBACpolicyCustomRBACroleCreatingthecustomrole

ConclusionReferences

4.ManagingAzureSubscriptionandResourceManagementStructureObjectiveAzuresubscriptionsEnterpriseagreementsubscriptionEnterpriseDepartmentsAccountsSubscriptions

AzuresubscriptionssupportplanAzuredevelopersupportProfessionaldirectsupportStandardsupportAzuretenant

CreatingafreeAzuresubscriptionGlobaladministratorpermissionResourcesgroupAzureresourcegroupmanagerCostmanagementConfigurationofthebudgetalertsAzuresubscriptionpolicyAzurepolicycreation,configuration,andassignmentAzurequotaResourcetagUsageoftheresourcetagConfigurationofaresourcelockResourcesmovementfromoneresourcegrouptoanotherRemovingaresourcegroupCreatingandconfiguringthemanagementgroupsConclusionReferences


5.ManagingandConfiguringofAzureStorageAccountsStructureObjectiveAzurestorageaccountAzurestorageaccountcreationandconfigurationImplementAzurestoragereplicationGenerateandmanagethesharedaccesssignatureManagingthestorageaccountaccesskeyConfigurenetworkaccesstothestorageaccountInstallationandconfigurationofthestorageexplorerConclusionReferences

6.ManageDatainAZUREStorageStructureObjectivesImportandexportjobsinAzureConfiguringAzureBlobstorageCreatingtheimportandexportjobinAzureStorageAzuredataboxConfiguringAzureADauthenticationforastorageaccountCopyingdatausingAzCopyConclusionReferences

7.TheAzureFileShareStructureObjectivesAzureFileshareCreatingandconfiguringtheAzureFileshareConfigurationofAzureFilesyncAzureFileSyncgroup

AzureFilesynctroubleshootingConclusionReferences

8.CreatingandConfiguringofAzureVMsStructure


ObjectivesAzurevirtualmachineVirtualmachinecomponentsPre-requisitesCreatingaWindowsvirtualmachineCreatingLinuxVMsAzurevirtualmachinescalesetcreationConfigureAzurediskencryptionRedeployaVMConclusionReferences

9.AutomatingDeploymentofVMsStructureObjectivesAzureARMtemplateModifyingtheARMtemplateTemplatedeploymentsConclusionReferences

10.CreatingandConfiguringContainerStructureObjectiveAzureContainerUseofanAzureContainerCreateacontainerAzureKubernetesCreateAzureKubernetesConclusionReferences

11.CreatingandConfiguringWebAppsStructureObjectivesAppserviceAppservicesplanCreateandconfiguretheappservice


CustomdomainconfigurationAppservicessecurityAppservicesbackupConclusionReferences

12.ConfiguringVirtualNetworkingandIntegratingOn-PremisestoAzureNetwork

StructureObjectivesAzurevirtualnetworkAzurevirtualnetworkcreationAzureVNetpeeringVirtualnetworkgatewaySite-to-siteVPNSite-to-siteVPNconnectioncreationVNet-to-VNetconnectivitycreationExpressRouteconnectionExpressRouteconfigurationConclusionReferences

13.ConfiguringLoadBalancingStructureObjectivesAzureDNSAzureDNScreationAzureDNSrecordcreationAzureloadbalancerAzureinternalloadbalancerFront-endIPconfigurationAzurebackendpoolHealthprobesApplicationgatewayAzuretrafficmanagerConclusionReferences


14.SecuringAccesstoVirtualNetworksStructureObjectivesConfigurationofprivateandpublicIPaddressesNetworksecuritygroupNetworksecuritygroupassociationRoutetableConfigureanddeploytheAzurefirewallConfigureanddeployAzureBastionservicesEvaluateeffectivesecurityrulesConclusionReferences

15.MonitoringandTroubleshootingofVirtualNetworkingStructureObjectivesNetworkwatcherNetworkwatchertopologyMonitoron-premisesconnectivityIPflowverifyNexthopNetworkperformancemonitorConclusionReferences

16.AnalyzingResourceUtilizationandConsumptionStructureObjectivesAzureMonitorSetupandconfigurationofAzurealertsAzureMetricsAzureServicesHealthDiagnosticlogsEnablingthediagnosticsettings

AzureLogAnalyticsCreatetheAzureworkspaceUtilizelogsearchqueryfunctionsConclusion


References

17.ImplementationofAzureBackupandDisasterRecoveryStructureObjectivesAzurebackupAzurebackupvaultcreationAzureVMsbackupconfigurationAzurebackuppolicyAzurebackupreportAzurerestorationofVMsAzurebackupoperationdetailsUsesoftdeletetorecoverAzureVMsSite-to-siterecoverybyusingAzuresiterecoveryConclusionReferences

18.ExamPreparationGuidelinesandAssessmentBasedonLiveQuestionsExampreparationguidelinesAZ-104examtipsExamregistrationDummyobjectiveexamquestionsDummyscenario-basedexamquestions

Index


T

CHAPTER1ManagingAzureADObjects

hisbookwillcoveralltheAZ-104examprospectivestudymaterialwhichwillhelpyoutocleartheexam.Wewillprovideadditionalinformationin

thischapterwhichwillcovervarioustopicsandhelpyougetanunderstandingofthetopicsindetail.ThesechapterswillhelpyouunderstandtheAzureenvironmentseasilyandhelpyoucleartheAZ-104exam.

StructureThefollowingtopicswillbecoveredinthischapter:

BulkusercreationUsercreationGroupcreationGroupmanagementGuestusermanagementSelf-servicepasswordresetAzureADJoin

ObjectivesIn thischapter,wewill explain thebulkusercreation inAzureADandgroupcreationandmanagement.Wewilldiscusshowtoprovideaccesstoguestusersand how tomanage guest users.Wewill cover how the users can reset theirpasswords using the self-service password and add the devices in Azure ADusingtheAzureADjointool.

BulkusercreationBulkusercreationwillhelpyourorganization in theonboardingprocess tobe


completedsoonandotherprospectstoimprovetheusercreation,whichhasbeenjoined your organization or existing users’ creation in Azure. It will reduceadministrativework. If youwant to create theusersor bulkofusers inAzureenvironments, you need a user administrator access in the Azure ActiveDirectory.Letus tryandcreatebulkusers inAzureAD.Followthegivensteps tocreatethebulkusers:

1. GotoAzureActiveDirectory.2. SelecttheUsersandclickonAllusers.3. ClickonBulkCreate.

Takealookatthefollowingscreenshotforbulkusercreation:

Figure1.1:BulkUserCreation

4. Whenyouclickonbulkcreate,itwillaskyoutodownloadtheCSVfile.5. Fillinthefollowingdetails:

Providethename,lastname,andusername.Provide the initial password and block sign-in (Yes/No)which is amandatoryfield.Providethedepartmentanduserlocation.Providethejobtitleandcountrycode.Providetheofficialphonenumber,mobilenumber,andsoon.

6. Youhavetoputallthedetailsinasinglelineasperthe.csvfile.Ihavechanged the column to show you the properties of theCSV file. Take alookatthefollowingscreenshotforbulkusercreationdetails:


Figure1.2:Bulkusercreationdetails

7. Onceyou fillall thedetailsandupload the.csv file, clickonSubmit. Itwillstartprocessingtheusercreation.Itwilltakesometimetocreatetheusers, and you can see all those users under the user's tab. Refer to thefollowingscreenshot:

Figure1.3:BulkusercreationSubmit


UsercreationInthebulkusercreation,Ihaveexplainedtheuseofthebulkusercreation,butletussayifyouwanttocreateanindividualuser,thenhowcanyoucreatetheuser?Pleasefollowthegivensteps:

1. GotoAzureActiveDirectory.2. SelecttheUsersandclickonAllusers.3. ClickontheNewuser.4. EntertheUsername.5. ProvidetheName,Firstname,andLastname.6. Youcanalsoprovidethedepartmentnumber,location,andJobtitle.7. Onceyouprovidealltheprecedingdetails,clickonCreateandyourusers

willbecreated.

Refertothefollowingscreenshotformoredetails:

Figure1.4:Usercreation

GroupcreationIfyouwouldliketocreatetheAzureADgroup,thenfollowthegivenstepsto


createtheAzureuser’sgroup:

1. ClickontheAzureAD.2. SelectthegroupsfromtheManagetab.3. SelectAllgroups.4. ClickontheNewgroup.

Pleasetakealookatthefollowingscreenshot:

Figure1.5:Groupcreation

5. When you click on group creation, select the following group type:SecurityorO365:

SecurityGroup: It helps to manage users and computer access tosharedresourcesforaspecificgroup.O365Group:Usingthisgroup,wecanprovideaccesstousersforasharedmailbox,calendar,files,SharePointsite,andsoon.

6. Youcanassigntheownertothegroupadministratorandthenclickonthemembership.

7. When you click on themembership, it will ask you to select as per thegivendetails:


Assigned:Theadministratorwilladdspecificuserstothegroup.Dynamicuser:Itallowsuserstousedynamicmembershiprulesandaddautomaticallytothegroup.Dynamicdevice:Itusesthedynamicgrouprulestoaddandremovethedevicesautomatically.

8. Please select the assignedmember as default as shown in the followingscreenshot:

Figure1.6:Groupcreationdetails

9. Onceyouclickoncreate,yourgroupswillbecreatedsuccessfully.Letusseehowtomanagethegroupanditsproperties.

GroupmanagementPerformthefollowingsteps:

1. Once the group is created, you can click on the group and see thepropertiesofthegrouplikemembershiptype,sourceID,andsoon.


Figure1.7:Groupmanagement

2. Basedontherequirements,userscanchangethegroup.3. ClickontheMemberstabandaddthenewmembers.4. PleaseclickontheOwnerstabandaddthemultipleowners.5. You can assign the application and see theAzure resourceswhich have

beenaccessedbythesegroupmembers.6. Youcanseetheapplicationaccessedbythisgroupandmanageit.

In this section, we discussed the Azure group creation and learned how tomanagethegroups.WeexplainedtheAzuresecuritygroupandO365group.We also discussed group management. Refer to the following screenshot formoredetails:


Figure1.8:Groupmanagementgeneralsettings

GuestusermanagementAzureAdsupportstheBusinesstoCustomer(B2C)andBusinesstoBusiness(B2B)userswherewecanallowcustomerstohaveaccesstoourAzureAD.Thecustomer ID can be their organization ID, Outlook, Facebook, LinkedIn,AmazonGmailID,andsoon.Youcaninvitethoseusersasguestsandprovideaccess as a request to perform the task. If youwant to invite guests, the usershouldhavetheuseradministratorroleassignedtohimtoinvitetheguestusers.Letusseehowtoinviteguestusers.Pleasefollowthegivensteps:

GotoAzureADandclickonAllusers.Intherightpane,clickonNewguestuser.



Figure1.9:Guestuseraccess

SelecttheInviteuser.

ProvidethenameandemailIDoftheuseryouwanttoinvite.Therestofthefieldsareoptional.YoucanthenclickonInvite.

Now,youwillbeabletoinvitealltheB2BandB2Cusers.Pleasetakealookatthefollowingscreenshot:



Figure1.10:GuestUserAccessInvite

Self-servicepasswordresetAzureself-servicepasswordresetwillhelpuserstoresettheirpasswordwithoutthe help of a help desk administrator. If the user account is locked or if thepassword expires, the user can unlock/reset the password using a self-servicepasswordreset.Ifyouwanttoconfiguretheself-servicepasswordreset,youshouldhaveglobaladministratorrightsinAzureAD.Pleasefollowthegivenstepstoconfiguretheself-servicepasswordreset:

1. PleasegotoyourAzureAD.2. ClickonthePasswordresettab.3. Select the users, either All or the selected one. If you click on selected

users,itwillaskyoutochoosethegroupname.4. Onceyouaredonewiththis,pleaseclickontheSavebuttonasshownin

thefollowingscreenshot:

Figure1.11:Passwordreset

PleasegotoAuthenticationmethodandfollowthegivensteps:

1. Please select the authentication method as 1 or 2 as per the followingmethods:

MobileappcodeEmailPhone-SMSonlyMobileappnotificationOfficephone


Securityquestion

2. Onceyouselecttheprecedingmethod,youruserwillbeabletoresetthepasswordusingthemultifactorauthentication.Refertothefollowingscreenshot:

Figure1.12:Authenticationmethod

Once you configure this, you can go tohttps://passwordreset.microsoftonline.comtoresetthepassword.Then,followthegivensteps:

1. PleaseprovideyouruserID.2. Enterthecharactersaspertheimageandclickonthenextasshowninthe

followingscreenshot:3. Now,youwillbeabletoresetthepassword.


https://passwordreset.microsoftonline.com

Figure1.13:Passwordresetmethod.

AzureADjoinAzureAD join provides the feature to register yourmobile, laptop, and otherdevicestoAzureADwithrespecttothesizeofthedeviceorindustry.AzureAdjoinworksinhybridenvironmentsaswell. Itenablesaccess tobothcloudandon-premisesapps.IfyouwanttomanageandconfiguretheAzureAdjoin,thenyouhavetousetheMDMandIntunesolutionwhichrequiresanAzureADP2license.WecanusetheAzureADjoininthefollowingfewscenarios:


Windowsdeploymentforyourowneddevices.Accesstoorganizationalappsandresourcesfromyourdevice.Cloud-basedmanagementofowneddevices.To configure the user sign in to their deviceswithAzureAD or syncedAzureADworkorschoolaccounts.

ConclusionIn thischapter,wediscussedhowtocreatebulkusersandgroupmanagement.Weexplainedhow to inviteguestusersandhow tomanage themusingAzureAD.WealsoexplainedAzureADjoinandlearnedhowtosetuptheself-servicepasswordreset.Inthenextchapter,wewilldiscussAzureADconnectanditsinstallation.We will also discuss how to manage Azure AD connect and learn how tomanagethepasswordsofusersandenablethepasswordwriteback.

ReferencesCreate a basic group and add members using Azure Active Directory:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portalAzure Active Directory B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overviewGuest user access in Azure Active Directory B2B:https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2bAddorupdateauser'sprofile informationusingAzureActiveDirectory:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portalAssign or remove licenses in the Azure Active Directory portal:https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groupsAzureADjoineddevices:https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-joinFormoredetails:Azure4youBlogPost:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview

https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join


I

CHAPTER2ImplementingandManagingHybrid

Identitiesn the previous chapter, we discussed how to create bulk users and groupmanagement.Wealsodiscussedhowtoinvitetheguestusers.

Inthischapter,wewilldiscusshowtoimplementandmanagehybrididentities.WewillalsodiscusshowtoinstallandconfiguretheAzureADconnectandhowtoconfigurethefederationserviceswithon-premisesAD.Wewillalsocoverthemanagedpasswordsync,passwordwriteback,andsoon.


AzureADConnectAzureADConnectinstallationManageAzureADConnectPasswordwritebackPasswordsync

ObjectivesInthischapter,wewilldiscussAzureADConnectandseehowtoconfigureandsync the on-premises identity to Azure AD. We will explain the passwordwritebackandpasswordsync thatwillhelp tosync thepasswordAzure toon-premises.

AzureADConnectTheAzureADConnect service can be used to synchronize your on-premisesactive directory identities to Azure AD. It helps to connect your on-premisesuserstoAzureandotherapplicationstogetauthenticationwithAzureAD.Itis


calledhybridconnectivity.Integrating the on-premises identity with Azure AD provides the commonidentity for accessing cloud and on-premises resources.We can use the singleidentitytoaccesstheon-premisesandcloud-basedapplicationslikeOffice365,SharePointOnline,andsoon.Itprovidesthefollowingfeatures:

Password hash synchronization: It provides the single sign-on (SSO)method to synchronize the password of users by synchronizing thepasswordofon-premisesuserstoAzureADinthehashformat.Pass-throughauthentication:Itallowsuserstousethesamepasswordofon-premisesandcloudforsigningintoapplications.Onlythepass-throughagentgets installed,andasper thenumberofauthenticationspersecond,wemayneedmorethanoneagent.Federationintegration:Federationservicescanbeusedtoconfigurethesetupof thehybridenvironment andSSOwhile configuringon-premisesActive Directory Federation Services (ADFS) which require anadditionalserver.Synchronization: It helps to create users, groups, and other objects. Itverifiesiftheidentityinformationofon-premisesusersandgroupsmatchwiththecloudidentity.Itsynchronizespasswordhashesaswell.Healthmonitoring: AzureADConnect Health providesmonitoring forAzure AD Connect, and we can see Azure AD Connect health-relatedinformation/errorsontheAzureportal.

Azure AD Connect services can be installed in a separate server in the on-premisesADandcanbetightlyintegratedwithAzureADafterinstallationandconfiguration.Azure syncserviceswill sync theon-premiseADcomponent toAzureAD.On-premisesandAzureuserscanusethesamecredentialstologintoAzureandon-premises.Formoredetails,youcanrefertoAzureADConnect,whichhelpsyoutounderstandthecomponents.Pleasetakealookthefollowingdiagram:


Figure2.1:AzureADConnectarchitecture

AzureADConnectinstallationBeforeyouinstall theAzureADConnect,youneedtohavethefollowingpre-requisites.

Pre-requisitesYouneed tohave the followingpre-requisites;withoutwhich, youwill not beabletoconfiguretheAzureAD.Thefollowingrequirementsaremandatory.Wecanseethesepropertiesbeenaskedduringconfiguration:

You should have an Azure AD services/user account which has globaladminrightstoconfiguretheAzureADConnecttoAzureAD.You should have an on-premises services/user account which hasenterpriseadminrightstoconfiguretheAzureADConnecttoAzureAD.Please download the Azure AD Connect fromhttps://www.microsoft.com/en-us/download/details.aspx?id=47594.WheneveryouconfiguretheADConnect,thedomainnameshouldmatchwithapublicdomainname,orelseyouwillgetawarningmessage.

WehavecreatedlabenvironmentsfordemonstrationandcreatedtheVMs.WehaveinstalledtheADonthisserver.Youcanalsotryonlyfortestingpurpose.It’s not recommended for production, but the steps of the Azure ADconfigurationcanbeperformed.PleasefollowthegivenstepstoconfiguretheAzureADConnect:


https://www.microsoft.com/en-us/download/details.aspx?id=47594

1. Download the Azure AD Connect (https://www.microsoft.com/en-us/download/details.aspx?id=47594), or you can download it from theAzureportal.

2. Click on theADConnectMSI setup and then click on Install. Pleasetakealookatthefollowingscreenshot:

Figure2.2:AzureADConnectinstallation

3. OnceyouclickontheInstalloption,theinstallationwizardwillopen.4. Please agree to the license terms and policy and click on the Continue

buttonasshowninthefollowingscreenshot:


https://www.microsoft.com/en-us/download/details.aspx?id=47594

Figure2.3:AzureADConnectinstallationwizard

5. Once done, select the Express Settings to configure the Azure ADConnectasshowninthefollowingscreenshot:


Figure2.4:AzureADConnectinstallationexpresssettings

6. Whenyouclickontheuseexpresssettings,itwillaskyoutoprovidetheglobaladministratorcredentialswhichhave.onmicrosoft.comintheuserIDasshowninthefollowingscreenshot.It will connect to the Azure AD and verify the credentials before weproceedtothenextstepasshowninthefollowingscreenshot:


Figure2.5:AzureADConnectinstallationconnecttoAzureAD

7. Providetheservicesadmincredentialswhichhaveenterpriseadminrights.8. Whileprovidingthecredentials,pleasefollowdomainname.com\userid.9. Onceyouprovidethecredentials,clickontheNextbuttonasshowninthe

followingscreenshot:


Figure2.6:AzureADConnectinstallationconnecttoADDS

10. Then, itwill ask you to verify theUPN suffix, but if you are doing thisinstallation in production, then please match the UPN suffix and moveforward.Pleasetakealookatthefollowingscreenshot:


Figure2.7:AzureADConnectADsign-inconfiguration

11. OnceyouclickonNext,youarereadyforconfiguration.12. Startthesynchronizationprocesswhentheconfigurationiscompleted.But

inproduction,it’srecommendedthatyoustartthesynchronizationprocessonlyaftertheADConnectinstallation.Pleasetakealookatthefollowingscreenshot:


Figure2.8:AzureADConnectreadyconfiguration

13. Whenyouclickonnext,firstitwillverifytheconnectivitybetweenAzureADandon-premise.Then,itwillconfiguretheconnectionbetweenAzureADandon-premisesAD.

14. ItwillinstallthesyncservicesandverifytheAzureAD.15. Now,itwillconfiguretheAzureADandupdatethesync.16. Afterthat,itwillconfigurethesetuptotheon-premisedomain.17. Afterthat,itwillenablethepasswordhashsync.18. Now,itwillsavethesyncsettings.19. After that, the final stepswillbeperformedby theADConnect setup to

install and configure the AD Connect Health agent for sync services asshowninthefollowingscreenshot:


Figure2.9:AzureADConnectconfiguration

20. Now,thesetuphasbeencompleted.So,exitfromthesetupasshowninthefollowingscreenshot:


Figure2.10:AzureADConnectsetupcompleted

ManageAzureADConnectWecanmanagetheAzureADConnectfromtheportalafterinstallation,andwecanseetheconfigurationdetailsoftheon-premisesAD.Pleasefollowthegivensteps:

1. PleaselogintotheAzureportal.2. GotoAzureADConnectundertheManagetabandclickontheAzureAD

Connect.YouwillbeabletoseethelastsyncisLessthan1houragoandthesyncstatushasbeenenabledasshowninthefollowingscreenshot:


Figure2.11:ManagingAzureAD

3. We can also set up the Federation, Seamless single sign-on, andPass-throughauthenticationservices.

4. AzureADhealthservicescanbemanagedfromthesameportal.5. LetuscheckwhethertheusershavebeensyncedtoAzureADornot.6. We will go to the Users tab and check the on-premise users which are

syncedfromyouron-premisesAD.7. Now, in the following screenshot, you can see the user bpb32 source is

WindowsServerAD,andifyoucanseeAzureADusers, thesourcesareAzureAD:


Figure2.12:AzureADuserverification

PasswordwritebackPasswordwritebackwillhelpyoutosynchronizethepasswordwhichhasbeenchangedinAzureADtoon-premisesAD.Thisfeatureneedstobeenabledfromthe Azure AD Connect and provides the security mechanism to send thepassword from Azure AD to the on-premises AD. It provides the followingfeatures:

Enforcementofon-premisesADpasswordpolicies: Ifusers reset theirpasswords, thenit isensuredtomeetyouron-premisesADpolicybeforecommitting it to the directory. This review process includes history,complexity, age, password filters, and other password restrictions whichhavebeendefinedinyouron-premisesAD.Zero-delayfeedback:Passwordwritebacksyncstheoperationsandusersare notified immediately if their password doesn’t meet the passwordpolicyorcan’tbechangedforanyreason.Supports password changes from the access panel and Office 365:Whenfederatedorpasswordhashsynchronizedusersneedtochangetheirexpired or non-expired passwords, those passwords are written back toyourlocalADenvironment.Supports password writeback when an admin resets them from theAzure portal: When an admin resets a user’s password in the Azureportal, if that user is federated or password hash synchronized, thepassword iswrittenback toon-premisesAD,but this functionality isnotsupportedfromtheofficeadminportal.Doesn’trequireanyinboundfirewallrules:PasswordwritebackusesanAzure service relay as an underlying communication channel and allcommutationisoutboundoverport443.

EnablingthepasswordwritebackfromtheAzureADPerformthefollowingsteps:

1. Logintoon-premisesmachineswhereyouhaveinstalledtheAzureAD.2. OpentheAzureADConnect,andyouwillseethewelcomewizard.3. ClickonConfigureasshowninthefollowingscreenshot:


Figure2.13:Passwordwriteback

4. ClickonCustomizesynchronizationoptionstoconfigurethepasswordwriteback.Pleasetakealookatthefollowingscreenshot:

Figure2.14:Customizethesyncoption

ItwillaskyoutoconnecttotheAzureADandprovidethecredentialstoconfigureitasshowninthefollowingscreenshot:


Figure2.15:ConnecttoAzureAD

Now,pleaseselect thetypeofthedirectoryandforest.ClickontheNextbuttonasshowninthefollowingscreenshot:

Figure2.16:Connectyourdirectories

Now,youcanselectSyncalldomainsandOUsandyourdomainaswellasshowninthefollowingscreenshot:


Figure2.17:DomainandOUfiltering

Please select the password writeback and click on the Next button asshowninthefollowingscreenshot:

Figure2.18:Passwordwritebackenable

5. OnceyouaredonewithNext,itwillverifyallthesettingsandbereadyforconfiguration.

6. ClickontheConfigurebutton.Itwilltakeafewminutestocompletethesyncprocessandenablethepasswordwriteback.Pleasetakealookatthefollowingscreenshot:


Figure2.19:Readytoconfigure

In this section,weexplainedanddemonstratedhowtoconfigure thepasswordwriteback. In the next section, we will demonstrate enabling the passwordwritebackfromtheportal.

EnablingpasswordwritebackfromtheportalPerformthefollowingsteps:

1. Forpasswordwriteback,weneedtheAzureADP1orP2license.2. Gototheportal.3. GotoAzureAD.

Under theManage tab, selectPasswordreset as shown in the followingscreenshot:


Figure2.20:Passwordreset

4. Inthepasswordreset,undertheManagetab,pleaseselecttheon-premisesintegration and enable the writeback password to your on-premisesdirectory.Pleasetakealookatthefollowingscreenshot:

Figure2.21:On-premisesintegration

Passwordsync


PasswordsyncwillbeenabledautomaticallyifweselecttheAzureADConnectexpresssettinginstallation.Ifyouchoosethecustomsetting,youcanselectthepasswordhashsyncontheusersign-inpage.Youcanenableit.

Figure2.22:PasswordHashsync

ConclusionInthischapter,wediscussedAzureADConnectandhowtointegrateitwithon-premises. We covered how to enable the password writeback from Azure aswell.Inthenextchapter,wewilllearnaboutAzureRBACrolesandutilizationoftheresources and how to apply the different types of RBAC roles using varioustypes of organization policies.Wewill also cover theAzureRBAC roles andcustomAzureRBACroles.

ReferencesAzure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connectCustom installation of Azure AD Connect:


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-customImplement passwordhash synchronizationwithAzureADConnect syncpassword: https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/hybrid/how-to-connect-password-hash-synchronizationUser sign-in with Azure Active Directory Pass-through authentication:https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-ptaAzure AD Connect and federation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatisFormoredetails,visit:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis


I

CHAPTER3ManagingRoleAssignmentsThrough

theRBACPolicyn this chapter, we will discuss Azure role-based access control (RBAC)roles and their utilization of the resources and how to apply the different

typesofRBACrolesusingvarioustypesoforganizationpolicies.WewillalsodiscusstheAzureRBACroles,customAzureRBACroles,andhowtoapplytheAzureRBACrolesusingPowerShell,andsoon.


Role-basedaccesscontrol(RBAC)RBACaccessconfigurationCustomRBACrole

ObjectiveWewilldiscussRBACimplementationinthischapterandseehowwecanuseitinourorganizationtoputcontrolforanonymousaccess.

Role-basedaccesscontrol(RBAC)“Role-based access control helps you to manage and provide access to yourresourceswiththerestrictedmanner.”Letussayinyourorganizationthesupportteam,applicationteam,DBteam,andsoonareusingthesamesubscriptionandtherecouldbeapossibilitythatifyouallow everyone access to subscriptions, then there might be some changesmistakenlyperformedbyanyoftheteammembers.Itcouldresultinadisruptiveimpactontheexistingenvironment/subscription(productionornon-production).Hence, thinking of all such scenariosMSAzure has come upwith a solution


calledRBACpolicywhich helps you to control the access. Let us say if youwanttoallowtheDBteamtoaccessonlyDBresourceswhichcanbepossibleonly throughRBAC.TheDB teamcanonly see theDB resources andcannotmakethechangestootherservices.So,usingRBAC,youcancontroltheaccess.AsperMSAzurerecommendation,thebestpracticethatyoucanprovideistheleast roleaccesswhichwillhelp theuser toprovide theexactaccesswhichheneeds.RBACcanbeappliedtogroups,applicationsorresources,andsoon.For any services, there are built-in RBAC roles defined as shown in thefollowingdiagram:

Figure3.1:AzureRBACrole

Now,letusunderstandeachterm:

Owner: The owner will have complete access of all your resources orspecificresourcesjustliketheadminofyoursubscription.Contributor: The contributorwill have equal access like the owner butcannotprovideaccess to resourcesorat the subscription level.However,hecancreateandmanagetheresources.Reader: In the reader role, a user will have access to read or viewpermission to specific resources or subscriptions. However, he is notallowedtochangeorcreateanynewresources.Useraccessadministrator:TheuseraccessadministratorwillhelpyoutomanageuseraccesstoAzureresources.


RBACaccessconfigurationRBACaccesscanbeconfiguredfromvarioustypeslikeAzureresources,Azuresubscriptions, andAzure resources group aswell. In this section,wewill seehowtoimplementthosescenariosusingRBAC.

SubscriptionaccessusingtheRBACpolicyWe will learn how to provide access to subscriptions as per the organizationpolicy.

1. GototheSubscriptionoption.2. Click on Access control (IAM) as highlighted in the following

screenshotandselectAddroleassignment:

Figure3.2:Addroleassignment

3. OnceyouclickonAddroleassignment:

1. Select the Owner, Contributor, or Reader role as per yourrequirements.

2. TypeandsearchtheuserIDforwhichyouwanttoprovidetheaccessasshowninthefollowingscreenshot:


Figure3.3:Roleselection

4. When you select all the required details, your screen will look like thefollowingscreenshot.ClickontheSavebuttontoapplythechanges.Oncedone,theuserwillbeabletologintothesubscriptionandaccesstheresources:


Figure3.4:Assigningroles

In this section, we learned how to assign the RBAC roles at the subscriptionlevel.

ResourcegroupaccessusingtheRBACpolicyWe will learn how to provide access to the resources group as per theorganizationpolicy.

1. GototheResourcegroupoption.2. Click on Access control (IAM) and select Add role assignment as

showninthefollowingscreenshot:


Figure3.5:Resourcesgrouproleassignment

3. OnceyouclickonAddroleassignment:


2. TypeandsearchtheuserIDforwhichyouwanttoprovidetheaccess.3. Onceyouselectalltherequireddetails,yourscreenwilllooklikethe

followingscreenshot.ClickontheSavebuttontoapplythechanges.4. Once done, the user will be able to see the resource group and its

resourceswhichresideintheresourcegroup:


Figure3.6:Resourcegroupcontributorroleassignment

Inthissection,welearnedhowtoassigntheRBACrolesattheresourcegrouplevel.

ResourceaccessusingtheRBACpolicyWewilllearnhowtoprovideaccesstoresourceslikeVirtualMachines(VMs),DB,andsoonaspertheorganizationpolicy.

1. Go to the resource forwhichyouwould like toprovideaccess likeVM,DBWebApps,andsoon.

2. ClickonAccesscontrol(IAM)andselectAddroleassignment:


Figure3.7:Resourcesroleassignment

3. When you click on Add role assignment, select the role you want toassigntheresourcesto:


2. TypeandsearchtheuserIDforwhichyouwanttoprovidetheaccess.3. Onceyouselectalltherequireddetails,yourscreenwilllooklikethe

followingscreenshot.ClickontheSavebuttontoapplythechanges.

