Light IT up.

Microsoft Learning
Ignite | May 4 8, 2015 | Chicago,
IL

Implementing
Microsoft Azure
Infrastructure
Solutions
Exam Preparation
70-533

Mark
Grimes
Residence, SE MI
18 Years MCT, 10 years ft

active
10 years consulting
with Partner,
@Microsoft
Lead Internal Identity
Technical Communities
Lead multiple internal

Azure Certification
70-533

Roadmap Azure Certification

http://bit.ly/Ignite-CertApp

Lets get this party

Break it down section by section for Skills Mapping
started!

70-533 Exam Objectives

Implement Virtual Networks; 20%

Implement Websites; 16%

Implement Virtual Machines; 18%

Implement Azure AD; 16%

Implement Cloud Services; 16%

Implement Storage; 16%

http://aka.ms/certification/70-533

Side-by-side Comparison | 70533/4

70-533

70-534

Implement Websites
Design Websites
Implement Cloud Services
Implement Storage
Design an Application Storage and Data Access Strategy
Implement Cloud Services
Implement Virtual
Networks
Implement an Azure AD
Implement Virtual
Machines

Design Azure Infrastructure and Networking

Implement Cloud Services Design an Advanced Application

Microsoft Azure components

Compute

App Services

Virtual Machines
Web Sites

Media Services
Service Bus

Mobile Services
Cloud Services
Web Roles
Worker Roles

Notification Hubs
Scheduler

Data

Services
Storage
SQL Database
HDInsight
Cache

Automation
BizTalk Services
BizTalk Hybrid Connections
Visual Studio Online
Active Directory
Multi Factor Authentication
API Management
Azure RemoteApp

Network

ExpressRoute
Virtual Network
Traffic Manager
CDN

SDKs

.NET
Java
PHP
Python
Node.js
Ruby

Implement Websites

Azure Websites

Deplo
y
Websi
tes

Confi
gure
Websi
tes
Confi
gure
Diagn
ostics,
Monit
oring,
Analyt
ics
Confi
gure
Scale
&
Resili
ence

Mana
ge
Hostin
g
Plans

See Websites, Cloud Service and Virtual Machines Comparison

Deploy websites
Deployment Slots
Live sites w/ own hostnames
Alpha Numeric only! + hyphens
Requires Standard mode plan
(=1,2, 4 cores | up to 10 instances)

Can Swap for Prod

Swap the slots to Rollback

Webjobs
Scripts or Programs: .bat, ps1, .sh, PHP, .py,
Node.js
2 options: w or w/o web project
RUN:1.Continuous (App_Data/jobs/continuous)
Preview

2. Scheduled 3.On-Demand
(App_Data/jobs/triggered)
Create Schedule

Configure websites

How to configure Websites step-by-step

Settings
Web App loads name/value pairs
.Net Configuration at runtime
PHP, Python, Java and Node.js applications
access as env vars
Connection Strings for SQL db, SQL Server, MySQL,
Custom

Handler Mappings add custom scripts for

custom extensions
Virtual Application specify each dir with root
site
Check Application checkbox to mark as
an app in site config

Connection Stings for linked

resources
.Net Sites
Use connection strings at runtime
HIDDEN by default!

Other languages
Uses Environment Variables at Runtime

EXAMPLES
SQL Server: SQLCONNSTR_
MySQL: MYSQLCONNSTR_
SQL Database: SQLAZURECONNSTR_
Custom: CUSTOMCONNSTR_

IF MySQL connection string was named mystring1

THEN access through the env variable MYSQLCONNSTR_ mystring1
See MySQL Example

Configure websites
Configure Custom Domain Name, SSL &
more!
CNAME (Alias) versus A record
Read more
Video Walkthrough Create Custom Domain Name and Securing Communication
Awverify -> CNAME to prove you own it
Get-AzureDeployment -ServiceName yourservicename | Select Url
Use for CNAME
Need CNAME for WWW also

Use for A record

Configure websites

Manage Websites | PowerShell

Get-AzureWebsite
Get-AzureWebsite siteslotstest
New-AzureWebsite
New-AzureWebsite siteslotstest -Slot staging -Location "West US"
Publish-AzureWebsiteProject
Publish-AzureWebsiteProject -Name siteslotstest -Slot staging
-Package [path].zip
Show-AzureWebsite
Show-AzureWebsite -Name siteslotstest -Slot staging
Switch-AzureWebsiteSlot
Switch-AzureWebsiteSlot -Name siteslotstest
Remove-AzureWebsite (To Delete)
Remove-AzureWebsite -Name siteslotstest -Slot staging

Manage Websites | Xplat-CLI

To list the commands available for Azure Websites in
the xplat-cli, call azure site h
azure
azure
azure
azure
azure

site
site
site
site
site

See more

list siteslotstest
create siteslotstest --slot staging
create --git siteslotstest --slot staging
swap siteslotstest
delete siteslotstest --slot staging

