Nicholas Rogoff Twitter nrogoff httpsblognicholasrogoffcom IMPORTATNT NOTE Microsoft Azure is constantly evolving and so do the topics tested in the exams The slides here were pretty ID: 746716
Download Presentation The PPT/PDF document "Azure Architecture Certification Revisio..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Azure Architecture Certification Revision Sheets
Nicholas Rogoff
Twitter:
@
nrogoff
https://blog.nicholasrogoff.com
IMPORTATNT NOTE:
Microsoft Azure is constantly evolving and so do the topics tested in the exams. The slides here were pretty
accurate’ish
as at January 2017, but check them for yourself!!
Disclaimer: I can not guarantee that the info here is correct, so don’t come back to me if you fail the exams. These are MY notes and not in any way authoritative or complete, but hopefully helpful.Slide2
Azure Certification paths and Exams
MCSD: Azure Solution Architect
Require All Exams
70-532, 70-533, 70-534
Retiring on March 31
st
2017.
MCSA: Cloud Platform
Require 2 exams of:
70-532, 70-533
, 70-534, 70-473, 70-475
MCSE: Cloud Platform and Infrastructure
Require: ‘MCSA: Cloud Platform’, plus 1 exam of:
70-532, 70-533,
70-534
, 70-473, 70-475, 70-744, 70-413, 70-414, 70-246, 70-247 (not already taken for MCSA)
*Red indicates the exams that these notes are focused onSlide3
Exam 70-532: Developing Microsoft Azure Solutions
New Exam Objectives
Here’s the full list of exam objectives for this November 22, 2016 exam update:
Create and manage Azure Resource Manager virtual machines (30 – 35%)
Deploy workloads on Azure Resource Manager (ARM) virtual machines (VMs)
– Identify workloads that can and cannot be deployed; run workloads including Microsoft and Linux; create VMs
Perform configuration management
– Automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent (custom script extensions); configure VMs using a configuration management tool such as Puppet or Chef; enable remote debugging
Configure ARM VM networking
– Configure static IP addresses, Network Security Groups (NSGs), DNS, User Defined Routes (UDRs), external and internal load balancing with HTTP and TCP health probes, public IPs, firewall rules, and direct server return; design and implement Application Gateway
Scale ARM VMs
– Scale up and scale down VM sizes; deploy ARM VM Scale Sets (VMSS); configure ARM VMSS auto-scale
Design and Implement ARM VM storage
– Configure disk caching; plan for storage capacity; configure shared storage using Azure File service; configure geo-replication; implement ARM VMs with Standard and Premium Storage
Monitor ARM VMs
– Configure ARM VM monitoring; configure alerts; configure diagnostic and monitoring storage location
Manage ARM VM availability
– Configure multiple ARM VMs in an availability set for redundancy; configure each application tier into separate availability sets; combine the Load Balancer with availability sets
Design and Implement a storage and data strategy (25 – 30%)
Implement Azure Storage blobs and Azure Files
– Read data; change data; set metadata on a container; store data using block and page blobs; stream data using blobs; access blobs securely; implement
async
blob copy; configure Content Delivery Network (CDN); design blob hierarchies; configure custom domains; scale blob storage
Implement Azure storage tables and queues
– Implement CRUD with and without transactions; design and manage partitions; query using OData; scale tables and partitions; add and process queue messages; retrieve a batch of messages; scale queues
Manage access and monitor storage
– Generate shared access signatures, including client renewal and data validation; create stored access policies; regenerate storage account keys; configure and use Cross-Origin Resource Sharing (CORS); set retention policies and logging levels;
analyze
logs
Implement Azure SQL Databases
– Choose the appropriate database tier and performance level; configure and perform point in time recovery; enable geo-replication; import and export data and schema; scale Azure SQL databases
Implement Azure DocumentDB
– Create databases and collections; query documents; run DocumentDB queries
Implement Redis caching
– Choose a cache tier; implement data persistence; implement security and network isolation; tune cluster performance
Implement Azure Search
– Create a service index; add data; search an index; handle search results
Manage identity, application, and network services (15 – 20%)
Integrate an app with Azure Active Directory (AAD)
– Develop apps that use WS-federation, OAuth, and SAML-P endpoints; query the directory by using graph API
Design and Implement a communication strategy
– Implement Hybrid Connections to access data sources on-premises; leverage S2S VPN and ExpressRoute to connect to an on-premises infrastructure
Design and Implement a messaging strategy
– Develop and scale messaging solutions using service bus queues, topics, relays, event hubs, and notification hubs; monitor service bus queues, topics, relays, event hubs and notification hubs
Develop apps that use AAD B2C and AAD B2B
– Design and implement .NET MVC, Web API, and Windows Desktop apps that leverage social identity provider authentication, including Microsoft account, Facebook, Google+, Amazon, and LinkedIn; leverage AAD B2B to design and implement applications that support partner-managed identities
Design and Implement Azure PaaS Compute and Web and Mobile Services (25 – 30%)
Design Azure App Service Web Apps
– Define and manage App Service plans; configure Web Apps settings, certificates, and custom domains; manage Web Apps by using the API, Azure PowerShell, and
Xplat
-CLI; implement diagnostics, monitoring, and analytics; implement web jobs; design and configure Web Apps for scale and resilience
Implement Azure Functions
– Create Azure Functions; implement a
webhook
Function; create an event processing Function; implement an Azure-connected Function
Implement API Management
– Create managed APIs; configure API Management policies; protect APIs with rate limits; add caching to improve performance; monitor APIs; customize the Developer Portal
Design Azure App Service API Apps
– Create and deploy API Apps; automate API discovery by using the
Swashbuckle
; use Swagger API metadata to generate client code for an API app; monitor API Apps
Develop Azure App Service Logic Apps
– Create a Logic App connecting SaaS services; create a Logic App with B2B capabilities; create a Logic App with XML capabilities; trigger a Logic App from another app; create custom and long-running actions; monitor Logic Apps
Develop Azure App Service Mobile Apps
– Create a Mobile App; add offline sync to a Mobile App; add authentication to a Mobile App; add push notifications to a Mobile App
Design and Implement Azure Service Fabric apps
– Create a Service Fabric application; build an Actors-based service; add a web front-end to a Service Fabric application; monitor and diagnose services; migrate apps from cloud services; create, secure, upgrade, and scale Service Fabric Cluster in Azure; scale a Service Fabric app
It’s worth noting that the percentages (%) displayed in the titles of the main exam objectives are the percentages of the exam questions that will be on that topic area.Slide4
Exam 70-533:
Implementing
Microsoft Azure Infrastructure Solutions
New Exam Objectives
Here’s the full list of exam objectives for this November 16, 2016 exam update:
Design and implement Azure App Service apps (15–20%)
Deploy Web Apps
Define deployment slots; roll back deployments; implement pre- and post- deployment actions; create, configure, and deploy packages; create App Service plans; migrate Web Apps between App Service plans; create a Web App within an App Service plan
Configure Web Apps
Define and use app settings, connection strings, handlers, and virtual directories; configure certificates and custom domains; configure SSL bindings and runtime configurations; manage Web Apps by using Azure PowerShell and
Xplat
-CLI
Configure diagnostics, monitoring, and analytics
Retrieve diagnostics data; view streaming logs; configure endpoint monitoring, alerts, and diagnostics; use remote debugging; monitor website resources
Configure Web Apps for scale and resilience
Configure auto-scale using built-in and custom schedules, configure by metric, change the size of an instance, configure Traffic Manager
Create and manage Azure Resource Manager Virtual Machines (20–25%)
Deploy workloads on Azure Resource Manager (ARM) virtual machines (VMs)
Identify workloads that can and cannot be deployed; run workloads, including Microsoft and Linux; create VMs; connect to a Windows/Linux VM
Perform configuration management
Automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent (custom script extensions); configure VMs using a configuration management tool, such as Puppet or Chef; enable remote debugging
Design and implement VM storage
Configure disk caching, plan storage capacity, configure operating system disk redundancy, configure shared storage using Azure File service, configure geo-replication, encrypt disks, implement ARM VMs with Standard and Premium Storage
Monitor ARM VMs
Configure ARM VM monitoring, configure alerts, configure diagnostic and monitoring storage location
Monitor ARM VM availability
Configure multiple ARM VMs in an availability set for redundancy, configure each application tier into separate availability sets, combine the Load Balancer with availability sets