4. Once done, the user will be able to see the resources and access theresources.


Figure3.8:RoleassignmentofVM

CustomRBACroleCustom roles come in the picture when the built-in roles do not meet yourcustomerororganizationrequirements.Inthatcase,youcancreateacustomroleusingPowerShell,AzureResourceManager(ARM) template,CLI,orRESTAPI. You can create up to 5000 custom roles in each tenant-level, but for agovernment cloud like,China,Germany, and soon,youcanonly createup to2000customrolespertenant.

CreatingthecustomroleInthissection,IwillexplainhowtocreatetheRBACcustomroleandhowtouseexistingbuilt-inrulestocreateanewcustomrole.If you want to allow any action to users, it should be listed in the Actionssection and the deny user action can be put in the NotActions sectionwhilecreatingthecustomRBAC.Ifyouwould like to seewhatpermission is available in theAzurecontributorrole,takealookatthefollowingscreenshotforthedefinitionofthecontributor


roleformoredetails:

Figure3.9:Definitionofacontributorrole

1. PleaserunthefollowingcommandinPowerShell:Get-AzRoleDefinition“Contributor”|ConvertTo-Json

Figure3.10:ContributorroleinJSONformat

Onceyougettheoutput,copythefileandchangetheactionornotactionruleaccordingly.IwillchangetheNotActionsruletoActionsandcreateacustomrole.SavethefileintheJSONformat:1.{

2."Name":"BPB_Contributor",

3."IsCustom":false,

4."Description":"Letsyoumanageeverythingexceptaccess


toresources.",

5."Actions":[

6."Microsoft.Authorization/*/Delete",

7."Microsoft.Authorization/*/Write",

"Microsoft.Authorization/elevateAccess/Action",

"Microsoft.Blueprint/blueprintAssignments/write","

8.],

9."NotActions":[

10."

11."Microsoft.Blueprint/blueprintAssignments/delete"

12."DataActions":[],

13."NotDataActions":[],

14."AssignableScopes":[

15."/"

16.]

17.}

2. Go to PowerShell and connect to the subscription using the followingcommand:Connect-AzSubscription

3. PleaseprovidetheuserIDandpasswordtogetauthenticated.Then,runthefollowingcommandtocreateanewrole:New-AzRoleDefinition-InputFile"C:\Temp\BPB_Role.json"

Oncedone,youwillbeable tocreateacustomrole. Itwill look like thefollowingscreenshot,whichIhadcreatedearlier:

Figure3.11:Contributorrole

ConclusionInthischapter,wecoveredthedifferenttypesofRBACrolesandlearnedhowtoassign the RBAC custom roles in the subscription, resources group, andresources.Wediscussedhowtocreatethecustomroletomatchtheorganizationorclientrequirements.In the next chapter, we will learn about the Azure subscription and resourcemanagement.Wewill focusondifferent typesofsubscriptionsandseehowtomanageAzureresources.


ReferencesCustom roles for Azure resources: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-rolesRBAC overview: https://docs.microsoft.com/en-us/azure/role-based-access-control/overviewCreate a custom role for Azure resources using Azure PowerShell:https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershellGrant user access toAzure resourcesusingRBACand theAzureportal:https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portalGrantuseraccesstoAzureresourcesusingRBACandAzurePowerShell:https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershellFormoredetails,visit:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal

https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell


I

CHAPTER4ManagingAzureSubscriptionand

ResourceManagementn thischapter,wewill coverAzure subscriptionand resourcemanagement.WewillfocusontypesofsubscriptionandhowtomanageAzureresources.

Wewill learnhow tocreatea freesubscription, typesof subscriptions,how tomanageresourcesusing theRBACpolicy.What isaquotaandhowtheuseofthe resources lockwill help you fromaccidental deletion of resources?Let uslearnallthisinthischapter.

StructureWewillcoverthefollowingtopicsinthischapter:

AzuresubscriptionEnterpriseagreementssubscriptionSubscriptionsupportplanCreatingafreeAzuresubscriptionGlobaladministratorpermissionResourcesgroupCostmanagementAzuresubscriptionpolicyAzurequotaandresourcetaggingManagementgroup

ObjectiveIn this chapter, wewill discussAzure subscription, types of subscription.Wewill also discuss the step-by-step process to utilizeAzure subscription, and soon.Thiswillhelpall the levelsof readers togetabetterunderstandingof thistopic.


AzuresubscriptionsAzuresubscriptionsareacollectionof resourcesknownasbilling containers.EachsubscriptionhasauniqueIDthathasbeengeneratedbyMSautomaticallywhile creating the Azure subscription. If you need to create or access theresources,thenyouneedasubscriptionaccess.Withoutthesubscriptionaccess,youwillnotbeabletoaccesstheresourcesunderAzuresubscription.Let’stakealookatthedifferenttypesofsubscriptionsinthefollowingsection:

Freesubscription:MSprovidesthissubscription.Itisfreeforthefirst30dayswhichincludes$230creditandfree25servicesfor12months.It isusedforpracticalandlearningpurpose.Pay-as-you-go subscription: It is used widely in organizations and thepay-as-you-gosubscriptionhasaflexiblepaymentmethod,andthereisnolimit forpurposeorcommitments. Ifacustomerwants like tocancel thesubscription,he/shecancancelthesubscription.Microsoft resellers (Cloud solution provider -CSP): The CSPsubscriptionisusedonlyattheorganizationlevelwhereMSprovidesyouwiththeaccesstoworkwithpartnersdirectlytodesignandimplementthesolutionstomeetyourprojectrequirements.Open:ThissubscriptionprovidesyouwiththeflexibilitytoworkwiththesamevendorfromwhereyoupurchasedtheopenvolumelicenseprogramandactivatedyourAzuresubscription.Azure government customer: This subscription is used for USgovernment entities that are eligible to purpose Azure governmentservices,andtheycanusethepay-as-you-goservice.AzureGermanycustomers:ThissubscriptionisusedforEuropeanUnionor EFTA entities that are eligible to purposeAzure government servicesandtheycanusethepay-as-you-goservice.

EnterpriseagreementsubscriptionThe EA (Enterprise Agreement) is designed for organizations, and in thissubscription,thecustomerhastosignanagreementwithMicrosoftdirectlywiththe amount of consumption on your Azure resources. When an organizationsignsupfortheEAagreement,abillingaccountiscreatedandthebillingcanbedonemonthly,quarterly,oryearlybasedontheagreement.


EnterpriseIt is most commonly known as Enterprise agreement, and it is only used byorganizations.TheEAsubscription canbe accessed from theEnterpriseportal(https://ea.Azure.com)andused tocreatemultipledepartments tomanage thesubscription.

DepartmentsIt isasub-accountofAzureEAsubscriptionwherewedefine thedepartmentsandassociateasubscriptiontoit,anditcanbeusedbyspecificdepartments.Wecanaddmultipledepartmentsbasedontheorganizationalneedsandassignadepartmentownerwhocanmanagethedepartmentandsubscriptionunderit.It will also help us to add a cap on Azure consumption and based on thesubscriptionutilization,wecandecidethemonthlyoryearlybudget.

AccountsAccountscanbecreatedbyadifferentdepartmentandanaccountadministratorcanaddnewaccountstotheirdepartmentstoprovidethemaccesstotheAzureaccount.Evenanaccountadministratorcancreatethesubscriptionaswell.

SubscriptionsAsdefinedintheAzuresubscriptionlevel,thesubscriptionisabillingcontainer,andallthebillingforconsumedresourceshappensatthesubscriptionlevel.Youcan set upbilling alerts of the budget spent to get an early notification if youhaveconsumptionmoreduringaspecificperiod.Refer to the following figureformoredetails:


https://ea.Azure.com

Figure4.1:Enterprisesubscription

AzuresubscriptionssupportplanAlongwiththesubscriptionsdiscussedearlier,wecanalsooptforthefollowingsupport plan with a subscription which will help you to connect to the MSsupportteamtofixortroubleshoottheissue.

AzuredevelopersupportThis kind of subscription support plan is most commonly used for Azuredevelopment/testingpurposeswhereMSprovidesthediscountedratesonAzuretosupportyourongoingdevelopmentandtestingactivity.

ProfessionaldirectsupportThissubscriptionsupportplancanbeusedbycompanieswhereMSincludesitstechnical,billing,andotherteamstogetafasterresolutionandsupport.


StandardsupportThissubscriptionsupportplancanbeusedbycompanieswhereMSincludesitstechnical,billing,andotherteamstoresolveyourissuesfasterwith24/7support.MostofthecompaniesusethissubscriptiontofixthecriticaldependenceontheAzuresubscription.

AzuretenantAnAzuretenantisnothingbutAzureAD.It’sadedicatedinstanceofAzureADthatanorganizationreceivesandauthorizestheuserstovariouscloudservices.An Azure tenant can have multiple subscriptions. However, a subscriptioncannothavemultipletenants.Inthefollowingdiagram,youcanseefour3subscriptionsandonedirectory.Alltheothersaredifferent.Onceyoucreatethesubscription,thefirsttenant(AzureAD)willbecreated,andthenthesubscriptionwillbeassociatedwithit.Ifyouhaveatenant,thenyoucancreatemultiplesubscriptions.Let’stakealookatthefollowingfiguretogetanunderstandingofhowtenantsworkinAzure:

Figure4.2:Azuretenant

CreatingafreeAzuresubscription


Whilecreatingthefreesubscription,thefollowingbenefitsareprovidedbyMSAzure:

12monthsoffreepopularservices$200credittoexploreserviceswithin30days25servicesarealwaysfree

IfyouwouldliketocreatethefreeAzuresubscription,followthegivensteps:Step:1

1. GotheURLhttps://Azure.microsoft.com/en-us/free/.2. ClickonStartfreeasshowninthefollowingscreenshot:

Figure4.3:Freesubscription

Step:2

1. ItwillaskyourloginIDandpassword.2. Provide your Microsoft ID like ([email protected], [email protected]

[referenceemailID],andsoon).3. You can even log in through your organization ID like

[email protected],andsoon.4. Providethepasswordforthesame.5. Afterthis,youwillbeabletologintothesubscriberpage.6. Provideyourdetailsasshowninthefollowingscreenshot:


https://Azure.microsoft.com/en-us/free/




Figure4.4:Loginscreen

Step3

1. Clickonthefreesubscription.2. SelecttheFreeTrialasshowninthefollowingscreenshot:

Figure4.5:Selectthesubscription

Step4:


1. Selectthecountrycode.2. Providethemobilenumber.3. ClickonTextmeorCallmetogettheverificationcode.4. Once you get the verification code, put it in the Verification code

section.5. Clickontheverifycode.6. Once the code is verified, youwill bedirected to thenext tab to fill the

paymentinformation.

Takealookatthefollowingfigureformoredetails:

Figure4.6:Detailsforsubscription

Step:5

1. Providethecardholdername.2. Enterthecardnumber.3. Providetheexpirydate.


4. TypetheCVVnumber.5. ProvidetheaddressdetailsandclickontheNextbutton.6. UnderstandtheserviceusageandclickonNext.7. IfyouwanttoaddMSsupportplans,youcandoit.(It’schargeablesoit’s

bettertonotaddthisplan.)8. ClickontheAgreementsectionandclickontheSignupbutton.9. After10minutes,youwillreceivethesubscription.10. Now, you can utilize your subscription and create the services inAzure.

Providethedetailsasshowninthefollowingfigure:



Figure4.7:Paymentdetailsandagreement

Note: When you create the subscription, make sure you put all thedetailscorrectlyasthishaswillbeusedforMSinternalpurpose.Whenyouaddyourcardinitially,itwillchargeaminimalamountlikeRs2toverifyyourcreditcardandonlyafterthat,itwillallowyoutocreatethefreesubscription.

GlobaladministratorpermissionUsers who have global administrator permission can access all administrativeservices like Azure Active Directory, federate services to Azure ActiveDirectoriessuchasExchangeOnline,SharePointOnline,andSkypeforBusinessOnline.The first user ID who signs up for the Azure Active Directory tenant orsubscriptionbecomesaglobaladministrator.Only global administrators can assign other administrator roles.We can havemorethanoneglobaladministratorattheorganizationlevel.Globaladminscanresetthepasswordforusersandallotheradministrators.Followthegivenstepstoprovidetheglobaladminaccessstepbystep:

1. ClickontheAzureActiveDirectoryoption.2. GotoManageandclickontheUsersoption.3. ClickonAllusers.4. Selecttheuserorsearchtheusersyouwanttoassignthepermission.5. Select details, as shown in the following screenshot, for subscription

details:


Figure4.8:Globaladministratorrole

6. Clickontheuser'snameandthenclickonDirectoryrole.7. Then,clickonAddassignment.8. ClickonSearchandsearchforaGlobaladministratorrole.9. SelecttheGlobaladministratorrole.10. Click on the Save button, and your user will have global administrator

access.Followthestepsasshowninthefollowingscreenshot:

Figure4.9:Directory:globaladminrole

ResourcesgroupAnAzureresourcegroupisalogicalcontainerthatcontainstheAzureresourcesinit.Resourcesmanagetheresourceswithintheresourcesgrouptogetherasanentity.Ifyouhaveprovidedthepermissiontoaresourcegroup,thenyoucanalsoviewalltheresourceswhichareavailableintheresourcegroup.


You can even create or delete the resource group. If you delete the resourcegroup, then all the resources which are present in the resource group will bedeletedautomatically.Forabetterunderstanding,let’stakealookatthefollowingfigure:

Figure4.10:Azureresourcegroup

AzureresourcegroupmanagerAzureResourceManagerisadeploymentandmanagementserviceforAzure.It provides management layers that will help to create, update, modify, anddelete the resources within the subscription. We can utilize the features likeaccess control, lock, and tag.Refer to the following figure formoredetails inAzureresourcegroupmanager:


Figure4.11:Resourcegroupmanager

CostmanagementAzure cost management will help you to manage and control your cost.Organizations can utilize costmanagement to analyse andmanage the cost. Itgivesyouthebreakupcostofeachresourceandresourcegroup.Itusesadvancedanalytics to provide a customized cost to customers. The cost will be shownbasedontheconsumptionofeachserviceandthird-partyserviceslikeRedHat,Oraclecheckpointfirewall,andsoon.Exploringcostmanagement:Costmanagementwill addall the subscriptionswhichareunderonetenant.Togetthereportofeachtenantseparately,youneedtoperformthefollowingsteps:

1. ClickontheCostManagement+BillingoptionfromtheFAVORITESitemorsearchontheAzureportal.

2. ClickonOverview thatwillhelpyou togetall the subscriptionaccountsunderyourtenant.

3. Then,youwillbeabletoviewhowmuchyouhavespenteverymonth.Fora detailed analysis, use the cost management tool and follow the stepsperformedasshowninthefollowingscreenshot:


Figure4.12:Exploringcostmanagement

Cost management tools will help you to get more details of resourceservicescosts. Itwillhelpyou tosetupanalert foryourAzureaccount,andyoucandefinethebudgetaswell.Followthegivenstepstoconfigurethesame:

4. ClickonCostanalysis:

Youcanseethegraphicalviewofthecostanalysis.Youcanseetheusageofeachservice,region.Ifyouwanttogodeeper,thenclickoneachresourceandyouwillgetmoredetails.You can export the data inCSVorExcel file for your reference ortellypurpose.

Thefollowingscreenshotdisplaysasamplereport:

Figure4.13:Costmanagementgraphicalview

Thefollowingscreenshotdisplaysasamplereportwhichisshownincostviewmodels:


Figure4.14:Costmanagement-costseparationintoservices

ConfigurationofthebudgetalertsThe configuration of the budge alerts will help you get the alerts when yoursubscription cost gets utilized beyond the limit, and you can set an accountspending limits as well. Perform the following steps to configure the budgetalerts:

1. ClickontheBudgetsoptionintheleftpane.2. Once you click on the budget, you will get a window to provide the

information.3. Providethealertnameorbudgetname.4. Resettheperiodmonth/years/weeks.5. Providethestartdateandenddateofyourbudget.6. Providethenumberofyourbudget.7. Oncethisisdone,clickontheNextbuttontocreatethealert.8. Click on Alert conditions and set the alert % number based on your

budget.Letussayyourtotalbudgetis5K.Onceyouhavespentupto60%(3000INR),youwillgetanalert.Youcanchangethissettingaswell.

9. ProvidetheemailIDofyourusersorITteamtogetthebudgetalert.10. ClickonCreateandyouralertwillbecreatedsoon.11. Performthefollowingstepsasshowninthefollowingscreenshot:


Figure4.15:Alertscreation

12. Addtheconditionsasshowninthefollowingscreenshot:


Figure4.16:Alertcondition

AzuresubscriptionpolicyTheAzuresubscriptionpolicyorAzurepolicyisusedtoachievethecomplianceofyourorganization.IthelpsyoutocontroltheAzureenvironmentsasperyourorganization'scomplianceprospects.You can create, manage, modify, and assign the policy based on yourorganization standards. It will also help you to identify the non-complianceresourcesinyoursubscription.

Letus takeanexample thatyourorganizationneeds todeploya specificVM (VirtualMachine) instance size (VMsize) in your subscription, andyouwanttodisallowtherestofthem,thenyoucanachievethisusingthesubscriptionpolicy.ThesecondexamplewouldbeifyourcompanyresidesinAsiaortheUSregionwith few states. If youwant to allowaccess, users can create the


resourcesinthespecificregionandthenyoucanchoosetheallowlocationpolicy and allow only specific locations. All the other locations can bedenied automatically. The allow location policy will help health care,financial,governmentservices,andsoontoachievecompliancespecifictothelocation.

Azurepolicycreation,configuration,andassignmentIn this section, we will learn how to implement, manage, and implement thepolicy.FortheAzurepolicyconfiguration,followthegivensteps:

1. LogintoAzureportal(https://portal.Azure.com).2. Click on search or on the left-hand side of the page in the FAVORITES

section.Then,selecttheSubscriptionsoption.3. IntheSubscriptionssection,clickonthesettingsandselectpoliciesand

followthestepsasshowninthefollowingscreenshot:

Figure4.17:Selectsubscription

4. When you click on the Policies, you will be able to see the assignedpolicyinyoursubscription.

5. Asyoucansee,Ihaveappliedacoupleofpoliciesinthesubscription,andyoucansee thecompliance levelof thesubscription.Followthestepsasshowninthefollowingscreenshot:


https://portal.Azure.com

Figure4.18:Azurepolicy

6. Ifyouwanttocreatethenewpolicy,clickonAssignedpolicy.7. Itredirectsyoutoanewscreen,andherewecancreateanewpolicy.8. YoucanprovidethefollowingvaluesinyourAzurepolicy.Thepolicywill

becreatedforaspecificregion:Scope:Providethesubscriptionasshowninthefollowingscreenshot:

Figure4.19:Policycompliance

Exclusions: This option can be used if you want to exclude theresources from the policy. If you want to apply to the entiresubscription,thendonotselectanyresourcesintheexclusionpolicy.Policy definition: Policy definition will help you to choose thedefined policy from the policy gallery to control your resources.Followthestepsasshowninthefollowingscreenshot:


Figure4.20:Policyassignments

Ifyouareplanningtohavetheresourcesinaspecificlocation,thenclickontheAllowedlocationspolicy.If youwant to allow a specific SKU, then you can achieve this byusingtheAzurepolicy.Takealookatthefollowingspecificpolicy.Youcansearchandapplythepolicybasedonyourorganization'sstandardpolicy.Refer tothefollowingscreenshot:


Figure4.22:Azurepolicyconfiguration

Finally,wehavesuccessfullyimplementedthepolicy.

AzurequotaAnAzurequota isnothingbut the limitationofa specific subscriptionofhowmanyresourcescanbedeployed.Generally,aquotaisoftwotypes:


Softlimit:DefaultresourcesavailableinthesubscriptioncanbeincreasedbyraisingtherequestwiththeMSteam.Hardlimit:MaximumresourcescanbedeployedwithinthesubscriptionandevenraisingtherequestwiththeMSteamcannotbeincreased.

Ifyouwanttoseetheusagelimitandquotaofyoursubscription,thenclickonthesubscription.IntheSettingssection,clickonUsage+quotas,andyouwillbeabletoviewtheavailableservicesinyoursubscriptionandseethequotaaswell.Youcanseethedetailsofthesubscriptionlimitationinthefollowingscreenshot:

Figure4.23:Usageandquotalimitation

ResourcetagWe can use the Azure resource tag to add the extra fields to identify theresources and it can be used for billing purposes. Every tag contains thefollowingfields:

Name:ProductionApplicationOwner:LalitRawatDepartment:ITBillto:IT

Note: The preceding resource tags are just examples that can be


changed based on your organization’s policy. Based on that, you candefinethetagsandassociatespecificresources.

UsageoftheresourcetagLetussay ifyouareabigorganizationandhavedeployed4,000applications,thenhowyoucanunderstandwhichresourcesgroupbelongstowhichappandwho is theowner?Who tobill theusageof serviceswhich ispresented in theresourcesgroup?Hence,toidentifythebillingpurpose,resourcegrouptagscanbeused,andtheyare very helpful in the long term for a structured organization. Perform thefollowingsteps:

1. ClickonResourcegroups.2. UndertheOverviewtab,clickontheTagsoption.3. Providetheresourcename,application,owner,database,andsoon.4. Then, provide the values, where values is your application name like

Tomcat,Apache,SQLDB,andsoon.5. ClickonSaveasshowninthefollowingscreenshot:

Figure4.24:Resourcestag

ConfigurationofaresourcelockTheresourcelockwillhelpyouwithyouraccidentaldeletionofresources.Administrators can lock the resources to prevent others from deleting theresources.Inthesubscription,youcanfindtwotypesoflocks:

Delete: This lock prevents resources from users deleting the resource.


However,userscanstillreadandmodifytheresource.Read-only:Thislockprovidesaccesstoread-onlyresources;inthatcase,userscannotmodifyorchange the resources.However, theycanstill seetheresources.

Takealookatthefollowingscreenshot:

Figure4.25:Resourceslock

Ifyouwanttoapplyalockonyourresourcegroup,followthegivensteps.

1. LogintotheAzureportalbyopeninghttps://portal.Azure.com.2. SelectResourcegroups.3. Undertheresourcesgroup,clickonLocks.4. Createalock.5. After the lock creation, you can deploy the lock-in resource group

successfully.6. Performthefollowingstepsasshowninthefollowingscreenshot:


https://portal.Azure.com

Figure4.26:Resourceslockcreation

7. If you try to delete the resources, you will get the message that theresources group has been locked and cannot be deleted as shown in thefollowingscreenshot:

Figure4.27:Resourceslock

ResourcesmovementfromoneresourcegrouptoanotherIf you are planning tomove the resource group resource (VMs and so on) toanotherresourcegroup,thenthiscanbedoneeasily.Youcanalsomigratetheresourcesbetweensubscriptionsunderthesametenant,andthiscanbedoneusingtheportal.Ifyouwanttomovetheresources,performthefollowingsteps:

1. Clickontheresourcesgroupinwhichyouwanttomovetheresources.2. SelecttheMovebuttonatthetop-rightcornerofthescreenasshowninthe



Figure4.28:Resourcesmove

3. Select the resources you want to move from once resources group toanother.

4. ClickonOK.5. Itwilltake45to20minutesbasedonthesizeoftheresourcetocomplete

thetask.6. Followthegivenstepsasshowninthefollowingscreenshotandclickon

Movetomovetothenewresourcesgroup.


Figure4.29:Resourcesselectiontomove

7. Whenyouclickonyourresources,theresourceswillbemigratedtoanewresourcesgroup.

RemovingaresourcegroupAresourcegroupcanberemovedbyclickingonthedeleteresourcegroup.ThiscanbedonethroughtheAzureportal,CLI,PowerShell,andsoon.Takealookatthefollowingscreenshot:


Figure4.30:Resourcegroupdeletion

Performthefollowingsteps:

1. Clickonthedeleteresourcesgroup.2. Providetheresourcegroupname.3. Onceyouprovidetheresourcesgroupname,clickontheDeletebutton.4. Oncedone,theresourceswillbedeletedautomatically.

Takealookatthefollowingscreenshotformoredetails:


Figure4.31:Resourcegroupdeletionconfirmation

CreatingandconfiguringthemanagementgroupsThe management group will help you to manage multiple subscriptions in asingletenant.Wecanefficientlymanagetheaccess,policies,andcomplianceforthesesubscriptions.Wecanapply the singlepolicywithin the tenantgroup.The firstmanagementgroupwillactasatenant,andthepolicythatappliesonthissubscriptionwillbeinheritedtoothersubscriptionsaswell.If youwant to create and configure themanagement group, follow the givensteps:


1. Clickonallservices.2. Typemanagementinthesearchbox.3. Click on the Management groups option, as shown in the following

screenshot:

Figure4.32:Managementgroup

4. Onceyouclickonthemanagementgroup:

ClickonCreatenew.InManagementgroupID(Cannotbeupdatedaftercreation)*,providethename.Providethemanagementgroupdisplayname.ClickonSaveasshowninthefollowingscreenshot:

Figure4.33:Managementgroupcreation

5. OnceyouclickonSave, itwillstartcreating thefirstmanagementgroupwhichmighttakeupto15minutes.Refertothefollowingscreenshot:


Figure4.34:Groupcreation

6. Oncethemanagementgroupiscreated,youwillseethefollowingscreenasshowninthefollowingscreenshot:

Figure4.35:Managementgroupview

7. Ifyouwanttocreateanothermanagementgroup,thenclickonthe+Addmanagement group and create another group as shown in the followingscreenshot:


Figure4.36:Addmanagementgroup

8. Oncethemanagementgroupiscreated,youneedtoassignthesubscriptiontothemanagementgroupsothatwhenyouapplythepolicy, itshouldbeinherited to the subscriptionassociatedwith themanagementgroup.Youcanconfigureitasshowninthefollowingscreenshot:

9. Now,wewillcomplete this step toconfigure themanagementgroupandassociateitwiththesubscription:

Figure4.37:Addsubscriptiontothemanagementgroup

Conclusion


In this chapter, we learned how to create the free Azure subscription,subscriptionmanagement,andhowtoassignthepolicy.IfyouwanttoallowtheresourcesfromtheAzurepolicy,configuretheAzureresourcesgrouptagsandimplementtheresourcelock.Wecoveredthetypesofsubscriptions.Inthenextchapter,wewillcoverhowtomonitorresourcesinAzuresubscription.Inthenextchapter,wewillalsolearnaboutthemanagementandconfigurationofAzurestorageanditstypes,storageaccountreplication,andsoon.

ReferencesFreesubscriptioncreation:https://azure.microsoft.com/en-us/free/Associate or add an Azure subscription to your Azure Active Directorytenant: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directoryActivate Azure subscriptions and accounts with Cloudyn:https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/activate-subs-accountsCloudyn service : https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/overviewAzure cost management: https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/overviewAzure resourcemanager:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overviewAzure4you-blog:https://azure4you.com/


https://azure.microsoft.com/en-us/free/

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/activate-subs-accounts

https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/overview

https://docs.microsoft.com/en-us/azure/cost-management-billing/cloudyn/overview

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview


I

CHAPTER5ManagingandConfiguringofAzure

StorageAccountsnthischapter,wewillcoverhowtomanageandconfiguretheAzurestorageaccount.Inthischapter,youwilllearnaboutdifferenttypesofAzurestorage

accounts, theuseof storageaccounts,andcreationandconfigurationofAzurestorage accountswhichwill help you to understand how the storage accountswork inAzure.Wewill explain how to secure your storage account using theAzurefirewallconfigurationandintegrateitwithavirtualnetwork.WhatistheuseoftheAzurestorageexplorerandhowtomanagetheAzurestorageaccountaccesskey?MonitoringAzurestorageaccountusingloganalyticswillhelpyouunderstand if you need to troubleshoot your storage account if anything goeswrong.Wewillcovermoreaboutreplication,howthisreplicationwillwork,andhowyourdatacanbesyncedtoadifferentregion.


AzurestorageaccountGenerateandmanagethesharedaccesssignatureManagingstorageaccountaccesskeysInstallationandconfigurationofthestorageexplorer

ObjectiveInthischapter,youwilllearnhowtoconfigurethestorageaccountandhowtostoredatainAzure.Wewillprovideyouwithstep-by-stepinstructionsofhowtocreate and configure theAzure storage account, how to connect to theAzurestorage account using the Azure storage explorer, and how to use the Azurestoragekey.


AzurestorageaccountAnAzurestorageaccountisacloud-basedsolutionforstoringstructuralandun-structuraldata.It is also used to store the data disk of VMs, files, and so on. It is highlyavailable, durable, and secure. It can be accessed by HTTP/HTTPS fromanywhere. You can take a look at the following diagram for more details tounderstandaboutthestorageaccountdatastructure:

StorageforVMsdata:ThiskindofdatawillbestoredinablobstorageaccountunderthepageblobwhichstorestheVirtualHardDisk(VHD)fileofVMs.Structured data: It is a commonly used cosmos DB, table, and so onwherethedatawillbestoredstructurallyanditcangivetheresultseasily.Unstructureddata:Unstructured data can be used to store the data logfile,image,movieorarchivaldata,andsoon,whichisusedtodumpthedata. This does give results faster as this is not stored in a format orstructural way. Please take a look at the following diagram for moredetails:

Figure5.1:Azurestorageaccountdata

Azurestorageaccountsconsistofthefollowingthreetypes:

1. Blob storage account: Blob storage accounts are used for unstructureddatalikebackup,JPEG,AVIfiles,andsoon.Ablobstorageaccountoffersthreekindsofaccounts:coolstorage,hotstorage,andarchive.


Access tiers: Access tiers have the functionality to determine howfrequently data can be accessed. Based on the tiers, your storageaccountbillwillbecharged:

Hotstorage:Thistypeofstorageaccountcanbeusedwhenyouneedtoaccessthedatafrequentlysuchasday-to-dayoperations.Coolstorage:Thistypeofstorageaccountcanbeusedfordatathat is infrequently accessed and stored for a minimum of 30days.Letussayifyouhaveanolderbackuporfileyoujustwanttostoretoastorageaccount,andyouneedtoaccessitmonthlyonceortwice.Archivestorage:This typeof storage account is used to storethedatawhichhasbeen accessed rarely and stored for at least180dayssuchasanolderbackupwithmore than5or10-yearcompliancedata.

