AZ-104¶

Deploy, update, or delete multiple resources in coordination
When you send a request through any of the Azure APIs, tools, or SDKs, Resource Manager receives the request.
Overview

Configure Azure Resources Tools

VIRTUAL NETWORKING¶

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-protocols-can-i-use-within-vnets https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

4 IPs are reserverd by Azure. Each subnet need its own address range.

.0 : Network address .1 : Reserved by Azure for the default gateway .2,.3 : Reserved by Azure to map the Azure DNS IPs to the VNet space .255 : Network broadcast address.

Private IP addresses: VPN gateway or ExpressRoute

Public IPs costs around 5€ per month You can buy one to expose a Load Balancer

Dyanimc/Static IP Virtual machine VPN GW App GW LB

Network Security Group https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works Rules:
Source
Destination
Service
App Security Groups group VM and Servers You can wrap the ASG with a NSG
Firewall Stateful service. Hihly available and scalable. Log applications Threat filtering. Price around 10.000€year + extra GB traffic

Azure DNS zones hosts the DNS records for a domain. Child zones are registered in the parent domain. 20 records per record set.

Private DNS zones name resoultion for VMs in a VNET reverse DNS resolution works only in the same VNET

Global and Regional across subscription and tenants Uses Azure backbone

Allow gateway Transit

VPN (virtual network) GW 1 GW subnet 2 VPN GW route or policy based. VPN/ExpressRoute. Public IP. site-to-site (S2S/ IPSEC) and Net-to-VNet By default Active/Standby 3 Local network GW refers to the on-premises location 4 VPN device on-premise 5 VPN connection
UDR
ExpressRoute Direct connect directly into Microsoft's global network at peering location. ExpressRoute Direct provides dual 100 Gbps or 10 Gbps connectivity, which supports Active/Active connectivity at scale. Always S2S
User defined Routes route table contains routes for packages in a vnet

Private Link VS Peering ? Private Endpoint can be connected with Private Link to other resources

LOAD BALANCER Application gateway: Http, Https, WAF, Private (region specific), also non Azure resources Front Door: microservice apps, HTTP HTTPS, Global, WAF, NSG Load Balancer: TCP, UDP, private balancing between Azure resources SKU: Basic: no SLA Standard: any kind of VM o VM set Session persistance

Traffic Manager: based on DNS distributes traffic between global public resources.

Network Watcher Regional service. Next HOP check. Connectivity issues. VPN diagnostics. IP flow verifier: ping + tracer.

STORAGE¶

local disk hard drives for creating a big pool on the hyperV server

Containers BLOB: unstructured data (img, web docs, video, audio...) accounts have unlimited containers Tables structured, non relational data Queues FIFO storage for msg Files VM hard drives SMB + REST interface incremental Snapshot File Sync (extend on-prem storage): storage sync service prepare win server install agent register win server

Containers + Files Access Tiers: Hot = frequent access Cool = large amount of data not freq accessed Archive = hours of retrieval latency You can switch between them. Lifecycle management rules.

Storage Account standard premium blobs premium file: high performance file share apps premium page blobs All data is locked by Storage Service Encryption (SSE)

Replication: - LRS: 1 region, 3 replicas - ZRS: 1 region, 3 replicas, 3 zones - GRS: 2 regions, 6 replicas - RA-GRS - GZRS: 6 rep, 3+1 zon, 2 reg - RA-GZRS

You should restrict network access to the St Ac after creation.

A shared access signature (SAS) is a URI that grants restricted access to an Azure Storage blob.

VM¶

Can't change VNet anymore os disk + temp disk + data disk os and data disk reside in storage accounts Best to use SSH connection behind a VPN GW

Availability Zones independent locations ina a region update + fault domains 99,99% SLA

APP Services¶

.NET, Node.js, PHP, Java, Python, HTML, containers

Deployment slots

AKS¶

Cluster autoscaler Horizontal POD autoscaler

Azure Backup Center¶

You need a backup agent to transfer data to the vault. 1. create recovery service vault 2. download and install the agent and credential file 3. configure the backup

Microsoft Azure Recovery Services (MARS) Agents.

Azure backup vault -> blobs, disks, postgreSQL, AKS services
Recovery Services -> VM snaphost, Azure files,
Azure backup Server -> linux support, recover granularity

Azure Monitor¶

apps
VM
Storage accounts
containers
networks
DBs
key vaults

Log Analytics -> stream to Event Hub Can create Workspace to collect data.

FAQ¶

management group Several azure polices can be applied with at once with Policy INITIATIVE Az management group are a way to organize multiple subscriptions
Role to modify settings on a VM Contributor
Custom role definitions
Team member access IAM > check access
geo redundant storage VS Zone RS
storage account global unique
blob storage replication
secure access for azure storage users access keys
easiest way to implement secure storage for hundred of resources stored access policies

Vnet gateway next hop types
private dns custom domains