MICROSOFT AZURE

ESSENTIAL USER GUIDE TO LEARN MICROSOFT AZURE

VOLUME 1

WILLIAM HAZELBERG

TABLE OF CONTENTS
INTRODUCTION
WHO SHOULD READ THIS BOOK
ASSUMPTIONS
THIS BOOK MIGHT NOT BE FOR YOU IF…
ORGANIZATION OF THIS BOOK
CONVENTIONS AND FEATURES IN THIS BOOK
CHAPTER 1
GETTING STARTED WITH MICROSOFT AZURE
WHAT IS AZURE?
OVERVIEW OF CLOUD COMPUTING
COMPARISON OF ON-PREMISES VERSUS AZURE
CLOUD OFFERING
SAAS: SOFTWARE AS A SERVICE
PAAS: PLATFORM AS A SERVICE
IAAS: INFRASTRUCTURE AS A SERVICE
AZURE SERVICES
THE NEW WORLD: AZURE RESOURCE MANAGER
WHAT IS IT?
WHY USE RESOURCE MANAGER?
MAXIMIZE THE BENEFITS OF USING RESOURCE MANAGER
RESOURCE GROUP TIPS
TIPS FOR USING RESOURCE MANAGER TEMPLATES
THE CLASSIC DEPLOYMENT MODEL
POWERSHELL CHANGES FOR THE RESOURCE MANAGER AND CLASSIC DEPLOYMENT MODELS
ROLE-BASED ACCESS CONTROL
WHAT IS IT?
ROLES
CUSTOM ROLES
THE AZURE PORTAL
DASHBOARD AND HUB
CREATING AND VIEWING RESOURCES
VIEW BY RESOURCE GROUP
VIEW BY RESOURCE
SUBSCRIPTION MANAGEMENT AND BILLING
AVAILABLE SUBSCRIPTIONS
SHARE ADMINISTRATIVE PRIVILEGES FOR YOUR AZURE SUBSCRIPTION
ADD ADMINISTRATIVE PRIVILEGES IN THE AZURE PORTAL
GRANTING ADMINISTRATIVE PRIVILEGES IN THE CLASSIC AZURE PORTAL
PRICING CALCULATOR
VIEWING BILLING IN THE AZURE PORTAL
AZURE BILLING APIS
AZURE DOCUMENTATION AND SAMPLES
DOCUMENTATION
SAMPLES
CHAPTER 2
AZURE APP SERVICE AND WEB APPS
APP SERVICE AND APP SERVICE PLANS
WHAT IS AN APP SERVICE?
SO WHAT IS AN APP SERVICE PLAN?
HOW DOES THIS HELP YOU?
HOW TO CREATE AN APP SERVICE PLAN IN THE AZURE PORTAL
CREATING AND DEPLOYING WEB APPS
WHAT IS A WEB APP?
OPTIONS FOR CREATING WEB APPS
MARKETPLACE
VISUAL STUDIO CODE
VISUAL STUDIO
DEMO: CREATE A WEB APP BY USING THE AZURE MARKETPLACE
DEMO: CREATE AN ASP.NET WEBSITE IN VISUAL STUDIO AND DEPLOY IT AS A WEB APP
CONFIGURING, SCALING, AND MONITORING WEB APPS
CONFIGURING WEB APPS
THE ESSENTIALS SECTION
THE SETTINGS BLADE: GENERAL
THE SETTINGS BLADE: APP SERVICE PLAN
THE SETTINGS BLADE: PUBLISHING
MONITORING WEB APPS
SCALING WEB APPS
SCALING OUT MANUALLY
SCALING BY CPU PERCENTAGE
SCALING BY SCHEDULE AND PERFORMANCE RULES
CHAPTER 3
AZURE VIRTUAL MACHINES
WHAT IS AZURE VIRTUAL MACHINES?
BILLING
STOPPING AN AZURE VM
SERVICE LEVEL AGREEMENT
VIRTUAL MACHINE MODELS
AZURE RESOURCE MANAGER MODEL
CLASSIC/AZURE SERVICE MANAGEMENT MODEL
VIRTUAL MACHINE COMPONENTS
VIRTUAL MACHINE
DISKS
STANDARD AND PREMIUM STORAGE
VIRTUAL NETWORK
IP ADDRESS
AZURE LOAD BALANCER
NETWORK INTERFACE CARD (NIC)
NETWORK SECURITY GROUPS
AVAILABILITY SET
CREATE VIRTUAL MACHINES
CREATE A VIRTUAL MACHINE WITH THE AZURE PORTAL
CREATE A VIRTUAL MACHINE WITH A TEMPLATE
DEPLOYING AN ARM TEMPLATE VIA THE AZURE CLI
CONNECTING TO A VIRTUAL MACHINE
REMOTELY ACCESS A VIRTUAL MACHINE
NETWORK CONNECTIVITY
CONFIGURING AND MANAGING A VIRTUAL MACHINE
DISKS
DISK CACHING
ATTACH A DISK
FORMATTING DISKS
DISK PERFORMANCE
FAULT DOMAINS AND UPDATE DOMAINS
IMAGE CAPTURE
CAPTURE A WINDOWS VM IN THE RESOURCE MANAGER MODEL
CAPTURE A WINDOWS VM IN THE CLASSIC MODEL
SCALING AZURE VIRTUAL MACHINES
RESOURCE MANAGER VIRTUAL MACHINES
CLASSIC VIRTUAL MACHINES
CHAPTER 4
AZURE STORAGE
STORAGE ACCOUNTS
GENERAL-PURPOSE STORAGE ACCOUNTS
STANDARD STORAGE
PREMIUM STORAGE
BLOB STORAGE ACCOUNTS
STORAGE SERVICES
BLOB STORAGE
FILE STORAGE
TABLE STORAGE
QUEUE STORAGE
REDUNDANCY
SECURITY AND AZURE STORAGE
SECURING YOUR STORAGE ACCOUNT
STORAGE ACCOUNT KEYS
USING RBAC, AZURE AD, AND AZURE KEY VAULT TO CONTROL ACCESS TO RESOURCE MANAGER STORAGE ACCOUNTS
SECURING ACCESS TO YOUR DATA
SECURING YOUR DATA IN TRANSIT
ENCRYPTION AT REST
STORAGE SERVICE ENCRYPTION (SSE)
AZURE DISK ENCRYPTION
CLIENT-SIDE ENCRYPTION
USING STORAGE ANALYTICS TO AUDIT ACCESS
USING CROSS-ORIGIN RESOURCE SHARING (CORS)
CREATING AND MANAGING STORAGE
CREATE A STORAGE ACCOUNT USING THE AZURE PORTAL
CREATE A CONTAINER AND UPLOAD BLOBS USING VISUAL STUDIO CLOUD EXPLORER
CREATE A FILE SHARE AND UPLOAD FILES USING THE AZURE PORTAL
CREATE A TABLE AND ADD RECORDS USING THE VISUAL STUDIO CLOUD EXPLORER
CREATE A STORAGE ACCOUNT USING POWERSHELL
CREATE A CONTAINER AND UPLOAD BLOBS USING POWERSHELL
CREATE A FILE SHARE AND UPLOAD FILES USING POWERSHELL
AZCOPY: A VERY USEFUL TOOL
THE AZURE DATA MOVEMENT LIBRARY
INTRODUCTION
Microsoft Azure is Microsoft's cloud computing platform, providing a wide variety of services you can use without purchasing and provisioning your own hardware. Azure enables the rapid development of solutions and provides the resources to accomplish tasks that may not be feasible in an on-premises environment. Azure's compute, storage, network, and application services allow you to focus on building great solutions without the need to worry about how the physical infrastructure is assembled.
This book covers the fundamentals of Azure you need to start developing solutions right away. It concentrates on the features of the Azure platform that you are most likely to need to know rather than on every feature and service available on the platform. This book also provides several walkthroughs you can follow to learn how to create VMs and virtual networks, websites and storage accounts, and so on. In many cases, real-world tips are included to help you get the most out of your Azure experience.
In addition to its coverage of core Azure services, the book discusses common tools useful in creating and managing Azure-based solutions. The book wraps up by providing details on a few common business scenarios where Azure can provide compelling and valuable solutions, as well as a chapter providing overviews of some of the commonly used services not covered in the book.

WHO SHOULD READ THIS BOOK

This book focuses on providing essential information about the key services of Azure for developers and IT professionals who are new to cloud computing. Detailed, step-by-step demonstrations are included to help the reader understand how to get started with each of the key services. This material is useful not only for those who have no prior experience with Azure, but also for those who need a refresher and those who may be familiar with one area but not others. Each chapter is standalone; there is no requirement that you perform the hands-on demonstrations from previous chapters to understand any particular chapter.
ASSUMPTIONS
We expect that you have at least a minimal understanding of virtualized environments and virtual machines. There are no specific skills required overall for this book, but having some knowledge of the topic of each chapter will help you gain a deeper understanding. For example, the chapter on virtual networks will make more sense if you have some understanding of networking, and the chapter on databases will be more useful if you understand what a database is and why you might use one. Web development skills will provide a good background for understanding Azure Web Apps, and some understanding of identity will be helpful when studying the chapter on Active Directory.

THIS BOOK MIGHT NOT BE FOR YOU IF…

This book might not be for you if you are looking for an in-depth developer or architecture-focused discussion on a wide range of Azure features, or if you are looking for details on other public or private cloud platforms.

ORGANIZATION OF THIS BOOK

This book explores six foundational features of the Microsoft Azure platform, along with insights on getting started with Azure, management tools, and common business scenarios. This book also includes a chapter with overviews of some of the more commonly used services, such as HDInsight (Azure’s Hadoop service) and Service Bus, but there are many services in the Azure platform that are not in the scope of this book, such as Azure Batch, Data Lake Analytics, and Azure DNS, just to mention a few. To learn about all of the services available in the Azure platform, start your journey at http://azure.microsoft.com. Also, there is a web application that shows the many services of Azure and allows you to drill down to learn more.
The topics explored in this book include:
• Getting started with Azure: Understand what cloud computing is, learn about Azure Resource Manager and Role-Based Access Control, visit the management portals, learn about billing, and find out how you can contribute to the Azure documentation and code samples.
• Azure App Service and Web Apps: Learn about the Azure App Service, consisting of Web Apps, Logic Apps, Mobile Apps, API Apps, and Function Apps. We will focus on Web Apps and how they work with the App Service and App Service plans, covering the topic from deployment to monitoring and scaling.
• Virtual Machines: Explore the basic features of Azure Virtual Machines, including how to create, configure, and manage them.
• Storage: Read about the basics of Azure Storage, including blobs, tables, queues, and file shares, as well as some of the options available such as Premium Storage and Cool Storage.
• Virtual Networks: Learn the basics of virtual networks, including how to create one, and why a virtual network might be necessary. This also covers site-to-site and point-to-site networking, as well as ExpressRoute.
• Databases: Explore two relational database options available in Azure: Azure SQL Database and SQL Server in Azure Virtual Machines.
• Azure Active Directory: Explore basic features of Azure AD, including creating a directory, users and groups, and using the application gallery.
• Management Tools: Explore three common tools for working with Azure: Visual Studio 2015 and the Azure SDK, Azure PowerShell cmdlets, and the Cross-Platform Command-Line Interface.
• Additional Azure services: Get an overview of Azure services not covered in the book that may be fundamental to you now or in the future, such as Azure Service Fabric and Azure Container Service.
• Business Scenarios: Explore five common scenarios for utilizing Azure features: development and test, hybrid, application and infrastructure modernization, Azure Mobile Apps, and Machine Learning.

CONVENTIONS AND FEATURES IN THIS BOOK

This book presents information using conventions designed to make the information readable and easy to follow:
• To create specific Azure resources, follow the numbered steps listing each action you must take to complete the exercise.
• There are currently two management portals for Azure: the Azure portal at https://portal.azure.com and the Azure classic portal at http://manage.windowsazure.com. In most cases, the book uses the Azure portal, but the Azure classic portal may be used for those features that have not been migrated to the newer portal yet, such as Azure Active Directory.
• Boxed elements with labels such as “Note” or “See Also” provide additional information.
• A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press Alt+Tab” means that you hold down the Alt key while you press Tab.
• A right angle bracket between two or more menu items (e.g., File Browse > Virtual Machines) means that you should select the first menu or menu item, then the next,
CHAPTER 1
GETTING STARTED WITH MICROSOFT AZURE
The purpose of this ebook is to help you understand the fundamentals of Microsoft Azure so you can hit the ground running when you start using it. With an Azure account, you can work through the demos in this book and use them as hands-on labs. If you don’t have an Azure account, you can sign up for a free trial at azure.microsoft.com. If you have an MSDN subscription, you can activate the included Azure benefits and use the associated monthly credit. You can also check out Purchase Options at https://azure.microsoft.com/pricing/purchase-options/ and Member Offers at https://azure.microsoft.com/pricing/member-offers/ (for members of MSDN, the Microsoft Partner Network, BizSpark, and other Microsoft programs).

WHAT IS AZURE?
The following will give an overview of Azure, which is Microsoft’s cloud computing platform.

OVERVIEW OF CLOUD COMPUTING

Cloud computing provides a modern alternative to the traditional on-premises datacenter. A public cloud vendor is completely responsible for hardware purchase and maintenance and provides a wide variety of platform services that you can use. You lease whatever hardware and software services you require on an as-needed basis, thereby converting what had been a capital expense for hardware purchase into an operational expense. It also allows you to lease access to hardware and software resources that would be too expensive to purchase. Although you are limited to the hardware provided by the cloud vendor, you only have to pay for it when you use it.
Cloud environments provide an online portal experience, making it easy for users to manage compute, storage, network, and application resources. For example, in the Azure portal, a user can create a virtual machine (VM) configuration specifying the following: the VM size (with regard to CPU, RAM, and local disks), the operating system, any predeployed software, the network configuration, and the location of the VM. The user then can deploy the VM based on that configuration and within a few minutes access the deployed VM. This quick deployment compares favorably with the previous mechanism for deploying a physical machine, which could take weeks just for the procurement cycle.
In addition to the public cloud just described, there are private and hybrid clouds. In a private cloud, you create a cloud environment in your own datacenter and provide self-service access to compute resources to users in your organization. This offers a simulation of a public cloud to your users, but you remain completely responsible for the purchase and maintenance of the hardware and software services you provide. A hybrid cloud integrates public and private clouds, allowing you to host workloads in the most appropriate location. For example, you could host a high-scale website in the public cloud and link it to a highly secure database hosted in your private cloud (or on-premises datacenter).
Microsoft provides support for public, private, and hybrid clouds. Microsoft Azure, the focus of this book, is a public cloud. Microsoft Azure Stack is an add-on to Windows Server 2016 that allows you to deploy many core Azure services in your own datacenter and provides a self-service portal experience to your users. You can integrate these into a hybrid cloud through the use of a virtual private network.

COMPARISON OF ON-PREMISES VERSUS AZURE

With an on-premises infrastructure, you have complete control over the hardware and software that you deploy. Historically, this has led to hardware procurement decisions focused on scaling up; that is, purchasing a server with more cores to satisfy a performance need. With Azure, you can deploy only the hardware provided by Microsoft. This leads to a focus on scale-out through the deployment of additional compute nodes to satisfy a performance need. Although this has consequences for the design of an appropriate software architecture, there is now ample proof that the scale-out of commodity hardware is significantly more cost-effective than scale-up through expensive hardware.
Microsoft has deployed Azure datacenters in over 22 regions around the globe from Melbourne to Amsterdam and Sao Paulo to Singapore. Additionally, Microsoft has an arrangement with 21Vianet, making Azure available in two regions in China. Microsoft has also announced the deployment of Azure to another eight regions. Only the largest global enterprises are able to deploy datacenters in this manner, so using Azure makes it easy for enterprises of any size to deploy their services close to their customers, wherever they are in the world. And you can do that without ever leaving your office.
For startups, Azure allows you to start with very low cost and scale rapidly as you gain customers. You would not face a large up-front capital investment to create a new VM—or even several new VMs. The use of cloud computing fits well with the scale fast, fail fast model of startup growth.
Azure provides the flexibility to set up development and test configurations quickly. These deployments can be scripted, giving you the ability to spin up a development or test environment, do the testing, and spin it back down. This keeps the cost very low, and maintenance is almost nonexistent.
Another advantage of Azure is that you can try new versions of software without having to upgrade on-premises equipment. For example, if you want to see the ramifications of running your application against Microsoft SQL Server 2016 instead of Microsoft SQL Server 2014, you can create a SQL Server 2016 instance and run a copy of your services against the new database, all without having to allocate hardware and run wires. Or you can run on a VM with Microsoft Windows Server 2012 R2 instead of Microsoft Windows Server 2008 R2.

CLOUD OFFERING
Cloud computing usually is classified in three categories: SaaS, PaaS, and IaaS. However, as the cloud matures, the distinction among these is being eroded.

SAAS: SOFTWARE AS A SERVICE

SaaS is software that is centrally hosted and managed for the end customer. It usually is based on a multitenant architecture—a single version of the application is used for all customers. It can be scaled out to multiple instances to ensure the best performance in all locations. SaaS software typically is licensed through a monthly or annual subscription.
Microsoft Office 365 is a prototypical model of a SaaS offering. Subscribers pay a monthly or annual subscription fee, and they get Exchange as a Service (online and/or desktop Outlook), Storage as a Service (OneDrive), and the rest of the Microsoft Office Suite (online, the desktop version, or both).
Subscribers are always provided the most recent version. This essentially allows you to have a Microsoft Exchange server without having to purchase a server and install and support Exchange—the Exchange server is managed for you, including software patches and updates. Compared to installing and upgrading Office every year, this is much less expensive and requires much less effort to keep updated.
Other examples of SaaS include Dropbox, WordPress, and Amazon Kindle.

PAAS: PLATFORM AS A SERVICE

With PaaS, you deploy your application into an application-hosting environment provided by the cloud service vendor. The developer provides the application, and the PaaS vendor provides the ability to deploy and run it. This frees developers from infrastructure management, allowing them to focus strictly on development.
Azure provides several PaaS compute offerings, including the Web Apps feature in Azure App Service and Azure Cloud Services (web and worker roles). In either case, developers have multiple ways to deploy their application without knowing anything about the nuts and bolts supporting it. Developers don’t have to create VMs, use Remote Desktop Protocol (RDP) to log into each one, and install the application. They just hit a button (or pretty close to it), and the tools provided by Microsoft provision the VMs and then deploy and install the application on them.

IAAS: INFRASTRUCTURE AS A SERVICE

An IaaS cloud vendor runs and manages server farms running virtualization software, enabling you to create VMs that run on the vendor’s infrastructure. Depending on the vendor, you can create a VM running Windows or Linux and install anything you want on it. Azure provides the ability to set up virtual networks, load balancers, and storage and to use many other services that run on its infrastructure. You don’t have control over the hardware or virtualization software, but you do have control over almost everything else. In fact, unlike PaaS, you are completely responsible for it.
Azure Virtual Machines, the Azure IaaS offering, is a popular choice when migrating services to Azure because it enables the “lift and shift” model for migration. You can configure a VM similar to the infrastructure currently running your services in your datacenter and migrate your software to the new VM. You might need to make tweaks, such as URLs to other services or storage, but many applications can be migrated in this manner.
Azure VM Scale Sets (VMSS) is built on top of Azure Virtual Machines and provides an easy way to deploy clusters of identical VMs. VMSS also supports autoscaling so that new VMs can be deployed automatically when required. This makes VMSS an ideal platform to host higher-level microservice compute clusters such as for Azure Service Fabric and the Azure Container Service.

AZURE SERVICES
Azure includes many services in its cloud computing platform. Let’s talk about a few of them.
• Compute services: This includes the Azure Virtual Machines—both Linux and Windows, Cloud Services, App Services (Web Apps, Mobile Apps, Logic Apps, API Apps, and Function Apps), Batch (for large-scale parallel and batch compute jobs), RemoteApp, Service Fabric, and the Azure Container Service.
• Data services: This includes Microsoft Azure Storage (comprised of the Blob, Queue, Table, and Azure Files services), Azure SQL Database, DocumentDB, StorSimple, and the Redis Cache.
• Application services: This includes services that you can use to help build and operate your applications, such as Azure Active Directory (Azure AD), Service Bus for connecting distributed systems, HDInsight for processing big data, Azure Scheduler, and Azure Media Services.
• Network services: This includes Azure features such as Virtual Networks, ExpressRoute, Azure DNS, Azure Traffic Manager, and the Azure Content Delivery Network.
When migrating an application, it is worthwhile to have some understanding of the different services available in Azure because you might be able to use them to simplify the migration of your application and improve its robustness.

THE NEW WORLD: AZURE RESOURCE MANAGER

The Azure Resource Manager is the new methodology for deploying resources.

WHAT IS IT?
Since it went into public preview, the Azure Service Management (ASM) deployment model has been used to deploy services. In the Azure portal, services managed with ASM are referred to as classic. In 2015, Microsoft introduced the Resource Manager deployment model as a modern, more functional replacement for ASM. The Resource Manager deployment model is recommended for all new Azure workloads.
These deployment models are often referred to as control planes because they are used to control services, not just to deploy them. This is different from a data plane, which manages the data used by a service.
Typically, your running Azure infrastructure will contain many resources, but some of the resources will be related to one another in some way, such as all being the component services required to run a web application. For example, you might have two VMs running the web application, using a database to store data, and residing in the same virtual network. With Resource Manager, you deploy these assets into the same resource group and manage and monitor them together. You can deploy, update, or delete all of the resources in a resource group in one operation.
In this example, the resource group would contain the following:
• VM1
• VM2
• Virtual network
• Storage account
• Azure SQL Database
You can also create a template that precisely defines all the Resource Manager resources in a deployment. You can then deploy this Resource Manager template into a resource group as a single control-plane operation, with Resource Manager in Azure ensuring that resources are deployed correctly. After deployment, Resource Manager provides security, auditing, and tagging features to help you manage your resources.

WHY USE RESOURCE MANAGER?

There are several advantages to using Resource Manager. The deployment is faster because resources can be deployed in parallel rather than sequentially as they are in ASM. The Resource Manager model enables each service to have its own service provider, and they can update it as needed independently of the other services. Azure Storage has its own service provider, VMs have their own service provider, and so on. With the ASM model, all services had to be updated at one time, so if one service was finished and the rest were not, the one that was ready had to wait on the others before it could be released. Here are some of the other major advantages to the Resource Manager model:
• Deployment using templates
  • You can create a reusable (JSON) template that can be used to deploy all of the resources for a specific solution in one fell swoop. You no longer have to create a VM in the portal, wait for it to finish, then create the next VM, and so on.
  • You can use the template to redeploy the same resources repeatedly. For example, you may set up the resources in a test environment and find that it doesn’t fit your needs. You can delete the resource group, which removes all of the resources for you, then tweak your template and try again. If you only want to make changes to the resources deployed, you can just change the template and deploy it again, and Resource Manager will change the resources to conform to the new template.
  • You can take that template and easily re-create multiple versions of your infrastructure, such as staging and production. You can parameterize fields such as the VM name, network name, storage account name, etc., and load the template repeatedly, using different parameters.
  • Resource Manager can identify dependencies in a template but allows you to specify additional dependencies if necessary. For example, you wouldn’t want to deploy a virtual machine before creating the storage account for the VHD files that are used for the OS and data disks.
• Security
  • You can use the new Role-Based Access Control (RBAC) to control access to the resources in the group. For example, you can assign the Owner role to a user, giving that user full administrative privileges to those resources in the group but not to other resources in the subscription. Other roles include Reader (you can read anything except secrets) and Contributor (you can do most anything except add or revoke access).
• Billing
  • To help organize all of the resources in a subscription for billing purposes, you can assign tags to each resource and then retrieve all of the billing information for a specific tag. For example, if one department owns a web application and several related components, you can assign the same tag to all of those resources. Then, you can retrieve the billing for that department by retrieving the billing for that tag.
Note If you apply a tag to a resource group, the resources in the group do not inherit that tag. You have to apply the tag to each individual resource.

MAXIMIZE THE BENEFITS OF USING RESOURCE MANAGER

Microsoft has several suggestions to help you maximize the use of the Resource Manager model when working with your applications and components.
• Use templates rather than using scripting like PowerShell or the Azure Command-Line Interface (CLI). Using a template allows resources to be deployed in parallel, making it much faster than using a script executed sequentially.
• Automate as much as possible by leveraging templates. You can include configurations for various extensions like PowerShell DSC and Web Deploy. This way, you don’t need any manual steps to create and configure the resources.
• Use PowerShell or the Azure CLI to manage the resources, such as to start or stop a virtual machine or application.
• Put resources with the same lifecycle in the same resource group. In our example above, what if the database is used by multiple applications? If that’s true, or if the database is going to live on even after the application is retired or removed, you don’t want to re-create the database every time you redeploy the application and its components. In that case, put the database in its own resource group.

RESOURCE GROUP TIPS

You can decide how to allocate your resources to resource groups based on what makes sense for you and your organization. A resource group is a logical container to hold related resources for an application or group of applications. These tips should be considered when making decisions about your resource group:
• As noted before, all of the resources in a group should have the same lifecycle.
• A resource can only be assigned to one group at a time.
• A resource can be added to or removed from a resource group at any time. Note that every resource must belong to a resource group, so if you remove it from one group, you have to add it to another.
• Most types of resource can be moved to a different resource group at any time.
• The resources in a resource group can be in different regions.
• You can use a resource group to control access for the resources therein.

TIPS FOR USING RESOURCE MANAGER TEMPLATES

Resource Manager templates define the deployment and configuration of your application. They are used to deploy an application and all of its component resources repeatedly.
You can divide the deployments into a set of templates and create a master template that links in all of the required templates.
Templates can be modified and redeployed with updates. For example, you can add a new resource or update configuration information about a resource in a template. When deployed again, Resource Manager will create any new resources it finds and perform updates for any that have been changed. For instance, if you add a third subnet to a virtual network in the template and redeploy it, you can see the third subnet appear in the Azure portal.
Templates can be parameterized to allow you more flexibility in deployment. This is what allows you to use the same template repeatedly but with different values, such as VM name, virtual network name, storage account name, region, and so on.
You can export the current state of the resources in a resource group to a template. This can then be used as a pattern for other deployments, or it can be edited and redeployed to make changes and additions to the current resource group’s resources.
Here is an example of a JSON template. Deploying this template will create a storage account in West US called mystorage. This is parameterized; you can include a parameter file that provides the values for newStorageaccountName and location. Otherwise, it will use the defaults.
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "newStorageaccountName": {
      "type": "string",
      "defaultValue": "mystorage",
      "metadata": {
        "description": "Unique DNS Name for the Storage account where the Virtual Machine's disks will be placed."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "West US",
      "allowedValues": [
        "West US",
        "East US"
      ],
      "metadata": {
        "description": "Restricts choices to where premium storage is located in the US."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageaccounts",
      "name": "[parameters('newStorageaccountName')]",
      "apiVersion": "2015-06-15",
      "location": "[parameters('location')]",
      "properties": {
        "accountType": "Standard_LRS"
      }
    }
  ]
}
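The parameter rules the template above relies on, as an added example that is not code from the book: a small Python resolver (names assumed, written for this page) that applies a parameter file over the defaultValue entries, rejects a value outside allowedValues or an undeclared parameter, substitutes the [parameters('x')] expressions in the resources section, and checks the resulting storage account name against Azure's 3-24 lowercase alphanumeric naming rule. The parameter file is constructed for the example, and the naming rule is an Azure rule the book does not state.

```python
import json
import re

# The book's storage account template, embedded verbatim (minus the PDF line wrap) so the example runs offline.
TEMPLATE_JSON = r'''{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "newStorageaccountName": {
      "type": "string", "defaultValue": "mystorage",
      "metadata": {"description": "Unique DNS Name for the Storage account where the Virtual Machine's disks will be placed."}
    },
    "location": {
      "type": "string", "defaultValue": "West US", "allowedValues": ["West US", "East US"],
      "metadata": {"description": "Restricts choices to where premium storage is located in the US."}
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageaccounts",
      "name": "[parameters('newStorageaccountName')]",
      "apiVersion": "2015-06-15",
      "location": "[parameters('location')]",
      "properties": {"accountType": "Standard_LRS"}
    }
  ]
}'''

# A constructed parameter file (not from the book) in the shape Resource Manager reads:
# each entry is {"value": ...}; parameters left out fall back to the template's defaultValue.
PARAM_FILE_JSON = r'''{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "parameters": {"location": {"value": "East US"}}
}'''

# Whole-string template expression such as "[parameters('location')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
# Azure naming rule: storage account names are 3-24 lowercase letters and digits.
STORAGE_NAME = re.compile(r"^[a-z0-9]{3,24}$")


def load_parameter_file(text):
    """Flatten a parameter file's {"name": {"value": v}} entries into {"name": v}."""
    doc = json.loads(text)
    return {name: entry["value"] for name, entry in doc.get("parameters", {}).items()}


def resolve_parameters(template, supplied):
    """Supplied values override defaultValue; every declared parameter must end up with a
    value; supplied names must be declared; a value must be one of allowedValues when the
    parameter has them. Names are matched case-sensitively here (a simplification)."""
    declared = template.get("parameters", {})
    unknown = sorted(set(supplied) - set(declared))
    if unknown:
        raise ValueError(f"parameter(s) not declared in template: {unknown}")
    resolved = {}
    for name, spec in declared.items():
        if name in supplied:
            value = supplied[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"parameter '{name}' has no value and no defaultValue")
        allowed = spec.get("allowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"parameter '{name}': {value!r} is not in allowedValues {allowed}")
        resolved[name] = value
    return resolved


def expand(node, params):
    """Recursively replace "[parameters('x')]" strings with the resolved value of x."""
    if isinstance(node, dict):
        return {key: expand(val, params) for key, val in node.items()}
    if isinstance(node, list):
        return [expand(val, params) for val in node]
    if isinstance(node, str):
        match = PARAM_REF.match(node)
        if match:
            return params[match.group(1)]
    return node


def render_resources(template_text, parameter_file_text=None):
    """Return the resources section with parameters substituted, after the checks
    that would otherwise fail the deployment (bad parameter, bad account name)."""
    template = json.loads(template_text)
    supplied = load_parameter_file(parameter_file_text) if parameter_file_text else {}
    resources = expand(template["resources"], resolve_parameters(template, supplied))
    for res in resources:
        if res["type"].lower() == "microsoft.storage/storageaccounts" and not STORAGE_NAME.match(res["name"]):
            raise ValueError(f"storage account name {res['name']!r} breaks the 3-24 lowercase alphanumeric rule")
    return resources


def check_deployment(template_text, parameter_file_text=None):
    """Return None when the inputs would deploy, otherwise the validation message."""
    try:
        render_resources(template_text, parameter_file_text)
    except ValueError as err:
        return str(err)
    return None
```

Calling render_resources(TEMPLATE_JSON) yields the single storage account "mystorage" in "West US"; passing PARAM_FILE_JSON keeps the default name but moves it to "East US".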
THE CLASSIC DEPLOYMENT MODEL
Let’s talk a bit about what came before Resource Manager. These resources are now referred to as classic. For example, you can have storage accounts, virtual machines, and virtual networks that use the classic deployment model. The classic and Resource Manager models are not compatible with each other. The classic resources cannot be seen by the Resource Manager resources, and vice versa. For example, the PaaS Cloud Services feature of Azure is a classic feature, so you can only use it with storage accounts that are classic storage accounts. The exception to that rule is that you can use classic storage accounts to host Resource Manager VMs. This will make it easier to migrate your VMs from the classic deployment model to the Resource Manager deployment model.
Note that this means you may log into the classic Azure portal and see classic resources but not see Resource Manager resources, and vice versa.
Note There are two versions of the portal. The production portal is the Azure portal at https://portal.azure.com. Most features have been moved to the Azure portal, with some exceptions such as Azure Active Directory (Azure AD). The previous portal is called the classic Azure portal (https://manage.windowsazure.com), and it can still be used to manage Azure AD and to configure and scale classic resources such as Cloud Services.
You can migrate your assets from the classic to the Resource Manager deployment model.
• For storage accounts, you can use AzCopy to copy blobs, files, and tables to a new Resource Manager storage account. Note that tables must be exported from the classic account and then imported into the Resource Manager account.
• For virtual machines, you can shut them down and copy their VHD file to a new Resource Manager storage account and then use the VHD file to re-create the VM.
• For virtual networks, you can re-create them as Resource Manager VNets.
• There is also a migration service that is in public preview. Microsoft recommends using this only for nonproduction workloads at this time.

POWERSHELL CHANGES FOR THE RESOURCE MANAGER AND CLASSIC DEPLOYMENT MODELS
One of the other changes made when the Azure team created the Resource Manager model was to create PowerShell cmdlets that work just for the Resource Manager model. They did this by appending “Rm” to “Azure” in the name of the cmdlets. For example, to create a classic storage account, you would use the New-AzureStorageAccount cmdlet. To create a Resource Manager storage account, you would use the New-AzureRmStorageAccount cmdlet.
Microsoft did this so you could easily tell which kind of resource you were creating. Also, this ensures that scripts that are currently being used will continue to work. Each time you deploy a Resource Manager resource, you have to specify the resource group into which it should be placed. Also, some of the cmdlets for Resource Manager (such as creating a VM) have more details than their counterparts in the classic model.
One last note: for storage accounts, the only PowerShell cmdlets impacted are on the control plane, such as those for creating a storage account, listing storage accounts, removing a storage account, and so on. All of the PowerShell cmdlets used to access the actual objects in storage—blobs, tables, queues, and files—remain unchanged. So once you are pointed to the right storage account, you’re good to go.

ROLE-BASED ACCESS CONTROL
In this section, we’ll take a look at Role-Based Access Control (RBAC) to understand how you can use it to manage the security for your Resource Manager resources.

WHAT IS IT?
In addition to the Resource Manager deployment model that allows you to group and manage your related resources, Microsoft introduced RBAC, providing fine-grained control over the operations and scope with which a user can perform a control-plane action. The previous methodology (classic) only allows you to grant either full administrative privileges to everything in a subscription or no access at all.
With Resource Manager, you can grant permissions at a specified scope: subscription, resource group, or resource. This means you can deploy a set of resources into a resource group and then grant permissions to one or more specific users, groups, or service principals. Those users will only have the permissions granted to those resources in that resource group. This access does not allow them to modify resources in other resource groups. You can also give a user permission to manage a single VM, and that’s all that user will be able to access and administer.
In addition to users, Azure RBAC also supports service principals, which formally are identities representing applications but informally are used by RBAC to allow automated processes to manage Resource Manager resources. To grant access, you assign a role to the user, group, or service principal. There are many predefined roles, and you can also define your own custom roles.

ROLES
Each role has a list of Actions and Not Actions. The Actions are allowed, and the Not Actions are excluded. For example, there is a role called Contributor. With this role, a user can manage everything except access. This role has the following Actions and Not Actions:
• Actions: * > Can create and manage resources of all types
• Not Actions: Microsoft.Authorization/*/Write > Can’t create roles or assign roles
• Not Actions: Microsoft.Authorization/*/Delete > Can’t delete roles or role assignments
Let’s take a look at some of the most common roles.
• Owner A user with this role can manage everything, including access. This role has no Not Actions. This is synonymous with Co-Administrator in the classic deployment model.
• Reader A user with this role can read resources of all types (except secrets) but can’t make changes. This role will allow someone to look at the properties of a storage account, but it won’t let that person retrieve the access keys.
• SQL DB Contributor A user with this role can manage SQL databases but not their security-related policies.
• SQL Security Manager A user with this role can manage the security-related policies of SQL Servers and databases.
• Storage Account Contributor A user with this role can manage storage accounts but cannot manage access to the storage accounts. This means the user with this role can’t assign any roles to any users for the storage account. Note that the user with this role can retrieve the access keys for the storage account, which means they have full access to the data in the storage account.
• Virtual Machine Contributor A user with this role can manage virtual machines but can’t manage the VNet to which they are connected or the storage account where the VHD file resides. Note that this role does include access to the storage account keys, which is needed to create the container for the VHD files as well as the VHD files themselves.
These are only a few of the many roles that can be assigned to a user, a group of users, or an application.

CUSTOM ROLES
If none of the built-in roles and no combination of the built-in roles provides exactly what you need, you can create a custom role. You can do this using PowerShell, the Azure CLI, or the REST APIs. Once you create a custom role, you can assign it to a user, group, or application for a subscription, resource group, or resource. Custom roles are stored in the Azure AD and can be shared across all subscriptions that use the same Active Directory.
For example, you could create a custom role for monitoring and restarting virtual machines. Here are the Actions you would assign to that role:
• Microsoft.Storage/*/read
• Microsoft.Network/*/read
• Microsoft.Compute/*/read
• Microsoft.Compute/virtualMachines/start/action
• Microsoft.Compute/virtualMachines/restart/action
• Microsoft.Authorization/*/read
• Microsoft.Resources/subscriptions/resourceGroups/read
• Microsoft.Insights/alertRules/*
• Microsoft.Insights/diagnosticSettings/*
• Microsoft.Support/*
Note that as requested, this role can only start and restart virtual machines. It can’t create them or delete them.
A convenient way to create a custom role is to download the definition of an existing role and use that as a starting point. When you create a custom role, you also need to specify in which subscriptions it can be used—at least one must be specified.
In the next section, we’ll see how to assign roles to users for a resource group and how to give full administrative privileges for a subscription to a user.

THE AZURE PORTAL
An online management portal provides the easiest way to manage the resources you deploy into Azure. You can use this to create virtual networks, set up Web Apps, create VMs, define storage accounts, and so on, as listed in the previous section.
As noted earlier in this chapter, there are currently two versions of the portal. The production portal is the Azure portal at https://portal.azure.com. Most features have been moved to the Azure portal, with some exceptions such as Azure AD. The previous portal is called the classic Azure portal (https://manage.windowsazure.com), and it can still be used to manage Azure AD and to configure and scale classic resources such as Cloud Services.
In most cases, you will be using the Azure portal, so that’s what we’re going to focus on in this book. All of the resources that use the Resource Manager deployment model can only be accessed in the Azure portal.
Let’s take a look at the Azure portal and how you navigate through it.

DASHBOARD AND HUB
The Azure portal is located at https://portal.azure.com. When you open this the first time, it will look similar to Figure 1-1.
Figure 1-1 Azure portal.
This is called your Dashboard. The column on the left is called a hub; it shows you a core set of options such as Resource Groups, All Resources, and Recent. The other items on this hub are resources you have selected and/or used before. For example, I have recently created some App Services and VMs. You can click any of these, and it will show the resources you have for that type. For example, if you click SQL Databases, it will show a list of your SQL Databases.
You can customize the list of resources that show up in that left hub. If you click Browse, you will see a selection screen showing all of the options, and you can select which ones you want to appear, as displayed in Figure 1-2.
Figure 1-2 Configure default hub in the Azure portal.
The area on the right with the tiles is called your Dashboard. You can customize this by adding tiles, removing tiles, resizing tiles, and so on by selecting Edit Dashboard, as shown in Figure 1-3.
Figure 1-3 How to edit the Dashboard in the Azure portal.
As you create resources, you can choose to pin them to the Dashboard, and it will add them to this section.
There are a couple of default tiles on the Dashboard that are of interest.
• All Resources Clicking this will bring up a list of all of your resources.
• Service Health This shows the health of the regions around the world. If you click this, it will show a list of the regions, and you can select one to get more detailed information.
• Marketplace This will take you directly to the Marketplace blade where you can search for and add resources.
• Subscriptions This shows the subscriptions that can be managed by the account you are using. You can select a subscription and see the billing information for the current month. If you have a starting credit, this will show the amount of credit left. Accounts having starting credit include MSDN accounts and BizSpark accounts.
• Help + Support This takes you to the blade where you can submit a new support request and manage the requests you have already put in. It also provides links to the MSDN forums and StackOverflow where you can post questions.
Now, let’s look at the icons in the upper-right corner of the Azure portal, as shown in Figure 1-4.
Figure 1-4 Notifications, settings, etc. in the Azure portal.
From left to right, here’s what these icons mean:
• Clicking the bell shows notifications from this session. For example, if you create a new VM, when it’s finished, it will put a notification here.
• Clicking the pencil puts the Dashboard into edit mode, just like clicking Edit Dashboard above.
• Clicking the gear icon brings up the Settings screen for the portal, where you can do things like enable or disable toast notifications, set the default language, and so on.
• Clicking the smiley face will show a dialog you can use to send feedback to the portal team.
• Clicking the question mark will show a drop-down menu allowing you to create a new support request, view your current support requests, and so on.
• The last field shows the account you have used to log into the portal. If you administer more than one subscription, this will show the list of Azure ADs to which the user belongs. You can click this to sign out, change your password, or submit an idea.

CREATING AND VIEWING RESOURCES
As you make selections, the portal scrolls to the right. The separate sections that get opened are called blades.
Click New in the main hub. You see a categorized list of the resources available, as shown in Figure 1-5. This is a new blade.
Figure 1-5 Creating a new resource in the Azure portal.
If you click See All, it will take you to the Azure Marketplace. The Marketplace contains all of the resources that you can use in Azure. This includes everything from VM images, which are certified before being made available, to all of the SQL Server options and Web Apps. It also includes applications such as Drupal and WordPress. To add any resource, you can search for it, then select it to add it to your Azure subscription.
You can also select a category on this blade. It will show the list of resources valid for that category, and you can then select which one you want to create. For example, to create a VM, you would click the Virtual Machines category; to create a storage account or a SQL Server, you would click Data + Storage.
Once you have created some resources, there are several ways to view them. Let’s look back in the main hub (Figure 1-1), which has two helpful options—Resource Groups and All Resources.

VIEW BY RESOURCE GROUP
Use this option to see all of your resources by resource group. Click Resource Groups, and you see a blade like Figure 1-6 showing all of your resource groups.
Figure 1-6 Screenshot showing all of your resource groups in the Azure portal.
Next, select one of the resource groups, and it shows all of the resources deployed to that group (Figure 1-7).
Figure 1-7 List of resources in the selected resource group.
You can click any of the resources here, and they will be displayed in a new blade.
Click All Settings to show the Settings blade (Figure 1-8). From there, you can look at the costs by resource, view the deployment history of the resources, set tags and locks, and manage what users have access to this resource group.
Figure 1-8 Settings blade when looking at resources in a resource group.
This is where you can use RBAC to control access to all of the resources in the same resource group at one time by assigning roles to users. The user has to be set up in the Azure AD, which is done in the classic Azure portal (https://manage.windowsazure.com).
Let’s give VM Contributor access to another user account. This is granting the ability to manage the VMs but not the ability to manage the access to the VMs. So this new user could not grant access to anybody else. If you want someone to have full administrative privileges of all the resources in the resource group, you can grant that user the Owner role.
In the Users blade, click Add. You are prompted to select the role you want the user to have (Figure 1-9).
Figure 1-9 Select a role to assign to a new user.
Look through the list and find the Virtual Machine Contributor role and select it. The Add Access blade highlights Add Users and shows a list of users to the right from which to select (Figure 1-10). Select an account and then click Select at the bottom of the blade.
Figure 1-10 Select a user to add.
Next, click OK on the Add Access blade. It returns to the Users screen, which now reflects the user(s) added and their roles (Figure 1-11).
Figure 1-11 List of users and assigned roles.
I added the Virtual Machine Contributor role for Michael Collier. This means that Michael Collier now has the ability to manage the VMs in that resource group.
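As an added example that is not from the book, here is the custom role from the previous section created with PowerShell and then assigned at resource-group scope, the same kind of grant just made through the portal. The subscription id, resource group name, and user sign-in name are placeholders.

```powershell
# Added example: define the "monitor and restart VMs" custom role from the
# text, create it, assign it on one resource group, and verify the result.
# Assumed values: the subscription id, resource group "rg-demo", and the
# sign-in name of the person receiving the role are placeholders.
$subscriptionId = "<your-subscription-id>"
$rg             = "rg-demo"
$user           = "someone@contoso.com"   # placeholder sign-in name

# Start from an existing built-in role so the object has the right shape,
# then replace its properties with the custom definition.
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
$role.Id          = $null          # a new Id is generated on creation
$role.IsCustom    = $true
$role.Name        = "Virtual Machine Operator"
$role.Description = "Can monitor, start and restart VMs, but not create or delete them."
$role.Actions.Clear()
$role.NotActions.Clear()
@(
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
) | ForEach-Object { $role.Actions.Add($_) }

# A custom role must name at least one subscription in which it can be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzureRmRoleDefinition -Role $role

# Grant the role on one resource group only: the user gets the listed
# actions on resources in that group and nothing in other groups.
New-AzureRmRoleAssignment -SignInName $user `
    -RoleDefinitionName "Virtual Machine Operator" `
    -ResourceGroupName $rg

# Verify: list this user's assignments on the group, as the Users blade does.
Get-AzureRmRoleAssignment -ResourceGroupName $rg -SignInName $user |
    Select-Object DisplayName, RoleDefinitionName, Scope
```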

VIEW BY RESOURCE
Back in the main hub (Figure 1-1), let’s look at the other view of our resources. Click All Resources. This shows exactly what you expect—a list of all your resources (Figure 1-12). You can edit the columns by selecting Columns. I’ve added the Type column because I can never remember what all of the icons mean.
Figure 1-12 List of resources in the subscription.
Clicking any resource brings up a blade for that specific resource.

SUBSCRIPTION MANAGEMENT AND BILLING
In this section, we’ll look at the subscription types available and how to manage access to your subscription, as well as how to check your current billing balance.

AVAILABLE SUBSCRIPTIONS
There are several different kinds of subscriptions providing access to Azure services. You must have a Microsoft account (created by you for personal use) or a work or school account (issued by an administrator for business or academic use) to access these subscriptions.
Let’s take a look at the most common subscriptions:
• Free accounts The link to sign up for a free account is on the front page of azure.com. This gives you a $200 credit over the course of 30 days to try out any combination of resources in Azure. If you exceed your credit amount, your account will be suspended. At the end of the trial, your services will be decommissioned and will no longer work. You can upgrade this to a pay-as-you-go subscription at any time.
• MSDN subscriptions If you have an MSDN subscription, you get a specific amount in Azure credit each month. For example, if you have a Visual Studio Enterprise with MSDN subscription, you get $150 per month in Azure credit.
If you exceed the credit amount, your service will be disabled until the next month starts. You can turn off the spending limit and add a credit card to be used for the additional costs. Some of these costs are discounted for MSDN accounts. For example, you pay the Linux price for VMs running Windows Server, and there is no additional charge for Microsoft Servers such as Microsoft SQL Server. This makes MSDN accounts ideal for development and test scenarios.
For more information and to see the available MSDN subscription tiers, check out http://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/. Note that these subscriptions are to be used for development and testing, not for production.
• BizSpark accounts The BizSpark program provides a lot of benefits to startups, not the least of which is access to all of Microsoft’s software for development and test environments for up to five MSDN accounts. In addition to these benefits, you get $150 in Azure credit for each of those five MSDN accounts, and you pay reduced rates for several of the Azure services, such as Windows Virtual Machines.
For more information, check out http://azure.microsoft.com/offers/ms-azr-0064p/.
• Pay-as-you-go With this subscription, you pay for what you use by attaching a credit card or debit card to the account. If you are an organization, you can also be approved for invoicing.
For more information, check out http://azure.microsoft.com/offers/ms-azr-0003p/.
• Enterprise agreements With an enterprise agreement, you commit to using a certain amount of services in Azure over the next year, and you pay that amount ahead of time. The commitment that you make is consumed throughout the year. If you exceed the commitment amount, you can pay the overage in arrears. Depending on the amount of the commitment, you get a discount on the services in Azure.
For more information, check out http://azure.microsoft.com/pricing/enterprise-agreement/.

SHARE ADMINISTRATIVE PRIVILEGES FOR YOUR AZURE SUBSCRIPTION
Once you have signed up for an Azure subscription, you can give administrative access to additional Microsoft accounts. This is done differently depending on whether you are using the classic Azure portal or the Azure portal. If you want the new account to be able to administer the subscription in both portals, you must make sure it has been given access in each portal. You want to do this if you need someone to administer the Azure AD for the subscription or if the subscription contains classic resources.
As we discussed previously, the Azure portal uses RBAC, and the classic Azure portal does not. This means in the classic Azure portal, you can only grant full administrative (co-admin) access to an account.

ADD ADMINISTRATIVE PRIVILEGES IN THE AZURE PORTAL
We just saw how to grant administrative privileges to a resource group in the Azure portal. Granting administrative privileges to a subscription is almost the same process, except instead of selecting a resource group, you select the subscription.
Go to the hub (the selector on the far left) and select Subscriptions, then select the Subscription to which you want to add an administrator. Click Settings to go to the Settings blade, and then select Users.
From the Users blade, you can use the same process we used before. Click Add, select the Owner role this time, select the user to whom you want to grant this role, and click OK to add the user to the RBAC settings for the subscription. They will show up in the Users blade with the user’s new permission.
If you want to grant access to one specific resource, you can select the resource from the All Resources blade, go to Settings > Users, and add a user and role exactly the same way.

GRANTING ADMINISTRATIVE PRIVILEGES IN THE CLASSIC AZURE PORTAL
To grant administrative access to an account in the classic Azure portal, add the user’s account as a co-administrator to the subscription. This account will have all of the same privileges as the owner of the original subscription, but it does not allow the user to change the service administrator or to add and remove other co-administrators.
By using the classic Azure portal with administrative access, the user can access and maintain classic resources, such as classic storage accounts. There are also some Resource Manager resources that the account can impact, such as Web Apps. However, this user can’t see storage accounts and virtual machines created with the Resource Manager deployment model.
Note that co-administrators are automatically added to the Subscription Admin RBAC role.
PRICING CALCULATOR
Pricing for your Azure infrastructure can be estimated by using the pricing calculator found at http://azure.microsoft.com/pricing/calculator/ (Figure 1-13).
Figure 1-13 The pricing calculator.
The pricing for each service in Azure is different. Many Azure services provide Basic, Standard, and Premium tiers, usually with several price and performance levels in each tier, allowing you to select an appropriate performance level for your use of the service. As you change the selections, the pricing estimate is provided on the right side of the page. You can look at each feature separately or select several resources to estimate multiple features together.
Let’s create a pricing example for two virtual machines and a storage account with 500 GB of data.
1. Click Compute > Virtual Machines. A message appears saying it has been added.
2. Click Data & Storage > Storage. A message appears saying it has been added.
3. Now, scroll to the bottom of the page, and you see it has added Virtual Machines and Storage. It also shows the total for all the resources you’ve specified.
4. On the Virtual Machines tile, set the Region to the one closest to you and set Type to Windows (other options include Linux). Next, set the Pricing Tier to Standard. Then, check the drop-down list on instance size and select a D2 V2. If we set the storage to Premium storage, this will also work for DS2 V2 VMs because the pricing is identical for D2 and DS2 VMs. D2 VMs use Standard storage; DS2 VMs use Premium storage.
Next, set the number of virtual machines to 2 (Figure 1-14).
Figure 1-14 Calculating pricing on two virtual machines.
This shows an estimated cost for having those two virtual machines.
On the Storage tile, set the Region. Set Type to Page Blob and Disk, indicating that we are going to use this storage account to store the VHD files for our virtual machines. Set the Pricing Tier to Premium (SSD). Select the P30 disk. If you are deploying VMs, you want to use Premium storage for the best reliability and speed; Premium storage only uses SSDs. This will give an estimated cost for that configuration (Figure 1-15).
Figure 1-15 Calculating price on storage.
5. Now if you look at the total section, it gives a total estimated cost for the two virtual machines and the storage (Figure 1-16).
Figure 1-16 Calculating total cost of selected resources.
6. If you click Export Estimate, it will export all of the data to an Excel spreadsheet.
The pricing calculator can be helpful in estimating your Azure costs for new projects you want to add or for an entire infrastructure design.
Note The overall pricing plan page does not include variations by region, but you can find those if you go to the individual service pricing pages at http://azure.microsoft.com/pricing/ and select the service in which you’re interested. At that point, you can also select the specific region.

VIEWING BILLING IN THE AZURE PORTAL
An important component of using Azure is being able to view your billing information. If you have an account that allows you a certain amount of credit, it’s nice to know how much you have left and to view where the costs are accumulating. To see your current usage, click the Subscriptions tile in the Dashboard of the Azure portal (Figure 1-17).
Figure 1-17 The Subscriptions tile on the Dashboard of the Azure portal.
Click this tile to go to the Subscriptions blade, then select the subscription you want to examine. The Subscriptions blade is displayed. On the bottom of that blade is a tile showing the amount left before you hit the cap, what the starting credit was, and the burn rate (Figure 1-18).
Figure 1-18 The overall cost information for the selected subscription.
We can see that for the account displayed above, the cap is $150 (starting credit), and $98.52 of that has been used so far. Underneath this graphic is the cost by resource. This account is taken up by the small web app that is running, but if there are VMs, storage accounts, and so on, the total cost of each resource would be displayed here (Figure 1-19).
Figure 1-19 The cost by resource for the selected subscription.
If you click the graphic, it will show the resource costs by resource in a new blade (Figure 1-20).
Figure 1-20 The details of the cost by resource for the selected subscription.
The ability to view the billing information on a regular basis is helpful when managing the costs for your Azure subscription. If you have a subscription with a monthly credit, you can tell when you’re getting close to the cap. You can also tell where your costs are accumulating. Also, if you provision some VMs and forget they’re out there, you’ll be able to see them because they will have billing associated with them.

AZURE BILLING APIS
In addition to viewing the billing in the portal, you can access the billing information programmatically through the Azure Billing REST APIs for a specific subscription. There are two APIs that you can use.
• The Azure Usage API enables you to retrieve your usage data. You can fine-tune the billing usage information retrieved to be grouped by resource if you have used the resource tags that can be set through most of the Settings screens. For example, you can tag each of the resources in a resource group with a department name or project name, then track the costs specifically for that one tag.
• The Azure RateCard API enables you to list all of the resources that you can use, along with the metadata and pricing information about each of those resources.
To get you started, there are Billing API code samples on GitHub that you can download and try out. They are located here: https://github.com/Azure/BillingCodeSamples.

AZURE DOCUMENTATION AND SAMPLES
In this section, we’ll talk about the Azure documentation and samples, including where you can find them and how you can contribute bug fixes, changes, or even entirely new articles and samples to the Azure community.

DOCUMENTATION
The Azure documentation can be found at http://azure.microsoft.com. This is the conceptual documentation, which explains the services, how they work, how to use them, and so on. The reference documentation is on MSDN (http://msdn.microsoft.com). For example, the documentation for the REST APIs is on MSDN, and it shows every command and all of their options.
All of the conceptual documentation at azure.microsoft.com resides on GitHub. You can contribute to the documentation by adding articles or modifying articles to include information you believe will be helpful to others. To view the contributor guide and the current documentation, please go to https://github.com/Azure/azure-content.

SAMPLES
In addition to the documentation, there are many Azure samples to help you get started with Azure, also stored in GitHub. For example, Azure Storage has getting-started samples for .NET and Java for Blob storage, Table storage, Queue storage, and File storage. You can use these samples to help you, and you can also contribute to this repository. These samples can be found here: http://github.com/azure-samples.
For the Resource Manager resources, there is a repository of quick start templates available here: https://github.com/Azure/azure-quickstart-templates. This has templates for creating many resources such as the Azure Content Delivery Network, Azure Key Vault, virtual machines, virtual networks, and storage accounts.
CHAPTER 2
AZURE APP SERVICE AND WEB APPS
In this chapter, we take a look at the Azure App Service, consisting of Web Apps, Logic Apps, Mobile Apps, API Apps, and Function Apps. We focus on Web Apps and how they work together with the App Service. We create a web app and publish it to Azure. We also look at the options for prebuilt web apps offered by Azure.

APP SERVICE AND APP SERVICE PLANS
Before we talk about Web Apps, let’s talk about App Service and the App Service plans.

WHAT IS AN APP SERVICE?
The App Service is a service that hosts one of five kinds of applications:
• Web Apps
• Mobile Apps
• Logic Apps
• API Apps
• Function Apps
Each app runs in its own app service. When you look in the Azure portal to see your website, you will look for the app service in which it is running. It conveniently has the same name as the app it’s hosting.

SO WHAT IS AN APP SERVICE PLAN?
An App Service plan defines the capacity and resources to be shared among one or more app services that are assigned to that plan.
The following are some of the criteria you can define when creating an App Service plan.
• Location (such as West US)
• Instance count
• Pricing tier (such as Free, Standard, or Premium) providing distinct settings for a variety of performance and service capabilities:
  • Number of cores or instance size
  • Amount of memory
  • Amount of storage
  • Maximum number of instances
  • Autoscaling options (depends on tier—automatic, manual, or none)
When you deploy your app service for the first time, you specify which App Service plan you want to use. At deployment time, you can select an App Service plan you have created or create a new App Service plan.

HOW DOES THIS HELP YOU?
With infrastructure as a service (IaaS), you can create your own virtual machines (VMs), deploy your apps to them, and deal with the IIS setup and application pools and so on. Then, every time you change an app, you have to deploy it to all the VMs again. If you scale it out, and you have four VMs or eight VMs, it just becomes more onerous. With IaaS, you are responsible for the continuing management of your service. Using App Service plans enables you to run multiple applications on one set of VMs, even if each of the applications is deployed separately.
For example, let’s say you have five websites and three mobile apps that you want to host. You could run each one on its own VM, which would require 8 VMs. If you wanted redundancy (recommended), that would require 16 VMs. Even if you select small instances, the cost adds up really quickly. Plus, you have to scale each set of VMs separately.
If you could run those eight applications on the same set of two VMs, it would be more cost-effective and easier to manage. This is what using App Service plans does for you. You set up one App Service plan with a specific VM size, number of instances, etc. Then, you deploy the eight applications, specifying the same App Service plan for each one. This results in all eight applications running on that same set of two VMs. You can deploy and update each application as needed—you don’t have to update them all at the same time.
When you create your App Service plan, the resources you requested are allocated for you. When you deploy an app to that App Service plan, it simply deploys the applications to those allocated resources.
If you decide you want to have four VMs instead of two, you simply go to the Azure portal and modify the App Service plan, changing the number of instances from two to four. It will create two more VMs and deploy your apps to them for you. If you are using small VMs and want to scale up to medium VMs, you can simply modify the Pricing Tier in the App Service plan, and it will scale up.
With web αpps running in αn αpp service using αn Αpp Service plαn, the
mαnαgement is hαndled for you, αnd you cαn eαsily scαle up αnd out just by
chαnging the settings of the Αpp Service plαn.

HOW TO CREATE AN APP SERVICE PLAN IN THE AZURE PORTAL

Now, I’ll show you how to create an App Service plan using the Azure
portal. Later, I’ll show you how to create a web app and deploy it to an app
service using that App Service plan.
1. Log in to the Azure portal.
2. Click New, then click See All, as displayed in Figure 2-1.
Figure 2-1 Go to the Marketplace to search for a resource to add.
3. It opens the search screen for the Marketplace (Figure 2-2). Type app
service plan in the search box and press Enter.
Figure 2-2 The input screen for searching the Marketplace.
4. Select App Service Plan in the search results, as shown in Figure 2-3.
Figure 2-3 The search results for App Service plan.
5. Click Create on the App Service Plan blade displayed in Figure 2-4.
Figure 2-4 Click Create to create a new App Service plan.
6. After you see something similar to the App Service Plan blade
displayed in Figure 2-5, you can define the parameters for your App
Service plan.
Figure 2-5 The fields to be filled in for your new App Service plan.
• App Service Plan This is what you would like to name your App
Service plan. Make this something you can recognize when you want
to use the plan later.
• Subscription If you have multiple Azure subscriptions administered
by this account, this will have a drop-down list of subscriptions, and
you can select which one to use.
• Resource Group Resource groups provide a logical container for a
related set of resources. For example, you could put all of the
resources you create for this book in the same resource group. When
you’re finished, you can delete the resource group, and it will
deallocate and remove all of those resources for you. Let’s create a
new resource group for our App Service plan; later in this chapter, we
will create a web app and assign it to our App Service plan. Leave
the value as +New and specify the name of your new resource group.
It’s recommended that you specify something that indicates what the
resources are used for.
• Location This is the Azure region where the resource group will be
hosted. This includes metadata such as audit logs, where each
resource in the group resides. This can be different from the resources
themselves; this is important for those who care about where data is
hosted—for example, those in countries with data sovereignty laws.
Also, Resource Manager operations are sourced through this region,
so you typically want it to be the same as most of the resources in the
group. For our example, select the region closest to you.
• Pricing Tier Click this field to see your choices. The new blade
(displayed in Figure 2-6) shows the recommended pricing plans. This
is a subset of all of the available pricing tiers. If you want to see all
of the plans, click View All on this blade. The pricing plan lets you
specify the amount of storage, scalability, backup choices, and so on.
Figure 2-6 The Pricing Tier blade.
Select the S1 Standard pricing plan and then click Select at the
bottom of the blade. Now, your App Service Plan blade should
display the pricing plan you selected.
7. Select the check box on the bottom of the App Service Plan blade that
says Pin To Dashboard.
This will pin a tile to the Dashboard showing your App Service plan,
providing easy access to it. Now, click Create. It creates the plan and
adds a tile to your Dashboard.
8. After the App Service plan is created, you can click the tile on the
Dashboard and modify it. You can also see what apps are using that
plan. After the web app is created and deployed, I’ll show you how to
scale the apps by scaling the App Service plan.
At this point, you can create one or more app services, such as a web app,
and assign them to that App Service plan. They will all run on the same
VMs.

CREATING AND DEPLOYING WEB APPS

Now that you understand App Services and App Service plans, I’ll show you
what a Web App is, discuss some of its features, and then talk about the
various options you have for creating one. Then, I’ll show you how to use a
couple of those options to create and deploy a Web App.

WHAT IS A WEB APP?

A Web App is a web application that is hosted in an App Service. The App
Service is the managed service in Azure that enables you to deploy a web
application and make it available to your customers on the Internet in a very
short amount of time. As noted above, you don’t directly support the VMs on
which your web app runs; they are managed for you. In fact, you don’t have
access to those underlying VMs.
Supported languages include .NET, Java, PHP, Node.js, and Python. In
addition to creating your own web app, there are several web applications
available to use as a starting point, such as WordPress, Umbraco, Joomla!,
and Drupal.
You can use continuous deployment with Team Foundation Server (TFS),
GitHub, TeamCity, Jenkins, or BitBucket so that every time you commit a
change, a new version of the web app is deployed.
Scaling is done by scaling the App Service plan to which the web app
belongs. You can scale the number of instances in and out on demand. You
can configure autoscaling so Azure will scale it in or out for you depending
on specific performance measures such as CPU percentage. You can also
publish your website to multiple locations and use the Azure Traffic
Manager to handle the routing of the traffic to the location nearest to your
customer.
For diagnostics, you can gather performance statistics, application logging,
web server logging, IIS logs, and IIS Failed Request logs. If you’re using
Microsoft Visual Studio, you can even remotely debug your application
while it is running in the cloud.
In short, there are many features available when using Web Apps to make it
easy for you to deploy, manage, and troubleshoot a web application.

OPTIONS FOR CREATING WEB APPS

There are multiple options for creating a Web App and deploying the content
to an app service. Let’s look at a few of these, including the following.
• Azure Marketplace This contains all of the resources you can deploy
in Azure. I’ll show you how you can use this to create Web Apps
from preexisting templates such as WordPress.
• Visual Studio Code This is a free, open source, cross-platform code
editor with debugging capabilities.
• Visual Studio This is Microsoft’s full-featured development IDE.

MARKETPLACE
There are many pre-created websites and templates in the Azure
Marketplace that you can use. To see all of the options available, log into
the Azure portal and click New > Web + Mobile > See All. This shows the
Marketplace blade filtered for Web and Mobile apps, as displayed in Figure
2-7.
Figure 2-7 Options in the Azure Marketplace for Web and Mobile apps.
If you scroll down on the page, you can see the categories. At the end of any
row, clicking More will show additional options in that category. Here are
just a few of the choices available:
• Web Apps Web App, Web App + SQL, Web App + MySQL,
WordPress, and Umbraco CMS
• Blogs + CMSs Joomla!, Drupal, DNN, Orchard CMS, Umbraco
CMS, and MonoX
• Starter Web Apps ASP.NET, HTML5, Node.js, PHP, Apache
Tomcat, and some examples like the Bakery web app and the Java
Coffee Shop web app

VISUAL STUDIO CODE

Visual Studio Code (VS Code) is a free, open source code editor with
support for development operations such as debugging, task running, and
version control. It runs on Windows, OS X, and Linux.
VS Code makes debugging easier, providing IntelliSense code completion
and easy code refactoring. It integrates with Git and also package
managers, repositories, and various build tools.
VS Code has built-in support for Node.js, JavaScript, and TypeScript. Using
extensions, you can use VS Code to debug languages such as C#, C++,
Python, Ruby, and PowerShell. There is also tooling for web technologies
such as HTML, CSS, JSON, and Markdown.
Using the Azure portal, you can set your web app to get the source code
from OneDrive, Dropbox, or a code repository such as GitHub or
Visual Studio Team Services. If you enable continuous deployment for your
web app, updates will be published automatically when changes are made
to your source repository.
You can download Visual Studio Code for Windows, Linux, or Mac here:
https://code.visualstudio.com/#alt-downloads.

VISUAL STUDIO
Visual Studio is a full development environment, giving you the ability to
create many different kinds of applications including, but not limited to,
ASP.NET MVC applications, .NET client applications, Windows
Communication Foundation (WCF) services, Web APIs, and Cloud
Services, using languages such as C#, C++, VB, F#, and XAML.
With Visual Studio, you can create a new web application and publish it to
an app service in Azure. I’ll show you how to do this in an upcoming demo.

DEMO: CREATE A WEB APP BY USING THE AZURE MARKETPLACE

Let’s take a look at how to create a web app from one of the templates
available in the Azure Marketplace.
1. Log into the Azure portal. As seen in Figure 2-8, click New on the left
side of the page, then click See All.
Figure 2-8 Go to the Marketplace Search blade.
2. This brings up the search screen for the Marketplace. All resources
that can be deployed to Azure are listed in the Marketplace, including
virtual machines, virtual networks, storage accounts, web apps, and
so on. As shown in Figure 2-9, type in WordPress and press Enter to
perform the search.
Figure 2-9 Search for WordPress.
3. You see a list of matches, as displayed in Figure 2-10.
Figure 2-10 The search results for WordPress.
4. Select the row with WordPress from publisher WordPress. This shows
you the blade for WordPress; click Create at the bottom to create a
WordPress site. You now see a blade where you can start configuring
your WordPress site, as displayed in Figure 2-11.
Figure 2-11 Create a WordPress website.
5. Now, start filling in the fields on this blade:
• App Name This is used to create the URL to access your web
app.
• Subscription If the account you are using is associated with
multiple subscriptions, select the subscription you want to use.
• Resource Group This is a way of grouping multiple resources that
are related to one another, such as a web app and a database.
Select the resource group you used for the App Service plan you
created earlier.
• App Service Plan Select the App Service plan you created earlier
in this chapter.
• Click Database to see the database settings, as shown in Figure
2-12. WordPress uses MySQL by default. Set your Database Name
and Type (Shared or Dedicated). For Location, select the same
region in which your app is going to run. Click Pricing Tier and
select the least expensive, which at this time is Mercury. Click
OK to save the database settings.
Figure 2-12 Specify database settings.
• Back on the WordPress Settings blade for your new website, click
Legal Terms. If you agree with the Legal Terms, click OK at the
bottom of that screen, which will set Legal Terms to Accepted.
• You can use Web App Settings (Optional) to set the
WordPress-specific settings shown in Figure 2-13; this is optional.
Figure 2-13 Fill in App Settings (optional).
• Back on the WordPress blade, select the check box to pin the web
app to your Dashboard, then click Create. Azure will create the
WordPress site for you.
6. After Azure has finished publishing the web app, click the tile on your
Dashboard to open its properties, as displayed in Figure 2-14. To
open the site, click the URL. You are prompted for the rest of the
details needed to create your WordPress site, such as language, site
title, username, password, and email address. After all the fields are
filled in, click the Install WordPress button. After the WordPress
installation is finished, you’re ready to go.
Figure 2-14 Open your new WordPress site by clicking its URL.
Note When your web app is created, Azure also creates an Application
Insights instance. Application Insights is an analytics service that
monitors your live application. It can help you resolve performance
issues and understand how your application is used. Application
Insights is outside the scope of this book. You can see the Application
Insights instances in the All Resources blade; it will have the same
name as your web app, but it will be a different resource type. My list
of resources is displayed in Figure 2-15; the ones with the rectangle
around them are the Application Insights instances. Note that they have
a different icon from the Web Apps. Simply select those Application
Insights resources and delete them. (When you select that resource, it
will open a bunch of blades. Just close them until you get back to the
first one, and select Delete from that blade.)
Figure 2-15 The Application Insights instances are created automatically when you create a web app.

DEMO: CREATE AN ASP.NET WEBSITE IN VISUAL STUDIO AND DEPLOY IT AS A WEB APP

To perform this tutorial, you must have Visual Studio 2013 or Visual Studio
2015 installed and the most recent version of the Azure Tools and SDK.
Create a new web application with Visual Studio by following these steps:
1. Open Visual Studio. Select File > New > Project.
2. Select ASP.NET Web Application; the dialog box for creating a
project appears, as shown in Figure 2-16. On the right side of the
dialog box, clear the Add Application Insights To Project check box.
This will prevent the creation of a separate Application Insights
instance for this web application.
Figure 2-16 Create an ASP.NET Web Application; deselect Application Insights.
3. Specify the Name of the application and the Location for the solution,
then click OK.
4. When prompted to select the type of ASP.NET application to create,
select MVC from the list of ASP.NET Templates, as shown in Figure
2-17. Clear the Host In The Cloud check box. You will set that up
separately. Click OK to continue.
Figure 2-17 Select an MVC application and clear the Host In The Cloud check box.
5. Visual Studio will create a basic ASP.NET MVC application that
runs “as is.” You can modify it later to make it your own.
6. Now, publish this web application to an App Service in Azure and
assign it to the App Service plan created earlier in this chapter. You
will create the App Service when you publish the web app the first
time. Right-click the website and select Publish (Figure 2-18).
Figure 2-18 Step 1 for publishing the web application.
7. The Publish Web dialog box will be displayed. Select the Microsoft
Azure App Service (Figure 2-19).
Figure 2-19 Select the Microsoft Azure App Service for the publish target.
8. You will be prompted for your subscription name. You may be
prompted again to enter the credentials for your Azure subscription. If
the correct account is not displayed, click it to show a drop-down list
and add an account if necessary. When the correct account is
selected, select the Subscription and be sure the View is set to
Resource Group. Open the Resource Group, and you will see the
resources that have been set up already. In Figure 2-20, you can see
the web apps that I have already created. To publish this application
to a new web app, click New.
Figure 2-20 Make sure the right account and subscription are selected; show the resources by group.
9. The Create App Service dialog box (Figure 2-21) appears next.
Remember that an App Service is simply the host for a Web App,
Mobile App, Logic App, API App, or Function App. You’ll create a
new App Service to host your MVC web application here.
Figure 2-21 Create an App Service to host the MVC application.
• Set the Web App Name. This will be used for the URL for the
web app, so select it wisely.
• Select the Subscription.
• Select the Resource Group. If you use the one you created at the
beginning of this chapter, then when you’re done, you can delete
that Resource Group and all of your resources will be removed.
• Last, select the App Service plan that you created earlier in this
chapter. This application will be hosted on the same VMs as the
other web app(s) you have placed in that plan.
Click Create to create the App Service.
If you look in the Azure portal now, you will see your App Service has been
created.
Now let’s use Web Deploy to publish our web app to our app service. After
creating the app service, the Publish Web dialog box will be displayed
(Figure 2-22). You can use the default values.
Figure 2-22 Publish settings for the MVC application.
10. Click Validate Connection to make sure the information is correct.
After it validates, click Next to go to the next dialog box (Figure 2-23).
Figure 2-23 Settings used when publishing the MVC application.
11. This dialog box lets you set the Configuration to Debug or Release and
provide a connection string to a database if needed. Note that if you
are going to use remote debugging on your web app, you will want to
select the Debug configuration. Click Next to reach the final page
(Figure 2-24).
Figure 2-24 Publish the MVC application.
12. You can preview your site here. When you’re finished, click Publish to
deploy the web application to the App Service. It will open your web
application in the default browser after it is published.
When you make changes to your website, you can go through this same
process to publish the website again. Note that it will only publish the files
that have been added or modified.

CONFIGURING, SCALING, AND MONITORING WEB APPS

Now that you’ve created a web app, assigned it to an App Service plan, and
deployed it, let’s take a look at the configuration in the portal and how to
scale your web application.

CONFIGURING WEB APPS

Log into the Azure portal and go to the web application you created and
deployed from Visual Studio earlier. The primary blade should look like
Figure 2-25.
Figure 2-25 Web App blade.

THE ESSENTIALS SECTION

Let’s start with the icons across the top of the Web App blade and look at
what they are used for.
• Settings This opens a new blade called Settings. This displays by
default when you first open the Web App blade, and is the same
blade you see when you click All Settings.
• Tools This opens the Tools blade, which provides access to
Performance testing, Process Explorer, Performance monitoring, and
so on. It also provides access to the Kudu console, which is helpful
for troubleshooting and analysis.
• Browse This opens your web app in your default browser.
• Stop/Start This option starts and stops the web app.
• Swap This option swaps the versions deployed to two different
deployment slots. For example, if you have a production slot and a
staging slot, you can publish your web app to staging and test it.
When you’re satisfied with it, you can promote it to production by
using the Swap option. When you’re sure everything is working okay,
you can remove the staging version.
• Restart This restarts your web app.
• Delete This removes the web app.
• Get Publish Profile This retrieves the information needed to publish a
web app from Visual Studio.
• Reset Publish Profile This resets the publishing credentials and
invalidates the old credentials. These credentials are used for FTP
and Git access.
In the Essentials area, it shows the settings provided when creating the web
app: the Resource Group, Location, Azure Subscription ID, the URL of the
website, and the name of the App Service plan being used. It also shows the
credentials for FTP’ing into the web app in case you want to deploy new
files via FTP.
Click Settings to open the Settings blade. Let’s take a closer look at some of
the options on this blade.

THE SETTINGS BLADE: GENERAL

Figure 2-26 shows the General section of the Settings blade.
Figure 2-26 General section on the web app’s Settings blade.
Let’s take a look at the General settings we can configure on this blade.
• Quick Start This brings up some resources you can use to learn more
about Web Apps. There are links to install Visual Studio and the
Microsoft Azure SDK, links to reset your deployment credentials, and
links to tutorials, forums, samples, etc.
• Properties This shows some of the same values that are in the
Essentials blade: the URL, the mode (Standard), the outbound IP
addresses, the FTP settings, and so on.
• Application Settings These are values that apply to your web app.
The top of the Application Settings blade shown in Figure 2-27 lets you set
things like the .NET Framework version, PHP version, etc.
Figure 2-27 Application Settings blade for the web app.
Let’s look at what some of these settings are used for:
• .NET Framework Version If your web app is a .NET application, this
will denote the major version being used. Values available are 3.5
and 4.6.
• PHP, Java, and Python Versions If using one of these technologies,
this allows you to set the version to be run for the App Service. PHP
5.4, 5.5, 5.6, and 7.0 are supported. Java 7 and 8 are supported. For
Python, versions 2.7 and 3.4 are supported.
• Platform This indicates whether your web app runs on a 32-bit
platform or a 64-bit platform. Note that you cannot select 32-bit for
Free websites.
• Always On By default, webpages are unloaded after being idle for a
certain amount of time. If you need your webpage to be live and
active all of the time, set this to On.
• Debugging These settings allow you to enable and disable remote
debugging. If set to On, you can then select which version of Visual
Studio you want to use to perform the debugging. Be sure to specify
the Debug configuration when you publish your web app if you want
to perform remote debugging.
Other settings farther down this blade include the list of default documents,
handler mappings, and virtual applications and directories.

THE SETTINGS BLADE: APP SERVICE PLAN

This is the App Service Plan section of the Settings blade (Figure 2-28).
Figure 2-28 App Service Plan section on the web app’s Settings blade.
These are the App Service plan settings you can configure on this blade.
• App Service Plan This shows which App Service plan is used by the
web app. This will show the settings for that App Service plan, which
are the same values you see if you choose your App Service plan
from All Resources on the main menu of the Azure portal.
• Scale Up (App Service Plan) This lets you change the pricing tier for
the plan. Each pricing tier provides different values for the number of
cores, amount of memory, amount of storage, and so on.
• Scale Out (App Service Plan) This is where you can set up
autoscaling for your App Service plan and all of its app services. For
example, you can ask it to increase the number of VMs if your CPU
percentage reaches 90 percent and stays there for X number of
minutes. We’ll take a closer look at this in the “Scaling Web Apps”
section later in this chapter.
• Change App Service Plan This enables you to select a different App
Service plan or create a new one.

THE SETTINGS BLADE: PUBLISHING

Figure 2-29 shows the Publishing section of the Settings blade for a web
app.
Figure 2-29 Publishing section on the web app’s Settings blade.
Here is what each of the Publishing settings is for:
• Deployment Source This is where you can choose a source such as
Git, GitHub, OneDrive, Bitbucket, Dropbox, or Visual Studio Team
Services to be used for continuous deployment.
• Deployment Slots This lets you publish multiple versions of your web
app to different URLs. For example, you can set one up and call it
staging, then publish interim changes to it. After you’ve tested the
new version thoroughly, you can put the new version in production by
swapping the deployment slot called staging with production.
• Deployment Credentials This lets you set the user name and password
for use with Git and FTP deployment.
There are additional sections for Mobile Apps, WebJobs, and Routing, and a
section that enables you to set up a custom domain and SSL bindings.

MONITORING WEB APPS

Let’s take a look at the many ways you can monitor your application. If
you’re not already there, log into the Azure portal and go to the blade for
your web application. Below the properties of the web app is a pane
showing the default Monitoring. You can click Edit in that pane to see all of
the metrics you can add to that chart and set the time range to be displayed
and the type of chart (Figure 2-30).
Figure 2-30 Specify the metrics to display on the chart.
In the Settings blade, you can check out your diagnostics in the Site Metrics
Per Instance option. This shows overall metrics for your web app as well as
metrics for each instance that is running. You can ask to see the last 24
hours, the last hour, or the last 5 days. This is graphed for you.
You can also see the metrics for all of the apps running in your App Service
plan by selecting App Service plan Metrics Per Instance. This has the same
settings as the option for your site (24 hours, etc.), but the numbers are
combined metrics for all of the apps running.
Another option is Live HTTP Traffic, which will show what’s going on
currently with the web app, showing Request count, HTTP 5xx responses,
and HTTP 4xx responses.
Using the Diagnostics Logs setting, you can enable and disable the different
kinds of diagnostics logging for your web app, as shown in Figure 2-31. This
includes any logging that the application may do, as well as IIS requests
and Failed requests. You can FTP into the site to check the logs; the FTP
information is also displayed on that blade.
Figure 2-31 Enable or disable the logging.

SCALING WEB APPS

Let’s go to the Settings blade and look at the scaling options.
Note You don’t scale the web app specifically; you scale the App
Service plan, which scales all of the apps running in app services that
use that plan.

Scale Up will allow you to select a different pricing tier. This lets you
increase the VM size, providing a different amount of memory, storage, etc.
that we saw when we originally set up the App Service plan.
Let’s take a closer look at scaling out your App Service plan. Figure 2-32
shows the Scale Setting blade that you see when you click Scale Out.
Figure 2-32 Scale Setting blade used for scaling out.

SCALING OUT MANUALLY

On the blade displayed in Figure 2-32, you can specify the number of
instances that you want to run by either editing the text box with the number
in it or dragging the slider over to the right. Figure 2-33 shows an example
requesting that the App Service plan should be scaled out to six instances.
This means all apps running in app services that are assigned to that plan
will now have six instances.
Figure 2-33 Manually scaling out to six instances.
Scaling manually isn’t practical unless you’re sure your apps will run
consistently all of the time. What if you have an application used by a small
company, and usage is only high from 8 AM to 5 PM? Do you set it to
handle the usage during the day and let it run at that size through the night?
It would make more sense to scale down the apps in the evening when
there’s less usage.
What if you just want to use a simple plan of increasing the instance size
when your CPU percentage reaches a specific value, and decrease when the
CPU percentage goes back down? You can monitor the app service for these
conditions and scale it manually, but wouldn’t it be better if you could set it
to scale up and down automatically? Figure 2-34 shows the options for
Scale By in a drop-down list.
Figure 2-34 Options for scaling out.
You can see that you now have two more options. One is for scaling by CPU
Percentage, and the other option lets you put in specific rules for scaling.

SCALING BY CPU PERCENTAGE

Let’s take a look at the CPU Percentage scale settings, shown in Figure 2-35.
Figure 2-35 Scale by CPU Percentage.
This will allow you to scale up or down depending on the CPU Percentage.
You can set the lowest number of instances and the highest number of
instances as well as the CPU Percentage value where you want the
autoscaling to occur. In the case displayed in Figure 2-35, the web app will
run on a minimum of two instances and a maximum of six instances. The
autoscaling uses standard Microsoft Insights autoscaling, creating an upper
and lower bound rule that you can view using the Resource Explorer in the
Microsoft.Insights resource for the App Service. It waits 10 minutes between
each scaling action.
In our case here, when the CPU Percentage reaches 80 percent and stays
there for at least 10 minutes, it will start scaling up the instances until the
CPU Percentage is below the limit or it reaches the maximum number of
instances. When the CPU Percentage is below the limit, it will scale down
until it reaches the minimum number of instances.
Note When talking about autoscaling, the average CPU percentage
used to scale up or down is the average across all of the VMs running
in that App Service plan. This is also true for the other metrics you can
use.

You can also set up notifications so it will email you when it starts scaling
up and configure a webhook to be run. Webhooks allow you to route the
notification to other systems. For example, you could have a service that
sends you an SMS message when the scaling begins.

SCALING BY SCHEDULE AND PERFORMANCE RULES

The third option allows you to set your own rules. You can set a schedule
telling when to scale out and in, and you can even combine that with a
performance metric. This is very useful when you want to be really specific
about how your app scales out and in. For example, let’s say that rather
than accepting the default amount of time a value is exceeded before a
scaling operation starts, you want to set it to a specific value like 20
minutes, or you want to scale using a different performance metric. You can
do this by using this third setting, as shown in Figure 2-36.
Figure 2-36 Custom scaling rules.
This comes with a default profile called Default, Scale 1-1. Let’s edit that
profile and then define a rule that will specify that the App Service plan
should scale out when the average CPU Percentage is greater than 80
percent for more than 17 minutes, and scale in when it averages less than 50
percent for 12 minutes. (I’m using odd numbers rather than the defaults here
so you can pick out the numbers on the screen.) Click Default, Scale 1-1 to
change the default profile as displayed in Figure 2-37. After setting up the
profile, you’ll add the rules.
Figure 2-37 Set up a profile for scaling.
This profile is called Test The Scaling Options, and it will apply all of the
time. The minimum number of instances is two; the maximum number of
instances is eight. Set the fields and click OK to add the profile.
Next, click Add Rule under the profile you just edited. This will bring up a
blade similar to Figure 2-38.
Figure 2-38 Set up a rule for scaling out.
If you click the drop-down list for Metric Name, you’ll see several different
metrics that you can use to autoscale, such as Memory Percentage, Disk
Queue Length, HTTP Queue Length, Data In, and Data Out. For example, if
your web application lets people upload data, you might want to autoscale it
if they are uploading a ton of data and send a notification to someone who
can check and make sure it’s legitimate and not a hacker. Set this to
autoscale based on CPU Percentage.
In this case, when the average CPU Percentage is over 80 percent for more
than 17 minutes, it will scale up by one instance. The Cool Down (Minutes)
is the amount of time before another scaling action will take place. So after
5 minutes, if the average CPU Percentage is still over 80 percent, it will add
another instance. It will continue to do this until it reaches the maximum
number of instances you set on the profile, which was eight. Fill in the fields
and click OK to save the rule.
Now we need α rule thαt sαys if the αverαge CPU Percentαge is less thαn 50
percent for more thαn 12 minutes, decreαse the instαnce count. It will keep
decreαsing the instαnce count until it reαches the minimum number of
instαnces, which is two in our cαse. Figure 2-39 shows how to set up this
rule.
Figure 2-39 Set up α rule for scαling in.
Αfter filling in the fields, click OK to sαve the rule. Now, the Scαle Setting
blαde should look similαr to Figure 2-40.
Figure 2-40 Α screenshot showing the specified profile αnd its rules.
Click Sαve αt the top of the Scαle Setting blαde to sαve the scαling settings.
Now, the Αpp Service plαn will scαle using these rules. Note thαt αll Web
Αpps, Mobile Αpps, etc. thαt use thαt Αpp Service plαn will be scαled αs the
Αpp Service plαn scαles.
There αre two other options for the profile—one is Recurrence αnd the other
is Fixed Dαte. Fixed Dαte αllows you to provide α specific dαte/time rαnge
with scαling informαtion. For exαmple, you mαy wαnt it to scαle up fαster on
opening dαy for your web αpplicαtion.
Recurrence αllows you to specify α stαrt time αnd which dαys of the week
αpply. This is whαt you would use if you hαd α web αpplicαtion used by α
compαny from 8 ΑM to 5 PM but not much αfter thαt. You would αdd α
profile to stαrt αt 8 ΑM on Mondαy through Fridαy to scαle out, αnd then
αdd one to stαrt αt 5 PM on Mondαy through Fridαy to scαle bαck in for the
evenings αnd weekends.
If you hαve multiple profiles, there is αn order of precedence in which they
αre hαndled. When processed by the Αutoscαle service, the profiles αre
αlwαys checked in the following order:
1. Fixed Dαte
2. Recurrence profile
3. Defαult (Αlwαys) profile
In the exαmple αbove, you would set up α Recurrence profile for Mondαy
through Fridαy, 8 ΑM to 5 PM, αnd then set up α Fixed Dαte profile for α
specific holidαy, αnd the Fixed Dαte profile will tαke precedence on thαt one
dαte.
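The same scaling configuration built in the portal above, expressed with Azure PowerShell (the AzureRM.Insights cmdlets). This is an added example, not code from the book: it assumes a resource group named AzureEssentials, an App Service plan named AzEssentialsPlan in West US, and a Pacific time zone for the recurrence schedule; substitute your own names. It shows the scale-out (80 percent for 17 minutes, 5-minute cool down) and scale-in (50 percent for 12 minutes) rules, the 2-to-8 default profile, and a weekday Recurrence profile that, per the precedence order above, overrides the default profile while it applies.

```powershell
# Added example (not from the book). Assumed names: resource group
# "AzureEssentials", App Service plan "AzEssentialsPlan", region "West US".
$rg       = "AzureEssentials"
$planName = "AzEssentialsPlan"
$location = "West US"

# Autoscale settings target the App Service plan (the "serverfarm"), not
# an individual web app, because every app on the plan scales with it.
$plan   = Get-AzureRmAppServicePlan -ResourceGroupName $rg -Name $planName
$planId = $plan.Id

# Scale out: average CPU > 80% over a 17-minute window adds one instance,
# then the rule is not re-evaluated for the 5-minute cool down.
$scaleOut = New-AzureRmAutoscaleRule `
    -MetricName "CpuPercentage" -MetricResourceId $planId `
    -Operator GreaterThan -MetricStatistic Average -Threshold 80 `
    -TimeGrain ([TimeSpan]::FromMinutes(1)) `
    -TimeWindow ([TimeSpan]::FromMinutes(17)) `
    -ScaleActionCooldown ([TimeSpan]::FromMinutes(5)) `
    -ScaleActionDirection Increase -ScaleActionScaleType ChangeCount `
    -ScaleActionValue 1

# Scale in: average CPU < 50% over a 12-minute window removes one instance.
$scaleIn = New-AzureRmAutoscaleRule `
    -MetricName "CpuPercentage" -MetricResourceId $planId `
    -Operator LessThan -MetricStatistic Average -Threshold 50 `
    -TimeGrain ([TimeSpan]::FromMinutes(1)) `
    -TimeWindow ([TimeSpan]::FromMinutes(12)) `
    -ScaleActionCooldown ([TimeSpan]::FromMinutes(5)) `
    -ScaleActionDirection Decrease -ScaleActionScaleType ChangeCount `
    -ScaleActionValue 1

# Default (always) profile: between two and eight instances, both rules.
$defaultProfile = New-AzureRmAutoscaleProfile `
    -Name "Test The Scaling Options" `
    -DefaultCapacity 2 -MinimumCapacity 2 -MaximumCapacity 8 `
    -Rule $scaleOut, $scaleIn

# Recurrence profile for business hours: from 08:00 Monday to Friday keep at
# least four instances warm. Autoscale checks Fixed Date, then Recurrence,
# then Default profiles, so this one wins while its schedule applies.
$businessHours = New-AzureRmAutoscaleProfile `
    -Name "Business hours" `
    -DefaultCapacity 4 -MinimumCapacity 4 -MaximumCapacity 8 `
    -Rule $scaleOut, $scaleIn `
    -RecurrenceFrequency Week `
    -ScheduleDay "Monday", "Tuesday", "Wednesday", "Thursday", "Friday" `
    -ScheduleHour 8 -ScheduleMinute 0 `
    -ScheduleTimeZone "Pacific Standard Time"

# Create (or replace) the autoscale setting attached to the plan.
Add-AzureRmAutoscaleSetting `
    -Location $location -Name "AzEssentialsAutoscale" `
    -ResourceGroup $rg -TargetResourceId $planId `
    -AutoscaleProfile $defaultProfile, $businessHours

# Read it back to confirm what the portal's Scale Setting blade will show.
Get-AzureRmAutoscaleSetting -ResourceGroup $rg -Name "AzEssentialsAutoscale"
```

Because a Recurrence profile has a start time but no end time, the evening scale-in the text describes is a second Recurrence profile starting at 17:00 with the lower capacities; the precedence rule means the last profile whose schedule has started is the one in force.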
CHAPTER 3
AZURE VIRTUAL MACHINES
Platform as a service (PaaS) is an attractive option for a certain category of workloads. However, not every solution can, or should, fit within the PaaS model. Some workloads require near-total control over the infrastructure: operating system configuration, disk persistence, the ability to install and configure traditional server software, and so on. This is where infrastructure as a service (IaaS) and Azure Virtual Machines come into the picture.

WHAT IS AZURE VIRTUAL MACHINES?

Azure Virtual Machines is one of the central features of Azure's IaaS capabilities, together with Azure Virtual Networks. Azure Virtual Machines supports the deployment of Windows or Linux virtual machines (VMs) in a Microsoft Azure datacenter. You have total control over the configuration of the VM. You are responsible for all server software installation, configuration, and maintenance and for operating system patches.
Note The terminology used to describe the Azure Virtual Machines feature and a virtual machine instance can be a little confusing. Therefore, throughout this chapter, Azure Virtual Machines will refer to the feature, while virtual machine or VM will refer to an instance of an actual compute node.

There are two primary differences between Azure's PaaS and IaaS compute features: persistence and control. As discussed in Chapter 2, "Azure App Service and Web Apps," PaaS features such as Cloud Services (that is, web and worker roles) and App Services are managed primarily by the Azure platform, allowing you to focus on creating the application and not managing the server infrastructure. With an Azure Virtual Machines VM, you are responsible for nearly all aspects of the VM.
Azure Virtual Machines supports two types of durable (or persistent) disks: OS disks and data disks. An OS disk is required, and data disks are optional. The durability for the disks is provided by Azure Storage. More details on these disks will be provided later in this chapter, but for now understand the OS disk is where the operating system resides (Windows or Linux), and the data disk is where you can store other things, such as application data, images, and so on. By contrast, Azure PaaS cloud services use ephemeral disks attached to the physical host, and the data on them can be lost in the event of failure of the physical host.
Because of the level of control afforded to the user and the use of durable disks, VMs are ideal for a wide range of server workloads that do not fit into a PaaS model. Server workloads such as database servers (SQL Server, Oracle, MongoDB, and so on), Windows Server Active Directory, Microsoft SharePoint, and many more become possible to run on the Microsoft Azure platform. If desired, users can move such workloads from an on-premises datacenter to one or more Azure regions, a process often called lift and shift.

BILLING
Azure Virtual Machines is priced on a per-hour basis, but it is billed on a per-minute basis. For example, you are only charged for 23 minutes of usage if the VM is deployed for 23 minutes. The cost for a VM includes the charge for the Windows operating system. Linux-based instances are slightly cheaper because there is no operating system license charge. The cost, and the appropriate licensing, for any additional software you install is your responsibility. Some VM images, such as Microsoft SQL Server, that you acquire from the Azure Marketplace may include an additional license cost (on top of the base cost of the VM).
There is a direct relationship between the VM's status and billing:
• Running The VM is on and running normally (billable).
• Stopped The VM is stopped but still deployed to a physical host (billable).
• Stopped (Deallocated) The VM is not deployed to a physical host (not billable).
You are charged separately for the durable storage the VM uses. The status of the VM has no relation to the storage charges that will be incurred; even if the VM is stopped/deallocated and you aren't billed for the running VM, you will be charged for the storage used by the disks.
By default, stopping a VM in the Azure portal puts the VM into a Stopped (Deallocated) state. If you want to stop the VM but keep it allocated, you will need to use a PowerShell cmdlet or Azure command-line interface (CLI) command.

STOPPING AN AZURE VM
To stop a VM but keep it provisioned, you would need to use the Stop-AzureRmVM PowerShell cmdlet with the -StayProvisioned switch, as in the following example (the resource group is passed with -ResourceGroupName):
Stop-AzureRmVM -Name "AzEssentialDev3" -ResourceGroupName "AzureEssentials" -StayProvisioned
For classic VMs, a similar cmdlet, Stop-AzureVM, would be used.
When using the Azure CLI, there are two commands used to control the stopped state of a VM: azure vm stop and azure vm deallocate.
Shutting down the VM from the operating system of the VM will also stop the VM but will not deallocate the VM.
Note The Azure Hybrid Use Benefit program may offer additional savings by allowing you to bring your on-premises Windows Server licenses to Azure. For more information, please see https://azure.microsoft.com/pricing/hybrid-use-benefit/.
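An added example (not the book's own code) that puts the three billing states above side by side: it stops the VM with -StayProvisioned, reads back the power state from the instance view, then deallocates it, and finally lists every VM in the subscription that is stopped but still allocated, which is the state that quietly keeps accruing compute charges. It assumes the VM name AzEssentialDev3 and resource group AzureEssentials used in the text, and the helper Get-VmPowerState is defined here for the example.

```powershell
# Added example (not from the book). Assumed: VM "AzEssentialDev3" in
# resource group "AzureEssentials", as in the text above.
$rg     = "AzureEssentials"
$vmName = "AzEssentialDev3"

function Get-VmPowerState {
    # Helper defined for this example: returns the PowerState/* code from
    # the VM's instance view (-Status), e.g. PowerState/running,
    # PowerState/stopped (still billed) or PowerState/deallocated (not billed).
    param([string]$ResourceGroupName, [string]$Name)
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $Name -Status
    ($vm.Statuses | Where-Object { $_.Code -like "PowerState/*" }).Code
}

# 1. Stop but keep the VM on its physical host. Compute charges continue;
#    use this only when a fast restart on the same host matters.
Stop-AzureRmVM -ResourceGroupName $rg -Name $vmName -StayProvisioned -Force
Get-VmPowerState -ResourceGroupName $rg -Name $vmName

# 2. Deallocate (what the portal's Stop button does). Compute billing stops;
#    the OS and data disks in Azure Storage are still billed, and any
#    dynamic IP addresses are released unless they were made static.
Stop-AzureRmVM -ResourceGroupName $rg -Name $vmName -Force
Get-VmPowerState -ResourceGroupName $rg -Name $vmName

# 3. Cost audit: VMs that were stopped from inside the guest OS (or with
#    -StayProvisioned) show "VM stopped" rather than "VM deallocated".
Get-AzureRmVM -Status |
    Where-Object { $_.PowerState -eq "VM stopped" } |
    Select-Object ResourceGroupName, Name, PowerState

# Bring the VM back; deallocated VMs may land on a different host.
Start-AzureRmVM -ResourceGroupName $rg -Name $vmName
```

The audit in step 3 is worth running on a schedule: a VM that an administrator shut down from the Windows Start menu looks "off" in the guest but is still Stopped (billable) from Azure's point of view until it is deallocated.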

SERVICE LEVEL AGREEMENT

As of the time of this writing, Microsoft offers a 99.95 percent connectivity service level agreement (SLA) for multiple-instance VMs deployed in an availability set. That means that for the SLA to apply, there must be at least two instances of the VM deployed within an availability set. Additional details pertaining to availability sets for Azure Virtual Machines are discussed later in this chapter.
See Also See the SLA at http://azure.microsoft.com/support/legal/sla/ for full details.

VIRTUAL MACHINE MODELS

As you may recall from earlier in this book, there are two models for working with many Azure resources: Azure Resource Manager (ARM) and Azure Service Management (often referred to as the classic model or ASM). Please see Chapter 1, "Getting started with Microsoft Azure," for a more detailed overview. It is recommended that you use the Resource Manager model for new deployments. The classic model is still supported; however, the newest innovations will be made available only for the Resource Manager model.
For the purposes of this chapter, both models are covered, but the emphasis is on the Resource Manager model.
There are significant and fundamental differences in working with Azure Virtual Machines in these models.

AZURE RESOURCE MANAGER MODEL

When working with the Resource Manager model, you have explicit and fine-grained control over nearly all aspects of the Azure VM. You will explicitly add components such as a network interface card (NIC), public IP address, data disks, load balancer, and much more.
You may recall that Resource Manager uses various resource providers to enable access to and management of Azure resources. There are three main resource providers used when working with Azure Virtual Machines: Network, Storage, and Compute.
• The Network resource provider (Microsoft.Network) handles all aspects of network connectivity such as IP addresses, load balancers, NICs, and so on.
• The Storage resource provider (Microsoft.Storage) handles the storage of the disks for a VM (in the context of Azure Virtual Machines).
• The Compute resource provider (Microsoft.Compute) handles details related to the VM itself, such as naming, operating system details, and configuration (size, number of disks, and so on).
In addition to explicit control over the virtual machine's components, you have the ability to take advantage of other Resource Manager features, such as:
• Deployment and management of related resources as part of a resource group
• Tags to logically organize and identify resources
• Role Based Access Control (RBAC) to apply necessary security and control policies
• Declarative template files
• Deployment policies to enforce specific organizational rules
• Consistent, orchestrated deployment process
This ability affords you a great deal of control in configuring the environment to your exact needs.

CLASSIC/AZURE SERVICE MANAGEMENT MODEL

In the classic deployment model, VM deployments are always in the context of an Azure cloud service, a container for VMs. The container provides several key features, including a DNS endpoint, network connectivity (including from the public Internet if desired), security, and a unit of management. While you get these things for free, because they're inherited from the cloud service model, you have limited control over them.
Use of the classic model also excludes the use of the additional value-adding features available via Azure Resource Manager (tags, template files, and so on).

VIRTUAL MACHINE COMPONENTS

Like a car, there are many components that make up a virtual machine. Also like a car, there are multiple configuration options available to suit the specific functional needs and desires of the owner.
The sections that follow describe several of the critical components of Azure Virtual Machines. Additionally, more advanced configuration options will be discussed later in the chapter. But first, the base model needs to be established.

VIRTUAL MACHINE
It is sometimes helpful to think of an Azure VM as a logical construct. A virtual machine can be defined as having a status, a specific configuration (operating system, CPU cores, memory, disks, IP address, and so on), and state. That logical definition can be instantiated by Azure, and the appropriate resources can be allocated to bring that VM to life.

DISKS
Azure VMs use attached VHDs to provide durable storage. There are two types of VHDs used in Azure Virtual Machines:
• Image A VHD that is a template for the creation of a new Azure VM. As a template, it does not have settings such as a machine name, administrative user, and so on. More information on creating and using images is provided later in this chapter.
• Disk A possibly bootable VHD that can be used as a mountable disk for a VM. There are two types of disks: an OS disk and a data disk.
All durable disks (the OS disk and data disks) are backed by page blobs in Azure Storage. Therefore, the disks inherit the benefits of blob storage: high availability, durability, and geo-redundancy options. Blob storage provides a mechanism by which data can be stored safely for use by the VM. The disks can be mounted as drives on the VM. The Azure platform will hold an infinite lease on the page blob to prevent accidental deletion of the page blob containing the VHD, the related container, or the storage account.

STANDARD AND PREMIUM STORAGE

The disk files (.vhd files) can be backed by either Standard or Premium Storage accounts in Azure. Azure Premium Storage leverages solid-state disks (SSDs) to enable high performance and low latency for VMs running I/O-intensive workloads. Standard storage is available for all VM sizes, while Premium storage is available for DS, DSv2, F, and GS-series VMs only. Standard storage can also be used with DS, DSv2, F, and GS-series VMs, in which case only the local, ephemeral drive runs on an SSD.
In general, it is recommended to use Azure Premium Storage for production workloads, especially those that are sensitive to performance variations or are I/O intensive. For development or test workloads, which are often not sensitive to performance variations and are not I/O intensive, Azure Standard Storage is generally recommended.
For a thorough review of Azure Premium Storage and implications for Azure VMs, please see Chapter 4, "Azure Storage."
An OS disk is used precisely as the name suggests: for the operating system. For a Windows VM, the OS disk is the typical C drive; this is where Windows places its data. For a Linux VM, it hosts the /dev/sda1 partition used for the root directory. The maximum size for an OS disk is currently 1,023 GB.
The other type of disk used in Azure Virtual Machines is a data disk. The data disk is also used precisely as the name would suggest: for storing a wide range of data. The maximum size for a data disk is also 1,023 GB. Multiple data disks can be attached to an Azure VM, although the maximum number varies by VM size, typically two disks per CPU. The data disks are often used for storing application data, such as data belonging to your custom application, or server software, such as Microsoft SQL Server and the related data and log files. Multiple data disks can be made into a disk array using Storage Spaces on Windows or mdadm on Linux.
Azure Virtual Machines also include a temporary disk on the physical host that is not persisted to Azure Storage. The temporary disk is a physical disk located within the chassis of the server. Depending on the type of VM created, the temporary disk may be either a traditional HDD platter or an SSD. The temporary disk should be used only for temporary (or replicated) data because the data will be lost in the event of a failure of the physical host or when the VM is stopped/deallocated. Figure 3-1 shows the various disk types.
Figure 3-1 Disk types in Azure Virtual Machines.

VIRTUAL NETWORK
In an on-premises physical infrastructure, you may have many components that all allow you to operate your virtual machines in a scalable and secure manner. These components could include equipment such as separate network spaces for Internet-facing and backend servers, load balancers, firewalls, and more. Many of these components can logically be deployed in an Azure Virtual Network (often referred to as VNET). Azure Virtual Network provides many similar features, such as the following:
• Subnet A subnet is a range of IP addresses within a virtual network. A VM must be placed in a subnet within the VNET. VMs placed in one subnet of a VNET can freely communicate with VMs in another subnet of the same virtual network. However, you can use network security groups (NSGs) and user-defined routes to control such communication.
• IP address An IP address can be either public or private. Public IP addresses allow communication from the Internet to the VM. A public IP address can be allocated dynamically (that is, created only when the associated resource, such as a VM or load balancer, is started and released when said resource is stopped) or statically, in which case the IP address is assigned immediately and persists until deleted. Private IP addresses are non-Internet-routable addresses used for communication with VMs and load balancers in the same VNET.
• Load balancer VMs are exposed to the Internet or other VMs in a VNET by using Azure load balancers. There are two types of load balancers:
• External load balancer Used for exposing multiple VMs to the Internet in a highly available manner.
• Internal load balancer Used for exposing multiple VMs to other VMs in the same VNET in a highly available manner.
• Network security group An NSG allows you to create rules that control (approve or deny) inbound and outbound network traffic to network interface cards (NICs) of a VM or subnets.
When creating a VM in Azure using the Resource Manager model, it is required that the VM be placed within an Azure Virtual Network (VNET). You will decide whether to use an existing VNET (or create a new one), the subnet to use, the IP address, whether there is a load balancer or not, the number of NICs, and how network security is handled, as depicted in Figure 3-2. While it may seem like a lot just to get a VM deployed, these are important aspects to consider for the accessibility and security of the VM.
Figure 3-2 VMs in the Resource Manager model have explicit control over related network components.
Classic VMs can also be placed in an Azure Virtual Network. However, this is not a requirement (as it is with VMs in the Resource Manager model).

IP ADDRESS
In the Resource Manager model, by default, a VM does not have an IP address. One must be explicitly granted to a VM via an associated NIC. A VM requires an IP address to support communication with other VMs in the virtual network or the public Internet.
Each NIC has an associated private address (often referred to as a DIP, or dynamic IP) used to connect to the virtual network and is optionally associated with a public IP address connected directly to the public Internet. By default, these dynamic IP addresses are lost when the VM is stopped/deallocated, but both may be declared as static to make them persist unchanged throughout the shutdown/deallocation of the VM. This is useful for VMs that need permanent DIPs, such as Microsoft SQL Server, DNS server VMs, or permanent public IP addresses. Multiple NICs, each with their own DIPs, can be attached to a VM if more than one DIP is needed, for example, to multi-home a VM in multiple subnets.
In the classic model, the story is similar except that NICs and public IP addresses can only exist in the context of a VM; that is, they are not independent resources. Furthermore, in the classic model, it is more usual to have Internet connectivity provided by the Azure Load Balancer rather than through a public IP address.

AZURE LOAD BALANCER

As mentioned previously, the Azure Load Balancer is used to provide a relatively even distribution of network traffic across a set of (often similarly configured or related) VMs. Using the load balancer allows you to have multiple VMs work together, for example, as a collection of web servers in a web farm environment. With a load-balanced set (of VMs), incoming requests are distributed across the available VMs instead of being routed to a single VM.
There are two types of load balancers available in Azure: an external load balancer and an internal load balancer, as depicted in Figure 3-3. The external load balancer is used for distributing traffic from the Internet across one or more VMs. This enables you to expose your application in a highly scalable and highly available manner.
The internal load balancer is used to distribute traffic from within a virtual network across a set of VMs. For example, this could be traffic to a web API or database cluster that should be available only to front-end web servers, not to the public Internet.

Figure 3-3 Use of both an external and an internal load balancer.

In the Resource Manager model, to use a load balancer, several additional items must first be created:
• Public IP address for the incoming network traffic (for an external load balancer)
• A pool of backend (private) IP addresses associated to NICs for the VMs
• Rules to define the mapping of a public port on the load balancer to a port in the backend pool
• Inbound NAT rules to define the mapping of a public port on the load balancer to a specific VM in the pool
• Health probes to determine if a VM in the pool is healthy
In the classic model, the external load balancer is provided automatically as part of the cloud service model. All VMs in the cloud service are automatically configured to use the load balancer if they expose a public endpoint. Classic VMs can also use an internal load balancer.
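The five items in the list above, created in that order with Azure PowerShell. This is an added example rather than code from the book; it assumes a resource group AzureEssentials in West US, two web-server NICs named web1-nic and web2-nic that already exist in the VNET, and a /health path served by the web application for the probe. The inbound NAT rules are the per-VM management path the text describes; the comment notes the defensive complement to them.

```powershell
# Added example (not from the book). Assumed: resource group "AzureEssentials"
# in "West US"; NICs "web1-nic" and "web2-nic" already attached to the VNET.
$rg = "AzureEssentials"; $location = "West US"

# 1. Public IP for incoming traffic. Static, so DNS records and firewall
#    allow-lists elsewhere do not go stale when the balancer is recreated.
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $rg -Name "web-lb-pip" `
    -Location $location -AllocationMethod Static

$frontend = New-AzureRmLoadBalancerFrontendIpConfig -Name "web-frontend" -PublicIpAddress $pip

# 2. Backend pool; the VM NICs are added to it after the balancer exists.
$backend = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "web-backend"

# 5 (defined early because the rule references it). Health probe: a VM is
#    taken out of rotation after two consecutive failed HTTP checks on /health.
$probe = New-AzureRmLoadBalancerProbeConfig -Name "http-probe" -Protocol Http `
    -Port 80 -RequestPath "/health" -IntervalInSeconds 15 -ProbeCount 2

# 3. Load-balancing rule: public port 80 spread across backend port 80.
$rule = New-AzureRmLoadBalancerRuleConfig -Name "http" -Protocol Tcp `
    -FrontendPort 80 -BackendPort 80 `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe

# 4. Inbound NAT rules: one distinct public port per VM, mapped to RDP.
#    These expose 3389 to the Internet, so pair them with an NSG rule that
#    limits the source to your management range (see the NSG section).
$nat1 = New-AzureRmLoadBalancerInboundNatRuleConfig -Name "rdp-web1" -Protocol Tcp `
    -FrontendPort 50001 -BackendPort 3389 -FrontendIpConfiguration $frontend
$nat2 = New-AzureRmLoadBalancerInboundNatRuleConfig -Name "rdp-web2" -Protocol Tcp `
    -FrontendPort 50002 -BackendPort 3389 -FrontendIpConfiguration $frontend

$lb = New-AzureRmLoadBalancer -ResourceGroupName $rg -Name "web-lb" -Location $location `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend `
    -Probe $probe -LoadBalancingRule $rule -InboundNatRule $nat1, $nat2

# Put each VM's NIC into the pool and bind its own NAT rule.
$nicNames = @("web1-nic", "web2-nic")
for ($i = 0; $i -lt $nicNames.Count; $i++) {
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $rg -Name $nicNames[$i]
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($lb.InboundNatRules[$i])
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
}

# Verify which VMs the balancer currently considers members of the pool.
(Get-AzureRmLoadBalancer -ResourceGroupName $rg -Name "web-lb").BackendAddressPools[0].BackendIpConfigurations |
    Select-Object Id
```

An internal load balancer is built the same way, except the frontend configuration uses -SubnetId and -PrivateIpAddress instead of -PublicIpAddress, which keeps the database or API tier reachable only from inside the VNET as the text describes.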

NETWORK INTERFACE CARD (NIC)

A network interface card (NIC) provides network access to resources in an Azure virtual network. A NIC is a standalone resource, but it must be associated with a VM to provide network access (a NIC by itself is of little value). The maximum number of NICs attached to a VM is dependent on the size of the selected VM.
There are several important points to be aware of when working with NICs and VMs:
• The IP address for each NIC on a VM must be located in a subnet of the VNET to which the VM belongs.
• If multiple NICs are assigned to a VM, only the primary NIC can be assigned the public IP address. Each NIC will get assigned a private IP address (assuming the NIC is not the primary NIC and has a public IP address). The NICs can be in different subnets of the VNET.
• Any NIC on a VM can be associated with a network security group (NSG).
When working with classic VMs, it is not necessary to worry about the NIC configuration because that is handled automatically as part of the cloud service model and cannot exist outside the context of a VM.

NETWORK SECURITY GROUPS

Network security groups (NSGs) allow you to have fine-grained and explicit control over how network traffic flows into or out of Azure VMs and subnets.
NSGs allow you to shape the network traffic flow in and out of your environment. You create rules based on the source IP address and port and the destination IP address and port. The NSG rules can be applied to a VM and/or a subnet. For a VM, the NSG is associated with the NIC attached to the VM.
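An NSG built from the source/destination address-and-port rules just described, applied at the subnet level so every VM placed in the subnet inherits it. This is an added example, not the book's code. It assumes a resource group AzureEssentials, a VNET AzEssentialsVnet with a subnet named web using 10.0.1.0/24, and uses 203.0.113.0/24 (a reserved documentation range) to stand in for the corporate management network. The portal's default rule allows RDP from any source; this version narrows it to the management range and relies on Azure's built-in DenyAllInBound rule for everything else.

```powershell
# Added example (not from the book). Assumed names: resource group
# "AzureEssentials", VNET "AzEssentialsVnet", subnet "web" (10.0.1.0/24).
# 203.0.113.0/24 is a documentation range standing in for your real one.
$rg = "AzureEssentials"; $location = "West US"
$managementRange = "203.0.113.0/24"

# Lower priority numbers are evaluated first; the first match wins.
$rdpFromManagement = New-AzureRmNetworkSecurityRuleConfig -Name "allow-rdp-management" `
    -Description "RDP only from the management network" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $managementRange -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$httpsFromInternet = New-AzureRmNetworkSecurityRuleConfig -Name "allow-https-internet" `
    -Description "Public web traffic" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

# Block the subnet from initiating RDP to other subnets (outbound rule):
# a compromised web server should not be able to pivot over 3389.
$noOutboundRdp = New-AzureRmNetworkSecurityRuleConfig -Name "deny-outbound-rdp" `
    -Description "Web tier must not open RDP sessions" `
    -Access Deny -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

# Anything inbound that no rule above allows is dropped by the built-in
# DenyAllInBound rule (priority 65500); VNET and load-balancer probe traffic
# is still allowed by the built-in rules at 65000 and 65001.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Name "web-nsg" `
    -Location $location -SecurityRules $rdpFromManagement, $httpsFromInternet, $noOutboundRdp

# Associate the NSG with the subnet and save the VNET.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name "AzEssentialsVnet"
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "web" `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Review: custom rules in evaluation order. Any Allow with source "*" or
# "Internet" on a management port is what this check is meant to surface.
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Name "web-nsg" |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Applying the NSG to the subnet rather than to each NIC means a VM added to the subnet later, by someone who forgets the NIC association, still gets the same rules; a NIC-level NSG can be layered on top for a single VM that needs a stricter set.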

AVAILABILITY SET
Azure VMs reside on physical servers hosted within Microsoft's Azure datacenters. As with most physical devices, there is a chance that there could be a failure. If the physical server fails, the Azure VMs hosted on that server will also fail. Should a failure occur, the Azure platform will migrate the VM to a healthy host server on which to reconstitute the VM. This service-healing process could take several minutes. During that time, the application(s) hosted on that VM will not be available.
Besides hardware failures, the VMs could be affected by periodic updates initiated by the Azure platform itself. Microsoft will periodically upgrade the host operating system on which the guest VMs are running (you're still responsible for the operating system patching of the guest VM that you create). During these updates, the VM will be rebooted and thus temporarily unavailable.
To avoid a single point of failure, it is recommended to deploy at least two instances of the VM. In fact, Azure provides an SLA only when two or more VMs are deployed into an availability set. This is a logical feature used to ensure that a group of related VMs are deployed so that they are not all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter. The first two VMs deployed in an availability set are allocated to two different fault domains, ensuring that a single point of failure will not affect them both simultaneously. Similarly, the first five VMs deployed in an availability set are allocated to five different update domains, minimizing the impact when the Azure platform induces host operating system updates one update domain at a time. VMs placed in an availability set should perform an identical set of functionalities.
The number of fault domains and update domains is different depending on the deployment model, Resource Manager or classic. In the Resource Manager model, you can have up to 3 fault domains and 20 upgrade domains. With the classic model, you can have 2 fault domains and 5 upgrade domains.

CREATE VIRTUAL MACHINES

There are two tiers for Azure Virtual Machines, Basic and Standard. VMs in the Basic tier are well suited for workloads that do not require load balancing or the ability to autoscale. VMs in the Standard tier support all Azure Virtual Machines configurations and features. This tier is recommended for most production scenarios.
The Basic tier contains only a subset of the A-series VM sizes, A0–A4. The Standard tier supports all available VM sizes and series: A-Series, D-Series, Dv2-Series, F-Series, and G-Series. There are also variants of the D, Dv2, F, and G-Series sizes, called DS, DSv2, F, and GS, which support Azure Premium Storage.
Note With the introduction of the F-Series VM sizes, Microsoft announced a new naming standard for VM sizes. Starting with the F-Series and applying to any future VM sizes, a numeric value after the family name will match the number of CPU cores. Additional capabilities, such as premium storage, will be designated by a letter following the CPU core count. For example, Standard_F8s will indicate an F-Series VM supporting premium storage with eight CPU cores (the "s" indicates premium storage support). This new naming standard will not be applied to previously introduced VM sizes.

• A-Series The "traditional" sizes that have been around since Azure Virtual Machines was introduced. These are your general-purpose VMs.
• D-Series Introduced in September 2014, they feature processors that are 60 percent faster than the A-Series, a higher memory-to-core ratio, and an SSD for the temporary physical disk.
• Dv2-Series Introduced in October 2015, the Dv2-Series are the next generation of the D-Series instances. They carry the same memory and disk configuration as the D-Series, yet they are on average 35 percent faster than the D-Series (thanks to the 2.4 GHz Intel® Xeon® E5-2673 v3 [Haswell] processor).
• G-Series Introduced in January 2015, the G-Series VMs are intended for your most demanding workloads. The G-Series VMs feature two times more memory and four times more storage than D-Series VMs and also include the latest Intel® Xeon® E5 v3 processors. G-Series VMs also use an SSD for the temporary physical disk.
• F-Series Introduced in June 2016, the F-Series VMs provide the same CPU performance (the same 2.4 GHz Intel® Xeon® E5-2673 v3 [Haswell] processor) as the Dv2-Series VMs but at a lower per-hour price. The difference with the F-Series is they feature 2 GB of memory per CPU core and less local SSD space. The F-Series can be an excellent choice for workloads that might not benefit from additional memory or local SSD space.
• N-Series Announced in September 2015, the N-Series VMs feature GPU capabilities, powered by NVIDIA. At the time of this writing, N-Series VMs are limited to a private preview.
One of the easiest ways to get started creating Azure VMs is to use the Azure portal.

CREATE A VIRTUAL MACHINE WITH THE AZURE PORTAL

If you haven't already done so, log into the Azure portal at http://portal.azure.com. At this point, you will need an Azure subscription. If you don't have one, you can sign up for a free trial at http://azure.microsoft.com.
To get started, click New in the navigation section of the site and then the Virtual Machines option in the Marketplace. As can be seen in Figure 3-4, doing so opens the Virtual Machines Marketplace blade, where you can select from a wide range of VM configurations and preconfigured images from Microsoft, Microsoft partners, and ISVs. The images in the Marketplace include official images from Microsoft for Windows-based deployments such as Windows Server 2012, Microsoft SharePoint server farms, and more, and select partners such as Red Hat, Canonical, DataStax, Oracle, and many more.

Figure 3-4 The Virtual Machines Marketplace.

For the purposes of this example, select the Windows Server 2012 R2 Datacenter image. If it isn't immediately listed, you can search for the desired image. On the resulting blade, you can read information about the image, including any operating system updates. You will also have the option to choose a deployment model, either Resource Manager or Classic. For the purposes of this example, choose Resource Manager. Click the Create button to proceed with creating your new VM.
Note As Microsoft and its partners transition to the Resource Manager model, an increasing number of images in the Marketplace are only available via the Resource Manager model.

Next, the Creαte Virtuαl Mαchine blαde should open αnd then extend the first
blαde to configure bαsic settings. Αs you cαn see in Figure 3-5, on this blαde
you provide severαl importαnt detαils αbout your new VM:
Figure 3-5 Ceate Virtual Machine blade.

• Nαme The nαme of the VM


• User Nαme The αdministrαtive user nαme
• Pαssword The pαssword for the αdministrαtive user
• Subscription The Αzure subscription to use if you hαve more thαn one
• Resource Group Provides α logicαl contαiner for Αzure resources (to
help mαnαge resources thαt αre often deployed together)
• Locαtion The Αzure region where the VM should be plαced
When finished with the Bαsics blαde, click the OK button to proceed to the
next step to select your VM size. Not αll VM sizes αre αvαilαble in αll Αzure
regions. If α size is not αvαilαble in the selected region, thαt size option will
show αs disαbled when viewing αll the VM sizes.
Αfter selecting the VM size, you’ll move to the third configurαtion blαde, αs
seen in Figure 3-6, to set up feαtures relαted to storαge, networking,
monitoring, αnd αvαilαbility.
Figure 3-6 Optional configuration settings for a new Azure VM.

Let's walk through several of the important settings in this third blade:
• Storage Select the storage medium for the OS disk in the new Azure VM.
• Disk Type Select either a Standard (backed by a traditional magnetic HDD) or Premium (backed by SSD) disk.
• Storage Account Select the Azure Storage account in which to place the OS disk. This can be a new storage account or an existing storage account.
• Network All VMs in the Resource Manager model must be placed within a VNET.
• Virtual Network Either select an existing VNET or create a new one. VMs in the same VNET can access one another by default.
• Subnet Select the subnet (range of IP addresses from the VNET) in which to place the VM.
• Public IP Address Optionally, choose to create a new public (either dynamic or static) IP address, or select None to not have a publicly accessible IP address for the VM.
• Network Security Group Configure a set of inbound and outbound firewall rules that control traffic to and from the VM. Note that the default is set to allow Remote Desktop Protocol (RDP) for Windows and SSH for Linux.
• Monitoring
• Diagnostics Choose to enable or disable diagnostic metrics for the VM. This setting enables the Azure Diagnostics extension that by default persists metric data to an Azure Storage account.
• Diagnostics Storage Account Select either an existing Azure Storage account or create a new one to which diagnostic metrics are written.
• Availability
• Availability Set Optionally, select the availability set in which to place the VM. This configuration cannot be changed once the VM is created.

Note Diagnostic data (that is, ETW events, performance counters, Windows and application logs, and so on) can optionally be sent to Azure Event Hubs. It is still necessary to enable the Azure Diagnostics extension; new configuration settings are used to optionally send the data to Azure Event Hubs.

The fourth, and final, step is a review step. Once some basic platform validation is complete, you will see a summary of the VM to be created. Select the OK button to start the deployment process. It may take several minutes before the VM is fully provisioned and ready for use.

CREATE A VIRTUAL MACHINE WITH A TEMPLATE

As mentioned in Chapter 1, one of the key features in the Resource Manager model is the ability to deploy full solutions, using many Azure services (or resources), in a consistent and easily repeatable manner by using templates. Azure Resource Manager templates (ARM templates) are JSON-structured files that explicitly state each Azure resource to use, related configuration properties, and any necessary dependencies. ARM templates are a great way to deploy solutions in Azure, especially solutions that include multiple resources.

As a simple example, if you want to create a solution that requires two VMs using a public load balancer, you can do that in the Azure portal. In doing so, you will need to create a storage account (or use an existing one), a virtual network, public IP addresses, an availability set, and a NIC for each VM. If you have to do this in a repeatable or automated manner, using the Azure portal may not be an optimal approach (due to risk of introducing human error into the process, speed of moving through a user interface, and so on). An alternative deployment mechanism would be to use an ARM template. The example below demonstrates using both PowerShell and Azure CLI commands to deploy the same template.

Deploying an ARM template via PowerShell

$resourceGroupName = "azureEssentials2016-VM"
$location = "centralus"

# Paths into a local clone of the azure-quickstart-templates repository.
$templateFilePath = "C:\Projects\azure-quickstart-templates\201-2-vms-loadbalancer-lbrules\azuredeploy.json"
$templateParameterFilePath = "C:\Projects\azure-quickstart-templates\201-2-vms-loadbalancer-lbrules\azuredeploy.parameters.json"

# Create the resource group that will contain everything the template deploys.
New-AzureRmResourceGroup -Name $resourceGroupName -Location $location

# Deploy the template into that resource group, supplying its parameter file.
New-AzureRmResourceGroupDeployment -Name "My_2_VMs_with_LB" `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile $templateFilePath `
    -TemplateParameterFile $templateParameterFilePath

Deploying an ARM template via the Azure CLI

azure group create --name AzureEssentials2016-VM2 --location centralus
azure group deployment create AzureEssentials2016-VM2 --template-file "C:\Projects\azure-quickstart-templates\201-2-vms-loadbalancer-lbrules\azuredeploy.json" --parameters-file "C:\Projects\azure-quickstart-templates\201-2-vms-loadbalancer-lbrules\azuredeploy.parameters.json"

The same view of the templates, lacking the integrated search capabilities, is available at https://github.com/Azure/azure-quickstart-templates. The template referenced in the example above can be found at https://github.com/Azure/azure-quickstart-templates/tree/master/201-2-vms-loadbalancer-lbrules.

CONNECTING TO A VIRTUAL MACHINE

After creating a new VM, one of the common next steps is to connect to the VM. Connectivity can be done by remotely accessing (for example, logging in remotely to) the VM for an interactive session or by configuring network access to allow other programs or services to communicate with the VM.

REMOTELY ACCESS A VIRTUAL MACHINE

When creating a Windows VM using the Azure portal, Remote Desktop is enabled by default. This is enabled via an NSG and the automatic configuration of the appropriate inbound security rule, allowing inbound TCP traffic on port 3389 (the default RDP port). To connect to a Windows VM, select the Connect button from the VM blade, as shown in Figure 3-7.

Figure 3-7 Connecting to a VM.

This will initiate a download to your local machine of a preconfigured Remote Desktop (.rdp) file. Open the RDP file and connect to the VM. You will need to provide the administrative user name and password set when initially provisioning the VM.

If a Linux VM was created, the process to connect remotely will be a bit different because you will not connect via Remote Desktop. Instead, you will connect via SSH in the standard way for Linux VMs. If you're connecting from Windows, you will likely use an SSH client such as PuTTY.

NETWORK CONNECTIVITY

By default, Azure VMs are not able to accept requests from the Internet. To do so, a VM must be configured to permit inbound network traffic.

Note Configuring network connectivity sets rules for how network traffic reaches the VM. It does not have any relation to the firewall (software or similar features) running on the VM itself. You might need to configure the server's firewall to allow traffic on the desired port and protocol.

In the Resource Manager model, a VM has inbound connectivity from the Internet if it either has a public IP address on the associated NIC or is the NAT/load-balanced target of an Azure load balancer. NSGs can further restrain that connectivity. To view the NSG rules for a VM using the Azure portal, you will need to start by examining the network interface in the Settings blade for the VM. From there, you would view the Inbound Security Rules on the NSG. There are several blades to move through when viewing this information in the Azure portal. The path would be as follows:

[Your VM] > Settings > Network Interfaces > [Select the NIC] > Settings (for the selected NIC) > Network Security Group > [Select the Network Security Group] > Settings (for the selected NSG) > Inbound Security Rules

In the end, you should get to a screen that looks like that shown in Figure 3-8.

Figure 3-8 The Inbound Security Rules for an NSG on a VM.

Another approach to viewing the NSG configuration is to use the Get-AzureRmNetworkSecurityGroup PowerShell cmdlet.

When using a load balancer in conjunction with one or more VMs in an availability set, the connectivity from the public Internet to the VM is controlled by inbound NAT rules and load balancing rules, as seen in Figure 3-9. The rules are part of the load balancer resource configuration, not the VM. The load balancer is configured to work with, or target, the specific VM(s).

Figure 3-9 The Inbound NAT Rules for a Load Balancer resource targeting a Resource Manager VM.

For classic Azure VMs, the Azure Load Balancer exposes endpoints for an Azure cloud service. It is the configuration of the Azure Load Balancer that controls how requests from the Internet reach a specific port using a related protocol (such as TCP or UDP) on the VM. This configuration sets up the Azure Load Balancer to allow traffic from the Internet, creating a mapping between public ports on the Azure Load Balancer and private ports on the VM.

Note NSGs can be applied to both classic VMs and Resource Manager VMs. For the purposes of this scenario on virtual machine connectivity, NSGs are not discussed for classic VMs.
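The NSG discussion above makes two points worth combining: the portal's default inbound rule opens RDP (or SSH) to any source, and Get-AzureRmNetworkSecurityGroup gives you the rules programmatically. The PowerShell below is an added example, not code from the book, that walks a set of inbound rules and reports every Allow rule exposing TCP 3389 or 22 to "*", the Internet tag or 0.0.0.0/0, so the source can be narrowed to a management range. The rule objects are constructed here to mirror the property names on the SecurityRules collection; the function names are my own.

```powershell
# Added example, not from the book: report inbound NSG rules that expose
# management ports to any Internet source. Runs offline on the constructed
# rules below; in practice feed it
# (Get-AzureRmNetworkSecurityGroup -Name <nsg> -ResourceGroupName <rg>).SecurityRules

$managementPorts = @{ '3389' = 'RDP'; '22' = 'SSH' }

function Test-SourceIsAnyInternet {
    param([string]$Source)
    # In NSG rules '*', the Internet service tag and 0.0.0.0/0 all mean "anyone".
    return ($Source -in @('*', 'Internet', '0.0.0.0/0'))
}

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Find-ExposedManagementPorts {
    param([object[]]$Rules)
    $findings = @()
    # Rules are evaluated lowest priority number first; sort so the report
    # reads in the same order the platform applies them.
    foreach ($rule in ($Rules | Sort-Object { [int]$_.Priority })) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if (-not (Test-SourceIsAnyInternet $rule.SourceAddressPrefix)) { continue }
        foreach ($port in $managementPorts.Keys) {
            if (Test-PortInRange $rule.DestinationPortRange ([int]$port)) {
                $findings += [pscustomobject]@{
                    Rule     = $rule.Name
                    Priority = $rule.Priority
                    Service  = $managementPorts[$port]
                    Port     = $port
                    Source   = $rule.SourceAddressPrefix
                    Action   = 'Restrict SourceAddressPrefix to a management CIDR, or remove the rule'
                }
            }
        }
    }
    return $findings
}

# Constructed sample: the rule the portal adds by default for a Windows VM,
# plus a correctly scoped SSH rule and a web rule that should not be flagged.
$sampleRules = @(
    [pscustomobject]@{ Name = 'default-allow-rdp'; Priority = 1000; Direction = 'Inbound'; Access = 'Allow'
                       Protocol = 'Tcp'; SourceAddressPrefix = '*'; DestinationPortRange = '3389' },
    [pscustomobject]@{ Name = 'allow-ssh-from-mgmt'; Priority = 1010; Direction = 'Inbound'; Access = 'Allow'
                       Protocol = 'Tcp'; SourceAddressPrefix = '203.0.113.0/24'; DestinationPortRange = '22' },
    [pscustomobject]@{ Name = 'allow-https'; Priority = 1020; Direction = 'Inbound'; Access = 'Allow'
                       Protocol = 'Tcp'; SourceAddressPrefix = 'Internet'; DestinationPortRange = '443' }
)

Find-ExposedManagementPorts -Rules $sampleRules | Format-Table -AutoSize
# Only default-allow-rdp is reported: TCP 3389 allowed from '*'.
```

Port ranges such as "3000-4000" and the "*" wildcard are handled, since a broad range can expose a management port without naming it. The same check applies to a load balancer's inbound NAT rules in spirit, but those live on the load balancer resource, not the NSG, as the text explains.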

CONFIGURING AND MANAGING A VIRTUAL MACHINE

Creating an Azure VM is only the beginning. There are several important factors that you should consider to successfully manage the VMs. Factors such as scalability, SLA, disk management, and machine maintenance are all important to consider.

The overall management of the VMs is largely the user's responsibility; you can do pretty much whatever you desire on the VM. Configuration and management of the VM can be done via numerous methods, such as manually via a Remote Desktop connection, remotely using PowerShell or PowerShell DSC (desired state configuration), or VM extensions for popular tools like Chef and Puppet. There is a wide range of choices for configuring the VM; the choice is yours.

DISKS

As mentioned earlier in this chapter, Azure VMs have two types of disks: an OS disk and a data disk. These disks are durable (or persistent) disks backed by page blobs in Azure Storage. You have several options for configuring and using the disks for your VM.

Azure Storage uses page blobs to store the VHDs. For VMs that use Standard storage, the VHD is stored in a sparse format. This means that Azure Storage charges apply only for data within the VHD that has actually been written. Because of this, it is recommended that you use a quick format when formatting the disks. A quick format will avoid storing large ranges of zeros within the page blob, thus conserving actual storage space and saving you money. However, if the VM uses Premium storage, you are charged for the full disk size. Meaning, if you attach a P20 disk (which has a size of 512 GB) to a VM and allocate 300 GB for the drive, you are charged the full price for the P20 disk (not just the space used or allocated). Therefore, it is usually wise to allocate the full size for the drive because you're charged for it anyway.

DISK CACHING

Azure Virtual Machines has the ability to cache access to OS and data disks. Caching potentially can reduce transactions to Azure Storage and can improve performance for certain workloads. There are three disk cache options: Read/Write, Read Only, and None.

The OS disk has two cache options: Read/Write (default) and Read Only. The data disk has three cache options: Read/Write, Read Only, and None (default).

You should thoroughly test the disk caching configuration for your workload to ensure it meets your performance objectives.

ATTACH A DISK

To add a data disk to a VM, you can start with a new, empty disk or upload an existing VHD. Either can be done using the Azure portal (or using Azure PowerShell or the Azure CLI).

By browsing to the Disks option in the Settings menu, as seen in Figure 3-10, you can view all the OS and data disks that are attached to the current VM. This view also allows you to see the disk type (Standard or Premium), size, estimated performance, and cache setting.

Figure 3-10 Number and size of disks.

To create and attach a new disk, first click the Disks option in the Settings menu to open the Disks blade. On this blade, you will be able to attach a new disk or attach an existing disk.

To attach a new disk, click Attach New. From the resulting Attach New Disk blade, as seen in Figure 3-11, you will be able to provide several key settings:
• Name Provide your own or accept the default.
• Type A disk backed by either Azure Standard Storage or Azure Premium Storage.
• Size The size of the new data disk (VHD).
• Location The Azure Storage account and blob container that will store your new data disk. You can either select an existing storage account and container or create a new storage account.
• Host Caching The cache option to use for the data disk.

Figure 3-11 Attach a new data disk.

To attach an existing data disk, click Attach Existing on the Disks blade. The resulting Attach Existing Disk blade will present an option to select an existing VHD from your Azure Storage account, as you can see in Figure 3-12. You can use your favorite Azure Storage management tool to upload an existing VHD to a blob container in the desired storage account (be sure that the VHD is set as a page blob and not a block blob).

Figure 3-12 The Attach Existing Disk blade.
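The settings the Attach New Disk and Attach Existing Disk blades ask for (name, size, location, host caching) map directly onto parameters of the Add-AzureRmVMDataDisk cmdlet the text mentions as the PowerShell alternative. The script below is an added example, not code from the book: it attaches two new empty data disks with different cache settings and then one existing VHD to a Resource Manager VM. The resource group, VM, disk names and the imported VHD's blob name are placeholders, and it assumes the data disks should go into the same blob container as the VM's OS disk.

```powershell
# Added example, not from the book: attach data disks to an existing
# Resource Manager VM with Azure PowerShell (AzureRM module, as used in this
# chapter). Names below are placeholders; the VHDs are created in the same
# blob container as the VM's OS disk.

$resourceGroupName = "AzureEssentials2-vm"   # placeholder
$vmName            = "ezazure3"              # placeholder

$vm = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName

# https://<account>.blob.core.windows.net/<container>/ taken from the OS disk URI
$osDiskUri    = $vm.StorageProfile.OsDisk.Vhd.Uri
$containerUri = $osDiskUri.Substring(0, $osDiskUri.LastIndexOf('/') + 1)

# Each data disk needs a unique LUN; continue numbering after existing disks.
$nextLun = $vm.StorageProfile.DataDisks.Count

# New, empty disks. Host caching is chosen per workload: None for a
# write-heavy log disk, ReadOnly for read-mostly content.
$newDisks = @(
    @{ Name = "$vmName-data-logs";    SizeGB = 128; Caching = 'None' },
    @{ Name = "$vmName-data-content"; SizeGB = 256; Caching = 'ReadOnly' }
)
foreach ($d in $newDisks) {
    $vm = Add-AzureRmVMDataDisk -VM $vm -Name $d.Name -Lun $nextLun `
            -VhdUri ('{0}{1}.vhd' -f $containerUri, $d.Name) `
            -Caching $d.Caching -CreateOption Empty -DiskSizeInGB $d.SizeGB
    $nextLun++
}

# An existing VHD already uploaded to the container as a page blob
# (placeholder blob name); CreateOption Attach uses it as-is.
$vm = Add-AzureRmVMDataDisk -VM $vm -Name "$vmName-data-import" -Lun $nextLun `
        -VhdUri ('{0}imported-data.vhd' -f $containerUri) `
        -Caching ReadOnly -CreateOption Attach

# Nothing changes in Azure until the updated VM definition is submitted.
Update-AzureRmVM -ResourceGroupName $resourceGroupName -VM $vm

# Confirm what is attached, with LUN and cache setting, for the record.
(Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName).StorageProfile.DataDisks |
    Select-Object Name, Lun, DiskSizeGB, Caching
```

The disks appear in the guest as raw, unallocated disks and still need to be initialized and formatted, which is the subject of the next section.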

FORMATTING DISKS

Once the data disks are attached to the Azure VM, each data disk needs to be formatted (or initialized), just like a disk on a physical server. Because Standard storage disks are billed only for the occupied space, it is recommended that you use a quick format when formatting the disks. A quick format will avoid storing large ranges of zeros within the page blob, thus conserving actual storage space and saving you money.

To format the disk(s), remotely connect to the VM. For a Windows VM, once you are connected and logged into the VM, open Disk Management. Disk Management is a native Windows application that allows you to view the disks and format any unallocated disks. As can be seen in Figure 3-13, proceed by right-clicking the unallocated disk and selecting Initialize Disk.

Figure 3-13 Windows Disk Management.

Complete the wizard to initialize the disk. Once the disk has been initialized, you can proceed with formatting the disk.
1. Right-click the disk and select New Simple Volume. The New Simple Volume Wizard should open.
2. Continue through the wizard, selecting the desired volume size and drive letter.
3. When presented with an option to format the volume, be sure to select Perform A Quick Format.
4. Finish the steps in the wizard to start formatting the disk.


DISK PERFORMANCE

Another factor to be aware of with Azure VM disks is IOPS. At the time of this writing, each data disk backed by Azure Standard Storage has a maximum of 500 IOPS and 60 MB/s (for Standard-tier VMs). For Azure VMs backed by Azure Premium Storage (that is, DS, DSv2, F, and GS-series VMs), there is currently a maximum of 5,000 IOPS and 200 MB/s per disk, depending on the specific tier of Azure Premium Storage used. This might or might not be sufficient for the desired workload. You should conduct performance tests to ensure the disk performance is sufficient. If it is not, consider adding disks and creating a disk array via Storage Spaces on Windows or mdadm on Linux. Because Azure Storage keeps three copies of all data, it is only necessary to use RAID 0.

See Also For more information on advanced configuration of Azure VM disks, including striping and Storage Spaces, please review the Microsoft Azure whitepaper available at http://msdn.microsoft.com/library/azure/dn133149.aspx. Although the referenced whitepaper is specific to running SQL Server on an Azure VM, the disk configuration details are common across a multitude of workloads.
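The two preceding sections recommend a quick format and, when a single disk's IOPS ceiling is too low, a Storage Spaces stripe using RAID 0 only (Azure Storage already keeps three copies). This PowerShell script, added here and not part of the book, runs inside the Windows VM and does both with the built-in Storage module: it pools every poolable data disk into a simple (striped) virtual disk with one column per disk, then quick-formats it. The pool and volume names and the 64 KB interleave and allocation unit size are assumptions to tune for the workload.

```powershell
# Added example, not from the book: inside a Windows Azure VM, stripe all
# attached but unused data disks into one Storage Spaces simple (RAID 0)
# virtual disk and quick-format it. Uses only the built-in Storage module.
# Pool/volume names and the 64 KB interleave and allocation unit are assumptions.

$poolName   = "AzureDataPool"
$diskName   = "DataStripe"
$volumeName = "Data"

# Raw Azure data disks show up as poolable; the OS and temporary disks do not.
$eligible = @(Get-PhysicalDisk -CanPool $true)
if ($eligible.Count -eq 0) { throw "No poolable disks; attach data disks to the VM first." }

$subsystem = Get-StorageSubSystem | Select-Object -First 1
New-StoragePool -FriendlyName $poolName `
    -StorageSubSystemUniqueId $subsystem.UniqueId `
    -PhysicalDisks $eligible | Out-Null

# Simple = striping without redundancy (Azure Storage already keeps three
# copies). One column per disk spreads every I/O over all disks, which is
# what lifts the IOPS ceiling above the per-disk limit quoted in the text.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $diskName `
    -ResiliencySettingName Simple `
    -NumberOfColumns $eligible.Count `
    -Interleave 65536 `
    -UseMaximumSize

# Initialize, partition and format. Format-Volume is a quick format unless
# -Full is given, so unwritten ranges are never pushed into the page blob.
$vdisk | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $volumeName `
        -AllocationUnitSize 65536 -Confirm:$false
```

Run it once, after all data disks for the array are attached: disks added to the pool later would need a new virtual disk, because a simple space keeps the column count it was created with.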

FAULT DOMAINS AND UPDATE DOMAINS

For Resource Manager VMs, you can view the update and fault domains by looking at the Availability Set resource associated with the VMs, as seen in Figure 3-14.

Figure 3-14 Update and fault domains for Resource Manager VMs.

If there is an existing availability set, the VM can be placed within the availability set as part of the VM provisioning process. If there is not an existing availability set, one will need to be created.

Note At the time of this writing, for Resource Manager VMs, the VM must be added to the desired availability set at the time the VM is created. The VM cannot be added to the availability set at a later time.

You can view the update and fault domains used for your classic VMs by looking at the related Cloud Service (Classic) in the Azure portal. As seen in Figure 3-15, the first five VMs are each placed in a different update domain, and the sixth VM is placed in update domain 0.

Figure 3-15 VMs, update domains, and fault domains for classic VMs.

A similar view can be found in the Azure classic portal, as shown in Figure 3-16.

Figure 3-16 VMs, update domains, and fault domains for classic VMs in the Azure classic portal.

IMAGE CAPTURE

Once you have your new Azure VM configured as you would like it, you might want to create a clone of the VM. For example, you might want to create several more VMs using the one you just created as a template. You do this by capturing the VM and creating a generalized VM image. When you create a VM image, you capture not only the OS disk, but also any attached data disks.

When you capture the VM to use it as a template for future VMs, you will no longer be able to use the original VM (the original source) because it is deleted after the capture is completed. For classic VMs, you will find a template image available for use in your Virtual Machine gallery in the Azure classic portal. As of this writing, there is no view available in the Azure portal for viewing images related to Resource Manager VMs. Instead, you will need to look for the image in the same storage account as the original VM (most often the image will be stored at a path similar to https://[storage_account].blob.core.windows.net/system/Microsoft.Compute/Images/[cont
emplate_prefix]-osDisk.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.vhd).

CAPTURE A WINDOWS VM IN THE RESOURCE MANAGER MODEL

To capture a Windows VM in the Resource Manager model, you will use Azure PowerShell, the Azure CLI, or the Azure Resource Explorer tool. Capturing a VM is not yet possible in the Azure portal. To capture a Windows VM, complete the following steps:
1. Connect to the VM using Remote Desktop (as discussed earlier in this chapter).
2. Open a command prompt window as the administrator.
3. Navigate to the %windir%\system32\sysprep directory and then run Sysprep.exe.
4. In the System Preparation Tool, perform the following actions:
a. From the System Cleanup Action list, select Enter System Out-Of-Box Experience (OOBE).
b. Select the Generalize check box.
c. In the Shutdown Options drop-down list, select Shutdown.
5. The VM will run sysprep. If you are still connected to the VM via RDP, you will be disconnected when it begins to shut down. Watch the VM in the Azure portal until it completely shuts down and shows a status of Stopped.
6. Open PowerShell and log into your Azure account using the Login-AzureRmAccount cmdlet. Optionally, select the necessary Azure subscription using the Select-AzureRmSubscription cmdlet.
7. Stop and deallocate the VM's resources by using the Stop-AzureRmVM cmdlet, as seen in the example below. The VM's status will change from Stopped to Stopped (Deallocated).
Stop-AzureRmVM -ResourceGroupName AzureEssentials2-vm -Name ezazure3
8. Set the status of the VM to Generalized by using the Set-AzureRmVM cmdlet, as seen in the example below.
Set-AzureRmVM -ResourceGroupName AzureEssentials2-vm -Name ezazure3 -Generalized

Tip View the VM status using the Get-AzureRmVM cmdlet, as shown below. This will show you a VM generalized status when the previous command is complete. The VM generalized status will not appear in the Azure portal.
(Get-AzureRmVM -ResourceGroupName AzureEssentials2-vm -Name ezazure3 -Status).Statuses

9. Capture the VM, placing the image in an Azure Blob storage container folder, by executing the Save-AzureRmVMImage cmdlet, as seen in the example below. Note that the value of the DestinationContainerName parameter is not a top-level blob container, but a folder under the System container, as can be seen in Figure 3-17. You can also see the full path to the image file by looking in the saved JSON file under the resource\storageProfile\osDisk\image\uri location.
Save-AzureRmVMImage -ResourceGroupName AzureEssentials2-vm -VMName ezazure3 -DestinationContainerName myimages -VHDNamePrefix ezvm -Path C:\temp\imagetemplate.json

Figure 3-17 The VHD associated with the saved VM image.

Note The saved JSON file is a valid ARM template file that can be used to create a new Azure VM based on the saved image. You will need to add any additional required components, such as a NIC.

With the image safely stored in Azure Storage, you can use this image as the basis for new Azure VMs. To do so, you would use the Set-AzureRmVMOSDisk cmdlet, specifying the path to the saved VHD in the SourceImageUri parameter. Keep in mind that the image and the OS disk must be in the same storage account. If they are not, you will need to copy the image VHD to the desired storage account. A full example can be seen below (replace with your values as appropriate).

Creating a new Azure VM from a captured VM image

$resourceGroupName = "EZazureVM-2016"
$location = "centralus"
$capturedImageStorageAccount = "azureessentials2vm4962"
$capturedImageUri = "https://azureessentials2vm4962.blob.core.windows.net/system/Microsoft.Compute/Images/myimages/ezvm-osDisk.c55c8313-adf0-4517-8830-040c402379ab.vhd"
$capturedImageStorageAccountResourceGroup = "azureEssentials2-vm"

# Create the new resource group.
New-AzureRmResourceGroup -Name $resourceGroupName -Location $location

# !!!! This example assumes the new VM is in a different resource group and storage account from the captured VM. !!!!
# Get a key for the source storage account and build a storage context for the blob copy.
$srcKey = Get-AzureRmStorageAccountKey -StorageAccountName $capturedImageStorageAccount `
    -ResourceGroupName $capturedImageStorageAccountResourceGroup
$srcContext = New-AzureStorageContext -StorageAccountName $capturedImageStorageAccount `
    -StorageAccountKey $srcKey.Key1

# **** Create the Network Resources ****
$publicIp = New-AzureRmPublicIpAddress -Name "MyPublicIp01" `
    -ResourceGroupName $resourceGroupName `
    -Location $location -AllocationMethod Dynamic
$subnetConfiguration = New-AzureRmVirtualNetworkSubnetConfig -Name "MySubnet" `
    -AddressPrefix "10.0.0.0/24"
$virtualNetworkConfiguration = New-AzureRmVirtualNetwork -Name "MyVNET" `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -AddressPrefix "10.0.0.0/16" `
    -Subnet $subnetConfiguration
$nic = New-AzureRmNetworkInterface -Name "MyServerNIC01" `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -SubnetId $virtualNetworkConfiguration.Subnets[0].Id `
    -PublicIpAddressId $publicIp.Id

# **** Create the new Azure VM ****
# Get the admin credentials for the new VM
$adminCredential = Get-Credential

# Create the storage account that will hold the copied image and the new OS disk
$storageAccount = New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName `
    -Name "ezazurevm2016" -Location $location -Type Standard_LRS

# Copy the captured image from the source storage account to the destination storage account
$destImageName = $capturedImageUri.Substring($capturedImageUri.LastIndexOf('/') + 1)
New-AzureStorageContainer -Name "images" -Context $storageAccount.Context
Start-AzureStorageBlobCopy -AbsoluteUri $capturedImageUri -DestContainer "images" `
    -DestBlob $destImageName -DestContext $storageAccount.Context -Context $srcContext -Verbose
# The copy is asynchronous; block until it finishes before referencing the blob
Get-AzureStorageBlobCopyState -Context $storageAccount.Context -Container "images" `
    -Blob $destImageName -WaitForComplete

# Build the URI for the image in the new storage account
$imageUri = '{0}images/{1}' -f $storageAccount.PrimaryEndpoints.Blob.ToString(), $destImageName

# Set the VM configuration details
$vmConfig = New-AzureRmVMConfig -VMName "ezazurevm10" -VMSize "Standard_D1"
# Set the operating system details
$vm = Set-AzureRmVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmConfig.Name `
    -Credential $adminCredential -TimeZone "Eastern Standard Time" -ProvisionVMAgent -EnableAutoUpdate

# Set the NIC
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
# Create the OS disk URI
$osDiskUri = '{0}vhds/{1}_{2}.vhd' -f $storageAccount.PrimaryEndpoints.Blob.ToString(), $vm.Name.ToLower(), ($vm.Name + "_OSDisk")
# Configure the OS disk to use the previously saved image
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $vm.Name -VhdUri $osDiskUri -CreateOption FromImage `
    -SourceImageUri $imageUri -Windows

# Create the VM
New-AzureRmVM -ResourceGroupName $resourceGroupName -Location $location -VM $vm

For Linux VMs, the capture process is similar. Although you can use PowerShell to capture the VM, a common approach is to use the Azure CLI. You would use three basic Azure CLI commands:

azure vm stop -g <resource group name> -n <vm name>
azure vm generalize -g <resource group name> -n <vm name>
azure vm capture <resource group name> <vm name> <vhd prefix> -t <template file name>

As an alternative to using PowerShell or the Azure CLI, you can use the Azure Resource Explorer tool available at https://resources.azure.com. This tool allows you to work against the Azure Resource Manager (ARM) native REST APIs in a user-friendly manner. After signing into your Azure account and setting the tool to Read/Write mode to allow PUT, POST, and DELETE operations (default is Read Only, allowing GET operations), you will need to find the VM you want to capture. Once you've located the VM, go to the tab for Actions (POST/DELETE). There, you will find options, as seen in Figure 3-18, to deallocate, generalize, and capture the VM. Capturing the VM will create the VHD for the image and the JSON template file, just as executing the Save-AzureRmVMImage cmdlet or azure vm capture command would.

Figure 3-18 Capture a VM using the Azure Resource Explorer tool.

CAPTURE A WINDOWS VM IN THE CLASSIC MODEL

Similarly, in the classic model, there are several steps you will need to follow to capture a VM so it is available for use as a template image. The majority of the steps are the same as in the Resource Manager model. Once the VM has executed the sysprep process (or Linux equivalent), you will be able to initiate the capture process from within the Azure classic portal. Once the capture process is complete, the image will appear in your Virtual Machine gallery, under My Images. You can now use this image to create a new VM instance.

SCALING AZURE VIRTUAL MACHINES

As with most Azure services, Azure Virtual Machines follow a scale out, not scale up, model. This means it is preferable to deploy more instances of the same configuration than to add larger, more powerful machines. The approach for scaling out VMs varies depending on whether you're working with classic VMs or Resource Manager VMs.

RESOURCE MANAGER VIRTUAL MACHINES

In the Resource Manager model, you don't (typically) scale out VMs in an automated way, at least not how you would with VMs in the classic model. Instead, a different Azure resource construct is used for scaling out VMs: Azure Virtual Machine Scale Sets (often abbreviated as VMSS).

Virtual Machine Scale Sets are a relatively new Azure compute option for deploying and managing a set of identical VMs. You configure all VMs in a scale set in an identical manner. You configure the VM image to be used (operating system configuration, software installed on the VM, and so on) and let Azure provision the desired number of identical VMs (based on the provided image). The VMs in a scale set can run either a Windows or a Linux operating system. Scaling with VMSS does not require the preprovisioning of VMs within an availability set (like autoscale for classic VMs does). At the time of this writing, you can have up to 100 VMs in a VM scale set.

It should be noted that when working with VMSS, there is no data disk available (as you may have with a regular Azure VM). Data should be stored on either the OS disk or an external data store such as Azure Table, File, or Blob storage; Azure SQL Database; Azure DocumentDB; and so on.

VMSS can be provisioned either via the Azure portal or via an ARM template. Working with VMSS via an ARM template is likely to be the most common approach because doing so offers many more features than are currently available in the Azure portal. For instance, you can configure autoscale rules relatively easily using the ARM template. Such configuration is not yet available within the Azure portal.

Once the VMSS is created, as can be seen in Figure 3-19, you can see that it contains several familiar constructs, such as a load balancer, virtual network, IP address, and multiple Azure Storage accounts.

Figure 3-19 A resource group containing assets related to a new VMSS.

VMSS are the preferred way to implement a scale-out compute cluster in Azure. In fact, Azure uses VMSS to host higher-level services such as Azure Batch, Azure Service Fabric, and Azure Container Service.

CLASSIC VIRTUAL MACHINES

In the classic model, before VMs can be scaled (out or in), the instances must be placed within an availability set. When determining the scale-out approach for VMs, it is important to determine the maximum number of VMs because that maximum number of VMs must be created, configured, and placed into the availability set. When it comes time to scale out, the VMs within the availability set are used to fulfill the scale-out needs. VMs within an availability set should all be the same size to take advantage of Azure's autoscale feature.

CHAPTER 4
AZURE STORAGE

Microsoft Azure Storage is a Microsoft-managed service that provides durable, scalable, and redundant storage. Microsoft takes care of maintenance and handles critical problems for you. An Azure subscription can host up to 100 storage accounts, each of which can hold 500 TB. If you have a business case, you can talk to the Azure Storage team and get approval for up to 250 storage accounts in a subscription.

Azure Storage consists of four data services: Blob storage, File storage, Table storage, and Queue storage. Blob storage supports both standard and premium storage, with premium storage using only SSDs for the fastest performance possible. Another new feature added in 2016 is cool storage, allowing you to store large amounts of rarely accessed data for a lower cost.

In this chapter, we look at the four Azure Storage services. We talk about each one, discuss what they are used for, and show how to create storage accounts and manage the data objects. We'll also touch briefly on securing your applications' use of Azure Storage.

STORAGE ACCOUNTS

This reference table shows the various kinds of storage accounts and what objects are used with each.

Type of storage account   | General-purpose Standard storage account | General-purpose Premium storage account | Blob storage account, hot and cool access tiers
Services supported        | Blob, File, Table, Queue services         | Blob service                            | Blob service
Types of blobs supported  | Block blobs, page blobs, append blobs      | Page blobs                              | Block blobs and append blobs

You can view your data objects using one of a number of storage explorers, each of which has different capabilities. While you can view and update some data in the Azure portal, the customer experience is not complete. For example, you cannot upload blobs or add and view messages in a queue. In this chapter, we use the Azure portal, Visual Studio Cloud Explorer, and PowerShell to access the data.

Note After this chapter was completed, the Microsoft Azure Storage Explorer team released a new version that supports all four types of storage objects: blobs, files, tables, and queues. This is a free multi-platform tool that you can download from here: http://storageexplorer.com/

GENERAL-PURPOSE STORAGE ACCOUNTS

There are two kinds of general-purpose storage accounts.

STANDARD STORAGE

The most widely used storage accounts are Standard storage accounts, which can be used for all four types of data: blobs, files, tables, and queues. Standard storage accounts use magnetic media to store data.

PREMIUM STORAGE

Premium storage provides high-performance storage for page blobs and specifically virtual hard disks (VHDs). Premium storage accounts use SSD to store data. Microsoft recommends using Premium storage for all of your virtual machines (VMs).

BLOB STORAGE ACCOUNTS

The Blob storage account is a specialized storage account used to store block blobs and append blobs. You can't store page blobs in these accounts; therefore, you can't store VHD files. These accounts allow you to set an access tier to Hot or Cool; the tier can be changed at any time.

The hot access tier is used for files that are accessed frequently. For blobs stored in the hot access tier, you pay a higher cost for storing the blobs, but the cost for accessing the blobs is much lower.

The cool access tier is used for files that are accessed infrequently. For blobs stored in the cool access tier, you pay a higher cost for accessing the blobs, but the cost of storage is much lower.

STORAGE SERVICES
Azure Storage supports four kinds of objects that can be stored: blobs, files (on a file share), tables, and queues. Let's take a closer look at each one of these.

BLOB STORAGE
The word blob is an acronym for binary large object. Blobs are basically files like those that you store on your computer (or tablet, mobile device, etc.). They can be pictures, Microsoft Excel files, HTML files, virtual hard disks (VHDs), pretty much anything.
The Azure Blob service gives you the ability to store files and access them from anywhere in the world by using URLs, the REST interface, or one of the Azure SDK storage client libraries. Storage client libraries are available for multiple languages, including .NET, Node.js, Java, PHP, Ruby, and Python. To use the Blob service, you have to create a storage account. Once you have a storage account, you can create containers, which are similar to folders, and then put blobs in the containers. You can have an unlimited number of containers in a storage account and an unlimited number of blobs in each container, up to the maximum size of a storage account, which is 500 TB. The Blob service supports only a single-level hierarchy of containers; in other words, containers cannot contain other containers.
Azure Storage supports three kinds of blobs: block blobs, page blobs, and append blobs.
• Block blobs are used to hold ordinary files up to 195 GB in size (4 MB × 50,000 blocks). The primary use case for block blobs is the storage of files that are read from beginning to end, such as media files or image files for websites. They are named block blobs because files larger than 64 MB must be uploaded as small blocks, which are then consolidated (or committed) into the final blob.
• Page blobs are used to hold random-access files up to 1 TB in size. Page blobs are used primarily as the backing storage for the VHDs used to provide durable disks for Azure Virtual Machines (Azure VMs), the IaaS feature in Azure Compute. They are named page blobs because they provide random read/write access to 512-byte pages.
• Append blobs are made up of blocks like block blobs, but they are optimized for append operations. These are frequently used for logging information from one or more sources into the same blob. For example, you might write all of your trace logging to the same append blob for an application running on multiple VMs. A single append blob can be up to 195 GB.
Blobs are addressable through a URL, which has the following format:
https://[storage account name].blob.core.windows.net/[container]/[blob name]
The Blob service supports only a single physical level of containers. However, it supports the simulation of a file system with folders within the containers by allowing blob names to contain the '/' character. The client APIs provide support to traverse this simulated file system. For example, if you have a container called animals and you want to group the animals within the container, you could add blobs named cats/tuxedo.png, cats/marmalade.png, and so on. The URL would include the entire blob name including the "subfolder," and it would end up looking like this:
https://mystorage.blob.core.windows.net/animals/cats/tuxedo.png
https://mystorage.blob.core.windows.net/animals/cats/marmalade.png
When looking at the list of blobs using a storage explorer tool, you can see either a hierarchical directory tree or a flat listing. The directory tree would show cats as a subfolder under animals and would show the .png files in the subfolder. The flat listing would list the blobs with the original names, cats/tuxedo.png and cats/marmalade.png.
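To make the simulated file system concrete, here is a small added example (written for this edit; it is not code from the book or from the Azure SDK) that models what the List Blobs operation does when it is given a delimiter: it splits a container's flat names into blobs and BlobPrefix entries, which is what a storage explorer walks to draw the directory tree. The ANIMALS list is a constructed sample of the container described above.

```python
def list_blobs(blob_names, prefix="", delimiter="/"):
    """Model of the Blob service's List Blobs call with a delimiter (constructed
    for this example, not the Azure SDK). Names directly under `prefix` come back
    as blobs; deeper names collapse into one BlobPrefix entry per 'subfolder'."""
    blobs, blob_prefixes = [], []
    for name in sorted(blob_names):           # the service lists in lexical order
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):]
        cut = rest.find(delimiter)
        if cut == -1:
            blobs.append(name)                # no further delimiter: a blob at this level
        else:
            virtual_dir = prefix + rest[:cut + len(delimiter)]
            if virtual_dir not in blob_prefixes:
                blob_prefixes.append(virtual_dir)
    return blobs, blob_prefixes


def directory_tree(blob_names, prefix="", delimiter="/", depth=0):
    """Render the hierarchical view a storage explorer shows by walking the
    BlobPrefix entries recursively. The flat view is simply sorted(blob_names)."""
    lines = []
    blobs, blob_prefixes = list_blobs(blob_names, prefix, delimiter)
    for virtual_dir in blob_prefixes:
        lines.append("  " * depth + virtual_dir[len(prefix):])
        lines.extend(directory_tree(blob_names, virtual_dir, delimiter, depth + 1))
    for blob in blobs:
        lines.append("  " * depth + blob[len(prefix):])
    return lines


# Constructed sample: the flat contents of the container "animals".
ANIMALS = ["cats/tuxedo.png", "cats/marmalade.png", "dogs/rex.png", "readme.txt"]

if __name__ == "__main__":
    print("\n".join(directory_tree(ANIMALS)))
```

Note that nothing in the service enforces the hierarchy: a client can still address cats/tuxedo.png as one flat name, and a SAS or stored access policy scoped to the container covers every "subfolder" in it.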
You also can assign a custom domain to the storage account, which changes the root of the URL, so you could have something like this:
http://[storage.companyname.com]/[container]/[blobname]
This eliminates cross-domain issues when accessing files in blob storage from a website because you could use the company domain for both. Blob storage also supports Cross-Origin Resource Sharing (CORS) to help with this type of cross-source usage.
Note At this time, Microsoft does not support using a custom domain name with HTTPS.

FILE STORAGE
The Azure Files service enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. This means that multiple VMs can share the same files with both read and write access. The files can also be accessed using the REST interface or the storage client libraries. The Files service removes the need for you to host your own file shares in an Azure VM and go through the tricky configuration required to make it highly available.
One thing that's really special about Azure file shares versus file shares on-premises is that you can access the file from anywhere by using a URL that points to the file (similar to the blob storage URL displayed above). To do this, you have to append a shared access signature (SAS). We'll talk more about shared access signatures in the section on Security.
File shares can be used for many common scenarios:
• Many on-premises applications use file shares; this makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work without any changes.
• Configuration files can be stored on a file share and accessed by multiple VMs.
• Diagnostic logs, metrics, crash dumps, etc. can be saved to a file share to be processed and analyzed later.
• Tools and utilities used by multiple developers in a group can be stored on a file share to ensure that everyone uses the same version and that they are available to everyone in the group.
To make the share visible to a VM, you just mount it as you would any other file share, and then you can access it through the network URL or the drive letter to which it was assigned. The network URL has the format \\[storage account name].file.core.windows.net\[share name]. After the share is mounted, you can access it using the standard file system APIs to add, change, delete, and read the directories and files.
To create or view a file share or upload or download files to it from outside Azure, you can use the Azure portal, PowerShell, the Azure Command-Line Interface (CLI), the REST APIs, one of the storage client libraries, or AzCopy, a command-line tool provided by Microsoft. There are also several storage explorers you can use, as noted at the beginning of this chapter.
Here are some of the points about Azure Files that you need to know:
• When using SMB 2.1, the share is available only to VMs within the same region as the storage account. This is because SMB 2.1 does not support encryption.
• When using SMB 3.0, the share can be mounted on VMs in different regions, or even the desktop.
Note that to mount an Azure file share on the desktop, port 445 (SMB) must be open, so you may need to negotiate that with your company. Many ISPs and corporate IT departments block this port. This TechNet wiki shows a list of ISPs reported by Microsoft customers as allowing or disallowing port 445 traffic:
http://social.technet.microsoft.com/wiki/contents/articles/32346.azure-summary-of-isps-that-allow-disallow-access-from-port-445.aspx
• If using a Linux VM, you can only mount shares available within the same region as the storage account. This is because while the Linux SMB client supports SMB 3.0, it does not currently support encryption. The Linux developers responsible for SMB functionality have agreed to implement this, but there is no known time frame.
• If using a Mac, you can't mount Azure File shares because Apple's Mac OS doesn't support encryption on SMB 3.0. Apple has agreed to implement this, but there is no known time frame.
• You can access the data from anywhere by using the REST APIs (rather than SMB).
• The storage emulator does not support Azure Files.
• The file shares can be up to 5 TB.
• Throughput is up to 60 MB/s per share.
• The size limit of the files placed on the share is 1 TB.
• There are up to 1,000 IOPS (of size 8 KB) per share.
• Active Directory–based authentication and access control lists (ACLs) are not currently supported, but it is expected that they will be supported at some time in the future. For now, the Azure Storage account credentials are used to provide authentication for access to the file share. This means anybody with the share mounted will have full read/write access to the share.
• For files that are accessed repeatedly, you can maximize performance by splitting a set of files among multiple shares.

TABLE STORAGE
Azure Table storage is a scalable NoSQL data store that enables you to store large volumes of semistructured, nonrelational data. It does not allow you to do complex joins, use foreign keys, or execute stored procedures. Each table has a single clustered index that can be used to query the data quickly. You also can access the data by using LINQ queries and OData with the WCF Data Services .NET libraries. A common use of table storage is for diagnostics logging.
To use table storage, you have to create a storage account. Once you have a storage account, you can create tables and fill them with data.
A table stores entities (rows), each of which contains a set of key/value pairs. Each entity has three system properties: a partition key, a row key, and a timestamp. The partition key and row key combination must be unique; together they make up the primary key for the table. The PartitionKey property is used to shard (partition) the entities across different storage nodes, allowing for load balancing across storage nodes. All entities with the same PartitionKey are stored on the same storage node. The RowKey is used to provide uniqueness within a given partition.
To get the best performance, you should give a lot of thought to the PartitionKey and RowKey and how you need to retrieve the data. You don't want all of your data to be in the same partition; nor do you want each entity to be in its own partition.
The Azure Table service provides scalability targets for both storage accounts and partitions. The Timestamp property is maintained by Azure, and it represents the date and time the entity was last modified. The Azure Table service uses this to support optimistic concurrency with ETags.
In addition to the system properties, each entity has a collection of key/value pairs called properties. There is no schema, so the key/value pairs of each entity can contain values of different properties. For example, you could be doing logging, and one entity could contain a payload of {customer id, customer name, request date/time, request} and the next could have {customer id, order id, item count, date-time order filled}. You can store up to 252 key/value pairs in each table entity.
The number of tables is unlimited, up to the size limit of a storage account. Tables can be managed by using the storage client library. The Table service also supports a REST API that implements the OData protocol; tables are addressable with the OData protocol using a URL in the following format:
http://[storage account name].table.core.windows.net/[table name]

QUEUE STORAGE
The Azure Queue service is used to store and retrieve messages. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages, up to the maximum size of a storage account. Queues generally are used to create a list of messages to be processed asynchronously. The Queue service supports best-effort first in, first out (FIFO) queues.
For example, you might have a background process (such as a worker role or Azure WebJob) that continuously checks for messages on a queue. When it finds a message, it processes the message and then removes it from the queue. One of the most common examples is image or video processing. Let's say you have a web application that allows a customer to upload images into a container in blob storage. Your application needs to create thumbnails for each image. Rather than making the customer wait while this processing is done, you put a message on a queue with the customer ID and container name. Then, you have a background process that retrieves the message and parses it to get the customer ID and the container name. The background process then retrieves each image, creates a thumbnail, and writes the thumbnail back to the same blob storage container as the original image. After all images are processed, the background process removes the message from the queue.
What if you need the message to exceed 64 KB in size? In that case, you could write a file with the information to a blob in blob storage and put the URL to the file in the queue message. The background process could retrieve the message from the queue and then take the URL and read the file from blob storage to do the required processing.
Azure Queues provide at-least-once semantics in which each message may be read one or more times. This makes it important that all processing of the message be idempotent, which means the outcome of the processing must be the same regardless of how many times the message is processed.
When you retrieve a message from a queue, it is not deleted from the queue; you have to delete it when you're done with it. When the message is read from the queue, it becomes invisible. The Invisibility Timeout (called the visibility timeout in the REST API and client libraries) is the amount of time to allow for processing the message; if the message is not deleted from the queue within this amount of time, it becomes visible again for processing. In general, you want to set this property to the largest amount of time that would be needed to process a message so that while one instance of a worker role is processing it, another instance doesn't find it (visible) on the queue and try to process it at the same time.
You don't want to read the message from the queue, delete it from the queue, and then start processing it. If the receiver fails, that queue entry will never be processed. Leaving the message on the queue (but invisible) until the processing has completed handles the case of the receiving process failing: eventually, the message will become visible again and will be processed by another instance of the receiver.
You can simulate a workflow by using a different queue for each step. A message can be processed from one queue from which it is deleted on completion, and then that processing can place a new message on a different queue to initiate processing for the next step in the workflow. You can also prioritize messages by using multiple queues and processing the messages in them with different priorities.
The Queue service provides poison message support through the dequeue count. The concern is that an invalid message could cause an application handling it to crash, causing the message to become visible on the queue again only to crash the application again the next time the message is processed. Such a message is referred to as a poison message. You can prevent this by checking the dequeue count for the message. If this exceeds some level, the processing of the message should be stopped, the message deleted from the queue, and a copy inserted in a separate poison message queue for offline review. You could process those entries periodically and send an email when an entry is placed on the queue, or you could just let them accumulate and check them manually.
If you want to process the queue messages in batches, you can retrieve up to 32 messages in one call and then process them individually. Note, however, that when you retrieve a batch of messages, it sets the Invisibility Timeout for all of the messages to the same time. This means you must be able to process all of them within the time allotted.
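The visibility timeout, at-least-once delivery, idempotent handlers and the dequeue-count check described above interact in ways that are easier to watch running than to read about. The following is an added example for this edit, not code from the book: SimulatedQueue is a deliberately small in-memory stand-in for the Azure Queue service (the real service is reached through the REST API or a client library), FakeClock and the thumbnail handler are constructed for the scenario, and the poison limit of five attempts is an arbitrary choice.

```python
import time
from dataclasses import dataclass, replace


@dataclass
class QueueMessage:
    id: int
    body: str
    dequeue_count: int = 0      # Azure's DequeueCount: incremented on every Get
    visible_at: float = 0.0     # hidden from Get until the clock reaches this
    pop_receipt: str = ""       # needed to Delete; changes on every Get


class SimulatedQueue:
    """In-memory model of Azure Queue semantics (constructed for this example):
    Get does not delete a message, it hides it for the visibility timeout and
    bumps DequeueCount; the caller must Delete it with a current pop receipt."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._messages = []
        self._next_id = 1

    def put(self, body):
        self._messages.append(QueueMessage(self._next_id, body))
        self._next_id += 1

    def get(self, visibility_timeout=30, max_messages=1):
        # The service caps a batch at 32; every message in it gets the same timeout.
        now, batch = self._clock(), []
        for m in self._messages:
            if len(batch) == min(max_messages, 32):
                break
            if m.visible_at <= now:
                m.dequeue_count += 1
                m.visible_at = now + visibility_timeout
                m.pop_receipt = f"{m.id}:{m.dequeue_count}"
                batch.append(replace(m))   # snapshot: the caller's receipt can go stale
        return batch

    def delete(self, message):
        # A stale receipt (the message reappeared and another worker dequeued it)
        # must not delete the message out from under that worker.
        self._messages = [m for m in self._messages
                          if not (m.id == message.id and m.pop_receipt == message.pop_receipt)]

    def __len__(self):
        return len(self._messages)


class Worker:
    """One step of a background worker: read a message, run an idempotent handler,
    delete on success, and park repeatedly failing (poison) messages elsewhere."""

    def __init__(self, queue, poison_queue, handler, max_dequeue=5, visibility_timeout=30):
        self.queue, self.poison_queue, self.handler = queue, poison_queue, handler
        self.max_dequeue, self.visibility_timeout = max_dequeue, visibility_timeout

    def step(self):
        batch = self.queue.get(self.visibility_timeout)
        if not batch:
            return "empty"
        msg = batch[0]
        if msg.dequeue_count > self.max_dequeue:
            self.poison_queue.put(msg.body)       # copy for offline review
            self.queue.delete(msg)
            return "poison"
        try:
            self.handler(msg.body)
        except Exception:
            return "failed"   # leave it hidden; it reappears after the timeout
        self.queue.delete(msg)   # delete only once the work is durable
        return "ok"


class FakeClock:
    """Controllable clock so the visibility timeout can be advanced deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_thumbnailer(store, crash_on_first_call=False):
    """Handler whose work is idempotent: writing the thumbnail twice gives the same
    result, so a retry after a crash between 'write' and 'delete' is harmless."""
    calls = {"n": 0}

    def handle(blob_name):
        store[blob_name] = "thumb:" + blob_name
        calls["n"] += 1
        if crash_on_first_call and calls["n"] == 1:
            raise RuntimeError("worker crashed after partial work")
    return handle
```

The handler deliberately writes its output before it can crash: because the write is an overwrite, the second delivery of the same message produces the same stored thumbnail, which is what "idempotent" buys you here. If the handler instead appended, or sent an email, the retry would duplicate that side effect.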

REDUNDANCY
What happens if the storage node on which your blobs are stored fails? What happens if the rack holding the storage node fails? Fortunately, Azure supports something called redundancy. There are four choices for redundancy; you specify which one to use when you create the storage account. You can change the redundancy settings after they are set up, except in the case of zone redundant storage.
• Locally Redundant Storage (LRS) Azure Storage provides high availability by ensuring that three copies of all data are made synchronously before a write is deemed successful. These copies are stored in a single facility in a single region. The replicas reside in separate fault domains and upgrade domains. This means the data is available even if a storage node holding your data fails or is taken offline to be updated.
When you make a request to update storage, Azure sends the request to all three replicas and waits for successful responses for all of them before responding to you. This means that the copies in the primary region are always in sync.
LRS is less expensive than GRS, and it also offers higher throughput. If your application stores data that can be easily reconstructed, you may opt for LRS.
• Geo-Redundant Storage (GRS) GRS makes three synchronous copies of the data in the primary region for high availability, and then it asynchronously makes three replicas in a paired region for disaster recovery. Each Azure region has a defined paired region within the same geopolitical boundary for GRS. For example, West US is paired with East US. This has a small impact on scalability targets for the storage account. The GRS copies in the paired region are not accessible to you, and GRS is best viewed as disaster recovery for Microsoft rather than for you. In the event of a major failure in the primary region, Microsoft would make the GRS replicas available, but this has never happened to date.
• Read-Access Geo-Redundant Storage (RA-GRS) This is GRS plus the ability to read the data in the secondary region, which makes it suitable for partial customer disaster recovery. If there is a problem with the primary region, you can change your application to have read-only access to the paired region. The storage client library supports a fallback mechanism via Microsoft.WindowsAzure.Storage.RetryPolicies.LocationMode to try to read from the secondary copy if the primary copy can't be reached. This feature is built in for you. Your customers might not be able to perform updates, but at least the data is still available for viewing, reporting, etc.
You also can use this if you have an application in which only a few users can write to the data but many people read the data. You can point your application that writes the data to the primary region but have the people only reading the data access the paired region. This is a good way to spread out the load when accessing a storage account.
• Zone-Redundant Storage (ZRS) This option can only be used for block blobs in a standard storage account. It replicates your data across two to three facilities, either within a single region or across two regions. This provides higher durability than LRS, but ZRS accounts do not have metrics or logging capability.

SECURITY AND AZURE STORAGE
Azure Storage provides a set of security features that help developers build secure applications. You can secure your storage account by using Role-Based Access Control (RBAC) and Microsoft Azure Active Directory (Azure AD). You can use client-side encryption, HTTPS, or SMB 3.0 to secure your data in transit. You can enable Storage Service Encryption, and the Azure Storage service will encrypt data written to the storage account. OS and data disks for VMs now have Azure Disk Encryption that can be enabled. And secure access to the data plane objects (such as blobs) can be granted using a shared access signature (SAS). Let's talk a little more about each of these.

SECURING YOUR STORAGE ACCOUNT
The first thing to think about is securing your storage account.

STORAGE ACCOUNT KEYS
Each storage account has two authentication keys, a primary and a secondary, either of which can be used for any operation. There are two keys to allow occasional rollover of the keys to enhance security. It is critical that these keys be kept secure because their possession, along with the account name, allows unlimited access to any data in the storage account.
Say you're using key 1 for your storage account in multiple applications. You can regenerate key 2 and then change all the applications to use key 2, test them, and deploy them to production. Then, you can regenerate key 1, which removes access from anybody who is still using it. Bear in mind that regenerating a key also invalidates every shared access signature that was signed with that key, so any clients holding such tokens must be issued new ones. A good example of when you might want to do this is if your team uses a storage explorer that retains the storage account keys, and someone leaves the team or the company; you don't want them to have access to your data after they leave. This can happen without a lot of notice, so you should have a procedure in place to know all the apps that need to change, and then practice rotating keys on a regular basis so that it's simple and not a big problem when it is necessary to rotate the keys in a hurry.

USING RBAC, AZURE AD, AND AZURE KEY VAULT TO CONTROL ACCESS TO RESOURCE MANAGER STORAGE ACCOUNTS
RBAC and Azure AD With Resource Manager RBAC, you can assign roles to users, groups, or applications. The roles are tied to a specific set of actions that are allowed or disallowed. Using RBAC to grant access to a storage account only handles the management operations for that storage account. You can't use RBAC to grant access to objects in the data plane like a specific container or file share. You can, however, use RBAC to grant access to the storage account keys, which can then be used to read the data objects.
For example, you might grant someone the Owner role on the storage account. This means they can access the keys and thus the data objects, and they can create storage accounts and do pretty much anything.
You might grant someone else the Reader role. This allows them to read information about the storage account. They can read resource groups and resources, but they can't access the storage account keys and therefore can't access the data objects.
If someone is going to create VMs, you must grant them the Virtual Machine Contributor role, which grants them access to retrieve the storage account keys but not to create storage accounts. They need the keys to create the VHD files that are used for the VM disks.
Azure Key Vault Azure Key Vault helps safeguard cryptographic keys and secrets used by Azure applications and services. You could store your storage account keys in an Azure Key Vault. What does this do for you? While you can't control access to the data objects directly using Active Directory, you can control access to an Azure Key Vault using Active Directory. This means you can put your storage account keys in Azure Key Vault and then grant access to them for a specific user, group, or application.
Let's say you have an application running as a Web App that uploads files to a storage account. You want to be really sure nobody else can access those files. You add the application to Azure Active Directory and grant it access to the Azure Key Vault with that storage account's keys in it. After that, only principals granted access to the vault can retrieve those keys from it (bear in mind that anyone holding a role with the list-keys action on the storage account itself can still fetch them from the resource provider, so that role assignment needs the same scrutiny). This is much more secure than putting the keys in the web.config file where an attacker could get to them.

SECURING ACCESS TO YOUR DATA
There are two ways to secure access to your data objects. We just talked about the first one: controlling access to the storage account keys.
The second way to secure access is by using shared access signatures and stored access policies. A shared access signature (SAS) is a string containing a security token that can be attached to the URI for an asset that allows you to delegate access to specific storage objects and to specify constraints such as permissions and the date/time range of access.
You can grant access to blobs, containers, queue messages, files, and tables. With tables, you can grant access to specific partition keys. For example, if you were using geographical state for your partition key, you could give someone access to just the data for California.
You can fine-tune this by using a separation of concerns. You can give a web application permission to write messages to a queue, but not to read them or delete them. Then, you can give the worker role or Azure WebJob the permission to read the messages, process the messages, and delete the messages. Each component has the least amount of access required to do its job.
Here's an example of a SAS, with each parameter explained:
https://mystorage.blob.core.windows.net/mycontainer/myblob.txt (URL to the blob)
?sv=2015-04-05 (storage service version)
&st=2015-12-10T22%3A18%3A26Z (start time, in UTC and URL encoded)
&se=2015-12-10T22%3A23%3A26Z (end time, in UTC and URL encoded)
&sr=b (resource is a blob)
&sp=r (read access)
&sip=168.1.5.60-168.1.5.70 (requests can only come from this range of IP addresses)
&spr=https (only allow HTTPS requests)
&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D (signature used for the authentication of the SAS)
Note that the SAS query parameters must be URL encoded, such as %3A for colon (:) and %20 for a space. This SAS gives read access to a blob from 12/10/2015 10:18 PM to 12/10/2015 10:23 PM UTC.
When the storage service receives this request, it takes the query parameters, computes the sig value on its own (an HMAC-SHA256 over those parameters and the resource path, keyed with the storage account key), and compares it to the one provided here. If they agree, it verifies the rest of the request. If our URL pointed to a file on a file share instead of a blob, the request would fail because a blob is specified. If the request were to update the blob, it would fail because only read access has been granted.
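The verification step just described can be reproduced end to end. The following is an added example (not from the book, and not the Azure SDK) that builds a service SAS of the same shape as the one above and then plays the storage service's part: it recomputes the signature as an HMAC-SHA256 over the string-to-sign defined for service version 2015-04-05, compares it in constant time, and only then enforces the time window, protocol, IP range and permission constraints. ACCOUNT_KEY is a constructed demo key, so the resulting sig differs from the one printed in the text; the string-to-sign layout (sp, st, se, canonicalized resource, si, sip, spr, sv, then the five response-header overrides) is the one documented for that service version.

```python
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. A real account key is the base64 form of 64 random bytes
# and must be treated as a root credential for the whole account.
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()

# Fields of the string-to-sign for a service SAS at sv=2015-04-05, in order.
# Absent fields still contribute an empty line. The resource type (sr) is not
# signed at this version; the canonicalized resource path is what binds the token.
SIGNED_FIELDS = ("sp", "st", "se", "canonicalized_resource", "si", "sip", "spr",
                 "sv", "rscc", "rscd", "rsce", "rscl", "rsct")


def canonicalized_resource(account, container, blob=""):
    # For sv >= 2015-02-21 the path is prefixed with the service name.
    return f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")


def compute_signature(account_key, fields):
    string_to_sign = "\n".join(fields.get(name, "") for name in SIGNED_FIELDS)
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_sas_url(account, container, blob, account_key, permissions,
                      start, expiry, ip_range=None, protocol="https"):
    """Issuer side: build a SAS URL with the parameters shown in the text."""
    fields = {"sv": "2015-04-05", "st": start, "se": expiry, "sr": "b", "sp": permissions,
              "canonicalized_resource": canonicalized_resource(account, container, blob)}
    if ip_range:
        fields["sip"] = ip_range
    if protocol:
        fields["spr"] = protocol
    query = {k: fields[k] for k in ("sv", "st", "se", "sr", "sp", "sip", "spr") if k in fields}
    query["sig"] = compute_signature(account_key, fields)
    # urlencode percent-encodes ':' as %3A and the base64 '+', '/', '=' in sig.
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?" + urlencode(query)


def parse_sas_url(url):
    parts = urlsplit(url)
    account = parts.hostname.split(".")[0]
    container, _, blob = parts.path.lstrip("/").partition("/")
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return account, container, blob, query


def verify_signature(url, account_key):
    """Service side, step 1: recompute sig from the query parameters and compare."""
    account, container, blob, query = parse_sas_url(url)
    fields = dict(query)
    fields["canonicalized_resource"] = canonicalized_resource(account, container, blob)
    expected = compute_signature(account_key, fields)
    return hmac.compare_digest(expected, query.get("sig", ""))


def ip_in_range(ip, sip):
    low, _, high = sip.partition("-")          # sip is a single address or low-high
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high or low)


def authorize(url, account_key, now_utc, client_ip, scheme, operation="read"):
    """Service side, steps 1-5: a valid signature only proves who issued the token;
    the constraints the token carries are enforced afterwards."""
    if not verify_signature(url, account_key):
        return "denied: bad signature"
    _, _, _, q = parse_sas_url(url)
    # ISO 8601 UTC stamps of the same shape compare correctly as strings; an ad hoc
    # SAS must carry se, so a missing expiry fails closed here.
    if not (q.get("st", "") <= now_utc <= q.get("se", "")):
        return "denied: outside time window"
    if q.get("spr") == "https" and scheme != "https":
        return "denied: https required"
    if "sip" in q and not ip_in_range(client_ip, q["sip"]):
        return "denied: client ip not allowed"
    needed = {"read": "r", "write": "w", "delete": "d"}[operation]
    if needed not in q.get("sp", ""):
        return "denied: permission not granted"
    return "allowed"


if __name__ == "__main__":
    url = make_blob_sas_url("mystorage", "mycontainer", "myblob.txt", ACCOUNT_KEY, "r",
                            "2015-12-10T22:18:26Z", "2015-12-10T22:23:26Z",
                            ip_range="168.1.5.60-168.1.5.70")
    print(url)
    print(authorize(url, ACCOUNT_KEY, "2015-12-10T22:20:00Z", "168.1.5.65", "https"))
```

Two things worth noticing: changing any signed parameter (say, widening sp from r to rw) breaks the signature, which is why the constraints can be trusted even though they travel in the clear; and because sr is not signed at this version, it is the canonicalized resource path, built from the URL the client actually hits, that stops a token minted for one blob from being replayed against another.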
There are both account-level SAS and service-level SAS. With an account-level SAS, you can do things like list containers, create containers, delete file shares, and so on. With a service-level SAS, you can only access the data objects. For example, you can upload a blob into a container.
You can also create stored access policies on container-like objects such as blob containers and file shares (a container, table, queue, or share can hold at most five of them). This will let you set the default values for the query parameters, and then you can create the SAS by specifying the policy and the query parameter that is different for each request. For example, you might set up a policy that gives read access to a specific container. Then, when someone requests access to that container, you create a SAS from the policy and use it.
There are two advantages to using stored access policies. First, this hides the parameters that are defined in the policy. So if you set your policy to give access for 30 minutes, it won't show that in the URL; it just shows the policy name. This is more secure than letting all of your parameters be seen.
The second reason to use stored access policies is that they can be revoked. You can either change the expiration date to be prior to the current date/time or remove the policy altogether. You might do this if you accidentally provided access to an object you didn't mean to. With an ad hoc SAS URL, you have to remove the asset or regenerate the storage account key that signed it to revoke access.
Shared access signatures and stored access policies are the two most secure ways to provide access to your data objects.

SECURING YOUR DATA IN TRANSIT
Another consideration when storing your data in Azure Storage is securing the data when it is being transferred between the storage service and your applications.
First, you should always use the HTTPS protocol, which ensures secure communication over the public Internet. Note that if you are using a SAS, there is a query parameter (spr) that specifies that only the HTTPS protocol can be used with that URL.
For Azure File shares, SMB 3.0 running on Windows encrypts the data going across the public Internet. When Apple and Linux add encryption support to SMB 3.0, you will be able to mount file shares on those machines and have encrypted data in transit.
Last, you can use the client-side encryption feature of the .NET and Java storage client libraries to encrypt your data before sending it across the wire. When you retrieve the data, you can then decrypt it. This is built in to the storage client libraries for .NET and Java. This also counts as encryption at rest because the data is encrypted when stored.

ENCRYPTION AT REST
Let's look at the various options available to encrypt the stored data.

STORAGE SERVICE ENCRYPTION (SSE)
This is a new feature currently in preview. This lets you ask the storage service to encrypt blob data when writing it to Azure Storage. This feature has been requested by many companies to fulfill security and compliance requirements. It enables you to secure your data without having to add any code to any of your applications. Note that it only works for blob storage; tables, queues, and files are unaffected.
This feature is per storage account, and it can be enabled and disabled using the Azure portal, PowerShell, the CLI, the Azure Storage Resource Provider REST API, or the .NET storage client library. The keys are generated and managed by Microsoft at this time, but in the future you will get the ability to manage your own encryption keys.
This can be used with both Standard and Premium storage, but only with the new Resource Manager accounts. During the preview, you have to create a new storage account to try out this feature.
One thing to note: after being enabled, the service encrypts data written to the storage account. Any data already written to the account is not encrypted. If you later disable the encryption, any future data will not be encrypted, but it does retain encryption on the data written while encryption was enabled.
If you create a VM using an image from the Azure Marketplace, Azure performs a shallow copy of the image to your storage account in Azure Storage, and it is not encrypted even if you have SSE enabled. After it creates the VM and starts updating the image, SSE will start encrypting the data. For this reason, Microsoft recommends that you use Azure Disk Encryption on VMs created from images in the Azure Marketplace if you want them fully encrypted.

AZURE DISK ENCRYPTION
This is another new feature that is currently in preview. This feature allows you to specify that the OS and data disks used by an IaaS VM should be encrypted. For Windows, the drives are encrypted with industry-standard BitLocker encryption technology. For Linux, encryption is performed using dm-crypt.
Note For Linux VMs already running in Azure or new Linux VMs created from images in the Azure Marketplace, encryption of the OS disk is not currently supported. Encryption of the OS volume for Linux VMs is supported only for VMs that were encrypted on-premises and uploaded to Azure. This restriction only applies to the OS disk; encryption of data volumes for a Linux VM is supported.
Azure Disk Encryption is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys.
Unlike SSE, when you enable this, it encrypts the whole disk, including data that was previously written. You can bring your own encrypted images into Azure and upload them and store the keys in Azure Key Vault, and the image will continue to be encrypted. You can also upload an image that is not encrypted or create a VM from the Azure Gallery and ask that its disks be encrypted.
This is the method recommended by Microsoft to encrypt your IaaS VMs at rest. Note that if you turn on both SSE and Azure Disk Encryption, it will work fine. Your data will simply be double-encrypted.

CLIENT-SIDE ENCRYPTION

We looked at client-side encryption when discussing encryption in transit. The data is encrypted by the application and sent across the wire to be stored in the storage account. When retrieved, the data is decrypted by the application. Because the data is stored encrypted, this is encryption at rest.

For this encryption, you can encrypt the data in blobs, tables, and queues, rather than just blobs like SSE. Also, you can bring your own keys or use keys generated by Microsoft. If you store your encryption keys in Azure Key Vault, you can use Azure Active Directory to specifically grant access to the keys. This allows you to control who can read the vault and retrieve the keys being used for client-side encryption.

This is the most secure method of encrypting your data, but it does require that you add code to perform the encryption and decryption. If you only have blobs that need to be encrypted, you may choose to use a combination of HTTPS and SSE to meet the requirement that your data be encrypted at rest.

USING STORAGE ANALYTICS TO AUDIT ACCESS

You may want to see how people are accessing your storage account. Do all the requests use an SAS? How many people are accessing the storage account using the actual storage account keys?

To check this, you can enable the logging in Azure Storage Analytics and check the results after a while. Enabling the logging tells the Azure Storage service to log all requests to the storage account. (Note that at this time, only blobs, tables, and queues are supported.)

The logs are stored in a container called $logs in blob storage. They are stored by date and time, collected by hour. If there is no activity, no logs are generated.

Here are the fields that are stored in the logs (one entry per line, fields separated by semicolons):

<version-number>;<request-start-time>;<operation-type>;<request-status>;
<http-status-code>;<end-to-end-latency-in-ms>;<server-latency-in-ms>;
<authentication-type>;<requester-account-name>;<owner-account-name>;
<service-type>;<request-url>;<requested-object-key>;<request-id-header>;
<operation-count>;<requester-ip-address>;<request-version-header>;
<request-header-size>;<request-packet-size>;<response-header-size>;
<response-packet-size>;<request-content-length>;<request-md5>;<server-md5>;
<etag-identifier>;<last-modified-time>;<conditions-used>;<user-agent-header>;
<referrer-header>;<client-request-id>

The fields we are interested in here are request-status and authentication-type. So if you look at a log file, these are the three cases we can look for:

1. The blob is public, and it is accessed using a URL without an SAS. In this case, the request-status will be AnonymousSuccess and the authentication type will be anonymous.

1.0;2015-11-17T02:01:29.0488963Z;GetBlob;AnonymousSuccess;200;124;37;anonymous;;my

2. The blob is private and was used with an SAS. In this case, the request-status is SASSuccess and the authentication type is sas.

1.0;2015-11-16T18:30:05.6556115Z;GetBlob;SASSuccess;200;416;64;sas;;mystorage…

3. The blob is private, and the storage key was used to access it. In this case, the request-status is Success and the authentication type is authenticated.

1.0;2015-11-16T18:32:24.3174537Z;GetBlob;Success;206;59;22;authenticated;mystorage…

To view and analyze these log files, you can use the Microsoft Message Analyzer (free from Microsoft). You can download the Message Analyzer here: https://www.microsoft.com/download/details.aspx?id=44226. The operating guide is here: https://technet.microsoft.com/library/jj649776.aspx.

The Message Analyzer lets you search and filter the data. An example of when you might want to do this is if you have your keys stored in Azure Key Vault and only one application has access to the Azure Key Vault. In that case, you might search for instances where GetBlob was called and make sure there aren't any calls that were authenticated in any other way.

Important For Azure Analytics, the metrics tables start with $metrics, and the logs container in blob storage is called $logs. You cannot even see the tables and container using PowerShell, the Visual Studio Cloud Explorer, or the Azure portal. You can see the tables and container and even open and view the entities and blobs using the Microsoft Azure Storage Explorer (http://storageexplorer.com). The Cerebrata Azure Management Studio and Cloud Portam allow you to access and view these objects (http://www.cerebrata.com) as well.

You can also write your own code using one of the storage client libraries to retrieve the data from table storage and blob storage. Other storage explorers listed in the article at the beginning of this chapter may also enable you to view this data.
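The audit described above (which authentication types appear in the $logs entries, and whether GetBlob was ever called with the account key from somewhere other than the one application that is supposed to hold it) can also be done with a short script instead of the Message Analyzer. The following is an added example and is not code from the book: it parses lines in the field layout listed above and summarizes them. The SAMPLE_LOG lines are constructed to follow that layout; the account name, IP addresses, request ids and user agents in them are placeholders.

```python
"""Audit who is using a storage account, from Storage Analytics log lines.

Added example, not code from the book. SAMPLE_LOG is constructed to follow
the semicolon-separated field layout of a log version 1.0 entry; account
names, IPs and request ids in it are placeholders.
"""
import csv
import io
from collections import Counter

# Field names in the order the $logs format lists them.
FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5",
    "server-md5", "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
]

# Constructed sample: one anonymous read, one SAS read, and two requests
# signed with the account key from the same host.
SAMPLE_LOG = (
    '1.0;2015-11-17T02:01:29.0488963Z;GetBlob;AnonymousSuccess;200;124;37;anonymous;;mystorage;blob;'
    '"https://mystorage.blob.core.windows.net/public/a.jpg";"/mystorage/public/a.jpg";r1;1;'
    '203.0.113.10:443;2015-04-05;400;0;300;5120;0;;;"0x1";Tue, 17 Nov 2015 01:00:00 GMT;;"Mozilla/5.0";;\n'
    '1.0;2015-11-16T18:30:05.6556115Z;GetBlob;SASSuccess;200;416;64;sas;;mystorage;blob;'
    '"https://mystorage.blob.core.windows.net/private/b.jpg?sv=2015-04-05&sig=REDACTED";"/mystorage/private/b.jpg";r2;1;'
    '203.0.113.11:443;2015-04-05;400;0;300;5120;0;;;"0x2";Mon, 16 Nov 2015 18:00:00 GMT;;"Mozilla/5.0";;\n'
    '1.0;2015-11-16T18:32:24.3174537Z;GetBlob;Success;206;59;22;authenticated;mystorage;mystorage;blob;'
    '"https://mystorage.blob.core.windows.net/private/c.jpg";"/mystorage/private/c.jpg";r3;1;'
    '198.51.100.7:443;2015-04-05;400;0;300;5120;0;;;"0x3";Mon, 16 Nov 2015 18:00:00 GMT;;"Azure-Storage/4.3.0";;\n'
    '1.0;2015-11-16T18:40:01.0000000Z;PutBlob;Success;201;80;30;authenticated;mystorage;mystorage;blob;'
    '"https://mystorage.blob.core.windows.net/private/d.jpg";"/mystorage/private/d.jpg";r4;1;'
    '198.51.100.7:443;2015-04-05;400;5120;300;0;5120;;;"0x4";Mon, 16 Nov 2015 18:40:01 GMT;;"Azure-Storage/4.3.0";;\n'
)


def parse_log(text):
    """Split log lines into dicts keyed by FIELDS. The csv module handles the
    quoted fields (URL, object key, user agent), which may contain ';'."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    return [dict(zip(FIELDS, row)) for row in reader if row]


def summarize_auth(entries):
    """Count requests by (operation, authentication-type): how many callers
    use the account key, a SAS, or anonymous access."""
    return Counter((e["operation-type"], e["authentication-type"]) for e in entries)


def key_authenticated(entries, operation="GetBlob"):
    """Requests for `operation` signed with the account key
    (authentication-type 'authenticated'), i.e. neither SAS nor anonymous."""
    return [e for e in entries
            if e["operation-type"] == operation
            and e["authentication-type"] == "authenticated"]


def unexpected_key_use(entries, allowed_ips):
    """Key-authenticated requests from any address other than the hosts that
    are supposed to hold the key (for example the one application that reads
    it from Key Vault). requester-ip-address is 'ip:port', so drop the port."""
    hits = []
    for e in entries:
        if e["authentication-type"] != "authenticated":
            continue
        ip = e["requester-ip-address"].rsplit(":", 1)[0]
        if ip not in allowed_ips:
            hits.append((e["request-start-time"], e["operation-type"], ip,
                         e["user-agent-header"]))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (op, auth), n in sorted(summarize_auth(entries).items()):
        print(f"{op:10} {auth:15} {n}")
    for hit in unexpected_key_use(entries, allowed_ips={"198.51.100.7"}):
        print("unexpected key use:", hit)
```

Real $logs blobs are downloaded per hour and concatenated before being fed to parse_log; the allowed_ips set is the address list of the hosts that legitimately hold the key, and anything else that appears with authentication-type authenticated is the case the text says to look for.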

USING CROSS-ORIGIN RESOURCE SHARING (CORS)

When a web browser running in one domain makes an HTTP request for a resource in another domain, it's called a cross-origin HTTP request. If the request is made in a script language such as JavaScript, the browser will not allow the request.

For example, if a web application running on contoso.com makes a request for a jpeg on fabrikam.blob.core.windows.net, it will be blocked.

What if you actually want to share the images in your storage account with Contoso? Azure Storage allows you to enable CORS (Cross-Origin Resource Sharing). For this example, you would enable CORS on the fabrikam storage account and allow access from contoso.com. You can do this by using the REST API or the storage client library.
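What the fabrikam account actually stores when CORS is enabled is a list of rules, and the browser's cross-origin request is then judged against those rules. The following is an added example, not code from the book: it builds the Cors element in the shape the storage service properties document uses (element names AllowedOrigins, AllowedMethods, AllowedHeaders, ExposedHeaders, MaxAgeInSeconds) and evaluates requests against the rules locally, as a model of the matching, without calling the service. The rule values for fabrikam and contoso are constructed.

```python
"""CORS rules for a storage account, and how a cross-origin request is judged.

Added example, not code from the book. The XML element names follow the Cors
section of the storage service properties document; the evaluator is a local
model of the matching (origin, method and request headers must all be allowed
by one rule), not a call to Azure Storage.
"""
import xml.etree.ElementTree as ET

# Constructed: fabrikam lets only contoso.com read blobs, and only with GET.
FABRIKAM_RULES = [
    {
        "origins": ["https://contoso.com"],
        "methods": ["GET"],
        "allowed_headers": ["x-ms-meta-*"],
        "exposed_headers": ["x-ms-meta-*"],
        "max_age": 3600,
    },
]


def cors_rules_to_xml(rules):
    """Serialize rule dicts to the <Cors> element (lists are comma separated)."""
    cors = ET.Element("Cors")
    for r in rules:
        rule = ET.SubElement(cors, "CorsRule")
        ET.SubElement(rule, "AllowedOrigins").text = ",".join(r["origins"])
        ET.SubElement(rule, "AllowedMethods").text = ",".join(r["methods"])
        ET.SubElement(rule, "AllowedHeaders").text = ",".join(r["allowed_headers"])
        ET.SubElement(rule, "ExposedHeaders").text = ",".join(r["exposed_headers"])
        ET.SubElement(rule, "MaxAgeInSeconds").text = str(r["max_age"])
    return ET.tostring(cors, encoding="unicode")


def cors_rules_from_xml(xml_text):
    """Parse a <Cors> element back into the same dict shape."""
    def items(elem, tag):
        return [t for t in (elem.findtext(tag) or "").split(",") if t]

    rules = []
    for rule in ET.fromstring(xml_text).findall("CorsRule"):
        rules.append({
            "origins": items(rule, "AllowedOrigins"),
            "methods": items(rule, "AllowedMethods"),
            "allowed_headers": items(rule, "AllowedHeaders"),
            "exposed_headers": items(rule, "ExposedHeaders"),
            "max_age": int(rule.findtext("MaxAgeInSeconds") or 0),
        })
    return rules


def _header_allowed(patterns, header):
    """A header pattern is a literal name, '*' for any header, or a prefix
    ending in '*' (such as x-ms-meta-*). Header names are case-insensitive."""
    h = header.lower()
    for p in patterns:
        p = p.lower()
        if p == "*" or p == h or (p.endswith("*") and h.startswith(p[:-1])):
            return True
    return False


def matching_rule(rules, origin, method, request_headers=()):
    """First rule that allows this request, or None (the browser then blocks
    it). Origins are compared as whole strings here, so scheme and host must
    both match: 'https://contoso.com' covers neither 'http://contoso.com' nor
    'https://www.contoso.com'. Listing '*' as an origin allows every site."""
    for r in rules:
        if "*" not in r["origins"] and origin not in r["origins"]:
            continue
        if method.upper() not in {m.upper() for m in r["methods"]}:
            continue
        if all(_header_allowed(r["allowed_headers"], h) for h in request_headers):
            return r
    return None


if __name__ == "__main__":
    print(cors_rules_to_xml(FABRIKAM_RULES))
    for origin in ("https://contoso.com", "http://contoso.com", "https://www.contoso.com"):
        print(origin, "->", "allowed" if matching_rule(FABRIKAM_RULES, origin, "GET") else "blocked")
```

The XML produced by cors_rules_to_xml is the part of the service properties document that the REST API or client library sends; the point the evaluator makes is that the allowed-origin list is an allow list, and that putting "*" in it turns a private share with Contoso into a share with every site.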

CREATING AND MANAGING STORAGE

In this section, we are going to go through several exercises to show the different ways you can access your data objects. First, we'll use the Azure portal and the Visual Studio Cloud Explorer, then we'll do some of the same operations using PowerShell. Here's what we'll do:
• Create a storage account using the Azure portal.
• Create a blob container and upload blobs using the Visual Studio Cloud Explorer.
• Create a file share and upload files using the Azure portal.
• Create a table and add records to it using the Visual Studio Cloud Explorer.
• Create a storage account using Azure PowerShell.
• Create a blob container and upload blobs using PowerShell.
• Create a file share and upload files using PowerShell.
To do the Azure PowerShell demos, you need to install Azure PowerShell.

CREATE A STORAGE ACCOUNT USING THE AZURE PORTAL

To create a storage account, log into the Azure portal. Click New > Data + Storage > Storage Account. You see a screen similar to Figure 4-1.

1. First, fill in a name for the storage account. The name must be globally unique because it is used as part of the URL. This will be used in the endpoints for blobs, files, tables, and queues. In Figure 4-1, the storage account name is azurebooktest. This means the blobs (for example) will be addressable as http://azurebooktest.blob.core.windows.net.
2. The next field displayed is the Deployment Model. You want to create a Resource Manager storage account, so select Resource Manager.
3. Account Kind can be General Purpose or Blob Storage. Select General Purpose so you can use the same account for blobs, files, and tables.
4. For Replication, the default is GRS (Globally Redundant Storage). Change this to LRS (Locally Redundant Storage), which has the lowest cost. For test data, you don't need it to be replicated in a completely different region.
5. If you manage multiple subscriptions, select the one you want to be used for this storage account.
6. For Resource Group, let's create a new one just for this chapter. Specify the name of the resource group. In Figure 4-1, the resource group is called azurebookch4rg.
7. For Location, select the Azure region closest to you for the best performance.
8. Select the Pin To Dashboard check box and click Create. Azure will provision the storage account and add it to the Dashboard. Now that you've created a Resource Manager storage account in its own resource group, let's take a look at it.
9. If your storage account wasn't automatically displayed after being created, click your new storage account from the Dashboard. A blade will be displayed with information about your storage account (Figure 4-2).

Figure 4-2 View your new storage account.

10. Click All Settings to bring up the Settings blade (Figure 4-3).

Figure 4-3 Settings blade for the new storage account.

Here are some of the options in the Settings blade:
• Access Keys This shows you your storage account name and the two access keys. From the Access Keys blade, you can copy any of the values to the Windows clipboard. You can also regenerate the storage account access keys here.
• Configuration This allows you to change the replication. Yours is LRS if that's what you selected when creating the storage account. You can change it here to GRS or RA-GRS.
• Custom Domain This is where you can configure a custom domain for your storage account. For example, rather than calling it robinscompany.blob.core.windows.net, you can assign a domain to it and refer to it as storage.robinscompany.com.
• Encryption This is where you can sign up for the Storage Service Encryption preview. At some point, this will be where you enable and disable SSE for the storage account.
• Diagnostics This is where you can turn on the Storage Analytics and the logging.
• Users This is where you can grant management-plane access for this specific storage account.

CREATE A CONTAINER AND UPLOAD BLOBS USING VISUAL STUDIO CLOUD EXPLORER

Now you want to create a container and upload some files to it using Visual Studio Cloud Explorer.

1. Run Visual Studio. If you don't have the Azure Tools installed, you can use the Web Platform Installer to install them.
2. Click View > Cloud Explorer. You see a screen like the one in Figure 4-4.

Figure 4-4 Cloud Explorer.

3. Click the Settings icon to get to the login screen (Figure 4-5).

Figure 4-5 Select the Azure account with which to log into the Cloud Explorer.

If you don't have any Azure accounts displayed in the list, click the drop-down list and select Add An Account. If you do have accounts displayed, select the one you want to use and log into it. Click Apply. After logging in, you see something like Figure 4-6.

Figure 4-6 Visual Studio Cloud Explorer, showing resources.

4. Open the storage account you created with the portal. In the example, that's azurebooktest. The storage account has Blob Containers, Queues, and Tables. Right-click Blob Containers and select Create Blob Container, as displayed in Figure 4-7.

Figure 4-7 Create blob container.

5. It shows a text box; type in the container name. The example uses test-vs. Press Enter; now it shows your new container under Blob Containers. Double-click the container name to open a screen where you can upload blobs (Figure 4-8).

Figure 4-8 Ready to upload blobs into the container.

6. To upload blobs into the container, click the icon on the top row next to the filter that shows an up arrow with a line over it (this is the same icon used in Figure 4-14). The Upload New File dialog opens (Figure 4-9). Browse to find a file. You can set a folder name here. Note that this is the pseudo-foldering discussed earlier: it includes the folder name in the blob name with a forward slash. If you leave the folder blank, it will put the file in the root of the container.

Figure 4-9 Dialog for uploading blobs into the container.

7. Upload some files into the root and some files into a folder. You should see something similar to Figure 4-10. This figure shows a folder called images and two blobs in the root. Note that it shows the URL to the blobs. If you open the images folder, it will show the blobs there, and all of the URLs will have /images/ in them.

Figure 4-10 Screen showing blobs uploaded into the container.

8. You can delete blobs from the container by using the red X icon, and you can download blobs and view them in the picture viewer by double-clicking the entry in the table or by clicking the forward arrow icon.

One thing this tool does not allow you to do is set the Access Type of the container. By default, the Cloud Explorer sets it to Private. The Access Type defines who can access the blobs and the container. If this is Private, the container and the blobs in the container can only be accessed by someone who has the account credentials (account name and key) or a URL that includes an SAS. If you set this to Blob, then anyone with a URL can view the associated blob but cannot view the container properties and metadata or the list of blobs in the container. If you set this to Container, then everyone has read access to the container and the blobs therein.

You can change this in the Azure portal and through some storage explorers. In the Azure portal, go to the storage account, click Blobs, and then select the container. A blade will open on the right showing the blobs in the container. Click Access Policy to set it to Blob or Public.

The Cloud Explorer is a pretty simple implementation of accessing blob storage. It does not allow you to upload or download folders full of images. For more sophisticated applications, check out the list of storage explorers provided earlier in this section.

CREATE A FILE SHARE AND UPLOAD FILES USING THE AZURE PORTAL

In this section, you will create an Azure File share and then upload some files to it. For this demo, you'll use the Azure portal. You can't use the Cloud Explorer in Visual Studio because it doesn't support Azure Files.

1. Log into the Azure portal. Click All Resources and then select the storage account you created using the portal. In the examples, this was azurebooktest. You should see something like Figure 4-11.

Figure 4-11 View storage account.

2. Click Files to open the File Service blade shown in Figure 4-12.

3. You don't have any file shares yet. Create one by clicking File Share. This will show the New File Share blade (Figure 4-13).

Figure 4-13 Create a new file share.

4. Provide a name for the file share. If you want the maximum size of the file share to be less than the allowed 5,120 GB, specify the desired value in the Quota field. To maximize the size of the file share, leave the Quota blank. Click Create at the bottom of the blade, and Azure will create the file share for you and display it in the File Service blade.

5. Click the new file share to bring up the file share's blade. You see something like Figure 4-14.

Figure 4-14 Create a new file share.

Let's look at what the icons do.

• Connect This gives you the NET USE statement that you can use in a command window to map the network share to a local drive letter.
• Upload This allows you to upload files.
• Directory This lets you create a directory in the folder currently displayed. For you, that's the root folder.
• Refresh This refreshes the displayed information.
• Delete share This will delete the file share and all the files on it.
• Properties This shows the Properties blade for the file share. This shows the name, URL, quota, usage, and so on.
• Quota This lets you modify the quota specified.

Now upload some files. Click the Upload icon to show the Upload Files blade (Figure 4-15).

Figure 4-15 The Upload Files blade.

6. Click the file folder icon. In the Choose File To Upload dialog that displays, browse to any folder and select some files to upload. You can upload up to four files at a time. If you select more than four, it will ignore the extras. After selecting them and returning to the Upload Files blade, it shows the files in a list. Click the Start Upload button displayed in Figure 4-16 to upload the files.

Figure 4-16 Uploading files.

The portal will show the progress while uploading the files and then show the files in the File Share blade, as illustrated in Figure 4-17.

Figure 4-17 Uploaded files.

CREATE A TABLE AND ADD RECORDS USING THE VISUAL STUDIO CLOUD EXPLORER

Now you can create a table in your storage account and add some entities to it. You can use one of the storage explorer tools mentioned earlier in this book, but let's see how easy it is to use the Visual Studio Cloud Explorer to do this task.

If you've done the steps in the last section that showed how to use the Cloud Explorer to add blobs to blob storage, this will be just as easy. If you don't still have the Cloud Explorer open, open it again and log in to your Azure account again.

In Cloud Explorer, right-click Tables and select Create Table. You will be prompted for the name of the table, which must be unique within your storage account. After pressing Enter to create the new table, double-click the table name to see something similar to Figure 4-18.

Figure 4-18 Editing a new table.

You don't have any entities, so add one by clicking the icon with the + in it. As discussed in the section "Table storage" earlier in this chapter, you have to think about what you want to use for PartitionKey and RowKey to get the best performance.

For this example, use the geographic state abbreviation for the PartitionKey and the city name for the RowKey. For properties, add Population as an Int32 and LandArea as a Double. Fill in values for each of the fields. Figure 4-19 shows what the entity looks like before adding it to the table.

Figure 4-19 Add an entity to the table.

Click OK to save the entity. Add another entity, and this time, add another property besides Population and LandArea, such as GPSCoordinates. Add a couple more entities, including whatever properties you want. If you want to edit an entity after saving it, you can right-click the entity and select Edit. You also can delete entities using this view.

After entering a few entities, you should have something similar to Figure 4-20.

Figure 4-20 View the table after adding entities.

You can see the PartitionKey and RowKey combination is unique for all of the entities. The rest of each row in the table is the list of key/value pairs. Not all entities have the same properties. The entity for San Francisco only has LandArea and Population; the entity for San Jose is the only one with GPSCoordinates. This is a strength of Azure Tables: the key/value pairs can vary for each entity.

You can create tables by using a designer such as this one in Visual Studio, but for adding, changing, and deleting entities in an application, you will probably want to write your own code using the storage client library. For examples, please check out this link: http://azure.microsoft.com/documentation/articles/storage-dotnet-how-to-use-tables/.

CREATE A STORAGE ACCOUNT USING POWERSHELL

Let's see how to do many of the same operations using Azure PowerShell cmdlets.

1. First, you need to run Azure PowerShell ISE.
2. Log into your Azure account using the PowerShell cmdlet Login-AzureRmAccount. You will be prompted for your Azure credentials; go ahead and log in.

> Login-AzureRmAccount

Note: There is also a cmdlet called Add-AzureAccount. This is for using classic resources. All of the cmdlets for Resource Manager accounts have "Rm" after the word "Azure" in the cmdlet.

After logging into the account, it should show the subscription in the command window.

3. Now you need a resource group in which to put your storage account. Use the same one you created in the portal when you created the storage account there. If you put all of the resources created in this chapter in the same resource group, then at the end you can delete them in one fell swoop by deleting the resource group.

If you want to create a new resource group, you can do that with the New-AzureRmResourceGroup cmdlet like this:

> New-AzureRmResourceGroup -Name "nameofgroup" -Location "location"

An example of Location is West US.

You can retrieve a list of resource groups by using the Get-AzureRmResourceGroup cmdlet. When you run this, you see the resource group you set up when creating the storage account in the portal (Figure 4-21).

Figure 4-21 Show available resource groups.

4. Now let's create the storage account. You want to create a Resource Manager storage account and specify the resource group. You also specify the storage account name, the location, and the type, which is for the redundancy type. You want to use locally redundant storage for the same reasons mentioned when creating the storage account using the Azure portal. Select your own storage account name. Here's what the command looks like (the resource group parameter is -ResourceGroupName):

> New-AzureRmStorageAccount -ResourceGroupName "bookch4rg" -StorageAccountName "bookch4ps" -Location "West US" -Type "Standard_LRS"

For a full list of locations, you can run the PowerShell cmdlet Get-AzureRmLocation.

Fill in your own values, and when you're ready, press Enter to execute the command. It will take a couple of minutes. When it's done, it will show you your new storage account. It should look like Figure 4-22.

Figure 4-22 The PowerShell output from creating the storage account.

If you log into the Azure portal, you can see your new resource group and the new storage account in the resource group.

CREATE A CONTAINER AND UPLOAD BLOBS USING POWERSHELL

Now you'll create a container and upload some blobs. In the example, the test files are in D:\_TestImages. That path is used when uploading those files to Blob storage.

Note These cmdlets are Azure Storage data-plane cmdlets, not Azure Service Management (ASM) or Azure Resource Manager cmdlets, which are management-plane cmdlets. The cmdlet to create a storage account is a management-plane cmdlet. These data-plane cmdlets can be used with both ASM and Resource Manager storage accounts.

If you're not running the PowerShell ISE and are logged into your Azure account, do that now. You're going to create a script that you can save and use later. In addition to the path to your local pictures, you will need the name and access key of your storage account.

1. Set up variable names for the storage account name and key: $StorageAccountName and $StorageAccountKey. Fill in your storage account name and key here.

$StorageAccountName = "yourStorageAccountName"
$StorageAccountKey = "yourStorageAccountKey"

2. Next, you'll define the storage account context using the storage account name and key. You will use this context for authentication with subsequent commands against the storage account. This is easier (and safer) than specifying the storage account name and key all the time.

$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName `
    -StorageAccountKey $StorageAccountKey

Note that there is a continuation character (the backward tick mark) at the end of the first line.

3. Next, you'll add a variable for the name of your container, then you'll create the container. The example uses test-ps.

$ContainerName = "test-ps"
# create a new container with public access to the blobs
New-AzureStorageContainer -Name $ContainerName -Context $ctx -Permission Blob

This creates a container in your storage account (as defined by the context) with a permission of Blob, which means the blobs can be accessed on the Internet with a URL.

4. Now you need to set a variable pointing at the local directory with the images. You can upload any files, just remember the larger they are, the longer it will take to upload! Using a variable here makes it easier to change it later in case you use this in multiple places.

$localFileDirectory = "D:\_TestImages\"

5. Now you can upload a blob. First, you'll set a variable name for the blob name to be the same as the file name. Then, append it to the $localFileDirectory variable. The file will be uploaded from the local disk to the specified container.

$BlobName = "SnowyCabin.jpg"
$localFile = $localFileDirectory + $BlobName
Set-AzureStorageBlobContent -File $localFile -Container $ContainerName `
    -Blob $BlobName -Context $ctx

To run the script, press F5. To run parts of the script, highlight the bits you want to run and press F8 (or click the Run Selection icon). If you have to run this repeatedly, you only want to create the container once, so once that's successful, only select commands starting after that. When you run this and upload the file, you get back verification in the command window (Figure 4-23).

Figure 4-23 Upload file to blob storage.

6. To upload more files, copy and paste the three lines of PowerShell, changing the $BlobName variable for each set you paste.
7. After uploading some files, you can list them by using the Get-AzureStorageBlob PowerShell cmdlet.

# get list of blobs and see the new one has been added to the container
Get-AzureStorageBlob -Container $ContainerName -Context $ctx

Figure 4-24 List of files uploaded to blob storage.

You can also see the container and blobs if you log into the Azure portal and go to the storage account.

There are also PowerShell commands for downloading blobs, deleting blobs, copying blobs, etc.

CREATE A FILE SHARE AND UPLOAD FILES USING POWERSHELL

Now you're going to create a file share in the storage account and upload some files to it using PowerShell. This is very similar to the PowerShell for uploading blobs.

In our example, the storage account is called bookch4ps; the test files are in D:\_TestImages. That path is needed when uploading those files to File storage.

If needed, run the PowerShell ISE and log into your Azure account. You're going to create a script that you can save and use later. In addition to the path to your local pictures, you will need the name and access key of your storage account.

1. Set up variable names for the storage account name and key: $StorageAccountName and $StorageAccountKey. Fill in your storage account name and key.

$StorageAccountName = "yourStorageAccountName"
$StorageAccountKey = "yourStorageAccountKey"

2. Next, you'll define the storage account context using the storage account name and key. You will use this context for authentication with subsequent commands against the storage account. This is easier (and safer) than specifying the storage account name and key all the time.

$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName `
    -StorageAccountKey $StorageAccountKey

Note that there is a continuation character at the end of the first line (the backward tick mark).

3. Now you'll set the variable for the name of the file share to whatever you like; the example will use psfileshare. Then, you'll create the new file share, assigning it to the variable $s.

$shareName = "psfileshare"
$s = New-AzureStorageShare $shareName -Context $ctx

4. Now set a variable for the local location of the files to be uploaded.

$localFolderName = "D:\_TestImages\"

5. Now you can do the actual upload of the file. Set a variable for the file name, create the local path (directory + file name), and then use the PowerShell cmdlet Set-AzureStorageFileContent to upload the file. The -Path value is the directory on the share that receives the file; that directory must already exist on the share (New-AzureStorageDirectory -Share $s -Path images creates it).

$fileName = "DogInCatTree.png"
$localFile = $localFolderName + $fileName
Set-AzureStorageFileContent -Share $s -Source $localFile -Path images

6. Copy this a couple of times and run it with different file names to upload multiple files. Now run the script and watch as it echoes the successful commands back to you.
7. You can call Get-AzureStorageFile to retrieve the list of files in the root of the file share.

Get-AzureStorageFile -Share $s

8. Figure 4-25 shows the output from the example.

Figure 4-25 Files uploaded to the file share.

There are also PowerShell commands for downloading files, deleting files, copying files, etc.

AZCOPY: A VERY USEFUL TOOL

Before finishing the chapter on Azure Storage, you need to know about AzCopy. This is a free tool provided by the Azure Storage team to move data around. The core use case is asynchronous server-side copies. When you copy blobs or files from one storage account to another, they are not downloaded from the first storage account to your local machine and then uploaded to the second storage account. The blobs and files are copied directly within Azure.

Here are some of the things you can do with AzCopy:
• Upload blobs from the local folder on a machine to Azure Blob storage.
• Upload files from the local folder on a machine to Azure File storage.
• Copy blobs from one container to another in the same storage account.
• Copy blobs from one storage account to another, either in the same region or in a different region.
• Copy files from one file share to another in the same storage account.
• Copy files from one storage account to another, either in the same region or in a different region.
• Copy blobs from one storage account to an Azure File share in the same storage account or in a different storage account.
• Copy files from an Azure File share to a blob container in the same storage account or in a different storage account.
• Export a table to an output file in JSON or CSV format. You can export this to blob storage.
• Import the previously exported table data from a JSON file into a new table. (Note: It won't import from a CSV file.)

As you can see, there are a lot of possibilities when using AzCopy. It also has a bunch of options. For example, you can tell it to only copy data where the source files are newer than the target files. You can also have it copy data only where the source files are older than the target files. And you can combine these options to ask it to copy only files that don't exist in the destination at all.

AzCopy is frequently used to make backups of Azure Blob storage. Maybe you have files in Blob storage that are updated by your customer frequently, and you want a backup in case there's a problem. You can do something like this:
• Do a full backup on Saturday from the source container to a target container and put the date in the name of the target container.
• For each subsequent day, do an incremental copy: copy only the files that are newer in the source than in the destination.

If your customer uploads a file by mistake and contacts you before the end of the day, you can retrieve the previous version from the backup copy.

Here are some other use cases:
• You want to move your data from a classic storage account to a Resource Manager storage account. You can do this by using AzCopy, and then you can change your applications to point to the data in the new location.
• You want to move your data from general-purpose storage to cool storage. You would copy your blobs from the general-purpose storage account to the new Blob storage account, then delete the blobs from the original location.
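The three copy modes described above (only newer, only older, and only what is missing from the destination) and the weekly full plus daily incremental backup scheme are easier to reason about when the selection rule is written down. The following is an added example, not code from the book and not AzCopy itself: a local model of which blobs each mode transfers, with the skip_older and skip_newer switches standing in for the tool's exclude-older and exclude-newer options. The container listings are constructed dicts of blob name to last-modified time.

```python
"""Which blobs does an incremental copy touch? A local model of the AzCopy
copy modes described above.

Added example, not code from the book and not AzCopy itself. SOURCE and
BACKUP are constructed listings (blob name -> last-modified time) standing
in for the customer's container and the dated backup container.
"""
from datetime import date, datetime


def backup_container_name(prefix, day):
    """Name for the weekly full-backup target, with the date in the name."""
    return f"{prefix}-{day.isoformat()}"


def select_for_copy(source, target, skip_older=False, skip_newer=False):
    """Return the sorted blob names a copy from source to target transfers.

    skip_older: leave out source blobs whose target copy is the same age or newer
    skip_newer: leave out source blobs whose target copy is the same age or older
    Both together: only blobs that do not exist in the target at all.
    A blob absent from the target is always copied; with neither switch set,
    every source blob is copied (a full copy).
    """
    chosen = []
    for name, src_time in source.items():
        dst_time = target.get(name)
        if dst_time is None:
            chosen.append(name)
            continue
        if skip_older and src_time <= dst_time:
            continue
        if skip_newer and src_time >= dst_time:
            continue
        chosen.append(name)
    return sorted(chosen)


def incremental_backup(source, target):
    """Daily step of the backup scheme: copy only what is newer in the source.
    Returns the names transferred and the target listing after the copy, so
    the previous version of anything else is still held in the backup."""
    names = select_for_copy(source, target, skip_older=True)
    updated = dict(target)
    for name in names:
        updated[name] = source[name]
    return names, updated


def _t(day, hour):
    return datetime(2015, 11, day, hour)


# Constructed listings. The full backup was taken on Saturday 14 Nov; since
# then b.jpg was modified, new.jpg was added, and c.jpg is an older copy.
SOURCE = {"a.jpg": _t(14, 9), "b.jpg": _t(16, 12), "c.jpg": _t(13, 8), "new.jpg": _t(16, 11)}
BACKUP = {"a.jpg": _t(14, 9), "b.jpg": _t(14, 9), "c.jpg": _t(14, 9)}

if __name__ == "__main__":
    print(backup_container_name("backup", date(2015, 11, 14)))
    print("newer only   :", select_for_copy(SOURCE, BACKUP, skip_older=True))
    print("older only   :", select_for_copy(SOURCE, BACKUP, skip_newer=True))
    print("missing only :", select_for_copy(SOURCE, BACKUP, skip_older=True, skip_newer=True))
```

The model makes one property of the scheme visible: an incremental copy overwrites the backup's copy of any blob the customer has since changed, so the previous version is only recoverable until the next daily run, which is why the text says the customer has to contact you before the end of the day.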

THE AZURE DATA MOVEMENT LIBRARY

Many people wanted to be able to call AzCopy with their own specialized case. Because of this, the Azure Storage team open sourced the Azure Storage Data Movement Library, giving you programmatic access to AzCopy. For more information, check out the repository and samples on GitHub at https://github.com/Azure/azure-storage-net-data-movement.