Pleaseseethefollowingscreenshotformoredetails:

Figure5.2:Azureblobstorageaccounttier

2. GeneralpurposeV1:GPv1storageaccountsarelegacyaccountsandtheyhavebeenusedforblobs(namechangedtoacontainer),filesqueues,andtables. They aremost commonly used and support replication like LRS,GRS,andRA-GRS.Pleasetakealookatthefollowingscreenshot:

Figure5.3:AzureGPv1account

3. GeneralpurposeV2:GPv2storageaccountsare recommended touseasthey areupgradedversions.Theyareused forblobs (namechanged to a


container), files queue, and tables. They support replication like LRS,GRS,RA-GRS,andZRS.Theyalsohavethefeatureforcold/hotstorageaccountwhichyoucangetonlyintheblobstorageaccount.Recently, MS Azure has released new replications like GZRS-zoneredundant storage and read-access geo-zone-redundant storage (RA-GZRS). It is in the preview feature. Please take a look at the followingscreenshot:

Figure5.4:GPv2

4. Premiumstorageaccounts:PremiumstorageaccountsusetheSSDdiskandprovidehighperformanceandlowlatencydisksupport.Thepremiumstorage account is mainly used for mission-critical applications orproductionenvironments.1TBdiskprovidesthe7500IOPSand250MBthroughputforthedisk.Pleasetakealookatthefollowingscreenshot:

Figure5.5:Premiumstorageaccount


AzurestorageaccountcreationandconfigurationIfyouwanttocreateastorageaccount,followthegivensteps:

1. PleaseclickonCreatearesource.2. SearchforStorageaccount.3. Click on the Create button to create a storage account as shown in the


Figure5.6:Storageaccountcreation

4. Please select the subscription for which you want to create the Azurestorageaccount.

5. Pleasecreate thenewresourcesgrouporuseanexistingresourcesgroupfromthedrop-downmenu.

6. ProvidetheAzurestorageaccountname(namewillonlybeinlowercaseandinnumbers).

7. Selecttheregionyouwanttodeploythestorageaccount.8. Performance type can either be Standard or Premium as per customer

requirements.9. Fortheaccountkind,youcanselect:GPv1,GPv2,orblobstorageaccount.

IhaveselectedGPv2asitslatestversion.10. For replication, you can select the default RA-GRS but based on the


requirements,youcanchangetoGRS,LRS,orZRS(ifavailable inyourregion).

11. Selecttheaccesstier:HotorCool.Inmycase,IhaveselectedHot.12. ClickonNext:Networking> for further configuration as shown in the


Figure5.7:Storageaccountconfigurationdetails

13. Basedontherequirements,youcanonlyenablethefollowingendpoints:

Publicendpoint(allnetwork):Opentoallnetworks.Publicendpoint(selectednetworks):Foraselectednetwork.Private endpoint: Integrate the VNet and make it available foryournetworkonlyasshowninthefollowingscreenshot:


Figure5.8:Storageaccountnetworkingconfiguration

Pleaseclickon theAdvanced tab,andhere,youcanset thesecuritylike secure transfer required and data protection settings, etc. Formoredetails,takealookatthefollowingscreenshot.PleaseclickonTagsandassignthetagsforbillingpurposesasshowninthefollowingscreenshot:

Figure5.9:Storageaccountadvancesettings

14. Oncethevalidationiscomplete,youwillseethegreenmark.15. Pleaseverify thedetailsonemore timeandclickonCreate tocreate the

account.16. After that, the deployment will start and your storage account will be

created within 5 to 10 minutes. Please take a look at the followingscreenshot:


Figure5.10:Storageaccountverificationandcreation

In this session, I have explained the Azure storage account data type and itsusage.Ihavebrieflyexplainedhowtocreatethestorageaccountandsoon.Now,youwillbeabletounderstandandcreatethestorageaccount.

ImplementAzurestoragereplicationInAzurestoragereplication,wehavereplicationpoliciesaspartofthestorageaccount replication. Ithelpsus tomaintain thecompliancepart and secure thedataonit:


Locallyredundant storage (LRS)account: Itmaintains threecopiesofyourdatawithinasingledatacenterinasingleregion.Itsusagedatacanbereconstructed, and it help in your complincae for regional governancerequirements.Zone redundant storage (ZRS): It maintains three copies of your datawithin2or3datacentersinasingleregionoracrosstheregion.Datawillbe replicatedacross the three-storageclusters ina single region. It isnotavailableinAzureoftheregion.Geo redundant storage (GRS) account: It maintains six copies of thedataanddatathathasbeenreplicatedthreetimeswithintheprimaryregionandthreetimesinthesecondaryregion100milesawayfromtheprimaryregion.Datawillbeavailabletoread-onlyduringafailure.Read-only geo-redundant storage (GRS) account: It maintains sixcopiesofthedataandworksinthesamewayasyourGRS,butitprovidesthereadaccesstoyoursecondaryregionevenwithoutthefailover.

If you would like to implement or change the replication, then you need tofollowthegivensteps:

1. PleaseselecttheAzurestorageaccount.2. GotoConfiguration.3. SelecttheappropriatereplicationfromtheReplicationdrop-downmenu.4. ClickonChange.Ifyouclickonchange,thechangesmightbeapplicable

basedonthereplicationyouselect.5. ClickonSaveasshowninthefollowingscreenshot:


Figure5.11:Storageaccountreplication

6. Onceyouchangethereplication,clickonGeo-replication.7. In this section, you will able to see the primary and secondary regions

whereyourdatahasbeencopiedasshowninthefollowingscreenshot:

Figure5.12:Storageaccountreplicationwithasecondaryendpoint

GenerateandmanagethesharedaccesssignatureAshared access signaturewill help you to provide the restricted access to thestorageaccountifanydeveloperoranyonerequeststogainaccesstothestorage


account.Youcanprovideaccesswithtimelimitation,andafterthesetduration,theaccesswillgetexpired.YoucangeneratetheSASaccessusingyourprimarystorageaccountkeyorsecondarystorageaccountkey.IfyouneedtogeneratetheSASkey,selecttheSharedaccesssignature tabunderSettings:

1. PleaseselecttheallowedserviceslikeBlob,File,Table,orQueue.2. SelecttheallowedresourcetypeslikeService,Container,orObject.3. AllowpermissionlikeRead,Write,andsoonbasedontherequirements.4. YoucanselectthespecificIPtoallowyourstorageaccount.5. SelecttheHTTPorHTTPSselection.6. ClickontheGenerateSASandconnectionstringbutton.7. After a fewseconds,keyswillbegenerated, and theuser canaccess the

key.Pleasetakealookatthefollowingscreenshot:

Figure5.13:Generatingsharedaccesssignature

ManagingthestorageaccountaccesskeyTheAzure storage account key is used to access the storage account from thestorage explorer or if you want to access it publicly. It is just like a storage


accountpasswordwhichyoucanchangeanytimewhileclickingontheRefreshbutton.

Youwillhaveaprimaryandsecondarykey.WhileclickingontheRefreshbutton,youcangeneratethenewkeywhichismarkedinaredcircleasshowninthefollowingscreenshot:Youcanusetheconnectionstringtoconnecttothestorageaccount:

Figure5.14:ManagingtheAzurestorageaccountkey

ConfigurenetworkaccesstothestorageaccountEnablingtheVNettotheAzurestorageaccountwillprovideanadditionallayerof security to your storage account which has your critical data. Afterintegration, thestorageaccountcanbeaccessedwithinVNetnotpubliclyuntilthepublicendpointorpublicIPisnotadded:

1. PleaseselectthestorageaccountforwhichyouwanttoenabletheVNet.2. SelectFirewallsandvirtualnetworksunderSettings.3. SelectthenetworkandclickontheAddnewvirtualnetworkoption,or

you can add the existing network as well as shown in the followingscreenshot:


Figure5.15:AzureStorageaccountnetworkconfiguration

4. OnceyouselecttheexistingVNetorcreateanewVNet,clickonokto5. PleaseprovidetheVNetnameandrangeofIP.6. Providetheresourcesgroupandregion.7. ProvidethesubnetnameandrangeofIP.8. Provide the locationandclickonCreate.Pleasecheckout thedetails in



Figure5.16:Azurestorageaccount-VNetcreation

Once theVet is associatedwith a storageaccount, clickon theSave button tosavetheconfiguration.Afterthat,youwillbeabletosuccessfullyconfigurethenetworkwithastorageaccount.Pleasetakealookatthefollowingscreenshot:


Figure5.17:AzurestorageaccountVNetassociation

InstallationandconfigurationofthestorageexplorerTheAzure storage explorer is an application that will help you to connect tostorage accounts andmove the data froman on-premises system to theAzureblob,file,queue,andtablestorageaccount.Youcan easilyupload, download, andmanageAzureblobs, files, queues, andtablesstorageaccount,AzureCosmosDB,andAzureDataLakeStoragedata.Itiseasytomanageandaccessfromyoursystem.YoucanaccessvirtualmachinedisksfromtheARMorclassicstorageaccounts.IfyouwanttoinstalltheAzurestorageexplorer,thenfollowthegivensteps:

1. Please go to https://Azure.microsoft.com/en-in/features/storage-explorer/todownloadtheAzurestorageexplorer.

2. Please select theOS (Windows/Linux orMAC) from the drop-downmenubasedontherequirements.Pleasetakealookatthefollowingscreenshot:


https://Azure.microsoft.com/en-in/features/storage-explorer/

Figure5.18:Azurestorageexplorer

3. Onceyoudownloadthestorageaccountfile,doubleclickonitandfollowtheinstructions.

4. Oncedone,youwillbeabletosuccessfullyinstallthestorageexplorer.5. PleaseopentheAzureStorageExplorer.6. ClickontheUsericon.7. ClickonAddanaccount…asshowninthefollowingscreenshot.8. LoginwiththeAzureaccount,connectionstringorSASURI,oranyother

optionmentionedinthefollowingscreenshot.9. ClickonNext:


Figure5.19:Azurestorageexplorersignin

10. Now,youcancopyandpastethestorageaccountstringsasshowninthefollowingscreenshot.

11. ForConnectionstring,pleasecheckthetopicmanagedaccesskey.12. Oncedone,youwillbeabletologinsuccessfullytothestorageaccount:


Figure5.20:Azurestorageexplorerloginmethod

Now,youwillsuccessfullybeabletologintotheAzurestorageexplorerasshowninthefollowingscreenshot:


Figure5.21:Azurestorageinexplorer

13. Now,youcanuploadthedatatotheAzureblobstorageaccounts.14. Youcancreatethecontainer.15. Now,youcanuploadthedatausingtheUploadoption.16. YoucandownloadthedatabyclickingontheDownloadoption.17. Createanewfolderifrequired.18. Youcanselectallthedocumentsandupdatethenecessarychanges.19. The same storage account can work for your file storage, and you can

createthequeueandtableaswell.Formoredetails,refertothefollowingscreenshot:


Figure5.22:Azurestorageinexplorerusage

ConclusionIn this chapter,wecovered thedifferent typesof storage accounts andhow tousethosestorageaccounts.Weexplainedthereplicationpolicyandlearnedhowit can help you in your compliancewith the data or to replicate the data.Welearned how to create the storage account and what are the GPv1 and GPv2storageaccounts.Wecoveredthepremiumstorageaccountanditsusage.In thenextchapter,wewilldiscusshowto importandexportdataandhowtomovethedatausingtheAzureAzCopycommand-lineutility.

ReferencesAzure storage account overview: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overviewBlob storage accounts: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introductionBlob file-disk: https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction


https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction

Storage scalability and performance: https://docs.microsoft.com/en-us/azure/storage/common/scalability-targets-standard-accountFormoredetails,visit:Azure4youblogpost:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/storage/common/scalability-targets-standard-account


I

CHAPTER6ManageDatainAZUREStorage

nthischapter,wewilldiscusshowtomigratelargedatatotheAzurestorageaccountusingtheAzureimportandexportservices.Wewillalsodiscussthe

AzureDataBoxandconfigurationofAzureADauthentication for the storageaccountusage.WewillcoverhowtousetheAzcopycommandwhichwillhelpyoutomovethedatafromon-premisestotheAzurestorageaccount.


ImportandexportjobsinAzure

ConfiguringAzureBlobstorageCreatingtheimportandexportjobsinAzurestorage

AzureDataBox

ConfiguringAzureADauthenticationforastorageaccountCopydatausingAzCopy

ObjectivesTheobjectivesofthischapteristoexplainhowtomigratethepetabytesofthedata using the Azure export/import utility and Azure Data Box solutions andhowtotransferthedatatoablobstorageaccountusingtheAzCopycommand-lineutility.

ImportandexportjobsinAzureWecancreatetheimportandexportjobsusingtheAzurestorageaccountwhichrequiresablobstorageaccountwherewecankeepthedata.Importandexportjobs can be used to send large data toAzureBlobs; for example, terabytes orpetabytesofdata.


Ifyourequireadatadisktocopythedataandconfiguretheservices,thendatawillneedtobeshippedtoMicrosoft,andMicrosoftwillcopythedatatoAzureBlob as per the customer’s request, and thedatawill be encrypted end to endusingBitLockerwhiletheconfigurationofimportandexportjobs.

ConfiguringAzureBlobstorageIn Chapter 5, Managing and Configuration of Storage Accounts, I haveexplainedabouttheblobanditsusage.Ifyouwanttocreatetheblob(container)underthestorageaccount,followthegivensteps:

1. Logintotheportal.2. Select the storageaccount forwhichyouwant to create theblob storage

(container).3. ClickonContainers.

Note: The blob storage name has been changed recently tocontainerduetonewmodificationsmadebyMicrosoftAzure,butthe terminology andusage are the same.Take a look at theblobcreationinthestorageaccountinthefollowingscreenshot.

Figure6.1:Blobcreationinthestorageaccount

4. ClickontheContainerbutton.5. Providethenameofthecontainer.


6. For Public access level: Select any of the following based on therequirements:

Private(noanonymousaccess)

Blob(anonymousreadaccessforblobsonly)

Container(anonymousreadaccessforcontainersandblobs)

Thefollowingscreenshotshowsthecontainercreation:

Figure6.2:Containercreation

7. Onceyourcontaineriscreated,youwillbereadytoconfiguretheimportandexportjobs.Youcanalsouploadthedatadirectly.Takealookatthecontainerconfiguration:


Figure6.3:Containerconfiguration

CreatingtheimportandexportjobinAzureStorageIfyouwanttocreateanimportjob,followthegivensteps:

1. Logintosubscription.2. GotoAllservicesandsearchforImport/exportjobs.


Figure6.4:Importandexportsearch

3. Oncedone,youcanprovidethebasicconfigurationsetting.4. SelecttheImportintoAzureoption.5. Provide the subscription and resource group name. Take a look at the



Figure6.5:Importbasicconfiguration

6. ClickonJobdetails.7. DownloadandinstalltheWAImportExporttooltogeneratethe.jrnfile.8. Now,youcanuploadtheJRNorXMLfile.9. Onceitisuploaded,selectthestorageaccount.10. Thelocationwillbethedefault.11. Click on the OK button and provide the return shipping information and

configurethereturnshippingdetails.12. ClickonOKandyourimportjobswillbecreated.



Figure6.6:Importjobsdetails

Aftercreatingtheimportjob,IwillnowexplainhowtocreateanexportjobinAzure.Now,youneedtofollowthesamestepsyoufollowedintheimportjob.Intheconfiguration,youcanexportthejobratherthanimportthejob:

1. Afteryoucreatethejob,youcanprovidethebasicconfigurationsetting.2. SelecttheExporttabfromtheAzureoption.3. Providethesubscriptionandtheresourcegroupname.



Figure6.7:Exportbasicconfiguration

4. Selectthedatasourceandselectthestorageaccount.5. ClickonExportall,Selectedcontainersandblobs,orExportfrom

thebloblistfile(XMLformat)basedontherequirements.Takealookatthefollowingscreenshot:

Figure6.8:Exportjobdetails


6. ProvidethecouriernamesuchasBlueDart,DHL,FedEx,andsoon.7. Then,addthename,address,phonenumber,andotherdetailsasshownin


Figure6.9:Exportjobshippingdetails

Now,youaresuccessfullyabletocreatetheexportjob,andthecourierguyswillpickupthecourierandsent it toyourdatacenter torecover thedata.Youcansecurely transfer the data using the data box. Each data box has the storagecapacityof80TBdata.

AzuredataboxAzureDataBoxwillhelpyoutomigratetheterabytesofdatatoAzurequickly,and it is a less expensive and reliable solution. It is a Data Box device(hardware)thatneedstobesetupandconfigured.Itisusedfordifferentscenarios:

One-timemigration:Ifyouhavealargeamountofon-premisesdataandyouwanttomovetoAzure:

Youcanmove themedia libraryfromyouron-premisesandbackup


tapes.It will help if you want to migrate your VM, SQL Server, andapplicationstoAzure.Ifyouwanttomovehistoricaldatafromon-premisestoAzureforin-depthanalysis,andsoon.

Initialbulktransfer:InitialbulktransferisdoneusingDataBox(seed),anditprovidesincrementaltransfersoverthenetwork.Periodicuploads: If your organization generates a large amount of dataperiodicallyandifitneedstobemovedtoAzure,thentheDataBoxwillhelpyoudothis.

The Data Box supports a large amount of data to migrate to Azure. It is aMicrosoft device that can be configured in your on-premises data center andconnectedtotheAzureDataBoxsolution.

ConfiguringAzureADauthenticationforastorageaccountInthissection,wewilldiscusshowtoconfiguretheauthenticationofAzureADusersforastorageaccount.Followthegivenstepstoconfigureit.It helps to manage a single identity to access the blob storage account andprovideaccess to it, soyoudonothave todependon the storageaccountkeyandprovidethegranularaccessusingAzureADauthentication.

1. GotothestorageaccountandthenclickonContainers.2. Select thecontainerandclickon thecontainerasshownin thefollowing

screenshot:

Figure6.10:AzureADauthenticationtothestorageaccount

3. One you get an insight into the Azure storage container, click on the


Access control (IAM) in figure 6.11 and select the appropriate role asfollows.ItcanalsobedonefromthestorageaccountIAMaswell.

StorageBlobDataOwner:Itisusedtosetownershipandmanageaccesscontrol forAzureDataLakeStorageGen2 and the storageaccount.Storage Blob Data Contributor: It is used to grantread/write/deletepermissionstoblobstorageresources.Storage Blob Data Reader: It is used to grant read-onlypermissionstoblobstorageresources.Storage Queue Data Contributor: It is used to provide theread/write/deletepermissionstoAzurequeues.Storage Queue Data Reader: It is used to provide read-onlypermissionstoAzurequeues.StorageQueueDataMessageProcessor:Itisusedtograntpeek,retrieve,anddeletepermissionstomessagesinAzurestoragequeues.Storage Queue Data Message Sender: It is used to provide thepermissionstomessagesinAzurestoragequeues.

4. Onceyou select the roles to assign, clickonOK to provide the access asshowninthefollowingscreenshot:

Figure6.11:AzureADauthenticationrole

Onceyouprovidethepermission,theuserwillhaveaspecificroleandwillbeabletoaccessthedataorstorageaccountaspertheassociaterole.


NowletuslearnhowtoenabletheActiveDirectoryDomainServices(ADDS)intheAzurestorageaccounttoaccessanAzurefileshare.

1. ClickonStorageaccount.2. Inthestorageaccount,clickonConfiguration.3. SelectIdentity-basedaccessforfileshares.4. Click on Enabled and save the settings as shown in the following

screenshot:

Figure6.12:Identity-basedaccessforafileshare

CopyingdatausingAzCopyAzCopy is a command-line utility that is designed to copy the data from theAzureBlob,file,andtablestorageaccount.ItusestheAzureADorSAS-basedauthenticationtoconnecttotheAzurestorageaccount.WecanusetheutilityinWindows,Mac,orLinuxOS.Itcanalsobeusedifyouwant tomove or copy your blob storage account fromone storage account toanother.Letusseehowwecanrun thesecommand-lineutilities tomakesurewecopythedata from theblobstorageorupload thedata in theblobstorage.Youcan


download the utility from https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10.

1. UsethefollowingcommandtologintoyourAzureADtenant:“azCopylogin--tenant-id=aeXXXX-XXXX-XXX”

2. Then,clickonEnter.3. Once theURLcomesup in the command line, select andpressEnter to

copy the URL (https://microsoft.com/devicelogin). Go to the URL andbrowseitandprovidethecodewhichcomeswiththeURLasshowninthefollowingscreenshot:

Figure6.13:AzCopylogin

4. Providetheauthenticationcodeasshowninthefollowingscreenshot:

Figure6.14:AzCopyloginauth-code

5. Once you enter the auth-code, youwill be able to log in to theAzcopyconsoleasshowninthefollowingscreenshot:


https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

https://microsoft.com/devicelogin

Figure6.15:AzCopyloginsuccessful

6. Usethefollowingcommandtocopythedatatotheblobstorageaccount:azCopycopy'C:\bpbfolder\bpbTextFile.txt'

'https://bobstorage.blob.core.windows.net/bpb/bpbTextFile.txt'

7. OnceyouclickonEnter,youwillbeabletocopythedataandmakesureyouusethecorrectblobstorageaccountanddestinationtocopythedata.

ConclusionInthischapter,wediscussedtheuseoftheimportandexportservicesandhowto migrate the petabytes of data to Azure. We also discussed the Azure ADauthenticationwhichwillhelpyoutodefinethefine-grainedaccesstotheAzurestorageaccount.UsingtheAzureAzCopycommandutility,youcantransferthedata from one blob storage account to another and you can transfer from on-premisessystemsaswell.In the next chapter, we will discuss Azure file configuration and see how toaccesstheAzurefileshare.WewilllearnabouttheAzurefilesyncaswellandthedetailsofusageandconfigurationinthenextchapter.

ReferencesAzure storage account overview: https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overviewAzure storage introduction: https://docs.microsoft.com/en-us/azure/storage/common/storage-introductionAzure Blob storage: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overviewAzureDataLakeStorage:https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-overviewFor more details, visit: beginning-modern-c-and-net-development-scorm2004_4-7OiO-Aea.zip


https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview

https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-overview

I

CHAPTER7TheAzureFileShare

nthischapter,wewilldiscussAzurefileshareandhowtocreatetheAzureFileshareandmapanetworkdrive.WewillusetheAzureFilesyncservices

and see how to troubleshoot them.Wewill also discuss the different types ofAzureFilesyncgroups.


AzureFileshare

CreatingandconfiguringtheAzureFileshareConfiguringtheAzureFilesyncAzureFilesyncgroup

AzureFilesynctroubleshooting

ObjectivesInthischapter,wewillexplaintheAzureFileshareandhowtocreatetheAzureFile share.TheAzureFile share canbeused as anetworkdrive, andyoucanmapittoyourserversandsynctheon-premisesfilestoAzure.WewillexplaintheAzure File sync andAzure File syncwill help customers transfer the on-premisesfilestoAzure.Itprovidesflexibility,performance,andcompatibility.

AzureFileshareTheAzureFilesharecanbeusedfornetworksharingjustlikeyourmapnetworkdrives.ItworksonSMBport445port,anditcanbeusedtokeepthedatawithregardstoVirtualHardDisk(VHD),backup,andsharingthedata.Youcankeepamaximumof5TBdataperfileshare.Ifyouwanttokeepmoredatainit,thenyoumustcreatemorefilesharestorageaccounttokeepthedata.


ThereisalimitationintheAzureFileshare,notAzurestorageaccount.Inonestorageaccount,youcancreatemultiplefilesharesandkeepthedataandapplydifferentkindsofsecuritypolicies.TheAzureFilesharehelpsus toprovidethestoragespacewithoutaddinganyadditionalstorageon-premises.

CreatingandconfiguringtheAzureFileshareIn Chapter 5, Managing and Configuration of Storage Accounts, I haveexplainedhowtocreateastorageaccount,itstype,anditsusage.Ifyouwanttocreatethefileshareinthestorageaccount,followthegivensteps:

1. Logintotheportal.2. Select the storage account for which you want to create the Azure File

share.3. ClickontheFilesharesoption.

TakealookattheAzureFilesharecreatedinthestorageaccountasshowninthefollowingscreenshot:

Figure7.1:AzureFilesharecreationinastorageaccount

4. ClickontheFilesharebutton.5. Providethenameasshowninthefollowingscreenshot.6. Setthequotalimitasperthecustomer’srequirements.


7. ClickontheCreatebutton.Let’stakealookatthefollowingscreenshot:

Figure7.2:Filesharecreation

8. Youcancreatethefileshareup5TBeachandthisisalimitationfromMSAzureend.Let’stakealookatthefollowingscreenshot:

Figure7.3:AzureFilesharelimitation

9. Oncethefileshareiscreated,itwilllooklikethefollowingscreenshot:

Figure7.4:AzureFileshare


10. Onceyouclickonthefolder,youwillgettheoptiontouploadthedata.11. ClickontheUploadtab.12. Selectthefileandbrowsethefoldertouploadthedocuments.13. Oncedone,clickontheUploadbuttontouploadthedocuments:

Adddirectory:Userforfoldercreationorusetoaddfolderinthefileshare.Refresh:Ifthedataisnotreflecting,youcanrefreshthebutton.Deleteshare:Thiscanbeusedtodeletethecompletesharefolder.Quota:Thiswillhelpincreaseordecreasethequotalimit.View snapshots: This can be used to see a snapshot of your fileshare.CreateSnapshot:Thiscanbeusedtocreatethebackupofyourfileshareorcreatethesnapshotwithinastorageaccount

Figure7.5:AzureFilesharefileupload

Now, I will show you how to connect the file share with your on-premisemachineorlocaldesktopPC:

1. ClickontheConnectoption.2. Oncedone,itwillaskyoutocopythepathandrunitinPowerShell.3. TheAzureFilesharesupportsWindows,Linux,andMacOSestoconnect

tothefileshare.4. Based on the OS, you can copy the command line and follow the

instructionstoconnect.5. Makesureyouallow445portfromyourFirewallandNSGtoconnectto

thefileshare.Let’stakealookatthefollowingscreenshot:


Figure7.6:AzureFileshareconnect

Now, you can connect the Azure File share and upload the data which willautomaticallysynctoanAzureFileshare.

ConfigurationofAzureFilesyncAzureFilesyncwillhelpyoumanagethedocumentscentralizedjust likeyournetwork share. It provides flexibility and high performance with your on-premises fileserver. It supportsprotocols likeSMB,NFS,andFTPS toaccessyourdatalocallyandprovidesthecachetotheAzureFileshare.

Note:Fornow,itsupportsonlyWindowsServerandnootherplatformaspertheMSdocumentation.PleasetakealookatthedocumentationformoreclarificationonAzureFilesyncsupportandfeatures.

Ifyouwant tocreate theAzureFileshare, followthegivensteps tocreate theAzureFilesync:

1. GotoMarketplaceandsearchforAzureFileSync.2. Selecttheservices.3. Providethenameofthefilesyncservices.


4. ClickoncreateAzureFilesync.5. Selecttheresourcesgroup.6. ClickonReview+Create.7. Oncedone,youwillbeabletocreatefilesyncservices.

Let’stakealookatthefollowingscreenshot:

Figure7.7:AzureFilesynccreation

8. Now,youcancreatetheAzureFilesync.Next,wewillcreatetheAzureFilesyncgroup.

AzureFileSyncgroupAzureFilesyncprovidesasetofsynctopologytoasetoffilestokeepthedatasyncingthroughtheendpointwhichhasbeencreatedduringtheAzureFilesyncgroup creation.The sync group helps to sync files frommultiple endpoints tokeepsyncing.Tocreatethesyncgroup,let’sfollowthegivensteps:

1. SelecttheAzureFilesync.2. GototheSynctabandclickontheSyncgroupoption.



Figure7.8:Syncgroupcreation

3. Providethesyncgroupname.4. Selectthesubscription.5. ClickonthestorageaccountandselecttheAzurestorageaccount,andthen

youcanselecttheDataBoxaswellforthesamesolution.6. SelecttheAzureFilesharefromthedrop-downmenu.7. ClickonCreate.Oncedone,yoursyncgroupwillbecreated.Let’stakea

lookatthefollowingscreenshot:


Figure7.9:Syncgroupcreationsteps

Now, you can create the Azure sync group. Once the sync group is created,pleaseregistertheserversyouwanttotransferthedatato:

1. ClickontheSynctab.2. ClickonRegisteredservers.3. ClickontheDownloadAzureFileSyncagentandinstallitonall

serversyouwanttosyncoption.4. Oncetheagentisinstalled,yourserverswillbeshowntoregisterservers.5. Youwillbeabletotransferthefilesandfoldersautomatically.Let’stakea



Figure7.10:Registeredservers

AzureFilesynctroubleshootingAzureFilesynctroubleshootingwillhelpyoutofigureoutthecommonissuesyoufacetoconnecttotheAzureFileshare.YoumighthaveaproblemdeletingthefilesfromtheAzureFileshareoragentinstallation.Youmighthaveanissuewithregisteredservers’additionorremovalprocess.I sometimes face an issue of the server been already added and had totroubleshootandfixtheissue.Sometimes,youmightfacetheissueofthesyncgroupnotworkingorMgmtServerJobFailed.For all these issues, Microsoft Azure has written a wonderful documentation(https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-troubleshoot?tabs=portal1%2Cazure-portal),sofollowthisdocumentationtofixtheissue.

ConclusionIn this chapter, we explained the usage of the Azure File share and how toconnect and transfer the files in the Azure File share.We also explained thelimitation of the Azure File share. We discussed the Azure File syncconfiguration and explained the components as well. In Azure File sync, wediscussedaboutthesyncgroupandhowtoregistertheservers.Ifyougetstuckonsomeissues,thenyoucanusetheAzureFilesynctroubleshootingstepstofixtheissue.In the next chapter, we will discuss the implementation of the Azure virtualmachineandhowtocreateandconfiguretheAzurevirtualmachine.We will discuss the high Azure availability and disk encryption and how toredeploytheAzureVManditsusage.


https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-troubleshoot?tabs=portal1%2Cazure-portal

ReferencesAzure File share: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introductionCreate and manage Azure Files share with Windows virtual machines:https://docs.microsoft.com/en-us/azure/storage/files/storage-files-quick-create-use-windowsEnable and create large file shares: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-how-to-create-large-file-shareDeploy Azure File sync: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portalAzure File sync proxy and firewall settings:https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-firewall-and-proxyTroubleshoot Azure File Sync: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-troubleshoot?tabs=portal1%2Cazure-portalFormoredetails,visit:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-quick-create-use-windows

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-how-to-create-large-file-share

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-firewall-and-proxy

https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-troubleshoot?tabs=portal1%2Cazure-portal


I

CHAPTER8CreatingandConfiguringofAzureVMsnthischapter,wewillbediscussingtheuseofAzureVMs,howtoconfigurethehighavailability,andhowtomonitortheAzureVMsusageoftheAzure

storage and what kind of disk required while creating the VMs. I will beexplaining about the Azure scale set as well. How to scale-in the Azureenvironments usingAzure scale set.Wewill be discussing how to choose theAzureVMsizeandmuchmorestuff.


AzureVirtualMachine(VM)AzureVMscalesetsConfigureAzurediskencryptionRedeployVM

ObjectivesWewill be explaining in this chapter, creating theAzureWindows andLinuxVM inAzure subscriptionwhich can be used for your test, development, andproduction environments. Configuring the high availability will help you toreducethedowntimeoftheAzureVMs.Wehavealsoexplainedhowtosetupthemonitoring, storage,VM size, and configure the disk encryption inAzureVM,whichwillhelptoencryptthediskandsecurethediskdata.

AzurevirtualmachineTheAzureVMprovides flexibility invirtualenvironmentswithoutbuyingon-premisehardwareorsoftwarelicenses.Itprovideshighavailability,andwecanuse it as on-premise servers. You can even perform tasks like softwareinstallationpatchingandothertasksasperthecustomer’srequirements.


