https://www.microsoft.com/en-us/learning/exam-az-103.

aspx

Manage Azure subscriptions and resources (15-20%)

Implement and manage storage (15-20%)
Deploy and manage virtual machines (VMs) (15-20%)
Configure and manage virtual networks (30-35%)
Manage identities (15-20%)
 azure.microsoft.com
Free trial account

https://docs.microsoft.com/en-us/learn/

https://www.microsoft.com/handsonlabs/selfpacedlabs
Manage Azure Subscriptions
and resources (15-20%)
Manage Azure Subscriptions - Subscriptions
• A subscription is an agreement that as a
customer or partner has with Microsoft and Azure AD tenant
that gives them access to provision
resources in Azure.
• Every subscription trusts ONE Azure AD
tenant as source of security principals
• Azure AD is identity system for Microsoft
business services
• If you create a subscription with a personal
account, an Azure AD tenant is created for
you Sub1 Sub2 Sub3
• Subscriptions can be transferred between
Azure AD tenants
 Enforces corporate standards on resources through policies
 Runs evaluations of resources and detects which ones are not
compliant with the defined rules
 Examples:
 Allow only a certain SKU size of virtual machines in your environment
 Ensure that all SQL servers use version 12.0
 Restrict the locations to use when deploying resources
 Enforce resource tagging
 Evaluations happen about once an hour
 Policies assigned within specific scope (subscription, RG, Mgmt Group)
Turn on built-in policies Apply policies to a Management
or build custom ones for all Group with control across your Real time remediation
resource types entire organization

Real-time policy evaluation and Apply multiple policies and & Remediation on existing resources
enforcement aggregate policy states with
policy initiative

Periodic & on-demand compliance

Exclusion Scope
evaluation

VM In-Guest Policy

Enforcement & Apply policies Remediation

Compliance at scale
 Pillars

Core
Foundation

aka.ms/Azure/Scaffold
Manage Azure Subscriptions - Scaffold

Enterprise Scaffold:
https://docs.microsoft.com/en-us/azure/architecture/cloud-
adoption/appendix/azure-scaffold

Naming convention:

https://docs.microsoft.com/en-us/azure/architecture/best-
practices/naming-conventions
 Manage Azure Subscriptions - Azure
Management Groups
Make environment management
easier by grouping subscriptions
together
• Grouping subscriptions into
logical groups allow for new
organization models
• Inheritance allows for single
assignment of controls that apply
to all subscriptions
• Aggregated views above the
subscription level
Create a hierarchy of management
groups that fit your organization
• Create a flexible hierarchy that
can be updated quickly
• Hierarchy doesn’t need to model
the organizations billing
hierarchy
• Can easily scale up or down
depending on the organizational
needs
Apply governance controls with
policies and access controls along
with other Azure services
• Azure Resource Manager (ARM)
objects that allow integrations
with other Azure services
• Azure services:
• Azure Policy
• RBAC
• Azure Cost Management
• Azure Blueprints
• Azure Security Center
Manage Azure Subscriptions - Management Group &
Subscription Modeling Strategy

Org Management Group

Prod RBAC + Policy Pre-Prod RBAC + Policy

App A App B App A App B

Microsoft Prod Prod Pre-Prod Pre-Prod
Recommended

Shared Shared
App D App C
services services
Prod Pre-Prod
(Prod) (Pre-Prod)
Manage Azure Subscriptions - Another
example
Manage Azure Subscriptions - Another
example
Manage Azure Subscriptions - Management
Groups Facts
• Each directory is given a single top-level management group called the "Root" management
group

• 10,000 management groups can be supported in a single directory

• A management group tree can support up to six levels of depth (not including root)
Manage Azure Subscriptions - Azure Management Groups

Purpose

aka.ms/Azure/MgtGroups
Manage Azure Subscriptions - Resource groups
• Tightly coupled containers of multiple
resources of similar or different types
• Azure resources contained should
have the same lifecycle
• Every resource *must* exist in one
RESOURCE GROUP and only one resource group
• Resource groups can span regions
• Nesting of resource groups not supported
• Only Subscription Owners can create
resource groups
Manage Azure Subscriptions - Manage Resource
Groups move Resources
Manage Azure Subscriptions - Locks
Manage Azure Subscriptions - Azure Tags
• Name-value pairs to organize resources
• Applied at the resource group or resource level
• Use cases:
• Environment (dev, qa, prod)
• Cost Management (bu, costcenter, region, owner)
• Application
• Compliance (hipaa, pii, germany)
• Configuration Management
• Maintenance window
Manage Azure Subscriptions - Tags add
context
Finance codes TAG = !!! ? Tags should be enforced
CostCenter tag, etc. by configuration policies

