AZ-104 Microsoft Azure Administrator Associate Certification SUPER Study Cram

Reddit Comments

10/10 as usual

👍 14 · u/4604Spartan117 · Nov 02 2021

I passed AZ-104 after watching a few of your videos. Love that there is a condensed tailored version I can give my team now.

Your stuff is consistently the best Azure content available. Thanks so much for what you do, John.

👍 20 · u/brokerceej · Nov 02 2021

Love the exam cram videos you do, used yours for AZ-900 and almost ready for AZ-104, so this came in at the perfect time! Thanks

👍 5 · u/Tyche- · Nov 02 2021

Spot on dude. Been doing the 104 slowly but need to take the plunge before baby #1 arrives. This might just be the push I need.

👍 4 · u/timmehb · Nov 02 2021

Love your content John! Helped me get through AZ-104 and AZ-303/304.

👍 3 · u/jpanda206 · Nov 02 2021

I'm taking this in about 6 weeks, so this is perfectly timed! Can't wait to give it a blast

👍 3 · u/slaggadocio · Nov 02 2021

Great stuff. Timing is awesome, too since I need to renew by the end of the month!

👍 2 · u/Ciovala · Nov 02 2021

Fuck, I needed something like this for Sunday. I had a test Monday, and I couldn't find it on my dashboard for some reason and just missed it. Does Microsoft have any of those coupon days again?

👍 2 · u/Weall23 · Nov 02 2021

Thanks John!! I appreciate what you do for the Azure community.

👍 2 · u/areddit00 · Nov 02 2021

Captions
Hey everyone, welcome to this AZ-104, the Microsoft Azure Administrator, study cram video. With the recent changes to the curriculum, and the fact that the Azure Administrator cert is now half of the journey to the Azure Architect, I thought this would be a good time to actually create a study cram for this. As always, if this is useful, a like, subscribe, comment and share really is appreciated. Make sure you hit that bell icon to get notified of new content.

Now I want to stress my goals for this video are to go over the key technical knowledge areas. This cannot be your only study. Now some people like to watch my exam crams at the start of their study, then they go through other materials, then watch it just before the exam. Some will just watch it before the exam. Whatever works for you. Remember I have chapters all along the bottom of this video and in the description, so you can jump to certain areas of the cram if that's what you're interested in. You can come back and watch it at different times.

If we actually go and quickly look at kind of the curriculum for this: make sure you're familiar with this site, make sure you go and look and understand, okay, what's in it. You can go and schedule from this site. It tells you about skills measured, and what you definitely want to do is look at the exam skills outline. What ideally we want to be able to do is tick off for each one of these, saying yep, okay, I understand that, yes, I can do that. What's really, really important for this is you need to really have kind of that hands-on. So you're not going to get this just by, I think, reading materials or watching videos. You actually want to go and get some hands-on experience with this. If you look at the Microsoft Learn modules in that site I just showed, so as part of this site, down the bottom there's a whole bunch of free Learn modules. I would definitely, definitely go through those; they actually have some step-by-steps to go and do things in terms of actually getting that hands-on.

I have created kind of a study list of a lot of my other videos, and there's one called Learn Azure in 2021, and that video, if you read the description, actually has a bunch of links to getting free subscriptions and other things as well. The nice thing about this cert is most of the things we talk about are not really expensive resources. You can go and create these things pretty much for free to go and try these things out: storage accounts, resource groups, subscriptions, even things like a VM. With the free plan there's a certain amount of free VMs; make sure you stop it. I can really do a lot of this study without having to really spend money. So I would go through the Microsoft Learn. I also have kind of my Azure Master Class, so this would really set you up in kind of a good place. I think it's about, I don't know, 20 hours of content, and I cover a lot of that. So if you partnered that with the Microsoft Learn modules, I think you'd be good. The GitHub repo for that master class has all the sample files, but also has links to deeper-dive videos I've done about particular aspects. So if you're struggling with one aspect, you could go to this GitHub and watch those videos. And I have prepared this kind of AZ-104 study list, where it includes the master class videos, but it also includes some other videos that I think complement it towards the AZ-104. I've got one about using the pricing calculator, AD and Azure AD, different types of identity, admin units, RBAC, Azure disaster recovery, so this is a bit more detail. Sometimes I branch into one of my DevOps master classes about containers, so you can get more knowledge about that as well. So there's a bunch of fantastic resources to help you be successful. Go and use them all; everything I'm talking about here is completely free.

So with that, let's actually get going and start going through the content. Now the start of everything is identity, and when we think about the cloud then it's really Azure Active Directory. So we have this Azure AD thing, and that is the identity provider for the cloud services. Now it speaks cloud protocols. This is an important thing to understand. So when I think about the cloud, well, it's things like OpenID Connect, things like SAML, things like WS-Fed, and then for authorization, well, there's things like OAuth 2. So Azure AD just speaks all of those things, and what's nice about these is they're designed really for the internet, because all of these essentially function over HTTPS, i.e. they work really nicely over the internet. Now if I'm an application and I actually want to go and talk to it, well, there's kind of these RESTful APIs, which again operate over that HTTPS. For example, there's Microsoft Graph, which is a great way programmatically I can go and talk to Azure AD. And what we then have is, from this, a whole bunch of services can trust it. So if I have this Azure AD, well, you might have a whole bunch of kind of SaaS applications, software as a service, that can use Azure AD for their identity provider. Things like Azure, things like Office 365, well, they use it for their identity provider. So it's really a big piece of what we're doing.

Now the name is Azure AD. This is not the same as Active Directory we have on premises, and this is very important to understand. So if I think about Active Directory on premises, regular Active Directory, that would run on your network, so I had a lot of free-flowing kind of communications. This would speak things like Kerberos, that's a different way I can kind of authenticate; it would speak things like NTLM; it would use things like LDAP to go and actually programmatically talk to it. So it's a completely different set of protocols that really wouldn't work well on the internet. Now AD has its own set of capabilities. It has like this organizational unit structure, so I can have these nice nested components. But Azure AD is not AD in the cloud. There are no domain controllers in Azure AD. I probably have identities, I might have groups for my employees in the company, and what is very, very common is you actually use something called Azure AD Connect, or Azure AD Connect cloud sync, to replicate objects into my Azure AD. So this is where the Active Directory is the source of truth. It's where I make changes to the objects, but I can essentially make them available in the Azure AD. But it's pretty much always that flow; I can't create the object in Azure AD and replicate it back to AD. It's flowing in that direction. So that's super common. So we have these, then services can trust the Azure AD and use that.

Now when I use Azure AD, what I will actually get for my company is I will get a particular tenant. Let's just do this white color. I will get a tenant, so that's kind of an instance of Azure AD, and there's like a default name that you'll get, and then I can add custom domains. For example, mine might be savilltech.net, so I'm going to add custom domains to that Azure AD. And we can see this. So if I jump over quickly, actually close some of these down, very quick, don't need those there anymore. If I was to just go and look at my Azure Active Directory, we can see, okay, this is my basic Azure AD. I can see I've got kind of my primary domain name here that I've added, savilltech.net, but if I was to go down the Manage menu, I can actually from here go to Custom domain names. You can see by default it has this onmicrosoft.com name, but then you can go and add your own custom one. Now when you add the custom one, you have to go through a validation exercise, but then, hey, I can create users and use that domain.

Now it's really important to understand Azure AD does not live in a subscription. We'll talk about subscriptions, but Azure Active Directory actually lives outside of the subscription. In fact, what actually happens is subscriptions will trust a particular Azure AD instance. So from right here, if you notice, what I can see is for my subscription, this dev subscription, it's telling me the directory it trusts, so that's savilltech.net, and you'll also notice there's the ability to change the directory. So when we think about the relationship, Azure AD lives outside any subscription. Then when we create subscriptions, kind of this idea here, we tell it a particular instance of Azure AD that we're going to trust for our identities. So all of the identities in our Azure AD will be able to be given permissions to resources in the subscription that's trusting that particular tenant.

Now also within that Azure Active Directory you can do customizations. So for example, if I go back to that Azure AD for a second, I can absolutely do things like company branding. So this will show up in a lot of different places, but I can have things like a background image, so I've customized it, here's my little SavillTech image. When people go to logon screens I can customize the logo. I can put special messages for people when they go to attempt. I can have little icons, mini icons, that will show up. So I can really customize that whole experience.

Now when I think about this Azure AD, obviously it contains users, and there's really different ways I can get users in there. Now you'll notice some of them say "directory synced", so we have this directory synced column. So this means it actually came from an Active Directory via that Azure AD Connect, so I can get users that way, i.e. what I showed in the picture, that they're replicating. So if I had an existing AD and I wanted to start using Azure, the most logical thing would be, hey, use Azure AD Connect to synchronize the accounts, and then it's a great experience for the user. But you could also create cloud accounts. So I could create accounts directly in the Azure AD that are not related to any Active Directory account. I can also have guest accounts. So if we think about for a second, well, there could actually be, for example, maybe a different Azure AD tenant over here for a different company, or it could be things like a Microsoft account, it could be like a Gmail account; there's a lot of different options. But I can add those as guest users into my Azure AD tenant. So the authentication, I check in their password, is done by whatever the originating identity provider is for that account, but then I can still control things like authorization, check requirements, and then I could give these objects, all of these, permission on any service that trusts this Azure AD tenant. So that could be Azure subscriptions, that could be Microsoft 365 like a SharePoint, it could be some third-party app that I've chosen, that I've configured to trust my Azure AD tenant. There's all these different types of identities I can have in my Azure AD.

So absolutely from here I could just do a new user, and realize this is now creating a user. This would be a cloud account; I'm creating it directly into Azure AD. Or I can add a guest user. So remember this is where we are inviting them from some third party, so depending on where the account lives, it could be from an Azure AD, it could be from a Microsoft account, it could be Gmail, it could be Yahoo; there's all these different options that I can actually light up as guest accounts. But this is kind of me adding one at a time, but again remember these will not replicate back to my on-premises. You can see here I have examples of accounts from Yahoo, so I've got one from Yahoo, I've got ones, you can see the identity issuer, so that was from an email, I've got one from Facebook over here, I've got another mail, I've got some from Google. So all these different types of identity providers; it's ways that, hey, I want to collaborate with this person, I want to give them access to things. Now that's one at a time. There's also bulk operations, so I can do things like a bulk creation. The bulk creation will actually give me a CSV template that has all the correct columns I need. I would fill that in with my details and then upload it, and it will then go through and bulk create them. I could also use things like PowerShell, so I could use PowerShell, via basically scripting, to go and bulk create things.

Now when I think about giving permissions to resources, I don't really want to give it to individual users. What we generally want to do is add users to groups and then give the group permission to some kind of resource. So once again, if I had groups in my AD they could replicate up to my Azure AD, or I could go and actually create cloud groups, so directly in the Azure AD. And there are some nice things about the cloud groups, because I have different options when I think about, hey, creating a group. There's assigned, where I actually say, well, Bob and John and Olly, you're in this group, or I can do dynamic, where I can say, hey, here's a set of rules based on attributes, maybe of the users; they automatically get added into these groups. So groups are super, super useful. This is really what we want to use. So if I actually went and looked at groups, we can see I've got different types, and it's telling me this membership type attribute over here, and you can see I have assigned, where I'm adding the individuals, and then also dynamic, where it's actually using those kind of rules. So if I looked at assigned, well, the way that works is I'm manually adding members to that group, whereas if I look at a dynamic one, let's look at a more interesting dynamic one, Justice League. So if we actually go and look at the Justice League one, then it has members, but notice the Add members button is greyed out. I don't manually add people; instead we have dynamic membership rules, and in this case it's super simple. I'm just looking at the user's job title matches the word "hero*", so it could be "heroine", it would match as well. So that now gives me the ability to say I can add users, they have different attributes, and then automatically add them to groups, and then I can think about, well, then I grant those groups access to things like Azure roles.

Now there are Azure AD roles as well. There's something special about those. Normally you can't assign Azure AD roles to groups, but what you can actually do is, if you do a new group, there's this option "Azure AD roles can be assigned to this group". So if you set that to yes, then it has to be assigned, it can't be dynamic anymore, but now I could assign that group an Azure AD role. So that's kind of a special thing you have to be aware of. So that's kind of my users and groups idea.

And then I can think about also devices. Devices can also be known to Azure AD. So if I jump over here for a second, if I now think about my device, so I have some computer, and there's really two different methods of making that known to Azure AD. Because I want to make it known, because maybe then I can check the health state of that device before I let users on that device access resources via conditional access, which are rules that I can enforce on my Azure AD. So my options here: one of the things is I can do a register. So with register, the device becomes known to Azure AD and I can sort of do certain management; for example, I might use Intune, Microsoft Endpoint Manager, to do certain management on the device. I can also do a join, so it's kind of a register plus. Now I can actually log in with Azure AD users, so it kind of takes it to the next level. I can now directly authenticate with accounts that are in that Azure AD. So that's the two differences. So if it was like a user's personal device, it'd probably be a registration, because as a company I still want to maybe check the certain health, make sure it's not a jailbroken device, maybe I want certain security on it. If it was a corporate device, then I might do join; then they can directly authenticate with users in the Azure Active Directory.

Now there are different licenses. So Azure AD itself is free, but then I can assign licenses on a per-user, per-month basis to maybe add additional features. I keep talking about conditional access. So conditional access is basically sets of rules. I can say that, hey, if you want to access this service, well, maybe you have to be from this location, or you've done an MFA, multi-factor authentication, or your device is healthy. I can set these certain rules. That's a higher-up license. So there are these different licenses available. If we go and look at them, if we look at the pricing page, we can see there's the Active Directory Free. So with the Free, well, I don't get MFA, I don't get app access, I don't get any of those full features, but they're partially included, so I get certain aspects of it. So we can see the things I get with those; so if we expand it out, I get bits of that functionality. But if I really want like the full, all of the different capabilities, we start getting into the Azure AD Premium P1 and the Azure AD Premium P2. But you see, even with the free ones I still get single sign-on, I do get that basic MFA capability, I can still do passwordless. There's a big push, obviously, for multi-factor authentication, where I'm not just knowing a password; it's maybe something I know, yes, a password, but something I have, maybe a device, something I am, part of a biometric, and I want multiples of those. But then we see things like, with the Premium, hey, group assignment to applications. I have things like conditional access, so if we go and scroll down, hey, now I get conditional access with the P1 and the P2. So we get advanced capabilities, and then with the P2 license you get additional capabilities around things like entitlement management, so I can create an entitlement, which is like a package of different capabilities. I get things like Privileged Identity Management, where I can escalate up to a new role. There are advanced identity protection features. There are access reviews. But essentially there's different sets of functionality.

One of the really important ones: if I want writeback. So you can imagine for a second, I could, with the Free SKU, replicate my accounts up this way, and I can do self-service password reset for a cloud account. But if I wanted to do a self-service password reset, I forgot my password and I want to maybe go through, hey, answer a set of questions or get some communication, if it's a synchronized account, the only way to write that password back is if I have a premium license, kind of a P1 or P2. So I need to kind of understand those things.

Now when I think about self-service password reset, again, if it's a cloud account I can do that with the free stuff, and what we do is we go and set up, well, what do we want the users to have to do to be able to do that self-service password reset. So if we jump over and look at the portal for a second, if I actually go and look at my Azure AD again, we can actually see there's this option for Password reset over here. And if I select that, I can select, well, which users and groups am I enabling for password reset; I've said all of them. And I pick the authentication methods: how many do they need to do to perform a reset, one or two, and then I set which ones I'm going to enable to use for that password reset. So I can do things like questions. I can say how many do they have to answer to get it right. I can select the questions; I can add custom ones, so "what's your least favorite food". You can kind of put anything you kind of want into there. So then, hey, the user forgot their password; rather than having to go and call the help desk, hey, they can just go themselves, as long as they've registered. And I can control that registration: do I want to require them to register for this, and then re-prompt every periodic number of days. They'll then be able to go and kind of unblock themselves and give themselves their own new password. And I have to be a Global Admin to kind of set this up.

Now, speaking of Global Administrators, there are roles actually built into Azure AD. So Global Admin is kind of like the all-powerful role. Then there are other roles; some of them are app-specific. You'll see things like Dynamics and Office 365 and Teams, and the roles are basically just sets of permissions. You could actually go and look at a role; if you look at the description, it will tell you the exact permissions that role actually has. But these are all kind of global in nature; these roles here would apply to the entire tenant. Remember I said AD has organizational units, and that's really good for delegation: the users live in that organizational unit and I'm giving you a role just at this OU. Well, Azure AD is flat; there's no concept of that. So when I have these roles in kind of Azure AD, normally they are kind of global in nature, but there is something called administrative units. So what an administrative unit lets me do is I can actually kind of create this administrative unit and then add users into it. They're not moved; it's almost like joining a group in a way. And I can add users and groups into an administrative unit, so then the roles, also for a subset, can be granted at the administrative unit level. So if we go and look at that for a second, we can kind of see, hey, administrative units. I created one called Justice League. I could put users in there; I can also put groups in there. But here's a super important point: I can then manage the group; I cannot manage the people in the group. And you might say that's kind of weird, but it's really logical, because what I'm essentially going to do at this point is I'm going to delegate. So I'm now going to give these kind of certain roles permissions to this administrative unit. So I can say, hey, someone maybe can do help desk functions for this administrative unit, and I would add an assignment to there. But imagine if I could also manage the users of the groups that are added. Well, I could go and add people to that group and then I've now got admin permission on them, which would be a really bad security thing. So administrative units: adding groups means I can manage attributes of the group, but I don't get management of the people in the group. I have to actually explicitly add the users into the administrative unit if I want to be able to manage those users. Someone else has to delegate that to me, because it stops me adding users into the group so I can manage them. So that's kind of a whole point around that. And I have to be a Global Admin or Privileged Role Administrator to manage that, and the regular roles would still have permission as well; this is just a way I can delegate. So if you saw things like, hey, you have a help desk, they need to be able to do password reset on this group of users, hey, I'm going to put them in an administrative unit and then grant the role at that level. So that's kind of the Azure AD level.

When we start thinking about Azure, we have different kind of constructs. Now the most obvious construct we have is really this idea of a subscription. So I think about the idea that I have one or more subscriptions, so maybe this is my kind of subscription one. And remember what we said: each subscription trusts a particular Azure AD tenant, and it's those users or groups within that tenant I'll be able to give permissions to the various resources within that subscription. So that's kind of the key point. I can also have kind of a different account structure of enterprise agreements, so people can be account owners that can then go and create subscriptions under that. I can get a subscription from a reseller, through a partner. Even there are free accounts. There's many different ways I can actually go and get subscriptions. A key thing to remember is Azure, like most cloud services, is consumption based: I pay for what I actually use. So I pay for the seconds that VM is running; I pay for the data stored in that storage account or data stored in that database. So we'll hear time and time again about auto scale, changing the number of instances we have of things to really match the demand, so we can optimize the amount of money we're actually spending. So it's kind of a key point. If you're ever curious about what am I spending, there's a really good cost analysis solution. So if we were in our subscription, we can kind of go over here to Cost Management and Billing, down here at the bottom, and then there's Cost Management and there's Cost analysis. So from here I can kind of see, well, what am I spending. I can see the breakdown of how I kind of spent it. I can see how I spent it based on locations, based on resource groups; I can view differently. I can say what my daily costs are, so I can break this down to see what am I spending on kind of a daily basis. There's many different views into that.

I can also create budgets, and the whole idea of budgets is, hey, look, I want to be able to track how I'm spending, and there's two types of budget I can actually create. So there's the idea of a budget based on how much I've spent. So if I edit this budget, I can set alerts, and we can see one of these alerts is actual. So what I've got here is, if I spend 80% of my budget, based on the budget I set, it can do actions; for example, I could email, I could call a function which does some piece of work. Or there's forecasted. So the point of forecast is it's kind of looking at how am I tracking. So what I'm saying here is, look, if I think I'm going to spend more than my allotted budget, notify me, because remember it's tracking that. If we go and look at our cost analysis, we can actually see what it forecasts. So if I look at my, for example, let's go previous, let's look at this month, notice it's actually got kind of an estimate. It starts guessing what it thinks I'm going to spend. Now we're near the end of the month anyway, but they're estimating, based on my previous usage, what it thinks I'm going to spend. So those budgets are really useful, not just to say, hey, how much you've spent, but I could do a forecast budget, so, hey, if you think I'm going to spend above it, notify me early so I can start taking corrective measures. Maybe I shut some things down, maybe I shrink something. You'd also see there's advisor recommendations, so this would be things like, hey, resize something; maybe this is too big based on what it's actually using. So those can be really useful. There's actually a whole separate Advisor section where I can get advisements about cost, security, reliability, performance, operational excellence, all of those different things. So that's just a useful thing to be aware of from the cost perspective. And don't forget about the cost calculator; again, there's a separate video on that in the playlist for this AZ-104 where I talk through how to use the cost calculator to estimate what do I think my cost will be, and I'll probably show this a little bit later on.

Okay, so I create this idea of a subscription, and again I can have multiple subscriptions. Within the subscription we actually create resource groups. Now I can have more than one resource group in the subscription; maybe this is resource group one, there could also be a resource group two and a three and a four, et cetera, et cetera. And it's into the resource group I actually create resources. Now maybe I'm creating kind of a load balancer, maybe I'm creating some VMs, maybe I'm creating some disks that are being used by those VMs. And a resource group, I think about putting things together in a resource group that have a common life cycle. They're going to get created together, they're running together, ultimately they might get deleted together. So I think about grouping those all together. And what's nice is these will have a common management; again, I can set roles and permissions at kind of these levels. Those budgets I talked about, well, I can apply a budget at a resource group, I can apply a budget at a subscription. And sometimes it's actually going to be I have lots of subscriptions in my company; I don't want to have to think about assigning something at an individual subscription level. So in addition to this idea of subscriptions and resource groups, there's actually this idea of management groups. Now at the root of your Azure AD tenant there's kind of this idea of a root management group that ties to my particular tenant, and under that I can create a whole hierarchy of management groups. Maybe there's a dev, maybe there's a production, then maybe I break it down by locations, and then under there ultimately I have subscriptions. So what's really useful is, when I think about like the budget, well, hey, yeah, budget, I can assign a budget at the subscription level, I can assign a budget at a resource group level, but I could also assign a budget at kind of the management group level as well, and it's inherited down. So those are really kind of super useful to help me manage and plan my spend.

Now in terms of management as well, one of the really important things you'll see time and time again is the idea of tagging. And a tag is nothing really more than a key-value pair, but I can apply tags at subscriptions or resource groups or individual resources, and it's a way that I can do things like find; I can search for resources; I can easily, from a billing perspective, kind of see these things. It's a way for me to add metadata to some object. So here, if I look at my subscription, well, there's Tags. I could add a tag, which is some name, this one is custom, and I put in some value. I could likewise, if I just go and look at my resource groups, if I just pick some resource group, trying to think of one where I might actually have some tags, I can add tags to here as well. So maybe cost center is a very common one, maybe created by, date. And then the actual individual resources as well: I could just go and select some base resource, or a Cosmos DB account; those can also have tags. You can see I've got some in here: account type, cost center, there's a default experience. So we have these tags, which is the ability to add metadata.

Now one of the key things: most things I've talked about get inherited down, and tags do not. So if I set a tag at the resource group level or the subscription, it does not get inherited to the child resources. So resources in the resource group would not get that tag. Now there are ways I can accomplish that. There's things called policy, and policy is a way to really kind of set guard rails, which we're going to talk about in a second. But I could use policy to say, hey, look, if you're missing a tag, copy it from the kind of parent resource group. So let's go back to that a second. So if I were to look at my policy and we looked at the various definitions we have, if I just quickly searched for, let's say, "inherit", notice it has different options: inherit a tag from a resource group if missing, or just inherit it, or inherit it from subscription, or only if it's missing. So in that way, basically what I am doing is I am essentially copying a tag from a resource group or subscription to the resource itself. So I'm kind of doing that thing I just said you kind of can't do, but it's saying I'm manually doing it.

Now I just said the word policy, and the whole point of policy is, in the old days, when we would create resources, let's say it was on premises, I would go to some IT admin and say, hey, I need this VM or this database. They would check my request and make sure I'm meeting company requirements. In the cloud it's really a lot of self-service, it's a lot of automation, it's a lot of pipelines, so there's not some human doing that inspection. So what we need are kind of guard rails. So we need policy that says these are the acceptable things: maybe it's the regions we can use, maybe it's types of account, maybe it's agents we want present; there's all these different things I can do. So I create these policies, and so the key point here is, remember those budgets I can apply at all those regions? Well, another key thing I can apply is policy. So I could apply a policy and they get inherited down. I could create it directly here, I could create it here. So I create policy for what are the key kind of conditions I want to be enforced, and these are enforced at kind of this core Azure Resource Manager, the API that everything goes through. Whether I'm using the portal or PowerShell or CLI or templates or some RESTful API, it's going through the Azure Resource Manager; that's where Azure Policy takes effect. And that policy could do things like just track it, it could enforce it, i.e. stop me, it could even maybe remediate. So if there's something that's out of it, it could actually go and fix it.

And so what we do with policies: we can create individual policies. You can kind of see these are individual policies here, and if I just take this out for a second, there's like massive numbers of policies, so many. So what we'll typically actually do is we'll create an initiative. So an initiative, you can see here, has got a certain number of policies in it. So it's the idea of, hey, I have all of these individual policies that are based on some particular attribute, they're known as attribute aliases, of my resources, and they have the valid values I'm allowing. But now with these initiatives, it makes it much easier for me to say, hey, I'm going to take this initiative; look at this NIST one, it's made up of 991 separate actual definitions. So I wouldn't want to manually assign all those to anything, so it makes it easy for me to actually go and assign. But the nice thing also is you can kind of see some of my assignments I have here, but I can track compliance. So these are super useful. So I've got ones here about allowed storage account types; I can see, yes, I'm 100% compliant on the amount I've specified there. There were things like Azure Security Center, which actually has its own built-in initiative to go and track the overall security of our subscriptions. And when I do an assignment, let's say I've got this allowed locations one, I actually specify what my allowed values actually are. So if I edit the assignment for a second and look at the parameters here, as part of the assignment I've selected, out of all the possible locations Azure exists in, which ones I'm going to allow. So if I try to create something outside of these, well, depending on my configuration, so I've got policy enforcement enabled, it would actually stop me; if it was disabled, it would then just kind of report. And we're going to look at what those actually mean if you're not sure. So these are everywhere, but notice I
can still do that compliance assessment. So wherever you're not sure how, it will generally try and give you some kind of help. So policies are super powerful to set those guard rails, and again there are some initiatives built in, there are a huge number of policies built in, but I can absolutely go and create my own policies, I can create my own initiatives to really focus in on my exact requirements.

Now when I think about all these different types of resources I'm actually creating, remember we have the whole idea that, well, we have users and groups in the Azure AD. I don't want everyone to have full control of everything; we probably want different people to have different sets of permissions on different resources. So this is called role-based access control, and that says, hey, I can think about: there are roles. So I have this idea of some role, and a role is really just a set of permissions; and then I have some kind of identity, i.e. a user, a group, a service principal used by an application; and I have some scope. And essentially I'm assigning a role to a certain identity at a certain scope, and that's what we call a role assignment. And I can do those... those scopes that I'm talking about here, well, guess what, that scope, hey, it could be a management group (and again it's inherited down), it could be at a subscription level, it could be at a resource group level, I can even do it directly on resources; we don't tend to do that, it's just really ugly to actually try and manage that.

And we can see these. So if we go and look over, and again these are separate from Azure AD, if I was to look at just a resource group, if I just pick any kind of resource group, there's this access control option here, and what I can then see is all the different roles that exist. Now because it's a resource group, well, nearly every role could apply, because it could contain any type of resource, so I'll see a huge number of roles. If I was to pick a specific resource, like a container registry, and look at its access control, it will have a smaller set of roles, because a lot of them won't apply. Obviously a subscription would have the same thing. But I can go and look at one of these roles, and there are some key ones like Owner, Contributor and Reader; they just show first, they're more generic. Owner can do anything: create anything, change permissions. Contributor has pretty much the same permissions as Owner in that it can create anything, modify, but it can't change permissions. And then Reader, hey, it can view things. Then there are all these other built-in roles specific around certain types of resource. You can add custom roles, so you notice here I actually added a custom role, because a role, let's just look at one of these built-in ones, we look at a Virtual Machine Contributor: if we scroll over and view it, it's just a list of permissions. So there's all these different permissions it can do, and so I can create a custom role and I could just say the actual permissions I want it to have.

Now a key point is these are mostly at the control plane, and that may seem confusing for a second. So if I think about Azure, we have this whole idea of Azure, and the interactions with Azure are typically through, I mentioned, that Azure Resource Manager, and that's really about control: I want to create a resource, stop a resource, start a resource. Then the actual resources that live under it, well, they have different capabilities; they might have different APIs, different types of interaction; so these are more the data plane. If I create an image file in a storage account, well, that's an interaction at the data plane. You see this idea of a management control plane and then actions at the data plane, and what we're seeing here is it separates those. So I'm looking at regular actions here, that's the control plane, but sometimes I'll see data actions. Now it's not showing me any, because the virtual machine has no data plane operations. If I was to go and look, there are some special ones around storage, so here we can actually see these data roles around blob, queue and table. If I was to look at one of those instead, just go down and select one of those, there are still control plane permissions, but now there are actual data permissions as well: hey, I can actually go and query table entries, the data in the actual object; I can insert, merge, update, replace. So when I think about permissions, more and more now at the data plane as well, I can do that through the Azure role-based access control, and I can absolutely create my own custom roles.

Now I can give it a name, I could clone an existing role, I could use a JSON template file, I could start from scratch. And when we create our own custom roles there's really the idea of actions and not-actions, because if I add permissions, I might add some very generic set of permissions. If I did, like, network, there's a network resource provider, there we go, there's a huge number of permissions in there, and I could just say, hey, look, all of them; so I've got this massive number, but then you can also exclude certain permissions, so out of those I don't want it to have a certain set of permissions. So you can go and create those. So it's that whole idea, if you think about when I create my own custom role: yes, there's a huge number of built-in roles here, so I'm going to think, hey, there's built-in, there's also this idea of custom. These are all built off the resource providers, which give Azure its functionality, and there's the idea that, hey, I can have actions, and I might say something like resource provider one dot star; and what resource provider one dot star actually gave me, for example, is maybe there's a bunch of sub-actions on here, which gives me one, two, three and four. But then what I could say is, hey, I'm going to do a not-action, resource provider 1.3, so I'm essentially taking that one away, so the sum set of permissions that role would have, well, would be one, two and four. So that's the idea of creating my own custom roles.

And again they just come together: so I have a certain role, I give it to a certain identity, so this again could be a user, it could be a group, and a certain scope, so a management group, a subscription or a resource group; you can even do it at a resource level, that's really ugly, it's just hard to manage. If I do permissions at individual resources it's really hard, and likewise I don't really want to do it to individual users; ideally we want to give a group a role, one of those. There'll be more generic permissions higher up the management group chain, and get more specific as I get to, like, resource groups; that's typically the way you're going to see those things come together. And again, remember, they're different from the Azure AD roles.

When I think about what's happening, who's maybe changing permissions, there's an activity log, and we will come back to this later on, but if I was to go and look at my subscription, one of the nice things we actually get is an activity log. So this really shows me everything going on at that control plane, with Azure, with this subscription, so anything under this subscription, hey, I can see everything going on. So I can see there's one going on right now, and you could get the details around that. So we have all of these; likewise I could go to a particular resource, so if I now maybe instead of that went to my storage account, now it will just basically trim down the activity log to only those things against this particular resource. And let's see, it's adding filters: so it's automatically, when I selected activity log, it added a filter just for this particular resource. So it goes and does those things, but this is things happening at the control plane, not the data plane; this is not saying, hey, I created an image, I deleted an image; none of that would actually show in these kinds of things. So we have this rich way to go and interact and see exactly what's going on.
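The actions minus not-actions arithmetic and the scope inheritance described above, as an added worked example: this is illustrative Python I wrote, not Microsoft's authorization code. The role names, group names and the Hypothetical.Provider1 resource provider are constructed for the demo, and the subscription id is a placeholder; Microsoft.Network/* and Microsoft.Network/virtualNetworks/peer/action are real operation strings.

```python
"""Illustrative model of Azure RBAC custom roles and scope inheritance.

Added example, not Microsoft's code. It mimics two behaviours from the section
above: a role's NotActions only subtract from that same role's Actions (they
are not a deny), and a role assignment at a management group, subscription or
resource group is inherited by everything beneath that scope.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        """Permitted if some Actions pattern matches and no NotActions pattern
        matches. Azure operation strings use '*' wildcards, case-insensitive."""
        op = operation.lower()
        granted = any(fnmatchcase(op, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(op, p.lower()) for p in self.not_actions)
        return granted and not excluded


@dataclass
class RoleAssignment:
    principal: str          # user, group or service principal identifier
    role: RoleDefinition
    scope: str              # e.g. /subscriptions/<id>/resourceGroups/<rg>


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every child scope."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal_ids, operation, resource_scope) -> bool:
    """principal_ids = the caller's own id plus the ids of groups it is in.
    Access is the union of every matching assignment; Azure deny assignments
    are a separate mechanism not modelled here."""
    return any(
        a.principal in principal_ids
        and scope_covers(a.scope, resource_scope)
        and a.role.permits(operation)
        for a in assignments
    )


def effective_ops(role: RoleDefinition, candidates) -> list:
    """Which of the candidate operations a role actually permits."""
    return [op for op in candidates if role.permits(op)]


# --- constructed demo data (placeholder subscription id) -----------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"

# The video's example: Provider1/* minus Provider1 op 3 leaves ops 1, 2 and 4.
# "Hypothetical.Provider1" is a made-up resource provider for the demo.
DEMO_ROLE = RoleDefinition(
    name="demo-role",
    actions=["Hypothetical.Provider1/*"],
    not_actions=["Hypothetical.Provider1/op3/action"],
)

# A realistic custom role: everything in Microsoft.Network except peering.
NET_NO_PEER = RoleDefinition(
    name="network-operator-no-peering",
    actions=["Microsoft.Network/*"],
    not_actions=["Microsoft.Network/virtualNetworks/peer/action"],
)

# The single-permission role the video describes for the peering target.
PEER_TARGET = RoleDefinition(
    name="network-peering-target",
    actions=["Microsoft.Network/virtualNetworks/peer/action"],
)

ASSIGNMENTS = [
    RoleAssignment("grp-network-ops", NET_NO_PEER, SUB),  # inherited by all RGs
    RoleAssignment("grp-hub-peering", PEER_TARGET, RG),   # only on rg-app
]

if __name__ == "__main__":
    ops = [f"Hypothetical.Provider1/op{i}/action" for i in (1, 2, 3, 4)]
    print(effective_ops(DEMO_ROLE, ops))
    print(is_authorized(ASSIGNMENTS, {"alice", "grp-network-ops"},
                        "Microsoft.Network/virtualNetworks/write", RG))
```

Note the third assertion-style case: a member of both groups can peer in rg-app, because the not-action in one role does not block a permission granted by another role.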
So if I was curious about roles, well, one of the filters I could add, for example, would be operation. So I'll say, hey, operation, and if I type in "role" I could see people created role assignments, people deleted role assignments. So if ever I'm curious about, hey, who did something, someone has permissions, who did this, I could go and look at the activity log, add a filter for operation, roles, and then actually go and see those things.

Okay, so great, we have subscriptions, we have all these permissions and all these nice ways I can manage it. I mentioned locations before, so we have this idea of Azure, and I drew it as this kind of cloud, but what is it really? So there's a joke: there's no such thing as the cloud, it's just someone else's PC. So if I think about Azure as this service, when I create a resource, most of the time I pick a region. So you can really think about Azure as this huge, huge network around the world, and then there are essentially regions, lots and lots of regions, that are connected to that. And a region is really a latency envelope, i.e. it's different physical buildings within a certain distance, a two millisecond envelope, so it's made up of different data centers; maybe it's 16, maybe it's two, it varies; it's easy to draw three. But this would be a particular region, so for example maybe this is East US 2, maybe this is West US 3, whatever that might be; there are regions all throughout the world.

Now there are actually different clouds. So when we just say Azure, we generally talk about the Azure commercial cloud; there's also like a gov cloud, there's a China cloud, there's a Germany cloud, and we can see those. If I open up VS Code for a second, I can list my environments using this Get-AzEnvironment command, and you can notice what it's showing me here: sure enough, there's the Azure commercial cloud, I can see the China cloud, the gov cloud, the German cloud. So you have different endpoints; it's the same Azure code, but there's different buildings and different networks, and then the different endpoints that actually talk to them. So when I'm talking about this, I'm talking about, hey, we're dealing primarily with the commercial cloud. And so, yeah, when I create things I pick a certain region where I want that VM or that storage account, that database, to actually be created, and under my subscription I can use pretty much any region; there are, again, some of them that are locked to maybe certain areas, but for the most part if I have a subscription I can create things in US regions, Europe regions, all throughout the world.

Now those different physical facilities, and we'll come back to that, but sometimes you actually see them exposed to you, so you might see the term availability zone, and you'll see an AZ1, an AZ2 and an AZ3. These are logical mappings, but essentially within my subscription these availability zones have independent power, cooling and networking. So it's all about the idea of something failing: if something failed in a particular building, like power, cooling or networking, it shouldn't impact those things in the other buildings. So if I'm creating my resources, ideally I would distribute them over the three availability zones to minimize the chance of anything going down, or if something happened at this building, hey, two thirds of my stuff is still running. You'll see different terminology for these things. Now when I think about this zone resiliency, you'll see the idea of something called zone redundant: so zone redundant means it is distributed for you, it's resilient; that could be something like a standard load balancer or a standard public IP. Then you might see the term zonal: zonal means it's in a specific AZ, i.e. if it's zonal I create it in AZ1, so to be resilient I'd want to create another instance in AZ2, another one in AZ3, etc.

So there are massive numbers of regions, and there's a nice little infrastructure map; let's load this up quickly. So this is a picture of the globe, and we can see and we can filter this; we change the filter, and we'll just show... actually, networks is interesting, but we'll turn off those things so you can see the regions. So each of these dots is a particular Azure region, so we can see, obviously, the US, lots in Europe, Asia, Australia, there's China, Korea, all of these different regions, and we see this massive Microsoft network that Microsoft owns and operates, one of the biggest networks in the world. Now here is kind of a flatter version of that picture; we can see all of those regions available. Now not all services are available in all regions, but there's kind of like a set of core resources that are available everywhere. Those availability zones I talked about, if I look at this picture again, it's showing me all the regions right now in the United States; it shows me availability zones presence. This is where I can go and check: do AZs exist? And we see most of them are available with three zones; some of them, hey, it's coming soon; some of them are saying, hey, I don't have this right now, nearest is somewhere else. So we get those different options available to us. Okay, and likewise you can go and actually look at which services are actually available: you can dive down and see what's available in what region; there's "explore products by region", then I say what product do I care about, and it would show me where it's available, in which regions, etc., etc.

So if I think about regions when I'm picking my service, like which region to use: who's consuming it? If I have customers on the east coast, I'd probably pick the East regions. From a real disaster recovery perspective, I don't want all of my instances in one region; it's super unlikely, but something could happen at a regional level, so I want to make sure I have instances in at least two regions, ideally. From a DR perspective I want these hundreds of miles apart, because if there's some natural disaster I want to make sure it can't impact both of them. So Azure itself has certain services that do this; it's always asynchronous, I'd say always, there's a few exceptions, between regions, because it's a big distance. So asynchronous means, hey, I acknowledge the transaction and then copy it as quick as I can without impacting the performance of the workload. So some services have that natively built in, like storage accounts; it can have a native replication capability, as does Key Vault. And so there's a whole number of these paired regions, so we're going to go and look at this document, and all of these are linked in the description below if you want to go and look at these yourself, but they have this idea of pairings. So these are the various pairings available, and what you'll see is these are generally hundreds of miles apart, but they're in the same geopolitical boundary, and that's obviously really important when I think about, hey, if it's data, there's data sovereignty or regulatory requirements; I don't want my data in Europe, for example, being copied over to the US; that might break some rules. So you'll see most of the time... there's only, I think, one exception: so I think Brazil South replicates to South Central US, because at the time there was only one region in Brazil; they are now building out another region, so that would replicate to South Central, yeah. So you need to be aware of that when I think about, okay, planning out my various regions. So those are the built-in pairings for a lot of services; you don't have to use those, so for many services I can pick, hey, I want a replica of my database, a read replica in this region and this region; you have a lot of control. But certain services, hey, there's this native pairing just built in, and you can use those.

Okay, so that's the basics around those subscriptions and the idea of my resources and identity and those things. So let's actually start drilling down into the particular types of service we actually have. Why is this drawing... okay,
there we go. So I'm going to start with networking; there's not a right or wrong order to this, but I just think networking really is the foundation for a lot of what we're actually going to talk about. Now I recommend, if you look at the playlist, I did an AZ-700 study cram video; it's three hours long. That was designed for AZ-700, which is a networking certification, so I go through more detail than what I'm going to do here, but I think it would actually be super useful, so my recommendation would be to go and watch that. Another key point is, when I think about networking in Azure, I generally pay for egress. So egress is the data leaving a particular region, but I generally don't pay for ingress, data coming into Azure. There are a few exceptions, like if I connect networks together, when I peer them, I do pay an ingress and an egress fee, so there are some exceptions to that, but for the most part I only pay for data leaving Azure.

So I think about networking: there's this core building block of a virtual network. So I think about this idea: okay, I have a virtual network. Now that virtual network lives within two essential boundaries: it lives within a certain subscription and a certain region. So I can really think about those boundaries: a virtual network cannot span regions, it cannot span subscriptions, but those availability zones I talked about, it does span availability zones, as do the subnets that I will ultimately break this down into. So just like a regular network where I break it down into subnets, I will break my virtual network into maybe a subnet one, two, three; I can give them proper names; I break them down into smaller parts. Now for the address space, a virtual network is always an IPv4 CIDR range, and it can actually be multiple; I can add multiple IPv4 ranges. I can optionally add an IPv6, or multiple ranges; if I add an IPv6, I have to have at least one subnet have an IPv6 range as well. Subnets obviously take a portion of whatever IP range I use.

It's common to use RFC 1918, so very commonly you'll see these as the RFC 1918 ranges; so 1918 is the whole idea of, hey, look, it's the 10/8, the 172.16/12 and the 192.168/16. So it's very common to see those address ranges used, but you don't have to; you could bring your own IP range, but realize if you bring, like, maybe a public portion of the IP space, it will still be only privately used; it would not be accessible to the internet. So yes, you can bring whatever IP range you want, but it will not be usable to the internet; it will still be classed as this private IP range. When I'm picking my IP range, make sure you plan ahead: they need to be unique. Don't pick the same IP ranges I'm using on premises, don't pick the same IP ranges I'm using for other virtual networks that I may want to connect; use a unique IP space so that I could then connect and route between them. So really think through that IP. For every one of the subnets you need to think about this from a sizing perspective: for each subnet you lose five IPs. Now normally, just with IP, you would lose two: you would lose the .0, which is the network address, and you would lose the .255, which is the broadcast; but you're also going to lose the .1, which is the gateway, and the .2 and .3 for DNS purposes. So when you're planning out sizes of your subnets, you're always going to lose five IP addresses; just make sure you bear that in mind for your planning around the sizing. But these are all private. When I think about creating a resource, if I create some resource in here, let's say I create a resource, a VM, a container, it doesn't matter, it's going to get, via DHCP, an IP address that's available from that subnet. So maybe, if it's the first resource, it's probably going to be a .4, because remember I lose the first essentially four IP addresses: 0, 1, 2 and 3.
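The subnet sizing and address-planning rules just described, as an added example in Python (mine, not the video's or Microsoft's tooling). It assumes Azure's smallest allowed subnet is a /29, which the video does not state; the hub, spoke and on-premises ranges are constructed sample input.

```python
"""Azure virtual network address planning helpers (added example).

Azure reserves five addresses per subnet: the first four (.0 network,
.1 default gateway, .2 and .3 for Azure DNS) and the last (broadcast),
so the first address handed out by DHCP is .4.  Assumption not from the
video: the smallest subnet Azure accepts is a /29.
"""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED = 5   # network, gateway, two DNS, broadcast
MIN_PREFIX = 29      # assumed Azure minimum subnet size (8 addresses, 3 usable)


def _subnet(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > MIN_PREFIX:
        raise ValueError(f"{cidr}: need an IPv4 subnet of /{MIN_PREFIX} or larger")
    return net


def reserved_addresses(cidr: str) -> dict:
    """The five addresses Azure takes out of a subnet and what each is for."""
    net = _subnet(cidr)
    return {
        "network": str(net[0]),
        "gateway": str(net[1]),
        "dns": [str(net[2]), str(net[3])],
        "broadcast": str(net[-1]),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses left for resources once Azure's five are removed."""
    return _subnet(cidr).num_addresses - AZURE_RESERVED


def first_dhcp_address(cidr: str) -> str:
    """The first address Azure's DHCP can hand out: the .4 from the video."""
    return str(_subnet(cidr)[AZURE_RESERVED - 1])


def prefix_for_hosts(hosts: int) -> int:
    """Smallest subnet (largest prefix length) whose usable count covers hosts.
    Planning with the raw 2^n - 2 rule would be off by three addresses."""
    for prefix in range(MIN_PREFIX, 0, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


def is_rfc1918(cidr: str) -> bool:
    """True if the range lies inside one of the RFC 1918 private blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def overlapping_ranges(named_ranges: dict) -> list:
    """Pairs of address spaces that overlap and so could not be peered or
    routed between; the video's 'use a unique IP space' check."""
    nets = {name: ipaddress.ip_network(c, strict=False)
            for name, c in named_ranges.items()}
    return sorted((a, b) for a, b in combinations(nets, 2)
                  if nets[a].overlaps(nets[b]))


# Constructed sample: a hub VNet, two spokes and an on-premises range.
SAMPLE_SPACES = {
    "hub-vnet": "10.0.0.0/16",
    "spoke-1": "10.1.0.0/16",
    "spoke-2": "10.0.5.0/24",      # mistake: carved out of the hub's space
    "on-prem": "192.168.0.0/16",
}

if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print("hosts=250 ->", f"/{prefix_for_hosts(250)}")
    print("overlaps:", overlapping_ranges(SAMPLE_SPACES))
```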
So .4 would be the first available in there, but this is its private IP, so we can use it to talk to other things on the network, things on connected networks, whatever that might be, but I could not connect to this from the internet; that would not work. Now they can get to the internet; there's nothing I have to do special; just by default, things in a virtual network can do outbound to the internet and will get the responses through this stateful native firewall. This is built into the service, and I can restrict that; we'll see that later on. But if I want to make services publicly available, I have to add a public IP. Now I could absolutely add a public IP and then I can associate it to a particular resource. We don't like to do that; the reason is now I've got this public IP going directly to a resource. What's better is to use the load balancer, maybe with firewall functionality, because what if that resource is rebooting or it crashes? If I want to make something available to the internet, chances are I want it to be resilient, so I'd have multiple resources behind a load balancer, and we're going to talk about that, and the load balancer would have the public IP address. But technically you can; it's just not something we typically would want to do, because it's not the right idea. A public IP is always bound to a particular region; I can't take a public IP and move it to another region; it's not the way the routing works. So public IPs live there. There are two types of public IP, so if I was to go and look at my subscription, look at public IP addresses, if I create a new one, you can see I can do IPv4 or IPv6 or both. There's standard and basic: so if it's standard, it's always going to be static, so static means it's always going to be the same IP address; if it's basic, well, then it can be dynamic or static. I can add a DNS label to it, and one of the nice things about standard as well is, remember I talked about that zone redundant, well, standard is zone redundant: if my region has availability zones, it's resilient across them, and I would always pair it with the same type of SKU load balancer; for example, I would use a standard load balancer. So I can go and create those, and I could associate that with some kind of service, so I'll close that down. So you create public IPs and I can associate it with something; the resource itself, like a VM, has no knowledge of that public IP. Azure is essentially bringing the traffic in for the public IP and forwarding it to that resource, but it doesn't really know anything about it.

So resources within the virtual network automatically get a private IP; again it's essentially using DHCP, Azure is acting as that: when it sees this start up and say, hey, I need an IP address, Azure is basically acting as a DHCP server and will give it an IP address from whatever's available in the subnet. Now some types of service I need the same IP address every time it starts up: I'm a domain controller, I'm a SQL server, I'm an appliance, I'm using IP-based security, I've got certificates that are tied to an IP address, whatever that may happen to be. So what I can do is: the resource itself, like the VM, is always going to use DHCP, but what I could say at the Azure level is essentially like a DHCP reservation: hey, this resource, when it asks for an IP, make sure you always give it this specific IP address. So for example, if I was to go and look at, let's look at my domain controller I have in Azure, so if I look at my domain controller and look at my networking, it has a network adapter, and it has an IP configuration, and in that IP configuration you can specify the ipconfig, and notice what I've got configured here is assignment static, and I tell it the IP address I want Azure to always give this resource. So if I need a resource to always have the same IP, I don't configure it within the guest OS itself; it's still set to DHCP, but then I tell the Azure fabric, hey, always give this resource this particular IP address. So that's really a key point around that: the resource itself is still using DHCP.

Now I mentioned there's this boundary of a region and a subscription. What if I have more than one virtual network, but I want them to be able to talk? So we have the idea of peering, and peering can be VNets in the same region, or it can be global VNet peering, they can be in different regions. So now I can imagine the idea that, okay, we have some other VNets: I have VNet 2, it could be the same subscription, it could be a different subscription, it could even be a different Azure AD tenant that it trusts, it doesn't matter. So I've got VNet 2, maybe I've got a VNet 3, and what I can add is peering; again it's either just going to be regular peering or global peering, depending on if they're in different regions or not. They have to be different IP ranges: if this VNet was using the same, or part of the same, IP range, I would not be able to peer them. One of the nice features that recently just went into preview is I can actually change the IP space of a VNet that's peered now without having to break the peer, but it still could not overlap. There's a tiny permission that I do need to be able to add a peer. This is two directions: I create the peer in each direction; if I have the permissions I can do it in one step, but for this VNet to establish a peer to this VNet, there's a very small permission I actually have to have. It's a detail you wouldn't need to know in the exam, but I just create a custom role for mine. If I looked at my environment, if I was to quickly look at my virtual networks, you can see this virtual network, I have a bunch of peers, and some of these are actually peers in a completely different subscription that trusts a different tenant; it does not matter, I can do that. But from a permissions perspective, so if I was to look here at my roles, again this is a tiny detail, I'm spending way too much time on this, but you have this network peering target role, so I created that, and that essentially has one permission in it: peer virtual networks. That's it; that's the permission I need on the network I'm trying to create a peer to, but once I've done that, hey, now I can peer them; again, they can't overlap.

Now one of the attributes of the peering you'll actually notice, when I looked at these things, was you'll notice they're all turned off, but I had this option, just pick this one: hey, use virtual network gateway: none; and there's also this "use remote virtual network's gateway" option. So I've said none to this particular option here, so this is the important one, and the idea of these settings right here is: imagine I have the scenario where maybe this is like a main hub, so this main hub, I actually have maybe a gateway, so I actually have a gateway, maybe it's to a site-to-site VPN or an ExpressRoute; it's connecting to other things. Well, what I can actually say is, for these other VNets, I want them to use it. So on this end of the peer I can allow gateway transit: I am going to let them use my gateway; and on this end of the peer I say use remote gateway. So what that will do is a couple of things, but essentially now these will learn about all of the IP spaces that the gateway has learned through BGP, and it will now know to send the traffic through and get to those locations. Another really important point about network peering is it is not transitive. So VNet 2 and VNet 3 cannot talk just because they trust the same VNet; that does not mean they can now communicate. They would have to add their own explicit peer to be able to communicate, or some of those other settings: I could have, like, a network virtual appliance in here, or something like Azure Firewall, and what I could actually say is, hey, look, VNet 3, to get to VNet 2, talk to this appliance, which would then forward the traffic to VNet 2. So there are ways to accomplish it, but it's not native; they're not transitive; I would have a whole mesh of peers unless I use some kind of appliance
actually in there. And when I add these peers, again the traffic can free-flow; there's no native restrictions; they'll all be able to talk to each other. What if I do want to restrict the traffic? What if maybe, hey, I want to restrict talking to the internet, maybe I want to restrict certain subnets talking to each other, certain things to on-premises, because by default all of that will open up when I add a site-to-site VPN or an ExpressRoute, which is a private connection to on-premises, to other networks, to peer networks; they can all communicate. So to restrict that we have something called network security groups, NSGs, and an NSG is just multiple rules. And those rules are really just made up of: I can have a priority, then I have a name for the rule, then I have the source. Now there's going to be a source and a destination; now there's different types, and the exact options available will vary depending on if this is an inbound or an outbound rule, but there are things like IP addresses, groups of IPs; there are things called service tags (again, it may not always be available depending on the direction of the rule, if this is the in or the out); there are application security groups, which is a tag I can put on a network adapter; and it can also just be, hey, the entire VNet. So basically I create these rules, and then I can add a certain port, and then an action: allow or deny. So I create this whole set of rules, and if we look at these here, we'll quickly just go and look at my NSGs. So there's a huge number of these, obviously, but we could just look at one very simple one, and what you'll see is there's inbound rules and outbound rules, and these ones here, I can hide or show default rules. So inbound, by default, it allows any inbound traffic VNet to VNet, so anything within the virtual network. Now virtual network does not mean the virtual network; virtual network actually means (why can't I get my whiteboard up? Show me my whiteboard. Oh, I don't know why) virtual network actually means the known IP space of the virtual network. So virtual network, that tag, actually includes the IP space of this and this; if it was connected to on premises, those as well; they would all count as the virtual network. And then there's another one called internet; internet is everything that's not the virtual network. So it's important to understand what virtual network means. So this rule basically lets any communication between the known IP spaces; it allows communication from the load balancer, and then denies everything else. Likewise outbound: there are default rules that, once again, allow anything virtual network to virtual network, also anything out to the internet, and it will get the stateful response back, but then it denies everything else outbound. But then you can add your own rules, so you can see here I added a rule for port 80, so I'm allowing port 80; you can see the port is 80 for TCP, and I'm saying it can come from anything, but only to this particular IP address.

So if I add an inbound rule, you can see I have different types of source: so I can do app security groups, which again are just tags on network adapters; it saves me having to worry about which subnet or IP addresses a resource has. There are service tags, so these represent all different types of Azure service; Azure services have these massive numbers of IP addresses and ranges they use throughout the internet, almost impossible for me to try and maintain those, so instead those service tags exist. So here, for example, I could get a list of all the service tags in South Central US and then show me all of the actual IP addresses for storage in South Central US, so these are all the CIDR ranges for storage, and there's actually 48 different CIDR ranges just for storage in South Central US, so you get why I would not want to try and maintain those in my own set of rules. So I'm allowing, in this case, for example, communication from storage to get to my VNet. Likewise destination: because this is an inbound rule, well, inbound to my VNet is not going to be to a service; it's going to be to a certain IP address, or my whole virtual network, or, hey, a particular tag I have on network adapters. So I would go and create this whole list of rules that I need for my environment, and then once I create the network security group, I associate it: so I associate it with particular subnets. Now you can also link it directly to a NIC, but that's again really ugly from a management perspective; I don't want to try and manage that, so we generally associate it to the subnet. It's not an edge resource: if I associate it at the subnet or the NIC level, it's actually enforced in the switch of the host itself that hosts that virtual machine, or whatever that resource is. So there's no difference if I apply an NSG at the NIC and the subnet; I'm not doubling my protection; they're all enforced at the same place. So I associate that there, so then those rules would be checked for that inbound and outbound traffic. So that's really a key point. So those built-in rules I can override, because they have such a low priority, and I can always go and check what rules are actually being enforced. Let's say I'm like, why can't I get to this virtual machine? This seems broken. One of the nice things I can actually do is, if I go back to my virtual machines, and if I just pick a particular virtual machine, I don't know, pick this one, I can look at the networking, I can pick the network interface, so I'm clicking here on the network interface, and straight away it's got this button for effective security rules next to me, so I could go and look at them there. It's also showing right below me inbound port rules and outbound port rules. If I just click the NIC, one of the nice things we have, these effective security rules; and the other really nice thing that you might use as well is this other option for effective routes. So if you start having more complex routing, custom routes, all of those types of things, that is super
super useful to actually work out what is going on what is the routing actually taking effect in my environment i can actually go and look at that so now i can see the security rules are actually taking effect you can see why you can see the exact rule that's doing it and again here's the kind of effective routes that i could go and see hey the built-in ones everything else that's happening so this is super useful for troubleshooting when i want to work out look why is this not working why can't i get to this thing oh okay i can look at the hops and the rules and everything else so the nsg is not a physical edge device it's a set of rules that's enforced in the virtual filtering platform of the switch where this resource runs also operate at layer four so if you think come the old osi model it understands tcp and udp so ports has zero clue about http um urls which have a path in them it can't do any of that it doesn't understand really fully qualified domain names or filtering based on a dns name so there are appliances in the azure marketplace that do that and then there's obviously a first party one so if i want to control traffic based on fully qualified domain names or urls i want to encrypt ssl encrypted traffic i want to filter on certain categories i'm going to look for malicious traffic then there is azure firewall so azure firewall is something that i would actually deploy into my virtual network it deploys into its own subnet so it's actually called azure firewall subnet i have to call it and it's a slash 26 kind of in terms of the size of that subnet and it's native it's a native highly available appliance it can span availability zones and it has a whole set of different capabilities so like we talked about rules of the nsg well this has its own types of rules it has rules for example for destination that so i can think about nat rules which is hey when traffic comes in me in this send it maybe i want to send traffic to a particular virtual machine it 
has network rules which are really just layer 4 rules but then it also has application rules and then layer seven so that's why i can do things like look at the dns name um look at the path um decrypt that https traffic because it can kind of sit man in the middle and actually go and look at this and the way i would use this this is obviously an appliance sitting in a certain subnet i remember i talked before about modifying the routes well if i want my traffic to actually go through the azure firewall what i would generally do is i'll have some called user defined routing so i'll create a routing table and what i would do is i would associate that routing table so i create a routing table and it's basically going to say hey look my next hop is that azure firewall and then i associate that routing table with different subnets and networks so now if i'm trying to talk to some resource even if it's in that subnet it'll actually go via the firewall so we can inspect it and then go to the target if it was out to the internet how it's going to go to the firewall first so i'd create the firewall create the rules and then i would create a route table to say hey instead of going by your regular path go here first and then it will go and forward it on and i could use that to enable that transitive nature in these v-nets i could say hey to get to the ip space of that virtual network your next hop is actually the azure firewall which would then go and actually forward it on so i can use it for that purpose so if we go and look over here firstly my firewall itself so i'm using the newer azure firewall so it uses firewall policies so this is where i can essentially create a list of rules you can see i have dnet rules so hey if i get certain communications on certain ports i'm sending it to so that's the destination of the azure files public ip i'm sending it to certain vms in my network so that's dna rules i have network rules which can allow certain communications and then i 
have application rules which actually understand things like categories actually different site names actually different urls i've got in here it also has tls inspection so i've got special certificates set up so it can sit man in the middle and actually decrypt ssl traffic and i can go and check for things through there i can go and see which networks are protected with this it has uh idps so we can go and look for certain types of attacks and intrusion so it's a really powerful solution and then to actually make it work if i look at my route tables i created different route tables that essentially just say for everything for this one your next hop well that's the private ip of the azure firewall and then i associate this with the subnets where my workload likewise i have another network once again it's going to send everything to that azure firewall and again i associate it with the subnets so now everything they talk about is going to go via that azure firewall so i'm kind of bringing those multiple things all together to accomplish that and most commonly i'm going to have kind of an azure firewall at least per region i don't really want to go across regions just because the latency and the performance degradation that would actually introduce okay so that's about restricting and controlling traffic i mentioned fully qualified domain names obviously dns so dns is huge now as humans we're terrible with ip addresses and we're not going to remember those we like names for things and so dns provides that mapping of a name to an ip address and azure actually has dns services both for public resolution and for kind of private internal resolutions so if i think about kind of the azure dns so if it's a public right it's public facing that's really focused around host records kind of the a and the a a a so ipv6 and kind of those c name the alias kind of records and i'm going to manually go and create those so i'll go and create a zone i can add records great if it's 
private well then that's just being used internally so for private i have actually a bunch of different functionality if it's a private one so i'm going to kind of draw this as a box so once again i can add them manually so i can add them manually but it can also have kind of this automatic registration capability and i have a massive number of different types of records so there's kind of the a the c name there's text there's service uh kind of the list goes on massive number of records available for this i pick the name of the zone exactly the same i would for public i pick whatever my zone name is but now what i can actually do is i can associate these private zones with virtual networks and the relationship is this so for a virtual network i can configure it to auto register any resources i create into this zone now the registration is such that for registration a virtual network that's kind of a terrible ah it's bad even for me registration a virtual network can register to one private dns zone for registration so i create a resource bob it will create a record in here called bob.savoltech.net that was the zone name but only one each private zone can be linked to up to 100 v-nets so up to 100 different virtual networks could be auto registering to this zone and the benefit here is that now they would have consistent name resolution across different virtual networks which brings me to v-necks can also i can imagine there are lots of other zones that i create i can also register for resolution i i don't want the resources to actually create records but maybe there's records in there i want to be able to resolve um ollie.savtec dot co dot uk or something so each v-neck can actually associate with up to a thousand private dns zones for resolution and each private zone can actually associate with a thousand v-nets so i think if i'm a virtual network hey resources can get automatically registered into one zone but i can actually get resolution i resolve this across 
different zones to up to a thousand so i have those kind of associations now the way the azure dns actually works is if i create a resource like a vm there is a ip address that just works that always represents azure dns so there is a 168.63.129.129.16. that is azure dns always so if i talk to that i am talking to azure dns and i will then get all these various resolutions and of course azure dns will also go and resolve internet zones it will go and do that for me as well now realize that ip address only works in azure if i wanted to go and talk to these private zones from on premises i'll have to have some kind of dns folder set up so it on premises it talks to some resource of dns forwarder and then that dns folder can talk to azure dns to actually go and get the records um so these private dns zones are global i can use them from any region any subscription any v-net any tenant i just have to have permissions on it again super super useful super powerful so that's the core about the name resolution now for the next part i actually want to think about connectivity for a second so we had this idea that we have a virtual network this one's getting kind of busy so let's draw another virtual network for a second so we'll draw another v-net being think of it it's not changing anything in terms of the concepts of just running out of space so we have our virtual network and great we can peer to things but we have things on premises i have maybe data centers buildings whatever that might be that i actually want to go and talk to and there are already two primary ways i can connect a virtual network to some other network now i'm doing this as on-premises this could actually be another cloud provider or something else it actually doesn't matter but i have some other network and obviously it is some ipsider range it is represented as some ip range here so i can connect using a site-to-site vpn which goes over the internet or express route there is also point-to-site vpn 
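Before moving on to connectivity, here is the NSG behaviour described earlier (rules checked in ascending priority order, first match wins, the default rules at 65000 and above, and the VirtualNetwork tag meaning the whole known address space including peered and on-premises ranges) as a worked simulation. This is an added example written for this page, not code from the video or from Azure; the address spaces, the ASG membership, the rule names and the traffic cases are all constructed assumptions used only to show the evaluation order.

```python
"""Simulate Azure NSG rule evaluation: lowest priority number first, first match wins.
Added example for this page; address spaces, ASGs and rules are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed lab addressing (assumptions, not from the video).
VNET_SPACE = ["10.1.0.0/16"]         # this VNet
PEERED_SPACE = ["10.2.0.0/16"]       # a peered VNet
ONPREM_SPACE = ["192.168.0.0/16"]    # learned over site-to-site VPN / ExpressRoute
# The VirtualNetwork tag covers every address space the VNet knows about, not just its own.
KNOWN_SPACE = VNET_SPACE + PEERED_SPACE + ONPREM_SPACE
AZURE_LB = ["168.63.129.16/32"]      # AzureLoadBalancer tag (health-probe source)
# Application security group membership: ASG name -> NIC private IPs (constructed).
ASGS = {"asg-web": ["10.1.0.4", "10.1.0.5"]}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    src: str        # CIDR, "*", a service tag or an ASG name
    dst: str
    proto: str      # "Tcp", "Udp" or "*"
    dst_port: str   # "80", "1000-2000" or "*"
    action: str     # "Allow" or "Deny"


def _match_addr(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in ip_network(n) for n in KNOWN_SPACE)
    if spec == "Internet":                  # everything that is not VirtualNetwork
        return not _match_addr("VirtualNetwork", addr)
    if spec == "AzureLoadBalancer":
        return any(ip in ip_network(n) for n in AZURE_LB)
    if spec in ASGS:                        # ASG = tag on NICs, independent of subnet
        return addr in ASGS[spec]
    return ip in ip_network(spec, strict=False)


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, lowest priority number first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto in ("*", proto) and _match_port(r.dst_port, port)
                and _match_addr(r.src, src) and _match_addr(r.dst, dst)):
            return r.action, r.name
    raise ValueError("no rule matched; a real NSG always ends with DenyAll at 65500")


# Azure's inbound default rules (these priorities and names are the real defaults).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]
# Custom rules: the video's "port 80 from anything to one IP", plus constructed RDP rules.
CUSTOM_INBOUND = [
    Rule(100, "AllowHttpToWeb", "*", "10.1.0.4", "Tcp", "80", "Allow"),
    Rule(200, "DenyRdpFromInternet", "Internet", "*", "Tcp", "3389", "Deny"),
    Rule(300, "AllowRdpFromOnPremAdmins", "192.168.10.0/24", "asg-web", "Tcp", "3389", "Allow"),
]
INBOUND = CUSTOM_INBOUND + DEFAULT_INBOUND
# Same rules plus an override of the default VNet-to-VNet allow: a user rule at 4000
# beats 65000, so peered/on-prem traffic is now denied unless a lower-numbered rule allows it.
LOCKED_DOWN = CUSTOM_INBOUND + [
    Rule(4000, "DenyVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Deny")
] + DEFAULT_INBOUND

if __name__ == "__main__":
    cases = [
        ("203.0.113.9", "10.1.0.4", "Tcp", 80),     # internet -> web:80, user rule 100
        ("203.0.113.9", "10.1.0.4", "Tcp", 3389),   # internet -> web:3389, user rule 200
        ("10.2.0.7", "10.1.0.4", "Tcp", 3389),      # peered VNet counts as VirtualNetwork
        ("192.168.10.5", "10.1.0.5", "Tcp", 3389),  # on-prem admin subnet -> ASG member
        ("168.63.129.16", "10.1.0.4", "Tcp", 443),  # load balancer health probe
        ("203.0.113.9", "10.1.0.4", "Udp", 53),     # falls through to DenyAllInBound
    ]
    for c in cases:
        print(c, "->", evaluate(INBOUND, *c), "| locked down:", evaluate(LOCKED_DOWN, *c))
```

The third case is the one worth noticing: RDP from a peered VNet is allowed by the default AllowVnetInBound rule, because "VirtualNetwork" includes peered and on-premises ranges; only the LOCKED_DOWN set, with an explicit lower-numbered deny, changes that, while the on-premises admin rule at 300 still wins over it.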
Point-to-site VPN connects a particular machine to the virtual network. So if I want to use a VPN, first of all, site-to-site VPN, we have to have a VPN gateway. So the idea here is we have a certain subnet (I won't do that color), we have a subnet, so we have a gateway subnet. Now the recommendation for that gateway subnet is to create it as a /27. It can be a /29, but the problem becomes, what if one day I want to use site-to-site VPN and ExpressRoute? They are different gateway devices; I wouldn't have enough space. So if you can, unless you're really short of IP space, you want to do this as a /27.

Now there are two types of VPN. So I'm going to create this VPN gateway, and they support different types of actual VPN. Now one of them is called policy-based, that's also called static routing, and the problem with policy-based is, well, I can only have one tunnel, it doesn't support point-to-site VPN. The way it works is it encrypts the traffic and then sends it to the tunnel based on some configured list of address prefixes that are allowed to travel. It's only supported by the Basic SKU VPN gateway, and it's really not very common, so I would not... think of this static, policy-based one as legacy. Most likely what you're going to do is route-based, i.e. dynamic. So what this does is it directs the traffic to a particular tunnel and then encrypts it, so now I have support for n number of tunnels, it does support point-to-site VPN, it does support coexistence with the ExpressRoute gateway if you were going to add that. So this is the smiley one, this is the one you're really going to want to use. And what we're essentially going to do is establish this connection over the internet. Now it is over the internet, so it's going to be a certain speed, and that's fine; it's encrypted, IPsec, so it's encrypted and secure. Latency: it's going over the internet, that could vary.

If we actually go and look at the gateways, we can see essentially, yes, there's this Basic gateway that essentially doesn't support point-to-site over IKEv2, only the old SSTP, but as you'll see later on in this document it really talks about how this is just not recommended anymore. So we really talk about these VPN gateways 1, 2, 3, the ones with AZ support, these Gen2 ones; you can see they have different speeds, different numbers of connections. We can see the speeds we can get, so we can actually go up to 10 gigabits per second, and notice we can actually have... how many tunnels can we have? Well, these high ones, up to 30 tunnels with that. Now what's important to realize, if let's say it's 10 gigabits per second and 30 tunnels, that 10 gigabits per second is aggregate. If I had one connection it could go at 10 gigabits per second; if I had 30 connections, their total is 10 gigabits per second, so I don't get that per tunnel. These are basically VMs; they have a certain amount of computational power to handle that IPsec encryption, so the speed is really governed by how much they can process. So it's not per tunnel; if I add 30 tunnels they're sharing that capacity of handling that computation.

Now to actually run these, I said these are virtual machines fundamentally, there are actually different models, because I can run them... if I think there's an Azure side and then there's kind of the on-premises side. Now I might just have one gateway on-premises, and on the Azure side I can run my gateways as kind of an active and a passive, so there's one public IP, and so the connection is essentially going to be that. But I can actually run them as active-active; so another option is I could do active-active where they each have their own public IPs, and likewise on-premises I could actually have multiple gateways, so then I would actually have kind of that very resilient set of connections. Or there's some combination; maybe I run active-active if I have one on-prem gateway, so it just establishes those. There are different combinations I can do. So what I'm thinking about here is, hey look, I create my VNet, I'm going to create my subnet, I create my VPN gateway, I create a local network gateway object which basically represents this. So there's some gateway here that has a public IP; so I create a local network gateway that gives me the public IP of my on-prem gateway and the IP address range it represents. Then I configure this gateway with whatever pre-shared key and the IP address of this, and I add the VPN connection, and then I'm happy and I'm connected.

The other option to connect is, I mentioned before, Azure has this massive global backbone network. Well, that massive global backbone network obviously connects into all the Azure regions etc., but it also extends out to a lot of kind of facilities called meet-me locations, and then I, with my network, could actually extend into those same meet-me rooms, where we kind of cross-connect the networks. Now this could be a direct connection, it could be I have an MPLS and my MPLS provider also can kind of onboard at this point, but with ExpressRoute what I'm basically doing is I'm connecting privately. So this is not going over the internet, this is kind of private connectivity. Now what I'm doing, I'm connecting my network to the Azure backbone network, the Microsoft backbone network; I'm not connecting to a particular region, I'm connecting my network to their network. Now I might have multiple locations, and actually one of the interesting things I can actually do with ExpressRoute is, hey, imagine I have this scenario: there's a feature of ExpressRoute actually called Global Reach. So what Global Reach actually lets me do is, via that Microsoft network, I can actually talk to my own facilities. Maybe I don't have some... maybe they're in different geographies, there's not some carrier to connect them; they each have their own kind of meet-me connection of ExpressRoute, their own circuits. If I turn on Global Reach, I pay for that, they can actually now talk to each other over that connection. So that's what Global Reach is going to do.

Whenever I have ExpressRoute, I drew two lines: it's always active-active, I have redundant BGP sessions, so it's very, very resilient. If I do ExpressRoute Premium I can actually connect to any Azure region globally; regular ExpressRoute is any region in the same geopolitical boundary. Price is based on the speed and egress. So if I look at my ExpressRoute, I buy a certain circuit, so I pay a certain amount; notice Premium costs more. Inbound is always unlimited, but there's no outbound included; I will pay for the amount of data that goes outbound. Or I can actually pick... there's an unmetered plan, I don't know if I'm not finding it in the right place... unmetered, so here it's unlimited egress as well, but I pay a lot more for the circuit. So those are kind of the options available to me.

So that's great, this is all about actually connecting to the Microsoft backbone, but I've not actually connected to my virtual network. So what we do on top of this ExpressRoute is, if I want to connect to a virtual network's address space, what I'm then actually going to do is something called private peering. Now this time I have to have an ExpressRoute gateway, so it can coexist, and now what's going to happen is it's going to establish over this that connection, so I'm linking this IP space with the IP space of my virtual network. Remember that peering option I had, allow gateway transit and use remote gateway? It could also be for peered VNets; they could use this as well. So now I've connected these spaces together. This can be IPv4, this can be IPv6. The same ExpressRoute gateway can connect to multiple different circuits for resiliency; likewise a single circuit can be connected to multiple ExpressRoute gateways, different VNets. Different gateways support a different number of connections. So by default, if I look at the ExpressRoute circuit, this is all about Premium, but only because... notice ExpressRoute circuits per region per subscription is kind of 10, but then it talks about the number of virtual networks. So it's 10 for a Standard, always, no matter what the speed of the circuit; I can connect to 10 different virtual networks. If I add Premium, I can actually connect to more, so with Premium I can connect to... as the speed goes up, so too can the number of virtual networks. Likewise the different virtual network gateways for ExpressRoute, depending on the SKU, support a different number of circuits I can connect to. So the minimum is four, but if I get the really, really big ExpressRoute gateways, that can obviously do a higher amount of traffic, higher bandwidth, then I can actually connect to more circuits as well.

Key point about ExpressRoute: traffic coming in goes via the gateway; traffic going out does not, there's no point, it goes straight to the kind of Microsoft Enterprise Edge routers. If you actually looked at the routes you would see the next hop for this IP space is not the IP address of the gateway, it's the IP address of the Microsoft Enterprise Edge. Inbound, there's a feature called FastPath; if you turn on FastPath (and I have to have the Ultra gateways to do this), even the inbound traffic doesn't go via the gateway, it will go directly to the target, so it will reduce my latency, so I'm taking out a hop as part of the direction. So that's private peering.

Now realize there are other resources: there are storage accounts, there are databases, there are all these other things that essentially, as I showed you with those service tags, are all available via a set of kind of public IP address ranges. So the other type of peering we can actually do is called Microsoft peering. What Microsoft peering does is we actually create something called a route filter. Now in that route filter what we're actually doing is we're listing the services that we want to be advertised over ExpressRoute. So we have this list of the services, and now the IP addresses of those services get kind of advertised down through BGP, which is how we announce how these routes are available, how you get to something. So now when someone here wants to talk to some service that's been offered, instead of going out via the internet it will go over the ExpressRoute connection. So that's what Microsoft peering is all about. And again, if we look super, super quick (I'm going to shut these down quick, too many tabs), if we look at a route filter: so we would create the route filter, and then what we do is we add the service communities, which are really the same as kind of those service tags. See all the different types of service that I could make available; if I checked the box, then these communities, which are those groups of IP ranges, would now get advertised as part of this route filter. So I would add all the services I want to be made available, and then I would associate this with a circuit, so then that circuit would use this route filter and would obviously then offer all of those various services. So that's how I would use that.

Now one important consideration just when we do think about kind of ExpressRoute: it is over a private connection, so it's not encrypted. So by default there is no encryption just natively with ExpressRoute. Obviously if the service I'm talking to is HTTPS, for example, then it's encrypted. There are things I can do: if I use something called ExpressRoute Direct, which is where I have kind of my own set of ports at the meet-me, then I can think of MACsec to encrypt just over at the meet-me location, but that's still not end to end. One thing I can do if I really needed that end-to-end encryption is I can actually run the VPN gateway over ExpressRoute, so I could actually have a site-to-site VPN running over my private peering so I get that encryption. So that is possible.

Now with all of this, you can kind of see, hey look, I'm setting up peers, I'm setting up gateways, I'm setting up connections, and I can absolutely do that, but there might be scenarios where I really just don't want to get into that kind of business, I don't want to be setting those things up, and so you may hear of a thing called Virtual WAN. So this is really a managed kind of black-box service where I create this Virtual WAN instance; often I would have kind of one of these per region, and the whole point of what Virtual WAN is doing is it has managed virtual networks, we don't really see this, but what I can then do is... there are two different tiers really of Virtual WAN. So there's this Basic tier; so the Basic tier, it supports kind of site-to-site VPN connections, so that's kind of the Basic. And then there's a Standard tier, and so I can also do site-to-site VPN with the Standard tier. With the Standard tier I can also add things like, well, I can use ExpressRoute, so again that's kind of that Standard tier capability. I can have things like, remember those, I can have a point-to-site VPN, again with kind of that Standard tier only. And also, the whole point here is I have different VNets that I would kind of have peered to this; one of the nice things that Standard does is it enables that kind of transitive communication between them. The other thing I could obviously do is I might have other Virtual WANs in other regions, and so with Standard I get those kind of... I can connect them together. So Virtual WAN, the whole point of this is it provides that managed kind of connectivity solution for me, so I don't have to worry about the gateways and connecting things. There's a secured Virtual WAN where Azure Firewall runs in here as well, so that's kind of a really nice solution I can leverage.

Now when I think about routing, another thing Virtual WAN does is it makes it easy for me to control kind of what component can talk to what component. I showed the idea that I can modify the routes, so something that's going to be in the test is user-defined routes. Remember I showed you the whole idea of those route tables that I link, so I can modify the next hop: so, hey, normally I might go directly to this location, but a UDR lets me change my... hey, I want to make it go a different route, so I can configure those things.
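The route selection the effective-routes view and the user-defined route discussion above rely on, as an added worked simulation written for this page (not code from the video or from Azure): Azure picks the most specific matching prefix, and when two routes have the same prefix a user-defined route beats a BGP-learned route, which beats a system route. The spoke and hub address spaces, the firewall private IP 10.0.1.4 (deliberately in a different VNet from the spoke subnet), the on-premises range and the 192.0.2.0/24 placeholder standing in for a service-endpoint prefix are all constructed assumptions.

```python
"""Reproduce how Azure picks the effective route for a destination: longest prefix
match first, then on equal prefixes User (UDR) > VirtualNetworkGateway (BGP) > Default.
Added example for this page; all addressing below is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str        # VirtualNetwork, VNetPeering, Internet, None, VirtualAppliance, ...
    next_hop_ip: Optional[str]
    source: str               # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP)


def effective_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the route Azure would use for dst, or None if nothing matches."""
    ip = ip_address(dst)
    matches = [r for r in routes if ip in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))


# Constructed lab: spoke VNet 10.1.0.0/16 peered to hub 10.0.0.0/16, Azure Firewall at 10.0.1.4
# in the hub, on-premises 10.50.0.0/16 learned over BGP, 192.0.2.0/24 as a service-endpoint prefix.
FIREWALL_IP = "10.0.1.4"
SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", None, "Default"),
    Route("10.0.0.0/16", "VNetPeering", None, "Default"),
    Route("0.0.0.0/0", "Internet", None, "Default"),
    # Azure's built-in RFC1918 "None" routes: traffic to these is dropped unless something more specific exists.
    Route("10.0.0.0/8", "None", None, "Default"),
    Route("172.16.0.0/12", "None", None, "Default"),
    Route("192.168.0.0/16", "None", None, "Default"),
    # Added automatically when a service endpoint is enabled on the subnet.
    Route("192.0.2.0/24", "VirtualNetworkServiceEndpoint", None, "Default"),
]
BGP_ROUTES = [Route("10.50.0.0/16", "VirtualNetworkGateway", None, "VirtualNetworkGateway")]
# The UDR table associated with the spoke subnet: default route and the peered hub via the firewall.
UDR_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "User"),
    Route("10.0.0.0/16", "VirtualAppliance", FIREWALL_IP, "User"),
]
SPOKE_ROUTES = SYSTEM_ROUTES + BGP_ROUTES + UDR_ROUTES


def describe(routes: List[Route], dst: str) -> str:
    r = effective_route(routes, dst)
    if r is None:
        return f"{dst:>14} -> no route"
    return f"{dst:>14} -> {r.prefix:<16} {r.next_hop_type} {r.next_hop_ip or ''} ({r.source})"


if __name__ == "__main__":
    for d in ["8.8.8.8", "10.0.2.9", "10.1.0.9", "192.0.2.10", "10.50.3.3", "172.20.1.1"]:
        print(describe(SPOKE_ROUTES, d))
    # Sending on-prem-bound traffic through the firewall needs a UDR with the same /16 as the
    # BGP route; the 0/0 UDR alone loses to the more specific BGP-learned prefix.
    forced = SPOKE_ROUTES + [Route("10.50.0.0/16", "VirtualAppliance", FIREWALL_IP, "User")]
    print(describe(forced, "10.50.3.3"))
```

Two of the outputs are the gotchas a practitioner hits: traffic to the service-endpoint prefix never reaches the firewall, because the /24 endpoint route is more specific than the 0/0 UDR, and traffic to 172.20.1.1 is dropped by the built-in None route for the same reason. Both need an explicit, equally specific UDR if the firewall must see them.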
Remember with a site-to-site... so the software-defined networking, which is what we're dealing with here: in a physical network, when I have routes, my next hop has to be something typically on my subnet, because it's the next place it's actually going to, so I have to be able to get a direct path from where I am to that thing I want to talk to. In software-defined networking that is not the case; I can absolutely have this scenario, and you saw when I showed you those route tables my next hop was actually something in an entirely different virtual network. I can do that in Azure; I don't have to have multiple NICs, and again, a virtual machine can only have NICs in the same virtual network. I could have them in different subnets, but I can't span virtual networks with a single virtual machine. So the whole point is, hey, these route tables, this user-defined routing that I leveraged over here, I can override those default routes, and I showed you before how I can actually go and view those.

Now the next thing I really kind of want to talk about is controlling the flow to PaaS services. So PaaS could be something like, hey, a storage account for example. Now I had the idea of an NSG, and remember we saw those service tag ideas that could represent a certain service, so I could restrict access to maybe Storage or SQL databases or Cosmos through the NSGs going in that direction. But I always want to think about what are the other ways I can kind of control accessing services that don't exist within my virtual network. So if I took this example here, for example, and we give it some more subnets over here, so we've got like a subnet 2 and a subnet 3, remember there are these other services; so for example maybe, hey, yeah, I've got another storage account, storage account 1. Now most resources actually have their own kind of firewall native to them, so in front of this there's some kind of control, so I can control what is allowed to talk to that particular instance of a service. Now ordinarily what I would do with that is I could control, hey, from these public IPs allow or disallow communication. But if I wanted to control access from something in a virtual network, remember these are private IP spaces; this wouldn't see those IP addresses, so I can't say, hey, allow access from this private IP range, it wouldn't work. So the way we actually do this... there are a number of different means to control access to services.

The first thing we can actually do is something called a service endpoint. So the way service endpoints work is basically I make a certain subnet known to different types of services. So I can add a service endpoint for, let's just say, Storage, just as an example. So now subnet 2 can be known by storage accounts, and then what I can say is on this particular instance, I'm going to say I want to allow subnet 2. Additionally, what the service endpoint does is it actually gives me kind of a better route as well. So it knows it's talking to a public endpoint, which is normally via the internet, and even without doing anything traffic does not bounce out to the internet; Azure is smart enough to know, before it hits the internet, hey, actually this service is accessible on my backbone, and it will keep it on its internal network, but there are still going to be some various hops around there. When I add a service endpoint, actually you'll see this also in the route table, it adds a special kind of route that says, hey, I know what you're trying to do, here's a more direct path. So service endpoints enable me to make specific subnets that I enable known to types of service, so then on the firewall of that service I can say, hey, only allow traffic in from this particular subnet.

So if we were to go and look, if firstly we look at the virtual networks, so if I look at one of my virtual networks, and I look at my South Central one and look at my subnets, I use this InfraSubnet all the time, this kind of first one; so what we'll see is service endpoints: I've enabled SQL and Storage. So on that subnet I've enabled those two; there are a bunch of other ones that I could enable as well. And what has that already done? So if we super quickly looked (again, this is more detail than you probably really need to know), if I was to go and look at a resource, if we looked at networking for that and we looked at its effective routes, just by adding that service endpoint, what we'll see is a whole bunch of basically address prefixes. Now it'll have a special type of communication; so notice these VirtualNetworkServiceEndpoint ones. So it knows for all of these services that I lit up for that subnet, it has a different... it's not the default internet, it's actually going to take kind of a different route, a more direct route. But the other thing that has now done, because I lit that subnet up, if I now go and look at an example of one of those services, so if I look at my storage accounts for example (this is where you'll see, I can't remember what the right icon is for storage accounts, there we go), if I go and look at one of my storage accounts that's in here. So what we're doing here now, this is common across most of the PaaS types of services, but one of the things you actually see is we have this networking option right here. Now if I go look at my networking, by default it just enables connectivity from all networks. If I do selected networks, it's doing a number of different things, but I can add particular IP ranges; you can see down here kind of the firewall, it knows my client IP, so we can automatically add that, or I could add particular ones. But also what I could do is add an existing virtual network, so at this point it's going to show me all the various virtual networks in the same region, and then from that I can then pick particular subnets. Now notice for that InfraSubnet I enabled the service endpoint for, it's just kind of available to check. Now what it is offering is like, hey look, this one needs a service endpoint, required, but it would actually do it for me, it would actually go and create the service endpoint, so I can do it all in one go. But generally you'd go and set up the service endpoint on the particular subnet, and then I could actually go and light it up on the firewall of that particular PaaS service to actually go and enable it. So that's the whole point about service endpoints: it gives me that ability to make a particular subnet known to all types of a service, gives me a nicer route, and then on an instance of that service I can then at the rule level say, hey, allow this to come in. Service endpoints are not usable outside of that subnet, so only for resources that actually live in that subnet. So if I'm actually kind of a VM in here, great, I can use that; if I'm on a peered network or on-premises, I can't use that route to go and get there.

So there's another type of resource. So the other thing we have is a thing called a private endpoint; this is part of Private Link. So ordinarily, remember, these have public IP ranges, we can kind of see those, so there's a bunch of IPs for a particular instance. So let's take another instance called storage account 2. This could be a Postgres database, it really doesn't matter; it has certain public IPs. What I'm now going to do is I'm actually going to go ahead (we'll use a different color so we can distinguish between these), I'm going to create a private endpoint. So a private endpoint uses an IP address from the particular subnet; it's like a virtual network interface, and it represents a specific instance of the service. Now the public IP no longer works, and there's some special DNS. So if I'm using like the Azure private zones, it can kind of create these records for me, but now it creates a special Private Link version of the service that actually points to this private IP instead of those public ones. And because it's just an IP address, I could be on-premises through a site-to-site VPN or private peering; as long as I have this kind of DNS set up that says, hey, for this Private Link variant of the name go to this IP address, which is just a regular IP from the subnet, it would actually work. So this can actually be used from all different places.

So if we saw this super quickly: so firstly if I go and look at, let's look at a different storage account, so I actually have a private link demo storage account. Now firstly this storage account actually has a bunch of endpoints, so there's a particular name; as you can see there's one for blob, and I'm actually going to copy that. But then what I've done is I've actually added... I go to networking, private endpoints, so I've actually added private endpoints for the different types of service: there's one for blob, there's one for files for example, and those get added into a particular virtual network. Now as you might kind of guess, the actual virtual network I used was my kind of South Central infrastructure one, and what you'd actually see is you see all these weird types of things, but it actually just used an IP address. So if we look at the name, so notice these two names here, that's my blob and my files, and they just got IP addresses from that virtual network. So now I can access the service using that private IP. Now the way this actually looks: so this is a virtual machine within that network, and if I did an nslookup for that regular kind of name (so let me just get that name that we just did), notice what's special: so what actually happens over here is we get this alias to a privatelink variant of the name, and what you see is it now resolves to that private IP address instead. So I just need consistent DNS resolution, and now when it accesses that it will just go and use that particular IP address, so it will now use the Private Link connection instead of having to actually go via some public IP; it's using it from that special zone.

Now the other thing you can actually do here that's super cool is it's not limited to kind of Azure PaaS services. Imagine I had my own service; so imagine for a second I have some other virtual network, and I've got a VNet over here. Remember I talked about how I can't peer things that have overlapping IP ranges; maybe this overlaps, but over here I've got some service and it's sitting behind a standard load balancer. I can add it as a Private Link service, and then I can actually add a private endpoint to that service; I can have it from multiple places. So now I'm adding my own Private Link enabled service, which again could be accessible to any connected network as well. So it's not just Azure PaaS services; I can really go and add really anything I want. So those are kind of the two ways that I can control access to other types of service from my virtual network.

Now, talking of a load balancer, okay, load balancing. Load balancing is super, super important when I think about Azure; a key point of what we want is normally scale. I want multiple instances of smaller things so that I can delete and add them, so I only pay for what I need with whatever kind of amount of work is coming in at any one time. So what we'll have the idea is, though, I don't want to give clients, so someone using it, different IP
addresses for instance one two and three so we need a load balancer so that load balancer has some kind of front end ip address that the client can go and talk to now the first load balancer very simply is the azure load balancer now this is a layer 4 load balancer i.e it understands tcp udp the idea of a port has zero clue about http https any of those things so it's kind of the protocol the port and then i can think about well i understand the destination and the source kind of ip address that that's what it is really basing things around so i have a front end ip and what i essentially want to get to is i have pools i have a back end pool one which has got different resources in it offering a service maybe i've got a back end pool too which links to a different resources maybe different websites or something some service so then what we have is we actually have our load balancer so we create our load balancer and what we have on the load balancer is really just rules so we have sets of rules and the rules are really just based around the idea of hey i have a hash based distribution so i'm distributing and it creates the hash based on five protocol port destination source and the port one each time three or two so i have these different kind of distribution options of five three or two tuples ie again destination ipn source ip ports on each side and then the protocol so if i have to match on all five of those so the source ip and source port and destination ip and source port and protocol all have to match that's five tuple but maybe i say i don't care if the port changes so it's just destination ips also p and the protocol that would be three tuple two tuple would say i don't even care if the protocol changes as long as the destination ip and source appear the same match so it's how sticky i want to be with whatever that distribution is to that back end set so we have these distributions we also have the idea of a nat rule and that rule really is just kind of a 
certain port goes to a specific resource i.e hey this port make it go rdp to some virtual machine over here there's also health probes to go and check if they actually exist but essentially what these rules are doing saying hey this front end ip if it matches these things i might just go to this particular back end pool now these front end ips are either internal or external so it's an internal load balancer or an external load balancer it cannot be both i can have multiple ips but they're all of the same type either all internal from the virtual network or they're all public ip addresses if i want to be able to offer things internally and externally i'd have two sets of load balancers so we can kind of see super quick if we jump over and look then we look at load balancers i have a super simple load balancer here i have a front end ip so this is external it's a public ip address i have a back end pool that's made up of a virtual machine i can pick how i'm checking for the health i have load balancing rules so i'm doing ipv4 tcp you can see the mapping session persistence so notice i can say take just client ip or client ipm pro school so that's kind of the five three and two tuple options that i can kind of do from there and various other more advanced options i talk about in other videos it's a bit too much detail than what i want to cover in this cram but basically hey i can map all those different things um together through there but look at this rule my back end paul i've got two resources and there is both kind of a free and a standard version of the load balancer so if it's the free one then i can have up to 300 backend resources they have to be either from the same availability set or the same vm scale set also there's no paid sla because it's a free resource if i do the standard then it's up to a thousand in the same v-net and i can actually point to ip addresses or i can point to kind of nicks it has availability zone support so i can be like zone 
redundant or zonal i can pin it to a certain one so i have different options actually for this for that load balancer so that's my my basic um load balancer right there that's my layer four and give me those different capabilities i remember i must match the sku so this is a public this is a standard i have to have a standard public ips go with my standard load balancer you really kind of have to bring those all together so that was a layer four but then also we have the idea of kind of a a layer seven so remember layer seven would really be the idea of hey layer seven is i understand http um https i understand websockets http 2 so i have all these kind of different things and if we're staying as a regional solution i this is resilient at a region level this is not a global resource the solution here is azure app gateway now it's important to like if it says hey this is a http site i want to try and use the best load balancer because if it understands like http i can do things like session based affinity ssl offload i can do routing based on the url on the fully qualified domain name so i get additional capabilities so if it says hey http workload what load balancer should i use could i use this one sure but i don't get any value ads capabilities for http https to websockets whereas this i would and it some of the concepts are similar once again again i have kind of the idea of a front end ip now this time i always have a public optionally i can also have a private this actually deploys into my virtual network now the way this kind of fits together is obviously an ip has lots of different ports so what we create is a listener and the listener is tied to a particular kind of front end ip configuration on the listener i can perform certain configurations hey do i want to do for example ssl offload certificates i'm kind of using there's also different types of listener rules there's kind of a basic rule that says hey everything to that i'm just going to send you to a 
particular rule well there's actually multi-site listeners so a multi-site listener what it lets me do is i can essentially use the same i can have multiple listeners using the same front end ip and what i can now say is hey based on the fully qualified domain name or part of it go to a particular rule but a different fully qualified domain name go to a different rule so i can route things differently so these use rules so this uses rules and the whole point of rules is basically hey again there's those basic rules there's path-based rules so i can actually look at the path and one of the great things this can do is i can do that and look at do the ssl offloading so i can actually then see the path which is part of the url after the fully qualified domain name and then route so if it's going to blog or go to one set of backends if it's shopping cart go to a different set of backend so i can do that i can even do a rewrite i can change part of the url to make it behave differently there are things like http settings and those http settings actually tie into those rules like affinity encryption but ultimately what happens is once again i have different back end pulls and so based on those rules based on the url whatever those things might be i send it to different groups of resources so we have a whole bunch of nice capabilities um the standard v2 skew of the app gateway has things like auto scale zone redundancy or it's zonal but it's all those really same components these back ends can be a virtual machine a virtual machine scale set an ip address a fully qualified domain name and app service uh it can even be on-premises resources i'm accessing via kind of a site site vpn express route it can even be a public endpoint a public ip once again there's health probes going in on all of this and all these various capabilities if we quickly jump over so if i go and look this time in my app gateway we can see i've got one and we can see all those different things in 
action so we have the idea of a front end configuration so as a public and a private i have various back end pools so we've got a couple of virtual machines for my back end pool then we have the idea of the http settings that member is used by the rules so a different types of affinity options in there then i actually have my listeners so i've got a kind of a basic listener then i have the multi-site and in the multi-site notice we give it parts of the url so we're called different rules based on parts of the fully qualified domain name then we have the rules themselves in this case hey for this listener send it to this group of back-ends with this particular http settings and all that good kind of stuff so there's a whole bunch of options there there's actually a nice feature in the portal if i just type load balancing help me choose he has this really nice service comparison so it shows me hey what's supported by the different solutions um are they regional or are they global and then what are the supported environments it tells you what the back ends can be so this is actually really nice to go and quickly understand what are the different capabilities what security is available so you'll see the two we talked about app gateway and load balancer are not global load balancing so those services these are existing in a particular region so both of these this app gateway and the azure load balancer these are regional solutions they exist and are resilient just within that particular region that region goes down it's deployed to it's not available anymore now there are global solutions and kind of like there's different layers here there are global solutions so for example globally at layer 7 it's azure front door and that has a whole bunch of very similar capabilities where it can do different kind of ssl offload different types of affinity can do rewrites and redirections so that's kind of a layer seven global for a layer 4 global then there's actually an azure 
global load balancer which is essentially can point to regional regular load balancers that's the layer four there's also a dns based solution so that is azure traffic manager azure traffic manager gives you a new name and then it has different targets that it can point to that would then resolve it's a way of again balancing between these regionals if i had different regional deployments again i don't want to give a customer a different regional endpoint so i'd give them one of these global solutions that again would check the health of those different regional solutions and would point them to it so that's kind of the goal about those so i'm not gonna go into any more detail about that but if you're interested the that study cram the sc700 i go into detail on those i have a whole bunch of other videos that go into those details so now i want to shift tact completely so now let's actually go and talk about storage so this was all networking and there's networking is by far i think the most complicated part of azure um it's networking now let's talk about the storage part i think this whiteboard is getting too big and this new whiteboard app is struggling with the amount of data i'm writing on this so i'm going to have different types of data i might have structured so maybe it follows a particular type of schema so i can put in a database it might be unstructured i need to put it just in a binary large object maybe a data lake the data could be disks being used by a virtual machine or container instances so we have different types of requirement actually for our storage needs but the most basic fundamental building block is a storage account so if i think about storage we have this idea of a storage account now that storage account has different attributes so that storage account has a certain name now what's interesting this is one of the first azure types of resource this name has to be all lowercase and it has to be globally unique so across all of azure this 
name has to be unique i deploy it to a particular region so if i actually go and show this very quickly we could actually start building one of these out so if i go and look over here and i just go to storage accounts and i say create i everything gets deployed in a resource group but you give it a name now notice here if i try and do an upper case it complains hey lower case letters numbers only between three and 24. so i need to pick something unique if i was to try and do storage one i'm gonna get someone's taken out already so i'd probably use my company name sav tech s a maybe my region as part of grab a naming standard 01 and that's that's good it deploys to a particular region so i pick the region now the region i pick is probably going to be the region where i want to use this service there's probably going to be some compute service that's going to talk to this i would want it in the same region as the compute service so i have that low latency so a great connection between them now before i go any further into the properties of kind of the storage account because we're kind of there's a whole bunch of different things i can do there are different services exposed through a storage account and storage account is very very versatile so the basic we have a blob a binary large object there's actually different types of blob so there's block blob which is the name suggests is made up of blocks so this is just general data and this can get really really big then there's a page blob which as the name suggests is made up of pages and that's really optimized for random kind of read write across all of the this is very commonly used for disks because i want to be able to randomly read and write from anywhere and then there's actually something called an append and as the name suggests this is optimized for add operation so i'm appending to the end of the blob if i had a log for example append would be super super useful for that and one of the nice things is when 
we talk about role-based access control well this has support for data plane azure role-based access control so i can create a role that gives me permissions to operate across block um so i can actually go and do things then the next service is files so if you've ever used like an nfs file share on smb file share that's what files is so it was primarily smb but they do now have the option to add nfs as well now for its authentication it can actually tie into active directory so there's a way i can hook into ad and use that for the authentication then we have cues really kind of a first in first out experience some small up to 64 kilobyte in size unit of data and then tables it's a table there's no schema but it's really this structured non-relational data i think about like key value pairs that make up the entities so it might be easier to just kind of look at one of these super super quickly so this is storage explorer this is a free tool for microsoft and it's really good to kind of get a quick understanding of these so if i look at my dev subscription and i'll look at my storage account i can see i have different types of service blob file shares queues and tables if i look at blob so blobs are organized in containers so i have a container called images and here i can see hey i have just these files they're media files it can be any kind of unstructured data if i look at my file shares well i have a file share this would then be accessible via for example smb in my case here now i could also access azure files through the restful api so i have different options for how to talk to that a queue is i just deposit some message so test message one and then something else might dequeue the message so it's a first in first out messaging and then tables there's no schema it's just sets of key values and i can have anything i want in here i've got various ones about the justice league with different attributes but you can see i i can really add anything i want so there's 
existing property names but i could add a new property name to add it to my particular entry so that's really useful if i have that kind of requirement now what's actually going on behind the scenes is if i was to look at a storage account for a second we look at the same storage account so likewise i can see the containers so i can see all those same things i could create new containers i could see my file shares and notice this is where i could integrate things like active directory and i'll i'll come back to this a little bit but as part of this if i add new file share notice it's kind of transaction optimized hot core so i can set different characteristics on there but depending on the way i'm doing this i can actually do things like nfs as well um when i actually use this it's one or the other and that's in my cues and my tables so there are default endpoints to actually go and get to these various services but you can actually add custom domains as well so these are kind of the default different names that i have for my different services in here but absolutely some of the things you could do is i could add custom domain names if i wanted to to actually have a different name to use for that communication now there's also different actual capabilities added to these services like a static website i can actually host a very basic website just by storing it in my kind of blob area i have configuration where i can go and enable and disable different types of capabilities but there's a lot of rich functionality to this so it's way more than just some very very basic simple thing now if i was to continue doing that creation for a second the next big thing you kind of see is this performance so you see this option of standard or premium and if it's standard it's telling me it's going to be a general purpose v2 account whereas if i pick premium now i pick the type of object i'm going to put into this because it creates a different type of account so when i think 
about my storage account in addition to those attributes well i also have performance so again the standard is really kind of hard disk drive based whereas the premium is built on kind of ssds it's really not picking up the writing very well anymore um but that's premium it's more ssd based so i get lower latency as high performance but then we have to pick a particular type of account so standard it's going to be that general purpose v2 so i'm pretty much use all of these types of features when i do premium then it's a particular type so it's either block so i can only put blocks or it's page or its files there's no concept of a premium queue or table you just don't need it now the next thing we have you might see it was a replication option and this is really important so when i think of replication this is really about the redundancy so i have a replication i think the actual naming on the site is redundancy yeah so redundancy and there's different options there's always three copies of your data so if i think for a second let's dive into that replication we have the idea remember of blue a region so i can think about a region and remember some regions supported availability zones they didn't all but some of them did so for some of the regions i actually had kind of those three availability zones and i have a whole deep dive video on availability zones if you're interested but if it doesn't just think about it as a certain building so the different options i have is firstly locally redundant storage lrs so with lrs there's three copies of your data but those three copies of the data is all kind of in the same storage stamp my next option is kind of zrs zone redundant storage now if the region doesn't support availability zones this won't be an option but now i still have three copies but those three copies are now distributed over the three availability zones in that region so now i've got a better resiliency i can now think about remember those paired regions 
so i have there's another region hundreds of miles away where it has multiple data centers i'm just going to draw one so my next option for my data storage is grs so with grs there's three copies of the data in one facility and then there's another three copies in a facility in that paired region hundreds of miles away and then finally we'll do orange there's g z r s so here the three copies are distributed over three availability zones but then with the redundant region they're in kind of the same facility so that's gz rs and there's also an optional kind of read access variant of those so that lets me do is for blob queue and table but not files i can actually get read access so if i do the ra variant then i can actually go and access for reading only that asynchronous remember this is always asynchronous because it's hundreds of miles apart so it's going to be behind by a certain amount now if you're curious about all how much is it behind this asynchronous copy you can actually go and look so if i go back to a storage account for a second and this time let's look at my two firstly we can see the geo replication so i can see that in there and it will show me hey look because this is a grs replication storage account so i can see that in there it shows me the primary in the secondary regions so hey i can see where i'm replicating hundreds of miles apart but if i do prepare for failover it will actually show me hey this is the last sync time so if i was to fail over now i might lose that data yes it's sunday morning i started recording this just before 6am i'm in a rush so i've got to take my kids to dave and busters at 11 o'clock so that's our sunday fun time so i started recording this extra early so this last thing was at 9 17. 
um so i can actually go and look to work out hey this this is where i am right now so it is asynchronous but i can actually go and see now there are um lots of other capabilities on the storage account now i'm definitely not going to go through them all but there are things that i can enable a data lake so it makes it a hierarchical namespace so that actually has true folders rather than a virtual file system that's really just part of the name which is kind of faking it so i can actually do that i can set things like a default um tier the access to your hot or call i can do things like disable the storage account key which i'm going to talk about in a second but i can actually go and disable that kind of over here if i'm allowing public access there's a whole set of different configurations once again it has the idea of its own firewall network configurations as i showed previously now i want to double click a little bit into some of the services so one of the very common things let's try this again um let's try it one more time okay i think that's hung okay so this is the brand new version of the whiteboard it's obviously having a few issues all right so we're gonna close that a second technical challenges let's hope it hasn't lost all my data so we'll start that again fingers crossed okay apologies for that i had to reboot my entire machine against a new version the whiteboard out i think they're still working out some bugs so when i think about blobs for a second um again they live in a container and often i'm going to want to get a large amount of data actually kind of into my blob and there are many many different tools i can use for that like i can absolutely go to the portal and i can upload but that's not going to work for a large scale there's things like storage explorer that's that tool i showed earlier that's like really nice to do that there's a tool called az copy which is a really powerful tool that comes multiple threads to like a bulk move this is 
like data box so data box is an appliance that microsoft will ship to your data center i plug it in i can copy data to it over kind of for example smb nfs apis to get data onto it and then i should get back to microsoft and they'll read that into my storage account so i have a huge amount of data i want to move offline data box is great for that or there's data box disk where's individual disks um there's also things like data factory so that's a service in azure that's really a data orchestration solution it can integrate with blob but just lots and lots of ways to get data actually in here now when i think about this for example the actual data i'm storing i pay based on different types of interaction i pay for the amount i'm storing then i actually pay for the transactions the interactions now i might have some data i'm constantly interacting with and if i want really really high performance well that's when i would pick that kind of premium performance tier but if i don't need that really low latency top performance but there's still different ways of interacting maybe i integrate a lot maybe i interact very little maybe i just need to store it but i have no intention of interacting with it in any kind of timely fashion if i do need to interact i could wait a few hours to get access to it so when i think about this there are actually tears so obviously there's that performance tier which is a different type of account but then even within just standard i can think there's a hot tier there's a call tier then there's actually an archive tier and again there's the premium but that premium tier that's a different type of storage account completely so i actually have to create a premium type of storage account whereas these three they all live within standard so these are all part of kind of my standard storage account now the point of this is it costs more to store it the higher the tier but i pay less for the transactions whereas archive is super super cheap so i 
could keep stuff for years and years but i can't interact with it live i have to bring it back so if i was to go and look at for example one of my storage accounts so here if i just pick one of kind of my accounts um let's look at my images again over here you'll see at a per blob level i can set the access tier so i've got some of them in hot which is the default i could change that to call as a default i've moved one to call move one to archive and the whole point of this is so i'm paying less for the archive for the storage but i can't actually interact with it i would have to bring it back to cool or hot and that might take many hours unless i do a premium move to actually do that now i can manually set these tiers what is actually something nice called life cycle management so life cycle management lets me actually go and i can create rules and what i can do with these rules is well i'll just create some name based on hey when it was last changed or even just last accessed i can do different things hey i can delete it i can move it to call i can move it to archive so this lets me have a kind of automated life cycle management to use those tiers so i really think about leveraging that and i think this board has crashed again but i could use the life cycle management to actually interact so imagine there's life cycle management now and what i'm going to do is i'm just going to start a new board because clearly it can't handle um the sheer sizes i apologize um but i will start a new board with this okay so now we have a nice fresh board in the download below i will try and kind of put these back together so you can see it in kind of one goal but the whole point is those different tiers you can bring them together now another thing i can actually do is we talked about that replication i can do an actual container object level replication so one of the nice things i can actually have is imagine i had kind of my blob remember that blob can contain different 
containers so maybe it's kind of container one and container two and ordinarily at the storage account level it will just replicate to the paired region with object level replication maybe i've got a storage account too i've got a storage account three these could be in other regions and i've got a different container here and i've got another container kind of here and what i can do is i can say hey this container replicates there this container replicates there so that is object level replication so i can be more granular actually in that configuration so if we go and look at this quickly so what we see here is under object replication i can actually set up replication rules so i can say hey this is the storage account i want to replicate to and from this container i want to replicate to that container and i could go and add another rule for a different storage account so i get a lot of flexibility actually for that different types of capability and what i want that replication to actually be now what this functionality actually does if i was using this is there's actually some really nice capabilities actually part of blob so this idea of data protections now i'm integrating with azure backup so azure backup is telling it to go and create blob snapshots at certain points in time but you have this idea of soft delete for containers if i delete the container i can kind of undelete the container i have soft delete for blobs i have point in time restore so point in time still lets me go back to kind of any time over the last 14 days and it does that by using soft delete for blobs versioning and a change feed so if you put all of those things together i can actually go back to different point in time so that's a really nice way to actually get protection actually for my blobs now files also has some really great capabilities so just like blob files also has the idea of those different kind of tiers now for files it has the idea of kind of again there's that 
performance, different type of account, but then there's transaction optimized, hot and cool. There's no archive, but I can pick that tier based on performance and again I pay differently: I pay more for the storage for transaction optimized but less for the actual transactions. If we actually go and look at the pricing calculator we can get an idea. Blobs is the same idea, so we have this idea that hey, how much I pay to store it: so I pay a lot for premium for the actual storage, I pay less for transaction optimized, I pay even less for hot and even less for cool. But then if we actually go and look at the transactions, well, I don't pay anything for transactions against premium, I pay some for transaction optimized, I pay more for hot and even more for cool. So it's this idea of how am I interacting with the data; I want to try and optimize that. So if I know I'm going to interact a lot, it probably makes sense to have transaction optimized or hot; if I'm just storing it for retention and I don't anticipate interacting with it very much, I can use the cool options, that's going to be the best choice for me. And just like Blob there are snapshots that I can leverage for Azure Files. And as I talked about, one of the other things I can do with Azure Files is for the permissions I can't do Azure RBAC, but what I can actually do is, if I was to go and look for a second, let me find my AD one, if I go and look at my shares, notice I've got this Active Directory configured. So here I've actually integrated it with my on-prem regular Active Directory Domain Services; the storage account actually has an account in my AD, so I can now have my AD users connect to this file share and use their AD account, basically Kerberos, and it would enforce the regular ACLs I have on the files. So that's a really rich way to control those actual permissions. Now when I think about on-premises, we probably have file shares already, so I can think about hey,
today on-prem I have file shares, so I have some file shares sitting on a server. So one of the really nice things we can have obviously with Azure, I have this whole idea of a file share, so this is an Azure file share, basically a cloud endpoint, because what I can do is there's something called Azure File Sync. And what Azure File Sync lets me do is I can have one cloud endpoint but multiple on-premises file shares, I think it's up to 100, and the way this will actually work is these will all replicate against that cloud endpoint, so essentially synchronizing with each other via that cloud endpoint, and it will keep any ACLs I have in there, replicate those as well. It can also do tiering, so imagine I have a finite amount of space on this local file share; well, I can say hey, if data has not been accessed over X period of time, just store it on the cloud endpoint, remove it from this server, or if I get to within 80 percent of my capacity, start offloading the least recently used content. So that's a really powerful capability when I actually think about hey, I have these hybrid solutions: if I had a file share on-prem I want to maybe migrate it to the cloud or give it DR, Azure File Sync to a cloud endpoint is probably going to be the right solution for that. And I've got one of those set up over here, so if I go firstly to my storage sync services: so you create an instance of the storage sync service, you register your on-prem servers to it (it's no good, that appears offline), and then what you do is you create a sync group, and the sync group contains a cloud endpoint, so only one, that file share, and then your actual file servers, and it's going to replicate between them. I can see the data going across, it automatically updates the agent, so all of those really great capabilities. Now I guess while I'm talking about security, realize that storage accounts do have this all-powerful storage account key, so you can go to access keys and you'll see these two keys. It's
actually hiding them by default. You get two because the idea is hey, if I need to rotate them, my application could go and use the other one while I regenerate and then reprogram the other key. These are all-powerful and I really don't want to use these if I can get away with it, and you'll actually see now there's actually a configuration option that lets me turn off using storage account keys. Now one thing I will stress on this: so yes, we have this idea of the storage account key, and the storage account key exists at the storage account level, so we have our storage account one and we have these two keys, key one and key two, and again they're all-powerful. Now I can also create something called shared access signatures. Shared access signatures can either be at a particular service level, i.e. just blob or file or queue, or at the account level, so I can pick what service I want to enable, and what you can then do is be more granular: I can limit it to a certain amount of time, maybe from certain IP addresses, certain permissions. But those shared access signatures are signed by those keys, so if I disable these keys I can't create a shared access signature either, so just bear that in mind. And you can see, if I look at a storage account I can actually go to shared access signature, so this is creating an account-level one, so I can do multiple services, I can pick the permissions, I can pick dates, particular IP addresses, all of those different things, but I have to tell it the signing key, so I can see that in there. So if I disable those keys I can't use shared access signatures. And then through the APIs, through Storage Explorer, I could actually create service-level ones, it's just for a particular service as well. Again, I already showed you the role-based access control for the data plane, so built in there are roles for blob and queue and table. See if I looked at, for example, Blob Data Contributor, so we've got that role over there. I don't know
what is going on with my portal, I can't see the view button, but you can see hey, at the data plane I can actually read blobs, write blobs. So that's a nice way; through again I could give a group that permission so they would be able to have that, and it is inherited, so if I set this role at a resource group or subscription I would have those data plane permissions for whatever lives under that scope. The other thing when I think about security is encryption itself. So the storage account is always encrypted; now normally it's a Microsoft-managed key, but it is possible to bring your own. So if I've got this storage account and I go and look at encryption, you see I'm using a customer-managed key. That key lives within your Azure Key Vault, so Azure Key Vault is an Azure service using special hardware security modules to securely store secrets (things I can read and get them back out), keys (things I can generate inside or import and then perform cryptographic operations inside it, but I can't export them) or certificates (actually distribution and lifecycle). So it stores the key in the Azure Key Vault and uses that to actually perform that at-rest encryption, where it uses it actually to encrypt the encryption key, kind of the same thing. And what it lets me do is actually enable the latest key, so if I create a new version of the key in the Key Vault, the storage account will automatically pick it up and start using it. There's also encryption scopes. So encryption scopes let me say hey, maybe I'm using this storage account to run some service that I have different customers on, and so I actually want to use a different encryption key for the data of the different customers. So what I can actually do with this is exactly that: I can have a different key for different sets of data and actually leverage that. So this key, for example, I could use for one container, this key maybe for a different set of blobs; I have all of those different abilities. Now before I move on past storage, a huge use
with many things is actually disks, and I talked about, well, page blobs are fantastic for storing disks because it's that page-based random read-write access. And in the old days we would create a storage account, we would create a page blob and then inside there there would be a VHD, but then we had to worry about limits on the storage account; it wasn't a first-class citizen, it didn't have role-based access control or images or all those capabilities. So what actually happened is there's now this concept of a managed disk. All of this still exists, but it's completely abstracted away; all I see is the managed disk, and behind the scenes Azure takes care of storage accounts and page blobs and everything else. Now there's different attributes I think of with a disk. Like with a disk I think about, sure, capacity, but there's also the idea of latency, there's also the idea of IOPS, input/output operations I'm performing, and there's throughput: depending on the size of the operation, how much data can I actually pump through. And so there's actually different types of managed disks. There's the idea of a standard hard disk drive, there's the idea of a standard SSD (so that's got single-digit latencies), there's the idea of a premium SSD, even lower latencies, I can get to higher performance, and then Ultra Disk. So these different types of disks, and again as you go down they get more expensive because they get better performance, all those things. Now to use anything below, the premium SSD and the Ultra Disk, to use these I need the S variant. So this makes more sense when I talk about virtual machines, but for a VM there's like a D series but there's a DS series; the S means I can use premium storage, so I have to use the S variant when I actually want to use premium SSD or Ultra Disks. Now one of the common things in Azure, if I think ordinarily I could think of capacity and then IOPS and throughput, and the bigger the disk, essentially the
higher my IOPS and the throughput will be; they correspond, it's just the way it is, and that's really for the premium SSD, standard SSD and the standard hard disk drive. Ultra Disk actually lets me have separate dials for capacity, IOPS and throughput, and in fact these I can dynamically change, i.e. the disk is being used, I've got some big batch job about to happen, I can crank up the IOPS, crank up the throughput and pay more money, but I can change it for the period of time I need it and I can drop it back down again. So there's these super cool individual dials. Some of these disks have burst capabilities, so like I get a certain amount of bursting, that hey, maybe 30 minutes I can go to a higher performance for a period of time. I can increase the size of a disk, but I cannot shrink a disk. So imagine I had a scenario where hey, I need a higher performance for 12 hours; well, I couldn't increase the disk size because I won't be able to shrink it again 12 hours later. Because of that, what we actually have is, if we go and look at a premium disk, if I look at my disks and I'll pick one, I have size and performance. So one of the nice things I can do is, hey, yeah, you can see the different sizes and you can see the IOPS and the throughput go up the bigger the disk, the higher these numbers, but I can also set a different performance tier. So here I could change the performance tier to a higher performance, I'll pay for this new SKU, so I'll pay more money, but it's not going to resize the disk, so I could then shrink it again in the future. So I could go up to a higher performance, maybe beyond what I could burst with, maybe longer, higher numbers, but then I can actually shrink it back down again. So that performance tier for the premium is a really nice capability, so that's a key thing we can do when I think about the types of disk. Also, for both the standard SSD, premium SSD and Ultra Disk I can do disk sharing. So what that lets me actually do is, for all of these I can share, so
there's a certain maximum number supported, generally based on the size of the disk, but I can have multiple VMs connect to the same disk and it supports things like SCSI persistent reservations, so it can actually be used as a clustered disk, such as things like cluster shared volumes on Windows; I could do that. The exact numbers again vary; if we look at the documentation it will tell us how many I can have. So here we go: so premium SSDs between three, five and ten depending on the size, standard three, five, ten, Ultra between one and five; it doesn't really matter about the size because again it's different dials, we can really do anything we want. One final point: disks have a set of performance characteristics, IOPS, throughput. You're going to connect them to a resource; that resource will have its own limits of IOPS and throughput. So remember when we're trying to balance the right combination, I have to actually tie them together. It's no good having some massive number of IOPS and throughput on the disk and I've got a tiny VM that can't use that amount, so you need to look at the limits of the VM to make sure it matches the limits of the actual disk you're trying to attach to it to actually make it work. Okay, so we've got storage, we've got networking, we've got the identity, governance; obviously we now get to compute, and again I'm going to try and stitch these two whiteboards together, it's unfortunate I had to start a brand new one, that can be some feedback to the new whiteboard team. So if I think about compute, there's different layers. So I can think about, well, there's storage, there's networking, there's compute, there's a hypervisor, there's the operating system running on the virtual machine I create on the hypervisor, there might be different runtimes like .NET and J2EE, there might be some middleware, then I have my app and my data, and this all comes down to different types of service that we can have. Like if I'm on-premises, for example, I'm essentially responsible for all
of them; that is me as the customer. I might have different teams, but ultimately I'm responsible for all of those things. When I start looking at the cloud we start with IaaS, infrastructure as a service, and we get this line. So now the vendor, in this case Azure, is responsible for the fabric, the hypervisor; I don't see any of that. What I get is a certain service exposed to me, in this case it's a virtual machine, so essentially I'm getting a VM. That also means I'm responsible for all of the things associated with that: I'm responsible for thinking about high availability and DR and backup and patching and configuration. I'm responsible for all of those things; there's things to help me, but I'm responsible for all of that. Then we start moving into, well, there's like platform as a service; here the line's all the way up there. So now there might still be VMs, but I don't see them really; I might see them in terms of a sizing, I pick the size of the SKU I want, but really my responsibility is for getting my app deployed, that's my function. Now there's different types of services moving through here: we have things like virtual machine scale sets, we have Azure Container Instances, we have Azure Kubernetes Service, we have App Services, we have things like serverless offerings like Azure Functions, Logic Apps. There's all different types of service; we can get more and more PaaS-y. And then there's software as a service; this would be where the vendor is entirely responsible, like Office 365, Microsoft 365.
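An added example (not from the video) for the lifecycle management rules covered in the storage section above: the same "hot, then cool, then archive, then delete by age" rule expressed as the management-policy JSON document, plus a small simulation of which blobs a run of that rule would act on. The JSON keys follow the documented policy schema; the rule name and the blob list are constructed sample data.

```python
"""Blob lifecycle management rule as policy JSON, with a dry-run planner.
Added example, not code from the video. JSON keys follow the documented
management-policy schema; rule name and blobs are constructed samples."""
import json
from datetime import date, timedelta

TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}        # higher is colder
ACTION_TIER = {"tierToCool": "Cool", "tierToArchive": "Archive"}


def lifecycle_policy(prefixes, cool_after, archive_after, delete_after):
    """One rule on block blobs: tier to cool, then archive, then delete,
    each after N days since the blob was last modified."""
    return {"rules": [{
        "enabled": True,
        "name": "tier-by-age",          # assumed rule name
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": cool_after},
                "tierToArchive": {"daysAfterModificationGreaterThan": archive_after},
                "delete": {"daysAfterModificationGreaterThan": delete_after},
            }},
            # prefixMatch is the container name plus an optional blob path prefix
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": list(prefixes)},
        },
    }]}


def policy_json(policy):
    """The document you would paste into the policy editor or pass to the API."""
    return json.dumps(policy, indent=2)


def _action_for(policy, blob, today):
    age_days = (today - blob["last_modified"]).days
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        filters = rule["definition"]["filters"]
        if blob["blob_type"] not in filters["blobTypes"]:
            continue
        if not any(blob["name"].startswith(p) for p in filters.get("prefixMatch", [])):
            continue
        actions = rule["definition"]["actions"]["baseBlob"]
        # Most aggressive action first: delete beats archive beats cool.
        for action in ("delete", "tierToArchive", "tierToCool"):
            cond = actions.get(action)
            if cond is None or age_days <= cond["daysAfterModificationGreaterThan"]:
                continue
            if action == "delete":
                return "delete"
            # Lifecycle only moves blobs colder; a blob already at or below
            # the target tier is left alone (it never rehydrates from archive).
            return action if TIER_RANK[ACTION_TIER[action]] > TIER_RANK[blob["tier"]] else None
    return None


def plan_actions(policy, blobs, today):
    """Map blob name -> action the policy would take on its next run (None = nothing)."""
    return {b["name"]: _action_for(policy, b, today) for b in blobs}


def sample_blobs(today):
    """Constructed sample data: containers 'images' and 'logs', mixed ages and tiers."""
    def blob(name, tier, age, blob_type="blockBlob"):
        return {"name": name, "tier": tier, "blob_type": blob_type,
                "last_modified": today - timedelta(days=age)}
    return [
        blob("images/new.png", "Hot", 10),
        blob("images/older.png", "Hot", 45),
        blob("images/already-cool.png", "Cool", 45),
        blob("images/stale.png", "Cool", 100),
        blob("images/ancient.png", "Archive", 400),
        blob("logs/app.log", "Hot", 400),                 # outside the prefix filter
        blob("images/disk.vhd", "Hot", 400, "pageBlob"),  # page blobs excluded by blobTypes
    ]


def demo_plan():
    """Dry run of the rule (30 / 90 / 365 days) against the sample blobs on a fixed date."""
    today = date(2021, 11, 2)
    policy = lifecycle_policy(["images/"], cool_after=30, archive_after=90, delete_after=365)
    return plan_actions(policy, sample_blobs(today), today)


if __name__ == "__main__":
    print(policy_json(lifecycle_policy(["images/"], 30, 90, 365)))
    for name, action in demo_plan().items():
        print(f"{name:28} -> {action}")
```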
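An added example (not from the video) for the storage account key and shared access signature discussion in the storage section above: it shows why a SAS is only as strong as the key that signed it, by building an account SAS with HMAC-SHA256 over the key and then checking it the way the service does (signature, start and expiry, IP range). The string-to-sign layout is the documented account SAS format and is assumed here for service version 2019-02-02; the account name and keys are constructed, not real credentials.

```python
"""Account SAS: sign with the storage account key, verify, and see what key
rotation does to outstanding tokens. Added example, not code from the video.
String-to-sign layout assumed for sv=2019-02-02; account name and keys are
constructed sample values."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

SAS_VERSION = "2019-02-02"          # assumed service version for the layout below
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def new_account_key():
    """Stand-in for 'Regenerate key': a random 64-byte key, Base64 like the portal shows it."""
    return base64.b64encode(secrets.token_bytes(64)).decode()


def _string_to_sign(account, perms, services, rtypes, start, expiry, ip, proto):
    # Fixed field order; the service rebuilds exactly this from the query parameters.
    return "\n".join([account, perms, services, rtypes, start, expiry, ip, proto,
                      SAS_VERSION]) + "\n"


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_account_sas(account, key_b64, perms, services, rtypes, start, expiry,
                     ip="", proto="https"):
    """Build the query string the portal's 'Shared access signature' blade hands you."""
    sig = _sign(key_b64, _string_to_sign(account, perms, services, rtypes, start, expiry, ip, proto))
    params = [("sv", SAS_VERSION), ("ss", services), ("srt", rtypes), ("sp", perms),
              ("st", start), ("se", expiry), ("spr", proto)]
    if ip:
        params.append(("sip", ip))
    params.append(("sig", sig))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def _ip_allowed(sip, client_ip):
    # sip is a single address or an inclusive range "low-high"
    low, _, high = sip.partition("-")
    addr = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high or low)


def verify_account_sas(account, key_b64, sas, now, client_ip):
    """Return (accepted, reason); simplified version of the checks the service performs."""
    q = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
    try:
        sts = _string_to_sign(account, q["sp"], q["ss"], q["srt"], q["st"], q["se"],
                              q.get("sip", ""), q["spr"])
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    # Any change to the signed fields, or a different key, breaks the MAC.
    if not hmac.compare_digest(_sign(key_b64, sts), q.get("sig", "")):
        return False, "signature invalid (tampered, or the signing key was rotated/disabled)"
    if now >= datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "expired"
    if now < datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "not yet valid"
    if "sip" in q and not _ip_allowed(q["sip"], client_ip):
        return False, "client IP outside sip range"
    return True, "ok"


def rotation_demo():
    """Read-only SAS for blob+file, limited to one day and one IP range, then the
    outcomes after key rotation, after expiry, from the wrong IP, and when tampered."""
    key1, key2 = new_account_key(), new_account_key()       # key2 = regenerated key1
    sas = make_account_sas("contoso1", key1, perms="rl", services="bf", rtypes="co",
                           start="2021-11-01T00:00:00Z", expiry="2021-11-02T00:00:00Z",
                           ip="10.0.0.1-10.0.0.255")
    at = datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc)
    return {
        "valid": verify_account_sas("contoso1", key1, sas, at, "10.0.0.20"),
        "after_rotation": verify_account_sas("contoso1", key2, sas, at, "10.0.0.20"),
        "expired": verify_account_sas("contoso1", key1, sas, at + timedelta(days=2), "10.0.0.20"),
        "wrong_ip": verify_account_sas("contoso1", key1, sas, at, "203.0.113.7"),
        "tampered": verify_account_sas("contoso1", key1, sas.replace("sp=rl", "sp=rwdl"),
                                       at, "10.0.0.20"),
    }


if __name__ == "__main__":
    for case, (ok, why) in rotation_demo().items():
        print(f"{case:15} accepted={ok} ({why})")
```

Regenerating a key in the portal therefore invalidates every SAS signed with it, and the account-level switch mentioned above (`az storage account update --allow-shared-key-access false` on the CLI) removes both the keys and SAS from the picture, leaving the Azure RBAC data-plane roles as the way in.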
I'm not installing Exchange or SharePoint or patching those things; it's just done for me. Now as I think about these, and let's focus in for a second, let's start with virtual machines. So a virtual machine is really kind of a basic: we get some VM, and think about what that VM is. That VM has certain characteristics: now it has a certain number of CPUs, it has a certain amount of memory, it has certain storage characteristics that it can support, storage IOPS, throughput, it has certain network connectivity, it might have special requirements like GPUs or RDMA network adapters or NVMe storage. But this workload has a certain shape. So this VM is doing some work; now the work coming in, when I process that work there's certain resources I require. Now those resources are going to be in terms of how much CPU, how much memory, what does the storage look like, what is the network, these other dimensions, and it's really about different ratios. So I can think about, well, what's my ratio of CPU to memory, for example, and different ones, like databases, might need a lot more memory than CPU, whereas some app layer might be very CPU-centric, or maybe I have some balanced mix. So the whole point here is Azure has a whole set of different virtual machine sizes and they're based around the different types of workloads. So I could think about, well, general, actually we start with compute optimized. So if we look at compute optimized, what you can see here is that the more CPUs I get, the more memory I get, the more temporary storage, so the attributes go up together, but essentially for these compute-centric ones there's a ratio of one to two: so for every two CPUs, 4 GB of memory, four CPUs, 8 GB of memory, so it's a one to two ratio. Then there's general purpose, and that was these S variants, which means they can use the premium storage. If I look at general purpose, well, it's a one to four ratio, two to eight, four to 16.
Okay, so it's more balanced. Then there's memory optimized SKUs; here, oh, it's a one to eight ratio. So there's all these different families, and again as the VM gets bigger I also get more storage, I get more network performance, everything goes up together because I'm getting a bigger portion of the underlying host that it's actually running on. Some have burst on storage; some have burst on the VMs, like the B series, I can actually burst the virtual machine as well. Now if I think about the actual resource, it's not running on thin air, so it's running on a host; there's a particular box that this is running on, so there's a host this runs on. Now what happens is that host has sets of resources as well. Now that virtual machine, for example, for its OS connects to a managed disk; I might also connect to data disks, multiple data disks I can connect to. The host itself also has local storage, and what it does for most of them is it creates a VHD, a virtual hard disk, and it maps that to the VM as well, as kind of a temp, a scratch drive, so it's not durable. The managed disks live outside of the host; there's three copies of the data, they can even be zone redundant, so if something happened to the host, I've not lost the content on my OS and data. This temp drive lives on the host itself, so if something happened to the host, well, I would lose the content of it, but it's really low latency, high performance, so it's great for a scratch area; I just need somewhere to write to, but I'm okay losing the content of that. So I use these things together. Some of these boxes have NVMe local storage, like the N series VMs use that; some of them have GPUs, the NV series, they use that; so this is the L series, this is the various N series; there's high performance ones that have RDMA network adapters. So there's different types of VMs based on my requirements, based on those ratios of CPU to storage; there's all different ones to actually meet my various needs. I pay for when it's running, so shut things down, deallocate them
when I know I don't need it, to stop paying for it. I can use the pricing calculator to really go and work out hey, what is this actually costing me. If I know I'm going to run something for a period of time, well, you can do things like reserved instances. This is the pricing calculator; I can say I want to do pricing about a virtual machine and here I can go and work it out. I can say hey, what's the size of the virtual machine; it's showing me the price per hour, but again I pay for the seconds it's running. But notice this: if I know I'm going to be using these for one year or three years, I know I'm going to have 20 or 50, I can do these reserved instances so I get a big discount, but obviously I need to make sure I'm paying for those. And I'm going to go into detail on this in the Azure pricing calculator video. Creating a VM is super super simple. Now there's disks that are built in to the gallery, so I can create Windows, I can create Linux; I see some standard images it's presenting to me here, Windows, Linux. I can pick the size, I create it in a region; obviously the disks are going to be in the same region as the actual virtual machine. So you just go through, create a VM; just make sure you stop it when you're not using it to save yourself money, and make sure if you don't need it anymore you delete it. So notice here I've got this stopped, deallocated; that means I'm not paying for the compute, but I'm still paying for its managed disks. So that's why it's a really good idea to create resources in resource groups together, the storage, the disk, the VM; then when I know I'm done with it I can delete the whole resource group and then I don't leave some disk behind that's costing me money. So really make sure you think about all of those different resources. Now when I drew this picture I had this idea of responsibility and I thought of all these negative things like backup and patching and config; well, there are things to help me. For virtual machines we have the idea of extensions, and
they perform certain functions. So for example if I go and look at some of my virtual machines, we can go and look at extensions, and there I've got a huge number of extensions here like anti-malware; there's a huge library of extensions I can leverage to perform certain functions for my environment. Some really nice ones: this custom script extension, here I can easily run a PowerShell script, or a bash script if it's Linux, to perform some set of actions. There's things like PowerShell Desired State Configuration to have a declarative configuration to deploy into that guest operating system, so that's really powerful. So these extensions are really useful to actually go and do configurations and help me manage these environments; I don't have to manually go and do things inside them. Even things like backing up: there's the Azure Backup service, and what I can actually do, if I do backup for a second, one of the nice things we can do with backup is I can create a policy. So an example, if I create a backup policy over here, I might have a virtual machine policy, and my policy might say hey, I want a daily backup that I want to retain for a certain number of days, but then I also want to retain a weekly backup for a certain period of time, and then a monthly backup for a certain period of time, and then maybe even an annual one (this is taking so long), but I have these different options. And then it will go and do those backups, it will orchestrate that, and it will orchestrate that retention as well. So here we can see hey, I've got the daily, I set keep it for 30 days, but I could also say I want to keep a weekly for 12 weeks, a monthly for 60 months, an annual for 7, 10 years, whatever I want, and the policy will go and make that so. It's doing delta-based storage into this vault, so this backup capability is super super powerful, so that's a way I can help and actually go and do the backup. There's also, Azure Backup while I'm here, sometimes it will orchestrate a solution but doesn't actually
copy the data to the vault. Like file shares: here I've got a policy that what it will do is go and take a snapshot of the file share and keep it for 30 days, but it's not actually copying it to the vault, it's actually just going to use the native Azure file snapshot capability. For example, I think it's over here, I've got that running; it just used a native capability. So if I was to look at this and my file shares, and let's say I looked at images, look at all these snapshots; well, they were actually taken by Azure Backup, and then it will go and clean them up based on that retention period. So it's not copying the data to Azure Backup, but Azure Backup is creating the snapshots, retaining them and then deleting them once I get past that period of time. So the recovery vaults really help bring in and manage all of those different things. Now if I'm creating virtual machines I probably want to get to my virtual machine. Yes, I can give it a public IP; I really don't want to do that. I should not be RDP-ing or SSH-ing or WinRM-ing over the internet; you're going to get hacked within a couple of hours. So it has a private IP. Remember, if I'm connected via site-to-site VPN or ExpressRoute I can connect to the private IP. If I don't have that and I do have to connect from the internet, there's actually something called Azure Bastion. So Azure Bastion provides a managed public-facing service integrated with the portal, so it's not exposing any direct IPs, and then I can go and connect to any resource in the VNet of the Bastion or any peered VNet. So if I was to go and look, I have Azure Bastion deployed into my subscription, so if I look at my Bastion, so I have Azure Bastion in my South Central network. What that lets me do now is if I go and look at a VM, even in a different region, but it's on a network that's peered to my South Central network, if I do connect I can say connect via my Bastion, I want to use Bastion; it works out where there is one, then I would just give it the various credentials, and if I
do connect, it's actually going to go and connect in the browser to that virtual machine. So now it's not exposing anything directly; from this I could have conditional access on this to have things like MFA, so this is a really nice solution that I can now light up. I have it in a VNet and I can even go and use it from other virtual networks as well. Now while I'm thinking about just a virtual machine, realize that virtual machine is on a certain host; that host fundamentally is on a certain rack in a certain physical building. So I can think about that rack as a fault domain; something could go wrong, the top-of-rack switch, the power supply unit, it could break. So one of the ways we can think about making things highly available is within the different data centers there's lots of racks, and what we can actually do is we could think about hey, this is fault domain 0, fault domain 1, fault domain 2. I can create something called an availability set, and when I create an availability set, let's say it's three fault domains, when I add resources into that availability set it will go and distribute them over three racks. Now the other thing it actually has, so I'm now resilient against a rack failing, what it will also do is it has something called update domains. So you can imagine these are actually different blades in the rack, so when it applies updates, I can have between five and 20 update domains, it would only take down a fifth at a time as it goes and rolls out updates to that actual area. So those are actually really powerful to use. Realize this is just distributing them; do not mix workloads. If I mixed my domain controllers and SQL servers and web servers in the same availability set, through sheer bad luck all my IIS might be on this rack, domain controllers on this one, SQL on this one. So what I would do is I would have, okay, I'll have an IIS availability set and I'd put all my IIS servers in that one to get them distributed, I'd have a SQL availability set, a domain controller availability set to
make sure those things are distributed. Now remember though, those things are all within the same physical building. Remember I talked about the idea of a region; well, that region is actually made up of, in some cases, different physical facilities that have that isolated power, cooling and networking. So if my region supports availability zones, this is a nicer option, because whereas availability sets give me resiliency against a rack-level failure, well, this gives me resiliency actually from an entire facility having some kind of failure. So I want to think about using those if I can, and again make sure we deploy to multiple regions if we can for even better resiliency. Now building up from virtual machines: I can create VMs, I can create an individual virtual machine, but what would be nicer is I want some unit that will go and create them for me based on some template. So we have the idea of a virtual machine scale set. So I have some disk template, that maybe is the OS, maybe it has some app on it; I have some configuration, maybe it's extensions to go and install certain features or do certain things; also it's a certain VM size; maybe it's spot VMs, which are cheaper, maybe it's not; maybe I have a minimum number, maybe a maximum number of instances; maybe I even have auto scale. I can have rules that say hey, look, if the CPU is greater than 70 average, add two; if the CPU is less than 30 average, remove one; then it will go and add and remove them as I need to. And this auto scale is a key point in Azure. On-prem we might have 10 instances; we run them all the time, why not, we bought the hardware, it's sitting there. In Azure I pay per second of it running. See, if I think about hey, I have time and I have load, well, imagine it changes. So imagine right now I've got a medium, well, I want three instances of my app running; then I get busy, oh okay, I should add two; then I get really quiet, okay, I should delete three of them; okay, now I get busier again, I should add one
back. That's auto scale. So this is this horizontal scale: I'm adjusting the instances I have to match my workload; that's what's going to really make me optimize the money I spend, so that really is a key point. So at a minimum I really want to not use VMs on their own. If I have multiple instances, which normally we will (it's a web service, it's something), I want to use virtual machine scale sets to automatically create and adjust based on the numbers I actually have. And if I jump over, it doesn't have to be CPU. If I look at my VM scale set in my example here, again I can set instances; I have just one running right now. In the scaling I can say hey, I'm actually scaling based on a metric, so mine says when a queue depth is greater than five, if I look at the rule, if it's greater than five increase the count by one, if the queue depth is less than two decrease by one; I have between one and five, so I'll only go up to five instances. So I can configure all of these things, and again I base it on a certain size, I have certain configurations, so this will go and auto scale exactly what I have actually based on that. So I can think about, okay, VM scale sets, they're good, they're getting me beyond just basic virtual machines. If I keep going up the stack: VMs virtualize the hardware, they split physical boxes into units of CPU, memory aspects; then we have containers. So what containers do is containers actually virtualize the operating system. So I can think about I have a container host, and there's obviously an OS running on this thing, they have a container runtime, maybe like containerd, something like that, which basically creates these sandboxes, these isolated environments where I can run containers. So the containers will actually run in each of these things, and they're generally isolated at a user mode space; they're running on the same OS instance, so a shared kernel, but each of them has these isolated namespaces, networking, controls around there, and
the way this actually works is what we typically would actually have is we have a container registry; there's Azure Container Registry. This is where we store images, and the way this actually works is, what a container is, is we might have maybe some base OS container image that was generated by the OS provider, and then we have a composition file that says hey, I want to build on this image and then run these various commands to customize it; this is a Dockerfile. And the output of this is our new custom image; that's our application. Now I'm going to run that in a container instance, so that's how these things run together. This I could run as a VM, sure, but at a really basic level Azure has something called Azure Container Instances that I can go and run my image in. Here it actually uses like a special virtual machine, so I also have kernel mode isolation from anyone else running on there, so that's important in a shared environment. And I can see this, so if I jump over, firstly if I look at my registry, this is the container registry I created, my own registry, my own image actually in there, so I have an image, a container image. And then if I look at my container instances, I actually don't have any in this one right now; actually maybe it's over in this one, too many subscriptions, no, it's not there either. Okay, but I could easily create one, and basically all I have to do is give it a name, a location, I can say I want to build it off of an image I have, I can give it a size, and it will go and actually create a container for me that is public facing, has a public IP. So it's a super easy way to get up and running with a container, but the challenge is if I start to think at a bigger scale, there's other things I need for containers. Like I want multiple instances of my containers, I want to auto scale them, I want to be able to have these rich deployments of multiple layers, which I can't easily do with Azure Container Instances. So what we actually get to
next is things like Kubernetes. So Kubernetes is a CNCF standard as a container orchestrator, and what this does is... I could just again deploy Kubernetes to virtual machines if I wanted to, but there's a lot of work to actually set up Kubernetes. So what we actually have in Azure is Azure Kubernetes Service, so this is a managed Kubernetes environment. Now there's a whole set of control plane to Kubernetes, so there's a whole management set of functions. For example, I can think about, well, there's an API server that we actually interact with, there's an etcd database for the state, there's a scheduler that goes and looks at, well, what pods do I need (pods is the container for containers in Kubernetes; containers run in a pod), and there are various controllers. There's all of these things, so these are just done for me with AKS. I don't see it; it's just a managed service. What I get is I have my nodes, so I specify sizes and I get kind of my node pools, which are nodes of certain types. So these are just boxes; they run the kubelet, which again is a standard part of Kubernetes. And again, look at the video in the playlist for details; I'm not going to go... there's too much detail to try and go through all of this. But these essentially go and talk, and this is all managed for me, and then essentially I just get my pods. So I have a pod that runs my various container workload within there. There's different types of networking: there's kubenet, where the networking is all abstracted from the underlying virtual network and uses network address translation; there's Azure CNI, where I actually get real IP addresses for the pods (this Container Networking Interface) from the actual real VNet. There's different load balancer integrations, like load balancer, App Gateway, third parties like NGINX. I can have persistent storage, so I can absolutely in a pod say I have a persistent volume claim, which is, hey, I want to use some persistent storage, that maps to a persistent volume which is of a certain type. This could be Azure
Files standard or premium, this could be an Azure disk, so then that pod will see that storage, so it can store things for a long time. There's autoscale native to all of this, so there's kind of this idea of pod autoscale: if the work on my pods varies, well, I can add and remove pods based on the need. And then based on adding and removing pods, that scheduler will say, hey, I've got pods that need to be scheduled and I've run out of space, so it actually can then do autoscale at the cluster level. So based on the availability of scheduling pods, there's a cluster autoscaler to actually add and remove nodes from the node pool based on my ability to schedule the pods on the hardware. So there's those capabilities as well. So there's huge amounts of things here.

And then you can kind of keep moving up, and this is our App Services. So App Services is kind of how Azure actually started. These are all kind of HTTP/HTTPS web apps, mobile apps, API apps, and what I do is I create an App Service plan, which consists of various resources, maybe it's a certain number of boxes, and then I can deploy onto that App Services, which is a particular instance of an app. And there's different SKUs available. So for example, if I look at the different plans, there are different capabilities. So here I can see, hey, there's the Basic, there's Free, so I can actually create an App Service plan that's free to play around; it's shared compute. Then there's like Basic and Standard. Standard is where we start getting features like autoscale, so I have to get to that Standard SKU. I can have different numbers of instances, we get things like private endpoint support, we talked about custom domain names, and deployment slots. So deployment slots are the idea where, hey, I can think my app has a production instance; so maybe I have my multiple apps on the same plan, this is my app two production, but I can also maybe create an app two staging. It's using the same hardware, but then I can kind of deploy my new code into
staging, warm it up, test it, and then when I'm ready I can swap the VIP (swap, virtual IP swap) and then make this production. Then if I needed to, I could roll back very, very easily. So this gives me a lot of capability that again I can really focus on my app. Things like App Service Environments, where I have entire dedicated sets of hardware into my virtual network. A normal App Service plan, although the nodes are mine, there's another set of components that are actually shared between multiple customers. It's still isolation, but they're shared components, so it makes it a bit more difficult to integrate things like virtual networks. I have to use private endpoints per app; at the App Service plan I have to do VNet integration, for example. But if I use an App Service Environment, it actually deploys into my virtual network, so it's kind of completely isolated. So lots of different capabilities around there.

And I've been recording for a really, really long time now, so I'm going to kind of, to finish off, super quickly: monitoring. Now that's a really important point, but for all of these different things, again I'm going to try and stitch these whiteboards together somehow. We obviously have monitoring, and there's monitoring at all different levels. There's monitoring when I think about performance and metrics, there's performance, logs. So I showed you the subscription activity log before, so I can think about, hey, I have my subscription; the subscription has its own activity log, so that's things happening at kind of that Azure Resource Manager fabric level. And then I can think of individual resources: well, resources have metrics and then they have logs as well. Now what happens here is metrics by default just go to Azure Monitor Metrics. I can just see these; I don't have to do anything special, they are just there. If we go and look at a resource, and let's just pick virtual machines (they're actually quite nice; storage accounts are nice as well), I can just go and look at Monitoring, Metrics, and I see
a whole bunch of metrics from the VM host. I can see disk IOPS, bandwidth, obviously storage account things, all different things available for this. So I can see all these different types of counters available for me, and again these operate across all different types of resource. If I pick, for example, SQL Database, it has (and it's actually showing me some on the main page right at the start, some of the more common ones that I might want to see) but it has a whole set of metrics as well that I could go and look at and see information about the resource. So metrics are just available natively, but then we also have this idea of logs. Now logs are not stored anywhere by default, so what I have to do for logs is, for logs we have this idea of diagnostic settings, and I can centrally manage these through things like Azure Policy. So diagnostic settings lets me say, hey, there might be different types of logs; I want that log and that log, and I can also capture metrics, and I want to send these to some target. And that target could be storage; storage is good for long-term retention, it's cheap, but I can't do a huge amount with it. I might want to send it to an event hub; an event hub is a publish-subscribe tool that would be really useful if I had some external SIEM that I wanted to actually go and fetch those, so I could read it into the external SIEM. Or I could do a Log Analytics workspace; that's kind of like the premium Azure solution for the ingestion of really any kind of data, and I can then use Kusto Query Language to actually perform analysis of it. I can create these nice dashboards, I can get this cool view of it. So I can then go and actually send the data. So again, on this SQL, while I'm here, I have diagnostic settings; I can now go and add, okay, yeah, I want to capture these logs, all different ones, I can capture certain metrics, and where do I want to send it to? Okay: event hub, storage account, Log Analytics workspace. So we have those different hooks to actually send the data to
different locations. And once it's in Log Analytics, there's a ton of different things that build on top of that. For example, natively you might see sometimes this idea of... let me actually look at a different resource. If I pick a virtual machine, you'll often see something called Insights. So Insights is a curated view of the resource, and it's built on top of Log Analytics. But here, for example, it's got this kind of map that it's worked out, I can see basic performance information about it; this is all gathered through there, built on top. Azure Security Center, Azure Sentinel use things like Log Analytics, so there's many solutions built on top of this. So the whole point is I have all these kind of great pieces of information going to this Log Analytics workspace, and then what I can actually do is, activity logs, metrics, this Log Analytics workspace: I can then actually create alert rules from any of these kinds of signals. So logs in Log Analytics, a metric, same from the activity log, and then if it triggers, I can then fire an alert group, which is a set of things I want to do. This could be SMS, it could be send an email, it could be fire off a function or a logic app or an Azure Automation or webhook, do some stuff to actually react. So if we look at that, what we can do is we can go and look at Azure Monitor, we can go to Alerts. So firstly we can manage our alert rules, and we can see I'm going to have different types here. So I'm going to have some alert rules that are based off... you can see the signal type on the far right over here. So I have some based off of metrics, some based off of a log search, some based off of my activity log. Then I also think like smart detectors, so there's some more advanced things we can actually do; service health, so the health of my resources is another input I can have. So I can create these rules, so like DirSync over 50 CPU. So I can have actions, deliver all details, I can actually modify the condition, so it's showing me
historically, and then I can create the alert rule. Now this was me setting a definite real number. There's also dynamic rules; with dynamic rules it actually uses machine learning to look at what's common, and then I could say how aggressive do I want to be. So it's going to look at the history, and it could be medium sensitivity, low sensitivity or higher sensitivity. You can see that it's changing; it's showing me what it's going to start alerting on based on history, how sensitive I want to be. So I can also do those kind of dynamic rules; it doesn't have to just be a single number. And then it calls an action group. So an action group is some combination of things to do: email, SMS, push, voice, Azure Resource Manager role, communicate, also, hey, run a runbook, call a function, integrate with an ITSM like ServiceNow, call a logic app, call a webhook, call a secure webhook, all these different combinations of things. There's more advanced things I can do with action rules, like, hey, if I see an alert at a certain resource group, do this, or I could suppress. So there are other things I can do, but that's really kind of a key point.

And I guess while I'm in here, a final thing I want to show is Network Watcher. So here we can see I've got Network Watcher instances in different regions, and then we can do things like look at the topology, I can check IP flow, I can do diagnostics around network security groups, I can work out what the next hop would be for these communications, I can work out the effective security rules, I can do packet captures, I can capture network security group flow logs that let me do traffic analytics to look at things like, hey, common partners that talk, hey, bad traffic coming from particular regions. I can do a whole set of really advanced stuff. So again, make sure you kind of go through these and understand exactly what these are doing.

So that was it. I think that's so much content; I apologize, I knew this video was going to be long, but go through the Microsoft Learn
modules for this. I created that playlist; I would go through that playlist. I would maybe watch this just before the exam, but get the hands-on. I think that is the key point to be successful: you need the hands-on, know how to do it from the portal, understand there's like CLI commands as well. So try the different methods that it talks about in those things. Take your time. If you don't pass the first time, go back and look at where you were weak and go and re-study those areas, and I'm sure you'll get it the next time. I really hope this was useful. A huge amount of work goes into this, so please, please do like and subscribe. But good luck, until next time, take care.
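The scale-set rules described in the transcript (scale out by one when queue depth is greater than five, scale in by one when it is less than two, between one and five instances) written out as an added example, not code from the video: the Microsoft.Insights/autoscalesettings document shape that Azure Resource Manager accepts, plus a small simulation of how those rules move the instance count. The resource ids, region and metric name are placeholders.

```python
# Placeholder ids and metric name: assumptions, not values shown in the video.
VMSS_ID = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachineScaleSets/<vmss>"
QUEUE_ID = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<sa>/queueServices/default"
METRIC = "QueueMessageCount"  # assumed name for the "queue depth" metric

def rule(operator, threshold, direction, change=1):
    """One autoscale rule in the ARM shape: a metric trigger plus a scale action."""
    return {
        "metricTrigger": {
            "metricName": METRIC, "metricResourceUri": QUEUE_ID,
            "timeGrain": "PT1M", "statistic": "Average",
            "timeWindow": "PT5M", "timeAggregation": "Average",
            "operator": operator, "threshold": threshold,
        },
        "scaleAction": {"direction": direction, "type": "ChangeCount",
                        "value": str(change), "cooldown": "PT5M"},
    }

def autoscale_setting():
    """Min 1 / max 5 instances; +1 when depth > 5, -1 when depth < 2."""
    return {"location": "westus2",  # placeholder region
            "properties": {
                "enabled": True, "targetResourceUri": VMSS_ID,
                "profiles": [{
                    "name": "queue-depth",
                    "capacity": {"minimum": "1", "maximum": "5", "default": "1"},
                    "rules": [rule("GreaterThan", 5, "Increase"),
                              rule("LessThan", 2, "Decrease")],
                }]}}

def simulate(depth_per_window, setting):
    """Apply the profile to one averaged queue depth per evaluation window and
    return the instance count after each; cooldown is ignored, bounds are clamped."""
    profile = setting["properties"]["profiles"][0]
    cap = profile["capacity"]
    lo, hi, count = int(cap["minimum"]), int(cap["maximum"]), int(cap["default"])
    history = []
    for depth in depth_per_window:
        for r in profile["rules"]:
            trig, act = r["metricTrigger"], r["scaleAction"]
            hit = (depth > trig["threshold"] if trig["operator"] == "GreaterThan"
                   else depth < trig["threshold"])
            if hit:  # the rule fired: step the count, never past min/max
                sign = 1 if act["direction"] == "Increase" else -1
                count = max(lo, min(hi, count + sign * int(act["value"])))
        history.append(count)
    return history
```

`json.dumps(autoscale_setting())` gives the body you would submit for the autoscalesettings resource; `simulate([7, 9, 12, 6, 3, 1, 0, 0], autoscale_setting())` walks a constructed burst of work and shows the count climb to the cap of five and then drain back down.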
Info
Channel: John Savill's Technical Training
Views: 47,954
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, az-104, certification, azure administrator associate
Id: VOod_VNgdJk
Length: 225min 1sec (13501 seconds)
Published: Tue Nov 02 2021