AzureVMsaremainlyusedforapplicationtesting,developmentwork,orhybridcloudscenarios.Ifyouneedtoextendyouron-premisesenvironmentstoAzure,youcandothataswell.MicrosoftAzuresupportsWindows,Linux,andanothercustomOSversionaspermarketplacestandards.MicrosoftAzuresupportsthevarioustypesofVMsizessothatcustomerscandeploytheVMsbasedontheirrequiredconfiguration.ItalsosupportshighlevelofVMsizesforSAPandSAPHANAaswell.

VirtualmachinecomponentsIfyouareplanningtocreateaVM,thenyouneedtofollowthegivenstepsandcompleteafewpre-requisites.PleasefollowthegivenstepstocreateVMs.

Pre-requisitesFirst, I will explain a few of the components under the pre-requisite section.Onceyouunderstandthecomponents,itwillbeeasyforyoutocreatetheVMs:

Subscription:YouneedtoselectthecorrectsubscriptionwhereyouwanttodeploytheVMs.Resourcegroup:Pleaseselect thecorrectresourcesgroupforwhichyouwant to deploy theVMs.Formore details, refer toChapter 4, ResourceGroupManagement.Virtualmachinename:Followyourorganizationnamingconventionorgetthedetailsfromyourcustomer/project.Providethemachinename.Region: The region is equal to yourAzure data center location. If yourcustomer is from theUS, you can choose a location likeEastUS,EastUS2,WestUS,orCentralUS.Basedon thecustomer location,youcanchoosetheregionwhichwillhelptoreducethelatency.Availabilityset:The availability set is a logical groupingofyourAzureVMswhichprovideshighavailabilityofyourVMsincaseofunexpectedhardware failure, unplanned hardware or software maintenance, and ifthereisanyplannedmaintenancefromMicrosoftAzure.

FaultDomain:Faultdomainsharesthecommonpowersourcesandphysicalnetworkswitch.Thismeansthat ifanythinghappensinthehardwareornetworklayer,thenitwillhelpyourVMstokeepalive.Update Domain: Update domain will help you in case of anyplannedorunplannedsoftwaremaintenancefromMicrosoftAzure.It


ensures your application VMs reboot at the time within theavailabilityset.Takealookatthefollowingdiagram:

Figure8.1:Azureavailabilityset

Availability zone: The availability zone is another option that provideshigh availability in caseof data center failurewithin the zone.The zonehasbeendesignedwithonemoredatacenter;whichprovidestheresiliencyandavailabilityofyourdataandapplicationservices.Pleasetakealookatthefollowingdiagram:

Figure8.2:Azureavailabilityzone

Image:Imagesarenothing,butyouroperatingsystemthatyoucanchoosewhile creating theVMs. Images canhaveWindows,Linux,Ubuntu, and


customizedimagesthatareavailableintheAzuremarketplace.Pleasetakealookatthefollowingscreenshot:

Figure8.3:Azureimageoptions

Administrator accounts: The administrator account is used to log inlocallyintheVMs.YoucanusetheVMcredentialsthatwillhelpyoutoconnecttheVMstotheRemoteDesktopProtocol(RDP)orSecureShell(SSH).Disktype:ThedisktypeiswhereyourdataandOSarestored.Itconsistsofthefollowingtypes:

HDD:Harddiskdriveisbackedbyamagneticdiskanditprovides500IOPS/1TB. It isusedforanyworkloadbasedon thecustomer’srequirements.SSD: It isalsocalledapremiumdiskwhich isbackedby thesolid-


state drive and provides 7500 IOPS/1TB. It is mainly used forproductionworkload.Standard SSD: It is a combination of SSD and HDD disk, whichprovides faster performance and provides 500 IOPS/1TB. It can beusedfordevelopmentandUATenvironments.

AzureVMssize:AzureVMssizeisacollectionofthecapacity(memory,disk,IOPS,andsoon)andfeaturessupportedbyyourAzureVMsinstancelike2GBRAMwith120GBdisk space asyouron-premiseshardware.Youcanchoosebasedontherequirements.ItsupportslargeinstancesizeswhichcanbeusedforGPU-basedsystemsorSAPVMs.Pleasetakealookatthefollowingscreenshot:

Figure8.4:Azureinstancesize

Network component: Azure network components are mainly used toconnectyourVMs/services toyournetwork.Forexample,whilecreatingVMs,youneed toselect thevirtualnetworkandsubnetwhichdefine thenetworkboundaryofyourVMs.PublicIP:ApublicIPaddressisusedifyouwanttoconnectyourVMstotheinternetoraccessandconnectapplicationspublicly.NSG(inboundandoutboundport):Thenetworksecuritygroupdefinesthe rules for ports that need to be allowed or denied and based on therequirements,youcanallowtheports.

Inboundport:ThetrafficwhichyouwanttoallowfromtheinternettoyourVMs.Outboundport:ThetrafficwhichyouwanttoallowfromyourVMs


totheinternet.

Bootdiagnostics:Itisusedtocapturetheconsoleoutputandhelpyoutoprovide the screenshots of the VM running on a host in case of anoccurrenceofanissue.OS guest diagnostics: It helps to collect the metrics of your virtualmachine.So,youcanuseandcreatealertstoupdateyourteams.Diagnosticaccounts:Thediagnosticsaccountisnothingbutyourstorageaccount where you want to store the diagnostics logs for furthertroubleshooting.Autoshutdownconfiguration:IthelpstoshutdowntheVMsafteryourbusinesshoursautomatically. It is recommended thatyoudonotuse thisoptionforyourproductionenvironments.Dedicatedhost: It is a new feature that is launchedbyMicrosoftAzureandallowsadedicatedhostintheAzuredatacentertoprovisiontheVMswithinadedicatedhost.ItprovidesisolatedenvironmentsandhelpsinanymaintenanceinitiatedbyMicrosoftAzure.However,itisnotnecessarytochoosethesame.Proximity placement group: It allows users to group Azure resourcesphysicallyclosertogetherwithinthesameregion.Resourcegrouptag:Itisusedforbillingpurposesandyoucantagyourresourcesbasedonyourrequirementslikeacostcenter,applicationname,productteam,andsoon.Reviewandcreate:Finally,youwillseealltherequireddetailsinthistab,andyoucanreviewandcreatetheVMs.

AsIhaveexplainedallthecomponents,letusunderstandandcreatetheAzureVMs.

CreatingaWindowsvirtualmachineTocreatetheWindowsVM,performthefollowingsteps:

1. Providethefollowing-requireddetails:

Subscription:Providethesubscriptionname.Resource group: Provide the resources group name based on theorganizationstandards.


Virtualmachinename:ProvidetheVMname.Region:ProvidethelocationyouwanttodeploytheVMto.Availability set: Provide the availability set based on therequirements.Availability zone: Provide the availability zones based on therequirements.Image:SelecttheimageWindows,Linux,orcustomimage.Lookatthefollowingscreenshot:

Figure8.5:AzureVMdetails

2. Then,addthefollowingdetails:

Administratoraccount:Provide theadminaccountusernameandpassword.Size:ProvidethesizeoftheVMsbasedontherequirements.Pleasetakealookatthefollowingscreenshot:


Figure8.6:AzureVMscredentials

3. Specify thediskbasedontherequirements likePremiumSSD,StandardHDD,orStandardSSD.

4. Youcanaddanadditionaldiskusingadvanceoptions.Takealookat thefollowingscreenshot:

Figure8.7:AzureVMsdiskspecification

5. Selectthevirtualnetworknameandsubnet.6. IfyouneedPublicIP,thenclickonCreatenewandprovidethename.


7. SelecttheportsyouwanttoallowtoconnecttoVMslike3389or22,andsoon.Takealookatthefollowingscreenshot:

Figure8.8:AzureVMsnetworkconfiguration

8. ProvidethebootandOSdiagnosticsaccounts.9. SelecttheDiagnosticstorageaccountfromthedrop-downmenu.10. Enabletheauto-shutdownoptionforVMsthatarenotproductionVMs.11. ProvidetheemailIDandtimezoneandsoon.Takealookatthefollowing

screenshot:


Figure8.9:AzureVMsdiagnosticsconfiguration

12. SelecttheAdvancedtabandclickonNexttoselecttheTagsoption.Takealookatthefollowingscreenshot:

Figure8.10:AzureVMsresourcestag


13. VerifyReview+createtheVMs.Itwilltake8to10minutestocreatetheVMs. Now, the VM creation process is complete. Take a look at thefollowingscreenshot:



Figure8.11:AzureVMscreationreview

Now,youwillbeabletocreatetheWindowsVM,andIwillshowyouhowtotakecareoftheLinuxVMs.

CreatingLinuxVMsIfyouneed tocreate theLinuxVMs,pleasechange the imagenametoLinux,RedHatEnterprise,andsoon,followedbytheprecedingstepsasprovidedfortheWindowsvirtualVMcreation:

Figure8.12:AzureLinuxVMs

Once you complete all the steps, click onCreate and yourLinuxVMwill becreated.YoucanrefertotheVMcreationsectiontogetmoredetails.

AzurevirtualmachinescalesetcreationTheAzurescalesethelpsyoutocreateagroupofVMsandmanagethem.ItisautomaticallymanagedtoincreaseordecreasetheVMsbasedontheCPUusageor other rules which you have to define in a scale set. It provides highavailabilityofyourapplicationwhileauto-scalingtheVMbasedontherequiredconfiguration. It provides redundancy and improves the performance of your


applicationswhichisdistributedacrossmultipleinstances.It is easy to create a scale set and high availability and application resiliency.Youcanscaletheinstancebasedonapplicationdemands.

1. Letusconfigureanddeploythescalesetandfollowthegivensteps:

Virtualmachinescalesetname:BPBScalesetOperating system disk image: Windows Server 2016

Datacenter

Subscription:Selectasubscription.Resourcegroup:BPB

Location:(US)EastUS

Availabilityzone:Selectifrequiredorleaveittodefault.Username:BPBuserPassword:Providethepassword.Pleasetakealookatthefollowingscreenshot:

Figure8.13:Azurescalesetconfiguration

Instance count: The default value is 2 and based on therequirement,youcanincreasethecount.


Instancesize:StandardB1SUsemanageddisks:SelectYes,ifitisrequired.Enablethescalesetwhilecreatingoryoucanselectaftercreatingitaswell.


Figure8.14:Azurescalesetauto-scaleconfiguration

2. Ifyouwanttoselecttheapplicationgateway,pleaseselectthesame.3. Selectthevirtualnetwork.4. SelectPublicIPifrequired.5. Publicinboundportsarerequired.6. Enablethebootdiagnostics.7. ClickontheCreatebutton.




Figure8.15:Azurescalesetnetworkconfiguration


ConfigureAzurediskencryptionTheAzurediskencryptionwilluseaBitLocker feature toenable the fulldiskencryptionoftheWindowsOSanddatadisk.WecanconfiguretheAzurediskencryptionusingtheAzureportal,PowerShell,andAzureCLI.TheAzurekeyvaultisintegratedwithAzureencryptiontohelpyoutomanagetheaccessandcontroltheencrypteddisk.For Linux, the Azure VM uses a DM encrypt feature to provide the volumeencryption to theOS and data disk of theLinuxVM.TheAzure key vault isintegrated with the Azure encryption to help you to manage the access andcontrolthekeysandsecrets.ItsupportsthefollowsOSes:

Windows8andlaterOSversionServers2008R2andlaterOSversionRedHat,Ubuntu,andsoonasperLinuxOSdiskencryptionsupported

Letusjustseehowtoconfigurethediskencryption:

1. GototheVMtowhichyouwanttoenablethediskencryption.2. UnderSettings,clickontheDisksoption.3. On the right-hand side of the tab, click on Encryption as shown in the


Figure8.16:Azurediskencryption

4. Once you click on Encryption, it will open another tab to provide the


detailstoencryptthedisk.Followthegivendetails:

Selectthefollowingdiskoptionfromthedrop-downmenu:

None

OSdisk

OSanddatadisks

Onceyouselectthisoption,youneedtoselectthekeyvault,key,andkeyversionasshowninthefollowingscreenshot:

Figure8.17:Azurediskencryptionsettings

5. Once you fill all the parameters, click onSave at the top to encrypt thedisk. Itwill pop up themessage theVMmight reboot, and you need toreboottheVM.

6. ClickonYesandyourdiskwillstartencryptingasshowninthefollowingscreenshot:


Figure8.18:Azurediskencryptionsave

7. Onceyoulogintoyoursystem,youwillobservethatyouhaveenabledthediskencryption.Then,youwillseethatthediskhasalocksignwhichisaBitLocker encryption symbol. Hence, your disk has been encrypted asshowninthefollowingscreenshot:

Figure8.19:Azurediskencryptionverification

Now,wehavesuccessfullyverified that theAzurediskencryption isdoneandunderstandsthewholeprocess.

RedeployaVMAzure VM redeploy can be used if you are facing an RDP connectiontroubleshootingissueorapplicationconnectivityissueintheAzureVM.Azureredeploywillhelpyoutomovethemtoanewnode,andinthisprocess,theVMwillbeshutdownandretaintheentireconfiguration, includingyourdatadisk,butthetemporarydiskdatawillbedeleted.LetusseehowtoprocesswiththeAzurevirtualmachineredeployVMoption.


1. Go to the VM for which you want to perform the Azure VM redeployoption.

2. GotoSupport+troubleshooting.3. Then,clickontheRedeployoptionasshowninthefollowingscreenshot:

Figure8.20:AzureVMredeploy

4. OnceyouclickontheRedeployoption,clickontheRedeploybuttonandtheprocesswillstartandthenyoucangothroughtheinstructionasshowninthefollowingscreenshot:

Figure8.21:AzureVMredeployinstruction

It will take up to 15 to 20 minutes to complete the process. Once this iscomplete,youcanseeyourVMupandrunningfineandyoucanconnecttoappsorVMs.


ConclusionIn this chapter, we discussed the Azure virtual machine and its usage. WedescribedtheAzurevirtualmachineandscalesetcomponentsindetail.Wealsodiscussedhow to implement theAzure disk encryption and encrypt your diskandhowtotroubleshoottheissueusingtheAzureVMredeployoption.In the next chapter,wewill discuss how to deploy theAzure virtualmachineautomatically using the Azure template.We will also discuss how to use theARMtemplateandmodifythesame.

ReferencesCompute-optimizedvirtualmachinesizes:https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes-computeSizesforLinuxvirtualmachinesinAzure:https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizesCreateaLinuxvirtualmachineinanavailabilityzonewiththeAzureCLI:https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-cli-availability-zoneWhat are availability zones in Azure: https://docs.microsoft.com/en-us/azure/availability-zones/az-overviewDeploy VMs to dedicated hosts using the portal:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/dedicated-hosts-portalManage the availability of Windows virtual machines in Azure:https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availabilityFormoredetails,visit:Azure4you


https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes-compute

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-cli-availability-zone

https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/dedicated-hosts-portal

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

I

CHAPTER9AutomatingDeploymentofVMs

nthischapter,wewilldiscusstheautomationofAzureVMs,howtodeploytheVMs using theARM template, how to configure the location ofVMs,

howtoconfiguretheARMtemplate,andhowtosavethetemplateanddeploytheVMs.


AzureARMtemplateModifyingtheARMtemplateTemplatedeployment

ObjectivesIn this chapter,wewill learn about theARM template and how to create theAzureVMusingthetemplate.WewillalsolearnhowtogenerateanddeploytheARMtemplateinanAzuresubscription

AzureARMtemplateThe Azure ARM template defines an automated way to deploy the AzureinfrastructureliketheAzurevirtualmachinestorageaccount,andsoon.Thisismanaged by theAPI, called theARMAPI or resourcemanager, and used todeploy the infrastructure code. You can use the Azure portal, PowerShell, orCLI,bycallingtheAPIdirectlyandbycreatingARMtemplates.WecancreatetheARMtemplateintheJSONformat,andwecanuseitfortherepeateddeploymentofyourresources.Itcanalsobeusedtodeployresourcesacrossthesubscriptionenvironments.

Note: Many templates are available in the GitHub and Microsoftdocumentationwhich can be used andmodified for your deployment.


Refer to the ARM GitHub at https://github.com/Azure/azure-quickstart-templates.

ModifyingtheARMtemplateInthissection,IwilldeployanAzurevirtualmachineandyouwillseehowtousetheARMtemplatedeploymentfromthetemplate.YouwillunderstandhowtogenerateandmodifytheAzuretemplate.Ifyouneedtocreatethetemplate,followthegivensteps:

1. Logintotheportal.2. Selectthevirtualmachineandprovidetheparameters.3. Selectthesubscription.4. SelecttheResourcesgroupname:

VMnameAzurediskVNetSubnet

5. Once the process is complete, download the template as shown in thefollowingscreenshot:


https://github.com/Azure/azure-quickstart-templates

Figure9.1:ResourcestemplateCreate

6. OnceyouclickonDownloadatemplateforautomation,youwillgetmultipleoptionsasfollows:

DownloadthetemplateAddtoARMlibraryDeployusingthesametemplate

7. Youcansee the templatebeencreated in theJSONformat. Ithasstringsandvaluesinthetemplate.

8. Ifyouneedtoeditthetemplate,thenyouwillhavecertaineditparameterssuch as $schema, contentVersion, Parameters, Variables,

Resources,andOutput.Onceyousetall theseparameters,yourtemplateisreadyfordeployment.Let’stakealookatthefollowingscreenshot:


Figure9.2:Resourcestemplatedownload

ThetemplatewillbedownloadedintheZIPfolder,andyoucanopenitintheARMeditorsoftware.

9. Now,youcanseethetemplateparameters,andyoucanevensetthevaluethatcouldberequiredforfurthertemplatedeployment,andsoon.Youcanseethefollowingvalues:

LocationRDPPorts



Figure9.3:Resourcestemplateparameter

10. Search for the deployments and select the Deploy a custom templateoption.Takealookatthefollowingscreenshot:

Figure9.4:Resourcestemplatecustomdeployment

11. Onceyouselect thetemplate,youwillgetanoptiontoedit thetemplate.Youcanchoose the template from theGitHubdirectly andclickonedit.Pleasetakealookatthefollowingscreenshot:


Figure9.5:Templateeditordeployment

12. OnceyouclickonEdittemplate,youwillbedirectedtothenextsection.Then,selecttheLoadfileoptionandtryanduploadthefile:


Figure9.6:ARMtemplateloadfile

13. Onceyouadd the template, itwilladdyourparameters,andyouneed toverifytheparameters.Then,clickonSave:

Figure9.7:ARMtemplateedits

TemplatedeploymentsTodeploythetemplate,performthefollowingsteps:

1. OnceyouclickonSave,itwillautomaticallygotothedeploymentscreen.2. Providealltheparametersasperyourrequirements.3. Onceyouaredonewiththeparameters,clickonPurchaseandyouwillbe

abletodeploytheVMs.4. It will take 10 to 15 minutes to deploy the VMs. After this, your


deploymentwillbecompleted.Takealookatthefollowingscreenshot:

Figure9.8:ARMtemplatedeployment

ConclusionInthischapter,wediscussedhowtodeploytheAzurevirtualmachineusingtheARMautomation,whichwillhelpyoutodeployyourbiginfrastructurequicklyandsaveyourtime.In the next chapter, we will discuss how to create and configure the Azurecontainers and use of the Kubernetes services.Wewill give you step-by-stepinstructionsonhowtodeploytheKubernetesandcontainerservicesinanAzuresubscription.

ReferencesGitHub ARM template: https://github.com/Azure/azure-quickstart-templatesAzure Resource Manager templates overview:


https://github.com/Azure/azure-quickstart-templates

https://docs.microsoft.com/en-us/azure/azure-resource-manager/template-deployment-overviewCreateanddeployAzureresourcemanager templatesbyusing theAzureportal: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-quickstart-create-templates-use-the-portalAzureresourcemanagertemplatesformanagementfeaturescodesamples:https://docs.microsoft.com/en-us/azure/azure-resource-manager/template-samplesFormoredetailsonAzure4youblogpost,visit:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/azure-resource-manager/template-deployment-overview

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-quickstart-create-templates-use-the-portal

https://docs.microsoft.com/en-us/azure/azure-resource-manager/template-samples


I

CHAPTER10CreatingandConfiguringContainer

n this chapter, we will learn about the Azure Container and Kubernetesservices and how to create these services and their usage. We will also

discussanAzureContaineranditsuses.


AzureContainer

UseofanAzureContainerCreateacontainer

AzureKubernetes

CreateAzureKubernetes

ObjectiveThe objective of this chapter is to create and configure Azure ContainerInstances(ACI)andAzureKubernetesService(AKS).

AzureContainerAn Azure Container is a standard package of software which helps you topackage the code, dependencies, and configuration of a particular application.Containers help to split the monolithic applications into individual serviceswhichmakeupthesolution.

UseofanAzureContainerThefollowingaretheusesofanAzurecontainer:

Itisusedtoscaleuptheapplication.


Itprovidesthelightweightandimmutableinfrastructureforpackagingtheapplicationanddeployment.It provides better performance and removes the OS, versions, anddependencies.

CreateacontainerLetusseehowtocreatethecontainerservicesusingthefollowingsteps:

1. ClickonCreatearesource.2. SearchforContainerInstances.3. ClickonCreateforcreatingthecontainerinstance:

Figure10.1:Containerinstancecreate

4. Providethefollowingdetails:

Thesubscriptionandtheresourcesgroupname.Theregionforwhichyouwanttocreatethecontainer.Selecttheimagesourcesfromanyofthefollowingoptions:

Quickstartimages

AzureContainerRegistry

DockerHuborotherregistry

Selectthesizeofthecontainerinstance.

5. Click on the Next: Networking > button as shown in the followingscreenshot:


Figure10.2:Containerinstancedetails

6. IntheNetworkingtab,providethefollowingdetails:

Selectthenetworkingtypefromthefollowingoptions:

Public: It will create a public IP address and assign it to thecontainerforpublicaccess.Private: If you want to integrate a VNet with the container,selectthisoption.

ProvidetheDNScustomname.Verifytheportnumber.


7. Once done, click on the Next: Advanced > button as shown in thefollowingscreenshot:

Figure10.3:Containernetworking

8. IntheNetworkingtab,followthegivensteps:

Clickonanyoftherestartpolicy:

Onfailure

Always

Never

Setuptheenvironmentvariableifyouwanttosetupthecontainer.Youcansetacommandlinetooverrideifrequired.



Figure10.4:Containeradvancesettings

9. ClickonCreateafterthevalidationofthecontainerservicesasshowninthefollowingscreenshot:


Figure10.5:Containerinstancecreation

Thecontainerwillbecreatedinafewminutesafterperformingthesesteps,andyoucanmakeuseofit.

AzureKubernetesKubernetes is an open source portable platform for automatic deployment,scaling, and management of containerized workload. It is managed andorchestrated by the container in difference compute environments. Thisorchestration platform provides the ease of use and flexibility with PaaS andIaaSenvironments.

CreateAzureKubernetes


LetusseehowtocreateAzureKubernetesbyfollowingthegivensteps:

1. ClickonCreatearesource.2. SearchforKubernetesService.3. SelecttheserviceandclickonCreate:

Figure10.6:Kubernetesservices

4. OnceyouclickoncreatetheKubernetesservices,itwillaskyoutofillthefollowingdetails:

Subscription

Resourcegroup

Providetheclusterdetailsasfollows:

Kubernetes cluster name: Set of node machines calledKubernetesforrunningcontainerizedapplications.RegionYouwanttodeploytheservices.TheversionofKubernetesservicesyouwanttodeploy.

Node:A node is a physical or virtualmachine that depends on theclusterconfiguration.Providethenodesizeandnodecount.YouwanttoaddanadditionalKubernetescluster.



Figure10.7:Kubernetesservicesdetails

5. Onceyouaredonewith theprecedingconfiguration,go theNodepoolssectionandprovidethefollowingdetails:

AddthenodepoolanditsinstancesizewiththeOS.Selectthevirtualnodetobeenabledordisabled.SelecttheVMscalesettobeenabled.


6. GototheAuthenticationtabasshowninthefollowingscreenshot:

Figure10.8:Kubernetesservicesnodepool

7. IntheAuthenticationtab,selectthefollowingdetails:

Select the authentication method Service Principal or system-assignedmanagedidentity.

In Kubernetes authentication and authorization, enable the RBACrole.Selecttheencryptiontypeasdefault.

8. ClickontheNetworkingtabasshowninthefollowingscreenshot:


Figure10.9:Kubernetesservicesauthentication

9. OnceyouclickontheNetworkingtab,providethefollowingdetails:

Selectthenetworkconfiguration:BasicorAdvancedDNSnameprefix

Loadbalancer

Privatecluster:EnabledorDisabled

Networkpolicy

HTTPapplicationrouting:YesorNo

Gotothenexttabasshowninthefollowingscreenshot:


Figure10.10:Kubernetesservicesnetworking

10. Once you click on the Integration tab, select the Log Analytics

workspaceundertheAzureMonitorsection.11. ClickontheNext:Tags>buttonasshowninthefollowingscreenshot:


Figure10.11:Kubernetesservicesintegration

12. Here, provide the tag name and click on create theKubernetes services.After the validation, click on next to create the Kubernetes services asshowninthefollowingscreenshot:



Figure10.12:Kubernetesservicescreation

Itwilltake10to15minstocreatetheKubernetesservices.Afterthis,wewillbeabletousetheservicesasperourrequirements.

ConclusionInthischapter,wediscussedthecreationandconfigurationofAzureContainerandKubernetes.Wealsocovered theKubernetes resources,how tosetupandconfigure the container and Kubernetes, and how it will help you and thecustomertomanagethelargerapplications.Inthenextchapter,wewilldiscussAzureappservicesandseehowtocreateanddeploy the app services in yourAzure environments.Wewill also discuss theconfiguration part on WebApps which will help you to learn the WebAppsservicesmoreeasily.

ReferencesContainer: https://azure.microsoft.com/en-in/overview/what-is-a-container/Kubernetes: https://docs.microsoft.com/en-us/azure/aks/intro-kubernetesContainer services: https://azure.microsoft.com/en-in/product-categories/containers/Kubernetes services: https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-kubernetes-service/2-what-is-azure-kubernetes-serviceDeployanAzureKubernetesService(AKS)clusterusingtheAzureportal:https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal


https://azure.microsoft.com/en-in/overview/what-is-a-container/

https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes

https://azure.microsoft.com/en-in/product-categories/containers/

https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-kubernetes-service/2-what-is-azure-kubernetes-service

https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal

I

CHAPTER11CreatingandConfiguringWebApps

n this chapter, we will discuss the benefits of Azure app services, how tocreatetheappservices,andhowtoconfiguretheappservicesplan.Wewill

alsodiscuss theAzureappsservicescomponentsandhowtousethewebappsslotandcustomdomainconfiguration.WewilldiscusshowtosecureyourAzurewebapps.


AppservicesCreateandconfigureappservices

CustomdomainconfigurationAppservicesecurityAppservicebackup

ObjectivesThemainobjectiveof thischapter is to learnaboutAzureappservicesand itsusecases.Wewilldiscussthepropertiesofitsappservicesandseehowtocreateand configure the app services using the Azure portal. So, the customer canutilizetheAzureappservicesbasedontheirrequirements.

AppserviceAzure app services are HTTP-based services which are used to host theapplication similar to your on-premise IIS server. We can develop ourapplication using .NET, .NET Core, Java, Ruby, Node.js, PHP, or Pythonlanguage.Theappservicesautomaticallymanagethepatches,OS,andlanguageframework.


AppservicesplanTheappservicesplandefines theSKU/sizeof theAzureappservices instancebased on the app services plan. You will be able to utilize the features likecustomdomain,VNet-integration,loadbalancing,andsizeofappservicessuchas2GBand100ACU,andsoon.Letusseehowtocreatetheappservicesplan:

1. Clickonthe+Createaresourceoption.2. SearchforAppServicePlan.3. ClickonCreateasshowninthefollowingscreenshot:

Figure11.1:Appserviceplan

Beforewecreate theappservicesplan, letusseehowmanyplanswehave inappservicesanditsusage:

Sharedcompute:Inthisplan,youwillgetthefreeappsservicesplanandsharedservicesplanwhichcanbeusedforthedev/testpurposeasshowninthefollowingtable:

Selectedfeatures Free Shared

Web,mobile,orAPIapps 10 100

Diskspace 1GB 1GB

Autoscale NA NA

Deploymentslots NA NA

Maxinstances NA NA

Table11.1:Webservicessharedplan

Dedicatedcompute: It is used for production purpose. In this plan, you


willgetabasic,standard,premium,andpremiumV2tier.Thiscanbeseeninthefollowingtable:

Selectedfeatures Basic Standard Premium

Web,mobile,orAPIapps Unlimited Unlimited Unlimited

Diskspace 10GB 50GB 250GB

Autoscale NA Supported Supported

Deploymentslots NA 5 20

Maxinstances Upto3 Upto10 Upto30

Table11.2:Webservicesdedicatedplan

Isolated: It will provide the dedicated VM instance which is integratedwith the dedicated VNet. It provides complete isolation as well. Take alookatthefollowingtable:

Selectedfeatures Isolated

Web,mobile,orAPIapps Unlimited

Diskspace 1TB

Autoscale Supported

Deploymentslots 20

Maxinstances Upto100

Table11.3:Webservicesisolatedplans



Figure11.2:Appservicesplansize

OnceyouclickonCreateappservice,followthegivensteps:

1. Selecttheresourcegroup.2. Pleaseprovidethenameoftheappservice.3. PleaseselecttheOS:Windows/Linuxasperyourrequirements.4. PleaseclickonReview+createasshowninthefollowingscreenshot:


Figure11.3:Appserviceplancreation

OnceyouclickonReview+create,yourappserviceplanwillbecreatedin5to10minutes.

CreateandconfiguretheappserviceLetusnowcreate theappservicesaswehavealreadycreatedandunderstoodtheappservicesplan.Todothis,followthegivensteps:

1. Clickon+Createaresource.2. SearchforAzureappservices.3. ClickonWebAppasshowninthefollowingscreenshot:


Figure11.4:Webapp

4. OnceyouclickonWebApp,providethefollowingdetailstocreatethenewappservices:

SubscriptionResourcegroupProvidethenameoftheinstancePublish can be Code or Docker Container as per yourcustomer/projectrequirements

5. Selecttheruntimestackas..NETCORE3.1(LTS).6. SelecttheOS;eitherWindowsorLinux.7. Selecttheregion.8. ClickonwindowssizeorAppServicePlaninappservices.Takealook

atthefollowingscreenshot:


Figure11.5:Webappdetails

9. ClickonNext:Monitoring>andselecttheMonitoringtabandcreateanewapplicationinsightformonitoringofappservices.

10. Oncethisisdone,clickonReview+create,andafter10minutes,yourappserviceswillbecreated.Takealookatthefollowingscreenshot:


Figure11.6:Webappcreation

CustomdomainconfigurationAcustomdomain isused toconfigureyourowncustomdomain foryourwebapps.Forexample,ifyouwanttoconfigurethexyz.comtobpb.com,thenyouneedtoconfigurethecustomdomain.Now,wewillconfigure thecustomdomain forappservices.Please follow thegivensteps:

1. GotoAppService.2. ClickonCustomdomains.3. Clickon+Addcustomdomain.4. Providethecustomdomainname.5. ClickontheValidatebutton.