Application context Use Azure Policy to set

AppService tag, etc.
Deployment context
Environment tag, etc.
Who is accountable
BusinessOwner tag, etc.
!!! !!! !!!
and track ARM tagging
policies
!!! !!! MG, Subscription, RG scopes
Enforce that tags exist
Set default values for tags
Audit if tags are missing
!!! !!! !!! 
Manage Azure Subscriptions - Azure Tags -
Limitations
• Not all resource types support tags
• Each resource or resource group can have a maximum of 15 tag
name/value pairs
• Tags applied to the resource group are not inherited by the resources in that
resource group
• The tag name prefixes “Azure,” “Windows,” and “Microsoft” are reserved
and cannot be used
• Tag Names: 512 characters. Tag Values: 256 characters.
• Can’t contain special characters
https://docs.microsoft.com/en-us/azure/cost-management/overview
Create Action Groups
• Azure Resource Manager is the deployment and management service for
Azure.
• It provides a consistent management layer that enables you to create, update,
and delete resources in your Azure subscription.
• You can use its access control, auditing, and tagging features to secure and
organize your resources after deployment.
• You can interact with ARM through the portal, PowerShell, Azure CLI, REST
APIs, or client SDKs.
Azure Resource Manager Terminology
 resource

 resource group

 resource provider

Resource
providers
Azure Resource Manager Terminology
 Resource Manager template

 declarative syntax
ARM Template Deployments
Instantiation of repeatable
What? SQL-A config.
Website
• Source file, can be checked-in [SQL CONFIG] VM (2x) Configuration  Resource Group

• Specifies resources, dependencies and

connections
• Parameterized input/output
DEPENDS ON SQL DEPENDS ON SQL

Why?
• Ensure Idempotency Virtual
SQL - A Website Machines
• Simplify orchestration (dependencies,
nested templates)
SQL CONFIG
ARM Template Syntax
 JavaScript Object Notation (JSON) syntax - http://www.json.org/
 Objects are unordered sets of name and value pairs

 An object begins with left curly brace { and ends with right curly brace }

 Each name and value is enclosed by double quotes “”

 Names and values are delimited by a colon :

 Name and value pairs are delimited by a comma ,

JSON Syntax Example
Object
delimiter
{ Name / Value pair
"name": "myVm001", delimiter

"type": "Microsoft.Compute/virtualMachines",
"location": "australiaeast",
"apiVersion": "2015-05-01-preview",
"dependsOn": [
Array
"'Microsoft.Storage/storageAccounts/myStor001'",
delimiter
"'Microsoft.Network/networkInterfaces/myNic001'"
],
"tags": { String Nested
delimiter string
"displayName": "Web VM" delimiter
} Name / Value
} delimiter
 Template Format
{ Location of the JSON schema file

"$schema": "http://schema.management.azure.com/schemas/2015-01-
01/deploymentTemplate.json#",

"contentVersion": "",
Your version number

"parameters": { }, Template Input parameters

"variables": { }, Variables to simplify expressions

"resources": [ ], Resources to deploy or update

"outputs": { } Output returned after deployment

}
ARM Template Elements
Variable Format
• Simple Variable "nicName": "myNic01"

• Complex Variable: "vmNames": {

"webVm": "myWeb01",
"sqlVm": "mySql01",
"dcVm": "myDc01"
},

• variables() function: "[variables(nickname)]"

"[variables(vmNames.sqlVm)]"
Resource Format
{
"name": “myVNet",
"type": "Microsoft.Network/virtualNetworks",
"location": “australiaeast",
"apiVersion": "2015-05-01-preview",
"tags": {
"displayName": “myVNet"
},
"properties": {
// specific to each resource type
}
}
Template Functions
Numeric String Array Resource