Configure Diagnostics, Monitoring

Analytics
1. Application Diagnostics | Configure
File System, Table Storage and Blob Storage

2. Site Diagnostics | Configure

Web Svr Logging (WC3), Error Msgs (HTTP Status), Failed Request Tracing, Remote
Debugging

Diagnostic Logs

File, Table, Blob

Download with: FTP, PS, Azure CLI

Monitor in the Portal

View Data, Adding Metrics, Configure Alerts
Also, KUDU! Git support for websites
https://mysite.scm.azurewebsites.net

See How to Monitor Websites

Configure Diagnostics, Monitoring

Analytics
Up to 2 Endpoints, 3 Geographic locations
Uses HTTP Get on web URL. Each location runs test every 5
minutes

How to Monitor Websites

Logging Websites
PowerShell
Save-AzureWebSiteLog -Name websitename
#View Live Stream
Get-AzureWebSiteLog -Name websitename Tail
Azure Command-line
azure site log download websitename
azure site log tail websitename

Configure Diagnostics, Monitoring

Analytics
Configure Scale
IF Select Shared or Basic only get
Hosting Plans
Instance Size
Instance Count
NOTE if Shared, NO instance size!

How to Scale Websites

Configure Diagnostics, Monitoring

Analytics
Configure Scale
Select Standard
Hosting Plans
Instance Size
Instance Count
Schedule Times
Day and Night or
Weekend Weekday
Half hour increments
Then can Scale by Metric
Instance Count
Target CPU

Manage Hosting Plans

Create Hosting Plans
Free , Shared | 32-bit apps only! | Shared Infrastructures
Basic , Standard | Dedicated Infrastructure
Basic: Sm (1 core), Med (2), Large (4)
See What is a Web Hosting Plan
and Web hosting plans In-Depth

Migrate Between Plans

ACTIONS
1. Change Plan
2. Configure Settings
DO NOT require code change or redeploy!

Create Website w/in Plan

Just do it!

Implement Websites know these 5 things

now

Run Web Jobs 3 ways

1. Continuous 2. Schedule 3. On-Demand

Connection Strings

| how made available? .Net vs.

others?
.Net: uses connectionStrings object OTHERS as Environment Variables

Website Diagnostics | # endpoints & # geo

locations
Up to 2 Endpoints, 3 Geographic locations

Configure Scale what additional options w/

STD?

Implement Virtual Machines

Deploy
Worklo
ads

CLOUD SERVICE
VIRTUAL
VIRTUAL
VIRTUAL MACHINE
MACHINE
MACHINE

Imple
ment
Images
and
disks

Config
uration
Manag
ement

VM

VM

VM

Config
ure
networ
king

Config
ure
resilien
cy

Design
Imple
ment
Storag
e

Monito
r VMs

See Websites, Cloud Service and Virtual Machines Comparison

Virtual Machine Sizes

General
Purpose VMs

Memory
Intensive VMs

Compute
Intensive VMs

Compute Instance Name Virtual Cores

RAM

Extra Small (A0)

Shared

768 MB

Small (A1)

1.75 GB

Medium (A2)

3.5 GB

Large (A3)

7 GB

Extra Large (A4)

14 GB

Compute Instance
Name

Virtual Cores

RAM

A5

14 GB

A6

28 GB

A7

56 GB

Compute Instance
Name

Virtual
Cores

RAM

Networking

A8

56 GB

40 Gbit/s InfiniBand

A9

16

112 GB

40 Gbit/s InfiniBand

Each Persistent Data Disk Can be up to 1 TB with up to 16 disks

per VM
http://azure.microsoft.com/en-us/pricing/details/virtual-mach

Deploy Workloads on Azure VMs

Microsoft Supported Workloads

Server Roles: AD, AD FS, DNS, Print, Application, File, RAS, RDP, Web, WSUS | SQL, SP,
SC, Dynamics
NOT GOOD: Low Volume Limited growth. Regulated Environments Read more

Deploy and Connect to a Linux VM

Supported:
UBUNTU 12.04.1+, 13.10 & 14.04
CentOS by OpenLogic 6.3+
Oracle Linux 6.4+
SUSE Linux Enterprise Server SLES SP3
OpenSUSE 13.1+
Create a VM running
Create VMs
Windows.