OnceyouclickonValidate, add theArecord andTXTrecord in your publicdomainregistrationtovalidate,andthentrytovalidate.Iwillsuccessfullyvalidateafterthat,andnowyoucanconfiguretheAzurewebappsservices.Takealookatthefollowingscreenshot:


Figure11.7:Customdomain

AppservicessecurityThe app services security will help you to reduce the attack and enable theauthenticationtoyourwebappsforyourusers.Forexample,youcanintegrateitwithAzureAD,Facebook,Microsoftaccount,Google,andTwitteraccount.Formoredetails,pleasetakealookatthefollowingscreenshot:


Figure11.8:Authentication

WecanevenenabletheTransportLayerSecurity(TLS)toservicesandaddtheTLS/SSL certificate binding for theHTTPS configuration under the TLS/SSLsettingsconfiguration.

TLS:Itstandsfortransportlayersecuritywhichisdesignedtoprovidetheprivacyanddatasecurityofcommunicationovertheinternet.SSL: It is a secure socket layer that helps to protect the connectionbetween the server and client while encrypting the link. The examplesinclude websites, main servers, browsers, and so on. Take a look at thefollowingscreenshot:

Figure11.9:TLS/SSLsettings

AppservicesbackupIfyouneedtoenablethebackupofAzureappservices,itisnotsimpletoenableitdirectlyfromthebackupvault,buttheappservicescanusethebackupvaultwith their configuration. Please follow the given steps to configure the appservicesbackup:

1. GotoAppService.2. ClickontheBackupsoption.3. ClickonBackuptoconfigureashighlightedinthefollowingscreenshot:


Figure11.10:Appbackup

4. ClickontheStoragetabandselectthestorageaccountforbackup.5. SelecttheOnbuttonforenablingthebackup.6. Setupthebackupfrequency.7. Pleasementionthebackupschedulestart.8. Selecttheretentionperiod.9. Clickon theSave button, andyour app servicesbackupwillbe enabled.

Takealookatthefollowingscreenshotformoredetails:


Figure11.11:Appbackupconfigure

ConclusionInthischapter,wediscussedtheAzureappservicesandappservicesplan.Wealso discussed how to configure the Azure app services backup and customdomain.Wecoveredtheappservicessecurityaswellinthischapter.Inthenextchapter,wewilldiscusshowtointegratetheon-premisesnetworktoAzureusing thesite-to-siteconnectionandexpress route.Wewill alsodiscusstheVNet-to-VNetpeeringandmore.

ReferencesApp service overview: https://docs.microsoft.com/en-us/azure/app-


https://docs.microsoft.com/en-us/azure/app-service/overview

service/overviewWeb apps: https://docs.microsoft.com/en-us/rest/api/appservice/webappsCreate an ASP.NET core web app in Azure:https://docs.microsoft.com/en-us/azure/app-service/app-service-web-get-started-dotnetCreate a web app in an app service environment v1:https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a-web-app-in-an-ase


https://docs.microsoft.com/en-us/rest/api/appservice/webapps

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-get-started-dotnet

https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a-web-app-in-an-ase

I

CHAPTER12ConfiguringVirtualNetworkingand

IntegratingOn-PremisestoAzureNetwork

n this chapter, we will discuss the networking services and use theircomponentssuchastheAzurevirtualnetworkandseehowtocreateanduse

theseservices.WewillalsocovertheVNetpeeringthatcanbeusedtoconnecttoVNet,howtoconfiguretheVNet-to-VNetconnectivityandtheAzurevirtualnetwork gateway. Let us start with all of these topics and learn how to usenetworkingservices.


AzurevirtualnetworkExpressRouteconnectionExpressRouteconfiguration

ObjectivesIn this chapter, you will learn how to define the network in your AzuresubscriptionusingAzureVNetandsubnet.Wewilldiscusshowtoconfigureasite-to-site connection and on-premises to Azure connectivity usingExpressRoute.

AzurevirtualnetworkAn Azure virtual network is defined as the Azure network within yoursubscription.VNetintegrationenablesyoutoaccessAzureresourceslikeAzurevirtual machine, SQLDB, and so on securely to the Azure network or on-premises network. It is just like your on-premises network that you have


configured and have access to in your data center. Please take a look at thefollowingcomponentsthatarerequiredtocreatethevirtualnetwork:

Addressspace:An address space is nothing but a range of your virtualnetworkIPaddress.Subnet:A subnet is a collectionof the IP addresswhich canbeused toassign an Azure virtual machine. Please take a look at the followingdiagram:

Figure12.1:Azureaddressspaceandsubnet

AzurevirtualnetworkcreationIfyouneedtocreatetheAzurevirtualnetwork,thenfollowthegivensteps:

1. Logintotheportal.2. GotoAllservicesandclickonNetworking.3. SelectVirtualnetworksasshowninthefollowingscreenshot:

Figure12.2:Azurevirtualnetwork


4. Providethevirtualnetworkname.5. Mentiontheaddressspaceasperyourrequirements.6. Selectthesubscription,location,andresourcesgroup.7. Providethenameofthesubnet.8. Then,providetherangeofthesubnetwithintheaddressspacerange.9. ClickonCreate,andafterthat,itwilltakesometimetocreatethevirtual

network.Pleasetakealookatthefollowingscreenshot:


Figure12.3:Azurevirtualnetworkdetails

Once thevirtual network is created, youcan see the followingdetails asshowninthefollowingscreenshot

Figure12.4:VNetconfiguration

AzureVNetpeeringTheAzurevirtualnetworkcanbeusedtoconnecttwodifferentvirtualnetworks.ItprovidesaseamlessconnectivityfromtheMicrosoftbackboneinfrastructure.VNetpeeringcanconnecttwodifferentVNets,anditprovideslow-latencyandhigh-bandwidth.AzureVNetpeeringareoftwotypes:

VNetpeering:Itisusedtoconnecttwovirtualnetworkswithinthesameregion.GlobalVNetpeering: It is used to connect two virtual networks acrossregions.

Pleasetakealookatthefollowingdiagram:

Figure12.5:VNetpeering


Now, we have understood the use of Azure VNet peering, so let us nowunderstandhowtocreatetheAzureVNetpeering.SupposeifyouhavemultipleVNetsfromvariousenvironmentsandyouwanttocommunicatewith all theVNets, then you can haveVNet peering. ForVNetpeering, we require a minimum of two VNets either in the same region ordifferentregion.LetusseehowtocreatetheVNetpeering:

1. Log in to the portal and choose the two VNets in which you want toconfiguretheVNetpeering.

2. SelecttheVNetyouwanttopeer.3. PleaseselecttheVNet.4. UndertheSettingstab,selectthePeeringsoption.5. Clickon+Add.TakealooktoconfiguretheVNetpeeringasshowninthe


Figure12.6:VNetpeeringconfiguration

6. ProvidetheVNetpeeringname.7. Select thedeploymentResourcesmanager asdefault.The classicmodel

canbeusedifyouhaveresourcesintheclassicmode(it isanoldmodelandMShasstoppedsupportingthismodel).

8. Then, select the secondvirtual network name from the drop-downmenuforwhichyouwanttoenabletheVNetpeering.


9. Provide the name of VNet peering again for the second VNetconfiguration.Takealookatthefollowingscreenshot:

Figure12.7:VNetpeeringconfigurationdetails

10. Pleaseselect theconfigurationsetting toenable toallow theVNet trafficfromVNet1toVNet2.YoucanevenenabletrafficfromVNet2to1ifrequiredbyyourorganization.ThegatewaytransitisonlyrequiredifVNetisconfiguredwithavirtualnetworkgateway.

11. ClickontheOKbuttontoconfigureit.12. OnceyouclickonOk,itwilltakesometimetoconfigure,anditwillallow

trafficinboththeVNets.Refertothefollowingscreenshot:


Figure12.8:VNetpeeringconfigurationsettings

13. OncetheVNetpeeringisdone,verifytheconnectivityunderthePeeringssectionasshowninthefollowingscreenshot:

Figure12.9:VNetconnectivityverification

VirtualnetworkgatewayTheAzurevirtualnetworkgatewayisusedtosendtheencryptedtrafficfromtheAzurenetwork to theon-premisesnetwork. Inotherwords, it isused tocreateconnectivity between the Azure and on-premise network. A virtual network


gateway isused to send theencrypted trafficover theMicrosoftnetwork. Inasingle VNet, you can configure only one VPN gateway, and if you want toconnectfrommultipleconnections,thenyoucanusethesameVPNgateway.Fortheconfiguration,thefollowingarepre-requisites:

AzureVNetYoumight need a gateway subnet under the sameVNet if you want toconfigurethevirtualnetworkgateway.You might need a gateway in which you can choose either a VPN orexpressroutebasedonyourrequirements.ItrequiresapublicIPaswell.

Before we create the virtual network, please make sure to understand theconnectivity you want to use. If you need VNet-to-VNet and site-to-siteconnection,youcanusetheVPN,butifyouwanttoconfigurewiththeexpressroute,thenselectthegatewaytypeasEXPRESSROUTE.LetusseehowtoconfiguretheAzurevirtualnetworkgateway:

1. Please go to the marketplace and search for the Azure virtual networkgateway.

2. Select Virtual network gateway and click on Create. The followingscreenshotshowstheVNetnetworkgatewaycreation:

Figure12.10:VNetnetworkgatewaycreation

3. Providethesubscriptionandresourcegroupnameofyourvirtualnetworkresources.

4. Then,providethevirtualnetworkgatewaynameandregionforwhichyouwanttocreatetheVNetgateway,anditwillprovidethesamelocationasyourVNet.


5. ChoosetheVNetgatewaytypeasfollows:

VPN: It is used to connect the VNet-to-VNet and site-to-siteconnectivity.Expressroute:Ifyouareplanningfortheexpressrouteconnectivity,thenpleaseselect theexpressroutegatewaytype.Iwillexplainthislaterinthischapter.TheVPNtypeisexplainedasfollows:

Policy-based: It is a combination of both the networks andbasedonthefirewallpolicy.Itwillfiltertheencrypted/decryptedtraffic. It is a built-in firewall device which performs trafficfiltering.Inanotherway,itisastaticVPNdeviceconfigurationandithassomelimitations.Pleasetakealookatthefollowingdiagram:

Figure12.11:VPNtypepolicy-based

Route-based:Inthisscenario,VPNdevicesareusedtosendthetrafficorroute/filterthetrafficfromanydevicetoanydeviceorinternetbyan IPsec tunnel.Please takea lookat the followingdiagram:


Figure12.12:VPNtyperoute-based

6. Please select the VPN SKU; it is nothing but a VNet device capabilityconfiguration. For more details, please take a look at the followingscreenshot:

Figure12.13:VPNSKU

7. Onceyouprovideallthedetailsandselecttheoption,itwilllooklikethefollowingscreenshot:


Figure12.14:VPNgatewayconfiguration

8. SelectthegenerationwhichisGeneration1,andletitbethedefault.9. Selectthevirtualnetworkfromthedrop-downmenu.10. ProvidethepublicIPnameoruseanexistingone.11. SelectEnableactive-activemodewhichwillbethedefaultvalue,butif

youwant to configure it, then you need to add another public IP in theconfiguration.

12. SelectthedefaultoptioninConfigureBGPASNasDisabled.13. ClickonReview+create.Pleasetakealookatthefollowingscreenshot:


Figure12.15:VPNgatewaycreation

Itwilltakeup30to45minutestocreateaVNetgateway.Onceitgetscreated,youcanconfigurethesite-to-siteVPNandVNet-to-VNetconnectivity,andwewillexplainthisinthenextsection.Now,letusseehowtoconfiguretheVNet-to-VNetgateway.TheVNetgatewayis required tobecreated forboth theVNets, and it isused toconnect the twosubscriptionsandtwodifferentregions.

Site-to-siteVPNTheAzuresite-to-siteVPNisusedtoconnecttheAzurenetworktoon-premisesdatacentersovertheIPsecIPsec/IKE(IKEv1orIKEv2) tunnel.Itrequiresanon-premises VPN device to configure an S2S connection. Take a look at thefollowingdiagram:


Figure12.16:Azuresite-to-siteVPN

Tocreateasite-to-siteVPN,itrequiresthefollowingrequirementlist:

AzureVNetVNetgatewayLocalnetworkgatewayConnectionOn-premisesVNetconnection

Local Area network Gateway: It represents the hardware or software VPNdeviceinyourlocalnetwork.Wecanusethiswithaconnectiontosetupasite-to-site VPN connection between an Azure virtual network and your localnetwork.AsIhavementionedallthestepstocreatetheVNetandVetgateway,letusnowseehowtocreatealocalareanetwork:

1. PleasegotomarketplaceandsearchforLocalnetworkgateway.Takealookatthefollowingscreenshot:


Figure12.17:Azurelocalareanetworkgateway

2. Pleaseprovidethelocalgatewayname.3. PleaseprovidethepublicIPaddressofyouron-premisesVPNdevices.4. Pleaseprovidetheaddressrangeoftheon-premisesnetwork.5. Pleaseprovidetheresourcesgroup,name,andlocation.6. PleaseclickonCreate.Takealookatthefollowingscreenshot:


Figure12.18:Azurelocalareanetworkgatewaydetails

Oncethelocalareanetworkgatewayiscreated,pleasecreatetheconnectionandconfigurethesite-to-siteVPN.

Site-to-siteVPNconnectioncreationOnceyouconfigurethesite-to-siteVPN,performallthegivensteps:

1. PleasegotothemarketplaceandsearchforConnection.2. ClickonConnection.3. ClickonCreate.Pleasetakealookatthefollowingscreenshot:


Figure12.19:AzureS2Sconnectioncreation

4. OnceyouclickonCreate,followthegivensteps:

a. PleaseselecttheconnectiontypeasSite-to-site(IPsec),VNet-to-VNet,orExpressRoutefromthedrop-downmenu.

b. Selectthesubscription.c. Pleaseselecttheresourcegroup.d. Selectthelocation.Pleasetakealookatthefollowingscreenshot:

Figure12.20:AzureS2Sconnectionbasicdetails

5. GototheSettingstabandperformthefollowingsteps:

a. PleaseselecttheVNetgatewayinyourspecificregion.b. Selectthelocalareanetworkgatewayaswecreatedearlier.c. Providethenameoftheconnection.


d. Provide the passkey. It can be created in your on-premises VPNdeviceorAzureconnections.

e. SelecttheprotocolIKEv2andletitbethedefaultvalue.f. ClickonOK.Pleasetakealookatthefollowingscreenshot:

Figure12.21:AzureS2Sconnectionbasicdetails

6. In Summary, please verify the details and click on OK to create theconnection.Pleasetakealookatthefollowingscreenshot:


Figure12.22:AzureS2Sconnectionsummary

7. Oncetheconnectioniscreated,youwillseethestatusconnectinganddatainandout.Itwilltakesometimetoconnect,andafterthat,youneedtoaskyour network team to create the S2S tunnel in your on-premises VPNdeviceaswell.Pleasetakealookatthefollowingscreenshot:

Figure12.23:AzureS2Sconnectionsummary

Now,youcancreateanS2Sconnection.LetusseehowtocreatetheVNet-to-VNetconnectivity.

VNet-to-VNetconnectivitycreationLetusseehowtocreatetheVNet-to-VNetconnectivity.YouwouldrequirethefollowingconfigurationbeforeyousetuptheVNet-to-VNetconnections:

AzureVNetYouwouldneedtwoVNetgatewaysforboththeVNetsConnection

Onceyousetuptheprecedingcomponents,followthegivenstepstocreatetheconnections:

1. Pleasegotothemarketplaceandsearchforaconnection.2. Then, click on the connection to create the VNet-to-VNet connection.



Figure12.24:AzureVNet-to-VNetconnectionsummary

3. SelecttheconnectiontypeVNet-to-VNent.4. Selectthesubscriptionandresourcesgroup.5. Select the locationas(US)EastUS. Please take a look at the following

screenshot:

Figure12.25:AzureVNettoVNetconnectionbasicsettings

6. PleaseselectthesourceanddestinationVNetgateway.7. Pleaseprovidethenameoftheconnections.8. Pleaseprovidethesharedaccesskey.9. ClickonOK.Pleasetakealookatthefollowingscreenshot:


Figure12.26:AzureVNet-to-VNetconnectionsettings

10. Pleaseverify theSummary section andclickonOK to create theVNet-to-VNetconnections.Refertothefollowingscreenshot:

Figure12.27:AzureVNet-to-VNetconnectionsummary


11. Once the VNet connection is created, you can see that the status isConnected.Pleasetakealookatthefollowingscreenshot:

Figure12.28:AzureVnet-to-VNetconnectionstatus

Now,welearnedhowtoconfigurethesite-to-siteconnectionandVNet-to-VNetconnectivity.Inthenextsection,Iwilldiscusstheexpressrouteandsetuptheexpress route connection which is almost the same we did in the site-to-siteconnectivity.

ExpressRouteconnectionExpressRoute is a direct, dedicated connection from yourWAN (not over thepublic internet) toMicrosoft servicesandAzure.Wecanconfigure the site-to-siteVPNandExpressRoute connections for the samevirtual network for loadbalancingorhighavailability.Wecanconfigureasite-to-siteVPNasasecurefailoverpathforExpressRouteorusesite-to-siteVPNstoconnecttositesthatarenotpartofyournetwork,butthat are connected through ExpressRoute. Please take a look at the followingdiagramthatshowsExpressRoute:

Figure12.29:ExpressRoute


ExpressRouteconfigurationNow,wewilldiscusshowtoconfiguretheexpressroute.Forthis,werequirethefollowing:

AzureVNetExpressRoutecircuitVNetgatewaywithExpressRouteConnection

IhaveexplainedhowtocreateanAzureVNetandVNetgateway.LetusnowseehowtoconfiguretheExpressRoutecircuitinAzure:

1. Pleasesearchforexpressroutefromthemarketplace.2. Clickon+Add.3. Pleaseprovidetheexpressroutecircuitname.4. PleaseprovidethenamethatwillbeyourISPprovidernamelikeAirtel,

AT&T,andsoon.5. Pleaseselectthepeeringlocationfromthedrop-downmenu.6. Pleaseselectthebandwidth50Mbpsto10Gbps.7. Then,clickoncreate.



Figure12.30:ExpressRoutecircuit

8. OncetheExpressRoutecircuitiscreated,followthesite-to-siteconnectionsteps and select the ExpressRoute circuit name. Then, create theconnections.

Note:ISPproviderscanconfigure theon-premisesexpressroutesetupandthecircuitcreationwillbedonebyyourISPandwithyournetworkteam.

ConclusionIn this chapter, we discussedVNet and how to set up theVNet gateway andconfigure the site-to-site connection, express route, and VNet-to-VNetconnections. In the next chapter, we will discuss the Azure network securitygroupandIPaddresstypes.WewillalsodiscusshowtocreateandconfiguretheAzure securitygroup rulesandhow toassociate a subnetNSGwithVMsand


subnets.

ReferencesConfigure a VNet-to-VNet VPN gateway connection using PowerShell:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-psWhat is an Azure virtual network: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overviewConnectAzureVPNgatewaystomultipleon-premisespolicy-basedVPNdevices using PowerShell: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-psVPN gateway: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngatewaysVirtualnetworkpeering:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overviewModify local network gateway settings using the Azure portal:https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overviewExpressRoute connectivity models: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-modelsExpressRoute circuits and peering: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-modelsFormoredetails,visitAzure4youblogpost:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-ps

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-models

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-models


I

CHAPTER13ConfiguringLoadBalancing

nthischapter,wewilldiscussAzureDNSandlearnhowtocreatepublicandprivateDNSzones.WewillalsodiscusstheAzureloadbalancerandseehow

tocreateandconfiguretheAzureloadbalancerandDNS.WewillalsocovertheAzureapplicationgatewayandtrafficmanager.


AzureDNSConfigurethecustomDNSsettingsConfigureprivateandpublicDNSzonesConfiguretheinternalloadbalancerConfigureloadbalancingrulesConfigurethepublicloadbalancerTroubleshootloadbalancingApplicationgatewayTrafficmanager

ObjectivesInthischapter,youwilllearnhowtoconfigureandsetuptheloadbalancerforAzure VMs/applications using the Azure load balancer, Traffic manager, andapplicationgateway.WewillalsocoverAzureDNSandseehowtocreateyourcustomAzureDNSandconfigureit.

AzureDNSAzureDNS is a hosting service that provides theDNS domain and the nameresolutionsusing theAzure infrastructure.Youcanhost thedomains inAzure


andmanagetherecords.UsingAzureDNS,youcannotbuythecustomdomain.Tobuythedomainname,youneedtousethird-partydomainregisternamesiteslikegodaddy.com,andsoon.AzureDNSmanagestheAzurerecords,andwecanuseitforexternalresourcesaswell.AzureDNSisan integratedpartof theAzureportaland it isusedforAzureserviceslikebilling,supportcontract,andsoon.The following are the details of the Azure DNS delegation, zones, and DNSregistrarusage:

Zonedelegation

Azure DNS allows us to host a DNS zone and manage the DNSrecordsforadomaininAzure.AzureDNSisnotthedomainregistrar.

Domainsandzones

The domain name system is a hierarchy of domains. The hierarchystartswiththerootdomain.Top-leveldomainssuchas.com,.net,.org,.uk,or.jp.Second-leveldomainssuchasorg.ukorco.jp,andsoon.The domains in the DNS hierarchy are hosted using separate DNSzones.Zones are globally distributed and hosted by DNS name serversaroundtheworld.

DNSzone

The domain is a unique name in the domain name system, forexample,Bpbcloud.com.ADNSzoneisusedtohosttheDNSrecordsforadomain.For example, the domainrcloudweb.commay contain severalDNSrecords such as mail. rcloudweb.com (for a mail server) andwww.rcloudweb.com(forawebsite).

Domainregistrar

Thedomainregistrarisacompanywhocanprovideinternetdomainnames.Theywillverify if the internetdomainyouwant touse is available


http://www.rcloudweb.com

andallowsyoutopurchaseit.Once thedomainname is registered,youwillbe the legalownerofthedomainname.

If you already have an internet domain, you will be able to use the currentdomainregistrartodelegatetoAzureDNS.

AzureDNScreationNow,letustryandcreatetheAzureDNSservicesfromtheAzureportal:

1. Pleasegotothemarketplace.2. PleasesearchforDNSandclickonDNSzone.3. ClickonCreateasshowninthefollowingscreenshot:

Figure13.1:AzureDNScreation

4. Pleaseselectthesubscriptionandresourcegroupname.5. PleaseprovidetheDNSnameinthisformatXYZ.com.6. PleaseclickonReview+createasshowninthefollowingscreenshot:


Figure13.2:AzureDNS

OncetheDNSzonesarecreated,itwilllooklikethefollowingscreenshot:

Figure13.3:AzureDNSconfiguration

AzureDNSrecordcreationAzureDNSrecordsvarioustypesofdataandhelpstoidentifytheservicesbasedontherecords.Generally,recordsmapadomaintoitsIPaddress.Thefollowing


recordsinthetablewillhelpyoutounderstandtheusageofeachrecord:

Recordname Fullname Usage

A(IPv4)AAAA(IPv6)

Address It maps a host name like, mail.bpb.com to an IP address153.120.10.20.

CNAME Chroniclename Itisusedtopointonehostrecordtoanotherliketest.Bpb.comtoemail.Azure4you.com.

MX Mailexchange It points to the host that will receive an email from thatdomain.TheMXrecordmustbeapointtoArecordnottotheCNAMErecord.

NS Nameserver It delegates aDNS zone to the specified authoritative nameserver.

SOA Startofauthority Itdefinestheauthoritativerecordofzones.

SRV Services ItisalocationhostthatprovidesspecificserviceslikeSkype-Session Initiation Protocol (SIP), which is used in Skype,Teams,andsoon.

TXT Text Itrecordsahuman-readabletextfieldinDNS.

Table13.1:Recordnamesandtheirusage

LetustryandcreatetheAzureDNSrecords:

1. PleasegotoDNSzone.2. Pleaseclickon+Recordset.3. PleaseprovidethenameoftheArecord.4. Pleaseselectthetypeofrecordfromthedrop-downmenu.5. ProvidetheTime-to-Live(TTL)value.6. TheIPaddressoftheArecordoranyotherrecordname/IPisbasedonthe

descriptionasked.Pleasetakealookatthefollowingscreenshot:


Figure13.4:AzureDNSconfiguration

Now,wehaveshownhowtocreatetheDNSserverinAzureandexplaineditsusage.

AzureloadbalancerTheAzureloadbalancercanbeusedtodistributethetrafficacrossthebackendserver and resourceswhichwill help to scale your services and create a highavailabilityofyourservices.Itprovideslowlatencyandhighthroughput.LoadbalancerssupportTransmissionControlProtocol(TCP)andUserDatagramProtocol(UDP).Azureloadbalancersareofthefollowingtwotypes:

Internal load balancer: It is used to load balance the internal trafficbetweenAzurevirtualmachines.You canusehybrid connectivity if youwanttoloadbalancetheon-premisesVMs.Inthisloadbalancer,thereareprivateIPaddressesthatareassignedtothefront-endIPconfiguration.External load balancer: It is used for your external application whichcommunicates with the internet traffic. In this load balancer, there arepublicIPaddressesthatareassignedtothefront-endIPconfiguration.

Azure load balancers provide the following two types of Stock-keeping-Unit(SKU):

Basic:ThebasicSKUsupportsupto100instancesandthevirtualmachineshouldbeinanavailabilityset,single,orinthescaleset.Theprotocolhasbeen supportedonTCPandUDP. It doesnot supportTCP reseton idle,


SLA,multiplefront-endandavailabilityzone,andsoon.Standard:ThestandardSKUsupportsupto1000instancesandthevirtualmachine should be in an availability set, single or in a scale set. TheprotocolhasbeensupportedonTCP,HTTP,andHTTPS.ItsupportsTCPresetonidle,SLA,multiplefront-endandavailabilityzone,andsoon.

AzureinternalloadbalancerLet us try to create an Azure private load balancer and understand itscomponents.BeforeyoucreateanAzureinternalload,youneedanAzurevirtualnetworktobecreatedandAzurevirtualmachineinanavailabilitysetorsingleVMswhichcanbeusedtoassociatewiththeAzureinternalloadbalancerbackendpool:

1. PleasegotothemarketplaceandsearchforanAzureloadbalancer.2. ClickonCreateasshowninthefollowingscreenshot:

Figure13.5:Azureloadbalancer

3. Pleaseselectthesubscriptionforwhichyouwanttocreateaninternalloadbalancer.

4. Pleaseselecttheappropriateresourcegroup.5. Pleaseprovidethenameoftheloadbalancer.6. Selecttheregionforwhichyouwanttodeploytheloadbalancer.7. Please select the load balancer type: internal or external based on your

project.8. PleaseselecttheSKUtypeasBasic.


9. Pleaseselectthevirtualnetworkandsubnet.10. PleaseselecttheIPaddressassignment.Letitbethedefault,butifyouare

deployingforproduction,pleaseselectStaticinsteadofDynamic.11. PleaseclickonReview+createasshowninthefollowingscreenshot:

Figure13.6:Azureloadbalancercreationdetails

12. Onceyouclickoncreate,theAzureloadbalancerwillbecreatedafter10to15minutes.Onceitiscreated,itwilllooklikethefollowingscreenshot.Letusseehowtoconfigurethebackendpool,healthprobe,loadbalancingrule,NATrule,andsoon:


Figure13.7:Azureloadbalanceroverview

Front-endIPconfigurationAllthetrafficwillcomefirsttothefront-endIPaddressedanditwilldistributethetrafficbasedonthebackendpoolconnectivityandtheloadbalancersrule.Performthefollowingsteps:

1. Go to the load balancer and selectFront-end IP configuration undertheSettingstab.

2. Clickon+Add.3. Providethenameofthefront-endloadbalancer.4. Selectthesubnetfromthedrop-downmenu.5. ClickonAddtoaddthefrontendIP.

By default, when you create the load balancer, an automatic front-end IPconfigurationwill be configured, but if youwant to add the front-end IP, youneed to follow the preceding process to add the new front-end configuration.Takealookatthefollowingscreenshot:


Figure13.8:AzureloadbalancerfrontendIPconfiguration

Onceyourfront-endIPconfigurationisdone,pleaseconfigurethebackendpool.

AzurebackendpoolTheAzurebackendpoolhasyourserverorservicesconfigurationwhichneedstobeload-balancedanditroutesthetrafficfromthefront-endIP.Itshouldbeasinglevirtualmachineorscalesettoconfigureit.

1. Providethebackendpoolname.2. Selectthevirtualmachineorscalesetyouwanttoassociate.3. SelectthevirtualmachineandtheIPaddressfromthedrop-downmenu.4. Clickon+Addasshowninthefollowingscreenshot:


Figure13.9:Azureloadbalancerbackendpoolconfiguration

HealthprobesIt helps us to find the failure of the application on the backend endpoint.Thehealthprobehelpstofindoutwhentosendthenewtrafficflowtothebackendendpointjustlikeabusy/freestatus.Ifthebackendendpointstatusfails,itstopsanddoesnotsendanynewtrafficflowtothatinstance.Letuscreatethehealthprobefortheloadbalancerconfiguration:

1. PleasegotoHealthprobesundertheSettingstab.2. Pleaseclickon+Add.3. Pleaseprovidethenameofthehealthprobe.4. PleaseselecttheTCP/UDPprotocolfromthedrop-downmenu.5. LettheIntervalbesettothedefaultvalue,whichmeansthehealthprobe

willcheckthebackendendpointstatusinaspecifictimeasconfiguredintheinterval.


6. Pleaseconfiguretheunhealthythresholdasperyourprojectrequirements.Itmeans that if it continuously fails for two times ormore, then it willconsiderthebackedendpointstatusasfailedandstopsendingthetraffic.

7. ClickonOKtoaddthehealthprobe.Pleasetakealookatthefollowingscreenshot:

Figure13.10:Azureloadbalancerhealthprobeconfiguration

8. PleaseclickonLoadbalancingrulesundertheSettingstab.9. Pleaseprovidetherulename.10. PleaseprovidetheprotocoltypeTCP/UDP.11. Pleaseprovidetheportnumberandbackendportofservices.12. Pleaseselectthebackendpoolandhealthprobe.13. Pleaseselectthesessionpersistenceandidletimeout.14. PleaseclickontheOKbuttontocreatealoadbalancingrule.

Takealookatthefollowingscreesnhot:


Figure13.11:Azureloadbalancerruleconfiguration

Now,yourloadbalanceconfigurationhasbeencompletedandyourserviceswillusetheAzureloadbalancercapability.