Add() Base64() Concat() listAccountSas()

copyIndex() concat() Length() listKeys()
div() padLeft() Split() listSecrets
int() replace() list*()
length() split() providers()
mod() string() reference()
mul() substring() resourceGroup()
Sub() toLower() resourceId()
toUpper() subscription()
trim()
uniqueString()
Uri()
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
Conditions
{
"condition": "[equals(parameters('newOrExisting'),'new')]",
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"apiVersion": "2017-06-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "[variables('storageAccountType')]"
},
"kind": "Storage",
"properties": {}
}
Outputs
"outputs": {
"fqdn": {
"value":
"[reference(parameters('publicIPAddresses_name')).dnsSettings.fqdn]",
"type": "string"
},
"ipaddress": {
"value": "[reference(parameters('publicIPAddresses_name')).ipAddress]",
"type": "string"
}
}
Deploy & Manage Virtual
Machines (20-25%)
Virtual Machines
Selecting the correct VM Size
Highest value Largest scale-up

A D G N

Highest value SSD Storage Most memory GPU-enabled

Fast CPUs fastest CPUs virtual machines

Type Sizes Description

Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low
General purpose Dsv3, Dv3, DSv2, Dv2, DS, D, Av2, A0-7
to medium traffic web servers.
High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes,
Compute optimized Fs, F
and application servers.
High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and
Memory optimized Esv3, Ev3, M, GS, G, DSv2, DS, Dv2, D
in-memory analytics.
Storage optimized Ls High disk throughput and IO. Ideal for Big Data, SQL, and NoSQL databases.
Specialized virtual machines targeted for heavy graphic rendering and video editing. Available with
GPU NV, NC
single or multiple GPUs.
High performance Our fastest and most powerful CPU virtual machines with optional high-throughput network
H, A8-11
compute interfaces (RDMA).
Virtual Machine Components

• Managed Disks
Storage
resources • Storage accounts (Page blobs) – Standard & Premium
Storage

• Virtual machines
– Azure certified Windows – Custom Images
Compute & Linux Marketplace • Availability Sets
resources Images
• VM extensions
– Community Images

• Virtual networks • Network Security Groups

• Network interface cards
Networking (NICs)
resources
• Load balancers
• IP addresses
Storage options
• Optimized for low latency or high bandwidth
• High I/O performance (100K+ IOPS, up to 512 MB/s)
• SSD-based hardware
Premium • Consistent low latency (<5ms latency target for 99.9%,
storage <1 ms for cached reads)
• Billing based on provisioned size (not actual writes)
• Retain strongly consistent 3 copies – No need for Standard Premium
additional redundancy on VM

• Optimized for general purpose storage

Standard
• Up to 20,000 IOPS and 20Gbps per storage account
storage
• Billing based on actual bytes written to storage
Virtual machine storage architecture
Azure virtual machine

C:\
OS disk D:\ E:\, F:\, etc. G:\, H:\, etc.
Temporary disk Data disks SMB share
Disk cache

Azure Blob Azure files

Azure Availability Overview
Availability Zones (AZ)
• Availability Zones help to protect you from
datacenter-level failures.
• Each AZ has its own independent power source,
network, and cooling.
• Minimum of three separate zones in all
enabled regions.
• Services that support Availability Zones
– Linux Virtual Machines EastUS 2 (EUS)
– Windows Virtual Machines
– Zonal Virtual Machine Scale Sets
– Managed Disks
– Load Balancer
VM Scale Sets
• Manage identical VMs at Scale
• Scale your workload:
• Automatically

• On demand

• Provides HA by guaranteeing a number of app instances

• High performance provisioning of 1-1000 VMs
• Auto-configuration at scale
• Auto-scale based on schedule and resource metrics
• Easy updates at scale, you can update the properties of the scale set and choose which VMs to
rollout
• Managed Disk support
• Single ARM resource
• Combine it with Layer 4 or Layer 7 load balancing to access your application
Autoscale with VM Scale Sets
• Define Max – Min VMs
• Define trigger and action rules
• Standard audit/email notifications
• Define webhooks for custom notifications
and actions (e.g. runbooks)
• New VMs are spread across UDs, FDs,
storage accounts
Different ways to create a VM
Hands-on-Labs
 https://microsoftlearning.github.io/AZ-103-
MicrosoftAzureAdministrator/
Implement & Manage Storage
(20-25%)
Interactions with Azure Storage occur at a storage account, the top level of the storage hierarchy

Type Services Performance Tiers Access Tiers Replication options

General Purpose Blob, File, Queue, Standard, Premium N/A LRS, GRS, RA-GRS
v1 Table, and Page Blobs
General Purpose Blob, File, Queue, Standard, Premium Hot, Cool, Archive LRS, ZRS, GRS, RA-GRS
v2 Table, and Page Blobs
Blob Blob only Standard Hot, Cool, Archive LRS, GRS, RA-GRS
Premium Blob Blob only Premium N/A LRS
Azure Storage Offerings
Queues Tables Blobs Disks Files
“Reliable messaging at “Massive auto-scaling “Highly scalable, REST “Persistent disks for Azure “File share like access to
scale for cloud services” NoSQL data store” based cloud object store” IaaS VMs” Azure storage”