Scale ARM VMs
Scale up and scale down VM sizes, deploy ARM VM Scale Sets (VMSS), configure ARM VMSS auto-scale
Design and implement a storage strategy (20–25%)
Implement Azure storage blobs and Azure files
Read data, change data, set metadata on a container, store data using block and page blobs, stream data using blobs, access blobs securely, implement
async
blob copy, configure a Content Delivery Network (CDN), design blob hierarchies, configure custom domains, scale blob storage
Manage access
Create and manage shared access signatures, use stored access policies, regenerate keys
Configure diagnostics, monitoring, and analytics
Set retention policies and logging levels,
analyze
logs
Implement Azure SQL Databases
Choose the appropriate database tier and performance level; configure point-in-time recovery, geo-replication, and data sync; import and export data and schema; design a scaling strategy
Implement recovery services
Create a backup vault, deploy a backup agent, back up and restore data
Implement an Azure Active Directory (15–20%)
Integrate an Azure Active Directory (Azure AD) with existing directories
Implement Azure AD Connect and single sign-on with on-premises Windows Server 2012 R2, add custom domains, monitor Azure AD
Configure Application Access
Configure single sign-on with SaaS applications using federation and password based, add users and groups to applications, revoke access to SaaS applications, configure access, configure federation with Facebook and Google ID
Integrate an app with Azure AD
Implement Azure AD integration in web and desktop applications, leverage Graph API
Implement Azure AD B2C and Azure B2B
Create an Azure AD B2C Directory, register an application, implement social identity provider authentication, enable multi-factor authentication, set up self-service password reset, implement B2B collaboration, configure partner users, integrate with applications
Implement virtual networks (10–15%)
Configure virtual networks
Deploy a VM into a virtual network; configure external and internal load balancing; implement Application Gateway; design subnets; configure static, public, and private IP addresses; set up Network Security Groups (NSGs), DNS at the virtual network level, HTTP and TCP health probes, public IPs, User Defined Routes (UDRs), firewall rules, and direct server return
Modify network configuration
Modify a subnet, import and export a network configuration
Design and implement a multi-site or hybrid network
Choose the appropriate solution between ExpressRoute, site-to-site, and point-to-site; choose the appropriate gateway; identify supported devices and software VPN solutions; identify networking prerequisites; configure virtual networks and multi-site virtual networks
Design and deploy ARM templates (10–15%)
Implement ARM templates
Author ARM templates; create ARM templates to deploy ARM Resource Providers resources; deploy templates with PowerShell, CLI, and REST API
Implement ARM templates
Leverage service principals with ARM authentication, use Azure Active Directory Authentication with ARM, set management policies, lock resources
Implement ARM templates
Secure resource scopes, such as the ability to create VMs and Azure Web Apps; implement Azure role-based access control (RBAC) standard roles; design Azure RBAC custom Slide5
Exam 70-532: Developing Microsoft Azure Solutions
New Exam Objectives
Here’s the full list of exam objectives for this November 16, 2016 exam update:
Secure resources (20–25%)
Secure resources by using managed identities
Describe the differences between Active Directory on-premises and Azure Active Directory (Azure AD), programmatically access Azure AD using Graph API, secure access to resources from Azure AD applications using OAuth and OpenID Connect
Secure resources by using hybrid identities
Use SAML claims to authenticate to on-premises resources, describe AD Connect synchronization, implement federated identities using Active Directory Federation Services (ADFS)
Secure resources by using identity providers
Provide access to resources using identity providers, such as Microsoft account, Facebook, Google, and Yahoo!; manage identity and access by using Azure AD B2C; implement Azure AD B2B
Identify an appropriate data security solution
Identify security requirements for data in transit and data at rest; identify security requirements using Azure services, including Azure Storage Encryption, Azure Disk Encryption, and Azure SQL Database TDE
Design a role-based access control (RBAC) strategy
Secure resource scopes, such as the ability to create VMs and Azure Web Apps; implement Azure RBAC standard roles; design Azure RBAC custom roles
Manage security risks by using an appropriate security solution
Identify, assess, and mitigate security risks by using Azure Security Center, Operations Management Suite, and other services
Design an application storage and data access strategy (5–10%)
Design data storage
Design storage options for data, including Table Storage, SQL Database, DocumentDB, Blob Storage, MongoDB, and MySQL; design security options for SQL Database or Azure Storage
Select the appropriate storage option
Select the appropriate storage for performance, identify storage options for cloud services and hybrid scenarios with compute on-premises and storage on Azure
Design advanced applications (20–25%)
Create compute-intensive applications
Design high-performance computing (HPC) and other compute-intensive applications using Azure Services
Create long-running applications
Implement Azure Batch for scalable processing, design stateless components to accommodate scale, use Azure Scheduler
Integrate Azure services in a solution
Design Azure architecture using Azure services, such as Azure AD, Azure App Service, API Management, Azure Cache, Azure Search, Service Bus, Event Hubs, Stream Analytics, and
IoT
Hub; identify the appropriate use of Azure Machine Learning, big data, Azure Media Services, and Azure Search services
Implement messaging applications
Use a queue-centric pattern for development; select appropriate technology, such as Azure Storage Queues, Azure Service Bus queues, topics, subscriptions, and Azure Event Hubs
Implement applications for background processing
Implement Azure Batch for compute-intensive tasks, use Azure WebJobs to implement background tasks, use Azure Functions to implement event-driven actions, leverage Azure Scheduler to run processes at
preset
/recurring timeslots
Design connectivity for hybrid applications
Connect to on-premises data from Azure applications using Service Bus Relay, Hybrid Connections, or the Azure Web App virtual private network (VPN) capability; identify constraints for connectivity with VPN; identify options for joining VMs to domains or cloud services
Design Azure Web and Mobile Apps (5–10%)
Design Web Applications
Design Azure App Service Web Apps, design custom web API, offload long-running applications using WebJobs, secure Web API using Azure AD, design Web Apps for scalability and performance, deploy Azure Web Apps to multiple regions for high availability, deploy Web Apps, create App Service plans, design Web Apps for business continuity, configure data replication patterns, update Azure Web Apps with minimal downtime, back up and restore data, design for disaster recovery
Design Mobile Applications
Design Azure Mobile Services; consume Mobile Apps from cross-platform clients; integrate offline sync capabilities into an application; extend Mobile Apps using custom code; implement Mobile Apps using Microsoft .NET or Node.js; secure Mobile Apps using Azure AD; implement push notification services in Mobile Apps; send push notifications to all subscribers, specific subscribers, or a segment of subscribers
Design a management, monitoring, and business continuity strategy (20–25%)
Design a monitoring strategy
Identify the Microsoft products and services for monitoring Azure solutions; leverage the capabilities of Azure Operations Management Suite and Azure Application Insights for monitoring Azure solutions; leverage built-in Azure capabilities; identify third-party monitoring tools, including open source; describe Azure architecture constructs, such as availability sets and update domains, and how they impact a patching strategy;
analyze
logs by using the Azure Operations Management Suite
Describe Azure business continuity/disaster recovery (BC/DR) capabilities
Leverage the architectural capabilities of BC/DR, describe Hyper-V Replica and Azure Site Recovery (ASR), describe use cases for Hyper-V Replica and ASR
Design a disaster recovery strategy
Design and deploy Azure Backup and other Microsoft backup solutions for Azure, leverage use cases when
StorSimple
and System Center Data Protection Manager would be appropriate, design and deploy Azure Site recovery
Design Azure Automation and PowerShell workflows
Create a PowerShell script specific to Azure, automate tasks by using the Azure Operations Management Suite
Describe the use cases for Azure Automation configuration
Evaluate when to use Azure Automation, Chef, Puppet, PowerShell, or Desired State Configuration (DSC)
Architect an Azure Compute infrastructure (10–15%)
Design ARM Virtual Machines (VMs)
Design VM deployments leveraging availability sets, fault domains, and update domains in Azure; select appropriate VM SKUs
Design ARM template deployment
