# DAY 1
## Azure Monitor
tip: print out one of each report, becomes a reference for what's available
have to know what you're looking for, can easily spend an hour and not find what you're looking for
don't learn during a crisis
Admin activities are logged in ACTIVITY LOGS
control plane uses APPLICATION LOGS
AZURE RESOURCE MONITOR (ARM) is the interface to the behind-the-scenes resources; analogy: the menu and the waitress in a restaurant
you have five senses in a data center; smell ozone, there's a capacitor burning somewhere!
SUBSCRIPTION is a unit of billing for resources
TENANT is a copy of Azure AD for use
CUSTOM SOURCES for monitoring in AZURE MONITOR; will probably deprecate Systems Center Operations Manager (??) 2019 after some time rather than come out with SCM (??) 2023
AZURE INSIGHTS are for (apply to?) Applications, Containers, VMs and Monitoring Solutions
if you purchase Application Scale Environment (??) or application sets? you can autoscale in response to alerts
Microsoft Flow ----> Power Automate
Functions can operate elsewhere besides Azure, but Logic Apps run only in Azure
## Azure Monitor Logs
two fundamental types: METRICS and LOGS
real time, logs can be stored up to 90 days
closed ecosystem analogy to Apple
over 100 Microsoft products + over 100 open source products
DATA EXPLORER has custom query language
Azure Monitor can collect at Application, Guest OS, Azure Resource, Azure Subscription and Azure Tenant levels
plus custom RESTful APIs
INSIGHTS analogy to high-temp glass in cylinder walls to observe ignition with high-speed cameras in engine to troubleshoot engine issues
SAKS fifth avenue costs $2000/sq ft/year to rent not own
VMs are charged per second; Application Services are charged per millisecond - gives economies of scale
scaling up a Web App - dynamically adds an app load balancer in the background
what about app running inside a Container rather than in a Web App?
Apache Kudu (open source) is built-in at the OS level, as is Splunk
Metric Explorer, Data Explorer available
will need to memorize icons; over 100
Guest OS Monitoring can work in other clouds and on-prem
Azure Fridays; Azure Tuesdays with Corey
## Activity Log
what is it: what did someone do, and when did they do it?
Log Analytics Workspace
WORKSPACE lasts forever
## Azure Advisor
on prem tool Server Manager has feature Best Practices, runs once a month
Azure Advisor runs continuously, provides optimization recommendations
Service Health has five (six! book is wrong) categories: ACTION REQUIRED, ASSISTED RECOVERY, INCIDENT, MAINTENANCE, INFORMATION or SECURITY
Alert example: CPU % is greater than 80% over the past 5min (this is an ON-PREM point of view! do NOT need this much overhead in cloud)
you get the most money out of your RAM at 90%+ utilization not target 80%
POLICY AND RESEARCH HEALTH is "reserved for future use"
Tenant isolation is for management of users and groups
need subscription to create resources
use resource groups inside subscription
avoid doing ad-hoc monitoring or setup of anything; instead ask "what do I want to accomplish?" then "what do I create to accomplish that task?" if you do it in reverse it will be nothing but grief ("I'm just going to turn these things on")
Monitor Alerts experience has benefits; all alert creation for metrics, logs and activity log across Azure Monitor, Log Analytics and Application Insights in one place
## Alerts
key attributes of an alert: Target Resource, Signal, Criteria, Alert Name, Alert Description, Severity, Action
target can be any Azure resource if it has the capability of being measured
criteria is a combination of Signal and Logic applied on a Target resource; example Server Response Times > 4ms; Result count of a log query > 100
## Alert Rules
same attributes of an Alert (or maybe pointing out problem with the textbook?)
## Action Groups
collection of notification preferences defined by the subscription owner
action can be configured to notify a person by email or SMS (or Push Notifications or voice call)
can also trigger Azure Function, LogicApp, Webhook, ITSM (e.g. Remedy), Automation Runbook
a RUNBOOK is the next scale up from a PowerShell script; can have a PowerShell script in it; can survive a reboot; can build logic into a runbook
can have up to 10 actions in an Action Group
will auto retry up to 2 times on certain 4xx 5xx status codes
alert state is independent of the monitor condition; alert is set by the user; monitor condition is set by the system
the alert state does not change until the user changes it; need to reset the mouse trap otherwise it won't alert again; from Fired to Ready
# 10min break
## Alerts Experience
summary of alerts that have occurred; looks like a dashboard of sorts
SMART GROUPS <<<<< I missed this, need to review what this is
> EXAM: book says alert can support only two metrics signals or one log search signal or one activity log signal per alert; might be different limits today in Azure but exam will follow the book
## Activity Logs
Activity Logs do NOT detect Reads, that's considered a normal activity
can be exported to Log Analytics, Portal, PowerShell, CLI and REST API
can stream to Event Hub
### Categories in Activity Logs
operation is either Write, Delete or Action; Administrative category
tangent on Azure Service Health; is it my problem or is it Microsoft's infra problem?
difference between Service Health vs Resource Health; (he got distracted and didn't come back to this point)
Alert category contains record of all activations of AZ alerts
Autoscale out and in, not UP; UP is like hermit crab going to a bigger shell
something about Elasticity Code is important
once you've defined a set of filters, save it as a query that persists across sessions; can also pin a query to a dashboard
meaning of "category" in Log Profiles and Activity Log events is DIFFERENT
in log profile represents Write, Delete, Action
in Activity Log event, category is source of event e.g. Administration, ServiceHealth, Alert, etc.
Activity Log in Storage Account; retention policy of zero days means logs are kept forever
if I create a retention policy, I disable the ability to store logs in a Storage Account (???)
retention policies are applied per-day 24hr UTC midnight
can use a storage account or event hub namespace in a different subscription
## Log Analytics scenarios
to get started with Log Analytics you have to add a Workspace
Append Blob - logs will be appended
OMS Workspace|Repository is the old naming; let's use Azure Monitor Workspace|Repository
querying syntax is not the purpose of this class
the main query tables are: Event, Syslog, Heartbeat and Alert
### Practices are on our own, not part of the class
## Network Watcher
like Wireshark on the Azure layer
personal routing table is different from a VNET routing table
to use Network Watcher, the account you login must be assigned Owner, Contributor or Network Contributor built-in roles, or assigned to a custom role
## Diagnostics - IP Flow Verify
functionally used instead of traceroute
for example verify whether a security rule is blocking ingress or egress traffic to/from a VM
NSG is like a firewall only at the subnet and the NIC level
Web App is monitored using an Application Gateway
the "IP Flow Verify" capability - chapter 37 position 136/137; ideal for making sure security rules are being correctly applied
> EXAM: "Effective Security Rules" available - which rule is winning
IP Flow Verify, Next Hop available for checking against source ip/port dest ip/port
priority of 65500 for default rules to make sure most every custom rule is prioritized above the default rules (of course)
Next Hop shows the route table ID from which next hop is chosen, if custom, otherwise it returns "System Route"
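Added example (mine, not from the course or Microsoft) simulating how NSG rules are evaluated, which is what Effective Security Rules and IP Flow Verify report: ascending priority, first match wins, default rules at 65000/65001/65500. The custom rules, VM addresses and the service-tag prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, "*" or a service tag
    source_port: str    # "*", "443" or a range such as "1024-65535"
    destination: str
    dest_port: str

# Service tags as resolved for this simulation only (constructed); real tags
# are maintained by Azure and expand to many prefixes.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    if spec == "Internet":  # approximation: anything outside the VNet address space
        return not _addr_match("VirtualNetwork", addr)
    ip = ipaddress.ip_address(addr)
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, direction, proto, src, sport, dst, dport):
    """First match in ascending priority order wins; later rules never run.
    Returns None only if no rule matched, which cannot happen while the
    65500 default deny rule is present."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", proto):
            continue
        if (_addr_match(r.source, src) and _port_match(r.source_port, sport)
                and _addr_match(r.destination, dst) and _port_match(r.dest_port, dport)):
            return r
    return None

# Azure's default inbound rules at their documented priorities.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules for a web VM at 10.0.1.4 with a jumpbox at 10.0.0.5.
CUSTOM_INBOUND = [
    Rule("Allow-HTTPS", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "10.0.1.4/32", "443"),
    Rule("Allow-RDP-Jumpbox", 110, "Inbound", "Allow", "Tcp", "10.0.0.5/32", "*", "*", "3389"),
    Rule("Deny-RDP-Internet", 120, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389"),
]

def winning_rule(direction, proto, src, sport, dst, dport, rules=None):
    """The answer IP Flow Verify / Effective Security Rules gives: which rule won."""
    r = evaluate((CUSTOM_INBOUND if rules is None else rules) + DEFAULT_INBOUND,
                 direction, proto, src, sport, dst, dport)
    return f"{r.access}: {r.name} (priority {r.priority})" if r else "no match"

if __name__ == "__main__":
    for proto, src, sport, dst, dport in [("Tcp", "203.0.113.9", 51000, "10.0.1.4", 443),
                                          ("Tcp", "10.0.0.5", 52000, "10.0.1.4", 3389),
                                          ("Tcp", "203.0.113.9", 53000, "10.0.1.4", 22)]:
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}: "
              f"{winning_rule('Inbound', proto, src, sport, dst, dport)}")
```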
## Diagnostics - VPN Diagnostics
Virtual Network Gateway
you can select multiple gateways or connections to troubleshoot simultaneously, or you can focus on an individual component
NSG Flow Logs are in JSON format, show inbound/outbound flows on a per-rule basis
NSG Auditing Practices allow for security compliance and auditing - ??
can download flow logs from configured storage accounts
can create dashboard from NSGs
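Added example (not course material) that parses a constructed NSG flow log v2 record and summarises flows per rule, plus a simple defender check for a source that was denied on several ports. The resource ID, MAC and addresses are placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed NSG flow log (version 2 schema) covering two rules; the
# subscription ID is a placeholder, not a real value.
SAMPLE_FLOW_LOG = r'''
{"records":[{"time":"2020-01-14T12:00:35.3899262Z",
 "category":"NetworkSecurityGroupFlowEvent",
 "resourceId":"/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG-WEB/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
 "properties":{"Version":2,"flows":[
   {"rule":"UserRule_Allow-HTTPS","flows":[{"mac":"000D3AF87856","flowTuples":[
      "1579003200,203.0.113.9,10.0.1.4,51000,443,T,I,A,B,,,,",
      "1579003210,203.0.113.9,10.0.1.4,51000,443,T,I,A,E,12,3400,10,9800"]}]},
   {"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF87856","flowTuples":[
      "1579003201,198.51.100.7,10.0.1.4,40001,3389,T,I,D,B,,,,",
      "1579003202,198.51.100.7,10.0.1.4,40002,22,T,I,D,B,,,,",
      "1579003203,198.51.100.7,10.0.1.4,40003,445,T,I,D,B,,,,"]}]}]}}]}
'''

# Field order of a v2 flow tuple: timestamp, source, destination, ports,
# protocol (T/U), direction (I/O), decision (A/D), flow state (B/C/E), counters.
V2_FIELDS = ["ts", "src", "dst", "sport", "dport", "proto", "direction",
             "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]

def parse_flow_tuples(log_text: str):
    """Flatten every flow tuple into a dict carrying its NSG, rule and NIC MAC."""
    rows = []
    for rec in json.loads(log_text)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    fields = tup.split(",")
                    if len(fields) != len(V2_FIELDS):
                        continue  # skip malformed tuples instead of crashing the job
                    row = dict(zip(V2_FIELDS, fields))
                    row.update(nsg=nsg, rule=rule_block["rule"], mac=nic["mac"])
                    rows.append(row)
    return rows

def per_rule_summary(rows):
    """Count flows per rule, split by decision (the 'per-rule basis' view)."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["rule"]][r["decision"]] += 1
    return {rule: dict(c) for rule, c in summary.items()}

def denied_inbound_by_source(rows, min_ports=3):
    """Sources whose inbound flows were denied on at least min_ports distinct
    destination ports; a cheap first triage of what the default deny rule absorbed."""
    ports = defaultdict(set)
    for r in rows:
        if r["direction"] == "I" and r["decision"] == "D":
            ports[r["src"]].add(int(r["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    flows = parse_flow_tuples(SAMPLE_FLOW_LOG)
    print(per_rule_summary(flows))
    print(denied_inbound_by_source(flows))
```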
## Connection Troubleshoot
Azure Network Watcher Connection Troubleshoot is a more recent addition to Network Watcher; enables you to troubleshoot network performance and connectivity issues; like pathping output
can do topology in a graphical format
can view quantity of packets dropped during the connection troubleshoot check
#### break for lunch
difference between URL and URI; URL shows a landing page, URI is normally an object
everything in Azure is accessible via a URI
nothing in the cloud is an OU, but OUs are like a Resource Group; to manage resources across more than one subscription: Management Groups
Tenant is used to validate identity; a container for authentication (never Kerberos!)
create governance policies in Azure Management Groups
all subscriptions within a mgmt group automatically inherit the conditions from parent groups
> EXAM: management groups are relatively new
subscriptions help you organize access to cloud service resources by money
Optum big enough to have a direct agreement with Microsoft; also Partner, Free (either Pay-as-you-go or Student)
can have up to 200 co-administrators
person who creates the subscription is automatically the Account Administrator
must call Azure support to add a co-administrator
administrator MUST login once every 2 years, otherwise its subscriptions will be deleted/removed
## Resource Tags
track resources across resource groups, across subscriptions
example; track a project that touches resources in both Dev and Test subscriptions
each resource or resource group can have a max of 50 tags
tags are NOT inherited
tags are for billing purposes, nothing else
## Billing
monthly budgets are calculated every 4hr
Azure TCO Calculator is separate; look at on-prem environment to estimate a move to Azure
Pricing Calculator is for predicting stuff already in the cloud for the rest of the month, etc.
(headset issues)
## Reservations
quantity discount; pre-paying for 1yr or 3yr ahead
Reservations provide billing discount and do NOT affect the runtime state of your resources
## Azure Monitor workbook visualizations
data sources; logs, metrics, Azure Resource Graph, Alerts, Workload Health, Azure Resource Health, Azure Data Explorer
creates reports
"Apdex" = Application Performance Index
charts, grids, tiles, sparkline (trend), graphs, etc.
converts data into information
## Graphs
Cosmo is a graphical relationship rather than tabular database format for viewing unstructured data
*** each module's review question could potentially be a test question ***
## Storage Accounts
- managed storage removes the IOPS limits
- page blobs can be as large as 8TB, otherwise 4TB per blob
- **Page**: good for OS
- **Append**: good for log files
- **Block**: good for MP3, MP4, video files, etc.
## Azure Storage
A service you can use to store files, messages, tables and other types of info
- Files can emulate a network storage location `\\servername\sharename\file`
- max 252 columns per record, 1MB total size per record
- can get striped-set performance by having Azure Storage in 3 different storage accounts...
- service bus queue can hold data for up to 7 days, 64KB per message; millions of messages in the queue
- disks are persistent block storage for Azure IaaS VMs
- Files are fully managed file shares in the cloud
- unstructured data = blobs and data lake stores
- Data Lake Store is Hadoop DFS as a service
- structured data = tables, Cosmos DB and Azure SQL DB (not necessarily relational data)
- Azure Tables are schemaless = schema per record (NoSQL)
- "modernize" = add a modern front-end to your data
- cloud decomposes artificial construct --> microservices
- "searching by metadata rather than by folder/file is the new world"
- Bing handles all the search for Microsoft under the hood
Redeeming codes for Azure accounts
Managed Disks and Unmanaged Disks
Standard and Premium Storage Accounts
Ultra SSD
> EXAM: It is NOT possible to convert Standard to/from Premium; separate devices, need to recreate
> EXAM: use general-purpose v2 accounts to take advantage of new archive access tier and lower price per GB
general purpose v2 (v1 not available anymore)
blockblob, blockpage, blockappend
inside storage account are "containers" for grouping blobs together
intermediate access to storage account by prepending `asverify.` to DNS FQDN (??)
> tip: Azure Storage Emulator: "Azurite"
geo-replication incurs per-gigabyte charge
region-to-region costs on the egress per-gigabyte
storage account names can only have 3-24 characters and lowercase ONLY
### Access Keys
> EXAM: Access keys to authenticate to your storage account, store securely (e.g. Azure Key Vault) and rotate regularly (2 keys provided for rotation). These provide access to the **entire storage account**
### Replication
> EXAM: read-access Geo-Redundant Storage is for failover purpose; the MOST EXPENSIVE of all
Geo-Redundant is six copies (two LRS sets)
> EXAM: If selecting premium performance, **only LRS replication can be used**
> EXAM: If you create availability sets for your VMs, then Azure uses Zone-redundant Storage (ZRS)
LRS is 11 nines of durability; GRS is 16 nines
> EXAM: Consider ZRS for scenarios that require strong consistency, strong durability, and high availability even if an outage or natural disaster occurs
Every region has a paired region that is over 300 miles away
#### Recovery Point Objective (RPO)
Azure Storage typically has an RPO of less than 15 minutes
maximum amount (measured in time) of data which could be potentially not replicated (lost) in the event of a catastrophic event
#### Recovery Time Objective (RTO)
The measure of how long it takes to perform the failover and get storage account back online.
> EXAM: if you enable `RA-GRS` and your primary endpoint for the blob service *myaccount.blob.core.windows.net*, then your secondary endpoint is *myaccount-secondary.blob.core.windows.net*. The access keys are the same for both endpoints
further redundancy available with GZRS and RA-GZRS
> EXAM: lots of PowerShell questions on the test, good to have practice with PowerShell ahead of time
## Import and Export Service
uses your local storage drives (2.5" etc.); you ship your hard drives to Microsoft, they import the data
Microsoft has an equivalent of AWS Snowball; 100TB capacity
1PB option available called Data Heavy
> EXAM: commandline tool called `WAImportExport` available to download from Microsoft
> EXAM: `azcopy` is available on Windows, Linux and Mac
## CDN
Traffic Manager similar; uses CNAMEs to find lowest-latency connection to push stuff to the cloud
CDN is pulling stuff from the cloud to display on my phone; pulling from a cache
content has to be static, since it's cached
DNS based; similar to SRV records
> EXAM: Akamai profiles can propagate in 1min, but Verizon profiles might take 90min+
> EXAM: after you enable CDN access to a storage account, all *publicly* available objects are eligible for CDN caching. Updated blobs *will not* automatically update in CDN unless explicitly purged or existing cache times out *based on TTL setting of blob*. Careful setting TTL
## Storage Monitoring
> Understanding of Storage capacity and transaction metrics
Log Alerts have >1min delay; metrics have <1min
with the Azure Activity Logs tile you can keep activity logs for longer than the default of 90days
## Virtual Machines
> EXAM: Azure requires minimum 2048 bit key length for SSH key pairs on Linux VMs
> EXAM: What port does secure copy (`scp`) use? (port 22)
RDMA allows you to stitch together multiple VMs to a shared RAM pool, used for processing large Hadoop cluster data which won't fit entirely into RAM of a single VM (e.g. five VMs with 4GB RAM each can process a Hadoop data lake 18GB in size)
## Day 1 links from chat
(none of us thought to catalog them yet)
# DAY 2
## Azure Dedicated Host
VM series are supported: DSv3 and ESv3
scale sets are not supported
good way to utilize Windows Server 2016 or 2019 for more advanced virtualization features
## Azure Site Recovery
purpose is to create a hot site failover environment
replicate VM resources from on-prem to the cloud
not system state; this is backing up the entire machine
eliminate need for physical DR site
can failback (e.g. back to on-prem); need to install an agent on targets
SharePoint, SAP, Oracle examples of "complex workloads" - both web/front-end server and database server on separate boxes
## Virtual Machine Data Protection
Snapshots, Azure Backup, Azure Site Recovery
VHD snapshot and image snapshots are different; image snapshots include all attached VHDs, OS + Data together
when you enable Azure Backup, it installs **an extension** to the Azure VM Agent
use the MARS agent on an Azure VM to backup individual files/folders
restoring complex workloads require more care to restore the state across multiple VMs together
3rd party backup solutions available in the Azure Marketplace
> Tip: Deployed Image Service Management (DISM)
### Replication
when you enable replication for an Azure VM:
* Site Recovery Mobility service extension
* crash-consistent recovery points are generated every **five** minutes (rather than 15min)
* Site Recovery processes data in cache to target storage acct or replica managed disks
when you initiate a failover, VMs are created in the target Resource Group, VNet, Subnet and Availability Set; isolated from original resources; should be easier to cleanup/delete after failback
### Recovery Services Vault
is a storage entity in Azure that houses backups including IaaS VMs (<--- I wonder if there are security implications distinct from Storage Accounts??? ~EJP)
### Azure Backup Server
Data Protection Manager (DPM) or Microsoft Azure Backup Server (MABS) for specialized workloads such as SharePoint, Exchange and SQL Server
provides **app-aware** backups
> Exam tip: they'll spell out the full name in the question, then use the acronym in potential answers
quote: "shard is a cloud term for partition" (in context of backing up a database)
backup steps:
1. install DPM or MABS protection agent on VMs and add to DPM protection group
2. DPM or MABS server must be located on-prem if VMs are on-prem; located in Azure as an Azure VM if VMs are in Azure
3. select backup volumes, shares, files and folders; can also do machine state (bare metal), or specific apps with app-aware backup settings
4. select MABS/DPM local disk for short-term storage and to Azure for online protection
5. select schedule for local backup to DPM/MABS and schedule for online backup to Azure
6. Disk is backed up
7. DPM/MABS disks are backed up to the vault by MARS agent on the DPM/MABS server
#### Comparison of MARS agent and Azure Backup Server
Azure Backup (MARS) agent backs up files and folders; no separate backup server required; supports only Windows OS; backup 3x per day; **not** application aware; file, folder and volume-level restore only
Azure Backup Server does app-aware snapshots; recovery granularity; Linux support; doesn't require System Center license; **cannot backup Oracle workloads; always requires live Azure subscription; no support for tape backup**
### Virtual Machine Extensions
small applications that provide post-deployment configuration and automation tasks on Azure VMs
e.g. install antivirus protection, config script
different extensions for Windows and Linux machines, large choice of third-party extensions too
Desired State Configuration (DSC) is an extension
Custom Script Extensions (CSE) typically a PowerShell script, can pass arguments, executed immediately upon upload
(potential security exposure: malicious actor hooking CSE extension to VMs ~EJP)
PowerShell syntax to upload a CSE to a VM: `Set-AzVmCustomScriptExtension -FileUri https://scriptstore.blob.core.windows.net/...`
timeout defaults to 90min
"declarative" vs. "imperative": DSC is declarative, CSEs are imperative
> Exam: Health feature is offered only for AZ VMs and VM scale sets; Performance and Map features support both Azure VMs and VMs that are hosted on-prem or another cloud provider
Map and Performance sent to Log Insights namespace
Service Map is the whole which is greater than the sum of the parts; provides service discovery
> Exam: diagnostic settings on a VM cannot be updated while the VM is running
Linux Diagnostic extension v3.0 or higher required in order to edit diag settings in the Azure portal
## Azure Networking Components
Load Balancer is OSI layer 4; Application Gateway is OSI layer 7
VPN Gateway must be installed on a VNet called exactly "VPNGateway" (unsure whether contains space)
SSTP stores maximum of 128 concurrent connections (for VPN Gateway)
NSGs apply only to NICs or VNets; Azure Firewall does the same thing but in front of public-facing components like (App Gateways?)
> Tip: Azure Valet Key pattern (one of 20+ design patterns documented by Microsoft)
Azure Firewall is on the outside edge
Azure DDoS Protection is a free product, not as good as paid 3rd party solutions; blacklist based, "does not do stateful inspection"
Virtual WAN service covering later in this course
VNet must have a dedicated subnet for the gateway
### Multi-NIC VMs
customer-initiated reboot NIC order will remain the same, but some Microsoft maintenance might re-order NICs; need a specific size VM to make sure this doesn't change (**may have mis-heard; validate**)
VM, Load Balancer can have dynamic or static IP address; VPN Gateways and Application Gateways can have ONLY dynamic IPs (!!)
cannot have a subnet spanning regions; a subnet exists in one VNet only
#### 10min break
## VNet Addressing
not every region supports VNet Peering; can use a VPN appliance to go between VNets in different regions
distinct SKUs for "Basic" and "Standard" public IP addresses
"standard" is unusable by VPN Gateways and App Gateways (use "basic"); NICs and public load balancers can use either
standard is zone redundant by default; basic is not zone redundant
basic is "open" security by default; standard is secure/no inbound traffic by default
private IP addresses are not handed out by DHCP
System Routes - VNet-to-VNet, plumbing to Internet, to Express Route, etc.
> Exam: if a matching route can't be found, the packet is dropped
### Routes, Route Tables, etc.
> Exam: if a destination has two routes, Azure selects the more granular prefix (more specific route, naturally), but user-defined routes take priority over system default routes
^^this means user defined routes flowing through IP forwarding appliance can fallback to system routes without loss of connectivity, just loss of security/visibility provided by the appliance
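Added example (not from the course) of the route selection described above: longest prefix first, then user-defined over system, with a `None` next hop or no route meaning the packet is dropped; it also shows the fallback to the system Internet route when the UDR to the appliance is absent. The VNet address space, system routes and NVA address are constructed.

```python
import ipaddress

# Tie-break between route sources carrying the same prefix length
# (Azure's documented order: user-defined, then BGP, then system).
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

def select_route(routes, dest_ip):
    """Pick the effective route for dest_ip: longest prefix first, then
    user-defined > BGP > system. Returns None when nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes
                if ip in ipaddress.ip_network(r["prefix"], strict=False)]
    if not matching:
        return None
    return min(matching, key=lambda r: (-ipaddress.ip_network(r["prefix"], strict=False).prefixlen,
                                        SOURCE_RANK[r["source"]]))

def next_hop(routes, dest_ip):
    """Describe where a packet goes: 'dropped' when no route matches or when
    the effective route's next hop type is 'None' (Azure's explicit drop)."""
    r = select_route(routes, dest_ip)
    if r is None or r["next_hop_type"] == "None":
        return "dropped"
    return f'{r["next_hop_type"]} {r.get("next_hop_ip", "")}'.strip()

# Constructed system routes for a VNet whose address space is 10.0.0.0/16.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "next_hop_type": "VirtualNetwork", "source": "System"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "source": "System"},
    {"prefix": "10.0.0.0/8", "next_hop_type": "None", "source": "System"},
    {"prefix": "192.168.0.0/16", "next_hop_type": "None", "source": "System"},
]

# Constructed user-defined route sending Internet-bound traffic through an
# inspection appliance (NVA) at 10.0.2.4.
UDR_TO_NVA = {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
              "next_hop_ip": "10.0.2.4", "source": "User"}

if __name__ == "__main__":
    with_udr = SYSTEM_ROUTES + [UDR_TO_NVA]
    for dst in ("93.184.216.34", "10.0.1.4", "10.3.0.9"):
        print(f"{dst}: with UDR -> {next_hop(with_udr, dst)}; "
              f"without UDR -> {next_hop(SYSTEM_ROUTES, dst)}")
```

With the UDR present the /16 VirtualNetwork system route still wins for 10.0.1.4 because it is more specific than 0.0.0.0/0, which is the granularity rule from the exam note.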
use VNet-to-VNet VPNs when VNet peering is not available (i.e. cross-region)
> Exam: Connections to on-prem networks are called Site-to-Site (S2S) connections
provisioning VPN Gateway can take up to 45min
> Exam: if VNets are in separate subscriptions, you need to use PowerShell `New-AzVirtualNetworkGatewayConnection` to make the connection (test question guaranteed - they'll give you a partial PS command like `New-AzVirtualNetwork...` and you have to pick the correct command completion)
when you create multiple VPN Gateways, all VPN tunnels share the available gateway bandwidth (!!)
> Exam: after gateway is created, view IP address by looking at the VNet in the portal; gateway should show as a Connected Device
two VPN types: Policy-Based and Route-Based
Policy Based can only be used on Basic Gateway SKU, not compatible with other SKUs; ONLY one tunnel; ONLY Policy-based for S2S connections and certain configs
Route-Based use routes in route table based on destination
cannot change VPN type after network gateway has been created
> Exam: Basic SKU is considered legacy; can't upgrade, need to recreate; choose the new one (Standard)
there is a Validated VPN Devices list; known and proven by Microsoft; config scripts available to auto configure the tunnel on some supported devices, config guides for others; e.g. Juniper, Palo Alto, SonicWall, etc.
Regional VNet peering is for same region; Global VNet peering is across regions
peered VNets appear as one
it is possible to do pass-through in VNet peering (unlike AWS peering)
VNet peering is encrypted by Microsoft transparently
if you select "Allow Gateway Transit" on one VNet, you would select "Use Remote Gateways" on the other VNet so that the other VNet can pass-through to other routes of the remote VNet (e.g. Express Route back in to on-prem?)
> Exam: avoid adding NSG to the GatewaySubnet subnet otherwise you might break the VPN
VNet peering not available across National Clouds (e.g. Germany, China, etc.)
# Break for lunch
## Service Chaining
VNets are non-transitive by default but you can enable the ability to transit through to other peered VNets
### Network Security Groups
can assign to subnets and/or NICs
> Exam: generally use NSG on a NIC for specific Network Virtual Appliances (NVAs), otherwise only link NSGs to subnets **AND reuse across VNets and subnets**
## Azure Active Directory
single sign on to any cloud or on-prem web app
user can have same experience whether they're working on iOS, Mac OS X, Android and Windows devices
features (each with their own icon you might have to memorize for the exam):
* Azure AD Connect
* B2B Collaboration
* Provisioning/Deprovisioning
* Conditional Access
* SSO to SaaS
* Self-service capabilities
* Connect Health
* Multi-Factor Auth (MFA)
* Addition of custom cloud apps
* Access Panel/MyApps
* Dynamic Groups
* Identity Protection
* Remote Access to on-prem apps
* Azure AD B2C
* Group-Based Licensing
* Privileged Identity Management
* Microsoft Authenticator - passwordless access
* Azure AD Join
* MDM-auto enrollment/Enterprise State Roaming
* Security Reporting
* Azure AD DS
* Office 365 App Launcher
* HR App Integration
* Access Reviews
different from AD DS; Azure AD cannot be queried via LDAP, instead it uses REST API
does not use Kerberos, instead SAML, WS-Federation (??), OpenID Connect + OAuth (authentication + authorization)
Azure AD can federate with many 3rd parties such as Facebook
flat structure - no OUs or GPOs
pricing options: Free, Basic, Premium P1, Premium P2
Basic has SLA of 99.9% uptime, group based access mgmt, self-service password reset for cloud apps, App Proxy
Premium P1 self-service IAM
Premium P2 privileged identity management (monitoring/protection of super-privileged accounts - insider threat mitigation)
joined devices have SSO to apps, enterprise policy compliant roaming of user settings across devices, access to Windows Store for Biz, Windows Hello for Biz, restricted access to apps and resources from devices compliant with corporate policy
AD DS requires all VMs to be in the same VNet
Azure AD admins will always be able to reset their passwords no matter what the config is set to
Azure AD roles have Actions, NotActions, DataActions and NotDataActions all simultaneously (both control plane and data plane)
## Azure AD Connect
there are 9 fields which can be written back in to the on-prem, one of which is Password Writeback (simply a box to check)
Azure AD Connect used to be called Directory Synchronization (dirsync = enable Azure AD Connect)
pass-thru auth allows same password on-prem as the cloud but doesn't require additional infra of a federated environment
federation is separate
takes the on-prem password hash, uses that hash for Azure AD (encrypted in transit then decrypted)
> Exam: Azure AD Connect is "same sign-in" NOT "single sign-on"
> Exam: using AD Connect Health works by installing an agent on each of your on-prem sync servers
to get a device under control of Azure AD, two options:
registering, for personally owned devices
joining (a subset of registering) allows the ability to auth through other identity providers (e.g. Facebook, on-prem domain)
not the same thing as InTune joining devices
# Implementing Workloads and Security
## Migration Goals
hardware refresh?
security or operational issues?
Azure Arc
VMs -> Web Apps -> Containers
refactor, rearchitect and rebuild is different than lift, optimize and shift
# 10 min break
migration phases:
Assess: Azure Migrate, Data Migration Assistant, SQL Server Migration Assistant
Migrate: Azure Site Recovery (ASR), Azure Database Migration Service, Azure Data Box
Optimize: Azure Cost Management, Azure Advisor
Secure & Manage: Azure Security and Management - Blueprints, Security Center, Azure Backup, Azure Monitor
on-prem collector; 18GB download .OVA file; will crawl network, upload metadata to a cloud service, spit out report of how many VM resources needed
> Exam: alternative to performance based sizing is "As on-premises" sizing; default storage type of Azure Migrate is Premium disks
what-if analysis often includes features of cloud not available on-prem; results in inflated costs, surprises
grouping VMs for assessment - app dependency mapping - migrate all machines and dependencies which make up an application to be migrated together
time sync (off by >5min) can cause migration failure
Azure DB Migration Service can migrate SQL Server, MySQL and Oracle
if you migrate Server 2008 or Server 2008 R2 or SQL Server 2008 (which went EOL by Jan 14 2020) to Azure, Microsoft will extend support for an additional 3yr
Rehost: IaaS
Refactor: Containers and PaaS
Rearchitect: PaaS, Serverless, Microservices
Rebuild: cloud native, PaaS, Serverless, Microservices
> Tip: lookup the Dimming Award
## Security
Dynamic Access Control - part of Active Directory - in cloud called Just In Time (JIT) Access; dynamic port
SQL Server Management Studio has an Always Encrypted Wizard you can use
Storage Service Encryption is enabled for all new **and** existing storage accounts and cannot be disabled
(Erik lost internet connection shortly before class ended)
## Day 2 links from chat:
https://www.packer.io/
https://docs.microsoft.com/en-us/azure/architecture/patterns/valet-key
https://www.bing.com/videos/search?q=api+gateway+in+azure&view=detail&mid=8D4671549AEE7D128A5C8D4671549AEE7D128A5C&FORM=VIRE
https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-faq
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://azure.microsoft.com/en-us/overview/azure-stack/
https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview
https://windows.com.ipaddress.com/time.windows.com
# Day 3
## Serverless core components
functions have triggers and bindings with AZ Cosmos DB
> Tip: Azure Cognitive Services API
talked about triggers being age, height, race, etc. based on analysis of a video stream
serverless use cases: real-time stream analytics, SaaS event processing, web app architecture, real-time bot messaging
(back to migrations for a bit) never use HR, accounting or legal departments as guinea pigs for a migration; they never have a sense of humor for migration issues
## Web Apps
### App Service
App Service VMs have multiple language support: ASP.NET, Node.js, Java, PHP, Python, PowerShell and other executables
DevOps optimization (covering later) CI/CD with VSTS, GitHub, BitBucket; promote through test/staging, perform A/B testing
connections to SaaS platforms and on-prem data - choose from more than 50 connectors (SAP, Siebel, Oracle) and SaaS services (SalesForce, O365), internet svcs Facebook/Twitter
app templates such as WordPress, Joomla, Drupal
Visual Studio integration
> Exam: continuous deployment is a good option for projects where multiple and frequent contributions are being integrated
overview of blue-green deployments in CD
has a feature called Auto-Swap, sounds like it can redirect up to 10% of live prod traffic to test (why not slider bar to 100% like AWS?)
app must be Standard or Premium to enable multiple Deployment Slots
has to be standard installation of OS, Apache web server, IIS, etc. any customizations will preclude serverless and must use a VM instead
"slots" are the things which are swapped to do blue-green deployments
> Exam: you can configure app settings and connections to stick to a particular slot (don't swap these); this is done in the App Settings blade; a dev can create new settings for the web app
App Service Environment for "Power Apps" - built-in connectivity to more than 270 3rd party platforms, deep integration with Azure services, machine learning/AI
Power Apps have guard rails in terms of what you can do with them, perhaps not as efficient as purpose-built but Microsoft prioritizes time-to-value more
> Exam: defining dependencies for web apps requires understanding of the app; if you specify dependencies in an incorrect order, causes deployment errors or creates a race condition that stalls the deployment
if you choose Premium tier or higher, platform automatically saves snapshots
snapshots are incremental shadow copies that have advantages over backups; no file copy errors due to file locks, no storage size limitation (because on Premium), no configuration
> Exam: you can restore snapshots only for the last 30 days
cloning an App (App Service Environment/ASE is an instance of the web app) perhaps for recreating in a different region
cloning supported in Premium tier or higher
not cloned: autoscale settings, backup schedule, VNet, Easy Auth, Kudu extensions, TiP rules, Database content, App Insights, outbound IP addresses
## Security
Azure App Service has two security levels: Infrastructure and Platform Security, Application Security
customer is responsible for writing the app in a secure manner
an App can redir unauthenticated users to an auth provider, most likely Azure AD
> Exam: you are not required to use App Service for authentication/authorization; if you need more flexibility than App Service provides, use 3rd party or write your own utilities
walkthrough of how federation works, for understanding
by default, anonymous access is enabled on an App Service app
## Serverless Computing
compute: Azure Functions
messaging: Event Grid, Service Bus
workflow orchestration: Logic Apps
### Event Grids
you create a channel in an event grid much like a particular frequency on a multiplex connection
storage account bus is used for accessing data in storage blobs; service bus is used for accessing data from other services
Event Grid is push model of pub-sub; service bus topic is pull model of pub-sub
service bus can use AMQP, TCP/IP, HTTP; event grid is based on HTTP
can peek ahead in the service bus topic
logic apps provide serverless workflows to integrate data rather than writing complex glue code
logic app like a "wheelman" in a restaurant making sure order is as written on the ticket
> Exam: WebJobs are background jobs (in context of Logic Apps)
Azure Functions vs. Logic Apps
Durable Functions are imperative; Logic Apps are declarative
Enterprise Integration Pack (EIP) works with Azure Logic Apps for B2B integration
Azure Runbooks are another Azure automation mechanism
Functions are monitored by App Insights vs. Logic Apps via Log Analytics and AZ Portal
Functions can run locally or in the cloud; Logic Apps run only in the cloud
WebJobs are a feature of App Service; single activity triggered by your Web App; AZ Functions are built on WebJobs
AZ Functions support NuGet and NPM allowing use of preferred libraries/dependencies
## Azure Functions
Azure Functions must be hosted on a hosting plan, there are two types: Consumption Plan and App Service Plan; defaults to Consumption Plan; Linux hosting is currently only available on App Service Plan
Consumption Plan scales out automatically, pay only when functions are running
> Exam: be able to articulate why Consumption Plan is the default
triggers: timer, HTTP, blob, event hub, github, webhook, queue
by default 5min timeout for a function, max 10min timeout
From David Foard to Everyone: (11:55) FYI - anyone doing the lab where you have to add Owner role for az3000501-mi from CLI, note there is a defect and it will fail using the name - but if you use the ObjectId instead it will work.
# break for lunch
### Bindings
fixed set of where the function can receive from, where it can write to
to see what bindings are available, use the Integrate link
a function can have multiple; always optional
a single function can scale only to a max of 200 instances; new instances allocated only once every 10sec
## Event Grid
manages routing of all events from any source to any destination
designed for high availability, consistent performance, dynamic scale
marketing-speak "benefits" of Event Grids
four basic concepts: Source, Topics, Subscriptions, Handlers
event sources include: blob storage, media services, azure subscriptions, resource groups, event hubs, IoT hub, service bus, custom topics (outside Azure)
event handlers include: Azure Functions, logic apps, Azure Automation, WebHooks, Queue Storage, Hybrid Connections, Event Hubs
topics are the bindings from a source to the Event Grid; endpoint for the source to send events
event subscriptions are the bindings from the Event Grid to event handlers; can filter which events are sent
## Queues
AZ Service Bus delivers FIFO
service bus provides load leveling, loose coupling, load balancing
service bus services partitioned into namespaces for both service and security boundary
Service Bus offered in Basic, Standard and Premium tiers
creating a namespace automatically generates a Shared Access Signature (SAS) which has primary and secondary keys that each grant full control over all aspects of the namespace; need SAS and connection string to use it
max queue size is 80GB; then you must use storage queues
**** look into monitoring Service Bus and Diagnostic Logs more on chapter 89 position 1 and following ****
there are 10-15 bindings for AZ Functions vs hundreds (at last count, 237+) of connectors for Logic Apps
logic apps provide built-in triggers, actions and schedule-based workflows
> Tip: Microsoft's Channel 9, YouTube for additional learning such as deeper on Logic Apps
Logic Apps offers over 200 connectors
use the "Scheduler - Add message to queue" template to understand Logic App templates
## Advanced Networking: Load Balancers
Load Balancer can do both TCP and UDP
> Exam: four components that must be configured for a load balancer: Frontend IP Config, Backend Pools, Health Probes, Load Balancing Rules
two types: public and internal
> Exam: what is the difference between App Gateway and Load Balancer? App GW is for Web Apps
internal LB used within a VNet, from on-prem to VNet, for multi-tier apps
SKUs for Basic and Standard; basic goes to 100 instances, standard to 1000
LB cannot span two VNets, both frontends and backends must be in the same VNet
# 10 min break
NAT rule is explicitly attached to a VM or NIC, whereas LB rule applies to whole backend pool
two types of LB rules: no backend port reuse, or backend port reuse via Floating IP
no-reuse uses Dynamic IPs; Floating IPs uses VIPs
provides session stickiness
TCP custom probes plus guest agent probe; guest agent not recommended when using HTTP traffic
## Traffic Manager
MS Azure Traffic Manager recommends a server based on DNS results; client connects directly to the endpoint for the connection; DNS-based billing; routes any type of traffic since it works via DNS
Azure Front Door service provides dynamic website acceleration; works ONLY with HTTP; called Inline Security; has rules, rate limits; works in conjunction with Azure Firewall (layer 7); far more granularity with rules (per microservice/URLs)
Traffic Manager can redir to a different AZ region (region goes down)
four basic routing methods: Priority, Performance, Geographic, Weighted
Traffic Manager does **not** receive DNS requests from clients; rather the IP address of the client's recursive DNS service; client's recursive DNS server is used as a proxy for the client
> Exam: using the same weight across all endpoints results in an even traffic distribution
## Front Door
can protect internet-facing service outside Azure
supports TLS termination, custom domain name
Front Door service itself is protected by Azure DDoS Protection Basic
natively supports IPv6 and HTTP/2
## VNet-to-VNet Connections
use when you cannot use VNet peering (as in, certain regions)
> Exam: connections to on-prem virtual networks are called Site-to-Site (S2S) connections
## Cloud Architect Technology Solutions
## Day 3 links from chat:
https://www.bing.com/videos/search?q=cognative+services&view=detail&mid=DE95BF72DFF1C30D2332DE95BF72DFF1C30D2332&FORM=VIRE
https://azure.microsoft.com/en-us/products/powerapps/
https://www.bing.com/search?q=difference+between+service+bus+and+event+grid
https://azurebiztalkread.wordpress.com/2018/05/19/azure-service-bus-topic-vs-azure-event-grid-topic/
https://www.codit.eu/blog/10-differences-between-azure-functions-and-logic-apps/?country_sel=be
https://docs.microsoft.com/en-us/learn/browse/
https://medium.com/awesome-azure/azure-difference-between-traffic-manager-and-front-door-service-in-azure-4bd112ed812f
https://azure.microsoft.com/en-us/services/frontdoor/
https://docs.microsoft.com/en-us/azure/architecture/architectures/?filter=reference-architecture&sort=-publish_date
# Day 4
ACID = Atomic, Consistent, Isolated and Durable
caching works best when data remains relatively static; when the backing store is slow compared to the cache, subject to a significant level of contention, and/or when network latency makes access to far-away resources slow
"private cache" = in-memory store
"shared cache" = separate service such as Microsoft Redis Cache
when to cache, when not to cache
## Redis Cache
Azure has two primary cache mechanisms: Azure Cache and Azure Redis Cache; Azure Cache is deprecated and exists only to support existing cloud apps
Redis Cache is open source NoSQL key-value pair storage; Redis Cache is unique because it allows complex data structures for keys
AZ Redis Cache has two tiers (surprise!): Basic, Standard; basic single node, standard has primary-replica redundancy and SLA
"normalized unit": unit of measurement for the purpose of billing; sometimes these units have a direct relation to on-prem DB equivalents, but better to think of them as relative performance guarantees
in Azure SQL Database, performance is in terms of Database Throughput Units (DTUs)
Azure Cosmos DB tracks the relationships between objects; measured by Request Units (RUs) processing per second of guaranteed throughput availability; guaranteed a minimum, can purchase a maximum (free from throttling)
1 KB of data read per 1sec = 1 RU
Cosmos DB sounds/feels a lot like AWS DynamoDB
"polyglot persistence" means a solution that uses a mixture of data store technologies
"Microsoft Graph" graph API and "Microsoft Graph Explorer" for visually exploring unstructured data such as Cosmos DB
## Implementing Authentication
certificate based - can use TLS on API calls (better hope so)
Azure AD Connect does not have any high availability; that's ok
AD Connect can filter on domains, OUs or **attributes**; if you use `adsiedit` and set custom attribute #15 to `nosync` on particular accounts, no matter what the settings are that account will never sync to the cloud
password hash synchronization syncs the passwords to the cloud, managed only on-prem
password writeback allows users to reset passwords in the cloud and sync them back to on-prem
device writeback will allow a device registered in Azure AD to be written back to on-prem for conditional access
"prevent accidental deletes" feature turned on by default; set to 500 per API call by default, can be changed
forms-based auth is not an internet standard
in hybrid environments, it is common to use Azure AD as authoritative for AD
> Exam: is a software token on a phone an MFA factor, if so which type is it?
MFA SDK using .NET
know authentication vs. authorization
claims-based authorization checks are declarative; are policy based
> Exam: know Owner, Contributor, Reader, User Access Administrator permissions and the fact that Service Administrators and Co-Administrators are assigned the Owner role at the subscription scope
OpenID Connect is the MS recommendation if you are building a web app hosted on a server and accessed via a browser
OAuth2 bearer token approach preferred over using cookies for sessions
# 10 min break
client doesn't need to register itself to obtain an access token under its own service principal; can request an app-only access token for particular resources which uses the managed identity's service principal (hope I got that right? ~EJP)
Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database and Azure SQL Data Warehouse data files
"Always Encrypted" feature of Azure SQL Database and SQL Server; requires special driver on the host
"Trusted Execution Environments (TEEs)" = enclaves
Azure Key Vault covered but mostly spent on HSMs
## BC/DR/Resiliency
understand RTO vs RPO
don't mistake eleven-9s of LRS storage uptime for a backup; if you've never done a restore, you don't have a backup
way of thinking: avoid SPOF
additional resiliency tips: use HA message broker for critical transactions; gracefully degrade; throttle high-volume users; use load leveling to smooth spikes in traffic; monitor 3rd party services; implement retry and circuit breaker patterns for remote operations where appropriate; implement async ops where possible; apply compensating transactions (undoes effects of another completed transaction in a distributed system)
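Three of the resiliency patterns listed above (retry with backoff, circuit breaker, compensating transaction) worked through in one place, as an added example that is not course material; the order/stock/card operations and the fake clock are constructed for illustration.

```python
import random
import time
from typing import Callable, Optional


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without attempting it."""


class CircuitBreaker:
    """Closed -> Open after `failure_threshold` consecutive failures;
    Open -> Half-open once `reset_after` seconds pass; a single trial call
    then returns the breaker to Closed (success) or Open (failure)."""

    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock               # injectable so tests need no real waiting
        self.failures = 0
        self.opened_at: Optional[float] = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after:
            return "half-open"
        return "open"

    def call(self, op: Callable[[], object]):
        if self.state == "open":
            raise CircuitOpen("remote dependency is being shed")
        try:
            result = op()
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold or self.state == "half-open":
                self.opened_at = self.clock()   # trip (or re-trip) the breaker
            raise
        self.failures = 0
        self.opened_at = None
        return result


def retry(op, attempts=3, base_delay=0.1, sleep=time.sleep, rng=random.random):
    """Retry transient failures with exponential backoff plus jitter.
    CircuitOpen is not retried: the breaker has already decided to fail fast."""
    last = None
    for i in range(attempts):
        try:
            return op()
        except CircuitOpen:
            raise
        except Exception as exc:
            last = exc
            if i < attempts - 1:
                sleep(base_delay * (2 ** i) * (0.5 + rng()))
    raise last


def place_order(reserve_stock, charge_card, release_stock, breaker, sleep=time.sleep):
    """Two-step distributed operation (constructed): reserve stock, then charge.
    If charging fails for good, the compensating transaction releases the
    reservation so the completed first step is undone."""
    reservation = reserve_stock()
    try:
        return retry(lambda: breaker.call(charge_card), sleep=sleep)
    except Exception:
        release_stock(reservation)      # compensating transaction
        raise
```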
# Break for lunch
## App Service Environments
ASEs are isolated to running only a single customer's apps and always deployed into a VNet
apps running on ASEs can use WAFs
an ASE is per-subscription and can host 100 App Service Plan instances; either 100 instances in a single App Service plan or 100 single-instance App Services plans, or anything in between
"front ends" responsible for HTTPS termination and auto load balancing; auto-added as the ASE scales out
"workers" are roles that host customer apps, three fixed sizes: One CPU/3.5GB RAM, Two CPU/7GB RAM, Four CPU/14GB RAM
flat monthly rate for infra plus cost per App Service plan vCPU
for microservice architecture, consider "Service Fabric"
pricing tiers: Free and Shared use shared VMs with other customers, Basic Standard Premium and PremiumV2 run apps on dedicated VMs, Isolated uses not only dedicated VMs but dedicated VNet as well, Consumption is pay-per-use and for AZ Functions only
unless using Isolated, difficult to assert that egress public IP is not shared with other Azure customers; check with Martijn Van Overbeek
things you cannot do with Hybrid Connections: mount a drive, use UDP, use dynamic-port protocols (e.g. FTP passive mode or extended passive), support LDAP (because it uses UDP), support Active Directory (because you cannot domain-join an App Service worker)
control App Service traffic by using AZ Traffic Manager - all the various routing methods
AZ App Service Local Cache: write-but-discard cache of storage content created async on startup
WebJobs have ability to set retry policy, unlike AZ Functions
nobody in class could articulate the difference between Logic App and Power Apps
# 10 min break
## Service Fabric
each database hosted on Azure SQL Database service is a Service Fabric stateful microservice; hundreds of thousands of such databases hosted on tens of thousands of containers running on hundreds of machines which comprise a single cluster of the Azure SQL Database service
Service Fabric is cloud-based replacement for what used to be known as Windows Nano Server to achieve high density for VMs on prem
Service Fabric is focused on stateful microservices rather than stateless
## Reliable Services feature of Azure Service Fabric
service type: your service implementation; defined by the class you write that extends `StatelessService`
named service instance: to run your service, create named instances of your type; name uses `fabric:/MyApp/MyService` format
service host: the process where instances of your service can run
service registration: registers all these components together with the Service Fabric to run
## Reliable Actors feature of Service Fabric
Reliable Actors is an app framework based on `Virtual Actor` pattern
actor is an isolated, independent unit of compute and state with single-threaded execution
use actor pattern to model your problem/scenario if: problem space involves thousands or more of small, independent, isolated units of state and logic; want to work with single-threaded objects that do not require significant interaction from external components; actor instances won't block callers with unpredictable delays by issuing I/O operations
**note to self (EJP)**: wonder if Reliable Actors pattern might work for replacing Logic Apps for log producers?
## Azure Kubernetes Service (AKS)
cluster master nodes provide core K8S services
nodes are servers that run app workloads
cluster has one or more node pools; node pool is a grouping of nodes with the same configuration
pods are instances of your application; typically 1:1 mapping with containers but apps can have more than one container in a pod; pod is a logical resource, container(s) is where the application workload actually runs
package management is done with Helm
StatefulSets and DaemonSets basically skipped due to willful ignorance
Namespaces
K8S service accounts, Azure AD integration available
RBAC - assign permissions to an AKS Role; there is no concept of `deny` permission
RoleBindings and ClusterRoleBindings - again, pretty much skipped
AKS Security - another instructor whoosh - self study only
skipped the entire rest of the module
## Azure Functions
triggers: HTTP, timer, GitHub webhook, CosmosDB, Blob (AZ Storage), Queue, EventHub, ServiceBusQueue, ServiceBusTopic
integrations: AZ CosmosDB, AZ Event Hubs, AZ Event Grid, AZ Notification Hubs, AZ Service Bus (queues and topics), AZ Storage (blobs, queues, tables), On-prem (using Service Bus), Twilio (SMS messages)
two different modes: Consumption plan and AZ App Service plan
consumption plan is default and scales out automatically
app service plan: have existing underutilized VMs which are already running other App Service instances, function app runs continuously (or nearly-so - more cost effective), need more CPU/RAM than Consumption plan, code runs longer than 10min, Linux or custom image on which to run your function
if you run on App Service plan, you should enable the `Always on` setting so the app runs correctly; goes idle after a few minutes, so only HTTP triggers will "wake up" your function
when using blob trigger, can be up to 10min delay in processing new blobs; to avoid cold-start delay, use App Service plan with `Always on` or use Event Grid trigger
single function app only scales up to max of 200 instances; new instances spun up at most once every 10sec
function must have exactly one trigger
instructor said he didn't know the term `no-op` and asked not to inform him what it is; he doesn't want to know; as he was paging past features he didn't understand
### General good practices
avoid long-running functions
cross-function communication; use storage queues, or Service Bus topics if filtering is needed
write functions to be stateless
write defensive functions; could encounter an exception at any time
share and manage connections; reuse if possible
don't mix test and prod code in the same function app
use async code but avoid blocking calls
receive messages in batch whenever possible
configure host behaviors to handle concurrency
## Day 4 links from chat
https://developer.microsoft.com/en-us/graph/graph-explorer
https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html
https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection
https://docs.microsoft.com/en-us/azure/azure-functions/functions-compare-logic-apps-ms-flow-webjobs
https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal
# Day 5
## High Performance Computing (HPC)
"HPC" is the aggregation of complex processes across many different machines; machines share RAM in low-latency manner
H-series VMs are aimed at this use case; 8- and 16-CPU using Intel Haswell, DDR4 RAM and SSDs
also uses Remote DMA (RDMA) using "Fourteen Data Rate" (FDR) InfiniBand
some other non-H series VMs have RDMA feature, can tell by a lowercase `r` at the end of the VM type name, e.g. "H16r" or "NC24r"
## Azure Batch
service that manages VMs for large-scale parallel and HPC applications; PaaS
batch works well with "intrinsically parallel"/"embarrassingly parallel" workloads such as fluid dynamics or (?) modeling every type of molecule which could potentially attach to a cell wall
** check into this as possible solution for blob log processing for centralized logging ** ~EJP
Azure Storage Queues and Azure Service Bus Queues both work as messaging queues; sender to pub, receiver to sub (pull off the queue), and peek without pulling
Storage Queues are described as async whereas Service Bus Queues are specifically called out as FIFO
## Event Driven Architecture
producers are decoupled from consumers
simple processing: AZ Functions or AZ Service Bus, one at a time
complex processing: consumer processes several events looking for patterns; AZ Stream Analytics or Apache Storm
event stream processing: data streaming platform like AZ IoT Hub or Apache Kafka used as a pipeline
## Event Grid
AZ services that can send events to an event grid:
* subscription management operations
* custom topics
* AZ event hubs
* IoT Hub
* AZ Media Services
* resource group mgmt operations
* service bus
* blob storage
* general purpose v2 storage
AZ services which can handle events from an event grid:
* AZ Automation
* AZ Functions
* Event Hubs
* Hybrid connections
* AZ Logic Apps
* Microsoft Flow
* AZ Queue storage
* webhooks (external)
## Azure Relay
keeps a network session open for the purpose of relaying internal on-prem services to/from cloud workloads, typically over Express Route
"Hybrid Connections" is a feature of AZ Relay; more secure; can relay WebSocket and HTTP/HTTPS
## AZ Notification Hub
like event grid in reverse; push notification handler
## AZ Event Hubs
async, parallelism
# 10min break
Task Parallel Library: set of APIs and functions in the `System.Threading` namespace; create a `Task` instance which has a delegate param, then use `Task.Run`
async computing
## Developing for Auto-scaling
patterns: on-and-off, growing fast, predictable bursting, unpredictable bursting
auto-scale against any metric (according to the MS overview marketing-speak page)
handle transient errors by retrying... thanks SkillPipe for that
## MS Cognitive Services
formerly Project Oxford
senses intelligent features like emotion, facial expressions, etc.
Computer Vision API can recognize over 2000 objects, living beings, scenery, actions
categorizing images - 86 category concept
# Break for lunch
Bing web search API used for general-purpose search, only call Image Search API etc. if you need responses ONLY from that subset
Custom Speech Service can have different acoustic models that work with customizable language models to do speech-to-text
acoustic models are made up of phonemes which are individual spoken sounds from which words are spoken by humans - e.g. "speech" is made up of `s` + `p` + `iy` + `ch`
## QnA Maker
used for making chat bots to respond to people via chat channels
psychologically, people may be more truthful/straightforward with an AI chatbot than when chatting to a person; not as much pressure to lie/hide
## Azure IoT Hub
only 1 free IoT Hub per AZ subscription
## Azure Cosmos DB storage
consistency gradients: Strong <--> Bounded staleness <--> Session <--> Consistent prefix <--> Eventual
if you're using a consistency level of anything other than Strong, the metric for the probability that clients get the most up-to-date data on a read is called Probabilistic Bounded Staleness (PBS); measured in milliseconds of getting strongly consistent reads
"Consistent prefix" is equivalent of MongoDB `LOCAL` and Cassandra `LOCAL_ONE` or [`ONE`,`TWO`, `THREE`]
Cosmos DB can be accessed via five APIs: MongoDB, Table, Gremlin, Cassandra and SQL; data is atomic under the hood, more APIs coming in the future
to migrate to Cosmos DB, allocate containers ahead of time and upgrade throughput to at least 1000 RUs so that the import tools are not throttled; scale them back down after migration
in Cosmos DB, "collections" are containers for JSON documents and the associated JavaScript app logic; databases are containers for collections
## Relational Database options/Azure SQL Database service
deployment options: single DB, pooled DB in elastic pool with shared resources, managed instance (collection of databases) which contains system and user DBs
when you copy a database to a different logical server, it wipes out the database users and only the login which performed the migration can login to it
Azure Storage Emulator blobs are limited to 2GB max size
## using MS Azure Blob Storage service
no FIFO on blob storage queue, so messages can arrive out of order
> Tip: use the etag fields to understand if objects are still up to date
when you create an SAS and attach it to a stored access policy, it inherits the constraints
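The inheritance rule above, as an added example (a constructed model, not the Azure Storage SDK): a SAS that names a stored access policy takes its permissions and validity window from the policy, a field defined in both places makes the SAS invalid, and deleting the policy revokes every SAS that referenced it. Field names follow the SAS query parameters (`sp`, `st`, `se`, `si`); the policy names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


class StoredAccessPolicy:
    """Container-level policy: the server-side source of truth a SAS can reference."""

    def __init__(self, permissions: str, start: Optional[datetime], expiry: datetime):
        self.permissions = permissions   # e.g. "rl" = read + list
        self.start = start
        self.expiry = expiry


def effective_constraints(sas: Dict[str, object], policies: Dict[str, StoredAccessPolicy]):
    """Resolve what a SAS actually allows. Each field comes from the SAS or
    from the referenced policy, never both; a dangling policy id means revoked."""
    policy = None
    policy_id = sas.get("si")
    if policy_id is not None:
        policy = policies.get(policy_id)
        if policy is None:
            raise PermissionError("referenced policy no longer exists: SAS revoked")
    resolved = {}
    for field, attr in (("sp", "permissions"), ("st", "start"), ("se", "expiry")):
        from_sas = sas.get(field)
        from_policy = getattr(policy, attr, None) if policy else None
        if from_sas is not None and from_policy is not None:
            raise ValueError(f"{field} defined on both the SAS and the policy")
        resolved[attr] = from_sas if from_sas is not None else from_policy
    if resolved["permissions"] is None or resolved["expiry"] is None:
        raise ValueError("permissions and expiry must be defined on the SAS or the policy")
    return resolved


def sas_allows(sas, policies, operation: str, at: datetime) -> bool:
    """Map an operation to its permission letter and check the validity window."""
    needed = {"read": "r", "write": "w", "delete": "d", "list": "l"}[operation]
    try:
        c = effective_constraints(sas, policies)
    except (PermissionError, ValueError):
        return False                      # invalid or revoked SAS: deny
    if c["start"] is not None and at < c["start"]:
        return False
    if at >= c["expiry"]:
        return False
    return needed in c["permissions"]
```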
## Links from Day 5
https://en.wikipedia.org/wiki/InfiniBand
https://docs.microsoft.com/en-us/azure/data-factory/introduction
https://docs.microsoft.com/en-us/azure/batch/batch-api-basics
https://azure.microsoft.com/en-us/blog/azure-event-hubs-for-kafka-ecosystems-in-public-preview/
https://kafkaesque.io/kafkaesque-adds-azure-support-for-apache-pulsar/
https://rcpmag.com/articles/2011/02/01/the-2011-microsoft-product-roadmap.aspx
https://docs.microsoft.com/en-us/azure/automation/start-runbooks
https://docs.microsoft.com/en-us/azure/cognitive-services/
https://www.reuters.com/article/us-facebook-privacy-idUSKBN1ZS38Y
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-manage-consistency