Code against (REST API)

Use on Windows & Linux VMs

• Foundational building block of the Azure Cloud – Cloud – Azure Data Lake, Azure SQL Data Warehouse, Azure
HDInsight, OneDrive, Skype, Xbox,…
• All storage types are encompassed under the Storage Account service offering.
– General Purpose Storage (Magnetic Tape)
– Premium Storage (SSD/Low Latency/High IOPS/ Better performance)
• Hyper Scale: >60 trillion objects, >7 million transactions per second
• REST based API, multi-platform, open sourced client libraries for many languages (e.g. Java, Python, Node.js, PHP,
Ruby, Android, etc.)
• Strong hybrid story - Azure Stack support and integration with StorSimple, Azure Backup and 3rd party
storage vendors
Azure Storage Overview
Files
“SMB Access to
Azure Storage”

Files
Files “SMB Access to Azure Storage”
• Lift and shift on-premises applications
File storage
Access via SMB, REST • Natively supported by OS APIs, libraries and tools
• Built on SMB2.1 and 3.0, works with Windows and Linux
• No limits on number of shares
– 5TB File shares capacity or 100TiB (Preview)
– 1000 IOPS per share, 100000 (Preview)
– Upto 60 MB/s throughput
“Lift & shift” scenarios
• Endpoints
– \\myaccount.file.core.windows.net\myshare\myfile.txt
– http://myaccount.file.core.windows.net/myshare/myfile.txt
Azure Table Storage Overview
Files Tables
“SMB Access to “Massive
Azure Storage” auto-scaling
NoSQL store”

Tables
Tables “Massive auto-scaling NoSQL store”
• User, device and service metadata, structured data
NOSQL storage
Access via REST • Schema-less entities with strong consistency
• Row-Colum, Key-Value oriented solution
• Supports queries in the different SDKs
• No notion of joins or foreign keys
• No limits on number of table rows or table size
KeyValue Store • Dynamic load balancing of table regions
• Best for Key/value lookups on partition key and row key
• Entity group transactions for atomic batching
• Endpoint – http://mystorageaccount.table.core.windows.net
Azure Queues Overview
Files Tables Queues
“SMB Access to “Massive “Reliable
Azure Storage” auto-scaling messaging at scale
NoSQL store” for cloud services”

Queues
Queues “Reliable messaging system at scale for cloud services”
• Asynchronous Message Delivery
Reliable Messaging
Access via REST • Decouple components and scale them independently
• HTTP and SDKs Access
• Building processes/work flows
• No limits on number of queues or messages
• Message visibility timeout to protect from component issues
Scheduling a sync tasks • UpdateMessage to checkpoint progress part way through
• Endpoint – http://mystorageaccount.queue.core.windows.net
Azure Blob Storage Overview
Files Tables Queues Blobs
“SMB Access to “Massive “Reliable “Highly scalable,
Azure Storage” auto-scaling messaging at scale REST based cloud
NoSQL store” for cloud services” object store”

Blobs
Blobs “Highly scalable, REST based cloud object store”
• Data sharing, Big Data, Backups
Object storage
Access via REST • Unstructured storage of binary and text data
• Block Blobs: Read and write data in blocks. Optimized for sequential IO. Most cost effective Storage.
Ideal for files, documents & media
• Page Blobs: Optimized for random access and can be up to 8 TB in size. IaaS VM OS & data disks
are of this type.
• Append Blobs: Similar to block blobs and optimized for append operations. Ideal for logging
Streaming & random
object access scenarios
scenarios and total size can be upto 195GB
• Endpoint – http://mystorageaccount.blob.core.windows.net/mycontainer/myblob.
Storage Access
Authentication:
• Private Keys: for programmatic access, two rotating 512 bit strings, that provide full access

• Shared Access Signature: for programmatic access, generated URIs with restricted and scoped accessAccount name +
storage keys (primary / backup) are used for secure access.

• RBAC for administrative access, to be used to implement security to the resource itself but not contents of the resource.