Author ARM templates; deploy ARM templates via the portal, PowerShell, and CL
Design for availability
Implement regional availability and high availability for Azure deploymentsSlide6
PowerShell
#Get Azure
Powershell
version
Get-Module -
ListAvailable
-Name Azure -Refresh
# Get Storage Account
Get-
AzureStorageAccount
Get-AzureRmStorageAccount# create a context for account and key$ctx = New-AzureStorageContext storage-account-name storage-account-key# Set the default storage account (ARM)Set-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName# Set the current sub and storage (ASM)Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $strgName# Create a New ContainerNew-AzureStorageContainer –Name $name –Permission off# Get Endpoints $storageAcc.PrimaryEndpoints.Blob.ToString() #get current context (ARM)Get-AzureRmContext#list available subscription (ARM)Get-AzureRmSubscription#Set context subscription (ARM)Select-AzureRmSubscription -SubscriptionName "NR MSDN"# Set Context storage accountSet-AzureRmCurrentStorageAccount -ResourceGroupName "vm-training" -Name "hmsvmtraindsc"
GeneralPortalsClassic – Service Management Model (ASM)New – Azure Resource Management (ARM)Resource Groups can span regionsUse Pricing Calculator to estimate costsBilling APIsRateCard API - Allows you to get a list of available azure resources along with its estimated pricing information for various subscription types, such as pay-as you-go, MSDN, BizSpark etcResource Usage API - consumption
Azure - GeneralSlide7
Azure Patterns
Cache-aside
Load data on demand into a cache from a data store
Circuit Breaker
Handle faults that may take a variable amount of time to rectify when connecting to a remote service or resource. This pattern can improve the stability and resiliency of an application
Competing Consumers Pattern
Enable multiple concurrent consumers to process messages received on the same messaging channel. Enables a system to process multiple messages concurrently to optimize throughput, to improve scalability and availability, and to balance the workload
Command and Query Responsibility Segregation (CQRS)
Segregate operations that read data from operations that update data by using separate interfaces. This pattern can maximize performance, scalability, and security;
Event Sourcing Pattern
Use an append-only store to record the full series of events that describe actions taken on data in a domain, rather than storing just the current state, so that the store can be used to materialize the domain objects.Compute Resource Consolidation PatternValet Key PatternExternal Configuration Store PatternFederated Identity PatternGatekeeper PatternIndex Table PatternLeader election PatternMaterialized view patternPriority queue PatternQueue-based load levelling PatternStatic Content Hosting PatternSlide8
PowerShell - VMs
# Deploy using a Template
New-
AzureRmResourceGroupDeployment
-Name $name -
ResourceGroupName
$
resourceGroupName
-
TemplateUri
$templateUri#Modify caching on disksSet-AzureRmOSDiskSet-AzureRmDataDiskNew-AzureAclConfigSet-AzureAclConfigSet-AzureVMSizee.g. Get-AzureVM –ServiceName “MyVM” | Set-AzureVMSize “Large” | Update-AzureVMGeneralResource Groups can span regions2 Endpoint by default (1 external, 1 internal)Ports (3389 – Remote Desktop, 5986 – Remote PowerShell)Availability SetsMax update domains: 20 (5 default), Max Fault Domains: 3 (2 default)Max VMs = 50Affinity Groups (Keep resources together. Being phased out of Vnets)Scale Sets (no need to pre-provision, need to use Azure Resource Explorer to no. deployed)Load Balance Sets – Classic VMs only and Standard and aboveVM Agent – installed by default when using gallery images. Extensions: DSC, Custom Script Extension, Visual Studio Release Manager (DSC based), Octopus Deploy (DSC based),Docker Extension, Puppet Enterprise, Chef client)Azure VMs not recommended for: Low volume limited growth or Regulated environments.DisksOS Images – Base OS images for new VMs. Sys-prepped/Generalized/ReadOnly. SATAHost caching on by defaultC:\ = OS (max 127GB)Disks – Writable for VMs. SCSI. 1TB MaxCaching off by defaultD:\ (/dev/sdb on linux) = temp (not persistent), E,F,G…=Data diskDiagnosticsMetrics ( Basic, Network, .NET, ASP.NET, SQL)Logs (System, Security, Application, Infrastructure, IIS, Boot)
Azure VMs - GeneralSlide9
General
A-Series (and Av2)
Entry Level - Basic A0 to Standard A4 (A0 is oversubscribed on physical)
High Memory Entry Level - Standard A5 to A7
High Performance - Standard A8 to A11 (
compute intensive
). A8 & A9 have 2
nd
NIC for remote direct memory access (
RDMA
) connectivityD-SeriesGeneral purpose production - Standard D1 to D14Higher compute power, higher mem to core ratio, SSD for temp diskDv2 – 35% faster, same mem & disk conf. 2.4GHz XeonF-Series (and Fs)Standard F1, F2, F4, F8, F16, F1s, F2s, F4s, F8s, F16sSame CPU as Dv2, but lower mem to core ratio and per-hour list price.No, matches CPU cores. Fs-Series Optimized for Premium storageG-SeriesHigh memory and dense local storage - G1 to G5DS-SeriesGeneral purpose production - Standard DS1 to DS14 – premium storage ssdGS-SeriesHigh memory and dense local storage - GS1 to GS5 – premium storage ssdN*-SeriesGPU by NvideaH-SeriesStandard H8, H16, H8m, H16m, H8r, H16mrNext gen high performance. For HPC clusters. r, mr feature 2nd Nic for remote direct memory access (RDMA) connectivityAzure VMs – Sizes…Virtual Machine Size CPU Cores Memory Disk Space for Local Storage Resources Max data disks
Max data disk throughput: IOPSMax NICs / Network bandwidthExtraSmall (A0)
Shared
768 MB
20 GB
1
1x500
1 / low
Small (A1)
1
1.75 GB
225 GB
2
2x500
1 / moderate
Medium (A2)
2
3.5 GB
490 GB
4
4x500
1 / moderate
Large (A3)
4
7 GB
1000 GB88x5002 / highExtraLarge (A4)814 GB2040 GB1616x5004 / highA5 (high mem)214 GBA6 (high mem)428 GBA7 (high mem)856 GBA8 (high network)856 GB40 Gbit/s InfiniBandA9 (high network)16112 GB40 Gbit/s InfiniBand
Standard A0 - A4 using CLI and PowerShell
Slide10
PowerShell - VMs
# Convert VHDX to VHD
Convert-VHD
–Path c:\test\MY-VM.vhdx –
DestinationPath
c:\test\MY-NEW-VM.vhd -
VHDType
Fixed
# Upload VHD to Azure
$
urlOfUploadedImageVhd = "https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd"Add-AzureRmVhd -ResourceGroupName $rgName -Destination $urlOfUploadedImageVhd -LocalFilePath "C:\Users\Public\Documents\Virtual hard disks\myVHD.vhd“# Set NIC ACL????? #Add-AzureProvisioningConfig –Windows –AdminUsername $adminUser –Password $adminPasword |$webvm1 = New-AzureVMConfig –Name “Webvm1” –InstanceSize Small –ImageName $vmimageNew-AzureVM –ServiceName $svcname –VMs $webvm1 –Location $locationIf Hyper-V then Prepare (complex)SysPrep to Generalize a VM%windir%\system32\sysprep | OOBE & Generalize & ShutdownIf VHDX then convert to VHD (see PowerShell ) or use Hyper-V manager (Action > Edit Disk > Convert > VHD)If local VM upload VHD (see PowerShell ). PowerShell will make disk fixed on upload.Migrate a VM ProcessShut down the VMCopy the VHD from source to destination storage account
Create an Azure Disk from BlobCreate new VM using Azure DiskAzure VMs – Migrating and DeployingSlide11
PowerShell - VMs
# Publish DSC
Publish-
AzureVMDscConfiguration
Publish-
AzureRmVMDscConfiguration
# Set disk
config
(e.g. Caching)
Set-AzureOSDiskSet-AzureDataDiskGeneralDesired State ConfigurationState Drift Control using Azure VM Agent, ARM templates, DSC, Chef (recipes, Knife azure plug-in) and Puppet (Puppet master, puppet enterprise agent)The Azure DSC Extension takes in DSC configuration documents and enacts them on Azure VMsCustom Script ExtensionLoggingLogs are placed in: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC[Version Number]Compile configuration into a MOF documentAzure VMs – Config and DSCConfiguration MyDscConfiguration{ node (“localhost”) { WindowsFeature IIS { Ensure = “present” # Alternatively, to ensure the role is uninstalled, set Ensure to "Absent" Name = “Web-Server” # Use the Name property from Get-WindowsFeature } File WebPage { Ensure = “Present” DestinationPath = “c:\inetpub\wwwroot\index.html” Force = $true Type = “File” Contents = ‘<html><body><h1>Hello!</h1></body></html>’ DependsOn
= "[WindowsFeature]IIS" #ensures this runs after the IIS install } Log AfterWebPageCreation { # The message below gets written to the Microsoft-Windows-Desired State Configuration/Analytic log
Message = "Finished adding the default web page" DependsOn = "[File]
WebPage
"
# This means run "
WebPage
" first.
}
}
}
Built-in Resources
Archive Resource
Environment Resource
File Resource
Group Resource
Log Resource
Package Resource
Registry Resource
Script Resource
Service Resource
User Resource
WindowsFeature
Resource
WindowsProcess
ResourceNOT Networking!!Slide12
Migration
Supported versions
2014, 2012, 2008 R2 and templates
Licensing - pay per hour or migrate own license (create own image)
Best Practice
Verify disk cache settings on data disks
Avoid using OS drives
Put data and logs on separate disks
Use SQL Server File Groups instead of Disk Striping
Consider using database page compression to reduce i/o
Consider latency between primary and replica when choosing sync modeUse availability setsDisable geo-replication on storage account for consistencyCapacity is 20,000 IOPS per Storage Account - 500 IOPS per diskSQL Always On Availability (AOA). Enable Direct Server Return on NLB!SQL VMsSlide13
General
Microsoft HPC Pack 2016 Templates
Require a PFX certificate to secure comms
between HPC Nodes. Upload to Key Vault.
