Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL.


1 Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL

2 Implementing Microsoft Azure Infrastructure Solutions
Exam Preparation 70-533

3 Mark Grimes
Residence, SE MI
18 Years MCT, 10 years ft active
10 years consulting ½ with Partner, Lead Internal Identity Technical Communities
Lead multiple internal Azure Cert programs
Losing weight fast with Joe Cross’ plan!

4 Azure Certification 70-533

5 Roadmap – Azure Certification

6 Let’s get this party started!
Break it down section by section for Skills Mapping

7 http://aka.ms/certification/70-533 TechReady 17 4/17/2017
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Side-by-side Comparison | 70-533/4
70-533: Implement Websites | Implement Cloud Services | Implement Storage | Implement Virtual Networks | Implement an Azure AD | Implement Virtual Machines
70-534: Design Websites | Design an Application Storage and Data Access Strategy | Design Azure Infrastructure and Networking | Design an Advanced Application

9 Microsoft Azure components
Compute: Virtual Machines | Web Sites | Mobile Services | Cloud Services (Web Roles, Worker Roles)
Data Services: Storage | SQL Database | HDInsight | Cache Redis | Backup | Recovery Manager
App Services: Media Services | Service Bus | Notification Hubs | Scheduler | Automation | BizTalk Services | BizTalk Hybrid Connections | Visual Studio Online | Active Directory | Multi Factor Authentication | API Management | Azure RemoteApp
Network: ExpressRoute | Virtual Network | Traffic Manager | CDN
SDK’s: .NET | Java | PHP | Python | Node.js | Ruby

10 Implement Websites Azure Websites
Deploy Websites
Configure Websites
Configure Diagnostics, Monitoring, Analytics
Configure Scale & Resilience
Manage Hosting Plans
See Websites, Cloud Service and Virtual Machines Comparison

11 Deploy websites
Deployment Slots
Live sites w/ own hostnames
Alpha Numeric only! + hyphens
Requires Standard mode plan (= 1, 2, 4 cores | up to 10 instances)
Can Swap for Prod
Swap the slots to Rollback
Webjobs
Scripts or Programs: .bat, ps1, .sh, PHP, .py, Node.js
2 options: w or w/o web project
RUN: 1. Continuous (App_Data/jobs/continuous) Preview 2. Scheduled 3. On-Demand (App_Data/jobs/triggered)
Create Schedule
Deploy an Console or VS (needs Azure SDK 2.4)

12 Configure websites
How to configure Websites – step-by-step
Settings: Web App loads name/value pairs | .Net Configuration at runtime
PHP, Python, Java and Node.js applications access as env vars
Connection Strings for SQL db, SQL Server, MySQL, Custom
Handler Mappings: add custom scripts for custom extensions
Virtual Application – specify each dir with root site
Check Application checkbox to mark as an app in site config

13 Connection Strings for linked resources
.Net Sites: Use connection strings at runtime. HIDDEN by default!
Other languages: Use Environment Variables at Runtime
EXAMPLES
SQL Server: SQLCONNSTR_
MySQL: MYSQLCONNSTR_
SQL Database: SQLAZURECONNSTR_
Custom: CUSTOMCONNSTR_
IF MySQL connection string was named mystring1 THEN access through the env variable MYSQLCONNSTR_mystring1
See MySQL Example
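The prefix scheme on this slide, as an added example that is not part of the original deck: a Python helper that finds connection strings by prefix and produces a redacted inventory that is safe to log. The secret-key list, the function names and the sample environment are assumptions made for the illustration.

```python
"""Inventory connection-string environment variables without leaking secrets."""

# Prefixes listed on the slide, mapped to the connection-string type they mark.
PREFIXES = {
    "SQLCONNSTR_": "SQL Server",
    "MYSQLCONNSTR_": "MySQL",
    "SQLAZURECONNSTR_": "SQL Database",
    "CUSTOMCONNSTR_": "Custom",
}

# Keys whose values must not reach logs (assumed list; extend for your drivers).
SECRET_KEYS = {"password", "pwd", "accountkey", "sharedaccesskey"}


def redact(conn_str):
    """Mask secret values in a key=value;key=value connection string."""
    if "=" not in conn_str:
        return "***"  # opaque format: nothing in it is safe to show
    safe = []
    for pair in conn_str.split(";"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if key.strip().lower() in SECRET_KEYS:
            value = "***"
        safe.append(key.strip() + sep + value)
    return ";".join(safe)


def get_connection_string(name, environ):
    """Return (kind, raw value) for a named connection string, or None."""
    for prefix, kind in PREFIXES.items():
        if prefix + name in environ:
            return kind, environ[prefix + name]
    return None


def inventory(environ):
    """List every connection string in the environment, redacted for logging."""
    found = []
    for var in sorted(environ):
        for prefix, kind in PREFIXES.items():
            if var.startswith(prefix):
                found.append({
                    "kind": kind,
                    "name": var[len(prefix):],
                    "safe": redact(environ[var]),
                })
                break
    return found


# Constructed sample environment; hosts, users and secrets are made up.
SAMPLE_ENV = {
    "MYSQLCONNSTR_mystring1":
        "Database=appdb;Data Source=db.example.invalid;User Id=appuser;Password=constructed-secret-1",
    "SQLAZURECONNSTR_main":
        "Server=tcp:srv.example.invalid,1433;Database=main;User ID=app;Pwd=constructed-secret-2;Encrypt=True",
    "CUSTOMCONNSTR_cache": "cache.example.invalid:6380,constructed-token",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for entry in inventory(SAMPLE_ENV):
        print(entry)
```

In a real app, pass `os.environ` instead of `SAMPLE_ENV`; only `get_connection_string` ever returns the raw value.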

14 Configure websites Configure Custom Domain Name, SSL & more!
CNAME (Alias) versus A record | Read more
Video Walkthrough: Create Custom Domain Name and Securing Communication
Awverify -> CNAME to prove you own it
Get-AzureDeployment -ServiceName yourservicename | Select Url
Need CNAME for WWW also
Use for CNAME
Use for A record

15 Configure websites

16 Manage Websites | PowerShell
Get-AzureWebsite
    Get-AzureWebsite siteslotstest
New-AzureWebsite
    New-AzureWebsite siteslotstest -Slot staging -Location "West US"
Publish-AzureWebsiteProject
    Publish-AzureWebsiteProject -Name siteslotstest -Slot staging -Package [path].zip
Show-AzureWebsite
    Show-AzureWebsite -Name siteslotstest -Slot staging
Switch-AzureWebsiteSlot
    Switch-AzureWebsiteSlot -Name siteslotstest
Remove-AzureWebsite (To Delete)
    Remove-AzureWebsite -Name siteslotstest -Slot staging

17 Manage Websites | Xplat-CLI
To list the commands available for Azure Websites in the xplat-cli, call
    azure site -h
    azure site list siteslotstest
    azure site create siteslotstest --slot staging
    azure site create --git siteslotstest --slot staging
    azure site swap siteslotstest
    azure site delete siteslotstest --slot staging
See more

18 Configure Diagnostics, Monitoring Analytics
Application Diagnostics | “Configure”: File System, Table Storage and Blob Storage
Site Diagnostics | “Configure”: Web Svr Logging (W3C), Error Msgs (HTTP Status), Failed Request Tracing, Remote Debugging
Diagnostic Logs: File, Table, Blob
Download with: FTP, PS, Azure CLI
Monitor in the Portal: View Data, Adding Metrics, Configure Alerts
Also, KUDU! Git support for websites
See How to Monitor Websites

19 Configure Diagnostics, Monitoring Analytics
Up to 2 Endpoints, 3 Geographic locations
Uses HTTP Get on web URL.
Each location runs test every 5 minutes
How to Monitor Websites

20 Logging Websites
PowerShell
    Save-AzureWebSiteLog -Name websitename
    #View Live Stream
    Get-AzureWebSiteLog -Name websitename -Tail
Azure Command-line
    azure site log download websitename
    azure site log tail websitename

21 Configure Diagnostics, Monitoring Analytics
Configure Scale
IF Select Shared or Basic only get… Hosting Plans | Instance Size | Instance Count
NOTE: if Shared, NO instance size!
How to Scale Websites

22 Configure Diagnostics, Monitoring Analytics
Configure Scale
Select Standard: Hosting Plans | Instance Size | Instance Count
Schedule Times: Day and Night or Weekend Weekday | Half hour increments
Then can Scale by Metric: Target CPU

23 Configure Resilience Traffic Manager
Distribute requests to Multiple Websites
Run Instances of apps across Azure Regions
Intelligent Policy Engine to DNS queries
Steps: Add DNS CNAME | Configure DNS Prefix (Must be unique!)
Load Balancing: Failover | Round Robin | Performance
Monitoring

24 Manage Hosting Plans
Create Hosting Plans
Free, Shared | 32-bit apps only! | Shared Infrastructures
Basic, Standard | Dedicated Infrastructure
Basic: Sm (1 core), Med (2), Large (4)
See What is a Web Hosting Plan and Web hosting plans In-Depth
Migrate Between Plans
ACTIONS: Change Plan | Configure Settings
DO NOT require code change or redeploy!
Create Website w/in Plan
Just do it!

25 Implement Websites – know these 5 things now
Run Web Jobs 3 ways: 1. Continuous 2. Schedule 3. On-Demand
Connection Strings | how made available? .Net vs. others? .Net: uses connectionStrings object | OTHERS: as Environment Variables
Website Diagnostics | # endpoints & # geo locations: Up to 2 Endpoints, 3 Geographic locations
Configure Scale – what additional options w/ STD? Schedule: Day/Night, Weekday/Weekend, Half hour incr. | By Metric: Instance Count, Target CPU
Hosting Plans – Name the 4: Free | Shared | Basic | Standard

26 Implement Virtual Machines
Deploy Workloads
Implement Images and disks
Configuration Management
Configure networking
Configure resiliency
Design Implement Storage
Monitor VMs
(Diagram: Cloud Service containing Virtual Machines)
See Websites, Cloud Service and Virtual Machines Comparison

27 Virtual Machine Sizes
General Purpose VMs
Compute Instance Name | Virtual Cores | RAM
Extra Small (A0) | Shared | 768 MB
Small (A1) | 1 | 1.75 GB
Medium (A2) | 2 | 3.5 GB
Large (A3) | 4 | 7 GB
Extra Large (A4) | 8 | 14 GB
Memory Intensive VMs
Compute Instance Name | Virtual Cores | RAM
A5 | 2 | 14 GB
A6 | 4 | 28 GB
A7 | 8 | 56 GB
Compute Intensive VMs
Compute Instance Name | Virtual Cores | RAM | Networking
A8 | 8 | 56 GB | 40 Gbit/s InfiniBand
A9 | 16 | 112 GB |
Each Persistent Data Disk Can be up to 1 TB with up to 16 disks per VM

28 Deploy Workloads on Azure VMs
Microsoft Supported Workloads
Server Roles: AD, AD FS, DNS, Print, Application, File, RAS, RDP, Web, WSUS | SQL, SP, SC, Dynamics
NOT GOOD: Low Volume | Limited growth | Regulated Environments
Read more
Deploy and Connect to a Linux VM
Supported: UBUNTU , & 14.04 | CentOS by OpenLogic 6.3+ | Oracle Linux 6.4+ | SUSE Linux Enterprise Server SLES SP3 | OpenSUSE 13.1+
Create VMs: Portal | PowerShell
Create a VM running Windows. Create a VM running Linux

29 PS: Create Virtual Machine
BEFORE the command, you would do….
Add-AzureAccount           # you would enter your creds
Get-AzureSubscription      # record the subscription
Get-AzureStorageAccount    # record the storage account
Set-AzureSubscription -CurrentStorageAccountName yourstorageaccountname -SubscriptionName "your subscription name"
# $webvm1 is not shown on the slide; it is assumed to be built the same way as $webvm2
$webvm2 = New-AzureVMConfig -Name "Webvm2" -InstanceSize Small -ImageName $vmimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPassword
New-AzureVM -ServiceName $svcname -VMs $webvm1, $webvm2 -Location $location

30 Implement Images and Disks
OS Images: Microsoft | Partner | User
Base OS image for new Virtual Machines
Sys-Prepped/Generalized/Read Only
Created by uploading or by capture
Disks (2 min): OS Disks | Temp disks | Data Disks
Writable Disks for Virtual Machines
Created during VM creation or during upload of existing VHDs.
See About Disks and Images
See “How to Attach a Disk”

31 Perform Configuration Management
Automate Management
PS – Find, Create, Delete. To Automate VM Processes
DSC – w\ Azure Extension. To Automate VM Config
Custom Script Exts
Helper Extensions e.g. BGInfo, VMAccess, VMM
Enable Puppet, Chef Extensions
Chef: Resources managed by “Recipes” = reusable definitions for tasks | Knife Azure plug-in
Puppet: Build, Deploy, Manage = Lifecycle | “Puppet Master” pre-configured on Ubuntu server | “Puppet Enterprise” Agent – install as agent
See “About Azure VM Configuration settings” & “Manage Images Using PowerShell”

32 Configure VM Networking
Reserved IP Addresses: /8 | /12 | /16
Each can have multiple subnets
Smallest supported subnet is /29.
Size Hosts for 2^n-2
Don’t use same as on-premises
Access Control Lists
Permit / Deny Packet Filtering
For Endpoints only
Can’t for Virtual Network or subnet w/in
Ordered first to last. So least->most restrictive!
For VMs in Vnet use NSGs instead!
Read more!

33 Configure VM Networking
Internal Name Resolution
ELEMENT | LOCATION | NAME RESOLUTION PROVISION
Between role instances or VMs | Same Cloud Service | Azure Internal Name Resolution
Between VMs | Same VNet
Same VNet / diff Cloud Services
Same Cloud Services but not in a VNet | NOT POSSIBLE: VMs & role instances can’t be deployed this way
Between role instances | Different Cloud Services but not in a VNet | NOT POSSIBLE: connectivity between role instances in diff cloud svcs not supported
If Azure <-> on-premises => Use your own DNS Server
If Between on-premises to Azure public endpoints, then use MS Azure external name resolution.
Read more on DNS

34 Configure VM Networking
Load Balancing Endpoints
1 Public (used by ILB) & 1 Private Port (used by VM internally) per endpoint
Azure Balancer distributes based on: Source Address, Protocol, Source/Destination Port
Internal Load Balancing w/in Cloud Service!
Use for RDP, PSRemote, SSH
Health Probes
HTTP/TCP
Provide Base Availability Data Detail
Extensible with custom probes
Firewall Rules
Leveraging public/private/domain profiles
Automatically for RDP / SSH PS Remoting

35 Configure VM Networking
Direct Server Return
Mitigates load balancer bottleneck
    vm endpoint create <VM NAME> <LB PORT> --enable-direct-server-return
Keep Alive
TCP Keep-Alive packets will keep the connection from your client to the load balancer open during a long-running HTTP request
    .SetTcpKeepAlive(true, 30000, 30000)

36 Configure VM resiliency
Scale Up Scale Down
Slide the slider!
See Azure Limits!
Auto-Scale
Auto-scales Based on Schedule or load
Can leave VMs set initially running or stopped
Configure on the Cloud Service containing them
Configure Availability Sets
VMs in separate Fault Domains | 50 VMs Max per SLA | HW SW | Windows & Linux
Combine with Load Balancer to increase resiliency
Avoid Single instance machine = NO SLA
See How to configure an Availability Set for VM & VM Configuration Settings

37 Fault and Update Domains
Fault Domains
Groups of resources
Same rack, Server, Power Source, Network Switch
Fabric spreads across min 2 fault domains
Availability Set by default, spreads VMs across two
Update Domains
Groups of resources to be updated together
Host OS updates honour service update domains
Specified in service definition
Default of 5 (up to 20)
Only 1 rebooted at a time
Fabric Controller spreads role instances across Update Domains and Fault Domains

38 Key Concepts: Hierarchy, Limits and Locking
Object | Limit | Locking
Subscription | 120 Create/Add operations in 5 minute window | N/A
Cloud Service | 200 per subscription | ~3 minutes per update
Virtual Machine | 50 per cloud service, 2048 per Virtual Network | None
Virtual Network | 100 per subscription | Single modification API
Storage Account
Storage Container | No Limit
Storage Blob | 40 per storage account | One blob per container per storage account at a time
Hierarchy
Subscription
    Cloud Service (200)
        Virtual Machine (50x200)
    Virtual Network (100)
    Storage Account (100)
        Storage Container
            Storage Blob (40x100)
Read more

39 Design and implement VM storage
Configure Disk Caching
OS and Data Disk have host caching setting aka host-cache mode
Host caching - off by default for RW for data disks.
Host-caching is ON by default for RW for operating system disks
Modify using Set-AzureOSDisk or Set-AzureDataDisk
Config OS Disk Redundancy
3 copies by default
If Geo-Redundancy enabled, then also at another site > 400 miles

40 Virtual Machine Storage Architecture
Azure Virtual Machine
C:\ OS Disk | SATA | 127 GB Max
Temporary Disk | Windows: D:\ | Linux /dev/sdb
E:\, F:\, etc. Data Disks | SCSI | 1 TB Max
Disk Cache
Azure Blob
See How to change the Temp Drive Letter

41 Configure shared storage using Azure File service
Create a context for your storage account and key
    $ctx=New-AzureStorageContext account-name account-key
Create a new file share
    $s = New-AzureStorageShare sampleshare -Context $ctx
Create a directory in the file share
    New-AzureStorageDirectory -Share $s -Path sampledir
Upload a local file to the directory
    Set-AzureStorageFileContent -Share $s -Source C:\temp\samplefile.txt -Path sampledir
Persist storage account cred for VM & mount share with them!
See Detailed Steps and PS examples

42 Design and implement VM storage
Config Geo-Replication
LRS – three local copies
ZRS – zone copies w\in single facility & region
GRS is recommended over ZRS or LRS for maximum durability. Enabled for Storage Account by default = 6 copies of data – three times each in two data centers
RA-GRS Read-Access geo-redundant allows read access at secondary when primary region becomes unavailable.
NOTE: Once selected, can’t change!
Striping may cause data loss – win/linux

43 Monitor VMs
Configure Endpoint Monitoring
Can Aggregate metrics every hour or minute
Configure Alerts
Select Metric | Condition | Threshold | Alert Evaluation
Can Specify sends
Configure Diagnostics
See monitor, diagnose and troubleshoot Microsoft Azure Storage

44 Implement Virtual Machines – know these 5 things now
3 Ways to Automate Management: PowerShell | Desired State Configuration | Extensions e.g. Custom, Puppet, Chef, Octopus
Load Balancing Endpoints: 1 Public 1 Private IP | w/in Cloud Service | Use for RDP, PS Remote, SSH
Access Control Lists: Security Enhancement | Permit/Deny | Per Endpoint Only | By PowerShell or Mgt Portal
Fault Domain | Update Domain: Protects against rack failure | OS Updates
Geo-Replication Options: LRS (Single Region) | ZRS (Across 2-3 facilities within or across 2 regions) | GRS (3x’s in 2 regions)

45 Implement Cloud Services
Configure Cloud Services & Roles
Deploy and Manage Cloud Services
Monitor Cloud Services
See Cloud Services
See Websites, Cloud Service and Virtual Machines Comparison

46 Configure cloud services and roles
Instance Count and Size
Size Determines cores & memory
OS Ver and Family
Windows or Linux
2 types of roles:
web role: dedicated IIS for hosting front-end web applications.
worker role: Applications can run asynchronous, long-running or perpetual tasks independent of user interaction or input.

47 Configure cloud services and roles
Upgrade & Fault Domains
Each VM in Avail Set assigned one of each
FD = group of VMs w\ common power source and network switch
By default, VMs across Avail Set are split in FDs
ACLs | Reserved IPs | Network Access Rules

48 Configure cloud services and roles
Configure Local Storage Dedicated & Co-Located Caching Local & Cloud Configs | Local Disks

49 Configure cloud services and roles
Configure Multiple websites Configure Custom Domains

50 Deploy and manage cloud services
3 things Before you begin….
1. Install Azure SDK, then download the SDK for the language to develop your code.
2. If any role instances require a certificate, create the certificates. Cloud services require a .pfx file with a private key. Upload to Azure as you create and deploy the cloud service.
3. Plan to deploy to Affinity Group? Use to deploy your cloud service and other Azure services to the same location in a region. You can create the affinity group in the Networks area of the Management Portal, on the Affinity Groups page.

51 Deploy and manage cloud services
3 components are required in order to deploy an application as a cloud service in Azure:
service definition file: The cloud service definition file (.csdef) defines the service model, including the number of roles.
service configuration file: The cloud service configuration file (.cscfg) provides configuration settings for the cloud service and individual roles, including the number of role instances.
service package: The service package (.cspkg) contains the application code and the service definition file.
Read more

52 Deploy and manage cloud services
Upgrade Deployment
i.e. new code! 1 or all roles
Need new svc pckg and svc config
VIP Swap
Staging -> Production update deployment

53 Deploy and manage cloud services
In-Place Updates
Go look! Runtime Configuration changes - portal
Scale a Cloud Service
Must add VMs to Availability Set to scale an application
Can only scale within limit of cores for subscription
All VMs in Availability Set, Must be the same size
For application HA, ensure deployed w\ two or more role instances or Virtual Machines.

54 Deploy and manage cloud services
Create Service Bus Namespaces & choose tier
See How to Use Service Bus Queues – for “Create a Service Namespace Steps!”
Max # of service namespaces per subscription = 100
Connectivity options for WCF, REST endpoints
Endpoints can be behind NAT or
Apply Scalability Targets

55 Monitor cloud services
Create Storage Account
Enable Azure Diagnostics
Azure Extensions to Collect diagnostic telemetry data from Worker role, Web Role, or VM in Azure
Need connection strings to Storage Accounts
Then, can do verbose – stored for 10 days
Configure Diagnostic Connection Strings
Default format looks like
    DefaultEndpointsProtocol=https;AccountName=StorageAccountName;AccountKey=StorageAccountKey
Monitor Cloud Services

56 Implement Cloud Services – know these 5 things now
What is a Web Role: dedicated IIS for hosting front-end web apps
3 Components to deploy application in Azure Cloud Service? Service Definition file (.csdef) | Service Config File (.csdef) | Service Package (.cscfg)
What is a Worker Role: Apps run asynch, long-running or perpetual tasks independent of user interaction or input.
Diagnostics can collect from… Worker Role | Web Role | VM’s in Azure | All from TELEMETRY Data
What are the 2 types of Service Bus Messaging capabilities? Relayed | Brokered

57 Implement Storage
Implement Blobs and Azure Files
Manage Access
Configure Diagnostics, Monitoring & Analytics
Implement SQL Databases
Implement Recovery Services
See Websites, Cloud Service and Virtual Machines Comparison

58 Implement Blobs
Highly scalable, REST interface based object store in the cloud
Data sharing – share documents, pictures, video, music, etc.
Big Data – store raw data/logs and compute/map reduce over data
Backups – data and device backups
Block blobs - (read/write/update blocks of data, great for sequential IO like files). Up to 200GB each. Most cost effective storage.
Page Blobs - (read and write in 512 byte pages, sparse files and random access, e.g. for disks). Up to 1TB each
AZCopy cli: high-performance uploading, downloading, and copying data to and from Microsoft Azure Blob, File, and Table storage

59 Set Metadata on Container
Go to Storage Select some Containers tab Edit at bottom

60 Azure Files Shared Network File Storage for Azure
Availability, durability, scalability are managed automatically
Supports two interfaces: SMB and REST
(Diagram: IaaS VMs and a PaaS VM connected to an Azure File Share (PaaS))

61 Azure Files - SMB 2.1 Protocol
Enables moving on-premises applications that rely on shared file storage to Azure
Azure VMs can “net use” to a share
Natively supported by OS APIs, libraries, and tools
Windows (CreateFile, ReadFile, WriteFile, …)
CRTs (fopen, fread, fwrite, …)
.Net (FileStream.Read, FileStream.Write, …)
Many more
Supports standard file system semantics
Move and rename files and directories
Read-only, write through, overlapped
Change notifications

62 Azure Files - File REST APIs
Allows internet access to the same shared file system
Build hybrid applications (on premises + cloud)
Supports a variety of common APIs:
- Create/Delete Files and Directories
- Write/Read Files
- Get File and Directory properties
- List Files

63 Manage Access SAS – Shared Access Signatures Stored Access Policies
SAS - Shared Access Signatures
- 2 types: Ad Hoc SAS & SAS with Stored Access Policy
- Delegated access to Storage Account resources > Blobs, Queues, Tables
- URI format with permissions and specified time | signedidentifier specifies the Stored Access Policy
- Client then passes the SAS to constructor or method
Stored Access Policies
- Group SASs + provide additional restrictions | up to 64 char
- Greater control | Best practice to use with SAS
- 5 policies per container, queue or table. Each policy: unlimited SASs
Regenerate Keys
- WHY? Increase security
- Affects virtual machines, media services, and any applications dependent on the storage account.
- Must update all clients to use the new key.
Shared Access Signatures, Pt 1 | Stored Access Policies
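The difference between the two SAS types and a key regeneration, as an added example that is not part of the original deck: a simplified model of the service-side check, showing that removing a stored access policy cuts off only the SASs that name it, while regenerating the key invalidates every SAS. Assumptions: the string-to-sign is simplified and is not the service's real field list, the keys are constructed, and `Container`, `adhoc_sas`, `policy_sas` and the `resource` field are hypothetical names; `sp`, `se`, `si` and `sig` follow the SAS query parameter names.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def new_account_key(seed: bytes) -> str:
    """Constructed stand-in for a storage account key (base64 text)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()


def _sign(account_key: str, resource: str, sp: str, se: str, si: str) -> str:
    # Simplified string-to-sign (assumption): the signed fields joined by
    # newlines. The real service defines its own field list per API version.
    msg = "\n".join([resource, sp, se, si]).encode()
    mac = hmac.new(base64.b64decode(account_key), msg, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def adhoc_sas(account_key, resource, perms, expiry):
    """Ad hoc SAS: permissions and expiry travel inside the signed token."""
    se = expiry.isoformat()
    return {"resource": resource, "sp": perms, "se": se, "si": "",
            "sig": _sign(account_key, resource, perms, se, "")}


def policy_sas(account_key, resource, policy_id):
    """SAS with stored access policy: the token only names the policy (si)."""
    return {"resource": resource, "sp": "", "se": "", "si": policy_id,
            "sig": _sign(account_key, resource, "", "", policy_id)}


class Container:
    MAX_POLICIES = 5  # per container, queue or table (from the slide)

    def __init__(self, name, account_key):
        self.name = name
        self.account_key = account_key
        self.policies = {}  # policy id -> (permissions, expiry)

    def set_policy(self, policy_id, perms, expiry):
        if len(policy_id) > 64:
            raise ValueError("policy id is limited to 64 characters")
        if policy_id not in self.policies and len(self.policies) >= self.MAX_POLICIES:
            raise ValueError("at most 5 stored access policies per container")
        self.policies[policy_id] = (perms, expiry)

    def authorize(self, sas, operation, now):
        expected = _sign(self.account_key, sas["resource"], sas["sp"],
                         sas["se"], sas["si"])
        if not hmac.compare_digest(expected, sas["sig"]):
            return "denied: signature"
        if sas["resource"] != self.name:
            return "denied: resource"
        if sas["si"]:
            if sas["si"] not in self.policies:
                return "denied: policy removed"
            perms, expiry = self.policies[sas["si"]]
        else:
            perms, expiry = sas["sp"], datetime.fromisoformat(sas["se"])
        if now >= expiry:
            return "denied: expired"
        return "allowed" if operation in perms else "denied: permission"


def demo():
    now = datetime(2015, 5, 4, 12, 0, tzinfo=timezone.utc)
    key = new_account_key(b"constructed key 1")
    box = Container("reports", key)
    box.set_policy("readers", "r", now + timedelta(hours=1))
    adhoc = adhoc_sas(key, "reports", "r", now + timedelta(hours=1))
    named = policy_sas(key, "reports", "readers")
    out = {"issued": (box.authorize(adhoc, "r", now), box.authorize(named, "r", now))}
    del box.policies["readers"]  # revokes every SAS tied to this policy
    out["policy removed"] = (box.authorize(adhoc, "r", now), box.authorize(named, "r", now))
    box.account_key = new_account_key(b"constructed key 2")  # regenerate key
    out["key regenerated"] = (box.authorize(adhoc, "r", now), box.authorize(named, "r", now))
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The ad hoc SAS stays valid after the policy is removed and stops working only when the key changes, which is why the slide calls stored access policies the best practice and why key regeneration means updating every client.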

64 Configure diagnostics, monitoring and analytics
Configure Retention Policies
- # Days (1-365) | zero = set no policy
Logging Levels
- Minimal - e.g. ingress/egress, availability, latency, & success %’s. Aggregated for the Blob, Table, and Queue services.
- Verbose - Same as above + collects same metrics per each storage operation in Azure Storage Service API. Enables closer analysis of issues occurring during application operations.
- Off - Turns off monitoring. Existing monitoring data persisted till end of retention period.
Analyze Logs
- Logs saved in blob container $logs in storage account. Use Blob svc API to access
See Monitor Storage Account

65 Implement SQL databases
Database Tiers. Change Tiers and Service Levels (Must Read!)
Service Tier | Common App Pattern | Perf Objectives | Max Size
Basic | Small databases with a single operation at a given point in time | Reliability per hour | 2 GB
Standard | Workgroup and cloud applications with multiple concurrent transactions | Reliability per minute | 250 GB
Premium | Mission-critical, high transactional volume with many concurrent users | Reliability per second | 500 GB

66 Implement SQL databases
Im/Export Data
- Geo-Restore & Point in Time preferred
- Can use for Archiving
- Can combine with Database Copy
- Temp increase perf level to decrease export times
- Export is in bulk | no guarantee on transactional consistency
- Export = BACPAC files | requires Storage Account | Use Export Data-tier Application Wizard
- Can Schedule Automated Exports & Also Can Import/Export using REST API
Im/Export Schema
- DAC packages and BACPAC files target different scenarios.
- A BACPAC contains both schema and data, but does not support being imported to a database project for schema modification.
- DAC packages contain only schema information and can be imported into an SSDT database project for further development work.
- The primary use for a DAC package is in deploying a database schema to development, testing, and then production environments.
Read More

67 Implement SQL databases
Azure SQL Database Copy
- Create transactionally consistent copy
- Then Export the copy and use for Archiving
- Store Export in Azure Blob Storage Account
- Automated exports always create a copy of the DB, then export from the copy
Read More

68 Implement SQL databases
Sharding Defined
- Partitions data across multiple databases. Each database in this model is referred to as a shard.
Design Scaling Strategy
3 methods to implement Sharding
- Elastic Scale
- Custom Sharding
- Federations
Read More

69 Implement recovery services
Create Backup Vault
- Backs up files/data from Win Server to Azure
- Create a backup vault in geographic region
- Vault Credentials Replace Certificates
Backup & Restore Data
- “Protected Items” = been backed up
- Recover 2012 or 2008 R2 SP1
- Alternate Server Recovery: Start-OBRecovery -RecoverableItem $FinalItem -RecoveryOption $secureString -Credential $cstrial
See Configure Azure Back Up to back up Windows Server
Also Azure Backup Overview

70 Implement recovery services
Deploy Backup Agent
- REQUIRES: WIF and PS
- WABInstaller.exe
- Can install on: Servers: 2012 R2, 2012, 2008 R2 SP1 | 64 bit Win 7, 8, 8.1 | Ext available for Server 2012 Essentials
- If using DPM, requires Update Roll up 2 for SCDPM SP1
- Recovery Services -> Quick Start -> to generate and download credential
- Select Agent Type: Azure Backup Agent Windows Server and System Center Data Protection Manager Windows Server Essentials
See Install Backup Agent and upload vault credential
Also Administer Azure Backup with Windows PowerShell

71 Implement Storage – know these 5 things now
1. Implement Blobs: Block Blobs (Sequential IO) up to 200GB each | Page Blobs (Random Access) up to 1 TB
2. Shared Access Signatures: Delegated Access | Limit Permissions to Blobs, Queues, Tables | URI format w/perms & spec. time
3. Logging Levels: For Blobs, Tables and Queue Services | Off, Minimal, Verbose -> per Storage operations
4. SQL Import/Export | 2 File Types & Scenarios: BACPAC contains both schema and data | DAC packages contain only schema
5. Deploy Backup Agent | can install on…: Servers 2012 R2, 2012, 2008 R2 SP1, 64 bit Win 7, 8, 8.1, Ext available - Server 2012 Essentials

72 Implement Azure Active Directory
- Integrate Azure AD with other dirs
- Configure the Application Panel
- Integrate an app with Azure AD

73 Integrate an Azure AD with existing directories
Synchronization
[Diagram labels: Active Directory, Active Directory, Identity Sync with password hash sync]
- User attributes are synchronized, including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory
- *Write back of attributes to support cloud first and co-existence
Federation
[Diagram labels: Active Directory, Active Directory, Identity Sync, AD FS]
- User attributes are synchronized. Authentication is passed back through federation and completed against Windows Server Active Directory
- AD FS provides conditional access to resources, Work Place Join for device registration and integrated Multi-Factor Authentication

74 Integrate an Azure AD with existing directories
SSO with On-premises
- 2012 R2 AD FS and Web Application Proxy
Add Custom Domains
- Create CNAME in Registrar’s DNS Table
- With Azure PowerShell run Get-AzureDeployment -ServiceName yourservicename | Select Url
- Use for CNAME
- Add www alias or subdomain if needed
Read More

75 Configure the Application Access Panel
Configure SaaS SSO
- SaaS providers leverage AAD as an IdP STS. This is similar to the relationship they would otherwise have with AD FS
- AAD decides how to authenticate the user: federated or standard, MFA or simple password
- SSO is facilitated using the protocols expected by the SaaS provider: SAML-P, WS-Federation, OpenID Connect
- Depending on the app, single-sign out and password reset integration will be supported

76 Configure the Application Access Panel
Add Users/Groups to Apps
Access Panel by Custom branding? Load by appending your organization’s domain
USERS CAN: change PW, Edit PW Reset, MFA prefs, view account details, view/launch apps, Self-manage groups
Authentication
- Users must be authenticated by Organizational account in AAD
- If Federation, then can AuthN against on-premises
Read more…

77 Configure the Application Access Panel

78 Configure the Application Access Panel

79 Integrate an app with Azure AD
- Web Apps | WS-Fed
- SOAP Clients | WS-Trust spec | RST/RSTR
- Desktop Apps | OAuth
- RESTful Apps | HTTP Methods | Stateless
Graph API
- Programmatic access to AAD through REST API Endpoint
- Apps use to perform CRUD operations on Directory data and objects
- To call on directory must register APP with AAD
- RBAC – Security Groups used to perform RBAC in Graph API
- EXAMPLES: Create New User, Get Properties, Disable, Check Group Membership, update, delete, etc
Query an Azure AD directory using the Graph API

80 Implement Azure Active Directory – know these 5 things now
1. Azure AD Integration Options: Azure AD Sync | Dirsync | FIM 2012 R2
2. Add Custom Domains: Create CNAME | Get-AzureDeployment -ServiceName yourservicename | Select Url
3. Configure SaaS SSO: AAD is the IdP | AAD determines AuthN, fed/std/MFA/Password, SSO: SAML-P, WS-Fed, OpenID Connect
4. WS-Fed vs. OAuth Apps: SOAP Clients, WS-Trust spec, RST/RSTR | RESTful Apps, HTTP Methods, Stateless
5. Graph API: Access AAD | REST | CRUD operations | Must register App with AAD | Security Groups use RBAC

81 Implement Virtual Networks
See Virtual Network Configuration Tasks
- Configure a Virtual Network
- Modify a Network Configuration
- Design and implement a multi-site or hybrid network

82 Implement Virtual Networks
[Diagram labels: Azure Virtual Network, Service consumers, Internet, On premises Datacenter]
Virtual Networks
- Flexible, multi-tier topology
- Network segmentation
- Internal load balancing
Front-End Network Access
- Load-balanced and direct VIPs
- ACLs & DDoS protection
- Traffic Manager & Azure DNS
Hybrid Connectivity
- Secure Internet cross premises VPN connectivity
- ExpressRoute – direct connectivity

83 Internet Connectivity

84 Traffic Manager: DNS-based Load Balancing
Load balancing policies
- Performance - Direct to “closest” service based on network latency
- Round-robin - Distribute equally across all services
- Failover - Direct to “backup” service if primary fails (also included in other policies)

85 Nested Profile for Traffic Manager
[Diagram labels: MyApp.TrafficManager.net; Performance Load Balancing; WestUS.CloudApp.net; EastUS.CloudApp.net; EUNorth.TrafficManager.net; EUWest.CloudApp.net; AsiaEast.CloudApp.net; JapanWest.CloudApp.net; Weight=95%; Weight=5%; EUNorth.CloudApp.net; EUNorth-new.CloudApp.net]

86 Internet IP Addresses & Load Balancing
VIP
- Internet IP load balanced among one or more VM instances
- MUST explicitly “open” input endpoints
- Primarily for load balanced, highly available, or auto-scale scenarios
PIP
- Internet IP assigned to a single VM exclusively
- Entire port ranges are accessible by default
- For applications that dispatch/redirect to a secondary port(s) on the same VM or require to target a specific VM
[Diagram labels: Internet, Microsoft Azure LB, Cloud service, Reserved VIP, VM1, VM2, DIP1, DIP2]

87 Azure Load Balancing Algorithms
Default
- 5-tuple-hash based; spreading incoming connections to all active instances
Source-IP-based affinity
- All connections from the same Internet client IP to the same backend server
Scenarios
- Applications that require multiple connections to the same server
- Example: media streaming to establish control and data channel to same backend server
[Diagram labels: Client 1, Client 2, Client 3, VIP, Azure Load Balancer, VM Server Instance 1, VM Server Instance 2]

88 Virtual Network
See Virtual Network Configuration Tasks

89 Azure Virtual Network Bring Your Own Network
Bring Your Own Network
- Address spaces – Private/RFC1918 & Public IP*
- Multi-tier subnet topology
- Bring your own AD & DNS
- Linux, virtual appliances, & Windows
Logical isolation with control over network segmentation using Network Security Groups
Secure cross premises connectivity
- S2S VPNs & ExpressRoute
Direct Internet Connectivity
[Diagram labels: On Premises 10.0/16, Internet, VPN GW, Backend 10.3/16, Mid-tier 10.2/16, Frontend 10.1/16, AD / DNS, Azure Virtual Network]

90 Network Security Groups
See About NSGs
- Enables network segmentation & DMZ
- Access Control List
- Filter conditions with allow/deny
- Individual addresses, address prefixes, wildcards
- Associate with VMs or subnets
- Ingress: Subnet ACLs, VM ACLs, VM
- Egress: Subnet ACLs, VM ACLs, VM
[Diagram labels: On Premises 10.0/16, Internet, S2S VPNs, VPN GW, Backend 10.3/16, Mid-tier 10.2/16, Frontend 10.1/16, Virtual Network]

91 Network Security Groups
See About NSGs
Workflow Steps to Create
1. Create a network security group (NSG).
2. Add network security rules, unless the default rules are sufficient.
3. Associate the NSG to a VM.
4. Update the VM.
After update, the NSG rules will take effect immediately.

92 Network Security Groups
See About NSGs
Additional Key Points
- Can associate NSG to VM, or subnet w/in a VNet.
- VM or subnet can be associated with only 1 NSG, but each NSG can contain up to 200 rules.
- Can associate NSG to BOTH a VM and a subnet!
- You can have 100 NSGs per subscription.
- Endpoint-based ACLs and network security groups are not supported on the same VM instance. First remove Endpoint ACL before associating an NSG.
- Default rules cannot be deleted, but can be overridden because they are at the lowest priority
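How priority ordering and the two association points interact, as an added example that is not part of the original deck: a small evaluator that runs inbound traffic through a subnet NSG and then a VM NSG, and shows a custom rule overriding the default allow between subnets. Assumptions: the rule sets, addresses and the `Rule`, `evaluate` and `inbound` names are constructed for illustration, the virtual network is modelled as 10.0.0.0/8, and only two default inbound rules are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # single address, address prefix, or "*" wildcard
    port: str       # destination port number, or "*" wildcard
    action: str     # "Allow" or "Deny"


# Assumption: the virtual network's address space, covering the slides'
# 10.1/16 frontend, 10.2/16 mid-tier and 10.3/16 backend subnets.
VNET = "10.0.0.0/8"

# Default inbound rules, modelled at the lowest priorities. The default
# load balancer probe rule is left out of this model.
DEFAULT_INBOUND = (
    Rule("AllowVNetInBound", 65000, VNET, "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
)
MAX_RULES = 200  # per NSG (from the slide)


def _matches(rule, src_ip, port):
    if rule.source != "*":
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
            return False
    return rule.port == "*" or int(rule.port) == port


def evaluate(nsg, src_ip, port):
    """Return (action, rule name) of the first matching rule by priority."""
    if len(nsg) > MAX_RULES:
        raise ValueError("an NSG holds at most 200 rules")
    for rule in sorted(tuple(nsg) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, port):
            return rule.action, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def inbound(subnet_nsg, vm_nsg, src_ip, port):
    """Ingress passes the subnet NSG first, then the VM NSG; None = no NSG."""
    for layer, nsg in (("subnet", subnet_nsg), ("vm", vm_nsg)):
        if nsg is None:
            continue
        action, name = evaluate(nsg, src_ip, port)
        if action == "Deny":
            return f"Deny ({layer}: {name})"
    return "Allow"


# Constructed rule sets for the backend subnet (10.3/16) and one SQL VM in it.
BACKEND_SUBNET = [
    Rule("AllowMidTierSql", 100, "10.2.0.0/16", "1433", "Allow"),
    Rule("DenyRestOfVNet", 4000, VNET, "*", "Deny"),  # overrides the default allow
]
SQL_VM = [
    Rule("AllowAppServer", 100, "10.2.0.7", "1433", "Allow"),
    Rule("DenyRestOfVNet", 200, VNET, "*", "Deny"),
]

if __name__ == "__main__":
    cases = [("10.2.0.7", 1433), ("10.2.0.8", 1433),
             ("10.1.0.5", 1433), ("203.0.113.9", 1433)]
    for src, port in cases:
        print(src, port, "| defaults only:", inbound([], None, src, port),
              "| segmented:", inbound(BACKEND_SUBNET, SQL_VM, src, port))
```

With default rules only, the frontend address reaches the backend on 1433, so segmentation between tiers depends on the explicit deny placed above the default allow.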

93 Internal Load Balancing
- Enables load balancing among VMs with private IP addresses
- Accessible only by customer’s virtual network and on-premises networks
- Multi-tier applications with internal facing tiers require load balancing
- HA LOB apps
- SQL Always On
- RDP to internal endpoints for added default security
- Replaces “Floating IPs”
[Diagram labels: Internet, Public VIP, Azure Virtual Network, External load balancer, Internal VIP, Internal load balancer, Back end, Front end, Web frontend tier, Logic tier]

94 Multiple NICs in Azure VMs
- Up to 4 NICs per VM
- Multiple NICs enable virtual appliances in Azure
- IaaS (Azure VMs); VNet only
- MAC/IP addresses persist through VM life cycle
- No user action required
- Separate frontend-backend traffic, and management-data planes
[Diagram labels: Azure Virtual Machine, NIC2, NIC1, Default, Azure Virtual Network, VIP:, Internet, Backend Subnet, App Subnet, Frontend Subnet]

95 Configure a Virtual Network
Configure Static IPs
- Verify IP Address free: Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress
- Specify when creating new VM or for existing
- Can remove when done
- See all PS Examples!
Configure Internal Load Balancing
- Create ILB Instance
- Add endpoint to the ILB Instance
- Configure Servers to send their traffic to the new ILB Endpoint
- Existing virtual networks that have been configured for an affinity group cannot use ILB
- Read More – See PowerShell Examples!
Design Subnets

96 Modify a Network Configuration
Read More
- Modify a Subnet
- Import a Network Configuration
- Export a Network Configuration

97 Bring Your Appliances to the Cloud
“Azure Certified”
Building blocks
- Multiple NICs
- MAC address persistence
Appliance ecosystem
- Barracuda NG Firewall
- Citrix NetScaler
- Riverbed Steelhead, SteelApp, SteelStore
- More to come!

98 Hybrid Connectivity

99 Design and implement a multi-site or hybrid network
Cloud | Customer Segment and workloads
Secure point-to-site connectivity | Developers; POC Efforts; Small scale deployments; Connect from anywhere
Secure site-to-site VPN connectivity | SMB, Enterprises; Connect to Azure compute
ExpressRoute private connectivity | SMB & Enterprises; Mission critical workloads; Backup/DR, media, HPC; Connect to all Azure services
[Diagram labels: Virtual Network, Express Route, Traffic Manager]

100 Multi-site & VNet-to-VNet connectivity
Multi-site & VNet-to-VNet
Multiple Site-to-Site connections
- Multiple on-premises sites connect to same virtual network
VNet-to-VNet connectivity to any Azure datacenter
- Same region or cross regions
- For HA and DR, customers create virtual networks in different Azure regions
Cross-subscription connectivity
- Virtual networks in different subscriptions can securely communicate using private IP addresses
Connect to multiple virtual networks and on-premises locations
[Diagram labels: VNet2 East Asia 10.2/16, VNet1 US West 10.1/16, Contoso NorthAm HQ ( /16), Contoso East Asia ( /16)]

101 Forced Tunneling
- “Force” or redirect customer Internet-bound traffic to an on-premises site
- Auditing & inspecting outbound traffic from Azure
- Needed by many scenarios for critical security and IT policy requirements
[Diagram labels: On Premises, Internet, Forced Tunneled via S2S VPN, S2S VPNs, Internet, VPN GW, Backend 10.3/16, Mid-tier 10.2/16, Frontend 10.1/16, Virtual Network]

102 Gateway Enhancements
High Performance Gateway
- Better throughput
- More S2S tunnels
- Pricing: $0.49 per gateway hour. Data transfer & VNet traffic rates unchanged
No Encryption option
- Better throughput for VNet-to-VNet within Azure
- Intra-/Inter-region VNet-to-VNet traffic stays within Microsoft networks, not Internet
PFS Support for IKE
- Compliance requirements & better security
Operations Logs
- Visibility into critical gateway events
Gateway SKU | ExpressRoute Throughput* | S2S Throughput* | Max Tunnels
Default | 500 Mbps | 100 Mbps | 10
Performance | 1000 Mbps | 200 Mbps | 30
* Subject to traffic conditions and application behavior

103 Implement Virtual Networks – know these 5 things now
Network Security Groups Free | Shared | Basic | Standard Configure ILB Change Plan + Configure Settings Import Network Config | Modify Subnets Just do it! P2S | S2S Express Route

104 Resources
Microsoft Learning Site (http://bit.ly/Ignite-Learning)
Your one-stop location for info on all available Microsoft certifications, training, and exam prep resources
Microsoft Virtual Academy (
Your source for on-demand, online technical training
Microsoft Training and Certification Guide (
Interactive Windows 8.1 app, to help you choose and traverse your path
aka.ms/certification/70-533

105 © 2015 Microsoft Corporation. All rights reserved.