• Blobs (containers) can be made publicly accessible with anonymous access

Tools:
• Azure Portal

• Azure Storage Explorer/AZCopy

• REST API

• SDKs, Libraries

• 3party clients
Storage Replication
• Locally redundant storage (LRS)
– The default setting that makes 3 copies in the same DataCenter.

• Zone redundant storage (ZRS)

– Maintains the 3 local copies of your data as well as another set of three copies of your data. The second set of three copies is
replicated asynchronously across datacenters within one or two regions
– Only available for block blobs in general-purpose storage accounts
– Cannot convert it to use to any other type of replication, or vice versa.
– ZRS accounts do not have metrics or logging capability

• Geo-redundant storage (GRS)

– Three local copies of your data in a primary region plus another set of three copies in a secondary region hundreds of
miles away.
– In the event of a failure at the primary region, Azure Storage will fail over to the secondary region.

• Read-Access geo-redundant storage (RA-GRS)

– Exactly like GRS except that you get read access to the data in the secondary location
What are Managed Disks
Managed by Azure

OS Disk

Data Disk VHDs

Managed Storage Accounts

 Simple – Abstracts storage accounts from customers, do not live in a storage account
 Granular access control – Top level ARM resource, apply Azure RBAC
 Storage account limits do not apply – No throttling due to storage account IOPS limits
 Big scale – 20,000 disks per region per subscription
 Better Storage Resiliency – Prevents single points of failure
 Can only use LRS replication
Data Movement
AzCopy tool simplifies data migration
at scale
Efficient means of copying millions of
files – large or small Storage Services
Includes journaling for reliability
Supports Blob Storage, Table Storage and
File Storage

Data Movement library supports NAS

developers
Open source core framework from AzCopy
Enables custom applications to be developed

Storage Services
Store, backup, recover your data
Windows Azure Storage
Defend against regional disasters.

East DC
> 400 miles West DC

Geo replication
Hands-on-Labs
 https://microsoftlearning.github.io/AZ-103-
MicrosoftAzureAdministrator/
Deploy & Manage Virtual
Networks (30-35%)
Azure Networking
• Virtual Networks (VNETs)
• Network Security Groups
• Azure DNS
• Azure Load Balancer
• Azure Traffic Manager
• Network Virtual Appliances
Internet connectivity by country
Microsoft’s network is one of the largest in the world

Internet users
■ 500,000,000+
■ 100,000,000 – 499,999,999
■ 50,000,000 – 99,999,999
■ 25,000,000 – 49,999,999
■ 5,000,000 – 24,999,999
■ 100,000 – 4,999,999
■ 50,000 – 999,999
■ 0 – 49,999
Microsoft global WAN—Edge node locations

NORTH
ASIA AMERICA
EUROPE

Atlantic
Ocean

Pacific
Ocean AFRICA
SOUTH
AMERICA Indian
Ocean

AUSTRALIA
Pacific
Ocean
Software-defined networking (SDN)
Building the right abstractions to enable scale and agility

Azure
Abstract
Front-end Management, control, and data planes

Management Tenant
Plane Compose compute & storage roles and networks
Application
Proprietary Plane
Commodity Tell and program
Hardware Control Controller Hardware Instead of discover and react
Appliance Plane

Physical
Transport Control
Plane Plane Example: ACLs
Management Create a tenant

Control Plumb tenant ACLs to switches

Switch
Data Apply ACLs to these flows
The big (network) picture
Virtual Network
Azure
Virtual Network “Bring Your Own Network”
Segment with subnets and
Users Azure
Virtual Network
security groups
Control traffic flow with user-
Internet defined routes
VNet peering

Front-end access
Dynamic/static public IP
addresses Back-end connectivity
Direct VM access, NSGs Point-to-site for dev/test
for security ExpressRoute
VPN Gateways Peering for cross –VNet
Load balancing connectivity in the same region
DNS services: Hosting, VPN Gateways for secure cross
traffic management region connectivity
DDoS protection ExpressRoute for private enterprise
grade connectivity
Your virtual private network in the cloud

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Segmenting the Virtual Network

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Routing within a Virtual Network
• All subnets can see/route to all other subnets
• Virtual Network subnets (multiple)
– Azure reserves the first three and the last IP from the pool
– First usable address of a /24 is .4

• Gateway subnet (single)

• One logical gateway per gateway subnet
• All traffic flows through gateway to get to on premises
• Influence routing with user-defined routes (e.g. NVA, S2S Forced Tunneling) and BGP
(e.g. ER Forced Tunneling)
• By default, each VNet has outbound internet access (NAT)
Network Security Groups

