Category: Azure

Azure Exam Study Guide

The following is how I go about preparing for an Azure exam. Hopefully this will give you an idea of how I prepare for any Azure exam.

Let's use the AZ-500 Azure Security exam as an example, since this is what I will be studying for going forward.

Step 1
Locate the official Microsoft exam page, which contains all the info on the exam:

https://www.microsoft.com/en-us/learning/exam-az-500.aspx

I start by reading through this carefully, and I check the page regularly whilst studying to make sure nothing has changed, as this can happen, so remember to check back often.

Step 2
I then make a OneNote page listing all the skills being measured, like so:

  • Manage identity and access (20-25%)
  • Implement platform protection (35-40%)
  • Manage security operations (15-20%)
  • Secure data and applications (30-35%)

This exam looks to be well spread out across all 4 areas. So now I will take each skill being measured and copy it into my OneNote page.

Step 3
Now I will go and find links on docs.microsoft.com for each of the skills being measured.

Tip: Some people may already have done this, so google for AZ-500 exam study guides and use them if you prefer. My Twitter friends https://twitter.com/Pixel_Robots and https://twitter.com/tamstar1234 both have excellent study guides on a number of exams.

Step 4
I search for online training on edX, Udemy, Pluralsight etc. and read the reviews. Of late I have solely used edX, as those courses are specifically written with the exam skills being measured in mind (straight to the good stuff). If I want a more rounded course I'll also check out Udemy, Pluralsight etc.

Step 5
I take notes as I go and pop the main themes and big picture content into my OneNote page for brushing up just before my exam.

Step 6
I have a calendar above my monitor at home and I plan out the end goal for each section with a rough idea of when I hope to have the section completed by.

Step 7
I finish off the course and then look for practice exams. I've used Whizlabs for the AZ-400, which was great, and Udemy for the AZ-100, 200 and 300 exams. Anything I get wrong or just don't understand I'll review and try to find other resources for, maybe Microsoft Learn or others.

Step 8
Once I am getting 80% or above in the practice tests, I book the exam soon after and take it.

I have done this on the last 4 or 5 exams I've sat and it works for me; it might work for you, it might not.

Notes
I spend 2 hours a night studying for the exam, 5 or 6 nights a week. It took a lot of dedication and hard work; not everyone has that time. I made time and stopped doing some stuff because I wanted to learn. I get it, it's not for everyone.
I am happy to help and give advice to anyone looking for it with the exams. Good luck with sitting your exam, and hopefully someone finds this useful.



Learning Azure, becoming an MVP, failure and more

18 months ago I decided to learn Azure; it was about time I learned some cloud skills (Azure for me). The following is a quick run through of my journey to where I am now. I'm really just getting started, but on reflection I'm happy with where I am heading. Always remember to invest in yourself.

I work full-time at Sword IT in Glasgow, Scotland and have had some hands-on time with Azure through work; a couple of projects have helped me learn. I've managed to help our company get more Gold certifications this year, which has been pretty cool; that means we get more benefits as a company, something I am proud of.

When trying to start learning Azure, it's easy to get lost in the enormity of the platform. Being a dev, I decided to take a look around and formulate a plan for learning Azure. It soon became clear that the best way for me to learn something new is to work towards a goal, so my first goal was to sit and hopefully pass an Azure exam. Goals are important for me as it means I have a plan and can work towards achieving something.

Recently I have had a number of people reach out to me asking how I went about it, what tips can I give them and how did I go about learning Azure and passing exams etc.

Which exam would I start with, and which exam should you start with? Well, that depends on your experience and background; it's not the same for everyone, but here are my thoughts and how I went about it.

I have a blog post titled Azure Exam Study Guide which describes my method for studying for Azure exams.

I looked for resources to start learning Azure and read a fair bit to get me started. Not too long after that I saw a blog post announcing the AZ-100 beta exam, which was only going to cost me £27; the problem was, if I recall correctly, I had 2 weeks before the beta closed to sit the exam (it may have been a month, but it wasn't long). I created a OneNote page with all of the links and notes I took whilst I went about my study, and for this exam I set a learning goal of 2 hours of studying per night. I found some very handy Udemy courses from Scott Duffy, went through the entire course end to end and booked the exam. I sat my very first Azure exam (actually my first Microsoft exam since the days of the MCSD exams), so it had been a while.

I failed the exam with a score of 671 out of 1000 (passing score was 700); for me this just whet my appetite, and if you know me, learning is my thing. Six days later I sat the AZ-101 beta exam and again failed, with 655 out of 1000 (passing score was 700). I had taken 2 exams and failed them both. Bummer, you might say? Nope, I had learned a serious amount from where I had come from and was loving learning all about Azure. Read more about

At this point the burning desire to learn was there; nothing was going to stop me from passing my first Azure exam. I kept studying even though I knew these 2 exams weren't really my cup of tea: I didn't have much hands-on experience of the content and I struggled with Azure Networking at the time.

Fast forward 2 months and the Azure Architect beta exams (AZ-300 and AZ-301) were announced, and I thought let's give them a go. I had been studying relentlessly for 2 hours a night every single night; when I say I didn't even watch television, I really didn't watch any at all. I wanted to pass the Architect exams. I sat both, failed the AZ-300 and passed the AZ-301. I actually thought that I would pass AZ-300 and fail AZ-301, but who cares, I had passed an Azure Architect exam (which does cover a lot). My studying was paying off: I had spent a lot of time doing hands-on labs and finding the best resources, and it was sinking in now, where previously in the other 2 exams I was still unsure to an extent.

Let me say one thing, the feeling of passing your exam is worth all of the hard work, I was super delighted and just wanted to keep going.

Crazy as this sounds, I sat the 2 Developer beta exams 3 and 4 days later. I have a dev background and had been using Azure on a project at work building a distributed system with these tools. I sat both exams and passed them both; I was now a certified Azure Developer, badge and all.

Not long after that I sat the Azure DevOps exam, AZ-400. DevOps was something I had done in a lot of previous jobs and I had a lot of experience with numerous tools. I sat the Azure DevOps beta exam and failed with 685 out of 1000 (passing score was 700); man, that hurt! I didn't put the effort in. I spent time studying, but after sitting the exam I realised what I had been studying wasn't the right material. I got lazy, basically: I didn't do my homework correctly by carefully looking at the Microsoft exam page and going over each link on places like docs.microsoft.com. Lesson learned. I passed the exam after taking some time off from studying; I was officially burned out from 2 hours a night for 3-4 months.

In the end I had sat 9 exams in just under 4 months. Crazy, yeah, and not a great idea in retrospect, but when you fail an exam the burning desire to pass and learn more took over for me.

MVP
All whilst this was happening I had been nominated for the MVP award (I wrote about that here), and I'll move on to cover what I was doing for that. I've covered all of this before in previous blog posts, which I will leave you to find, but here's a list of a few of the main things I was also up to whilst studying.

My advice for people looking to become an MVP is to think of ways you can help the community. Not just blogging: go further, do more. You'll learn a lot and you'll grow as a person by being uncomfortable, so push yourself and you'll be rewarded in many ways.

I've been lucky enough to be asked on podcasts, asked to do training videos and write books, and I've met Scott Guthrie and a lot more, just from being active in the community. Follow more people on Twitter; honestly, grow your network.

Next up, I don’t share my goals, I have a few still to attain this year and next year is when I’ll start looking at doing more talks.

I have a lot of people to thank for where I have gotten to, and I have thanked them all personally, or online where I haven't met them yet. Going to Ignite and the MVP Summit I hope to meet many more and also thank them personally.

Hard work pays off.

  • You can find all of my posts on Azure here
  • You can find all about the Azure exams here

Please feel free to reach out to me on LinkedIn or Twitter, happy to mentor anyone if I can with anything I can.



Azure Cost Management – 8 tools to help optimise spending and maximise potential in the cloud

Hi folks, earlier this month I wrote an article about Azure Cost Management for Nigel Frank International, a global leader in Microsoft recruitment. If you want to learn all about Azure Cost Management you can read my article on 8 tools to help optimise spending and maximise potential in the cloud.

I hope you find this article useful and as always leave feedback below.



How to Use The Azure KeyVault Service

The Azure Key Vault service is where you store certificates, keys, passwords and more, instead of having them stored within your application.

Reducing the chance that application secrets can be leaked is always a good thing: don't store things like access keys, usernames and passwords in your application config files. Azure Key Vault is where you will want to store these types of secrets.

Here is a quick list of things you can use Azure Key Vault for:

  • Certificate Management
  • Secret Management
  • Key Management

A good example of how to improve existing code: say you have a connection string to SQL Server and you have hard-coded it with the username and password of an account used to reach the data held within your SQL Database (back in the day this was fairly common). Even encrypting the connection string isn't as secure as it could be. Changing the code to read the connection string from Azure Key Vault is one idea (there are a few available); this way you can lock down who can see the connection string, so that people won't be able to get access to the database unless they have the rights to read the connection string from Azure Key Vault (this is just a very simple example).

Other useful things you can use Azure Key Vault for are creating, and therefore controlling, encryption keys: instead of doing this manually you can leverage Azure Key Vault to do it on your behalf. You can also provision and manage SSL certificates, which is extremely useful.

With Azure Key Vault you can control access to the Vault using policies. This means you decide who can do things like read, write, edit secrets and keys stored within the KeyVault.

Azure Key Vault can be integrated with a number of services, including:

  • SQL Server
  • Azure Functions
  • Azure Web Apps and many more

To read more about Azure Key Vault here is a link to the official documentation.



How to Use The Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.

What this means is that you can distribute the traffic your web application receives across different regions throughout the world, which is a great Azure feature; other features like the Azure Load Balancer and Application Gateway can't distribute traffic across regions.

Azure Traffic Manager has a number of routing methods, and it's important to know the options available and what you can use them for:

  • Priority: Use Priority when you want to use a primary service endpoint for all traffic, and provide backups in case the primary or the backup endpoints are unavailable.
  • Weighted: Use Weighted when you want to distribute traffic across a set of endpoints, either evenly or according to weights, which you define.
  • Performance: Use Performance when you have endpoints in different geographic locations and you want end users to use the “closest” endpoint in terms of the lowest network latency.
  • Geographic: Use Geographic so that users are directed to specific endpoints (Azure, External, or Nested) based on which geographic location their DNS query originates from. This empowers Traffic Manager customers to enable scenarios where knowing a user’s geographic region and routing them based on that is important.
  • Multivalue: Use MultiValue for Traffic Manager profiles that can only have IPv4/IPv6 addresses as endpoints. When a query is received for this profile, all healthy endpoints are returned.
  • Subnet: Use Subnet traffic-routing method to map sets of end-user IP address ranges to a specific endpoint within a Traffic Manager profile. When a request is received, the endpoint returned will be the one mapped for that request’s source IP address.

Here is a good example of why Traffic Manager is so useful. Let's say you have your web app running in the North Europe region and all users get directed to this region. What would happen if this region were to go down? Not good! With Traffic Manager you could have a second region (let's say UK South for this example) which holds a copy of the web application. If the first region (North Europe) were to go down, Traffic Manager would move all of your traffic to the second region, meaning your website stays up and running and your users stay happy, and bingo, you now have a highly available web application. This is known as performing a failover. Also note that you are now paying for both regions, but you have the added reliability and high availability your users may demand.

On a project at work we had a requirement which was basically to make the website responsive to users around the globe. One way to aid in this is to use Traffic Manager with the Performance routing method: we had a copy of the web application deployed to 3 or 4 regions, and when users hit the website they were directed to their nearest region, which helps with faster response times.
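To make the routing methods and the failover scenario above concrete, here is a small simulation of the decision Traffic Manager makes when a DNS query arrives. This is an added example, not code from the original post or from Azure: the endpoints, regions, hostnames, client regions and the latency table are all constructed, and Azure's real Performance routing uses its own measured Internet latency data rather than this table.

```python
"""Simulation of the Azure Traffic Manager routing methods.

Added example, not Azure's implementation. Traffic Manager is a DNS service,
so this only models which endpoint target(s) a DNS answer would contain for
each routing method, always restricted to endpoints that pass health probes.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    region: str
    target: str                    # hostname the DNS answer resolves to (constructed)
    healthy: bool = True           # result of the health probe
    priority: int = 1              # Priority routing: lower value is preferred
    weight: int = 1                # Weighted routing: share of traffic
    geo: set = field(default_factory=set)        # Geographic routing: region codes
    subnets: list = field(default_factory=list)  # Subnet routing: CIDR ranges


# Constructed round-trip latency (ms) from a client's region to each Azure region.
LATENCY_MS = {
    ("UK", "northeurope"): 25, ("UK", "uksouth"): 8, ("UK", "eastus"): 90,
    ("US", "northeurope"): 95, ("US", "uksouth"): 100, ("US", "eastus"): 12,
}


class TrafficManagerProfile:
    def __init__(self, routing_method, endpoints):
        self.routing_method = routing_method
        self.endpoints = endpoints

    def resolve(self, client_region=None, client_ip=None, rand=0.0):
        """Return the endpoint target(s) the DNS answer would contain.

        `rand` stands in for the random draw Weighted routing makes (0 <= rand < 1).
        """
        live = [e for e in self.endpoints if e.healthy]   # unhealthy endpoints never answer
        if not live:
            return []
        method = self.routing_method
        if method == "Priority":
            return [min(live, key=lambda e: e.priority).target]
        if method == "Weighted":
            cut = rand * sum(e.weight for e in live)
            for e in live:
                cut -= e.weight
                if cut < 0:
                    return [e.target]
            return [live[-1].target]
        if method == "Performance":
            return [min(live, key=lambda e: LATENCY_MS.get((client_region, e.region), 10**6)).target]
        if method == "Geographic":
            # An endpoint mapped to the query's region wins; "WORLD" is the catch-all.
            specific = [e for e in live if client_region in e.geo]
            if specific:
                return [specific[0].target]
            return [e.target for e in live if "WORLD" in e.geo][:1]
        if method == "MultiValue":
            return [e.target for e in live]
        if method == "Subnet":
            ip = ipaddress.ip_address(client_ip)
            for e in live:
                if any(ip in ipaddress.ip_network(s) for s in e.subnets):
                    return [e.target]
            # Queries that match no range go to the endpoint with no ranges configured.
            return [e.target for e in live if not e.subnets][:1]
        raise ValueError(f"unknown routing method: {method}")


def failover_demo():
    """The North Europe / UK South scenario from the post, using Priority routing."""
    primary = Endpoint("web-neu", "northeurope", "web-neu.example.net", priority=1)
    backup = Endpoint("web-uks", "uksouth", "web-uks.example.net", priority=2)
    profile = TrafficManagerProfile("Priority", [primary, backup])
    before_outage = profile.resolve()
    primary.healthy = False          # the health probe for North Europe starts failing
    after_outage = profile.resolve()
    return before_outage, after_outage


if __name__ == "__main__":
    print("DNS answer before / after the North Europe outage:", failover_demo())
```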

You can read the official documentation on Azure Traffic Manager for lots more information.



How to Use Azure Managed Service Identity

In this blog post I will cover Azure Managed Service Identity covering the basics for what you should know regarding this feature in Azure.

Managed Service Identity lets you access your Azure resources securely without storing credentials in your code to reach them. Think of adding storage account access keys to your code as an example: this is bad practice and you certainly don't want them in your code base, checked into git.

You can create service identities for a number of Azure resources already, with more coming. Examples of the resources that support service identities include the following:

  • Azure Virtual Machines
  • Azure Virtual Machine Scale Sets
  • Azure App Service
  • Azure Functions
  • Azure Logic Apps
  • Azure Service Bus
  • Azure Event Hubs
  • Azure API Management
  • Azure Container Instances
  • Azure Container Registry Tasks

If you have some code that needs to access a storage account and you have added the access key to the code to do so (please never do this, it's very bad practice and someone might gain access to your storage account), you may have moved the access key into Key Vault, which is another option. You can go a step further still and improve security even more.
To do this you take advantage of managed service identities: instead of an access key you use a temporary access token, generated at run-time. The identity can then be given role based access control on other resources.

The managed identity for the resource is generated within Azure AD.

Managed Identities come in 2 forms:

  • System-assigned managed identity (enabled on an Azure service instance)
  • User-assigned managed identity (created as a stand-alone Azure resource)

You can learn more from the docs.




How to Use Azure Role Based Access Control

When it comes to Azure Security there are several options available, in this blog post I’ll cover Role Based Access Control (RBAC for short).

RBAC is about giving access to Azure resources at a granular level, you can give access to the Subscription all the way down to just a single resource within a subscription. This is perfect if you have the scenario where you have a lot of Azure resources and you may just want to give someone access to just a Virtual Machine or maybe just read-only access to say a storage account.

Azure has built-in roles which you can assign to users; the most common of these roles are as follows:

  • Owner – Has full access to all resources including the right to delegate access to others.
  • Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
  • Reader – Can view existing Azure resources.
  • User Access Administrator – Lets you manage user access to Azure resources.

You can also create your own custom roles, made up of whatever permissions you need.

RBAC works when assigned against what’s known as a Security Principal in other words a User, Group, Service Principal or a Managed Identity.

RBAC is made up of role definitions, and each role definition has actions assigned to it. An example would be Billing Reader, which gives the user read access to billing data. The list of roles is shown below:


The last thing we need to touch on is the scope at which RBAC can be assigned; this can take the form of the following:

  • Management Group Level
  • Subscription Level
  • Resource Group Level
  • Resource Level

At work we normally give people on the project Contributor access to a Resource Group or Groups, and normally one, maybe two at most, are Owners of the Subscription. If we wish to give someone read-only access to view resources then we make them a Reader.

If we are working on a project and want to give a new dev Contributor access to a Resource Group, I would log in as an Owner, find and choose the subscription, select Access Control (IAM), and then Add a Role Assignment.

You can also setup alerts when an Owner gives some other user access to your Azure resources if required.




Azure Resource Locks

Azure resource locks will at some point save your bacon, trust me.
If you want to stop people deleting a development resource when they think it's no longer being used, or, more importantly, to stop production resources being deleted (until the lock itself is removed), then Azure locks are your friend.

Azure Resource Locks are often overlooked: most people know about them but never implement them. It's always a good idea to use them, so what are you waiting for?

They can be applied at different levels, ranging from the Resource Group (think of a folder where your Azure resources reside) down to the individual resources themselves.

If there are a few people in your organisation who hold one of the roles with the privilege to delete resources, then Azure resource locks are something to look into further.

To add a Resource Lock to any resource, simply locate the resource and then click on Locks, as per below.

As you can see, there are 2 different types of resource locks:

  • Read-Only – means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
  • Delete – means authorized users can still read and modify a resource, but they can’t delete the resource.

So how do locks actually work?

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles.

You can read up more on Azure Locks from the documentation. Go add locks to your production resources just in case, better to be safe than sorry.
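The RBAC post above and this one describe two controls that Azure evaluates together: a role assignment grants a security principal a role's actions at a scope and is inherited by every child scope, while a lock is inherited downwards with the most restrictive level winning and applies to every principal regardless of role. The evaluator below is an added example, not code from either post or from Azure: the scope paths, principal names and the trimmed Actions/NotActions lists for the built-in roles are constructed for illustration, and real Azure resource IDs do not nest management groups as path prefixes the way this model does.

```python
"""Model of how Azure RBAC role assignments and resource locks combine.

Added example, not Azure's implementation. The built-in roles below are
trimmed to the parts needed here; the real definitions carry more entries.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Trimmed built-in roles from the post, as Actions / NotActions patterns ("*" also spans "/").
BUILT_IN_ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}


@dataclass
class RoleAssignment:
    principal: str   # user, group, service principal or managed identity
    role: str
    scope: str


@dataclass
class Lock:
    scope: str
    level: str       # "CanNotDelete" (the Delete lock) or "ReadOnly"


def within(scope, parent):
    """True when `scope` is `parent` itself or lies beneath it."""
    return scope == parent or scope.startswith(parent.rstrip("/") + "/")


def role_permits(role, action):
    """Action matching is case-insensitive; NotActions subtract from Actions."""
    act = action.lower()
    granted = any(fnmatchcase(act, p.lower()) for p in role["actions"])
    denied = any(fnmatchcase(act, p.lower()) for p in role["not_actions"])
    return granted and not denied


def rbac_allows(principal, action, scope, assignments, roles=BUILT_IN_ROLES):
    """A grant at the scope itself or at any ancestor scope is enough."""
    return any(ra.principal == principal and within(scope, ra.scope)
               and role_permits(roles[ra.role], action)
               for ra in assignments)


def effective_lock(scope, locks):
    """Most restrictive lock inherited from the scope or its ancestors."""
    levels = {lock.level for lock in locks if within(scope, lock.scope)}
    if "ReadOnly" in levels:
        return "ReadOnly"
    if "CanNotDelete" in levels:
        return "CanNotDelete"
    return None


def lock_blocks(action, level):
    """ReadOnly permits only reads; CanNotDelete blocks only deletes."""
    operation = action.rsplit("/", 1)[-1].lower()
    if level == "ReadOnly":
        return operation != "read"
    if level == "CanNotDelete":
        return operation == "delete"
    return False


def authorize(principal, action, scope, assignments, locks):
    """RBAC is checked first; a lock then blocks the operation whatever the role."""
    if not rbac_allows(principal, action, scope, assignments):
        return "denied: no role assignment grants this action"
    level = effective_lock(scope, locks)
    if lock_blocks(action, level):
        return f"denied: {level} lock"
    return "allowed"


# Constructed scopes following the post's practice: one subscription Owner,
# devs as Contributor on their resource group, and a Delete lock on production.
SUB = "/subscriptions/sub-prod"
RG_DEV = SUB + "/resourceGroups/dev"
RG_PROD = SUB + "/resourceGroups/prod"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/dev01"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/prod01"
ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),
    RoleAssignment("bob", "Contributor", RG_DEV),
    RoleAssignment("carol", "Reader", SUB),
]
LOCKS = [Lock(RG_PROD, "CanNotDelete")]

if __name__ == "__main__":
    for who, action, scope in [("bob", "Microsoft.Compute/virtualMachines/write", VM_DEV),
                               ("alice", "Microsoft.Compute/virtualMachines/delete", VM_PROD)]:
        print(who, action.rsplit("/", 1)[-1], scope.rsplit("/", 1)[-1], "->",
              authorize(who, action, scope, ASSIGNMENTS, LOCKS))
```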



Scottish Summit 2020

On February 29th 2020, we are hosting a brand new, FREE event here in Scotland, UK which is called the Scottish Summit which will have several tracks running.

We are bringing over 60 sessions to you, covering multiple tracks as per below:

  • Dynamics for Customer Engagement
  • Azure
  • Big Data
  • Power Platform
  • Microsoft ERP
  • Personal Development
  • SharePoint
  • Office 365

To find out more about the event you can view the website and see the list of speakers.

I am giving a talk titled "Super charge your Azure learning" where I will cover how I have learned Azure and go over all the very best resources I have come across in the last 18 months of learning Azure. This talk will be for all levels: people getting started, people who know some Azure and want to learn a bit more, right up to Azure experts who might want to branch out their learning into new areas.

Topics will include:

  • My Journey
  • Getting started learning Azure
  • Azure Services
  • Azure Devops
  • Exams
  • Top tips and best learning resources
  • And much more

I can't wait to welcome people from around the world to the Scottish Summit, and hopefully you'll catch the world premiere of my talk.

If you wish to attend then grab your FREE ticket – hope to see you there!



Azure Architect Expert Study Notes

The following is a quick and dirty list I made for the Architect exams so that I could read through it quickly before the exam itself. This is mostly for the AZ-302 but good to know regardless of what exam you're doing.

  • Blob Storage accounts are NOT for storing virtual machine VHD files: a Blob storage account is for block blobs and append blobs, not page blobs.
  • You can use Traffic Manager to sit above 2 virtual machines and register endpoints; if one of the regions goes down, the other stays up.

The following traffic routing methods are available in Traffic Manager:

  • Priority: Select Priority when you want to use a primary service endpoint for all traffic, and provide backups in case the primary or the backup endpoints are unavailable.
  • Weighted: Select Weighted when you want to distribute traffic across a set of endpoints, either evenly or according to weights, which you define.
  • Performance: Select Performance when you have endpoints in different geographic locations and you want end users to use the “closest” endpoint in terms of the lowest network latency.
  • Geographic: Select Geographic so that users are directed to specific endpoints (Azure, External, or Nested) based on which geographic location their DNS query originates from. This empowers Traffic Manager customers to enable scenarios where knowing a user’s geographic region and routing them based on that is important. Examples include complying with data sovereignty mandates, localization of content & user experience and measuring traffic from different regions.
  • Multivalue: Select MultiValue for Traffic Manager profiles that can only have IPv4/IPv6 addresses as endpoints. When a query is received for this profile, all healthy endpoints are returned.
  • Subnet: Select Subnet traffic-routing method to map sets of end-user IP address ranges to a specific endpoint within a Traffic Manager profile. When a request is received, the endpoint returned will be the one mapped for that request’s source IP address.

App Service plan pricing Tiers

There are a few categories of pricing tiers:

  • Shared compute: Free and Shared, the two base tiers, runs an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources cannot scale out.
  • Dedicated compute: The Basic, Standard, Premium, and PremiumV2 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances are available to you for scale-out.
  • Isolated: This tier runs dedicated Azure VMs on dedicated Azure Virtual Networks, which provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.
  • Consumption: This tier is only available to function apps. It scales the functions dynamically depending on workload. For more information, see Azure Functions hosting plans comparison

Logic Apps

To enable high throughput on a Logic App, go to workflow settings, choose High Throughput and click On; this allows up to 300,000 executions every 5 minutes.

App Service Plans

The basic App Service Plan doesn’t support auto-scaling


Create a Linux virtual machine with Accelerated Networking

To create a Windows VM with Accelerated Networking, see Create a Windows VM with Accelerated Networking. Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. This high-performance path bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, for use with the most demanding network workloads on supported VM types. The following picture shows communication between two VMs with and without accelerated networking.


Azure Migrate

Migrate databases to Azure with familiar tools

Azure Database Migration Service integrates some of the functionality of our existing tools and services. It provides customers with a comprehensive, highly available solution. The service uses the Data Migration Assistant to generate assessment reports that provide recommendations to guide you through the changes required prior to performing a migration. It’s up to you to perform any remediation required. When you’re ready to begin the migration process, Azure Database Migration Service performs all of the required steps. You can fire and forget your migration projects with peace of mind, knowing that the process takes advantage of best practices as determined by Microsoft.

Note: Using Azure Database Migration Service to perform an online migration requires creating an instance based on the Premium pricing tier.


Types of storage accounts

Azure Storage offers several types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account to determine the type of account that is best for your applications. The types of storage accounts are:

  • General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage.
  • General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
  • Block blob storage accounts: Blob-only storage accounts with premium performance characteristics. Recommended for scenarios with high transactions rates, using smaller objects, or requiring consistently low storage latency.
  • FileStorage (preview) storage accounts: Files-only storage accounts with premium performance characteristics. Recommended for enterprise or high performance scale applications.
  • Blob storage accounts: Blob-only storage accounts. Use general-purpose v2 accounts instead when possible.

Azure Functions ARR affinity

If you create Azure Functions as part of the Basic App Service plan, you can enable ARR Affinity, which basically adds support for sticky sessions.

Azure App Service Access Restrictions

Access Restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit “deny all” that exists at the end of the list.

Auto Swap Staging Slots (Auto Swap isn’t supported in web apps on Linux.)

VNet Peering – connecting VMs within the same Azure Region

Global VNet Peering – connecting VMs across Azure Regions

Choose between Azure messaging services – Event Grid, Event Hubs, and Service Bus

Comparison of services

  • Event Grid – Purpose: reactive programming; Type: event distribution (discrete); When to use: react to status changes
  • Event Hubs – Purpose: big data pipeline; Type: event streaming (series); When to use: telemetry and distributed data streaming
  • Service Bus – Purpose: high-value enterprise messaging; Type: message; When to use: order processing and financial transactions

Event Grid

Event Grid is an eventing backplane that enables event-driven, reactive programming. It uses a publish-subscribe model. Publishers emit events, but have no expectation about which events are handled. Subscribers decide which events they want to handle.

Event Grid is deeply integrated with Azure services and can be integrated with third-party services. It simplifies event consumption and lowers costs by eliminating the need for constant polling. Event Grid efficiently and reliably routes events from Azure and non-Azure resources. It distributes the events to registered subscriber endpoints. The event message has the information you need to react to changes in services and applications. Event Grid isn’t a data pipeline, and doesn’t deliver the actual object that was updated.

Event Grid supports dead-lettering for events that aren’t delivered to an endpoint.

It has the following characteristics:

  • dynamically scalable
  • low cost
  • serverless
  • at least once delivery

Event Hubs

Azure Event Hubs is a big data pipeline. It facilitates the capture, retention, and replay of telemetry and event stream data. The data can come from many concurrent sources. Event Hubs allows telemetry and event data to be made available to a variety of stream-processing infrastructures and analytics services. It is available either as data streams or bundled event batches. This service provides a single solution that enables rapid data retrieval for real-time processing as well as repeated replay of stored raw data. It can capture the streaming data into a file for processing and analysis.

It has the following characteristics:

  • low latency
  • capable of receiving and processing millions of events per second
  • at least once delivery

Service Bus

Service Bus is intended for traditional enterprise applications. These enterprise applications require transactions, ordering, duplicate detection, and instantaneous consistency. Service Bus enables cloud-native applications to provide reliable state transition management for business processes. When handling high-value messages that cannot be lost or duplicated, use Azure Service Bus. Service Bus also facilitates highly secure communication across hybrid cloud solutions and can connect existing on-premises systems to cloud solutions.

Service Bus is a brokered messaging system. It stores messages in a “broker” (for example, a queue) until the consuming party is ready to receive the messages.

It has the following characteristics:

  • reliable asynchronous message delivery (enterprise messaging as a service) that requires polling
  • advanced messaging features like FIFO, batching/sessions, transactions, dead-lettering, temporal control, routing and filtering, and duplicate detection
  • at least once delivery
  • optional in-order delivery

Notification Hubs

Has an SLA of 99.9% on the Basic and Standard tiers (the Free tier carries no SLA)

RPO – Recovery Point Objective – the maximum amount of data loss that is acceptable if a recovery has to be done, expressed as a period of time (for example “the last 15 minutes”). It is governed by how often you back up or replicate.

RTO – Recovery Time Objective – the maximum amount of time a recovery or restore may take before the service is back up.

Azure Backup

Recovery Points

  • Application Consistent – the backup takes pending I/O operations and in-memory state into account (VSS on Windows, pre/post scripts on Linux). This allows the application to start in a consistent state after recovery.
  • File System Consistent – a consistent backup of the files on disk; the application needs to maintain its own mechanism to manage its consistency. This is the default for Linux VMs that have no pre/post scripts configured.
  • Crash Consistent – typically happens when the VM is shut down at the time of the backup. Only data already written to disk is captured, with no guarantee of file-system or application consistency, so a restore looks like the machine had its power pulled.

Azure Backup is good for retention periods of days, weeks, months and even years.

Virtual Machines SLA’s

One VM = 99.9% availability (only when all OS and data disks are Premium SSD or Ultra Disk)

Two or more VMs spread across two or more Availability Zones in the same region = 99.99% availability

Two or more VMs in an Availability Set = 99.95% availability

Availability Zones

A region that supports Availability Zones has at least 3 zones, each made up of one or more data centres with independent power, cooling and networking.

So a zone can be more than one data centre; what matters is that the zones do not share a single point of failure.

Deploy at least 2 copies of your VM, 1 to zone 1 and the other to a different zone, and put them behind a Standard load balancer (the Basic SKU has no zone support).

Availability Sets

  • Fault domains (up to 3 per set, 2 in some regions), ie separate server racks which have separate power and network switches. The VMs in the set are spread round-robin across the fault domains, so if one rack goes down the VMs in the other fault domains are still up.
  • Update domains (5 by default, up to 20), groups of VMs that Azure reboots together during planned maintenance. Only one update domain is taken down at a time, so the copies in the other update domains stay up.

If you add 6 VMs to an availability set with the default 5 update domains, the 6th VM goes into update domain 0, because the numbering starts at 0 (VM1 in UD0, VM2 in UD1 … VM5 in UD4, VM6 back in UD0).

Azure Load Balancer (works at layer 4)

  • Is used to distribute incoming traffic across a set of virtual machines
  • Increases fault tolerance and availability for your application
  • Works at the transport layer (TCP/UDP), so it has no visibility of HTTP paths or TLS
  • A public load balancer has a public IP address as its front end; an internal load balancer uses a private IP address in the virtual network instead
  • The back end pool is literally your virtual machines (their NICs) or a virtual machine scale set
  • Traffic is only sent to instances that pass the health probe, which needs the protocol (TCP/HTTP/HTTPS), port, interval and unhealthy threshold set

Important Notes:-

  • A load balancer only distributes traffic between resources in the same region; for traffic across regions use Traffic Manager.
  • If you want to achieve a higher availability of 99.99% then you should use a Standard Load Balancer instead of a Basic Load Balancer (Basic has no SLA), and have at least 2 healthy virtual machines in the backend pool of the load balancer.
  • SKUs can’t be mixed: with a Standard load balancer, any public IP address on the load balancer or on the VMs behind it must be a Standard SKU (static) public IP address.

Application Gateway (works at layer 7)

  • Web traffic load balancer
  • Works at the application layer (HTTP/HTTPS), so it can route on host names and URL paths
  • URL path-based routing – example would be /video goes to backendpool1, /images goes to backendpool2
  • TLS (SSL) termination, so the back end servers are offloaded from the encryption/decryption work
  • Needs a dedicated subnet in your virtual network; the subnet can only be shared with other application gateways
  • SLA 99.95% – 2 or more medium or large instances (v1), or a v2 deployment with autoscaling or zone redundancy

WAF (web application firewall)

  • An Application Gateway tier that gives centralized protection for your web applications from common exploits and vulnerabilities, based on the OWASP Core Rule Set (SQL injection, cross-site scripting and so on)
  • Runs in Detection mode (log only) or Prevention mode (block); start in Detection mode to tune out false positives before switching to Prevention

Azure Traffic Manager

  • DNS based traffic load balancer: it answers the client’s DNS query with the address of the chosen endpoint, so client traffic goes straight to that endpoint and never passes through Traffic Manager
  • Can distribute traffic across regions (and across Azure and external endpoints)
  • You can use different traffic routing methods
    • Priority – choose which region you prefer, the others are failovers
    • Weighted – spread traffic by the weight assigned to each endpoint
    • Performance – send users to the endpoint with the lowest network latency
    • Geographic – direct end users to specific endpoints based on geographic location
    • Multivalue – all healthy endpoints are returned to the user
    • Subnet – map ranges of client IP addresses to specific endpoints
Other Exam Notes

  • If you’re using Azure Site Recovery then you first have to create a Recovery Services vault (the same vault type Azure Backup uses) to hold the replication configuration and recovery points
  • Premium performance tier storage is for blobs only: page blobs in a general-purpose premium account, or block blobs and files in the dedicated BlockBlobStorage and FileStorage account kinds. There is no premium tier for tables or queues
  • Default NSG rules – inbound: allow VirtualNetwork and AzureLoadBalancer, then DenyAllInBound (so nothing from the internet); outbound: allow VirtualNetwork and Internet, then DenyAllOutBound. Rules are processed from the lowest priority number upwards and the first match wins; the defaults sit at 65000–65500 and custom rules use 100–4096, so every custom rule is evaluated before them. To stop a subnet having access out, add an outbound rule with source Any, destination service tag Internet, destination port ranges *, protocol Any, action Deny and a low priority value of say 100; the AllowInternetOutBound default at 65001 is then never reached
  • Windows GDI (Graphics Device Interface) calls are blocked by the App Service sandbox, so if you need them (typically image or PDF rendering) run that workload somewhere without the sandbox such as Azure Batch
  • When creating an Application Gateway v2 (or a zone-redundant VPN gateway SKU) the IP address has to be a static public IP address of the Standard SKU
  • Using PowerShell to get an Azure Key Vault secret as plain text
    (Get-AzKeyVaultSecret -VaultName ‘myvaultname’ -Name ‘mysecretname’).SecretValueText
    SecretValueText was removed in Az.KeyVault 2.0; from that version use
    Get-AzKeyVaultSecret -VaultName ‘myvaultname’ -Name ‘mysecretname’ -AsPlainText
  • Azure AD Conditional Access requires an Azure AD Premium (P1 or P2) licence
  • When you set up ASR for Azure VMs in another region and point it at some VMs, it installs the Azure Site Recovery extension (the Mobility service) on the source VMs, which need outbound access to the Site Recovery and storage endpoints
  • Azure Site Recovery is for replicating virtual or physical machines from various sources. It does NOT support Azure App Service. It does support Azure VMs, Hyper-V and VMware virtual machines, and Windows or Linux physical machines
  • For VMware and physical machines ASR requires port 443 (control traffic to Azure) and 9443 (replication data from the Mobility service to the process server) in order to do its replication from the source servers
  • To replicate Hyper-V virtual machines between two on-premises data centres with ASR, you need System Center VMM managing both sites already
  • ASR replicates between regions within the same geography by default (e.g. East US to West US). It would not support East US machines being replicated to Japan East because that crosses a geographic boundary
  • VMs across multiple Availability Zones provide the highest Microsoft SLA at 99.99%. Using availability sets provides 99.95%. Standalone VMs behind a load balancer do not get an SLA from the load balancer. Azure Site Recovery provides business continuity (disaster recovery), not high availability
  • How does SQL Database implement high availability at the Premium tier?

The Premium (Business Critical) tier of SQL Database runs the database on a 4-node cluster built on Always On availability group technology: one primary replica and three secondary replicas keeping copies of the data, so failover to a secondary is fast.
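The NSG rule ordering described in the notes above (defaults at 65000–65500, custom rules at 100–4096, first match wins) is easy to get wrong when more than one custom rule is involved. The following is an added example, not code from the original page or from Microsoft: a small Python model of outbound rule evaluation. The VNet address space 10.0.0.0/16, the rule names and the treatment of the Internet tag as “public address space outside the VNet” are assumptions made for the example; source addresses are treated as Any and port ranges are left out.

```python
"""Toy model of how an Azure NSG evaluates outbound rules (added example, not Azure code).

Azure processes rules in priority order (lowest number first) and stops at the
first match. The three built-in outbound rules use the real priorities 65000,
65001 and 65500, so any custom rule (priority 100-4096) is always consulted
before them. Source is treated as Any throughout; only destination and port
are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VNet address space standing in for the VirtualNetwork service tag (assumption).
VNET_PREFIXES = [ip_network("10.0.0.0/16")]


def is_vnet(ip: str) -> bool:
    return any(ip_address(ip) in prefix for prefix in VNET_PREFIXES)


def is_internet(ip: str) -> bool:
    # Simplification of the Internet tag: public address space outside the VNet.
    addr = ip_address(ip)
    return not addr.is_private and not is_vnet(ip)


SERVICE_TAGS = {"VirtualNetwork": is_vnet, "Internet": is_internet, "*": lambda ip: True}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096, lower number wins
    access: str        # "Allow" or "Deny"
    destination: str   # service tag or "*"
    dest_port: str     # "*" or a single port number (ranges omitted for brevity)


# Azure's default outbound rules, with their real priorities.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*"),
]


def port_matches(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def evaluate(custom_rules, dest_ip: str, dest_port: int):
    """Return (matching rule name, access) for an outbound flow; first match by priority wins."""
    for rule in sorted(list(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if SERVICE_TAGS[rule.destination](dest_ip) and port_matches(rule.dest_port, dest_port):
            return rule.name, rule.access
    return "none", "Deny"  # unreachable in practice: DenyAllOutBound matches everything


# The rule from the notes: block all internet egress from the subnet.
DENY_INTERNET = [Rule("DenyInternetOutBound", 100, "Deny", "Internet", "*")]

# A stricter but more useful variant: allow only HTTPS out, deny the rest.
# The ordering between the two custom rules is what makes this work.
HTTPS_ONLY_EGRESS = [
    Rule("AllowHttpsOutBound", 100, "Allow", "Internet", "443"),
    Rule("DenyInternetOutBound", 200, "Deny", "Internet", "*"),
]

if __name__ == "__main__":
    for rules, ip, port in [
        ([], "8.8.8.8", 443),               # no custom rule: default AllowInternetOutBound
        (DENY_INTERNET, "8.8.8.8", 443),    # custom deny at 100 beats the allow at 65001
        (DENY_INTERNET, "10.0.1.5", 443),   # VNet traffic is still allowed at 65000
        (HTTPS_ONLY_EGRESS, "8.8.8.8", 443),
        (HTTPS_ONLY_EGRESS, "8.8.8.8", 80),
    ]:
        print(f"{ip}:{port} -> {evaluate(rules, ip, port)}")
```

Swapping the priorities of the two rules in HTTPS_ONLY_EGRESS would make the deny win for port 443 as well, which is the kind of mistake a quick model like this catches before the rule reaches a production subnet.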

  • Using SQL Database Always Encrypted with deterministic encryption: the same plaintext always produces the same ciphertext, so the database engine can perform equality-based operations on the column (joins, WHERE equality, GROUP BY, indexes) while the data stays encrypted in the table and hidden from regular application reads. Always Encrypted with randomized encryption gives different ciphertext each time, so it does not allow those table operations, but it leaks nothing about which values are equal
  • With Storage Queues, calling UpdateMessage extends the message’s visibility timeout and so prevents the message from being given to another consumer. RenewLock is for Service Bus queues and not Storage Queues. Re-architecting the application may not be a simple solution, although it may be wise
  • You can autoscale a web app using metrics provided by Application Insights, which needs to be set up for the app before you can enable such scaling
  • Transparent Data Encryption (TDE) encrypts the data stored on disk (database, logs and backups) and supports geo-replication and geo-restore. Always Encrypted will not suffice here: it is client-side encryption of chosen columns that hides them from the database engine and DBAs, not whole-database encryption at rest (transport encryption is a separate matter, handled by TLS)
  • Azure Confidential Compute (ACC) is only supported on the DC-series VMs, which have Intel SGX. It lets code and data be processed inside a hardware enclave in the processor so that they are protected even while in use. Azure Confidential Compute is not supported on any other VM series
  • SendGrid is a third-party email solution from the Marketplace which provides email sending via distribution lists as well as metric gathering
  • Azure AD Privileged Identity Management (PIM) lets you see who has elevated role assignments within your environment, make those roles eligible (activated just in time) rather than permanent, examine the history of activations and whether the permissions were used, and run access reviews in which users must justify why they still need the elevated role
  • Azure Site Recovery (ASR) does not support the recovery of most PaaS solutions such as Azure Storage and Azure App Service. ASR is for infrastructure workloads: Windows and Linux VMs (Azure, VMware, Hyper-V or physical) and the applications running on them such as SAP, SharePoint, IIS and SQL Server
  • Function keys and Azure API Management can both protect a Function App’s public endpoint. Function keys (function, host and master keys) are secrets passed in the code query string parameter or the x-functions-key header; they only protect the endpoint while the key is a true secret, so keep them out of client-side code and rotate them. Azure API Management can be put in front of the function and require other forms of authentication such as Azure AD or OAuth. Functions do not support Shared Access Signatures (SAS)
  • Shared Access Signatures (SAS) and Azure API Management can both protect a Service Bus public endpoint. A SAS token is an HMAC signed with a shared access key, which is why they are called “shared”: the sender and the service both hold the key. This only protects the endpoint while the key is a true secret. Azure API Management can be put in front of the Service Bus endpoint and require other forms of authentication such as Azure AD or OAuth. Service Bus does not support function keys or multi-factor authentication
  • Always Encrypted allows you to choose which columns to encrypt, and the client driver does the encryption and decryption for you. A client without access to the column master key (for example a plain command line) gets ciphertext back, but a trusted application with key access sees the data and, for deterministically encrypted columns, can use it in JOINs, SELECTs and WHERE clauses. Hand-rolled application-side encryption would not allow those JOINs. Always Encrypted (without secure enclaves) does not rely on a Trusted Execution Environment (TEE). All SQL Database data is stored at rest encrypted using TDE by default
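The Service Bus SAS point above (the token is only as secret as the shared key behind it) is clearer with the actual scheme in front of you. The following is an added example, not code from the original page, the Azure SDK or Microsoft: it mints a Service Bus SAS token the way the documented scheme does (HMAC-SHA256 over the URL-encoded resource URI, a newline and the expiry, keyed with the policy key) and then performs the checks the receiving side has to make. The policy name, key and namespace URI are constructed demo values, not real credentials.

```python
"""Service Bus SAS tokens: minting and verification (added example, not the Azure SDK).

Token layout:  SharedAccessSignature sr=<url-encoded resource URI>&sig=<base64 HMAC>&se=<expiry>&skn=<policy>
Signature:     HMAC-SHA256(policy key, "<url-encoded resource URI>" + "\n" + "<expiry>")
Whoever holds the policy key can mint a token, so the key is the whole secret;
the token itself should be scoped to the narrowest resource and the shortest
lifetime that works.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed demo values, not real credentials (assumptions for this example).
SAS_KEY_NAME = "send-only"
SAS_KEY = "ZGVtby1rZXktbm90LXJlYWwtZG8tbm90LXVzZQ=="
RESOURCE_URI = "https://contoso-demo.servicebus.windows.net/orders"


def make_sas_token(resource_uri: str, key_name: str, key: str, ttl_seconds: int = 300, now=None) -> str:
    """Mint a token as the documented Service Bus SAS scheme requires."""
    now = time.time() if now is None else now
    expiry = str(int(now) + ttl_seconds)
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = urllib.parse.quote(base64.b64encode(digest))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def parse_sas_token(token: str) -> dict:
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature" or not params:
        raise ValueError("not a SAS token")
    return dict(p.split("=", 1) for p in params.split("&"))


def verify_sas_token(token: str, expected_resource_uri: str, policy_keys: dict, now=None) -> bool:
    """Receiving-side checks: known policy, not expired, right resource, HMAC matches."""
    now = time.time() if now is None else now
    try:
        fields = parse_sas_token(token)
        sr, sig, se, skn = fields["sr"], fields["sig"], fields["se"], fields["skn"]
        expiry = int(se)
    except (ValueError, KeyError):
        return False
    if skn not in policy_keys or expiry < now:
        return False
    if urllib.parse.unquote_plus(sr) != expected_resource_uri:
        return False  # token was minted for a different queue/topic/namespace
    string_to_sign = f"{sr}\n{se}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(policy_keys[skn].encode("utf-8"), string_to_sign, hashlib.sha256).digest())
    presented = urllib.parse.unquote(sig).encode("utf-8")
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    keys = {SAS_KEY_NAME: SAS_KEY}
    token = make_sas_token(RESOURCE_URI, SAS_KEY_NAME, SAS_KEY, ttl_seconds=300)
    print(token)
    print("valid now:", verify_sas_token(token, RESOURCE_URI, keys))
    print("valid for another queue:", verify_sas_token(token, RESOURCE_URI + "-other", keys))
    print("valid after key rotation:", verify_sas_token(token, RESOURCE_URI, {SAS_KEY_NAME: "rotated"}))
```

Two practical consequences follow from the verification code: rotating the policy key invalidates every token minted with it at once (there is no per-token revocation), and a token minted for the namespace root rather than a specific queue path passes the resource check for everything under it, which is why the notes recommend keeping the key secret and the scope narrow.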