Hybrid (Burst to cloud)
On premise head must be joined to an AD domain
HPC Pack installs a self signed certificate that can be uploaded to Azure
Create an ‘Azure Node’ template
Azure HPC Pack
PowerShell create cert:
New-SelfSignedCertificate -Subject "CN=HPC Pack 2016 Communication" -KeySpec KeyExchange -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -CertStoreLocation cert:\CurrentUser\My -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-setup-hybrid-hpcpack-clusterSlide14
PowerShell – Storage General
# Create New ARM Storage Account
New-
AzureRmStorageAccount
-
ResourceGroupName
myResourceGroup
-Name
mystorageaccount
-Location "West US" -SkuName "Standard_LRS" -Kind "Storage"# Get Storage AccountGet-AzureStorageAccountGet-AzureRmStorageAccount# create a context for account and key$ctx=New-AzureStorageContext storage-account-name storage-account-key# Set the default storage account (ARM)Set-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName# Set the current sub and storage (ASM)Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $strgName# Create a New ContainerNew-AzureStorageContainer –Name $name –Permission off# Get Endpoints $storageAcc.PrimaryEndpoints.Blob.ToString() # Get SAS Url$sasUrl = New-AzureStorageContainerSASToken -Name $blobContainerName -Permission rwdl -Context $ctx
-ExpiryTime (Get-Date).AddMonths(1) -FullUriGeneralAccount KindBlobStandard Performance onlyAccess Tiers – Hot or coldGeneral Purpose
PerformanceStandardPremium
SSDs - Currently only store
vhdsUp
to 64TB per VM
80,000 IOPS per VM, 50,000 IOPS per disk, 2GB per sec throughput
~5ms read/write latency (
uncached
), <1ms read latency (cached)
Used by
DS or GS
series VMs (creates premium storage automatically)
Limited sizes:
128, 512, 1023
GiB
Replication (once selected can’t change)
LRS
- Locally redundant - 3 reps, 1 data center
ZRS
- Zone-redundant - 3 reps across 2-3 data centers in 1 or 2 regions
GRS
- Geo-redundant - 6 reps in 2 regions
RA-GRS
- Read Access Geo - 6 reps in 2 regions, 2nd readable
Azure Storage ExplorerSecurityHTTPS or SMB is encrypted. Can encrypt at rest.Storage Access Keys (2) – Full accessStorage Access Policy (SAP) – Policies defined, can be revokedShared Access Signatures (SAS) - Time limited, container or resource levelURL - sv=storage version, st=start time, se=expiry, sr= resource type, sp=permissions, sip=ip range, spr=protocol, sig= auth keyRole-Based Access Control (RBAC) – admin controlsStorage Diagnostics (Minimal, Verbose, Off)Azure Storage - GeneralValid values for -SkuName are:Standard_LRS - Locally redundant storage. Standard_ZRS - Zone redundant storage.Standard_GRS - Geo redundant storage. Standard_RAGRS - Read access geo redundant storage. Premium_LRS - Premium locally redundant storage. Slide15
PowerShell – Storage General
# Get Storage Account
#set current sub and storage
acc
Set-
AzureSubscription
-
SubscriptionName
$
subName
-CurrentStorageAccountName $strgName# set the default account ARMSet-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName# Set Logging for TablesSet-AzureStorageServiceLoggingProperty -ServiceType Table -LoggingOperations Delete,Write -RetentionDays 35Set-AzureStorageServiceLoggingProperty -ServiceType Blob -LoggingOperations All -RetentionDays 35Set-AzureStorageServiceLoggingProperty -ServiceType Queue -LoggingOperations None -RetentionDays 35Set-AzureStorageServiceLoggingProperty -ServiceType File -LoggingOperations Read -RetentionDays 35# ========== Blobs =============Get-AzureStorageAccount -StorageAccountName#Add new container
New-AzureStorageContainer -Name "MyContainer" -Permission BlobNew-AzureStorageContainer -Name "MyContainer" -Permission ContainerNew-AzureStorageContainer -Name "MyContainer
" -Permission OffSAS Patterns
Value-Key Pattern
Azure Storage – General
cont
…Slide16
PowerShell - Blobs
# Get Storage Account
Get-
AzureStorageAccount
# Create a new container
New-
AzureStorageContainer
-Name $name -Permission Blob
# Copy
Start-
AzureStorageBlobCopy# Upload VHDAdd-AzureRmVHD#Download a VHDSave-AzureRmVHDX-plat CLIREM Upload to blobazure storage blob upload --file "c:\temp\demofile.txt" --container "files" --blob "uploadedfile.txt" --connection-string "DefaultEndpointsProtocol=https;AccountName=edxtrain1;AccountKey=JGpglv3oxUmu3fgDln4aXK1ohDPfhL449WIU/vqdO1Vj5iQW6JAMjKsmgj792n8jwu0cQbrEGZJBg5cY1Li2aQ==;"REM Create a Storage Access Policy and Share Access Signature$policy = New-AzureStorageContainerStoredAccessPolicy -Container files -Policy downloadPolicy -Permission rdl -Context $context $token = New-AzureStorageContainerSASToken -Name files -Policy downloadPolicy -Context $contextGeneralBlock blobs (Max 200GB each), Append Blobs (like Block, but optimised for append, e.g. logging), Page Blobs (Max 1TB, Good with high read/write, VHDs, 512 byte pages)All blobs must be in a containerPrivate (default) (Off)Blob - Blobs can be read by anyone (Public) (Blob)Container – metadata read only (Container)Unlimited files and containersOS and Data disk s can be encrypted using Azure Disk EncryptionAccount KindBlob (Standard Performance only - Access Tiers: Hot or Cold)General PurposePerformanceStandardPremium (SSDs - Currently only store vhds, Use for Exchange, SQL Server Dynamix etc.., Up to 64TB per VM, 80,000 IOPS per VM, 50,000 IOPS per disk, 2GB per sec throughput, ~5ms read/write latency (uncached), <1ms read latency (cached),Used by DS or GS series VMs (creates premium storage automatically), Limited sizes: 128, 512, 1023 GiB,Needs consideration - ReplicationLRS - Locally redundant - 3 reps, 1 data center | ZRS - Zone-redundant - 3 reps across 2-3 Datacenters in 1 or 2 regions | GRS - Geo-redundant - 6 reps in 2 regions | RA-GRS - Read Access Geo - 6 reps in 2 regions, 2nd readable
EncryptionDefault offAzCopyAzure Storage - BlobsListBlobs()Can specify a prefixYou can list blobs hierarchically, in a manner similar to traversing a file system, or in a flat listing, where all blobs matching the specified prefix are returned by the listing operation.
You can specify additional details to return with the listing, including copy properties, metadata, snapshots, and uncommitted blobs.ListBlobsSegmented()Returns a mx of 5,000 items, Can specify a prefix, continuation tokenSlide17
PowerShell - Files
# Create new file share
$s = New-
AzureStorageShare
myshare
–Context $
ctx
# Create a directory
New-
AzureStorageDirectory –Share $s –Path mydirectory# Upload a local fileSet-AzureStorageFileContent –Share $s –Source c:\temp\myfile.txt# Copy to a new directory Start-AzureStorageFileCopyConnect commands:net use [drive letter] \\hmstrainingdefaultstore.file.core.windows.net\test1 /u:hmstrainingdefaultstore [storage account access key]sudo mount -t cifs //hmstrainingdefaultstore.file.core.windows.net/test1 [mount point] -o vers=3.0, username=hmstrainingdefaultstore,password=[storage account access key], dir_mode=0777,file_mode=0777GeneralSMB 2.1 and 3.0 supported1TB max file sizeMax size of File Share = 5TB, unlimited number of filesAccess URLhttps://<storage account name>.file.core.windows.net/<share>/<directory>/<directories…>/<file>Accessible from anywhere by defaultAzure Storage - FilesSlide18
PowerShell - Files
# Create a directory
New-
AzureStorageDirectory
.Net
Get SAS
public string
GetSharedAccessSignature
(
SharedAccessTablePolicy policy, string accessPolicyIdentifier, string startPartitionKey, string startRowKey, string endPartitionKey, string endRowKey)tableKey = this.myTable.GetSharedAccessSignature(new SharedAcessTablePolicy(),myPolicy,JonesM01,null,null,null);SampleCloudStorageAccount storageAccount = CloudStorageAccount.Parse("DefaultEndpointsProtocol=https;AccountName=your_account;AccountKey=your_account_key");CloudTableClient tableClient = storageAccount.CreateCloudTableClient();CloudTable table = tableClient.GetTableReference("customers");CustomerEntity customer = new CustomerEntity("Harp", "Walter");customer.Email = "Walter@contoso.com";customer.PhoneNumber = "425-555-0101";TableOperation insertOperation = TableOperation.Insert(customer);await table.ExecuteAsync(insertOperation);TableOperation retrieveOperation = TableOperation.Retrieve<customerentity>("Harp", "Walter");TableResult result = await table.ExecuteAsync(retrieveOperation);
GeneralNoSQL key/attribute storeSchema-lessMassively scalableAzure Storage - TablesSlide19
PowerShell - Files
# Create a directory
New-
AzureStorageDirectory
X-plat CLI
General
Azure Storage - QueuesSlide20
PowerShell - Files
#
Start-
OBRecovery
–
RecoverableItem
$
myItem
–
RecoveryOption
$secureString –Credential $credGeneralBackup files from Windows to AzureCreate backup Vault in geographic regionVault credentials replace certificatesBackup Agent RequiredWABInstallerRequires Windows Identity Framework (WIF) and PowerShellAgent TypeAzure Backup AgentWindows Server and System Center Data Protection ManagerWindows Server EssentialsCan install on Server 2008 R2 SP1 +, 64 bit Win 7+, extension available for essentials 2012Azure Backup VaultSetting up WorkflowConfigure Azure Backup VaultDownload vault credentialsRun MARSAgentInstaller.exe /m /q (m=check for updates)Create a passphrase to encrypt and decrypt backupsSpecify backup scheduleSlide21
PowerShell - AAD
# Active
Get-Msoluser
New-
Msoluser
Remove-
msoluser
Restore-
msoluser
Set-
MsolUserSet-MsolUserPasswordSet-MsolUserPrincipleNameAdd-MsolGroupMemberGet-MsolGroupGet-MsolGroupMemberNew-MsolGroupRemove-MsolGroupSet-MsolGroupSet-MsolDomainAuthenticationConvert-MsolFederatedUserGeneralStill uses classic portal<xyz>.onmicrosoft.comSSO, Multi-factor, RBAC, Device RegistrationSelf-service password and group managementSubscriptionsFree – 500,000 objects, 10 apps per user SSOStandard – Free + No object limits, Application proxy apps, Groups, Self service, branding, app proxy, SLA, 99.9%Premium – Standard + No SSO App limits, Service App integration templates, Self-service app management, on-premise write back, multi-factor auth, identity manager cal, cloud app discovery, connect health, privileged id management.Multi-Factor Authentication (MFA)Mobile App, Phone call, text, email, third party oathAvailable as stand-alone or AD PremiumCan configure to skip on federated users on intranets and known subnets. Also to suspend on remembered devices for x daysHybridExtend - Add AD Server VM in Azure. New site. Global Catalog server.Synchronize – Azure AD Connect (DirSync, Azure AD Sync, FIM+AD Connector). Simplest, password sync and write-back. Multi-forest, filtering objects and attributes.Federated Trust with Azure ADAD FS to allow AzureAD to authenticate against internal AD.Azure AD Connect Health (supports ADFS, Sync and AD DS)SSO – Pre-integrated SaaS Apps (uses SAML federation)