Network Security Group (NSG)

Action Name Source Destination Port
Enforced at every host, applied on multiple Allow AllowInternetToWebServers Internet WebServers 80,443(HTTP)

Application Security Groups Allow AllowWebToApp WebServers AppServers 443 (HTTPS)

Allow AllowAppToDb AppServers DatabaseServers 1443 (MSSQL)

Deny DenyAllInbound Any Any Any

Service Tags

Logging and troubleshooting

NSG Example
 Connect 2 VNets in same region
 Routed through Azure Backbone

 Same Region & Across Regions (Global)

 Read-Write to VNet
 Non-overlapping IP Addresses
 Across Subscriptions and tenants

 No overlapping IP address
 Cannot modify the address space, you must delete the
peering for that
 No Transitivity

aka.ms/Azure/Peering Just Do It!

aka.ms/Azure/Addresses
Multiple NICs in Azure VMs
Up to 16 NICs per VM
NSG and Routes on all NICs Virtual Machine
NIC2 NIC1 Default
Can separate frontend, backend, 10.3.3.33 10.2.2.22 10.1.1.11

and management
NIC can have: VIP 133.44.55.66
Internet
• 1 Private IP – Static or Dynamic
• 1 Public IP – Static or Dynamic Backend Mgmt. Frontend
Subnet Subnet Subnet
• 1 LB VIP – Static or Dynamic Virtual Network
DNS in Azure
Name Resolution on a vNet
• Azure created name resolution automatically to all VMs within a vNet
• It does not work outside the vNet or in peerings
• For that you need Azure DNS or a custom server

Azure DNS
• Manage DNS seamlessly with your Azure services
• Globally distributed architecture, resilient to multiple region failure
• Fast global DNS name resolution
• 99.99% Availability SLAAll common DNS record types

All common DNS record types

• A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT
DNS in Azure
Public and Private
• Azure DNS can host both public and private domains such as contoso.com or
contoso.local depending if it need to be accessed from the Azure Virtual Network or
outside.
Flexible DNS management
• Integrated with Azure Resource Manager for role-based access control, tagging, and template-based
deployment—for both zones and record sets
• Azure Portal, PowerShell, and CLI
• REST API and SDKs for application integration
DHCP
• Azure provided/managed service
• All addresses are DHCP-based
• Address not allocated until object created
• Addresses are recovered when object is deallocated
• Static addresses are DHCP reservations
• Address prefix comes from VNet/subnet definitions
Beware: using Group Policy to configure DHCP can result in isolated VM
without any IP address.
IP addressing models in ARM

Private IP Public IP Public Static Private Static

• Internal address assigned • Public IP address assigned • A static, public-facing • An internal-facing static
by default for Azure for to a VM NIC or an external address that must be address allocated from the
communication within Load Balancer specially requested. There subnet address pool. The
Virtual Networks are a limited number of number is limited by the
• Only exists when a LB is these addresses per addresses assigned to the
• Assigned to a VM NIC or created or address is subscription subnet address pool. This is
Internal Load Balancer assigned to VM NIC implemented as a
• Use only when you need DHCP reservation
a public facing static
IP address • Use only when you need
an internal facing static
IP address
Route tables
Every subnet has a route table that contains the following minimum
system routes:
• Local VNet – Route for local addresses (no next-hop value)
• On-premises – Route for defined on premises address space (VNet gateway is next-hop
address)
• Internet – Route for all traffic destined to the Internet (Internet Gateway is the next-hop
address)

Route tables can be influenced using:

• BGP routes (using ExpressRoute, preferred over system routes)
• User-defined routes (preferred over BGP and system routes)
User-defined routes
Internet
• Control traffic flow in your network with
custom routes Virtual
Network
• Attach route tables to subnets System
Route VM with “IP Forwarding”
• Specify next hop for any address prefix
Back-end subnet
• Set default route to force tunnel all traffic Front-end subnet

