Microsoft Azure Administrator Exam Prep (AZ-104)
Make Your Career with Microsoft Azure Platform Using Azure Administered Exam Prep
Lalit Rawat
www.bpbonline.com
FIRST EDITION 2021
Copyright © BPB Publications, India
ISBN: 978-93-89898-767
All Rights Reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means or stored in a database or retrieval system, without the prior written permission of the publisher with the exception to the program listings which may be entered, stored and executed in a computer system, but they cannot be reproduced by the means of publication, photocopy, recording, or by any electronic and mechanical means.

LIMITS OF LIABILITY AND DISCLAIMER OF WARRANTY
The information contained in this book is true to correct and the best of author’s and publisher’s knowledge. The author has made every effort to ensure the accuracy of these publications, but publisher cannot be held responsible for any loss or damage arising from any information in this book. All trademarks referred to in the book are acknowledged as properties of their respective owners but BPB Publications cannot guarantee the accuracy of this information.
Published by Manish Jain for BPB Publications, 20 Ansari Road, Darya Ganj, New Delhi-110002 and Printed by him at Repro India Ltd, Mumbai
Dedicated to
Narendra Kumar Rawat and Narmada Rawat
To my Parents: Thank you for your unconditional support in any and every situation. Thanks for your blessings and support.
Radhika and Mayra Rawat
My daughters who have made my life easy!
About the Author
Lalit is a Cloud Architect, Azure MVP, MCT, and author of the ‘Azure Interview Q and A’ book. He likes to share his knowledge through his blog (https://azure4you.com/) and share his technical skills in a wider community like Azure Talk, Local Meetup Group, and so on. He has written several articles on Microsoft Azure and changed many lives through his articles and his hands-on training programs and workshops.
He is a speaker and has delivered sessions on big platforms, including MS Global Bootcamp, Local user group, Expert Live India, and other events.
Moreover, and to his credit, he has delivered 500+ training sessions to professionals worldwide in Microsoft Azure technologies and other technologies, including SCOM and Windows Server. He has also provided instructor-led online training and hands-on workshops.
His technical prowess and capability of exploring new frontiers of technology and imparting them to his aspiring team members is his trademark. His execution is priceless and bringing forth his approach will help you realize your dreams, goals, and aspirations into reality.
About the Reviewers
Gaurav Aroraa is a serial entrepreneur and start-up mentor. He has done an MPhil in computer science. He is a Microsoft MVP award recipient. He is a lifetime member of the Computer Society of India (CSI) and an advisory member and senior mentor at IndiaMentor. He is certified as a Scrum trainer and coach, ITIL-F certified, and PRINCE-F and PRINCE-P certified. He is an open source developer and contributor to the community.

Pulakesh Mahanta is a technology addict and always feels happy when he learns new things, explores new technology, or shares personal IT experience. His career started as a desktop engineer way back in 2007 and he worked as a System Administrator for more than 6 years. For the last 5 years, he has been working on public cloud. He is a Microsoft Azure and AWS Certified Architect having extensive experience in data center design, implementation, consolidation, and migration. He believes in automation and integration of the new cloud digital platform. He is highly skilled in the new digital platform which also demands EUC (End User Experience) such as AWS Workspace and AppStream, Citrix VDI, Azure WVD (Windows Virtual Desktop), Self-Bot, and so on.

Arun Pachehra is a certified Azure Architect and has more than 11 years of industry experience. He is currently working with one of the best cloud service providers in the world which deals with all kinds of public and private clouds. He has been working with public cloud technologies for more than 5 years. His focus areas include cloud consulting, architecture, designing, and migration. He comes from a Windows background; hence, Azure is always welcoming. However, he is always exploring and learning new things. He has also completed the AWS certification, and nowadays, he is exploring the modernization of application with Docker, Kubernetes, and DevOps. He is well versed in IAC via Terraform. He believes in knowledge sharing and also hosts technical blogs and YouTube channels.
Acknowledgement
There are a few people I would like to thank for the continued and ongoing support they have given me during the writing of this book. First and foremost, I would like to thank my wife, Punita Rawat, and two daughters, Radhika and Mayra, for putting up with me while I was spending many weekends and evenings on writing. I could have never completed this book without their support.
This book wouldn’t have happened if I hadn’t got the support from my family, followers, friends, and so on. My gratitude goes to the AzureTalk core team, especially Niraj Kumar, for providing valuable insights into some of the new features and providing mentorship and guidance.
I would like to thank Gaurav Aroraa for his wonderful support, guidance and helping me while writing the Azure Administrator book.
Thank you, Deepak Rajendran Sir, for providing your guidance to do something new and contribute more and more.
Finally, I would like to thank Gaurav and BPB Publications for giving me this opportunity to write my first book for them.
Preface
Microsoft Azure is a platform where you can start your journey of cloud learning. In this book, Azure Administration (AZ-104), we have explained the day-to-day tasks which you can take up to learn about Azure administration. We have explained Azure core concepts and added lab-based scenarios, which will help you clear the core concepts of Microsoft Azure. We have included approx. 60 to 70 questions which will help you check your knowledge and provide a glimpse of the Azure administration exam questions. This will help you prepare for your Azure administration exam.

In this book, we have explained how to use the Azure Active Directory and create users in the Azure subscription. We have also explained the Azure storage account, networking components like Azure VNet and Subnet, and how to implement the network security group to restrict the traffic to secure the Azure environments. We have also explained load balancing mechanics to load balance your application. We have also explained the Azure role-based access control, which will help you fine-grain the Azure subscription access. We have defined the Azure subscription usage and how to save cost through cost management. In this book, you will also learn how to create WebApps and Azure container/Kubernetes services, a top trending subject in the market today. We have also covered hybrid connectivity using the site-to-site connection and ExpressRoute. We have explained the components used to create the Azure virtual machine.

Once you have all of the Azure resources, Azure monitoring is also important to monitor them. We have explained and provided step-by-step solutions for Azure Monitor to clear your Azure monitoring concepts. We have explained how to analyze the Azure resources, etc.

The primary goal of this book is to provide information and skills that are necessary to build and deploy the Azure infrastructure in your own environment. This book contains real-life examples that will show you how to clear the Azure Administration exam as well as how to integrate an on-premises environment to Azure. You will learn the following topics in this book:
Chapter 1 Managing Azure AD Objects, introduces the Azure AD object and discusses how to create users in Azure AD, group, and so on, which will help you understand the Azure AD. This will help you in the exam as well.

Chapter 2 Implementing and Managing Hybrid Identities, discusses the Azure AD connect and how to connect on-premises AD to Azure AD and sync the users. It provides the step-by-step instructions using an actual screenshot from an Azure lab environment.

Chapter 3 Managing Role Assignments Through the RBAC Policy, discusses the Azure role-based access to control how to manage the access in the Azure subscription and defines the access level in your organization.

Chapter 4 Managing Azure Subscription and Resource Management, explains the Azure subscription and its type. It also discusses how to manage the Azure subscription and reduce the cost of your subscription.

Chapter 5 Managing and Configuring of Azure Storage Accounts, discusses, in depth, what an Azure storage account is and how to use it. It helps users to allow them to save their own data in an Azure storage account and manage the data. It also discusses how to connect the Azure storage account using the Azure Storage Explorer.

Chapter 6 Manage Data in AZURE Storage, describes how to manage the data and migrate the petabytes of the data using the Azure export and import services. It discusses the Azure databox and Azure AzCopy command-line utility to move the data from on-premise to the Azure storage account or one storage account to another.

Chapter 7 The Azure File Share, introduces the Azure file share, which is designed to integrate your on-premises systems to migrate the files to Azure automatically using the Azure file sync. It explains the core concepts of the Azure file share and how to connect to your on-premises servers.

Chapter 8 Creating and Configuring of Azure VMs, describes how to create the Azure virtual machine, explains its components, and how to configure it. It provides examples with Windows/Linux OS.

Chapter 9 Automating Deployment of VMs, describes how to create the VM automatically using the Azure ARM template.

Chapter 10 Creating and Configuring Container, describes how to create containers and configure them in Azure subscriptions.

Chapter 11 Creating and Configuring Web Apps, describes how to create and configure Azure Web Apps. It describes the App services, App services plan, and so on.

Chapter 12 Configuring Virtual Networking and Integrating On-Premises to Azure Network, discusses how to configure virtual networking and integrate an on-premises to the Azure network. It explains Azure Vnet and configures Vnet-to-Vnet peering.

Chapter 13 Configuring Load Balancing Securing Access to Virtual Networks, discusses how to configure Azure load balancing and provides the Azure load balancer, Application gateway, and DNS services.

Chapter 14 Securing Access to Virtual Networks, discusses how to secure access to virtual networks using the Azure network security group and an Azure firewall. It explains Azure Bastion services.

Chapter 15 Monitoring and Troubleshooting of Virtual Networking, discusses how to monitor and troubleshoot virtual networking using the Azure network watcher.

Chapter 16 Analyzing Resource Utilization and Consumption, discusses how to analyze resource utilization using the Azure monitor and explains analyzing metrics across subscription and services health.

Chapter 17 Implementation of Azure Backup and Disaster Recovery, discusses how to implement Azure backup and protect the Azure VMs from accidental deletion. It explains how to perform the Azure backup and restoration process.

Chapter 18 Exam Preparation Guidelines and Assessment Based on Live Questions, describes exam preparation guidelines and assessments based on live questions which will help you in your exam preparation. It covers more than 70 questions, which includes the scenario-based questions as well.
Downloading the coloured images:
Please follow the link to download the Coloured Images of the book:
https://rebrand.ly/z8zq95n
Errata
We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content to provide with an indulging reading experience to our subscribers. Our readers are our mirrors, and we use their inputs to reflect and improve upon human errors, if any, that may have occurred during the publishing processes involved. To let us maintain the quality and help us reach out to any readers who might be having difficulties due to any unforeseen errors, please write to us at: [email protected]
Your support, suggestions and feedbacks are highly appreciated by the BPB Publications’ Family.
BPB is searching for authors like you
If you're interested in becoming an author for BPB, please visit www.bpbonline.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

The code bundle for the book is also hosted on GitHub at https://github.com/bpbpublications/Microsoft-Azure-Administrator-Exam-Prep-AZ-104. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/bpbpublications. Check them out!
Table of Contents

1. Managing Azure AD Objects
    Structure
    Objectives
    Bulk user creation
    User creation
    Group creation
    Group management
    Guest user management
    Self-service password reset
    Azure AD join
    Conclusion
    References

2. Implementing and Managing Hybrid Identities
    Structure
    Objectives
    Azure AD Connect
    Azure AD Connect installation
    Pre-requisites
    Manage Azure AD Connect
    Password writeback
    Enabling the password writeback from the Azure AD
    Enabling password writeback from the portal
    Password sync
    Conclusion
    References

3. Managing Role Assignments Through the RBAC Policy
    Structure
    Objective
    Role-based access control (RBAC)
    RBAC access configuration
    Subscription access using the RBAC policy
    Resource group access using the RBAC policy
    Resource access using the RBAC policy
    Custom RBAC role
    Creating the custom role
    Conclusion
    References

4. Managing Azure Subscription and Resource Management
    Structure
    Objective
    Azure subscriptions
    Enterprise agreement subscription
    Enterprise
    Departments
    Accounts
    Subscriptions
    Azure subscriptions support plan
    Azure developer support
    Professional direct support
    Standard support
    Azure tenant
    Creating a free Azure subscription
    Global administrator permission
    Resources group
    Azure resource group manager
    Cost management
    Configuration of the budget alerts
    Azure subscription policy
    Azure policy creation, configuration, and assignment
    Azure quota
    Resource tag
    Usage of the resource tag
    Configuration of a resource lock
    Resources movement from one resource group to another
    Removing a resource group
    Creating and configuring the management groups
    Conclusion
    References

5. Managing and Configuring of Azure Storage Accounts
    Structure
    Objective
    Azure storage account
    Azure storage account creation and configuration
    Implement Azure storage replication
    Generate and manage the shared access signature
    Managing the storage account access key
    Configure network access to the storage account
    Installation and configuration of the storage explorer
    Conclusion
    References

6. Manage Data in AZURE Storage
    Structure
    Objectives
    Import and export jobs in Azure
    Configuring Azure Blob storage
    Creating the import and export job in Azure Storage
    Azure databox
    Configuring Azure AD authentication for a storage account
    Copying data using AzCopy
    Conclusion
    References

7. The Azure File Share
    Structure
    Objectives
    Azure File share
    Creating and configuring the Azure File share
    Configuration of Azure File sync
    Azure File Sync group
    Azure File sync troubleshooting
    Conclusion
    References

8. Creating and Configuring of Azure VMs
    Structure
    Objectives
    Azure virtual machine
    Virtual machine components
    Pre-requisites
    Creating a Windows virtual machine
    Creating Linux VMs
    Azure virtual machine scale set creation
    Configure Azure disk encryption
    Redeploy a VM
    Conclusion
    References

9. Automating Deployment of VMs
    Structure
    Objectives
    Azure ARM template
    Modifying the ARM template
    Template deployments
    Conclusion
    References

10. Creating and Configuring Container
    Structure
    Objective
    Azure Container
    Use of an Azure Container
    Create a container
    Azure Kubernetes
    Create Azure Kubernetes
    Conclusion
    References

11. Creating and Configuring Web Apps
    Structure
    Objectives
    App service
    App services plan
    Create and configure the app service
    Custom domain configuration
    App services security
    App services backup
    Conclusion
    References

12. Configuring Virtual Networking and Integrating On-Premises to Azure Network
    Structure
    Objectives
    Azure virtual network
    Azure virtual network creation
    Azure VNet peering
    Virtual network gateway
    Site-to-site VPN
    Site-to-site VPN connection creation
    VNet-to-VNet connectivity creation
    ExpressRoute connection
    ExpressRoute configuration
    Conclusion
    References

13. Configuring Load Balancing
    Structure
    Objectives
    Azure DNS
    Azure DNS creation
    Azure DNS record creation
    Azure load balancer
    Azure internal load balancer
    Front-end IP configuration
    Azure backend pool
    Health probes
    Application gateway
    Azure traffic manager
    Conclusion
    References

14. Securing Access to Virtual Networks
    Structure
    Objectives
    Configuration of private and public IP addresses
    Network security group
    Network security group association
    Route table
    Configure and deploy the Azure firewall
    Configure and deploy Azure Bastion services
    Evaluate effective security rules
    Conclusion
    References

15. Monitoring and Troubleshooting of Virtual Networking
    Structure
    Objectives
    Network watcher
    Network watcher topology
    Monitor on-premises connectivity
    IP flow verify
    Next hop
    Network performance monitor
    Conclusion
    References

16. Analyzing Resource Utilization and Consumption
    Structure
    Objectives
    Azure Monitor
    Setup and configuration of Azure alerts
    Azure Metrics
    Azure Services Health
    Diagnostic logs
    Enabling the diagnostic settings
    Azure Log Analytics
    Create the Azure workspace
    Utilize log search query functions
    Conclusion
    References

17. Implementation of Azure Backup and Disaster Recovery
    Structure
    Objectives
    Azure backup
    Azure backup vault creation
    Azure VMs backup configuration
    Azure backup policy
    Azure backup report
    Azure restoration of VMs
    Azure backup operation details
    Use soft delete to recover Azure VMs
    Site-to-site recovery by using Azure site recovery
    Conclusion
    References

18. Exam Preparation Guidelines and Assessment Based on Live Questions
    Exam preparation guidelines
    AZ-104 exam tips
    Exam registration
    Dummy objective exam questions
    Dummy scenario-based exam questions

Index
CHAPTER 1
Managing Azure AD Objects

This book will cover all the AZ-104 exam prospective study material which will help you to clear the exam. We will provide additional information in this chapter which will cover various topics and help you get an understanding of the topics in detail. These chapters will help you understand the Azure environments easily and help you clear the AZ-104 exam.

Structure
The following topics will be covered in this chapter:

- Bulk user creation
- User creation
- Group creation
- Group management
- Guest user management
- Self-service password reset
- Azure AD Join

Objectives
In this chapter, we will explain the bulk user creation in Azure AD and group creation and management. We will discuss how to provide access to guest users and how to manage guest users. We will cover how the users can reset their passwords using the self-service password and add the devices in Azure AD using the Azure AD join tool.
Bulk user creation
Bulk user creation helps your organization complete the onboarding process sooner, whether you are creating accounts for users who have just joined your organization or for existing users in Azure. It reduces administrative work. To create users, individually or in bulk, in Azure environments, you need user administrator access in the Azure Active Directory.
Let us try and create bulk users in Azure AD. Follow the given steps to create the bulk users:

1. Go to Azure Active Directory.
2. Select the Users and click on All users.
3. Click on Bulk Create.

Take a look at the following screenshot for bulk user creation:

Figure 1.1: Bulk User Creation

4. When you click on bulk create, it will ask you to download the CSV file.
5. Fill in the following details:

- Provide the name, last name, and username.
- Provide the initial password and block sign-in (Yes/No), which is a mandatory field.
- Provide the department and user location.
- Provide the job title and country code.
- Provide the official phone number, mobile number, and so on.

6. You have to put all the details in a single line as per the .csv file. I have changed the column to show you the properties of the CSV file. Take a look at the following screenshot for bulk user creation details:

Figure 1.2: Bulk user creation details

7. Once you fill in all the details and upload the .csv file, click on Submit. It will start processing the user creation. It will take some time to create the users, and you can see all those users under the Users tab. Refer to the following screenshot:

Figure 1.3: Bulk user creation Submit
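
As an added example (not from the book or its code bundle), the following Python script lints a bulk-create CSV before it is uploaded in step 7, checking the mandatory fields from step 5, the block sign-in value, the sign-in name's domain, duplicate usernames and reused initial passwords. The column names, the sample rows and the allowed-domain list are assumptions made for illustration; map the column names to the header row of the template you download from the portal.

```python
import csv
import io
from collections import Counter

# Simplified column names assumed for this example. The template downloaded
# from the portal defines the real header row; map these names to it.
REQUIRED = ("name", "username", "initial_password", "block_sign_in")

# Constructed sample data (not real accounts), with deliberate mistakes.
SAMPLE_CSV = """name,last_name,username,initial_password,block_sign_in,department,job_title
Asha Rao,Rao,asha.rao@contoso.example,Xk7#pLm2qv,No,Finance,Analyst
Ben Cole,Cole,ben.cole@contoso.example,Welcome@123,No,Finance,Analyst
Cara Diaz,Diaz,cara.diaz@gmail.example,Welcome@123,no,IT,Engineer
Dev Shah,Shah,asha.rao@contoso.example,,Maybe,IT,Engineer
"""


def _cell(row, key):
    """Return a trimmed cell value, treating a missing column as empty."""
    return (row.get(key) or "").strip()


def lint_bulk_users(csv_text, allowed_domains, min_password_len=8):
    """Check each data row and return (line_number, username, problem) tuples.

    allowed_domains: domains the new sign-in names are expected to use
    (assumption: supplied by the caller; nothing is looked up in Azure AD).
    min_password_len: local threshold for this check; adjust to your policy.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    allowed = {d.lower() for d in allowed_domains}
    # Count how often each non-empty initial password appears in the file.
    pw_counts = Counter(
        p for p in (_cell(r, "initial_password") for r in rows) if p
    )
    seen = set()
    findings = []

    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        user = _cell(row, "username")
        key = user.lower()

        def report(problem):
            findings.append((line_no, user, problem))

        # Mandatory fields must not be empty.
        for field in REQUIRED:
            if not _cell(row, field):
                report("missing:" + field)

        # Block sign-in accepts only Yes or No.
        flag = _cell(row, "block_sign_in")
        if flag and flag.lower() not in ("yes", "no"):
            report("bad_block_sign_in")

        # Sign-in name must be user@domain with an expected domain, and unique.
        if user:
            local, at, domain = key.rpartition("@")
            if not (at and local and domain):
                report("username_not_user@domain")
            elif domain not in allowed:
                report("domain_not_allowed")
            if key in seen:
                report("duplicate_username")
            seen.add(key)

        # Initial passwords should be long enough and not shared between rows.
        password = _cell(row, "initial_password")
        if password:
            if len(password) < min_password_len:
                report("short_password")
            if pw_counts[password] > 1:
                report("shared_password")
    return findings


if __name__ == "__main__":
    for finding in lint_bulk_users(SAMPLE_CSV, ["contoso.example"]):
        print(finding)
```

The file carries every new user's initial password in clear text, so handle it as a secret and delete it once the upload has been processed.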
User creation
In the bulk user creation section, I explained how to create users in bulk. If you want to create an individual user instead, follow the given steps:

1. Go to Azure Active Directory.
2. Select the Users and click on All users.
3. Click on the New user.
4. Enter the Username.
5. Provide the Name, First name, and Last name.
6. You can also provide the department number, location, and Job title.
7. Once you provide all the preceding details, click on Create and your users will be created.

Refer to the following screenshot for more details:

Figure 1.4: User creation
Group creation
If you would like to create the Azure AD group, then follow the given steps to create the Azure user’s group:

1. Click on the Azure AD.
2. Select the groups from the Manage tab.
3. Select All groups.
4. Click on the New group.

Please take a look at the following screenshot:

Figure 1.5: Group creation

5. When you click on group creation, select one of the following group types, Security or O365:

- Security Group: It helps to manage users and computer access to shared resources for a specific group.
- O365 Group: Using this group, we can provide access to users for a shared mailbox, calendar, files, SharePoint site, and so on.

6. You can assign the owner to the group administrator and then click on the membership.
7. When you click on the membership, it will ask you to select as per the given details:

- Assigned: The administrator will add specific users to the group.
- Dynamic user: It uses dynamic membership rules to add users to the group automatically.
- Dynamic device: It uses the dynamic group rules to add and remove the devices automatically.

8. Please select the assigned member as default as shown in the following screenshot:

Figure 1.6: Group creation details

9. Once you click on create, your groups will be created successfully.

Let us see how to manage the group and its properties.
Group management
Perform the following steps:

1. Once the group is created, you can click on the group and see the properties of the group like membership type, source ID, and so on.

Figure 1.7: Group management

2. Based on the requirements, users can change the group.
3. Click on the Members tab and add the new members.
4. Please click on the Owners tab and add the multiple owners.
5. You can assign the application and see the Azure resources which have been accessed by these group members.
6. You can see the application accessed by this group and manage it.

In this section, we discussed the Azure group creation and learned how to manage the groups. We explained the Azure security group and O365 group. We also discussed group management. Refer to the following screenshot for more details:

Figure 1.8: Group management general settings
Guest user management
Azure AD supports the Business to Customer (B2C) and Business to Business (B2B) users where we can allow customers to have access to our Azure AD. The customer ID can be their organization ID, Outlook, Facebook, LinkedIn, Amazon, Gmail ID, and so on. You can invite those users as guests and provide access as a request to perform the task. If you want to invite guests, the user should have the user administrator role assigned to him to invite the guest users.
Let us see how to invite guest users. Please follow the given steps:

- Go to Azure AD and click on All users.
- In the right pane, click on New guest user.

Please take a look at the following screenshot:

Figure 1.9: Guest user access

- Select the Invite user.
- Provide the name and email ID of the user you want to invite. The rest of the fields are optional. You can then click on Invite.

Now, you will be able to invite all the B2B and B2C users. Please take a look at the following screenshot:

Figure 1.10: Guest User Access Invite
Self-service password reset
Azure self-service password reset will help users to reset their password without the help of a help desk administrator. If the user account is locked or if the password expires, the user can unlock/reset the password using a self-service password reset.
If you want to configure the self-service password reset, you should have global administrator rights in Azure AD. Please follow the given steps to configure the self-service password reset:

1. Please go to your Azure AD.
2. Click on the Password reset tab.
3. Select the users, either All or the selected one. If you click on selected users, it will ask you to choose the group name.
4. Once you are done with this, please click on the Save button as shown in the following screenshot:

Figure 1.11: Password reset

Please go to Authentication method and follow the given steps:

1. Please select the authentication method as 1 or 2 as per the following methods:

- Mobile app code
- Email
- Phone - SMS only
- Mobile app notification
- Office phone
- Security question

2. Once you select the preceding method, your user will be able to reset the password using the multifactor authentication.

Refer to the following screenshot:

Figure 1.12: Authentication method

Once you configure this, you can go to https://passwordreset.microsoftonline.com to reset the password. Then, follow the given steps:

1. Please provide your user ID.
2. Enter the characters as per the image and click on the next as shown in the following screenshot.
3. Now, you will be able to reset the password.

Figure 1.13: Password reset method
Azure AD join
Azure AD join provides the feature to register your mobile, laptop, and other devices to Azure AD with respect to the size of the device or industry. Azure AD join works in hybrid environments as well. It enables access to both cloud and on-premises apps. If you want to manage and configure the Azure AD join, then you have to use the MDM and Intune solution which requires an Azure AD P2 license. We can use the Azure AD join in the following few scenarios:

- Windows deployment for your owned devices.
- Access to organizational apps and resources from your device.
- Cloud-based management of owned devices.
- To configure the user sign in to their devices with Azure AD or synced Azure AD work or school accounts.

Conclusion
In this chapter, we discussed how to create bulk users and group management. We explained how to invite guest users and how to manage them using Azure AD. We also explained Azure AD join and learned how to set up the self-service password reset.
In the next chapter, we will discuss Azure AD connect and its installation. We will also discuss how to manage Azure AD connect and learn how to manage the passwords of users and enable the password writeback.

References

- Create a basic group and add members using Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal
- Azure Active Directory B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview
- Guest user access in Azure Active Directory B2B: https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b
- Add or update a user's profile information using Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
- Assign or remove licenses in the Azure Active Directory portal: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
- Azure AD joined devices: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
- For more details: Azure4you Blog Post: https://azure4you.com/
CHAPTER 2
Implementing and Managing Hybrid Identities

In the previous chapter, we discussed how to create bulk users and group management. We also discussed how to invite the guest users.

In this chapter, we will discuss how to implement and manage hybrid identities. We will also discuss how to install and configure the Azure AD connect and how to configure the federation services with on-premises AD. We will also cover the managed password sync, password writeback, and so on.

Structure
The following topics will be covered in this chapter:

- Azure AD Connect
- Azure AD Connect installation
- Manage Azure AD Connect
- Password writeback
- Password sync

Objectives
In this chapter, we will discuss Azure AD Connect and see how to configure and sync the on-premises identity to Azure AD. We will explain the password writeback and password sync that will help to sync the password Azure to on-premises.
Azure AD Connect
The Azure AD Connect service can be used to synchronize your on-premises active directory identities to Azure AD. It helps to connect your on-premises users to Azure and other applications to get authentication with Azure AD. It is called hybrid connectivity.
Integrating the on-premises identity with Azure AD provides the common identity for accessing cloud and on-premises resources. We can use the single identity to access the on-premises and cloud-based applications like Office 365, SharePoint Online, and so on. It provides the following features:

- Password hash synchronization: It provides the single sign-on (SSO) method to synchronize the password of users by synchronizing the password of on-premises users to Azure AD in the hash format.
- Pass-through authentication: It allows users to use the same password of on-premises and cloud for signing into applications. Only the pass-through agent gets installed, and as per the number of authentications per second, we may need more than one agent.
- Federation integration: Federation services can be used to configure the setup of the hybrid environment and SSO while configuring on-premises Active Directory Federation Services (ADFS) which require an additional server.
- Synchronization: It helps to create users, groups, and other objects. It verifies if the identity information of on-premises users and groups match with the cloud identity. It synchronizes password hashes as well.
- Health monitoring: Azure AD Connect Health provides monitoring for Azure AD Connect, and we can see Azure AD Connect health-related information/errors on the Azure portal.

Azure AD Connect services can be installed in a separate server in the on-premises AD and can be tightly integrated with Azure AD after installation and configuration. Azure sync services will sync the on-premise AD component to Azure AD. On-premises and Azure users can use the same credentials to log in to Azure and on-premises. For more details, you can refer to Azure AD Connect, which helps you to understand the components. Please take a look at the following diagram:

Figure 2.1: Azure AD Connect architecture

Azure AD Connect installation
Before you install Azure AD Connect, you need to have the following pre-requisites.

Pre-requisites
You need to have the following pre-requisites; without them, you will not be able to configure Azure AD. The following requirements are mandatory. We can see these properties being asked for during configuration:

You should have an Azure AD service/user account which has global admin rights to configure Azure AD Connect to Azure AD.
You should have an on-premises service/user account which has enterprise admin rights to configure Azure AD Connect to Azure AD.
Please download Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594.
Whenever you configure AD Connect, the domain name should match a public domain name, or else you will get a warning message.

We have created lab environments for demonstration and created the VMs. We have installed AD on this server. You can also try this for testing purposes only. It's not recommended for production, but the steps of the Azure AD configuration can be performed. Please follow the given steps to configure Azure AD Connect:
1. Download Azure AD Connect (https://www.microsoft.com/en-us/download/details.aspx?id=47594), or you can download it from the Azure portal.
2. Click on the AD Connect MSI setup and then click on Install. Please take a look at the following screenshot:
Figure 2.2: Azure AD Connect installation
3. Once you click on the Install option, the installation wizard will open.
4. Please agree to the license terms and policy and click on the Continue button as shown in the following screenshot:
Figure 2.3: Azure AD Connect installation wizard
5. Once done, select Express Settings to configure Azure AD Connect as shown in the following screenshot:
Figure 2.4: Azure AD Connect installation express settings
6. When you click on Use express settings, it will ask you to provide the global administrator credentials which have .onmicrosoft.com in the user ID as shown in the following screenshot. It will connect to Azure AD and verify the credentials before we proceed to the next step as shown in the following screenshot:
Figure 2.5: Azure AD Connect installation connect to Azure AD
7. Provide the service admin credentials which have enterprise admin rights.
8. While providing the credentials, please follow the format domainname.com\userid.
9. Once you provide the credentials, click on the Next button as shown in the following screenshot:
Figure 2.6: Azure AD Connect installation connect to AD DS
10. Then, it will ask you to verify the UPN suffix, but if you are doing this installation in production, then please match the UPN suffix and move forward. Please take a look at the following screenshot:
Figure 2.7: Azure AD Connect AD sign-in configuration
11. Once you click on Next, you are ready for configuration.
12. Start the synchronization process when the configuration is completed. But in production, it's recommended that you start the synchronization process only after the AD Connect installation. Please take a look at the following screenshot:
Figure 2.8: Azure AD Connect ready configuration
13. When you click on Next, first it will verify the connectivity between Azure AD and on-premises. Then, it will configure the connection between Azure AD and on-premises AD.
14. It will install the sync services and verify Azure AD.
15. Now, it will configure Azure AD and update the sync.
16. After that, it will configure the setup to the on-premises domain.
17. After that, it will enable the password hash sync.
18. Now, it will save the sync settings.
19. After that, the final steps will be performed by the AD Connect setup to install and configure the AD Connect Health agent for sync services as shown in the following screenshot:
Figure 2.9: Azure AD Connect configuration
20. Now, the setup has been completed. So, exit from the setup as shown in the following screenshot:
Figure 2.10: Azure AD Connect setup completed

Manage Azure AD Connect
We can manage Azure AD Connect from the portal after installation, and we can see the configuration details of the on-premises AD. Please follow the given steps:

1. Please log in to the Azure portal.
2. Go to Azure AD Connect under the Manage tab and click on Azure AD Connect. You will be able to see that the last sync is Less than 1 hour ago and the sync status has been enabled as shown in the following screenshot:
Figure 2.11: Managing Azure AD
3. We can also set up the Federation, Seamless single sign-on, and Pass-through authentication services.
4. Azure AD health services can be managed from the same portal.
5. Let us check whether the users have been synced to Azure AD or not.
6. We will go to the Users tab and check the on-premises users which are synced from your on-premises AD.
7. Now, in the following screenshot, you can see that the source of the user bpb32 is Windows Server AD, and for Azure AD users, the source is Azure AD:
Figure 2.12: Azure AD user verification

Password writeback
Password writeback will help you to synchronize the password which has been changed in Azure AD to on-premises AD. This feature needs to be enabled from Azure AD Connect and provides the security mechanism to send the password from Azure AD to the on-premises AD. It provides the following features:

Enforcement of on-premises AD password policies: If users reset their passwords, the new password is checked against your on-premises AD policy before it is committed to the directory. This review process includes history, complexity, age, password filters, and other password restrictions which have been defined in your on-premises AD.
Zero-delay feedback: Password writeback is a synchronous operation, and users are notified immediately if their password doesn't meet the password policy or can't be changed for any reason.
Supports password changes from the access panel and Office 365: When federated or password hash synchronized users need to change their expired or non-expired passwords, those passwords are written back to your local AD environment.
Supports password writeback when an admin resets them from the Azure portal: When an admin resets a user's password in the Azure portal, if that user is federated or password hash synchronized, the password is written back to on-premises AD, but this functionality is not supported from the Office admin portal.
Doesn't require any inbound firewall rules: Password writeback uses an Azure service relay as an underlying communication channel, and all communication is outbound over port 443.

Enabling the password writeback from the Azure AD
Perform the following steps:

1. Log in to the on-premises machine where you have installed Azure AD Connect.
2. Open Azure AD Connect, and you will see the welcome wizard.
3. Click on Configure as shown in the following screenshot:
Figure 2.13: Password writeback
4. Click on Customize synchronization options to configure the password writeback. Please take a look at the following screenshot:
Figure 2.14: Customize the sync option
It will ask you to connect to Azure AD and provide the credentials to configure it as shown in the following screenshot:
Figure 2.15: Connect to Azure AD
Now, please select the type of the directory and forest. Click on the Next button as shown in the following screenshot:
Figure 2.16: Connect your directories
Now, you can select Sync all domains and OUs and your domain as well as shown in the following screenshot:
Figure 2.17: Domain and OU filtering
Please select the password writeback and click on the Next button as shown in the following screenshot:
Figure 2.18: Password writeback enable
5. Once you are done with Next, it will verify all the settings and be ready for configuration.
6. Click on the Configure button. It will take a few minutes to complete the sync process and enable the password writeback. Please take a look at the following screenshot:
Figure 2.19: Ready to configure

In this section, we explained and demonstrated how to configure the password writeback. In the next section, we will demonstrate enabling the password writeback from the portal.

Enabling password writeback from the portal
Perform the following steps:

1. For password writeback, we need the Azure AD P1 or P2 license.
2. Go to the portal.
3. Go to Azure AD.
Under the Manage tab, select Password reset as shown in the following screenshot:
Figure 2.20: Password reset
4. In Password reset, under the Manage tab, please select On-premises integration and enable the writeback of passwords to your on-premises directory. Please take a look at the following screenshot:
Figure 2.21: On-premises integration

Password sync
Password sync will be enabled automatically if we select the Azure AD Connect express settings installation. If you choose the custom settings, you can select the password hash sync on the user sign-in page. You can enable it.
Figure 2.22: Password Hash sync

Conclusion
In this chapter, we discussed Azure AD Connect and how to integrate it with on-premises. We covered how to enable the password writeback from Azure as well.
In the next chapter, we will learn about Azure RBAC roles and utilization of the resources and how to apply the different types of RBAC roles using various types of organization policies. We will also cover the Azure RBAC roles and custom Azure RBAC roles.

References
Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
Custom installation of Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom
Implement password hash synchronization with Azure AD Connect sync password: https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
User sign-in with Azure Active Directory Pass-through authentication: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Azure AD Connect and federation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis
For more details, visit: https://azure4you.com/

CHAPTER 3
Managing Role Assignments Through the RBAC Policy

In this chapter, we will discuss Azure role-based access control (RBAC) roles and their utilization of the resources and how to apply the different types of RBAC roles using various types of organization policies. We will also discuss the Azure RBAC roles, custom Azure RBAC roles, and how to apply the Azure RBAC roles using PowerShell, and so on.

Structure
The following topics will be covered in this chapter:

Role-based access control (RBAC)
RBAC access configuration
Custom RBAC role

Objective
We will discuss RBAC implementation in this chapter and see how we can use it in our organization to put controls on anonymous access.

Role-based access control (RBAC)
"Role-based access control helps you to manage and provide access to your resources in a restricted manner."
Let us say that in your organization the support team, application team, DB team, and so on are using the same subscription. If you allow everyone access to the subscription, then some changes might be mistakenly performed by any of the team members. This could result in a disruptive impact on the existing environment/subscription (production or non-production). Hence, thinking of all such scenarios, MS Azure has come up with a solution called the RBAC policy, which helps you to control the access. Let us say you want to allow the DB team to access only DB resources; this is possible only through RBAC. The DB team can only see the DB resources and cannot make changes to other services. So, using RBAC, you can control the access.
As per the MS Azure recommendation, the best practice is to provide least-privilege role access, which gives the user exactly the access he needs. RBAC can be applied to groups, applications or resources, and so on.
For any service, there are built-in RBAC roles defined as shown in the following diagram:
Figure 3.1: Azure RBAC role

Now, let us understand each term:

Owner: The owner will have complete access to all your resources or specific resources, just like the admin of your subscription.
Contributor: The contributor will have the same access as the owner but cannot provide access to resources or at the subscription level. However, he can create and manage the resources.
Reader: In the reader role, a user will have read or view permission on specific resources or subscriptions. However, he is not allowed to change or create any new resources.
User access administrator: The user access administrator will help you to manage user access to Azure resources.

RBAC access configuration
RBAC access can be configured at various levels like Azure resources, Azure subscriptions, and Azure resource groups as well. In this section, we will see how to implement those scenarios using RBAC.

Subscription access using the RBAC policy
We will learn how to provide access to subscriptions as per the organization policy.

1. Go to the Subscription option.
2. Click on Access control (IAM) as highlighted in the following screenshot and select Add role assignment:
Figure 3.2: Add role assignment
3. Once you click on Add role assignment:
    1. Select the Owner, Contributor, or Reader role as per your requirements.
    2. Type and search the user ID for which you want to provide the access as shown in the following screenshot:
Figure 3.3: Role selection
4. When you select all the required details, your screen will look like the following screenshot. Click on the Save button to apply the changes. Once done, the user will be able to log in to the subscription and access the resources:
Figure 3.4: Assigning roles

In this section, we learned how to assign the RBAC roles at the subscription level.

Resource group access using the RBAC policy
We will learn how to provide access to the resource group as per the organization policy.

1. Go to the Resource group option.
2. Click on Access control (IAM) and select Add role assignment as shown in the following screenshot:
Figure 3.5: Resources group role assignment
3. Once you click on Add role assignment:
    1. Select the Owner, Contributor, or Reader role as per your requirements.
    2. Type and search the user ID for which you want to provide the access.
    3. Once you select all the required details, your screen will look like the following screenshot. Click on the Save button to apply the changes.
    4. Once done, the user will be able to see the resource group and the resources which reside in the resource group:
Figure 3.6: Resource group contributor role assignment

In this section, we learned how to assign the RBAC roles at the resource group level.

Resource access using the RBAC policy
We will learn how to provide access to resources like Virtual Machines (VMs), DB, and so on as per the organization policy.

1. Go to the resource for which you would like to provide access, like VM, DB, Web Apps, and so on.
2. Click on Access control (IAM) and select Add role assignment:
Figure 3.7: Resources role assignment
3. When you click on Add role assignment, select the role you want to assign on the resource:
    1. Select the Owner, Contributor, or Reader role as per your requirements.
    2. Type and search the user ID for which you want to provide the access.
    3. Once you select all the required details, your screen will look like the following screenshot. Click on the Save button to apply the changes.
4. Once done, the user will be able to see the resources and access the resources.
Figure 3.8: Role assignment of VM
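
The least-access recommendation and the three assignment levels described above can be checked afterwards by reviewing which role is held at which scope. The following PowerShell is an added example, not code from the book: the function names and the sample records are constructed, and the property names (RoleDefinitionName, Scope, DisplayName, ObjectType) are the ones Get-AzRoleAssignment returns.

```powershell
# Added example: flag privileged roles that are assigned at a broad scope.

function Get-ScopeLevel {
    param([Parameter(Mandatory)][string]$Scope)
    # Azure scopes are paths; the depth of the path tells us the level.
    switch -Regex ($Scope) {
        '^/$'                                                   { return 'Root' }
        '^/providers/Microsoft\.Management/managementGroups/'   { return 'ManagementGroup' }
        '^/subscriptions/[^/]+/?$'                              { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/?$'         { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/' { return 'Resource' }
        default                                                 { return 'Unknown' }
    }
}

function Find-BroadRoleAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Assignment,
        # Roles that can change resources or hand out access.
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator'),
        # Levels at which such a role covers everything below it.
        [string[]]$BroadLevels = @('Root', 'ManagementGroup', 'Subscription')
    )
    process {
        $level = Get-ScopeLevel -Scope $Assignment.Scope
        $isPrivileged = $Assignment.RoleDefinitionName -in $PrivilegedRoles
        if ($isPrivileged -and ($level -in $BroadLevels)) {
            $note = if ($Assignment.ObjectType -eq 'User') {
                'Direct user grant: prefer a group and a narrower scope'
            } else {
                'Check whether a resource group or resource scope is enough'
            }
            [pscustomobject]@{
                Principal  = $Assignment.DisplayName
                ObjectType = $Assignment.ObjectType
                Role       = $Assignment.RoleDefinitionName
                ScopeLevel = $level
                Note       = $note
            }
        }
    }
}

# Constructed sample records (the subscription ID is a dummy value).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ DisplayName = 'DB Team';      ObjectType = 'Group'
                       RoleDefinitionName = 'Contributor'
                       Scope = "$sub/resourceGroups/rg-db" }
    [pscustomobject]@{ DisplayName = 'Support User'; ObjectType = 'User'
                       RoleDefinitionName = 'Owner'
                       Scope = $sub }
    [pscustomobject]@{ DisplayName = 'App Team';     ObjectType = 'Group'
                       RoleDefinitionName = 'Reader'
                       Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Ops User';     ObjectType = 'User'
                       RoleDefinitionName = 'Contributor'
                       Scope = "$sub/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm01" }
)

# Only the Owner grant at subscription level is reported for the sample.
$sample | Find-BroadRoleAssignment | Format-Table -AutoSize -Wrap

# Against a live subscription (requires the Az module and Connect-AzAccount):
# Get-AzRoleAssignment | Find-BroadRoleAssignment
```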

Custom RBAC role
Custom roles come into the picture when the built-in roles do not meet your customer or organization requirements. In that case, you can create a custom role using PowerShell, an Azure Resource Manager (ARM) template, CLI, or REST API. You can create up to 5000 custom roles in each tenant, but for a government cloud like China, Germany, and so on, you can only create up to 2000 custom roles per tenant.

Creating the custom role
In this section, I will explain how to create the RBAC custom role and how to use existing built-in roles to create a new custom role.
If you want to allow any action to users, it should be listed in the Actions section, and the actions you want to deny users can be put in the NotActions section while creating the custom RBAC role.
If you would like to see what permission is available in the Azure contributor role, take a look at the following screenshot for the definition of the contributor role for more details:
Figure 3.9: Definition of a contributor role

1. Please run the following command in PowerShell:
    Get-AzRoleDefinition "Contributor" | ConvertTo-Json
Figure 3.10: Contributor role in JSON format
Once you get the output, copy it to a file and change the Actions or NotActions rule accordingly. I will change the NotActions rule to Actions and create a custom role. Save the file in the JSON format, replacing <subscription-id> with your own subscription ID:
{
  "Name": "BPB_Contributor",
  "IsCustom": true,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write"
  ],
  "NotActions": [
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
2. Go to PowerShell and connect to the subscription using the following command:
    Connect-AzAccount
3. Please provide the user ID and password to get authenticated. Then, run the following command to create a new role:
    New-AzRoleDefinition -InputFile "C:\Temp\BPB_Role.json"
Once done, you will be able to create a custom role. It will look like the following screenshot, which I had created earlier:
Figure 3.11: Contributor role
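
Because the role file above moves the Microsoft.Authorization entries from NotActions to Actions, it is worth checking what the resulting role can do before it is created. The following PowerShell is an added example, not code from the book: the function names, the list of operations checked, and the second "Contributor-like" sample are this example's own, while the Actions and NotActions of the first sample are copied from the role file above.

```powershell
# Added example: report which access-management operations a role definition
# file really grants. Azure evaluates a role as Actions minus NotActions.

function Test-RoleGrantsOperation {
    param(
        [Parameter(Mandatory)][object]$Role,
        [Parameter(Mandatory)][string]$Operation
    )
    # "*" in an action string is a wildcard, which -like also understands.
    $granted  = @($Role.Actions    | Where-Object { $_ -and ($Operation -like $_) })
    $excluded = @($Role.NotActions | Where-Object { $_ -and ($Operation -like $_) })
    return (($granted.Count -gt 0) -and ($excluded.Count -eq 0))
}

function Get-RoleDefinitionFinding {
    param([Parameter(Mandatory)][string]$Json)

    # Operations that let the holder change who has access.
    $sensitive = [ordered]@{
        'Microsoft.Authorization/roleAssignments/write'  = 'can grant any role, including Owner'
        'Microsoft.Authorization/roleAssignments/delete' = 'can remove access held by other principals'
        'Microsoft.Authorization/roleDefinitions/write'  = 'can create or widen custom roles'
        'Microsoft.Authorization/elevateAccess/action'   = 'can request User Access Administrator at root scope'
        'Microsoft.Authorization/locks/delete'           = 'can remove resource locks'
    }

    $role = $Json | ConvertFrom-Json
    foreach ($operation in $sensitive.Keys) {
        if (Test-RoleGrantsOperation -Role $role -Operation $operation) {
            [pscustomobject]@{
                Role      = $role.Name
                Operation = $operation
                Risk      = $sensitive[$operation]
            }
        }
    }
    # The root scope is reserved for built-in roles.
    if ($role.AssignableScopes -contains '/') {
        [pscustomobject]@{
            Role      = $role.Name
            Operation = 'AssignableScopes'
            Risk      = 'root scope "/" is not accepted for custom roles'
        }
    }
}

# Sample 1: Actions and NotActions as in the role file above.
$bpbRole = @'
{
  "Name": "BPB_Contributor",
  "Actions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write"
  ],
  "NotActions": [ "Microsoft.Blueprint/blueprintAssignments/delete" ],
  "AssignableScopes": [ "/subscriptions/<subscription-id>" ]
}
'@

# Sample 2 (constructed): everything allowed, with the same
# Microsoft.Authorization strings kept under NotActions instead.
$contributorLike = @'
{
  "Name": "Contributor-like (constructed)",
  "Actions": [ "*" ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "AssignableScopes": [ "/subscriptions/<subscription-id>" ]
}
'@

# Sample 1 is reported for every operation in the list; sample 2 for none.
$bpbRole, $contributorLike |
    ForEach-Object { Get-RoleDefinitionFinding -Json $_ } |
    Format-Table -AutoSize -Wrap
```

A role that is reported for roleAssignments/write can assign itself or anyone else the Owner role, so it should be reviewed like Owner regardless of its name or description.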

Conclusion
In this chapter, we covered the different types of RBAC roles and learned how to assign the RBAC custom roles in the subscription, resources group, and resources. We discussed how to create the custom role to match the organization or client requirements.
In the next chapter, we will learn about the Azure subscription and resource management. We will focus on different types of subscriptions and see how to manage Azure resources.

References
Custom roles for Azure resources: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
RBAC overview: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Create a custom role for Azure resources using Azure PowerShell: https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
Grant user access to Azure resources using RBAC and the Azure portal: https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
Grant user access to Azure resources using RBAC and Azure PowerShell: https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell
For more details, visit: https://azure4you.com/

CHAPTER 4
Managing Azure Subscription and Resource Management

In this chapter, we will cover Azure subscription and resource management. We will focus on types of subscription and how to manage Azure resources. We will learn how to create a free subscription, the types of subscriptions, and how to manage resources using the RBAC policy. What is a quota, and how will the use of the resource lock protect you from accidental deletion of resources? Let us learn all this in this chapter.

Structure
We will cover the following topics in this chapter:

Azure subscription
Enterprise agreements subscription
Subscription support plan
Creating a free Azure subscription
Global administrator permission
Resources group
Cost management
Azure subscription policy
Azure quota and resource tagging
Management group

Objective
In this chapter, we will discuss Azure subscription and types of subscription. We will also discuss the step-by-step process to utilize Azure subscription, and so on. This will help all the levels of readers to get a better understanding of this topic.

Azure subscriptions
Azure subscriptions are a collection of resources known as billing containers. Each subscription has a unique ID that is generated by MS automatically while creating the Azure subscription. If you need to create or access resources, then you need subscription access. Without the subscription access, you will not be able to access the resources under the Azure subscription.
Let's take a look at the different types of subscriptions in the following section:

Free subscription: MS provides this subscription. It is free for the first 30 days, which includes $230 credit and free 25 services for 12 months. It is used for practical and learning purposes.
Pay-as-you-go subscription: It is used widely in organizations. The pay-as-you-go subscription has a flexible payment method, and there is no limit on purpose or commitments. If a customer would like to cancel the subscription, he/she can cancel it.
Microsoft resellers (Cloud solution provider - CSP): The CSP subscription is used only at the organization level, where MS provides you with the access to work with partners directly to design and implement the solutions to meet your project requirements.
Open: This subscription provides you with the flexibility to work with the same vendor from whom you purchased the open volume license program and activated your Azure subscription.
Azure government customer: This subscription is used for US government entities that are eligible to purchase Azure government services, and they can use the pay-as-you-go service.
Azure Germany customers: This subscription is used for European Union or EFTA entities that are eligible to purchase Azure government services, and they can use the pay-as-you-go service.

Enterprise agreement subscription
The EA (Enterprise Agreement) is designed for organizations, and in this subscription, the customer has to sign an agreement with Microsoft directly with the amount of consumption of Azure resources. When an organization signs up for the EA agreement, a billing account is created, and the billing can be done monthly, quarterly, or yearly based on the agreement.

Enterprise
It is most commonly known as the Enterprise agreement, and it is only used by organizations. The EA subscription can be accessed from the Enterprise portal (https://ea.Azure.com) and used to create multiple departments to manage the subscription.

Departments
It is a sub-account of the Azure EA subscription where we define the departments and associate a subscription with them, and it can be used by specific departments. We can add multiple departments based on the organizational needs and assign a department owner who can manage the department and the subscription under it.
It will also help us to add a cap on Azure consumption, and based on the subscription utilization, we can decide the monthly or yearly budget.

Accounts
Accounts can be created by a different department, and an account administrator can add new accounts to their departments to provide them access to the Azure account. An account administrator can even create the subscription as well.

Subscriptions
As defined at the Azure subscription level, the subscription is a billing container, and all the billing for consumed resources happens at the subscription level. You can set up billing alerts on the budget spent to get an early notification if you have higher consumption during a specific period. Refer to the following figure for more details:
Figure 4.1: Enterprise subscription

Azure subscriptions support plan
Along with the subscriptions discussed earlier, we can also opt for the following support plans with a subscription, which will help you to connect to the MS support team to fix or troubleshoot an issue.

Azure developer support
This kind of subscription support plan is most commonly used for Azure development/testing purposes, where MS provides discounted rates on Azure to support your ongoing development and testing activity.

Professional direct support
This subscription support plan can be used by companies where MS includes its technical, billing, and other teams to get a faster resolution and support.

Standard support
This subscription support plan can be used by companies where MS includes its technical, billing, and other teams to resolve your issues faster with 24/7 support. Most of the companies use this subscription support plan to address a critical dependence on the Azure subscription.

Azure tenant
An Azure tenant is nothing but Azure AD. It's a dedicated instance of Azure AD that an organization receives, and it authorizes the users for various cloud services. An Azure tenant can have multiple subscriptions. However, a subscription cannot have multiple tenants.
In the following diagram, you can see four 3 subscriptions and one directory. All the others are different.
Once you create the subscription, the first tenant (Azure AD) will be created, and then the subscription will be associated with it. If you have a tenant, then you can create multiple subscriptions.
Let's take a look at the following figure to get an understanding of how tenants work in Azure:
Figure 4.2: Azure tenant

Creating a free Azure subscription
While creating the free subscription, the following benefits are provided by MS Azure:

12 months of free popular services
$200 credit to explore services within 30 days
25 services are always free

If you would like to create the free Azure subscription, follow the given steps:

Step 1:
1. Go to the URL https://Azure.microsoft.com/en-us/free/.
2. Click on Start free as shown in the following screenshot:
Figure 4.3: Free subscription

Step 2:
1. It will ask for your login ID and password.
2. Provide your Microsoft ID like ([email protected], [email protected] [reference email ID], and so on).
3. You can even log in through your organization ID like [email protected], and so on.
4. Provide the password for the same.
5. After this, you will be able to log in to the subscriber page.
6. Provide your details as shown in the following screenshot:
Figure 4.4: Login screen

Step 3:
1. Click on the free subscription.
2. Select the Free Trial as shown in the following screenshot:
Figure 4.5: Select the subscription

Step 4:
1. Select the country code.
2. Provide the mobile number.
3. Click on Text me or Call me to get the verification code.
4. Once you get the verification code, put it in the Verification code section.
5. Click on Verify code.
6. Once the code is verified, you will be directed to the next tab to fill in the payment information.

Take a look at the following figure for more details:
Figure 4.6: Details for subscription

Step 5:
1. Provide the card holder name.
2. Enter the card number.
3. Provide the expiry date.
4. Type the CVV number.
5. Provide the address details and click on the Next button.
6. Understand the service usage and click on Next.
7. If you want to add MS support plans, you can do it. (It's chargeable, so it's better to not add this plan.)
8. Click on the Agreement section and click on the Sign up button.
9. After 10 minutes, you will receive the subscription.
10. Now, you can utilize your subscription and create the services in Azure. Provide the details as shown in the following figure:
Figure 4.7: Payment details and agreement

Note: When you create the subscription, make sure you put in all the details correctly as this will be used for MS internal purposes. When you add your card initially, it will charge a minimal amount like Rs 2 to verify your credit card, and only after that, it will allow you to create the free subscription.

Global administrator permission
Users who have global administrator permission can access all administrative services like Azure Active Directory and services federated to Azure Active Directory, such as Exchange Online, SharePoint Online, and Skype for Business Online.
The first user ID that signs up for the Azure Active Directory tenant or subscription becomes a global administrator.
Only global administrators can assign other administrator roles. We can have more than one global administrator at the organization level.
Global admins can reset the password for users and all other administrators.
Follow the given steps to provide the global admin access step by step:

1. Click on the Azure Active Directory option.
2. Go to Manage and click on the Users option.
3. Click on All users.
4. Select the user or search for the users you want to assign the permission to.
5. Select details, as shown in the following screenshot, for subscription details:
Figure 4.8: Global administrator role
6. Click on the user's name and then click on Directory role.
7. Then, click on Add assignment.
8. Click on Search and search for the Global administrator role.
9. Select the Global administrator role.
10. Click on the Save button, and your user will have global administrator access. Follow the steps as shown in the following screenshot:
Figure 4.9: Directory: global admin role

Resources group
An Azure resource group is a logical container that contains the Azure resources in it. The resources within the resource group are managed together as an entity. If you have been given permission on a resource group, then you can also view all the resources which are available in the resource group.
You can even create or delete the resource group. If you delete the resource group, then all the resources which are present in the resource group will be deleted automatically.
For a better understanding, let's take a look at the following figure:
Figure 4.10: Azure resource group

Azure resource group manager
Azure Resource Manager is a deployment and management service for Azure. It provides management layers that will help to create, update, modify, and delete the resources within the subscription. We can utilize features like access control, lock, and tag. Refer to the following figure for more details on the Azure resource group manager:
Figure 4.11: Resource group manager

Cost management
Azure cost management will help you to manage and control your cost. Organizations can utilize cost management to analyse and manage the cost. It gives you the cost breakup of each resource and resource group. It uses advanced analytics to provide a customized cost to customers. The cost will be shown based on the consumption of each service and third-party services like Red Hat, Oracle, Check Point firewall, and so on.
Exploring cost management: Cost management will add all the subscriptions which are under one tenant. To get the report of each tenant separately, you need to perform the following steps:

1. Click on the Cost Management + Billing option from the FAVORITES item or search on the Azure portal.
2. Click on Overview, which will help you to get all the subscription accounts under your tenant.
3. Then, you will be able to view how much you have spent every month. For a detailed analysis, use the cost management tool and follow the steps performed as shown in the following screenshot:
Figure 4.12: Exploring cost management

Cost management tools will help you to get more details of resource services costs. They will help you to set up an alert for your Azure account, and you can define the budget as well. Follow the given steps to configure the same:

4. Click on Cost analysis:
    You can see the graphical view of the cost analysis.
    You can see the usage of each service and region.
    If you want to go deeper, then click on each resource and you will get more details.
    You can export the data to a CSV or Excel file for your reference or tally purposes.

The following screenshot displays a sample report:
Figure 4.13: Cost management graphical view

The following screenshot displays a sample report which is shown in cost view models:
Figure 4.14: Cost management - cost separation into services

Configuration of the budget alerts
The configuration of the budget alerts will help you get alerts when your subscription cost goes beyond the limit, and you can set account spending limits as well. Perform the following steps to configure the budget alerts:

1. Click on the Budgets option in the left pane.
2. Once you click on the budget, you will get a window to provide the information.
3. Provide the alert name or budget name.
4. Reset the period: month/years/weeks.
5. Provide the start date and end date of your budget.
6. Provide the amount of your budget.
7. Once this is done, click on the Next button to create the alert.
8. Click on Alert conditions and set the alert % number based on your budget. Let us say your total budget is 5K. Once you have spent up to 60% (3000 INR), you will get an alert. You can change this setting as well.
9. Provide the email ID of your users or IT team to get the budget alert.
10. Click on Create and your alert will be created soon.
11. Perform the steps as shown in the following screenshot:
Figure 4.15: Alerts creation
12. Add the conditions as shown in the following screenshot:
Figure 4.16: Alert condition

Azure subscription policy
The Azure subscription policy or Azure policy is used to achieve the compliance of your organization. It helps you to control the Azure environments as per your organization's compliance requirements.
You can create, manage, modify, and assign the policy based on your organization standards. It will also help you to identify the non-compliant resources in your subscription.

Let us take an example: your organization needs to deploy a specific VM (Virtual Machine) instance size (VM size) in your subscription, and you want to disallow the rest of them. You can achieve this using the subscription policy.
The second example would be if your company resides in Asia or the US region with few states. If you want users to create the resources only in a specific region, then you can choose the allowed locations policy and allow only specific locations. All the other locations will be denied automatically. The allowed locations policy will help health care, financial, government services, and so on to achieve compliance specific to the location.
Azure policy creation, configuration, and assignment

In this section, we will learn how to implement and manage the policy. For the Azure policy configuration, follow the given steps:

1. Log in to Azure portal (https://portal.Azure.com).
2. Click on search or on the left-hand side of the page in the FAVORITES section. Then, select the Subscriptions option.
3. In the Subscriptions section, click on the settings and select policies and follow the steps as shown in the following screenshot:

Figure 4.17: Select subscription

4. When you click on the Policies, you will be able to see the assigned policy in your subscription.
5. As you can see, I have applied a couple of policies in the subscription, and you can see the compliance level of the subscription. Follow the steps as shown in the following screenshot:

Figure 4.18: Azure policy

6. If you want to create the new policy, click on Assigned policy.
7. It redirects you to a new screen, and here we can create a new policy.
8. You can provide the following values in your Azure policy. The policy will be created for a specific region:

   - Scope: Provide the subscription as shown in the following screenshot:

   Figure 4.19: Policy compliance

   - Exclusions: This option can be used if you want to exclude the resources from the policy. If you want to apply to the entire subscription, then do not select any resources in the exclusion policy.
   - Policy definition: Policy definition will help you to choose the defined policy from the policy gallery to control your resources. Follow the steps as shown in the following screenshot:

   Figure 4.20: Policy assignments

   - If you are planning to have the resources in a specific location, then click on the Allowed locations policy.
   - If you want to allow a specific SKU, then you can achieve this by using the Azure policy. Take a look at the following specific policy. You can search and apply the policy based on your organization's standard policy. Refer to the following screenshot:

   Figure 4.22: Azure policy configuration

Finally, we have successfully implemented the policy.
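The following sketch is an added example, not code from the book or from Azure itself. It models how an assignment with a scope, exclusions, and an allow-list rule (allowed locations, allowed VM sizes) produces the per-resource compliance state and the compliance percentage described above. The simplified rule format, the resource IDs, and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: subscription ID, names, locations and sizes are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM = "Microsoft.Compute/virtualMachines"


def make_resource(group, rtype, name, location, vm_size=None):
    """Build one inventory entry (hypothetical helper for this example)."""
    return {"id": f"{SUB}/resourceGroups/{group}/providers/{rtype}/{name}",
            "type": rtype, "location": location, "vmSize": vm_size}


INVENTORY = [
    make_resource("rg-app", VM, "vm1", "eastus", "Standard_D2s_v3"),
    make_resource("rg-app", VM, "vm2", "westeurope", "Standard_D2s_v3"),
    make_resource("rg-app", "Microsoft.Storage/storageAccounts", "st1", "eastus"),
    make_resource("rg-legacy", VM, "vm3", "southeastasia", "Standard_E64s_v3"),
    make_resource("rg-app", VM, "vm4", "eastus", "Standard_E64s_v3"),
]


@dataclass(frozen=True)
class Assignment:
    """Simplified stand-in for a policy assignment: scope, exclusions, allow-list."""
    name: str
    scope: str                        # subscription or resource group ID
    field_name: str                   # resource property the rule inspects
    allowed: frozenset                # values that are permitted
    applies_to: Optional[str] = None  # optional resource type filter
    exclusions: tuple = ()            # scopes exempt from the assignment


def in_scope(resource_id, scope):
    """True when the resource ID is the scope itself or sits below it."""
    rid, prefix = resource_id.lower(), scope.lower().rstrip("/")
    return rid == prefix or rid.startswith(prefix + "/")


def evaluate(assignment, resource):
    """Return 'compliant', 'non-compliant' or 'not-applicable' for one resource."""
    rid = resource["id"]
    if not in_scope(rid, assignment.scope):
        return "not-applicable"
    if any(in_scope(rid, ex) for ex in assignment.exclusions):
        return "not-applicable"       # excluded resources are never evaluated
    if assignment.applies_to and resource["type"].lower() != assignment.applies_to.lower():
        return "not-applicable"
    value = resource.get(assignment.field_name)
    if value is None:
        return "not-applicable"
    allowed = {a.lower() for a in assignment.allowed}
    return "compliant" if value.lower() in allowed else "non-compliant"


def compliance_report(assignment, inventory):
    """Map resource name -> state, plus the percentage of evaluated resources that comply."""
    states = {r["id"].rsplit("/", 1)[-1]: evaluate(assignment, r) for r in inventory}
    evaluated = [s for s in states.values() if s != "not-applicable"]
    percent = round(100 * evaluated.count("compliant") / len(evaluated)) if evaluated else 100
    return states, percent


ALLOWED_LOCATIONS = Assignment(
    name="Allowed locations", scope=SUB, field_name="location",
    allowed=frozenset({"eastus", "centralindia"}),
    exclusions=(f"{SUB}/resourceGroups/rg-legacy",))

ALLOWED_VM_SIZES = Assignment(
    name="Allowed VM sizes", scope=SUB, field_name="vmSize",
    allowed=frozenset({"Standard_D2s_v3", "Standard_B2s"}), applies_to=VM)

if __name__ == "__main__":
    for assignment in (ALLOWED_LOCATIONS, ALLOWED_VM_SIZES):
        states, percent = compliance_report(assignment, INVENTORY)
        print(f"{assignment.name}: {percent}% compliant")
        for name, state in states.items():
            print(f"  {name}: {state}")
```

Note how vm3 is skipped by the location assignment because its resource group is excluded, yet is still reported by the VM size assignment, which has no exclusions.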
Azure quota

An Azure quota is the limit on how many resources can be deployed in a specific subscription. Generally, a quota is of two types:

- Soft limit: The default resources available in the subscription; it can be increased by raising a request with the MS team.
- Hard limit: The maximum resources that can be deployed within the subscription; it cannot be increased even by raising a request with the MS team.

If you want to see the usage limit and quota of your subscription, then click on the subscription. In the Settings section, click on Usage + quotas, and you will be able to view the available services in your subscription and see the quota as well. You can see the details of the subscription limitation in the following screenshot:

Figure 4.23: Usage and quota limitation
Resource tag

We can use the Azure resource tag to add the extra fields to identify the resources and it can be used for billing purposes. Every tag contains the following fields:

- Name: Production
- Application Owner: Lalit Rawat
- Department: IT
- Bill to: IT

Note: The preceding resource tags are just examples that can be changed based on your organization's policy. Based on that, you can define the tags and associate specific resources.
Usage of the resource tag

Let us say you are a big organization and have deployed 4,000 applications. How can you understand which resource group belongs to which app and who is the owner? Who should be billed for the usage of the services present in the resource group? To identify this for billing purposes, resource group tags can be used, and they are very helpful in the long term for a structured organization. Perform the following steps:

1. Click on Resource groups.
2. Under the Overview tab, click on the Tags option.
3. Provide the resource name, application, owner, database, and so on.
4. Then, provide the values, where values is your application name like Tomcat, Apache, SQL DB, and so on.
5. Click on Save as shown in the following screenshot:

Figure 4.24: Resources tag
Configuration of a resource lock

The resource lock will help you to prevent accidental deletion of resources. Administrators can lock the resources to prevent others from deleting the resources. In the subscription, you can find two types of locks:

- Delete: This lock prevents users from deleting the resource. However, users can still read and modify the resource.
- Read-only: This lock provides read-only access to resources; in that case, users cannot modify or change the resources. However, they can still see the resources.

Take a look at the following screenshot:

Figure 4.25: Resources lock

If you want to apply a lock on your resource group, follow the given steps.

1. Log in to the Azure portal by opening https://portal.Azure.com.
2. Select Resource groups.
3. Under the resources group, click on Locks.
4. Create a lock.
5. After the lock creation, you can deploy the lock in the resource group successfully.
6. Perform the following steps as shown in the following screenshot:

Figure 4.26: Resources lock creation

7. If you try to delete the resources, you will get the message that the resources group has been locked and cannot be deleted as shown in the following screenshot:

Figure 4.27: Resources lock
Resources movement from one resource group to another

If you are planning to move the resources of a resource group (VMs and so on) to another resource group, then this can be done easily. You can also migrate the resources between subscriptions under the same tenant, and this can be done using the portal. If you want to move the resources, perform the following steps:

1. Click on the resources group from which you want to move the resources.
2. Select the Move button at the top-right corner of the screen as shown in the following screenshot:

Figure 4.28: Resources move

3. Select the resources you want to move from one resources group to another.
4. Click on OK.
5. It will take 45 to 20 minutes based on the size of the resource to complete the task.
6. Follow the given steps as shown in the following screenshot and click on Move to move to the new resources group.

Figure 4.29: Resources selection to move

7. When you click on your resources, the resources will be migrated to a new resources group.
Removing a resource group

A resource group can be removed by clicking on the delete resource group. This can be done through the Azure portal, CLI, PowerShell, and so on. Take a look at the following screenshot:

Figure 4.30: Resource group deletion

Perform the following steps:

1. Click on the delete resources group.
2. Provide the resource group name.
3. Once you provide the resources group name, click on the Delete button.
4. Once done, the resources will be deleted automatically.

Take a look at the following screenshot for more details:

Figure 4.31: Resource group deletion confirmation
Creating and configuring the management groups

The management group will help you to manage multiple subscriptions in a single tenant. We can efficiently manage the access, policies, and compliance for these subscriptions. We can apply the single policy within the tenant group. The first management group will act as a tenant, and the policy that applies on this subscription will be inherited by the other subscriptions as well.

If you want to create and configure the management group, follow the given steps:

1. Click on all services.
2. Type management in the search box.
3. Click on the Management groups option, as shown in the following screenshot:

Figure 4.32: Management group

4. Once you click on the management group:

   - Click on Create new.
   - In Management group ID (Cannot be updated after creation) *, provide the name.
   - Provide the management group display name.
   - Click on Save as shown in the following screenshot:

Figure 4.33: Management group creation

5. Once you click on Save, it will start creating the first management group which might take up to 15 minutes. Refer to the following screenshot:

Figure 4.34: Group creation

6. Once the management group is created, you will see the following screen as shown in the following screenshot:

Figure 4.35: Management group view

7. If you want to create another management group, then click on the + Add management group and create another group as shown in the following screenshot:

Figure 4.36: Add management group

8. Once the management group is created, you need to assign the subscription to the management group so that when you apply the policy, it is inherited by the subscription associated with the management group. You can configure it as shown in the following screenshot:
9. Now, we will complete this step to configure the management group and associate it with the subscription:

Figure 4.37: Add subscription to the management group
Conclusion

In this chapter, we learned how to create the free Azure subscription, subscription management, and how to assign the policy. If you want to allow the resources from the Azure policy, configure the Azure resources group tags and implement the resource lock. We covered the types of subscriptions. In the next chapter, we will cover how to monitor resources in Azure subscription. We will also learn about the management and configuration of Azure storage and its types, storage account replication, and so on.
CHAPTER 5
Managing and Configuring of Azure Storage Accounts

In this chapter, we will cover how to manage and configure the Azure storage account. You will learn about different types of Azure storage accounts, the use of storage accounts, and the creation and configuration of Azure storage accounts, which will help you to understand how the storage accounts work in Azure. We will explain how to secure your storage account using the Azure firewall configuration and integrate it with a virtual network. We will also see what the Azure storage explorer is used for and how to manage the Azure storage account access key. Monitoring the Azure storage account using log analytics will help you if you need to troubleshoot your storage account when anything goes wrong. We will cover more about replication, how this replication works, and how your data can be synced to a different region.
Structure

The following topics will be covered in this chapter:

- Azure storage account
- Generate and manage the shared access signature
- Managing storage account access keys
- Installation and configuration of the storage explorer

Objective

In this chapter, you will learn how to configure the storage account and how to store data in Azure. We will provide you with step-by-step instructions of how to create and configure the Azure storage account, how to connect to the Azure storage account using the Azure storage explorer, and how to use the Azure storage key.
Azure storage account

An Azure storage account is a cloud-based solution for storing structured and unstructured data. It is also used to store the data disk of VMs, files, and so on. It is highly available, durable, and secure. It can be accessed by HTTP/HTTPS from anywhere. You can take a look at the following diagram for more details to understand the storage account data structure:

- Storage for VMs data: This kind of data will be stored in a blob storage account under the page blob which stores the Virtual Hard Disk (VHD) file of VMs.
- Structured data: It is commonly used for Cosmos DB, table, and so on, where the data will be stored structurally and it can give the results easily.
- Unstructured data: Unstructured data can be used to store the data log file, image, movie or archival data, and so on, which is used to dump the data. This does give results faster as this is not stored in a format or structural way. Please take a look at the following diagram for more details:

Figure 5.1: Azure storage account data

Azure storage accounts consist of the following three types:

1. Blob storage account: Blob storage accounts are used for unstructured data like backup, JPEG, AVI files, and so on. A blob storage account offers three kinds of accounts: cool storage, hot storage, and archive.

   Access tiers: Access tiers have the functionality to determine how frequently data can be accessed. Based on the tiers, your storage account bill will be charged:

   - Hot storage: This type of storage account can be used when you need to access the data frequently such as day-to-day operations.
   - Cool storage: This type of storage account can be used for data that is infrequently accessed and stored for a minimum of 30 days. Let us say you have an older backup or file you just want to store in a storage account, and you need to access it once or twice a month.
   - Archive storage: This type of storage account is used to store the data which has been accessed rarely and stored for at least 180 days such as an older backup with more than 5 or 10-year compliance data.

   Please see the following screenshot for more details:

   Figure 5.2: Azure blob storage account tier

2. General purpose V1: GPv1 storage accounts are legacy accounts and they have been used for blobs (name changed to a container), files, queues, and tables. They are most commonly used and support replication like LRS, GRS, and RA-GRS. Please take a look at the following screenshot:

   Figure 5.3: Azure GPv1 account

3. General purpose V2: GPv2 storage accounts are recommended to use as they are upgraded versions. They are used for blobs (name changed to a container), files, queues, and tables. They support replication like LRS, GRS, RA-GRS, and ZRS. They also have the feature for cold/hot storage account which you can get only in the blob storage account. Recently, MS Azure has released new replications like GZRS-zone redundant storage and read-access geo-zone-redundant storage (RA-GZRS). It is in the preview feature. Please take a look at the following screenshot:

   Figure 5.4: GPv2

4. Premium storage accounts: Premium storage accounts use the SSD disk and provide high performance and low latency disk support. The premium storage account is mainly used for mission-critical applications or production environments. 1 TB disk provides the 7500 IOPS and 250 MB throughput for the disk. Please take a look at the following screenshot:

   Figure 5.5: Premium storage account
Azure storage account creation and configuration

If you want to create a storage account, follow the given steps:

1. Please click on Create a resource.
2. Search for Storage account.
3. Click on the Create button to create a storage account as shown in the following screenshot:

Figure 5.6: Storage account creation

4. Please select the subscription for which you want to create the Azure storage account.
5. Please create the new resources group or use an existing resources group from the drop-down menu.
6. Provide the Azure storage account name (name will only be in lowercase and in numbers).
7. Select the region you want to deploy the storage account.
8. Performance type can either be Standard or Premium as per customer requirements.
9. For the account kind, you can select: GPv1, GPv2, or blob storage account. I have selected GPv2 as it is the latest version.
10. For replication, you can select the default RA-GRS but based on the requirements, you can change to GRS, LRS, or ZRS (if available in your region).
11. Select the access tier: Hot or Cool. In my case, I have selected Hot.
12. Click on Next: Networking > for further configuration as shown in the following screenshot:

Figure 5.7: Storage account configuration details

13. Based on the requirements, you can only enable the following endpoints:

   - Public endpoint (all network): Open to all networks.
   - Public endpoint (selected networks): For a selected network.
   - Private endpoint: Integrate the VNet and make it available for your network only as shown in the following screenshot:

   Figure 5.8: Storage account networking configuration

   - Please click on the Advanced tab, and here, you can set the security like secure transfer required and data protection settings, etc. For more details, take a look at the following screenshot.
   - Please click on Tags and assign the tags for billing purposes as shown in the following screenshot:

   Figure 5.9: Storage account advance settings

14. Once the validation is complete, you will see the green mark.
15. Please verify the details one more time and click on Create to create the account.
16. After that, the deployment will start and your storage account will be created within 5 to 10 minutes. Please take a look at the following screenshot:

Figure 5.10: Storage account verification and creation

In this section, I have explained the Azure storage account data type and its usage. I have briefly explained how to create the storage account and so on. Now, you will be able to understand and create the storage account.
Implement Azure storage replication

In Azure storage replication, we have replication policies as part of the storage account replication. It helps us to maintain the compliance part and secure the data on it:

- Locally redundant storage (LRS) account: It maintains three copies of your data within a single datacenter in a single region. Its usage data can be reconstructed, and it helps in your compliance with regional governance requirements.
- Zone redundant storage (ZRS): It maintains three copies of your data within 2 or 3 datacenters in a single region or across the region. Data will be replicated across the three storage clusters in a single region. It is not available in every Azure region.
- Geo redundant storage (GRS) account: It maintains six copies of the data. The data is replicated three times within the primary region and three times in the secondary region 100 miles away from the primary region. Data will be available as read-only during a failure.
- Read-only geo-redundant storage (GRS) account: It maintains six copies of the data and works in the same way as your GRS, but it provides the read access to your secondary region even without the failover.

If you would like to implement or change the replication, then you need to follow the given steps:

1. Please select the Azure storage account.
2. Go to Configuration.
3. Select the appropriate replication from the Replication drop-down menu.
4. Click on Change. If you click on change, the changes might be applicable based on the replication you select.
5. Click on Save as shown in the following screenshot:

Figure 5.11: Storage account replication

6. Once you change the replication, click on Geo-replication.
7. In this section, you will be able to see the primary and secondary regions where your data has been copied as shown in the following screenshot:

Figure 5.12: Storage account replication with a secondary endpoint
Generate and manage the shared access signature

A shared access signature will help you to provide restricted access to the storage account if any developer or anyone else requests access to the storage account. You can provide access with a time limitation, and after the set duration, the access will expire. You can generate the SAS access using your primary storage account key or secondary storage account key. If you need to generate the SAS key, select the Shared access signature tab under Settings:

1. Please select the allowed services like Blob, File, Table, or Queue.
2. Select the allowed resource types like Service, Container, or Object.
3. Allow permission like Read, Write, and so on based on the requirements.
4. You can select the specific IP that is allowed to access your storage account.
5. Select the HTTP or HTTPS selection.
6. Click on the Generate SAS and connection string button.
7. After a few seconds, keys will be generated, and the user can access the key. Please take a look at the following screenshot:

Figure 5.13: Generating shared access signature
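Each choice in the steps above ends up as a query parameter of the generated SAS URL (`ss` services, `srt` resource types, `sp` permissions, `st`/`se` start and expiry, `sip` allowed IP, `spr` protocol, `sig` signature). The following added example, which is not from the book, reviews a SAS URL before it is handed out and flags the settings that make it broader than needed. The sample URLs, account name, signature placeholder, finding names, and the 24-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed account SAS URLs: the account name and signature are placeholders.
BROAD_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
             "&sp=rwdlacup&st=2021-03-01T00:00:00Z&se=2022-03-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
NARROW_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=o"
              "&sp=r&st=2021-03-01T08:00:00Z&se=2021-03-01T12:00:00Z"
              "&sip=203.0.113.10&spr=https&sig=PLACEHOLDER")
SAMPLE_NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed review time
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=1)

# SAS times are UTC; these are the common precisions seen in st/se values.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_time(value):
    """Parse an st/se value into an aware UTC datetime, or None if unparseable."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def review_sas(url, now, max_lifetime=timedelta(hours=24)):
    """Return a list of findings for one SAS URL; an empty list means nothing flagged."""
    params = dict(parse_qsl(urlsplit(url).query))
    findings = []

    expiry = _parse_time(params.get("se", ""))
    start = _parse_time(params.get("st", "")) or now
    if expiry is None:
        findings.append("no-valid-expiry")
    else:
        if expiry <= now:
            findings.append("expired")
        if expiry - start > max_lifetime:
            findings.append("long-lifetime")

    # When spr is absent the token is accepted over both HTTPS and HTTP.
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("http-allowed")
    if "sip" not in params:
        findings.append("no-ip-restriction")
    # Anything beyond read (r) and list (l) lets the holder change or remove data.
    if set(params.get("sp", "")) - set("rl"):
        findings.append("broad-permissions")
    if len(params.get("ss", "")) > 1:
        findings.append("multiple-services")
    return findings


def redact(url):
    """Replace the signature so the URL can be logged or pasted into a ticket."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for label, url in (("broad", BROAD_SAS), ("narrow", NARROW_SAS)):
        print(label, review_sas(url, SAMPLE_NOW), redact(url))
```

A SAS is signed with a storage account key, so it cannot be revoked on its own; regenerating the key that signed it invalidates every SAS issued from that key.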
Managing the storage account access key

The Azure storage account key is used to access the storage account from the storage explorer or if you want to access it publicly. It is just like a storage account password which you can change anytime by clicking on the Refresh button.

- You will have a primary and secondary key. By clicking on the Refresh button, you can generate the new key which is marked in a red circle as shown in the following screenshot:
- You can use the connection string to connect to the storage account:

Figure 5.14: Managing the Azure storage account key
Configure network access to the storage account

Enabling the VNet on the Azure storage account will provide an additional layer of security to your storage account which has your critical data. After integration, the storage account can be accessed only from within the VNet, not publicly, unless a public endpoint or public IP is added:

1. Please select the storage account for which you want to enable the VNet.
2. Select Firewalls and virtual networks under Settings.
3. Select the network and click on the Add new virtual network option, or you can add the existing network as well as shown in the following screenshot:

Figure 5.15: Azure Storage account network configuration

4. Once you select the existing VNet or create a new VNet, click on OK to
5. Please provide the VNet name and range of IP.
6. Provide the resources group and region.
7. Provide the subnet name and range of IP.
8. Provide the location and click on Create. Please check out the details in the following screenshot:

Figure 5.16: Azure storage account - VNet creation

Once the VNet is associated with a storage account, click on the Save button to save the configuration. After that, you will be able to successfully configure the network with a storage account. Please take a look at the following screenshot:

Figure 5.17: Azure storage account VNet association
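To confirm that the firewall and VNet settings above actually took effect, the account configuration can be exported and checked. The following added example, which is not from the book, classifies an account into the endpoint choices listed in the creation wizard and flags weak settings. The three sample accounts are constructed in the shape of `az storage account show` output and trimmed to the properties inspected; the names, IDs, finding texts, and the 1024-address threshold are assumptions.

```python
import ipaddress

# Constructed samples (placeholders), trimmed to the inspected properties.
OPEN_ACCOUNT = {
    "name": "examplestorageopen",
    "enableHttpsTrafficOnly": False,
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
}
RESTRICTED_ACCOUNT = {
    "name": "examplestoragevnet",
    "enableHttpsTrafficOnly": True,
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
        "virtualNetworkRules": [{"virtualNetworkResourceId": "<subnet-resource-id>"}],
    },
    "privateEndpointConnections": [],
}
WIDE_RULE_ACCOUNT = {
    "name": "examplestoragewide",
    "enableHttpsTrafficOnly": True,
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"ipAddressOrRange": "198.51.100.0/8", "action": "Allow"}],
        "virtualNetworkRules": [],
    },
    "privateEndpointConnections": [],
}


def exposure(account):
    """Map the firewall configuration to the endpoint options from the wizard."""
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        return "public endpoint (all networks)"
    if rules.get("ipRules") or rules.get("virtualNetworkRules"):
        return "public endpoint (selected networks)"
    if account.get("privateEndpointConnections"):
        return "private endpoint"
    return "no network path configured"


def audit(account, max_addresses=1024):
    """Return findings for settings that leave the account broader than intended."""
    findings = []
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("secure transfer not required")
    if exposure(account) == "public endpoint (all networks)":
        findings.append("default action Allow: reachable from all networks")
    for rule in (account.get("networkRuleSet") or {}).get("ipRules", []):
        value = rule["ipAddressOrRange"]
        # strict=False accepts ranges written with host bits set, e.g. 198.51.100.0/8.
        network = ipaddress.ip_network(value, strict=False)
        if network.num_addresses > max_addresses:
            findings.append(f"wide IP rule: {value}")
    return findings


if __name__ == "__main__":
    for account in (OPEN_ACCOUNT, RESTRICTED_ACCOUNT, WIDE_RULE_ACCOUNT):
        print(account["name"], "->", exposure(account), audit(account))
```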
Installation and configuration of the storage explorer

The Azure storage explorer is an application that will help you to connect to storage accounts and move the data from an on-premises system to the Azure blob, file, queue, and table storage account. You can easily upload, download, and manage Azure blobs, files, queues, and tables storage account, Azure Cosmos DB, and Azure Data Lake Storage data. It is easy to manage and access from your system. You can access virtual machine disks from the ARM or classic storage accounts. If you want to install the Azure storage explorer, then follow the given steps:

1. Please go to https://Azure.microsoft.com/en-in/features/storage-explorer/ to download the Azure storage explorer.
2. Please select the OS (Windows/Linux or MAC) from the drop-down menu based on the requirements. Please take a look at the following screenshot:

Figure 5.18: Azure storage explorer

3. Once you download the storage account file, double click on it and follow the instructions.
4. Once done, you will be able to successfully install the storage explorer.
5. Please open the Azure Storage Explorer.
6. Click on the User icon.
7. Click on Add an account… as shown in the following screenshot.
8. Log in with the Azure account, connection string or SAS URI, or any other option mentioned in the following screenshot.
9. Click on Next:

Figure 5.19: Azure storage explorer sign in

10. Now, you can copy and paste the storage account strings as shown in the following screenshot.
11. For Connection string, please check the topic on managing the access key.
12. Once done, you will be able to log in successfully to the storage account:

Figure 5.20: Azure storage explorer login method

Now, you will successfully be able to log in to the Azure storage explorer as shown in the following screenshot:

Figure 5.21: Azure storage in explorer

13. Now, you can upload the data to the Azure blob storage accounts.
14. You can create the container.
15. Now, you can upload the data using the Upload option.
16. You can download the data by clicking on the Download option.
17. Create a new folder if required.
18. You can select all the documents and update the necessary changes.
19. The same storage account can work for your file storage, and you can create the queue and table as well. For more details, refer to the following screenshot:

Figure 5.22: Azure storage in explorer usage
Conclusion

In this chapter, we covered the different types of storage accounts and how to use those storage accounts. We explained the replication policy and learned how it can help you in your compliance with the data or to replicate the data. We learned how to create the storage account and what the GPv1 and GPv2 storage accounts are. We covered the premium storage account and its usage. In the next chapter, we will discuss how to import and export data and how to move the data using the Azure AzCopy command-line utility.
CHAPTER 6
Manage Data in AZURE Storage

In this chapter, we will discuss how to migrate large data to the Azure storage account using the Azure import and export services. We will also discuss the Azure Data Box and configuration of Azure AD authentication for the storage account usage. We will cover how to use the AzCopy command which will help you to move the data from on-premises to the Azure storage account.
Structure

The following topics will be covered in this chapter:

- Import and export jobs in Azure
- Configuring Azure Blob storage
- Creating the import and export jobs in Azure storage
- Azure Data Box
- Configuring Azure AD authentication for a storage account
- Copy data using AzCopy

Objectives

The objective of this chapter is to explain how to migrate petabytes of data using the Azure export/import utility and Azure Data Box solutions and how to transfer the data to a blob storage account using the AzCopy command-line utility.
Import and export jobs in Azure

We can create the import and export jobs using the Azure storage account which requires a blob storage account where we can keep the data. Import and export jobs can be used to send large data to Azure Blobs; for example, terabytes or petabytes of data.

You require a data disk to copy the data and configure the services. The data then needs to be shipped to Microsoft, and Microsoft will copy the data to Azure Blob as per the customer's request. The data will be encrypted end to end using BitLocker during the configuration of import and export jobs.
Configuring Azure Blob storage

In Chapter 5, Managing and Configuration of Storage Accounts, I have explained the blob and its usage. If you want to create the blob (container) under the storage account, follow the given steps:

1. Log in to the portal.
2. Select the storage account for which you want to create the blob storage (container).
3. Click on Containers.

   Note: The blob storage name has been changed recently to container due to new modifications made by Microsoft Azure, but the terminology and usage are the same. Take a look at the blob creation in the storage account in the following screenshot.

Figure 6.1: Blob creation in the storage account

4. Click on the Container button.
5. Provide the name of the container.
6. For Public access level: Select any of the following based on the requirements:

   - Private (no anonymous access)
   - Blob (anonymous read access for blobs only)
   - Container (anonymous read access for containers and blobs)

   The following screenshot shows the container creation:

Figure 6.2: Container creation

7. Once your container is created, you will be ready to configure the import and export jobs. You can also upload the data directly. Take a look at the container configuration:

Figure 6.3: Container configuration
Creating the import and export job in Azure Storage

If you want to create an import job, follow the given steps:

1. Log in to subscription.
2. Go to All services and search for Import/export jobs.

Take a look at the following screenshot:

Figure 6.4: Import and export search

3. Once done, you can provide the basic configuration setting.
4. Select the Import into Azure option.
5. Provide the subscription and resource group name. Take a look at the following screenshot:

Figure 6.5: Import basic configuration

6. Click on Job details.
7. Download and install the WAImportExport tool to generate the .jrn file.
8. Now, you can upload the JRN or XML file.
9. Once it is uploaded, select the storage account.
10. The location will be the default.
11. Click on the OK button and provide the return shipping information and configure the return shipping details.
12. Click on OK and your import jobs will be created.

Take a look at the following screenshot:

Figure 6.6: Import jobs details

After creating the import job, I will now explain how to create an export job in Azure. You need to follow the same steps you followed in the import job. In the configuration, you can export the job rather than import the job:

1. After you create the job, you can provide the basic configuration setting.
2. Select the Export tab from the Azure option.
3. Provide the subscription and the resource group name.

Take a look at the following screenshot:

Figure 6.7: Export basic configuration

4. Select the data source and select the storage account.
5. Click on Export all, Selected containers and blobs, or Export from the blob list file (XML format) based on the requirements. Take a look at the following screenshot:

Figure 6.8: Export job details

6. Provide the courier name such as Blue Dart, DHL, FedEx, and so on.
7. Then, add the name, address, phone number, and other details as shown in the following screenshot:

Figure 6.9: Export job shipping details

Now, you are successfully able to create the export job, and the courier will pick up the shipment and send it to your datacenter to recover the data. You can securely transfer the data using the data box. Each data box has the storage capacity of 80 TB data.
Azure data box

Azure Data Box will help you to migrate terabytes of data to Azure quickly, and it is a less expensive and reliable solution. It is a Data Box device (hardware) that needs to be set up and configured. It is used for different scenarios:

- One-time migration: If you have a large amount of on-premises data and you want to move to Azure:
  - You can move the media library from your on-premises and backup tapes.
  - It will help if you want to migrate your VM, SQL Server, and applications to Azure.
  - If you want to move historical data from on-premises to Azure for in-depth analysis, and so on.
- Initial bulk transfer: Initial bulk transfer is done using Data Box (seed), and it provides incremental transfers over the network.
- Periodic uploads: If your organization generates a large amount of data periodically and if it needs to be moved to Azure, then the Data Box will help you do this.

The Data Box supports migrating a large amount of data to Azure. It is a Microsoft device that can be configured in your on-premises datacenter and connected to the Azure Data Box solution.
Configuring Azure AD authentication for a storage account

In this section, we will discuss how to configure the authentication of Azure AD users for a storage account. It helps to manage a single identity to access the blob storage account and provide access to it, so you do not have to depend on the storage account key and can provide granular access using Azure AD authentication. Follow the given steps to configure it:

1. Go to the storage account and then click on Containers.
2. Select the container and click on the container as shown in the following screenshot:

Figure 6.10: Azure AD authentication to the storage account

3. Once you get an insight into the Azure storage container, click on the Access control (IAM) in figure 6.11 and select the appropriate role as follows. It can also be done from the storage account IAM.

   - Storage Blob Data Owner: It is used to set ownership and manage access control for Azure Data Lake Storage Gen2 and the storage account.
   - Storage Blob Data Contributor: It is used to grant read/write/delete permissions to blob storage resources.
   - Storage Blob Data Reader: It is used to grant read-only permissions to blob storage resources.
   - Storage Queue Data Contributor: It is used to provide the read/write/delete permissions to Azure queues.
   - Storage Queue Data Reader: It is used to provide read-only permissions to Azure queues.
   - Storage Queue Data Message Processor: It is used to grant peek, retrieve, and delete permissions to messages in Azure storage queues.
   - Storage Queue Data Message Sender: It is used to provide the permissions to messages in Azure storage queues.

4. Once you select the roles to assign, click on OK to provide the access as shown in the following screenshot:

Figure 6.11: Azure AD authentication role

Once you provide the permission, the user will have a specific role and will be able to access the data or storage account as per the associated role.

Now let us learn how to enable the Active Directory Domain Services (AD DS) in the Azure storage account to access an Azure file share.

1. Click on Storage account.
2. In the storage account, click on Configuration.
3. Select Identity-based access for file shares.
4. Click on Enabled and save the settings as shown in the following screenshot:

Figure 6.12: Identity-based access for a file share
Copying data using AzCopy

AzCopy is a command-line utility that is designed to copy the data from the Azure Blob, file, and table storage account. It uses the Azure AD or SAS-based authentication to connect to the Azure storage account. We can use the utility in Windows, Mac, or Linux OS. It can also be used if you want to move or copy your blob storage account from one storage account to another.

Let us see how we can run these command-line utilities to make sure we copy the data from the blob storage or upload the data in the blob storage. You can download the utility from https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10.

1. Use the following command to log in to your Azure AD tenant:

    azcopy login --tenant-id=aeXXXX-XXXX-XXX

2. Then, click on Enter.
3. Once the URL comes up in the command line, select and press Enter to copy the URL (https://microsoft.com/devicelogin). Go to the URL and browse it and provide the code which comes with the URL as shown in the following screenshot:

Figure 6.13: AzCopy login

4. Provide the authentication code as shown in the following screenshot:

Figure 6.14: AzCopy login auth-code

5. Once you enter the auth-code, you will be able to log in to the AzCopy console as shown in the following screenshot:

Figure 6.15: AzCopy login successful

6. Use the following command to copy the data to the blob storage account:

    azcopy copy 'C:\bpbfolder\bpbTextFile.txt' 'https://bobstorage.blob.core.windows.net/bpb/bpbTextFile.txt'

7. Once you click on Enter, you will be able to copy the data. Make sure you use the correct blob storage account and destination to copy the data.
Conclusion
In this chapter, we discussed the use of the import and export services and how to migrate the petabytes of data to Azure. We also discussed the Azure AD authentication which will help you to define the fine-grained access to the Azure storage account. Using the Azure AzCopy command utility, you can transfer the data from one blob storage account to another and you can transfer from on-premises systems as well.
In the next chapter, we will discuss Azure file configuration and see how to access the Azure file share. We will learn about the Azure file sync as well and the details of usage and configuration in the next chapter.
CHAPTER 7
The Azure File Share
In this chapter, we will discuss Azure file share and how to create the Azure File share and map a network drive. We will use the Azure File sync services and see how to troubleshoot them. We will also discuss the different types of Azure File sync groups.
Structure
The following topics will be covered in this chapter:
Azure File share
Creating and configuring the Azure File share
Configuring the Azure File sync
Azure File sync group
Azure File sync troubleshooting

Objectives
In this chapter, we will explain the Azure File share and how to create the Azure File share. The Azure File share can be used as a network drive, and you can map it to your servers and sync the on-premises files to Azure. We will explain the Azure File sync and how Azure File sync will help customers transfer the on-premises files to Azure. It provides flexibility, performance, and compatibility.
Azure File share
The Azure File share can be used for network sharing just like your mapped network drives. It works on SMB port 445, and it can be used to keep the data with regards to Virtual Hard Disk (VHD), backup, and sharing the data. You can keep a maximum of 5 TB data per file share. If you want to keep more data in it, then you must create more file shares in the storage account to keep the data.
This limitation applies to the Azure File share, not to the Azure storage account. In one storage account, you can create multiple file shares and keep the data and apply different kinds of security policies. The Azure File share helps us to provide the storage space without adding any additional storage on-premises.
Creating and configuring the Azure File share
In Chapter 5, Managing and Configuration of Storage Accounts, I have explained how to create a storage account, its type, and its usage. If you want to create the file share in the storage account, follow the given steps:
1. Log in to the portal.
2. Select the storage account for which you want to create the Azure File share.
3. Click on the File shares option.
Take a look at the Azure File share created in the storage account as shown in the following screenshot:
Figure 7.1: Azure File share creation in a storage account
4. Click on the File share button.
5. Provide the name as shown in the following screenshot.
6. Set the quota limit as per the customer’s requirements.
7. Click on the Create button. Let’s take a look at the following screenshot:
Figure 7.2: File share creation
8. You can create the file share up to 5 TB each and this is a limitation from MS Azure end. Let’s take a look at the following screenshot:
Figure 7.3: Azure File share limitation
9. Once the file share is created, it will look like the following screenshot:
Figure 7.4: Azure File share
10. Once you click on the folder, you will get the option to upload the data.
11. Click on the Upload tab.
12. Select the file and browse the folder to upload the documents.
13. Once done, click on the Upload button to upload the documents:
    Add directory: Used for folder creation or to add a folder in the file share.
    Refresh: If the data is not reflecting, you can click the Refresh button.
    Delete share: This can be used to delete the complete share folder.
    Quota: This will help increase or decrease the quota limit.
    View snapshots: This can be used to see a snapshot of your file share.
    Create Snapshot: This can be used to create the backup of your file share or create the snapshot within a storage account.
Figure 7.5: Azure File share file upload
Now, I will show you how to connect the file share with your on-premises machine or local desktop PC:
1. Click on the Connect option.
2. Once done, it will ask you to copy the path and run it in PowerShell.
3. The Azure File share supports Windows, Linux, and Mac OSes to connect to the file share.
4. Based on the OS, you can copy the command line and follow the instructions to connect.
5. Make sure you allow port 445 from your firewall and NSG to connect to the file share. Let’s take a look at the following screenshot:
Figure 7.6: Azure File share connect
Now, you can connect the Azure File share and upload the data which will automatically sync to an Azure File share.
Configuration of Azure File sync
Azure File sync will help you manage the documents centrally just like your network share. It provides flexibility and high performance with your on-premises file server. It supports protocols like SMB, NFS, and FTPS to access your data locally and provides the cache to the Azure File share.
Note: For now, it supports only Windows Server and no other platform as per the MS documentation. Please take a look at the documentation for more clarification on Azure File sync support and features.
Follow the given steps to create the Azure File sync:
1. Go to Marketplace and search for Azure File Sync.
2. Select the services.
3. Provide the name of the file sync services.
4. Click on create Azure File sync.
5. Select the resources group.
6. Click on Review + Create.
7. Once done, you will be able to create file sync services.
Let’s take a look at the following screenshot:
Figure 7.7: Azure File sync creation
8. Now, you can create the Azure File sync. Next, we will create the Azure File sync group.
Azure File Sync group
Azure File sync provides a set of sync topology to a set of files to keep the data syncing through the endpoint which has been created during the Azure File sync group creation. The sync group helps to keep files from multiple endpoints in sync. To create the sync group, let’s follow the given steps:
1. Select the Azure File sync.
2. Go to the Sync tab and click on the Sync group option.
Let’s take a look at the following screenshot:
Figure 7.8: Sync group creation
3. Provide the sync group name.
4. Select the subscription.
5. Click on the storage account and select the Azure storage account, and then you can select the Data Box as well for the same solution.
6. Select the Azure File share from the drop-down menu.
7. Click on Create. Once done, your sync group will be created. Let’s take a look at the following screenshot:
Figure 7.9: Sync group creation steps
Now, you can create the Azure sync group. Once the sync group is created, please register the servers you want to transfer the data to:
1. Click on the Sync tab.
2. Click on Registered servers.
3. Click on the Download Azure File Sync agent and install it on all servers you want to sync option.
4. Once the agent is installed, your servers will be shown under Registered servers.
5. You will be able to transfer the files and folders automatically. Let’s take a look at the following screenshot:
Figure 7.10: Registered servers
Azure File sync troubleshooting
Azure File sync troubleshooting will help you to figure out the common issues you face to connect to the Azure File share. You might have a problem deleting the files from the Azure File share or agent installation. You might have an issue with registered servers’ addition or removal process.
I sometimes face an issue of the server being already added and had to troubleshoot and fix the issue. Sometimes, you might face the issue of the sync group not working or MgmtServerJobFailed.
For all these issues, Microsoft Azure has written a wonderful documentation (https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-troubleshoot?tabs=portal1%2Cazure-portal), so follow this documentation to fix the issue.

Conclusion
In this chapter, we explained the usage of the Azure File share and how to connect and transfer the files in the Azure File share. We also explained the limitation of the Azure File share. We discussed the Azure File sync configuration and explained the components as well. In Azure File sync, we discussed the sync group and how to register the servers. If you get stuck on some issues, then you can use the Azure File sync troubleshooting steps to fix the issue.
In the next chapter, we will discuss the implementation of the Azure virtual machine and how to create and configure the Azure virtual machine.
We will discuss the Azure high availability and disk encryption and how to redeploy the Azure VM and its usage.
CHAPTER 8
Creating and Configuring of Azure VMs
In this chapter, we will be discussing the use of Azure VMs, how to configure the high availability, and how to monitor the Azure VMs, usage of the Azure storage, and what kind of disk is required while creating the VMs. I will be explaining about the Azure scale set as well, and how to scale in the Azure environments using the Azure scale set. We will be discussing how to choose the Azure VM size and much more.

Structure
The following topics will be covered in this chapter:
Azure Virtual Machine (VM)
Azure VM scale sets
Configure Azure disk encryption
Redeploy VM

Objectives
In this chapter, we will explain how to create the Azure Windows and Linux VM in an Azure subscription, which can be used for your test, development, and production environments. Configuring the high availability will help you to reduce the downtime of the Azure VMs. We have also explained how to set up the monitoring, storage, VM size, and configure the disk encryption in Azure VM, which will help to encrypt the disk and secure the disk data.
Azure virtual machine
The Azure VM provides flexibility in virtual environments without buying on-premises hardware or software licenses. It provides high availability, and we can use it as on-premises servers. You can even perform tasks like software installation, patching, and other tasks as per the customer’s requirements.
Azure VMs are mainly used for application testing, development work, or hybrid cloud scenarios. If you need to extend your on-premises environments to Azure, you can do that as well. Microsoft Azure supports Windows, Linux, and other custom OS versions as per marketplace standards.
Microsoft Azure supports the various types of VM sizes so that customers can deploy the VMs based on their required configuration. It also supports high level of VM sizes for SAP and SAP HANA as well.

Virtual machine components
If you are planning to create a VM, then you need to follow the given steps and complete a few pre-requisites. Please follow the given steps to create VMs.

Pre-requisites
First, I will explain a few of the components under the pre-requisite section. Once you understand the components, it will be easy for you to create the VMs:
Subscription: You need to select the correct subscription where you want to deploy the VMs.
Resource group: Please select the correct resources group for which you want to deploy the VMs. For more details, refer to Chapter 4, Resource Group Management.
Virtual machine name: Follow your organization naming convention or get the details from your customer/project. Provide the machine name.
Region: The region is equal to your Azure data center location. If your customer is from the US, you can choose a location like East US, East US 2, West US, or Central US. Based on the customer location, you can choose the region which will help to reduce the latency.
Availability set: The availability set is a logical grouping of your Azure VMs which provides high availability of your VMs in case of unexpected hardware failure, unplanned hardware or software maintenance, and if there is any planned maintenance from Microsoft Azure.
    Fault Domain: Fault domain shares the common power sources and physical network switch. This means that if anything happens in the hardware or network layer, then it will help your VMs to keep alive.
    Update Domain: Update domain will help you in case of any planned or unplanned software maintenance from Microsoft Azure. It ensures that your application VMs do not all reboot at the same time within the availability set. Take a look at the following diagram:
Figure 8.1: Azure availability set
Availability zone: The availability zone is another option that provides high availability in case of data center failure within the zone. The zone has been designed with one or more data centers, which provides the resiliency and availability of your data and application services. Please take a look at the following diagram:
Figure 8.2: Azure availability zone
Image: Images are nothing but your operating system that you can choose while creating the VMs. Images can have Windows, Linux, Ubuntu, and customized images that are available in the Azure marketplace. Please take a look at the following screenshot:
Figure 8.3: Azure image options
Administrator accounts: The administrator account is used to log in locally in the VMs. You can use the VM credentials that will help you to connect to the VMs using the Remote Desktop Protocol (RDP) or Secure Shell (SSH).
Disk type: The disk type is where your data and OS are stored. It consists of the following types:
    HDD: Hard disk drive is backed by a magnetic disk and it provides 500 IOPS/1 TB. It is used for any workload based on the customer’s requirements.
    SSD: It is also called a premium disk which is backed by the solid-state drive and provides 7500 IOPS/1 TB. It is mainly used for production workload.
    Standard SSD: It is a combination of SSD and HDD disk, which provides faster performance and provides 500 IOPS/1 TB. It can be used for development and UAT environments.
Azure VMs size: Azure VMs size is a collection of the capacity (memory, disk, IOPS, and so on) and features supported by your Azure VMs instance like 2 GB RAM with 120 GB disk space as your on-premises hardware. You can choose based on the requirements. It supports large instance sizes which can be used for GPU-based systems or SAP VMs. Please take a look at the following screenshot:
Figure 8.4: Azure instance size
Network component: Azure network components are mainly used to connect your VMs/services to your network. For example, while creating VMs, you need to select the virtual network and subnet which define the network boundary of your VMs.
Public IP: A public IP address is used if you want to connect your VMs to the internet or access and connect applications publicly.
NSG (inbound and outbound port): The network security group defines the rules for ports that need to be allowed or denied and based on the requirements, you can allow the ports.
    Inbound port: The traffic which you want to allow from the internet to your VMs.
    Outbound port: The traffic which you want to allow from your VMs to the internet.
Boot diagnostics: It is used to capture the console output and help you to provide the screenshots of the VM running on a host in case of an occurrence of an issue.
OS guest diagnostics: It helps to collect the metrics of your virtual machine. So, you can use and create alerts to update your teams.
Diagnostic accounts: The diagnostics account is nothing but your storage account where you want to store the diagnostics logs for further troubleshooting.
Auto shutdown configuration: It helps to shut down the VMs after your business hours automatically. It is recommended that you do not use this option for your production environments.
Dedicated host: It is a new feature that is launched by Microsoft Azure and allows a dedicated host in the Azure data center to provision the VMs within a dedicated host. It provides isolated environments and helps in any maintenance initiated by Microsoft Azure. However, it is not necessary to choose the same.
Proximity placement group: It allows users to group Azure resources physically closer together within the same region.
Resource group tag: It is used for billing purposes and you can tag your resources based on your requirements like a cost center, application name, product team, and so on.
Review and create: Finally, you will see all the required details in this tab, and you can review and create the VMs.

As I have explained all the components, let us understand and create the Azure VMs.
Creating a Windows virtual machine
To create the Windows VM, perform the following steps:
1. Provide the following required details:
    Subscription: Provide the subscription name.
    Resource group: Provide the resources group name based on the organization standards.
    Virtual machine name: Provide the VM name.
    Region: Provide the location you want to deploy the VM to.
    Availability set: Provide the availability set based on the requirements.
    Availability zone: Provide the availability zones based on the requirements.
    Image: Select the image Windows, Linux, or custom image. Look at the following screenshot:
Figure 8.5: Azure VM details
2. Then, add the following details:
    Administrator account: Provide the admin account username and password.
    Size: Provide the size of the VMs based on the requirements. Please take a look at the following screenshot:
Figure 8.6: Azure VMs credentials
3. Specify the disk based on the requirements like Premium SSD, Standard HDD, or Standard SSD.
4. You can add an additional disk using advanced options. Take a look at the following screenshot:
Figure 8.7: Azure VMs disk specification
5. Select the virtual network name and subnet.
6. If you need Public IP, then click on Create new and provide the name.
7. Select the ports you want to allow to connect to VMs like 3389 or 22, and so on. Take a look at the following screenshot:
Figure 8.8: Azure VMs network configuration
8. Provide the boot and OS diagnostics accounts.
9. Select the Diagnostic storage account from the drop-down menu.
10. Enable the auto-shutdown option for VMs that are not production VMs.
11. Provide the email ID and time zone and so on. Take a look at the following screenshot:
Figure 8.9: Azure VMs diagnostics configuration
12. Select the Advanced tab and click on Next to select the Tags option. Take a look at the following screenshot:
Figure 8.10: Azure VMs resources tag
13. Verify Review + create the VMs. It will take 8 to 10 minutes to create the VMs. Now, the VM creation process is complete. Take a look at the following screenshot:
Figure 8.11: Azure VMs creation review
Now, you will be able to create the Windows VM, and I will show you how to take care of the Linux VMs.
Creating Linux VMs
If you need to create the Linux VMs, please change the image name to Linux, Red Hat Enterprise, and so on, and then follow the preceding steps as provided for the Windows VM creation:
Figure 8.12: Azure Linux VMs
Once you complete all the steps, click on Create and your Linux VM will be created. You can refer to the VM creation section to get more details.
Azure virtual machine scale set creation
The Azure scale set helps you to create a group of VMs and manage them. It is automatically managed to increase or decrease the VMs based on the CPU usage or other rules which you have to define in a scale set. It provides high availability of your application while auto-scaling the VM based on the required configuration. It provides redundancy and improves the performance of your applications, which are distributed across multiple instances.
It is easy to create a scale set and get high availability and application resiliency. You can scale the instance based on application demands.
1. Let us configure and deploy the scale set and follow the given steps:
    Virtual machine scale set name: BPBScaleset
    Operating system disk image: Windows Server 2016 Datacenter
    Subscription: Select a subscription.
    Resource group: BPB
    Location: (US) East US
    Availability zone: Select if required or leave it to default.
    Username: BPBuser
    Password: Provide the password. Please take a look at the following screenshot:
Figure 8.13: Azure scale set configuration
    Instance count: The default value is 2 and based on the requirement, you can increase the count.
    Instance size: Standard B1S
    Use managed disks: Select Yes, if it is required.
    Enable the scale set while creating or you can select after creating it as well.
Figure 8.14: Azure scale set auto-scale configuration
2. If you want to select the application gateway, please select the same.
3. Select the virtual network.
4. Select Public IP if required.
5. Public inbound ports are required.
6. Enable the boot diagnostics.
7. Click on the Create button.
Configure Azure disk encryption
The Azure disk encryption will use the BitLocker feature to enable the full disk encryption of the Windows OS and data disk. We can configure the Azure disk encryption using the Azure portal, PowerShell, and Azure CLI. The Azure key vault is integrated with Azure encryption to help you to manage the access and control the encrypted disk.
For Linux, the Azure VM uses the DM-Crypt feature to provide the volume encryption to the OS and data disk of the Linux VM. The Azure key vault is integrated with the Azure encryption to help you to manage the access and control the keys and secrets. It supports the following OSes:
Windows 8 and later OS version
Servers 2008 R2 and later OS version
Red Hat, Ubuntu, and so on as per Linux OS disk encryption supported

Let us just see how to configure the disk encryption:
1. Go to the VM to which you want to enable the disk encryption.
2. Under Settings, click on the Disks option.
3. On the right-hand side of the tab, click on Encryption as shown in the following screenshot:
Figure 8.16: Azure disk encryption
4. Once you click on Encryption, it will open another tab to provide the details to encrypt the disk. Follow the given details:
    Select the following disk option from the drop-down menu:
        None
        OS disk
        OS and data disks
    Once you select this option, you need to select the key vault, key, and key version as shown in the following screenshot:
Figure 8.17: Azure disk encryption settings
5. Once you fill all the parameters, click on Save at the top to encrypt the disk. It will pop up the message that the VM might reboot, and you need to reboot the VM.
6. Click on Yes and your disk will start encrypting as shown in the following screenshot:
Figure 8.18: Azure disk encryption save
7. Once you log in to your system, you will observe that you have enabled the disk encryption. Then, you will see that the disk has a lock sign which is a BitLocker encryption symbol. Hence, your disk has been encrypted as shown in the following screenshot:
Figure 8.19: Azure disk encryption verification
Now, we have successfully verified that the Azure disk encryption is done and understood the whole process.
Redeploy a VM
Azure VM redeploy can be used if you are facing an RDP connection issue or application connectivity issue in the Azure VM. Azure redeploy will help you to move the VM to a new node, and in this process, the VM will be shut down and retain the entire configuration, including your data disk, but the temporary disk data will be deleted.
Let us see how to proceed with the Azure virtual machine Redeploy option.
1. Go to the VM for which you want to perform the Azure VM redeploy option.
2. Go to Support + troubleshooting.
3. Then, click on the Redeploy option as shown in the following screenshot:
Figure 8.20: Azure VM redeploy
4. Once you click on the Redeploy option, click on the Redeploy button and the process will start and then you can go through the instruction as shown in the following screenshot:
Figure 8.21: Azure VM redeploy instruction
It will take up to 15 to 20 minutes to complete the process. Once this is complete, you can see your VM up and running fine and you can connect to apps or VMs.
Conclusion
In this chapter, we discussed the Azure virtual machine and its usage. We described the Azure virtual machine and scale set components in detail. We also discussed how to implement the Azure disk encryption and encrypt your disk and how to troubleshoot the issue using the Azure VM redeploy option.
In the next chapter, we will discuss how to deploy the Azure virtual machine automatically using the Azure template. We will also discuss how to use the ARM template and modify the same.
CHAPTER 9
Automating Deployment of VMs
In this chapter, we will discuss the automation of Azure VMs, how to deploy the VMs using the ARM template, how to configure the location of VMs, how to configure the ARM template, and how to save the template and deploy the VMs.

Structure
The following topics will be covered in this chapter:
Azure ARM template
Modifying the ARM template
Template deployment

Objectives
In this chapter, we will learn about the ARM template and how to create the Azure VM using the template. We will also learn how to generate and deploy the ARM template in an Azure subscription.
Azure ARM template
The Azure ARM template defines an automated way to deploy the Azure infrastructure like the Azure virtual machine, storage account, and so on. This is managed by the API, called the ARM API or resource manager, and used to deploy the infrastructure code. You can use the Azure portal, PowerShell, or CLI, by calling the API directly and by creating ARM templates.
We can create the ARM template in the JSON format, and we can use it for the repeated deployment of your resources. It can also be used to deploy resources across the subscription environments.
Note: Many templates are available in the GitHub and Microsoft documentation which can be used and modified for your deployment. Refer to the ARM GitHub at https://github.com/Azure/azure-quickstart-templates.
Modifying the ARM template
In this section, I will deploy an Azure virtual machine and you will see how to use the ARM template deployment from the template. You will understand how to generate and modify the Azure template. If you need to create the template, follow the given steps:
1. Log in to the portal.
2. Select the virtual machine and provide the parameters.
3. Select the subscription.
4. Select the Resources group name:
    VM name
    Azure disk
    VNet
    Subnet
5. Once the process is complete, download the template as shown in the following screenshot:
Figure 9.1: Resources template Create
6. Once you click on Download a template for automation, you will get multiple options as follows:
    Download the template
    Add to ARM library
    Deploy using the same template
7. You can see the template has been created in the JSON format. It has strings and values in the template.
8. If you need to edit the template, then you will have certain edit parameters such as $schema, contentVersion, Parameters, Variables, Resources, and Output. Once you set all these parameters, your template is ready for deployment. Let’s take a look at the following screenshot:
Figure 9.2: Resources template download
The template will be downloaded in the ZIP folder, and you can open it in the ARM editor software.
9. Now, you can see the template parameters, and you can even set the value that could be required for further template deployment, and so on. You can see the following values:
    Location
    RDP Ports
Let’s take a look at the following screenshot:
Figure 9.3: Resources template parameter
10. Search for the deployments and select the Deploy a custom template option. Take a look at the following screenshot:
Figure 9.4: Resources template custom deployment
11. Once you select the template, you will get an option to edit the template. You can choose the template from the GitHub directly and click on edit. Please take a look at the following screenshot:
Figure 9.5: Template editor deployment
12. Once you click on Edit template, you will be directed to the next section. Then, select the Load file option and try and upload the file:
Figure 9.6: ARM template load file
13. Once you add the template, it will add your parameters, and you need to verify the parameters. Then, click on Save:
Figure 9.7: ARM template edits
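Before a downloaded or edited template is deployed, the NSG inbound ports discussed in the previous chapter (3389, 22) and the template's parameter values can be checked offline. The following Python script is an added example, not code from the book or from Microsoft: it scans a template's network security group rules for RDP or SSH allowed inbound from any source, resolving simple parameter references to their default values. The sample template, the NSG name bpb-vm-nsg, and the rdpSource parameter are constructed for illustration.

```python
import json
import re

# Constructed sample: a trimmed template with the top-level sections the
# chapter lists ($schema, contentVersion, parameters, variables, resources,
# outputs). The NSG name and the rdpSource parameter are hypothetical.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {"type": "string", "defaultValue": "eastus"},
    "rdpSource": {"type": "string", "defaultValue": "*"}
  },
  "variables": {},
  "resources": [{
    "type": "Microsoft.Network/networkSecurityGroups",
    "apiVersion": "2020-05-01",
    "name": "bpb-vm-nsg",
    "location": "[parameters('location')]",
    "properties": {"securityRules": [
      {"name": "RDP", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 300,
        "sourceAddressPrefix": "[parameters('rdpSource')]",
        "destinationPortRange": "3389"}},
      {"name": "SSH-admin", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 310,
        "sourceAddressPrefix": "203.0.113.0/24",
        "destinationPortRange": "22"}},
      {"name": "web-range", "properties": {
        "direction": "Inbound", "access": "Allow", "protocol": "*", "priority": 320,
        "sourceAddressPrefix": "Internet",
        "destinationPortRanges": ["80", "443", "20-25"]}},
      {"name": "smb-out", "properties": {
        "direction": "Outbound", "access": "Allow", "protocol": "Tcp", "priority": 330,
        "sourceAddressPrefix": "*",
        "destinationPortRange": "445"}}
    ]}
  }],
  "outputs": {}
}
""")

MGMT_PORTS = {3389: "RDP", 22: "SSH"}            # ports named in the chapter
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}    # source values meaning "anyone"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, template):
    """Swap a plain [parameters('x')] reference for that parameter's defaultValue.
    Other expressions, and parameters without a default, are returned unchanged."""
    if isinstance(value, str):
        match = PARAM_REF.match(value.strip())
        if match:
            param = template.get("parameters", {}).get(match.group(1), {})
            return param.get("defaultValue", value)
    return value


def collect(props, single, plural, template):
    """Merge the singular and plural form of a rule property into one string list."""
    raw = []
    if props.get(single) not in (None, ""):
        raw.append(props[single])
    many = resolve(props.get(plural, []), template)
    raw.extend(many if isinstance(many, list) else [many])
    return [str(resolve(v, template)) for v in raw]


def port_covers(spec, port):
    """True if a port spec ('*', '3389' or '20-25') includes the given port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return low.isdigit() and high.isdigit() and int(low) <= port <= int(high)
    return spec.isdigit() and int(spec) == port


def audit_template(template):
    """Return (nsg, rule, service, port, source) for each inbound allow rule that
    opens RDP or SSH to any source. Only top-level NSG resources with inline
    securityRules are inspected."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/networksecuritygroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            if str(p.get("direction", "")).lower() != "inbound":
                continue
            if str(p.get("access", "")).lower() != "allow":
                continue
            if str(p.get("protocol", "*")).lower() not in ("tcp", "*"):
                continue
            sources = collect(p, "sourceAddressPrefix", "sourceAddressPrefixes", template)
            open_src = [s for s in sources if s.lower() in OPEN_SOURCES]
            if not open_src:
                continue
            ports = collect(p, "destinationPortRange", "destinationPortRanges", template)
            for port, label in MGMT_PORTS.items():
                if any(port_covers(spec, port) for spec in ports):
                    findings.append((res.get("name"), rule.get("name"), label, port, open_src[0]))
    return findings


if __name__ == "__main__":
    for nsg, rule, label, port, source in audit_template(SAMPLE_TEMPLATE):
        print(f"{nsg}/{rule}: {label} ({port}/tcp) allowed inbound from {source}")
```

A rule whose source parameter has no default value is left unresolved and not flagged, so the value supplied at deployment time still needs a manual check.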
Template deployments
To deploy the template, perform the following steps:
1. Once you click on Save, it will automatically go to the deployment screen.
2. Provide all the parameters as per your requirements.
3. Once you are done with the parameters, click on Purchase and you will be able to deploy the VMs.
4. It will take 10 to 15 minutes to deploy the VMs. After this, your deployment will be completed. Take a look at the following screenshot:
Figure 9.8: ARM template deployment

Conclusion
In this chapter, we discussed how to deploy the Azure virtual machine using the ARM automation, which will help you to deploy your big infrastructure quickly and save your time.
In the next chapter, we will discuss how to create and configure the Azure containers and use of the Kubernetes services. We will give you step-by-step instructions on how to deploy the Kubernetes and container services in an Azure subscription.
CHAPTER 10
Creating and Configuring Container
In this chapter, we will learn about the Azure Container and Kubernetes services and how to create these services and their usage. We will also discuss an Azure Container and its uses.

Structure
The following topics will be covered in this chapter:
Azure Container
Use of an Azure Container
Create a container
Azure Kubernetes
Create Azure Kubernetes

Objective
The objective of this chapter is to create and configure Azure Container Instances (ACI) and Azure Kubernetes Service (AKS).

Azure Container
An Azure Container is a standard package of software which helps you to package the code, dependencies, and configuration of a particular application. Containers help to split the monolithic applications into individual services which make up the solution.
Use of an Azure Container
The following are the uses of an Azure container:
It is used to scale up the application.
It provides the lightweight and immutable infrastructure for packaging the application and deployment.
It provides better performance and removes the OS, versions, and dependencies.

Create a container
Let us see how to create the container services using the following steps:
1. Click on Create a resource.
2. Search for Container Instances.
3. Click on Create for creating the container instance:
Figure 10.1: Container instance create
4. Provide the following details:
    The subscription and the resources group name.
    The region for which you want to create the container.
    Select the image sources from any of the following options:
        Quickstart images
        Azure Container Registry
        Docker Hub or other registry
    Select the size of the container instance.
5. Click on the Next: Networking > button as shown in the following screenshot:
Figure 10.2: Container instance details
6. In the Networking tab, provide the following details:
    Select the networking type from the following options:
        Public: It will create a public IP address and assign it to the container for public access.
        Private: If you want to integrate a VNet with the container, select this option.
    Provide the DNS custom name.
    Verify the port number.
7. Once done, click on the Next: Advanced > button as shown in the following screenshot:
Figure 10.3: Container networking
8. In the Advanced tab, follow the given steps:
    Click on any of the restart policy:
        On failure
        Always
        Never
    Set up the environment variable if you want to set up the container.
    You can set a command line to override if required.
Let’s take a look at the following screenshot:
Figure 10.4: Container advance settings
9. Click on Create after the validation of the container services as shown in the following screenshot:
Figure 10.5: Container instance creation
The container will be created in a few minutes after performing these steps, and you can make use of it.
Azure Kubernetes
Kubernetes is an open source portable platform for automatic deployment, scaling, and management of containerized workload. It is managed and orchestrated by the container in different compute environments. This orchestration platform provides the ease of use and flexibility with PaaS and IaaS environments.
Create Azure Kubernetes
Let us see how to create Azure Kubernetes by following the given steps:
1. Click on Create a resource.
2. Search for Kubernetes Service.
3. Select the service and click on Create:
Figure 10.6: Kubernetes services
4. Once you click on create the Kubernetes services, it will ask you to fill the following details:
   Subscription
   Resource group
   Provide the cluster details as follows:
      Kubernetes cluster name: Set of node machines called Kubernetes for running containerized applications.
      Region in which you want to deploy the services.
      The version of Kubernetes services you want to deploy.
   Node: A node is a physical or virtual machine that depends on the cluster configuration.
   Provide the node size and node count.
   You want to add an additional Kubernetes cluster.
Take a look at the following screenshot:
Figure 10.7: Kubernetes services details
5. Once you are done with the preceding configuration, go to the Node pools section and provide the following details:
   Add the node pool and its instance size with the OS.
   Select the virtual node to be enabled or disabled.
   Select the VM scale set to be enabled.
6. Go to the Authentication tab as shown in the following screenshot:
Figure 10.8: Kubernetes services node pool
7. In the Authentication tab, select the following details:
   Select the authentication method Service Principal or system-assigned managed identity.
   In Kubernetes authentication and authorization, enable the RBAC role.
   Select the encryption type as default.
8. Click on the Networking tab as shown in the following screenshot:
Figure 10.9: Kubernetes services authentication
9. Once you click on the Networking tab, provide the following details:
   Select the network configuration: Basic or Advanced
   DNS name prefix
   Load balancer
   Private cluster: Enabled or Disabled
   Network policy
   HTTP application routing: Yes or No
Go to the next tab as shown in the following screenshot:
Figure 10.10: Kubernetes services networking
10. Once you click on the Integration tab, select the Log Analytics workspace under the Azure Monitor section.
11. Click on the Next: Tags > button as shown in the following screenshot:
Figure 10.11: Kubernetes services integration
12. Here, provide the tag name and click on create the Kubernetes services. After the validation, click on next to create the Kubernetes services as shown in the following screenshot:
Figure 10.12: Kubernetes services creation
It will take 10 to 15 mins to create the Kubernetes services. After this, we will be able to use the services as per our requirements.
Conclusion
In this chapter, we discussed the creation and configuration of Azure Container and Kubernetes. We also covered the Kubernetes resources, how to set up and configure the container and Kubernetes, and how it will help you and the customer to manage the larger applications.
In the next chapter, we will discuss Azure app services and see how to create and deploy the app services in your Azure environments. We will also discuss the configuration part on WebApps which will help you to learn the WebApps services more easily.
CHAPTER 11
Creating and Configuring Web Apps
In this chapter, we will discuss the benefits of Azure app services, how to create the app services, and how to configure the app services plan. We will also discuss the Azure apps services components and how to use the web apps slot and custom domain configuration. We will discuss how to secure your Azure web apps.
Structure
The following topics will be covered in this chapter:
   App services
   Create and configure app services
   Custom domain configuration
   App service security
   App service backup
Objectives
The main objective of this chapter is to learn about Azure app services and its use cases. We will discuss the properties of its app services and see how to create and configure the app services using the Azure portal. So, the customer can utilize the Azure app services based on their requirements.
App service
Azure app services are HTTP-based services which are used to host the application similar to your on-premise IIS server. We can develop our application using .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python language. The app services automatically manage the patches, OS, and language framework.
App services plan
The app services plan defines the SKU/size of the Azure app services instance based on the app services plan. You will be able to utilize the features like custom domain, VNet-integration, load balancing, and size of app services such as 2 GB and 100 ACU, and so on.
Let us see how to create the app services plan:
1. Click on the + Create a resource option.
2. Search for App Service Plan.
3. Click on Create as shown in the following screenshot:
Figure 11.1: App service plan
Before we create the app services plan, let us see how many plans we have in app services and its usage:
Shared compute: In this plan, you will get the free apps services plan and shared services plan which can be used for the dev/test purpose as shown in the following table:
| Selected features | Free | Shared |
|---|---|---|
| Web, mobile, or API apps | 10 | 100 |
| Disk space | 1 GB | 1 GB |
| Auto scale | NA | NA |
| Deployment slots | NA | NA |
| Max instances | NA | NA |
Table 11.1: Web services shared plan
Dedicated compute: It is used for production purpose. In this plan, you will get a basic, standard, premium, and premium V2 tier. This can be seen in the following table:
| Selected features | Basic | Standard | Premium |
|---|---|---|---|
| Web, mobile, or API apps | Unlimited | Unlimited | Unlimited |
| Disk space | 10 GB | 50 GB | 250 GB |
| Auto scale | NA | Supported | Supported |
| Deployment slots | NA | 5 | 20 |
| Max instances | Up to 3 | Up to 10 | Up to 30 |
Table 11.2: Web services dedicated plan
Isolated: It will provide the dedicated VM instance which is integrated with the dedicated VNet. It provides complete isolation as well. Take a look at the following table:
| Selected features | Isolated |
|---|---|
| Web, mobile, or API apps | Unlimited |
| Disk space | 1 TB |
| Auto scale | Supported |
| Deployment slots | 20 |
| Max instances | Up to 100 |
Table 11.3: Web services isolated plans
Please take a look at the following screenshot:
Figure 11.2: App services plan size
Once you click on Create app service, follow the given steps:
1. Select the resource group.
2. Please provide the name of the app service.
3. Please select the OS: Windows/Linux as per your requirements.
4. Please click on Review + create as shown in the following screenshot:
Figure 11.3: App service plan creation
Once you click on Review + create, your app service plan will be created in 5 to 10 minutes.
Create and configure the app service
Let us now create the app services as we have already created and understood the app services plan. To do this, follow the given steps:
1. Click on + Create a resource.
2. Search for Azure app services.
3. Click on Web App as shown in the following screenshot:
Figure 11.4: Web app
4. Once you click on Web App, provide the following details to create the new app services:
   Subscription
   Resource group
   Provide the name of the instance
   Publish can be Code or Docker Container as per your customer/project requirements
5. Select the runtime stack as .NET Core 3.1 (LTS).
6. Select the OS; either Windows or Linux.
7. Select the region.
8. Click on windows size or App Service Plan in app services. Take a look at the following screenshot:
Figure 11.5: Web app details
9. Click on Next: Monitoring > and select the Monitoring tab and create a new application insight for monitoring of app services.
10. Once this is done, click on Review + create, and after 10 minutes, your app services will be created. Take a look at the following screenshot:
Figure 11.6: Web app creation
Custom domain configuration
A custom domain is used to configure your own custom domain for your web apps. For example, if you want to configure the xyz.com to bpb.com, then you need to configure the custom domain.
Now, we will configure the custom domain for app services. Please follow the given steps:
1. Go to App Service.
2. Click on Custom domains.
3. Click on + Add custom domain.
4. Provide the custom domain name.
5. Click on the Validate button.
Once you click on Validate, add the A record and TXT record in your public domain registration to validate, and then try to validate.
It will successfully validate after that, and now you can configure the Azure web apps services. Take a look at the following screenshot:
Figure 11.7: Custom domain
App services security
The app services security will help you to reduce attacks and enable the authentication to your web apps for your users. For example, you can integrate it with Azure AD, Facebook, Microsoft account, Google, and Twitter account. For more details, please take a look at the following screenshot:
Figure 11.8: Authentication
We can even enable the Transport Layer Security (TLS) to services and add the TLS/SSL certificate binding for the HTTPS configuration under the TLS/SSL settings configuration.
   TLS: It stands for transport layer security which is designed to provide the privacy and data security of communication over the internet.
   SSL: It is a secure socket layer that helps to protect the connection between the server and client while encrypting the link. The examples include websites, main servers, browsers, and so on. Take a look at the following screenshot:
Figure 11.9: TLS/SSL settings
App services backup
If you need to enable the backup of Azure app services, it is not simple to enable it directly from the backup vault, but the app services can use the backup vault with their configuration. Please follow the given steps to configure the app services backup:
1. Go to App Service.
2. Click on the Backups option.
3. Click on Backup to configure as highlighted in the following screenshot:
Figure 11.10: App backup
4. Click on the Storage tab and select the storage account for backup.
5. Select the On button for enabling the backup.
6. Set up the backup frequency.
7. Please mention the backup schedule start.
8. Select the retention period.
9. Click on the Save button, and your app services backup will be enabled. Take a look at the following screenshot for more details:
Figure 11.11: App backup configure
Conclusion
In this chapter, we discussed the Azure app services and app services plan. We also discussed how to configure the Azure app services backup and custom domain. We covered the app services security as well in this chapter.
In the next chapter, we will discuss how to integrate the on-premises network to Azure using the site-to-site connection and express route. We will also discuss the VNet-to-VNet peering and more.
CHAPTER 12
Configuring Virtual Networking and Integrating On-Premises to Azure Network
In this chapter, we will discuss the networking services and use their components such as the Azure virtual network and see how to create and use these services. We will also cover the VNet peering that can be used to connect to VNet, how to configure the VNet-to-VNet connectivity and the Azure virtual network gateway. Let us start with all of these topics and learn how to use networking services.
Structure
The following topics will be covered in this chapter:
   Azure virtual network
   ExpressRoute connection
   ExpressRoute configuration
Objectives
In this chapter, you will learn how to define the network in your Azure subscription using Azure VNet and subnet. We will discuss how to configure a site-to-site connection and on-premises to Azure connectivity using ExpressRoute.
Azure virtual network
An Azure virtual network is defined as the Azure network within your subscription. VNet integration enables you to access Azure resources like Azure virtual machine, SQL DB, and so on securely to the Azure network or on-premises network. It is just like your on-premises network that you have configured and have access to in your data center. Please take a look at the following components that are required to create the virtual network:
   Address space: An address space is nothing but a range of your virtual network IP address.
   Subnet: A subnet is a collection of the IP address which can be used to assign an Azure virtual machine. Please take a look at the following diagram:
Figure 12.1: Azure address space and subnet
Azure virtual network creation
If you need to create the Azure virtual network, then follow the given steps:
1. Log in to the portal.
2. Go to All services and click on Networking.
3. Select Virtual networks as shown in the following screenshot:
Figure 12.2: Azure virtual network
4. Provide the virtual network name.
5. Mention the address space as per your requirements.
6. Select the subscription, location, and resources group.
7. Provide the name of the subnet.
8. Then, provide the range of the subnet within the address space range.
9. Click on Create, and after that, it will take some time to create the virtual network. Please take a look at the following screenshot:
Figure 12.3: Azure virtual network details
Once the virtual network is created, you can see the following details as shown in the following screenshot:
Figure 12.4: VNet configuration
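Steps 5 and 8 above ask for an address space and a subnet range inside it; the following check is an added example, not code from the book, that validates such a plan before it is typed into the portal. It goes beyond the steps by also flagging overlap with networks you intend to connect later (a peered VNet or an on-premises range) and by applying Azure's five reserved addresses per subnet and /29 minimum IPv4 subnet size; the function names and all sample prefixes are constructed for illustration.

```python
import ipaddress

# Azure keeps the first four addresses and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_IPV4_PREFIX = 29  # IPv4 subnets smaller than /29 are not accepted


def _parse(cidr, label, problems):
    """Parse a CIDR string; record a problem instead of raising on bad input."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        problems.append(f"{label}: {cidr!r} is not a valid network prefix")
        return None


def usable_addresses(cidr):
    """Addresses left for resources once Azure's reserved ones are removed."""
    size = ipaddress.ip_network(cidr).num_addresses
    return max(size - AZURE_RESERVED_PER_SUBNET, 0)


def validate_vnet_plan(address_space, subnets, connected_ranges=None):
    """Return a list of problems in a planned VNet layout (empty list = OK).

    address_space    -- list of CIDR strings for the VNet
    subnets          -- dict of subnet name -> CIDR string
    connected_ranges -- dict of label -> CIDR for networks that will be
                        peered or reached over a VPN gateway
    """
    problems = []
    spaces = [n for n in (_parse(c, "address space", problems)
                          for c in address_space) if n is not None]

    parsed = {}
    for name, cidr in subnets.items():
        net = _parse(cidr, f"subnet {name}", problems)
        if net is None:
            continue
        parsed[name] = net
        inside = any(net.version == s.version and net.subnet_of(s)
                     for s in spaces)
        if not inside:
            problems.append(
                f"subnet {name}: {net} is outside the VNet address space")
        if net.version == 4 and net.prefixlen > SMALLEST_IPV4_PREFIX:
            problems.append(f"subnet {name}: {net} is smaller than /29")

    # Subnets of one VNet must not overlap each other.
    names = sorted(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first].overlaps(parsed[second]):
                problems.append(f"subnets {first} and {second} overlap")

    # Networks joined by peering or a VPN need distinct address ranges.
    for label, cidr in (connected_ranges or {}).items():
        net = _parse(cidr, label, problems)
        if net is None:
            continue
        for space in spaces:
            if net.overlaps(space):
                problems.append(
                    f"{label}: {net} overlaps VNet address space {space}")
    return problems


# Constructed sample plan containing four deliberate mistakes.
BAD_ADDRESS_SPACE = ["10.1.0.0/16"]
BAD_SUBNETS = {
    "frontend": "10.1.0.0/24",
    "backend": "10.1.0.128/25",        # sits inside frontend
    "GatewaySubnet": "10.2.255.0/27",  # not in the address space
    "mgmt": "10.1.5.7/24",             # host bits set, not a network prefix
}
BAD_CONNECTED = {
    "on-premises": "10.1.128.0/17",    # collides with the VNet range
    "peer-vnet": "10.3.0.0/16",
}

if __name__ == "__main__":
    for problem in validate_vnet_plan(BAD_ADDRESS_SPACE, BAD_SUBNETS,
                                      BAD_CONNECTED):
        print(problem)
    print("usable addresses in a /24:", usable_addresses("10.1.0.0/24"))
```
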
Azure VNet peering
The Azure virtual network can be used to connect two different virtual networks. It provides a seamless connectivity from the Microsoft backbone infrastructure. VNet peering can connect two different VNets, and it provides low-latency and high-bandwidth. Azure VNet peering is of two types:
   VNet peering: It is used to connect two virtual networks within the same region.
   Global VNet peering: It is used to connect two virtual networks across regions.
Please take a look at the following diagram:
Figure 12.5: VNet peering
Now, we have understood the use of Azure VNet peering, so let us now understand how to create the Azure VNet peering.
Suppose you have multiple VNets from various environments and you want to communicate with all the VNets, then you can have VNet peering. For VNet peering, we require a minimum of two VNets either in the same region or different region. Let us see how to create the VNet peering:
1. Log in to the portal and choose the two VNets in which you want to configure the VNet peering.
2. Select the VNet you want to peer.
3. Please select the VNet.
4. Under the Settings tab, select the Peerings option.
5. Click on + Add. Take a look to configure the VNet peering as shown in the following screenshot:
Figure 12.6: VNet peering configuration
6. Provide the VNet peering name.
7. Select the deployment Resources manager as default. The classic model can be used if you have resources in the classic mode (it is an old model and MS has stopped supporting this model).
8. Then, select the second virtual network name from the drop-down menu for which you want to enable the VNet peering.
9. Provide the name of VNet peering again for the second VNet configuration. Take a look at the following screenshot:
Figure 12.7: VNet peering configuration details
10. Please select the configuration setting to allow the VNet traffic from VNet 1 to VNet 2. You can even enable traffic from VNet 2 to 1 if required by your organization. The gateway transit is only required if VNet is configured with a virtual network gateway.
11. Click on the OK button to configure it.
12. Once you click on OK, it will take some time to configure, and it will allow traffic in both the VNets. Refer to the following screenshot:
Figure 12.8: VNet peering configuration settings
13. Once the VNet peering is done, verify the connectivity under the Peerings section as shown in the following screenshot:
Figure 12.9: VNet connectivity verification
Virtual network gateway
The Azure virtual network gateway is used to send the encrypted traffic from the Azure network to the on-premises network. In other words, it is used to create connectivity between the Azure and on-premise network. A virtual network gateway is used to send the encrypted traffic over the Microsoft network. In a single VNet, you can configure only one VPN gateway, and if you want to connect from multiple connections, then you can use the same VPN gateway. For the configuration, the following are pre-requisites:
   Azure VNet
   You might need a gateway subnet under the same VNet if you want to configure the virtual network gateway.
   You might need a gateway in which you can choose either a VPN or express route based on your requirements.
   It requires a public IP as well.
Before we create the virtual network, please make sure to understand the connectivity you want to use. If you need VNet-to-VNet and site-to-site connection, you can use the VPN, but if you want to configure with the express route, then select the gateway type as EXPRESSROUTE.
Let us see how to configure the Azure virtual network gateway:
1. Please go to the marketplace and search for the Azure virtual network gateway.
2. Select Virtual network gateway and click on Create. The following screenshot shows the VNet network gateway creation:
Figure 12.10: VNet network gateway creation
3. Provide the subscription and resource group name of your virtual network resources.
4. Then, provide the virtual network gateway name and region for which you want to create the VNet gateway, and it will provide the same location as your VNet.
5. Choose the VNet gateway type as follows:
   VPN: It is used to connect the VNet-to-VNet and site-to-site connectivity.
   Express route: If you are planning for the express route connectivity, then please select the express route gateway type. I will explain this later in this chapter.
   The VPN type is explained as follows:
      Policy-based: It is a combination of both the networks and based on the firewall policy. It will filter the encrypted/decrypted traffic. It is a built-in firewall device which performs traffic filtering. In another way, it is a static VPN device configuration and it has some limitations. Please take a look at the following diagram:
Figure 12.11: VPN type policy-based
      Route-based: In this scenario, VPN devices are used to send the traffic or route/filter the traffic from any device to any device or internet by an IPsec tunnel. Please take a look at the following diagram:
Figure 12.12: VPN type route-based
6. Please select the VPN SKU; it is nothing but a VNet device capability configuration. For more details, please take a look at the following screenshot:
Figure 12.13: VPN SKU
7. Once you provide all the details and select the option, it will look like the following screenshot:
Figure 12.14: VPN gateway configuration
8. Select the generation which is Generation 1, and let it be the default.
9. Select the virtual network from the drop-down menu.
10. Provide the public IP name or use an existing one.
11. Select Enable active-active mode which will be the default value, but if you want to configure it, then you need to add another public IP in the configuration.
12. Select the default option in Configure BGP ASN as Disabled.
13. Click on Review + create. Please take a look at the following screenshot:
Figure 12.15: VPN gateway creation
It will take 30 to 45 minutes to create a VNet gateway. Once it gets created, you can configure the site-to-site VPN and VNet-to-VNet connectivity, and we will explain this in the next section.
Now, let us see how to configure the VNet-to-VNet gateway. The VNet gateway is required to be created for both the VNets, and it is used to connect the two subscriptions and two different regions.
Site-to-site VPN
The Azure site-to-site VPN is used to connect the Azure network to on-premises data centers over the IPsec/IKE (IKEv1 or IKEv2) tunnel. It requires an on-premises VPN device to configure an S2S connection. Take a look at the following diagram:
Figure 12.16: Azure site-to-site VPN
To create a site-to-site VPN, the following are required:
   Azure VNet
   VNet gateway
   Local network gateway
   Connection
   On-premises VNet connection
Local Area network Gateway: It represents the hardware or software VPN device in your local network. We can use this with a connection to set up a site-to-site VPN connection between an Azure virtual network and your local network.
As I have mentioned all the steps to create the VNet and VNet gateway, let us now see how to create a local area network:
1. Please go to marketplace and search for Local network gateway. Take a look at the following screenshot:
Figure 12.17: Azure local area network gateway
2. Please provide the local gateway name.
3. Please provide the public IP address of your on-premises VPN devices.
4. Please provide the address range of the on-premises network.
5. Please provide the resources group, name, and location.
6. Please click on Create. Take a look at the following screenshot:
Figure 12.18: Azure local area network gateway details
Once the local area network gateway is created, please create the connection and configure the site-to-site VPN.
Site-to-site VPN connection creation
Once you configure the site-to-site VPN, perform all the given steps:
1. Please go to the marketplace and search for Connection.
2. Click on Connection.
3. Click on Create. Please take a look at the following screenshot:
Figure 12.19: Azure S2S connection creation
4. Once you click on Create, follow the given steps:
   a. Please select the connection type as Site-to-site (IPsec), VNet-to-VNet, or ExpressRoute from the drop-down menu.
   b. Select the subscription.
   c. Please select the resource group.
   d. Select the location. Please take a look at the following screenshot:
Figure 12.20: Azure S2S connection basic details
5. Go to the Settings tab and perform the following steps:
   a. Please select the VNet gateway in your specific region.
   b. Select the local area network gateway as we created earlier.
   c. Provide the name of the connection.
   d. Provide the passkey. It can be created in your on-premises VPN device or Azure connections.
   e. Select the protocol IKEv2 and let it be the default value.
   f. Click on OK. Please take a look at the following screenshot:
Figure 12.21: Azure S2S connection basic details
6. In Summary, please verify the details and click on OK to create the connection. Please take a look at the following screenshot:
Figure 12.22: Azure S2S connection summary
7. Once the connection is created, you will see the status connecting and data in and out. It will take some time to connect, and after that, you need to ask your network team to create the S2S tunnel in your on-premises VPN device as well. Please take a look at the following screenshot:
Figure 12.23: Azure S2S connection summary
Now, you can create an S2S connection. Let us see how to create the VNet-to-VNet connectivity.
VNet-to-VNet connectivity creation
Let us see how to create the VNet-to-VNet connectivity. You would require the following configuration before you set up the VNet-to-VNet connections:
   Azure VNet
   You would need two VNet gateways for both the VNets
   Connection
Once you set up the preceding components, follow the given steps to create the connections:
1. Please go to the marketplace and search for a connection.
2. Then, click on the connection to create the VNet-to-VNet connection. Please take a look at the following screenshot:
Figure 12.24: Azure VNet-to-VNet connection summary
3. Select the connection type VNet-to-VNet.
4. Select the subscription and resources group.
5. Select the location as (US) East US. Please take a look at the following screenshot:
Figure 12.25: Azure VNet to VNet connection basic settings
6. Please select the source and destination VNet gateway.
7. Please provide the name of the connections.
8. Please provide the shared access key.
9. Click on OK. Please take a look at the following screenshot:
Figure 12.26: Azure VNet-to-VNet connection settings
10. Please verify the Summary section and click on OK to create the VNet-to-VNet connections. Refer to the following screenshot:
Figure 12.27: Azure VNet-to-VNet connection summary
11. Once the VNet connection is created, you can see that the status is Connected. Please take a look at the following screenshot:
Figure 12.28: Azure VNet-to-VNet connection status
Now, we have learned how to configure the site-to-site connection and VNet-to-VNet connectivity. In the next section, I will discuss the express route and set up the express route connection, which is almost the same as what we did in the site-to-site connectivity.
ExpressRoute connection
ExpressRoute is a direct, dedicated connection from your WAN (not over the public internet) to Microsoft services and Azure. We can configure the site-to-site VPN and ExpressRoute connections for the same virtual network for load balancing or high availability.
We can configure a site-to-site VPN as a secure failover path for ExpressRoute or use site-to-site VPNs to connect to sites that are not part of your network, but that are connected through ExpressRoute. Please take a look at the following diagram that shows ExpressRoute:
Figure 12.29: ExpressRoute
ExpressRoute configuration
Now, we will discuss how to configure the express route. For this, we require the following:
   Azure VNet
   ExpressRoute circuit
   VNet gateway with ExpressRoute
   Connection
I have explained how to create an Azure VNet and VNet gateway. Let us now see how to configure the ExpressRoute circuit in Azure:
1. Please search for express route from the marketplace.
2. Click on + Add.
3. Please provide the express route circuit name.
4. Please provide the name that will be your ISP provider name like Airtel, AT&T, and so on.
5. Please select the peering location from the drop-down menu.
6. Please select the bandwidth 50 Mbps to 10 Gbps.
7. Then, click on create.
Please take a look at the following screenshot:
Figure 12.30: ExpressRoute circuit
8. Once the ExpressRoute circuit is created, follow the site-to-site connection steps and select the ExpressRoute circuit name. Then, create the connections.
Note: ISP providers can configure the on-premises express route setup and the circuit creation will be done by your ISP and with your network team.
Conclusion
In this chapter, we discussed VNet and how to set up the VNet gateway and configure the site-to-site connection, express route, and VNet-to-VNet connections. In the next chapter, we will discuss the Azure network security group and IP address types. We will also discuss how to create and configure the Azure security group rules and how to associate a subnet NSG with VMs and subnets.
CHAPTER 13
Configuring Load Balancing
In this chapter, we will discuss Azure DNS and learn how to create public and private DNS zones. We will also discuss the Azure load balancer and see how to create and configure the Azure load balancer and DNS. We will also cover the Azure application gateway and traffic manager.
Structure
The following topics will be covered in this chapter:
   Azure DNS
   Configure the custom DNS settings
   Configure private and public DNS zones
   Configure the internal load balancer
   Configure load balancing rules
   Configure the public load balancer
   Troubleshoot load balancing
   Application gateway
   Traffic manager
Objectives
In this chapter, you will learn how to configure and set up the load balancer for Azure VMs/applications using the Azure load balancer, Traffic manager, and application gateway. We will also cover Azure DNS and see how to create your custom Azure DNS and configure it.
Azure DNS
Azure DNS is a hosting service that provides the DNS domain and the name resolutions using the Azure infrastructure. You can host the domains in Azure and manage the records. Using Azure DNS, you cannot buy the custom domain. To buy the domain name, you need to use third-party domain register name sites like godaddy.com, and so on. Azure DNS manages the Azure records, and we can use it for external resources as well. Azure DNS is an integrated part of the Azure portal and it is used for Azure services like billing, support contract, and so on.
The following are the details of the Azure DNS delegation, zones, and DNS registrar usage:
Zone delegation
   Azure DNS allows us to host a DNS zone and manage the DNS records for a domain in Azure.
   Azure DNS is not the domain registrar.
Domains and zones
   The domain name system is a hierarchy of domains. The hierarchy starts with the root domain.
   Top-level domains such as .com, .net, .org, .uk, or .jp.
   Second-level domains such as org.uk or co.jp, and so on.
   The domains in the DNS hierarchy are hosted using separate DNS zones.
   Zones are globally distributed and hosted by DNS name servers around the world.
DNS zone
   The domain is a unique name in the domain name system, for example, Bpbcloud.com.
   A DNS zone is used to host the DNS records for a domain.
   For example, the domain rcloudweb.com may contain several DNS records such as mail.rcloudweb.com (for a mail server) and www.rcloudweb.com (for a website).
Domain registrar
   The domain registrar is a company who can provide internet domain names.
   They will verify if the internet domain you want to use is available and allow you to purchase it.
   Once the domain name is registered, you will be the legal owner of the domain name.
If you already have an internet domain, you will be able to use the current domain registrar to delegate to Azure DNS.
Azure DNS creation
Now, let us try and create the Azure DNS services from the Azure portal:
1. Please go to the marketplace.
2. Please search for DNS and click on DNS zone.
3. Click on Create as shown in the following screenshot:
Figure 13.1: Azure DNS creation
4. Please select the subscription and resource group name.
5. Please provide the DNS name in this format XYZ.com.
6. Please click on Review + create as shown in the following screenshot:
Figure 13.2: Azure DNS
Once the DNS zones are created, it will look like the following screenshot:
Figure 13.3: Azure DNS configuration
Azure DNS record creation
Azure DNS records various types of data and helps to identify the services based on the records. Generally, records map a domain to its IP address. The following records in the table will help you to understand the usage of each record:
| Record name | Full name | Usage |
|---|---|---|
| A (IPv4), AAAA (IPv6) | Address | It maps a host name like mail.bpb.com to an IP address 153.120.10.20. |
| CNAME | Chronicle name | It is used to point one host record to another like test.Bpb.com to email.Azure4you.com. |
| MX | Mail exchange | It points to the host that will receive an email from that domain. The MX record must point to an A record, not to the CNAME record. |
| NS | Name server | It delegates a DNS zone to the specified authoritative name server. |
| SOA | Start of authority | It defines the authoritative record of zones. |
| SRV | Services | It is a location host that provides specific services like Skype-Session Initiation Protocol (SIP), which is used in Skype, Teams, and so on. |
| TXT | Text | It records a human-readable text field in DNS. |
Table 13.1: Record names and their usage
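The table's rule that an MX record must point to an A record and not to a CNAME can be checked before record sets are entered in the zone. The linter below is an added example, not code from the book: it also applies the standard DNS rules that a CNAME cannot share a name with other record types or sit at the zone apex, and that A/AAAA values must be addresses of the right family. The zone example.com, the record tuples and the "preference host" MX format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Record types whose value must be an IP address of a given family.
ADDRESS_TYPES = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}


def lint_zone(zone, records):
    """Check planned record sets; return a list of problems (empty = OK).

    zone    -- zone name, for example "example.com"
    records -- iterable of (name, type, value); name is relative to the
               zone and "@" means the zone apex; MX values are written as
               "<preference> <mail host>" with a fully qualified host
    """
    zone = zone.rstrip(".").lower()
    problems = []

    def owner_fqdn(name):
        return zone if name == "@" else f"{name.lower()}.{zone}"

    # First pass: which record types exist at each name.
    types_at = defaultdict(set)
    for name, rtype, _value in records:
        types_at[owner_fqdn(name)].add(rtype.upper())

    # Second pass: apply the rules record by record.
    for name, rtype, value in records:
        owner, rtype = owner_fqdn(name), rtype.upper()

        if rtype in ADDRESS_TYPES:
            try:
                ADDRESS_TYPES[rtype](value)
            except ValueError:
                problems.append(
                    f"{owner} {rtype}: {value!r} is not a valid {rtype} address")

        elif rtype == "CNAME":
            if owner == zone:
                problems.append(f"{owner} CNAME: not allowed at the zone apex")
            others = types_at[owner] - {"CNAME"}
            if others:
                problems.append(
                    f"{owner} CNAME: cannot coexist with "
                    f"{', '.join(sorted(others))} at the same name")

        elif rtype == "MX":
            parts = value.split()
            if len(parts) != 2 or not parts[0].isdigit():
                problems.append(
                    f"{owner} MX: {value!r} should be '<preference> <mail host>'")
                continue
            target = parts[1].rstrip(".").lower()
            in_zone = target == zone or target.endswith("." + zone)
            if not in_zone:
                continue  # hosted elsewhere; cannot be checked offline
            target_types = types_at.get(target, set())
            if "CNAME" in target_types:
                problems.append(
                    f"{owner} MX: target {target} is a CNAME, "
                    "but MX must point to a host with an address record")
            elif not target_types & set(ADDRESS_TYPES):
                problems.append(
                    f"{owner} MX: target {target} has no A or AAAA record "
                    "in this zone")
    return problems


# Constructed record sets with four deliberate mistakes.
BAD_RECORDS = [
    ("@", "MX", "10 mail.example.com"),            # target is a CNAME
    ("mail", "CNAME", "mailhost.example.com"),
    ("mailhost", "A", "203.0.113.25"),
    ("www", "A", "203.0.113.10"),
    ("www", "CNAME", "app.example.net"),           # shares a name with an A
    ("api", "A", "2001:db8::1"),                   # IPv6 value in an A record
    ("@", "MX", "20 backup.example.com"),          # target does not exist
]

GOOD_RECORDS = [
    ("@", "MX", "10 mail.example.com"),
    ("mail", "A", "203.0.113.25"),
    ("www", "CNAME", "app.example.net"),
]

if __name__ == "__main__":
    for problem in lint_zone("example.com", BAD_RECORDS):
        print(problem)
```
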
Let us try and create the Azure DNS records:
1. Please go to DNS zone.
2. Please click on + Record set.
3. Please provide the name of the A record.
4. Please select the type of record from the drop-down menu.
5. Provide the Time-to-Live (TTL) value.
6. The IP address of the A record or any other record name/IP is based on the description asked. Please take a look at the following screenshot:
Figure 13.4: Azure DNS configuration
Now, we have shown how to create the DNS server in Azure and explained its usage.
Azure load balancer
The Azure load balancer can be used to distribute the traffic across the backend server and resources which will help to scale your services and create a high availability of your services. It provides low latency and high throughput. Load balancers support Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Azure load balancers are of the following two types:
   Internal load balancer: It is used to load balance the internal traffic between Azure virtual machines. You can use hybrid connectivity if you want to load balance the on-premises VMs. In this load balancer, there are private IP addresses that are assigned to the front-end IP configuration.
   External load balancer: It is used for your external application which communicates with the internet traffic. In this load balancer, there are public IP addresses that are assigned to the front-end IP configuration.
Azure load balancers provide the following two types of Stock-keeping-Unit (SKU):
   Basic: The basic SKU supports up to 100 instances and the virtual machine should be in an availability set, single, or in the scale set. The protocol has been supported on TCP and UDP. It does not support TCP reset on idle, SLA, multiple front-end and availability zone, and so on.
   Standard: The standard SKU supports up to 1000 instances and the virtual machine should be in an availability set, single or in a scale set. The protocol has been supported on TCP, HTTP, and HTTPS. It supports TCP reset on idle, SLA, multiple front-end and availability zone, and so on.
Azure internal load balancer
Let us try to create an Azure private load balancer and understand its components. Before you create an Azure internal load balancer, you need an Azure virtual network to be created and an Azure virtual machine in an availability set or single VMs which can be used to associate with the Azure internal load balancer backend pool:
1. Please go to the marketplace and search for an Azure load balancer.
2. Click on Create as shown in the following screenshot:
Figure 13.5: Azure load balancer
3. Please select the subscription for which you want to create an internal load balancer.
4. Please select the appropriate resource group.
5. Please provide the name of the load balancer.
6. Select the region for which you want to deploy the load balancer.
7. Please select the load balancer type: internal or external based on your project.
8. Please select the SKU type as Basic.
9. Please select the virtual network and subnet.
10. Please select the IP address assignment. Let it be the default, but if you are deploying for production, please select Static instead of Dynamic.
11. Please click on Review + create as shown in the following screenshot:
Figure 13.6: Azure load balancer creation details
12. Once you click on create, the Azure load balancer will be created after 10 to 15 minutes. Once it is created, it will look like the following screenshot. Let us see how to configure the backend pool, health probe, load balancing rule, NAT rule, and so on:
Figure 13.7: Azure load balancer overview
Front-end IP configuration
All the traffic will come first to the front-end IP address and it will distribute the traffic based on the backend pool connectivity and the load balancer's rule. Perform the following steps:
1. Go to the load balancer and select Front-end IP configuration under the Settings tab.
2. Click on + Add.
3. Provide the name of the front-end load balancer.
4. Select the subnet from the drop-down menu.
5. Click on Add to add the front-end IP.
By default, when you create the load balancer, an automatic front-end IP configuration will be configured, but if you want to add the front-end IP, you need to follow the preceding process to add the new front-end configuration. Take a look at the following screenshot:
Figure 13.8: Azure load balancer front-end IP configuration
Once your front-end IP configuration is done, please configure the backend pool.
Azure backend pool
The Azure backend pool has your server or services configuration which needs to be load-balanced and it routes the traffic from the front-end IP. It should be a single virtual machine or scale set to configure it.
1. Provide the backend pool name.
2. Select the virtual machine or scale set you want to associate.
3. Select the virtual machine and the IP address from the drop-down menu.
4. Click on + Add as shown in the following screenshot:
Figure 13.9: Azure load balancer backend pool configuration
Health probes
It helps us to find the failure of the application on the backend endpoint. The health probe helps to find out when to send the new traffic flow to the backend endpoint just like a busy/free status. If the backend endpoint status fails, it stops and does not send any new traffic flow to that instance. Let us create the health probe for the load balancer configuration:
1. Please go to Health probes under the Settings tab.
2. Please click on + Add.
3. Please provide the name of the health probe.
4. Please select the TCP/UDP protocol from the drop-down menu.
5. Let the Interval be set to the default value, which means the health probe will check the backend endpoint status in a specific time as configured in the interval.
6. Please configure the unhealthy threshold as per your project requirements. It means that if it continuously fails for two times or more, then it will consider the backend endpoint status as failed and stop sending the traffic.
7. Click on OK to add the health probe. Please take a look at the following screenshot:
Figure 13.10: Azure load balancer health probe configuration
8. Please click on Load balancing rules under the Settings tab.
9. Please provide the rule name.
10. Please provide the protocol type TCP/UDP.
11. Please provide the port number and backend port of services.
12. Please select the backend pool and health probe.
13. Please select the session persistence and idle timeout.
14. Please click on the OK button to create a load balancing rule.
Take a look at the following screenshot:
Figure 13.11: Azure load balancer rule configuration
Now, your load balancer configuration has been completed and your services will use the Azure load balancer capability.
Application gateway
An application gateway is an application layer (OSI layer 7) web traffic load balancer that enables you to manage the traffic to your web applications. The application gateway can make the routing decision as per the HTTP/HTTPS request to route the traffic to the URI path or the host VM. The Azure application gateway can do the URL-based routing. It provides the following features:
Secure sockets layer (SSL/TLS) termination: In this feature, the application gateway provides an SSL/TLS termination at the gateway and after that, traffic will flow (encrypted) to the backend servers/applications.
Autoscaling: The application gateway standard_v2 supports and provides an autoscaling feature that helps to scale up and down the application gateway if there are any changes in the traffic load.
Zone redundancy: The application gateway standard_v2 supports multiple zones availability.
Static VIP: The application gateway standard_v2 supports a static VIP which means it will make sure your VIP associated with this application gateway does not change.
Web application firewall: It provides centralized protection to your web application for common vulnerabilities. It is based on the OWASP 3.1, 3.0, and 2.9. It helps you protect from SQL injection, scripting attack, and so on.
URL-based routing: This URL-based routing allows you to route traffic to the backend server pool based on your URL path. Let us say https://bpb.com/video or https://bpb.com/images, and so on.
Multiple-site hosting: We can host up to 100 web applications in one application gateway, and each application can be directed to its backend pool.
Redirection: It provides the HTTP/HTTPS based redirection to make sure all the communication between users and its application has been encrypted.
Session affinity: The cookie-based session affinity feature is useful if you want the user session on the same server for processing the request.
Please take a look at the following diagram:
Figure 13.12: Application gateway
Let us see how to create the application gateway and configure it:
1. Please click on Create a resource.
2. Search for Application gateway.
3. Click on the Create button to create an application gateway as shown in the following screenshot:
Figure 13.13: Application gateway creation
Once you click on the application gateway creation, follow the given steps:
1. Select the subscription for which you want to create an application gateway.
2. Create or select an existing resources group.
3. Provide the application gateway name as per your organization's standard.
4. Select the region.
5. Select the tier:
Standard: This standard tier does not support autoscaling and zone redundancy.
Standard V2: This standard tier supports autoscaling and zone redundancy.
WAF: It supports WAF 2.9 and 3.0.
WAF V2: It supports WAF 3.1.
6. Provide the autoscaling as Yes or No. If yes, then provide the minimum and maximum scale unit.
7. Provide the virtual network and subnet which does not have a routing table.
8. Once you provide all the details as shown in the following screenshot, please click on Next to configure the front-end configuration:
Figure 13.14: Application gateway basic
The application gateway front-end is where all the application traffic will arrive and then get routed to your apps.
Let us configure the front-end IP configuration and follow the given configuration:
Public: If you have a public-facing application, then select Public and configure the public IP.
Private: If you have your internal application, then configure the Private option.
Both: If you want to configure both your public and internal application, then select Both.
Please take a look at the following screenshot:
Figure 13.15: Application gateway front-end configuration
Once you are done with this configuration, please select the backend configuration. The application backend pool is where your application/host has been configured to route the traffic based on your user request.
1. Please click on Add a backend pool.
2. Provide the name of the backend pool.
3. Please select Yes or No in Add backend pool without targets. If yes, please provide the backend pool configuration as follows:
IP address or FQDN name
Virtual machine
VMSS
App services
4. Once you select this, please click on Next for the configuration as shown in the following screenshot:
Figure 13.16: Application gateway backend configuration
5. Once you are done with the backend configuration, let us look at the configuration part where you need to set up the routing rule for your application.
We will now configure the HTTP/HTTPS listener and backend routing rule to redirect the traffic. Let us just configure the listener:
1. Provide the name of the listener.
2. Select the front-end.
3. Select the protocol HTTP or HTTPS and port 80 or 443.
4. Select the listener type as Multi site if you are planning to add multiple sites or select Basic.
5. Select the error page URL as shown in the following screenshot:
Figure 13.17: Application gateway listener
As we have configured the listener, we will now configure the backend target:
1. Provide the rule name.
2. Select the target type either as Backend pool or Redirection based on your requirements.
3. Select the backend pool from the drop-down menu as shown in the following screenshot:
Figure 13.18: Application gateway backend target
4. Please click on HTTP settings and click on Add new.
5. Provide the HTTP setting name.
6. Select the backend pool and port number.
7. Select the cookies-based session and connection draining as per your requirements.
8. Please select the request timeout.
9. If you need to configure a new host name or the custom host name, you can also configure it as shown in the following screenshot:
Figure 13.19: Application gateway HTTP setting
Once we are done with this configuration, click on the Tags tab. If you want to add the tags, please click on Review + create as shown in the following screenshot:
Figure 13.20: Application gateway creation
When you click on the application gateway creation, the application gateway will get created in 10 to 15 minutes.
Azure traffic manager
The Azure traffic manager is a DNS-based traffic load balancer that enables the distribution of traffic and provides high availability to web applications. The traffic manager uses a DNS to direct the traffic to the most appropriate service endpoint based on the traffic routing method. It provides the following features:
Application availability
Application performance
Hybrid application
Distributes the traffic to complex environments
Let us create an Azure traffic manager and configure it. Please follow the given steps:
1. Please click on Create a resource.
2. Please search for the traffic manager.
3. Please click on the Create button to create the traffic manager as shown in the following screenshot:
Figure 13.21: Traffic manager profile creation
4. Please provide the name of the traffic manager.
5. Please provide the routing method from the following to configure it:
Priority: It is used when you want to configure the primary site's endpoint for all the traffic and secondary sites for backup.
Weighted: Weighted can be configured when you want to distribute the traffic to a set of endpoints, according to the weight.
Performance: It is used when you want to route the traffic to geographic locations and you want the closest endpoint for low network latency.
Geographic: It is used to redirect the traffic to a specific endpoint such as Azure, external, and so on based on the geographic location.
MultiValue: This can be configured only when the endpoint has an IPv4/IPv6 address.
Subnet: Subnet traffic-routing is used to map sets of end-users IP address (subnet) ranges to a specific endpoint in the traffic manager profile.
6. Select the subscription.
7. Select the resource group.
8. Please click on the Create button as shown in the following screenshot:
Figure 13.22: Traffic manager creation
Now, we can create the traffic manager and route the traffic using various routing methods in the traffic manager profile.
Conclusion
In this chapter, we discussed the configuration of Azure DNS and how to set up the Azure DNS private and public zones. We also discussed the Azure DNS components and records. We covered the usage of the Azure load balancer and explained how to configure and set up the Azure load balancer. We covered the application gateway and traffic manager profile. We also covered how to configure the application and how to load balance and secure your application.
CHAPTER 14
Securing Access to Virtual Networks
In this chapter, we will explain the network security group and its uses. The network security group contains the security rules which allow or deny the inbound/outbound traffic within the subscription and to the outer world. We will discuss network routes and learn how the routes will help to distribute the traffic as per route rules. We will explain the types of IP addresses and learn how they can be assigned to Azure VMs. We will cover the Azure firewall, route table and how to access the VM using Azure Bastion services.
Structure
The following topics will be covered in this chapter:
Configuration of private and public IP addresses
Network security group
Route table
Configure and deploy the Azure firewall
Configure and deploy Azure Bastion services
Evaluate effective security rules
Objectives
One of the objectives is to discuss the Azure firewall and its features. We will discuss how you can protect your Azure network using the Azure firewall. Suppose your customer wants to connect to VMs securely; this can be made possible using the Azure Bastion services.
Configuration of private and public IP addresses
The public IP address can be used if you want to connect your application publicly or outside the Azure network. Refer to the following public IP table:

Public IP addresses | IP address association | Dynamic | Static
--- | --- | --- | ---
Virtual machine | NIC | Yes | Yes
Load balancer | Front-end configuration | Yes | Yes
VPN gateway | Gateway IP configuration | Yes | No
Application gateway | Front-end configuration | Yes | No

Table 14.1: Public IP vs private IP

The private IP address can be used for internal communication within the Azure network. Refer to the following private IP table:

IP addresses | IP address association | Dynamic | Static
--- | --- | --- | ---
Virtual machine | NIC | Yes | Yes
Internal load balancer | Front-end configuration | Yes | Yes
Application gateway | Front-end configuration | Yes | Yes

Table 14.2: IP address association
IP addresses can be assigned dynamically by default from the Azure portal, and you have to make them static IP addresses. Let us understand what a static IP and a dynamic IP address are.
Static IP is a fixed IP address, and it can't be changed even if you restart your services and deallocate the VM.
Dynamic IP is the dynamic IP address that can be changed if you restart your services or deallocate the VM.
Let us understand how to make changes in IP addresses, and we will try to change dynamic IP to static IP:
1. Please select the Azure VMs for which you want to change the IP address from dynamic IP to static IP.
2. Under the Settings tab, click on Networking.
3. Click on the NIC card name.
4. Go to the IP configurations tab.
5. Click on the IP address on the right-hand side of the screen. Take a look at the following screenshot:
Figure 14.1: Azure private IP configuration
6. Please change dynamic to static and click on the Save button.
7. After a few minutes, your dynamic IP address will change to static IP as shown in the following screenshot:
Figure 14.2: Azure private IP dynamic IP to static IP
If you want to change the public IP address from dynamic IP to static IP, please follow the given steps:
1. Please go to the Networking tab.
2. Select the public IP address name and click on Configuration.
3. Please change the selection from Dynamic to Static.
4. Now, your public IP address will change to static IP address. Take a look at the following screenshot:
Figure 14.3: Azure public IP dynamic IP to static IP
Network security group
Azure network security rules contain the setup of security rules and are used to allow or deny traffic in your Azure network. NSG is followed by two types of rules which are inbound and outbound rules where you can define the port number, IP address, and source and destination for which you want to allow or deny the network traffic.
Inbound rule: The network traffic that allows traffic from the internet to your VM is called an inbound rule or allows calls/traffic to your VM from the outer world.
Outbound rule: The network traffic that allows traffic from your VM to the internet is called an inbound rule or denies calls/traffic to your VM from the outer world.
Let us see how to create a network security group and how to add an inbound and outbound rule:
1. Go to the marketplace and search for the network security group.
2. Click on Create as shown in the following screenshot:
Figure 14.4: Network security group
3. Provide the network security group subscription and resource group.
4. Provide the security group name.
5. Select the region you want to create the NSG.
6. Click on Review + create the NSG. Take a look at the following screenshot:
Figure 14.5: Network security group creation
After a few minutes, your network security group will be created and it will look as follows:
After the creation of NSG, the default rule will be created with the priority of 65000, 65001, and 65500.
The maximum rules that can be created are up to 65500, not more than that. Please take a look at the following screenshot:
Figure 14.6: Network security group default rule
Let us create the inbound rules in NSG:
1. Select the source IP Addresses, virtual network, or services tag.
2. Provide the source IP address.
3. Provide the port number you want to allow.
4. Provide the destination as IP Addresses, virtual network, or services tag as shown in the following screenshot:
Figure 14.7: Network security group inbound rule
5. Select the action either as Allow or Deny.
6. Provide the priority 100 or above as the NSG priority will start from 100 to 65500. The lower the priority number, the higher the importance, which means the rule with the lowest priority number, such as 100, will be applied first.
7. Provide the name of NSG and description and click on Add as shown in the following screenshot:
Figure 14.8: Network security group inbound rule
Similarly, if you need to create the outbound rule, you can follow the same steps as given in the inbound rule creation.
Network security group association
The network security group can be associated with Azure VMs, NICs and subnet levels.
NSG when applied on the VM NIC card will have high priority. Let us understand this. If you apply an NSG rule that allows port 3389 in the subnet, but the NSG on the NIC card has a rule that denies 3389, then when traffic reaches the NIC card it will be denied at the NIC NSG level. You can allow the common ports to the subnet and block the specific port in the VM's NIC NSG.
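The priority ordering and the subnet/NIC interaction described above can be modelled offline, which is useful when reviewing a rule set before it is applied. This is an added example, not code from the book or from Azure: the rule names, address ranges and the two-entry service tag table are constructed, destination matching is left out, and only inbound traffic is covered, where the subnet NSG is checked first, then the NIC NSG, and both must allow the flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for two service tags; real tags expand to platform-managed prefixes.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumed VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure health probe source address
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR prefix, service tag name, or "*"
    dest_port: str   # "3389", "8000-8100" or "*"

@dataclass(frozen=True)
class Flow:
    protocol: str
    source_ip: str
    dest_port: int

# The three default inbound rules (priorities 65000, 65001, 65500) present in every NSG.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)

def _source_matches(spec, ip):
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(ip) in ip_network(p) for p in prefixes)

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(custom_rules, flow):
    """Return (access, rule_name) of the first rule that matches, in priority order."""
    for rule in sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow.protocol)
                and _source_matches(rule.source, flow.source_ip)
                and _port_matches(rule.dest_port, flow.dest_port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")

def inbound_decision(subnet_rules, nic_rules, flow):
    """Check the subnet NSG, then the NIC NSG. Pass None for a level with no NSG attached."""
    result = ("Allow", None, None)
    for level, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue
        access, name = evaluate(rules, flow)
        result = (access, level, name)
        if access == "Deny":
            break
    return result

# Constructed rule sets mirroring the text: the subnet allows 3389, the NIC denies it.
SUBNET_NSG = [
    Rule("Allow-RDP-Admin", 100, "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("Allow-HTTPS", 110, "Allow", "Tcp", "*", "443"),
]
NIC_NSG = [Rule("Deny-RDP", 200, "Deny", "Tcp", "*", "3389")]

if __name__ == "__main__":
    for flow in (Flow("Tcp", "203.0.113.10", 3389),   # allowed at subnet, denied at NIC
                 Flow("Tcp", "198.51.100.7", 443),    # allowed at subnet, NIC default deny
                 Flow("Tcp", "10.0.1.4", 443)):       # allowed at both levels
        print(flow, "->", inbound_decision(SUBNET_NSG, NIC_NSG, flow))
```

The second flow is the case that is easy to miss in a review: a NIC NSG that only blocks one port still carries the default deny at 65500, so internet traffic allowed at the subnet is dropped at the NIC unless the NIC NSG also allows it.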
Let us see how to associate the NSG in the subnet:
1. Select the NSG you want to associate with the subnet.
2. Click on Subnets under the Settings tab.
3. Click on + Associate.
4. Select the virtual network.
5. Select the subnet under the virtual network which you want to associate the NSG with.
6. Click on OK to process further as shown in the following screenshot:
Figure 14.9: Network security associate with subnet
Let us see how to associate the NSG in the NIC card of the VM:
1. Select the Networking under the Settings tab.
2. Click on the NIC card.
3. Select the Network security group option under the Settings tab.
4. Click on Edit as shown in the following screenshot:
Figure 14.10: Network security associate with VM's NIC
5. Select the NSG and click on Save. After some time, NSG will be associated with the VM's NIC and you will be able to see all the rules as shown in the following screenshot:
Figure 14.11: Network security in VM's NIC
Route table
The Azure route table can be used to route the traffic in Azure and on-premises network. Routes will be created automatically when you create the subnet and are associated with it automatically. You can create the custom routes to define how the traffic route uses the route table. Let us say you have configured the firewall in between the Azure and on-premises. You can configure the route table and set the rule that all the traffic first will go to the firewall and then to the internet. Hence, you can control the network traffic in Azure and route it as per your organization standards.
Now, let us see how to create the route table and configure it:
1. Search for Route tables in the marketplace.
2. Click on + Add.
3. Provide the route table name.
4. Select the resource group name and location.
5. Click on Create. After some time, your route table will be created as shown in the following screenshot:
Figure 14.12: Route table creation
Once the route table is created, it will look like the following screenshot:
Figure 14.13: Route table
Now, we will configure the route table:
1. Click on Routes under the Settings section.
2. Click on + Add.
3. Provide the name of the route table.
4. Provide the address prefix range.
5. Select the virtual appliance (firewall), VNet, VNet gateway, and internet.
6. Click on Add to add routes.
Take a look at the following screenshot:
Figure 14.14: Route table configuration
7. Once the route is configured, please associate it with the subnet.
8. Select Subnets under the Settings tab.
9. Click on + Associate.
10. Select the VNet.
11. Select the subnet from the drop-down menu.
12. Click on OK and associate the VNet. It will take some time to save the settings as shown in the following screenshot:
Figure 14.15: Route table subnet association
Configure and deploy the Azure firewall
Azure firewalls manage the Azure network security and its services which is managed by a virtual network. It is a fully stateful firewall as a service which provides built-in high availability and cloud scalability.
The Azure firewall can be created centrally and managed to enforce the rules and log application and network connectivity policies across subscriptions and virtual networks. The Azure firewall is fully integrated with the Azure Monitor for logging and analytics purpose.
Let us see how to create the Azure firewall and configure it for our subscription:
1. Go to the marketplace or search for Firewall.
2. Click on the Create button as shown in the following screenshot:
Figure 14.16: Azure firewall
When you click on Create, follow the given steps and provide the details as follows:
Subscription and resource group.
Name of the firewall.
Region and availability zone.
If you want to use an existing or new VNet, select one as per your requirements.
Provide the virtual network name and address space.
Provide the subnet.
Provide the firewall IP address and click on Review + Create.
3. Once you provide all the details, click on Review + create:
Figure 14.17: Azure firewall creation
It will take a few minutes to create the Azure firewall. Let us see how we can configure the Azure firewall rule. Go to the Azure firewall and follow the given steps:
1. Provide the name of the rule.
2. Provide the priority of the rule.
3. Provide the following details as shown in the following screenshot:
Protocol: TCP/UDP.
Source type: IP address/IP group.
Provide the source and destination IP.
Provide the translated address and its port.
Once done, you will be able to create the NAT rule.
Figure 14.18: Azure firewall NAT rule creation
Once we configure the NAT rule, it will allow the Remote Desktop Protocol (RDP) access to the services.
Let us try to configure an application rule which helps to allow the URL or specific domain URL services such as http://www.microsoft.com, .*windows.net, and so on.
1. Provide the name of the rule.
2. Provide the priority of the rule and action as either Allow/Deny.
3. Provide the following details as shown in the following screenshot.
4. FQDN Tags as follows:
Name of the rule
Source type as either IP address/IP group
Source IP address
Add the tags in the drop-down menu
5. Target FQDNs as follows:
Name of the rule
Source type as either IP address/IP group
Source IP address
Protocol will be in msql:1433, TCP:80, and so on
Provide the target FQDN or URL you are trying to connect and then click on Add as shown in the following screenshot:
Figure 14.19: Azure firewall application rule
When you click on Add, your application rule will be added to the firewall and your Azure services will be able to access the specific target.
Configure and deploy Azure Bastion services
Azure Bastion provides a secure and seamless RDP/SSH access to your virtual machine in your Azure portal. It is a PaaS service that has to be provisioned inside your virtual network. If you try and connect the VMs through Bastion services, then your VM does not require a public IP to be associated with it. It provides the following features of the services:
RDP and SSH directly in Azure portal: We can directly connect the RDP and SSH session from the Azure portal using a single click.
Remote session: It uses an HTML5-based web client that is automatically streamed to your local device, so we can connect to the RDP/SSH session over TLS on port 443.
Don't need a public IP to VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don't need a public IP on your virtual machine.
No hassle of managing NSGs: You are not required to manage the NSG rules and so on, as it is internally hardened to provide the RDP/SSH connection securely.
Let us just see how we can create the Azure Bastion services in Azure:
1. Go to the Azure portal.
2. Click on Create a resource.
3. Search for Bastion and click on Create as shown in the following screenshot:
Figure 14.20: Azure Bastion
When you click on Create, please fill up the following parameters:
Subscription
Resources group
Name
Region
Virtual network
Subnet with the name of the Azure Bastion subnet, with a prefix of at least /27.
Provide public IP address details. Refer to the following screenshot:
Figure 14.21: Azure Bastion creation
4. Once you are done with the Azure Bastion services creation, verify the services connecting to RDP over the browser. Click on the Azure VM, and then follow the given steps:
Go to the Azure VM settings.
Then, click on Connect.
Select BASTION.
Provide the user ID/password as shown in the following screenshot:
Figure 14.22: Azure Bastion verification
When you click on Connect, you will be able to connect to the VM as shown in the following screenshot:
Figure 14.23: Azure Bastion RDP access
Now, we can access the VM using the Bastion services.
Evaluate effective security rules
Network security group effective rules will help you to understand the rules that have been enabled in inbound/outbound on the same page. You can review all those NSG rules in one shot.
Let us see how we can see those rules:
Please go to the network security group and select the Network security group option and follow the given steps:
Please go to Support + troubleshooting.
Then, click on the effective security rules.
It will show which VM NSG has been attached and the rules. You can download those rules as shown in the following screenshot:
After downloading the rules, you can review all the rules. You will be able to understand the rules that result in a mismatch as per your requirements:
Figure 14.24: Effective security rules
Now, we are able to see how we can evaluate effective security rules.
Conclusion
In this chapter, we discussed the configuration of private and public IP addresses and learned how to change the IP address from dynamic to static. We discussed the Azure network security group and how to associate with the subnet/VM NIC card. We covered the route table and learned how it can be used to route the traffic.
We will discuss the Azure network monitoring in the next chapter. We will explain the network watcher and on-premises to Azure network connectivity monitoring, and so on. For more details, please go through the next chapter.
CHAPTER 15
Monitoring and Troubleshooting of Virtual Networking
In this chapter, we will discuss Azure Network Watcher and its usage. We will also discuss how to troubleshoot the on-premises connectivity using the network watcher. We will cover network performance monitoring, how to use the IP flow verify, VPN troubleshooting, packet capture, and so on.
Structure
The following topics will be covered in this chapter:
Network watcher
Monitor on-premises connectivity
Network performance monitor
Objectives
In this chapter, you will learn about Azure Network Watcher. If your customer is troubleshooting a network issue from the Azure network to on-premises, then Azure Network Watcher will help your customer to trace the traffic at various levels and help you. We will describe the network watcher capabilities in detail.
Network watcher
Azure Network Watcher provides the tools to monitor, diagnose, and view the metrics. We can enable or disable the logs in the network watcher.
It is designed to monitor and repair the Azure infrastructure services, which include the Azure virtual machine, virtual network, application gateway, and so on.
Let us see how we can implement the Azure Network Watcher services:
1. Go to All services and search for network watcher. Please select the Network Watcher option as shown in the following screenshot:
Figure 15.1: Network watcher
2. Once you click on Network Watcher, please enable it for the regions you want to select it for. Let us follow the given steps to enable it:
Click on Overview.
Select the region and click on the Overview tab to enable the network watcher.
It will take some time to enable it. Please take a look at the following screenshot for more details:
Figure 15.2: Network watcher enable
Network watcher topology
Under the Monitoring tab, if you click on Topology, it will show you the complete architecture connectivity of your VNet which connects to all the resources like the VM, application gateway, and so on as shown in the following screenshot:
Figure 15.3: Network watcher enable
Monitor on-premises connectivity
Using Connection monitor, we will monitor the traffic between two virtual machines or between the Azure VM and the on-premise server. We can monitor the Fully Qualified Domain Name (FQDN) name or individual IP address as well.
Once you select the connection monitoring, follow the given instructions to add the monitoring:
1. Provide the name of the monitor.
2. Select the subscription.
3. Select the virtual machine.
4. Select the destination as Select a virtual machine or Specify manually (URI, FQDN, or IPv4).
5. Select the port number for which you want to monitor the services.
6. Click on Add as shown in the following screenshot:
Figure 15.4: Network watcher connection monitor
After you click on Add, you will be able to see the connectivity of each service when you click on a specific monitor. Please take a look at the following screenshot for more details:
Figure 15.5: Network watcher connection monitor status
IP flow verify
IP flow verify helps you to track the packets and checks whether the packets have been allowed or denied. Click on IP flow verify under the Network diagnostic tools section and provide the following details:
Subscription
Resource group
Virtual machine
Direction: Inbound or Outbound
Provide the local IP address and remote IP address with the port number to verify.
Please click on the Check button. For more details, take a look at the following screenshot:
Figure 15.6: Network watcher IP flow
NexthopNexthopwillhelpyouidentifythenexthopeandIPaddressofthepacketfromaspecificVMandNICcard.Itwillhelpyoutodeterminewhetherthetraffichasbeendirectedtoaspecificdestinationornot.Nexthophelpsyoutoidentifywhereyourtraffichasbeenroutedtosuchastothevirtualnetwork,virtualapplianceorsystemroute,andsoon.Takealookatthefollowingscreenshot:
Telegram Channel : @IRFaraExam
Figure15.7:Networkwatchernexthop
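
The same two checks can be scripted with the Az PowerShell module, which makes it easy to tell a security-rule block from a routing problem in one run. This is an added example, not code from the book; the resource group, VM name and remote address are placeholders, and it assumes a signed-in Az session and a Network Watcher with Azure's default name in the VM's region.

```powershell
# Added example (not from the book). Requires the Az.Compute and Az.Network modules
# and a signed-in session (Connect-AzAccount). Names and addresses are placeholders.
$vmResourceGroup = 'rg-demo'        # hypothetical resource group
$vmName          = 'vm-demo'        # hypothetical VM name
$remoteIp        = '203.0.113.10'   # constructed destination (documentation range)
$remotePort      = '443'

$vm = Get-AzVM -ResourceGroupName $vmResourceGroup -Name $vmName

# Network Watcher has to be enabled in the VM's region. Assumption: it uses the
# default name NetworkWatcher_<region> in the NetworkWatcherRG resource group.
$watcher = Get-AzNetworkWatcher -ResourceGroupName 'NetworkWatcherRG' `
    -Name "NetworkWatcher_$($vm.Location)"

# The private IP of the VM's first NIC is the local address of the flow.
$nicId   = $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic     = Get-AzNetworkInterface | Where-Object { $_.Id -eq $nicId }
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# IP flow verify: is this flow allowed or denied, and by which security rule?
$flowArgs = @{
    NetworkWatcher         = $watcher
    TargetVirtualMachineId = $vm.Id
    Direction              = 'Outbound'
    Protocol               = 'TCP'
    LocalIPAddress         = $localIp
    LocalPort              = '60000'
    RemoteIPAddress        = $remoteIp
    RemotePort             = $remotePort
}
$flow = Test-AzNetworkWatcherIPFlow @flowArgs

# Next hop: where does the effective route table send the same packet?
$hopArgs = @{
    NetworkWatcher         = $watcher
    TargetVirtualMachineId = $vm.Id
    SourceIPAddress        = $localIp
    DestinationIPAddress   = $remoteIp
}
$hop = Get-AzNetworkWatcherNextHop @hopArgs

# One record per test, suitable for logging or exporting.
[pscustomobject]@{
    VM           = $vm.Name
    Flow         = "$localIp -> ${remoteIp}:$remotePort/TCP"
    Access       = $flow.Access        # Allow or Deny
    MatchedRule  = $flow.RuleName      # security rule that decided the result
    NextHopType  = $hop.NextHopType    # e.g. Internet, VirtualAppliance, None
    NextHopIp    = $hop.NextHopIpAddress
    RouteTableId = $hop.RouteTableId   # 'System Route' when no custom route applies
}

# Interpret the two results together.
if ($flow.Access -eq 'Deny') {
    Write-Warning "Blocked by security rule '$($flow.RuleName)'; routing is not the cause."
}
elseif ($hop.NextHopType -eq 'None') {
    Write-Warning 'Allowed by the security rules, but the matching route drops the traffic.'
}
elseif ($hop.NextHopType -eq 'VirtualAppliance') {
    Write-Output "Allowed and forwarded to the virtual appliance at $($hop.NextHopIpAddress); check filtering there."
}
else {
    Write-Output "Allowed; next hop type is $($hop.NextHopType)."
}
```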
Network performance monitor
The network performance monitor helps us to monitor the Azure express route traffic. It is a cloud-based hybrid monitoring solution which helps to monitor the various points of the network infrastructure.
Let us take a look at how to configure the Azure network performance monitor by following the given steps.
1. Click on the + sign.
2. Search for Network Performance Monitor.
3. Click on Create.
Look at the following screenshot for more details:
Figure 15.8: Network performance monitor
4. Select Log Analytics Workspace.
5. Once you select the workspace, click on Create as shown in the following screenshot.
6. It will take up to 5 minutes to create the network performance monitor:
Figure 15.9: Network performance monitor creation
7. Once the network performance monitor is created, you can check it in log analytics.
8. In log analytics, you will see that one solution has been deployed in the Overview tab, which is the network performance monitor. Let us try and configure it. Click on Solution requires additional configuration under the Network Performance Monitor tab on the right-hand side of the Overview section. Take a look at the following screenshot:
Figure 15.10: Network performance monitor overview
9. When you click on Solution requires additional configuration, one window will open up with the network performance monitor configuration where you need to configure the following services, including the express route:
You can download the agent and install it on the stand-alone VMs/devices to configure the monitor.
You can set up the performance monitor.
You can configure the services connectivity monitor for network devices.
You can set up the express route monitor to get the traffic of the express route and fix the issue when it arises.
Once all the preceding configurations are done, you will start getting the data within 24 hrs in log analytics. We have now successfully configured the network performance monitoring in the Azure environment. Take a look at the following screenshot:
Figure 15.11: Network performance monitor configuration
Conclusion
In this chapter, we discussed Azure Network Watcher and its usage, how to troubleshoot the network using various tools, how to troubleshoot the on-premises network and Azure connectivity, and how IP flow verify and next hop will help you in network troubleshooting. We also discussed the Azure network performance monitor and how to configure it.
In the next chapter, we will discuss the Azure monitor and its subsets to analyze the utilization and consumption of the Azure services. We will also discuss how to set up alerts in Azure environments.
References
IP flow: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Network watcher monitoring: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Connection troubleshoot in Azure Network Watcher: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
Resource troubleshooting in Azure Network Watcher: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-troubleshoot-overview
Effective security rules view in Azure Network Watcher: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-security-group-view-overview
For more details, visit Azure4you blog post: https://azure4you.com/
CHAPTER 16
Analyzing Resource Utilization and Consumption
In the previous chapter, we covered how to create and manage the different types of Azure subscriptions and resources. In this chapter, we will learn about Azure monitor and its utilization of the resources and how to monitor the different services using Azure Log Analytics. We will see how to use the log search query functions in the log analytics space.
Structure
The following topics will be covered in this chapter:
Azure Monitor
Setup and configuration of alerts
Utilize log search query functions
Objectives
We will cover Azure Monitor in detail, which will help you to set up the monitoring alerts for your Azure subscription resources. We will discuss how to set up and configure the alerts, which will help you to send the notifications.
Azure Monitor
Azure Monitor is a comprehensive solution for all the Azure services that reside in the Azure subscription, and it uses various tools to monitor the IaaS, PaaS, and SaaS components. It collects the logs data, application performance data, and so on to provide the best result for services, and based on them, the customer can get notified. For more details, take a look at the following screenshot:
Figure 16.1: Azure Monitor
Azure Monitor supports a variety of Azure resource collection data which provides the metrics/alerts on the Azure portal. The types of data provided by Azure Monitor are as follows:
Application monitoring data: It collects consistent data of application functionality, performance, and maintenance with respect to application code-related issues.
Guest OS monitoring data: It collects data of Azure VMs running on the subscription that have an application running on them.
Resource monitoring data: It collects the application resource operation data.
Subscription monitoring data: It collects the complete subscription data, including Azure resources health of the Azure services in terms of the region, and so on.
Tenant monitoring data: It collects the tenant level data such as any operations or any issues that may have occurred on your Azure AD services.
Activity logs: Activity logs are nothing but the activities that have been performed by the user or owner in terms of all the services. They will be collected and recorded. Refer to the following screenshot:
Figure 16.2: Activity logs
Setup and configuration of Azure alerts
If you would like to configure an alert for your services, then please follow the given steps:
1. Click on Alerts, and then click on + New alert rule under Azure Monitor or resources as shown in the following screenshot:
Figure 16.3: New alert
2. Select resources like subscription, VMs, and so on for alert creation, as shown in the following screenshot:
Figure 16.4: Alert creation
3. Select the condition under all administrative logs, specific resources logs, and so on to add the condition as shown in the following screenshot:
Figure 16.5: Alerts rules
4. Click on the action group:
Provide the action group name
Short name of maximum 116 characters
Subscription name
Resource group name
Action name like where or how to get an alert:
Automation Runbook
Azure Function
Email/SMS/Push/Voice
ITSM like services ticketing tool
Webhook and other services
Add action group details as shown in the following screenshot:
Figure 16.6: Add action details
5. Click on OK.
6. Provide the details of the alert:
Alert name
Description
Save alert to the resource group name
Enable or disable rule on creation
Click on Create alerts
For more details on alerts, take a look at the following screenshot:
Figure 16.7: Alert details
Once the alerts are created, you can view all the alerts in the Manage alert rules window. For more alert manager details, take a look at the following screenshot:
Figure 16.8: Manager of the alert rule
This is how you can create and manage the alerts. You can also modify the Azure resource alerts.
Azure Metrics
Azure Metrics are numerical values of the resources utilization which are collected in real-time. Based on the numerical values, it shows the metrics performance of the resources, as shown in the following screenshot:
1. You can select the resources.
2. Click on Metrics as shown in the following screenshot:
Figure 16.9: Metrics
Azure Services Health
Azure Service Health will help you analyze the resources under the subscription and various region service availability options. Let us understand them:
Planned maintenance: You can see the planned maintenance of the Azure datacenter if there is any global impact, and then you can take preventive action on that.
Resource health: Resource health will help you to understand the health of the resources.
Health alerts: We can set up the resource health alerts as well based on the customers' requirements. For more details, take a look at the following screenshot:
Figure 16.10: Azure Services Health
Diagnostic logs
It provides auditing and diagnostic information about the Azure resources. It helps to collect the logs and sends the logs to log analytics for further analysis. It can be sent to the event hub to get the notification. It can also store the logs to storage accounts for any further update or archival.
Enabling the diagnostic settings
Perform the following steps:
1. Click on Azure Monitor.
2. Click on Diagnostic settings under Settings and click on the resource.
Please take a look at the following screenshot for diagnostic settings:
Figure 16.11: Diagnostic settings
3. Click on the resource menu on the Azure portal. Then, click on Diagnostic settings under Monitoring as shown in the following screenshot:
Figure 16.12: Diagnostic settings details
4. If there are no settings that exist on the resource, then click on turn on diagnostic settings and enable it as shown in the following screenshot:
Figure 16.13: Monitor diagnostic settings
5. Once you click on Diagnostic settings, follow the given steps:
Please provide the storage account details.
Provide the solution where to store the logs: Send to Log Analytics or Stream to an event hub.
Select the storage account and retention period of the logs.
Click on OK and save the settings as shown in the following screenshot:
Figure 16.14: Diagnostic settings configuration
Now, your diagnostic settings have been enabled for the recovery services, and the same can be done for other services in your Azure subscription resources.
Azure Log Analytics
Azure Log Analytics is a service that collects the data from various Azure resources and on-premises devices and sends it to your log analytics. The collected data is stored in the log analytics workspace which can be used for a query language, alerting, and so on. Log analytics analyses the metric data and provides the result based on that.
Create the Azure workspace
You can follow the given steps to create the Azure workspace:
1. Click on + Create a resource.
2. Search for Log Analytics.
3. Click on Log Analytics.
4. Click on the Create button to create the log analytics workspace as shown in the following screenshot:
Figure 16.15: Log analytics workspace
5. Once the preceding steps are complete, perform the following steps:
a. Provide the log analytics name.
b. Provide the subscription name.
c. Provide the resource group name.
d. Provide the location based on your customer or project.
e. Provide the pricing tier.
6. Click on Create as shown in the following screenshot:
Figure 16.16: Log analytics details
Now, your log analytics workspace has been created. You can start connecting your devices or using them. If you would like to install or connect the VMs to the workspace manually, then click on the Advanced settings option under Log Analytics and click on the Windows or Linux agent to download it. Take a look at the following screenshot for more details:
Figure 16.17: Log analytics agent download
Utilize log search query functions
The log query function will provide you with the values from the data collected from log analytics or Azure monitor. The query is a powerful language that allows you to combine the data from multiple tables, aggregate the larger data, and provide a complex operation with minimal code. You can query the data using the following steps:
1. Click on the log analytics which you have created.
2. Go to Workspace summary.
3. Click on Logs.
4. Once you click on Logs, you will be able to see the dashboard of the log analytics. Take a look at the following screenshot:
Figure 16.18: Log analytics logs
Here, you can run the query search for your port, dashboard or alert, and so on. A query can be used to create the custom dashboard of Azure monitoring based on your customers' requirements:
1. Click on Sample queries.
2. Type the query.
3. Click on Run.
4. You will get a result.
5. You can use the same query and create an alert as well as shown in the following screenshot:
Figure 16.19: Log analytics search query
This is how we can use the query search to get the result of Azure resources and use it to monitor and query the result of the services. We can enable the alert based on the query.
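
A log query of the kind this section describes, run from Az PowerShell instead of the Logs blade: it aggregates the activity log to show who deleted resources or granted role assignments in the last 24 hours. This is an added example, not from the book; the workspace and resource group names are placeholders, and it assumes the subscription's activity log is already being sent to the workspace.

```powershell
# Added example (not from the book). Requires the Az.OperationalInsights module and
# a signed-in session (Connect-AzAccount). Workspace names below are placeholders.
$workspaceResourceGroup = 'rg-monitor'   # hypothetical resource group
$workspaceName          = 'law-demo'     # hypothetical Log Analytics workspace
$threshold              = 5              # constructed value: flag callers at or above this count

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceResourceGroup `
    -Name $workspaceName

# Filter, aggregate and sort in one query. Each operation writes several events
# (for example start and completion), so distinct CorrelationId values are counted.
$query = @'
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue endswith "/delete"
    or OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| summarize Operations = dcount(CorrelationId), LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, OperationNameValue
| order by Operations desc
'@

# The query API is addressed by the workspace ID (CustomerId), not the resource name.
$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query
$rows = @($response.Results)

if ($rows.Count -eq 0) {
    Write-Output 'No delete or role-assignment operations recorded in the last 24 hours.'
}
else {
    $rows | Format-Table Caller, CallerIpAddress, OperationNameValue, Operations, LastSeen

    # Result columns come back as strings, so cast before comparing numerically.
    $noisy = $rows | Where-Object { [int]$_.Operations -ge $threshold }
    foreach ($row in $noisy) {
        Write-Warning "$($row.Caller) performed $($row.Operations) x $($row.OperationNameValue)"
    }
}
```

The same query text can be pasted into the Logs blade and used as the condition of an alert rule.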
Conclusion
In this chapter, we covered analyzing the resources and explaining the Azure monitor. We discussed how to create the alerts and how to use those alerts. We covered how to create the Azure log analytics workspace and query search of Azure data based on the query. Using the query, we can create the alerts.
We will discuss Azure backup and Disaster recovery in the next chapter. We will also cover how to enable the backup of your Azure virtual machine and migrate the VM or set up disaster recovery in Azure.
References
Metrics in Azure Monitor: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics
Log query search: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
Log Analytics: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
Alert configuration: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric
Azure Monitor: https://docs.microsoft.com/en-us/azure/azure-monitor/overview
Azure4you: https://azure4you.com/
CHAPTER 17
Implementation of Azure Backup and Disaster Recovery
In this chapter, we will discuss the Azure backup services, Azure backup recovery vault, and usage of the Azure backup policy. We will also discuss how to create the backup reports and see how the restoration process works in Azure. We will cover the various types of backup operations and so on.
Structure
The following topics will be covered in this chapter:
Azure backup
Azure backup vault creation
Azure VM backup configuration
Azure backup report
Azure restoration of VMs
Azure backup operation details
Use soft delete to recover Azure VMs
Site-to-site recovery by using Azure site recovery
Objectives
In this chapter, you will learn about Azure backup and disaster recovery services. You will also learn how to configure the backup to protect the VMs from accidental deletion and ensure a faster restoration process in detail.
Azure backup
Azure backup services come under the Azure site recovery vault. Azure backup services are used to take the backup of your virtual machines, Azure storage file share, and SQL servers which are hosted in Azure VMs. It provides the files and folder-level backup as well. We can take the on-premise servers backup to Azure using Azure backup. The Azure backup vault supports Windows as well as Linux VMs to take the backup.
It enhances the backup capability and provides a secure way to back up your infrastructure. It provides centralized monitoring and protects all the Azure VMs. We can control the access using the RBAC roles to meet the compliance level.
Azure backup vault creation
Let us see how to create the Azure backup vault and how to back up the services. Please follow the given steps:
1. Log in to the portal.
2. Go to All services, or you can go to the marketplace and search for the Backup and Site Recovery service.
3. Click on the Backup and Site Recovery service. For more details, take a look at the following screenshot:
Figure 17.1: Azure backup vault marketplace
4. Provide the backup vault name.
5. Provide the resources group name and subscription details.
6. Click on Create. For more details, please take a look at the following screenshot:
Figure 17.2: Azure backup creation
Now, you will be able to create the Azure backup vault. The backup vault has been created, and we will start the backup using the same recovery vault.
Azure VMs backup configuration
Now, I will show you how to configure the backup of your VMs:
1. Click on Recovery Service vault.
2. Click on the + Backup button.
3. Set up the quota limit as per customers' requirements.
4. Click on Create. For more details, please take a look at the following screenshot:
Figure 17.3: Azure backup configuration
5. You can select the Azure environment, and you can get two or more options to back up the Azure stack and on-premise servers.
6. Select Azure and select the Azure VMs, but you can also back up Azure File Share (Preview) and SQL Server in Azure VM. For more details, take a look at the following screenshot:
Figure 17.4: Azure backup configuration setup
7. Once you click on the backup, it will ask you for the Azure policy, so let me explain how the Azure backup policy will help you schedule the backup for daily purpose.
Azure backup policy
The Azure backup policy helps you set the rules for your backup infrastructure like VMs. You can have the retention policy which will help you to retain the data in the Azure backup vault up to 99 years. A retention policy can be set based on a daily, weekly, monthly, and yearly basis. For more details, refer to the following screenshot:
Figure 17.5: Azure backup policy
Perform the following steps to create the backup policy:
1. Click on OK to create the backup policy. Once your backup policy is created, the backup vault will allow you to choose the VMs.
2. Click on Items to backup and select the virtual machine.
3. Click on Enable backup.
4. Once you click on Enable backup, it will trigger a job that installs the recovery agent. It will start taking the backup of your services. For more details, please take a look at the following screenshot:
Figure 17.6: Azure backup enable
5. Once done, it will start the deployments. It will take some time to enable the backup as shown in the following screenshot:
Figure 17.7: Azure backup deployment
6. Once the backup is enabled, you can see that the VMs will be added to your backup services vault. You can see the number of VMs in your VM backup vault as shown in the following screenshot:
Figure 17.8: Azure backup verification
7. Click on Backup item and select the Azure VMs tab and then select the Azure VM.
8. Click on the Backup now button to enable the backup.
9. When you click on Backup now, the backup will get triggered, or it will start based on the Azure backup policy as per your schedule. Take a look at the following screenshot:
Figure 17.9: Enabling Azure backup for VM
Azure backup report
Azure backup reports will help you to identify the backups of your VMs and their storage, and provide the transaction and backup failure details. They also provide the restoration details and the backup size of your backup vault.
Before we create the backup report, we need the following:
Azure storage account.
Log restoration time 30 days to 1 year max.
An important part is to have the Power BI licensed version to configure the Azure backup report.
Let us see how to set up the Azure backup report from the Azure backup vault:
1. Go to the Azure backup vault for which you want to configure the backup report.
2. In that backup vault, go to Manage and select Backup Reports. For more details, please take a look at the following screenshot:
Figure 17.10: Azure backup report
Now, you need to follow the step-by-step instructions to enable the backup report as shown in the following screenshot:
Figure 17.11: Backup report configuration
3. When you click on the Azure backup diagnostic settings, it will ask you where to store the log, and you can select the Azure storage account, stream logs to an event hub, or send the logs to log analytics. I have selected the Azure storage to configure the backup report. Please take a look at the following screenshot:
Figure 17.12: Backup report diagnostic configuration
4. Once this process is complete, please log in to the Power BI report tool and add backup apps from the storage to configure the backup report. Take a look at the following screenshot:
Figure 17.13: Backup report Power BI configuration
5. Now, you can create the Azure file sync. We will create the Azure file sync group. Take a look at the following screenshot:
Figure 17.14: Azure backup from Power BI
6. Provide the storage account name you need to configure the diagnostic setting from the Azure backup vault.
7. Provide the Azure storage account and Azure storage account key.
8. Once you are done with the setup, it will take some time to add the report.
9. It might take 24 to 48 hrs to store the logs and generate the reports.
10. Once the report is published, take a look at the Power BI backup report as shown in the following screenshot:
Figure 17.15: Azure backup storage configuration Power BI
11. After the storage configuration backup report is published, you can customize the Azure backup dashboard.
Azure restoration of VMs
The Azure backup restoration is the process used to restore the VMs, files, and so on in case of corruption of images or any interruption to services, or just for restoring to the previous version. Now, I will show you the option of how to restore the VM using the recovery vault. Please follow the given steps:
1. Please select the recovery vault where you have taken the backup.
2. Then, click on the Backup tab from Protected items.
3. Select the virtual machine for which you want to restore the VM.
4. When you click on Restore VM or File Recovery, you will see the restore option. Take a look at the following screenshot:
Figure 17.16: VM backup restoration
5. Please click on the Restore point option.
6. When you click on it, it will show you the restoration time.
7. You can restore the backup in terms of application, crash, and file consistency as well. Take a look at the following screenshot:
Figure 17.17: VM backup restoration point
8. Once you select the restore configuration, you can select whether you want to create a new VM or replace the existing setup which will replace the disk.
9. Let us select the new VM creation.
10. Now, you need to provide the name of the VMs, and VNet will select the default or you can change it within the same region.
11. Please select the storage account and click on the Restore button.
12. After 10 to 15 minutes, your VM will be created; based on the data, it might take a longer time. Please take a look at the following screenshot:
Figure 17.18: New VM creation using restoration
Azure backup operation details
Azure backup operations help you to understand whether your backup job has been successful or unsuccessful. It provides the end-to-end Azure operation errors to understand and troubleshoot the issue. Activity logs will also help in the Azure backup operation. Please take a look at the following screenshot:
Figure 17.19: Azure backup operations
Use soft delete to recover Azure VMs
The Azure soft delete backup will help you to recover the VM even after you delete it from the backup vault. You will be able to recover the VM from the backup vault within 14 days. If the backup was deleted by mistake or due to some malicious activity, you will still be able to recover the VM. Whenever you create the backup vault, soft delete will be enabled by default.
Let us see how we can enable or disable the soft delete for Azure VMs using the site recovery:
1. Select the Azure backup vault.
2. Go to Properties.
3. Select Security Settings and click on Update.
4. Click on enable the soft delete.
5. Click on Save to enable it. Take a look at the following screenshot:
Figure 17.20: Azure backup soft delete
6. When you delete the backup, you will get a message stating that if you have enabled soft delete, then you will be able to recover the data within 14 days. Take a look at the following screenshot:
Figure 17.21: Azure backup soft delete
7. If you want to recover the data, then go to the backup vault and select the deleted VMs backup and click on Undelete as shown in the following screenshot:
Figure 17.22: Azure backup soft undelete
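
Because soft delete is the safeguard against malicious or accidental backup deletion, it is worth checking across every vault rather than one vault at a time in the portal. The following is an added example, not from the book: it reports the soft delete state of each Recovery Services vault in the current subscription, lists Azure VM backup items waiting in the soft-deleted state, and only changes anything when the two switches at the top are set to true. It assumes a signed-in Az session.

```powershell
# Added example (not from the book). Requires the Az.RecoveryServices module and a
# signed-in session (Connect-AzAccount). Nothing is modified unless a switch is $true.
$enableWhereDisabled = $false   # set to $true to turn soft delete back on
$undeletePending     = $false   # set to $true to undelete soft-deleted VM backups

$report = foreach ($vault in Get-AzRecoveryServicesVault) {
    $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID

    # Backup items that were deleted but are still inside the soft delete window.
    $pending = @(Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM `
            -WorkloadType AzureVM -VaultId $vault.ID |
        Where-Object { $_.DeleteState -eq 'ToBeDeleted' })

    if ($props.SoftDeleteFeatureState -eq 'Disabled') {
        Write-Warning "Soft delete is disabled on vault '$($vault.Name)'."
        if ($enableWhereDisabled) {
            Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID `
                -SoftDeleteFeatureState Enable | Out-Null
        }
    }

    foreach ($item in $pending) {
        Write-Warning "Soft-deleted backup item in '$($vault.Name)': $($item.Name)"
        if ($undeletePending) {
            # Script equivalent of the Undelete button in the portal.
            Undo-AzRecoveryServicesBackupItemDeletion -Item $item -VaultId $vault.ID -Force |
                Out-Null
        }
    }

    [pscustomobject]@{
        Vault           = $vault.Name
        ResourceGroup   = $vault.ResourceGroupName
        SoftDelete      = $props.SoftDeleteFeatureState   # state read before any change
        PendingDeletion = $pending.Count
    }
}

$report | Sort-Object SoftDelete, Vault | Format-Table -AutoSize
```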
Site-to-site recovery by using Azure site recovery
Azure site recovery helps you to ensure your business continuity by keeping your workloads running during an unplanned or planned outage. Azure site recovery services will help you to replicate the on-premise and Azure workload from the primary site to the secondary site whenever there is an outage on primary sites. Once the primary sites are up and running, you can fail back to primary sites.
The site recovery manages the following replications:
Azure VMs can replicate between Azure regions.
On-premises VMs, Azure stack VM, physical server, Hyper-V, and VMware servers.
Let us see how to enable the Azure site recovery:
1. Go to site recovery and click on + Replicate as shown in the following screenshot:
Figure 17.23: Azure site recovery replicate
2. Once you click on + Replicate, select the source and provide the details as follows:
Provide Source as Azure.
Source location is your Azure VM location.
Please provide the source resource group.
Please provide the subscription.
Please select the availability zone and click on OK. Please take a look at the following screenshot:
Figure 17.24: Azure site recovery source
3. Click on OK and select the Azure virtual machine. Refer to the following screenshot:
Figure 17.25: Azure site recovery virtual machine
4. When you click OK, it will be directed to the Settings tab. Please define the settings as follows:
Select the target location.
Select the Disaster Recovery (DR) subscription you want to configure in Azure.
Select the target resource group.
Target virtual network.
Cache storage account.
Replica managed disk.
Target the AV set if you want to configure.
Replication policy:
24-hour retention policy
Recovery point retention
Application consistent settings
Replication group
5. Click on Create target resources as shown in the following screenshot:
Figure 17.26: Azure site recovery target resource
6. Once the target resource is created, enable the replication as shown in the following screenshot:
Figure 17.27: Azure site recovery replication enables
7. Once the replication is enabled, you will be able to successfully set up the DR using the site recovery. It will start the replication, and once the replication is complete, you can do the failover.
Now, we can successfully create the DR site.
Conclusion
In this chapter, we discussed the Azure backup and its usage. We learned how to create a backup report and its usage. We discussed how to set up the Azure site recovery for Azure VMs and explained the Azure backup reports.
In the next chapter, we will discuss the exam guidelines and assessments. We will provide the details on how to register for the exam and provide 75 questions to prepare for the exam.
References
Create a recovery services vault: https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault#modifying-default-settings
Recovery services vaults overview: https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview
Monitor and manage recovery services vaults: https://docs.microsoft.com/en-us/azure/backup/backup-azure-manage-windows-server
Recover files from the Azure virtual machine backup: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
Restore Azure VM data on the Azure portal: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
Configure Azure backup reports: https://docs.microsoft.com/en-us/azure/backup/backup-azure-configure-reports
For more details, visit Azure4you blog post: https://azure4you.com/
CHAPTER 18
Exam Preparation Guidelines and Assessment Based on Live Questions
In this chapter, I will discuss the AZ-104 live scenario-based questions and answers, which will help you to understand the exam pattern. These are dummy questions which have been created by me and might help you in your exam practice. They are not related to your exam, but they will help you to understand the topics. They will give clarity on what types of questions will be asked in the exam so that you can prepare well for your exam. We will try to cover questions on all the topics which have been written in this book, and cover as many questions as we can.
Note: Certified authors will create all the questions, but if there is any match to your exam question, then it is just a coincidence and neither the author nor the publisher will be responsible for those questions.
The following topics will be covered in your exam as per the Microsoft exam center official site https://docs.microsoft.com/en-us/learn/certifications/azure-administrator. Please follow the given topics to start preparing for the exam:
Manage Azure subscriptions and resources (15-20%)
Implement and manage storage (15-20%)
Deploy and manage virtual machines (VMs) (15-20%)
Configure and manage virtual networks (30-35%)
Manage identities (15-20%)
Exam preparation guidelines
The AZ-104 Microsoft Azure administrator certification validates your expertise in the Azure administrator role. In this exam, your administrator skills and knowledge will be tested.
If you want to be certified on the AZ-104 exam, you should be aware of the Azure compute, storage, networking, Azure AD, monitoring, subscription management, and so on, which we have covered in this course. In this exam, you will have to perform the labs as well; hence, you will need hands-on practice. You can create the free subscription (https://azure.microsoft.com/en-in/free/) which will provide the 12K credit for 1 month and 25 most used applications which you can use for 12 months.
Exam AZ-104 Basic Information
Name of the exam: Exam AZ-104: Microsoft Azure Administrator
Technology: Microsoft Azure
Prerequisites: Hands-on practice for Azure Admin labs and Azure concept understanding
Number of questions: 40-60
Exam fee: USD 165 and INR 4800
Exam language: English
Table 18.1: Basic information for AZ-104
AZ-104 exam tips
The Azure exam duration will be 180 minutes, and in those 180 minutes, 30 minutes will be given for instructions, comments, score reporting, and others. In 150 minutes, you must answer all the questions and complete the labs.
You will get two labs which have 14 tasks to be completed and there will be 3-5 case study-based questions.
In the case study-based questions, you need to read and understand the questions very carefully to provide the correct answers. It is a time-taking section because in these case studies, you might have to answer about 10 to 15 questions. In each case study, there will be approximately 2 to 5 questions which you need to answer.
You will get multiple-choice questions as well in the following format:
Single-correct answer: You have to say Yes/No.
Fill in the blanks: You have to understand the scenarios, choose the right answer, and do the drag and drop job.
Order statements: In the exam, you need to create a site-to-site VPN by putting the preceding steps in order. Hence, you should be aware of the correct order and able to perform the steps.
Exams will be divided into sections, and you can go back and correct the answers, but only within the section. Once you have moved to the next section, you will not be able to change the section. Please make sure you verify or review the questions before going to the next section.
Please read the question properly and understand the format of the question. It can be a scenario-based question. If it is a scenario-based question, understand the question being asked and fill in the requirements to give the correct answer. Once you do this, it will take a few minutes to provide the correct answer.
Try to complete single answer questions as early as you can so that you can save some time for scenario-based questions and labs.
Try to attempt and answer all questions which come in the exam because there is no harm in guessing the answers.
A few of the questions will come from PowerShell and ARM. To answer with the given PowerShell command, prepare with the new AZ PowerShell module, which will help.
A few of the questions will come from cost management and Cloudyn. Please prepare the topics and answer them.
Please practice the labs as there will be around 14 tasks, so you can get the free subscription and prepare well, which will help you to clear the exam.
Azure exam labs will be slow and you may face some issues. If you are running out of time and stuck in labs or any other technical issues during the exam, you can talk to the center person to reschedule the exam or the concerned person will help you. Pearson VUE supports emails to reschedule your exam.
You won't be allowed to go out during the exam time, so please make sure to finish other activities before going to the exam. You will not be allowed any of your other stuff. The exam center requires two ID proofs to start the exam and the exam center team will help you with that.
You can mark questions to be reviewed during the exam if you are not sure about the answer. Once you are done with the section, review the answer and proceed further.
You might get the performance-based question about the Azure services, and you have to answer on that as well.
In the case study question, you will need to give the business requirements and technical requirements of the existing environments and other information to answer the question.
Case study questions might require you to look at your question back and forth, which might require information to be integrated with multiple sources in the question. Please make sure to read the case study properly, understand the requirements, and then answer the question.
ExamregistrationIfyouareplanningtoregisterfor theexam, ifyouareafirst timeuser,pleasemakesureyouhaveavalidemailIDlikeOutlook,Hotmail,andsoon.OnceyouarereadywithyouremailID,followthegivenstepstoregisterfortheexam:
Pleaseclickon the link-AZ-104examregistration link to register for theexam.Pleaseprovidethename,jobtitle,andaddress.
Telegram Channel : @IRFaraExam
Figure 18.1: Exam schedule-1
Please select the city and country for which you want to register for the exam.
Provide the state postal code.
Provide the country code and phone number.
Provide the preferred email ID and language.
Figure 18.2: Exam schedule-2
Click on Save & continue.
Once you click on Save & continue, it will ask you to go to the Pearson VUE site to register for the exam.
Select from the local center, home, and so on options. Select the center option and click on the Next button.
Select the language.
Click on Schedule the Exam.
Select the exam center or search for the center name.
Select the date and time.
Proceed to checkout and proceed for payment.
Once you click on checkout, your exam will be scheduled. You will get an email from Pearson VUE.
Dummy objective exam questions
Q1. What kind of users can be invited using the guest user invite?
1) B2C
2) B2B
3) Both
Ans: Both
Q2. How can we create multiple users in Azure AD?
1) Using bulk user creation
2) Guest user invitation
3) Group management
Ans: Using bulk user creation
Q3. Which types of groups can we create in Azure AD?
1) Security group
2) O365 group
3) Both
Ans: Both
Q4. What is the use of Azure AD Connect?
1) Hybrid connectivity
2) On-premises AD connect to Azure AD integration
3) MFA
Ans: On-premises AD connect to Azure AD integration
Q5. What is the permission required to install Azure AD Connect?
1) Enterprise admin
2) Global administrator
3) Both
Ans: Both
Q6. What is the use of password writeback?
1) It is used to sync the users.
2) On-premises sync services
3) To sync the password if it is changed through the Azure portal
Ans: To sync the password if it is changed through the Azure portal
Q7. Which is the PowerShell command to get the role definition?
1) Get-AzRoleDefinition "Contributor"
2) Get-AzRoleDefinition "Contributor" | ConvertTo-Json | Out-File D:\ABPGroup
3) Connect-azsubscription
Ans: Get-AzRoleDefinition "Contributor"
Q8. How many types of role-based access are available in Azure?
1) Read and write
2) Viewer and editor
3) Owner, contributor, and reader
Ans: Owner, contributor, and reader
Q9. How many custom roles can be created in one tenant?
1) 1000
2) 2000
3) 5000
Ans: 5000
Q10. If your company wants to buy a subscription directly from MS, which subscription would you choose?
1) Free subscription
2) Enterprise subscription
3) CSP subscription
Ans: Enterprise subscription
Q11. What is a subscription in Microsoft Azure?
1) It is a billing container which contains the Azure services.
2) It is just a container.
3) It is an Azure cloud services provider.
Ans: It is a billing container which contains the Azure services.
Q12. A customer asks you to provide the IT admin an access role that can manage the subscription and provide access. Which RBAC role access would you provide to the user?
1) Owner
2) Contributor
3) Reader
Ans: Owner
Q13. What is the use of the Azure policy?
1) To meet the compliance.
2) To meet the cloud security.
3) To restrict the access.
Ans: To meet the compliance.
Q14. A customer wants to allow only a few locations based on his presence in the Azure subscription. How would you do that?
1) Using the Azure policy
2) Using the Resources group
3) Using the RBAC access
Ans: Using the Azure policy
Q15. Which types of storage accounts does Azure have?
1) Blob storage account
2) GPv1
3) GPv2
4) All of the above
Ans: All of the above
Q16. Which storage account replication is recommended by MS Azure?
1) RA-GRS
2) GRS
3) ZRS
4) LRS
Ans: RA-GRS
Q17. How many IOPS are provided by a 1 TB premium storage account?
1) 1000
2) 2000
3) 5000
4) 7500
Ans: 7500 IOPS
Q18. How do you connect the Azure storage explorer? Please select two methods.
1) SAS key
2) Storage account key
3) Through Azure portal
Ans: SAS key and Storage account key
Q19. What is the storage account contributor role?
1) Provide access to read/write/delete access.
2) Provide read access.
3) Provide write access.
Ans: Provide access to read/write/delete access.
Q20. Why do we use the Azure import and export utility?
1) To migrate the petabytes of data
2) To migrate 1 TB data
3) To migrate 50 GB data
Ans: To migrate the petabytes of data
Q21. Which OSes are supported by Azure file share?
1) Windows and Linux
2) MAC
3) Linux
Ans: Windows and Linux, MAC
Q22. What is the limit of Azure file share?
1) 2 TB
2) 5 TB
3) 4 GB
Ans: 5 TB
Q23. What is the use of Azure file sync?
1) Centralized management for your files and folders
2) Used to sync docs Azure to Azure
3) Used for file sharing which is in cloud
Ans: Centralized management for your files and folders
Q24. What is Azure VMs size?
1) Configuration of Azure VMs instance
2) VM image
3) None
Ans: Configuration of Azure VMs instance
Q25. Can we set the auto-scaling while creating the scale set?
1) Yes
2) No
3) None of the above
Ans: Yes
Q26. Do Azure VM sizes support GPU and SAP sizes as well?
1) Yes
2) No
3) None
Ans: Yes
Q27. In which format does the ARM template save the documents?
1) JSON
2) PowerShell
3) CLI
Ans: JSON
Q28. What are the ways to deploy the ARM template?
1) PowerShell
2) CLI
3) All of the above
Ans: All of the above
Q29. How do you deploy the ARM template from the portal?
1) Using a custom template
2) PowerShell
3) None
Ans: Using a custom template
Q30. What is the way to connect to the on-premises network?
1) A site-to-site connection
2) ExpressRoute
3) VNet-to-VNet connection
4) Options 1 and 2
Ans: Options 1 and 2
Q31. How do you configure the VNet-to-VNet connectivity?
1) VNet peering
2) Site-to-site connection
3) ExpressRoute configuration
Ans: VNet peering
Q32. What is the use of a local area network?
1) It has on-premises VPN device configuration.
2) ExpressRoute configuration
3) None
Ans: It has on-premises VPN device configuration.
Q33. Which are the types of Azure DNS zones?
1) Private zone
2) Public zone
3) Both
Ans: Both
Q34. What are the different types of the Azure load balancer?
1) Internal
2) External
3) All of the above
Ans: All of the above
Q35. Which are the types of rules available in Azure NSG?
1) Inbound
2) Outbound
3) Both
Ans: Both
Q36. What is the use of a route table?
1) Route the traffic to the firewall
2) Route the traffic within Azure
3) All of the above
Ans: All of the above
Q37. Can we apply the NSG in web apps?
1) Yes
2) No
Ans: No
Q38. What is the use of the Azure resource's health monitoring?
1) Azure Resources Health Check
2) Subscription monitoring
3) PaaS service monitoring
4) None
Ans: Azure Resource Health Check
Q39. What is the use of log analytics?
1) Resource monitoring
2) Analyzing the metrics and alerting
3) Data collection
4) All of the above
Ans: All of the above
Q40. How do you query the monitoring data?
1) Using the log search query
2) Azure monitor
3) Log analytics
4) None
Ans: Using the log search query
Q41. What is the use of the action group in an alert?
1) Used to send the notification to tools/email ID.
2) Used to configure the Azure monitor.
3) Used to connect to log analytics.
4) None of the above.
Ans: Used to send the notification to tools/email ID.
Q42. What is the use of activity logs?
1) It tracks all the operation activities within the subscription.
2) It collects the data from the Azure monitor.
3) It is used to connect to log analytics and analyze the logs.
Ans: It tracks all the operation activities within the subscription.
Dummy scenario-based exam questions
Q1. A BPB customer has more than 150 VMs, and now the customer wants to delete a few of the VMs from his subscription. The customer wants to find out the unused disk which has been created during the VMs creation and deletion process. How can you identify the unused disk?
1) You can use the Azure portal.
2) You can use Azure storage explorer.
3) You can use the cost management report.
4) You can use the Cloudyn optimization report.
Ans: 4. You can use the Cloudyn optimization report which will provide the report of an unused disk.
Q2. A BPB customer asked to create 10 Azure virtual machines with Linux OS that were required for the production workload. The customer needs to monitor the metrics. What are the options the customer can use to monitor the Linux metrics from the portal?
1) Log analytics
2) Application insight
3) Azure performance diagnostic extension
4) Azure monitor
Ans: 3. Azure performance diagnostic extension will help the customer to collect the additional metric data and monitor the Linux metrics.
Q3. A BPB customer has two different subscriptions, called BPBDev and BPBProd, and both the subscriptions need to communicate with each other. We have already configured the VNetDev for the BPBDev subscription and VNetProd with the BPBProd subscription. Now, you want to set up communication between both the subscriptions. How can you configure it?
1) We will move the VNetDev to the BPBProd subscription.
2) Configure the VNet peering.
3) Configure VNet-to-VNet connection between both the subscriptions.
4) Site-to-site connectivity between the subscriptions.
Ans: 3. Configure VNet-to-VNet connection between both the subscriptions. Creating the VNet-to-VNet connectivity is a simpler process than site-to-site VPN connectivity and the required local area connection needs to be created.
Q4. Your customer wants to create an Azure storage account called bpbstorage, and under that, he wants to create an Azure file share. Once you create the Azure file share, you need to map it to an Azure file share supported port. Which port number will you choose to configure the Azure file share?
1) Port-443
2) Port-445
3) Port-80
4) Port-8080
Ans: 2. Port-445 because port 445 supports Azure file share. If port 445 is blocked by your organization, then you will not be able to connect to the file share.
Q5. You are the administrator of your subscription which contains 30 virtual machines, and members of your team want to create a couple more VMs with the NSG group. Now, your manager wants to block port 80 whenever any new NSG is created. What is your approach on this?
1) Use a custom Azure policy
2) Create lock on NSG
3) Block using the RBAC role
4) Provide limited access
Ans: 1. We will use a custom Azure policy which will help to define the policy. Whenever an engineer creates an NSG, the deny rule will automatically be created with port 80.
Q6. You are the administrator of your subscription and you have 50K users and you want to create 10 more users in the Azure AD and assign the user administrator role to those users. What options will you choose to provide access to those users?
1) Only create the users.
2) Create the users and modify the directory role.
3) You can use the group policy to provide the access.
4) Use an active directory license to provide the access.
Ans: 2. We will create the user from Azure AD and use the directory role to modify and assign the user administrator role to those users.
Q7. You have 20K users, and now your organization's IT head wants to buy 20 additional P2 licenses for higher management as they want to use the additional features of premium AD. You have bought the 20 licenses. How will you configure them so that higher management can use the premium features?
1) You will assign the admin role to those users.
2) You will create a user group that allows you to use the premium feature.
3) You will assign the P2 licenses to each user using the license blade.
4) You will use the RBAC role.
Ans: 3. We will assign the P2 licenses to each user using the license blade because unless the license has been configured, higher management cannot access the premium features, as those features will be available only if they have a valid license.
Q8. You have created a storage account in the resource group BPBRG32, and now you have applied a read-only lock to BPBRG32. Which operation will you perform?
1) You will delete the resource group.
2) You can copy the storage key.
3) You can upload the data to the blob storage account.
4) You can change the replication settings.
Ans: 2. You can copy the storage key because the read-only lock allows you to copy the data, but it will not allow you to modify or delete anything from the resources group.
Q9. You have two Azure active directories bpb.com and azure4you.com. Now, you want to set up a default directory tenant to sign in to both the tenants. How can you configure it?
1) Change the portal configuration settings.
2) Use the PowerShell command.
3) Change the directory from the portal.
4) You can change the subscription.
Ans: 3. We will change the directory from the portal to set up sign in.
Q10. Your customer wants to enable the backup solution on an Azure web app called bpbapp1. How will you process this request?
1) Set up the third-party backup solution.
2) Use the backup policy to implement.
3) Configure the backup using the recovery vault.
4) You can use the Azure backup server for app services.
Ans: 3. We will configure the backup using the recovery vault, which will help to take the backup of web apps.
Q11. A customer wants to transfer the data from the on-premises system to Azure. Which tool will you use to process it?
1) Use the upload option directly to the blob storage.
2) Use the import and export option.
3) Create file share and map to on-premises.
4) Use the storage explorer to move the data.
Ans: 4. We will use the storage explorer to move the data as it is simple to use, tightly integrated with the Azure storage account, and makes it easy to move the data to the storage account.
Q12. You are the global administrator of your Azure AD, and now you want to enforce multifactor authentication. How will you process it?
1) Configure the playbook for MFA.
2) Use the custom policy.
3) Configure the Azure AD Connect.
4) Use the Azure AD conditional access policy.
Ans: 4. We will use the Azure AD conditional access policy which will help the organization implement MFA. We can create a conditional access policy and apply it.
Q13. Your customer wants to configure a VNet named BPBVnetprod which supports the VNet gateway configuration to configure the site-to-site VPN?
1) Create a VNet.
2) Create subnet.
3) Create a VNet with the subnet gateway.
4) Create VNet with the subnet.
Ans: 3. We will create the VNet with the subnet gateway, which will help to configure the VNet gateway and the site-to-site VPN.
Q14. Your Azure tenant has enabled privileged identity management, and you want to see how many users have been assigned the security admin role. You need to review the security admin access role. How can you process it?
1) In identity protection manager, you will configure the risk policy.
2) You will configure the weekly AD report.
3) You will configure the access review from the privileged identity management.
4) You will enable the AD audit logs.
Ans: 3. We will configure the access review from the privileged identity management, which helps us to frequently understand access to that security admin role, and based on the report, we can decide on it.
Q15. You have configured multifactor authentication for all the users in your Azure tenant, and a few of the users are having an issue logging in to mobile devices and are unable to reset the password. What is the solution you will apply?
1) Self-service password reset.
2) Configure the mobile devices.
3) Create the password for those users.
4) Reinstall the app services.
Ans: 1. We will enable the self-service password reset which will help the users to reset their password whenever it is required. Then, they will be able to configure the apps on mobiles.
Q16. You have a couple of storage accounts and your customer wants to restrict the access to the internet in the production storage accounts. Which is the solution you will apply?
1) In the storage account, enable encryption.
2) Create the SAS key.
3) Enable the VNet integration from the firewall settings.
4) Enable the replications.
Ans: 3. We will enable the VNet integration from the firewall settings from the Azure storage account, which will help to restrict the storage access to the internet.
Q17. Your client has an on-premises network which contains multiple OS versions of servers. The client wants to migrate all the servers to Azure. You need to provide a solution for some of the servers, which are available in a single Azure datacenter and might go offline during planned and unplanned maintenance. What should be your recommendation to the client?
1) Fault tolerance
2) Low latency
3) Scalability
4) Replication to Azure
Ans: 1. We will suggest having fault tolerance in the workload which will help during planned and unplanned maintenance.
Q18. You have 100 VMs in the Azure subscription, and now your customer wants to configure the backup. You have successfully created the backup. The client manager wants to set the backup retention to 20 years. What is the solution you will propose to your customer?
1) Backup reports
2) Azure backup policy
3) Manually take the backup
4) Enable the replication for 20 years
Ans: 2. We will enable the retention period in the Azure backup policy, which will help to retain the backup for up to 20 years.
Q19. You have 50 storage accounts in the Azure subscription, and now your customer wants to create a container in 20 storage accounts. What are the tools you will use to create the container in the storage account?
1) From the portal.
2) You go to file share and create the container.
3) Manually create the container.
4) Azure storage explorer.
Ans: 4. We will be using the Azure storage explorer to configure the Azure storage containers.
Q20. Your customer plans to map a network drive from several computers that run Windows 10 and Linux to Azure Storage. You need to create a storage solution in Azure for the planned mapped drive. What will be the solution you will provide for the mapped drive?
1) Enable the port 80.
2) Using file share, connect and enable the port 445.
3) Use the blob storage account.
4) Use the Azure containers.
Ans: 2. We will use file share connect and enable the port 445, which provides the command to connect to Windows and Linux file share.
Q21. Your company plans to deploy web servers and SQL database servers to the Azure subscription. Now, you need to recommend a solution to restrict the connection between Azure web servers and SQL DB servers. What is the solution you will provide?
1) You will restrict from the firewall.
2) You will use the route table.
3) Configure site-to-site connection.
4) Configure the Network Security Group (NSG).
Ans: 4. We will configure the Network Security Group (NSG) which will help to allow or deny the traffic. It will help to restrict the outgoing traffic so that traffic can only be sent from the web servers to the DB servers.
Q22. Your customer plans to migrate to Azure and the company has several departments. All the Azure resources will be used by each department and managed by an IT administrator. Now, the customer wants a solution which will minimize the administrative effort and will be easy to manage by each IT administrator. Please provide the solution.
1) Multiple tenants with multiple subscriptions
2) Multiple region deployment
3) One tenant with multiple subscriptions
4) Multiple resource groups
Ans: 3. We will choose one tenant with multiple subscriptions, which helps to separate the resources and their billing, and also the administrative tasks, to reduce the administrative workloads.
Q23. Your organization has multiple offices, and every month, you plan to generate several billing reports from the Azure portal. Every report contains the resources of each subscription. What is the feature you will use before generating the report?
1) Azure policy
2) Tags
3) Cost management
4) Cloudyn
Ans: 2. We will use the tags before generating the reports, which will help us to provide the expected reports department wise.
Q24. You have multiple virtual machines, and now your customer wants to move the virtual machine from one subscription to another subscription. How can you process this request?
1) Go to resources group, and click on Move.
2) From the virtual machine, we can go to move.
3) Using PowerShell, we can do that.
4) Will use third-party tools.
Ans: 1. We will go to resources group, and click on Move and select the subscription to move the resources to another subscription.
Q25. You have multiple virtual machines and the backup has been configured in all the virtual machines. Now, your customer wants to understand the backup process and wants to show the report to higher management. What is the solution you will propose?
1) Go to backup report.
2) From the virtual machine, we can go to move.
3) Using PowerShell, we can do that.
4) Will use third-party tools.
Ans: 1. We will go to backup report and configure it, which will help us to provide the data and we can extract it in the PPT format for presentation.
Q26. You are the network administrator of your subscription and the customer has more than 50 VNets. Now, the customer wants to enable the VNet peering between VNetProd-to-VNetDev to enable the communication between both the VNet resources. What is the solution you will propose?
1) Enable VNet-to-VNet connection
2) Configure the VNet peering
3) Site-to-site VPN
4) Point to site VPN
Ans: 2. We will configure the VNet-to-VNet peering between both the VNets, which allows the communication between both the VNets.
Q27. You are the network administrator of your subscription and the customer wants to configure the Azure ExpressRoute connectivity from on-premises to Azure. The customer has decided the ISP, and the ISP has configured the on-premises connectivity. Now, you want to configure it. What is the service you can create to configure the ExpressRoute?
1) VNet
2) VNet gateway
3) Site-to-site VPN
4) ExpressRoute circuit
Ans: 4. We will create the ExpressRoute circuit to configure the ExpressRoute connectivity. Then, we need to configure the VNet gateway for connectivity.
Q28. You have 100 virtual machines in your subscription, and there are 20 virtual machines in production environments. Now, your manager wants to enable alerts so that whenever your VMs reboot or deallocate, you get an alert. What is the solution you will propose?
1) We will create the rule.
2) We will configure with the Azure policy.
3) We will create two rules and one action group from monitoring.
4) We will set up alerts.
Ans: 3. We will create two rules and one action group from monitoring: one rule for the stop/deallocate operation and another rule for the VM reboot. Both will be associated with one action group to configure the alerts.
Q29. You have 20 virtual machines in your subscription and the customer has reported that a few of the virtual machines are not connecting to the application, and the customer wants to fix the issue on priority. Which tool will you use to fix the issue?
1) Network performance monitor
2) Application insight
3) Web log analytics
4) Network watcher
Ans: 4. We will use the network watcher tool, which will help to identify the issue of the servers and help to fix the issue quickly. It will also provide the input on traffic flow within Azure.
Best wishes for your exam!