Cloud App Discovery – Premium only! find users app usage.Federation – Passes on Authentication. No local accounts. Claims based authentication.Security Token Services (STS)Azure Active DirectorySlide22
General
Still uses classic portal
Azure Active Directory
cont
…
Convert-
MsolDomainToFederatedSlide23
App Endpoints
Federation Metadata Document
WS-Federation Sign-on Endpoint
SAML-P Sign-On endpoint
SAML-P Sign-Out endpoint
Microsoft Azure AD Graph API endpoint
OAuth 2.0 Token endpoint
OAuth 2.0 Authorization endpoint
Azure Active Directory
cont
… 2FederationPowershell Convert-MsolDomainToFederatedITR (Issuance Transform Rule)Controls how claims are issued to a trusting relying partyBy default, the ITR transforms the WindowsAccountName, UPN and ImmutableID from the claims provider so they can be used for tokens2 rules created, unless ‘-SupportMultipleDomains’, then 3.Rule 3 should be edited if subdomains neededIAR (Issuance Authorization Rule)Controls access to a trusting relying party. E.g. Office365Defaults to “Permit Access to All Users”Azure AD supports three different ways to sign in to applications: Federated Single Sign-On enables applications to redirect to Azure AD for user authentication instead of prompting for its own password. This is supported for applications that support protocols such as SAML 2.0, WS-Federation, or OpenID Connect, and is the richest mode of single sign-on.Password-based Single Sign-On enables secure application password storage and replay using a web browser extension or mobile app. This leverages the existing sign-in process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password.Existing Single Sign-On enables Azure AD to leverage any existing single sign-on that has been set up for the application, but enables these applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched there.GeneralSSO ProtocolsSAML-P3rd party vendorsWS-FederationOpenID ConnectOAuth2Graph Apihttps://graph.windows.net/{tenant_id}/{resource_id}/{resource_path}?{api_version}ADAL??Slide24
Azure Active Directory
cont
… 3Slide25
General
Modern Apps – APIs,
Mobile Apps, Web Apps, IoT, Cognitive
Web Apps, Mobile Apps, Logic Apps,
API Apps
, Functions (server-less)
.Net
, Python, node.js, PHP, Java
App Service Plan
- Defines Region, Scale count, Instance Size, SKU (Free, Shared, Basic, Standard, Premium) Max 20 servers
App Service Environment – premium service, private isolated, very high scale and security, dedicated compute pools, Max 50 serversDynamic Service Plan – for Azure Functions. Cost is a function execution time, memory size and number of executions. 128MB to 1,536MBAzure Stack – own data center App Service fabricCloud App Discovery – Premium only! find users app usage.Federation – Passes on Authentication. No local accounts. Claims based authentication.Security Token Services (STS)Azure App ServicesSlide26
Azure App Services Plans capability
Free
Shared
Host Basic Apps
Basic
More Features for Dev / Test
Standard
Go Live with Web and Mobile
Premium
Enterprise Scale and Integration
Web, mobile, or API apps10 100 Unlimited Unlimited Unlimited Disk space1 GB 1 GB 10 GB 50 GB 250 GB Logic App Actions (per day) *200 200 200 10,000 50,000 Maximum instances––Up to 3 Up to 10 Up to 50 App Service Environments (req. min 6 cores)––––SupportedSLA––99.95% 99.95% 99.95% Slots---520Auto-scale---SupportedSupported
Backups /day---250Custom domains-SupportedSupportedSupportedSupported
SSL Certs--
Unlimited SNI
Unlimited SNI + 1 IP
Unlimited SNI + 1 IP
Logic App Definitions
10
10
10
25
100Slide27
PowerShell
# Create App Service Plan
New-
AzureRmAppServicePlan
-Location "South Central US" -
ResourceGroupName
DestinationAzureResourceGroup
-Name
NewAppServicePlan
-Tier Premium# Create a BackupNew-AzureRmWebAppBackup -ResourceGroupName $resourceGroupName -Name $appName -StorageAccountUrl $sasUrl# Restore from backup$backupList = $app | Get-AzureRmWebAppBackupList$backup = $app | Get-AzureRmWebAppBackup -BackupId 10102$backup | Restore-AzureRmWebAppBackup -Overwrite# Clone an existing App (Premium Only)$srcapp = Get-AzureRmWebApp -ResourceGroupName SourceAzureResourceGroup -Name source-webapp$destapp = New-AzureRmWebApp -ResourceGroupName DestinationAzureResourceGroup -Name dest-webapp -Location "North Central US" -AppServicePlan DestinationAppServicePlan -SourceWebApp $srcapp
GeneralLock (CanNotDelete, ReadOnly)Swap SlotsSee below for which settings swapKudu – Command InterfaceExtensions (application Insights, New Relic, Php Manager, Jekyll…)Deployment (FTP, Web Deploy, OneDrive, Dropbox, Kudu (can unzip), VSO, Local Git, GitHub, Bitbucket, Azure CLI )
Azure App Services cont..Slide28
PowerShell
#
Get-
AzureRmWebApp
–Name $
sitename
New-
AzureRmWebApp
-Name $
sitename
-AppServicePlan $appServicePlan -ResourceGroupName $rgName -Location $loc -ASEName $aseName -ASEResourceGroupName $aseRgNameSet-AzureRmWebApp -Name $sitenameRestart-AzureRmWebappStop-AzureRmWebappStart-AzureRmWebappRemove-AzureRmWebApp Get-AzureRmWebAppPublishingProfile -Name $sitename -ResourceGroupName $rgName-OutputFile .\publishingprofile.txtX-plat CLI# App Service Plansazure appserviceplan list --resource-group MyRGazure appserviceplan createazure appserviceplan show azure appserviceplan
configazure appserviceplan delete# Create, delete and listazure webapp create --name ContosoWebApp --resource-group ContosoAzureResourceGroup --plan
ContosoAppServicePlan --location "South Central US"azure webapp
delete
--name
ContosoWebApp
--resource-group
ContosoAzureResourceGroup
azure
webapp
list
--resource-group
ContosoAzureResourceGroup
#
Config
, restart etc..
azure
webapp
config
set
azure
webapp
config hostnamesazure webapp config appsettingsazure webapp restartazure webapp stopazure webapp start# Get publishing profileazure webapp publishingprofile --name ContosoWebApp --resource-group MyGGAzure App Services - Web AppsSlide29
Azure App Services - Mobile Apps
Cross platform SDK
Offline data and data sync (uses SQLite)
Incl. Notification Hub (Push)
Free
(1M pushes, 500 active devices) |
Basic
(10M pushes, 200K Active Devices)|
Standard
(10M pushes, 10M Active Devices, Rich telemetry, Bulk Operations, Scheduled, Multi-tenancy)
Require namespace Register App for Push Services (App secret password and package SID)TagsClient RequestedAutomatically AddedBroadcast | Unicast/Multicast | Segmentation (Tags)TemplatesPlatform Notification System (PNS)Windows Phone (Windows Notification Service (WNS)) – Tiles, Badges, NotificationsiOS (Apple Push Notification Service (APNS))FREE 1BASICSTANDARDPrice 2Free (up to 10 services / month) £11.17 / month per unit £104.34 / month per unit API Calls 2500 K 1.5 M / unit 15 M / unit Active Devices 3500 Unlimited Unlimited ScaleN/A Up to 6 units Unlimited units Push NotificationsNotification Hubs Free Tier included, up to 1 M pushes Notification Hubs Basic Tier included, up to 10 M pushes Notification Hubs Standard Tier included, up to 10 M pushes Real time messaging & Web SocketsLimited 350 / mobile service Unlimited Offline synchronizationsLimited Included Included Scheduled jobs 4Limited 1 Job, 1 exec/hrIncluded Included SQL Database 5(required)20 MB included for 1yr,Standard rates apply after20 MB included for 1yr,Standard rates apply after20 MB included for 1yr,Standard rates apply after
CPU capacity60 minutes / day Unlimited Unlimited Outbound data transfer165 MB per day (daily Rollover)* 5GB per 30 daysIncluded 50GB per 30 daysIncluded 500GB per 30 daysSlide30
Azure App Services - Mobile Apps
cont
…
Incl. Notification Hub (Push)
Free
(1M pushes, 500 active devices) |
Basic
(10M pushes, 200K Active Devices)|
Standard
(10M pushes, 10M Active Devices, Rich telemetry, Bulk Operations, Scheduled, Multi-tenancy)
iOS, Android, WNS, Require namespace Register App for Push Services (App secret password and package SID)TagsClient RequestedAutomatically AddedBroadcast | Unicast/Multicast | Segmentation (Tags/Tag expression)Templates – Each device type can have multiple templatesPlatform Notification System (PNS)Services SupportedWindows Notification Service (WNS) or Windows Phone (MPNS) – Tiles, Badges, NotificationsiOS (Apple Push Notification Service (APNS))Google Firebase Cloud Messaging (FCM), use Google Cloud Messaging (GCM) in Notification Hub. Amazon (ADM)Baidu (Android China)Slide31
PowerShell
# Websites
Get
-
AzureWebsite
$
sitename
New
-
AzureWebsite
$sitename –Slot staging –Location “North Europe”Publish-AzureWebsiteProject $sitename –Slot staging –Package [path].zipShow-AzureWebsite –Name $sitename –Slot stagingSwitch-AzureWebsiteSlot –Name staingRemove-AzureWebsite –Name $sitename –Slot staging# Download logSave-AzureWebSiteLog –Name $sitename# View live streamGet-AzureWebSiteLog –Name $sitename -TailX-plat CLI# List command available for WebsitesCall azure site –hazure site list mysiteazure site create mysite –slot stagingazure site create --git mysite --slot stagingazure site swap stagingazure site delete mysite --slot stagingAzure site log download mysiteAzure site log tail mywebsite
GeneralSlots only available in Standard or PremiumDeploy using Portal, GitHub, VSO, FTP, OneDrive, DropBoxHosting PlansFree (1GB storage)Shared (Free + Custom Domains)Basic (instance sizes [mall, medium, large], 10GB, SSL, 3 instances)Standard (50GB, autoscaling, schedules, metrics (CPU,Instance), Traffic Manager, 5 slots, 10 instances, daily backup)Premium
(250GB, 20 Instances, 20 Slots, Backup 50 times per day, BizTalk services)64-bit only, Web sockets, SSL Certs, Custom domains (Shared too), SSL Binding to custom domains, Add End Points, available in Basic or Standard
Default domain
azurewebsites.net
-
Awverify
.