to on-premises or appliance Default

System
Route
route

VM/Appliance
User-defined
route
Networking limits
Resource Default Limit Maximum Limit
Virtual Networks per subscription 50 500
DNS Servers per VN 9 25
Private IP Addresses per VN 4,096 4,096
Concurrent TCP connections for a VM or role instance 500,000 500,000
Network Interfaces (NIC) 300 10,000
Network Security Groups (NSG) 100 400
NSG Rules per NSG 200 500
User defined route tables 100 200
User defined routes per route table 100 400
Public IP addresses (dynamic) 60 Contact Support
Public IP addresses (static) 20 Contact Support
Load balancers (internal or internet facing) 100 Contact Support
Load balancer rules per balancer 150 150
Public front end IP per balancer 5 Contact Support
Private front end IP per balancer 30 Contact Support
Vnets peerings per VN 10 50
Azure Load Balancer
What key features does the Azure LB support?
• Hash-based traffic distribution
• TCP and UDP support
• Port Forwarding
• Idle Timeout Adjustment
• Client IP Affinity
• TCP and HTTP health monitoring
• NAT and SNAT
Internet-facing LB (ARM)
25.1.2.3:443
• Load Balancing over Public Ips Contoso.cloudapp.azure.com

• Load Balancer configuration: 25.1.2.3:50022

– Front-end IPs (Public VIPs)

– Backend Pools
– Probes 10.1.1.0/24

– Load Balancing Rules :22

:443 :443 :443

– Inbound Nat Rules
• Dependency chain:
• FE IP > AV Set > BE Pool > Probe > LB .11 .12 .13

Rule/NAT Rule
Internal LB (ARM) 25.1.2.3:443

• Load Balancing over Private IPs

10.1.1.0/24
• ILB has many use cases:
:443 :443 :443
• Tiered LB between applications
• VNet to VNet LB via peering .11 .12 .13

• On-prem to Azure LB over VPN 10.1.2.50:8080

• On-prem to Azure LB over ER

• App Gateway to ILB tier 10.1.2.0/24

• NVA to ILB tier or vise-versa :8080 :8080 :8080

• Internal LB within an App Service

Environment .11 .12 .13
Azure Load Balancer hierarchy
Azure
What Example
service
Internet
Traffic Cross-region http://news.com
Manager redirection &  apac.news.com
availability  emea.news.com
 us.news.com
Azure traffic manager (DNS load balancer)

Azure Load In-region emea.news.com

Balancer scalability &  AppGw1 ALB (L4 load balancer) ALB (L4 load balancer)
availability  AppGw2
 AppGw2

Azure URL/content- news.com/topnews Application Application Application Application

Gateway Gateway Gateway Gateway
Application based routing news.com/sports
Gateway & load
news.com/images
balancing

VMs Web Servers IIS, Apache, Tomcat VM VM VM VM VM VM VM VM

Customer’s Primary Connection
Network
Partner Microsoft
Edge Edge
Secondary Connection

ExpressRoute Circuit

Microsoft Peering for Dynamics 365, Azure public services (public IPs)