ApplicationgatewayAn application gateway is an application layer (OSI layer 7) load balancing,which helps theweb traffic load balancer to enable themanagement traffic toyourwebapplications.TheapplicationgatewaycanmaketheroutingdecisionaspertheHTTP/HTTPSrequesttoroutethetraffictotheURIpathorthehostVM.TheAzure applicationgatewaycando theURL-based routing. It provides thefollowingfeatures:

Secure sockets layer (SSL/TLS) termination: In this feature, theapplicationgatewayprovidesanSSL/TLSterminationatthegatewayandafterthat,trafficwillflow(encrypted)tothebackendservers/applications.Autoscaling:Theapplicationgatewaystandard_v2supportsandprovides


an autoscaling feature that helps to scale up and down the applicationgatewayifthereareanychangesinthetrafficload.Zone redundancy: The application gateway standard_v2 supportsmultiplezonesavailability.StaticVIP: The application gateway standard_v2 supports a staticVIPwhichmeans itwillmake sureyourVIPassociatedwith this applicationgatewaydoesnotchange.Webapplicationfirewall: Itprovidescentralizedprotection toyourwebapplicationforcommonvulnerabilities.ItisbasedontheOWASP3.1,3.0,and2.9. Ithelpsyouprotect fromSQLinjection, scriptingattack,andsoon.URL-basedrouting:ThisURL-basedroutingallowsyou to route trafficto the backend server pool based on your URL path. Let us sayhttps://bpb.com/videoorhttps://bpb.com/images,andsoon.Multiple-site hosting: We can host up 100 web applications in oneapplication gateway, and each application can be directed to its backendpool.Redirection:ItprovidestheHTTP/HTTPsbasedredirectiontomakesureall the communication between users and its application has beenencrypted.Sessionaffinity: The cookie-based session provides the feature – if youwanttheusersessiononthesameserverforprocessingtherequest.Pleasetakealookatthefollowingdiagram:

Figure13.12:Applicationgateway

Letusseehowtocreatetheapplicationgatewayandconfigureit:


https://bpb.com/video

https://bpb.com/images

1. PleaseclickonCreatearesource.2. SearchforApplicationgateway.3. Clickon theCreatebutton tocreateanapplicationgatewayasshown in


Figure13.13:Applicationgatewaycreation

Onceyouclickontheapplicationgatewaycreation,followthegivensteps:

1. Select the subscription for which you want to create an applicationgateway.

2. Createorselectanexistingresourcesgroup.3. Providetheapplicationgatewaynameasperyourorganization’sstandard.4. Selecttheregion.5. Selectthetier:

Standard:This standard tierdoesnot supportautoscalingandzoneredundancy.Standard V2: This standard tier supports autoscaling and zoneredundancy.WAF:ItsupportsWAF2.9and3.0.WAFV2:ItsupportsWAF3.1.

6. ProvidetheautoscalingasYesorNo.Ifyes,thenprovidetheminimumandmaximumscaleunit.

7. Provide the virtual network and subnet which does not have a routingtable.

8. Once you provide all the details as shown in the following screenshot,pleaseclickonNexttoconfigurethefront-endconfiguration:


Figure13.14:Applicationgatewaybasic

The application gateway front-end is where all the reapplication traffic willarriveandthengetroutedtoyourapps.Let us configure the front-end IP configuration and follow the givenconfiguration:

Public: If you have a public-facing application, then select Public and


configurethepublicIP.Private:Ifyouhaveyourinternalapplication,thenconfigurethePrivateoption.Both: If youwantyou to configureyourpublic and internal application,thenselectBoth.Pleasetakealookatthefollowingscreenshot:

Figure13.15:Applicationgatewayfront-endconfiguration

Once you are done with this configuration, please select the backendconfiguration.Theapplicationbackendpool iswhereyourapplication/hosthasbeenconfiguredtoroutethetrafficbasedonyouruserrequest.

1. PleaseclickonAddabackendpool.2. Providethenameofthebackendpool.3. Please selectYes orNo inAddbackendpoolwithouttargets. If yes,

pleaseprovidethebackendpoolconfigurationasfollows:

IPaddressorFQDNnameVirtualmachine


VMMSAppservices

4. Onceyouselectthis,pleaseclickonNextfortheconfigurationasshowninthefollowingscreenshot:

Figure13.16:Applicationgatewaybackendconfiguration

5. Once you are done with the backend configuration, let us look at theconfiguration part where you need to set up the routing rule for yourapplication.

Wewill nowconfigure theHTTP/HTTPS listener andbackend routing rule toredirectthetraffic.Letusjustconfigurethelistener:

1. Providethenameofthelistener.2. Selectthefront-end.3. SelecttheprotocolHTTPorHTTPSandport80or443.4. SelectthelistenertypeasMultisiteifyouareplanningtoaddmultiple

sitesorselectBasic.5. SelecttheerrorpageURLasshowninthefollowingscreenshot:


Figure13.17:Applicationgatewaylistener

Aswehaveconfiguredthelistener,wewillnowconfigurethebackendtarget:

1. Providetherulename.2. Select the target type either as Backend pool or Redirection based on

yourrequirements.3. Select the backend pool from the drop-down menu as shown in the



Figure13.18:Applicationgatewaybackendtarget

4. PleaseclickonHTTPsettingsandclickonAddnew.5. ProvidetheHTTPsettingname.6. Selectthebackendpoolandportnumber.7. Select the cookies-based session and connection draining as per your

requirements.8. Pleaseselecttherequesttimeout.9. Ifyouneedtoconfigureanewhostnameorthecustomhostname,youcan

alsoconfigureitasshowninthefollowingscreenshot:


Figure13.19:ApplicationgatewayHTTPsetting

Oncewearedonewiththisconfiguration,clickontheTagstab.Ifyouwanttoadd the tags, please click on Review + create as shown in the followingscreenshot:


Figure13.20:Applicationgatewaycreation

When you click on the application gateway creation, the application gatewaywillgetcreatedin10to15minutes.

AzuretrafficmanagerTheAzuretrafficmanagerisaDNS-basedtrafficloadbalancerthatenablesthedistribution of traffic and provides high availability to web applications. ThetrafficmanagerusesaDNStodirect the traffic to themostappropriateserviceendpointbasedonthetrafficroutingmethod.Itprovidesthefollowingfeatures:

ApplicationavailabilityApplicationperformanceHybridapplicationDistributesthetraffictocomplexenvironments

LetuscreateanAzuretrafficmanagerandconfigureit.Pleasefollowthegivensteps:


1. PleaseclickonCreatearesource.2. Pleasesearchforthetrafficmanager.3. PleaseclickontheCreatebuttontocreatethetrafficmanagerasshownin


Figure13.21:Trafficmanagerprofilecreation

4. Pleaseprovidethenameofthetrafficmanager.5. Pleaseprovidetheroutingmethodfromthefollowingtoconfigureit:

Priority: It is usedwhenyouwant to configure theprimary site'sendpointforallthetrafficandsecondarysitesforbackup.Weighted:Weightedcanbeconfiguredwhenyouwant todistributethetraffictosetoffendpoints,accordingtotheweight.Performance: It is used when you want to route the traffic togeographic locations and you want the closest endpoint for lownetworklatency.Geographic: It is used to redirect the traffic to a specific endpointsuchasAzure,external,andsoonbasedonthegeographiclocation.MultiValue:ThiscanbeconfiguredonlywhentheendpointhasanIPv4/IPv6address.Subnet: Subnet traffic-routing is used to map sets of end-users IPaddress (subnet) ranges toaspecificendpoint in the trafficmanagerprofile.

6. Selectthesubscription.7. Selecttheresourcegroup.8. PleaseclickontheCreatebuttonasshowninthefollowingscreenshot


Figure13.22:Trafficmanagercreation

Now, we can create the traffic manager and route the traffic using variousroutingmethodsinthetrafficmanagerprofile.

ConclusionInthischapter,wediscussedtheconfigurationofAzureDNSandhowtosetupthe Azure DNS private and public zones.We also discussed the Azure DNScomponentsandrecords.WecoveredtheusageoftheAzureloadbalancerandexplainedhowtoconfigureandsetuptheAzureloadbalancer.Wecoveredtheapplication gateway and traffic manager profile. We also covered how toconfiguretheapplicationandhowtoloadbalanceandsecureyourapplication.


ReferencesAzureDNS:https://docs.microsoft.com/en-in/azure/dns/dns-overviewAzureprivateDNS:https://docs.microsoft.com/en-in/azure/dns/private-dns-overviewCreate an Azure DNS zone and record using the Azure portal:https://docs.microsoft.com/en-in/azure/dns/dns-getstarted-portalVirtual network service endpoints: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overviewAzure load balancer: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overviewCreate a standard load balancer to load balance VMs using the Azureportal: https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portalAzure application gateway: https://docs.microsoft.com/en-us/azure/application-gateway/overview#:~:text=Azure%20Application%20Gateway%20is%20a,destination%20IP%20address%20and%20portTraffic manager: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview#:~:text=Traffic%20Manager%20uses%20DNS%20to,the%20health%20of%20the%20endpoints.andtext=Traffic%20Manager%20provides%20a%20range,needs%20and%20automatic%20failover%20modelsFormoredetails,visitAzure4youblogpost:https://azure4you.com/


https://docs.microsoft.com/en-in/azure/dns/dns-overview

https://docs.microsoft.com/en-in/azure/dns/private-dns-overview

https://docs.microsoft.com/en-in/azure/dns/dns-getstarted-portal

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal

https://docs.microsoft.com/en-us/azure/application-gateway/overview#:~:text=Azure%20Application%20Gateway%20is%20a,destination%20IP%20address%20and%20port

https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview#:~:text=Traffic%20Manager%20uses%20DNS%20to,the%20health%20of%20the%20endpoints.andtext=Traffic%20Manager%20provides%20a%20range,needs%20and%20automatic%20failover%20models


I

CHAPTER14SecuringAccesstoVirtualNetworks

nthischapter,wewillexplain thenetworksecuritygroupanditsuses.Thenetwork securitygroup contains the security ruleswhich allowordeny the

inbound/outboundtrafficwithinthesubscriptionandtotheouterworld.Wewilldiscussnetworkroutesandlearnhowtherouteswillhelptodistributethetrafficasperrouterules.WewillexplainthetypesofIPaddressesandlearnhowtheycanbeassignedtoAzureVMs.WewillcovertheAzurefirewall,routetableandhowtoaccesstheVMusingAzureBastionservices.


ConfigurationofprivateandpublicIPaddressesNetworksecuritygroupRoutetableConfigureanddeploytheAzurefirewallConfigureanddeployAzureBastionservicesEvaluateeffectivesecurityrules

ObjectivesOneof theobjectives is todiscuss theAzure firewalland its features.Wewilldiscuss how you can protect your Azure network using the Azure firewall.Suppose your customer wants to connect VMs securely so this can be madepossibleusingtheAzureBastionservices.

ConfigurationofprivateandpublicIPaddressesThe public IP address can be used if you want to connect your applicationpubliclyoroutsidetheAzurenetwork.RefertothefollowingpublicIPtable:


PublicIPaddresses IPaddressassociation Dynamic Static

Virtualmachine NIC Yes Yes

Loadbalancer Front-endconfiguration Yes Yes

VPNgateway GatewayIPconfiguration Yes No

Applicationgateway Front-endconfiguration Yes No

Table14.1:PublicIPVSprivateIP

TheprivateIPaddresscanbeusedforinternalcommunicationwithintheAzurenetwork.RefertothefollowingprivateIPtable:

IPaddresses IPaddressassociation Dynamic Static

Virtualmachine NIC Yes Yes

Internalloadbalancer Front-endconfiguration Yes Yes

Applicationgateway Front-endconfiguration Yes Yes

Table14.2:IPAddressassociation

IPaddressescanbeassigneddynamicallybydefaultfromtheAzureportal,andyouhavemakethemstaticIPaddresses.LetusunderstandwhatisastaticIPanddynamicIPaddress.StaticIP isafixedIPaddress,anditcan’tbechangedevenifyourestartyourservicesanddeallocatetheVM.DynamicIPisthedynamicIPaddressthatcanbechangedifyourestartyourservicesordeallocatetheVM.Let us understand how to make changes in IP addresses, and we will try tochangedynamicIPtostaticIP:

1. PleaseselecttheAzureVMsforwhichyouwanttochangetheIPaddressfromdynamicIPtostaticIP.

2. UndertheSettingstab,clickonNetworking.3. ClickontheNICcardname.4. GototheIPconfigurationstab.5. ClickontheIPaddressontheright-handsideofthescreen.Takealookat



Figure14.1:AzureprivateIPconfiguration

6. PleasechangedynamictostaticandclickontheSavebutton.7. Aftera fewminutes,yourdynamic IPaddresswillchange to static IPas


Figure14.2:AzureprivateIPdynamicIPtostaticIP

IfyouwanttochangethepublicIPaddressfromdynamicIPtostaticIP,pleasefollowthegivensteps:

1. PleasegototheNetworkingtab.2. SelectthepublicIPaddressnameandclickonConfiguration.3. PleasechangetheselectionfromDynamictoStatic.


4. Now,yourpublicIPaddresswillchangetostaticIPaddress.Takealookatthefollowingscreenshot:

Figure14.3:AzurepublicIPdynamicIPtostaticIP

NetworksecuritygroupAzurenetworksecurityrulescontainthesetupofsecurityrulesandareusedtoallowordenytraffic inyourAzurenetwork.NSGisfollowedbytwotypesofrules which are inbound and outbound rules where you can define the portnumber,IPaddress,andsourceanddestinationforwhichyouwanttoallowordenythenetworktraffic.

Inboundrule:Thenetworktraffic thatallowstrafficfromtheinternet toyourVMiscalledaninboundruleorallowscalls/traffictoyourVMfromtheouterworld.Outboundrule:Thenetwork traffic thatallows traffic fromyourVMtothe internet is called an inboundrule or denies calls/traffic to yourVMfromtheouterworld.

Letusseehowtocreateanetworksecuritygroupandhowtoaddan inboundandoutboundrule:

1. Gotothemarketplaceandsearchforthenetworksecuritygroup.2. ClickonCreateasshowninthefollowingscreenshot:

Figure14.4:Networksecuritygroup


3. Providethenetworksecuritygroupsubscriptionandresourcegroup.4. Providethesecuritygroupname.5. SelecttheregionyouwanttocreatetheNSG.6. Click on Review + create the NSG. Take a look at the following

screenshot:

Figure14.5:Networksecuritygroupcreation

Afterafewminutes,yournetworksecuritygroupwillbecreatedanditwillbelookasfollows:

AfterthecreationofNSG,thedefaultrulewillbecreatedwiththepriorityof65000,65001,and65500.You canmaximum rules thatwill be created up to65500 notmore thanthat.Pleasetakealookatthefollowingscreenshot:


Figure14.6:Networksecuritygroupdefaultrule

LetuscreatetheinboundrulesinNSG:

1. SelectthesourceIPAddresses,virtualnetwork,orservicestag.2. ProvidethesourceIPaddress.3. Providetheportnumberyouwanttoallow.4. ProvidethedestinationasIPAddresses,virtualnetwork,orservices tag

asshowninthefollowingscreenshot:


Figure14.7:Networksecuritygroupinboundrule

5. SelecttheactioneitherasAlloworDeny.6. Providethepriority100oraboveastheNSGprioritywillstartfrom100to

65500.Lowerthepriority,highertheimportance;whichmeanstherulehaslowerpriorityas100willbeappliedfirst.

7. ProvidethenameofNSGanddescriptionandclickonAddasshowninthefollowingscreenshot:

Figure14.8:Networksecuritygroupinboundrule

Similarly,ifyouneedtocreatetheoutboundrule,youcanfollowthesamestepsasgivenintheinboundrulecreation.

NetworksecuritygroupassociationThenetworksecuritygroupcanbeassociatedwithAzureVMs,NICsandsubnetlevels.NSG when applied on the VM NIC card will have high priority. Let usunderstandthis.IfyouapplytheNSGrule3389inthesubnetwhichisallowed,butwhentrafficreachestheNICcard,NSGwhichhasthedeniedrule3389willdeny the traffic at NIC NSG level. You can allow the common ports to thesubnetandblockthespecificportinVMsNICNSG.


LetusseehowtoassociatetheNSGinthesubnet:

1. SelecttheNSGyouwanttoassociatewiththesubnet.2. ClickonSubnetsundertheSettingstab.3. Clickon+Associate.4. Selectthevirtualnetwork.5. Selectthesubnetunderthevirtualnetworkwhichyouwanttoassociatethe

NSGwith.6. ClickonOKtoprocessfurtherasshowninthefollowingscreenshot:

Figure14.9:Networksecurityassociatewithsubnet

LetusseehowtoassociatetheNSGintheNICcardoftheVM:

1. SelecttheNetworkingundertheSettingstab.2. ClickontheNICcard.3. SelecttheNetworksecuritygroupoptionundertheSettingstab.4. ClickonEditasshowninthefollowingscreenshot:


Figure14.10:NetworksecurityassociatewithVM’sNIC

5. Select the NSG and click on Save. After some time, NSG will beassociatedwith theVMsNICandyouwillbeable toseeall therulesasshowninthefollowingscreenshot:

Figure14.11:NetworksecurityinVM’sNIC

RoutetableTheAzureroutetablecanbeusedtoroutethetrafficinAzureandon-premises


network.Routeswill be createdautomaticallywhenyoucreate the subnet andassociateditwithautomatically.Youcancreatethecustomroutestodefinehowthetrafficrouteusestheroutetable.LetussayyouhaveconfiguredthefirewallinbetweentheAzureandon-premises.Youcanconfiguretheroutetableandsetthe rule that all the traffic firstwillgo to the firewall and then to the internet.Hence, you can control the network traffic in Azure and route it as per yourorganizationstandards.Now,letusseehowtocreatetheroutetableandconfigureit:

1. SearchforRoutetablesinthemarketplace.2. Clickon+Add.3. Providetheroutetablename.4. Selecttheresourcegroupnameandlocation.5. Click on Create. After some time, your route table will be created as



Figure14.12:Routetablecreation

Oncetheroutetableiscreated,itwilllooklikethefollowingscreenshot:

Figure14.13:Routetable


Now,wewillconfiguretheroutetable:

1. ClickonRoutesundertheSettingssection.2. Clickon+Add.3. Providethenameoftheroutetable.4. Providetheaddressprefixrange.5. Selectthevirtualappliance(firewall),VNet,VNetgateway,andinternet.6. ClickonAddtoaddroutes.


Figure14.14:Routetableconfiguration

7. Oncetherouteisconfigured,pleaseassociateitwiththesubnet.8. SelectSubnetsundertheSettingstab.9. Clickon+Associate.10. SelecttheVNet.11. Selectthesubnetfromthedrop-downmenu.12. Click on OK and associate the VNet. It will take some time to save the

settingsasshowninthefollowingscreenshot:


Figure14.15:Routetablesubnetassociation

ConfigureanddeploytheAzurefirewallAzure firewalls manage the Azure network security and its services which ismanagedbyavirtualnetwork. It is a fully stateful firewall asa servicewhichprovidesbuilt-inhighavailabilityandcloudscalability.TheAzurefirewallcanbecreatedcentrallyandmanagedtoenforcetherulesandlog application and network connectivity policies across subscriptions andvirtualnetworks.TheAzurefirewallisfullyintegratedwiththeAzureMonitorforloggingandanalyticspurpose.LetusseehowtocreatetheAzurefirewallandconfigureitforoursubscription:

1. GotothemarketplaceorsearchforFirewall.2. ClickontheCreatebuttonasshowninthefollowingscreenshot:


Figure14.16:Azurefirewall

WhenyouclickonCreate,followthegivenstepsandprovidethedetailsasfollows:

Subscriptionandresourcegroup.Nameofthefirewall.Regionandavailabilityzone.Ifyouwant touse anexistingornewVNet, selectoneasperyourrequirements.Providethevirtualnetworknameandaddressspace.Providethesubnet.ProvidethefirewallIPaddressandclickonReview+Create.

3. Onceyouprovideallthedetails,clickonReview+create:


Figure14.17:Azurefirewallcreation

Itwill takea fewminutes tocreate theAzurefirewall.LetusseehowwecanconfiguretheAzurefirewallrule.GototheAzurefirewallandfollowthegivensteps:

1. Providethenameoftherule.2. Providethepriorityoftherule.


3. Providethefollowingdetailsasshowninthefollowingscreenshot:

Protocol:TCP/UDP.

Sourcetype:IPaddress/IPgroup.

ProvidethesourceanddestinationIP.Providethetranslatedaddressanditsport.

Oncedone,youwillbeabletocreatetheNATrule.

Figure14.18:AzurefirewallNATrulecreation

Once we configure the NAT rule, it will allow the Remote Desktop Protocol(RDP)accesstotheservices.Let us try to configure an application rule which helps to allow the URL orspecific domain URL services such ashttp://www.microsoft.com,.*windows.net,andsoon.

1. Providethenameoftherule.2. ProvidethepriorityoftheruleandactionaseitherAllow/Deny.3. Providethefollowingdetailsasshowninthefollowingscreenshot.4. FQDNTagsasfollows:

NameoftheruleSourcetypeaseitherIPaddress/IPgroupSourceIPaddressAddthetagsinthedrop-downmenu

5. TargetFQDNsasfollows:


http://www.microsoft.com

NameoftheruleSourcetypeaseitherIPaddress/IPgroupSourceIPaddressProtocolwillbeinmsql:1433,TCP:80,andsoonProvidethetargetFQDNorURLyouaretryingtoconnectandthenclickonAddasshowninthefollowingscreenshot:

Figure14.19:Azurefirewallapplicationrule

WhenyouclickonAdd,yourapplicationrulewillbeaddedtothefirewallandyourAzureserviceswillbeabletoaccessthespecifictarget.

ConfigureanddeployAzureBastionservicesAzureBastionprovidesasecureandseamlessRDP/SSHaccesstoyourvirtualmachine in yourAzure portal. It is PaaS services that have to be provisionedinside your virtual network. If you try and connect the VMs through Bastionservices,thenyourVMdoesnotrequireapublicIPtobeassociatedwithit.Itprovidesthefollowingfeaturesoftheservices:

RDPandSSHdirectlyinAzureportal:WecandirectlyconnecttheRDPandSSHsessionfromtheAzureportalusingasingleclick.Remotesession:ItusesanHTML5-basedwebclientthatisautomatically


streamedtoyourlocaldevice,sowecanconnecttotheRDP/SSHsessionoverTLSonport443.Don’t need a public IP to VM: Azure Bastion opens the RDP/SSHconnection to yourAzure virtualmachine using private IP on yourVM.Youdon'tneedapublicIPonyourvirtualmachine.NohassleofmanagingNSGs:Youdon’trequiretomanagetheNSGrulesandsoon,asitisinternallyhardenedtoprovidetheRDP/SSHconnectionsecurely.

LetusjustseehowwecancreatetheAzureBastionservicesinAzure:

1. GototheAzureportal.2. ClickonCreatearesource.3. Search for Bastion and click on Create as shown in the following

screenshot:

Figure14.20:AzureBastion

WhenyouclickonCreate,pleasefill-upthefollowingparameters:

SubscriptionResourcesgroupNameRegionVirtualnetworkSubnetwiththenameoftheAzureBastionsubnetwithaprefixofatleastwith/27.ProvidepublicIPaddressdetails.Refertothefollowingscreenshot:


Figure14.21:AzureBastioncreation

4. Once you are done with the Azure Bastion services creation, verify theservicesconnectingtoRDPoverthebrowser.ClickontheAzureVM,andthenfollowthegivensteps:

GototheAzureVMsettings.Then,clickonConnect.SelectBASTION.ProvidetheuserID/passwordasshowninthefollowingscreenshot:


Figure14.22:AzureBastionverification

When you click on Connect, you will be able to connect to the VM asshowninthefollowingscreenshot:

Figure14.23:AzureBastionRDPaccess

Now,wecanaccesstheVMusingtheBastionservices.

EvaluateeffectivesecurityrulesNetworksecuritygroupeffectiveruleswillhelpyoutounderstandtherulesthathavebeenenabled in inbound/outboundon the samepage.Youcan reviewallthoseNSGrulesataone-shot.


Letusseehowwecanseethoserules:PleasegotothenetworksecuritygroupandselecttheNetworksecuritygroupoptionandfollowthegivensteps:

PleasegotoSupport+troubleshooting.Then,clickontheeffectivesecurityrules.

ItwillshowwhichVMNSGhasbeenattachedandtherules.Youcandownloadthoserulesasshowninthefollowingscreenshot:Afterdownloading the rules, youcan reviewall the rules.Youwill be able tounderstandtherulesthatresultinamismatchasperyourrequirements:

Figure14.24:Effectivesecurityrules

Now,weareabletoseehowwecanevaluateeffectivesecurityrules.

ConclusionInthischapter,wediscussedtheconfigurationofprivateandpublicIPaddressesandlearnedhowtochangetheIPaddressfromdynamictostatic.Wediscussed


theAzurenetworksecuritygroupandhowtoassociatewiththesubnet/VMNICcard.We covered the route table and learned how it can be used to route thetraffic.We will discuss the Azure network monitoring in the next chapter. We willexplain the network watcher and on-premises to Azure network connectivitymonitoring,andsoon.Formoredetails,pleasegothroughthenextchapter.

ReferencesVirtual network traffic routing: https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-networks-udr-overviewSecurity groups: https://docs.microsoft.com/en-us/Azure/virtual-network/security-overviewVirtual network service tags: https://docs.microsoft.com/en-us/Azure/virtual-network/service-tags-overviewVirtual network service endpoints: https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-network-service-endpoints-overviewIP address types and allocation methods in Azure:https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-network-ip-addresses-overview-armFormoredetails,visitAzure4youblogpost:https://Azure4you.com/


https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-networks-udr-overview

https://docs.microsoft.com/en-us/Azure/virtual-network/security-overview

https://docs.microsoft.com/en-us/Azure/virtual-network/service-tags-overview

https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-network-service-endpoints-overview

https://docs.microsoft.com/en-us/Azure/virtual-network/virtual-network-ip-addresses-overview-arm

https://Azure4you.com/

I

CHAPTER15MonitoringandTroubleshootingof

VirtualNetworkingnthischapter,wewilldiscussAzureNetworkWatcheranditsusage.Wewillalso discuss how to troubleshoot the on-premises connectivity using the

networkwatcher.Wewillcovernetworkperformancemonitoring,howtousetheIPflowverify,VPNtroubleshooting,packetcapture,andsoon.


NetworkwatcherMonitoron-premisesconnectivityNetworkperformancemonitor

ObjectivesInthischapter,youwilllearnaboutAzureNetworkWatcher.Ifyourcustomeristroubleshooting a network issue from theAzure network to on-premises, thenAzureNetworkWatcherwill helpyour customer to trace the traffic at variouslevelsandhelpyou.Wewilldescribethenetworkwatchercapabilitiesindetail.

NetworkwatcherAzureNetworkWatcherprovides the tools tomonitor, diagnose, andview themetrics.Wecanenableordisablethelogsinthenetworkwatcher.It is designed to monitor and repair the Azure infrastructure services, whichincludetheAzurevirtualmachine,virtualnetwork,applicationgateway,andsoon.LetusseehowwecanimplementtheAzureNetworkWatcherservices:


1. Go toAllservices and search fornetwork watcher. Please select theNetworkWatcheroptionasshowninthefollowingscreenshot:

Figure15.1:Networkwatcher

2. OnceyouclickonNetworkWatcher,pleaseenableitfortheregionsyouwanttoselectitfor.Letusfollowthegivenstepstoenableit:

ClickonOverview.SelecttheregionandclickontheOverviewtabtoenablethenetworkwatcher.Itwilltakesometimetoenableit.Pleasetakealookatthefollowingscreenshotformoredetails:

Figure15.2:Networkwatcherenable

NetworkwatchertopologyUnder the Monitoring tab, if you click on Topology, it will show you thecompletearchitectconnectivityofyourVNetwhichconnectstoalltheresourceslike the VM, application gateway, and so on as shown in the followingscreenshot:


Figure15.3:Networkwatcherenable

Monitoron-premisesconnectivityUsing Connection monitor, we will monitor the traffic between two virtualmachinesorbetweentheAzureVMandtheon-premiseserver.Wecanmonitorthe Fully Qualified Domain Name (FQDN) name or individual IP address aswell.Onceyouselecttheconnectionmonitoring,followthegiveninstructionstoaddthemonitoring:

1. Providethenameofthemonitor.2. Selectthesubscription.3. Selectthevirtualmachine.4. Select the destination as Select a virtual machine or Specify

manually(URI,FQDN,orIPv4).5. Selecttheportnumberforwhichyouwanttomonitortheservices.6. ClickonAddasshowninthefollowingscreenshot:


Figure15.4:Networkwatcherconnectionmonitor

AfteryouclickonAdd,youwillbeabletoseetheconnectivityofeachservicewhen you click on a specific monitor. Please take a look at the followingscreenshotformoredetails:


Figure15.5:Networkwatcherconnectionmonitorstatus

IPflowverifyIP flow verify helps you to track the packets and checkswhether the packetshave been allowed or denied. Click on IP flow verify under the Networkdiagnostictoolssectionandprovidethefollowingdetails:

Subscription

Resourcegroup

Virtualmachine

Direction:InboundorOutboundProvidethelocalIPaddressandremoteIPaddresswiththeportnumbertoverify.PleaseclickontheCheckbutton.Formoredetails,takealookatthefollowingscreenshot:


Figure15.6:NetworkwatcherIPflow

NexthopNexthopwillhelpyouidentifythenexthopeandIPaddressofthepacketfromaspecificVMandNICcard.Itwillhelpyoutodeterminewhetherthetraffichasbeendirectedtoaspecificdestinationornot.Nexthophelpsyoutoidentifywhereyourtraffichasbeenroutedtosuchastothevirtualnetwork,virtualapplianceorsystemroute,andsoon.Takealookatthefollowingscreenshot:


Figure15.7:Networkwatchernexthop

NetworkperformancemonitorThenetworkperformancemonitorhelpsus tomonitor theAzureexpressroutetraffic.Itisacloud-basedhybridmonitoringsolutionwhichhelpstomonitorthevariouspointsofthenetworkinfrastructure.Let us take a look at how to configure the Azure network and performancemonitorbyfollowingthegivensteps.

1. Clickonthe+sign.2. SearchforNetworkPerformanceMonitor.3. ClickonCreate.

Lookatthefollowingscreenshotformoredetails:


Figure15.8:Networkperformancemonitor

4. SelectLogAnalyticsWorkspace.5. Onceyouselecttheworkspace,clickonCreateasshowninthefollowing

screenshot.6. Itwilltakeupto5minutestocreatethenetworkperformancemonitor:

Figure15.9:Networkperformancemonitorcreation

7. Oncethenetworkperformancemonitoriscreated,youcancheckitinloganalytics.

8. In log analytics, youwill see that one solutionhas beendeployed in theOverview tab,which is thenetworkperformancemonitor.Let us try andconfigure it. Click on Solution requires additional configurationundertheNetworkPerformanceMonitortabontheright-handsideoftheOverviewsection.Takealookatthefollowingscreenshot:


Figure15.10:Networkperformancemonitoroverview

9. WhenyouclickonSolutionrequiresadditionalconfiguration,onewindowwillopenupwiththenetworkperformancemonitorconfigurationwhereyouneedtoconfigurethefollowingservices,includingtheexpressroute:

You can download the agent and install it on the stand-aloneVMs/devicestoconfigurethemonitor.Youcansetuptheperformancemonitor.You can configure the services connectivity monitor for networkdevices.You can set up the express route monitor to get the traffic of theexpressrouteandfixtheissuewhenitarrives.

