
Azure VM

How does a VM get provisioned, which dependent components does it have,
which of them must be up and running for the VM to work, and what method
does Microsoft recommend for making a VM highly available?

Why do we create a VM?

We want to host a website, a web application or any other application on
Azure infrastructure, so we start by building a VM. Before building it we
need a subscription, and when someone joins the team we grant them access
to that subscription through RBAC.

While creating the VM, look at the components involved and make sure the
VM is highly available.
Suppose I have a VM that hosts a web application. The VM runs on one
physical host in an Azure data center. Microsoft runs Hyper-V as the
virtualization platform on those hosts; a node might have, for example,
2 TB of RAM and 50 TB of storage, and it hosts your VM next to other
customers' VMs. Virtualization means the VMs share the host's resources,
which the physical server allocates to each VM.

When you create a VM you choose a size, i.e. how much RAM (say 2 GB) and
how many virtual CPUs (say 2) it gets. The physical host supplies only
these basic resources, CPU and RAM; this is the compute component.

Storage: the disks live here. Every VM has an OS disk, which is attached
automatically. The OS disk is built from the image you choose at creation
time: Microsoft maintains an image repository, you pick the OS version you
want, and the platform creates the OS disk from that image and attaches
it to the VM. Once the OS is in place the VM boots.
Compute also provides a temporary disk, which on Windows appears as the
D: volume by default. It is temporary because it lives on the physical
host: if you stop and deallocate the VM, all compute resources are
released and the temporary disk is lost with them. When you start the VM
again it does not necessarily land on the same physical host; it may be
placed on a different host in the data center with a fresh, empty
temporary disk. Never keep data on it that you cannot afford to lose.

So storage provides the OS disk and compute provides the RAM and CPU.
What else does a VM need in order to run? Network. Every computer has a
NIC, and the VM's NIC must be associated with it and carry an IP address;
without an IP address you cannot connect to the VM. The address can be
public or private, but a private IP is mandatory: you cannot create a VM
without one. Network components are managed by the network resource
provider. For the VM to be up and running, compute, storage and network
must all be available and able to talk to each other.

How do you provide high availability for your VM if the physical server
goes down?
I have a website on a VM (web1) running on a physical server in an Azure
data center. If that VM goes down, my entire business is down. The obvious
fix is a second VM (web2) with the same application and a load balancer in
front that distributes traffic between the two. The load balancer probes
the health of each VM and sends requests only to the healthy one, so I can
tell management that if one VM goes down the other still serves users.
Then a user reports that the website is not accessible. We check both VMs'
logs and find that the underlying host was degraded (network connectivity
or performance problems), so both VMs were rebooted and moved to another
physical server, and both were unavailable at the same time. The reason:
when you create two VMs in Azure you do not control which host they land
on; they may be on the same server or different servers. Here they were on
the same server, and when it failed everything failed. To avoid this
Microsoft recommends placing two or more VMs in an availability set. Azure
then spreads them across different physical servers (fault domains) and
different update domains, so they are not taken down at the same time.
With web1 and web2 in an availability set, VM1 goes on one physical server
and VM2 on another.
Microsoft also keeps updating its physical servers. When a host is
rebooted, every VM running on it is rebooted; this is planned maintenance,
and the update domains of an availability set ensure that only one domain
at a time is rebooted for it.

Disks: managed disks and unmanaged disk

Managed disk - Microsoft manages the storage platform. You do not create a
storage account; the disk appears directly as a resource that you attach
to the VM. You do not have to track storage account capacity limits, you
can create snapshots from the disk and create a VM directly from a disk,
and managed disks are placed to match the VM's availability set.

Unmanaged disk - the user creates a storage account to hold the disk. The
disk is a page blob inside that storage account and is attached to the VM
from there. You are bound by the storage account's limits, which depend on
its type; a premium storage account is limited to 35 TB, which caps how
many disks you can attach from it, and you have to manage the storage
account yourself.

Compute: CPU, RAM and the temporary disk.

Storage: managed or unmanaged disks. Every VM has an OS disk; when that is
not enough you add data disks, the number of which depends on the VM size,
and attach them directly from storage in the same region as the VM.

An availability set protects you from rack-level and node-level outages;
an availability zone protects your VM from data-center-level outages. In
other words, availability sets work at the rack, node or server level and
availability zones at the data center level.

Network Security Group: NSG

We have a virtual network with several subnets. One subnet hosts the web
servers, another hosts the database servers, and the web servers and
database servers need to talk to each other. The web servers are reachable
from the internet through a load balancer, which distributes incoming
traffic to the backend web servers; between the web tier and the database
tier a second (internal) load balancer distributes the database traffic.
That is how it works.
An end user accesses the website through its URL; that is one part.

The other part is the Azure admin, who is responsible for managing the
Azure resources and needs to log in to these VMs for day-to-day
operations, using RDP (port 3389) on Windows or SSH (port 22) on Linux.
You connect to the VM through its NIC. Every VM has a NIC with a private
IP and optionally a public IP. A public IP is a separate billable resource
that you obtain from Microsoft, like the VM or its storage. Private IPs
come from the VNet address space and the subnet address range: you define
an address space for the virtual network, for example 10.0.0.0/16, carve
it into subnets, for example 10.0.1.0/24 for the web subnet, and the VM's
NIC gets an IP from the range of the subnet it sits in.
You can RDP to the public IP, or to the DNS name you configure on the
public IP; both are resolvable over the internet.
You cannot reach the private IP over the internet, because it is internal
to the virtual network. To connect over the private IP you need a
different path, such as a VPN into the VNet.
A public IP exposes the VM to everyone on the internet, so anyone can
attempt to connect to it. Management ports on a public IP must be
restricted with NSG rules, and a VPN or other private path is the safer
way to reach the VM.

Say you assigned a public IP and connect over the internet with Remote
Desktop. An NSG can be associated at the subnet level or at the NIC level
(just as a public IP can be assigned directly to a NIC). If the NSG is
attached to the NIC, its rules apply to that NIC and therefore to the one
VM it belongs to. If the NSG is attached to a subnet, its rules apply to
the whole subnet, i.e. to every machine in it. When both exist, inbound
traffic is evaluated by the subnet NSG first and then by the NIC NSG, and
must be allowed by both.

What is NSG, what kind of rules it contains?

An NSG acts as a software firewall within Azure. It has inbound rules and
outbound rules, each of which can allow or deny, so you control both the
requests coming into your VM and the traffic leaving it.
Inbound example: an admin tries to RDP to a machine. RDP uses port 3389;
if no inbound rule allows 3389 from the admin's source address, the
connection is blocked by the default deny rule.
Outbound: by default, traffic to the virtual network and to the internet
is allowed and everything else is denied.
Each NSG comes with default inbound and outbound rules. The three default
inbound rules are: allow traffic from the VirtualNetwork (any
communication within the VNet, including between subnets, so web can talk
to DB and DB to web), allow traffic from the AzureLoadBalancer (so the
load balancer's health probes can reach the VMs), and deny all. Traffic
from any source other than VirtualNetwork and AzureLoadBalancer is blocked
by the deny-all rule unless you add a rule that allows it.

How do these rules work?

Rules are evaluated in priority order, and the first rule that matches
decides. Custom rules use priority numbers from 100 to 4096; the default
rules sit at 65000 and above (AllowVnetInBound 65000,
AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) and cannot be
deleted, but you can override them with a rule that has a lower number
than the deny rule. So to allow anything, create a rule with a lower
number than the deny rule.
Priority matters a great deal: the lower the number, the higher the
precedence. A rule has a name, source, destination, port, protocol and
priority. Source can be (1) an IP address or range, which may be a whole
subnet or one VM's IP, (2) an application security group (ASG), so you
can allow or deny whatever comes from the ASG's members, or (3) a service
tag. Service tags exist because your VM needs to talk to other Azure
services, such as Azure Backup, Azure Site Recovery or Azure Storage, and
each of those services uses public IP ranges that change over time. If
you wrote rules against the raw IPs you would have to update them every
time the ranges changed, so instead of IP addresses Microsoft introduced
service tags: for traffic from or to Azure Backup you simply specify the
AzureBackup service tag. Destination takes the same kinds of values. Port
is, for example, 3389 for RDP, 22 for SSH, 80 for HTTP or 443 for HTTPS;
protocol is TCP, UDP or Any; priority is the number described above.

What is ASG?
You have web server 1, web server 2 and so on, and DB server 1, DB server
2, DB server 3 and so on. A request comes in to allow web server 1 to talk
to DB server 1, 2 and 3, and every other web server needs the same. One
rule per pair is not a manageable way to do it, so Microsoft introduced
application security groups. An ASG acts as a named label for a set of
NICs: create one ASG for the web servers (web-asg) and one for the DB
servers (db-asg), add the web servers' NICs to web-asg and the DB servers'
NICs to db-asg, then write a single rule that allows traffic from web-asg
to db-asg. Every machine in web-asg can now reach every machine in db-asg,
and adding a server later means adding its NIC to the ASG rather than
editing rules. The ASG is the mediator through which the communication is
allowed.
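
The priority-based evaluation described above (first match wins, custom
rules 100-4096, default rules at 65000 and above) and the ASG expansion,
as an added example that is not part of these notes and not Azure's own
code. It models an NSG's inbound rules in the shape the portal shows them,
resolves ASG names and service tags through constructed lookup tables (the
168.63.129.16 load-balancer probe address is real; the AzureBackup range,
the ASG memberships and the custom rules are assumptions), and answers the
question an admin actually has: from which sources can RDP reach this VM?

```python
"""Inbound NSG evaluation: first match by priority wins, default rules last.
Added example; the rule shape only loosely mirrors `az network nsg show`."""
import ipaddress

# Constructed lookups (assumptions). Real service-tag ranges change over time
# and are published by Microsoft; ASG membership is whatever NICs you add.
ASG = {
    "web-asg": ["10.0.1.4", "10.0.1.5"],
    "db-asg": ["10.0.2.4", "10.0.2.5", "10.0.2.6"],
}
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe source
    "AzureBackup": ["52.0.0.0/8"],              # placeholder range, not real
}

# The three default inbound rules; they cannot be deleted, only overridden.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "destination": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "destination": "*", "port": "*"},
]

# Constructed custom rules: admin RDP from one address, an explicit deny for
# the rest of the internet, and an ASG-to-ASG rule for SQL traffic.
CUSTOM_INBOUND = [
    {"name": "AllowRdpFromAdmin", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": "203.0.113.10/32", "destination": "*", "port": "3389"},
    {"name": "DenyRdpFromInternet", "priority": 110, "access": "Deny",
     "protocol": "Tcp", "source": "Internet", "destination": "*", "port": "3389"},
    {"name": "AllowWebToDb", "priority": 200, "access": "Allow",
     "protocol": "Tcp", "source": "web-asg", "destination": "db-asg", "port": "1433"},
]


def _in_any(ip, cidrs):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _addr_matches(spec, ip):
    """Resolve '*', an ASG name, a service tag or a CIDR against one address."""
    if spec == "*":
        return True
    if spec in ASG:
        return ip in ASG[spec]
    if spec == "Internet":  # Azure's Internet tag excludes the VNet's own space
        return not _in_any(ip, SERVICE_TAGS["VirtualNetwork"])
    return _in_any(ip, SERVICE_TAGS.get(spec, [spec]))


def _port_matches(spec, port):
    """'*', a single port, a range 'lo-hi' or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in str(spec).split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(custom_rules, src_ip, dst_ip, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching inbound rule.
    Custom rules must use priorities 100-4096; anything they do not match
    falls through to the default rules at 65000+."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", protocol):
            continue
        if not (_addr_matches(r["source"], src_ip) and _addr_matches(r["destination"], dst_ip)):
            continue
        if _port_matches(r["port"], port):
            return r["access"], r["name"]
    raise RuntimeError("DenyAllInBound should have matched")


def rdp_reachable_from(custom_rules, vm_ip, sources):
    """Which of the given source addresses may open RDP (3389/tcp) to vm_ip."""
    return [s for s in sources if evaluate(custom_rules, s, vm_ip, 3389)[0] == "Allow"]
```

Note what the VNet source shows: a machine at 10.0.2.4 can still RDP to the
web VM, because nothing in the custom rules fires and AllowVnetInBound at
65000 lets it through. Restricting RDP to management sources therefore
needs a deny rule numbered below 65000 that covers VirtualNetwork as well,
not just Internet. Swapping the admin allow to a higher number than the
deny makes it dead, which is the priority mistake the notes warn about.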

Subscription & Azure Active Directory:

Subscription: to get a subscription you need an account, either an
organizational ID or a Microsoft account (an Outlook.com or Hotmail
address, or another address such as Gmail registered as a Microsoft
account).
For a pay-as-you-go subscription you provide details such as address and
company name, and a directory gets created. If your company is dxc the
directory is dxc.onmicrosoft.com; we call it a tenant. Any subscription
you buy is associated with this directory, so one directory can hold more
than one subscription: if you later buy another subscription it joins the
same directory.
Your account is tied to the directory, and the directory holds your Azure
subscriptions.
The directory holds your organization's details: who owns each
subscription, who can sign in, and so on. This directory is Azure Active
Directory.

Azure AD maintains user IDs, passwords and roles, i.e. which permissions
you have. When you sign in to the Azure portal with your email ID, the
request goes to Azure AD, which checks whether the account exists; if it
does, you are signed in to the portal. Then your permissions are
evaluated: if you hold a role on a subscription you see its resources; if
you hold no role on any subscription you see no resources at all, you are
just a user in the tenant.

One directory can have multiple subscriptions, but one subscription cannot
belong to multiple directories.

Resources: say I have a business requirement to put my application in the
cloud. Today it runs on VMware in my own data center. Moving to Azure, the
component I use is a VM: I create the VM and deploy the application into
it so that users can reach the application from that VM.
Resource Group: a logical grouping of resources; you cannot create any
resource outside a resource group.
Resources are created inside an RG. You can create any number of RGs, each
RG can contain many resources, and one resource cannot belong to multiple
RGs. VM1 is one resource. The hierarchy is Subscription, Resource Group,
Resources.

What are the built-in roles available in Azure? How do you manage these
permissions?
With RBAC, the Azure service used to assign permissions in the cloud
environment. RBAC has a few fundamental built-in roles: Owner, Contributor
and Reader. Owner can create and delete any resource and can grant others
access as Owner, Contributor or Reader. Contributor has the same
permissions as Owner except that it cannot assign roles, so it cannot make
anyone an Owner. Reader can only view the status of services and which
resources exist in the subscription and its RGs.

Where and how do you apply these permissions?

Permissions can be assigned at the management group level, in which case
they are inherited by all subscriptions under it. I can assign at the
subscription level, which gives access to that one subscription, all of
its resource groups and all of their resources. I can also assign at the
resource group level, which gives access only to that resource group and
its resources, or at the level of a single resource.
Owner, Contributor and Reader are not always specific enough, so Microsoft
introduced service-specific roles.
Virtual Machine Contributor lets you manage virtual machines but not the
virtual network or storage account they are connected to; you can assign
it to users at the subscription level. To manage backups there is the
Backup Operator role, which you can assign at the subscription or resource
group level, and the user can then only manage backups.
When no built-in role fits, custom RBAC roles let you define your own. For
example, start from Virtual Machine Contributor and keep only the actions
the user should have, say restarting a VM
(Microsoft.Compute/virtualMachines/restart/action). Assign the custom role
at the subscription level and the user who holds it can only restart VMs
and nothing else.

In the Azure portal, go to the subscription and click Access control
(IAM). Under Role assignments you see who has access; under Roles you see
Owner, Contributor, Reader and the service-specific roles.
To create a custom role, click Add custom role, provide a role name, click
Next and then Add permissions. Select a category, for example Compute,
and you see the VM actions: get, create, delete, start, power off,
restart and so on. Tick only the ones the role should have, set the
assignable scope (here the subscription) and click Create.

To assign a role, click Add, Add role assignment, select the role (for
example Owner), select Members, pick the user, click Next and Assign.

Resource groups have their own Access control (IAM) blade, where you add
role assignments scoped to that resource group, and so does each
individual resource: Access control (IAM) is available at every level.
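
The scope inheritance and role semantics above (management group,
subscription, resource group, resource; Contributor without the right to
assign roles; a custom restart-only role), as an added example that is not
part of these notes and not Microsoft's code. The role definitions are
trimmed copies of the built-ins (real action strings, but not the full
lists), the subscription ID, management group name and assignments are
constructed, and the ancestor walk collapses child resources straight to
their resource group.

```python
"""Azure RBAC effective-permission check. Added example, not Microsoft's code.
Role definitions are trimmed copies of the built-ins (real action strings,
shortened lists); scopes are resource-ID paths as Azure writes them."""
import fnmatch

MG = "/providers/Microsoft.Management/managementGroups/mg-prod"   # constructed
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"       # constructed
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM_WEB1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web1"
VM_DB1 = RG_DB + "/providers/Microsoft.Compute/virtualMachines/db1"
VNET = RG_WEB + "/providers/Microsoft.Network/virtualNetworks/vnet-prod"

PARENT_MG = {SUB.lower(): MG.lower()}  # subscription -> management group (constructed)

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {  # trimmed: VMs and NICs, no vnet/storage writes
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action"],
        "NotActions": []},
    "VM Restarter": {  # the custom role from the notes: look and restart only
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/restart/action"],
        "NotActions": []},
}

ASSIGNMENTS = [  # constructed
    {"principal": "alice", "role": "Owner", "scope": MG},
    {"principal": "bob", "role": "Contributor", "scope": SUB},
    {"principal": "carol", "role": "Reader", "scope": RG_WEB},
    {"principal": "dave", "role": "VM Restarter", "scope": SUB},
    {"principal": "erin", "role": "Virtual Machine Contributor", "scope": RG_WEB},
]


def _matches(patterns, action):
    """Azure action matching: case-insensitive, and '*' spans '/' as well."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_allows(role, action):
    """Actions minus NotActions, which is how a role definition is read."""
    d = ROLES[role]
    return _matches(d["Actions"], action) and not _matches(d["NotActions"], action)


def ancestors(scope):
    """Yield the scope, then each enclosing scope up to the management group.
    Child resources are collapsed straight to their resource group."""
    s = scope.lower().rstrip("/")
    while s:
        yield s
        if s in PARENT_MG:
            s = PARENT_MG[s]
        elif s.startswith("/providers/microsoft.management/"):
            return
        elif "/providers/" in s:
            s = s.split("/providers/")[0]
        else:
            s = "/".join(s.split("/")[:-2])  # rg -> subscription, subscription -> ''


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Allowed if any assignment for the principal at the scope or one of its
    ancestors grants the action; assignments inherit downward and add up."""
    chain = set(ancestors(scope))
    return any(a["principal"] == principal
               and a["scope"].lower().rstrip("/") in chain
               and role_allows(a["role"], action)
               for a in assignments)
```

The Contributor case is the one to remember: bob can delete any VM in the
subscription but cannot write a role assignment, because that action is
carved out in NotActions, while alice's Owner assignment at the management
group reaches every resource beneath it.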

How do you assign permissions at the subscription, resource group and
resource level, and how are users provisioned in Azure?
When I give access to resources there are different kinds of users I can
bring in: 1. cloud users, 2. guest users (including Microsoft account
users), and 3. users synchronized from on-premises AD. Cloud users: when
you subscribe to Azure you get an Azure AD tenant, for company dxc the
directory dxc.onmicrosoft.com. If you create the user Siva directly in
Azure AD, the account is
[email protected]
with a username and password that he uses to sign in to the Azure portal.
That default domain is long and not very nice, so we verify a custom
domain: you buy a domain from godaddy.com, Azure AD gives you a TXT (or
MX) record to add in your GoDaddy DNS, and once the record is published
Azure AD verifies the domain. That is one scenario.

Guest users: I have invited Hari, a freelancer, to work with us for a
while. His address is [email protected]; I invite him into my directory as
a guest user. When I add his email ID in the Azure portal he receives an
invitation from my directory, he accepts it, and he can sign in to the
Azure portal and see the Azure resources I have granted him.

The third kind is the on-premises AD user, which is the model most
organizations use. When you join a company the IT team gives you a
username and password, and you use it to sign in to Teams, Outlook and
other applications. Those accounts are managed in your own data center by
a domain controller, a server running the Active Directory Domain Services
role, which stores every employee's user ID and password and the
permissions they hold. When you sign in to a computer, AD authenticates
you and grants access. With directory synchronization the same user
accounts (and, with password hash synchronization, a hash of each
password hash rather than the password itself) are present in Azure AD as
well, so users get access to Azure AD applications and the Azure
subscription with the same credentials: one user ID and password for all
cloud applications and all on-premises applications. We will also set up
domain controllers, create users there and synchronize them to Azure AD,
then give them access to Outlook, Teams and the Azure portal.

In the Azure portal, go to Azure Active Directory, Users. For the guest
user you see Directory synced = No, which means the account was not
synchronized from on-premises AD.
When creating a user there are two options, Create user and Invite user.
Invite user creates a guest user. To create a user, provide the username,
enter a password or let it be auto-generated, optionally add groups and
directory roles (for example Global administrator), select the usage
location (India), and the user is created as a member, i.e. a native
Azure AD account. A Global administrator can create users. To let that
user see subscriptions, go to the subscription, Access control (IAM), Add
role assignment, select Owner (or whichever role is appropriate), select
the member and Assign.

Azure AD permissions are different from subscription permissions: you can
be a plain user in Azure AD and still be Owner of a subscription, and a
Global administrator has no access to subscription resources until an RBAC
role is assigned.

To use my own domain I have to verify it with Azure AD. In Azure AD open
Custom domain names, click Add custom domain and enter the domain bought
from GoDaddy. The status shows Unverified; click it and Azure AD shows the
TXT (or MX) record you must publish at GoDaddy. In the GoDaddy DNS console
click Add record, choose type TXT, set the name to @, paste the value from
Azure AD, leave TTL at the default of 1 hour and save; alternatively add
the MX record shown. Back in Azure AD click Verify. New user accounts get
the primary domain by default; to make the new domain primary, click Make
primary.

Connect RDP: take the public IP and connect with RDP; the Server Manager
dashboard opens. If the machine is slow, resize it. dsa.msc is the command
that opens Active Directory Users and Computers on a domain controller.
In Active Directory Users and Computers you create users and groups and
grant users access to specific folders and applications. To create a
user, right-click the organizational unit, choose New, then User, and
fill in the details.
You can also create a group, choosing the scope (domain local, global or
universal) and the type (security or distribution).

Q) I have a VM and a domain controller, I am trying to join the VM to the
domain and it cannot reach the domain. What are the possible causes?
Did you update the DNS server setting at the VNet level? By default the
VNet uses Azure-provided DNS, which knows nothing about your domain. Set
the VNet's DNS servers to the private IP address of the domain controller
(and restart the VM so its NIC picks up the change) so that the domain
name resolves.

To join the server to the domain: right-click This PC, Properties, Change
settings, Change, select Domain and enter the domain name
([email protected] as shown), then provide domain admin credentials as
domainname\username and the password. Restart the machine. Back on the
domain controller, in dsa.msc open Computers and the VM you just joined
appears. Next, download Azure AD Connect.

Azure Firewall:
Most customers use third-party firewall appliances such as Cisco or Palo
Alto. In Azure those need server infrastructure that you deploy, patch and
manage, plus the rules themselves. With Azure Firewall you do not create
any host: it is a PaaS service, Microsoft manages the backend components,
and your only job is to configure the rules that let your business run
securely. There are three rule types: DNAT rules, network rules and
application rules. DNAT rules translate a firewall public IP and port to a
private IP and port, so you can reach a VM that has no public IP of its
own. Network rules filter at layer 3/4 by source, destination, port and
protocol (TCP, UDP, ICMP or Any), for example to allow or block DNS or any
other port. Application rules restrict outbound access to specific FQDNs
or URLs, which is what most organizations use them for.

You need a VNet with a dedicated subnet named AzureFirewallSubnet; the
firewall is deployed into that subnet. When you create the firewall you
choose the VNet and that subnet, and your workloads run in any number of
other subnets in the same VNet.
I have a VM without a public IP, so I will reach it through the firewall.
Open the VM, go to Networking and note the NIC private IP (there is no NIC
public IP). Create the firewall: select the subscription, RG, name, region
and availability zone, choose the firewall tier (Standard or Premium),
select the VNet, and select or create a public IP for the firewall. Once
it is created, open its rules: DNAT, Network and Application rule
collections.

How does the VM's traffic get forced through this firewall?

By default the system routes send traffic between VMs in the same subnet
or VNet directly, accept traffic from the load balancer, and send anything
bound for the internet straight out. You have to change this so that the
traffic goes through the firewall, and that is done with a route table:
create a custom route (user-defined route) that redirects traffic from the
VM to Azure Firewall.
Create a route table: select the subscription, RG, region and name, and
click Create. Open the route table, go to Routes, Add: give the route a
name, set the address prefix to 0.0.0.0/0 (meaning all traffic to the
internet), set the next hop type to Virtual appliance, and set the next
hop address to the firewall's private IP. Then associate the route table
with the subnet where the VM lives: go to Subnets, Associate, select the
VNet and the subnet. From then on, internet-bound traffic from any VM in
that subnet is routed to the firewall. Open the subnet and you can see
the route table associated there. Do not associate this route table with
AzureFirewallSubnet itself.

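The route resolution the previous paragraph relies on, as an added example
that is not part of these notes and not Azure's code: longest prefix match,
and on a tie a user-defined route beats the system route. That is why a
0.0.0.0/0 route to the firewall diverts internet traffic while VNet traffic
still goes direct unless you add a route for the VNet prefix as well. The
addresses are constructed.

```python
"""Effective-route lookup for an Azure subnet. Added example, not Azure's code.
Longest prefix match; on an equal prefix a user-defined route (UDR) wins over
the system route. Addresses are constructed."""
import ipaddress

VNET_PREFIX = "10.0.0.0/16"
FIREWALL_PRIVATE_IP = "10.0.255.4"  # constructed: a host in AzureFirewallSubnet

# System routes every subnet receives (next hop names as the portal shows them).
SYSTEM_ROUTES = [
    {"prefix": VNET_PREFIX, "next_hop_type": "VirtualNetwork", "next_hop": None, "source": "Default"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "next_hop": None, "source": "Default"},
]

# The UDR from the notes: everything internet-bound via the firewall.
USER_ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
     "next_hop": FIREWALL_PRIVATE_IP, "source": "User"},
]


def validate_udr(route, vnet_prefix=VNET_PREFIX):
    """Reject the mistakes the portal also rejects: a Virtual appliance hop
    needs an address, and that address must be inside the VNet."""
    ipaddress.ip_network(route["prefix"], strict=False)  # raises on a bad prefix
    if route["next_hop_type"] == "VirtualAppliance":
        if not route.get("next_hop"):
            raise ValueError("Virtual appliance next hop needs an IP address")
        if ipaddress.ip_address(route["next_hop"]) not in ipaddress.ip_network(vnet_prefix):
            raise ValueError("next hop must be reachable inside the VNet")
    return True


def effective_route(dest_ip, user_routes=USER_ROUTES, system_routes=SYSTEM_ROUTES):
    """Pick the route Azure would use for dest_ip from this subnet's view."""
    d = ipaddress.ip_address(dest_ip)
    best_key, best = None, None
    for r in list(system_routes) + list(user_routes):
        net = ipaddress.ip_network(r["prefix"], strict=False)
        if d not in net:
            continue
        key = (net.prefixlen, r["source"] == "User")  # longer prefix, then UDR
        if best_key is None or key > best_key:
            best_key, best = key, r
    return best


def next_hop(dest_ip, user_routes=USER_ROUTES):
    """(next hop type, next hop address) for dest_ip."""
    r = effective_route(dest_ip, user_routes)
    return r["next_hop_type"], r["next_hop"]
```

Adding a second UDR for 10.0.0.0/16 with the same Virtual appliance hop is
what forces east-west traffic between subnets through the firewall as well;
without it the /16 system route wins over the /0 UDR on prefix length.
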
Azure Backup:
Azure Backup is one component of the Recovery Services vault. The vault
has two sub-components, Azure Backup and Azure Site Recovery. Azure Backup
protects on-premises and Azure workloads. On-premises you can back up
Hyper-V and VMware VMs, the system state of a domain controller, and, when
you do not want to back up the whole server, specific files and folders.

In Azure, Azure Backup can protect Azure VMs, SQL Server databases running
in Azure VMs, file shares in a storage account, and SAP HANA running in
Azure VMs.

To back up on-premises Hyper-V or VMware workloads you install Microsoft
Azure Backup Server (MABS); for system state and files and folders you
install the Microsoft Azure Recovery Services (MARS) agent.

For Azure workloads you install nothing yourself: it is a native service,
and the extensions needed to configure backup are installed inside the
Azure workload for you.

Azure VM Backup: I have a VM in Azure, call it the web VM, located in East
US. We configure backup for it so that if someone deletes the VM, or it
is hit by some other attack, we can restore the data from the backup;
likewise if an application upgrade or OS patching leaves the VM
unreachable or with a corrupted OS, we can restore from the backup.
What happens when you configure backup, and what restore options are
there?
To configure backup for a VM you need a Recovery Services vault (RSV),
one of whose components is Azure Backup. Every VM created from the Azure
Marketplace has the Windows Azure Guest Agent installed automatically.
The guest agent is the heart of the VM: any Azure native service that
wants to interact with the VM goes through it, so it must be up to date
and running all the time. If the agent stops responding, the components
that depend on it, such as Azure Backup, Azure Site Recovery or monitoring
through a Log Analytics workspace, may stop working. The agent sends a
heartbeat and carries out the operations those native services need.

Configuring backup has a few stages. First you define a policy, the Azure
VM backup policy, which specifies when to back up: Azure Backup schedules
backups, so in the policy you set how frequently and at what time the
backup is triggered. A standard VM backup policy allows one scheduled
backup per day. The policy also says how long to retain the data, in two
tiers: short-term retention, the instant restore recovery points, which
are snapshots kept locally next to the VM for 1 to 5 days, and long-term
retention in the vault, which can go up to 99 years, with separate daily,
weekly, monthly and yearly retention settings.
Once the policy is set, the next stage is discovery of the VM. The VM
appears in the configuration console only if it is not already backed up
to another RSV and it is in the same region as the RSV; if both hold,
discovery succeeds and you can select the VM.
The third stage is enabling backup. The Backup Management Service (BMS)
talks to the Windows Azure Guest Agent and hands it the details of the
VMSnapshot extension, whose binaries sit in a Microsoft-managed storage
account. The guest agent, via the host the VM runs on, fetches the
extension from that storage account and installs it inside the VM. These
are the steps that run when you configure backup.
A VM may have several disks, the OS disk and one or more data disks. The
VMSnapshot extension snapshots all of them, and once the snapshot
completes the instant recovery point is created. After that the data is
transferred to the vault.

Note: remember two things. When you trigger a backup it goes through two
stages: first taking the snapshot, then transferring the data to the vault.
While taking the snapshot, the VM snapshot extension may be interacting
with various OS components.

Three types of snapshots: application-consistent, crash-consistent, and file-system-consistent.

Create Backup: open the portal and go to the RSV. In the overview we see
Backup and Site Recovery. The RSV is used for business continuity: backup,
and disaster recovery using Site Recovery.
If I want to configure backup for my VM I choose Backup and then choose
on-premises or Azure. If I select Azure I see Azure VM, Azure file share,
SQL Server in Azure VM and SAP HANA in Azure VM.
If I choose on-premises I see files and folders, Hyper-V VM, VMware VM,
Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange, system
state and bare metal recovery. Select Azure, select VM. The next step is
configuring the backup, which has two sub-steps: one is the backup policy
and the other is discovering your VM. You can see that a default policy
gets created. The first backup is a full backup; subsequent ad-hoc or
scheduled backups are incremental.
Create a new policy: give the policy a name and set the schedule: frequency
(daily or weekly), time and time zone.
Instant restore: 1 to 5 days. Daily backup retention is 30 days by default,
and you can specify whatever number of days you want. You can also specify
retention for weekly (Mon to Sun), monthly and yearly backup points: pick
the specific day of the week, and whatever backup happens on that day, you
specify how long it has to be retained. The same applies to the monthly
backup (the first Sunday of every month, or the second week, or whichever
day you want), retained for a certain number of months, and likewise for
yearly.
Once the backup policy is created you add your VM: click Add, it discovers
the VMs, select your VM. Microsoft also gives an option to back up the OS
disk only, in case you don't want to back up the entire VM but only the OS
disk.
The third step is Enable Backup. The backup job gets initialized, and once
it is executed you can see it under the Backup Jobs section. Go to Backup
Items and click Backup Now; you can see the retention, which by default is
30 days.
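The retention rules described in the policy section above (one scheduled backup per day, instant restore of 1 to 5 days, daily retention, and weekly/monthly/yearly points kept for up to 99 years) are easier to reason about as code. The following is an added example written for these notes, not Azure's own implementation: it models a VM backup policy as a data class, validates the limits the notes mention, and decides which retention tier still keeps a given recovery point on a given day. The field names, the default values and the sample dates are assumptions chosen for illustration.

```python
"""Model the retention rules of an Azure VM backup policy (added example, not Azure code)."""
from dataclasses import dataclass
from datetime import date

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


@dataclass(frozen=True)
class VmBackupPolicy:
    """Mirrors the fields of the portal's policy blade; defaults are illustrative assumptions."""
    schedule_time: str = "02:00"        # one scheduled backup per day per policy
    instant_restore_days: int = 2       # snapshot tier kept locally, 1 to 5 days
    daily_retention_days: int = 30      # portal default is 30 days
    weekly_day: str = "Sunday"          # weekday whose backup becomes the weekly point
    weekly_retention_weeks: int = 12
    monthly_week: int = 1               # 1 = first <weekly_day> of the month
    monthly_retention_months: int = 12
    yearly_month: int = 1               # month whose monthly point becomes the yearly point
    yearly_retention_years: int = 10    # long-term retention goes up to 99 years

    def __post_init__(self) -> None:
        if not 1 <= self.instant_restore_days <= 5:
            raise ValueError("instant restore retention must be between 1 and 5 days")
        if not 1 <= self.yearly_retention_years <= 99:
            raise ValueError("long-term retention is capped at 99 years")
        if self.weekly_day not in WEEKDAYS:
            raise ValueError(f"unknown weekday {self.weekly_day!r}")


def _is_nth_weekday(d: date, weekday: str, n: int) -> bool:
    """True when d is the n-th <weekday> of its month (n=1 covers days 1 to 7)."""
    return WEEKDAYS[d.weekday()] == weekday and (d.day - 1) // 7 == n - 1


def _months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retention_tiers(policy: VmBackupPolicy, backup_day: str, today: str) -> list[str]:
    """Tiers under which the recovery point taken on backup_day is still kept on today.

    Dates are ISO strings (YYYY-MM-DD). An empty list means the point has expired
    from every tier and the vault would delete it.
    """
    taken, now = date.fromisoformat(backup_day), date.fromisoformat(today)
    age_days = (now - taken).days
    if age_days < 0:
        raise ValueError("recovery point cannot be in the future")
    tiers = []
    if age_days < policy.instant_restore_days:
        tiers.append("instant")
    if age_days < policy.daily_retention_days:
        tiers.append("daily")
    weekly_point = WEEKDAYS[taken.weekday()] == policy.weekly_day
    if weekly_point and age_days < policy.weekly_retention_weeks * 7:
        tiers.append("weekly")
    monthly_point = _is_nth_weekday(taken, policy.weekly_day, policy.monthly_week)
    if monthly_point and _months_between(taken, now) < policy.monthly_retention_months:
        tiers.append("monthly")
    yearly_point = monthly_point and taken.month == policy.yearly_month
    if yearly_point and now.year - taken.year < policy.yearly_retention_years:
        tiers.append("yearly")
    return tiers


def prune(policy: VmBackupPolicy, recovery_points: list[str], today: str) -> dict[str, list[str]]:
    """Split a list of recovery-point dates into those the vault keeps and those it expires."""
    kept, expired = [], []
    for day in recovery_points:
        (kept if retention_tiers(policy, day, today) else expired).append(day)
    return {"kept": kept, "expired": expired}


if __name__ == "__main__":
    policy = VmBackupPolicy()
    # Constructed sample: 2024-01-07 is the first Sunday of January 2024.
    for day in ["2024-03-14", "2024-03-10", "2024-03-03", "2024-01-07", "2023-12-20"]:
        print(day, retention_tiers(policy, day, "2024-03-15"))
```

The point of the model is the interaction between tiers: a daily point that happens to fall on the first Sunday of January survives long after its 30 daily days through the weekly, monthly and yearly tiers, while a midweek point from the same period is gone. When you size a vault, count recovery points this way rather than assuming one per day.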

Disaster Recovery for Azure VMs:

I have a VM running in East US; this is the source location. I have an RSV
created in Central India. I want to enable replication to West US, the
target location, where my VM will be replicated and to which it will fail
over when I initiate a failover from the Azure end; the failover is
initiated when the primary region is down. There is an OS disk associated
with the VM in the source, so a corresponding replica disk is created in
the target (the OS disk-ASR). How does the replication happen? We have
something called the Mobility Service agent, which gets installed inside
your VM when you enable replication; this component performs disk-level
replication.

The source VM is running in the East US location. Go to RSV and select the
RSV we created, i.e. the one in the Central India location. We have two
options: 1 is Backup and 2 is Enable Site Recovery; Site Recovery is the
disaster recovery solution. ASR supports DR for different workloads: one is
for VMs running on Azure, the others are for VMs running on VMware and VMs
running on Hyper-V. I am going to configure Azure VM replication: click on
Enable Replication, then specify the source location, the VM deployment
model (Resource Manager), select the subscription, select the RG, disaster
recovery between availability zones

Azure Monitoring:
You have multiple VMs in Azure; how do you centralize and monitor them?
Most organizations use different tools like Zabbix, Splunk or Nagios to
monitor their infrastructure.
When it comes to Azure, Azure provides a native service called Log
Analytics workspace. Using a Log Analytics workspace you can store the
metrics: CPU utilization, memory utilization, and disk- or network-related
metrics.
How do you store the metrics in it for each VM?
You connect these two VMs to the LAW. The workspace installs an agent in
your VM called MMA (Microsoft Monitoring Agent). This agent's
responsibility is to collect the required metrics, and it is in your
control what kind of metrics you want to monitor. To tell whether the agent
itself is healthy, the agent sitting in the VM sends a heartbeat to your
LAW every minute.

Azure Performance Monitoring:

Insights: in the Monitoring section, Insights shows the basic metrics:
average CPU utilization, network and disk bytes. You can select the time
range (last 1 hr, 6 hrs, 1 day, 7 days, 30 days). If you want more detail
on every metric of the VM there are more options, such as data disk IOPS
and how much was consumed; you can specify the last 24 hrs, in local time
or UTC. Whenever you see performance issues you can come to this blade and
start filtering.
Diagnostic settings: if you want performance metrics such as disk IO queue
length, select the performance counters and enable them.
Resource health: shows the VM status; you can see health events, for
example a customer-initiated event, which means the server was shut down.
Boot diagnostics: tells you the current state of the VM, whether it is
stuck at the boot stage or updating the computer; whenever you are not able
to RDP you can come and check here.
Reset password: if you forget the password you can reset it.
Redeploy and reapply: redeploy if your VM is not accessible. If the VM is
having a problem, it could be because the underlying node is not providing
enough resources; when you redeploy, the VM moves to another node in the
data center.
Reapply sets the VM provisioning status back to healthy.

Serial console: if you are not able to log in to the VM or RDP to it, say
because one of the NICs is disabled and you want to re-enable the NIC
inside the OS, this gives you a command prompt window: you get inside the
VM through the command prompt and perform the needed operations. To do
that, use the Tab/Escape key sequence and provide the username and
password.

Azure Update Manager: it is used for patching your VMs. It's a PaaS
component, so you don't need to manage any infrastructure. We have the
Automation account service, which has a couple of features, one of them
being Update Manager. This means you don't integrate with the workspace
directly; you integrate with the Automation account for patching the Azure
VMs. Once the Automation account is created and the Update Manager feature
is enabled, it integrates with the workspace. Next you create a schedule:
when in the month do you want to patch your servers, and on which date.
Once you create a schedule you add VMs. There are two types of schedule:
one for Windows and one for Linux VMs.