Portal
PowerShell

Create a VM running Linux

PS: Create Virtual Machine

BEFORE
the command, you
would do.
Set-AzureSubscription
-CurrentStorageAccountName
yourstorageaccountname
Add-AzureAccount
you would enter your creds
Get-AzureSubscription
record the name"
subscription
SubscriptionName "your subscription
Get-AzureStorageAccount
the-AdminUsername
storage account
Add-AzureProvisioningConfigrecord
-Windows
$adminUser -Password $adminPassword
$webvm2 = New-AzureVMConfig -Name "Webvm2"
-InstanceSize Small -ImageName $vmimage |
Add-AzureProvisioningConfig -Windows -AdminUsername
$adminUser -Password $adminPassword
New-AzureVM ServiceName $svcname VMs $webvm1, $webvm2
Location $location

Implement Images and Disks

OS Images
Microsoft
Partner
User

Base OS image for new Virtual Machines

Sys-Prepped/Generalized/Read Only
Created by uploading or by capture

Disks

(2 min)

OS Disks
Temp disks
Data Disks

Writable Disks for Virtual Machines

Created during VM creation or during upload of
existing VHDs.
See About Disks and Image
s

See How to Attach a Disk

Perform Configuration
Management
Automate Management

PS Find, Create, Delete. To Automate VM Processes

DSC w\ Azure Extension To Automate VM Config
Custom Script Exts Helper Extensions e.g.BGInfo, VMAccess, VMM

Enable Puppet Chef Extensions

Chef
Resources managed by Recipes
=reusable definitions for tasks
Knife Azure plug-in

Puppet
Build, Deploy Manage = Lifecycle
Puppet Master pre-configured on Ubuntu server
Puppet Enterprise Agent install as agent
See About Azure VM Configuration settings &
Manage Images Using PowerShell

Configure VM Networking
Reserved IP Addresses
10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
Each can have multiple subnets
Smallest supported subnet is /29.
Size Hosts for 2n-2
Dont use same as on-premises

Access Control Lists

Permit / Deny Packet Filtering
For Endpoints only
Cant for Virtual Network or subnet w/in
Ordered first to last. So least->most restrictive!
For VMs in Vnet use NSGs instead!
Read more!

Configure VM Networking
Internal Name Resolution

ELEMENT

LOCATION

NAME RESOLUTION
PROVISION

Between role instances or

VMs

Same Cloud Service

Azure Internal Name

Resolution

Between VMs

Same VNet

Azure Internal Name

Resolution

Between role instances or

VMs

Same VNet / diff Cloud Services

Azure Internal Name

Resolution

Between role instances or

VMs

Same Cloud Services but not in a

VNet

NOT POSSIBLE VMs & role

instances cant be deployed this
way

Between role instances

Different Cloud Services but not in a

NOT POSSIBLE connectivity

1. If Azure <-> on-premises => Use your own DNS Server

VNet
between role instances in diff
2. If Between on-premises to Azure public endpoints, then use
MS svcs not supported
cloud
Azure external name resolution.
Read more on DNS

Configure VM Networking
Load Balancing Endpoints
1 Public (used by ILB) & 1 Private Port (used by VM internally) per endpoint
Azure Balancer distributes based on: Source Address, Protocol, Source /Destination
Port
Internal Load Balancing w/in Cloud Service!
Use for RDP, PSRemote, SSH

Health Probes
HTTP/TCP
Provide Base Availability Data
Detail Extensible with custom probes

Firewall Rules
Leveraging public/private/domain profiles
Automatically for RDP / SSH PS Remoting

Configure VM resiliency
Scale Up Scale Down
Slide the slider!
See Azure Limits!

Auto-Scale
Auto-scales Based on Schedule or load
Can leave VMs set initially running or stopped
Configure on the Cloud Service containing them

Configure Availability Sets

VMs in separate Fault Domains | 50 VMs Max per
SLA 99.95 | HW SW | Windows & Linux
Combine with Load Balancer to increase resiliency
Avoid Single instance machine = NO SLA
See How to configure an Availability Set for VM & VM Configuration Settings

Fault and Update Domains

Fault Domains
Groups of resources
Same rack, Server, Power Source, Network Switch
Fabric spreads across min 2 fault domains
Availability Set by default, spreads VMs across two

Update Domains
Groups of resources to be updated together
Host OS updates honour service update domains
Specified in service definition
Default of 5 (up to 20)
Only 1 rebooted at a time

Fabric Controller spreads role instances across Update Domains

and Fault Domains

Key Concepts
Hierarchy
Subscription
Cloud Service (200)

Limits and
Object
Limit
Locking 120 Create/Add

Locking

Subscription

operations in 5
minute window

N/A

200 per subscription

~3 minutes per update

None

Virtual Machine (50x200) Cloud Service

Virtual Network (100)

Virtual Machine

50 per cloud service

2048 per Virtual
Network

Storage Account (100)

Virtual Network

100 per subscription

Single modification API

Storage
Account

100 per subscription

None

No Limit

None

Storage Container

Storage

Storage Blob (40x100) Container

Storage Blob

40 per storage
account

One blob per container

Read
more
per
storage
account at a

Design and implement VM storage

Configure Disk Caching
OS and Data Disk have host caching setting aka host-cache mode
Host caching - off by default for RW for data disks.
Host-caching is ON by default for RW for operating system disks
Modify using Set-AzureOSDisk or Set-AzureDataDisk

Config OS Disk Redundancy

3 copies by default
If Geo-Redundancy enabled, then also at another site > 400 miles

Virtual Machine Storage

Architecture
Azure Virtual Machine
C:\
OS Disk | SATA
127 GB Max

Disk Cache

Temporary Disk
Windows: D:\
Linux /dev/sdb

E:\, F:\, etc.