Once all the preceding configurations are done, youwill start getting the datawithin24hrsinloganalytics.WehavenowsuccessfullyconfiguredthenetworkperformancemonitoringintheAzureenvironment.Takealookatthefollowingscreenshot:


Figure15.11:Networkperformancemonitorconfiguration

ConclusionIn this chapter, we discussed Azure Network Watcher and its usage, how totroubleshoot the network using various tools, how to troubleshoot the on-premisesnetworkandAzureconnectivity,howtheIPflowverifyandnexthopewillhelpyouron-networktroubleshooting.WealsodiscussedtheAzurenetworkperformancemonitorandhowtoconfigureit.Inthenextchapter,wewilldiscusstheAzuremonitoranditssubsetstoanalyzetheutilizationandconsumptionoftheAzureservices.WewillalsodiscusshowtosetupalertsinAzureenvironments.

ReferencesIP flow: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overviewNetwork watcher monitoring: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overviewConnection troubleshoot in Azure Network Watcher:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overviewResource troubleshooting in Azure Network Watcher:https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-troubleshoot-overviewEffective security rules view in Azure Network Watcher:


https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-troubleshoot-overview

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-security-group-view-overviewFormoredetails,visitAzure4youblogpost:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-security-group-view-overview


I

CHAPTER16AnalyzingResourceUtilizationand

Consumptionn theprevious chapter,we coveredhow to create andmanage thedifferenttypes of Azure subscriptions and resources. In this chapter, we will learn

aboutAzuremonitoranditsutilizationoftheresourcesandhowtomonitorthedifferent services usingAzureLogAnalytics.Wewill see how to use the logsearchqueryfunctionsintheloganalyticsspace.


AzureMonitorSetupandconfigurationofalertsUtilizelogsearchqueryfunctions

ObjectivesWe will cover Azure Monitor in detail which will help you to set up themonitoringalertsforyourAzuresubscriptionresources.Wewilldiscusshowtosetupandconfigurethealerts,whichwillhelpyoutosendthenotifications.

AzureMonitorAzureMonitorisacomprehensivesolutionforalltheAzureservicesthatresidein theAzure subscription, and it usesvarious tools tomonitor the IaaS,PaaS,and SaaS components. It collects the logs data, application performance data,andsoontoprovidethebestresultforservices,andbasedonthem,thecustomercangetnotified.Formoredetails,takealookatthefollowingscreenshot:


Figure16.1:AzureMonitor

Azure Monitor supports a variety of Azure resource collection data whichprovidesthemetrics/alertsontheAzureportal.ThetypesofdataprovidedbyAzuremonitorsareasfollows:

Application monitoring data: It collects consistent data of applicationfunctionality, performance, and maintenance with respect to applicationcode-relatedissues.GuestOSmonitoringdata:ItcollectsdataofAzureVMsrunningonthesubscriptionandithasanapplicationrunningonit.Resourcemonitoringdata: Itcollects theapplicationresourceoperationdata.Subscriptionmonitoringdata:Itcollectsthecompletesubscriptiondata,including Azure resources health of the Azure services in terms of theregion,andsoon.Tenant monitoring data: It collects the tenant level data such as anyoperations or any issues that may have occurred on your Azure ADservices.Activity logs:Activity logsarenothing,but theactivities thathavebeenperformedbytheuserorownerintermsofall theservices.Theywillbecollectedandrecorded.Refertothefollowingscreenshot:


Figure16.2:Activitylogs

SetupandconfigurationofAzurealertsIfyouwouldlike toconfigureanalertofyourservices, thenpleasefollowthegivensteps:

1. Click on Alerts, and then click on + New alert rule under AzureMonitororresourcesasshowninthefollowingscreenshot:

Figure16.3:Newalert

2. Select resources like subscription, VMs, and so on for alert creation, asshowninthefollowingscreenshot:

Figure16.4:Alertcreation


3. Select theconditionunderalladministrativelogs,specificresourceslogs,andsoontoaddtheconditionasshowninthefollowingscreenshot:

Figure16.5:Alertsrules

4. Clickontheactiongroup:

ProvidetheactiongroupnameShortnameofmaximum116charactersSubscriptionnameResourcegroupnameActionnamelikewhereorhowtogetanalert:

AutomationRunbook

AzureFunction

Email/SMS/Push/Voice

ITSMlikeservicesticketingtoolWebhookandotherservices

Addactiongroupdetailsasshowninthefollowingscreenshot:


Figure16.6:Addactiondetails

5. ClickonOK.6. Providethedetailsofthealert:

AlertnameDescriptionSavealerttotheresourcegroupnameEnableordisableruleoncreationClickonCreatealerts

Formoredetailsonalerts,takealookatthefollowingscreenshot:


Figure16.7:Alertdetails

Once the alerts are created, you can view all the alerts in the Manage alertrules window. For more alert manager details, take a look at the followingscreenshot:


Figure16.8:Managerofthealertrule

This is how you can create and manage the alerts. You can also modify theAzureresourcealerts.

AzureMetricsAzure Metrics are numerical values of the resources utilization which arecollected in real-time. Based on the numerical values, it shows the metricsperformanceoftheresources,asshowninthefollowingscreenshot:

1. Youcanselecttheresources.2. ClickonMetricsasshowninthefollowingscreenshot:


Figure16.9:Metrics

AzureServicesHealthAzureServiceHealthwillhelpyouanalyzetheresourcesunderthesubscriptionandvariousregionserviceavailabilityoptions.Letusunderstandthem:

Plannedmaintenance:YoucanseetheplannedmaintenanceoftheAzuredatacenterifthereisanyglobalimpactandthenyoucantaketheprimitiveactiononthat.Resourcehealth:Resourceshealthwillhelpyoutounderstandthehealthoftheresources.Healthalerts:Wecansetuptheresourcehealthalertsaswellbasedonthecustomers’ requirements. For more details, take a look at the followingscreenshot:


Figure16.10:AzureServicesHealth

DiagnosticlogsItprovidesauditinganddiagnosticinformationabouttheAzureresources.Ithelpstocollectthelogsandsendsthelogstologanalyticsforfurtheranalysis.Itcanbesenttotheeventhubtogetthenotification.Itcanalsostorethelogstostorageaccountsforanyfurtherupdateorarchival.

EnablingthediagnosticsettingsPerformthefollowingsteps:

1. ClickonAzureMonitor.2. ClickonDiagnosticsettingsunderSettingsandclickontheresource.

Pleasetakealookatthefollowingscreenshotfordiagnosticsettings:

Figure16.11:Diagnosticsettings

3. Click on the resource menu on the Azure portal. Then, click onDiagnostic settings under Monitoring as shown in the followingscreenshot:


Figure16.12:Diagnosticsettingsdetails

4. If there are no settings that exist on the resource, then click on turn ondiagnosticsettingsandenableitasshowninthefollowingscreenshot:

Figure16.13:Monitordiagnosticsettings

5. OnceyouclickonDiagnosticsettings,followthegivensteps:

Pleaseprovidethestorageaccountdetails.Providethesolutionwheretostorethelogs:SendtoLogAnalyticsorStreamtoaneventhub.Selectthestorageaccountandretentionperiodofthelogs.Click on OK and save the settings as shown in the following


screenshot:

Figure16.14:Diagnosticsettingsconfiguration

Now,yourdiagnosticsettingshavebeenenabledtorecoveryservicesanditcanbedonewithotherservicesinyourAzuresubscriptionresources.

AzureLogAnalyticsAzure Log Analytics is a service that collects the data from various Azureresourcesandon-premisesdevicesandsendsittoyourloganalytics.Thecollecteddataisstoredintheloganalyticsworkspacewhichcanbeusedforaquerylanguage,alerting,andsoon.Loganalyticsanalysesthemetricdataandprovidestheresultbasedonthat.

CreatetheAzureworkspace


YoucanfollowthegivenstepstocreatetheAzureworkspace:

1. Clickon+Createaresource.2. SearchforLogAnalytics.3. ClickonLogAnalytics.4. ClickontheCreatebuttontocreatetheloganalyticsworkspaceasshown

inthefollowingscreenshot:

Figure16.15:Loganalyticsworkspace

5. Oncetheprecedingstepsarecomplete,performthefollowingsteps:

a. Providetheloganalyticsname.b. Providethesubscriptionname.c. Providetheresourcegroupname.d. Providethelocationbasedonyourcustomerorproject.e. Providethepricingtier.

6. ClickonCreateasshowninthefollowingscreenshot:


Figure16.16:Loganalyticsdetails

Now,your loganalyticsworkspacehasbeencreated.Youcanstart connectingyourdevicesorusingthem.IfyouwouldliketoinstallorconnecttheVMstotheworkspacemanually,thenclickontheAdvancedsettingsoptionunderLogAnalyticsandclickon theWindowsorLinuxagenttodownloadit.Takealookatthefollowingscreenshotformoredetails:


Figure16.17:Loganalyticsagentdownload

UtilizelogsearchqueryfunctionsThelogqueryfunctionwillprovideyouwiththevaluesfromthedatacollectedfrom log analytics or Azure monitor. The query is a powerful language thatallows you to combine the data from themultiple tables, aggregate the largerdata,andprovideacomplexoperationwithminimalcode.Youcanquerythedatausingthefollowingsteps:

1. Clickontheloganalyticswhichyouhavecreated.2. GotoWorkspacesummary.3. ClickonLogs.4. OnceyouclickonLogs,youwillbeabletoseethedashboardof thelog

analytics.Takealookatthefollowingscreenshot:


Figure16.18:Loganalyticslogs

Here,youcanrunthequerysearchforyourport,dashboardoralert,andsoon.AquerycanbeusedtocreatethecustomdashboardofAzuremonitoringbasedonyourcustomers’requirements:

1. ClickonSamplequeries.2. Typethequery.3. ClickonRun.4. Youwillgetaresult.5. You can use the samequery and create an alert aswell as shown in the



Figure16.19:Loganalyticssearchquery

ThisishowwecanusethequerysearchtogettheresultofAzureresourcesanduse it tomonitor andquery the result of the services.We can enable the alertbasedonthequery.

ConclusionIn this chapter, we covered analyzing the resources and explaining the Azuremonitor.Wediscussedhowtocreatethealertsandhowtousethosealerts.Wecovered how to create theAzure log analyticsworkspace andquery search ofAzuredatabasedonthequery.Usingthequery,wecancreatethealerts.WewilldiscussAzurebackupandDisasterrecoveryinthenextchapter.WewillalsocoverhowtoenablethebackupofyourAzurevirtualmachineandmigratetheVMorsetupdisasterrecoveryinAzure.

ReferencesMetrics in Azure Monitor: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metricsLog query search: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overviewLog Analytics: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overviewAlert configuration: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metricAzure Monitor: https://docs.microsoft.com/en-us/azure/azure-


https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric

https://docs.microsoft.com/en-us/azure/azure-monitor/overview

monitor/overviewAzure4you:https://azure4you.com/



I

CHAPTER17ImplementationofAzureBackupand

DisasterRecoveryn this chapter, we will discuss the Azure backup services, Azure backuprecoveryvault, andusageof theAzurebackuppolicy.Wewillalsodiscuss

howtocreate thebackupreportsandseehowtherestorationprocessworks inAzure.Wewillcoverthevarioustypesofbackupoperationsandsoon.


AzurebackupAzurebackupvaultcreationAzureVMbackupconfigurationAzurebackupreportAzurerestorationofVMsAzurebackupoperationdetailsUsesoftdeletetorecoverAzureVMsSite-to-siterecoverybyusingAzuresiterecovery

ObjectivesInthischapter,youwilllearnaboutAzurebackupanddisasterrecoveryservices.You will also learn how to configure the backup to protect the VMs fromaccidentaldeletionandensurefasterrestorationprocessindetail.

AzurebackupAzurebackupservicescomeundertheAzuresiterecoveryvault.Azurebackupservicesareusedtotakethebackupofyourvirtualmachines,Azurestoragefileshare,andSQLserverswhicharehostedinAzureVMs.Itprovidesthefilesand


folder-levelbackupaswell.Wecan take theon-premiseserversbackuptoAzureusingAzurebackup.TheAzurebackupvaultsupportsWindowsaswellasLinuxVMstotakethebackup.It enhances the backup capability and provides a secure way to backup yourinfrastructure. It provides centralized monitoring and protects all the AzureVMs.WecancontroltheaccessusingtheRBACrolestomeetthecompliancelevel.

AzurebackupvaultcreationLetusseehowtocreatetheAzurebackupvaultandhowtobackuptheservices.Pleasefollowthegivensteps:

1. Logintotheportal.2. GotoAllservices,oryoucangotothemarketplaceandsearchforthe

BackupandSiteRecoveryservice.3. ClickontheBackupandSiteRecoveryservice.Formoredetails,takea


Figure17.1:Azurebackupvaultmarketplace

4. Providethebackupvaultname.5. Providetheresourcesgroupnameandsubscriptiondetails.6. Click on Create. For more details, please take a look at the following

screenshot:


Figure17.2:Azurebackupcreation

Now,youwillbeable tocreate theAzurebackupvault.Thebackupvaulthasbeencreated,andwewillstartthebackupusingthesamerecoveryvault.

AzureVMsbackupconfigurationNow,IwillshowyouhowtoconfigurethebackupofyourVMs:

1. ClickonRecoveryServicevault.2. Clickonthe+Backupbutton.3. Setupthequotalimitaspercustomers’requirements.4. Click on Create. For more details, please take a look at the following

screenshot:


Figure17.3:Azurebackupconfiguration

5. You can select the Azure environment, and you can get two or moreoptionstobackuptheAzurestackandon-premiseservers.

6. SelectAzure and select theAzureVMs, but you can also backupAzureFileShare(Preview) andSQLServerinAzureVM. Formore details,takealookatthefollowingscreenshot:

Figure17.4:Azurebackupconfigurationsetup

7. Onceyouclickonthebackup, itwillaskyoufor theAzurepolicysoletme explain how the Azure backup policy will help you schedule thebackupfordailypurpose.

AzurebackuppolicyTheAzurebackuppolicyhelpsyousettherulesforyourbackupinfrastructure


likeVMs.Youcanhave the retentionpolicywhichwillhelpyou to retain thedata in the Azure backup vault up to 99 years. A retention policy can be setbasedonadaily,weekly,monthly,andyearlybasis.Formoredetails,refertothefollowingscreenshot:



Figure17.5:Azurebackuppolicy

Performthefollowingstepstocreatethebackuppolicy:

1. Click on OK to create the backup policy. Once your backup policy iscreated,thebackupvaultwillallowyoutochoosetheVMs.

2. ClickonItemstobackupandselectthevirtualmachine.3. ClickonEnablebackup.4. Once you click on Enable backup, it will trigger a job that installs the

recoveryagent. Itwillstart taking thebackupofyourservices.Formoredetails,pleasetakealookatthefollowingscreenshot:

Figure17.6:Azurebackupenable

5. Oncedone,itwillstart thedeployments.Itwill takesometimetoenablethebackupasshowninthefollowingscreenshot:


Figure17.7:Azurebackupdeployment

6. Once the backup is enabled, you can see that theVMswill be added toyourbackupservicesvault.YoucanseethenumbersoftheVMsinyourVMbackupvaultasshowninthefollowingscreenshot:


Figure17.8:Azurebackupverification

7. ClickonBackupitem and select theAzureVMs taband then select theAzureVM.

8. ClickontheBackupnowbuttontoenablethebackup.9. Whenyou clickonBackupnow, the backupwill get triggered, or itwill

startbasedontheAzurebackuppolicyasperyourschedule.Takealookatthefollowingscreenshot:

Figure17.9:EnablingAzurebackupforVM

AzurebackupreportAzurebackupreportswillhelpyoutoidentifythebackupofyourVMsanditsstorageprovidesthetransactionandbackupfailure.Italsoprovidesrestorationandsizeofthebackupsizeofyourbackupvault.Beforewecreatethebackupreport,weneedthefollowing:

Azurestorageaccount.Logrestorationtime30daysto1yearmax.AnimportantpartistohavethePowerBIlicensedversiontoconfiguretheAzurebackupreport.

LetusseehowtosetuptheAzurebackupreportfromtheAzurebackupvault:

1. GototheAzurebackupvaultforwhichyouwanttoconfigurethebackupreport.

2. In thatbackupvault,go toManageandselectBackupReports.Formore


details,pleasetakealookatthefollowingscreenshot:

Figure17.10:Azurebackupreport

Now,youneedtofollowthestep-by-stepinstructionstoenablethebackupreportasshowninthefollowingscreenshot:

Figure17.11:Backupreportconfiguration

3. WhenyouclickontheAzurebackupdiagnosticsettings,itwillaskyoutostorethelog,andyoucanselecttheAzurestorageaccount,streamlogstoaneventhub,orsendthe logs to loganalytics. IhaveselectedtheAzurestoragetoconfigurethebackupreport.Pleasetakealookatthefollowingscreenshot:


Figure17.12:Backupreportdiagnosticconfiguration

4. Oncethisprocessiscomplete,pleaselogintothePowerBIreporttoolandaddbackupapps fromthestorage toconfigure thebackupreport.Takealookatthefollowingscreenshot:

Figure17.13:BackupreportPowerBIconfiguration

5. Now,youcancreatetheAzurefilesync.WewillcreatetheAzurefilesyncgroup.Takealookatthefollowingscreenshot:


Figure17.14:AzurebackupfromPowerBI

6. Provide the storage account name you need to configure the diagnosticsettingfromtheAzurebackupvault.

7. ProvidetheAzurestorageaccountandAzurestorageaccountkey.8. Onceyouaredonewiththesetup,itwilltakesometimetoaddthereport.9. Itmight take24 to48hrs togenerate the report as to store the logs and

generatethereports.10. Oncethereportispublished,takealookatthePowerBIbackupreportas



Figure17.15:AzurebackupstorageconfigurationPowerBI

11. After the storage configuration backup report is published, you cancustomizetheAzurebackupdashboard.

AzurerestorationofVMsTheAzurebackuprestorationisprocessedtorestoretheVMs,files,andsoonincaseofcorruptionofimagesoranyservicesinterruptiontoservices,orjustforrestoring to the previous version.Now, Iwill show you the option of how torestoretheVMusingtherecoveryvault.Pleasefollowthegivensteps:

1. Pleaseselecttherecoveryvaultwhereyouhavetakenthebackup.


2. Then,clickontheBackuptabfromProtecteditems.3. SelectthevirtualmachineforwhichyouwanttorestoretheVM.4. WhenyouclickonRestoreVMorFileRecovery,youwillseetherestore

option.Takealookatthefollowingscreenshot:

Figure17.16:VMbackuprestoration

5. PleaseclickontheRestorepointoption.6. Whenyouclickonit,itwillshowyoutherestorationtime.7. You can restore the backup in terms of application, crash, and file

consistencyaswell.Takealookatthefollowingscreenshot:

Figure17.17:VMbackuprestorationpoint

8. Onceyouselecttherestoreconfiguration,youcanselectwhetheryouwantto create a newVMor replace the existing setupwhichwill replace thedisk.


9. LetusselectthenewVMcreation.10. Now,youneedtoprovidethenameoftheVMs,andVNetwillselectthe

defaultoryoucanchangeitwithinthesameregion.11. PleaseselectthestorageaccountandclickontheRestorebutton.12. After10 to15minutes,yourVMwillbecreatedorbasedon thedata; it

mighttakealongertime.Pleasetakealookatthefollowingscreenshot:

Figure17.18:NewVMcreationusingrestoration

AzurebackupoperationdetailsAzurebackupoperationshelpyou tounderstandwhetheryourbackup jobhasbeen successful or unsuccessful. It provides the end-to-end Azure operationerrorstounderstandandtroubleshoottheissue.Activitylogswillalsohelpinthe


Azurebackupoperation.Pleasetakealookatthefollowingscreenshot:

Figure17.19:Azurebackupoperations

UsesoftdeletetorecoverAzureVMsTheAzure softdeletebackupwillhelpyou to recover theVMevenafteryoudelete it from the backupvault.Youwill be able to recover theVM from thebackupvaultwithin14days.Ithelpsyouifyouhavedeletedthebackupbymistakeorduetosomemaliciousactivity,itgotdeleted,thenyouwillbeabletorecovertheVM.Wheneveryoucreatethebackupvault,softdeletewillbeenabledbydefault.LetusseehowwecanenableordisablethesoftdeleteAzureVMusingthesiterecovery:

1. SelecttheAzurebackupvault.2. GotoProperties.3. SelectSecuritySettingsandclickonUpdate.4. Clickonenablethesoftdelete.5. ClickonSavetoenableit.Takealookatthefollowingscreenshot:


Figure17.20:Azurebackupsoftdelete

6. When you delete the backup, youwill get the followingmessage that ifyouhaveenabledthesoftbackuptodelete, thenyouwillable torecoverthedatawithin14days.Takealookatthefollowingscreenshot:


Figure17.21:Azurebackupsoftdelete

7. If youwant to recover the data, then go the backup vault and select thedeleted VMs backup and click on Undelete as shown in the followingscreenshot:

Figure17.22:Azurebackupsoftundelete

Site-to-siterecoverybyusingAzuresiterecoveryAzuresiterecoveryhelpsyoutoensureyourbusinesscontinuitybyrunningduetounplannedor plannedoutage.Azure site recovery serviceswill helpyou to


replicate the on-premise and Azure workload from the primary site to thesecondarysitewhenever there isanoutageonprimarysites.Once theprimarysitesareupandrunning,youcanfailbacktoprimarysites.Thesiterecoverymanagesthefollowingreplications:

AzureVMscanreplicatebetweenAzureregions.On-premises VMs, Azure stack VM, physical server, Hyper-V, andVMwareservers.

LetusseehowtoenabletheAzuresiterecovery:

1. Go tosite recoveryandclickon+Replicateasshownin thefollowingscreenshot:

Figure17.23:Azuresiterecoveryreplicate

2. Onceyouclickon+Replicate,selectthesourceandprovidethedetailsasfollows:

ProvideSourceasAzure.SourcelocationisyourAzureVMlocation.Pleaseprovidethesourceresourcegroup.Pleaseprovidethesubscription.PleaseselecttheavailabilityzoneandclickonOK.Pleasetakealookatthefollowingscreenshot:


Figure17.24:Azuresiterecoverysource

3. ClickonOK andselect theAzurevirtualmachine.Refer to the followingscreenshot:


Figure17.25:Azuresiterecoveryvirtualmachine

4. WhenyouclickOK, itwillbedirected to theSettings tab.Pleasedefinethesettingsasfollows:

Selectthetargetlocation.Select the Disaster Recovery (DR) subscription you want toconfigureinAzure.Selectthetargetresourcegroup.Targetvirtualnetwork.Cachestorageaccount.Replicathemanageddisk.TargettheAVsetifyouwanttoconfigure.Replicationpolicy:

24-hourretentionpolicyRecoverypointretentionApplicationconsistentsettingsReplicationgroup

5. ClickonCreatetargetresourcesasshowninthefollowingscreenshot:


Figure17.26:Azuresiterecoverytargetresource

6. Oncethetargetresourceiscreated,enablethereplicationasshowninthefollowingscreenshot:


Figure17.27:Azuresiterecoveryreplicationenables

7. Oncethereplicationisenabled,youwillbeabletosuccessfullysetuptheDR using the site recovery. It will start the replication, and once thereplicationiscomplete,youcandothefailover.

Now,wecansuccessfullycreatetheDRsite.

ConclusionInthischapter,wediscussedtheAzurebackupanditsusage.Welearnedhowtocreateabackupreportanditsusage.WediscussedhowtosetuptheAzuresiterecoveryforAzureVMsandexplainedtheAzurebackupreports.In the next chapter,wewill discuss the examguidelines and assessments.Wewillprovidethedetailsonhowtoregisterfortheexamandprovide75questionstopreparefortheexam.

ReferencesCreate a recovery services vault: https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault#modifying-default-settingsRecovery services vaults overview: https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overviewMonitor and manage recovery services vaults:


https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault#modifying-default-settings

https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

https://docs.microsoft.com/en-us/azure/backup/backup-azure-manage-windows-serverRecover files from the Azure virtual machine backup:https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vmRestore Azure VM data on the Azure portal:https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vmsConfigure Azure backup reports: https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reportsFormoredetails,visitAzure4youblogpost:https://azure4you.com/


https://docs.microsoft.com/en-us/azure/backup/backup-azure-manage-windows-server

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports


I

CHAPTER18ExamPreparationGuidelinesand

AssessmentBasedonLiveQuestionsn this chapter, Iwill discuss theAZ-104 live scenario-based questions andanswers, which will help you to understand the exam pattern. These are

dummyquestionswhichhavebeencreatedbymeandmighthelpyou inyourexampractice. It’snot related toyourexam,but itwillhelpyoutounderstandthe topics. Itwill give clarity onwhat types of questionswill be asked in theexamso thatyoucanpreparewell foryourexam.Wewill try tocoverall thetopic questions which have been written in this book and try to cover thequestionasmuchaswecan.

Note:Certifiedauthor swill createall thequestionsbut if there isanymatch toyourexamquestion, then it is justacoincidenceandneithertheauthororpublisherwillberesponsibleforthosequestions.

The following topicswillbecovered inyourexamasper theMicrosoft examcenter official site https://docs.microsoft.com/en-us/learn/certifications/azure-administrator.Pleasefollowthegiventopicstostartpreparingfortheexam:

ManageAzuresubscriptionsandresources(15-20%)Implementandmanagestorage(15-20%)Deployandmanagevirtualmachines(VMs)(15-20%)Configureandmanagevirtualnetworks(30-35%)Manageidentities(15-20%)

ExampreparationguidelinesAzure-104MicrosoftAzure administrator certification validates your expertisein the Azure administrator role. In this exam, your administrator skills andknowledgewillbetested.


https://docs.microsoft.com/en-us/learn/certifications/azure-administrator

If youwant to be certified on theAZ-104 exam, you should be aware of theAzure compute, storage, networking, Azure AD, monitoring, subscriptionmanagement,andsoon,whichwehavecoveredinthiscourse.Inthisexam,youwillhave toperform the labsaswell;hence,youwillhavehands-onpractice.You can create the free subscription (https://azure.microsoft.com/en-in/free/)whichwill provide the 12K credit for 1month and 25most used applicationswhichyoucanusefor12months.

ExamAZ-104BasicInformation

Nameoftheexam ExamAZ-104:MicrosoftAzureAdministrator

Technology MicrosoftAzure

Prerequisites Hands-onpracticeforAzureAdminlabsandAzureconceptunderstanding

Numberofquestions 40-60

Examfee USD165andINR4800

Examlanguage English

Table18.1:BasicinformationforAZ-104

AZ-104examtipsTheAzureexamdurationwillbe180minutes,andinthose180minutes,30minuteswillbegivenfor instructions,comments,scorereporting,andothers.In150minutes,youmustanswerallthequestionsandcompletethelabs.Youwillgettwolabswhichhave14taskstobecompletedandtherewill3-5casestudy-basedquestions.In the case study-based questions, you need to read and understand thequestionsverycarefullytoprovidethecorrectanswers.Itisatimetakingsectionbecauseinthesestudycases,youmighthavetoanswerabout10to15questions.Ineachcasestudy,therewillbeapproximate2to5questionswhichyouneedtoanswer.Youwillgetmultiple-choicequestionsaswellinthefollowingformat:

Single-correctanswer:YouhavetosayYes/No.Fillintheblanks:Youhaveunderstoodthescenariosandyouneedtochoosetherightansweranddothedraganddropjob.


https://azure.microsoft.com/en-in/free/

Orderstatements:Intheexam,youneedtocreateasite-to-siteVPNbyputtingtheprecedingstepsinorder.Hence,youshouldbeawareofthecorrectorderandabletoperformthesteps.

Examswillbedividedintosections,andyoucangobackandcorrecttheanswersbutwithinthesection.Onceyouhavemovedtothenextsection,youwillnotbeable tochange thesection.Pleasemakesureyouwillbeabletoverifyorreviewthequestionbeforegoingtothenextsection.Please read the question properly and understand the format of thequestion. It can be a scenario-based question. If it is a scenario-basedquestion, understand the question been asked and you need to fill in therequirements to give the correct answer.Onceyoudo this, itwill take afewminutestoprovidethecorrectanswer.Trytocompletesingleanswerquestionsasearlyasyoucansothatyoucansavesometimeforscenarios-basedquestionsandlabs.Trytoattemptandanswerallquestionswhichcomeintheexambecausethereisnoharminguessingtheanswers.AfewofthequestionswillcomefromPowerShellandARM.ToanswerwiththegivenPowerShellcommand,let’sjustpreparethenewmoduleAZPowerShellwhichwillhelp.A few of the questions will come from cost management and Cloudyn.Pleasepreparethetopicsandanswerthem.Pleasepractice the labs as therewill around14 tasks soyou canget thefreesubscriptionandpreparewellwhichwillhelpyoutocleartheexam.Azureexam labswillbe slowandyoumay face some issues. Ifyouarerunningoutoftimeandstuckinlabsoranyothertechnicalissuesduringtheexam,youcantalktothecenterpersontorescheduletheexamortheconcerned person will help you. Pearson VUE supports emails torescheduleyourexam.Youwon’t be allowed to go out during the exam time, and pleasemakesuretofinishotheractivitiesbeforegoingtotheexam.Youwillnotbeallowedanyofyourotherstuff.Theexamcenterrequirestwo IDproofs to start the examand the examcenter teamwill helpyouwiththat.Youcanmarkquestionstobereviewedduringtheexamifyouarenotsureabout theanswer.Onceyouaredonewiththesection,reviewtheanswer


andproceedfurther.Youmight get the performance-basedquestion about theAzure services,andyouhavetoansweronthataswell.Inthecasestudyquestion,youwillneedtogivethebusinessrequirementsand technical requirements of the existing environments and otherinformationtoanswerthequestion.Casestudyquestionsmightrequireyoutolookatyourquestionbackandforth, which might require information to be integrated with multiplesourcesinthequestion.Pleasemakesuretoreadthecasestudyproperly,understandtherequirements,andthenanswerthequestion.

ExamregistrationIfyouareplanningtoregisterfor theexam, ifyouareafirst timeuser,pleasemakesureyouhaveavalidemailIDlikeOutlook,Hotmail,andsoon.OnceyouarereadywithyouremailID,followthegivenstepstoregisterfortheexam:

Pleaseclickon the link-AZ-104examregistration link to register for theexam.Pleaseprovidethename,jobtitle,andaddress.


Figure18.1:Examschedule-1

Please select the city and country forwhichyouwant to register for theexam.Providethestatepostalcode.Providethecountrycodeandphonenumber.ProvidethepreferredemailIDandlanguage.

Figure18.2:Examschedule-2

ClickonSave&continue.Once you click onSave & continue, it will ask you to go the PearsonVUEsitetoregisterfortheexam.Select the localcenter,home,andsoonoptions.Select thecenteroptionandclickontheNextbutton.Selectthelanguage.ClickonScheduletheExam.


Selecttheexamcenterorsearchforthecentername.Selectthedateandtime.Proceedtocheckoutandproceedforpayment.

Onceyouclickoncheckout,yourexamwillbescheduled.YouwillgetanemailfromPearsonVUE.

