Learn Azure Administration

By: Kamil Mrzygłód

Overview of this book

Microsoft Azure is one of the upcoming cloud platforms that provide cost-effective solutions and services to help businesses overcome complex infrastructure-related challenges. This book will help you scale your cloud administration skills with Microsoft Azure. Learn Azure Administration starts with an introduction to the management of Azure subscriptions, and then takes you through Azure resource management. Next, you'll configure and manage virtual networks and find out how to integrate them with a set of Azure services. You'll then handle the identity and security for users with the help of Azure Active Directory, and manage access from a single place using policies and defined roles. As you advance, you'll get to grips with recipes to manage a virtual machine. The next set of chapters will teach you how to solve advanced problems such as DDoS protection, load balancing, and networking for containers. You'll also learn how to set up file servers, along with managing and storing backups. Later, you'll review monitoring solutions and backup plans for a host of services. The last set of chapters will help you to integrate different services with Azure Event Grid, Azure Automation, and Azure Logic Apps, and teach you how to manage Azure DevOps. By the end of this Azure book, you'll be proficient enough to easily administer your Azure-based cloud environment.
Table of Contents (15 chapters)

  • Section 1: Understanding the Basics
  • Section 2: Identity and Access Management
  • Section 3: Advanced Topics

Assigning an Azure blueprint

When making an assignment, you will see a screen where you will have to provide the following:

  • Subscription(s): This means which subscriptions this particular blueprint should be assigned to.
  • Assignment name: As the same blueprint can be assigned to multiple subscriptions, you have to give the assignment a unique name to avoid confusion.
  • Location: When deploying resources, a blueprint requires a Managed Identity to authenticate the operation. This field allows you to set the location where credentials will be stored.
  • Blueprint definition version: If your blueprint has more than one version, you can select the one you are interested in here.

Besides the preceding settings, you will also have to decide whether Lock Assignment should be enabled or not. Locking artifacts created via Azure Blueprints makes sense when you consider that they are governed by an administrator, not the resource owner. To make a long story short, the scenarios are as follows:

  • When a lock is assigned, even a subscription owner cannot change/delete a resource. This ensures that it works exactly as assumed and planned.
  • The lock cannot be removed without removing a blueprint assignment.

An example setup for a blueprint assignment could look like this:

Figure 1.20 - Assign blueprint form

As Azure Blueprints is quite a new service, it is constantly enhanced to provide functionality expected in the market. It is a great tool for ensuring a certain level of compliance and will be used mostly in heavily regulated environments. When adding artifacts to a blueprint definition, you have four different artifacts available:

  • Policy assignment
  • Role assignment 
  • Azure Resource Manager template
  • Resource group

By using each artifact, you can create a complex definition that will ease the process of deployment and setting up resources. Let's think about the following scenario—I would like to make sure that both Azure App Services and Azure Functions are deployed with HTTPS Only enabled. Additionally, I want to assign a specific user with a specific role to each deployment. Last but not least, I want to deploy a resource group with an ARM template, which creates a storage account. My current setup looks like this:

Figure 1.21 - Blueprint artifact parameters

Note the following:

  • You do not have to enter all parameters during the process of creating a blueprint—they can be evaluated while creating a deployment.
  • When using the resource group artifact type, each deployment covered by a blueprint will create additional resources defined by it. Using it makes the most sense when attaching an ARM template with extra resources (such as a custom monitoring solution, shared storage, or other similar elements).

To test an assigned blueprint, you can do the following:

  1. Deploy a new function app called azureblueprint inside a resource group called blueprint-euw-rg. You should see a similar result to mine, shown in the following screenshot:

Figure 1.22 - The result of running a blueprint with an additional resource group created

  2. Besides the declared resource group, Azure Blueprints created an additional group called azureadministration-euw-rg (the name comes from the parameter passed to the definition, which creates a resource group). This extra resource group contains a storage account with a generated unique name, which I can use for any purpose:

Figure 1.23 - The storage account automatically created by a blueprint

  3. Let's check other resource assignments. One of the rules of my blueprint was to assign a user with a particular role (check the role assignment artifact in Figure 1.24). A quick look at the IAM blade gives the expected result:

Figure 1.24 - Role assignment automatically created by a blueprint

  4. The last thing to check is that the extra two policies were created. To do so, I go to the Policies blade in my subscription:

Figure 1.25 - Policies blade

From that, you can clearly see that I have additional policies added to the previous ones (Audit HTTPS only access for a Function / Web App):

Figure 1.26 - Azure policies with compliance status

Policies allow for a certain level of inertia: even if somebody managed to create a forbidden resource, very often you do not have to act immediately. The preceding screen (Figure 1.26), however, lets you quickly check whether the compliance level has fallen below the assumed level.

With the preceding information, you should be able to enhance your current administration tasks and automate many activities, such as user assignments or mandatory resource provisioning. When working with Azure Blueprints, remember the following rules:

  • Name the assignments uniquely to avoid collisions.
  • Use the versioning feature of Azure Blueprints to introduce breaking changes without breaking current assignments.
  • Use Lock Assignments to ensure that no one can mess with artifacts deployed by a blueprint. The only thing to remember is the feature inertia—Resource Manager may need up to 30 minutes to finish propagating locks for the artifacts.
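The assignment form fields and the rules above can be checked before an assignment is submitted. The following is an added example, not code from the book: it builds assignment bodies in the shape of the Blueprint assignment REST resource (identity, location, versioned blueprint ID, lock mode, parameters, resource groups) and reviews a batch of them. The blueprint name, assignment names, parameter name, and subscription IDs are hypothetical placeholders.

```python
import json

# Values accepted by properties.locks.mode in an assignment body.
LOCK_MODES = {"None", "AllResourcesReadOnly", "AllResourcesDoNotDelete"}

def build_assignment(name, sub_id, blueprint, version, location, lock_mode,
                     parameters, resource_groups):
    """Return (name, body) for an assignment pinned to one published version."""
    if lock_mode not in LOCK_MODES:
        raise ValueError(f"unknown lock mode: {lock_mode}")
    blueprint_id = (f"/subscriptions/{sub_id}/providers/Microsoft.Blueprint"
                    f"/blueprints/{blueprint}/versions/{version}")
    return name, {
        "identity": {"type": "SystemAssigned"},  # identity that runs the deployment
        "location": location,                    # region of that identity
        "properties": {
            "blueprintId": blueprint_id,
            "locks": {"mode": lock_mode},
            "parameters": {k: {"value": v} for k, v in parameters.items()},
            "resourceGroups": resource_groups,
        },
    }

def review(assignments):
    """Check (name, body) pairs against the rules listed above; return findings."""
    findings, seen = [], set()
    for name, body in assignments:
        props = body.get("properties", {})
        if name.lower() in seen:  # names compared case-insensitively (assumption)
            findings.append(f"{name}: duplicate assignment name")
        seen.add(name.lower())
        if "/versions/" not in props.get("blueprintId", ""):
            findings.append(f"{name}: blueprint version not pinned")
        if props.get("locks", {}).get("mode", "None") == "None":
            findings.append(f"{name}: artifacts are not locked")
        if not body.get("identity") or not body.get("location"):
            findings.append(f"{name}: managed identity or location missing")
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder subscription IDs, hypothetical names.
    rg = {"storageRG": {"name": "azureadministration-euw-rg", "location": "westeurope"}}
    good = build_assignment("web-baseline-prod", "00000000-0000-0000-0000-000000000001",
                            "secure-web-baseline", "1.0", "westeurope",
                            "AllResourcesReadOnly", {"storagePrefix": "azadm"}, rg)
    weak = build_assignment("web-baseline-prod", "00000000-0000-0000-0000-000000000002",
                            "secure-web-baseline", "1.0", "westeurope", "None", {}, rg)
    print(json.dumps(good[1], indent=2))
    print(review([good, weak]))
```

Running the script prints the body for the locked assignment and two findings for the second one: a reused assignment name and unlocked artifacts.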

Azure Blueprints is one of the best tools when it comes to managing subscriptions and resources at an enterprise level. The next topic we will cover will guide you through the process of usage and quotas management.