Data Disks | SCSI
1 TB Max

Azure Blob
See How to change the Temp Drive Letter
M I C R O S O F T C O N F I D E N T I A L I N T E R N A L O N LY

Configure shared storage using Azure File

service
1. Create a context for your storage account
and key
$ctx=New-AzureStorageContext account-name account-key

2. Create a new file share

$s = New-AzureStorageShare sampleshare -Context $ctx

3. Create a directory in the file share

New-AzureStorageDirectory -Share $s -Path sampledir

4. Upload a local file to the directory

Set-AzureStorageFileContent -Share $s -Source C:\temp\samplefile.txt -Path
sampledir
See Detailed Steps and PS examples

5. Persist storage account cred for VM &

Design and implement VM storage

Config GeoReplication
LRS three local copies
ZRS zone copies w\in single facility
& region
GRS is recommended
over ZRS or LRS for maximum
durability.
Enabled for Storage Account by
default
= 6 copies of data three times each
in two data centers
RA-GRS Read-Access geo-redundant
allows read access at secondary
when primary region becomes
unavailable.

Monitor VMs
Configure Endpoint Monitoring
Can Aggregate metrics every hour or minute

Configure Alerts
Select Metric
Condition
Threshold
Alert Evaluation
Can Specify email sends

Configure Diagnostics
See monitor, diagnose and troubleshoot Microsoft Azure Storage

Implement Virtual Machines know these 5

things now

3 Ways to Automate Management

PowerShell | Desired State Configuration | Extensions e.g. Custom, Puppet, Chef,
Octopus

Load Balancing Endpoints

1 Public 1 Private IP | w/in Cloud Service | Use for RDP, PS Remote, SSH

Access Control Lists

Security Enhancement | Permit/Deny | Per Endpoint Only | By PowerShell or Mgt Portal

Fault Domain | Update Domain

Protects against rack failure | OS Updates

Geo-Replication Options
LRS (Single Region) | ZRS (Across 2-3 facilities within or across 2 regions) | GRS (3xs
in 2 regions)

Implement Cloud Services

Confi
gure
Cloud
Servi
ces &
Roles
Depl
oy
and
Mana
ge
Cloud
Servi
ces
Monit
or
Cloud
Servi
ces

See Cloud Services

See Websites, Cloud Service and Virtual Machines Comparis

Configure cloud services and roles

Instance Count and Size
Size Determines cores & memory

OS Ver and Family

Windows or Linux

2 types of roles:
web role: dedicated IIS for hosting front-end web
applications.
worker role: Applications can run asynchronous, longrunning or perpetual tasks independent of user
interaction or input.

Configure cloud services and roles

Configure Local Storage
Dedicated & Co-Located Caching
Local & Cloud Configs | Local Disks

Configure cloud services and roles

Configure Multiple websites
Configure Custom Domains

Deploy and manage cloud services

3 things Before you begin.
1.

Install Azure SDK, then download the SDK for the language to develop your code.

2.

If any role instances require a certificate, create the certificates. Cloud services
require a .pfx file with a private key. Upload to Azure as create and deploy the cloud
service

3.

Plan to deploy to Affinity Group? Use to deploy your cloud service and other Azure
services to the same location in a region. You can create the affinity group in the
Networks area of the Management Portal, on the Affinity Groups page.

Deploy and manage cloud services

3 components are required in order to
deploy an application as a cloud service in
Azure:
1.

service definition file The cloud service definition file (.csdef) defines the service
model, including the number of roles.

2.

service configuration file The cloud service configuration file (.cscfg) provides
configuration settings for the cloud service and individual roles, including the
number of role instances.

3.

service package The service package (.cspkg) contains the application code and the
service definition file.
Read more

Deploy and manage cloud services

Upgrade Deployment
i.e. new code!
1 or all roles
Need new svc pckg and svc config

VIP Swap
Staging -> Production

update deploymen
t

Deploy and manage cloud services

In-Place Updates
Go look!

Runtime Configuration changes - portal

Scale a Cloud Service
Must add VMs to Availability Set to scale an application
Can only scale within limit of cores for subscription
All VMs in Availability Set, Must be the same size
For application HA, ensure deployed w\ two or more role instances or Virtual Machines.

