Azure Architecture Certification Revision Sheets

Uploaded On 2018-12-30

Presentation Transcript

Slide1

Azure Architecture Certification Revision Sheets

Nicholas Rogoff

Twitter: @nrogoff

https://blog.nicholasrogoff.com

IMPORTANT NOTE:

Microsoft Azure is constantly evolving and so do the topics tested in the exams. The slides here were pretty accurate’ish as at January 2017, but check them for yourself!!

Disclaimer: I can not guarantee that the info here is correct, so don’t come back to me if you fail the exams. These are MY notes and not in any way authoritative or complete, but hopefully helpful.

Slide2

Azure Certification paths and Exams

MCSD: Azure Solution Architect

Require All Exams

70-532, 70-533, 70-534

Retiring on March 31st 2017.

MCSA: Cloud Platform

Require 2 exams of:

70-532, 70-533, 70-534, 70-473, 70-475

MCSE: Cloud Platform and Infrastructure

Require: ‘MCSA: Cloud Platform’, plus 1 exam of:

70-532, 70-533, 70-534, 70-473, 70-475, 70-744, 70-413, 70-414, 70-246, 70-247 (not already taken for MCSA)

*Red indicates the exams that these notes are focused on

Slide3

Exam 70-532: Developing Microsoft Azure Solutions

New Exam Objectives

Here’s the full list of exam objectives for this November 22, 2016 exam update:

Create and manage Azure Resource Manager virtual machines (30 – 35%)

Deploy workloads on Azure Resource Manager (ARM) virtual machines (VMs)

– Identify workloads that can and cannot be deployed; run workloads including Microsoft and Linux; create VMs

Perform configuration management

– Automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent (custom script extensions); configure VMs using a configuration management tool such as Puppet or Chef; enable remote debugging

Configure ARM VM networking

– Configure static IP addresses, Network Security Groups (NSGs), DNS, User Defined Routes (UDRs), external and internal load balancing with HTTP and TCP health probes, public IPs, firewall rules, and direct server return; design and implement Application Gateway

Scale ARM VMs

– Scale up and scale down VM sizes; deploy ARM VM Scale Sets (VMSS); configure ARM VMSS auto-scale

Design and Implement ARM VM storage

– Configure disk caching; plan for storage capacity; configure shared storage using Azure File service; configure geo-replication; implement ARM VMs with Standard and Premium Storage

Monitor ARM VMs

– Configure ARM VM monitoring; configure alerts; configure diagnostic and monitoring storage location

Manage ARM VM availability

– Configure multiple ARM VMs in an availability set for redundancy; configure each application tier into separate availability sets; combine the Load Balancer with availability sets

Design and Implement a storage and data strategy (25 – 30%)

Implement Azure Storage blobs and Azure Files

– Read data; change data; set metadata on a container; store data using block and page blobs; stream data using blobs; access blobs securely; implement async blob copy; configure Content Delivery Network (CDN); design blob hierarchies; configure custom domains; scale blob storage

Implement Azure storage tables and queues

– Implement CRUD with and without transactions; design and manage partitions; query using OData; scale tables and partitions; add and process queue messages; retrieve a batch of messages; scale queues

Manage access and monitor storage

– Generate shared access signatures, including client renewal and data validation; create stored access policies; regenerate storage account keys; configure and use Cross-Origin Resource Sharing (CORS); set retention policies and logging levels; analyze logs

Implement Azure SQL Databases

– Choose the appropriate database tier and performance level; configure and perform point in time recovery; enable geo-replication; import and export data and schema; scale Azure SQL databases

Implement Azure DocumentDB

– Create databases and collections; query documents; run DocumentDB queries

Implement Redis caching

– Choose a cache tier; implement data persistence; implement security and network isolation; tune cluster performance

Implement Azure Search

– Create a service index; add data; search an index; handle search results

Manage identity, application, and network services (15 – 20%)

Integrate an app with Azure Active Directory (AAD)

– Develop apps that use WS-federation, OAuth, and SAML-P endpoints; query the directory by using graph API

Design and Implement a communication strategy

– Implement Hybrid Connections to access data sources on-premises; leverage S2S VPN and ExpressRoute to connect to an on-premises infrastructure

Design and Implement a messaging strategy

– Develop and scale messaging solutions using service bus queues, topics, relays, event hubs, and notification hubs; monitor service bus queues, topics, relays, event hubs and notification hubs

Develop apps that use AAD B2C and AAD B2B

– Design and implement .NET MVC, Web API, and Windows Desktop apps that leverage social identity provider authentication, including Microsoft account, Facebook, Google+, Amazon, and LinkedIn; leverage AAD B2B to design and implement applications that support partner-managed identities

Design and Implement Azure PaaS Compute and Web and Mobile Services (25 – 30%)

Design Azure App Service Web Apps

– Define and manage App Service plans; configure Web Apps settings, certificates, and custom domains; manage Web Apps by using the API, Azure PowerShell, and Xplat-CLI; implement diagnostics, monitoring, and analytics; implement web jobs; design and configure Web Apps for scale and resilience

Implement Azure Functions

– Create Azure Functions; implement a webhook Function; create an event processing Function; implement an Azure-connected Function

Implement API Management

– Create managed APIs; configure API Management policies; protect APIs with rate limits; add caching to improve performance; monitor APIs; customize the Developer Portal

Design Azure App Service API Apps

– Create and deploy API Apps; automate API discovery by using Swashbuckle; use Swagger API metadata to generate client code for an API app; monitor API Apps

Develop Azure App Service Logic Apps

– Create a Logic App connecting SaaS services; create a Logic App with B2B capabilities; create a Logic App with XML capabilities; trigger a Logic App from another app; create custom and long-running actions; monitor Logic Apps

Develop Azure App Service Mobile Apps

– Create a Mobile App; add offline sync to a Mobile App; add authentication to a Mobile App; add push notifications to a Mobile App

Design and Implement Azure Service Fabric apps

– Create a Service Fabric application; build an Actors-based service; add a web front-end to a Service Fabric application; monitor and diagnose services; migrate apps from cloud services; create, secure, upgrade, and scale Service Fabric Cluster in Azure; scale a Service Fabric app

It’s worth noting that the percentages (%) displayed in the titles of the main exam objectives are the percentages of the exam questions that will be on that topic area.

Slide4

Exam 70-533: Implementing Microsoft Azure Infrastructure Solutions

New Exam Objectives

Here’s the full list of exam objectives for this November 16, 2016 exam update:

Design and implement Azure App Service apps (15–20%)

Deploy Web Apps

Define deployment slots; roll back deployments; implement pre- and post- deployment actions; create, configure, and deploy packages; create App Service plans; migrate Web Apps between App Service plans; create a Web App within an App Service plan

Configure Web Apps

Define and use app settings, connection strings, handlers, and virtual directories; configure certificates and custom domains; configure SSL bindings and runtime configurations; manage Web Apps by using Azure PowerShell and Xplat-CLI

Configure diagnostics, monitoring, and analytics

Retrieve diagnostics data; view streaming logs; configure endpoint monitoring, alerts, and diagnostics; use remote debugging; monitor website resources

Configure Web Apps for scale and resilience

Configure auto-scale using built-in and custom schedules, configure by metric, change the size of an instance, configure Traffic Manager

Create and manage Azure Resource Manager Virtual Machines (20–25%)

Deploy workloads on Azure Resource Manager (ARM) virtual machines (VMs)

Identify workloads that can and cannot be deployed; run workloads, including Microsoft and Linux; create VMs; connect to a Windows/Linux VM

Perform configuration management

Automate configuration management by using PowerShell Desired State Configuration (DSC) and VM Agent (custom script extensions); configure VMs using a configuration management tool, such as Puppet or Chef; enable remote debugging

Design and implement VM storage

Configure disk caching, plan storage capacity, configure operating system disk redundancy, configure shared storage using Azure File service, configure geo-replication, encrypt disks, implement ARM VMs with Standard and Premium Storage

Monitor ARM VMs

Configure ARM VM monitoring, configure alerts, configure diagnostic and monitoring storage location

Monitor ARM VM availability

Configure multiple ARM VMs in an availability set for redundancy, configure each application tier into separate availability sets, combine the Load Balancer with availability sets

Scale ARM VMs

Scale up and scale down VM sizes, deploy ARM VM Scale Sets (VMSS), configure ARM VMSS auto-scale

Design and implement a storage strategy (20–25%)

Implement Azure storage blobs and Azure files

Read data, change data, set metadata on a container, store data using block and page blobs, stream data using blobs, access blobs securely, implement async blob copy, configure a Content Delivery Network (CDN), design blob hierarchies, configure custom domains, scale blob storage

Manage access

Create and manage shared access signatures, use stored access policies, regenerate keys

Configure diagnostics, monitoring, and analytics

Set retention policies and logging levels, analyze logs

Implement Azure SQL Databases

Choose the appropriate database tier and performance level; configure point-in-time recovery, geo-replication, and data sync; import and export data and schema; design a scaling strategy

Implement recovery services

Create a backup vault, deploy a backup agent, back up and restore data

Implement an Azure Active Directory (15–20%)

Integrate an Azure Active Directory (Azure AD) with existing directories

Implement Azure AD Connect and single sign-on with on-premises Windows Server 2012 R2, add custom domains, monitor Azure AD

Configure Application Access

Configure single sign-on with SaaS applications using federation and password based, add users and groups to applications, revoke access to SaaS applications, configure access, configure federation with Facebook and Google ID

Integrate an app with Azure AD

Implement Azure AD integration in web and desktop applications, leverage Graph API

Implement Azure AD B2C and Azure B2B

Create an Azure AD B2C Directory, register an application, implement social identity provider authentication, enable multi-factor authentication, set up self-service password reset, implement B2B collaboration, configure partner users, integrate with applications

Implement virtual networks (10–15%)

Configure virtual networks

Deploy a VM into a virtual network; configure external and internal load balancing; implement Application Gateway; design subnets; configure static, public, and private IP addresses; set up Network Security Groups (NSGs), DNS at the virtual network level, HTTP and TCP health probes, public IPs, User Defined Routes (UDRs), firewall rules, and direct server return

Modify network configuration

Modify a subnet, import and export a network configuration

Design and implement a multi-site or hybrid network

Choose the appropriate solution between ExpressRoute, site-to-site, and point-to-site; choose the appropriate gateway; identify supported devices and software VPN solutions; identify networking prerequisites; configure virtual networks and multi-site virtual networks

Design and deploy ARM templates (10–15%)

Implement ARM templates

Author ARM templates; create ARM templates to deploy ARM Resource Providers resources; deploy templates with PowerShell, CLI, and REST API

Implement ARM templates

Leverage service principals with ARM authentication, use Azure Active Directory Authentication with ARM, set management policies, lock resources

Implement ARM templates

Secure resource scopes, such as the ability to create VMs and Azure Web Apps; implement Azure role-based access control (RBAC) standard roles; design Azure RBAC custom

Slide5

Exam 70-532: Developing Microsoft Azure Solutions

New Exam Objectives

Here’s the full list of exam objectives for this November 16, 2016 exam update:

Secure resources (20–25%)

Secure resources by using managed identities

Describe the differences between Active Directory on-premises and Azure Active Directory (Azure AD), programmatically access Azure AD using Graph API, secure access to resources from Azure AD applications using OAuth and OpenID Connect

Secure resources by using hybrid identities

Use SAML claims to authenticate to on-premises resources, describe AD Connect synchronization, implement federated identities using Active Directory Federation Services (ADFS)

Secure resources by using identity providers

Provide access to resources using identity providers, such as Microsoft account, Facebook, Google, and Yahoo!; manage identity and access by using Azure AD B2C; implement Azure AD B2B

Identify an appropriate data security solution

Identify security requirements for data in transit and data at rest; identify security requirements using Azure services, including Azure Storage Encryption, Azure Disk Encryption, and Azure SQL Database TDE

Design a role-based access control (RBAC) strategy

Secure resource scopes, such as the ability to create VMs and Azure Web Apps; implement Azure RBAC standard roles; design Azure RBAC custom roles

Manage security risks by using an appropriate security solution

Identify, assess, and mitigate security risks by using Azure Security Center, Operations Management Suite, and other services

Design an application storage and data access strategy (5–10%)

Design data storage

Design storage options for data, including Table Storage, SQL Database, DocumentDB, Blob Storage, MongoDB, and MySQL; design security options for SQL Database or Azure Storage

Select the appropriate storage option

Select the appropriate storage for performance, identify storage options for cloud services and hybrid scenarios with compute on-premises and storage on Azure

Design advanced applications (20–25%)

Create compute-intensive applications

Design high-performance computing (HPC) and other compute-intensive applications using Azure Services

Create long-running applications

Implement Azure Batch for scalable processing, design stateless components to accommodate scale, use Azure Scheduler

Integrate Azure services in a solution

Design Azure architecture using Azure services, such as Azure AD, Azure App Service, API Management, Azure Cache, Azure Search, Service Bus, Event Hubs, Stream Analytics, and IoT Hub; identify the appropriate use of Azure Machine Learning, big data, Azure Media Services, and Azure Search services

Implement messaging applications

Use a queue-centric pattern for development; select appropriate technology, such as Azure Storage Queues, Azure Service Bus queues, topics, subscriptions, and Azure Event Hubs

Implement applications for background processing

Implement Azure Batch for compute-intensive tasks, use Azure WebJobs to implement background tasks, use Azure Functions to implement event-driven actions, leverage Azure Scheduler to run processes at preset/recurring timeslots

Design connectivity for hybrid applications

Connect to on-premises data from Azure applications using Service Bus Relay, Hybrid Connections, or the Azure Web App virtual private network (VPN) capability; identify constraints for connectivity with VPN; identify options for joining VMs to domains or cloud services

Design Azure Web and Mobile Apps (5–10%)

Design Web Applications

Design Azure App Service Web Apps, design custom web API, offload long-running applications using WebJobs, secure Web API using Azure AD, design Web Apps for scalability and performance, deploy Azure Web Apps to multiple regions for high availability, deploy Web Apps, create App Service plans, design Web Apps for business continuity, configure data replication patterns, update Azure Web Apps with minimal downtime, back up and restore data, design for disaster recovery

Design Mobile Applications

Design Azure Mobile Services; consume Mobile Apps from cross-platform clients; integrate offline sync capabilities into an application; extend Mobile Apps using custom code; implement Mobile Apps using Microsoft .NET or Node.js; secure Mobile Apps using Azure AD; implement push notification services in Mobile Apps; send push notifications to all subscribers, specific subscribers, or a segment of subscribers

Design a management, monitoring, and business continuity strategy (20–25%)

Design a monitoring strategy

Identify the Microsoft products and services for monitoring Azure solutions; leverage the capabilities of Azure Operations Management Suite and Azure Application Insights for monitoring Azure solutions; leverage built-in Azure capabilities; identify third-party monitoring tools, including open source; describe Azure architecture constructs, such as availability sets and update domains, and how they impact a patching strategy; analyze logs by using the Azure Operations Management Suite

Describe Azure business continuity/disaster recovery (BC/DR) capabilities

Leverage the architectural capabilities of BC/DR, describe Hyper-V Replica and Azure Site Recovery (ASR), describe use cases for Hyper-V Replica and ASR

Design a disaster recovery strategy

Design and deploy Azure Backup and other Microsoft backup solutions for Azure, leverage use cases when StorSimple and System Center Data Protection Manager would be appropriate, design and deploy Azure Site recovery

Design Azure Automation and PowerShell workflows

Create a PowerShell script specific to Azure, automate tasks by using the Azure Operations Management Suite

Describe the use cases for Azure Automation configuration

Evaluate when to use Azure Automation, Chef, Puppet, PowerShell, or Desired State Configuration (DSC)

Architect an Azure Compute infrastructure (10–15%)

Design ARM Virtual Machines (VMs)

Design VM deployments leveraging availability sets, fault domains, and update domains in Azure; select appropriate VM SKUs

Design ARM template deployment

Author ARM templates; deploy ARM templates via the portal, PowerShell, and CL

Design for availability

Implement regional availability and high availability for Azure deployments

Slide6

PowerShell

# Get Azure PowerShell version
Get-Module -ListAvailable -Name Azure -Refresh
# Get Storage Account
Get-AzureStorageAccount
Get-AzureRmStorageAccount
# create a context for account and key
$ctx = New-AzureStorageContext storage-account-name storage-account-key
# Set the default storage account (ARM)
Set-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName
# Set the current sub and storage (ASM)
Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $strgName
# Create a New Container
New-AzureStorageContainer -Name $name -Permission off
# Get Endpoints
$storageAcc.PrimaryEndpoints.Blob.ToString()
# get current context (ARM)
Get-AzureRmContext
# list available subscription (ARM)
Get-AzureRmSubscription
# Set context subscription (ARM)
Select-AzureRmSubscription -SubscriptionName "NR MSDN"
# Set Context storage account
Set-AzureRmCurrentStorageAccount -ResourceGroupName "vm-training" -Name "hmsvmtraindsc"

General

Portals

Classic – Service Management Model (ASM)

New – Azure Resource Management (ARM)

Resource Groups can span regions

Use Pricing Calculator to estimate costs

Billing APIs

RateCard API - Allows you to get a list of available Azure resources along with estimated pricing information for various subscription types, such as pay-as-you-go, MSDN, BizSpark etc.

Resource Usage API - consumption

Azure - General

Slide7

Azure Patterns

Cache-aside

Load data on demand into a cache from a data store

Circuit Breaker

Handle faults that may take a variable amount of time to rectify when connecting to a remote service or resource. This pattern can improve the stability and resiliency of an application

Competing Consumers Pattern

Enable multiple concurrent consumers to process messages received on the same messaging channel. Enables a system to process multiple messages concurrently to optimize throughput, to improve scalability and availability, and to balance the workload

Command and Query Responsibility Segregation (CQRS)

Segregate operations that read data from operations that update data by using separate interfaces. This pattern can maximize performance, scalability, and security;

Event Sourcing Pattern

Use an append-only store to record the full series of events that describe actions taken on data in a domain, rather than storing just the current state, so that the store can be used to materialize the domain objects.

Compute Resource Consolidation Pattern

Valet Key Pattern

External Configuration Store Pattern

Federated Identity Pattern

Gatekeeper Pattern

Index Table Pattern

Leader election Pattern

Materialized view pattern

Priority queue Pattern

Queue-based load levelling Pattern

Static Content Hosting Pattern

Slide8

PowerShell - VMs

# Deploy using a Template
New-AzureRmResourceGroupDeployment -Name $name -ResourceGroupName $resourceGroupName -TemplateUri $templateUri
# Modify caching on disks
Set-AzureRmVMOSDisk
Set-AzureRmVMDataDisk
New-AzureAclConfig
Set-AzureAclConfig
Set-AzureVMSize
# e.g.
Get-AzureVM -ServiceName "MyVM" | Set-AzureVMSize "Large" | Update-AzureVM

General

Resource Groups can span regions

2 Endpoints by default (1 external, 1 internal)

Ports (3389 – Remote Desktop, 5986 – Remote PowerShell)

Availability Sets

Max update domains: 20 (5 default), Max Fault Domains: 3 (2 default)

Max VMs = 50

Affinity Groups (Keep resources together. Being phased out of Vnets)

Scale Sets (no need to pre-provision, need to use Azure Resource Explorer to no. deployed)

Load Balance Sets – Classic VMs only and Standard and above

VM Agent – installed by default when using gallery images. Extensions: DSC, Custom Script Extension, Visual Studio Release Manager (DSC based), Octopus Deploy (DSC based), Docker Extension, Puppet Enterprise, Chef client

Azure VMs not recommended for: Low volume limited growth or Regulated environments.

Disks

OS Images – Base OS images for new VMs. Sys-prepped/Generalized/ReadOnly. SATA

Host caching on by default

C:\ = OS (max 127GB)

Disks – Writable for VMs. SCSI. 1TB Max

Caching off by default

D:\ (/dev/sdb on linux) = temp (not persistent), E,F,G…=Data disk

Diagnostics

Metrics (Basic, Network, .NET, ASP.NET, SQL)

Logs (System, Security, Application, Infrastructure, IIS, Boot)

Azure VMs - General

Slide9

General

A-Series (and Av2)

Entry Level - Basic A0 to Standard A4 (A0 is oversubscribed on physical)

High Memory Entry Level - Standard A5 to A7

High Performance - Standard A8 to A11 (compute intensive). A8 & A9 have 2nd NIC for remote direct memory access (RDMA) connectivity

D-Series

General purpose production - Standard D1 to D14

Higher compute power, higher mem to core ratio, SSD for temp disk

Dv2 – 35% faster, same mem & disk conf. 2.4GHz Xeon

F-Series (and Fs)

Standard F1, F2, F4, F8, F16, F1s, F2s, F4s, F8s, F16s

Same CPU as Dv2, but lower mem to core ratio and per-hour list price.

No, matches CPU cores. Fs-Series Optimized for Premium storage

G-Series

High memory and dense local storage - G1 to G5

DS-Series

General purpose production - Standard DS1 to DS14 – premium storage ssd

GS-Series

High memory and dense local storage - GS1 to GS5 – premium storage ssd

N*-Series

GPU by NVIDIA

H-Series

Standard H8, H16, H8m, H16m, H8r, H16mr

Next gen high performance. For HPC clusters. r, mr feature 2nd NIC for remote direct memory access (RDMA) connectivity

Azure VMs – Sizes…

Virtual Machine Size | CPU Cores | Memory | Disk Space for Local Storage Resources | Max data disks | Max data disk throughput: IOPS | Max NICs / Network bandwidth
ExtraSmall (A0) | Shared | 768 MB | 20 GB | 1 | 1x500 | 1 / low
Small (A1) | 1 | 1.75 GB | 225 GB | 2 | 2x500 | 1 / moderate
Medium (A2) | 2 | 3.5 GB | 490 GB | 4 | 4x500 | 1 / moderate
Large (A3) | 4 | 7 GB | 1000 GB | 8 | 8x500 | 2 / high
ExtraLarge (A4) | 8 | 14 GB | 2040 GB | 16 | 16x500 | 4 / high
A5 (high mem) | 2 | 14 GB | | | |
A6 (high mem) | 4 | 28 GB | | | |
A7 (high mem) | 8 | 56 GB | | | |
A8 (high network) | 8 | 56 GB | | | | 40 Gbit/s InfiniBand
A9 (high network) | 16 | 112 GB | | | | 40 Gbit/s InfiniBand

Standard A0 - A4 using CLI and PowerShell

Slide10

PowerShell - VMs

# Convert VHDX to VHD
Convert-VHD -Path c:\test\MY-VM.vhdx -DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed
# Upload VHD to Azure
$urlOfUploadedImageVhd = "https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd"
Add-AzureRmVhd -ResourceGroupName $rgName -Destination $urlOfUploadedImageVhd -LocalFilePath "C:\Users\Public\Documents\Virtual hard disks\myVHD.vhd"
# Set NIC ACL?????
# Create a classic VM: build the config, add the Windows provisioning settings, then deploy
$webvm1 = New-AzureVMConfig -Name "Webvm1" -InstanceSize Small -ImageName $vmimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPassword
New-AzureVM -ServiceName $svcname -VMs $webvm1 -Location $location

If Hyper-V then Prepare (complex)

SysPrep to Generalize a VM

%windir%\system32\sysprep | OOBE & Generalize & Shutdown

If VHDX then convert to VHD (see PowerShell) or use Hyper-V manager (Action > Edit Disk > Convert > VHD)

If local VM upload VHD (see PowerShell). PowerShell will make disk fixed on upload.

Migrate a VM Process

Shut down the VM

Copy the VHD from source to destination storage account

Create an Azure Disk from Blob

Create new VM using Azure Disk

Azure VMs – Migrating and Deploying

Slide11

PowerShell - VMs

# Publish DSC
Publish-AzureVMDscConfiguration
Publish-AzureRmVMDscConfiguration
# Set disk config (e.g. Caching)
Set-AzureOSDisk
Set-AzureDataDisk

General

Desired State Configuration

State Drift Control using Azure VM Agent, ARM templates, DSC, Chef (recipes, Knife azure plug-in) and Puppet (Puppet master, puppet enterprise agent)

The Azure DSC Extension takes in DSC configuration documents and enacts them on Azure VMs

Custom Script Extension

Logging

Logs are placed in: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC[Version Number]

Compile configuration into a MOF document

Azure VMs – Config and DSC

Configuration MyDscConfiguration
{
    node ("localhost")
    {
        WindowsFeature IIS
        {
            Ensure = "Present"     # Alternatively, to ensure the role is uninstalled, set Ensure to "Absent"
            Name   = "Web-Server"  # Use the Name property from Get-WindowsFeature
        }
        File WebPage
        {
            Ensure          = "Present"
            DestinationPath = "c:\inetpub\wwwroot\index.html"
            Force           = $true
            Type            = "File"
            Contents        = '<html><body><h1>Hello!</h1></body></html>'
            DependsOn       = "[WindowsFeature]IIS"  # ensures this runs after the IIS install
        }
        Log AfterWebPageCreation
        {
            # The message below gets written to the Microsoft-Windows-Desired State Configuration/Analytic log
            Message   = "Finished adding the default web page"
            DependsOn = "[File]WebPage"  # This means run "WebPage" first.
        }
    }
}

Built-in Resources

Archive Resource

Environment Resource

File Resource

Group Resource

Log Resource

Package Resource

Registry Resource

Script Resource

Service Resource

User Resource

WindowsFeature Resource

WindowsProcess Resource

NOT Networking!!

Slide12

Migration

Supported versions

2014, 2012, 2008 R2 and templates

Licensing - pay per hour or migrate own license (create own image)

Best Practice

Verify disk cache settings on data disks

Avoid using OS drives

Put data and logs on separate disks

Use SQL Server File Groups instead of Disk Striping

Consider using database page compression to reduce i/o

Consider latency between primary and replica when choosing sync mode

Use availability sets

Disable geo-replication on storage account for consistency

Capacity is 20,000 IOPS per Storage Account - 500 IOPS per disk

SQL Always On Availability (AOA). Enable Direct Server Return on NLB!

SQL VMs

Slide13

General

Microsoft HPC Pack 2016 Templates

Require a PFX certificate to secure comms between HPC Nodes. Upload to Key Vault.

Hybrid (Burst to cloud)

On premise head must be joined to an AD domain

HPC Pack installs a self signed certificate that can be uploaded to Azure

Create an ‘Azure Node’ template

Azure HPC Pack

PowerShell create cert:

New-SelfSignedCertificate -Subject "CN=HPC Pack 2016 Communication" -KeySpec KeyExchange -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") -CertStoreLocation cert:\CurrentUser\My -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)

https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-setup-hybrid-hpcpack-cluster

Slide14

PowerShell – Storage General

# Create New ARM Storage Account
New-AzureRmStorageAccount -ResourceGroupName myResourceGroup -Name mystorageaccount -Location "West US" -SkuName "Standard_LRS" -Kind "Storage"
# Get Storage Account
Get-AzureStorageAccount
Get-AzureRmStorageAccount
# create a context for account and key
$ctx = New-AzureStorageContext storage-account-name storage-account-key
# Set the default storage account (ARM)
Set-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName
# Set the current sub and storage (ASM)
Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $strgName
# Create a New Container
New-AzureStorageContainer -Name $name -Permission off
# Get Endpoints
$storageAcc.PrimaryEndpoints.Blob.ToString()
# Get SAS Url
$sasUrl = New-AzureStorageContainerSASToken -Name $blobContainerName -Permission rwdl -Context $ctx -ExpiryTime (Get-Date).AddMonths(1) -FullUri

General

Account Kind

Blob

Standard Performance only

Access Tiers – Hot or cold

General Purpose

Performance

Standard

Premium

SSDs - Currently only store vhds

Up to 64TB per VM

80,000 IOPS per VM, 50,000 IOPS per disk, 2GB per sec throughput

~5ms read/write latency (uncached), <1ms read latency (cached)

Used by DS or GS series VMs (creates premium storage automatically)

Limited sizes: 128, 512, 1023 GiB

Replication (once selected can’t change)

LRS - Locally redundant - 3 reps, 1 data center

ZRS - Zone-redundant - 3 reps across 2-3 data centers in 1 or 2 regions

GRS - Geo-redundant - 6 reps in 2 regions

RA-GRS - Read Access Geo - 6 reps in 2 regions, 2nd readable

Azure Storage Explorer

Security

HTTPS or SMB is encrypted. Can encrypt at rest.

Storage Access Keys (2) – Full access

Storage Access Policy (SAP) – Policies defined, can be revoked

Shared Access Signatures (SAS) - Time limited, container or resource level

URL - sv=storage version, st=start time, se=expiry, sr=resource type, sp=permissions, sip=ip range, spr=protocol, sig=auth key

Role-Based Access Control (RBAC) – admin controls

Storage Diagnostics (Minimal, Verbose, Off)

Azure Storage - General

Valid values for -SkuName are:

Standard_LRS - Locally redundant storage.

Standard_ZRS - Zone redundant storage.

Standard_GRS - Geo redundant storage.

Standard_RAGRS - Read access geo redundant storage.

Premium_LRS - Premium locally redundant storage.

Slide15

PowerShell – Storage General

# Get Storage Account

#set current sub and storage acc
Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $strgName
# set the default account ARM
Set-AzureRmCurrentStorageAccount -Name $strgName -ResourceGroupName $strgName
# Set Logging for Tables
Set-AzureStorageServiceLoggingProperty -ServiceType Table -LoggingOperations Delete,Write -RetentionDays 35
Set-AzureStorageServiceLoggingProperty -ServiceType Blob -LoggingOperations All -RetentionDays 35
Set-AzureStorageServiceLoggingProperty -ServiceType Queue -LoggingOperations None -RetentionDays 35
Set-AzureStorageServiceLoggingProperty -ServiceType File -LoggingOperations Read -RetentionDays 35
# ========== Blobs =============
Get-AzureStorageAccount -StorageAccountName
#Add new container
New-AzureStorageContainer -Name "MyContainer" -Permission Blob
New-AzureStorageContainer -Name "MyContainer" -Permission Container
New-AzureStorageContainer -Name "MyContainer" -Permission Off

SAS Patterns

Value-Key Pattern

Azure Storage – General cont…

Slide16

PowerShell - Blobs

# Get Storage Account

Get-AzureStorageAccount
# Create a new container
New-AzureStorageContainer -Name $name -Permission Blob
# Copy
Start-AzureStorageBlobCopy
# Upload VHD
Add-AzureRmVHD
#Download a VHD
Save-AzureRmVHD

X-plat CLI

REM Upload to blob
azure storage blob upload --file "c:\temp\demofile.txt" --container "files" --blob "uploadedfile.txt" --connection-string "DefaultEndpointsProtocol=https;AccountName=edxtrain1;AccountKey=JGpglv3oxUmu3fgDln4aXK1ohDPfhL449WIU/vqdO1Vj5iQW6JAMjKsmgj792n8jwu0cQbrEGZJBg5cY1Li2aQ==;"
REM Create a Storage Access Policy and Share Access Signature
$policy = New-AzureStorageContainerStoredAccessPolicy -Container files -Policy downloadPolicy -Permission rdl -Context $context
$token = New-AzureStorageContainerSASToken -Name files -Policy downloadPolicy -Context $context

General
  Block blobs (Max 200GB each), Append Blobs (like Block, but optimised for append, e.g. logging), Page Blobs (Max 1TB, Good with high read/write, VHDs, 512 byte pages)
  All blobs must be in a container
    Private (default) (Off)
    Blob - Blobs can be read by anyone (Public) (Blob)
    Container – metadata read only (Container)
  Unlimited files and containers
  OS and Data disks can be encrypted using Azure Disk Encryption

Account Kind
  Blob (Standard Performance only - Access Tiers: Hot or Cold)
  General Purpose

Performance
  Standard
  Premium (SSDs - Currently only store vhds, Use for Exchange, SQL Server, Dynamics etc., Up to 64TB per VM, 80,000 IOPS per VM, 50,000 IOPS per disk, 2GB per sec throughput, ~5ms read/write latency (uncached), <1ms read latency (cached), Used by DS or GS series VMs (creates premium storage automatically), Limited sizes: 128, 512, 1023 GiB, Needs consideration)

Replication
  LRS - Locally redundant - 3 reps, 1 data center | ZRS - Zone-redundant - 3 reps across 2-3 Datacenters in 1 or 2 regions | GRS - Geo-redundant - 6 reps in 2 regions | RA-GRS - Read Access Geo - 6 reps in 2 regions, 2nd readable

Encryption
  Default off

AzCopy

Azure Storage - Blobs

ListBlobs()
  Can specify a prefix
  You can list blobs hierarchically, in a manner similar to traversing a file system, or in a flat listing, where all blobs matching the specified prefix are returned by the listing operation.
  You can specify additional details to return with the listing, including copy properties, metadata, snapshots, and uncommitted blobs.

ListBlobsSegmented()
  Returns a max of 5,000 items, Can specify a prefix, continuation token

Slide17

PowerShell - Files

# Create new file share

$s = New-AzureStorageShare myshare -Context $ctx
# Create a directory
New-AzureStorageDirectory -Share $s -Path mydirectory
# Upload a local file
Set-AzureStorageFileContent -Share $s -Source c:\temp\myfile.txt
# Copy to a new directory
Start-AzureStorageFileCopy

Connect commands:
net use [drive letter] \\hmstrainingdefaultstore.file.core.windows.net\test1 /u:hmstrainingdefaultstore [storage account access key]
sudo mount -t cifs //hmstrainingdefaultstore.file.core.windows.net/test1 [mount point] -o vers=3.0,username=hmstrainingdefaultstore,password=[storage account access key],dir_mode=0777,file_mode=0777

General
  SMB 2.1 and 3.0 supported
  1TB max file size
  Max size of File Share = 5TB, unlimited number of files
  Access URL
    https://<storage account name>.file.core.windows.net/<share>/<directory>/<directories…>/<file>
  Accessible from anywhere by default

Azure Storage - Files

Slide18

PowerShell - Files

# Create a directory

New-AzureStorageDirectory

.Net

Get SAS
public string GetSharedAccessSignature(SharedAccessTablePolicy policy, string accessPolicyIdentifier, string startPartitionKey, string startRowKey, string endPartitionKey, string endRowKey)
tableKey = this.myTable.GetSharedAccessSignature(new SharedAccessTablePolicy(),myPolicy,JonesM01,null,null,null);

Sample
CloudStorageAccount storageAccount = CloudStorageAccount.Parse("DefaultEndpointsProtocol=https;AccountName=your_account;AccountKey=your_account_key");
CloudTableClient tableClient = storageAccount.CreateCloudTableClient();
CloudTable table = tableClient.GetTableReference("customers");
CustomerEntity customer = new CustomerEntity("Harp", "Walter");
customer.Email = "Walter@contoso.com";
customer.PhoneNumber = "425-555-0101";
TableOperation insertOperation = TableOperation.Insert(customer);
await table.ExecuteAsync(insertOperation);
TableOperation retrieveOperation = TableOperation.Retrieve<CustomerEntity>("Harp", "Walter");
TableResult result = await table.ExecuteAsync(retrieveOperation);

General
  NoSQL key/attribute store
  Schema-less
  Massively scalable

Azure Storage - Tables

Slide19

PowerShell - Files

# Create a directory

New-AzureStorageDirectory

X-plat CLI

General

Azure Storage - Queues

Slide20

PowerShell - Files

#
Start-OBRecovery -RecoverableItem $myItem -RecoveryOption $secureString -Credential $cred

General
  Backup files from Windows to Azure
  Create backup Vault in geographic region
  Vault credentials replace certificates
  Backup Agent Required
    WABInstaller
    Requires Windows Identity Framework (WIF) and PowerShell
  Agent Type
    Azure Backup Agent
    Windows Server and System Center Data Protection Manager
    Windows Server Essentials
  Can install on Server 2008 R2 SP1 +, 64 bit Win 7+, extension available for essentials 2012

Azure Backup Vault

Setting up Workflow
  Configure Azure Backup Vault
  Download vault credentials
  Run MARSAgentInstaller.exe /m /q (m=check for updates)
  Create a passphrase to encrypt and decrypt backups
  Specify backup schedule

Slide21

PowerShell - AAD

# Active

Get-Msoluser

New-Msoluser
Remove-msoluser
Restore-msoluser
Set-MsolUser
Set-MsolUserPassword
Set-MsolUserPrincipalName
Add-MsolGroupMember
Get-MsolGroup
Get-MsolGroupMember
New-MsolGroup
Remove-MsolGroup
Set-MsolGroup
Set-MsolDomainAuthentication
Convert-MsolFederatedUser

General
  Still uses classic portal
  <xyz>.onmicrosoft.com
  SSO, Multi-factor, RBAC, Device Registration
  Self-service password and group management

Subscriptions
  Free – 500,000 objects, 10 apps per user SSO
  Standard – Free + No object limits, Application proxy apps, Groups, Self service, branding, app proxy, SLA, 99.9%
  Premium – Standard + No SSO App limits, Service App integration templates, Self-service app management, on-premise write back, multi-factor auth, identity manager cal, cloud app discovery, connect health, privileged id management.

Multi-Factor Authentication (MFA)
  Mobile App, Phone call, text, email, third party oath
  Available as stand-alone or AD Premium
  Can configure to skip on federated users on intranets and known subnets. Also to suspend on remembered devices for x days

Hybrid
  Extend - Add AD Server VM in Azure. New site. Global Catalog server.
  Synchronize – Azure AD Connect (DirSync, Azure AD Sync, FIM+AD Connector). Simplest, password sync and write-back. Multi-forest, filtering objects and attributes.
  Federated Trust with Azure AD
    AD FS to allow AzureAD to authenticate against internal AD.
  Azure AD Connect Health (supports ADFS, Sync and AD DS)

SSO – Pre-integrated SaaS Apps (uses SAML federation)
Cloud App Discovery – Premium only! find users app usage.
Federation – Passes on Authentication. No local accounts. Claims based authentication.
Security Token Services (STS)

Azure Active Directory

Slide22

General

Still uses classic portal

Azure Active Directory cont

Convert-MsolDomainToFederated

Slide23

App Endpoints

Federation Metadata Document

WS-Federation Sign-on Endpoint

SAML-P Sign-On endpoint

SAML-P Sign-Out endpoint

Microsoft Azure AD Graph API endpoint

OAuth 2.0 Token endpoint

OAuth 2.0 Authorization endpoint

Azure Active Directory cont… 2

Federation
  Powershell Convert-MsolDomainToFederated
  ITR (Issuance Transform Rule)
    Controls how claims are issued to a trusting relying party
    By default, the ITR transforms the WindowsAccountName, UPN and ImmutableID from the claims provider so they can be used for tokens
    2 rules created, unless ‘-SupportMultipleDomains’, then 3.
    Rule 3 should be edited if subdomains needed
  IAR (Issuance Authorization Rule)
    Controls access to a trusting relying party. E.g. Office365
    Defaults to “Permit Access to All Users”

Azure AD supports three different ways to sign in to applications:

Federated Single Sign-On enables applications to redirect to Azure AD for user authentication instead of prompting for its own password. This is supported for applications that support protocols such as SAML 2.0, WS-Federation, or OpenID Connect, and is the richest mode of single sign-on.

Password-based Single Sign-On enables secure application password storage and replay using a web browser extension or mobile app. This leverages the existing sign-in process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password.

Existing Single Sign-On enables Azure AD to leverage any existing single sign-on that has been set up for the application, but enables these applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched there.

General
  SSO Protocols
    SAML-P
    3rd party vendors
    WS-Federation
    OpenID Connect
    OAuth2
  Graph Api
    https://graph.windows.net/{tenant_id}/{resource_id}/{resource_path}?{api_version}
  ADAL??

Slide24

Azure Active Directory cont… 3

Slide25

General

Modern Apps – APIs, Mobile Apps, Web Apps, IoT, Cognitive

Web Apps, Mobile Apps, Logic Apps, API Apps, Functions (server-less)

.Net, Python, node.js, PHP, Java

App Service Plan - Defines Region, Scale count, Instance Size, SKU (Free, Shared, Basic, Standard, Premium) Max 20 servers

App Service Environment – premium service, private isolated, very high scale and security, dedicated compute pools, Max 50 servers

Dynamic Service Plan – for Azure Functions. Cost is a function of execution time, memory size and number of executions. 128MB to 1,536MB

Azure Stack – own data center App Service fabric

Cloud App Discovery – Premium only! find users app usage.

Federation – Passes on Authentication. No local accounts. Claims based authentication.

Security Token Services (STS)

Azure App Services

Slide26

Azure App Services Plans capability

| Feature | Free | Shared (Host Basic Apps) | Basic (More Features for Dev / Test) | Standard (Go Live with Web and Mobile) | Premium (Enterprise Scale and Integration) |
| --- | --- | --- | --- | --- | --- |
| Web, mobile, or API apps | 10 | 100 | Unlimited | Unlimited | Unlimited |
| Disk space | 1 GB | 1 GB | 10 GB | 50 GB | 250 GB |
| Logic App Actions (per day) * | 200 | 200 | 200 | 10,000 | 50,000 |
| Maximum instances | – | – | Up to 3 | Up to 10 | Up to 50 |
| App Service Environments (req. min 6 cores) | – | – | – | – | Supported |
| SLA | – | – | 99.95% | 99.95% | 99.95% |
| Slots | - | - | - | 5 | 20 |
| Auto-scale | - | - | - | Supported | Supported |
| Backups /day | - | - | - | 2 | 50 |
| Custom domains | - | Supported | Supported | Supported | Supported |
| SSL Certs | - | - | Unlimited SNI | Unlimited SNI + 1 IP | Unlimited SNI + 1 IP |
| Logic App Definitions | 10 | 10 | 10 | 25 | 100 |

Slide27

PowerShell

# Create App Service Plan

New-AzureRmAppServicePlan -Location "South Central US" -ResourceGroupName DestinationAzureResourceGroup -Name NewAppServicePlan -Tier Premium
# Create a Backup
New-AzureRmWebAppBackup -ResourceGroupName $resourceGroupName -Name $appName -StorageAccountUrl $sasUrl
# Restore from backup
$backupList = $app | Get-AzureRmWebAppBackupList
$backup = $app | Get-AzureRmWebAppBackup -BackupId 10102
$backup | Restore-AzureRmWebAppBackup -Overwrite
# Clone an existing App (Premium Only)
$srcapp = Get-AzureRmWebApp -ResourceGroupName SourceAzureResourceGroup -Name source-webapp
$destapp = New-AzureRmWebApp -ResourceGroupName DestinationAzureResourceGroup -Name dest-webapp -Location "North Central US" -AppServicePlan DestinationAppServicePlan -SourceWebApp $srcapp

General
  Lock (CanNotDelete, ReadOnly)
  Swap Slots
    See below for which settings swap
  Kudu – Command Interface
  Extensions (application Insights, New Relic, Php Manager, Jekyll…)
  Deployment (FTP, Web Deploy, OneDrive, Dropbox, Kudu (can unzip), VSO, Local Git, GitHub, Bitbucket, Azure CLI)

Azure App Services cont..

Slide28

PowerShell

#

Get-AzureRmWebApp -Name $sitename
New-AzureRmWebApp -Name $sitename -AppServicePlan $appServicePlan -ResourceGroupName $rgName -Location $loc -ASEName $aseName -ASEResourceGroupName $aseRgName
Set-AzureRmWebApp -Name $sitename
Restart-AzureRmWebapp
Stop-AzureRmWebapp
Start-AzureRmWebapp
Remove-AzureRmWebApp
Get-AzureRmWebAppPublishingProfile -Name $sitename -ResourceGroupName $rgName -OutputFile .\publishingprofile.txt

X-plat CLI

# App Service Plans
azure appserviceplan list --resource-group MyRG
azure appserviceplan create
azure appserviceplan show
azure appserviceplan config
azure appserviceplan delete
# Create, delete and list
azure webapp create --name ContosoWebApp --resource-group ContosoAzureResourceGroup --plan ContosoAppServicePlan --location "South Central US"
azure webapp delete --name ContosoWebApp --resource-group ContosoAzureResourceGroup
azure webapp list --resource-group ContosoAzureResourceGroup
# Config, restart etc..
azure webapp config set
azure webapp config hostnames
azure webapp config appsettings
azure webapp restart
azure webapp stop
azure webapp start
# Get publishing profile
azure webapp publishingprofile --name ContosoWebApp --resource-group MyGG

Azure App Services - Web Apps

Slide29

Azure App Services - Mobile Apps

Cross platform SDK

Offline data and data sync (uses SQLite)

Incl. Notification Hub (Push)

Free (1M pushes, 500 active devices) | Basic (10M pushes, 200K Active Devices) | Standard (10M pushes, 10M Active Devices, Rich telemetry, Bulk Operations, Scheduled, Multi-tenancy)

Require namespace
Register App for Push Services (App secret password and package SID)
Tags
  Client Requested
  Automatically Added
Broadcast | Unicast/Multicast | Segmentation (Tags)
Templates
Platform Notification System (PNS)
  Windows Phone (Windows Notification Service (WNS)) – Tiles, Badges, Notifications
  iOS (Apple Push Notification Service (APNS))

| | FREE 1 | BASIC | STANDARD |
| --- | --- | --- | --- |
| Price 2 | Free (up to 10 services / month) | £11.17 / month per unit | £104.34 / month per unit |
| API Calls 2 | 500 K | 1.5 M / unit | 15 M / unit |
| Active Devices 3 | 500 | Unlimited | Unlimited |
| Scale | N/A | Up to 6 units | Unlimited units |
| Push Notifications | Notification Hubs Free Tier included, up to 1 M pushes | Notification Hubs Basic Tier included, up to 10 M pushes | Notification Hubs Standard Tier included, up to 10 M pushes |
| Real time messaging & Web Sockets | Limited | 350 / mobile service | Unlimited |
| Offline synchronizations | Limited | Included | Included |
| Scheduled jobs 4 | Limited 1 Job, 1 exec/hr | Included | Included |
| SQL Database 5 (required) | 20 MB included for 1yr, Standard rates apply after | 20 MB included for 1yr, Standard rates apply after | 20 MB included for 1yr, Standard rates apply after |
| CPU capacity | 60 minutes / day | Unlimited | Unlimited |
| Outbound data transfer | 165 MB per day (daily Rollover)* 5GB per 30 days | Included 50GB per 30 days | Included 500GB per 30 days |

Slide30

Azure App Services - Mobile Apps cont

Incl. Notification Hub (Push)

Free (1M pushes, 500 active devices) | Basic (10M pushes, 200K Active Devices) | Standard (10M pushes, 10M Active Devices, Rich telemetry, Bulk Operations, Scheduled, Multi-tenancy)

iOS, Android, WNS
Require namespace
Register App for Push Services (App secret password and package SID)
Tags
  Client Requested
  Automatically Added
Broadcast | Unicast/Multicast | Segmentation (Tags/Tag expression)
Templates – Each device type can have multiple templates
Platform Notification System (PNS)
  Services Supported
    Windows Notification Service (WNS) or Windows Phone (MPNS) – Tiles, Badges, Notifications
    iOS (Apple Push Notification Service (APNS))
    Google Firebase Cloud Messaging (FCM), use Google Cloud Messaging (GCM) in Notification Hub.
    Amazon (ADM)
    Baidu (Android China)

Slide31

PowerShell

# Websites

Get-AzureWebsite $sitename
New-AzureWebsite $sitename -Slot staging -Location "North Europe"
Publish-AzureWebsiteProject $sitename -Slot staging -Package [path].zip
Show-AzureWebsite -Name $sitename -Slot staging
Switch-AzureWebsiteSlot -Name staging
Remove-AzureWebsite -Name $sitename -Slot staging
# Download log
Save-AzureWebSiteLog -Name $sitename
# View live stream
Get-AzureWebSiteLog -Name $sitename -Tail

X-plat CLI

# List command available for Websites
Call azure site -h
azure site list mysite
azure site create mysite --slot staging
azure site create --git mysite --slot staging
azure site swap staging
azure site delete mysite --slot staging
azure site log download mysite
azure site log tail mywebsite

General
  Slots only available in Standard or Premium
  Deploy using Portal, GitHub, VSO, FTP, OneDrive, DropBox

Hosting Plans
  Free (1GB storage)
  Shared (Free + Custom Domains)
  Basic (instance sizes [small, medium, large], 10GB, SSL, 3 instances)
  Standard (50GB, autoscaling, schedules, metrics (CPU, Instance), Traffic Manager, 5 slots, 10 instances, daily backup)
  Premium (250GB, 20 Instances, 20 Slots, Backup 50 times per day, BizTalk services)

64-bit only, Web sockets, SSL Certs, Custom domains (Shared too), SSL Binding to custom domains, Add End Points, available in Basic or Standard

Default domain azurewebsites.net - Awverify.

Monitoring
  Endpoints (2 endpoints, 3 geographic locations, every 5 mins)
  Performance monitoring

Diagnostics
  Application (lasts 12 hours), Web server (W3C extended log format), Detailed error messages, failed request tracing (xml).
  Can FTP download logs

Kudu – http://mysite.scm.azurewebsites.net

Connection Strings
  .Net uses connectionStrings, not .Net Environment variables

Azure Websites (Classic)

Slide32

PowerShell

#

X-plat CLI and batch

# List command available for Websites

Call azure site -h

cspack [DirectoryName]\[ServiceDefinition] /role:[RoleName];[RoleBinariesDirectory] /sites:[RoleName];[VirtualPath];[PhysicalPath] /out:[OutputFileName]
cspack [DirectoryName]\[ServiceDefinition] /out:[OutputFileName] /role:[RoleName];[RoleBinariesDirectory] /sites:[RoleName];[VirtualPath];[PhysicalPath] /role:[RoleName];[RoleBinariesDirectory];[RoleAssemblyName]

General
  Slots only available in Standard or Premium. Only two, staging and production.
  Web Roles and Worker Roles (no public endpoints)

3 Deployment components
  Service Definition file (.csdef)
    Defines service model incl. what roles.
    Sites, InputEndpoints, InternalEndpoints, ConfigurationSettings, Certificates, LocalResources, Imports, StartupDiagnostics
  Service Configuration File (.cscfg)
    Configuration for the cloud service and roles, incl. number of role instances.
    Instances, ConfigurationSettings, Certificates
    Can reconfigure cloud service by altering this after deployment
    Network configuration (Specify Reserved IP <ReservedIP name=“” />, VLAN <VirtualNetworkSite>)
    Uploaded separately from .cspkg
  Service Package (.cspkg)
    Contains application code and service definition file (.csdef)
    Generated from the .csdef
    Can deploy updates to 1 or all roles. Can use portal, VS
    CSPack.exe command line tool to create .cspkg

Azure Cloud Service (classic)

Slide33

PowerShell

# New cache

New-AzureRmRedisCache -ResourceGroupName $resourceGroupName -Name $cacheName -Location "North Europe" -Sku $sku -Size 13GB -ShardCount 6

.Net

// connection refers to a previously configured ConnectionMultiplexer
IDatabase cache = connection.GetDatabase();
// NOTE:
// The object returned from the GetDatabase method is a
// lightweight pass-through object and does not need to be stored.

// Copy
ConnectionMultiplexer connection = ConnectionMultiplexer.Connect("contoso5.redis.cache.windows.net,abortConnect=false,ssl=true,password=...");
IDatabase cache = connection.GetDatabase();
// Perform cache operations using the cache object...
// Simple put of integral data types into the cache
cache.StringSet("key1", "value");
cache.StringSet("key2", 25);
// Simple get of data types from the cache
string key1 = cache.StringGet("key1");
int key2 = (int)cache.StringGet("key2");

// If key1 exists, it is overwritten.
cache.StringSet("key1", "value1");
string value = cache.StringGet("key1");
if (value == null)
{
    // The item keyed by "key1" is not in the cache. Obtain
    // it from the desired data source and add it to the cache.
    value = GetValueFromDataSource();
    cache.StringSet("key1", value);
}

General
  Only Premium tier supports clustering
  99.9% SLA on Standard and Premium, Not Basic SKU

Azure Redis Cache

| Pricing tier | Size | CPU cores | Available bandwidth | 1 KB Key size |
| --- | --- | --- | --- | --- |
| Standard cache sizes | | | Megabits per sec (Mb/s) / Megabytes per sec (MB/s) | Requests per second (RPS) |
| C0 | 250 MB | Shared | 5 / 0.625 | 600 |
| C1 | 1 GB | 1 | 100 / 12.5 | 12200 |
| C2 | 2.5 GB | 2 | 200 / 25 | 24000 |
| C3 | 6 GB | 4 | 400 / 50 | 49000 |
| C4 | 13 GB | 2 | 500 / 62.5 | 61000 |
| C5 | 26 GB | 4 | 1000 / 125 | 115000 |
| C6 | 53 GB | 8 | 2000 / 250 | 150000 |
| Premium cache sizes | | CPU cores per shard | | Requests per second (RPS), per shard |
| P1 | 6 GB | 2 | 1000 / 125 | 140000 |
| P2 | 13 GB | 4 | 2000 / 250 | 220000 |
| P3 | 26 GB | 4 | 2000 / 250 | 220000 |
| P4 | 53 GB | 8 | 4000 / 500 | 250000 |

Slide34

PowerShell

# Active

G

X-plat CLI

General

Tool: Service Bus Explorer

Queues

Topics

Relay has now moved to a separate Azure Service

Notification Hub has now moved to a separate Azure Services.

Azure Service Bus

| Feature | Basic | Standard | Premium |
| --- | --- | --- | --- |
| Queues | y | y | y |
| Scheduled messages | y | y | y |
| Topics | | y | y |
| Transactions | | y | y |
| De-duplication | | y | y |
| Sessions | | y | y |
| ForwardTo / SendVia | | y | y |
| Message Size | 256 KB | 256 KB | 1 MB |
| Brokered connections included | 100 | 1,000 1 | 1,000 per MU |
| Brokered connections (overage allowed) | – | (billable) | Up to 1,000 per MU |
| Resource isolation | N - Shared | N - Shared | y |

Slide35

General

Add NuGet “Microsoft Azure Service Bus”

Azure Relay

ServiceHost sh = new ServiceHost(typeof(ProblemSolver));
sh.AddServiceEndpoint(typeof(IProblemSolver), new NetTcpBinding(), "net.tcp://localhost:9358/solver");
sh.AddServiceEndpoint(typeof(IProblemSolver), new NetTcpRelayBinding(), ServiceBusEnvironment.CreateServiceUri("sb", "namespace", "solver"))
    .Behaviors.Add(new TransportClientEndpointBehavior { TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider("RootManageSharedAccessKey", "<yourKey>") });
sh.Open();
Console.WriteLine("Press ENTER to close");
Console.ReadLine();
sh.Close();

In the example, you create two endpoints that are on the same contract implementation. One is local and one is projected through Service Bus. The key differences between them are the bindings; NetTcpBinding for the local one and NetTcpRelayBinding for the Service Bus endpoint and the addresses.

Slide36

PowerShell

#Creates a job in the Batch service.

New-AzureBatchJob
#Creates a pool in the Batch service.
New-AzureBatchPool
#Creates a Batch task under a job.
New-AzureBatchTask

General
  Fully managed HPC facility
  REST, .NET, Python, node.js, Java
  Schedules
  Pay for what you use
  App must have
    BatchAccountName
    BatchAccountKey
    BatchAccountUrl
    StorageAccountName & StorageAccountKey

Azure Batch

Step 1. Create containers in Azure Blob Storage.
Step 2. Upload task application files and input files to containers.
Step 3. Create a Batch pool.
    3a. The pool StartTask downloads the task binary files (TaskApplication) to nodes as they join the pool.
Step 4. Create a Batch job.
Step 5. Add tasks to the job.
    5a. The tasks are scheduled to execute on nodes.
    5b. Each task downloads its input data from Azure Storage, then begins execution.
Step 6. Monitor tasks.
    6a. As tasks are completed, they upload their output data to Azure Storage.
Step 7. Download task output from Storage.

Slide37

PowerShell

# Get an Azure Automation Credential

Get-AzureAutomationCredential -AutomationAccountName $accName
New-AzureAutomationAccount
New-AzureAutomationCredential
New-AzureAutomationSchedule
New-AzureAutomationVariable
New-AzureAutomationCertificate
New-AzureAutomationConnection
New-AzureAutomationModule
New-AzureAutomationRunBook
Publish-AzureAutomationRunBook
Register-AzureAutomationScheduledRunbook
Start-AzureAutomationRunbook
Stop-AzureAutomationRunbook
Suspend-AzureAutomationRunbook
Register-AzureAutomationScheduledRunbook
Unregister-AzureAutomationScheduledRunbook

General
  Create a Run As account

Azure Automation

Slide38

General

Templates

Limited to XML or JSON

Use for cross-platform

Use for Personalisation

Need to Register Templates

Azure Notification

Template Expression - Description

$(prop) - Reference to an event property with the given name. Property names are not case-sensitive. This expression resolves into the property’s text value or into an empty string if the property is not present.

$(prop, n) - As above, but the text is explicitly clipped at n characters, for example $(title, 20) clips the contents of the title property at 20 characters.

.(prop, n) - As above, but the text is suffixed with three dots as it is clipped. The total size of the clipped string and the suffix does not exceed n characters. .(title, 20) with an input property of “This is the title line” results in This is the title...

%(prop) - Similar to $(name) except that the output is URI-encoded.

#(prop) - Used in JSON templates (for example, for iOS and Android templates). This function works exactly the same as $(prop) previously specified, except when used in JSON templates (for example, Apple templates). In this case, if this function is not surrounded by “{‘,’}” (for example, ‘myJsonProperty’ : ‘#(name)’), and it evaluates to a number in Javascript format, for example, regexp: (0|([1-9][0-9]*))(.[0-9]+)?((e|E)(+|-)?[0-9]+)?, then the output JSON is a number. For example, ‘badge : ‘#(name)’ becomes ‘badge’ : 40 (and not ‘40‘).

‘text’ or “text” - A literal. Literals contain arbitrary text enclosed in single or double quotes.

expr1 + expr2 - The concatenation operator joining two expressions into a single string.

Slide39

.Net

// Environment Variables in App Settings use:

System.Environment.GetEnvironmentVariable("mySetting", EnvironmentVariableTarget.Process)

Azure Functions

General
  Languages (c#, f#, node.js, python, PHP, Batch, Bash, Exe)
  Uses WebJobs SDK, Supports Nuget, Supports oAuth providers

2 Plans
  Consumption and App Service (dedicated VM. Use for continuous functions)

Project Files
  Appsettings.json (VS – Connection strings)
  Hosts.json (VS – Config behaviour of Azure Functions host)
  Function.json (Input and output bindings. Random GUID syntax for path = {rand-guid})
  Project.json (dependencies, NuGets)
  Run.csx (c# code)

Triggers
  BlobTrigger - Process Azure Storage blobs when they are added to containers. You might use this function for image resizing.
  EventHubTrigger - Respond to events delivered to an Azure Event Hub. Particularly useful in application instrumentation, user experience or workflow processing, and Internet of Things (IoT) scenarios.
  Generic webhook - Process webhook HTTP requests from any service that supports webhooks.
  GitHub webhook - Respond to events that occur in your GitHub repositories. For an example, see Create a webhook or API function.
  HTTPTrigger - Trigger the execution of your code by using an HTTP request.
  QueueTrigger - Respond to messages as they arrive in an Azure Storage queue. For an example, see Create an Azure Function that binds to an Azure service. (default 1 min polling)
  ServiceBusQueueTrigger - Connect your code to other Azure services or on-premise services by listening to message queues.
  ServiceBusTopicTrigger - Connect your code to other Azure services or on-premise services by subscribing to topics.
  TimerTrigger - Execute cleanup or other batch tasks on a predefined schedule. For an example, see Create an event processing function.

Integrations
  Azure DocumentDB, Azure Event Hubs, Azure Mobile Apps (tables), Azure Notification Hubs, Azure Service Bus (queues and topics), Azure Storage (blob, queues, and tables), GitHub (webhooks), On-premises (using Service Bus)

Slide40

PowerShell

# Active

New-AzureRmLogicApp
Creates a logic app in a resource group.

X-plat CLI

General
  Triggers
    HTTP request
    Webhook
    Polling
  Batches and Looping
    SplitOn
    ForEach
    Until
  Functions integration
    Use Generic Webhook template
  Connectors that includes Salesforce, Office 365, Twitter, Dropbox, Google Services and more
  Integration Accounts

Azure Logic Apps

Slide41

PowerShell

# Active

X-plat CLI

General

Encryption Options

StorageEncrypted

CommonEncryptionProtected

EnvelopeEncryptionProtected

Dynamic Packaging (Standard or Premium)

Encoders
  FLV (with H.264 and AAC codec)
  MXF
  GXF
  MPEG2
  WMV / ASF
  MP4 / ISMV
  .dvr-ms
  .MKV
  WAV
  QuickTime (.mov)
  …plus many more

Azure Media Services

Slide42

PowerShell

# Active

G

General

.exe, .cmd (Batch), .ps1 (PowerShell), .py (Python), .php (PHP), .js (Node.js)

How to run
  Continuous
    Do NOT use with schedule
  Scheduled (classic portal)
  Triggered / On Demand
    Use with schedule in Settings.job
  With or without web service

Zip Deployment
  Settings.job contains schedules with CRON expression. Root of Zip file
  {second} {minute} {hour} {day} {month} {day of the week}
  Every hour (0 0 * * * *), Every hour from 9AM to 5PM (0 0 9-17 * * *), at 9:30am every day (0 30 9 * * *), at 9:30am every week day (0 30 9 * * 1-5), every 15 minutes (0 */15 * * * *)

Azure WebJobs

.Net

// Example Queue Trigger
public static void Main()
{
    JobHost host = new JobHost();
    host.RunAndBlock();
}

public static void ProcessQueueMessage([QueueTrigger("webjobsqueue")] string inputText, [Blob("containername/blobname")] TextWriter writer)
{
    writer.WriteLine(inputText);
}

Slide43

PowerShell

# Active

G

X-plat CLI

General

DTU – Data Transaction Unit

Azure SQL

Slide44

PowerShell

# Active

G

X-plat CLI

Migration

Min Downtime

SQL Server Transactional replication

Some Downtime

Deploy Wizard in SSMS Migration Wizard (DAC Package)

SQL Azure Migration Wizard

BACPAC contains both schema and data

DAC packages contain ONLY schema

Elastic Database
  https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-scale-introduction
  Elastic Database Client Library – Allow multi database management including shard management
  Elastic Database Job – execute T-SQL that span multiple databases

Azure SQL cont…

Slide45

Azure Virtual Networks

PowerShell
# Get and Set Vnet config xml
Get-AzureVNetConfig -ExportToFile c:\temp\oldconfig.xml
Set-AzureVNetConfig -ConfigurationPath c:\temp\updatedconfig.xml
# Create a new Vnet
$frontendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "10.1.1.0/24"
$backendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name backendSubnet -AddressPrefix "10.1.2.0/24"
New-AzureRmVirtualNetwork -Name "hms-train-vnet-arm-1" -ResourceGroupName $rgName -Location "North Europe" -AddressPrefix "10.1.0.0/16" -Subnet $frontendSubnet, $backendSubnet

General
  50 per subscription per region
  CIDR Subnet Hosts in Azure = 2^n - 5 (normally 2^n - 2), ‘/29’ is smallest subnet

Multiple NICs
  Can't make a VM multi NIC after deployment. Need to delete and redeploy
  D1 - 1 NIC, D2 - 2 NICs, D3 - 4 NICs, D4 - 8 NICs

Access Control Lists (ACL)
  For endpoints only. Inbound only! Not preferred, use NSGs.

Network Security Groups (NSG)
  Can’t use if ACLs. Remove ACLs first
  Name, Direction, Priority, Access (allow or NOT), Source IP, Source port, Destination IP, Destination Port, Protocol
  Applied to one or more VMs or subnet
  Subnet can only have 1 NSG applied
  Each NSG can have up to 200 rules
  Is associated to a region
  100 NSGs per region per subscription
  Default Tags (Internet, Virtual_network, Azure_loadbalancer)
  Do NOT Block 168.63.129.16 and port 1688!!

UDR (Routing Tables)

VPNs (Site-to-Site, VNet2Vnet, Point-to-Site, Express-Route (private network))
  Express-route – Exchange providers (layer 3, 200Mbps – 10Gbps, Site2Site, BGP with client), Network Service Providers (10Mbps – 1Gbps, Any2Any, BGP with telco)
  Max 30 VPN tunnels per VPN Gateway and 128 connections from clients

Slide46
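The NSG rule fields listed on the Azure Virtual Networks slide (name, direction, priority, access, source and destination address and port, protocol), put together into one NSG and attached to the frontend subnet. This is an added example, not part of the original slides; it reuses the slide's $rgName, VNet name and frontendSubnet, and the NSG and rule names are hypothetical.

```powershell
# Added example. Assumes an AzureRM session (Add-AzureRmAccount) and that
# $rgName and the "hms-train-vnet-arm-1" VNet from the slide already exist.
# NSG and rule names are hypothetical.

# Rules are evaluated in priority order (lowest number first); first match wins.
$allowHttps = New-AzureRmNetworkSecurityRuleConfig -Name "allow-https-in" `
    -Description "HTTPS from the Internet to the frontend subnet" `
    -Direction Inbound -Priority 100 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange "*" `
    -DestinationAddressPrefix "10.1.1.0/24" -DestinationPortRange 443

# Explicit deny for everything else arriving from the Internet.
# The source is the Internet tag, not "*", so the default allow rules for
# VirtualNetwork and AzureLoadBalancer traffic still apply.
$denyInternet = New-AzureRmNetworkSecurityRuleConfig -Name "deny-internet-in" `
    -Description "Drop all other Internet-sourced traffic" `
    -Direction Inbound -Priority 4000 -Access Deny -Protocol "*" `
    -SourceAddressPrefix Internet -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"

# An NSG is associated to a region; create it next to the VNet.
$nsg = New-AzureRmNetworkSecurityGroup -Name "frontend-nsg" `
    -ResourceGroupName $rgName -Location "North Europe" `
    -SecurityRules $allowHttps, $denyInternet

# Attach the NSG to the subnet (a subnet can have only one NSG applied).
$vnet = Get-AzureRmVirtualNetwork -Name "hms-train-vnet-arm-1" -ResourceGroupName $rgName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name frontendSubnet `
    -AddressPrefix "10.1.1.0/24" -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Review the custom rules in the order they are evaluated.
(Get-AzureRmNetworkSecurityGroup -Name "frontend-nsg" -ResourceGroupName $rgName).SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, DestinationPortRange
```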

Azure Virtual Networks - VPNs

PowerShell
# Create a PIP for the Gateway
$pip = New-AzureRmPublicIpAddress -AllocationMethod Dynamic -ResourceGroupName $rgName -Name "hms-train-gateway-1"

X-plat CLI

VPNs
  Site-to-Site, VNet2Vnet
    Max 10 tunnels, 100 Mbps (Basic and Standard) | 30 tunnels, 200 Mbps (High Performance)
  Point-to-Site
    Max 128 connections, Secure Socket Tunneling Protocol (SSTP)
    Use makecert to create a self-signed root certificate (can’t use a CA)
    Import .ver file with private key to Azure
    Generate a client certificate for each client to install
    Download package from portal and then install client
  Express-Route (private network)
    Express-route – Exchange providers (layer 3, 500 Mbps – 10Gbps, Site2Site, BGP with client), Network Service Providers (10 Mbps – 1Gbps, Any2Any, BGP with telco)
  Max 30 VPN tunnels per VPN Gateway and 128 connections from clients
  Gateway SKUs – Basic (BGP & ExpressRoute not supported), Standard, High Performance

Considerations
  No overlapping IP address ranges
  Only 1 VPN gateway per VNet

Slide47

Azure Virtual Networks cont…

PowerShell
# Active
# List reserved IPs
Get-AzureReservedIP
# Reserve a new IP address
New-AzureReservedIP -ReservedIPName AGSReservedIP -Location "North Europe"
# List reserved IPs
Get-AzureReservedIP
# List all azure services
Get-AzureService
# Allocate the ip to a service
Set-AzureReservedIPAssociation -ReservedIPName AGSReservedIP -ServiceName FFApi-VBTest

General
  Azure Load Balancer (Layer 4 – Transport Layer), Random network levelling. Health probes (Custom for non 200ACK)
  Application Gateway (50 per subscription, max 10 instances each)
    SKUs: WAF and Standard
    Small (7.5Mbps / 35Mbps), Medium (10Mbps / 100Mbps), Large (50Mbps / 200Mbps)
    Firewall, Round Robin LB, Cookie session affinity, SSL offload, URL based content routing, up to 20 websites consolidation, websocket support, health monitoring, advanced diagnostics.
  Traffic Manager (Layer 7 – DNS based LB)
    Weighted (Round-robin)
    Performance (Performance/latency)
    Priority (DR/Failover)

Slide48

Azure Virtual Networks cont…

PowerShell
# Active
# List reserved IPs
Get-AzureReservedIP
# Reserve a new IP address
New-AzureReservedIP -ReservedIPName AGSReservedIP -Location "North Europe"
# List reserved IPs
Get-AzureReservedIP
# List all azure services
Get-AzureService
# Allocate the ip to a service
Set-AzureReservedIPAssociation -ReservedIPName AGSReservedIP -ServiceName FFApi-VBTest

Advanced
  Peering – Connects 2 VNets in the same region through the Azure backbone
  Can use between subscriptions if both associated with same AD tenant
  Peering between ARM and ASM VNets can be done if both in same subscription
  Requirements
    Same region
    Non-overlapping IP address spaces

Slide49

PowerShell & x-plat CLI - General

PowerShell
# List all
Get-Module -ListAvailable
# Install the Azure Resource Manager modules from the PowerShell Gallery
Install-Module AzureRM
# Install the Azure Service Management modules from the PowerShell Gallery
Install-Module Azure
# Get a list of cmdlets in the Azure module
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis
# Get a list of cmdlets in the Resource Manager module
Get-Command -Module AzureRM | Get-Help | Format-Table Name, Synopsis
# Login (Classic)
Add-AzureAccount
# Login (ARM) alias is 'Login-AzureRmAccount'
Add-AzureRmAccount
# Get a list of subscriptions
Get-AzureSubscription
Get-AzureRmSubscription
# Get Context (ARM)
Get-AzureRmContext
# Set the subscription for the session (ARM)
Select-AzureRmSubscription
# Select default storage context
Set-AzureRmCurrentStorageAccount -ResourceGroupName $rgname -StorageAccountName $strgname
# Remote PowerShell – Install certificate
.\InstallwinRMCertAzureVM.ps1 -SubscriptionName $s -ServiceName $svc -Name $vm
# Retrieve the URI of the VM
$uri = Get-AzureWinRMUri -ServiceName $svc -Name $vm
# Execute a script remotely
$cred = Get-Credential
Invoke-Command -ConnectionUri $uri -FilePath '.\deployad.ps1' -Credential $cred

X-plat CLI
REM Set mode to ARM
azure config mode arm
REM Set mode to Service Management Mode
azure config mode asm
REM Login
azure login
REM List subscriptions
azure account list
REM Set Current Subscription
azure account set "{name of subscription}"
REM Create Resource Group
azure group create -n "{name}" -l "{location}"

Use npm to install on Linux
Docker container available for version 2.0

Slide50

Azure Data Lake

PowerShell - Files
# Active
G

X-plat CLI

General
  Azure Data Lake Store - A data repository that enables you to store any type of data in its raw format without defining schema. The store offers unlimited storage with immediate read/write access to it and scaling the throughput you need for your workloads. The store is Hadoop Data File System (HDFS) compatible so you can use your existing tools.
  Azure Data Lake Analytics - An analytics service that allows you to run analysis jobs on data. Analytics uses Apache YARN to manage its resources for the processing engine. By using the U-SQL query language you can process data from several data sources such as Azure Data Lake Store, Azure Blob Storage, Azure SQL Database but also from other data stores built on HDFS.
  Azure Data Lake HDInsight - An analytics service that enables you to analyze data sets on a managed cluster running open-source technologies such as Hadoop, Spark, Storm & HBase.

Slide51

HDInsight

PowerShell - Files
# Active
G

X-plat CLI

General
  99.9% enterprise scale SLA
  Hadoop: Petabyte scale processing with Hadoop components like Hive (SQL on Hadoop) HiveQL
  Apache Pig is a platform for creating programs for Hadoop by using a procedural language known as Pig Latin
  Sqoop - tool designed to transfer data between Hadoop clusters and relational databases. You can use it to import data from a relational database management system (RDBMS) such as SQL Server
  HCatalog is a table and storage management layer for Hadoop that enables users with different data processing tools — Pig, MapReduce — to more easily read and write data on the grid
  HBase: Fast and scalable NoSQL Offering
  Storm: Allows the processing of infinite streams of data in real-time.
  Spark: Fast data analytics and cluster using in-memory processing.
  Interactive Hive (preview): Enterprise Data Warehouse with in-memory analytics using Hive (SQL on Hadoop) and Long Live and Process (LLAP)
  R Server: Terabyte scale, provides enterprise grade R analytics used for machine learning models.
  Kafka (preview): High throughput, low latency, real-time streaming platform, typically used in streaming and IoT scenarios
  Mahout - One of the Microsoft HDInsight key components is Mahout, a scalable machine learning library that provides a number of algorithms relying on the Hadoop platform
  Oozie - Apache Oozie is a workflow/coordination system that manages Hadoop jobs.

Slide52

API Management

PowerShell - Files
# Active
G

General
  API Gateway (99.9% SLA, 99.95% SLA for Premium across two or more regions)
  Features - access control, rate limiting, monitoring, event logging, and response caching
  Groups – Administrators, Developers, Guests
  Policy Types (Access restriction, Advanced, Authentication, Caching, Cross domain, Transformation)

Tier | Developer | Standard | Premium
Price | £0.9652/day | £13.78/day per unit | £56.14/day per unit
API Calls (per unit) | 32 K / day (~1 M / month) | 7 M / day (~217 M / month) | 32 M / day (~1 B / month)
Data Transfer (per unit) | 161 MB / day (~5 GB / month) | 32 GB / day (~1 TB / month) | 161 GB / day (~5 TB / month)
Cache | 10 MB | 1 GB | 5 GB
Scale-out | None | 4 units, Contact us for more | Unlimited
SLA | No | 99.9% | 99.95%
Multi-Region Deployment | No | No | Yes
Azure Active Directory Integration | Unlimited User Accounts | No | Unlimited User Accounts
VPN | Yes | No | Yes

Slide53

API Management – cont…

Policy reference index

Access restriction policies
  Check HTTP header
  Limit call rate by subscription
  Limit call rate by key
  Restrict caller IPs
  Set usage quota by subscription
  Set usage quota by key
  Validate JWT

Advanced policies
  Control flow
  Forward request
  Log to Event Hub - Sends messages in the specified format to a message target defined by a Logger entity.
  Retry
  Return response
  Send one way request
  Send request
  Set request method
  Set status
  Set variable
  Trace
  Wait

Authentication policies
  Authenticate with Basic
  Authenticate with client certificate

Caching policies
  Get from cache
  Store to cache
  Get value from cache
  Store value in cache
  Remove value from cache

Cross domain policies
  Allow cross-domain calls - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.
  CORS - Adds cross-origin resource sharing (CORS)
  JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

Transformation policies
  Convert JSON to XML
  Convert XML to JSON
  Find and replace string in body
  Mask URLs in content - Re-writes (masks) links in the response body so that they point to the equivalent link via the gateway.
  Set backend service
  Set body
  Set HTTP header
  Set query string parameter
  Rewrite URL - Converts a request URL from its public form to the form expected by the web service.

Slide54

Mobile Apps

Notifications Hub
Autoscale
Social Integration
Offline Data Sync
  SQLite
  IMobileServicesSyncTable (.net), MSSyncTable (IOS), mClient.getSyncTable() (android)
  PushAsync, PullAsync, updateAt (Incremental Sync), IMobileServicesSyncTable.PurgeAsync (clear local store)

Tier | Free (Try for free) | Shared (Host basic apps) | Basic (More features for Dev/Test) | Standard (Go live with web and mobile) | Premium (Enterprise scale and integration)
Web, mobile or API apps | 10 | 100 | Unlimited | Unlimited | Unlimited
Disk space | 1 GB | 1 GB | 10 GB | 50 GB | 250 GB
Logic App Actions (per day) * | 200 | 200 | 200 | 10,000 | 50,000
Maximum instances | – | – | Up to 3 | Up to 10 | Up to 50
App Service Environments (require min. 6 cores) | – | – | – | – | Supported
SLA | – | – | 99.95% | 99.95% | 99.95%

Service Plan | Cores | RAM | DISK
F1 | Shared | 1GB | 1GB
D1 | shared | 0.5GB | 1GB
B | 1,2,4 | 1.75, 3.5, 7GB | 10GB
S | 1,2,4 | 1.75, 3.5, 7GB | 50GB
P | 1,2,4,8 | 1.75, 3.5, 7, 14GB | 250GB

Slide55

Azure Container Service

Standard infrastructure for Docker cluster
Scale and orchestrate using DC/OS, Docker Swarm, or Kubernetes
Saves about 6,000 lines of config code
Has no registry or other customisation

Slide56

Azure Service Fabric

Provides fast deployment, Placement and activation, high density, reliability, scaling, health reporting, coordinated upgrades, service endpoint discovery

Programming models
  Guest executable (as-is code) plus ServiceManifest.xml
  Reliable Services Model
    VS development using Fabric sdk. Package and deploy and debug etc.
    Dynamic resource balancing based on actual usage.
    .Net or JavaScript?
  Stateful Programming model
    Reliable collections
    Reliable Queues
    Reliable …

Application Manifest
Cluster port: 19080

Slide57

Azure Key Vault

Tiers – Standard | Premium (incl. Hardware Security Module (HSM) backed keys)

Secrets
  Any sequence of bytes under 10KB. E.g. Passwords and connection strings that can be encrypted, PFX file.
  AES key used to encrypt data
  Low latency

Keys
  A cryptography key. RSA 2048. Can’t be read back, but can ask the service to decrypt using the key or sign using a key.
  Use when security requirement is greater than performance.

Advanced Access Policies
  Enable access to Azure VMs for deployment
  Enable access to Azure Resource Manager for template deployment
  Enable access to Azure Disk Encryption for volume encryption

Access Policies
  Key & Secret Management
  Key Management
  Secret Management
  SQL Server Connector

Admins & Consumers MUST have an Azure AD account incl. applications.
Url: https://{vaultname}.vault.azure.net/secrets/{secret name}/{version [optional]}

PowerShell - Files
# Create key vault
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location -Sku Standard -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption
# Set Permissions to key vault for service
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -ServicePrincipalName $spn -PermissionsToKeys all -PermissionsToSecrets all -PermissionsToCertificates all
# Gets key vaults.
Get-AzureRmKeyVault
# Adds a certificate to a key vault.
Add-AzureKeyVaultCertificate
# Creates a key in a key vault or imports a key into a key vault.
Add-AzureKeyVaultKey
# Gets the secrets in a key vault.
Get-AzureKeyVaultSecret
# Creates or updates a secret in a key vault.
Set-AzureKeyVaultSecret
# Updates attributes of a secret in a key vault.
Set-AzureKeyVaultSecretAttribute
# Deletes a secret in a key vault.
Remove-AzureKeyVaultSecret

Slide58
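The Key Vault cmdlets listed on the Azure Key Vault slide, used to store one secret and give a consuming application read-only access to secrets instead of the "all" permissions shown there. This is an added example, not part of the original slides; it reuses the slide's $kvName, $rgName and $spn variables, and the secret name is hypothetical.

```powershell
# Added example. Assumes an AzureRM session (Add-AzureRmAccount), an existing
# vault, and the $kvName / $rgName / $spn variables used on the slide.
$secretName = "SqlConnectionString"   # hypothetical secret name

# -SecretValue takes a SecureString, so prompt for the value instead of
# embedding the plaintext in the script or its history.
$value  = Read-Host -AsSecureString -Prompt "Secret value"
$secret = Set-AzureKeyVaultSecret -VaultName $kvName -Name $secretName -SecretValue $value

# Remove any existing policy for the application so an earlier, broader
# grant does not linger, then grant only what it needs at run time:
# reading secrets. No key or certificate permissions are given.
Remove-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $spn
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $spn -PermissionsToSecrets get

# Review who can do what on the vault after the change.
$vault = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
$vault.AccessPolicies |
    Format-Table DisplayName, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates

# The identifier of the stored secret follows the URL pattern from the slide:
# https://{vaultname}.vault.azure.net/secrets/{secret name}/{version}
$secret.Id
```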

Azure Key Vault cont

Workflow with AAD
  CSO creates Vault adds keys and authorizes AAD users
  CSO uploads a ‘Service Certificate’ (pfx incl. private key) to Azure
  Operator then creates App Instances (VMs)
  Azure injects the Service Certificate into each VM
  Now the App (which has used the same certificate as its Auth in AAD) can retrieve and authorize against AAD
  AAD returns the Token
  App can now access the Key Vault

Xplat-CLI - Files
# Create key vault
N

App Config
  Needed when NOT using certificate (app or web.config or app settings)
  VaultUrl
  AAD AuthClientId
  AAD AuthClientSecret (Shared Key)

Slide59

Stuff to do

Azure Backup
Azure Automation
Azure Batch
Service Bus
HPC and HPC Pack
BizTalk Hybrid Connection
StorSimple
Azure Key Vault
Azure Media Services
Microsoft Enterprise Library Autoscaling Application Block (WASABi)
Hyper-V (MVMM)
Check out neo4j
Azure RMS
Event Hubs
Relay
Hyper-V Replica