Page 1

Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL

Light IT up.

Page 2

Implementing Microsoft Azure Infrastructure Solutions: Exam Preparation 70-533

Page 3

Mark Grimes
• Residence: SE MI
• 18 years MCT, 10 years ft active
• 10 years consulting: ½ with Partner, ½ @Microsoft
• Lead Internal Identity Technical Communities
• Lead multiple internal Azure Cert programs
• Losing weight fast with Joe Cross’ plan!

Page 4

Azure Certification 70-533

Page 5

Roadmap – Azure Certification

http://bit.ly/Ignite-CertApp

Page 6

Let’s get this party started! Break it down section by section for Skills Mapping

Page 7

70-533 Exam Objectives

Implement Websites | 16%
Implement Virtual Machines | 18%
Implement Cloud Services | 16%
Implement Storage | 16%
Implement Azure AD | 16%
Implement Virtual Networks | 20%

http://aka.ms/certification/70-533

Page 8

Side-by-side Comparison | 70-533/4

70-533 | 70-534
Implement Websites, Implement Cloud Services | Design Websites
Implement Storage, Implement Cloud Services | Design an Application Storage and Data Access Strategy
Implement Virtual Networks, Implement an Azure AD, Implement Virtual Machines | Design Azure Infrastructure and Networking
Implement Cloud Services | Design an Advanced Application

Page 9

Microsoft Azure components

• Compute: Virtual Machines, Web Sites, Mobile Services, Cloud Services (Web Roles, Worker Roles)
• Data Services: Storage, SQL Database, HDInsight, Cache, Redis
• Backup, Recovery Manager
• App Services: Media Services, Service Bus, Notification Hubs, Scheduler, Automation, BizTalk Services, BizTalk Hybrid Connections, Visual Studio Online, Active Directory, Multi Factor Authentication, API Management, Azure RemoteApp
• Network: ExpressRoute, Virtual Network, Traffic Manager, CDN
• SDKs: .NET, Java, PHP, Python, Node.js, Ruby

Page 10

Implement Websites

• Deploy Websites
• Configure Websites
• Configure Diagnostics, Monitoring, Analytics
• Configure Scale & Resilience
• Manage Hosting Plans

Azure Websites

See Websites, Cloud Service and Virtual Machines Comparison

Page 11

Deploy websites

Deployment Slots
• Live sites with their own hostnames: alphanumeric only, plus hyphens
• Requires Standard mode plan (1, 2 or 4 cores | up to 10 instances)
• Can swap for Prod; swap the slots back to roll back

Webjobs
• Scripts or programs: .bat, .ps1, .sh, PHP, .py, Node.js
• 2 options: with or without a web project
• RUN: 1. Continuous (App_Data/jobs/continuous) Preview; 2. Scheduled (Create Schedule); 3. On-Demand (App_Data/jobs/triggered)
• Deploy via console or VS (needs Azure SDK 2.4)

Page 12

Configure websites

Settings
• Web App loads name/value pairs into .NET configuration at runtime; PHP, Python, Java and Node.js applications access them as environment variables
• Connection Strings for SQL db, SQL Server, MySQL, Custom
• Handler Mappings: add custom scripts for custom extensions
• Virtual Application: specify each directory with the root site; check the Application checkbox to mark it as an app in site config

How to configure Websites – step-by-step

Page 13

Connection Strings for linked resources

.NET sites: use connection strings at runtime. HIDDEN by default!

Other languages: use environment variables at runtime.

EXAMPLES
• SQL Server: SQLCONNSTR_
• MySQL: MYSQLCONNSTR_
• SQL Database: SQLAZURECONNSTR_
• Custom: CUSTOMCONNSTR_

IF a MySQL connection string was named mystring1 THEN access it through the env variable MYSQLCONNSTR_mystring1

See MySQL Example
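The lookup this slide describes, written out as an added Python example (not code from the session): it resolves a connection string by name from the prefixed environment variables and produces a redacted form for logs, since these values carry credentials. The prefix list comes from the slide; the list of secret key names, the sample values and the redaction helper are constructed for this example.

```python
import os
from typing import Mapping, Optional

# Prefixes Azure Websites prepends to a connection-string name when it exposes the
# value to non-.NET runtimes as an environment variable (taken from the slide).
CONNSTR_PREFIXES = {
    "SQLServer": "SQLCONNSTR_",
    "MySQL": "MYSQLCONNSTR_",
    "SQLAzure": "SQLAZURECONNSTR_",
    "Custom": "CUSTOMCONNSTR_",
}

# Keys whose values must never reach application logs (constructed list for this example).
SECRET_KEYS = {"password", "pwd", "accountkey", "sharedaccesskey"}


def resolve_connection_string(name: str, env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the connection string registered under `name`, whichever type it was
    configured as in the portal, or None if none was set. Returning None instead of a
    built-in default keeps a missing setting from silently falling back to a
    hard-coded credential."""
    for prefix in CONNSTR_PREFIXES.values():
        value = env.get(prefix + name)
        if value:
            return value
    return None


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key2=Value2' into a dict. Only the first '=' of each segment
    is a separator, so base64 values ending in '=' (storage account keys) stay intact."""
    parts = {}
    for segment in conn.split(";"):
        if "=" not in segment:
            continue
        key, value = segment.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def redact_connection_string(conn: str) -> str:
    """Rebuild the string with secret values masked, suitable for a log line."""
    parts = parse_connection_string(conn)
    return ";".join(
        f"{key}={'***' if key.lower() in SECRET_KEYS else value}"
        for key, value in parts.items()
    )


if __name__ == "__main__":
    # Constructed environment standing in for what the Web App would inject.
    sample_env = {"MYSQLCONNSTR_mystring1": "Server=db.example.test;Database=app;Uid=appuser;Pwd=s3cret"}
    conn = resolve_connection_string("mystring1", sample_env)
    print(redact_connection_string(conn))
```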

Page 14

Configure websites

Configure Custom Domain Name, SSL & more!

CNAME (Alias) versus A record | Read more | Video Walkthrough: Create Custom Domain Name and Securing Communication
awverify CNAME to prove you own it
Get-AzureDeployment -ServiceName yourservicename | Select Url
Need CNAME for WWW also

Use for A record

Use for CNAME

Page 16

Manage Websites | PowerShell

Get-AzureWebsite
  Get-AzureWebsite siteslotstest
New-AzureWebsite
  New-AzureWebsite siteslotstest -Slot staging -Location "West US"
Publish-AzureWebsiteProject
  Publish-AzureWebsiteProject -Name siteslotstest -Slot staging -Package [path].zip
Show-AzureWebsite
  Show-AzureWebsite -Name siteslotstest -Slot staging
Switch-AzureWebsiteSlot
  Switch-AzureWebsiteSlot -Name siteslotstest
Remove-AzureWebsite (to delete)
  Remove-AzureWebsite -Name siteslotstest -Slot staging

Page 17

Manage Websites | Xplat-CLI

To list the commands available for Azure Websites in the xplat-cli, call azure site -h

azure site list siteslotstest
azure site create siteslotstest --slot staging
azure site create --git siteslotstest --slot staging
azure site swap siteslotstest
azure site delete siteslotstest --slot staging

See more

Page 18

Configure Diagnostics, Monitoring, Analytics

1. Application Diagnostics | “Configure”: File System, Table Storage and Blob Storage
2. Site Diagnostics | “Configure”: Web Server Logging (W3C), Error Messages (HTTP Status), Failed Request Tracing, Remote Debugging

Diagnostic Logs: File, Table, Blob
Download with: FTP, PS, Azure CLI

Monitor in the Portal: View Data, Adding Metrics, Configure Alerts

Also, KUDU! Git support for websites: https://mysite.scm.azurewebsites.net

See How to Monitor Websites

Page 19

Configure Diagnostics, Monitoring, Analytics

How to Monitor Websites

Up to 2 endpoints, 3 geographic locations. Uses HTTP GET on the web URL; each location runs the test every 5 minutes.

Page 20

Logging Websites

PowerShell
Save-AzureWebSiteLog -Name websitename
# View live stream
Get-AzureWebSiteLog -Name websitename -Tail

Azure command line
azure site log download websitename
azure site log tail websitename

Page 21

Configure Diagnostics, Monitoring, Analytics | Configure Scale

If you select Shared or Basic, you only get:
• Hosting Plans
• Instance Size
• Instance Count

NOTE: if Shared, NO instance size!

How to Scale Websites

Page 22

Configure Diagnostics, Monitoring, Analytics | Configure Scale

Select Standard:
• Hosting Plans
• Instance Size
• Instance Count
• Schedule times: Day and Night, or Weekend/Weekday, in half-hour increments

Then can scale by metric:
• Instance Count
• Target CPU

Page 23

Manage Hosting Plans

Create Hosting Plans
• Free, Shared | 32-bit apps only! | Shared infrastructure
• Basic, Standard | Dedicated infrastructure
• Basic: Small (1 core), Medium (2), Large (4)

See What is a Web Hosting Plan and Web hosting plans In-Depth

Migrate Between Plans
ACTIONS: 1. Change Plan 2. Configure Settings. Does NOT require a code change or redeploy!

Create Website within Plan: just do it!

Page 24

Implement Websites – know these 5 things now

Run Web Jobs 3 ways: 1. Continuous 2. Schedule 3. On-Demand

Connection Strings | how are they made available? .NET vs. others?
.NET: uses the connectionStrings object; OTHERS: as environment variables

Website Diagnostics | # endpoints & # geo locations
Up to 2 endpoints, 3 geographic locations

Configure Scale | what additional options with STD?
Schedule: Day/Night, Weekday/Weekend, half-hour increments | By Metric: Instance Count, Target CPU

Hosting Plans | name the 4
Free | Shared | Basic | Standard

Page 25

Implement Virtual Machines

• Deploy Workloads
• Implement Images and Disks
• Configuration Management
• Configure Networking
• Configure Resiliency
• Design & Implement Storage
• Monitor VMs

See Websites, Cloud Service and Virtual Machines Comparison

Page 26

Virtual Machine Sizes

Each persistent data disk can be up to 1 TB, with up to 16 disks per VM

General Purpose VMs
Compute Instance Name | Virtual Cores | RAM
Extra Small (A0) | Shared | 768 MB
Small (A1) | 1 | 1.75 GB
Medium (A2) | 2 | 3.5 GB
Large (A3) | 4 | 7 GB
Extra Large (A4) | 8 | 14 GB

Memory Intensive VMs
Compute Instance Name | Virtual Cores | RAM
A5 | 2 | 14 GB
A6 | 4 | 28 GB
A7 | 8 | 56 GB

Compute Intensive VMs
Compute Instance Name | Virtual Cores | RAM | Networking
A8 | 8 | 56 GB | 40 Gbit/s InfiniBand
A9 | 16 | 112 GB | 40 Gbit/s InfiniBand

http://azure.microsoft.com/en-us/pricing/details/virtual-machines/

Page 27

Deploy Workloads on Azure VMs

Microsoft Supported Workloads
Server Roles: AD, AD FS, DNS, Print, Application, File, RAS, RDP, Web, WSUS | SQL, SP, SC, Dynamics
NOT GOOD: Low volume, limited growth, regulated environments. Read more

Deploy and Connect to a Linux VM
Supported:
• Ubuntu 12.04.1+, 13.10 & 14.04
• CentOS by OpenLogic 6.3+
• Oracle Linux 6.4+
• SUSE Linux Enterprise Server SLES SP3
• OpenSUSE 13.1+

Create VMs: Portal | PowerShell
Create a VM running Windows. Create a VM running Linux.

Page 28

PS: Create Virtual Machine

Set-AzureSubscription -CurrentStorageAccountName yourstorageaccountname -SubscriptionName "your subscription name"

# $webvm1 is built the same way as $webvm2; the slide shows only its provisioning step,
# so the VM name "Webvm1" is assumed here
$webvm1 = New-AzureVMConfig -Name "Webvm1" -InstanceSize Small -ImageName $vmimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPassword

$webvm2 = New-AzureVMConfig -Name "Webvm2" -InstanceSize Small -ImageName $vmimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPassword

New-AzureVM -ServiceName $svcname -VMs $webvm1, $webvm2 -Location $location

BEFORE the commands above, you would do:
1. Add-AzureAccount: enter your creds
2. Get-AzureSubscription: record the subscription
3. Get-AzureStorageAccount: record the storage account

Page 29

Implement Images and Disks

OS Images: Microsoft | Partner | User
• Base OS image for new Virtual Machines
• Sys-prepped / generalized / read only
• Created by uploading or by capture

Disks (2 min): OS Disks | Temp disks | Data Disks
• Writable disks for Virtual Machines
• Created during VM creation or during upload of existing VHDs

See About Disks and Images
See “How to Attach a Disk”

Page 30

Perform Configuration Management

Automate Management
• PS: find, create, delete; to automate VM processes
• DSC with Azure Extension: to automate VM config
• Custom Script Extensions; helper extensions e.g. BGInfo, VMAccess, VMM

Enable Puppet/Chef Extensions
Chef
• Resources managed by “Recipes” = reusable definitions for tasks
• Knife Azure plug-in
Puppet
• Build, Deploy, Manage = Lifecycle
• “Puppet Master” pre-configured on Ubuntu server
• “Puppet Enterprise” Agent: install as agent

See “About Azure VM Configuration settings” & “Manage Images Using PowerShell”

Page 31

Configure VM Networking

Reserved IP Addresses
10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
Each can have multiple subnets. Smallest supported subnet is /29.
Size for 2^n - 2 hosts. Don’t use the same ranges as on-premises.

Access Control Lists
• Permit / Deny packet filtering
• For endpoints only; can’t be applied to a Virtual Network or a subnet within it
• Ordered first to last, so order least -> most restrictive!
• For VMs in a VNet use NSGs instead! Read more!
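The ordering rule on this slide is the one most often got wrong in practice, so here is an added Python example (not from the session) that evaluates an endpoint ACL first-match-wins and flags rules that an earlier, broader rule makes unreachable. The no-match default it encodes (a list containing any permit rule denies everything else; a deny-only list permits everything else) is taken from the documented classic endpoint ACL behaviour and is marked as an assumption in the code; rule names and sample ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" or "deny"
    remote_subnet: str   # source address range in CIDR notation
    description: str = ""

    def network(self) -> Network:
        return ipaddress.ip_network(self.remote_subnet, strict=False)


def evaluate_acl(rules: List[AclRule], source_ip: str) -> str:
    """Decide 'permit' or 'deny' for one source address. Rules are walked in
    order and the first one whose range contains the source decides, which is
    why a narrow permit must come before a broad deny. Assumed default when no
    rule matches: deny if the list holds any permit rule, otherwise permit."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if src in rule.network():
            return rule.action
    has_permit = any(rule.action == "permit" for rule in rules)
    return "deny" if has_permit else "permit"


def shadowed_rules(rules: List[AclRule]) -> List[AclRule]:
    """Return rules that can never fire because an earlier rule of the same
    address family already covers their entire range. A /32 permit listed after
    a /8 deny is the ordering mistake this check catches before deployment."""
    shadowed = []
    for index, later in enumerate(rules):
        later_net = later.network()
        for earlier in rules[:index]:
            earlier_net = earlier.network()
            if earlier_net.version == later_net.version and earlier_net.supernet_of(later_net):
                shadowed.append(later)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed example: the permit is listed after the deny that covers it.
    wrong_order = [
        AclRule("deny", "10.0.0.0/8", "block the whole private range"),
        AclRule("permit", "10.0.1.5/32", "jump host"),
    ]
    print("10.0.1.5 ->", evaluate_acl(wrong_order, "10.0.1.5"))
    print("shadowed:", [r.description for r in shadowed_rules(wrong_order)])
```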

Page 32

Configure VM Networking

Internal Name Resolution

ELEMENT | LOCATION | NAME RESOLUTION PROVISION
Between role instances or VMs | Same Cloud Service | Azure internal name resolution
Between VMs | Same VNet | Azure internal name resolution
Between role instances or VMs | Same VNet / different Cloud Services | Azure internal name resolution
Between role instances or VMs | Same Cloud Service but not in a VNet | NOT POSSIBLE: VMs & role instances can’t be deployed this way
Between role instances | Different Cloud Services but not in a VNet | NOT POSSIBLE: connectivity between role instances in different cloud services is not supported

Read more on DNS

1. If Azure <-> on-premises => use your own DNS server
2. If between on-premises and Azure public endpoints, then use Microsoft Azure external name resolution.

Page 33

Configure VM Networking

Load Balancing Endpoints
• 1 public port (used by ILB) & 1 private port (used by the VM internally) per endpoint
• Azure balancer distributes based on: source address, protocol, source/destination port
• Internal Load Balancing within a Cloud Service!
• Use for RDP, PSRemote, SSH

Health Probes
HTTP/TCP | Provide base availability data | Detail extensible with custom probes

Firewall Rules
Leveraging public/private/domain profiles | Automatically for RDP / SSH / PS Remoting

Page 34

Configure VM resiliency

Scale Up / Scale Down: slide the slider! See Azure Limits!

Auto-Scale
• Auto-scales based on schedule or load
• Can leave VMs initially running or stopped
• Configure on the Cloud Service containing them

Configure Availability Sets
• VMs in separate Fault Domains | 50 VMs max per set
• SLA 99.95 | HW & SW | Windows & Linux
• Combine with Load Balancer to increase resiliency
• Avoid single-instance machine = NO SLA

See How to configure an Availability Set for VM & VM Configuration Settings

Page 35

Fault Domains
• Groups of resources: same rack, server, power source, network switch
• Fabric spreads across a minimum of 2 fault domains
• Availability Set by default spreads VMs across two

Update Domains
• Groups of resources to be updated together
• Host OS updates honour service update domains
• Specified in service definition
• Default of 5 (up to 20)
• Only 1 rebooted at a time

Fabric Controller spreads role instances across Update Domains and Fault Domains

Fault and Update Domains
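To make the availability arithmetic on the last two slides concrete, an added Python model (not from the session): it spreads instances round-robin across fault and update domains, the way the Fabric Controller is described as doing, and computes how many instances keep serving during a single rack failure or a single update-domain reboot. The counts (2 fault domains, 5 update domains by default) are taken from the slide; the round-robin assignment and the function names are constructed for this example.

```python
from typing import List, Tuple

FAULT_DOMAINS = 2    # availability set default from the slide
UPDATE_DOMAINS = 5   # default from the slide (can be raised to 20)

Placement = List[Tuple[int, int]]   # (fault_domain, update_domain) per instance


def place_instances(count: int, fault_domains: int = FAULT_DOMAINS,
                    update_domains: int = UPDATE_DOMAINS) -> Placement:
    """Assign each instance a (fault_domain, update_domain) pair round-robin.
    Assumed placement: the real fabric spreads instances comparably, but an
    application should not depend on the exact assignment."""
    return [(i % fault_domains, i % update_domains) for i in range(count)]


def available_during_fault(placement: Placement, failed_fd: int) -> int:
    """Instances still serving while one fault domain (rack, switch, power) is down."""
    return sum(1 for fd, _ in placement if fd != failed_fd)


def available_during_update(placement: Placement, rebooting_ud: int) -> int:
    """Instances still serving while one update domain is rebooted for host OS updates."""
    return sum(1 for _, ud in placement if ud != rebooting_ud)


def worst_case_available(placement: Placement) -> int:
    """Minimum instances serving under any single fault-domain failure or single
    update-domain reboot. Zero is the single-instance deployment the slide warns
    about: one rack failure or one host update takes the whole service offline."""
    if not placement:
        return 0
    fault_domains = {fd for fd, _ in placement}
    update_domains = {ud for _, ud in placement}
    return min(
        [available_during_fault(placement, fd) for fd in fault_domains]
        + [available_during_update(placement, ud) for ud in update_domains]
    )


if __name__ == "__main__":
    for n in (1, 2, 10):
        print(f"{n} instances -> worst case still serving: {worst_case_available(place_instances(n))}")
```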

Page 36

Key Concepts

Hierarchy: Subscription > Cloud Service (200) > Virtual Machine (50x200) | Virtual Network (100) | Storage Account (100) > Storage Container > Storage Blob (40x100)

Object | Limit | Locking
Subscription | 120 Create/Add operations in a 5 minute window | N/A
Cloud Service | 200 per subscription | ~3 minutes per update
Virtual Machine | 50 per cloud service, 2048 per Virtual Network | None
Virtual Network | 100 per subscription | Single modification API
Storage Account | 100 per subscription | None
Storage Container | No limit | None
Storage Blob | 40 per storage account | One blob per container per storage account at a time

Limits and Locking

Read more

Page 37

Design and implement VM storage

Configure Disk Caching
• OS and data disks have a host caching setting, aka host-cache mode
• Host caching is OFF by default (for RW) for data disks; ON by default (for RW) for operating system disks
• Modify using Set-AzureOSDisk or Set-AzureDataDisk

Configure OS Disk Redundancy
• 3 copies by default
• If geo-redundancy is enabled, then also at another site > 400 miles away

Page 38

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Virtual Machine Storage Architecture

Azure Virtual Machine
• C:\ OS Disk | SATA | 127 GB max
• E:\, F:\, etc. Data Disks | SCSI | 1 TB max
• Temporary Disk: Windows D:\, Linux /dev/sdb
• Disk Cache
• Azure Blob

See How to change the Temp Drive Letter

Page 39

Configure shared storage using Azure File service

1. Create a context for your storage account and key
$ctx = New-AzureStorageContext account-name account-key

2. Create a new file share
$s = New-AzureStorageShare sampleshare -Context $ctx

3. Create a directory in the file share
New-AzureStorageDirectory -Share $s -Path sampledir

4. Upload a local file to the directory
Set-AzureStorageFileContent -Share $s -Source C:\temp\samplefile.txt -Path sampledir

5. Persist the storage account credentials for the VM & mount the share with them!

See Detailed Steps and PS examples

Page 40

Design and implement VM storage

Configure Geo-Replication
• LRS: three local copies
• ZRS: zone copies within a single facility & region
• GRS is recommended over ZRS or LRS for maximum durability. Enabled for a Storage Account by default = 6 copies of data, three times each in two data centers
• RA-GRS (Read-Access geo-redundant): allows read access at the secondary when the primary region becomes unavailable
NOTE:
• Once selected, can’t change!
• Striping may cause data loss – win/linux

Page 41

Monitor VMs

Configure Endpoint Monitoring: can aggregate metrics every hour or minute

Configure Alerts: select Metric, Condition, Threshold, Alert Evaluation; can specify email sends

Configure Diagnostics: see monitor, diagnose and troubleshoot Microsoft Azure Storage

Page 42

Implement Virtual Machines – know these 5 things now

3 Ways to Automate Management
PowerShell | Desired State Configuration | Extensions e.g. Custom, Puppet, Chef, Octopus

Load Balancing Endpoints
1 Public, 1 Private IP | within Cloud Service | Use for RDP, PS Remote, SSH

Access Control Lists
Security enhancement | Permit/Deny | Per endpoint only | By PowerShell or Mgt Portal

Fault Domain | Update Domain
Protects against rack failure | OS updates

Geo-Replication Options
LRS (Single Region) | ZRS (Across 2-3 facilities within or across 2 regions) | GRS (3x in 2 regions)

Page 44

Configure cloud services and roles

Instance Count and Size
• Size determines cores & memory
• OS version and family: Windows or Linux

2 types of roles:
• Web role: dedicated IIS for hosting front-end web applications.
• Worker role: applications can run asynchronous, long-running or perpetual tasks independent of user interaction or input.

Page 45

Configure cloud services and roles

Configure Local Storage
Dedicated & Co-Located Caching | Local & Cloud Configs | Local Disks

Page 46

Configure cloud services and roles

Configure Multiple Websites | Configure Custom Domains

Page 47

Deploy and manage cloud services

3 things before you begin:
1. Install the Azure SDK, then download the SDK for the language you develop your code in.
2. If any role instances require a certificate, create the certificates. Cloud services require a .pfx file with a private key. Upload it to Azure as you create and deploy the cloud service.
3. Plan to deploy to an Affinity Group? Use it to deploy your cloud service and other Azure services to the same location in a region. You can create the affinity group in the Networks area of the Management Portal, on the Affinity Groups page.

Page 48

Deploy and manage cloud services

3 components are required in order to deploy an application as a cloud service in Azure:
1. Service definition file: the cloud service definition file (.csdef) defines the service model, including the number of roles.
2. Service configuration file: the cloud service configuration file (.cscfg) provides configuration settings for the cloud service and individual roles, including the number of role instances.
3. Service package: the service package (.cspkg) contains the application code and the service definition file.

Read more

Page 49

Deploy and manage cloud services

Upgrade Deployment, i.e. new code! 1 or all roles; needs a new service package and service config

VIP Swap: Staging -> Production

Update deployment

Page 50

Deploy and manage cloud services

In-Place Updates: go look!

Runtime configuration changes: portal

Scale a Cloud Service
• Must add VMs to an Availability Set to scale an application
• Can only scale within the limit of cores for the subscription
• All VMs in the Availability Set must be the same size
• For application HA, ensure it is deployed with two or more role instances or Virtual Machines.

Page 51

Deploy and manage cloud services

Create Service Bus Namespaces & choose tier
• See How to Use Service Bus Queues – for “Create a Service Namespace” steps!
• Max # of service namespaces per subscription = 100
• Connectivity options for WCF, REST endpoints
• Endpoints can be behind NAT or

Apply Scalability Targets

Page 52

Monitor cloud services

Create Storage Account

Enable Azure Diagnostics
• Azure extensions collect diagnostic telemetry data from a Worker role, Web Role, or VM in Azure
• Need connection strings to Storage Accounts
• Then can do verbose; stored for 10 days

Configure Diagnostic Connection Strings
Default format looks like DefaultEndpointsProtocol=https;AccountName=StorageAccountName;AccountKey=StorageAccountKey

Monitor Cloud Services

Page 53

Implement Cloud Services – know these 5 things now

What is a Web Role?
Dedicated IIS for hosting front-end web apps

3 components to deploy an application in an Azure Cloud Service?
Service Definition file (.csdef) | Service Config File (.cscfg) | Service Package (.cspkg)

What is a Worker Role?
Apps run asynchronous, long-running or perpetual tasks independent of user interaction or input.

Diagnostics can collect from…
Worker Role | Web Role | VMs in Azure | All from TELEMETRY data

What are the 2 types of Service Bus Messaging capabilities?
Relayed | Brokered

Page 54

Implement Storage

• Implement Blobs and Azure Files
• Manage Access
• Configure Diagnostics, Monitoring & Analytics
• Implement SQL Databases
• Implement Recovery Services

See Websites, Cloud Service and Virtual Machines Comparison

Page 55

Implement Blobs
• Highly scalable, REST interface based object store in the cloud
• Data sharing: share documents, pictures, video, music, etc.
• Big Data: store raw data/logs and compute/map reduce over data
• Backups: data and device backups

Block blobs: read/write/update blocks of data, great for sequential IO like files. Up to 200 GB each. Most cost effective storage.
Page blobs: read and write in 512 byte pages, sparse files and random access, e.g. for disks. Up to 1 TB each.

AzCopy CLI: high-performance uploading, downloading, and copying data to and from Microsoft Azure Blob, File, and Table storage

Page 56

Set Metadata on Container

Go to: 1. Storage 2. Select one 3. Containers tab 4. Edit at bottom

Page 57

Azure Files

Shared network file storage for Azure
• Availability, durability, scalability are managed automatically
• Supports two interfaces: SMB and REST

[Diagram: IaaS VMs and a PaaS VM connected to an Azure File Share (PaaS)]

Page 58

Azure Files - SMB 2.1 Protocol

Enables moving on-premises applications that rely on shared file storage to Azure
• Azure VMs can “net use” to a share

Natively supported by OS APIs, libraries, and tools
• Windows (CreateFile, ReadFile, WriteFile, …)
• CRTs (fopen, fread, fwrite, …)
• .NET (FileStream.Read, FileStream.Write, …)
• Many more

Supports standard file system semantics
• Move and rename files and directories
• Read-only, write through, overlapped
• Change notifications

Page 59

Azure Files - File REST APIs

Allows internet access to the same shared file system
Build hybrid applications (on premises + cloud)
Supports a variety of common APIs:
• Create/Delete Files and Directories
• Write/Read Files
• Get File and Directory properties
• List Files

Page 60

Manage Access

SAS – Shared Access Signatures
• 2 types: Ad Hoc SAS & SAS with Stored Access Policy
• Delegated access to Storage Account resources > Blobs, Queues, Tables
• URI format with permissions and specified time | signedidentifier specifies the Stored Access Policy
• Client then passes the SAS to a constructor or method

Stored Access Policies
• Groups SASs + provides additional restrictions | up to 64 char
• Greater control | Best practice to use with SAS
• 5 policies per container, queue or table. Each policy: unlimited SASs

Regenerate Keys
• WHY? Increase security
• Affects virtual machines, media services, and any applications dependent on the storage account. Must update all clients to use the new key.

Share Access Signatures, Pt 1 | Stored Access Policies
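To make the revocation story on this slide concrete, an added Python model (not Azure's implementation, and not its exact string-to-sign format): an account key signs SAS tokens with HMAC-SHA256; a token either carries its own permissions and expiry (ad hoc) or names a stored access policy through signedidentifier; deleting the policy revokes only the tokens tied to it, while regenerating the key revokes every token, which is why all clients then need the new key. The 64-character identifier limit and the 5-policies-per-container limit come from the slide; the class, method names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


class StorageAccountModel:
    """Toy model of an account key, its stored access policies and the SAS tokens
    signed under it. Constructed for illustration; field names mirror the SAS
    query parameters (sp, se, si, sig) but the signing string is simplified."""

    MAX_POLICIES_PER_CONTAINER = 5   # from the slide
    MAX_IDENTIFIER_LENGTH = 64       # from the slide

    def __init__(self, account_name: str, key: Optional[bytes] = None) -> None:
        self.account_name = account_name
        self.key = key or secrets.token_bytes(32)
        # container -> policy id -> (permissions, expiry)
        self.policies: Dict[str, Dict[str, Tuple[str, datetime]]] = {}

    def regenerate_key(self) -> None:
        """Rotating the key invalidates every SAS ever minted with the old one."""
        self.key = secrets.token_bytes(32)

    def set_policy(self, container: str, policy_id: str, permissions: str, expiry: datetime) -> None:
        if len(policy_id) > self.MAX_IDENTIFIER_LENGTH:
            raise ValueError("signedidentifier is limited to 64 characters")
        per_container = self.policies.setdefault(container, {})
        if policy_id not in per_container and len(per_container) >= self.MAX_POLICIES_PER_CONTAINER:
            raise ValueError("at most 5 stored access policies per container")
        per_container[policy_id] = (permissions, expiry)

    def remove_policy(self, container: str, policy_id: str) -> None:
        """Revokes every SAS issued against this policy without touching the key."""
        self.policies.get(container, {}).pop(policy_id, None)

    def _sign(self, container: str, token: Dict[str, str]) -> str:
        # Simplified string-to-sign: permissions, expiry, canonical resource, policy id.
        string_to_sign = "\n".join([token["sp"], token["se"], f"/{self.account_name}/{container}", token["si"]])
        mac = hmac.new(self.key, string_to_sign.encode("utf-8"), hashlib.sha256)
        return base64.b64encode(mac.digest()).decode("ascii")

    def make_adhoc_sas(self, container: str, permissions: str, expiry: datetime) -> Dict[str, str]:
        """Ad hoc SAS: permissions and expiry travel inside the token."""
        token = {"sp": permissions, "se": expiry.isoformat(), "si": ""}
        token["sig"] = self._sign(container, token)
        return token

    def make_policy_sas(self, container: str, policy_id: str) -> Dict[str, str]:
        """Policy SAS: the token only names the policy; the server supplies the rest."""
        if policy_id not in self.policies.get(container, {}):
            raise KeyError(policy_id)
        token = {"sp": "", "se": "", "si": policy_id}
        token["sig"] = self._sign(container, token)
        return token

    def authorize(self, container: str, token: Dict[str, str], permission: str, now: datetime) -> bool:
        """Server-side check: signature under the current key, then the effective
        permissions and expiry, taken from the policy when one is named."""
        if not hmac.compare_digest(self._sign(container, token), token.get("sig", "")):
            return False
        if token["si"]:
            policy = self.policies.get(container, {}).get(token["si"])
            if policy is None:          # policy deleted -> token dead
                return False
            permissions, expiry = policy
        else:
            permissions, expiry = token["sp"], datetime.fromisoformat(token["se"])
        return permission in permissions and now < expiry


if __name__ == "__main__":
    now = datetime(2015, 5, 4, tzinfo=timezone.utc)   # constructed clock
    acct = StorageAccountModel("contoso")
    acct.set_policy("docs", "readers-2015", "rl", now + timedelta(days=30))
    policy_sas = acct.make_policy_sas("docs", "readers-2015")
    print("before policy removal:", acct.authorize("docs", policy_sas, "r", now))
    acct.remove_policy("docs", "readers-2015")
    print("after policy removal:", acct.authorize("docs", policy_sas, "r", now))
```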

Page 61

Configure diagnostics, monitoring and analytics

Configure Retention Policies
# Days (1-365) | zero = set no policy

Logging Levels
• Minimal: e.g. ingress/egress, availability, latency, & success %s, aggregated for the Blob, Table, and Queue services.
• Verbose: same as above + collects the same metrics per storage operation in the Azure Storage Service API. Enables closer analysis of issues occurring during application operations.
• Off: turns off monitoring. Existing monitoring data is persisted till the end of the retention period.

Analyze Logs
Logs are saved in the blob container $logs in the storage account. Use the Blob service API to access them.

See Monitor Storage Account

Page 62

Implement SQL databases

Database Tiers. Change Tiers and Service Levels: Must Read!

Service Tier | Common App Pattern | Perf Objectives | Max Size
Basic | Small databases with a single operation at a given point in time | Reliability per hour | 2 GB
Standard | Workgroup and cloud applications with multiple concurrent transactions | Reliability per minute | 250 GB
Premium | Mission-critical, high transactional volume with many concurrent users | Reliability per second | 500 GB

Page 63

Implement SQL databases

Import/Export Data
• Geo-Restore & Point in Time preferred
• Can use for archiving
• Can combine with Database Copy
• Temporarily increase perf level to decrease export times
• Export is in bulk | no guarantee on transactional consistency
• Export = BACPAC files | requires Storage Account | Use Export Data-tier Application Wizard
• Can schedule automated exports & also can import/export using the REST API

Import/Export Schema
A DAC package vs. BACPAC target different scenarios. A BACPAC contains both schema and data, but does not support being imported to a database project for schema modification. DAC packages contain only schema information; import one into an SSDT database project for further development work. The primary use for a DAC package is in deploying a database schema to development, testing, and then production environments. Read More

Page 64

Implement SQL databases

Azure SQL Database Copy
• Create a transactionally consistent copy
• Then export the copy and use it for archiving
• Store the export in an Azure Blob Storage Account
• Automated exports always create a copy of the DB, then export from the copy

Read More

Page 65

Implement SQL databases

Sharding Defined: partitions data across multiple databases. Each database in this model is referred to as a shard.

Design Scaling Strategy
3 methods to implement sharding: 1. Elastic Scale 2. Custom Sharding 3. Federations. Read More

Page 66

Implement recovery services

Create Backup Vault
• Backs up files/data from Windows Server to Azure
• Create a backup vault in a geographic region
• Vault credentials replace certificates

Backup & Restore Data
• “Protected Items” = have been backed up
• Recover 2012 or 2008 R2 SP1
• Alternate Server Recovery:
  Start-OBRecovery -RecoverableItem $FinalItem -RecoveryOption $secureString -Credential $cstrial

See Configure Azure Backup to back up Windows Server. Also Azure Backup Overview

Page 67

Implement recovery services

Deploy Backup Agent
REQUIRES: WIF and PSWABInstaller.exe
Can install on:
• Servers: 2012 R2, 2012, 2008 R2 SP1
• 64-bit Win 7, 8, 8.1
• Extension available for Server 2012 Essentials
If using DPM, requires Update Rollup 2 for SCDPM SP1
Recovery Services -> Quick Start -> to generate and download the vault credential
Select Agent Type: Azure Backup Agent for Windows Server and System Center Data Protection Manager | Windows Server Essentials

See Install Backup Agent and upload vault credential. Also Administer Azure Backup with Windows PowerShell

Page 68

Implement Storage – know these 5 things now

Implement Blobs
Block Blobs (Sequential IO) up to 200 GB each | Page Blobs (Random Access) up to 1 TB

Shared Access Signatures
Delegated access | Limit permissions to Blobs, Queues, Tables | URI format with perms & specified time

Logging Levels
For Blob, Table and Queue services | Off, Minimal, Verbose -> per storage operation

SQL Import/Export | 2 file types & scenarios
BACPAC contains both schema and data | DAC packages contain only schema

Deploy Backup Agent | can install on…
Servers 2012 R2, 2012, 2008 R2 SP1; 64-bit Win 7, 8, 8.1; extension available for Server 2012 Essentials

Page 69

Implement Azure Active Directory

• Integrate Azure AD with other directories
• Configure the Application Access Panel
• Integrate an app with Azure AD

Page 70

Integrate Azure AD with existing directories

Active Directory Identity Sync with password hash sync
User attributes are synchronized including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory.

Active Directory Synchronization + Federation (AD FS)
User attributes are synchronized. Authentication is passed back through federation and completed against Windows Server Active Directory.
AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.

*Write back of attributes to support cloud first and co-existence

Page 71

Integrate an Azure AD with existing directories: SSO with on-premises 2012 R2 AD FS and Web Application Proxy

Add Custom Domains
1. Create a CNAME in the registrar's DNS table
2. With Azure PowerShell run: Get-AzureDeployment -ServiceName yourservicename | Select Url
3. Use the returned URL for the CNAME
4. Add a www alias or subdomain if needed

Read More

Page 72

Configure the Application Access Panel: Configure SaaS SSO

SaaS providers leverage AAD as an IdP STS. This is similar to the relationship they would otherwise have with AD FS.

AAD decides how to authenticate the user: federated or standard, MFA or simple password.

SSO is facilitated using the protocols expected by the SaaS provider: SAML-P, WS-Federation, OpenID Connect.

Depending on the app, single sign-out and password reset integration will be supported.

Page 73

Configure the Application Access Panel: Add Users/Groups to Apps

Access Panel at http://myapps.microsoft.com
Custom branding? Load it by appending your organization's domain: http://myapps.microsoft.com/contosobuild.com
USERS CAN: change password, edit password reset settings, set MFA preferences, view account details, view/launch apps, self-manage groups

Authentication: users must be authenticated by an Organizational account in AAD. If federated, AuthN can be completed against on-premises.
Read more…

Page 74

Configure the Application Access Panel

Page 75

Configure the Application Access Panel

Page 76

Integrate an app with Azure AD
• Web Apps | WS-Fed
• SOAP Clients | WS-Trust spec | RST/RSTR
• Desktop Apps | OAuth
• RESTful Apps | HTTP Methods | Stateless

Graph API
Programmatic access to AAD through a REST API endpoint. Apps use it to perform CRUD operations on directory data and objects. To call the directory, the app must be registered with AAD. RBAC: security groups are used to perform RBAC through the Graph API.
EXAMPLES
• Create new user, get properties, disable
• Check group membership, update, delete, etc.

Query an Azure AD directory using the Graph API

Page 77

Implement Azure Active Directory – know these 5 things now

Azure AD Integration Options: Azure AD Sync | DirSync | FIM 2012 R2

Add Custom Domains: Create CNAME | Get-AzureDeployment -ServiceName yourservicename | Select Url

Configure SaaS SSO: AAD is the IdP | AAD determines AuthN: federated/standard, MFA/password | SSO: SAML-P, WS-Fed, OpenID Connect

WS-Fed vs. OAuth Apps: SOAP Clients, WS-Trust spec, RST/RSTR | RESTful Apps, HTTP Methods, Stateless

Graph API: Access AAD | REST | CRUD operations | Must register App with AAD | Security Groups used for RBAC

Page 78

Implement Virtual Networks
• Configure a Virtual Network
• Modify a Network Configuration
• Design and implement a multi-site or hybrid network

See Virtual Network Configuration Tasks

Page 79

Implement Virtual Networks

[Figure: service consumers on the Internet and an on-premises datacenter connecting to an Azure Virtual Network]
Front-End Network Access: load-balanced and direct VIPs | ACLs & DDoS protection | Traffic Manager & Azure DNS
Virtual Networks: flexible, multi-tier topology | network segmentation | internal load balancing
Hybrid Connectivity: secure Internet cross-premises VPN connectivity | ExpressRoute direct connectivity

Page 80

Internet Connectivity

Page 81

Traffic Manager: DNS-based Load Balancing (www.yourapp.com)

Load balancing policies
• Performance: direct to the "closest" service based on network latency
• Round-robin: distribute equally across all services
• Failover: direct to the "backup" service if the primary fails (also included in the other policies)

Page 82

Nested Profile for Traffic Manager

[Figure: MyApp.TrafficManager.net (Performance load balancing) with endpoints WestUS.CloudApp.net, EastUS.CloudApp.net, EUWest.CloudApp.net, AsiaEast.CloudApp.net, JapanWest.CloudApp.net and a nested profile EUNorth.TrafficManager.net; the nested profile splits traffic between EUNorth.CloudApp.net (Weight=95%) and EUNorth-new.CloudApp.net (Weight=5%)]

Page 83

Internet IP Addresses & Load Balancing

• VIP
  • Internet IP load balanced among one or more VM instances
  • MUST explicitly "open" input endpoints
  • Primarily for load balanced, highly available, or auto-scale scenarios
• PIP
  • Internet IP assigned to a single VM exclusively
  • Entire port ranges are accessible by default
  • For applications that dispatch/redirect to secondary port(s) on the same VM or need to target a specific VM

[Figure: Internet -> Microsoft Azure LB with Reserved VIP 151.2.3.4 -> cloud service containing VM1 (DIP1) and VM2 (DIP2); per-VM Internet addresses 131.3.3.3 and 131.4.4.4]

Page 84

Azure Load Balancing Algorithms

• Default: 5-tuple-hash based; spreads incoming connections across all active instances
• Source-IP-based affinity: all connections from the same Internet client IP go to the same backend server
  • Scenarios: applications that require multiple connections to the same server
  • Example: media streaming establishing control and data channels to the same backend server

[Figure: Client 1, Client 2, Client 3 -> VIP on the Azure Load Balancer -> VM Server Instance 1, VM Server Instance 2]

Page 85

Virtual Network

See Virtual Network Configuration Tasks

Page 86

Azure Virtual Network

• Bring Your Own Network
  • Address spaces – Private/RFC1918 & Public IP*
  • Multi-tier subnet topology
  • Bring your own AD & DNS
  • Linux, virtual appliances, & Windows
• Logical isolation with control over network segmentation using Network Security Groups
• Secure cross-premises connectivity

[Figure: Azure Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; VPN GW linked to On Premises 10.0/16 (AD / DNS) via S2S VPNs & ExpressRoute; direct Internet connectivity on the front end]

Page 87

Network Security Groups

• Enables network segmentation & DMZ
• Access Control List
  • Filter conditions with allow/deny
  • Individual addresses, address prefixes, wildcards
• Associate with VMs or subnets
  • Ingress: Subnet ACLs, then VM ACLs, then the VM
  • Egress: the VM, then VM ACLs, then Subnet ACLs

[Figure: Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets, VPN GW to On Premises 10.0/16 over S2S VPNs, Internet access to the front end; check marks show the permitted flows]

See About NSGs

Page 88

Network Security Groups

Workflow Steps to Create
1. Create a network security group (NSG).
2. Add network security rules, unless the default rules are sufficient.
3. Associate the NSG to a VM.
4. Update the VM.
5. After the update, the NSG rules take effect immediately.

See About NSGs

Page 89

Network Security Groups

Additional Key Points
• Can associate an NSG to a VM, or to a subnet within a VNet.
• A VM or subnet can be associated with only 1 NSG, but each NSG can contain up to 200 rules.
• Can associate an NSG to BOTH a VM and a subnet!
• You can have 100 NSGs per subscription.
• Endpoint-based ACLs and network security groups are not supported on the same VM instance. First remove the endpoint ACL before associating an NSG.
• Default rules cannot be deleted, but can be overridden because they sit at the lowest priority.

See About NSGs
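The workflow and key points above, worked through with the classic (ASM) Azure PowerShell cmdlets as an added example (not code from the deck); the NSG name, cloud service, VM and subnet names, the management subnet 10.0.5.0/24 and the region are assumptions.

```powershell
# Added example: classic (ASM) NSG workflow. Assumed: Add-AzureAccount already done,
# a classic VM "web01" in cloud service "contoso-web", VNet "TestVNet" with subnet
# "FrontEnd", all in "East US". Names and addresses are placeholders, not from the deck.

# Step 1: create the NSG in the same region as the VM/VNet.
New-AzureNetworkSecurityGroup -Name "web-nsg" -Location "East US" -Label "Frontend tier NSG"

# Step 2: add rules. Priority 100-4096, lower number wins; the default rules sit at
# 65000 and above, so an explicit Deny here overrides the default allow-VNet rule.
Get-AzureNetworkSecurityGroup -Name "web-nsg" |
  Set-AzureNetworkSecurityRule -Name "allow-https-in" -Type Inbound -Priority 100 `
    -Action Allow -SourceAddressPrefix "INTERNET" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "443" -Protocol TCP

# Only the (assumed) management subnet may reach RDP; never expose 3389 to INTERNET.
Get-AzureNetworkSecurityGroup -Name "web-nsg" |
  Set-AzureNetworkSecurityRule -Name "allow-rdp-from-mgmt" -Type Inbound -Priority 110 `
    -Action Allow -SourceAddressPrefix "10.0.5.0/24" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP

# Catch-all deny from the Internet, numbered above the allows so it is evaluated last.
Get-AzureNetworkSecurityGroup -Name "web-nsg" |
  Set-AzureNetworkSecurityRule -Name "deny-internet-in" -Type Inbound -Priority 4000 `
    -Action Deny -SourceAddressPrefix "INTERNET" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*" -Protocol "*"

# Steps 3-4: associate to the VM and update it; rules are live as soon as the update completes.
# (A VM that still has endpoint-based ACLs must have them removed first, see key points.)
Get-AzureVM -ServiceName "contoso-web" -Name "web01" |
  Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "web-nsg" |
  Update-AzureVM

# Optional: the same NSG may also be associated to the subnet (both VM and subnet are allowed).
Set-AzureNetworkSecurityGroupToSubnet -Name "web-nsg" -VirtualNetworkName "TestVNet" -SubnetName "FrontEnd"

# Verify: rules with their priorities, and the association on the VM.
Get-AzureNetworkSecurityGroup -Name "web-nsg" -Detailed
Get-AzureVM -ServiceName "contoso-web" -Name "web01" | Get-AzureNetworkSecurityGroupConfig
```

The -Detailed listing is the check worth keeping: it shows the custom rules sitting above the three default rules and confirms the 200-rule budget is nowhere near exhausted.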

Page 90

Internal Load Balancing

• Enables load balancing among VMs with private IP addresses
• Accessible only by the customer's virtual network and on-premises networks
• Multi-tier applications with internal-facing tiers require load balancing
  • HA LOB apps
  • SQL AlwaysOn
  • RDP to internal endpoints for added default security
• Replaces "Floating IPs"

[Figure: Internet -> Public VIP on the external load balancer -> Web frontend tier (Front end); Internal VIP on the internal load balancer -> Logic tier (Back end), all inside the Azure Virtual Network]

Page 91

Configure a Virtual Network

Configure Static IPs
• Verify the IP address is free: Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress 192.168.4.7
• Specify when creating a new VM or for an existing one
• Can remove when done; see all PS examples!

Configure Internal Load Balancing
1. Create ILB instance
2. Add endpoint to the ILB instance
3. Configure servers to send their traffic to the new ILB endpoint
Existing virtual networks that have been configured for an affinity group cannot use ILB.
Read More – See PowerShell Examples!

Design Subnets
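The static IP check and the three ILB steps above, as an added example in classic (ASM) Azure PowerShell rather than code from the deck; TestVNet and 192.168.4.7 come from the slide, while the subnet, cloud service, VM names, the ILB name and its 192.168.4.20 address are assumptions.

```powershell
# Added example: static VNet IP plus Internal Load Balancer, classic (ASM) cmdlets.
# Assumed: VNet "TestVNet" with subnet "Backend", cloud service "contoso-app",
# VMs "app01"/"app02". Addresses other than 192.168.4.7 are placeholders.

# Configure Static IPs: check availability first; the result also lists free alternatives.
$check = Test-AzureStaticVNetIP -VNetName "TestVNet" -IPAddress "192.168.4.7"
if (-not $check.IsAvailable) {
    Write-Warning ("192.168.4.7 is in use; free alternatives: " +
        ($check.AvailableAddresses -join ", "))
}

# Apply it to an existing VM (Update-AzureVM may restart the VM).
Get-AzureVM -ServiceName "contoso-app" -Name "app01" |
  Set-AzureStaticVNetIP -IPAddress "192.168.4.7" |
  Update-AzureVM

# Remove it when no longer needed:
# Get-AzureVM -ServiceName "contoso-app" -Name "app01" | Remove-AzureStaticVNetIP | Update-AzureVM

# Configure Internal Load Balancing
# 1. Create the ILB instance in the cloud service, on the Backend subnet, with a fixed private VIP.
Add-AzureInternalLoadBalancer -InternalLoadBalancerName "app-ilb" -ServiceName "contoso-app" `
  -SubnetName "Backend" -StaticVNetIPAddress "192.168.4.20"

# 2. Add a load-balanced endpoint on every VM in the set; the probe drops unhealthy VMs.
foreach ($vm in "app01", "app02") {
  Get-AzureVM -ServiceName "contoso-app" -Name $vm |
    Add-AzureEndpoint -Name "sql-ilb" -LBSetName "sql-lbset" -Protocol tcp `
      -LocalPort 1433 -PublicPort 1433 -InternalLoadBalancerName "app-ilb" `
      -ProbeProtocol tcp -ProbePort 1433 -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
    Update-AzureVM
}

# 3. Point the front-end tier at 192.168.4.20:1433. Only VNet and on-premises clients can
#    reach it: no public endpoint exists for this address. Confirm the ILB and its VIP:
Get-AzureInternalLoadBalancer -ServiceName "contoso-app"
```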

Page 92

Modify a Network Configuration
• Modify a Subnet
• Import a Network Configuration
• Export a Network Configuration

Read More

Page 93

Bring Your Appliances to the Cloud "Azure Certified"

• Building blocks
  • Multiple NICs
  • MAC address persistence
• Appliance ecosystem
  • Barracuda NG Firewall
  • Citrix NetScaler
  • Riverbed Steelhead, SteelApp, SteelStore
  • More to come!

Page 94

Hybrid Connectivity

Page 95

Design and implement a multi-site or hybrid network

Cloud customer segment and workloads:

Secure point-to-site connectivity
• Developers
• POC efforts
• Small scale deployments
• Connect from anywhere

Secure site-to-site VPN connectivity
• SMB, Enterprises
• Connect to Azure compute

ExpressRoute private connectivity
• SMB & Enterprises
• Mission critical workloads
• Backup/DR, media, HPC
• Connect to all Azure services
• Virtual Network | ExpressRoute | Traffic Manager

Page 96

Multi-site & VNet-to-VNet connectivity

• Multiple Site-to-Site connections
  • Multiple on-premises sites connect to the same virtual network
• VNet-to-VNet connectivity to any Azure datacenter
  • Same region or cross regions
  • For HA and DR, customers create virtual networks in different Azure regions
• Cross-subscription connectivity
  • Virtual networks in different subscriptions can securely communicate using private IP addresses

Connect to multiple virtual networks and on-premises locations

[Figure: Multi-site & VNet-to-VNet: VNet1 US West 10.1/16 and VNet2 East Asia 10.2/16 connected to each other and to Contoso NorthAm HQ (10.0.0.0/16) and Contoso East Asia (10.3.0.0/16)]

Page 97

Forced Tunneling

• "Force" or redirect customer Internet-bound traffic to an on-premises site
• Auditing & inspecting outbound traffic from Azure
• Needed by many scenarios for critical security and IT policy requirements

[Figure: Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; Internet-bound traffic is forced tunneled via the S2S VPN through the VPN GW to On Premises, which provides the Internet path]

Page 98

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Gateway Enhancements
• High Performance Gateway
  • Better throughput
  • More S2S tunnels
  • Pricing: $0.49 per gateway hour; data transfer & VNet traffic rates unchanged
• No Encryption option
  • Better throughput for VNet-to-VNet within Azure
  • Intra-/inter-region VNet-to-VNet traffic stays within Microsoft networks, not the Internet
• PFS support for IKE
  • Compliance requirements & better security
• Operations Logs
  • Visibility into critical gateway events

Gateway SKU  | ExpressRoute Throughput* | S2S Throughput* | Max Tunnels
Default      | 500 Mbps                 | 100 Mbps        | 10
Performance  | 1000 Mbps                | 200 Mbps        | 30
* Subject to traffic conditions and application behavior

Page 99

Implement Virtual Networks – know these 5 things now

Network Security Groups: Free | Shared | Basic | Standard

Configure ILB: Change Plan + Configure Settings

Import Network Config | Modify Subnets: Just do it!

P2S | S2S: Just do it!

Express Route: Just do it!

Page 100

Resources
• Microsoft Learning Site (http://bit.ly/Ignite-Learning): your one-stop location for info on all available Microsoft certifications, training, and exam prep resources
• Microsoft Virtual Academy (http://bit.ly/Ignite-VirtAcad): your source for on-demand, online technical training
• Microsoft Training and Certification Guide (http://bit.ly/Ignite-CertApp): interactive Windows 8.1 app to help you choose and traverse your path
• aka.ms/certification/70-533

Page 101

© 2015 Microsoft Corporation. All rights reserved.