Deploy and manage cloud services

Create Service Bus Namespaces & choose
tier
See How to Use Service Bus Queues for Create a Service Namespace Steps!
Max # of service namespaces per subscription = 100
Connectivity options for WCF, REST endpoints
Endpoints can be behind NAT or

Apply Scalability Targets

Monitor cloud services

Create Storage Account
Enable Azure Diagnostics
Azure Extensions to
Collect diagnostic telemetry data from
Worker role, Web Role, or VM in Azure
Need connection strings to Storage Accounts
Then, can do verbose stored for 10 days

Configure Diagnostic Connection Strings

Default format looks like

DefaultEndpointsProtocol=https;AccountName=StorageAccountName;AccountKey=StorageAcco
untKey
Monitor Cloud Services

Implement Cloud Services know these 5

things now

What is a Web Role

dedicated IIS for hosting front-end web apps

3 Components to deploy application in Azure Cloud

Service?
Service Definition file (.csdef) | Service Config File (.csdef) | Service Package (.cscfg)

What is a Worker Role

Apps run asynch, long-running or perpetual tasks independent of user interaction or input.

Diagnostics can collect from

Worker Role | Web Role | VMs in Azure | All from TELEMETRY Data

What are the 2 types of Service Bus Messaging

capabilities?

Implement Storage
Imple
ment
Blobs
and
Azure
Files

Manag
e
Acces
s
Config
ure
Diagn
ostics,
Monit
oring
&
Analyt
ics
Imple
ment
SQL
Datab
ases

Imple
ment
Recov
ery
Servic
es

See Websites, Cloud Service and Virtual Machines Comparis

Implement Blobs
Highly scalable, REST interface based object
store in the cloud
Data sharing share documents, pictures, video, music, etc.
Big Data store raw data/logs and compute/map reduce over data
Backups data and device backups
Block blobs - (read/write/update blocks of data, great for sequential IO like files). Up to
200GB each. Most cost effective storage.
Page Blobs - (read and write in 512 byte pages, sparse files and random access, e.g.
for disks). Up to 1TB each
AZCopy cli high-performance uploading, downloading, and copying data to and from
Microsoft Azure Blob, File, and Table storage

Set Metadata on Container

Go to
1. Storage
2. Select some
3. Containers
tab
4. Edit at bottom

Azure Files
Shared Network File Storage for Azure
Availability, durability, scalability are managed
automatically
Supports two interfaces: SMB
REST IaaS
IaaS and IaaS
VM

VM

Azure File
Share
(PaaS)

VM

PaaS
VM

Azure Files - SMB 2.1 Protocol

Enables moving on-premises applications that rely
on shared file storage to Azure
Azure VMs can net use to a share

Natively supported by OS APIs, libraries, and tools

Windows (CreateFile, ReadFile, WriteFile, )

CRTs (fopen, fread, fwrite, )
.Net (FileStream.Read, FileStream.Write, )
Many more

Supports standard file system semantics

Move and rename files and directories
Read-only, write through, overlapped

Azure Files - File REST APIs

Allows internet access to the same shared
file system
Build hybrid applications (on premises +
cloud)
Supports a variety of common APIs:
Create/Delete Files and Directories
Write/Read Files
Get File and Directory properties
List Files

Manage Access

SAS Shared Access Signatures

2 Types : Ad Hoc SAS & SAS with Stored Access Policy
Delegated access to Storage Account Resources > Blobs, Queues, Tables
URI format with permissions and specified time | signedidentifier specifies Stored
Access Policy
Client then passes the SAS to constructor or method

Stored Access Policies

Groups SASs + provide additional restrictions | up to 64 char
Greater control | Best Practice to use with SAS
5 policies per Container, queue or table. Each policy-unlimited SASs

Regenerate Keys

WHY? Increase security

Affects virtual machines, media services, and any applications dependent on the
Share
Access
Signatures,
Pt 1 | Stored Access Policie
storage account. Must update all clients
to use
the new
key.

Configure diagnostics, monitoring and

analytics
Configure Retention Policies
# Days (1-365) | zero = set no policy

Logging Levels
Minimal e.g. ingress/egress, availability, latency, &
success %s
Aggregated for the Blob, Table, and Queue services.
Verbose Same as above + collects same metrics
per each storage operation in Azure Storage Service
API. Enables closer analysis of issues occurring during
application operations.
Off - Turns off monitoring. Existing monitoring data
persisted till end of retention period.

Analyze Logs
Logs saved in blob container $logs in storage account.
Use Blob svc API to access

See Monitor Storage Account

Implement SQL databases

Database Tiers
.

Service
Tier

Common App Pattern

Perf Objectives

Max Size

Basic

Small databases with a single operation at a

given point in time

Reliability per hour

2 GB

Standard

Workgroup and cloud applications with multiple

concurrent transactions

Reliability per
minute

250 GB

Premium

Mission-critical, high transactional volume with

many concurrent users

Reliability per
second

500 GB

Change Tiers and Service Levels

Must Read!