Monitoring
Endpoints (2 endpoints, 3 geographic locations, every 5 mins)
Performance monitoring
Diagnostics
Application (lasts 12 hours), Web server (W3C extended log format), Detailed error messages, failed request tracing (xml).
Can FTP download logs
Kudu –
http://mysite.
scm
.azurewebsites.net
Connection Strings
.Net
uses
connectionStrings
, not
.Net
Environment variables
Azure Websites (Classic)Slide32
PowerShell
#
X-plat CLI and batch
# List command available for Websites
Call azure site –h
cspack
[
DirectoryName
]\[
ServiceDefinition
] /role:[RoleName];[RoleBinariesDirectory] /sites:[RoleName];[VirtualPath];[PhysicalPath]/out:[OutputFileName]cspack [DirectoryName]\[ServiceDefinition] /out:[OutputFileName] /role:[RoleName];[RoleBinariesDirectory] /sites:[RoleName];[VirtualPath];[PhysicalPath] /role:[RoleName];[RoleBinariesDirectory];[RoleAssemblyName]GeneralSlots only available in Standard or Premium. Only two, staging and production.Web Roles and Worker Roles (no public endpoints)3 Deployment componentsService Definition file (.csdef)Defines service model incl. what roles.Sites, InputEndpoints, InternalEndpoints, ConfigurationSettings, Certificates, LocalResources, Imports, StartupDiagnosticsService Configuration File (.cscfg)Configuration for the cloud service and roles, incl. number of role instances.Instances, ConfigurationSettings, CertificatesCan reconfigure cloud service by altering this after deploymentNetwork configuration (Specify Reserved IP <ReservedIP name=“” />,
VLAN <VirtualNetworkSite>)Uploaded separately from .cspkgService Package (.cspkg)Contains application code and service definition file (.csdef)Generated from the .csdefCan deploy updates to 1 or all roles. Can use portal, VSCSPack.exe command line tool to create .cspkg
Azure Cloud Service (classic)Slide33
PowerShell
# New cache
New-
AzureRmRedisCache
-
ResourceGroupName
$
resourceGroupName
-Name $
cacheName -Location "North Europe" -Sku $sku -Size 13GB -ShardCount 6 .Net// connection refers to a previously configured ConnectionMultiplexerIDatabase cache = connection.GetDatabase();// NOTE:// The object returned from the GetDatabase method is a// lightweight pass-through object and does not need to be stored.// CopyConnectionMultiplexer connection = ConnectionMultiplexer.Connect("contoso5.redis.cache.windows.net,abortConnect=false,ssl=true,password=...");IDatabase cache = connection.GetDatabase();// Perform cache operations using the cache object...// Simple put of integral data types into the cachecache.StringSet("key1", "value");cache.StringSet("key2", 25);// Simple get of data types from the cachestring key1 = cache.StringGet("key1");int key2 = (int)cache.StringGet("key2");// If key1 exists, it is overwritten.cache.StringSet("key1", "value1");string value = cache.StringGet("key1");if (value == null){ // The item keyed by "key1" is not in the cache. Obtain // it from the desired data source and add it to the cache. value = GetValueFromDataSource();cache.StringSet("key1", value);}GeneralOnly Premium tier supports clustering99.9% SLA on Standard and Premium, Not Basic SKUAzure Redis CachePricing tierSizeCPU cores
Available bandwidth1 KB Key sizeStandard cache sizes Megabits per sec (Mb/s) / Megabytes per sec (MB/s)Requests per second (RPS)
C0250 MB
Shared
5 / 0.625
600
C1
1 GB
1
100 / 12.5
12200
C2
2.5 GB
2
200 / 25
24000
C3
6 GB
4
400 / 50
49000
C4
13 GB
2
500 / 62.5
61000C526 GB41000 / 125115000C653 GB82000 / 250150000Premium cache sizes CPU cores per shard Requests per second (RPS), per shardP16 GB21000 / 125140000P213 GB42000 / 250220000P326 GB42000 / 250220000P453 GB84000 / 500250000Slide34
PowerShell
# Active
G
X-plat CLI
General
Tool: Service Bus Explorer
Queues
Topics
Relay
has now moved
to a separate Azure ServiceNotification Hub has now moved to a separate Azure Services.Azure Service BusFeatureBasicStandardPremiumQueuesyyyScheduled messages
yyy
Topics
–
y
y
Transactions
–
y
y
De-duplication
–
y
y
Sessions
–
y
y
ForwardTo / SendVia
–
y
y
Message Size
256 KB
256 KB
1 MBBrokered connections included1001,00011,000 per MUBrokered connections (overage allowed)–(billable)Up to 1,000 per MUResource isolationN - SharedN - SharedySlide35
General
Add
NuGet “Microsoft Azure Service Bus”
Azure Relay
ServiceHost
sh
= new
ServiceHost
(
typeof(ProblemSolver));sh.AddServiceEndpoint( typeof (IProblemSolver), new NetTcpBinding(), "net.tcp://localhost:9358/solver");sh.AddServiceEndpoint( typeof(IProblemSolver), new NetTcpRelayBinding(), ServiceBusEnvironment.CreateServiceUri("sb", "namespace", "solver")) .Behaviors.Add(new TransportClientEndpointBehavior { TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider("RootManageSharedAccessKey", "<yourKey>")});sh.Open();Console.WriteLine("Press ENTER to close");Console.ReadLine();sh.Close();In the example, you create two endpoints that are on the same contract implementation. One is local and one is projected through Service Bus. The key differences between them are the bindings;
NetTcpBinding for the local one and NetTcpRelayBinding for the Service Bus endpoint and the addresses.Slide36
PowerShell
#Creates a job in the Batch service.
New-
AzureBatchJob
#Creates a pool in the Batch service.
New-
AzureBatchPool
#Creates a Batch task under a job.
New-
AzureBatchTask
GeneralFully managed HPC facilityREST, .NET, Python, node.js, JavaSchedulesPay for what you useApp must haveBatchAccountNameBatchAccountKeyBatchAccountUrlStorageAccontName & StorageAccountKeyAzure BatchStep 1. Create containers in Azure Blob Storage.Step 2. Upload task application files and input files to containers.Step 3. Create a Batch pool. 3a. The pool StartTask downloads the task binary files (TaskApplication) to nodes as they join the pool.Step 4. Create a Batch job.Step 5. Add tasks to the job. 5a. The tasks are scheduled to execute on nodes. 5b. Each task downloads its input data from Azure Storage, then begins execution.Step 6. Monitor tasks. 6a. As tasks are completed, they upload their output data to Azure Storage.Step 7. Download task output from Storage.Slide37
PowerShell
# Get an Azure Automation Credential
Get-
AzureAutomationCredential
–
AutomationAccountName
$
accName
New-
AzureAutomationAccount
New-AzureAutomationCredentialNew-AzureAutomationScheduleNew-AzureAutomationVariableNew-AzureAutomationCertificateNew-AzureAutomationConnectionNew-AzureAutomationModuleNew-AzureAutomationRunBookPublish-AzureAutomationRunBookRegister-AzureAutomationScheduledRunbookStart-AzureAutomationRunbookStop-AzureAutomationRunbookSuspend-AzureAutomationRunbook Register-AzureAutomationScheduledRunbook Unregister-AzureAutomationScheduledRunbook GeneralCreate a Run As accountAzure AutomationSlide38
General
Templates
Limited to XML or JSON
Use for cross-platform
Use for Personalisation
Need to Register Templates
Azure
Notification
Template Expression
Description
$(prop)Reference to an event property with the given name. Property names are not case-sensitive. This expression resolves into the property’s text value or into an empty string if the property is not present.$(prop, n)As above, but the text is explicitly clipped at n characters, for example $(title, 20) clips the contents of the title property at 20 characters..(prop, n)As above, but the text is suffixed with three dots as it is clipped. The total size of the clipped string and the suffix does not exceed n characters. .(title, 20) with an input property of “This is the title line” results in This is the title...%(prop)Similar to $(name) except that the output is URI-encoded.#(prop)Used in JSON templates (for example, for iOS and Android templates).This function works exactly the same as $(prop) previously specified, except when used in JSON templates (for example, Apple templates). In this case, if this function is not surrounded by “{‘,’}” (for example, ‘myJsonProperty’ : ‘#(name)’), and it evaluates to a number in Javascript format, for example, regexp: (0|([1-9][0-9]*))(.[0-9]+)?((e|E)(+|-)?[0-9]+)?, then the output JSON is a number.For example, ‘badge : ‘#(name)’ becomes ‘badge’ : 40 (and not ‘40‘).‘text’ or “text”A literal. Literals contain arbitrary text enclosed in single or double quotes.expr1 + expr2The concatenation operator joining two expressions into a single string.Slide39
.Net
// Environment Variables in App Settings use:
System.Environment.GetEnvironmentVariable
("
mySetting
",
EnvironmentVariableTarget.Process
)
Azure Functions
General
Languages (c#, f#, node.js, python, PHP, Batch, Bash, Exe)Uses WebJobs SDK, Supports Nuget, Supports oAuth providers2 PlansConsumption and App Service (dedicated VM. Use for continuous functions)Project FilesAppsettings.json (VS – Connection strings)Hosts.json (VS – Config behaviour of Azure Functions host)Function.json (Input and output bindings. Random GUID syntax for path = {rand-guid}Project.json (dependencies, NuGets)Run.csx (c# code)TriggersBlobTrigger - Process Azure Storage blobs when they are added to containers. You might use this function for image resizing.EventHubTrigger - Respond to events delivered to an Azure Event Hub. Particularly useful in application instrumentation, user experience or workflow processing, and Internet of Things (IoT) scenarios.Generic webhook - Process webhook HTTP requests from any service that supports webhooks.GitHub webhook - Respond to events that occur in your GitHub repositories. For an example, see Create a webhook or API function.HTTPTrigger - Trigger the execution of your code by using an HTTP request.QueueTrigger - Respond to messages as they arrive in an Azure Storage queue. For an example, see Create an Azure Function that binds to an Azure service. (default 1 min polling)ServiceBusQueueTrigger - Connect your code to other Azure services or on-premise services by listening to message queues. ServiceBusTopicTrigger - Connect your code to other Azure services or on-premise services by subscribing to topics. TimerTrigger - Execute cleanup or other batch tasks on a predefined schedule. For an example, see Create an event processing function.IntegrationsAzure DocumentDB, Azure Event Hubs ,Azure Mobile Apps (tables), Azure Notification Hubs, Azure Service Bus (queues and topics), Azure Storage (blob, queues, and tables) , GitHub (webhooks), On-premises (using Service Bus)Slide40
PowerShell
# Active
New-
AzureRmLogicApp
Creates a logic app in a resource group.
