
Az 104

This document provides an overview of the skills and concepts measured in the Microsoft Azure Administrator (AZ-104) certification exam. It outlines the main areas covered, including managing identities and governance, implementing and managing storage, deploying and managing compute resources, configuring virtual networking, and monitoring and backing up resources. The exam focuses on administering Azure services at an administrator level across storage, networking, identity, and monitoring domains.

Uploaded by: ISLEM GHOUMA

Instructor: Rithin Skaria
Certification Roadmap

AZ-900 (Azure Fundamentals) is optional. Passing score for AZ-104 is 700.

Exam domains and their weight:
Manage identities and governance: 15-20%
Implement and manage storage: 15-20%
Deploy and manage compute resources: 20-25%
Configure and manage virtual networking: 25-30%
Monitor and backup resources: 10-15%

Exam AZ-104: Skills Measured

As an administrator, you need to implement, manage and administer compute, network, storage, identity, governance and monitoring. This includes creating, updating, resizing, and deleting resources in cloud infrastructure as needed.
One of the prerequisites for the course is basic knowledge of Azure services and strong knowledge of compute, storage, and network concepts. In large enterprise organizations, you will be part of a team which focuses on administering one or more Azure services.
Exam AZ-104: Microsoft Azure Administrator

Understand the basics of Azure Active Directory and how it's different from traditional AD, along with user management and group management in Azure AD.
Managing Azure Subscriptions and implementing governance using Azure Policy, Azure Tags and Role Based Access Control.
Learn how to manage Azure Virtual Networks and some of the core networking concepts such as User Defined Routes, Azure DNS, Azure Firewall and Network Security Groups.
Start planning and deploying your virtual machines to Azure. Understand how to set up scaling and high availability for Azure VMs.
Load Balancing is required to balance the requests between our Azure workloads. Explore the different load balancing solutions available in Azure.
Learn how to deploy Azure-to-Azure connectivity and Azure-to-on-premises connectivity.
Start automating resource deployment using ARM templates and configure your VMs with the help of VM Extensions.
Learn how to secure your Azure Storage Accounts.
Understand how to work with storage services like Azure Blobs and Azure Files.
Get familiarized with tools that can be used to manage Azure Storage. Explore Azure Storage Explorer, AzCopy, and the Import/Export service.
Learn Azure App Service Plans and Azure App Service.
Explore Azure Container Instances and Azure Kubernetes Service.
Learn how to set up backup and disaster recovery in Azure.
Set up network monitoring tools to troubleshoot network related issues.
Configure monitoring for Azure resources.


Course modules by exam domain:
Manage identities and governance (15-20%): Managing Azure Active Directory; Subscription and Governance.
Implement and manage storage (15-20%): Securing storage; Administering Azure Blobs and Azure Files; Managing Storage.
Deploy and manage compute resources (20-25%): Configure Virtual Machines; Automating deployment and configuration; Azure App Services; Configuring containers.
Configure and manage virtual networking (25-30%): Implementing virtual networking; Load Balancing; Intersite connectivity.
Monitor and backup resources (10-15%): Implement backup and recovery; Network Monitoring; Resource Monitoring.
Managing Azure Active Directory – Section Overview
Identity: Learn how to use Azure Active Directory to secure your identities. Also, understand how users and groups are implemented in Azure AD.
Azure Active Directory: Overview of Azure AD and concepts related to Azure AD.
Azure AD Join: Joining and registering devices to Azure AD.
Self-Service Password Reset: Enabling users to reset their passwords without reaching out to the IT helpdesk.
User Accounts: Managing users and bulk user operations in Azure AD.
Group Accounts: Group management in Azure AD.
Multi-tenant environments: Managing multiple tenants or directories.
Introduction to Azure AD
Azure Active Directory
Cloud based identity and directory management service enabling access to Azure services and other SaaS solutions like Microsoft 365, DropBox, Concur, Salesforce etc.
Offers self-service options including password reset, authentication, device management, hybrid identities, and single sign-on.
[Diagram: Azure Active Directory at the centre, connected to Devices, Business Partners, SaaS Apps, Applications and On-Premises Active Directory. Image source: Microsoft Docs]


Azure AD Concepts
Identity: Any object that can be authenticated is considered an identity. It could be a user, group, managed identity, or service principal.
Account: When we associate data attributes to an identity, we call it an account. For example, a user will have multiple attributes like location, department, manager, phone number etc.
Azure AD Account: Accounts that are created in Azure AD or another Microsoft cloud service are known as Azure AD Accounts.
Azure AD tenant or directory: Dedicated instance of Azure AD that is created during the sign-up of any Microsoft cloud service subscription. Tenant and directory mean the same thing and can be used interchangeably.

Azure AD vs Active Directory Domain Services
Azure AD: Queried using HTTP/HTTPS. Protocols used for authentication include SAML, WS-Federation and OpenID Connect; OAuth is used for authorization. Federation can be set up with third party providers like Facebook. Azure AD is a managed service offering.
AD DS: Queried using LDAP. Kerberos is used for AD DS authentication. Federation is only to other domains; third party services are not supported. AD DS will be running on VMs or physical servers.
Azure AD Editions
Free: 50,000 directory objects; Single Sign-on & Core IAM; B2B collaboration.
M365 Apps: No directory object limit; Single Sign-on & Core IAM; B2B collaboration; O365 Identity & Access.
Premium P1: No directory object limit; Single Sign-on & Core IAM; B2B collaboration; O365 Identity & Access; Hybrid identities; Conditional Access.
Premium P2: Everything in Premium P1, plus Identity Protection and Identity Governance.
User Accounts
User accounts are used for authentication and authorization; all users must have an account. Each user account can have optional properties such as address, department etc. All users can be accessed from Azure Active Directory > Users > All Users. We can also perform bulk operations like bulk create, bulk invite, and bulk delete.
Cloud Identities: These are users that exist only in Azure AD. They can be from your Azure AD or from an external Azure AD as well.
Guest Accounts: These are users that exist outside of Azure and are invited for collaboration, e.g. Microsoft accounts, Live accounts etc.
Directory synchronized users: These users are synchronized from your on-premises Windows AD. We cannot create directory synchronized users; they need to be synchronized.
Managing User Accounts
Create a user: This will create a user in your Azure AD. The identity created as part of this process will have a sign-in name from your tenant.
Invite a user: This will help us to invite guest users to collaborate with your organization. An invitation will be sent to the email address, and they must accept the invitation to start collaborating.
Delete a user: Users can be deleted if needed. Deleted users will be retained for 30 days and can be restored during this window.
All sign-in and audit logs can be tracked.


User Accounts – Bulk Operations
Bulk operations let you download a CSV template where you add the users you want to create, delete, or invite. Using bulk operations, we can easily perform these operations rather than doing them one by one.
Bulk create: Create users in bulk.
Bulk invite: Invite external users for collaboration in bulk.
Bulk delete: Delete existing users in bulk.
Download users: Creates an export of all users in the directory.


Group Accounts
Group Types: Security groups; Microsoft 365 groups.
Assignment Types: Assigned; Dynamic user; Dynamic device (only for the Security group type).


Azure AD Join
Single sign-on: Enable SSO for your apps, services, and SaaS solutions.
Access to Microsoft Store for Business: Publish your internal applications to Microsoft Store for Business for internal users.
Enterprise State Roaming: Synchronize your user settings and configuration across devices.
Windows Hello support: For supported Windows devices, users can use facial or biometric sign in.
Device Management: Check device compliance and restrict access to applications.
Access to on-prem apps: Enable seamless access to on-premises applications and resources.
Self service password reset (SSPR)
Enables users to reset their password without the need to call the IT helpdesk.
Set up multiple methods for resetting the password.
Requires a Premium P2 license as this is a premium feature.
Target all users or a group of users and enable SSPR.
For admin accounts, SSPR is enabled by default.
Step 1: Enable SSPR for all users or for selected groups.
Step 2: Set up the number of authentication methods required for a reset and the available methods.
Step 3: Users will be requested to register for SSPR during their next sign in, where they can enable their reset method.
Multi tenant environments
Relationship independence: Each Azure AD organization or tenant is fully independent. There is no parent-child relationship between these tenants. Each tenant will be considered as a separate entity.
Resource independence: Creation or deletion of a resource in one tenant has no impact on any resource in another tenant.
Administration independence: The level of permissions of a user is only valid within the tenant. If a user is Global Administrator in one tenant and a non-admin user in another tenant, that user will not have admin rights in the tenant where the user is non-admin.
Synchronization independence: We can set up synchronization of account data for each Azure AD tenant independently.
Managing Subscriptions
Azure Subscriptions
Logical container that defines the billing boundary for the usage.
Resources deployed in Azure will be mapped to an Azure subscription.
Subscriptions can also help in setting up environmental boundaries.
Every subscription will have a unique ID and it's called the subscription ID.
An account can have multiple subscriptions.
Identities that are part of Azure AD or an identity from any trusted Microsoft cloud service can sign up for a subscription.
There are different types of subscriptions based on the use case scenario.
Subscriptions also act as a scope for access management.
Subscription offer types
Enterprise Agreements: Recommended for organizations with 500 or more users or devices; offers the cloud services and software licenses at discounted rates.
Pay-as-you-go: Ideal for small organizations where they don't have the budget to make upfront agreements.
Cloud Solution Provider: Subscriptions licensed via Microsoft Partners, ideal for small to medium organizations. Billing is managed by the partner.
Free Trial: $200 credit for 30 days and free limited access for 12 months.
Azure for Students: Students are eligible for $100 credit for 12 months upon verification of student credentials.
Visual Studio: Credit based subscriptions offered to Visual Studio Professional and Enterprise subscribers.
Understanding the hierarchy
Management groups: Management groups offer a scope above subscriptions by which you will be able to group subscriptions together. The Root Management group is created by default, and you can have up to 6 levels of nested groups excluding the root group.
Resource groups: Each subscription will contain one or more resource groups for logically grouping resources like virtual machines, databases etc.
The hierarchy helps in implementing policies, access and cost management.
[Diagram: Root management group > Management groups (IT, Finance) > Subscriptions (Subscription A, Subscription B, Subscription C) > Resource groups (Production, Dev) > Resources]
Working with Role Based Access Control
Role Based Access Control
Enables administrators to grant access to Azure resources and to segregate duties within the team: "The Principle of Least Privilege".
Who? Security Principal: Any identity which is requesting access. It could be a user, group, service principal or managed identity.
What? Role Definition: Defines a set of operations that a particular role can perform. Written in JSON format.
Where? Scope: Limit of access; defines a boundary.
Assignment: Role Assignment: When we attach a role definition to a security principal at a particular scope, it becomes a role assignment. Max: 2000 in each subscription.
Role Definition
Built-in roles: Owner, Contributor, Reader, User Access Administrator, Virtual Machine Contributor, ...
Custom roles: Helpdesk Admin, Webapps Operator (examples)
Example built-in role definition (Contributor):
{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}
Scope

Management Group

Subscription

Resource Group

Resources
Azure RBAC vs Azure AD Roles
Azure RBAC: Used to manage access to Azure resources. Scopes include Management groups, Subscriptions, Resource Groups, and Resources. Role assignments can be managed via Azure Portal, Azure PowerShell, Azure CLI, ARM templates, and REST API. Example roles include Owner, Contributor, Reader, User Access Administrator etc.
Azure AD Roles: Used to manage Azure AD features. Scope is at the Azure AD tenant level. Roles can be managed via Azure Portal, M365 Admin Portal, Microsoft Graph API, Azure AD and Graph PS module. Example roles include Global Administrator, Billing Administrator, Global Reader etc.
Azure RBAC vs Azure AD Roles
[Diagram: Azure AD Admin Roles (Global admin, Application admin, Application developer, Billing admin) apply to the Azure Active Directory Tenant. A Global Admin can elevate access to become User Access Admin at the root ("/") scope. Azure RBAC Roles (Owner, Contributor, Reader, User access admin) apply at the Root Management Group, Management Group, Subscription, Resource Group and Resource scopes.]
Image source: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?WT.mc_id=modinfra-28824-socuff


Built-in roles and Custom Roles
Built-in roles
Built-in roles are roles offered by Azure which we can assign to users, groups, service principals, and managed identities. Following are the fundamental roles that you need to be aware of.
Owner: Full access to all resources and can delegate access to other users.
Contributor: Create and manage all types of resources; however, cannot grant access to others.
Reader: Read access to all resources, no permission to make changes to the resources.
User Access Administrator: User access to Azure resources can be managed using this role.
Custom RBAC Roles
Custom RBAC roles can be used to create fine tuned roles for your environment, if the built-in roles don't meet your specific needs.
Custom roles can be created from Azure Portal, Azure PowerShell, Azure CLI and REST API.
Each directory can have up to 5000 custom roles.
We can assign custom roles to users, groups, and service principals at any scope, the same way we work with built-in roles.
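As an added example (not the course's own code), the following Python models the role-definition rules above: effective permissions are Actions minus NotActions, "*" wildcards match case-insensitively, and an assignment at a scope is inherited by child scopes. The Contributor definition is copied from the slide; the VM Operator custom role, the subscription id and the principals alice and bob are constructed for this example.

```python
"""Effective-permission check for Azure RBAC role definitions (added example, not course code)."""
import fnmatch

# Contributor built-in role; Actions/NotActions copied from the slide's JSON.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
    ],
}

# Hypothetical custom role (constructed for this example): a helpdesk operator who may
# view, start and restart VMs but never create, change or delete them, or grant access.
VM_OPERATOR = {
    "Name": "VM Operator (custom, constructed)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
}


def matches_any(action, patterns):
    """Operation names are case-insensitive; '*' in a pattern matches any run of characters,
    '/' included, so 'Microsoft.Authorization/*/Write' covers 'Microsoft.Authorization/roleAssignments/write'."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def role_allows(role, action):
    """Effective permissions of a role definition = Actions minus NotActions.
    NotActions is a subtraction, not a deny: a second assignment can still grant the action."""
    return matches_any(action, role["Actions"]) and not matches_any(action, role["NotActions"])


def scope_covers(assignment_scope, target_scope):
    """A role assignment applies at its scope and is inherited by every child scope."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_permitted(assignments, principal, action, target_scope):
    """Azure RBAC is additive: permitted if any assignment for the principal covers the
    target scope and its role's effective permissions include the action.
    (Deny assignments are ignored here.)"""
    return any(p == principal and scope_covers(scope, target_scope) and role_allows(role, action)
               for p, role, scope in assignments)


# Constructed sample scopes and assignments (principal, role definition, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RG = SUB + "/resourceGroups/rg-web-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web-prod-eus"
OTHER_VM = SUB + "/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2"
ASSIGNMENTS = [
    ("alice", CONTRIBUTOR, SUB),  # Contributor on the whole subscription
    ("bob", VM_OPERATOR, RG),     # custom role on one resource group only
]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),  # Contributor cannot grant access
        ("bob", "Microsoft.Compute/virtualMachines/restart/action", VM),
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM),
        ("bob", "Microsoft.Compute/virtualMachines/read", OTHER_VM),      # outside bob's scope
    ]
    for who, action, scope in checks:
        print(f"{who:5} {action:50} {'ALLOW' if is_permitted(ASSIGNMENTS, who, action, scope) else 'DENY'}")
```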
Managing access using Azure Portal
Azure Tags
Adding metadata: Using tags we can add metadata to our subscriptions, resource groups, and resources.
Logical grouping: With tags, we can logically filter our resources for management purposes.
Name-value pair: Tags use a name-value pair. The tag name is limited to 512 characters and the tag value is limited to 256 characters. The maximum number of tags we can assign is limited to 50.
Cost Management: Tags can be used to filter Azure usage and cost management. The tags added to resources will be propagated to the Azure Billing system.
Tags don't follow inheritance by default; we can use Azure Policy to inherit tags from the resource group or subscription.
Resource Locks
Avoids accidental changes: With the help of resource locks, we can protect our resources from accidental changes or deletion.
Inheritance: Locks can be applied at the subscription, resource group, and resource level. The lock will be inherited by the lower scopes.
Read-only locks: Resources with read-only locks cannot be modified, and this will prevent any changes to the resource.
Delete locks: Resources with a delete lock can be modified; however, they cannot be deleted. Ideal for resources which you would like to modify and at the same time prevent from accidental deletion.
Analyzing costs
Cost Analysis: We can analyze the current spending and see the cost forecast. We can also connect our AWS cost to Azure Cost Management.
Budgets and Recommendations: Using Cost Management, we can define fine tuned budgets targeting specific scopes and further narrow them down using filters. We can also generate cost related recommendations.
Export data: We can export our cost data to a storage account in Azure. The data can be exported as a one-time export or a recurring export which works based on the schedule we define.
Cost savings
Azure Reserved Instances (RI): Instances that are planned for the long term and run 24x7 can be reserved. Reservations can be purchased for 1 year or 3 years with upfront payment or equated monthly payments.
Azure Hybrid Benefit (AHUB): Windows and SQL licenses you have purchased with Software Assurance can be used with your Azure VMs and PaaS services. AHUB is cheaper than PAYG licensing cost.
Credits: Credit based subscriptions such as Visual Studio Enterprise, Visual Studio Professional and MPN could provide you monthly credits that can be used for testing and developing solutions on Azure.
Regions: In Azure, every region has different pricing. When you deploy resources, choose low-cost regions. While selecting low-cost regions, make sure you are not compromising the compliance or performance of your workloads.
[Chart: PAYG 100%, Azure RI 60%, Azure RI + AHUB 80%]
Azure Policy
Helps us to create, manage, and assign policies. Policies can be used to define organizational standards and identify non-compliant resources.
Definition: A policy definition is a JSON document which is used to define the policy and its effect. Azure has built-in policies that we can use, or you can write your own custom policies.
Scope: Like RBAC, we must specify the scope to which we want to enforce the policy. We can scope to a management group, subscription, or resource group.
Assignment: Assignment is the process of assigning a policy definition to a scope. Once it's assigned, policy enforcement is done.
Compliance: After assigning the policy, we can evaluate the compliance to understand compliant and non-compliant resources.
Azure Policy – Use cases
Allowed resource types: Defines a set of resources that can be created in the selected scope.
Require tags: Enforce tags that need to be added to the resources.
Allowed virtual machine SKUs: Defines a set of VM SKUs that can be deployed.
Inherit tags: Inherit tags from the subscription or resource group.
Allowed locations: Defines a set of cloud locations where we can deploy resources.
Allowed resource group locations: List of locations where you can create resource groups.
Initiative
Chaining policy definitions so that they can be assigned as a single item and their compliance can be evaluated together.
Example Azure Initiative made up of the following policies:
Not allowed resource types: Cosmos DB, ExpressRoute, Redis Cache, Cognitive Services
Require a tag on resources: CostCenter
Allowed locations: East US, West US and Central US
Allowed Virtual Machine SKUs: BS, DSv2, DSv3, F, FS
Azure Backup should be enabled for Virtual Machines: Audit all VMs and make sure VM Backup is enabled
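As an added example (not course code), the following Python evaluates compliance for an initiative like the one above: four of the slide's policies are written as if/then definitions, grouped into an initiative, assigned at a resource group scope and checked against constructed resources. The subscription id, the SKU list, the resources and the way the SKU alias is stored on a resource record are assumptions of this example; the backup audit policy is omitted.

```python
"""Mini evaluator for the Azure Policy model on the slides (added example, not course
code): definition (if/then) -> initiative -> assignment at a scope -> compliance."""


def _field(resource, name):
    """'tags[NAME]' reads one tag; any other field name is looked up on the resource record."""
    if name.startswith("tags[") and name.endswith("]"):
        return resource.get("tags", {}).get(name[5:-1])
    return resource.get(name)


def _norm(value):
    return value.lower() if isinstance(value, str) else value  # string comparisons are case-insensitive


def condition_holds(cond, resource):
    """Subset of the policy rule language: field + equals/in/notIn/exists, plus allOf/anyOf/not."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


# Definitions mirroring the slide's initiative, with parameters inlined. The "Azure Backup
# should be enabled" audit policy is left out: it needs data that is not on the resource record.
NOT_ALLOWED_TYPES = {"name": "Not allowed resource types", "then": {"effect": "deny"},
                     "if": {"field": "type", "in": ["Microsoft.DocumentDB/databaseAccounts",
                                                    "Microsoft.Network/expressRouteCircuits",
                                                    "Microsoft.Cache/Redis",
                                                    "Microsoft.CognitiveServices/accounts"]}}
REQUIRE_TAG = {"name": "Require a tag on resources", "then": {"effect": "deny"},
               "if": {"field": "tags[CostCenter]", "exists": "false"}}
ALLOWED_LOCATIONS = {"name": "Allowed locations", "then": {"effect": "deny"},
                     "if": {"field": "location", "notIn": ["eastus", "westus", "centralus"]}}
ALLOWED_VM_SKUS = {"name": "Allowed Virtual Machine SKUs", "then": {"effect": "deny"},
                   "if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                                    {"field": "Microsoft.Compute/virtualMachines/sku.name",
                                     "notIn": ["Standard_B2s", "Standard_DS2_v2", "Standard_D2s_v3", "Standard_F2s"]}]}}
INITIATIVE = [NOT_ALLOWED_TYPES, REQUIRE_TAG, ALLOWED_LOCATIONS, ALLOWED_VM_SKUS]


def in_scope(assignment_scope, resource_id):
    """An assignment covers its scope and everything beneath it."""
    scope = assignment_scope.lower().rstrip("/")
    return resource_id.lower() == scope or resource_id.lower().startswith(scope + "/")


def evaluate(assignments, resources):
    """assignments: list of (initiative, scope). Returns {resource id: [(policy name, effect), ...]}
    for every resource covered by at least one assignment; an empty list means compliant."""
    report = {}
    for res in resources:
        for policies, scope in assignments:
            if in_scope(scope, res["id"]):
                hits = report.setdefault(res["id"], [])
                hits += [(p["name"], p["then"]["effect"]) for p in policies if condition_holds(p["if"], res)]
    return report


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def rid(rg, rtype, name):
    return f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}"


VM_TYPE = "Microsoft.Compute/virtualMachines"
RESOURCES = [  # constructed sample resources; the sku alias is stored as a plain key (simplification)
    {"id": rid("rg-prod", VM_TYPE, "web-prod-eus"), "type": VM_TYPE, "location": "eastus",
     "tags": {"CostCenter": "1234"}, "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s"},
    {"id": rid("rg-prod", VM_TYPE, "big-gpu"), "type": VM_TYPE, "location": "westeurope",
     "tags": {}, "Microsoft.Compute/virtualMachines/sku.name": "Standard_NC6"},
    {"id": rid("rg-prod", "Microsoft.Cache/Redis", "cache1"), "type": "Microsoft.Cache/Redis",
     "location": "eastus", "tags": {"CostCenter": "1234"}},
    {"id": rid("rg-sandbox", "Microsoft.Cache/Redis", "cache2"), "type": "Microsoft.Cache/Redis",
     "location": "eastus", "tags": {}},  # outside the assignment scope: never evaluated
]
ASSIGNMENTS = [(INITIATIVE, SUB + "/resourceGroups/rg-prod")]

if __name__ == "__main__":
    for res_id, hits in evaluate(ASSIGNMENTS, RESOURCES).items():
        print(res_id.rsplit("/", 1)[-1], "->", hits or "compliant")
```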
Creating and configuring virtual networks
Virtual Networks
Representation of cloud network: Logical representation of your network in the cloud. Azure Virtual Networks (VNets) help us to create and manage networking in Azure.
Dedicated instance: Every VNet instance in Azure is private and dedicated.
Hybrid scenarios: With the help of VNets, we can extend our communication to on-premises datacenters and other cloud providers securely.
Connectivity between Azure services: Virtual Network is responsible for facilitating connectivity between Azure Virtual Machines and other Azure services. It also enables Azure VMs to connect to the Internet.
Virtual Network Concepts
Region: Azure regions represent a set of datacenters which are part of different availability zones. Each Azure region can contain one or more virtual networks.
Virtual Network: Each virtual network we create should have an address space. You can use private (RFC 1918) or public addresses for your address space. The thumb rule is do not let your address space overlap with other VNet address spaces or your on-premises address space. Whenever we create a resource in the VNet, the IP address is given from this address space.
Subnets: Subnets help us to segment our VNet address space into smaller subnetworks based on your requirement. Each of these subnetworks can be used to host different types of workloads. Every resource in the subnet will get an IP address from the address range allocated to the subnet.
[Diagram: Region > Virtual Network (192.168.0.0/16) containing GatewaySubnet 192.168.0.0/24, frontendSubnet 192.168.1.0/24 and databaseSubnet 192.168.2.0/24]
Private and Public IP addresses
Private IP addresses
Used within Azure Virtual Networks, and with hybrid scenarios involving VPN Gateways and ExpressRoute connections.
[Diagram: Virtual Network (192.168.0.0/16); GatewaySubnet 192.168.0.0/24 with 192.168.0.4; frontendSubnet 192.168.1.0/24 with 192.168.1.4, 192.168.1.5, 192.168.1.6 and 192.168.1.7; databaseSubnet 192.168.2.0/24 with 192.168.2.4, 192.168.2.5, 192.168.2.6 and 192.168.2.7]
Allocation methods:
Static: Helps in setting up a static IP address for domain controllers, web servers and DNS servers, which does not change even if the servers are rebooted. Also used with services such as internal LBs and Application Gateways.
Dynamic: This is the default option, where the IP address is dynamically allocated from the address pool. If you restart a server and the previous IP address is not available, Azure will assign another available IP address from the address space.
Public IP addresses
Allocation types: Static and Dynamic
SKU: Basic and Standard
[Diagram: Virtual Network (192.168.1.0/24) with subnet "default" (192.168.1.0/24); a VM with private IP address 192.168.1.4, used in VNet and on-premises connections (VPN gateway or ExpressRoute), and a public IP address used for Internet and public facing services]
Feature comparison, Basic SKU vs Standard SKU:
IP Allocation: Basic: Static/Dynamic. Standard: Static.
Security: Basic: By default, open. Standard: By default, closed.
Resources: Basic: Virtual Machine NIC, VPN Gateways, Public Load Balancers, Application Gateways. Standard: Virtual Machine NIC, Public Load Balancers, Application Gateways.
Redundancy: Basic: No zone redundancy. Standard: Zone redundant.
User Defined Routes
[Diagram: Virtual Network (192.168.0.0/16) with frontendSubnet 192.168.1.0/24 and databaseSubnet 192.168.2.0/26]
System routes cover:
Communication between VMs in the same subnet
Communication between VMs in different subnets in the same virtual network
Communication from a VM to the Internet
Communication via Site-to-Site and ExpressRoute connections while using VPN gateways
User Defined Routes
[Diagram: Virtual Network (192.168.0.0/16) with dmzSubnet 192.168.0.0/24 hosting an NVA, frontendSubnet 192.168.1.0/24 and databaseSubnet 192.168.2.0/26; the system route between the subnets is overridden by a route table that sends traffic via the NVA]
The next hop can be a virtual network gateway, virtual network, internet, or virtual appliance.
Service Endpoints
[Diagram: Virtual Network (192.168.0.0/16), workloadSubnet 192.168.1.0/24, Virtual Machine 192.168.1.4 reaching the storage account "kodekloud" (Azure Storage Service) through a Service Endpoint over the service's public IP; source IP seen by the service: VM private IP; storage firewall rule: Allow VNet - workloadSubnet]
Benefits: Access Azure services with better security. Leverages the Microsoft backbone network. Ease of setup and management.
Supported services include Azure Storage, Azure SQL Database, Azure Synapse Analytics, Azure Database for PostgreSQL server, Azure Database for MySQL server, Azure Database for MariaDB server, Azure Cosmos DB, Azure Key Vault, Azure Service Bus, Azure Event Hubs, ADLS Gen1, Azure App Service, Azure Cognitive Services, and Azure Container Registry (preview).
Private Link
[Diagram: Virtual Network (192.168.0.0/16), workloadSubnet 192.168.1.0/24, Virtual Machine 192.168.1.4 reaching the storage account "kodekloud" (Azure Storage Service) through a Private Endpoint in the subnet that is connected to the service by Private Link]
Benefits: Connect to Azure services via a private connection. Seamless integration with on-premises and peered networks. Eliminates risk of data exfiltration. Direct availability in Azure VNets.

Azure DNS
DNS hosting: Azure DNS will help us host safe and reliable DNS zones for name resolution. We will be creating records inside this DNS zone.
Naming convention: The zone name should be unique within the resource group. You can have the same zone within multiple resource groups; in this case the name servers will be different for these zones.
Delegation: You can create delegated DNS zones in Azure DNS; your on-premises DNS servers can provide the Azure DNS name servers for name resolution.
Record Sets: Records having the same name and type are grouped together to form record sets. The maximum number of records allowed in a record set is 20 and they need to be unique.
[Diagram: a DNS query for azure.kodekloud.org reaches the on-premises DNS servers for kodekloud.org and is delegated to the Azure DNS name servers (NS) of the delegated DNS zone]
Example query against the delegated zone:
dig @ns1-09.azure-dns.com. azure.kodekloud.org A
Private DNS zones
Name resolution for services deployed in Azure Virtual Networks.
[Diagram: private DNS zone kodekloud-internal.com linked to vnet-a (10.0.0.0/24, hosting vm-01, vm-02, vm-03) and vnet-b (10.1.0.0/24, hosting vm-04, vm-05, vm-06)]
Records in the zone (Name: IP):
vm-01: 10.0.0.4
vm-02: 10.0.0.5
vm-03: 10.0.0.6
vm-04: 10.1.0.4
vm-05: 10.1.0.5
vm-06: 10.1.0.6
Network Security Groups
Filter traffic: NSGs operate at layer 4 and allow us to filter the incoming and outgoing traffic of a virtual network.
Rule set: An NSG comprises a set of priority-based rules that can be used to allow or deny inbound or outbound traffic.
Association: NSGs can be associated to subnets and network interfaces. You can associate multiple subnets and network interfaces to a single NSG.
Evaluation: Rules applied at the subnet and network interface level are evaluated separately. Traffic requires an "allow" rule at both levels to be admitted.
Network Security Group Rules
Rules are evaluated based on priority. There is a set of default rules which cannot be modified or deleted. Nevertheless, we can override these rules by creating rules with higher priority. Rules can be created based on the following attributes besides the IP details:
Service: You can choose custom or predefined services such as HTTP, HTTPS, RDP, SSH etc. to allow the respective ports.
Port range: You can configure ports or a port range.
Priority: The lower the number, the higher the priority. Values range from 100-4096. Values in the 65000 range are for default rules.
Action: Allow or Deny.

Effective Security Rules
Inbound traffic: Source → Subnet NSG → Network Interface NSG
Outbound traffic: VM → Network Interface NSG → Subnet NSG
[Diagram: HTTP traffic passing the subnet NSG and then the network interface NSG before reaching the VM, and the reverse order on the way out]
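As an added example (not course code), the following Python simulates the evaluation described above: rules sorted by priority with the first match deciding, the default 65000-range rules that can only be overridden by a higher-priority custom rule, and inbound traffic needing an allow at the subnet NSG and then at the NIC NSG. The two NSGs, the sample flows and the simplified service-tag matching (VirtualNetwork = 192.168.0.0/16, Internet = anything outside RFC 1918) are assumptions of this example.

```python
"""NSG rule evaluation as described on the slides (added example, not course code):
priority order, non-deletable default rules, and subnet-then-NIC effective rules."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("192.168.0.0/16")  # the slide's VNet address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    priority: int         # 100-4096 for custom rules; 65000+ is reserved for default rules
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str = "*"   # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"     # CIDR, "VirtualNetwork", "Internet", "AzureLoadBalancer" or "*"
    source_port: str = "*"
    dest: str = "*"
    dest_port: str = "*"  # "80", "1000-2000" or "*"


def _addr_match(spec, ip):
    """Simplified service tags (assumption): VirtualNetwork = the VNet space,
    Internet = any non-RFC1918 address, AzureLoadBalancer = the 168.63.129.16 probe source."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return not any(addr in n for n in RFC1918)
    if spec == "AzureLoadBalancer":
        return addr == ipaddress.ip_address("168.63.129.16")
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# The default rules Azure adds to every NSG; they cannot be edited, only out-prioritised.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def evaluate_nsg(rules, direction, proto, src, sport, dst, dport):
    """Lowest priority number wins: the first rule matching every attribute decides."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda x: x.priority):
        if (r.direction == direction and (r.protocol == "*" or r.protocol.lower() == proto.lower())
                and _addr_match(r.source, src) and _port_match(r.source_port, sport)
                and _addr_match(r.dest, dst) and _port_match(r.dest_port, dport)):
            return r.access == "Allow", r.name
    return False, "no rule"  # unreachable: a DenyAll default always matches


def effective(subnet_nsg, nic_nsg, direction, proto, src, sport, dst, dport):
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG.
    Both must allow; returns (admitted, names of the deciding rules)."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    decided = []
    for nsg in order:
        allowed, name = evaluate_nsg(nsg, direction, proto, src, sport, dst, dport)
        decided.append(name)
        if not allowed:
            return False, decided
    return True, decided


# Constructed sample NSGs for the slide's frontendSubnet (192.168.1.0/24) and a VM NIC in it.
SUBNET_NSG = [Rule("subnet-Allow-HTTP-In", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80")]
NIC_NSG = [
    Rule("nic-Allow-HTTP-In", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80"),
    # Overrides the AllowVnetInBound default (65000) because 200 is a higher priority.
    Rule("nic-Deny-SSH-From-VNet", 200, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "*", "22"),
]

if __name__ == "__main__":
    flows = [("Inbound", "Tcp", "203.0.113.10", 51515, "192.168.1.4", 80),
             ("Inbound", "Tcp", "203.0.113.10", 51516, "192.168.1.4", 22),
             ("Inbound", "Tcp", "192.168.2.5", 40000, "192.168.1.4", 22),
             ("Outbound", "Tcp", "192.168.1.4", 40001, "8.8.8.8", 443)]
    for f in flows:
        print(f[0], f"{f[2]}:{f[3]} -> {f[4]}:{f[5]}", effective(SUBNET_NSG, NIC_NSG, *f))
```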
Azure Firewall
Public IP support
Threat Intelligence
Multiple types of rules
Redundancy
Highly available and scalable
[Diagram: hub-and-spoke topology. SpokeNetworkA and SpokeNetworkB are connected VNets peered to CentralVNet, which hosts Azure Firewall in AzureFirewallSubnet; traffic to the Internet is allowed using rules and Threat Intelligence, and traffic is denied by default; CentralVNet also provides connectivity to on-premises]
Planning VMs
Shared responsibility model

Image source: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility


Virtual Machine Planning
We need to plan certain aspects before deploying our virtual machines.
Networking: We need to plan our networking address spaces based on the number of virtual machines you are planning to create. Also, make sure the network address spaces are not overlapping.
Naming: A naming convention helps us in recognizing VMs by looking at their names. Try adding environment, role, service, and region details to VM names. For example, we could name a production webserver in East US "web-prod-eus".
Location: You need to check the availability of VM sizes in Azure regions. Choose low-cost regions if you are flexible with data residency. Also, for production resources choose regions closer to your customers to avoid performance issues. Azure has 60+ regions to choose from.
Pricing: Consider pricing models such as Pay-As-You-Go and Reserved Instances. For low priority development workloads choose Spot VMs. Licensing cost can be reduced by using Azure Hybrid Benefit.
Managing VM sizes
Virtual Machine Sizing
Choosing the virtual machine size and family depends on what type of workload you are running. Azure offers different VM families targeting different types of workloads.
Type: Sizes. Targeted workloads.
General Purpose: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5. Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
Compute optimized: F, Fs, Fsv2, FX. High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
Memory optimized: Esv3, Ev3, Easv4, Eav4, Ebdsv5, Ebsv5, Ev4, Esv4, Edv4, Edsv4, Ev5, Esv5, Edv5, Edsv5, Easv5, Eadsv5, Mv2, M, DSv2, Dv2. High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
Storage optimized: LSv2. High disk throughput and IO; ideal for Big Data, SQL, NoSQL databases, data warehousing and large transactional databases.
GPU: NC, NCv2, NCv3, NCasT4_v3, ND, NDv2, NV, NVv3, NVv4, NDasrA100_v4, NDm_A100_v4. Specialized virtual machines targeted for heavy graphic rendering and video editing, as well as model training and inferencing (ND) with deep learning. Available with single or multiple GPUs.
HPC: HB, HBv2, HBv3, HC, H. Our fastest and most powerful CPU virtual machines with optional high-throughput network interfaces (RDMA).
Confidential computing: DCsv2, DCsv3, and DCdsv3. Confidential computing allows you to isolate your sensitive data while it's being processed. Ideal for banks and hospitals which handle customer PII.
Source: Microsoft documentation – VM sizes


Virtual Machine Storage
A virtual machine has an OS disk, a temporary disk and, optionally, one or more data disks. The temporary disk lives on the local host and its contents are lost on deallocation, resize or redeploy, so it must hold only scratch data such as page or swap files.

Performance tiers
Azure disks can be created in different performance tiers: Standard HDD, Standard SSD, Premium SSD or Ultra SSD. IOPS and throughput vary by tier. Standard HDD is the cheapest option. You can change the tier after creating a disk (between Standard HDD, Standard SSD and Premium SSD, with the VM deallocated; Ultra disks cannot be converted). Premium SSD is required for IO-intensive applications.

Management
When creating VMs you can choose between managed and unmanaged disks. With unmanaged disks, the customer has to manage the underlying storage account that holds the VHD file in Azure Blob Storage. With managed disks, the underlying storage is managed by Microsoft and you simply consume the disk resource. Microsoft recommends managed disks; they are encrypted at rest by default with server-side encryption.
Creating VMs
Creating Virtual Machine (Portal)
• Basics (mandatory): Subscription, Resource group, Region, VM image, Size, administrator account, inbound port rules (avoid opening RDP/SSH to the internet here; connect through Bastion or a jumpbox instead)
• Disks: OS disk type, size, data disks
• Networking: Virtual network, subnet, public IP, NSG, load balancing
• Management: Monitoring, diagnostics account, Azure AD login, Backup, Auto-shutdown
Creating Virtual Machine (PowerShell & Azure CLI)

>_ PowerShell
PS > New-AzVm `
       -ResourceGroupName "web-rg" `
       -Name "vm-01" `
       -Location "East US" `
       -VirtualNetworkName "vm-01-vnet" `
       -SubnetName "default" `
       -SecurityGroupName "vm-01-nsg" `
       -PublicIpAddressName "vm-01-pip"
# New-AzVm prompts for the administrator credential when -Credential is not supplied,
# so the password never appears on the command line.

>_ Azure CLI
$ az vm create \
    --name vm-01 \
    --resource-group web-rg \
    --image Ubuntu2204 \
    --location eastus2 \
    --admin-username adminuser \
    --generate-ssh-keys
# Do not pass --admin-password on the command line: it ends up in shell history and process
# listings. Use SSH keys for Linux (--generate-ssh-keys or --ssh-key-values); for Windows read
# the password from a prompt or Key Vault. The UbuntuLTS image alias is deprecated; Ubuntu2204
# is the current alias.
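The one-liner above gives the VM a public IP and a default NSG. The following added example (not part of the original course material) builds the VM from configuration objects instead, which is how you get the choices a security review asks for: no public IP, SSH-key-only login, and an NSG that admits SSH only from the Bastion subnet. Resource names, the Bastion subnet prefix and the key file path are assumptions.

```powershell
# Added example (not from the original slides): a Linux VM with no public IP, SSH keys only, and an
# NSG that admits SSH only from the AzureBastionSubnet. Names, ranges and paths are assumptions.
$rg = "web-rg"; $location = "eastus"; $vmName = "vm-01"
$bastionRange = "192.168.1.0/24"       # assumed AzureBastionSubnet prefix (see the connectivity diagram)

# Existing VNet/subnet (assumed names).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vm-01-vnet"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "default"

# NSG: allow SSH from Bastion, then explicitly deny SSH from anywhere else. The explicit deny is
# needed because the default AllowVnetInBound rule would otherwise admit SSH from any subnet.
$sshFromBastion = New-AzNetworkSecurityRuleConfig -Name "allow-ssh-from-bastion" -Direction Inbound -Priority 100 `
    -Access Allow -Protocol Tcp -SourceAddressPrefix $bastionRange -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22
$denyOtherSsh = New-A­zNetworkSecurityRuleConfig -Name "deny-ssh-from-others" -Direction Inbound -Priority 110 `
    -Access Deny -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name "$vmName-nsg" `
    -SecurityRules $sshFromBastion, $denyOtherSsh

# NIC with a private IP only: no -PublicIpAddressId.
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name "$vmName-nic" `
    -SubnetId $subnet.Id -NetworkSecurityGroupId $nsg.Id

# The cmdlet requires a credential object, but password login is disabled below, so the password
# entered here is never usable for login.
$cred = Get-Credential -UserName "adminuser" -Message "Password is ignored (SSH keys only)"

$vmConfig = New-AzVMConfig -VMName $vmName -VMSize "Standard_B2s" -Zone "1" |
    Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred -DisablePasswordAuthentication |
    Set-AzVMSourceImage -PublisherName "Canonical" -Offer "0001-com-ubuntu-server-jammy" -Skus "22_04-lts-gen2" -Version "latest" |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMOSDisk -CreateOption FromImage -StorageAccountType "StandardSSD_LRS"

# Only the public half of the key pair is sent to Azure; the private key stays on the admin workstation.
$pubKey   = Get-Content -Raw -Path "$HOME/.ssh/id_ed25519.pub"
$vmConfig = Add-AzVMSshPublicKey -VM $vmConfig -KeyData $pubKey -Path "/home/adminuser/.ssh/authorized_keys"

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig

# Sanity check after deployment: the NIC must have no public IP attached.
$null -eq (Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vmName-nic").IpConfigurations[0].PublicIpAddress
```

The `-Zone "1"` argument pins the VM to availability zone 1; for a multi-VM tier you would place each VM in a different zone (see the high-availability section). Without `-Zone` the VM is regional and can instead be placed in an availability set with `-AvailabilitySetId`.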
Connecting to VMs
Connecting to Virtual Machines
Three ways of reaching a VM in a virtual network (192.168.0.0/16 in the diagram):
• Public IP: RDP/SSH directly to a public IP attached to the VM. Simplest, but it exposes the management port to the whole internet.
• Jumpbox: a hardened VM in its own subnet (jumpboxSubnet) carries the only public IP; from it you connect over the private IP to the workload VMs (e.g. 192.168.0.4 in workloadSubnet, 192.168.0.0/24).
• Azure Bastion: a platform-managed host in AzureBastionSubnet (192.168.1.0/24); you connect through the Bastion public IP from the portal, and Bastion opens the RDP/SSH session to the VM's private IP.
Connecting to Virtual Machines

Operating System | Protocol / Port | Authentication method
Windows | RDP (TCP/3389) | Password (or Azure AD login)
Windows | WinRM (TCP/5986) | Certificates (HTTPS listener)
Linux | SSH (TCP/22) | Password or SSH key pair (prefer keys and disable password authentication)
Configuring high availability
Configuring High Availability
Events a single VM cannot survive on its own:
• Unplanned hardware maintenance: Azure predicts that a host is about to fail and live-migrates or redeploys the VM.
• Unexpected downtime: a hardware or network failure takes the host down; the VM is restarted on a healthy host.
• Planned maintenance: Microsoft updates the platform; usually no impact, occasionally a reboot.
Configuring High Availability
Geography > Region > Availability Zone > Datacenter:
• A geography contains several regions (Region A, B, C, D in the diagram).
• A region may have three or more availability zones, each made up of one or more physically separate datacenters with independent power, cooling and networking.

Availability Set
Within a single datacenter, an availability set spreads VMs across fault domains (FD0, FD1, FD2: separate racks with their own power and network switch) and update domains (UD0 to UD4 in the diagram: groups that are rebooted one at a time during planned maintenance). Up to 3 fault domains and 20 update domains can be configured; the default is 5 update domains. Two or more VMs in an availability set carry a 99.95% SLA.

Availability zones
Spreading VMs across Availability Zone 1, 2 and 3 of Region A protects against the loss of an entire datacenter; two or more VMs across zones carry a 99.99% SLA.
Deploying VM Scale Sets

Vertical Scaling
Adding or removing compute power on an instance (changing its size) is called vertical scaling. Increasing compute power is scale up; decreasing it is scale down. This is usually a manual operation and requires a restart of the VM.

Horizontal Scaling
Increasing or decreasing the number of instances is called horizontal scaling. This is usually automated with criteria such as metrics or a schedule, hence it is also called autoscaling. Increasing the instance count is scale out; decreasing it is scale in.
Deploying VM Scale Sets
• Azure Virtual Machine Scale Sets (VMSS) create and manage a group of load-balanced VMs. VMSS supports Azure Load Balancer and Application Gateway.
• The number of instances can be increased or decreased on a schedule, on metrics, or on demand. All VMs in a scale set are created from the same base image and configuration.
• VMs in a scale set can be distributed across availability zones for high availability. If one VM becomes unavailable, customers still reach the application through the other VMs in the scale set.
• With marketplace images and custom images, a scale set can scale up to 1000 instances. A scale set created from a managed image is limited to 600.
Azure Load Balancer
Azure Load Balancer
• Azure Load Balancer is a Layer 4 load balancer that supports Azure Virtual Machines and Virtual Machine Scale Sets in its backend pool; a frontend IP and port are mapped to the backend.
• Offered in two SKUs: Basic and Standard.
• Supports any TCP or UDP protocol.
• Security is managed with Network Security Groups on the backend subnet or NICs; the load balancer itself does no filtering.

Load Balancer SKU
Basic Load Balancer: ideal for testing and development, no SLA offered. The Basic SKU is being retired and should not be used for new deployments.
Standard Load Balancer: recommended for production because of the SLA; offers HTTPS health probes.

Feature | Basic | Standard
Backend pool size | Up to 300 instances | Up to 1000 instances
Health probes | TCP, HTTP | TCP, HTTP, HTTPS
Redundancy | Not available | Zone redundant and zonal
Multiple frontends | Inbound only | Inbound and outbound
Security | Open by default; NSG optional | Closed by default; traffic reaches the backend only when an NSG allows it
SLA | Not applicable | 99.99%

Public Load Balancer
Ideal for public-facing workloads.
• A public load balancer has a public IP address as its frontend.
• The incoming traffic's public IP address and port (port 80 in the diagram) are mapped to the private IP address and port of the backend servers in the WebSubnet of the virtual network.
• With load balancing rules we distribute the traffic across the backend servers.
• Used for all public-facing workloads that require load balancing.

Internal Load Balancer
Ideal for internal workloads.
• An internal load balancer has a private IP address from the virtual network as its frontend, not a public IP.
• Traffic from inside the virtual network, from peered networks, or from on-premises over VPN/ExpressRoute is distributed across the backend servers (in the diagram, the web tier in WebSubnet reaches the data tier in DataSubnet on port 80).
• This load balancer is never exposed to the internet, so its IP address and ports are not visible from the internet.
• Used for internal resources that need to be reached from Azure or from on-premises via a VPN connection.
Load Balancer Rules

Load balancing rules
Incoming traffic to backend pools is distributed with the help of load balancing rules. A rule maps a frontend IP and port to a backend pool and port, and the traffic is distributed accordingly (in the diagram, users reach the WebSubnet VMs through a load balancing rule).

Inbound NAT rules
Instead of a backend pool, we can target a specific virtual machine with an inbound NAT rule. A frontend IP and port combination is forwarded to the IP and port of the designated VM (in the diagram, admins reach one VM's RDP port through the NAT rule 30009:3389). This still exposes the management port on the public IP, so restrict the source address in the NSG or use Bastion instead.

Outbound rules
Allow instances in the backend pool to reach the internet and other endpoints through the frontend public IP (SNAT), with an explicit allocation of outbound ports per instance.
Session Persistence

None (default)
Requests are routed based on a 5-tuple hash of source IP, source port, destination IP, destination port and protocol. Because the source port changes with every new connection, successive connections from the same client can land on different VMs.

Client IP
Also called 2-tuple: the hash of source IP and destination IP is used to route the traffic. Requests are handled by the same VM as long as the source IP and destination IP do not change.

Client IP and protocol
Also called 3-tuple: the hash of source IP, destination IP and protocol is used to route the traffic. Requests from the same IP and protocol are handled by the same VM.
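The rule types and persistence modes above map directly onto the Az cmdlets. The following added example (not part of the original course material) creates a Standard public load balancer with an HTTPS probe, a load balancing rule using Client IP persistence, the inbound NAT rule 30009:3389 from the diagram and an explicit outbound rule, then attaches a NIC and opens the required NSG rules. Resource names, the NIC and the admin source range are assumptions.

```powershell
# Added example (not from the original slides): Standard public load balancer with probe, rules,
# NAT rule and outbound rule. Names, the NIC and the admin range 203.0.113.0/24 are assumptions.
$rg = "web-rg"; $location = "eastus"

$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name "web-lb-pip" `
    -Sku Standard -AllocationMethod Static

$frontend = New-AzLoadBalancerFrontendIpConfig -Name "web-frontend" -PublicIpAddress $pip
$backend  = New-AzLoadBalancerBackendAddressPoolConfig -Name "web-backend"

# HTTPS probe (Standard SKU only): a VM leaves the rotation after two consecutive failed probes.
$probe = New-AzLoadBalancerProbeConfig -Name "https-probe" -Protocol Https -Port 443 `
    -RequestPath "/healthz" -IntervalInSeconds 15 -ProbeCount 2

# Load balancing rule 443 -> 443 with 2-tuple (Client IP) persistence. -DisableOutboundSNAT so that
# egress is governed only by the explicit outbound rule below, not implicitly by this rule.
$rule = New-AzLoadBalancerRuleConfig -Name "https-rule" -FrontendIpConfiguration $frontend `
    -BackendAddressPool $backend -Probe $probe -Protocol Tcp -FrontendPort 443 -BackendPort 443 `
    -LoadDistribution SourceIP -IdleTimeoutInMinutes 4 -DisableOutboundSNAT

# Inbound NAT rule: frontend port 30009 is forwarded to RDP on one designated VM.
$nat = New-AzLoadBalancerInboundNatRuleConfig -Name "rdp-vm-01" -FrontendIpConfiguration $frontend `
    -Protocol Tcp -FrontendPort 30009 -BackendPort 3389

# Outbound rule: backend VMs reach the internet via the frontend IP with a fixed SNAT port budget
# (AllocatedOutboundPort must be a multiple of 8).
$outbound = New-AzLoadBalancerOutboundRuleConfig -Name "internet-egress" -FrontendIpConfiguration $frontend `
    -BackendAddressPool $backend -Protocol All -AllocatedOutboundPort 4000 -IdleTimeoutInMinutes 4

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Location $location -Name "web-lb" -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe `
    -LoadBalancingRule $rule -InboundNatRule $nat -OutboundRule $outbound

# Put an existing NIC (assumed name) into the pool and behind the NAT rule.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "vm-01-nic"
$nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
$nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($lb.InboundNatRules[0])
$nic | Set-AzNetworkInterface | Out-Null

# A Standard load balancer is closed by default: the backend NSG must allow the flows. Probes arrive
# from the AzureLoadBalancer service tag, which the default rules already allow. The NSG sees the
# translated destination port (3389), not the frontend port (30009).
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "vm-01-nsg" |
    Add-AzNetworkSecurityRuleConfig -Name "allow-https-internet" -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443 |
    Add-AzNetworkSecurityRuleConfig -Name "allow-rdp-admin-range" -Direction Inbound -Priority 110 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix "203.0.113.0/24" -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup | Out-Null
```

Swap `-LoadDistribution SourceIP` for `SourceIPProtocol` to get the 3-tuple mode, or `Default` for the 5-tuple hash. Note that the RDP allow rule is scoped to an admin range: without it, the NAT rule would be reachable from the whole internet once any NSG rule opened port 3389.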
Azure Application Gateway
Application Gateway
Request flow in the diagram: Browser -> Application Gateway (HTTP/HTTPS listener -> rule -> HTTP setting) -> backend pool (VMs, VMSS, App Service, on-premises servers).

Layer 7 load balancer
Manages HTTP, HTTPS, HTTP/2 and WebSocket requests and routes them to a backend pool. Web Application Firewall (WAF) can be added to Application Gateway as an optional component.

Routing and features
Requests can be routed to a backend pool based on the URL path (path-based routing), and multiple sites can be hosted behind one application gateway. Features include URL redirect, SSL/TLS termination, HTTP header rewrite and custom error pages.

Backend pools
The web servers can be hosted on Azure Virtual Machines, Virtual Machine Scale Sets, Azure App Service, and even on-premises servers.
Application Gateway - Components
• Frontend IP: defines the VIP (public) or ILB (private) address of the gateway.
• Listener: the frontend listener on a port and IP and, for HTTPS, a certificate (used for SSL offloading).
• Rule: the bridge between frontend and backend; binds a listener to a backend pool and an HTTP setting.
• HTTP setting: settings for backend traffic such as probe, timeout, port/protocol and cookie-based stickiness.
• Custom probe: the health check applied to the backend instances.
• Backend pool: the backend instances (VMs, VMSS, App Service, IP or FQDN targets).
Application Gateway – Routing Rules

Path based routing
Based on the path in the URL, we can route the request to different backend pools. Ideal for routing requests to backend pools optimized for different paths.

Multiple-site routing
Multiple sites can be hosted behind a single application gateway. Based on the host name, the request is routed to the backend pool hosting the requested domain.

Image source: https://docs.microsoft.com/en-us/learn/modules/configure-azure-application-gateway/3-determine-routing
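The components and the path-based rule above come together in the following added example (not part of the original course material): a WAF_v2 Application Gateway with an HTTPS listener, a custom probe, and a path map that sends /images/* and /video/* to dedicated backend pools while everything else goes to the default pool. VNet and subnet names, backend IPs, the PFX file and the probe host name are assumptions.

```powershell
# Added example (not from the original slides): WAF_v2 Application Gateway with path-based routing.
# Names, backend IPs, "./web.pfx" and "app.example.com" are assumptions.
$rg = "web-rg"; $location = "eastus"

$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "web-vnet"
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AppGwSubnet"   # dedicated subnet
$pip      = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name "appgw-pip" `
                -Sku Standard -AllocationMethod Static

$gwIpConfig = New-AzApplicationGatewayIPConfiguration -Name "gw-ipconfig" -Subnet $gwSubnet
$feIp       = New-AzApplicationGatewayFrontendIPConfig -Name "fe-public" -PublicIPAddress $pip
$fePort     = New-AzApplicationGatewayFrontendPort -Name "fe-port-443" -Port 443

# TLS terminates at the gateway. The PFX password is read interactively, never hard-coded.
$cert = New-AzApplicationGatewaySslCertificate -Name "web-cert" -CertificateFile "./web.pfx" `
            -Password (Read-Host -AsSecureString "PFX password")

# Backend pools (placeholder IPs for VMs/VMSS in the backend subnets).
$defaultPool = New-AzApplicationGatewayBackendAddressPool -Name "default-pool" -BackendIPAddresses "10.0.1.4", "10.0.1.5"
$imagesPool  = New-AzApplicationGatewayBackendAddressPool -Name "images-pool"  -BackendIPAddresses "10.0.2.4"
$videoPool   = New-AzApplicationGatewayBackendAddressPool -Name "video-pool"   -BackendIPAddresses "10.0.3.4"

# Custom probe and one HTTP setting shared by all pools.
$probe = New-AzApplicationGatewayProbeConfig -Name "health-probe" -Protocol Http -HostName "app.example.com" `
            -Path "/healthz" -Interval 30 -Timeout 30 -UnhealthyThreshold 3
$httpSetting = New-AzApplicationGatewayBackendHttpSetting -Name "http-80" -Port 80 -Protocol Http `
            -CookieBasedAffinity Disabled -RequestTimeout 30 -Probe $probe

$listener = New-AzApplicationGatewayHttpListener -Name "https-listener" -Protocol Https `
            -FrontendIPConfiguration $feIp -FrontendPort $fePort -SslCertificate $cert

# Path map: requests that match no path rule fall back to the default pool.
$imagesRule = New-AzApplicationGatewayPathRuleConfig -Name "images" -Paths "/images/*" `
            -BackendAddressPool $imagesPool -BackendHttpSettings $httpSetting
$videoRule  = New-AzApplicationGatewayPathRuleConfig -Name "video" -Paths "/video/*" `
            -BackendAddressPool $videoPool -BackendHttpSettings $httpSetting
$pathMap    = New-AzApplicationGatewayUrlPathMapConfig -Name "path-map" -PathRules $imagesRule, $videoRule `
            -DefaultBackendAddressPool $defaultPool -DefaultBackendHttpSettings $httpSetting

$rule = New-AzApplicationGatewayRequestRoutingRule -Name "path-based-rule" -RuleType PathBasedRouting `
            -HttpListener $listener -UrlPathMap $pathMap -Priority 100

# WAF policy in Prevention mode with the OWASP core rule set.
$wafSetting = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$ruleSet    = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType OWASP -RuleSetVersion 3.2
$managed    = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet
$wafPolicy  = New-AzApplicationGatewayFirewallPolicy -Name "web-waf-policy" -ResourceGroupName $rg `
            -Location $location -PolicySetting $wafSetting -ManagedRule $managed

$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2 -Capacity 2

New-AzApplicationGateway -Name "web-appgw" -ResourceGroupName $rg -Location $location -Sku $sku `
    -GatewayIPConfigurations $gwIpConfig -FrontendIPConfigurations $feIp -FrontendPorts $fePort `
    -SslCertificates $cert -HttpListeners $listener -Probes $probe `
    -BackendAddressPools $defaultPool, $imagesPool, $videoPool -BackendHttpSettingsCollection $httpSetting `
    -UrlPathMaps $pathMap -RequestRoutingRules $rule -FirewallPolicy $wafPolicy
```

Start a new WAF policy in Detection mode if you are unsure how the rule set will treat legitimate traffic, review the firewall log, then switch to Prevention. For multiple-site routing you would create one listener per host name (`-HostName` on `New-AzApplicationGatewayHttpListener`) and a Basic rule per listener instead of the path map.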


Other load balancing solutions
Other load balancing solutions

Azure Front Door
A modern CDN-style entry point that provides reliable, fast content delivery. Azure Front Door is a global solution that uses Microsoft's global edge network with hundreds of global and local points of presence, distributed across the globe and close to your customers. We can deploy our solution in multiple regions and load balance across them with Front Door. Path-based routing and multiple-site routing are available, and Web Application Firewall can be added as an optional component.

Azure Traffic Manager
ATM, or Azure Traffic Manager, is a DNS-based load balancer. Traffic to your public-facing applications can be distributed across the globe with ATM. Because it works at the DNS level, it answers the client's DNS query with the name of the best endpoint according to the routing method configured; the client then connects directly to that endpoint, so Traffic Manager never sees the application traffic itself. ATM can be used with public-facing services deployed in Azure or outside Azure. Routing methods include Priority, Weighted, Geographic, Performance, Subnet, MultiValue and Nested profiles.
Comparing Load Balancing Solutions

Feature | Application Gateway | Front Door | Load Balancer | Traffic Manager
Usage | Optimize delivery from application server farms while increasing application security with web application firewall | Scalable, security-enhanced delivery point for global, microservice-based web applications | Balance inbound and outbound connections and requests to your applications or server endpoints | Distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness
Protocols | HTTP, HTTPS, HTTP/2 | HTTP, HTTPS, HTTP/2 | TCP, UDP | Any
Internal support | Yes | No | Yes | No
Cross region | No | Yes | Preview at the time of these slides (cross-region load balancer) | Yes
Environment | Azure, non-Azure cloud, on-premises | Azure, non-Azure cloud, on-premises | Azure | Azure, non-Azure cloud, on-premises
Security | WAF | WAF, NSG | NSG | -

Reference architecture examples


Azure Bastion
Azure Bastion
Admins connect through the Azure portal to Azure Bastion, which is deployed in the AzureBastionSubnet of the virtual network and opens the RDP/SSH session to the VM's private IP.

Direct RDP and SSH in Azure Portal
No need to deploy or download SSH and RDP clients to your computer; you can RDP/SSH from the browser.

Public IP is not required
Since we connect via the Bastion host, there is no need to maintain public IP addresses on our virtual machines.

No need to tweak NSGs
No need to manage complex rules in your NSGs, as Bastion connects to the private IP address. The AzureBastionSubnet must be at least /26, and if you attach an NSG to the workload subnet, allow RDP/SSH from the AzureBastionSubnet range.

Port scanning protection
Since we are not exposing any public IPs, attackers cannot port scan the VMs from the internet.

Hardening
Bastion is a platform-managed service, so hardening is done in one place only.

Basic and Standard SKUs
The Basic SKU provides the base functionality, i.e. RDP/SSH access through the portal. The Standard SKU adds premium features (for example native client support, shareable links, IP-based connections and a configurable number of host instances) that allow Azure Bastion to manage remote connectivity at larger scale.
Intersite connectivity
Intersite Connectivity – Azure-to-Azure connectivity
Diagram: VNet-A (192.16.0.0/16; subnet 192.16.1.0/24, GatewaySubnet 192.16.0.0/24) and VNet-B (172.16.0.0/16; GatewaySubnet 172.16.0.0/24, subnet 172.16.1.0/24) connected either by VNet peering or by a VNet-to-VNet connection between their VPN gateways.

Intersite Connectivity – Azure-to-on-premises connectivity
Diagram: VNet-A (192.16.0.0/16; subnet 192.16.1.0/24, GatewaySubnet 192.16.0.0/24, ERSubnet 192.16.2.0/24) connected to an on-premises network (192.17.0.0/16) via a Site-to-Site VPN connection and/or an ExpressRoute connection.
Note that 192.16.0.0/16 and 192.17.0.0/16 in these diagrams are public address space, not RFC 1918 private ranges (192.168.0.0/16 is). Use private address space for virtual networks so that you do not shadow public addresses.
Virtual Network Peering
Virtual Network Peering
Diagram: Global VNet Peering connects VNet-A in Region X with VNet-B in Region Y; Regional VNet Peering connects VNet-A, VNet-B and VNet-C within one region.

• Types of peering: Global VNet Peering and Regional VNet Peering.
• Provides connectivity between Azure virtual networks. The virtual networks can reside in the same or different regions, the same or different subscriptions, and the same or different tenants.
• High-speed data transfer, easy configuration and great performance.
• Uses the Microsoft backbone network for data transfer, so privacy and low latency are offered. Traffic between peered networks is still subject to NSGs, and peering is non-transitive.
VPN Gateway
VPN Gateway
Diagram: VNet A (LON) and VNet B (NYC), each with a VPN gateway, connected by a VNet-to-VNet connection; each gateway also terminates Point-to-Site and Site-to-Site connections.

VPN Gateway SKUs
Gen | SKU | S2S/VNet-to-VNet tunnels | P2S IKEv2 connections | Throughput benchmark
Gen 1 | VpnGw1/Az | Max. 30 | Max. 250 | 650 Mbps
Gen 1 | VpnGw2/Az | Max. 30 | Max. 500 | 1.0 Gbps
Gen 2 | VpnGw2/Az | Max. 30 | Max. 500 | 1.25 Gbps
Gen 1 | VpnGw3/Az | Max. 30 | Max. 1000 | 1.25 Gbps
Gen 2 | VpnGw3/Az | Max. 30 | Max. 1000 | 2.5 Gbps
Gen 2 | VpnGw4/Az | Max. 100 | Max. 5000 | 5.0 Gbps
Gen 2 | VpnGw5/Az | Max. 100 | Max. 10000 | 10.0 Gbps

SKU selection: select the SKU based on the number of connections and the throughput you require.
Resizing: within a generation, you can resize the VPN gateway as requirements change; moving to another generation requires a new gateway.
Basic SKU: in addition to the SKUs above there is a Basic SKU, which is considered legacy (no zone redundancy, no BGP, no IKEv2/OpenVPN point-to-site) and should not be used.
VNet-to-VNet Connection
Establish a VNet-to-VNet connection using VPN gateways:
1. Gateway Subnet: VPN gateways require a dedicated subnet named GatewaySubnet. Create one in both virtual networks.
2. VPN Gateway: once the GatewaySubnet exists, deploy the VPN gateway into it in both virtual networks. Creating a VPN gateway takes approximately 30 to 45 minutes.
3. VNet-to-VNet connection: after creating the gateways, create the VNet-to-VNet connection from each VPN gateway to the other, using the same shared key on both sides.
VNet Peering v/s VNet-to-VNet Connection

Property | VNet Peering | VNet-to-VNet Connection
Number of connections | Up to 500 VNet peerings per VNet | A VNet can have only one VPN gateway; the number of connections is SKU dependent
Pricing | Ingress + egress | Gateway hourly cost + egress
Encryption | No encryption at the virtual network layer; encrypt at the application/transport layer if required | IPsec/IKE
Bandwidth | No restrictions | SKU dependent
Route | Routed privately over the Microsoft backbone | Encrypted tunnel between the gateways' public IPs; the traffic still travels over the Microsoft backbone, not the public internet
Public IP | No public IP or internet is used | Public IP is involved
Transitivity | Non-transitive | Transitive (with BGP enabled)
Initial setup time | Fast | ~30-45 minutes
Use cases | Data replication, database failover, and other scenarios that move large amounts of data frequently | Scenarios where encryption is needed and that are not latency/bandwidth sensitive
Site-to-Site and Point-to-Site
Site-to-Site connection
Connecting your virtual network to an on-premises site or a non-Azure site:
1. Gateway Subnet: create the GatewaySubnet in the Azure virtual network to hold the VPN gateway.
2. VPN Gateway: deploy the VPN gateway to the GatewaySubnet.
3. Local Network Gateway: create an LNG in Azure by providing the public IP address or FQDN of your on-premises VPN device and the on-premises address prefixes.
4. On-premises VPN device: configure it with the public IP address of your Azure VPN gateway, the Azure address space and the shared key.
5. Site-to-Site connection: create the S2S VPN connection between the VPN gateway and the LNG.
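The five steps above, and the first two steps of the VNet-to-VNet procedure, in one script. This is an added example (not part of the original course material): it creates the GatewaySubnet, a Generation 2 route-based gateway, the local network gateway, a random shared key that is parked in Key Vault for the on-premises team, and the connection with an explicit IPsec/IKE policy instead of Azure's default proposal list. Resource names, the Key Vault, the on-premises device IP (203.0.113.10, a documentation address) and prefixes are assumptions.

```powershell
# Added example (not from the original slides): Site-to-Site VPN from vnet-a to an on-premises site.
# Names, "net-kv", 203.0.113.10 and the prefixes are assumptions.
$rg = "net-rg"; $location = "eastus"

# 1. GatewaySubnet (/27 or larger) in the existing VNet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-a"
$vnet | Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27" |
    Set-AzVirtualNetwork | Out-Null
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-a"
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet"

# 2. Route-based VPN gateway (Generation 2, VpnGw2) with a Standard static public IP; takes 30-45 minutes.
$gwPip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name "vnet-a-gw-pip" `
            -Sku Standard -AllocationMethod Static
$gwIp  = New-AzVirtualNetworkGatewayIpConfig -Name "gw-ipconfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id
$gw    = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Location $location -Name "vnet-a-gw" `
            -IpConfigurations $gwIp -GatewayType Vpn -VpnType RouteBased `
            -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2

# 3. Local network gateway: the on-premises device's public IP and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Location $location -Name "onprem-lng" `
            -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.0.0/16"

# 4. Shared key: 32 random bytes from a CSPRNG, stored in Key Vault so it can be handed to the
#    on-premises team without ever appearing in a script, ticket or chat.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)
Set-AzKeyVaultSecret -VaultName "net-kv" -Name "vnet-a-onprem-psk" `
    -SecretValue (ConvertTo-SecureString $psk -AsPlainText -Force) | Out-Null

# 5. Connection with an explicit IPsec/IKE policy (AES-256-GCM, SHA-384 for IKE, DH/PFS group 24).
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
            -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
            -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Location $location -Name "vnet-a-to-onprem" `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsec -ConnectionProtocol IKEv2

# The on-premises device needs $gwPip.IpAddress, the Azure prefixes, the same key and the same policy.
# Status becomes "Connected" once both sides agree.
(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name "vnet-a-to-onprem").ConnectionStatus
```

For a VNet-to-VNet connection, repeat steps 1 and 2 in the second VNet and use `-VirtualNetworkGateway2` with `-ConnectionType Vnet2Vnet` instead of the local network gateway, creating one connection from each side with the same shared key. The explicit policy matters because the default proposal list still accepts weaker algorithms; pinning it on both ends removes the negotiation surface.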
Point-to-Site connection
Connecting to your virtual network from a single device:
1. Gateway Subnet: create the GatewaySubnet in the Azure virtual network to hold the VPN gateway.
2. VPN Gateway: deploy the VPN gateway to the GatewaySubnet.
3. P2S configuration: configure point-to-site on the VPN gateway by selecting the client address pool, the tunnel type (IKEv2, OpenVPN or SSTP) and the authentication method (certificate, Azure AD or RADIUS).
4. Download: download the VPN client configuration package to your client machine.
5. Connect: from your Windows, Linux, macOS or mobile client, connect to the VPN.
Gateway Transit
Gateway Transit
Without gateway transit (first diagram), vnet-a, vnet-b and vnet-c each need their own Site-to-Site connection to the on-premises network.
With gateway transit (second diagram), vnet-a, vnet-b and vnet-c are peered to a hub-vnet that owns the single VPN gateway and S2S connection, and the spokes use the hub's gateway: the hub side of the peering allows gateway transit and the spoke side uses the remote gateway. Peering itself stays non-transitive, so spoke-to-spoke traffic still needs a route through a firewall or NVA in the hub.
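The peering settings described in the peering and gateway-transit sections above, as an added example that is not part of the original course material. It creates both halves of a hub-to-spoke peering with gateway transit, verifies that both are in the Connected state (a peering with only one side configured never carries traffic), and adds the spoke route table that gateway transit does not give you for spoke-to-spoke traffic. VNet names, resource groups, the other spoke's prefix and the hub NVA address are assumptions; the hub must already have a VPN gateway, otherwise `-UseRemoteGateways` fails.

```powershell
# Added example (not from the original slides): hub-and-spoke peering with gateway transit plus the
# spoke route for spoke-to-spoke traffic. Names, 10.2.0.0/16 and 10.0.0.4 are assumptions.
$hub   = Get-AzVirtualNetwork -ResourceGroupName "hub-rg"   -Name "hub-vnet"
$spoke = Get-AzVirtualNetwork -ResourceGroupName "spoke-rg" -Name "vnet-a"

# Hub side: let the spoke use this VNet's gateway; accept traffic forwarded by the hub firewall/NVA.
Add-AzVirtualNetworkPeering -Name "hub-to-vnet-a" -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
    -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

# Spoke side: use the hub's gateway. A VNet that uses a remote gateway cannot have a gateway of its own.
Add-AzVirtualNetworkPeering -Name "vnet-a-to-hub" -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
    -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Verify: PeeringState must be "Connected" on both sides.
Get-AzVirtualNetworkPeering -ResourceGroupName "hub-rg"   -VirtualNetworkName "hub-vnet" |
    Select-Object Name, PeeringState, AllowGatewayTransit
Get-AzVirtualNetworkPeering -ResourceGroupName "spoke-rg" -VirtualNetworkName "vnet-a" |
    Select-Object Name, PeeringState, UseRemoteGateways

# Peering is non-transitive: vnet-a does not reach vnet-c through the hub by itself. A user-defined
# route on the spoke subnet sends the other spoke's prefix to the hub firewall/NVA, which forwards it.
$viaHub = New-AzRouteConfig -Name "to-vnet-c-via-hub" -AddressPrefix "10.2.0.0/16" `
    -NextHopType VirtualAppliance -NextHopIpAddress "10.0.0.4"
$rt = New-AzRouteTable -ResourceGroupName "spoke-rg" -Location $spoke.Location -Name "vnet-a-rt" -Route $viaHub

$sub = $spoke.Subnets | Where-Object Name -eq "subnet"     # assumed workload subnet name
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name $sub.Name -AddressPrefix $sub.AddressPrefix -RouteTable $rt |
    Set-AzVirtualNetwork | Out-Null
```

The same `-AllowForwardedTraffic` flag on both peerings is what lets the NVA-forwarded packets cross the peering; without it, traffic whose source address is not in the peer VNet is dropped.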
High Availability
High Availability
Active/standby: the Azure VPN gateway has one active and one standby instance, connected to a single on-premises device. Active/active: both gateway instances are active, each with its own public IP, connected to one or two on-premises devices.

Default count: there are always two instances of a VPN gateway; the default selection is active/standby.
Cost: the gateway cost includes both instances; active/standby and active/active cost the same.
High availability: enable the active/active configuration for higher availability, and make sure you have a matching redundant setup on-premises.
ExpressRoute
ExpressRoute
Private connectivity: ExpressRoute offers private connectivity between on-premises infrastructure and Microsoft datacenters.
Partner network: traffic is routed through a connectivity provider's network; the public internet is not used.
Features: reliable, low-latency, high-speed connection. Note that ExpressRoute traffic is private but not encrypted by default; use MACsec (ExpressRoute Direct) or IPsec over ExpressRoute where encryption is required.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/2-determine-expressroute-uses

ExpressRoute
• Redundant Layer 3 connectivity (two links per circuit).
• Within a geopolitical region, the Standard SKU reaches all Azure regions; the Local SKU reaches only the regions near the peering location.
• Bandwidth options range from 50 Mbps to 100 Gbps (the latter with ExpressRoute Direct).
• An ExpressRoute circuit is offered in Local, Standard and Premium SKUs.
• With the Local SKU you are charged under the Unlimited plan, in which outbound data transfer is free.
• With the Standard and Premium SKUs you choose between a Metered and an Unlimited data plan. With Metered you are charged for outbound data transfer.
• With the Premium add-on you get global connectivity.
Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/3-determine-expressroute-capabilities


ExpressRoute connectivity models
Co-located at a cloud exchange
If your facility is already co-located at a cloud exchange, virtual cross-connections to the Microsoft cloud can be provisioned through the co-location provider's Ethernet exchange. Layer 2 and managed Layer 3 cross-connections are supported.

Point-to-Point Ethernet connection
Using point-to-point Ethernet links, you can connect your on-premises network to the Microsoft cloud. Layer 2 or managed Layer 3 connections are supported.

Any-to-Any (IPVPN)
By integrating your WAN with the Microsoft cloud, the Microsoft cloud appears as one more branch office on your WAN. Supports managed Layer 3 connectivity.

Direct model
Establish connectivity by directly connecting to Microsoft's global network at a nearby peering location (ExpressRoute Direct).

Image source: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-models


Co-existing ExpressRoute and Site-to-Site
Diagram: Corp HQ connects to the ExpressRoute gateway over ExpressRoute and to the VPN gateway over a Site-to-Site VPN; a branch office connects to the VPN gateway over Site-to-Site.

Failover path: although ExpressRoute has redundant connections, we can use the S2S connection as a failover path for ExpressRoute.
Branch office connectivity: we can use S2S connectivity for branch offices or other sites that are not connected to ExpressRoute.
Separate gateways: ExpressRoute and VPN require separate gateways in the GatewaySubnet.

Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/4-coexist-site-to-site-expressroute


Virtual WAN
Virtual WAN
Brings together all connections: Point-to-Site, Site-to-Site, virtual network and ExpressRoute connections all terminate on the Virtual WAN hub.
Seamless connectivity: Azure virtual networks and resources connect to the hub, and the hub provides transit between them and the branches.
Advanced architecture: with Virtual WAN we can evolve our hub-spoke architecture into a managed one, and end-to-end traffic flow can be visualized.

Image source: https://docs.microsoft.com/en-us/learn/modules/configure-expressroute-virtual-wan/6-determine-uses


Creating ARM template
Azure Resource Manager

Management layer
Azure Resource Manager (ARM) is the management layer responsible for creating, updating and managing resources.

Way to deploy resources
Regardless of whether you use the Azure Portal, Azure PowerShell, Azure CLI or the REST API, every request passes through Azure Resource Manager, which authenticates and authorizes it before deploying or managing the resources.

Features
Access control (RBAC), locks, tags, resource groups and templates are some of the features offered by ARM that were not available in the previous model, Azure Service Management (classic).

Image source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

Azure Resource Manager (ARM) Templates

Declarative automation
ARM templates are JSON files. In declarative automation you declare the resources you want, not the steps to create them; creating the resources is Resource Manager's responsibility.

Consistent and reusable
Environments deployed via an ARM template are consistent. With parameters we can share and reuse the template to create an environment from scratch.

Fewer error-prone tasks, simpler deployment
If we create an environment manually, human error is likely; with ARM templates we deploy all the resources we define in a single operation.

Linkable, helps with complex deployments
You can write small ARM templates and link them to a parent template, which helps in managing the different parts of a deployment. ARM deploys complex environments in the correct dependency order.

Template skeleton:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "functions": [],
  "variables": {},
  "resources": [],
  "outputs": {}
}
ARM template design
Single template: one template declares the Virtual Machine, the App Service and the SQL Database; the App Service uses reference() to read properties of the SQL Database within the same deployment.

ARM template design
Nested templates: the parent template embeds a nested VM template, a nested App Service template and a nested SQL template inline; reference() still resolves across them because they belong to the same parent deployment.

ARM template design
Linked templates: the VM, App Service and SQL templates are separate files that the parent template links to by URI; values flow between them through parameters, outputs and reference().

ARM Extension for VS Code (optional)
ARM Template structure

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
}

$schema*
References the location of the JSON schema file that describes the version of the template language. ARM templates can be deployed to different scopes (tenant, management group, subscription or resource group), and the schema changes with the scope you select.
ARM Template structure

"contentVersion": "1.0.0.0",

contentVersion*
Used to version the template, the default value is 1.0.0.0. Any value can be given to this element. Content
version is useful if you are storing your templates in a source control and would like to keep the changes
tracked in different versions. Proper versioning will help users to pick the latest version of your template.
ARM Template structure
"parameters": {
"location": {
"type": "string",
"allowedValues" :[
"East US",
"West US"
],
"defaultValue": "East US",
"metadata": {
"description": "Location of the resource"
}
}
},

parameters
During deployment, parameter values are provided as input to the template. Parameters make templates reusable: users supply different values at execution time without modifying the template. Use the secureString or secureObject type for secrets such as passwords; those values are not stored in the deployment history and not returned by the API.
ARM Template structure

"variables": {
  "publicIPAddressName": "app-gw-pip"
},

variables
Variables hold values that are fixed for the template rather than supplied by the user. If a value is referenced through a variable and later needs to change, you update the variable in one place instead of every occurrence.
ARM Template structure
"functions": [
{
"namespace": "userspace",
"members": {
"VMNameGenerator": {
"parameters": [
{
"name": "userstring",
"type": "string"
}
],
"output": {
"value": "function-return-value",
"type": "string"
}
}
}
}
],

functions
We can create user-defined functions in ARM templates to replace repeated expressions. A user-defined function can only use its own parameters; it cannot access template parameters or variables.
ARM Template structure

"resources": [
{
"name": "appServicePlan1",
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-12-01",
"location": "[parameters('location')]",
"sku": {
"name": "F1",
"capacity": 1
},
"tags": {
"displayName": "appServicePlan1"
},
"properties": {
"name": "appServicePlan1"
}
}
]

resources*
Resources we intend to create, or update will be declared inside this element. Here, we can reference the
parameters, variables, and functions we created earlier.
ARM Template structure

"outputs": {
  "hostname": {
    "type": "string",
    "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).dnsSettings.fqdn]"
  }
}

outputs
Values returned after deployment, such as the FQDN above. Outputs are stored in the deployment history, so never output secrets.
Azure Quickstart Templates
Deploy ARM template
Deploy ARM template
A template can be deployed from the Azure Portal, Azure CLI or Azure PowerShell.

>_ Azure PowerShell
PS > New-AzResourceGroupDeployment `
       -ResourceGroupName <resourcegroup> `
       -TemplateFile <path-to-file>

>_ Azure CLI
$ az deployment group create \
    --resource-group <resource-group-name> \
    --template-file <path-to-file>
# az group deployment create (shown on the original slide) is deprecated in favour of
# az deployment group create.
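The following added example (not part of the original course material) shows the deployment workflow a reviewer expects around those two commands: validate, run what-if to see which resources would be created, modified or deleted, and only then deploy. The template it writes to disk is a minimal public IP with a DNS label whose outputs section matches the one shown above; the resource group and DNS label are assumptions.

```powershell
# Added example (not from the original slides): validate, what-if, then deploy a template with a
# parameter object. "web-rg", the file name and the DNS label are assumptions.
$rg = "web-rg"

$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "dnsLabel": { "type": "string", "minLength": 3 }
  },
  "variables": { "publicIPAddressName": "app-gw-pip" },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[variables('publicIPAddressName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard" },
      "properties": {
        "publicIPAllocationMethod": "Static",
        "dnsSettings": { "domainNameLabel": "[parameters('dnsLabel')]" }
      }
    }
  ],
  "outputs": {
    "hostname": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).dnsSettings.fqdn]"
    }
  }
}
'@
Set-Content -Path "./pip.json" -Value $template

# Parameters are passed as an object rather than on the command line. A secureString parameter
# would be passed the same way, as a SecureString value (e.g. from Read-Host -AsSecureString).
$params = @{ dnsLabel = "web-prod-eus-$((Get-Random -Maximum 9999).ToString('0000'))" }

# 1. Validation (template syntax, parameter types, API versions); changes nothing.
Test-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile "./pip.json" -TemplateParameterObject $params

# 2. What-if: lists Create/Modify/Delete/NoChange per resource; still changes nothing.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile "./pip.json" -TemplateParameterObject $params -WhatIf

# 3. Deploy in Incremental mode. Complete mode deletes every resource in the group that the template
#    does not declare, which is rarely what you want on a shared resource group.
$deployment = New-AzResourceGroupDeployment -Name "pip-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rg -TemplateFile "./pip.json" -TemplateParameterObject $params -Mode Incremental

$deployment.ProvisioningState
$deployment.Outputs["hostname"].Value
```

Naming each deployment with a timestamp keeps the deployment history readable; ARM otherwise reuses the template file name and the history becomes a single overwritten entry.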
Exporting deployments as ARM template
Exporting deployments as ARM template
An existing resource group can be exported as a template from the Azure Portal, Azure CLI or Azure PowerShell. The export is a snapshot of the current state: it omits secrets and some resource types, and the result usually needs parameters added before it is reusable.

>_ Azure PowerShell
PS > Export-AzResourceGroup `
       -ResourceGroupName <resource-group>

>_ Azure CLI
$ az group export \
    --name <resource-group-name>
Creating VHD Templates
Creating VHD Templates
To turn a configured VM into a reusable image, generalize the operating system state (sysprep /generalize on Windows, waagent -deprovision+user on Linux), stop and deallocate the VM, mark it as generalized, and then capture it as a managed image or a Shared Image Gallery version. A generalized VM cannot be started again, so capture from a copy if you still need the original.
Virtual Machine Extensions
Virtual Machine Extensions
Small applications
Automation tasks and post-deployment configuration can be done with the help of extensions.

Management
Extensions can be managed with the Azure Portal, Azure PowerShell, Azure CLI and ARM templates.

Scope
Extensions can be used for post-deployment configuration during VM deployment or on existing VMs.

Platform
Extensions and their availability vary by operating system; different extensions exist for Windows and Linux VMs.
Custom Script Extension
Supported scenarios
The Custom Script Extension (CSE) can run simple and complex scripts after deployment. Script execution does not continue if the workflow includes a reboot. A PowerShell (Windows) or shell (Linux) script is selected and arguments can optionally be passed; the script runs as SYSTEM on Windows and as root on Linux.

Duration
A script can run up to 90 minutes; if it takes longer, the operation times out. The VM must be in the running state to execute the script.

Dependency access
The extension needs storage and network access to fetch the script. Make sure the content is reachable from the VM (storage firewalls, private endpoints or NSG rules can block it).

Error handling and data sensitivity
Plan for error handling: a non-zero exit code fails the extension and, during creation, the VM deployment. Handle sensitive data such as passwords, connection strings and storage account keys through the extension's protected settings, which are encrypted and not returned by the API. Anything placed in the plain settings or in the script itself is readable by anyone with read access to the VM.
Desired State Configuration

Supported scenarios
The DSC extension uses PowerShell DSC, which can carry out complex deployments, including ones that require a reboot. DSC ensures that the declared state is reached and maintained.

Configuration
Easy-to-read scripts called configurations are written declaratively and saved as .ps1 files.

When to use DSC?
If your post-deployment configuration includes complex steps such as reboots, CSE is not the right choice. Choose DSC in all complex scenarios that CSE does not support.

Blocks
The Configuration block is the outermost script block; we give the configuration a name and define the script inside it. The Node block defines the computers in scope of the configuration. Each Node block has one or more resource blocks (WindowsFeature below) in which the desired state is declared.

>_ configuration.ps1
Configuration IISConfiguration
{
    Node "localhost"
    {
        WindowsFeature WebServer
        {
            Name   = "Web-Server"
            Ensure = "Present"
        }

        WindowsFeature IISManagementTools
        {
            Name   = "Web-Mgmt-Tools"
            Ensure = "Present"
        }

        WindowsFeature IISDefaultDoc
        {
            Name   = "Web-Default-Doc"
            Ensure = "Present"
        }
    }
}
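The two extension types above, applied from PowerShell, as an added example that is not part of the original course material. The first half runs the Custom Script Extension on a Linux VM with the script location and the storage key in protected settings, which is the point made in the data-sensitivity paragraph; the second half packages the configuration.ps1 from this slide and hands it to the DSC extension on a Windows VM. VM names, the storage account and container are assumptions.

```powershell
# Added example (not from the original slides): CSE with protected settings, then the DSC extension.
# "vm-01", "vm-02", "webscripts" and the container names are assumptions.
$rg = "web-rg"; $location = "eastus"

# --- Custom Script Extension (Linux) ---
# "Settings" are readable by anyone with read access to the VM; "ProtectedSettings" are encrypted
# and decrypted only inside the VM. The storage key, the script URI and the command line (which may
# carry arguments) all go into the protected half.
$protected = @{
    storageAccountName = "webscripts"
    storageAccountKey  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name "webscripts")[0].Value
    fileUris           = @("https://webscripts.blob.core.windows.net/scripts/bootstrap.sh")
    commandToExecute   = "bash bootstrap.sh"
}
Set-AzVMExtension -ResourceGroupName $rg -VMName "vm-01" -Location $location -Name "bootstrap" `
    -Publisher "Microsoft.Azure.Extensions" -ExtensionType "CustomScript" -TypeHandlerVersion "2.1" `
    -ProtectedSettings $protected | Out-Null

# The extension reports the script's exit code and the tail of its output; non-zero means failure.
(Get-AzVMExtension -ResourceGroupName $rg -VMName "vm-01" -Name "bootstrap" -Status).Statuses |
    Select-Object Code, Message

# --- Desired State Configuration (Windows) ---
# Package configuration.ps1 (which defines "Configuration IISConfiguration") as a zip in blob storage,
# then apply it. The DSC agent installs the three features and keeps them present afterwards.
Publish-AzVMDscConfiguration -ConfigurationPath "./configuration.ps1" -ResourceGroupName $rg `
    -StorageAccountName "webscripts" -ContainerName "dsc" -Force
Set-AzVMDscExtension -ResourceGroupName $rg -VMName "vm-02" -Location $location -Name "IISConfiguration" `
    -ArchiveBlobName "configuration.ps1.zip" -ArchiveStorageAccountName "webscripts" -ArchiveContainerName "dsc" `
    -ConfigurationName "IISConfiguration" -Version "2.83" -AutoUpdate | Out-Null

# Result of the DSC run on the node.
Get-AzVMDscExtensionStatus -ResourceGroupName $rg -VMName "vm-02"
```

A cleaner variant of the CSE half uses a user-assigned managed identity on the VM (`managedIdentity` in the protected settings) to read the script from blob storage, which removes the storage key from the picture entirely.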
Storage accounts
Storage accounts
Microsoft Azure's storage solution for object storage, file storage, message queues and a NoSQL store, meeting modern application requirements.

High availability and durability
A storage account comes with different redundancy options to meet your durability requirements. Data stored in the account can be replicated to different datacenters and even across regions, ensuring high availability of the data.

Security
By default, all data written to a storage account is encrypted at rest by Storage Service Encryption (SSE). Access to the data is authorized with storage account keys, shared access signatures (SAS) or Azure AD (RBAC). Prefer Azure AD, or SAS tokens scoped to the minimum permissions and lifetime, over handing out account keys.

Scalability and managed storage
Azure Storage is a platform-managed service; it scales capacity and performance automatically with demand. Performance tiers are Standard (HDD-backed) and Premium (SSD-backed). Managed disks for VMs are also built on Azure Storage.

Access
Data in Azure Storage is accessed over HTTP or HTTPS; enforce HTTPS only. With the SDKs provided by Microsoft, developers can easily integrate Azure Storage into their code. Azure Storage also supports Azure PowerShell, Azure CLI and the REST API. Both unstructured data (blobs, files) and structured data (tables) are supported.
Storage services
Azure Containers (Blobs): an object store with immense scaling capability, ideal for unstructured data such as text or binary data (documents, images, video, audio, backup files, databases, log files, big data).
Azure Files (Directories): managed file shares used to provision highly available file shares in the cloud that can be mounted from cloud and on-premises machines (e.g. *.txt, *.exe and other files in directories).
Azure Tables (Entities): a NoSQL datastore for structured, non-relational data (e.g. an entity with Name = Sandy, Country = US, State = TX, ZIP = 03445).
Azure Queues (Messages): a messaging store used to store and retrieve messages between application components that need to be processed asynchronously (e.g. resizeImage, cropImage, processImage).
Storage account types
Type | Services | Performance tiers | Replication options
Blob storage (legacy) | Blob | Standard | LRS, GRS, RA-GRS
General Purpose v1 (legacy) | Blob, File, Queue, Table and Disk | Standard, Premium | LRS, GRS, RA-GRS
General Purpose v2 | Blob, File, Queue, Table and Disk | Standard, Premium | LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS
Block blob storage | Blob (premium) | Premium | LRS, ZRS
File storage | Files (premium) | Premium | LRS, ZRS
General Purpose v2 is the recommended type for new accounts.
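The account type, replication option and the authorization methods from the security paragraph are all decided at creation time. The following added example (not part of the original course material) creates a General Purpose v2 account with the settings a security review expects and then reads them back as one object. The account name, resource groups and the subnet allowed through the storage firewall are assumptions; the subnet must have the Microsoft.Storage service endpoint enabled.

```powershell
# Added example (not from the original slides): GPv2 storage account with secure defaults, network
# restriction and a verification read-back. Names and the allowed subnet are assumptions.
$rg = "data-rg"; $location = "eastus"
$name = "stprodeus0001"      # 3-24 lowercase letters/digits, globally unique

$settings = @{
    ResourceGroupName           = $rg
    Name                        = $name
    Location                    = $location
    Kind                        = "StorageV2"
    SkuName                     = "Standard_ZRS"   # three synchronous copies across availability zones
    AccessTier                  = "Hot"
    EnableHttpsTrafficOnly      = $true            # reject plain HTTP
    MinimumTlsVersion           = "TLS1_2"
    AllowBlobPublicAccess       = $false           # no anonymous container/blob access at the account level
    AllowSharedKeyAccess        = $false           # Azure AD only: account keys and account SAS stop working
    AllowCrossTenantReplication = $false
}
$sa = New-AzStorageAccount @settings

# Network path: deny by default, allow one subnet via service endpoint, keep trusted Azure services.
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName "web-rg" -Name "web-vnet" |
             Get-AzVirtualNetworkSubnetConfig -Name "WebSubnet").Id
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $name -DefaultAction Deny -Bypass AzureServices `
    -VirtualNetworkRule (@{ VirtualNetworkResourceId = $subnetId; Action = "Allow" }) | Out-Null

# Read-back: the posture a reviewer checks, as a single object.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
[pscustomobject]@{
    HttpsOnly        = $sa.EnableHttpsTrafficOnly
    MinTls           = $sa.MinimumTlsVersion
    PublicBlobAccess = $sa.AllowBlobPublicAccess
    SharedKeyAccess  = $sa.AllowSharedKeyAccess
    NetworkDefault   = $sa.NetworkRuleSet.DefaultAction
    Replication      = $sa.Sku.Name
}
```

`AllowSharedKeyAccess = $false` is the setting most likely to break something: tools and extensions that authenticate with the account key (the Custom Script Extension with `storageAccountKey`, for instance) stop working against this account, so switch them to Azure AD or a user delegation SAS first.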


Storage redundancy
Storage replication – Locally Redundant Storage

Diagram: one region, one datacenter, a storage account replicated with LRS.

Replication
Data is replicated and three copies of the data are retained across fault domains within a single datacenter. Since the data is replicated only within a single datacenter, LRS is the cheapest option.

Durability
LRS offers 99.99999999999 (11 9's) of durability. Data stored in LRS is protected from hardware failures as the data is stored in different fault domains.

Chances of failure
As the replicated copies are stored within a single datacenter, if the entire datacenter is down, then the data will not be available.
Storage replication – Zone Redundant Storage

Diagram: one region with Zone A, Zone B and Zone C, a storage account replicated with ZRS.

Replication
Data is replicated and three copies of the data are retained across availability zones within a single region.

Durability
ZRS offers 99.999999999999 (12 9's) of durability. Data stored in ZRS is protected from datacenter failures as each zone where the datacenter resides is physically separated from the others.

Chances of failure
As the replicated copies are stored within a single region, if the entire region goes down, then the data will not be available.
Storage replication – Geo Redundant Storage

Diagram: a datacenter in the primary region geo-replicates to a datacenter in the secondary region; a storage account replicated with GRS, with failover to the secondary region.

Replication
Data is replicated across three fault domains in a datacenter which is part of the primary region and is asynchronously replicated to the secondary region, where we will have three copies across fault domains.

Durability
GRS offers 99.9999999999999999 (16 9's) of durability. If the primary region goes down, a failover will happen, and the secondary region will become available for read requests.

Considerations
The primary region will be available for all operations and the secondary will only be available after failover. The failover can be Microsoft initiated or customer initiated.
Storage replication – Read access Geo Redundant Storage

Diagram: a datacenter in the primary region geo-replicates to a datacenter in the secondary region; a storage account replicated with RA-GRS.

Replication
Data is replicated across three fault domains in a datacenter which is part of the primary region and is asynchronously replicated to the secondary region, where we will have three copies across fault domains.

Durability
RA-GRS offers 99.9999999999999999 (16 9's) of durability.

Considerations
The secondary region will always be available for read operations, regardless of whether there is a failover or not.
Storage replication – Geo Zone Redundant Storage

Diagram: three zones in the primary region geo-replicate to a datacenter in the secondary region; a storage account replicated with GZRS, with failover to the secondary region.

Replication
Three copies will be spread across availability zones within the primary region and asynchronously replicated to the secondary region, where we will have three copies across fault domains.

Durability
GZRS offers 99.9999999999999999 (16 9's) of durability. If the primary region goes down, a failover will happen, and the secondary region will become available for read requests.

Considerations
As we saw in the case of GRS, the primary region will be available for all operations and the secondary will only be available after failover. The failover can be Microsoft initiated or customer initiated.
Storage replication – Read Access Geo Zone Redundant Storage

Diagram: three zones in the primary region geo-replicate to a datacenter in the secondary region; a storage account replicated with RA-GZRS.

Replication
Three copies will be spread across availability zones within the primary region and asynchronously replicated to the secondary region, where we will have three copies across fault domains.

Durability
GZRS offers 99.9999999999999999 (16 9's) of durability.

Considerations
Here the secondary region will always be available, regardless of whether there is a failover or not.
Accessing storage endpoints
Based on the storage account name and the service, every service has its own unique endpoint:

<protocol>://<storage account name>.<service>.core.windows.net

where <protocol> is http or https, <storage account name> is your storage account name and <service> is blob, queue, file or table.

For a storage account named "kodekloud", the endpoints will be:

Service | Endpoint
Container service | https://kodekloud.blob.core.windows.net
Queue service | https://kodekloud.queue.core.windows.net
File service | https://kodekloud.file.core.windows.net
Table service | https://kodekloud.table.core.windows.net

If needed, we can use our own custom domain with CNAME mapping:

DNS CNAME entry | Alias
blobs.kodekloud.com | kodekloud.blob.core.windows.net
Securing storage endpoints
Securing storage endpoints

• Set up a Private Endpoint
• Control public access to the storage account
• Restrict access to specific VNets using service endpoints
• Allow IP ranges from the internet or on-premises
Storage security capabilities

Encryption
By default, without any additional configuration, all data written to the storage account is encrypted by Storage Service Encryption (SSE).

Authentication
With the help of Azure AD and RBAC, we can authenticate requests and provide authorization to storage services.

Data in transit
Client-side encryption, HTTPS, and SMB 3.0 are used to secure data in transit.

Disk encryption
OS and data disks of Linux and Windows VMs can be encrypted using Azure Disk Encryption (ADE).

Shared access signature
Fine tuned, granular access can be given to storage services with the help of SAS.
Storage Service Encryption (SSE) and Azure Disk Encryption (ADE)
Storage Service Encryption (SSE)

Protection
Data at rest is protected using SSE. All data written to Azure Disks, Blob, File, Queue, and Table is encrypted using SSE and is decrypted when the data is retrieved.

Compliance
Organizations don't need to develop in-house encryption methods to encrypt data stored in Azure Storage. Using SSE, organizations can meet their compliance and security requirements.

Strong cipher
SSE uses 256-bit AES encryption to encrypt the data. The encryption, decryption, data management and key management are done by the storage service. SSE cannot be disabled.

Bring your own keys
If you would like to control the encryption keys and their rotation, you can replace Microsoft managed keys with Customer Managed Keys. You need to create an Azure Key Vault to store the key, and the storage service will retrieve the key from Key Vault for encryption and decryption.
Azure Disk Encryption (ADE)

Encrypt disks
Using ADE, we can encrypt OS and data disks of Windows and Linux virtual machines. ADE uses BitLocker for Windows and DM-Crypt for Linux to encrypt the disks. Encryption keys are stored in Azure Key Vault.

Restrict access
Since the disk is encrypted, only the VM owner will be able to retrieve the data stored in the VM. If anyone downloads the VHD and attaches it to another VM, without the keys they will not be able to read the data.

Encrypted backup
When you are using Azure Backup, the encryption keys are backed up to the Recovery Services vault. Also, the backups are encrypted. ADE uses AES 256-bit encryption.

Considerations
If you are encrypting both OS and data disks, there will be a small performance impact due to the encryption and decryption activity. The impact is very minimal; however, if your application is CPU intensive, you can skip the OS disk and encrypt the data disk only to enhance performance.
Storage security - Authorization
Storage security - Authorization

Storage Account Keys
Two 512-bit keys will be generated for every storage account, and these can be rotated. Account keys are like root passwords, and we need to secure them to avoid unauthorized access.

Shared access signature
Delegate access to storage at a very granular level. SAS are generated using account keys but with fine tuned access.

Azure AD
Using Azure AD and RBAC we can authenticate and authorize requests from users. Currently Azure AD authentication is supported by Blobs, Queues, and Tables only. For Files, SMB access can be given with the help of AAD Domain Services.

Anonymous
We can enable anonymous access to our blobs and containers. As the request is anonymous, we don't need to pass any authorization header.
Storage Account Keys
Storage Account Keys

Be cautious with the account key!
The account key is like the root password: a user possessing the account keys can perform any action against the storage account. Microsoft recommends saving the keys to Azure Key Vault and rotating them regularly.

Two keys
Azure provides two 512-bit keys for every storage account. You can use either of these in your API calls in the authorization header. Users with permission to Microsoft.Storage/storageAccounts/listkeys/action can view, read or copy the keys via the Azure Portal, Azure CLI, and Azure PowerShell.
Shared Access Signature
Shared Access Signature

Fine tuned access
Instead of giving full access via account keys, we can fine tune the access via SAS. We can control the allowed services, allowed resource types, permissions, start time, end time, IP address and protocol using SAS.

Three types of SAS keys
✓ User delegation SAS
✓ Service SAS
✓ Account SAS
Shared Access Signature

Example URI (account SAS):
https://kodekloud.blob.core.windows.net?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D

The URI is made of the resource endpoint (https://kodekloud.blob.core.windows.net) followed by the SAS token (?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup...).

Name | Excerpt | Explanation
Resource URI | https://kodekloud.blob.core.windows.net | Blob endpoint
Storage service version | sv=2020-08-04 | Version of the storage service
Services | ss=bfqt | SAS applies to blob, file, queue and table
Resource type | srt=sc | SAS applies to service and container level operations
Permissions | sp=rwdlacup | Supports read, write, delete, list, add, create, and update
Start time | st=2022-05-19T06:31:40Z | Start date and time in UTC
End time | se=2022-05-19T14:31:40Z | End date and time in UTC
IP address range | sip=168.11.12.13-168.11.12.19 | Allowed IP range
Protocol | spr=https | Only HTTPS requests are allowed
Signature | sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D | Unique signature: an HMAC-SHA256 computed over a string-to-sign with the account key, then Base64 encoded
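The token fields above are what a reviewer checks before accepting a SAS from a vendor or a script. The following added example (not code from the course slides) parses an account SAS URL, recomputes the HMAC-SHA256 signature over the documented string-to-sign for sv=2020-08-04, checks the sip range, and flags risky grants; the account key it uses is a constructed sample.

```python
"""Audit an Azure account SAS URL: parse the token, recompute the signature
and flag risky grants.

Added example, not code from the course slides. The string-to-sign layout is
the documented account SAS format for service version sv=2020-08-04 (nine
newline-terminated fields). SAMPLE_ACCOUNT_KEY is a constructed value, not a
real storage account key.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed 512-bit sample key, base64-encoded the way the portal shows keys.
SAMPLE_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def at(iso: str) -> datetime:
    """Parse a SAS timestamp such as 2022-05-19T14:31:40Z as UTC."""
    return datetime.strptime(iso, TIME_FMT).replace(tzinfo=timezone.utc)


def account_sas_string_to_sign(account: str, p: dict) -> str:
    """Fields in the order the service signs them; optional ones stay empty."""
    fields = (account, p["sp"], p["ss"], p["srt"], p.get("st", ""), p["se"],
              p.get("sip", ""), p.get("spr", ""), p["sv"])
    return "".join(f"{f}\n" for f in fields)


def sign(account: str, key_b64: str, params: dict) -> str:
    """HMAC-SHA256 over the string-to-sign with the decoded key, Base64 encoded."""
    key = base64.b64decode(key_b64)
    msg = account_sas_string_to_sign(account, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def build_sas_url(account: str, key_b64: str, params: dict) -> str:
    """Issue a SAS URL for the blob endpoint (used here to create sample input)."""
    query = urlencode({**params, "sig": sign(account, key_b64, params)})
    return f"https://{account}.blob.core.windows.net/?{query}"


def parse_sas_url(url: str) -> tuple[str, dict]:
    parts = urlsplit(url)
    account = parts.hostname.split(".")[0]
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return account, params


def signature_valid(url: str, key_b64: str) -> bool:
    """True only if the token was signed with this key and not altered since."""
    account, params = parse_sas_url(url)
    expected = sign(account, key_b64, params)
    return hmac.compare_digest(expected, params.get("sig", ""))


def ip_allowed(sip: Optional[str], client_ip: str) -> bool:
    """sip is 'a.b.c.d' or 'a.b.c.d-w.x.y.z'; an absent sip allows any address."""
    if not sip:
        return True
    low, _, high = sip.partition("-")
    client = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(low) <= client <= ipaddress.ip_address(high or low)


def audit(url: str, now: Optional[datetime] = None, max_hours: int = 24) -> list[str]:
    """Findings a reviewer would raise before accepting a SAS for use."""
    _, p = parse_sas_url(url)
    now = now or datetime.now(timezone.utc)
    expiry = at(p["se"])
    findings = []
    if expiry < now:
        findings.append("expired")
    elif expiry - now > timedelta(hours=max_hours):
        findings.append(f"lifetime exceeds {max_hours}h")
    mutating = set(p["sp"]) - {"r", "l"}          # anything beyond read/list
    if mutating:
        findings.append("grants mutating permissions: " + "".join(sorted(mutating)))
    if "sip" not in p:
        findings.append("no IP restriction")
    if "http" in p.get("spr", "https").split(","):
        findings.append("plain HTTP allowed")
    return findings


# The parameters of the slide's example token, re-signed with the sample key.
SLIDE_PARAMS = {
    "sv": "2020-08-04", "ss": "bfqt", "srt": "sc", "sp": "rwdlacup",
    "se": "2022-05-19T14:31:40Z", "st": "2022-05-19T06:31:40Z",
    "sip": "168.11.12.13-168.11.12.19", "spr": "https",
}
SAMPLE_URL = build_sas_url("kodekloud", SAMPLE_ACCOUNT_KEY, SLIDE_PARAMS)

if __name__ == "__main__":
    print("signature valid:", signature_valid(SAMPLE_URL, SAMPLE_ACCOUNT_KEY))
    print("findings:", audit(SAMPLE_URL, now=at("2022-05-19T08:00:00Z")))
    print("168.11.12.15 allowed:", ip_allowed(SLIDE_PARAMS["sip"], "168.11.12.15"))
```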
Azure AD Authentication
Azure AD Authentication

Diagram: the client signs in (POST: Login) and receives a bearer token (200: Bearer Token), then presents it with its request to the blob container; the request is authorized by the Storage Blob Data Contributor role.

Secure way of authenticating
Microsoft recommends using Azure AD authentication for accessing Blobs, Queues and Tables. Azure AD integrates features such as MFA and Conditional Access to enhance the request to access storage.

Requires dedicated RBAC roles
Even if you are the Owner or Contributor of the subscription, you would still require storage specific RBAC roles to authorize storage access requests. These roles can be assigned at any scope and the access will be inherited. Example: Storage Blob Data Owner, Storage Queue Data Contributor.
Anonymous access to blobs
Anonymous access

Public access without authorization
Anonymous access can be granted to blobs and containers. Read requests to blobs and containers with anonymous access enabled don't require any sort of authorization.

Ideal for public facing content
Used to share documents, images, or any unstructured data stored in blob storage with the public.
Creating Azure File share
Creating Azure File Share

Enterprise grade file share
With file shares, we can share files across virtual machines and non-Azure workloads. Any number of Azure or non-Azure virtual machines can mount and work on the file share simultaneously. It also supports backup and snapshots for data recovery.

Supports Windows, Linux and macOS
Azure provides easy to use scripts to mount the file share on Windows, Linux and macOS computers. Computers can interact with an Azure file share as they work with on-premises file shares. Port 445 needs to be open for SMB traffic.

Use cases
Firstly, we can decommission on-premises file shares and migrate to Azure Files. It can also be used for storing diagnostic data, tools and utilities which need to be shared with teams.
Configuring Azure File Sync service
Azure File Sync
Without losing the flexibility, performance, and compatibility of your on-premises file servers, extend and centralize your file shares in Azure Files using Azure File Sync. Use SMB, NFS, and FTPS to connect with your file shares.

Lift and shift
Centralize your file shares and provide access to them across Windows Servers and Azure Files. Helps to share files across multiple sites with ease.

Adding new offices
You can easily onboard new branch offices and share files with them.

BCDR
Azure Backup will back up your on-premises data once the sync is established. Restoring data after a catastrophic failure will be quick.

Archiving
File Sync caches data that has been used recently. Data which is not in use will be stored in Azure Files and is retrieved only upon request. You can control this using the cloud tiering feature.
Azure File Sync - Components

Diagram of the components:
• Storage Account: file shares //Marketing and //Finance, each exposed to File Sync as a Cloud Endpoint; Azure Backup protects the file shares.
• Storage Sync Service: a Marketing Sync Group and a Finance Sync Group, each linking a cloud endpoint with a server endpoint.
• Registered Server: a Windows Server running the File Sync Agent, with D:\Marketing and D:\Finance as the Server Endpoints.
Azure File Sync - Implementation

1. Deploy the Storage Sync Service
In the Azure Portal, we need to create a Storage Sync Service. This will be deployed to a resource group like the storage account.

2. Prepare Windows File Servers
All servers we are planning to register require preparation. Some prerequisites include disabling IE Enhanced Security and installing the latest version of PowerShell.

3. Install the File Sync Agent
The File Sync Agent needs to be installed on the prepared Windows Server. The agent is responsible for the sync to the Azure file share.

4. Register the Windows Server
Once the agent is installed, you will be redirected to the server registration window. Registration is required to establish trust with the Storage Sync Service.
Configuring Azure Blob Storage
Azure Containers (Blob Storage)
Provides storage for unstructured data, that is, any type of text or binary data. Blob Storage is referred to as "object storage".

Diagram: Storage Account > Container > Blob, for example the webfiles account with a Documents container (Document1.pdf, Document2.pdf) and a Videos container (IntroVideo.mp4).

Use cases
• Embed images or documents in webpages
• Storing files for distribution, for example installation packages on websites
• Backup, recovery and archiving
• Stream video and audio directly to the browser
• Act as a disaster recovery site for your on-premises site
• Store data for analysis which can be accessed by tools like Power BI
Creating Containers
All objects or blobs we upload must be in a container. A storage account can have an unlimited number of containers and each container can have unlimited blobs. Containers provide a logical grouping of blobs and act as a scope for assigning RBAC and the public access level.

Diagram: Storage Account > Container > Blob, for example the webfiles account with a Documents container (Document1.pdf, Document2.pdf) and a Videos container (IntroVideo.mp4).

Public access levels:

Private
No anonymous access to data stored in the container

Blob
Anonymous read access to blobs only

Container
Permission to read and list the entire container, which includes all the blobs
Storage Tiers
Blob Access Tiers
Based on the frequency of access, we can optimize storage cost using access tiers.

Hot
Ideal for storing data that is frequently accessed.

Cool
Ideal for storing large amounts of data that is not accessed frequently and is stored for at least 30 days.

Archive
Ideal for data that can tolerate several hours of retrieval latency and will remain in the archive tier for at least 180 days.

Tier | Storage Cost | Access Cost
Hot | $$$ | $
Cool | $$ | $$
Archive | $ | $$$

Access tiers can be switched at any time as required.


Lifecycle Management
Blob Lifecycle Management

Policy based transition
We can transition blobs to cooler tiers automatically based on the last modified date.

Delete blobs and snapshots
Besides transitioning to cooler tiers, LCM can be used to delete blobs and blob snapshots after X number of days if they have not been modified.

Filtering option
We can apply the policy to all the blobs in the storage account or limit it to specific blobs with filters.

Target different types
LCM can target block blobs and append blobs and further apply to sub types such as base blobs, versions and snapshots.

Code View
{
  "rules": [
    {
      "enabled": true,
      "name": "rule",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": {
              "daysAfterModificationGreaterThan": 60
            },
            "tierToArchive": {
              "daysAfterModificationGreaterThan": 180
            },
            "delete": {
              "daysAfterModificationGreaterThan": 365
            }
          }
        },
        "filters": {
          "blobTypes": [
            "blockBlob"
          ]
        }
      }
    }
  ]
}
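To see what the policy above would do before it runs (a delete rule that fires on an unexpected prefix is not reversible), the following added example (not code from the course slides or the Azure SDK) evaluates the rule against constructed sample blobs; it also honours the documented prefixMatch filter, which the slide only refers to as "filters".

```python
"""Evaluate a blob lifecycle management (LCM) policy against a set of blobs.

Added example, not code from the course slides or the Azure SDK. POLICY_JSON
is the rule shown on the slide; SAMPLE_BLOBS is constructed data. Actions are
keyed on days since last modification and filtered by blobTypes, as the slide
describes, plus the documented prefixMatch filter.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Optional

POLICY_JSON = """
{
  "rules": [
    {
      "enabled": true,
      "name": "rule",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 60},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete": {"daysAfterModificationGreaterThan": 365}
          }
        },
        "filters": {"blobTypes": ["blockBlob"]}
      }
    }
  ]
}
"""

# When several actions qualify, the most aggressive one wins: a blob that is
# 400 days old is deleted, not merely moved to the cool tier.
ACTION_PRIORITY = ("delete", "tierToArchive", "tierToCool")
TARGET_TIER = {"tierToCool": "Cool", "tierToArchive": "Archive"}
TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}


def load_policy(text: str) -> dict:
    return json.loads(text)


def rule_matches(rule: dict, blob: dict) -> bool:
    """Apply the rule's filters: enabled flag, blobTypes and optional prefixMatch."""
    if not rule.get("enabled", True) or rule.get("type") != "Lifecycle":
        return False
    filters = rule["definition"].get("filters", {})
    if blob["type"] not in filters.get("blobTypes", []):
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def action_for(policy: dict, blob: dict, now: datetime) -> Optional[str]:
    """Return the single action LCM would take on this blob today, or None."""
    age_days = (now - blob["last_modified"]).days
    best: Optional[str] = None
    for rule in policy["rules"]:
        if not rule_matches(rule, blob):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action in ACTION_PRIORITY:
            cond = actions.get(action)
            if not cond or age_days <= cond["daysAfterModificationGreaterThan"]:
                continue
            target = TARGET_TIER.get(action)
            # Moving a blob to a tier it is already in (or below) is a no-op.
            if target and TIER_RANK[blob["tier"]] >= TIER_RANK[target]:
                continue
            if best is None or ACTION_PRIORITY.index(action) < ACTION_PRIORITY.index(best):
                best = action
            break
    return best


def plan(policy: dict, blobs: list[dict], now: datetime) -> dict[str, str]:
    """Map blob name to the action that applies; blobs with no action are omitted."""
    result: dict[str, str] = {}
    for blob in blobs:
        action = action_for(policy, blob, now)
        if action:
            result[blob["name"]] = action
    return result


NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_BLOBS = [  # constructed sample inventory
    {"name": "logs/app-2021.log", "type": "blockBlob", "tier": "Hot", "last_modified": days_ago(400)},
    {"name": "images/banner.png", "type": "blockBlob", "tier": "Hot", "last_modified": days_ago(200)},
    {"name": "docs/report.pdf", "type": "blockBlob", "tier": "Hot", "last_modified": days_ago(70)},
    {"name": "docs/today.pdf", "type": "blockBlob", "tier": "Hot", "last_modified": days_ago(10)},
    {"name": "images/old.png", "type": "blockBlob", "tier": "Cool", "last_modified": days_ago(70)},
    {"name": "audit/trail.log", "type": "appendBlob", "tier": "Hot", "last_modified": days_ago(400)},
]

if __name__ == "__main__":
    for name, action in plan(load_policy(POLICY_JSON), SAMPLE_BLOBS, NOW).items():
        print(f"{name}: {action}")
```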
Import/Export Service
Import/Export Service
Import workflow

1. Identify the data that needs to be moved to Azure. Using the WAImportExport tool, prepare the disks and copy the contents to the disks. This will generate the journal files.
2. Create an Import job in the Azure Portal referencing your destination storage account. Upload the journal files.
3. Ship the drives to the Azure datacenter and update the Import job with the tracking ID of the package. Also provide the return address for Microsoft to return the drives.
4. The hard drives are delivered to the datacenter and the drives are processed.
5. Data is copied from the hard drives to the storage account.
6. The hard drives are returned to you and your data is in Azure Storage.

Import/Export Service
Export workflow

1. Identify the data that you want to move and create an export job in the Azure Portal.
2. Ship your drives to the Azure datacenter and the carrier delivers them.
3. Drives are processed at the datacenter and the data from the storage account is copied to the hard drives.
4. The hard drives are encrypted with BitLocker and the job will be updated with the keys.
5. The hard drives are packed, and they are ready for shipping.
6. Hard drives are shipped back to the customer, who can decrypt the disks using the keys in the job.
Azure Storage Explorer
Azure Storage Explorer
AzCopy
AzCopy

Supports multiple scenarios
AzCopy can be used as a multi-cloud data transfer tool. It supports Azure Blobs, Azure Files, Amazon S3, GCP, ADLS Gen2 APIs etc. Data movement between these and on-premises is supported by AzCopy.

Enhanced resiliency
Every instance will create a job ID and a related log file. If your job is failing, you can restart it or review the logs to understand what went wrong.

Supports include, exclude, wildcards and recursive
We can use include or exclude flags along with wildcard patterns. Recursive can be used to copy all files within a folder. We can also list or remove blobs in a given path.

Authentication and support
AzCopy can be authenticated using SAS tokens or Azure Active Directory. AzCopy can be installed on Windows, Linux or macOS computers.

>_ Terminal
#Get help
azcopy /?

#Copy files
azcopy copy <source> <destination> [options]
azcopy copy ./myfiles/visio.png "https://kodekloud.blob.core.windows.net/files?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D"

#Copy using AAD
azcopy login --tenant-id xxxx-xxxx-xxxxx-xxxxxxx-xxxxx
azcopy copy ./myfiles/visio.png https://kodekloud.blob.core.windows.net/files
Creating an App Service
App Service Plans

Diagram: an App Service Plan runs on a virtual machine (for example a Linux App Service Plan) that provides storage, network and compute; on top of the operating system sit the runtimes (ASP.NET Core, Python) and the applications with their data and access.

Compute
An App Service Plan defines the set of compute resources required to run our App Service.

Performance tier
Like VMs, App Service Plans also come in different tiers. These tiers represent the performance, features, size and the price you pay.

Host multiple apps
We can run multiple apps on a single App Service Plan. We can choose a different App Service Plan if we need to deploy our apps in a different region, or if they require a different OS or higher performance.

Considerations
Regardless of the number of apps you run, you have to pay the cost of the App Service Plan. We need to choose the plans wisely to optimize the cost.
App Service Plans

Selected Features | Free | Shared | Basic | Standard | Premium | Isolated
Web, mobile, or API apps | 10 | 100 | Unlimited | Unlimited | Unlimited | Unlimited
Disk space | 1 GB | 1 GB | 10 GB | 50 GB | 250 GB | 1 TB
Auto Scale | – | – | – | Supported | Supported | Supported
Deployment Slots | 0 | 0 | 0 | 5 | 20 | 20
Max Instances | – | – | Up to 3 | Up to 10 | Up to 30 | Up to 100

Shared Compute (Free & Shared): Run apps on the shared Azure VM infrastructure, where your app will be placed along with other apps.

Dedicated Compute (Basic, Standard, and Premium): Dedicated VMs will be provisioned, and your apps will run on them.

Isolated: Dedicated VMs will be provisioned in dedicated virtual networks.

App Service Plans
Scale up: Adding more CPU, memory, disk and features (basically, changing the plan tier)

Scale out: Manual (fixed number of instances) or Auto scale (increasing/decreasing based on metrics or schedule)
App Service

Single plan
Using an App Service Plan, we can host web apps, API apps, mobile apps, and serverless apps.

Support for multiple languages
Developers can run .NET, .NET Core, Node.js, PHP, Java, Python, and even containerized applications on App Service.

Fully managed PaaS solution
Developers can focus on enhancing their code, while Microsoft takes care of the underlying virtual machines and infrastructure.

Security and Compliance
Enterprise compliance standards such as ISO, SOC, and PCI are there for App Service. Also, we can set up authentication with Azure AD or social login.

CI/CD and Visual Studio Integration
Supports CI/CD from source control, and we can directly publish our code from Visual Studio.

Marketplace templates
We can use templates like WordPress, Drupal etc. from the Azure Marketplace with App Service, making our deployments easier.

Run Function apps
Functions can be run on your existing App Service plan without the need to provision additional infrastructure.

API and mobile features
Features like CORS support, offline data sync and push notifications make it the best candidate for hosting mobile apps.
Securing an App Service
Securing App Service

Authentication
Enable authentication for Azure App Service. Supports Microsoft, Apple, Facebook, GitHub, Google, Twitter, or any service that's using OpenID Connect. The default selection will be anonymous, where users can access the app without presenting any credentials.

Security
• SSL certificates
• Diagnostic settings for troubleshooting
• Network ACL
• Integrate keys with Azure Key Vault

Custom Domains
Custom Domains in App Service

Branding
By default, Azure creates an entry in the azurewebsites.net domain. You can bring in your own domain and add it to your App Service. You need to validate the domain before you can add it to the App Service.

Supports A or CNAME mapping
Requires creating a TXT record to prove domain ownership. Once that's done, you can add an A record or CNAME record to map the custom domain to App Service.

Plan dependent
Custom domains are supported from the Basic plan onwards.
Backup App Service
Backup App Service

Manual and scheduled backups
Backup supports manual or scheduled backups, which include the backup of configuration, file contents, and the connected database.

Filters and multiple restore options
Backup can be up to 10 GB of app and database. Full and partial backups can be configured. We can restore the app to a previous restore point or create a new app altogether.

Plan dependent
Backup requires a Standard or Premium plan.
CI/CD and Deployment slots
CI/CD

Automated Deployment
Automated deployment (CI/CD) is where developers push new code, which includes features, patches and bug fixes, with minimal impact to end users. These changes will be immediately updated in Azure App Service. We can integrate App Service with GitHub, Bitbucket, Local Git and Azure Repos.

Manual Deployment
Manual deployment is where developers store their code in remote cloud storage like OneDrive/Dropbox or in an external git repository. In manual deployment, developers need to manually push the code to the location for the App Service to update.
Deployment slots

Diagram: commits flow through CI/CD into the Staging slot, which is then swapped with Production.

Slots representing different environments
With the help of deployment slots, we can run different versions of our application, like prod, qa, dev etc.

Test before swapping
Developers get a chance to test and validate their code in App Service before pushing to production.

Unique URLs
Deployment slots will have their own unique URL, like your App Service.

Auto swap
We can configure auto-swap in scenarios where validation is not needed.

Reduces downtime and rollback strategy
As we are swapping, deployment slots avoid cold starts and hence eliminate service disruption. Since this is a swap, we can always swap again and roll back to the last known good configuration.

Plan dependent
The number of slots supported depends on the service plan. Free, Shared, and Basic plans don't support deployment slots. Standard supports up to 5, Premium supports up to 20 and Isolated supports up to 20 slots.
Deployment slots - considerations

Diagram: commits flow through CI/CD into the Staging slot, which is then swapped with Production.

Decision
Decide whether you want to clone an app configuration, clone from another deployment slot, or not copy anything.

Understand what will be swapped or not
Understand the list of settings that can be swapped and cannot be swapped.

Settings that can be swapped
• General settings
• App Settings & Connection strings
• Path mappings
• Handler mappings
• WebJobs contents
• Hybrid connections*
• Service Endpoints*
• Azure CDN*

Settings that aren't swapped
• Publishing endpoints
• Custom domain names
• Non-public certificates
• TLS/SSL settings
• Scale settings
• IP restrictions
• Always On
• Diagnostic settings
• CORS
• VNet integration
• Managed identities
• Settings that end with the _EXTENSION_VERSION suffix
Azure Container Instances
Virtual Machines v/s Containers

Comparison points: Isolation, Deployment, Storage, Fault tolerance.

Diagram: a virtual machine stack is Server > Host OS > Hypervisor > Guest OS > Libs/Bin > App, with a full guest OS for each VM (App A, App B); a container stack is Server > Host OS > Container Runtime > Libs/Bin > App, with the containers sharing the host OS.
Azure Container Instances

Diagram: containers on a container host inside a virtual network, with port 80 exposed on a public IP.

Faster startup
Unlike virtual machines, containers can start up in seconds.

Host internet facing applications
ACI supports a public IP and DNS name, which is ideal for exposing your container apps to the internet.

Isolation
Containers are isolated from each other even if they are deployed on the same container host.

Scalability
You can choose custom sizes as per your resource requirements.

Persistent storage
Container storage is ephemeral; using Azure Files we can create persistent storage for ACI.

OS and VNet
ACI can be deployed directly to virtual networks. Both Windows and Linux containers are supported by ACI.
Container Groups
Container groups
A collection of containers that get scheduled on the same container host machine; they share resources, lifecycle, local network, and storage volumes.

Diagram: a container group on one container host exposing ports 80 and 1433.

Shared networking
A public IP address, one or more ports, and a DNS label can be shared within the container group. In order to reach the containers from the internet, we need to expose the port to the internet.

Deployment options
Container groups can be deployed using ARM templates or a YAML file. If your container group includes Azure resources like a file share, then an ARM template is the better option.

Resource allocation
The resource request of the container group is calculated by summing up the resource requests of the individual containers that are part of the container group.
Azure Kubernetes Service
Azure Kubernetes Services

Diagram: one Azure managed node (master) and several customer managed nodes; each customer managed node has a vNIC and runs kubelet, kube-proxy, a container runtime and the containers.

Azure managed node
This node is created automatically when we create an AKS cluster. This node is not visible to the end user and runs the Kubernetes master node services.

Customer managed nodes
These nodes run your containerized applications and services. You only pay for the number of nodes.

kubelet
Receives requests from the Azure managed node for scheduling containers.

kube-proxy
Routes traffic and manages the IP addresses of pods and services.

Container Runtime
Allows containers to be created and to interact with networking and storage components.
AKS Terminology

Diagram: a node pool containing nodes; a deployment creates pods, which are scheduled onto the nodes.

Pools
Logical grouping of nodes with identical configuration.

Nodes
VMs that are running the containerized application. Nodes are managed by the Kubernetes master node, which is not visible to the end user.

Pods
Smallest unit of deployment, which is a collection of one or more containers representing a single instance of your application.

Deployment
Creates one or more identical replicas of your pod.

Manifest
YAML or JSON file used for deployment.
AKS Networking
AKS Networking
Services in Kubernetes provide internal and external network connectivity to pods.

Diagram: internal traffic reaches pods through a ClusterIP service on port 80; incoming direct traffic reaches an AKS node through a NodePort service on port 31000, which forwards to port 80; incoming non-direct traffic reaches the AKS node through a LoadBalancer service on port 80.

ClusterIP
Facilitates internal communication with other apps in your cluster. There is no external access. ClusterIP is the default Kubernetes service type.

NodePort
Opens a specific port on the node and forwards traffic to the pod via the service. You can choose port numbers 30000-32767, and the number of services is limited to one service per port.

LoadBalancer
Creates an Azure Load Balancer which will route the traffic from outside to the service. This is the standard way to expose your applications to the internet.
AKS Storage
AKS Storage

Diagram: in an AKS cluster, a pod on a customer managed node holds a Persistent Volume Claim, which the API server on the Azure managed node binds to a Persistent Volume backed by an Azure managed disk (Premium) or Azure Files (Standard).

Volumes
Volumes can be used to store, retrieve, and persist data. Local storage is fast and easy to use; on the other hand, Kubernetes treats pods as ephemeral. If needed, we can create a persistent volume using Azure Files or Azure Managed Disk.

Persistent Volumes
A volume created along with a pod is deleted when the pod is deleted. With the help of a persistent volume (PV) we can persist the storage even after deleting the pod.

Storage class
While creating storage, we can use StorageClasses to define the tier of the storage required. You can select Premium or Standard. With the help of the reclaimPolicy parameter, we can define whether the storage needs to be persisted or not.

Persistent Volume Claims
Using a PVC, we can request an Azure Managed Disk or Azure File share for a specific tier (via StorageClass), access mode and size.
AKS Scaling
AKS Scaling

Diagram: in an AKS cluster, the cluster autoscaler scales out nodes while the horizontal pod autoscaler scales out pods.

Manual scale
Based on the requirement, you can independently increase the number of pod replicas or increase the number of nodes.

Cluster autoscaler
The cluster autoscaler can increase the number of nodes in the cluster automatically based on demand. The API server checks every 10 seconds to validate whether any changes are required to the node count.

Horizontal Pod Autoscaler
Based on the demand, HPA will automatically increase the number of pod replicas. The Metrics API checks every 30 seconds to see if any changes are required to the replica count.

For best scaling, we need to use both the cluster autoscaler and HPA.

AKS Bursting
AKS Bursting

Diagram: the cluster autoscaler scales out nodes and the horizontal pod autoscaler scales out pods; an Azure Container Instance acts as a virtual node that also receives pods.

We can use ACI as a virtual node to rapidly scale the AKS cluster.

Azure Demonstration
File and Folder Backup
File and Folder Backup

Diagram: an on-premises Windows Server with the MARS agent backs up files and folders to a Recovery Services Vault; Azure Files shares are backed up to the same vault.
Virtual Machine Backup
Virtual Machine Backup – Azure VMs

Diagram: the Azure Backup Service is configured with a backup policy; at backup time it snapshots the VM's managed disks (kept as an instant recovery snapshot) and transfers only the incremental blocks over HTTPS to the Recovery Services Vault.
Virtual Machine Backup – On-premises VMs
Diagram: virtual machines on VMware and Hyper-V, specialized workloads, files/folders/volumes and physical servers are backed up through MABS or DPM to a Recovery Services vault.

Supported server versions (physical server): 2012 and 2012 R2, 2008 and 2008 R2, 2003 and 2003 R2.
Supported client versions: Windows XP, Windows 7, Windows 8 and 8.1, Windows 10 and 11.
Azure Site Recovery
Diagram: source environment (Region A) with VMs in an availability set, their disks, a cache storage account, subnet and vnet; on failover, the replicated disks are brought up in the target environment (Region B) in an availability set, subnet and vnet-asr.
Network Watcher
Network Watcher is a regional service that can be used to diagnose, monitor, and set up logging for resources that are deployed in an Azure Virtual Network.

IP Flow verify is used to verify inbound and outbound connectivity from or to a VM from a remote IP address.
Next hop is used to identify the next destination traffic will be routed to.
VPN diagnostics will help you diagnose VPN connectivity issues and troubleshoot them.
NSG Flow Logs will store the details of the traffic through an NSG in a storage account.
Connection troubleshoot can be used to identify network performance and connectivity issues.
Topology can be used to see the topology of your Azure infrastructure.
Azure Monitor
Diagram (Azure Monitor data platform):
Data sources: Application, OS, Azure Resources, Azure Subscription, Azure Tenant, Custom.
Capabilities: Monitor and visualize metrics; Query and analyze logs; Alerting and notifications.
Experiences: Application, Container, VM, Network.
Visualize: Workbooks, Dashboard.
Analyze: Metric Explorer, Log Analytics.
Respond: Alerts & Actions, Auto Scale.
Integrate: Event Hubs, Logic Apps, Import/Export APIs.

Image source: https://docs.microsoft.com/en-us/azure/azure-monitor/data-platform

Metrics

Zero configuration required
Metrics are collected from Azure resources without any additional configuration. Thus, collected data is displayed in the Overview blade of the resource and we can analyze further with the help of Metrics Explorer.

Near real time data
As Metrics can visualize real time data which represents the state of our system, it's easy to monitor and troubleshoot issues.

Time series
Metrics are plotted on a time axis to represent the state of a system at a point in time.
Logs

Organized as records
Logs represent data that are organized into different records. Each record represents an event or information.

Requires additional configuration
Logs collected are stored in Log Analytics, and this collection requires agents to be configured on the source.

Rich query language
Log Analytics supports Kusto Query Language (KQL) for querying the data stored in the repository. KQL supports simple queries and complex queries where you can perform joins, aggregations, and analytics.
Data Sources

Application: Instrumentation Package, Availability Test
OS: Azure Monitor agent, Azure diagnostic extension
Azure Resources: Metrics, Resource Logs
Azure Subscription: Service Health, Activity Log
Azure Tenant: Active Directory
Custom: Instrumentation Package, Application
Azure Activity Log
Diagram: Activity Logs are emitted by the Azure infrastructure for both compute resources (Application, Application Logs, Diagnostic Logs, Guest OS, Host VM) and non-compute resources (Resource, Diagnostic Logs).

Subscription level logging
All subscription level events will be logged in Azure Activity Logs. The ingested data includes all ARM operations and service health events.

Auditing
Activity Log provides insights into what operations were taken on the resource, who started them, when they happened, their status and other raw data that could help in auditing.

Retention
Activity Log is enabled by default and has a retention period of 90 days; if needed, we can extend this by sending the data to a storage account.

Querying data
Filters like Subscription, Timespan, Severity, Resource group, Resource, Operation, Event initiated by, and Search for keywords.
Azure Activity Log – Event Categories

Administrative
All Resource Manager create, update, delete, and action operations are categorized under Administrative.

Security
All security alerts generated by Microsoft Defender for Cloud will be mapped under this category.

Service Health
Any service health incidents that happened to Azure resources; this may or may not include your resources.

Recommendation
All recommendations generated in Azure Advisor.

Autoscale
This category contains all scale in and scale out events.

Alert
Any alerts triggered in Azure Alerts.

Policy
All policy effects will be mapped to this category.

Resource Health
Health events associated with your Azure resources.
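Added example, not part of the original slides: KQL you would run in Log Analytics once the Activity Log is sent to a workspace (it lands in the AzureActivity table), covering the auditing questions above for the Administrative and Security categories. The 7-day window, the operation names chosen and the per-caller summary are illustrative choices, not values from the deck.

```kql
// Added example: audit Administrative operations recorded in the Activity Log
// (AzureActivity table of a workspace that receives the subscription's Activity Log).
// Who changed network security groups or role assignments in the last 7 days?
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Administrative" and ActivityStatusValue == "Success"
| where OperationNameValue in~ (
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Authorization/roleAssignments/write")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc

// Same window, summarised per caller and operation: an unusually high count, or a caller
// you do not recognise, is what to follow up on.
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Administrative" and ActivityStatusValue == "Success"
| summarize Operations = count(), DistinctResources = dcount(_ResourceId),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Caller, OperationNameValue
| order by Operations desc

// Security category: alerts from Microsoft Defender for Cloud as mapped into the Activity Log.
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue == "Security"
| project TimeGenerated, OperationNameValue, Level, ResourceGroup, _ResourceId, Properties
| order by TimeGenerated desc
```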
Azure Alerts
Azure Monitor Alerts

Unified Authoring Experience
We can create alerts for Activity Logs, Service Health Events, Log Analytics, Metrics etc. In all these scenarios the authoring experience is the same.

Classify based on severity and response
Azure Alerts supports severity (0-4), so you can easily prioritize the alerts. Secondly, we can categorize by user response: New, Acknowledged or Closed.

Integrate with Action Groups
Define your notification and automation preferences with the help of Action Groups.
Azure Monitor Alerts

Scope
Defines the scope for the alert.

Condition
Helps you to define the signal and criteria for the alert.

Actions
Integrate alerts with Action Groups.

Rule details
Specify name, severity, region, resource group and subscription for the alert.
Action Groups

Notification
• Email Azure Resource Manager Role (Owner/ Contributor/ Reader/ Monitoring Contributor/ Monitoring Reader)
• Email/ SMS/ Push/ Voice

Actions
• Automation Runbook
• Azure Function
• Event Hub
• ITSM
• Logic App
• Secure Webhook
• Webhook
Log Analytics
Log Analytics

Data collection
Data generated from resources in the cloud and on-premises can be collected into an Azure Log Analytics workspace.

Reporting and visualization
Use KQL to create rich reports and visualizations.

Workspace
A workspace should be created for data ingestion. You can create one or more workspaces in different regions as per your requirement.

Pricing
Cost is for data ingestion (GB) and data retention (days). Log Analytics offers 30 days of cost-free data retention.
Log Analytics Workspace

Workspace
Resource created in Azure to collect, analyze,
aggregate, and visualize the data from onboarded
resources.

Data isolation
You can create workspaces in different regions to
meet compliance and data residency
requirements.

Stores Insights and Sentinel data


Data ingested by other services like Application
Insights and Sentinel use Log Analytics Workspace
to store data.
Querying Log Analytics Workspace
Data sources and the tables they populate: Logs – Windows Events (Event), Syslog (Syslog); Agents – Heartbeat (Heartbeat); Performance metrics (Perf); Custom Logs (CustomLog_01); Alerts (Alert).

Syslog
| union Event
| where SeverityLevel == "Error"

Heartbeat
| where ComputerIP startswith "52" and Computer startswith "DC"
| where OSType == "Windows" and OSName contains "2016"

Perf
| where CounterName == "Available MBytes" and Computer == "JBOX00"
| project TimeGenerated, CounterValue
| sort by TimeGenerated asc
| render timechart
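Two further queries over the Heartbeat and Syslog tables shown above, added here as an example and not taken from the slides: the first finds agents that have stopped reporting, the second aggregates failed SSH logons per host and source address. The 15-minute and 10-failure thresholds are constructed values to tune for your environment.

```kql
// Added example (not from the slides): two detections over the tables listed above.

// 1. Agents that have gone quiet: last heartbeat older than 15 minutes. A silent agent
//    means a host whose logs are no longer being collected, or a host that is down.
Heartbeat
| where TimeGenerated > ago(1d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType, ComputerIP
| where LastHeartbeat < ago(15m)
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| order by MinutesSilent desc

// 2. Repeated SSH authentication failures per host and source address in the last hour.
//    The threshold of 10 is a constructed example value.
Syslog
| where TimeGenerated > ago(1h)
| where Facility in ("auth", "authpriv") and ProcessName == "sshd"
| where SyslogMessage has "Failed password"
| extend SourceIP = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| summarize Failures = count(),
            Accounts = make_set(extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage))
    by Computer, SourceIP
| where Failures >= 10
| order by Failures desc
```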
Application Insights
Application Insights
Diagram: an ASP.NET MVC web app (DemoWebApp) instrumented with Application Insights; the collected telemetry can be consumed through Alerts, Power BI, Visual Studio, the REST API and Continuous Export.

// Sample ASP.NET MVC controller of the instrumented demo application
using System.Web.Mvc;

namespace DemoWebApp.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        public ActionResult About()
        {
            ViewBag.Message = "Your application description page.";
            return View();
        }

        public ActionResult Contact()
        {
            ViewBag.Message = "Your contact page.";
            return View();
        }
    }
}

Continuous Monitoring
Ability to monitor failures and unavailability of our applications continuously.

Availability test
Ability to perform availability tests from different geographic regions to observe latency and performance.

Supports Azure and non-Azure applications
We can install the instrumentation package on Azure and non-Azure environments to monitor our applications.