Implement SQL databases

Im/Export Data
Geo-Restore & Point in Time preferred
Can use for Archiving
Can combine with Database Copy
Temp increase perf level to decrease export times
Export is in bulk | no guarantee on transactional consistency
Export = BACPAC files | requires Storage Account | Use Export Data-tier Application
Wizard
Can Schedule Automated Exports & Also Can Import/Export using REST API

Im/Export Schema
A DAC package vs BACPAC target different scenarios.
A BACPAC contains both schema and data, but does not support being imported to a
database project for schema modification. DAC packages contain only schema
information import into an SSDT database project for further development work. The
Read More
primary use for a DAC package is in deploying a database schema to development,

Implement SQL databases

Azure SQL Database Copy
Create transnationally consistent copy
Then Export the copy and use for Archiving
Store Export in Azure Blob Storage Account
Automated exports always creates a copy of the DB, then exports from the copy

Read More

Implement SQL databases

Sharding Defined
Partitions data across multiple databases.
Each database in this model is referred to as a shard.

Design Scaling Strategy

3 methods to implement Sharding
1. Elastic Scale
2. Custom Sharding
3. Federations
Read More

Implement recovery services

Create Backup Vault
Backs up files/data from Win Server to Azure
Create a backup vault in geographic region
Vault Credentials Replace Certificates

Backup & Restore Data

Protected Items = been backed up
Recover 2012 or 2008 R2 SP1
Alternate Server Recovery
Start-OBRecovery -RecoverableItem $FinalItem -RecoveryOption $secureString
-Credential $cstrial
See Configure Azure Back Up to back up Windows
Server
Also Azure Backup Overview

Implement recovery services

Deploy Backup Agent

REQUIRES: WIF and PS

WABInstaller.exe
Can install on:
Servers: 2012 R2, 2012, 2008 R2 SP1
64 bit Win 7, 8, 8.1
Ext available for Server 2012 Essentials
If using DPM, requires Update Roll up 2 for SCDPM SP1
Recovery Services > Quick Start > to generate and download credential
Select Agent Type:
Azure Backup Agent
Windows Server and System Center Data Protection Manager
Windows Server Essentials
See Install Backup Agent and upload vault credentia
Also
Administer Azure Backup with Windows PowerShell

Implement Storage know these 5 things now

Implement Blobs
Block Blobs (Sequential IO) up to 200GB each | Page Blobs (Random Access) up to
1 TB

Shared Access Storage

Delegated Access | Limit Permissions to Blobs, Queues, Tables | URI format w\perms &
spec. time

Logging Levels
For Blobs, Tables and Queue Services | Off , Minimal, Verbose - > per Storage
operations

SQL Import/Export | 2 File Types & Scenarios

BACPAC contains both schema and data | DAC packages contain only schema

Deploy Backup Agent | can install on.

Implement Azure Active Directory

Integr
ate
Azure
AD
with
other
dirs
Confi
gure
the
Appli
catio
n
Panel
Integr
ate
an
app
with
Azure
AD

Integrate an Azure AD with existing

directories
Synchronization

Active Directory
Active
Directory

*Write back of attributes to support

cloud first and co-existence

Identity Sync with

password hash
sync

User attributes are synchronized including the

password hash, Authentication can be completed
against either Azure or Windows Server Active
Directory

Federation

Identity
Sync

Active Directory

Active
Directory

AD FS provides conditional access

to resources, Work Place Join for
device registration and integrated
Multi-Factor Authentication

AD FS

User attributes are synchronized,

Authentication is passed back through
federation and completed against Windows
Server Active Directory

Integrate an Azure AD with existing

directories
SSO with On-premises 2012 R2
AD FS and Web Application Proxy

Add Custom Domains

Create CNAME in Registrars DNS Table
2. With Azure PowerShell run
1.

Get-AzureDeployment -ServiceName yourservicename | Select Url

Use for CNAME

4. Add www alias or subdomain if needed
3.

Read More

Configure the Application Access

Panel
Configure SaaS SSO
SaaS providers leverage AAD as an IdP STS.
This is similar to the relationship they would otherwise have with AD FS
AAD decides how to authenticate the user:
federated or standard, MFA or simple password
SSO is facilitated using the protocols expected by the SaaS provider:
SAML-P, WS-Federation, OpenID Connect
Depending on the app, single-sign out and password reset integration will be
supported

Configure the Application Access

Panel
Add Users/Groups to Apps
Access Panel by http://myapps.microsoft.com
Custom branding? Load by appending your organizations domain
http://myapps.microsoft.com/contosobuild.com
USERS CAN:
change PW, Edit PW Reset, MFA prefs, view account details, view/launch apps
Self-manage groups

Authentication
Users must be authenticated by Organizational account in AAD
If Federation, then can AuthN against on-premises
Read more

