AZ104¶
STUDY: https://www.youtube.com/playlist?list=PLlVtbbG169nGlGPWs9xaLKT1KfwqREHbs ~40h ====================
1) AD¶
Invited accounts will stay as gests and can't become admin. https://www.youtube.com/watch?v=6Vm-h_3nKjc&list=PLlVtbbG169nGlGPWs9xaLKT1KfwqREHbs&index=7&ab_channel=JohnSavill%27sTechnicalTraining
-
Regions A region is a collection of datacenters.
-
Subscription: billing boundary free payu as you go cloud Solutiuon partner enterprise student You can ask an increase in Sub resource limits
-
Resouce groups resources can be in only one RG groups can not be nested locks can prevent deletions or modifications
-
management groups above subscriptions global spending budgets
-
tagging logically organization in taxonomy
-
Costs differ by location, inbound/outbound traffic pre-pay azure reserved instances re-use on-prem licenses
-
Azure Policies resource types, SKU, location, required tags, backups You can combine multiple policies deletions in an INITIATIVE Assignable to management group subscriptions resource group
-
RBAC bind a role definition to a user, group or Service Principal
-
Resource manager (ARM) Deploy update or delete multiple resources in coordination When you send a request through any of the Azure APIs, tools, or SDKs, Resource Manager receives the request.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview https://learn.microsoft.com/en-us/training/modules/configure-azure-resources-tools/?WT.mc_id=ilt_partner_webpage_wwl&ocid=1019698
- https://learn.microsoft.com/en-us/training/modules/configure-azure-resources-tools/?WT.mc_id=ilt_partner_webpage_wwl&ocid=1019698
====================¶
VIRTUAL NETWORKING
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-protocols-can-i-use-within-vnets https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
4 IPs are reserverd by Azure. Each subnet need its own address range.
.0 : Network address .1 : Reserved by Azure for the default gateway .2,.3 : Reserved by Azure to map the Azure DNS IPs to the VNet space .255 : Network broadcast address.
Private IP addresses: VPN gateway or ExpressRoute
Public IPs costs around 5€ per month You can buy one to expose a Load Balancer
Dyanimc/Static IP Virtual machine VPN GW App GW LB
- Network Security Group https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works Rules:
- Source
- Destination
-
Service
-
App Security Groups group VM and Servers You can wrap the ASG with a NSG
-
Firewall Stateful service. Hihly available and scalable. Log applications Threat filtering. Price around 10.000€year + extra GB traffic
Hub - Spoke architecture Bastion | | VM1 Firewall | peering | VM2 Bastion | |
- Azure DNS zones hosts the DNS records for a domain. Child zones are registered in the parent domain. 20 records per record set.
Private DNS zones name resoultion for VMs in a VNET reverse DNS resolution works only in the same VNET
-
VPN Gateway https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
-
PEERING https://learn.microsoft.com/en-gb/training/modules/configure-vnet-peering/7-knowledge-check?WT.mc_id=ilt_partner_webpage_wwl&ocid=1019698
Global and Regional across subscription and tenants Uses Azure backbone
Allow gateway Trasit
- VPN (virtual network) GW 1 GW subnet 2 VPN GW route or policy based. VPN/ExpressRoute. Public IP. site-to-site (S2S/ IPSEC) and Net-to-VNet By default Active/Standby 3 Local network GW refers to the on-premises location 4 VPN device on-premise 5 VPN connection
-
UDR
-
ExpressRoute Direct connect directly into Microsoft's global network at peering location. ExpressRoute Direct provides dual 100 Gbps or 10 Gbps connectivity, which supports Active/Active connectivity at scale. Always S2S
-
User defined Routes route table contains routes for packages in a vnet
Private Link VS Peering ? Private Endpoint can be connected with Private Link to other resources
- LOAD BALANCER Application gateway: Http, Https, WAF, Private (region specific), also non Azure resources Front Door: microservice apps, HTTP HTTPS, Global, WAF, NSG Load Balancer: TCP, UDP, private balancing between Azure resources SKU: Basic: no SLA Standard: any kind of VM o VM set Session persistance
Traffic Manager: based on DNS distributes traffic between global public resources.
- Network Watcher Regional service. Next HOP check. Connectivity issues. VPN diagnostics. IP flow verifier: ping + tracer.
============================== STORAGE ============================== local disk hard drives for creating a big pool on the hyperV server
Containers BLOB: unstructured data (img, web docs, video, audio...) accounts have unlimited containers Tables structured, non relational data Queues FIFO storage for msg Files VM hard drives SMB + REST interface incremental Snapshot File Sync (extend on-prem storage): storage sync service prepare win server install agent register win server
Containers + Files Access Tiers: Hot = frequent access Cool = large amount of data not freq accessed Archive = hours of retrieval latency You can switch between them. Lifecycle management rules.
Storage Account standard premium blobs premium file: high performance file share apps premium page blobs All data is locked by Storage Service Encryption (SSE)
Replication: - LRS: 1 region, 3 replicas - ZRS: 1 region, 3 replicas, 3 zones - GRS: 2 regions, 6 replicas - RA-GRS - GZRS: 6 rep, 3+1 zon, 2 reg - RA-GZRS
You should restrict network access to the St Ac after creation.
A shared access signature (SAS) is a URI that grants restricted access to an Azure Storage blob.
=========== VM =========== Can't change VNet anymore os disk + temp disk + data disk os and data disk reside in storage accounts Best to use SSH connection behind a VPN GW
Availability Zones independent locations ina a region update + fault domains 99,99% SLA
============ APP Services ============ .NET, Node.js, PHP, Java, Python, HTML, containers
Deployment slots
============ AKS ============ Cluster autoscaler Horizontal POD autoscaler
============ Azure Backup Center ============ You need a backup agent to transfer data to the vault. 1. create recovery service vault 2. download and install the agent and credential file 3. configure the backup
Microsoft Azure Recovery Services (MARS) Agents.
- Azure backup vault -> blobs, disks, postgreSQL, AKS services
-
Recovery Services -> VM snaphost, Azure files,
-
Azure backup Server -> linux support, recover granularity
============ Azure Monitor ============ - apps - VM - Storage accounts - containers - networks - DBs - key vaults
Log Analytics -> stream to Event Hub Can create Workspace to collect data.
FAQ - management group Several azure polices can be applied with at once with Policy INITIATIVE Az management group are a way to organize multiple subscriptions
- Role to modify settings on a VM Contributor
- Custom role definitions
- Team member access IAM > check access
- geo redundant storage VS Zone RS
- storage account global unique
- blob storage replication
- secure access for azure storage users access keys
- easiest way to implement secure storage for hundred of resources stored access policies
Vnet gateway next hop types private dns custom domains