https://docs.microsoft.com/en-us/learn/
https://www.microsoft.com/handsonlabs/selfpacedlabs
Manage Azure Subscriptions and resources (15-20%)
Manage Azure Subscriptions - Subscriptions
• A subscription is an agreement that a customer or partner has with Microsoft that gives them access to provision resources in Azure.
• Every subscription trusts ONE Azure AD tenant as the source of security principals
• Azure AD is the identity system for Microsoft business services
• If you create a subscription with a personal account, an Azure AD tenant is created for you
• Subscriptions can be transferred between Azure AD tenants
(Diagram: one Azure AD tenant trusted by subscriptions Sub1, Sub2 and Sub3)
Manage Azure Subscriptions - Azure Policy
• Enforces corporate standards on resources through policies
• Runs evaluations of resources and detects which ones are not compliant with the defined rules
• Examples:
  – Allow only a certain SKU size of virtual machines in your environment
  – Ensure that all SQL servers use version 12.0
  – Restrict the locations to use when deploying resources
  – Enforce resource tagging
• Evaluations happen about once an hour
• Policies are assigned within a specific scope (subscription, RG, Mgmt Group)
• Turn on built-in policies or build custom ones for all resource types
• Real-time policy evaluation and enforcement
• Apply policies to a Management Group with control across your entire organization
• Apply multiple policies and aggregate policy states with a policy initiative
• Real-time remediation: remediation on existing resources
• VM In-Guest Policy
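To make the evaluation model concrete, here is an added example (not from the slides or from Azure Policy itself) that evaluates three constructed rules written in the Azure Policy "if/then" shape, covering the slide's own examples of allowed locations, required tags and VM SKU restriction, against a resource description. The allowed-locations list is inlined where a real definition would use a parameter; the resource dicts are constructed.

```python
# Minimal evaluator for Azure Policy-style "if/then" rules (added illustration, not the Azure Policy engine).
ALLOWED_LOCATIONS = ["australiaeast", "australiasoutheast"]  # stands in for parameters('allowedLocations')

POLICIES = {  # constructed rules in the Azure Policy definition shape
    "allowed-locations": {
        "if": {"not": {"field": "location", "in": ALLOWED_LOCATIONS}},
        "then": {"effect": "deny"},
    },
    "require-costcenter-tag": {
        "if": {"field": "tags.CostCenter", "exists": False},
        "then": {"effect": "deny"},
    },
    "audit-vm-sku": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "properties.hardwareProfile.vmSize",
                     "in": ["Standard_B2s", "Standard_D2s_v3"]}},
        ]},
        "then": {"effect": "audit"},
    },
}

def get_field(resource, path):
    """Resolve a dotted field path such as tags.CostCenter; None if absent."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(cond, resource):
    """Evaluate one condition block (field / not / allOf) against a resource dict."""
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, policies=POLICIES):
    """Return {policy_name: effect} for every policy whose 'if' block matches the resource."""
    return {name: p["then"]["effect"] for name, p in policies.items()
            if matches(p["if"], resource)}
```

A non-compliant VM in westus with no CostCenter tag and an oversized SKU trips all three rules; a compliant one returns an empty dict.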
Manage Azure Subscriptions - Scaffold
Core Foundation: aka.ms/Azure/Scaffold
Enterprise Scaffold: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/appendix/azure-scaffold
Naming convention: https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions
Manage Azure Subscriptions - Azure Management Groups
Make environment management easier by grouping subscriptions together
• Grouping subscriptions into logical groups allows for new organization models
• Inheritance allows for single assignment of controls that apply to all subscriptions
• Aggregated views above the subscription level
Create a hierarchy of management groups that fits your organization
• Create a flexible hierarchy that can be updated quickly
• Hierarchy doesn’t need to model the organization's billing hierarchy
• Can easily scale up or down depending on the organizational needs
Apply governance controls with policies and access controls along with other Azure services
• Azure Resource Manager (ARM) objects that allow integrations with other Azure services
• Azure services: Azure Policy, RBAC, Azure Cost Management, Azure Blueprints, Azure Security Center
Manage Azure Subscriptions - Management Group & Subscription Modeling Strategy
(Diagram: management groups for Shared services, App C and App D, each split into Prod and Pre-Prod subscriptions)
Manage Azure Subscriptions - Another example
Manage Azure Subscriptions - Management Groups Facts
• Each directory is given a single top-level management group called the "Root" management group
• A management group tree can support up to six levels of depth (not including root)
Manage Azure Subscriptions - Azure Management Groups Purpose
aka.ms/Azure/MgtGroups
Manage Azure Subscriptions - Resource groups
• Tightly coupled containers of multiple resources of similar or different types
• Azure resources contained should have the same lifecycle
• Every resource *must* exist in one resource group and only one resource group
• Resource groups can span regions
• Nesting of resource groups not supported
• Only Subscription Owners can create resource groups
Manage Azure Subscriptions - Manage Resource Groups, move Resources
Manage Azure Subscriptions - Locks
Manage Azure Subscriptions - Azure Tags
• Name-value pairs to organize resources
• Applied at the resource group or resource level
• Use cases:
• Environment (dev, qa, prod)
• Cost Management (bu, costcenter, region, owner)
• Application
• Compliance (hipaa, pii, germany)
• Configuration Management
• Maintenance window
Manage Azure Subscriptions - Tags add context
• Finance codes, CostCenter tag, etc.: tags should be enforced by configuration policies
(Diagram: tags applied across resource groups, resource providers and resources)
Azure Resource Manager Terminology
• Resource Manager template – declarative syntax
ARM Template Deployments
What?
• Instantiation of repeatable config.
• Source file, can be checked-in
Why?
• Ensure idempotency
• Simplify orchestration (dependencies, nested templates)
(Diagram: a template deploying a Resource Group containing a Website, SQL-A with its SQL config, and 2x Virtual Machines with their configuration)
ARM Template Syntax
JavaScript Object Notation (JSON) syntax - http://www.json.org/
Objects are unordered sets of name and value pairs
An object begins with left curly brace { and ends with right curly brace }
{
  "type": "Microsoft.Compute/virtualMachines",
  "location": "australiaeast",
  "apiVersion": "2015-05-01-preview",
  "dependsOn": [
    "Microsoft.Storage/storageAccounts/myStor001",
    "Microsoft.Network/networkInterfaces/myNic001"
  ],
  "tags": {
    "displayName": "Web VM"
  }
}
As annotated on the slide: the square brackets are the array delimiter, the double quotes the string delimiter, "tags" is a nested object, and the colon is the name / value delimiter.
Template Format
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": ""
}
• "$schema": location of the JSON schema file
• "contentVersion": your version number
ARM Template Elements
Variable Format
• Simple Variable "nicName": "myNic01"
Storage resources
• Managed Disks
• Storage accounts (Page blobs) – Standard & Premium Storage
Compute resources
• Virtual machines – Azure certified Windows & Linux Marketplace Images, Custom Images, Community Images
• Availability Sets
• VM extensions
VM disk layout:
• C:\ – OS disk (disk cache)
• D:\ – Temporary disk
• E:\, F:\, etc. – Data disks (on demand)
• G:\, H:\, etc. – SMB share
Azure Storage Overview
• Foundational building block of the Azure Cloud – Azure Data Lake, Azure SQL Data Warehouse, Azure HDInsight, OneDrive, Skype, Xbox,…
• All storage types are encompassed under the Storage Account service offering.
  – General Purpose Storage (Magnetic Tape)
  – Premium Storage (SSD/Low Latency/High IOPS/ Better performance)
• Hyper Scale: >60 trillion objects, >7 million transactions per second
• REST based API, multi-platform, open sourced client libraries for many languages (e.g. Java, Python, Node.js, PHP, Ruby, Android, etc.)
• Strong hybrid story - Azure Stack support and integration with StorSimple, Azure Backup and 3rd party storage vendors
Azure Files Overview
Files – “SMB Access to Azure Storage”
File storage, access via SMB and REST; “Lift & shift” scenarios
• Lift and shift on-premises applications
• Natively supported by OS APIs, libraries and tools
• Built on SMB 2.1 and 3.0, works with Windows and Linux
• No limits on number of shares
  – 5TB file share capacity or 100TiB (Preview)
  – 1000 IOPS per share, 100000 (Preview)
  – Up to 60 MB/s throughput
• Endpoints
  – \\myaccount.file.core.windows.net\myshare\myfile.txt
  – http://myaccount.file.core.windows.net/myshare/myfile.txt
Azure Table Storage Overview
Tables – “Massive auto-scaling NoSQL store”
NoSQL storage, key/value store, access via REST
• User, device and service metadata, structured data
• Schema-less entities with strong consistency
• Row-Column, Key-Value oriented solution
• Supports queries in the different SDKs
• No notion of joins or foreign keys
• No limits on number of table rows or table size
• Dynamic load balancing of table regions
• Best for Key/value lookups on partition key and row key
• Entity group transactions for atomic batching
• Endpoint – http://mystorageaccount.table.core.windows.net
Azure Queues Overview
Queues – “Reliable messaging system at scale for cloud services”
Reliable messaging, access via REST; scheduling async tasks
• Asynchronous Message Delivery
• Decouple components and scale them independently
• HTTP and SDKs Access
• Building processes/work flows
• No limits on number of queues or messages
• Message visibility timeout to protect from component issues
• UpdateMessage to checkpoint progress part way through
• Endpoint – http://mystorageaccount.queue.core.windows.net
Azure Blob Storage Overview
Blobs – “Highly scalable, REST based cloud object store”
Object storage, access via REST; streaming & random object access scenarios
• Data sharing, Big Data, Backups
• Unstructured storage of binary and text data
• Block Blobs: Read and write data in blocks. Optimized for sequential IO. Most cost effective Storage. Ideal for files, documents & media
• Page Blobs: Optimized for random access and can be up to 8 TB in size. IaaS VM OS & data disks are of this type.
• Append Blobs: Similar to block blobs and optimized for append operations. Ideal for logging scenarios and total size can be up to 195GB
• Endpoint – http://mystorageaccount.blob.core.windows.net/mycontainer/myblob
Storage Access
Authentication:
• Private Keys (account keys): for programmatic access, two rotating 512-bit strings that provide full access; the account name plus a storage key (primary / backup) are used for secure access
• Shared Access Signature: for programmatic access, generated URIs with restricted and scoped access
• RBAC for administrative access, used to secure the resource itself but not the contents of the resource
Tools:
• Azure Portal
• REST API
• SDKs, Libraries
• 3rd party clients
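The difference between a full-access account key and a scoped SAS comes down to an HMAC over the grant. The added example below (not from the slides or from the Azure SDK) models that mechanism: the key holder signs permissions, validity window and resource into a token, and the service recomputes the MAC before honouring it. The string-to-sign here is a simplified stand-in for Azure's real one (which has more fields and a version), and the key is constructed, not a real account key.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key (64 bytes, base64). A real account key is one of the two
# 512-bit strings from the portal and must never be checked into source.
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()

# Fields the signature covers, in a fixed order. Simplified model of Azure's
# string-to-sign: the MAC binds permissions, lifetime and resource together.
SIGNED_FIELDS = ("sp", "st", "se", "sr", "spr")

def string_to_sign(resource, params):
    return "\n".join([params.get(f, "") for f in SIGNED_FIELDS] + [resource])

def sign(resource, params, key=ACCOUNT_KEY):
    mac = hmac.new(base64.b64decode(key), string_to_sign(resource, params).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sas(resource, permissions, start, expiry, key=ACCOUNT_KEY):
    """Key holder issues a token granting `permissions` on one resource for a window."""
    params = {"sp": permissions, "st": start, "se": expiry, "sr": "b", "spr": "https"}
    params["sig"] = sign(resource, params, key)
    return urlencode(params)

def verify_sas(resource, query, now, key=ACCOUNT_KEY):
    """Service side: recompute the MAC over the presented fields, then check the window.
    Returns the granted permission string, or None if the token must be rejected."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    presented = params.pop("sig", "")
    if not hmac.compare_digest(presented, sign(resource, params, key)):
        return None            # any edit to sp/se/resource breaks the signature
    if not params["st"] <= now < params["se"]:
        return None            # outside the validity window
    return params["sp"]
```

Timestamps are compared as fixed-format strings for brevity; a real verifier parses them.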
Storage Replication
• Locally redundant storage (LRS)
– The default setting that makes 3 copies in the same DataCenter.
OS Disk – Managed Disks
• Simple – Abstracts storage accounts from customers; disks do not live in a storage account
• Granular access control – Top level ARM resource, apply Azure RBAC
• Storage account limits do not apply – No throttling due to storage account IOPS limits
• Big scale – 20,000 disks per region per subscription
• Better Storage Resiliency – Prevents single points of failure
• Can only use LRS replication
Data Movement
• AzCopy tool simplifies data migration at scale
• Efficient means of copying millions of files – large or small
• Includes journaling for reliability
• Supports Blob Storage, Table Storage and File Storage
Storage Services
• Store, backup, recover your data (Windows Azure Storage)
• Geo replication: defend against regional disasters – East DC and West DC more than 400 miles apart
Hands-on-Labs
https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/
Deploy & Manage Virtual Networks (30-35%)
Azure Networking
• Virtual Networks (VNETs)
• Network Security Groups
• Azure DNS
• Azure Load Balancer
• Azure Traffic Manager
• Network Virtual Appliances
Microsoft’s network is one of the largest in the world
(Figure: Internet connectivity by country – world map with a legend of Internet users per country)
(Figure: Microsoft global WAN – edge node locations across North America, South America, Europe, Africa, Asia and Australia)
Software-defined networking (SDN)
Building the right abstractions to enable scale and agility
• Abstract the management, control, and data planes
• Management plane: compose compute & storage roles and networks; create a tenant
• Control plane: tell and program instead of discover and react (example: ACLs)
(Diagram: Azure front-end, tenant, application plane, management plane, control plane with a controller, proprietary hardware appliance versus commodity hardware, physical transport)
Front-end access
• Dynamic/static public IP addresses
• Direct VM access, NSGs for security
• VPN Gateways
• Load balancing
• DNS services: hosting, traffic management
• DDoS protection
Back-end connectivity
• Point-to-site for dev/test
• ExpressRoute
• Peering for cross-VNet connectivity in the same region
• VPN Gateways for secure cross region connectivity
• ExpressRoute for private enterprise grade connectivity
Your virtual private network in the cloud
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Segmenting the Virtual Network
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Routing within a Virtual Network
• All subnets can see/route to all other subnets
• Virtual Network subnets (multiple)
  – Azure reserves the first three and the last IP from the pool
  – First usable address of a /24 is .4
• Service Tags
VNet peering
• No overlapping IP address
• Cannot modify the address space, you must delete the peering for that
• No Transitivity
A NIC can have:
• 1 Private IP – Static or Dynamic
• 1 Public IP – Static or Dynamic
• 1 LB VIP – Static or Dynamic
(Diagram: Internet to a VIP 133.44.55.66 in front of a Virtual Network with Backend, Mgmt. and Frontend subnets)
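The subnet reservation and the no-overlap rule for peering above are easy to get wrong when planning address space by hand. The added example below (written for this page, not Microsoft's tooling) applies both rules with the standard library: it lists the addresses Azure actually hands out in a subnet (network address plus the next three and the last address withheld, minimum /29) and rejects a proposed subnet or peering whose ranges overlap. All address spaces in it are constructed.

```python
import ipaddress

# Azure withholds the network address, the next three addresses and the last
# address of each subnet, so the first usable host of a /24 is .4 and the
# smallest subnet Azure accepts is a /29.
RESERVED_AT_START = 4
MAX_PREFIX = 29

def usable_addresses(cidr):
    """Return the host addresses Azure actually hands out in `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > MAX_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /{MAX_PREFIX} or larger")
    addrs = list(net)                       # includes network and last address
    return [str(a) for a in addrs[RESERVED_AT_START:-1]]

def overlaps(spaces_a, spaces_b):
    """Pairs of address spaces that overlap; peering and subnet placement require none."""
    return [(a, b) for a in spaces_a for b in spaces_b
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]

def plan_subnet(vnet_spaces, existing_subnets, new_subnet):
    """Check that a proposed subnet fits one of the VNet's address spaces and
    collides with no existing subnet. Returns (ok, reason)."""
    new = ipaddress.ip_network(new_subnet, strict=True)
    if not any(new.subnet_of(ipaddress.ip_network(s)) for s in vnet_spaces):
        return False, "subnet is outside the VNet address space"
    clash = overlaps([new_subnet], existing_subnets)
    if clash:
        return False, f"overlaps existing subnet {clash[0][1]}"
    return True, f"{len(usable_addresses(new_subnet))} usable addresses"
```

overlaps() applied to two VNets' address-space lists answers whether they can be peered at all.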
DNS in Azure
Name Resolution on a vNet
• Azure creates name resolution automatically for all VMs within a vNet
• It does not work outside the vNet or across peerings
• For that you need Azure DNS or a custom DNS server
Azure DNS
• Manage DNS seamlessly with your Azure services
• Globally distributed architecture, resilient to multiple region failure
• Fast global DNS name resolution
• 99.99% Availability SLA
• All common DNS record types
(Diagram: a user-defined route sending traffic through a VM/appliance)
Networking limits
Resource | Default Limit | Maximum Limit
Virtual Networks per subscription | 50 | 500
DNS Servers per VN | 9 | 25
Private IP Addresses per VN | 4,096 | 4,096
Concurrent TCP connections for a VM or role instance | 500,000 | 500,000
Network Interfaces (NIC) | 300 | 10,000
Network Security Groups (NSG) | 100 | 400
NSG Rules per NSG | 200 | 500
User defined route tables | 100 | 200
User defined routes per route table | 100 | 400
Public IP addresses (dynamic) | 60 | Contact Support
Public IP addresses (static) | 20 | Contact Support
Load balancers (internal or internet facing) | 100 | Contact Support
Load balancer rules per balancer | 150 | 150
Public front end IP per balancer | 5 | Contact Support
Private front end IP per balancer | 30 | Contact Support
VNet peerings per VN | 10 | 50
Azure Load Balancer
What key features does the Azure LB support?
• Hash-based traffic distribution
• TCP and UDP support
• Port Forwarding
• Idle Timeout Adjustment
• Client IP Affinity
• TCP and HTTP health monitoring
• NAT and SNAT
Internet-facing LB (ARM)
• Load balancing over public IPs, e.g. 25.1.2.3:443 / Contoso.cloudapp.azure.com
• Load balancing rule / NAT rule
Internal LB (ARM)
ExpressRoute Circuit
Microsoft Peering for Dynamics 365, Azure public services (public IPs)
Classic subscription administrators:
Role | Limit | Permissions | Notes
Service Administrator | 1 per Azure subscription | Manage services in the Azure portal; Assign users to the Co-Administrator role | By default, for a new subscription, the Account Administrator is also the Service Administrator. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal.
Co-Administrator | 200 per subscription | Same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories; Assign users to the Co-Administrator role, but cannot change the Service Administrator | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
Azure Active Directory administrator roles:
Role | Permissions | Notes
Global Administrator | Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory; Assign administrator roles to others; Reset the password for any user and all other administrators | The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.
User Administrator | Create and manage all aspects of users and groups; Manage support tickets; Monitor service health; Change passwords for users, Helpdesk administrators, and other User Administrators |