Configure the Application Access

Panel

Configure the Application Access

Panel

Integrate an app with Azure AD

Web Apps | WS-Fed
SOAP Clients | WS-Trust spec | RST/RSTR

Desktop Apps | OAuth

RESTful Apps | HTTP Methods | Stateless

Graph API
Programmatic access to AAD through REST API Endpoint
Apps use to perform CRUD operations on Directory data and objects
To call on directory must register APP with AAD
RBAC Security Groups used to perform RBAC in Graph API
EXAMPLES
Create New User, Get Properties, Disable
Check Group Membership, update, delete, etc

Query an Azure AD directory using the Graph API

Implement Azure Active Directory

know

these 5 things now

Azure AD Integration Options

Azure AD Sync | Dirsync | FIM 2012 R2

Add Custom Domains

Create CNAME | Get-AzureDeployment -ServiceName yourservicename | Select Url

Configure SaaS SSO

AAD is the IdP | AAD determines AuthN, fed/std/MFA/Password, SSO: SAML-P, WS-Fed,
Open ID Connect

WS-Fed vs. Oauth Apps

SOAP Clients, WS-Trust spec, RST/RSTR | RESTful Apps, HTTP Methods, Stateless

Graph API
Access AAD | REST | CRUD operations | Must register App with AAD | Security Groups
use RBAC

Implement Virtual Networks

See Virtual Network Configuration Tasks

Config
ure a
Virtual
Netwo
rk

Modify
a
Netwo
rk
Config
uratio
n
Design
and
imple
ment
a
multisite or
hybrid
netwo
rk

Implement Virtual Networks

Service
consumers

Azure
Virtual Network

Virtual Networks
Flexible, multi-tier
topology
Network
segmentation
Internal load
balancing

Internet
Front-End Network Access
Load-balanced and direct VIPs

Hybrid
Connectivity

ACLs & DDoS protection

Traffic Manager & Azure DNS

On premises

Secure Internet cross

premises VPN
connectivity
ExpressRoute direct

Internet
Connectivity

Traffic Manager: DNS-based Load

Balancing

www.yourapp.com

Load balancing policies

Performance - Direct to closest service based on
network latency
Round-robin - Distribute equally across all services
Failover - Direct to backup service if primary fails

Nested Profile for Traffic Manager

MyApp.TrafficManager.net

Performance
Load Balancing

WestUS.
EastUS.
CloudApp.net CloudApp.net

EUNorth.
TrafficManager.net

Weight=95%

JapanWest.
AsiaEast.
EUWest.
CloudApp.net CloudApp.net CloudApp.net

Weight=5%

EUNorth. EUNorth-new.
CloudApp.netCloudApp.net

Internet IP Addresses & Load

Balancing
Internet

VIP
Internet IP load balanced among one or more VM

instances
MUST explicitly open input endpoints
Primarily for load balanced, highly available, or
auto-scale scenarios

PIP
Internet IP assigned to a single VM exclusively
Entire port ranges are accessible by default
For applications that dispatch/redirect to a

secondary port(s) on the same VM or require to

151.2.3.4
LB

131.3.3.3

Cloud
service
Reserved
VIP

Microsoft Azure

131.4.4.4

VM1

VM2

DIP1

DIP2

Azure Load Balancing Algorithms

Client
1

Client
2

Client
3

Default
5-tuple-hash based; spreading incoming

connections to all active instances

VIP

Source-IP-based affinity

Azure Load Balancer

All connections from the same Internet

client IP to the same backend server

Scenarios
Applications that require multiple connections to

the same server

Example: media streaming to establish control

VM
Server
Instance

VM
Server
Instance

Click icon to add picture

Virtual
Network

See Virtual Network Configuration Tasks

Azure Virtual Network

On Premises
10.0/16

Bring Your Own Network

Address spaces Private/RFC1918 & Public IP*
Multi-tier subnet topology
Bring your own AD & DNS
Linux, virtual appliances, & Windows

Logical isolation with control

over network segmentation

using Network Security Groups
Secure cross premises

Internet
Direct
Internet
Connectivity

S2S VPNs &

ExpressRout
e
VPN
GW

AD / DNS

Backend
10.3/16

Mid-tier
10.2/16

Frontend
10.1/16

Azure Virtual Network

Network Security
Groups

See About NSGs

On Premises 10.0/16

Internet

Enables network

segmentation & DMZ

Access Control List

S2S
VPNs

Filter conditions with allow/deny

Individual addresses, address prefixes,

wildcards

Associate with VMs or

subnets
Ingress Subnet ACLs VM ACLs VM

Internet

VPN
GW

Backend
10.3/16

Virtual
Network

Mid-tier
10.2/16

Frontend
10.1/16

Network Security
Groups
Workflow Steps to Create
Create a network security group (NSG).
1. Add network security rules, unless the default rules are

sufficient.
2. Associate the NSG to a VM.
3. Update the VM.
4. After update, the NSG rules will take effect immediately.

