#1
Code and test the functions locally
Testing can be tricky. The first place to go for function testing is of course the Azure portal itself. Functions that use manual or HTTP triggering are good candidates for ad hoc manual testing using the tools in the portal. If you prefer, for HTTP triggered functions you can also use external tools like Postman or Fiddler to send the HTTP request to your function URLs.
The append blob gives the ability to append data to an existing blob. This blob type is ideal for storing data that is relevant to logging and auditing.
The user can perform that operation since NotActions is not a deny rule.
Azure Advisor
Azure Monitor
Azure Policy
Azure Application Insights
Advisor will review your virtual machine usage over the last 30 days and determine if you could save money by purchasing an Azure reservation. Advisor will show you the regions and sizes where you potentially have the most savings and will show you the estimated savings from purchasing reservations.
IoT Edge is a tool for empowering IoT devices. It lets you run code directly on client devices instead of in the cloud. So you can do things like change device configuration, get real-time analytical data, or detect abnormal conditions. The chief value of doing such work directly on the device is that it saves the effort of having to send event data back and forth over the internet. So for example, we might want an IoT home sensor to alert us to some unusual condition without having to phone home to the cloud to run an analysis. You can imagine how valuable this could be for something like an IoT smoke detector or security system. IoT Edge can also empower devices where network connectivity is not always reliable.
The TimerTrigger will allow you to schedule the function to run on a set schedule.
Azure AD Conditional Access
Azure AD Privileged Identity Management
Azure AD Connect is the tool used to integrate Azure AD with your on-premises domain controllers. Azure AD Connect will integrate your on-premises directories with Azure Active Directory.
It is important to know the requirements of your application. This will help you select many parameters when setting up the VMs hosting the application. Storage parameters include selecting the storage type: Standard storage or Premium storage. Once you set up your VM disk as Standard or Premium, you may not change or convert this option later. Premium storage is made up of SSDs (Solid-State Disks), providing low latency and faster I/O performance. Premium storage is best suited for heavy I/O applications like SQL Server databases.
A shared access signature is a safe way to provide access to external parties for resources hosted in a storage account. It is not recommended to provide direct access keys to the person for accessing the relevant data in the storage account. Instead, you can create a shared access signature that provides delegated access to resources in your storage account.
The Trusted IP address feature only works when users sign in through an organization's company intranet. Users that sign in via the internet cannot bypass MFA through the Trusted IP address feature.
Virtual Machine Scale Sets provide the ability of true autoscaling, adding and removing VMs based on preset or spontaneous resource demands, which captures the powerful essence of Cloud Computing. There are two ways of scaling VMs: Scaling Up and Scaling Out. Scaling Up, sometimes referred to as scaling vertically, involves upgrading your virtual machine to a more powerful VM. Scaling Out is commonly referred to as scaling horizontally, meaning we keep the same VM size for all our VMs but instead add more VM instances to our VM Scale Set in order to service resource demand. Note that you cannot move a VM from one Availability set to another. Finally, note that you cannot convert a ZRS storage account to LRS or GRS, nor vice versa.
Azure Backup Server meets all the client requirements because it is Linux compatible, offers cloud and on-premises backup of data, can protect the necessary variety of files, and does not require any licensing fees, unlike System Center DPM.
Logic Apps provide a way to simplify and implement scalable integrations and workflows in the cloud. It provides a visual designer to model and automate your process as a series of steps known as a workflow. There are many connectors across the cloud and on-premises to quickly integrate across services and protocols. A logic app begins with a trigger (like 'When an account is added to Dynamics CRM') and after firing can begin many combinations of actions, conversions, and condition logic.
Active-passive with a hot standby
Active-passive with a cold standby
When it comes to multi-region deployments, there are different options for how you might configure things depending on your availability requirements and your budget.
If you need an extremely high level of availability, then you can use an active/passive model with hot standby. With this approach, you have another version of your solution running in a second region, and it doesn't serve up any traffic unless there's a failure in the primary region.
A variation on that is the active/active model with geo-location based request routing. This is similar to the previous option, but the solution that's running in the second region is actively serving up requests to the users who are closer to that region than the primary.
Then there's the active/passive model with cold standby, which means that there's not a solution running in a second region. Instead, it's dynamically created when the first region is unavailable. This is a great option if you want to balance the cost versus the SLA. The switchover is not going to be immediate, but with a well-defined automation plan, this is a viable option.
Blob storage consists of three types of blob accounts: block blobs, append blobs, and page blobs. Block blobs are optimized for streaming and storing cloud objects such as documents, media files, and backups.
Azure key vaults can be used to store encryption keys, passwords and other types of keys. This service also has a management process that allows for management of the lifecycle of the keys. This service is outside the boundary of the application, and also can be used as a central store for all keys.
Azure App Service consists of several app types: Web Apps, Mobile Apps, API Apps and Logic Apps. If you need to automate business processes, select the Logic Apps type.
UDP
POP
DHCP
HTTPS
To create our network rule, we need to select the Network Rule Collection tab. From here, we'll choose the option to add a network rule collection and we'll call this NetworkCollection. Again, we'll set our priority to 200 and we're going to allow our traffic. At this point, we need to define our rule under IP addresses in the Rule section. For our name, we're going to call it AllowDNS. We'll choose UDP for the protocol since DNS is UDP traffic.
Azure AD Connect Health allows you to view alerts, performance monitoring, and usage analytics for Azure AD. This information is available in the Azure AD Connect Health Portal. The other choices are incorrect.
Limiting access to a specific IP address or address range
Specifying when access via SAS token starts and ends
Limiting access to specific Azure storage containers or objects
Modifying existing SAS token permissions
Shared access signatures allow you to:
- Define the scope of access - account level (multiple Azure Storage services like queue, blob, etc) or resource level (limited to service, container, or blob)
- Define allowed actions (read, write, and delete, for example)
- Specify start and expiration time
- Specify approved IP address or address range that may use the URI
- Set approved protocols: HTTP or HTTPS
Stored Access Policies allow you to:
- Set at container level
- Modify start and expiration time
- Revoke a SAS token after it is issued
- Modify existing SAS permissions
Deploy the virtual machines in separate availability zones.
Deploy the virtual machines into separate fault domains.
Deploy the virtual machines in separate App Service plans.
Deploy the virtual machines in separate update domains.
Update domains are configured to limit the effects of server maintenance within an Azure data center. You can deploy your virtual machines in separate update domains by configuring them within an availability set.
The App Service plan provides dedicated VM resources on which your function app will reside and execute. This plan works well for function apps that will execute continuously or at least very frequently, and/or in situations where you have existing, under-utilized App Service VMs on which you could deploy a new function app.
There are five categories of Azure VM Scale Set implementations. Memory optimized VM scale sets work well for implementations requiring high memory to core ratios such as those utilizing relational database servers, medium to large caches, and in-memory analytics.
Azure Status
Azure Service Health
Azure Resource Health
Azure Policy
Azure Service Health provides a personalized view of the health of the Azure services and regions you're using. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Azure Service Health experience knows which services and resources you currently use. The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.
Instead of getting all the data from the table, the user can reduce the amount of data transferred, and hence reduce bandwidth costs, by querying only the relevant data that is required.
Inheritance factor
There are three types of factors used to authenticate a user request via multi-factor authentication (MFA):
- A knowledge factor - something the user knows.
- A possession factor - something the user owns, such as an email address or mobile device.
- An inheritance factor - something that confirms identity via a physical characteristic, such as a fingerprint or other biometric.
/26
/24
/28
/22
Azure Firewall must provision more virtual machine instances as it scales. A /26 address space ensures that the firewall has enough IP addresses available to accommodate the scaling.
If you implement the model with virtual network gateways, all VNets must be in the same region. If you implement the model with VNet peering connections, the VNets can be within different regions.
Whether the connections are made with virtual network gateways or VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.
If you implement the model with virtual network gateways, all VNets can be in different regions. If you implement the model with VNet peering connections, the VNets must be within the same region.
If you implement the model with virtual network gateways, the VNets can be within different Azure subscriptions that are associated with the same Azure tenant. If you implement the VNets with VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.
You could accomplish this network topology using VNet peering or virtual network gateways (VNG), but each option has its requirements and limitations.
- Connecting via VNet peering would require a router to be deployed in the central hub VNet, but this is not required for VNG connections.
- VNet peering works both across separate tenants and subscriptions.
- Hostname resolution is not possible for VMs connecting from different VNets through a peering connection. Azure DNS is required for these VMs to connect. However, name resolution is possible through a VNG connection.
- This type of network topology cannot span regions. All VNets must be in the same region.
Modifying the two processes so they can be performed idempotently increases the chance that the operation can be spread across multiple instances and continue in the event of an instance failure. Integrating a checkpoint mechanism would also allow the process to save its progress in stages, so that in the event of an error the process could restart from where it left off.
Notification Hub takes away most of that pain. It lets you broadcast to all platforms with a single interface. It can work both in the cloud or on-premises and includes security features like SAS, shared access secrets, and federated authentication. See the “How To” guide link for more details.
Azure Backup relies on a framework that can execute pre- and post-scripts, which ensures that the application is consistent during every backup.
The master target server is installed on-premises and handles replication data during failback from Azure. The management server you created on-premises has a master target server installed by default. However, depending on the volume of failed-back traffic, you might need to create a separate master target server for failback.
The Activity Log provides insight into the operations that were performed on resources in your subscription using Resource Manager, for example, creating a virtual machine or deleting a logic app. The Activity Log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault.
The Long-Term Backup Retention feature enables you to store your Azure SQL Database backups in an Azure Recovery Services vault for up to 10 years. This feature can be used for applications that have regulatory, compliance, or other business purposes that require you to retain the automatic full database backups beyond the 7-35 days provided by SQL Database's automatic backups.
When submitting a request for a One-time MFA Bypass code, the administrator must provide the affected user's user principal name (UPN) and registered email address.
Zone-redundant Storage
Regional redundant storage
Geo-redundant Storage
Locally redundant Storage
Geo-redundant Storage (GRS) maintains six copies of your data. With GRS, your data is replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. In the event of a failure at the primary region, Azure Storage will failover to the secondary region. GRS ensures that your data is durable in two separate regions.
Every storage account comes with 2 keys. This helps in regeneration of storage keys without any interruption. The correct sequence of events is:
- Ensure all applications use the secondary key
- Regenerate the primary key
- Move all applications back to the primary key
- Regenerate the secondary key
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key. In SQL Database the database encryption key is protected by a built-in server certificate.
Guy has two assigned roles that apply to him, where the NotActions of one role contradict the Actions of the other. So which wins?
Actions overrule NotActions, so Guy will be able to perform the read operation on all virtual machines, including those in the Production resource group.
SQL
Mongo
Gremlin
Table
There are 5 APIs available within Azure Cosmos DB (SQL, Mongo, Gremlin, Cassandra, Table). Gremlin is a graph traversal language used to interact with graph databases.
You need to have at least 2 VMs in an availability set in order to have an SLA.
53
22
25
67 and 68
SSH - 22
- SSH is also referred to as 'Secure Shell'. It operates on port number 22 of the TCP protocol. It carries out the task of remotely connecting to a remote server or host. It allows you to execute a number of commands and move your files remotely as well, and it is one of the most secure ways of accessing your files remotely. Using this port, you can remotely connect to a computer and move your files with ease. This port sends the data over the network in an encrypted form, which adds an extra layer of security. In addition to this, only authorized people will be able to remotely log on to their systems using port 22, which makes sure that the information does not get into unauthorized hands. It provides the chance to move files within networks as well as the privilege to move files between different networks securely. It operates at the Application Layer of the TCP/IP Model and is considered one of the most secure and reliable ports for accessing files remotely.
DNS - 53
- DNS is referred to as 'Domain Name System'. It operates on port 53 of the TCP and UDP protocols. DNS makes use of relational databases to link the host names of the computers or networks to their respective IP Addresses. Port 53 waits for requests from DHCP to transfer the data over the network. It operates on the Application Layer of the TCP/IP Model.
DHCP - 67, 68
- DHCP is also known as 'Dynamic Host Configuration Protocol'. It basically runs on the UDP protocol. The basic purpose of DHCP is to assign IP Address related information to the clients on a network automatically. This information may comprise the subnet mask, IP Address, etc. Many devices are automatically configured to look for IP Addresses using DHCP when they connect to a network. It makes it quite reliable to assign all the devices on a network automatically produced IP Addresses. It generally operates on the Application layer of the TCP/IP Model. DHCP basically makes use of 2 ports: Port 67 and Port 68.
Azure Functions provides two pricing plans: App Service plan and Consumption plan. The Azure Functions consumption plan is billed based on resource consumption and executions. The Consumption plan is good if compute needs are intermittent or your job times tend to be very short as it allows you to only pay for compute resources when they are actually in use.
Each Azure subscription has an Azure Active Directory. Users, groups, and applications from that directory can be granted access to manage resources in the Azure subscription that use the Resource Manager deployment model. This is referred to as Role-Based Access Control (RBAC). To manage this access, you can use the Azure portal, the Azure CLI tools, PowerShell, or the Azure Storage Resource Provider REST APIs.
The types of failovers that are supported depend on your deployment scenario.
Primary (Virtual Machine Manager) VMM site to Secondary VMM site:
- Test failover: Supported
- Planned failover: Supported
- Unplanned failover: Supported
Log Analytics
Azure Security Center is the source of the comprehensive monitoring of all the aspects of security of the virtual machine. It also provides its recommendations through Azure Advisor. Its recommendations consist of not only configuration changes but also potential partner solutions, such as web application firewalls.
Federated Trusted IPs would allow office workers to bypass MFA, and the conditional access policy will allow remote workers to log in via devices joined to Azure AD.
Basic
Standard
Premium
App Service Linux
The Standard service plan for web apps allows for up to 10 instances, auto scaling and 50 GB of disk space.
Tags can be used in templates to differentiate resources. For example, you can add a tag with a name of “Environment.” You can then assign values of “Production” to production-based instances and “Development” to development-based instances.
The dependsOn element can be used to ensure a dependency of one resource on another. In the simple example shown below, suppose you define a resource element of the type Microsoft.Network/virtualNetworks with a name of Demonw, and then define a network interface for your virtual machine. You can then use the dependsOn element to ensure the network interface gets created after the virtualNetworks resource is created.

```json
{ "type": "Microsoft.Network/virtualNetworks", "name": "Demonw" },
{ "type": "Microsoft.Network/networkInterfaces",
  "dependsOn": [ "Microsoft.Network/virtualNetworks/Demonw" ] }
```
A timer-based trigger
A webhook trigger
An event-based trigger
An HTTP trigger
An event-based trigger is ideal because the function is invoked once a file is uploaded to Azure Storage.
A Database Transaction Unit (DTU) is a blended measure of CPU, memory, and data I/O and transaction log I/O in a ratio determined by an OLTP benchmark workload designed to be typical of real-world OLTP workloads.
Enable Azure AD Identity Protection. Configure an Azure MFA registration policy requiring all users to register and enable MFA. Configure all office IP addresses as trusted IP addresses that can skip MFA.
With Azure Active Directory's Identity Protection service, you can set up registration policies that enforce your MFA requirements for all directory users. You can also set up all office IP addresses as federated (not managed) Trusted IP addresses, which will not require MFA, or administrative updates as your office IP addresses change.
The time limit set for your end-to-end recovery point objective
How often data recovery point snapshots are created
How long data recovery points are stored
The failover method Azure Site Recovery will initiate
The RPO threshold setting within Azure Site Recovery's Target Environment configuration panel controls how often data recovery point snapshots are created.
First and foremost, scale-out operations always have priority over scale-in operations. Anytime that multiple scale-out operations conflict with one another, the rule that takes precedence will be the one that initiates the largest increase in the number of instances. When it comes to scale-in conflicts, the rule that initiates the smallest decrease in the number of instances will take precedence.
If you find yourself in a situation where you need to run a WebJob on a single instance, instead of all instances, you can create a file called settings.job that contains the line you see on your screen.
```json
{ "is_singleton": true }
```
After adding the line you see on your screen to the settings.job file, save the file to the root folder for the continuous WebJob. What this will do is get your WebJob running as a single instance despite being installed on multiple instances.
A Point Query is the most efficient lookup to use and is recommended to be used for high-volume lookups or lookups requiring lowest latency.
Application rules
Network rules
Network Security Group rules
Application Security Group rules
Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.
There are three types of rule collections:
- Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
- NAT rules: Configure DNAT rules to allow incoming connections.
When considering simplicity, availability and redundancy, you should configure the service in the following way:
- Create a vault in each region, as the range of the vaults is regional.
- Enable geo-redundant storage, so that in the event of a regional outage, the data from each region is replicated to another region and will be intact.
- Create a backup policy for each vault rather than for each virtual machine, to simplify the management of the system in the likely event that scaling is necessary, or new virtual machines are created to replace any that have failed.
Azure Disk encryption can be used to encrypt the data at rest for Windows and Linux based virtual machines. This service can be used along with the Azure Key Vault which can be used to maintain the keys used for encryption purposes
System-assigned Managed Identity
User-Assigned Managed Identity
A user-assigned managed identity is a managed identity type that is a standalone resource that can be used with multiple resources, and is independent of any resource lifecycle.
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.
When fraud alerts are enabled in Azure MFA, Azure blocks access to any user accounts involved in any reported fraud alert. Administrators can unblock the account with a specific reason for the unblock request, but cannot unblock multiple accounts programmatically and then prevent accounts from being blocked in the future.
The designated approver role is related to role elevation requests within the scope of the Privileged Identity Management feature of Azure Active Directory, and would have no authorization to unblock accounts in the event of a fraud alert.
Reporting to help remove/reduce security risks
Automated detection of compromised user IDs
Enforce multi-factor authentication policy
Enable "just-in-time" role assignments
Identity Protection allows you to enforce MFA policy, automate detection of potentially compromised user credentials, and create reports to help you identify and remove or mitigate security risks. However, Identity Protection does not include 'just-in-time' role assignments. This is a feature of Privileged Identity Management, a separate service offered through Azure Active Directory.
When you clone configuration from another deployment slot, the cloned configuration is editable. Furthermore, some configuration elements will follow the content across a swap (not slot specific) while other configuration elements will stay in the same slot after a swap (slot specific). The following list shows the configuration that will change when you swap slots:
- General settings - such as framework version, 32/64-bit, Web sockets
- App settings (can be configured to stick to a slot)
- Connection strings (can be configured to stick to a slot)
- Handler mappings
- Monitoring and diagnostic settings
- WebJobs content
When creating a custom route for a routing table, there are three main values to consider. The first is the destination CIDR block for the traffic, which all custom routes require. Then there is the “next hop.” This tells Azure where to route the traffic before it gets to the destination defined above.
The available options are:
- Virtual Network
- Virtual Network Gateway
- Internet
- Virtual Appliance
- None
This service makes it easy to provide APIs that can be used by both internal developers and external partners and customers. It acts as a gateway between clients and your backend microservices. Not only does it provide an easily accessible front-end to your application, but it also handles important management tasks, such as security, monitoring, analytics, and rate limiting.
It’s easy to add an existing API to the API Management service. You only need to supply a few details, such as its name and URL. Then you can secure it and manage it.
Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG.
The types of failovers that are supported depend on your deployment scenario.
Physical server to Azure:
- Test failover: Unsupported
- Planned failover: This scenario uses continuous replication, so there's no distinction between planned and unplanned failover. You select Failover.
- Unplanned failover: NA
Azure AD Connect Health for sync can generate a report that will help identify the duplicates.
Each of these steps is required for a VNet-to-VNet connection via virtual network gateway except enabling "Allow VNet access," which is required for VNet peering configurations.
Shards
Elastic Clusters
Containers
SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources (elastic Database Transaction Units (eDTUs)) at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.
There are five categories of Azure VM Scale Set implementations. General purpose VM Scale Sets work well for implementations requiring small to medium databases and low to medium traffic Web servers.
In Access control (IAM), you can Add permissions to the resources. To assign a role to a user, you simply select the desired Role, Assign access to an Azure AD user, group, or application, Select the user from the list, and click Save.
There are several factors to keep in mind here related to requirements for a VM restore through Azure Backup.
- The storage tier of the staging location determines the storage tier of the restored VM.
- The VM in question is premium, and the only storage tier that offers premium is Local Redundant Storage.
- When your VM uses managed disks, the storage account acting as the staging location cannot have Azure Storage Service Encryption enabled at any time.
The Web Apps service in Azure App Service allows you to create deployment slots to have a separate staging environment for testing updates before they get rolled out to production. The deployment slot creates a new environment which can then be swapped with the production environment after all testing is complete.
Azure to Hyper-V site is not supported during a test failover.
One storage account for each virtual machine in a scale set.
One storage account for every two virtual machines in a scale set.
Two storage accounts for every virtual machine in a scale set.
Two storage accounts for every three virtual machines in a scale set.
If at all possible, Microsoft would like to see a one to one ratio and have a storage account for each virtual machine created in a scale set. If this is not possible, Microsoft recommends using no more than 20 VMs per storage account.
Provide the accountant with read-only access to the specific Azure Blob and File storage services with a service-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob and File services in the Azure Storage account.
Assign the accountant a contributor role access to the entire storage account using Azure AD role-based access control (RBAC).
Provide the accountant with read-only access to the specific Azure Blob and File storage services with an account-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, an account-level SAS is required because the accountant needs access to two separate services in the account. You do not have the information needed to create a guest or contributor account to control the accountant's access, but you can add controls that require requests to be sent over HTTPS, and you can also restrict the specific read/write actions the token permits.
Active-passive with a hot standby
Active-passive with a cold standby
When it comes to multi-region deployments, there are different options for how you might configure things depending on your availability requirements and your budget.
If you need an extremely high level of availability, then you can use an active/passive model with hot standby. With this approach, you have another version of your solution running in a second region, and it doesn't serve up any traffic unless there's a failure in the primary region.
A variation on that is the active/active model with geo-location based request routing. This is similar to the previous option, but the solution that's running in the second region is actively serving up requests to the users who are closer to that region than the primary.
Then there's the active/passive model with cold standby, which means that there's not a solution running in a second region. Instead, it's dynamically created when the first region is unavailable. This is a great option if you want to balance the cost versus the SLA. The switchover is not going to be immediate, but with a well-defined automation plan, this is a viable option.
Once the timeout has elapsed, the load balancer marks the VM as unhealthy and stops sending requests to it.
The types of failovers that are supported depend on your deployment scenario.
Azure to VMM site:
- Test failover: Unsupported
- Planned failover: Supported
- Unplanned failover: Unsupported
Connection Troubleshoot
IP Flow Verify
Connection Monitor
Traffic Analytics
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint. For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet.
The App Service plan provides dedicated VM resources on which your function app will reside and execute. This plan works well for function apps that will execute continuously or at least very frequently, and/or in situations where you have existing, under-utilized App Service VMs on which you could deploy a new function app.
It is important to understand the pros and cons of the various operating systems that can run on a VM. For Microsoft Windows VMs, the license is built in and included as part of the cost of the VM, which saves money. For deployment, there are slight differences between Windows and Linux VMs, primarily concerning how the connection to the VM itself is made. Linux authentication is also slightly different in that there are two options for the Authentication type, whereas Windows offers just one authentication method.
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
When you have multiple forests, there can be users in each forest with the same attributes. The recommendation is to consolidate the information and use Azure AD Connect. When carrying out the synchronization, it can be done by matching the email addresses and consolidating the information.
The Active Directory Federation Services agent shows alerts, monitoring, and usage analytics of AD Federation Service. An Azure Active Directory Domain Services agent shows all of the AD Domain Services forests and the Azure AD Connect Sync agent shows the Azure AD Connect servers that are being monitored.
Pricing Calculator
Total Cost of Ownership (TCO) Calculator
Azure Advisor
Azure Cost Management Tool
The Pricing Calculator tool is an excellent online tool to assist in estimating your Azure costs. This tool allows you to select and estimate the costs of deploying resources to Azure. Of course, to generate the best cost estimate, you’ll need to know exactly what resources you plan to deploy to Azure and their compute and storage requirements.
First and foremost, scale-out operations always have priority over scale-in operations. Anytime that multiple scale-out operations conflict with one another, the rule that takes precedence will be the one that initiates the largest increase in the number of instances. When it comes to scale-in conflicts, the rule that initiates the smallest decrease in the number of instances will take precedence.
A recovery service vault with Azure Backup
A vault with Azure Key Vault
An alarm in Azure Monitor
A resource policy with Azure Policy
If you use snapshots on blobs, monitor the snapshots and delete those which are outdated or no longer needed. An even better way to avoid the costs associated with snapshots is to implement a comprehensive backup solution by deploying an Azure Recovery Vault.
Azure Functions provides many types of triggers. Some examples include:
- The EventHubTrigger responds to events delivered to an Azure Event Hub. It is particularly useful in application instrumentation, user experience or workflow processing, and Internet of Things (IoT) scenarios.
- The HTTPTrigger triggers the execution of your code by using an HTTP request.
- The QueueTrigger responds to messages as they arrive in an Azure Storage queue.
- The BlobTrigger processes Azure Storage blobs when they are added to containers. You might use this trigger for image resizing.
The Azure Cosmos DB SQL API database implementation differs from traditional relational database or SQL techniques. It is a NoSQL database that enables storing unstructured and heterogeneous data at scale, which is why NoSQL databases are often used in modern cloud applications.
Azure AD Connect Health allows you to monitor both Azure and on-premises resources by deploying specialized agents. MFA is responsible for ensuring secure user login. RBAC controls users' access to resources, and there is no such thing as Azure AD Health Monitor.
WebJobs is a feature of Azure App Service that enables you to run a program or script in the same context as a web app, API app, or mobile app, but as a separate process. And using App Services will minimize management, and web apps support deployment slots, allowing for deployment promotion.
Azure Site Recovery can replicate the data on the virtual machines to another environment, emulating a failover environment that can be switched to immediately. With Azure Backup, it can take time to restore the backup and get a working solution in case of a disaster.
Azure Status
Azure Service Health
Azure Resource Health
Azure Monitor
Azure Status is a global view of the health of all Azure services across all Azure regions. The status page is a good reference for incidents with widespread impact, but we strongly recommend that current Azure users leverage Azure Service Health to stay informed about Azure incidents and maintenance.
Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob storage service in the Azure Storage account.
Provide the accountant with read-only access to the specific Azure Blob container with a user-delegation shared access signature token to expire at the end of the business day. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, Azure Storage's Shared Access Signature (SAS) is the best tool to provide limited, authorized access to the necessary blob resources. Remember, SAS allows two levels of access: service-level, which limits access to one type of storage within the Azure storage account, such as Blob, Table, Queue or File storage, and account level, which provides access to all storage types in a single account. The service level also allows you to limit access to specific containers, or even specific blobs, and control the actions that can be performed on the blobs by selecting approved common permission types such as read, write, list, or process.
You cannot provide a user-delegated SAS in this case because you do not know if the accountant has Azure AD credentials, which are required for this type of SAS.
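Both SAS questions above come down to how the token is scoped: which services (ss), which resource types (srt), which permissions (sp), how long it lives (se), and whether plain HTTP is accepted (spr). The following is an added example, not code from the original page or from Microsoft's SDKs; it builds an account-level SAS by hand from the documented string-to-sign (account name, permissions, services, resource types, start, expiry, IP, protocol, version, each followed by a newline, HMAC-SHA256 with the base64-decoded account key), verifies a presented token, and reviews a token against the controls the explanations call for. The account name and key are constructed test values, and the review thresholds (read/list only, blob and file only, 24-hour lifetime) are assumptions chosen to match the accountant scenario.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Constructed sample credentials: hypothetical account, fixed test key (not a real key).
ACCOUNT_NAME = "contosofinance"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode("ascii")
SAS_VERSION = "2018-11-09"
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Fixed "current time" and expiry so the review below is deterministic (constructed).
SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY = "2024-01-01T18:00:00Z"   # end of the business day


def _string_to_sign(account, permissions, services, resource_types,
                    start, expiry, ip, protocol, version):
    """Account SAS string-to-sign: nine newline-separated fields plus a trailing newline."""
    return "\n".join([account, permissions, services, resource_types,
                      start, expiry, ip, protocol, version]) + "\n"


def _sign(account_key, string_to_sign):
    key = base64.b64decode(account_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_account_sas(account_name, account_key, *, services, resource_types,
                     permissions, expiry, start="", ip="", protocol="https",
                     version=SAS_VERSION):
    """Build an account-level SAS query string; the account key never leaves this function."""
    sig = _sign(account_key, _string_to_sign(account_name, permissions, services,
                                             resource_types, start, expiry, ip,
                                             protocol, version))
    params = {"sv": version, "ss": services, "srt": resource_types,
              "sp": permissions, "se": expiry, "spr": protocol}
    if start:
        params["st"] = start
    if ip:
        params["sip"] = ip
    params["sig"] = sig
    return urlencode(params)


def verify_account_sas(token, account_name, account_key):
    """Recompute the signature from the token's own fields; any tampered field fails."""
    q = dict(parse_qsl(token))
    expected = _sign(account_key, _string_to_sign(
        account_name, q.get("sp", ""), q.get("ss", ""), q.get("srt", ""),
        q.get("st", ""), q.get("se", ""), q.get("sip", ""), q.get("spr", ""),
        q.get("sv", "")))
    return hmac.compare_digest(expected, q.get("sig", ""))


def review_account_sas(token, now, needed_services="bf", max_hours=24):
    """Return policy findings for a token; an empty list means it meets the controls."""
    q = dict(parse_qsl(token))
    findings = []
    if q.get("spr") != "https":
        findings.append("token accepts plain HTTP (spr should be https)")
    if set(q.get("sp", "")) - set("rl"):
        findings.append("token grants more than read/list permissions")
    if set(q.get("ss", "")) - set(needed_services):
        findings.append("token covers services beyond " + needed_services)
    try:
        expiry = datetime.strptime(q["se"], _TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        findings.append("token has no parseable expiry")
        return findings
    if expiry - now > timedelta(hours=max_hours):
        findings.append("token lifetime exceeds %d hours" % max_hours)
    return findings


if __name__ == "__main__":
    token = make_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, services="bf",
                             resource_types="sco", permissions="rl",
                             expiry=SAMPLE_EXPIRY)
    print(token)
    print("valid:", verify_account_sas(token, ACCOUNT_NAME, ACCOUNT_KEY))
    print("findings:", review_account_sas(token, SAMPLE_NOW))
```

The review function is the part worth keeping: because every field is covered by the signature, a client cannot widen sp or ss on its own, so the controls are decided entirely by whoever mints the token, and a minting service should refuse to issue anything the review would flag.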
Availability zones are physically separate locations within a region. They are not available in all regions, but in regions where they are available, deploying VM replicas to separate regions will ensure your system will remain available in the event a data center fails.
Recovery plans can be used to define groups of machines that fail over together and then start up together; model dependencies between machines; and run a failover.
Queries return multiple entities in PartitionKey and RowKey order. To avoid re-sorting entities, choose a RowKey that defines the most common sort order.
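The catch with the advice above is that keys sort as strings, not as numbers or dates, so a RowKey only yields the order you want if it is built for lexicographic comparison. The following is an added example, not code from the original page, showing the usual patterns: zero-padded numeric keys, and a "newest first" RowKey built from inverted .NET ticks (DateTime.MaxValue.Ticks minus the entity's ticks) so that the most recent log entries come back first without a client-side sort. The log records and timestamps are constructed, and the key validator encodes the characters Table storage does not allow in PartitionKey or RowKey.

```python
from datetime import datetime, timezone

# .NET DateTime.MaxValue.Ticks; ticks are 100-nanosecond intervals since 0001-01-01.
MAX_TICKS = 3155378975999999999
_TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
# Characters Table storage rejects in PartitionKey/RowKey, plus C0/C1 control characters.
_FORBIDDEN = set("/\\#?")


def to_ticks(when):
    """Exact integer tick count for an aware datetime (avoids float precision loss)."""
    delta = when - _TICKS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def newest_first_rowkey(when):
    """19-digit zero-padded inverted ticks: later timestamps sort first."""
    return "{:019d}".format(MAX_TICKS - to_ticks(when))


def padded_rowkey(number, width=10):
    """Numeric keys must be zero-padded, otherwise '10' sorts before '2'."""
    return "{:0{w}d}".format(number, w=width)


def is_valid_key(key):
    """True if the key avoids the forbidden characters and control characters."""
    return all(ch not in _FORBIDDEN and not (ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F)
               for ch in key) and len(key.encode("utf-8")) <= 1024


def order_log_entries(entries):
    """Assign RowKeys to (timestamp, message) tuples and return them in key order."""
    keyed = [(newest_first_rowkey(ts), msg) for ts, msg in entries]
    return sorted(keyed)   # this is the order a range query over the partition returns


# Constructed sample audit-log entries (not real data).
SAMPLE_ENTRIES = [
    (datetime(2024, 3, 1, 8, 0, 0, tzinfo=timezone.utc), "user alice signed in"),
    (datetime(2024, 3, 1, 8, 5, 30, tzinfo=timezone.utc), "role assignment changed"),
    (datetime(2024, 3, 1, 8, 5, 30, 500, tzinfo=timezone.utc), "key vault secret read"),
]

if __name__ == "__main__":
    for key, msg in order_log_entries(SAMPLE_ENTRIES):
        print(key, msg)
```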
For premium storage accounts, the only replication option available is LRS. The significance of this is that you need to look for other means of replicating your data to protect against a site outage.
If you want to set up a routing policy so that different endpoints work as an active-passive failover scenario, then you can use the Priority based routing. Here you would define the US endpoint having a priority of 1 and the endpoint in Europe having a priority of 2.
Conditional Access allows you to restrict access to devices and applications based on predefined rules. RBAC only controls user access to resources. MFA deals with authenticating user sign-in, and Azure AD Connect is a tool for Synchronizing On-premises Identity with Azure AD and monitoring.
Identity Protection and Privileged Identity Management require Azure AD Premium P2 Edition. Azure AD Connect Health is an Azure AD Premium P1 feature, while group-based access management and provisioning is a feature enabled at the Basic tier.
Merge is not supported because encryption may have occurred with different keys. Simply merging the new properties will result in data loss.
Inbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 20 Action: Deny
Inbound Rule Source: 10.0.1.0/16 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 0.0.0.0/0 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 20 Action: Deny
The correct NSG rule configuration is:
- Inbound Rule
- Source: 0.0.0.0/0
- Source Port: *
- Destination: 10.0.3.4
- Destination Port: *
- Protocol: ANY
- Priority: 4096
- Action: Deny
Azure Status
Azure Service Health
Azure Resource Health
Azure Policy
Azure Service Health provides a personalized view of the health of the Azure services and regions you're using. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Azure Service Health experience knows which services and resources you currently use. The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.
Read-access geo-redundant storage replicates your data to a second geographic location and also provides read access to your data in the secondary location. Read-access geo-redundant storage allows you to access your data from either the primary or the secondary location in the event that one location becomes unavailable. Read-access geo-redundant storage is the default replication option when you create a storage account.
Blob storage consists of three types of blobs: block blobs, append blobs, and page blobs. Append blobs are optimized for append operations, in which data updates occur by adding a new block to the end. A log data entry is one such example.
The Activity Log provides insight into the operations that were performed on resources in your subscription using Resource Manager, for example, creating a virtual machine or deleting a logic app. The Activity Log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault.
Azure Disk Encryption can be used to encrypt data at rest for Windows and Linux based virtual machines. This service can be used along with Azure Key Vault, which maintains the keys used for encryption.
With role-based access controls (RBAC), the permissions applied at a certain scope apply to all child resources within that scope. This means a subscription owner also has owner permissions for all resource groups and resources within the subscription.
As such, both Guy and Thomas could complete the task required in the question below.
Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG.
Inbound Rule Source: 10.0.1.6 Source Port: * Destination: 10.0.2.5 Destination Port: 443 Protocol: TCP Priority: 100 Action: Allow
Inbound Rule Source: 10.0.2.5 Source Port: 80 Destination: 172.16.50.35 Destination Port: * Protocol: UDP Priority: 100 Action: Allow
Inbound Rule Source: 10.0.1.6 Source Port: * Destination: 10.0.3.4 Destination Port: 8080 Protocol: TCP Priority 5000 Action: Allow
Inbound Rule Source: 10.0.2.5 Source Port: * Destination: 10.0.3.4 Destination Port: 443 Protocol: HTTPS Priority: 9999 Action: Allow
The correct rule parameters are:
- Inbound Rule
- Source: 10.0.1.6
- Source Port: *
- Destination: 10.0.2.5
- Destination Port: 443
- Protocol: TCP
- Priority: 100
- Action: Allow
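Both NSG questions above are answered by the same evaluation model: rules are tried in ascending priority number, the first match wins, custom priorities run 100-4096, the protocol field is TCP, UDP, ICMP or Any (never an application protocol such as HTTPS), and the built-in DenyAllInBound at 65500 catches anything no earlier rule allowed. The following is an added example, not code from the original page or from Azure itself, that encodes those semantics and checks the candidate rules from both questions against sample flows. The VNet address space used to expand the VirtualNetwork service tag is an assumption, and the default rule set is reduced to AllowVnetInBound and DenyAllInBound (the AzureLoadBalancer rule is left out for brevity).

```python
import ipaddress

# Constructed assumption: the VNet address space behind the VirtualNetwork service tag.
VNET_CIDR = ipaddress.ip_network("10.0.0.0/16")
VALID_PROTOCOLS = {"TCP", "UDP", "ICMP", "ANY"}

# Azure's default inbound rules, modelled with their fixed priorities (65000+ cannot be removed).
DEFAULT_INBOUND = [
    dict(direction="Inbound", source="VirtualNetwork", source_port="*",
         destination="VirtualNetwork", destination_port="*", protocol="ANY",
         priority=65000, action="Allow"),
    dict(direction="Inbound", source="*", source_port="*", destination="*",
         destination_port="*", protocol="ANY", priority=65500, action="Deny"),
]


def rule(direction, source, source_port, destination, destination_port,
         protocol, priority, action):
    """Validate and normalise one custom NSG rule; raises ValueError for bad values."""
    protocol = protocol.upper().replace("*", "ANY")
    if protocol not in VALID_PROTOCOLS:
        raise ValueError("NSG rules match on TCP/UDP/ICMP/Any, not %r" % protocol)
    if not 100 <= priority <= 4096:
        raise ValueError("custom rule priority must be 100-4096, got %d" % priority)
    if action not in ("Allow", "Deny"):
        raise ValueError("action must be Allow or Deny")
    return dict(direction=direction, source=source, source_port=source_port,
                destination=destination, destination_port=destination_port,
                protocol=protocol, priority=priority, action=action)


def is_valid_rule(*args):
    """True if rule(*args) would be accepted; used to screen multiple-choice options."""
    try:
        rule(*args)
        return True
    except ValueError:
        return False


def _ip_matches(spec, ip):
    if spec in ("*", "0.0.0.0/0"):
        return True
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(ip) in VNET_CIDR
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, src, sport, dst, dport, protocol):
    """Return (action, priority) of the first matching rule in priority order."""
    protocol = protocol.upper()
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction or r["protocol"] not in ("ANY", protocol):
            continue
        if (_ip_matches(r["source"], src) and _port_matches(r["source_port"], sport)
                and _ip_matches(r["destination"], dst)
                and _port_matches(r["destination_port"], dport)):
            return r["action"], r["priority"]
    return "Deny", None   # not reached while DenyAllInBound is present


if __name__ == "__main__":
    allow_443 = rule("Inbound", "10.0.1.6", "*", "10.0.2.5", "443", "TCP", 100, "Allow")
    print(evaluate([allow_443] + DEFAULT_INBOUND,
                   "Inbound", "10.0.1.6", 51000, "10.0.2.5", 443, "TCP"))
    deny_all_to_host = rule("Inbound", "0.0.0.0/0", "*", "10.0.3.4", "*", "ANY", 4096, "Deny")
    print(evaluate([deny_all_to_host] + DEFAULT_INBOUND,
                   "Inbound", "10.0.2.9", 40000, "10.0.3.4", 22, "TCP"))
```

Two of the distractor options fall out at validation time rather than at evaluation time: "Protocol: HTTPS" is not an NSG protocol, and priorities 5000 and 9999 are outside the custom range. The deny rule at 4096 works because 4096 is still lower than the 65000 AllowVnetInBound default, which is the detail that makes a block-everything-to-one-host rule effective.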
Each of these steps is required for a VNet-to-VNet connection via virtual network gateway except enabling "Allow VNet access," which is required for VNet peering configurations.
Notification Hub takes away most of that pain. It lets you broadcast to all platforms with a single interface. It can work both in the cloud or on-premises and includes security features like SAS, shared access secrets, and federated authentication. See the “How To” guide link for more details.
Azure Backup relies on a framework that can execute pre- and post-scripts, which ensures that the application is consistent during every backup.
If you find yourself in a situation where you need to run a WebJob on a single instance, instead of all instances, you can create a file called settings.job that contains the line you see on your screen.
{ "is_singleton": true }
After adding the line you see on your screen to the settings.job file, save the file to the root folder for the continuous WebJob. What this will do is get your WebJob running as a single instance despite being installed on multiple instances.
Azure Status
Azure Service Health
Azure Resource Health
Azure Security Center
Azure Resource Health helps you diagnose and get support when an Azure service problem affects your resources. It informs you about the current and past health of your resources. And it provides technical support to help you mitigate problems.
The Geographic Traffic Manager routing method allows users to be directed to specific endpoints (Azure, External or Nested) based on the geographic location from which their DNS query originates.
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.
Allow or deny inbound and outbound traffic to or from specific IP addresses
Allow or deny inbound and outbound traffic to or from IP address ranges
Allow or deny inbound traffic to or from specific domain names
Control traffic in and out of an entire virtual network
Network security groups, or NSGs for short, are an Azure firewall technology that implements stateful packet inspection with some simple inbound and outbound rules to deny or allow connections based on a few properties. These include the source IP address and port, the destination IP address and port, and the protocol, whether it's TCP or UDP. The source IPs and destination IPs can either be individual IPs or ranges of IPs. You can attach a network security group to a virtual network subnet, or to a network interface card (NIC).
The advantage of using Azure Firewall is that it’s more feature-rich. For example, you can tell it to allow outbound traffic only to certain domain names. NSGs can’t do that. They only allow you to specify IP addresses, not entire domains. An Azure Firewall is centralized, so it works across virtual networks and even across subscriptions.
Low-priority VMs are cheaper, but can be terminated at any time by Azure. They are ideal for this type of use case, but not to support applications that must persist reliably and be highly available.
Use Azure AD Connect's password hash synchronization (PHS).
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead.
- The OS disk should be basic, and not dynamic. The data disk can be dynamic.
- One can't replicate virtual machines with encrypted disks, or virtual machines with UEFI/EFI boot.
- Storage and network accounts must be in the same region as the vault
- The host name should be 15 characters or less
Azure AD Connect Health for sync can generate a report that will help identify the duplicates.
Azure App Service consists of several app types: Web Apps, Mobile Apps, API Apps and Logic Apps. If you need to automate business processes, select the Logic Apps type.