X-plat CLI
General
Triggers
HTTP request
Webhook
PollingBatches and LoopingSplitOnForEachUntilFunctions integrationUse Generic Webhook template Connectors that includes Salesforce, Office 365, Twitter, Dropbox, Google Services and moreIntegration AccountsAzure Logic AppsSlide41
PowerShell
# Active
X-plat CLI
General
Encryption Options
StorageEncrypted
CommonEncryptionProtected
EnvelopEncryptionProtected
Dynamic Packaging (Standard or Premium)
Encoders
FLV (with H.264 and AAC codec)MXFGXFMPEG2MWV / ASFMP4 / ISMV.dvr-ms.MKVWAVQuickTime (.mov)…plus many moreAzure Media ServicesSlide42
PowerShell
# Active
G
General
.exe, .
cmd
(Batch), .ps1 (PowerShell), .
py
(Python), .
php
(PHP), .js (Node.js)How to runContinuousDo NOT use with scheduleScheduled (classic portal)Triggered / On DemandUse with schedule in Settings.jobWith or without web serviceZip DeploymentSettings.job contains schedules with CRON expression. Root of Zip file {second} {minute} {hour} {day} {month} {day of the week}Every hour (0 0 * * * *), Every hour from 9AM to 5PM (0 0 9-17 * * *), at 9:30am every day (0 30 9 * * *) et 9:30am every week day (0 30 9 * * 1-5), every 15 minutes (0 */15 * * * *)Azure WebJobs.Net// Example Queue Triggerpublic static void Main(){ JobHost host = new JobHost(); host.RunAndBlock();} public static void ProcessQueueMessage([QueueTrigger("webjobsqueue")] string inputText,[Blob("containername/blobname")]TextWriter writer){ writer.WriteLine(inputText);}Slide43
PowerShell
# Active
G
X-plat CLI
General
DTU – Data Transaction Unit
Azure SQLSlide44
PowerShell
# Active
G
X-plat CLI
Migration
Min Downtime
SQL Server Transactional replication
Some Downtime
Deploy Wizard in SSMS Migration Wizard (DAC Package)
SQL Azure Migration Wizard
BACPAC contains both schema and dataDAC packages contain ONLY schemaElastic Databasehttps://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-scale-introductionElastic Database Client Library – Allow multi database management including shard managementElastic Database Job – execute T-SQL that span multiple databasesAzure SQL cont…Slide45
PowerShell
# Get and Set
Vnet
config
xml
Get-
AzureVNetConfig
-
ConfigurationPath
c:\temp\oldconfig.xmlSet-AzureVNetConfig -ConfigurationPath c:\temp\updatedconfig.xml#Create a new Vnet$frontendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "10.1.1.0/24"$backendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name backendSubnet -AddressPrefix "10.1.2.0/24"New-AzureRmVirtualNetwork -Name "hms-train-vnet-arm-1" -ResourceGroupName $rgName -Location "North Europe" -AddressPrefix "10.1.0.0/16" -Subnet $frontendSubnet, $backendSubnetGeneral50 per subscription per regionCIDR Subnet Hosts in Azure = 2n-5 (normally 2n-2), ‘/29’ is smallest subnetMultiple NICsCan't make a VM multi NIC after deployment. Need to delete and redeployD1 - 1 NIC, D2 - 2 NICs, D3 - 4 NICs, D4 - 8 NICSAccess Control Lists (ACL)For endpoints only. Inbound only!) Not preferred, use NSGs.Network Security Groups (NSG)Can’t use if ACL’s. Remove ACL’s firstName, Direction, Priority, Access (allow or NOT), Source IP, Source port, Destination IP, Destination Port, ProtocolSubnet can only 1 NSGApplied to one or more VMs or subnetSubnet can only have 1 NSG appliedEach NSG can have up to 200 rulesIs associated to a region100 NSGs per region per subscriptionDefault Tags (Internet, Virtual_network, Azure_loadbalancer)
Do NOT Block 168.63.129.16 and port 1688!!UDR (Routing Tables)VPNs (Site-to-Site, VNet2Vnet, Point-to-Site, Express-Route (private network))Express-route – Exchange providers (layer 3, 200Mbps – 10Gbps, Site2Site, BGP with client), Network Service Providers (10Mbps – 1Gbps, Any2Any, BGP with telco)Max 30 VPN tunnels per VPN Gateway and 128 connections from clientsAzure Virtual NetworksSlide46
PowerShell
# Create a PIP for the Gateway
$pip =
New-
AzureRmPublicIpAddress
-
AllocationMethod
Dynamic -
ResourceGroupName
$
rgName -Name "hms-train-gateway-1"X-plat CLIVPNsSite-to-Site, VNet2VnetMax 10 tunnels, 100 Mbps (Basic and Standard) | 30 tunnels, 200 Mbps (High Performance)Point-to-SiteMax 128 connections, Secure Socket Tunneling Protocol (SSTP)Use makecert to create a self-signed root certificate (can’t use a CA)Import .ver file with private key to AzureGenerate a client certificate for each client to installDownload package from portal and then install clientExpress-Route (private network))Express-route – Exchange providers (layer 3, 500 Mbps – 10Gbps, Site2Site, BGP with client), Network Service Providers (10 Mbps – 1Gbps, Any2Any, BGP with telco)Max 30 VPN tunnels per VPN Gateway and 128 connections from clientsGateway SKUs – Basic (BGP & ExpressRoute not supported), Standard, High PerformanceConsiderationsNo overlapping IP address rangesOnly 1 VPN gateway per VNetAzure Virtual Networks - VPNsSlide47
PowerShell
# Active
# List reserved IPs
Get-
AzureReservedIP
# Reserve a new IP address
New-
AzureReservedIP
-
ReservedIPName
AGSReservedIP -Location "North Europe"# List reserved IPsGet-AzureReservedIP#List all azure servicesGet-AzureService#allocate the ip to a serviceSet-AzureReservedIPAssociation -ReservedIPName AGSReservedIP -ServiceName FFApi-VBTestGeneralAzure Load Balancer (Layer 4 – Transport Layer), Random network levelling. Health probes (Custom for non 200ACK)Application Gateway (50 per subscription, max 10 instances each)SKUs: WAF and StandardSmall (7.5Mbps / 35Mbps), Medium (10Mbps / 100Mbps), Large (50Mbps / 200Mbps)Firewall, Round Robin LB, Cookie session affinity, SSL offload, URL based content routing, up to 20 websites consolidation, websocket support, health monitoring, advanced diagnostics.Traffic Manager (Layer 7 – DNS based LB)Weighted (Round-robin)Performance (Performance/latency)Priority (DR/Failover)Azure Virtual Networks cont…Slide48
PowerShell
# Active
# List reserved IPs
Get-
AzureReservedIP
# Reserve a new IP address
New-
AzureReservedIP
-
ReservedIPName
AGSReservedIP -Location "North Europe"# List reserved IPsGet-AzureReservedIP#List all azure servicesGet-AzureService#allocate the ip to a serviceSet-AzureReservedIPAssociation -ReservedIPName AGSReservedIP -ServiceName FFApi-VBTestAdvancedPeering – Connects 2 VNets in the same region through the Azure backboneCan use between subscriptions if both associated with same AD tenantPeering between ARM and ASM VNets can be done if both in same subscriptionRequirementsSame regionNon-overlapping IP address spacesAzure Virtual Networks cont…Slide49
PowerShell
# List all
Get-Module –
ListAvailable
# Install the Azure Resource Manager modules from the PowerShell Gallery
Install-Module
AzureRM
# Install the Azure Service Management modules from the PowerShell Gallery
Install-Module Azure
# Get a list of cmdlets in the Azure module
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis# Get a list of cmdlets in the Resource Manager moduleGet-Command -Module AzureRM | Get-Help | Format-Table Name, Synopsis# Login (Classic)Add-AzureAccount# Login (ARM) alias is ‘Login-AzureRmAccount’Add-AzureRmAccount# Get a list of subscriptionsGet-AzureSubscriptionGet-AzureRmSubscription# Get Context (ARM)Get-AzureRmContext# Set the subscription for the session (ARM)Select-AzureRmSubscription# select default storage contextSet-AzureRmCurrentStorageAccount -ResourceGroupName $rgname -StorageAccountName $strgname# Remote PowerShell – Install certificate.\InstallwinRMCertAzureVM.ps1 –SubscriptionName $s –ServiceName $svc –Name $vm# Retrieve the URI of the VM$uri = Get-AzureRmUri –ServiceName $svc –Name $vm# Execute a script remotely$cred = Get-Credential
Invoke-Command –ConnectionUri $uri –FilePath ‘.\deployad.ps1’ –Credentials $credX-plat CLIREM Set mode to ARMAzure config mode arm
REM Set mode to Service Management ModeAzure config mode
asm
REM Login
Azure login
REM List subscriptions
Azure account list
REM Set Current Subscription
Azure account set "{name of subscription}"
REM Create Resource Group
Azure group create -n "{name}" -l "{location}"
PowerShell & x-plat CLI - General
Use
npm
to install on Linus
Docker container available for version 2.0Slide50
PowerShell - Files
# Active
G
X-plat CLI
General
Azure Data Lake Store -
A data repository that enables you to store any type of data in its raw format without defining schema. The store offers unlimited storage with immediate read/write access to it and scaling the throughput you need for your workloads. The store is Hadoop Data File System (
HDFS
) compatible so you can use your existing tools.