See About NSGs

Network Security
Groups

See About NSGs

Additional Key Points

Can associate NSG to VM, or subnet w/in a VNet.
VM or subnet can be associated w\only1 NSG,
but each NSG can contain up to 200 rules.
Can Associate NSG to BOTH a VM and a Subnet !
You can have 100 NSGs per subscription.
Endpoint-based ACLs and network security groups are not supported on
the same VM instance. First remove Endpoint ACL before associating an
NSG.
Default rules cannot be deleted, but can be overridden because at
lowest priority

Internal Load Balancing

Internet

Enables load balancing

among VMs with private IP

addresses

Public VIP

Accessible only by customers virtual network

Azure Virtual Network

External
load
balancer

and on-premises networks

Multi-tier applications with

internal facing tiers require

load balancing
HA LOB apps
SQL Always On
RDP to internal endpoints

Internal
VIP
Internal
load
balancer

Back end

Front end

Web frontend tier

Logic tier

Configure a Virtual Network

Configure Static IPs
Verify IP Address free
Test-AzureStaticVNetIP VNetName TestVNet IPAddress 192.168.4.7
Specify when creating new VM or for existing
Can remove when done see all PS Examples!

Configure Internal Load Balancing

Create ILB Instance
2. Add endpoint to the ILB Instance
3. Configure Servers to send their traffic to the new ILB Endpoint
Existing virtual networks that have been configured for an affinity group cannot use
ILB
Read More See PowerShell Examples!
1.

Design Subnets

Modify a Network Configuration

Modify a Subnet
Import a Network Configuration
Export a Network Configuration

Read Mor
e

Bring Your Appliances to the Cloud

Azure Certified
Building blocks
Multiple NICs
MAC address persistence

Appliance

ecosystem
Barracuda NG Firewall
Citrix NetScaler
Riverbed Steelhead,

Click icon to add picture

Hybrid
Connectivity

Design and implement a multi-site or

hybrid network
Cloud

Customer

Secure point-to-site
connectivity

Secure site-to-site
VPN connectivity

ExpressRoute
private connectivity

Segment and workloads

Developers
POC Efforts
Small scale
deployments
Connect from
anywhere
SMB, Enterprises
Connect to Azure
compute

SMB & Enterprises

Mission critical workloads
Backup/DR, media, HPC
Connect to all Azure
services

Virtual Network
Express Route
Traffic Manager

Multi-site & VNet-to-VNet

Multi-site & VNet-toconnectivity
VNet
Multiple Site-to-Site

connections
Multiple on-premises sites connect to same

virtual network

Connect to multiple
virtual networks
and
on-premises
locations

VNet1
US
West
10.1/16

VNet2
East
Asia
10.2/16

VNet-to-VNet connectivity

to any Azure datacenter

Same region or cross regions
For HA and DR, customers create virtual

networks in different Azure regions

Cross-subscription

Contoso NorthAm
HQ (10.0.0.0/16)

Contoso East Asia

(10.3.0.0/16)

Forced Tunneling
On Premises

Force or redirect

customer Internet-bound
traffic to an on-premises
site
Auditing & inspecting

outbound traffic from Azure

Needed by many scenarios

for critical security and IT

Internet
S2S
VPNs

Forced Tunneled
via S2S VPN

Internet

VPN
GW

Backend
10.3/16

Mid-tier
10.2/16

Frontend
10.1/16

Virtual Network

Gateway Enhancements
High Performance

Gateway

option

Better throughput
More S2S tunnels

Better throughput for Vnet-to-

Pricing
$0.49 per gateway hour
Data transfer & VNet traffic rates

unchanged
Gateway
SKU

Default

ExpressRout S2S
e
Throughpu
Throughput t*
*

Max
Tunnels

500 Mbps

10

100 Mbps

* Subject
to traffic 1000
conditions
behavior
Performan
Mbpsand application
200 Mbps
30

ce

No Encryption
Vnet within Azure
Intra-/Inter-region Vnet-toVnet traffic stays within
Microsoft networks, not
Internet

PFS Support for

IKE
Compliance requirements &

better security

M I C R O S O F T C O N F I D E N T I A L I N T E R N A L O N LY

Implement Virtual Networks

know these 5

things now

Network Security Groups

Free | Shared | Basic | Standard

Configure ILB
Change Plan + Configure Settings

Import Network Config | Modify Subnets

Just do it!

P2S | S2S
Just do it!

Express Route
Just do it!

Resources
Microsoft Learning Site (

http://bit.ly/Ignite-Learning)
Your one-stop location for info on all available Microsoft certifications, training, and

exam prep resources

Microsoft Virtual Academy (

http://bit.ly/Ignite-VirtAcad)

Your source for on-demand, online technical training

Microsoft Training and Certification Guide (

http://bit.ly/Ignite-CertApp)

Interactive Windows 8.1 app, to help you choose and traverse your path

aka.ms/certification/70-533

 2015 Microsoft Corporation. All rights reserved.