Azure Private Peering for Virtual Networks

Hands-on-Labs
 https://microsoftlearning.github.io/AZ-103-
MicrosoftAzureAdministrator/
Manage Identities (15-20%)
• LDAP
• Domain Join
• Group Policy
• Kerberos/NTLM authentication
• Password Hash Sync:
• Configured via AD Connect
• Syncs a hash, of the hash, of the user’s password
• Can reduce the passwords to mantain
• Microsoft searchs for compromised passwords on the dark web
• Can be combined with SSO
• Passthrough Authentication:
• Configured via an AD connect agent (outbound connection)
• Authentication is done in the cloud after a secure password verification exchange with the on-
premises authentication agent
• Does not sync the password but Azure AD validates against the on-premise
• Can be combined with SSO
• Federation
• Establishes a trust relationship using Active Directory Federation Services
• Authentication happens on-prem
• If the federation fails or is down you Will be out of Azure, to avoid it combine it with PHS as a
backup
Sign-In: Password Hash Sync
• AD hash is re-hashed 1000 times, result is synced to
Azure AD
• Updates synced every 2 minutes
• https://docs.microsoft.com/en-us/azure/active-
directory/connect/active-directory-aadconnectsync-
implement-password-hash-synchronization
Sign-In: Pass-through Authentication
Sign-In: Federation
Multi-Factor Authentication
• Two-step verification approach
• Provides an additional layer of security by requesting not only the password but something you
know, own or are.
• You can use different methods such as:
• App Passwords
• App
• OATH Token
• SMS
Call
• E-mail
• Security Questions
• Passwords
• Comes in Azure AD Premium
• Allows you to work with external partners your tenant even if they don’t have Azure AD
• Invite external partners by creating guest users
• The guest organization will keep their authentication methods so there is no overhead
• The guest signs in with their own identity
• They receive an invitation to your Azure AD tenant on their email address
• Allows you to customize and control how your customers interact with with your web, desktop, mobile,
or single-page applications
• users can sign up, sign in, reset passwords, and edit profiles
• Implements a form of the OpenID Connect and OAuth 2.0 protocols
• In your applications, you may want to enable users to sign in with different identity providers:
• Amazon
• Facebook
• Microsoft account
• Amazon
• Google
• Microsoft account
• LinkedIn
• To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by
a security principal.
• The security principal defines the access policy and permissions for the user/application in the Azure AD tenant.
This enables core features such as authentication of the user/application during sign-in, and authorization during
resource access.
• In Azure there are two types of Principals:
• For regular users called: User principal
• For applications called: Service principal
• An Azure service principal is an identity created for use with applications, hosted services, and automated tools to
access Azure resources.
• This access is restricted by the roles assigned to the service principal, giving you control over which resources can
be accessed and at which level.
• For security reasons, it's always recommended to use service principals with automated tools rather than allowing
them to log in with a user identity.
• A common challenge when building cloud applications is how to manage the credentials in your code for
authenticating to cloud services. Keeping the credentials secure is an important task.
• Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to
authenticate to Key Vault to retrieve them. The managed identities for Azure resources feature in Azure Active
Directory (Azure AD) solves this problem.
• Managed identities are service principals of a special type, which are locked to only be used with Azure
resources. When the managed identity is deleted, the corresponding service principal is automatically removed.
• There are two types of managed identities:
• A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is
enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription
of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle
of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the
instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
• A user-assigned managed identity is created as a standalone Azure resource. Through a create process,
Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity
is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-
assigned identity is managed separately from the lifecycle of the Azure service instances to which it's
assigned.
Azure has different roles in Azure.
• Classic subscription administrator roles: used when Azure was initially released to access to resources, three
administrator roles: Account Administrator, Service Administrator, and Co-Administrator.
• Azure role-based access control (RBAC) roles: later, role-based access control (RBAC) for Azure resources
was added. Azure RBAC is a newer authorization system that provides fine-grained access management to
Azure resources.
• Azure Active Directory (Azure AD) administrator roles: used to manage Azure AD resources in a directory
such as create or edit users, assign administrative roles to others, reset user passwords, manage user
licenses, and manage domains. The following table describes a few of the more important Azure AD
administrator roles.
 Role Limit Permissions Notes
Account 1 per Azure •Access the Azure Account Center Conceptually, the billing owner of the subscription.
Administrator account •Manage all subscriptions in an account The Account Administrator has no access to the
•Create new subscriptions Azure portal.
•Cancel subscriptions
•Change the billing for a subscription
•Change the Service Administrator

Service 1 per Azure •Manage services in the Azure portal By default, for a new subscription, the Account
Administrator subscriptio •Assign users to the Co-Administrator role Administrator is also the Service Administrator.
n The Service Administrator has the equivalent access
of a user who is assigned the Owner role at the
subscription scope.
The Service Administrator has full access to the
Azure portal.

Co- 200 per •Same access privileges as the Service Administrator, The Co-Administrator has the equivalent access of
Administrator subscriptio but can’t change the association of subscriptions to a user who is assigned the Owner role at the
n Azure directories subscription scope.
•Assign users to the Co-Administrator role, but cannot
change the Service Administrator
 Role Permissions Notes
Global Administrator •Manage access to all administrative features in Azure The person who signs up for the Azure Active
Active Directory, as well as services that federate to Azure Directory tenant becomes a Global
Active Directory Administrator.
•Assign administrator roles to others
•Reset the password for any user and all other
administrators

User Administrator •Create and manage all aspects of users and groups
•Manage support tickets
•Monitor service health
•Change passwords for users, Helpdesk administrators,
and other User Administrators

Billing Administrator •Make purchases

•Manage subscriptions
•Manage support tickets
•Monitors service health
 Role Permissions
Owner •Full access to all resources
•Delegate access to others
Contributor •Create and manage all of
types of Azure resources
•Cannot grant access to others
Reader •View Azure resources
User Access Administrator •Manage user access to Azure
resources
Notes
The Service Administrator and
Co-Administrators are
assigned the Owner role at the
subscription scope
Applies to all resource types.
Applies to all resource types.
Applies to all resource types.
 {
If the built-in roles for Azure resources
don't meet the specific needs of your
organization, you can create your own
custom roles.
}
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"
]
Hands-on-Labs
 https://microsoftlearning.github.io/AZ-103-
MicrosoftAzureAdministrator/