AZ-104 Microsoft Azure Administrator Study Notes

From roonics

https://learn.microsoft.com/en-us/certifications/exams/az-104/

Manage Azure identities and governance

Implement and manage storage

Azure blobs

  • Provides object storage for the cloud
  • Optimised to support massive amounts of unstructured data
  • Unstructured data is data that does not fit a specific model, e.g. text and binary data
  • Typically used for images, videos and documents that could be served to websites
  • Also good for streaming video/audio
  • Storing log files, archive or backup data
  • Can be accessed using HTTP or HTTPS; in practice require HTTPS by enabling the storage account's "secure transfer required" setting, which rejects plain HTTP requests
  • Can be accessed using the Azure Storage REST API, PowerShell, Azure CLI, or the client libraries for languages such as Java, PHP and .NET
  • The storage account creates a unique namespace that you use to access the data, e.g. https://mystorage.blob.core.windows.net
  • Containers in blob storage are used to organise the blobs within the account (think of them like directories). You can create an unlimited number of containers and a container can store an unlimited number of blobs
  • Container names must be lowercase (letters, numbers and hyphens, 3 to 63 characters)
  • Blobs are the files, so image001.jpg would be considered a blob
  • There are 3 types of blobs supported:
    • Block blobs
      • Can contain up to about 190.7 TiB of text and binary data
      • Called block blobs because they are made up of blocks that can be uploaded and managed individually
    • Append blobs
      • Similar to block blobs but optimised for append operations
      • This makes append blobs a good choice for logging data from virtual machines
    • Page blobs
      • Used to store random-access files up to 8 TiB in size
      • You would typically use page blobs to store VHD files which serve as disks for Azure virtual machines

Azure files

  • Fully managed file shares in the cloud
  • You access Azure Files through the SMB protocol (NFS 4.1 is also available on premium shares)
  • You can mount file shares from Windows, Linux and macOS machines that reside both on-prem and in the cloud; mounting over the internet needs outbound TCP 445 (often blocked by ISPs) and SMB 3.x with encryption
  • You can cache file shares on Windows servers using the Azure File Sync service
  • Identity-based authentication allows Azure file share permissions to be controlled through on-prem Active Directory Domain Services (or Azure AD DS) rather than handing out the storage account key
  • You can create as many file shares as required
  • You can use PowerShell, Azure CLI, the Azure portal and Storage Explorer to create, mount and manage Azure file shares
  • Azure file share names must consist of lowercase letters, numbers and hyphens

Azure queue storage

  • Designed for storing large numbers of messages used in communication between the different components of a distributed application. These messages can be accessed from anywhere in the world through authenticated calls via HTTP or HTTPS.
  • Each queue message can be up to 64 KB in size
  • A typical queue can contain millions of messages
  • A queue name must consist of lowercase letters, numbers or hyphens
  • A queue URL will be as follows https://<storage_account>.queue.core.windows.net/<queue_name>

Azure table storage

  • This is intended for the storage of structured NoSQL data
  • It offers a key/attribute store and a schema-less design
  • Schema-less design allows you to more easily adapt data to the needs of your business or application
  • You can have as many tables as you need, up to the capacity limit of the storage account itself
  • Ideal for large amounts of data that does not need complex joins, foreign keys or stored procedures. Non-relational.
  • The URL to access it will be as follows https://<storage_account>.table.core.windows.net/
  • A table is just a collection of entities; it does not enforce a schema on the entities within it
  • Entities are basically like a database ROW
  • Each entity can be up to 1MB in size
  • You can have up to 252 properties for each entity
  • There are 3 system properties for each entity as well which are:
    • A partition key
    • A row key
    • A timestamp
  • Premium table experience is offered via Azure Cosmos DB which is a globally distributed database service
Azure managed disks

  • Block-level storage volumes
  • Used to provide storage for virtual machines
  • A managed disk is much like a disk you would see in an on-prem server, only virtualised; Azure manages the underlying storage account for you
  • Available disk types are Ultra Disks, Premium SSD, Standard SSD and Standard HDD
  • Azure Backup supports disk sizes up to 32 TB
  • You can use direct upload to transfer local VHD files to Azure managed disks
  • There are two types of encryption you can use with managed disks:
    • Server-side encryption (SSE)
      • Performed by the Azure Storage service and enabled by default for all managed disks
      • Provides encryption at rest for your data, by default with platform-managed keys; customer-managed keys held in Azure Key Vault can be used instead
      • Also enabled by default for snapshots and images in regions where managed disks are available
    • Azure Disk Encryption (ADE)
      • Enabled on the OS and data disks of the VM, inside the guest, with the keys stored in Azure Key Vault
      • On Windows VMs disks are encrypted by BitLocker
      • On Linux VMs disks are encrypted using DM-Crypt
  • There are 3 disk roles in Azure:
    • Data
      • Managed disks attached to a VM, used to store applications and other data
      • When you attach a data disk it is registered as a SCSI drive
      • Data disks have a max capacity of 32 TB
      • The number of managed disks you can attach to a VM depends on the size of the VM
    • OS
      • Hosts the VM's operating system and boot volume
      • Max capacity of an OS disk is 4 TB
    • Temp
      • Most VM sizes include a temp disk
      • Not a managed disk; it lives on the host's local storage
      • Hosts page files and swap files
      • Data on the temp disk is lost during maintenance or if the VM is redeployed, so never put anything on it that you need to keep
      • On Windows VMs the temp disk is given the D: drive letter
      • On Linux VMs the temp disk is /dev/sdb (normally mounted at /mnt)

    Storage accounts

    • A container that houses all of your storage data objects (blobs, files, queues and tables)
    • All storage is encrypted at rest with storage service encryption; this cannot be disabled
    • Virtual machines using Premium SSDs for ALL of their disks qualify for a 99.9% SLA
    • Zone-redundant storage (ZRS) is only available for:
      • General-Purpose V2
      • Block Blob Storage (premium)
      • File Storage (premium)
    • Geo-zone-redundant storage (GZRS) is only available for General-Purpose V2
    • Storage account types:
      • General-Purpose V2
        • Standard account that can host blobs, files, queues and tables
        • Microsoft recommends this account type for most scenarios
      • General-Purpose V1
        • Can host blobs, files, queues and tables
        • Legacy type; it does the same as V2 but Microsoft recommends V2, so V1 will probably be retired in the near future
      • Block Blob Storage
        • Premium performance for block blobs and append blobs
        • Typically used where high transaction rates are in play
        • Also good if the requirement is for low storage latency
      • File Storage
        • Files-only storage accounts with premium performance characteristics
        • Microsoft recommends these for enterprise or high-performance applications
      • Blob Storage
        • A legacy account type for blob storage only
        • Microsoft recommends General-Purpose V2 instead of blob storage accounts
    • SAS = Shared Access Signature. A signed URL that grants access to resources in a storage account for a limited time, with a limited set of permissions, optionally only over HTTPS and only from given IP ranges. An account SAS or service SAS is signed with the storage account key, so it stays valid until it expires or that key is rotated; a user delegation SAS is signed with an Azure AD credential instead and is the safer choice. Treat any SAS token like a password: it is a bearer token and anyone holding it has that access.
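The checks a reviewer would run over a SAS link before letting it ship, as an added example (not code from these notes or from Microsoft). It inspects the token's own query parameters (sp, se, spr, sip, sr) and cannot verify the signature, which would need the account key or user delegation key. Both sample URLs are constructed and their sig values are placeholders; the storage account name is made up.

```python
"""Audit the query parameters of an Azure Storage SAS URL.

Added example for these notes; it is not Microsoft code and does not verify
the HMAC signature (that needs the signing key). It only inspects the claims
the token carries, which is what you can do with a link found in a ticket,
a script or a log. Both sample URLs are constructed; sig is a placeholder.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# SAS query parameters: sp permissions, st/se start/expiry, spr protocol,
# sip allowed IPs, sr resource type (b blob, c container), sig signature.
WRITE_PERMS = set("wdacl")  # write, delete, add, create, list

EXAMPLE_SAS = (  # constructed: long-lived, container-wide, read/write, http allowed
    "https://mystorage.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&spr=https,http"
    "&sig=PLACEHOLDER"
)
TIGHT_SAS = (  # constructed: 30 minutes, one blob, read-only, https, pinned IP
    "https://mystorage.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z&se=2024-01-01T00:30:00Z"
    "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER"
)
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable result


def parse_sas_time(value):
    """SAS timestamps are UTC ISO 8601, with or without a time part."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(url, max_lifetime=timedelta(hours=1), now=None):
    """Return a list of findings; an empty list means nothing stood out."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in qs:
        return ["not a SAS URL: no sig parameter"]

    findings = []
    if parts.scheme != "https":
        findings.append("URL uses http, so the token itself travels in the clear")
    # When spr is absent Azure accepts both https and http.
    if qs.get("spr", "https,http") != "https":
        findings.append("spr permits http; set spr=https")
    if "se" not in qs:
        findings.append("no expiry (se); token lives until the signing key is rotated")
    else:
        remaining = parse_sas_time(qs["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token has already expired")
        elif remaining > max_lifetime:
            findings.append(f"expiry is {remaining} away, longer than {max_lifetime}")
    perms = set(qs.get("sp", ""))
    extra = perms & WRITE_PERMS
    if extra:
        findings.append("grants more than read: " + "".join(sorted(extra)))
    if qs.get("sr") == "c" and "l" in perms:
        findings.append("container-level list permission exposes every blob name")
    if "sip" not in qs:
        findings.append("no sip restriction; token is usable from any source address")
    return findings


if __name__ == "__main__":
    for label, url in (("loose", EXAMPLE_SAS), ("tight", TIGHT_SAS)):
        print(label, audit_sas(url, now=AUDIT_TIME) or ["no findings"])
```

The one-hour default for max_lifetime is a policy choice for the example; the point is that every finding maps to a SAS parameter you can tighten when generating the token, and a user delegation SAS adds the Azure AD audit trail that an account-key SAS lacks.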

    Azure Storage Tiers

    • Hot:
      • Frequently accessed data
      • Storage costs are highest but access costs lowest
    • Cool
      • Infrequently accessed data
      • Storage costs are lower but access costs are higher
      • Data should stay in this tier for at least 30 days; if you delete or move it earlier you are charged an early deletion penalty for the remaining days
    • Archive
      • For data that does not need to be accessed much, like long-term backups
      • Storage costs lowest but highest access costs
      • To avoid the early deletion penalty data must remain in this tier for 180 days
      • You also cannot access the data right away: it is offline storage, so a blob has to be rehydrated to hot or cool before you can read it. Standard-priority rehydration can take up to 15 hours; high priority usually completes in under an hour for blobs smaller than 10 GB

    Life Cycle Management

    This is used to move data between tiers automatically. An example would be to move data from hot to cool if it has not been modified (or, with last-access tracking enabled, not accessed) for XX days, then to move it from cool to archive if it has still not been touched for another XX days, and finally to delete it.

    • Life Cycle Management only works for General-Purpose V2, premium block blob and blob storage accounts
    • Life Cycle Management policies only run once a day, so it could take 24 hours from when you create the policy before anything happens
    • Tiering or deleting a blob through a policy still incurs the early deletion penalty if the blob leaves cool or archive before its minimum retention period
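A dry run of the tiering logic described above, as an added example that is not code from the notes or from Microsoft. The policy dictionary uses the JSON shape the portal exports for a lifecycle rule; the blob inventory, the run date and the "tier_since" dates are constructed. The model assumes the documented precedence when several actions match (delete over archive over cool) and uses the 30-day cool and 180-day archive minimums from the tier notes to estimate early deletion charges.

```python
"""Dry-run one daily execution of a blob lifecycle management policy.

Added example for these notes, not Microsoft code. POLICY follows the
lifecycle-management JSON schema; the inventory and dates are constructed
so the result is reproducible.
"""
from datetime import datetime, timedelta, timezone

POLICY = {
    "rules": [
        {
            "enabled": True,
            "name": "age-out-logs",
            "type": "Lifecycle",
            "definition": {
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": 30},
                        "tierToArchive": {"daysAfterModificationGreaterThan": 90},
                        "delete": {"daysAfterModificationGreaterThan": 365},
                    }
                },
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
            },
        }
    ]
}

MIN_DAYS_IN_TIER = {"Hot": 0, "Cool": 30, "Archive": 180}   # early deletion thresholds
TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}
ACTION_TARGET = {"tierToCool": "Cool", "tierToArchive": "Archive"}
ACTION_PRECEDENCE = ("delete", "tierToArchive", "tierToCool")  # cheapest action wins

RUN_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _blob(name, kind, tier, age_days, tier_days):
    """Constructed inventory record: age since last modification, days in current tier."""
    return {"name": name, "type": kind, "tier": tier,
            "modified": RUN_DATE - timedelta(days=age_days),
            "tier_since": RUN_DATE - timedelta(days=tier_days)}


BLOBS = [
    _blob("logs/app-2024-05-25.log", "blockBlob", "Hot", 7, 7),
    _blob("logs/app-2024-04-01.log", "blockBlob", "Hot", 61, 61),
    _blob("logs/app-2024-01-01.log", "blockBlob", "Cool", 152, 10),    # cooled 10 days ago
    _blob("logs/app-2023-01-01.log", "blockBlob", "Archive", 517, 60),  # archived 60 days ago
    _blob("vhds/disk1.vhd", "pageBlob", "Hot", 400, 400),               # filtered out by type
]


def rule_matches(rule, blob):
    filters = rule["definition"].get("filters", {})
    if blob["type"] not in filters.get("blobTypes", ["blockBlob"]):
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def evaluate_blob(policy, blob, run_date):
    """Return (action, early_deletion_days); action is None if nothing applies."""
    age = (run_date - blob["modified"]).days
    triggered = set()
    for rule in policy["rules"]:
        if not rule.get("enabled", True) or not rule_matches(rule, blob):
            continue
        for action, cond in rule["definition"]["actions"].get("baseBlob", {}).items():
            if age > cond["daysAfterModificationGreaterThan"]:
                triggered.add(action)
    action = next((a for a in ACTION_PRECEDENCE if a in triggered), None)
    if action is None:
        return None, 0
    target = ACTION_TARGET.get(action)
    if target and TIER_RANK[target] <= TIER_RANK[blob["tier"]]:
        return None, 0  # already in that tier or a colder one
    days_in_tier = (run_date - blob["tier_since"]).days
    early = max(0, MIN_DAYS_IN_TIER[blob["tier"]] - days_in_tier)
    return action, early


def run_policy(policy, blobs, run_date):
    return {b["name"]: evaluate_blob(policy, b, run_date) for b in blobs}


if __name__ == "__main__":
    for name, (action, early) in run_policy(POLICY, BLOBS, RUN_DATE).items():
        note = f" (early deletion charge for {early} days)" if early else ""
        print(f"{name}: {action or 'no action'}{note}")
```

Running it shows the two cases that surprise people: the log cooled 10 days ago is archived by the 90-day rule and pays for the 20 days it did not spend in cool, and the archived blob deleted by the 365-day rule pays for the 120 days left of its 180-day archive minimum. Align the day counts in the rules with the tier minimums (cool threshold plus at least 30, archive threshold plus at least 180) to avoid that.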

    Deploy and manage Azure compute resources

    Virtual Machines

    • If a VM uses unmanaged disks a storage account is required
    • If the VM uses managed disks a storage account is not required
    • Reserved instances are a 1 or 3 year commitment and can be up to 72% cheaper than pay-as-you-go
    • Spot pricing uses unused compute capacity and can be up to 90% cheaper than pay-as-you-go, however Azure can evict (deallocate or delete) spot VMs at short notice when that capacity is needed, so only use it for interruptible workloads
      • Virtual machine options
        • General purpose - Balanced CPU to memory ratio
        • Compute optimized - High CPU to memory ratio
        • Memory optimized - High memory to core ratio
        • Storage optimized - High disk throughput and IO
        • GPU - Intended for heavy graphics and video rendering, with dedicated GPUs
        • High performance compute - Fastest and most powerful CPUs

    Availability Sets

    • When you deploy at least 2 VMs into an availability set you qualify for a 99.95% uptime SLA
    • A single VM outside an availability set qualifies for a 99.9% uptime SLA only if it uses Premium SSD or Ultra Disk for all of its OS and data disks
    • An availability set contains 5 update domains by default; this can be increased to 20 in Resource Manager deployments
    • An update domain is a group of hosts that can be updated and rebooted at the same time
    • When updates or maintenance are performed by Microsoft, only 1 update domain is rebooted at a time
    • A fault domain is a group of hosts that share a common power source and network switch
    • When VMs are added to an availability set they are distributed across up to 3 fault domains in a Resource Manager deployment or across 2 fault domains in classic deployments
    • Placement is fixed when the VM is created; an existing VM cannot be moved into or between availability sets without being recreated
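The fault/update domain distribution described above, modelled as an added example (not Microsoft's placement code). It assumes the documented sequential round-robin assignment, VM n landing on fault domain n mod FD count and update domain n mod UD count, and the Resource Manager limits from the notes (1 to 3 fault domains, 1 to 20 update domains); the VM counts are illustrative.

```python
"""Model how VMs in an availability set land on fault and update domains.

Added example for these notes, not Microsoft's placement code. Assumes
sequential round-robin placement and the Resource Manager limits
(1..3 fault domains, 1..20 update domains).
"""
MAX_FAULT_DOMAINS = 3
MAX_UPDATE_DOMAINS = 20


def place_vms(vm_count, fault_domains=2, update_domains=5):
    """Return a list of (fault_domain, update_domain) per VM, in creation order."""
    if not 1 <= fault_domains <= MAX_FAULT_DOMAINS:
        raise ValueError(f"fault domains must be 1..{MAX_FAULT_DOMAINS}")
    if not 1 <= update_domains <= MAX_UPDATE_DOMAINS:
        raise ValueError(f"update domains must be 1..{MAX_UPDATE_DOMAINS}")
    return [(n % fault_domains, n % update_domains) for n in range(vm_count)]


def worst_case_outage(placement):
    """Most VMs taken down at once by one rack failure and by one UD reboot.

    Returns (vms_lost_to_one_fault_domain, vms_lost_to_one_update_domain).
    """
    fd_counts, ud_counts = {}, {}
    for fd, ud in placement:
        fd_counts[fd] = fd_counts.get(fd, 0) + 1
        ud_counts[ud] = ud_counts.get(ud, 0) + 1
    if not placement:
        return 0, 0
    return max(fd_counts.values()), max(ud_counts.values())


def survives_single_event(placement):
    """True if at least one VM stays up through any single FD or UD event.

    This is why the 99.95% SLA needs two or more VMs in the set: a lone VM
    has nowhere to fail over to during a UD reboot or a rack fault.
    """
    if not placement:
        return False
    fd_loss, ud_loss = worst_case_outage(placement)
    return fd_loss < len(placement) and ud_loss < len(placement)


if __name__ == "__main__":
    for n in (1, 2, 6):
        p = place_vms(n, fault_domains=3, update_domains=5)
        print(n, p, worst_case_outage(p), survives_single_event(p))
```

With 3 fault domains and 5 update domains, the sixth VM wraps back to fault domain 0 and update domain 0, so a six-VM set loses at most two instances to one rack or one maintenance wave; a single VM in the set loses everything.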

    Availability Zones

    • When you deploy two or more VMs across two or more availability zones in the same region they are covered by a 99.99% uptime SLA

    Scale sets

    • A scale set is a group of identical virtual machines
    • It can be configured to automatically increase or decrease the number of VM instances
    • A load balancer is generally placed in front of the scale set to distribute the workload to the instances in it
    • All VMs in a scale set are created from the same base configuration (image and settings), so you can update and manage them easily
    • A scale set with a load balancer allows you to do layer 4 traffic rules
    • A scale set with Azure Application Gateway allows you to do layer 7 traffic rules with SSL termination
    • A scale set can support up to 1000 VMs if you use Azure platform images, or 600 if you use your own custom images
    • You can use Azure Monitor for VMs to monitor the VMs in the scale set and Application Insights to collect information about and monitor the application

    Kubernetes

    • The "control plane" is what manages the nodes and pods; in AKS Microsoft manages it for you
    • The standard way to perform user authentication is Azure Active Directory integration, with Kubernetes RBAC or Azure RBAC for authorisation
    • You manage Kubernetes using the kubectl command
    • Minimum number of nodes recommended for a production cluster is 3

    Autoscaling

    • If two rules conflict, e.g. CPU has dropped enough to scale in but IO is high enough to scale out, scale out always wins over scale in. Scale out happens if any scale-out rule is met; scale in only happens if all scale-in rules are met
    • Autoscaling uses Azure Monitor for its metrics
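The rule-resolution behaviour above in code, as an added example that is not the Azure autoscale engine or code from the notes. It models three documented behaviours: scale out when any scale-out rule fires, scale in only when every scale-in rule fires and no scale-out rule does, and the flapping guard that skips a scale-in if the metric, projected onto the smaller instance count, would trigger a scale-out straight away. The rules and metric samples are constructed.

```python
"""Resolve Azure-style autoscale rules against one metric sample.

Added example for these notes, not the Azure autoscale engine. Rule
precedence and the flapping guard follow the documented behaviour; the
linear projection of per-instance averages is the estimate autoscale uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    metric: str
    operator: str    # ">" or "<"
    threshold: float
    direction: str   # "out" or "in"
    change: int      # instances added or removed


OPERATORS = {">": lambda v, t: v > t, "<": lambda v, t: v < t}


def fires(rule, metrics):
    value = metrics.get(rule.metric)
    return value is not None and OPERATORS[rule.operator](value, rule.threshold)


def project(metrics, current, target):
    """Estimate per-instance averages once the load is spread over target VMs."""
    return {name: value * current / target for name, value in metrics.items()}


def decide(rules, metrics, current, minimum, maximum):
    """Return the instance count after this evaluation, clamped to [minimum, maximum]."""
    out_rules = [r for r in rules if r.direction == "out"]
    in_rules = [r for r in rules if r.direction == "in"]
    firing_out = [r for r in out_rules if fires(r, metrics)]
    if firing_out:                      # any scale-out rule wins outright
        target = current + max(r.change for r in firing_out)
    elif in_rules and all(fires(r, metrics) for r in in_rules):
        target = current - max(r.change for r in in_rules)
        # Flapping guard: would the smaller set immediately scale out again?
        if target >= 1 and any(fires(r, project(metrics, current, target)) for r in out_rules):
            target = current
    else:
        target = current
    return max(minimum, min(maximum, target))


RULES = [  # constructed: the CPU-vs-IO conflict from the notes
    Rule("cpu_percent", ">", 75, "out", 1),
    Rule("disk_queue", ">", 80, "out", 1),
    Rule("cpu_percent", "<", 25, "in", 1),
]
AGGRESSIVE_RULES = [  # constructed: scale-in step large enough to trip the flapping guard
    Rule("cpu_percent", ">", 75, "out", 1),
    Rule("cpu_percent", "<", 25, "in", 3),
]

if __name__ == "__main__":
    print(decide(RULES, {"cpu_percent": 20, "disk_queue": 90}, 3, 1, 10))  # conflict: out wins
    print(decide(RULES, {"cpu_percent": 20, "disk_queue": 10}, 3, 1, 10))  # quiet: scale in
    print(decide(AGGRESSIVE_RULES, {"cpu_percent": 24}, 4, 1, 10))         # guard: stays put
```

The last case is the one to remember when writing rules: 24% CPU across 4 instances becomes an estimated 96% on 1, so autoscale refuses the scale-in rather than bouncing between 1 and 4 every evaluation. Keep scale-in steps small relative to the gap between the two thresholds.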

    Configure and manage virtual networking

    Virtual Networks

    • A VNet's address space should be private address space as defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); public ranges are technically allowed but not recommended
    • A VNet is scoped to a specific region and subscription
    • A VNet can connect to another VNet using peering, provided their address spaces do not overlap
    • You should never create a subnet that encompasses the entire address space of the VNet; leave room for subnets you may need later such as GatewaySubnet, AzureBastionSubnet or AzureFirewallSubnet
    • Fewer, larger subnets are recommended over lots of smaller subnets; Azure reserves 5 addresses in every subnet (the first four and the last) and the smallest subnet allowed is /29
    • It is recommended that each subnet has an NSG on it so you can control access to and from it
    • Outbound communication to the internet is enabled by default
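A pre-deployment check for an address plan, as an added example (not code from the notes or from Azure). It encodes the points above plus the two Azure facts that bite most often: five reserved addresses per subnet and a /29 minimum subnet size. The two sample plans and the peer address space are constructed.

```python
"""Sanity-check a virtual network address plan before deploying it.

Added example for these notes, not Azure code. Checks RFC 1918 space,
subnets inside the VNet, no subnet swallowing the whole space, the /29
minimum, subnet overlap, and overlap with a would-be peer's address space.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_PER_SUBNET = 5        # first four addresses and the last one in every subnet
SMALLEST_SUBNET_PREFIX = 29    # Azure rejects anything smaller than /29


def usable_hosts(cidr):
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def validate_vnet(address_spaces, subnets, peer_address_spaces=()):
    """Return a list of problems; an empty list means the plan passes these checks."""
    problems = []
    spaces = [ipaddress.ip_network(s) for s in address_spaces]
    for space in spaces:
        if not any(space.subnet_of(private) for private in RFC1918):
            problems.append(f"{space} is not RFC 1918 private address space")

    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        nets[name] = net
        parent = next((s for s in spaces if net.subnet_of(s)), None)
        if parent is None:
            problems.append(f"subnet {name} {net} is outside the VNet address space")
            continue
        if net == parent:
            problems.append(f"subnet {name} consumes all of {parent}; no room for GatewaySubnet or other subnets later")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            problems.append(f"subnet {name} {net} is smaller than /{SMALLEST_SUBNET_PREFIX}, the Azure minimum")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")

    for peer in peer_address_spaces:
        peer_net = ipaddress.ip_network(peer)
        for space in spaces:
            if space.overlaps(peer_net):
                problems.append(f"{space} overlaps peer address space {peer_net}; peering would be rejected")
    return problems


# Constructed plans: (address spaces, {subnet name: CIDR}, peer address spaces)
GOOD_PLAN = (["10.1.0.0/16"],
             {"web": "10.1.1.0/24", "db": "10.1.2.0/24", "GatewaySubnet": "10.1.255.0/27"},
             ["10.2.0.0/16"])
BAD_PLAN = (["10.1.0.0/16", "192.0.2.0/24"],
            {"everything": "10.1.0.0/16", "tiny": "10.1.0.0/30"},
            ["10.1.0.0/24"])

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        for line in validate_vnet(*plan) or ["ok"]:
            print(line)
```

Note the arithmetic the reserved addresses force on small subnets: a /29 gives 3 usable addresses, not 6, and a /27 GatewaySubnet gives 27, which is why Microsoft's guidance is /27 or larger for gateways.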

    Application Security Groups

    • You can logically group the NICs of several virtual machines and use that group as the source or destination in NSG rules instead of maintaining IP address lists

    Network virtual appliance

    • A VM running a network function, e.g. a firewall or a WAN optimisation appliance; traffic is steered through it with a user-defined route

    Route tables/BGP routes

    • Route tables are custom tables that allow you to define user-defined routes that control how traffic is routed from each of your subnets (for example 0.0.0.0/0 to a firewall appliance)
    • BGP routes are typically used to connect an Azure virtual network to an on-prem network via ExpressRoute or an Azure VPN gateway, so that routes are exchanged dynamically rather than configured by hand

    VPN Gateways

    • You can only have 1 VPN gateway per VNet, but the gateway supports multiple connections, meaning you can connect multiple sites or VNets to it
    • When you deploy a VPN gateway, 2 hidden VMs are deployed into the gateway subnet you supplied when setting it up (the subnet must be named GatewaySubnet). These VMs contain the routing tables and gateway services
    • You can create a VNet-to-VNet, site-to-site or point-to-site VPN connection
      • Site-to-site VPN
        • An IPsec/IKE (IKEv1 or IKEv2) VPN tunnel
        • You must have a GatewaySubnet on the VNet before creating the gateway
        • The local network gateway represents the on-prem VPN device (its public IP address and the address prefixes behind it)
        • Once the VPN gateway and local network gateway are configured you create a VPN connection, with a pre-shared key, which links the two sites
        • Both route-based and policy-based gateways are supported; policy-based is limited to the Basic SKU and a single site-to-site tunnel, so route-based is the normal choice
      • Point-to-site
        • Route-based gateways only
        • Protocols supported:
          • OpenVPN (SSL/TLS based, TCP 443) works through most firewalls and from Windows, macOS, Linux, Android and iOS
          • SSTP (TLS based, TCP 443) only supports Windows devices
          • IKEv2 (UDP 500/4500), usable from Windows and macOS devices
        • Supported authentication:
          • Native Azure certificate authentication
          • Native Azure AD authentication (OpenVPN only)
          • Active Directory Domain Services via a RADIUS server

    ExpressRoute

    • Can establish connectivity from:
      • An any-to-any (IP VPN) network
      • A point-to-point Ethernet network
      • A virtual cross-connection through a connectivity provider at a colocation facility
    • ExpressRoute connections do NOT traverse the public internet
    • Dynamic routing between your on-prem network and Microsoft via BGP
    • Connection uptime SLA for ExpressRoute is 99.95%
    • ExpressRoute can be used to access Azure and Microsoft 365 (Office 365) services
    • The circuit is private but not encrypted by default; use IPsec over ExpressRoute or MACsec (ExpressRoute Direct) where confidentiality is required

    VNet Peering

    • Virtual network peering
      • Allows you to connect virtual networks that are in the same Azure region
    • Global virtual network peering
      • Allows you to connect virtual networks that are in different regions
    • Peering is not transitive: if A peers with B and B peers with C, A cannot reach C without its own peering or a hub appliance

    Load Balancers

    • Basic Load Balancer
      • Supports 300 instances
      • No availability zones supported
      • Health probes: TCP, HTTP
      • Transport layer (layer 4), IP and port to IP and port
      • No SLA, and open to the internet by default (an NSG is optional)
    • Standard Load Balancer
      • Supports 1000 instances
      • Availability zones supported
      • Health probes: TCP, HTTP, HTTPS
      • Can do outbound NAT (outbound rules)
      • 99.99% SLA
      • Transport layer (layer 4), IP and port to IP and port
      • Secure by default: traffic to the backend is blocked until an NSG explicitly allows it
    • Azure Application Gateway
      • Create rules based on host headers
      • Route traffic to specific backend pools based on URL path
      • Used to load balance web traffic to web applications
      • Application layer routing (layer 7)
      • Can do SSL/TLS termination
      • Autoscaling, scaling up or down based on traffic load (only supported in Standard_v2 and WAF_v2)
      • Web application firewall (WAF SKU) protects against many common exploits such as SQL injection and cross-site scripting, using the OWASP core rule set
      • Zone redundancy: a v2 application gateway can span availability zones
      • Application gateway must be deployed to a dedicated subnet that contains only application gateways

    Monitor and back up Azure resources