DummyobjectiveexamquestionsQ1.Whatkindofuserscanbeinvitedusingtheguestuserinvite?

1)B2C2)B2B3)Both

Ans:Both

Q2.HowcanwecreatemultipleusersinAzureAD?1)Usingbulkusercreation2)Guestuserinvitation3)Groupmanagement

Ans:Usingbulkusercreation

Q3.WhichtypesofgroupscanwecreateinAzureAD?1)Securitygroup2)O365group3)Both

Ans:Both

Q4.WhatistheuseofAzureADconnect?1)Hybridconnectivity2)On-premisesADconnecttoAzureADintegration3)MFA

Ans:On-premisesADconnecttoAzureADintegration

Q5.WhatisthepermissionrequestedtoinstalltheAzureADConnect?1)Enterpriseadmin


2)Globaladministrator3)Both

Ans:Both

Q6.Whatistheuseofpasswordwriteback?1)Itisusedtosynctheusers.2)On-premisessyncservices3)TosyncthepasswordifitischangedthroughtheAzureportal

Ans:TosyncthepasswordifitischangedthroughtheAzureportal

Q7.WhichisthePowerShellcommandtogettheroledefinition?1)Get-azRoledefinition“Contributor”2)Get-azRoledefinition“Contributor”|convertto-jason|out-

fileD:\ABPGroup

3)Connect-azsubscriptionAns:Get-azRoledefinition“Contributor”

Q8.HowmanytypesofrolebackAccessareavailableinAzure?1)Readandwrite2)Viewerandeditor3)Owner,contributor,andreader

Ans:Owner,contributor,andreader

Q9.Howmanycustomrolescanbecreatedinonetenant?1)10002)20003)5000

Ans:5000

Q10.IfyourcompanywantstobuyasubscriptiondirectlyfromMS,whichsubscriptionwouldyouchose?1)Freesubscription2)Enterprisesubscription3)CSPsubscription

Ans:Enterprisesubscription


Q11.WhatisasubscriptioninMicrosoftAzure?1)ItisabillingcontainerwhichcontainstheAzureservices.2)Itjustacontainer.3)ItisAzurecloudservicesprovider.

Ans:ItisabillingcontainerwhichcontainstheAzureservices.

Q12.AcustomerasksyoutoprovidetheITadminaccessrolethatcanmanagethesubscriptionandprovideaccess.WhichRBACroleaccesswouldyouprovidetotheuser?1)Owner2)Contributor3)Reader

Ans:Owner

Q13.WhatistheuseoftheAzurepolicy?1)Tomeetthecompliance.2)Tomeetthecloudsecurity.3)Torestricttheaccess.

Ans:Tomeetthecompliance.

Q14.AcustomerwantstoallowonlyafewlocationsbasedonhispresenceintheAzuresubscription.Howwouldyoudothat?1)UsingtheAzurepolicy2)UsingtheResourcesgroup3)UsingtheRBACaccess

Ans:UsingtheAzurepolicy

Q15.WhichtypesofstorageaccountsdoesAzurehave?1)Blobstorageaccount2)GPv13)GPv24)Alloftheabove

Ans:Alloftheabove

Q16.WhatisstorageaccountreplicationrecommendedbyMSAzure?


1)RA-GRS2)GRS3)ZRS4)LRS

Ans:RA-GRS

Q17.HowmanyIOPSareprovidedby1TBpremiumstorageaccount?1)10002)20003)50004)7500

Ans:7500IOPS

Q18.HowtoconnecttheAzurestorageexplorer?Pleaseselecttwomethods.1)SASkey2)Storageaccountkey3)ThroughAzureportal

Ans:SASkeyandStorageaccountkey

Q19.Whatisthestorageaccountcontributorrole?1)Provideaccesstoread/write/deleteaccess.2)Providereadaccess.3)Providewriteaccess.

Ans:Provideaccesstoread/write/deleteaccess.

Q20.WhydoweusetheAzureimportandexportutility?1)Tomigratethepetabytesofdata2)Tomigrate1TBdata3)Tomigrate50GBdata

Ans:Tomigratethepetabytesofdata

Q21.WhichOSesaresupportedbyAzurefileshare?1)WindowsandLinux


2)MAC3)Linux

Ans:WindowsandLinux,MAC

Q22.WhatisthelimitofAzurefileshare?1)2TB2)5TB3)4GB

Ans:5TB

Q23.WhatistheuseofAzurefilesync?1)Centralizedmanagementforyourfilesandfolders2)UsedtosyncdocsAzuretoAzure3)Usedforfilesharingwhichisincloud

Ans:Centralizedmanagementforyourfilesandfolders

Q24.WhatisAzureVMssize?1)ConfigurationofAzureVMsinstance2)VMimage3)None

Ans:ConfigurationofAzureVMsinstance

Q25.Canwesettheauto-scalingwhilecreatingthescaleset?1)Yes2)No3)Noneoftheabove

Ans:Yes

Q26.AzureVMssizesupportGUPandSAPsizesaswell?1)Yes2)No3)None

Ans:Yes

Q27.InwhichformatdoestheARMtemplatesavethedocuments?


1)JSON2)PowerShell3)CLI

Ans:JSON

Q28.WhatarewaystodeploytheARMtemplate?1)PowerShell2)CLI3)Alloftheabove

Ans:Alloftheabove

Q29.HowtodeploytheARMtemplatefromtheportal?1)Usingacustomtemplate2)PowerShell3)None

Ans:Usingacustomtemplate

Q30.Whatisthewaytoconnecttotheon-premisesnetwork?1)Asite-to-siteconnection2)Expressroute3)Vnet-to-VNetconnection4)Options1and2

Ans:Options1and2

Q31.HowdoyouconfiguretheVnet-to-VNetconnectivity?1)VNetpeering2)Site-to-siteconnection3)ExpressRouteconfiguration

Ans:VNetpeering

Q32.Whatistheuseofalocalareanetwork?1)Ithason-premisesVPNdeviceconfiguration.2)ExpressRouteconfiguration3)None


Ans:Ithason-premisesVPNdeviceconfiguration.

Q33.WhicharethetypesofAzureDNSzones?1)Privatezone2)Publiczone3)Both

Ans:Both

Q34.WhatarethedifferenttypesoftheAzureloadbalancer?1)Internal2)External3)Alloftheabove

Ans:Alloftheabove

Q35.WhicharethetypesofrulesavailableinAzureNSG?1)Inbound2)Outbound3)Both

Ans:Both

Q36.Whatistheuseofaroutetable?1)Routethetraffictothefirewall2)RoutethetrafficwithinAzure3)Alloftheabove

Ans:Alloftheabove

Q37.CanweapplytheNSGinwebapps?1)Yes2)No

Ans:No

Q38.WhatistheuseoftheAzureresource’shealthmonitoring?1)AzureResourcesHealthCheck2)Subscriptionmonitoring3)PaaSservicemonitoring


4)NoneAns:AzureResourceHealthCheck

Q39.Whatistheuseofloganalytics?1)Resourcemonitoring2)Analyzingthemetricsandalerting3)Datacollection4)Alltheabove

Ans:Alloftheabove

Q40.Howtoquerythemonitoringdata?1)Usingthelogsearchquery2)Azuremonitor3)Loganalytics4)None

Ans:Usingthelogsearchquery

Q41.Whatisuseoftheactiongroupinanalert?1)Usedtosendthenotificationtotools/emailID.2)UsedtoconfiguretheAzuremonitor.3)Usedtoconnecttologanalytics.4)Noneoftheabove.

Ans:Usedtosendthenotificationtotools/emailID.

Q42.Whatistheuseofactivitylogs?1)Ittracksalltheoperationactivitieswithinthesubscription.2)ItcollectsthedatafromtheAzuremonitor.3)Itisusedtoconnecttologanalyticsandanalyzethelogs.

Ans:Ittracksalltheoperationactivitieswithinthesubscription.

Dummyscenario-basedexamquestionsQ1.ABPBcustomerhasmorethan150VMs,andnowthecustomerwants

todeletefewoftheVMsfromhissubscription.ThecustomerwantstofindouttheunuseddiskwhichhasbeencreatedduringtheVMs


creationanddeletionprocess.Howcanyouidentifytheunuseddisk?1)YoucanusetheAzureportal.2)YoucanuseAzurestorageexplorer.3)Youcanusethecostmanagementreport.4)YoucanusetheCloudynoptimizationreport.

Ans:4.YoucanusetheCloudynoptimizationreportwhichwillprovidethereportofanunuseddisk.

Q2.ABPBcustomeraskedtocreate10AzurevirtualmachineswithLinuxOSthatwasrequiredfortheproductionworkload.Thecustomerneedstomonitorthemetrics.WhataretheoptionsthecustomercanusetomonitortheLinuxmetricsfromtheportal?1)Loganalytics2)Applicationinsight3)Azureperformancediagnosticextension4)Azuremonitor

Ans:3.AzureperformancediagnosticextensionwillhelpthecustomertocollecttheadditionalmetricdataandmonitortheLinuxmetrics.

Q3.ABPBcustomerhastwodifferentsubscriptions:callsubscriptionsBPBDevandBPBProdandboththesubscriptionsneedtocommunicatewitheachother.WehavealreadyconfiguredtheVNetDevforthesubscriptionsBPBDevandVNetProdwiththeBPBProdsubscription.Now,youwanttosetupacommunicationbetweenboththesubscriptions.Howcanyouconfigureit?1)WewillmovetheVNetDevtotheBPBProdsubscription.2)ConfiguretheVNetpeering.3)ConfigureVnet-to-VNetconnectionbetweenboththesubscriptions.4)Site-to-siteconnectivitybetweenthesubscriptions.

Ans:3.ConfigureVnet-to-VNetconnectionbetweenboththesubscriptions.Creatingthevent-to-ventconnectivityisasillierprocessthansite-to-siteVPconnectivityandtherequiredlocalareaconnectionneedstobecreated.

Q4,YourcustomerwantstocreateanAzurestorageaccountcalledbpbstorage,andunderthat,hewantstocreateanAzurefileshare.


OnceyoucreatetheAzurefileshare,youneedtomapittoanAzurefilesharesupportedport.WhichportnumberwillyouchoosetoconfiguretheAzurefileshare?1)Port-4432)Port-4453)Port-804)Port-8080

Ans:2.Port-445becauseport445supportsAzurefileshare.Iftheport445isblockedbyyourorganization,thenyouwillnotbeabletoconnecttofileshare.

Q5.Youaretheadministratorofyoursubscriptionwhichcontains30virtualmachines,andinyourteam,memberswanttocreateacouplemoreVMswiththeNSGgroup.Now,yourmanagerwantstoblockport80wheneveranynewNSGiscreated.Whatisyourapproachonthis?1)UseacustomAzurepolicy2)CreatelockonNSG3)BlockusingtheRBACrole4)Providelimitedaccess

Ans:1.WewilluseacustomAzurepolicywhichwillhelptodefinethepolicy.WheneveranengineercreatesanNSGautomatically,thedenyrulewillbecreatedwithport80.

Q6.Youaretheadministratorofyoursubscriptionandyouhave50Kusersandyouwanttocreate10moreusersintheAzureADandassigntheuseradministratorroletothoseusers.Whatoptionswillyouchoosetoprovideaccesstothoseusers?1)Onlycreatetheusers.2)Createtheusersandmodifythedirectoryrole.3)Youcanusethegrouppolicytoprovidetheaccess.4)Useanactivedirectorylicensetoprovidetheaccess.

Ans:2.WewillcreatetheuserfromAzureADandusethedirectoryroletomodifyandassigntheuseradministratorroletothoseusers.

Q7.Youhave20Kusers,andnowyourorganizationITheadwantstobuy


20additionalP2licensesforhighermanagementastheywanttousetheadditionalfeatureofpremiumAD.Youhaveboughtthe20licenses.Howwillyouconfigurethemsothathighermanagementcanusethepremiumfeature?1)Youwillassigntheadminroletothoseusers.2)Youwillcreateausergroupthatallowsyoutousethepremium

feature.3)YouwillassigntheP2licensestoeachuserusingthelicenseblade.4)YouwillusetheRBACrole.

Ans:3.WewillassigntheP2licensestoeachuserusingthelicensebladebecauseunlessthelicensehasbeennotconfigured,highermanagementcannotaccessthepremiumfeatureasthosefeatureswillbeavailableonlyiftheyhaveavalidlicense.

Q8.YouhavecreatedastorageaccountintheresourcegroupBPBRG32,andnowyouhaveappliedaread-onlylocktoBPBRG32.Whichoperationwillyouperform?1)Youwilldeletetheresourcegroup.2)Youcancopythestoragekey.3)Youcanuploadthedatatotheblobstorageaccount.4)Youcanchangethereplicationsettings.

Ans:2.Youcancopythestoragekeybecausetheread-onlylockallowsyoutocopythedata,butitwillnotallowyoutomodifyordeleteanythingfromtheresourcesgroup.

Q9.YouhavetwoAzureactivedirectoriesbpb.comandazure4you.com.Now,youwanttosetupadefaultdirectorytenanttosignintoboththetenants.Howcanyouconfigureit?1)Changetheportalconfigurationsettings.2)UsethePowerShellcommand.3)Changethedirectoryfromtheportal.4)Youcanchangethesubscription.

Ans:3.Wewillchangethedirectoryfromtheportaltosetupsignin.

Q10.YourcustomerwantstoenablethebackupsolutiononAzurewebappsnamecalledbpbapp1.Howwillyouprocessthisrequest?


1)Setupthethird-partybackupsolution.2)Usethebackuppolicytoimplement.3)Configurethebackupusingtherecoveryvault.4)YoucanusetheAzurebackupserverforappservices.

Ans:3.Wewillconfigurethebackupusingtherecoveryvault,whichwillhelptotakethebackupofwebapps.

Q11.Acustomerwantstotransferthedatafromtheon-premisessystemtoAzure.Whichtoolwillyouusetoprocessit?1)Usetheuploadoptiondirectlytotheblobstorage.2)Usetheimportandexportoption.3)Createfileshareandmaptoon-premises.4)Usethestorageexplorertomovethedata.

Ans:4.WewillusethestorageexplorertomovethedataasitissimpletouseandtightlyintegratewiththeAzurestorageaccountandeasytomovethedatatothestorageaccount.

Q12.YouaretheglobaladministratorofyourAzureAD,andnowyouwanttoenforcethemultifactorauthentication.Howwillyouprocessit?1)ConfiguretheplaybookforMFA.2)Usethecustompolicy.3)ConfiguretheAzureADConnect.4)UsetheAzureADconditionalaccesspolicy.

Ans:4.WewillusetheAzureADconditionalaccesspolicywhichwillhelptheMFAimplementationorganization.Wecancreateaconditionalaccesspolicyandapplyit.

Q13.YourcustomerwantstoconfiguretheVNetnameBPBVnetprodwhichsupportstheVNetgatewayconfigurationtoconfigurethesite-to-siteVPN?1)CreateaVnet.2)Createsubnet.3)CreateaVNetwiththesubnetgateway.4)CreateVNetwiththesubnet.


Ans:3.WewillcreatetheVNetwiththesubnetgateway,whichwillhelptoconfiguretheVNetgatewayandthesite-to-siteVPN.

Q14.YourAzuretenanthasenabledtheprivilegedidentitymanagement,andyouwanttoseehowmanyusershavebeenassignedthesecurityadminrole.Youneedtoreviewthesecurityadminaccessrole.Howcanyouprocessit?1)Inidentityprotectionmanager,youwillconfiguretheriskpolicy.2)Youwillconfiguretheweeklyadreport.3)Youwillconfiguretheaccessreviewfromtheprivilegedidentify

management.4)YouwillenabletheADauditlogs.

Ans:3.Wewillconfiguretheaccessreviewfromtheprivilegedidentitymanagementwhichhelpustofrequentlyunderstandaccesstothatsecurityadminandbasedonthereport,wecandecideit.

Q15.YouhaveconfiguredthemultifactorauthenticationtoalltheusersinyourAzuretenantandfewoftheusersarehavinganissueloggingintomobiledevicesandunabletoresetthepassword.Whatisthesolutionyouwillapply?1)Self-servicepasswordreset.2)Configurethemobiledevices.3)Createthepasswordforthoseusers.4)Reinstalltheappservices.

Ans:1.Wewillenabletheself-servicespasswordresetwhichwillhelptheuserstoresettheirpasswordwheneveritisrequired.Then,theywillbeabletoconfiguretheappsinmobiles.

Q16.Youhaveacoupleofstorageaccountsandyourcustomerwantstorestricttheaccesstotheinternetintheproductionstorageaccounts.Whichisthesolutionyouwillapply?1)Inthestorageaccount,enableencryption.2)CreatetheSASkey.3)EnabletheVNetintegrationfromthefirewallsettings.4)Enablethereplications.

Ans:3.WewillenabletheVNetintegrationfromthefirewallsettingsfrom


theAzurestorageaccount,whichwillhelptorestrictthestorageaccesstotheinternet.

Q17.Yourclientshaveanon-premisesnetworkwhichcontainsmultipleOSversionsofservers.TheclientwantstomigratealltheserverstoAzure.YouneedtoprovideasolutiontoensurethatsomeoftheserverswhichareavailableinsingleAzuredatacenterandmightgoofflineduringplannedandunplannedmaintenance.Whatshouldbeyourrecommendationtotheclient?1)Faulttolerance2)Lowlatency3)Scalability4)ReplicationtoAzure

Ans:1.Wewillsuggesthavingfaulttoleranceintheworkloadwhichwillhelpduringplannedandunplannedmaintenance.

Q18.Youhave100VMsintheAzuresubscription,andnowyourcustomerwantstoconfigurethebackup.Youhavesuccessfullycreatedthebackup.Theclientmanagerwantstoenablethebackupretentionto20years?Whatisthesolutionyouwillproposetoyourcustomer?1)Backupreports2)Azurebackuppolicy3)Manuallytakethebackup4)Enablethereplicationfor20year

Ans:2.WewillenabletheretentionperiodintheAzurebackuppolicy,whichwillhelptoretainthebackupforupto20years.

Q19.Youhave50storageaccountsintheAzuresubscription,andnowyourcustomerwantstocreateacontainerin20storageaccounts.Whatarethetoolsyouwillusetocreatethecontainerinthestorageaccount?1)Fromtheportal.2)Yougotofileshareandcreatethecontainer.3)Manuallycreatethecontainer.4)Azurestorageexplorer.

Ans:4.WewillbeusingtheAzurestorageexplorertoconfiguretheAzurestoragecontainers.


Q20.YourcustomerplanstomapanetworkdrivefromseveralcomputersthatrunWindows10andLinuxtoAzureStorage.YouneedtocreateastoragesolutioninAzurefortheplannedmappeddrive.Whatwillbethesolutionsyouwillprovidetothemappeddrive?1)Enabletheport80.2)Usingfileshare,connectandenabletheport445.3)Usetheblobstorageaccount.4)UsetheAzurecontainers.

Ans:2.Wewillusefileshareconnectandenabletheport445,whichprovidesthecommandtoconnecttoWindowsandLinuxfileshare.

Q21.YourcompanyplanstodeploywebserversandSQLdatabaseserverstotheAzuresubscription.Now,youneedtorecommendasolutiontorestricttheconnectionbetweenAzurewebserversandSQLBDservers.Whatisthesolutionyouwillprovide?1)Youwillrestrictfromthefirewall.2)Youwillusetheroutetable.3)Configuresite-to-siteconnection.4)ConfiguretheNetworkSecurityGroup(NSG).

Ans:4.WewillconfiguretheNetworkSecurityGroup(NSG)whichwillhelptoallowordenythetraffic.ItwillhelptorestricttheoutgoingtrafficanditcanonlysendthetraffictowebserverstoDBservers.

Q22.YourcustomerplanstomigratetoAzureandthecompanyhasseveraldepartments.AlltheAzureresourceshavebeenusedbyeachdepartmentandmanagedbyanITadministrator.Now,thecustomerwantstoprovidethesolutionwhichwillminimizetheadministrativeeffectandwillbeeasytomanagebyeachITadministrator.Pleaseprovidethesolutions.1)Multipletenantswithmultiplesubscriptions2)Multipleregiondeployment3)Onetenantwithmultiplesubscriptions4)Multipleresourcegroups

Ans:3.Wewillchooseonetenantwithmultiplesubscriptionswhichhelpstoseparatetheresourcesanditsbillingandalsotheadministrativetaskto


reducetheadministrativeworkloads.

Q23.Yourorganizationhasmultipleoffices,andeverymonth,youplantogenerateseveralbillingreportsfromtheAzureportal.Everyreportcontainstheresourcesofeachsubscription.Whatisthefeatureyouwillusebeforegeneratingthereport?1)Azurepolicy2)Tags3)Costmanagement4)Cloudyn

Ans:2.Wewillusethetagsbeforegeneratingthereports,whichwillhelpustoprovidetheexpectedreportsdepartmentwise.

Q24.Youhavemultiplevirtualmachines,andnowyourcustomerwantstomovethevirtualmachinefromonesubscriptiontoanothersubscription.Howcanyouprocessthisrequest?1)Gotoresourcesgroup,andclickonMove.2)Fromthevirtualmachine,wecangotomove.3)UsingPowerShell,wecandothat.4)Willusethird-partytools.

Ans:1.Wewillgotoresourcesgroup,andclickonMoveandselectthesubscriptiontomovetheresourcestoanothersubscription.

Q25.Youhavemultiplevirtualmachinesandthebackuphasbeenconfiguredinallthevirtualmachines.Now,yourcustomerwantstounderstandthebackupprocessandwantstoshowthereporttohighermanagement.Whatisthesolutionyouwillpropose?1)Gotobackupreport.2)Fromthevirtualmachine,wecangotomove.3)UsingPowerShell,wecandothat.4)Willusethird-partytools.

Ans:1.Wewillgotobackupreportandconfigureit,whichwillhelpustoprovidethedataandwecanextractitinthePPTformatforpresentation.

Q26.Youarethenetworkadministratorofyoursubscriptionandthecustomerhasmorethan50VNet.Now,thecustomerwantstoenable


theVNetpeeringbetweenVNetProd-to-VNetDevtoenablethecommunicationbetweenboththeVNetresources.Whatisthesolutionyouwillpropose?1)EnableVnet-to-VNetconnection2)ConfiguretheVNetpeering3)Site-to-siteVPN4)PointtositeVPN

Ans:2.WewillconfiguretheVnet-to-VNetpeeringbetweenboththeVNets,whichallowsthecommunicationbetweenboththeVNets.

Q27.YouarethenetworkadministratorofyoursubscriptionandthecustomerwantstoconfiguretheAzureEXPRESSROUTEconnectivityon-premisestoAzure.ThecustomerhasdecidedtheISP,andtheISPhasconfiguredtheon-premisesconnectivity.Now,youwanttoconfigureit.WhatistheserviceyoucancreatetoconfiguretheEXPRESSROUTE?1)VNet2)VNetgateway3)Site-to-siteVPN4)Expressroutecircuit

Ans:4.WewillcreatetheExpressroutecircuittoconfiguretheExpressrouteconnectivity.Then,weneedtoconfiguretheVNetgatewayforconnectivity.

Q28.Youhave100virtualmachinesinyoursubscription,andthereare20virtualmachinesinproductionenvironments.Now,yourmanagerwantstoenablethealertsandwheneveryourVMsreboots,deallocates,youshouldgetanalert.Whatisthesolutionyouwillpropose?1)Wewillcreatetherule.2)WewillconfigurewiththeAzurepolicy.3)Wewillcreatetworulesandoneactiongroupfrommonitoring.4)Wewillsetupalerts.

Ans:3.Wewillcreatetworulesandoneactiongroupfrommonitoring.OneruletostopdeallocationandanotherruletoreboottheVM.Wewillbe


associatedwithoneactiongrouptoconfigurethealerts.

Q29.Youhave20virtualmachinesinyoursubscriptionandthecustomerhasreportedthatfewofthevirtualmachinesarenotconnectingtotheapplication,andthecustomerwantstofixtheissueonpriority.Whichtoolwillyouusetofixtheissue?1)Networkperformancemonitor2)Applicationinsight3)Webloganalytics4)Networkwatcher

Ans:4.Wewillusethenetworkwatchertool,whichwillhelptoidentifytheissueoftheserversandhelptofixtheissuequickly.ItwillalsoprovidetheinputontrafficflowwithinAzure.

Bestwishesforyourexam!


Index

AActiveDirectoryFederationServices(ADFS)16AZ-104exampreparationguideline294registration296-298tips294-296

AzCopyabout105used,forcopyingdata105-107

AzureADbulkuser,creating2,3group,creating4-6passwordwriteback,enablingfrom26-29user,creating4

AzureADauthenticationconfiguring,forAzurestorageaccount103-105

AzureADConnectabout16downloadlink17features16installing17managing24pre-requisites17-23

AzureADjoinabout12scenarios12

Azurealertsconfiguring257-260settingup257-260

Azureapplicationgateway210,212-219Azureapplicationgateway,featuresautoscaling211multiple-sitehosting211redirection211securesocketlayer(SSL/TLS)termination210sessionaffinity211staticVIP211URL-basedrouting211webapplicationfirewall211zoneredundancy211

Azureappservicesabout164


backup172-174configuring167-170creating167-170plan164,166,167security171,172usage164,165

AzureARMtemplateabout139,140deploying145,146modifying140-145

Azurebackendpool207,208Azurebackupabout272vault,creating272,273

Azurebackupoperations283,284Azurebackuppolicy275-277Azurebackupreport278-281AzureBastionservicesconfiguring238creating,inAzure239-241deploying238features238

AzureBlobstorageconfiguring96-98

AzureContainerabout150creating150-153usage150

Azurecostmanagement56-58Azuredataboxabout102scenarios102,103

Azurediskencryptionconfiguring133-136

AzureDNSabout200creating201,202domainregistrar201domainsandzones200record,creating203,204zone200zonedelegation200

AzureFileshareabout110configuring110-113creating110-113

AzureFilesyncconfiguring113,114group115,116troubleshooting117


Azurefirewallconfiguring234,235creating235deploying234,235rule,configuring236rule,creating237,238

Azurefreesubscriptioncreating49-53

Azureinternalloadbalancer205,206AzureKubernetesabout154creating154-161

Azureloadbalancerabout204externalloadbalancer204internalloadbalancer204

AzureLogAnalytics264AzureMetrics261AzureMonitor256AzureMonitor,datatypesactivitylogs257applicationmonitoringdata256guestOSmonitoringdata256resourcemonitoringdata256subscriptionmonitoringdata256tenantmonitoringdata256

AzureNetworkWatcherabout246services,implementing246topology247

Azurepolicyassignment61-64configuring61-64creating61-64

Azurequotaabout65types65

Azureresourcegroup55Azureresourcegroupmanager56AzureResourceManager(ARM)40Azureresourcetagabout65usage66

Azureroutetableabout232configuring232-234

AzureServiceHealthabout261healthalerts262plannedmaintenance261


resourcehealth261Azuresiterecoveryused,forsite-to-siterecovery286-290

Azuresite-to-siteVPNabout188connection,creating190-193requirementlist189

Azurestorageaccountabout76accesskey,managing86configuring79-82creating79-82datastructure76importandexportjob96importandexportjob,creating98-102networkaccess,configuring86-88used,forconfiguringAzureADauthentication103-105

Azurestorageaccount,typesBlobstorageaccount77generalpurposeV177generalpurposeV278premiumstorageaccounts78

Azurestorageexplorerconfiguring89-92installing89-92

Azurestoragereplicationgeoredundantstorage(GRS)83implementing83,84locallyredundantstorage(LRS)account83read-onlygeo-redundantstorage(GRS)83zoneredundantstorage(ZRS)83

Azuresubscriptionabout46types46

Azuresubscriptionpolicy60Azuresubscriptionsupportplanabout48Azuredevelopersupport48Azuretenant49professionaldirectsupport48standardsupport49

Azuretrafficmanagerabout219-221features219

Azurevirtualmachineabout120scaleset,creating130-133

Azurevirtualnetworkabout178components178


creating179-181Azurevirtualnetworkgatewayabout185,187,188configuring185pre-requisites185

AzureVMssoftdelete,usingforrecovery284-286

AzureVMsbackupconfiguring273,274restoration281-283

AzureVNetpeering181-184AzureVNetpeering,typesGlobalVNetpeering181VNetpeering181

Azureworkspacecreating265-267

Bbillingcontainers46Blobstorageaccount77archivestorage77coolstorage77hotstorage77

budgetalertsconfiguring58-60

bulkusercreating,inAzureAD2,3

BusinesstoBusiness(B2B)7BusinesstoCustomer(B2C)7

Ccustomdomainconfiguring170,171

Ddatacopying,withAzCopy105-107

diagnosticlogsabout262setting,enabling262-264

EEnterpriseAgreement(EA)subscriptionabout47accounts47


departments47enterprise47subscription47

ExpressRouteconfiguring196,197connection195,196

Ffront-endIPconfiguration207

Gglobaladministratorpermission54,55groupcreating,inAzureAD4-6

groupmanagement6,7guestusermanagement7-9GZRS-zoneredundant78

Hhealthprobe208-210hybridconnectivity16

IIPflowverifying249

LLinuxVMscreating130

localareanetworkgateway189,190logsearchqueryfunctionsutilizing267-269

Mmanagementgroupconfiguring71-74creating71-74

Nnetworkperformancemonitor250-253networksecuritygroupabout226,227


association230,231effectiverules242inboundrule226inboundrule,creating228,229outboundrule226

nexthop250

Oon-premisesconnectivitymonitoring247,248

Ppasswordsync31passwordwritebackabout25enabling,fromAzureAD26-29enabling,fromportal29,30features25

portalpasswordwriteback,enablingfrom29,30

privateIPaddressesconfiguring224-226

publicIPaddressesconfiguring224-226

RRBACaccessconfiguring35subscription,withRBACpolicy35,36

RBACcustomroleabout40contributor35creating40-43owner34reader35useraccessadministrator35

RBACpolicyabout34used,forresourceaccess39,40used,forresourcegroupaccess37,38

read-accessgeo-zone-redundantstorage(RA-GZRS)78RemoteDesktopProtocol(RDP)122resourceaccesswithRBACpolicy39,40

resourcegroupaccessing,withRBACpolicy37,38


movement,toanotherresourcegroup68,69removing70,71

resourcelockabout67,68configuring66types66

role-basedaccesscontrol(RBAC)34

SSecureShell(SSH)122SecureSocketLayer(SSL)172self-servicepasswordreset10-12sharedaccesssignaturegenerating85managing85

singlesign-on(SSO)16softdeleteusing,torecoverAzureVMs284-286

Stock-keeping-Unit(SKU),typesbasicSKU204standardSKU205

TTransmissionControlProtocol(TCP)204TransportLayerSecurity(TLS)172

Uusercreating,inAzureAD4

UserDatagramProtocol(UDP)204

VVirtualHardDisk(VHD)76virtualmachine(VM)about39components120pre-requisites120-124redeploying136,137

VNetgatewaytypeexpressroute186VNet186

VNet-to-VNetconnectivitycreating193-195

VPNtypepolicy-based186


route-based186

WWindowsvirtualmachinecreating124-129


Documents

Microsoft Azure Administrator Exam Prep (AZ-104)