Azure Data Lake Analytics -
An analytics service that allows you to run analysis jobs on data. Analytics using Apache YARN to manage its resources for the processing engine. By using the U-SQL query language you can process data from several data sources such as Azure Data Lake Store, Azure Blob Storage, Azure SQL Database but also from other data stores built on HDFS.Azure Data Lake HDInsight - An analytics service that enables you to analyze data sets on a managed cluster running open-source technologies such as Hadoop, Spark, Storm & HBase.Azure Data LakeSlide51
PowerShell - Files
# Active
G
X-plat CLI
General
99.9% enterprise scale SLA
Hadoop:
Petabyte scale processing with Hadoop components like
Hive
(SQL on Hadoop)
HiveQL, Apache Pig is a platform for creating programs for Hadoop by using a procedural language known as Pig LatinSqoop - tool designed to transfer data between Hadoop clusters and relational databases. You can use it to import data from a relational database management system (RDBMS) such as SQL ServerHCatalog is a table and storage management layer for Hadoop that enables users with different data processing tools — Pig, MapReduce — to more easily read and write data on the gridHBase: Fast and scalable NoSQL OfferingStorm: Allows the processing of infinite streams of data in real-time.Spark: Fast data analytics and cluster using in-memory processing. Interactive Hive (preview): Enterprise Data Warehouse with in-memory analytics using Hive(SQL on Hadoop) and Long Live and Process (LLAP)R Server: Terabyte scale, provides enterprise grade R analytics used for machine learning models.Kafka (preview): High throughput, low latency, real-time streaming platform, typically used in streaming and IoT scenariosMahout - One of the Microsoft HDInsight key components is Mahout, a scalable machine learning library that provides a number of algorithms relying on the Hadoop platformOozie - Apache Oozie is a workflow/coordination system that manages Hadoop jobs.HDInsightSlide52
PowerShell - Files
# Active
G
General
API Gateway (99.9% SLA, 99.95% SLA for Premium across two or more regions)
Features - access control, rate limiting, monitoring, event logging, and response caching
Groups – Administrators, Developers, Guests
Policy Types (Access restriction, Advanced, Authentication, Caching, Cross domain, Transformation)
API
Management
DeveloperStandardPremiumPrice£0.9652/day£13.78/day per unit£56.14/day per unitAPI Calls (per unit)32 K / day ( ~1 M / month ) 7 M / day ( ~217 M / month ) 32 M / day ( ~1 B / month ) Data Transfer (per unit)161 MB / day( ~5 GB / month ) 32 GB / day( ~1 TB / month ) 161 GB / day( ~5 TB / month ) Cache10 MB 1 GB 5 GB Scale-outNone 4 units Contact us for more Unlimited SLANo 99.9% 99.95% Multi-Region DeploymentNo No Yes Azure Active Directory IntegrationUnlimited User Accounts No Unlimited User Accounts VPNYes
No Yes Slide53
Policy reference index
Access restriction policies
Check HTTP header Limit call rate by subscription
Limit call rate by key
Restrict caller IPs
Set usage quota by subscription
Set usage quota by key
Validate JWT
Advanced policiesControl flow Forward request Log to Event Hub - Sends messages in the specified format to a message target defined by a Logger entity.Retry Return response Send one way request Send request Set request method Set status Set variable Trace Wait Authentication policiesAuthenticate with Basic Authenticate with client certificate Caching policies Get from cache Store to cache Get value from cache Store value in cache Remove value from cache Cross domain policies Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.CORS - Adds cross-origin resource sharing (CORS) JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.Transformation policies Convert JSON to XML Convert XML to JSON Find and replace string in body Mask URLs in content - Re-writes (masks) links in the response body so that they point to the equivalent link via the gateway.Set backend service Set body Set HTTP header Set query string parameter Rewrite URL - Converts a request URL from its public form to the form expected by the web service.API Management – cont…Slide54
Notifications Hub
Autoscale
Social Integration
Offline Data Sync
SQLLite
IMobileServicesSyncTable
(
.net
),
MSSyncTable
(IOS), mClient.getSyncTable() (android)PushAsync, PullAsync, updateAt (Incremental Sync), IMobileServicesSyncTable.PurgeAsync (clear local store)Free Try for freeShared Host basic appsBasic More features for Dev/TestStandard Go live with web and mobilePremium Enterprise scale and integrationWeb, mobile or API apps10 100 Unlimited Unlimited Unlimited Disk space1 GB 1 GB 10 GB 50 GB 250 GB Logic App Actions (per day) *200 200 200 10,000 50,000 Maximum instances––Up to 3 Up to 10 Up to 50 App Service Environments (require min. 6 cores)––––SupportedSLA––99.95% 99.95% 99.95%
Service PlanCoresRAMDISKF1Shared1GB1GBD1shared0.5GB1GBB1,2,41.75, 3.5,7GB
10GBS1,2,4
1.75,
3.5,7GB
50GB
P
1,2,4,8
1.75,
3.5,7, 14GB
250GB
Mobile AppsSlide55
Azure Container Service
Standard infrastructure for Docker cluster
Scale and orchestrate using DC/OS, Docker Swarm, or Kubernetes
Saves about 6,000 lines of
config
code
Has no registry or other customisationSlide56
Azure Service Fabric
Provides fast deployment, Placement and activation, high density, reliability, scaling, health reporting, coordinated upgrades, service endpoint discovery
Programming models
Guest executable (as-is code) plus ServiceManifest.xml
Reliable Services Model
VS development using Fabric
sdk
. Package and deploy and debug etc..
Dynamic resource balancing based on actual usage.
.Net
or JavaScript?Stateful Programming modelReliable collectionsReliable QueuesReliable …Application ManifestCluster port: 19080Slide57
Azure Key Vault
Tiers –
Standard
|
Premium
(incl. Hardware Security Module (
HSM
) backed keys)
Secrets
Any sequence of bytes under 10KB. E.g. Passwords and connection strings that can be encrypted, PFX file.
AES key used to encrypt dataLow latencyKeysA cryptography key. RSA 2048. Can’t be read back, but can ask the service to decrypt using the key or sign using a key.Use when security requirement is greater than performance.Advanced Access PoliciesEnable access to Azure VMs for deploymentEnable access to Azure Resource Manager for template deploymentEnable access to Azure Disk Encryption for volume encryptionAccess PoliciesKey & Secret ManagementKey ManagementSecret ManagementSQL Server ConnectorAdmins & Consumers MUST have an Azure AD account incl. applications.Url: https://{vaultname}.vault.azure.net/secrets/{secret name}/{version [optional]}PowerShell - Files# Create key vaultNew-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location -Sku Standard -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption#Set Permissions to key vault for serviceSet-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -ServicePrincipalName $spn -PermissionsToKeys all -PermissionsToSecrets all -PermissionsToCertificates all#Gets key vaults.Get-AzureRmKeyVault#Adds a certificate to a key vault.Add-AzureKeyVaultCertificate# Creates a key in a key vault or imports a key into a key vault.Add-AzureKeyVaultKey#Gets the secrets in a key vault.Get-AzureKeyVaultSecret
#Creates or updates a secret in a key vault.Set-AzureKeyVaultSecret#Updates attributes of a secret in a key vault.Set-AzureKeyVaultSecretAttribute#Deletes a secret in a key vault.Remove-AzureKeyVaultSecret Slide58
Azure Key Vault
cont
…
Workflow with AAD
CSO creates Vault adds keys and authorizes AAD users
CSO uploads a ‘Service Certificate’ (
pfx
incl. private key) to Azure
Operator then creates App Instances (VMs)
Azure injects the Service Certificate into each VM
Now the App (which has used the same certificate as it’s Auth in AAD) can retrieve and authorize against AADAAD returns the TokenApp can now access the Key VaultXplat-CLI - Files# Create key vaultNApp Config Needed when NOT using certificate (app or web.config or app settings)VaultUrlAAD AuthClientIdAAD AuthClientSecret (Shared Key)Slide59
Stuff to do
Azure Backup
Azure AutomationAzure BatchService BusHPC and HPC PackBizTalk Hybrid Connection
StorSimple
Azure Key Vault
Azure Media Services
Microsoft Enterprise Library
Autoscaling
Application Block (
WASABi
)Hyper-V (MVMM)Check out neo4jAzure RMSEvent HubsRelayHyper-V Replica