Deploy and Manage Azure Compute services
Azure Virtual Machines
Custom Script Extensions
This tool can be used on Azure virtual machines to download and execute scripts.
This is ideal when you want to deploy a custom configuration or a software installation on a virtual machine.
The scripts can be located in an Azure storage account or even in GitHub.
A time duration of 90 minutes is allowed for the script to run. Any longer and the result will be a failed extension provision.
It is best not to place reboots inside the script, because the extension will not continue after the reboot. Hence if you have other commands that need to run via the extension after the reboot, they won't run.
If your script does need a reboot, then look at other tools such as Desired State Configuration, Chef or Puppet.
The script will run only once.
The Custom Script Extension runs under the LocalSystem account.
Proximity Placement Groups
• Normally when you create multiple virtual machines, or virtual machines that are part of a virtual machine scale set, these machines could be located on different physical servers.
• Sometimes an application/system that uses multiple virtual machines wants the virtual machines to be located closer together, to get the least latency when it comes to communication between the virtual machines.
• By placing the virtual machines in a proximity placement group, the virtual machines will be physically located close to each other.
• When using proximity placement groups, ensure the virtual machines have accelerated networking enabled. This also helps to improve network performance.
• When deploying VMs from different families or SKUs, try to deploy them as part of a single template. This will increase the probability of all VMs being deployed successfully.
• A proximity placement group is assigned to a data center when the first resource (VM) is deployed, and released once the last resource is deleted or stopped.
Azure Web App Logging
• You get a set of logging features that are available for the Azure Web App.
• The different types of logging that are available are:
  • Application Logging – This captures log messages that are generated by your application code.
  • Web server logging – This records raw HTTP request data.
  • Detailed Error Messages – This stores copies of the .htm error pages that would have been sent to the client browser.
  • Deployment logging – These are the logs generated when you publish content to an application.
• You can also stream logs in real time.

Azure Web App Backups
• The backup feature that is available with Azure Web App can be used to create backups of your web app.
• The backups are stored in an Azure storage account.
• Here the App configuration, the file content and the database connected to the application get backed up.
• To use the Backup and Restore feature, the App Service Plan needs to be in the Standard, Premium or Isolated tier.
• Backups of the app + database can be up to a maximum of 10 GB.
Configure and manage Virtual networking
Network Watcher Service
1. IP Flow Verify – This can be used to check if a packet is allowed or denied to or from a virtual machine. If a packet is being denied by a security group, you can see which rule is denying the packet.
2. Next hop – Here you can see the next route for a packet of data. This helps you understand whether the packet is being routed to the correct destination.
3. Connection Monitor – Check the network connectivity between machines. These can be in Azure or in your on-premises environments.
4. Connection troubleshoot – Check the connection from a virtual machine to a virtual machine, fully qualified domain name, URI or IPv4 address.

Network Watcher Service
1. NSG Diagnostic – Provides detailed information that helps to understand and debug the security configuration of the network.
2. NSG Flow Logs – This helps to log information about the IP traffic that is flowing through an NSG.
3. Traffic Analytics – Helps to provide visibility into user and application activity in cloud networks.
Summary
Virtual Network
1. Isolated – This is an isolated network on the Azure cloud.
2. Managed – Here you don't need to deploy an infrastructure to have a network in place.
3. Resources – You can then place resources such as Azure virtual machines within the virtual network.
4. Internet – By default all resources in the virtual network can communicate outbound with the internet.
IP addresses
• Private IP addresses – These allow communication between resources such as Azure virtual machines without the need of assigning Public IP addresses.
• Public IP addresses – These allow Internet resources to communicate inbound to Azure resources such as Azure virtual machines.
• Public IP addresses - Static – The IP address is assigned at the time the resource is created.
• Public IP addresses - Dynamic – The IP address is allocated when it is assigned to a resource. Also, the IP address is released when you stop or delete the resource.
Network Security Groups
• This is used to filter network traffic in an Azure virtual network.
• You define different rules as part of the Network Security Group. You have Inbound and Outbound rules.
• For each rule you specify the source and destination of the traffic, the port and the protocol.

Application Security Groups
• This is used when you want to apply network filtering rules to a group of machines.
• Instead of specifying the IP address of the machine, you can make the machine part of an Application Security Group.
• You can then reference the Application Security Group in the Network Security Group rules.
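As an added illustration (not Microsoft's code or the Azure SDK) of how the NSG rules described above are evaluated, and of the answer IP Flow Verify gives, the following model walks inbound rules in priority order with first match wins, resolves "asg:" references to Application Security Group members, and ends with the default DenyAllInBound rule. Rule names, addresses and ASG membership are constructed; service tags such as Internet and VirtualNetwork are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    priority: int       # lower number is evaluated first; the first match wins
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR prefix, "*" or "asg:<name>"
    destination: str    # CIDR prefix, "*" or "asg:<name>"
    dest_ports: tuple   # e.g. ("22",), ("80", "443"), ("1024-65535",) or ("*",)


# Constructed sample: private IPs of the NICs that belong to each ASG.
ASG_MEMBERS = {"web": {"10.0.1.4", "10.0.1.5"}}

# Constructed sample inbound rule set. The last entry mirrors Azure's
# built-in DenyAllInBound default rule at priority 65500.
INBOUND_RULES = [
    Rule("AllowSSHFromAdmin", 100, "Allow", "Tcp", "203.0.113.0/24", "*", ("22",)),
    Rule("AllowWebToWebASG", 200, "Allow", "Tcp", "*", "asg:web", ("80", "443")),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", ("*",)),
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return ip in ASG_MEMBERS.get(spec[4:], set())
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(specs, port):
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")        # "443" or "1024-65535"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, dst_port, protocol):
    """Return (access, rule_name) of the first rule, by priority, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _addr_match(rule.source, src_ip)
                and _addr_match(rule.destination, dst_ip)
                and _port_match(rule.dest_ports, dst_port)):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"  # not reached while the default rules exist
```

The returned rule name is the same information IP Flow Verify shows when it reports which rule denied a packet.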
Load Balancer
• This service is used to distribute incoming network traffic across a group of backend resources or servers.
• You can define two types of load balancers – Public or Private Load Balancers.
• You have 2 SKUs for the Load Balancer – Standard and Basic Load Balancer.

Basic Load Balancer
• Pricing – You are not charged for the Load Balancer.
• SLA – There is no SLA.
• Backend machines – Here the machines need to be part of an availability set or scale set.
• Support for zones – There is no support for availability zones.

Standard Load Balancer
• Pricing – There is a price per hour.
• SLA – There is an SLA of 99.99%.
• Backend machines – Here the machines need to be part of an availability set or scale set, or they can be individual machines.
• Support for zones – Here you get support for availability zones.

Components of a Load Balancer
• Frontend IP – Here you define an IP address for the load balancer.
• Backend pool – This contains the backend virtual machines.
• Health probes – This helps to check the status of the backend pool.
• Rules – The Load Balancing rules define how to distribute the incoming traffic.
Application Gateway
• This is a web traffic load balancer that works at layer 7 of the OSI model.
• Here the application gateway can make routing decisions based on HTTP attributes.
• You also get other features such as Secure Sockets, Zone Redundancy etc.

Virtual Network Peering
• This allows you to connect two or more Azure virtual networks.
• Here the traffic between the virtual machines in the virtual networks is routed via the Microsoft backbone infrastructure.
• Remember that you can use just one deployment of Azure Bastion in one network to RDP/SSH into machines in peered virtual networks.
• You can also peer virtual networks located in different Azure regions.

VPN Gateway
• An Azure VPN gateway can be used to send encrypted traffic between an Azure virtual network and an on-premises location over the Internet.
• Point-to-Site VPN – This lets you create a secure connection from the Azure virtual network to an individual client computer.
• Site-to-Site VPN – This provides connectivity between an on-premises network and an Azure virtual network.

Azure Bastion
• This service allows you to connect to a virtual machine by using the browser and the Azure portal.
• Here you can either RDP or SSH into your Azure virtual machines.
• This is a fully managed PaaS service. Here your machines don't need to have a public IP address.
Azure Storage Accounts
Object replication
• This feature can be used to copy blobs between a source and a destination storage account.
• You can create rules to specify which objects get replicated from the source to the destination.
• Storage Account support – General Purpose V2 and Premium Blob accounts.
• Blob versioning should be enabled on both the source and destination storage account.
• Change feed is enabled on the source storage account.
Copying data
Azure Import/Export Service
1. Copying Data – This is used for copying large amounts of data to Azure Blob storage and Azure Files.
2. Jobs – You basically create a job via the Azure Portal. This will be used for transferring data to a storage account.
3. Disk Drives – Here you make use of disk drives. You can use your own disk drives or use the ones provided by Microsoft.
4. Transfer data – You can also transfer data from Azure Blob storage to your on-premises environment.

Azure Import/Export Service components
• Import/Export Service – This is available in the Azure Portal. It helps to track the data import or export job.
• WAImportExport tool
  • It encrypts the data on the drive.
  • It prepares the disk drives that are required for import.
  • It generates the drive journal files that are used during the import job creation.
  • It helps to copy the data onto the disk drive.
  • It helps identify the number of drives needed for the export jobs.

Azure Data Box
1. Data transfer – Helps to send terabytes of data in and out of Azure.
2. No Internet – You don't need to use your Internet connection to transfer the data.
3. Scenario – Ideal when you want to transfer data sizes that are larger than 40 TB.
4. Device – You order the Data Box device via the Azure Portal.
Summary
Azure Storage accounts
• This service allows you to store objects on the cloud.
• Here you can make use of different services – Blob, Queue, File and Table.
• There are also different types of storage accounts.

Storage account types
1. Standard general-purpose v2 – Gives you access to the Blob, Queue, Table and File services.
2. Premium block blobs – This is premium storage for your block blobs.
3. Premium file shares – This is a premium storage account for your file shares.
4. Premium page blobs – This is premium storage for your page blobs.

Azure Blob service
• This service is optimized for storing large amounts of unstructured data.
• Use case examples – storing images, videos, log files, documents.
• In the blob service, you will create a container. This is used to organize a set of blobs.
• Block blobs – This is used to store text and binary data.
• Page blobs – This is used to store virtual hard drive files that are used as disks for your Azure virtual machines.

Azure Files
• This is used for hosting file shares on the cloud.
• These shares can be accessed via the SMB – Server Message Block protocol.
• You can mount the file shares from Windows, Linux and macOS clients.

Access tiers
• Hot – This is optimized for data that is accessed frequently.
• Cool – This is optimized for data that is infrequently accessed and stored for at least 30 days.
• Archive – This is optimized for storing data that is rarely accessed and stored for at least 180 days.
• The Archive access tier is good for long-term backups.
• You can set the access tier at the Storage account level to Hot or Cool.
• At the object level, you can also set the Archive access tier.

Data Redundancy
• Locally redundant storage (LRS) – Here data is copied synchronously three times within a single physical location in the primary region.
• Zone-redundant storage (ZRS) – Here data is copied synchronously across three Azure availability zones in the primary region.
• Geo-redundant storage – Here data is copied synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region.
• Geo-zone-redundant storage – Here data is copied synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.
Manage Azure identities and governance
Resource tags
This can be used to organize your resources.
Each tag consists of a name and a value pair.
For example, if you want to tag resources to a specific department, you can make use of resource tags.

Resource locks
Locking resources can help ensure users don't accidentally delete or modify resources.
There are two types of locks:
CanNotDelete - authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly - authorized users can read a resource, but they can't delete or update the resource.

Self-Service Password Reset
This feature helps users to reset their password without the need of contacting the IT help desk staff.
• License – Password reset needs Azure AD Premium P1 or P2 licenses for users.
• Number of methods – Define the number of authentication methods required to reset the password.
• Password writeback – If there is a hybrid environment, the changed passwords can be written back to the on-premises Active Directory.
• Number of days – Number of days before users need to reconfirm their authentication information.
• Notification – Notify users when a password is reset.
• Authentication Methods – You can define the authentication methods used to reset the password.
Summary
Azure Active Directory
1. Identity – This is a cloud-based identity and access management service.
2. Access – You can authenticate users and grant access to resources.
3. Azure and Microsoft 365 – This identity provider works for both Azure and Microsoft 365.
4. Security – You have different security features available.

Azure Active Directory licenses
• Azure Active Directory Free – Here you get user and group management, basic reports.
• Azure Active Directory Premium P1 – Dynamic groups, more hybrid capabilities.
• Azure Active Directory Premium P2 – Azure AD Identity Protection, Privileged Identity Management.

Azure Active Directory and subscriptions
• There is a trust relationship between an Azure Active Directory and an Azure subscription.
• Each subscription can only trust a single Azure AD directory.
• Multiple subscriptions can trust the same Azure AD directory.

Role-based access control
• You can give access to resources within your subscription with the use of Role-based access control.
• There are many built-in roles.
• You can create your own custom roles. When creating a custom role, you can clone an existing built-in role or even clone an existing custom role.
• You can assign roles at different levels. If you assign the role at a higher level, the role will apply to all of the child resources. For example, if you assign a role at a resource group, it will apply to all resources within the resource group.

Custom domains
• You can map your own custom domain to an Azure Active Directory tenant.
• To implement this, you need to add a TXT record at your domain registrar.

Multi-Factor Authentication
• MFA - Multi-Factor Authentication provides an extra layer of security when it comes to authentication.
• It's a good practice to enable MFA for your privileged users.

Azure AD Conditional Access
1. Conditions – Here you can define conditions based on which you want to give access to users for a resource.
2. Signals – You can make use of different signals for the conditions – the user and their location, the device they are logging in from, the application, real-time risk.
3. Access – Based on the condition you can decide whether the user should be allowed access, blocked, or required to use MFA.
4. Enforced – These rules are enforced after the first-factor authentication is complete.
Administrative Units
• This is a resource in Azure Active Directory that can be used as a container for other Azure Active Directory resources.
• Here the administrative unit can only contain users, groups or devices.
• Here you can restrict permissions in a role to a portion of the defined organization.

Management Groups
1. Organization – You can organize your subscriptions into management groups.
2. Azure AD Tenant – All subscriptions in the management group must trust the same Azure AD tenant.
3. Access permissions – You can apply access permissions at the Management Group level.
4. Policy – You can apply policies at the Management Group level.

Root Management Group
1. Root Group – There is a top-level management group called the "Root" management group.
2. Tenant Root Group – The name assigned to the root group is the Tenant Root Group.
3. Elevation – The Azure AD Global administrator needs to elevate themselves to the User Access Administrator role for this root group.
4. Policies and Access Permissions – You can assign permissions and role assignments at this level.
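An added illustration (not Microsoft's code) of the scope inheritance described for Role-based access control above and for management groups here: an assignment at a parent scope (root group, management group, subscription or resource group) applies to every child resource. Management-group names, subscription ids, principals and resource ids are constructed; real Azure also applies deny assignments and resource locks, which this model omits.

```python
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample: the management-group chain above each subscription,
# innermost first, ending at the tenant root management group.
MG_CHAIN = {
    "sub-1111": ["mg-prod", "tenant-root"],
    "sub-2222": ["mg-dev", "tenant-root"],
}


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str


def scope_applies(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`."""
    if scope.startswith(MG_PREFIX):
        # Management-group scopes are not prefixes of a resource id: resolve the
        # subscription named in the id and walk its management-group chain.
        subscription = resource_id.split("/")[2]
        return scope[len(MG_PREFIX):] in MG_CHAIN.get(subscription, [])
    # Compare on segment boundaries so ".../rg-app" does not match ".../rg-app2".
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")


def effective_roles(assignments, principal, resource_id):
    """Roles `principal` holds on `resource_id`, including those inherited from parents."""
    return {a.role for a in assignments
            if a.principal == principal and scope_applies(a.scope, resource_id)}


# Constructed sample resource ids and role assignments.
VM1 = "/subscriptions/sub-1111/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = "/subscriptions/sub-1111/resourceGroups/rg-app2/providers/Microsoft.Compute/virtualMachines/vm2"
ASSIGNMENTS = [
    Assignment("alice", "Reader", MG_PREFIX + "tenant-root"),
    Assignment("alice", "Contributor", "/subscriptions/sub-1111/resourceGroups/rg-app"),
    Assignment("bob", "Owner", "/subscriptions/sub-2222"),
    Assignment("carol", "Virtual Machine Contributor", VM1),
]
```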
Monitor and backup Azure resources
Azure VM Insights
1. Monitor – This helps to monitor the performance and health of virtual machines.
2. Identify Issues – You can identify performance and network issues based on the data collected.
3. Support – Works for Azure virtual machines, Virtual Machine Scale Sets and on-premises virtual machines.
4. Data – Here the data collected is stored in Azure Monitor logs.

Microsoft Azure Recovery Services (MARS) agent
1. Selective backups – Here you can perform selective backups of files and folders.
2. Agent – Here you download and install the Recovery Services agent.
3. Machines – This can be done on your Azure virtual machines or your on-premises machines.
4. Backup – Windows files and folders. Protect an entire Windows volume. Protect the Windows system state.