AZ 104 Notes PDF Neeraj

The document provides an overview of Azure Active Directory (Azure AD) compared to on-premises Active Directory. It outlines the key differences in how users, groups, and applications are managed and secured between the two identity platforms.

AZ-104 Notes- AGENDA- Copyright-Neeraj-(cloudtechtrainers)- for personal use only!

Module-01> Identity
• ADDS vs Azure AD
• Azure AD licensing
• Device Identities
• SSPR
• Users & Groups
• Lab 01 – Manage Azure Active Directory Identities

Module-02> Governance & Compliance
• Subscriptions
• Policy
• RBAC
• Lab 02a - Manage Subscriptions and RBAC
• Lab 02b - Manage Governance via Azure Policy

Module-03> Azure Administration
• Azure Portal
• CloudShell
• PowerShell
• CLI
• ARM
• Lab 03a - Manage Azure resources by Using the Azure Portal
• Lab 03b - Manage Azure resources by Using ARM Templates
• Lab 03c - Manage Azure resources by Using Azure PowerShell (optional)
• Lab 03d - Manage Azure resources by Using Azure CLI (optional)

Module-04> Virtual Networking
• Virtual Network, Subnet, Public IP, Private IP
• Network Security Groups
• Azure Firewall
• Azure DNS
• Lab 04 – Implement Virtual Networks

Module-05> Intersite Connectivity
• Configure VNet Peering
• Configure VPN Gateway
• Configure ExpressRoute and Virtual WAN
• Lab 05 - Implement Intersite Connectivity

Module-06> Network Traffic Management
• Configure Network Routing and Endpoints: UDR, Service Endpoints, Private Link
• Azure Load Balancer
• Azure Application Gateway
• Network Watcher
• Lab 06 – Implement Traffic Management

Module-07> Azure Storage
• Configure Storage Accounts
  ○ Blob Storage
  ○ Storage Security
  ○ Azure File & File Sync
• Lab 07 – Manage Azure Storage

Module-08> Virtual Machines
• Configure Virtual Machines
• Configure Virtual Machine Availability
• Configure Virtual Machine Extensions
• Lab 08 – Manage Virtual Machines

Module-09> App Services
• Configure Azure App Service Plans
  ○ Implement Azure App Service Plans
  ○ Determine App Service Plan Pricing
  ○ Scale Up and Scale Out the App Service Plan
  ○ Configure App Service Plan Scaling
• Configure Azure App Services

Module-09> Containers, AKS
• Configure Containers
• Configure Azure Kubernetes Service
• Lab 09a - Implement Web Apps
• Lab 09b - Implement Azure Container Instances
• Lab 09c - Implement Azure Kubernetes Service (optional)

Module-10> Data Protection
• Configure File and Folder Backups
• Configure Virtual Machine Backups
• Lab 10 – Implement Data Protection

Module-11> Monitoring
• Configure Azure Monitor
• Configure Azure Alerts
• Configure Log Analytics
• Lab 11 – Implement Monitoring

01- Administer Identity
Sunday, May 8, 2022 10:38 PM

Azure AD: an identity and access management service that helps users access internal and external resources.

Connections to Azure AD

Components of Azure AD

Hybrid Identity

Azure AD Vs ADDS

Users

Provisioning: users
Active Directory (AD): Organizations create internal users manually or use an in-house or automated provisioning system, such as Microsoft Identity Manager, to integrate with an HR system.
Azure Active Directory: Existing AD organizations use Azure AD Connect to sync identities to the cloud. Azure AD adds support to automatically create users from cloud HR systems. Azure AD can provision identities in SCIM-enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.

Provisioning: external identities
Active Directory (AD): Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users).
Azure Active Directory: Azure AD provides a special class of identity to support external identities. Azure AD B2B manages the link to the external user identity to make sure they are valid.

Entitlement management and groups
Active Directory (AD): Administrators make users members of groups. App and resource owners then give groups access to apps or resources.
Azure Active Directory: Groups are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users in a group. Administrators can use Entitlement management in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria.

Admin management
Active Directory (AD): Organizations use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and the resources it controls.
Azure Active Directory: Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and the resources it controls. Managing roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.

Credential management
Active Directory (AD): Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.
Azure Active Directory: Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. Azure AD significantly boosts security through multi-factor authentication and passwordless technologies, like FIDO2. Azure AD reduces support costs by providing users a self-service password reset system.

Apps

Infrastructure apps
Active Directory (AD): Active Directory forms the basis for many on-premises infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access.
Azure Active Directory: In a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional Access (CA) controls which users have access to which apps under required conditions.

Traditional and legacy apps
Active Directory (AD): Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or header-based authentication to control access for users.
Azure Active Directory: Azure AD can provide access to these types of on-premises apps using Azure AD Application Proxy agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.

SaaS apps
Active Directory (AD): Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS.
Azure Active Directory: SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.

Line of business (LOB) apps with modern authentication
Active Directory (AD): Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.
Azure Active Directory: LOB apps requiring modern authentication can be configured to use Azure AD for authentication.

Mid-tier/Daemon services
Active Directory (AD): Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps then inherit the permissions of the service account.
Azure Active Directory: Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider, and they can't be used for other purposes to gain backdoor access.

Devices

Mobile
Active Directory (AD): Active Directory doesn't natively support mobile devices without third-party solutions.
Azure Active Directory: Microsoft's mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication.

Windows desktops
Active Directory (AD): Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.
Azure Active Directory: Windows devices can be joined to Azure AD. Conditional Access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune. In this case, Conditional Access considers whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.

Windows servers
Active Directory (AD): Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.
Azure Active Directory: Windows Server virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.

Linux/Unix workloads
Active Directory (AD): Active Directory doesn't natively support non-Windows workloads without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.
Azure Active Directory: Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities.
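Added example (not from the original notes or Microsoft's documentation) illustrating the Mid-tier/Daemon services and Admin management rows above with Az PowerShell: a VM gets a system-assigned managed identity in place of a service account, and that identity is granted one data-plane role scoped to a single storage account. The resource group, VM and storage account names are placeholders.

```powershell
# Added example, not from the original notes: replace a service account with a
# system-assigned managed identity and grant it only the role it needs, scoped
# to one storage account. 'rg-lab', 'vm-web-01' and 'storagedemose' are placeholders.
$rgName = 'rg-lab'; $vmName = 'vm-web-01'; $saName = 'storagedemose'

# 1. Enable the identity. Azure AD owns its lifecycle; there is no password to rotate or leak.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
Update-AzVM -ResourceGroupName $rgName -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rgName -Name $vmName).Identity.PrincipalId

# 2. Least privilege: a data-plane reader role, scoped to the storage account, not the subscription.
$scope = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName).Id
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope

# 3. Review what the identity can do; any assignment broader than expected is a finding.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope

# 4. Inside the VM a workload requests a token from the instance metadata endpoint;
#    no secret is stored on disk, and the token is only usable for the resource named in it.
#    Invoke-RestMethod -Headers @{ Metadata = 'true' } `
#        -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/'
```

Compare this with the gMSA case in the table: the service account's permissions travel with the account and must be audited across every server it runs on, whereas the managed identity's permissions are visible in one role-assignment list and disappear when the VM is deleted.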

Azure AD Terms

Identity: An object that can be authenticated

Account: An identity that has data associated with it

Azure AD Account: An identity created through Azure AD or another Microsoft cloud service

Azure AD Tenant/Directory: A dedicated and trusted instance of Azure AD. A Tenant is automatically created when your organization signs up for a Microsoft cloud service subscription

Azure Subscription: Used to pay for Azure cloud services

Azure AD Concepts

Azure AD Feature comparison based on licenses

Feature name | Azure Active Directory Free | Office 365 | Azure Active Directory Premium P1 | Azure Active Directory Premium P2

Authentication, single sign-on and multifactor authentication (MFA) | partially included | partially included | included | included
Cloud authentication (Pass-through authentication, password hash synchronization) | included | included | included | included
Federated authentication (Active Directory Federation Services or federation with other identity providers) | included | included | included | included
Single sign-on (SSO) unlimited | included | included | included | included
Multifactor authentication (MFA) | included | included | included | included
Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | included | included | included | included
Service-level agreement | not included | not included | included | included

Applications Access | partially included | partially included | included | included
SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0) | included | included | included | included
Group assignment to applications | not included | not included | included | included
Cloud app discovery (Microsoft Defender for Cloud Apps) | not included | not included | included | included
Application Proxy for on-premises, header-based, and Integrated Windows Authentication | not included | not included | included | included
Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | included | included | included | included

Authorization and Conditional Access | partially included | partially included | partially included | included
Role-based access control (RBAC) | included | included | included | included
Conditional Access | not included | not included | included | included
SharePoint limited access | not included | not included | included | included
Session lifetime management | not included | not included | included | included
Identity Protection (Risky sign-ins, risky users, risk-based conditional access) | not included | not included | not included | included

Administration and hybrid identity | partially included | partially included | included | included
User and group management | included | included | included | included
Advanced group management (Dynamic groups, naming policies, expiration, default classification) | not included | not included | included | included
Directory synchronization—Azure AD Connect (sync and cloud sync) | included | included | included | included
Azure AD Connect Health reporting | not included | not included | included | included
Delegated administration—built-in roles | included | included | included | included
Global password protection and management – cloud-only users | included | included | included | included
Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | not included | not included | included | included
Microsoft Identity Manager user client access license (CAL) | not included | not included | included | included

End-user self-service | partially included | partially included | partially included | included
Application launch portal (My Apps) | included | included | included | included
User application collections in My Apps | included | included | included | included
Self-service account management portal (My Account) | included | included | included | included
Self-service password change for cloud users | included | included | included | included
Self-service password reset/change/unlock with on-premises write-back | not included | not included | included | included
Self-service sign-in activity search and reporting | not included | included | included | included
Self-service group management (My Groups) | not included | not included | included | included
Self-service entitlement management (My Access) | not included | not included | not included | included

Identity Governance | partially included | partially included | partially included | included
Automated user provisioning to apps | included | included | included | included
Automated group provisioning to apps | not included | not included | included | included
HR-driven provisioning | not included | not included | included | included
Terms of use attestation | not included | not included | included | included
Access certifications and reviews | not included | not included | not included | included
Entitlements management | not included | not included | not included | included
Privileged Identity Management (PIM), just-in-time access | not included | not included | not included | included

Event logging and reporting | partially included | partially included | partially included | included
Basic security and usage reports | included | included | included | included
Advanced security and usage reports | not included | not included | included | included
Identity Protection: vulnerabilities and risky accounts | not included | not included | not included | included
Identity Protection: risk events investigation, SIEM connectivity | not included | not included | not included | included

Frontline workers | not included | not included | included | included
SMS sign-in | not included | not included | included | included
Shared device sign-out | not included | not included | included | included
Delegated user management portal (My Staff) | not included | not included | included | included

From <https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing>

Azure AD Device Identities

Azure AD registered devices
• Supports Bring Your Own Device
• Registered devices sign in using a Microsoft account
• Attached to an Azure AD account granting access to resources
• Control using Mobile Device Management (MDM) tools like Microsoft Intune
• OS – Windows 10+, iOS, Android, and MacOS

Azure AD joined devices
• Intended for cloud-first or cloud-only organizations
• Organization-owned devices
• Joined only to Azure AD - organizational account required
• Can use Conditional Access policies
• OS – Windows 10+ devices

Hybrid Azure AD joined devices
• You have Win32 apps deployed to these devices using Active Directory machine authentication
• You want to continue to use Group Policy to manage the device
• You want to use existing image solutions to deploy devices
• OS - Windows 7+ devices

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

SSPR - Self Service Password Reset

SSPR Authentication Methods
MODULE 2> Users & Groups

USER ACCOUNTS

• CLOUD IDENTITIES
• DIRECTORY SYNCHRONIZED IDENTITIES
• ON PREM IDENTITIES
• GUEST USERS

GROUP ACCOUNTS

SECURITY GROUPS
• Azure AD Security Groups are analogous to Security Groups in on-prem Windows Active Directory.
• They are Security Principals, which means they can be used to secure objects in Azure AD.
• They can be created natively in Azure AD, or synced from Windows AD with Azure AD Connect.
• Their membership can be static, or it can be generated dynamically with rules.
• Security groups are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups.

MICROSOFT 365 GROUPS
• Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.

ASSIGNMENT TYPES

• ASSIGNED MEMBERSHIP
• DYNAMIC USERS
• DYNAMIC DEVICE

Dynamic membership rule example: (user.country -eq "India") and (user.department -eq "IT")
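Added example (not from the original notes): creating a security group with the dynamic membership rule shown above, using the Microsoft Graph PowerShell SDK. The group name and mail nickname are placeholders. Because membership follows attribute values, whoever controls the `country` and `department` attributes (normally HR-driven provisioning or Azure AD Connect sync) effectively controls what the group grants, so those attributes should not be editable by the users themselves.

```powershell
# Added example, not from the original notes: build a security group from the
# dynamic membership rule above with the Microsoft Graph PowerShell SDK.
# 'sg-india-it' is a placeholder name.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$rule = '(user.country -eq "India") and (user.department -eq "IT")'

$group = New-MgGroup -DisplayName 'sg-india-it' `
    -MailNickname 'sg-india-it' `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously by the service: confirm the rule is
# active, then review who it pulled in before assigning the group to apps or licenses.
Get-MgGroup -GroupId $group.Id `
    -Property @('displayName', 'membershipRule', 'membershipRuleProcessingState') |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Re-run the member listing after a few minutes if it is empty: the rule processing state only says the rule is enabled, not that evaluation has completed.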

License Assignment

• Important to mention the location of user
• Assign licenses to groups> good practice to follow
• Location helps decide pricing, regulatory compliance based on country
• Premium P1 or P2 offers the best features

License Operations
• View license plans and plan details
• Set the Usage Location parameter
• Assign licenses to users and groups
• Change license plans for users and groups
• Remove a license

ADMINISTRATIVE UNIT

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.

Administrative units restrict permissions in a role to any portion of your organization that you define.

For example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

License requirements
Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and an Azure AD Free license for each administrative unit member

https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

ARCHITECTURES

Integrate on-premises AD domains with Azure AD

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad

Multiple forests with AD DS and Azure AD


https://docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/multi-forest

KNOWLEDGE CHECK

02- Governance
Sunday, October 31, 2021 2:58 AM

Azure Governance & Compliance

Azure Global Infrastructure


https://azure.microsoft.com/en-in/global-infrastructure/

3D Virtual Tour- Azure Datacenter


https://news.microsoft.com/stories/microsoft-datacenter-tour/

Azure Subscriptions

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/subscriptions/

Subscription Offer types

OFFER NAME | OFFER NUMBER | SPENDING LIMIT
Azure Plan | 0017G | Blank
Enterprise Agreement Support | Blank | Blank
Microsoft Azure EA Sponsorship | 0136P | Blank
Pay-As-You-Go | 0003P | Blank
Support Plans | 0041P, 0042P, 0043P | Blank
Free Trial | 0044P | Available
Visual Studio Professional subscribers | 0059P | Available
Visual Studio Test Professional subscribers | 0060P | Available
MSDN Platforms subscribers | 0062P | Available
Visual Studio Enterprise subscribers | 0063P | Available
Visual Studio Enterprise (BizSpark) subscribers | 0064P | Available
Visual Studio Enterprise (MPN) subscribers | 0029P | Available
Pay-As-You-Go Dev/Test | 0023P | Blank
Enterprise Dev/Test | 0148P | Blank
Action Pack | 0025P | Available
Microsoft Azure Sponsored Offer | 0036P | Blank
Azure Pass | 0243P | Blank
Azure in Open Licensing | 0111p | Available
Azure for Students | 0170p | Available
Microsoft Azure for Students Starter | 0144P | Available
Azure in CSP | 0145P | Blank
Microsoft Azure Dev Tools for Teaching | Blank | Blank

https://azure.microsoft.com/en-in/support/legal/offer-details/

How to Get a Subscription?

Resource Groups
Resources with similar lifecycles should be part of the same RG: resources that are created together, updated together and deleted together should be part of the same RG.

Naming

Resource Quotas

Tags

Cost Management
• AHB- Azure Hybrid Benefit
• Reserved Instances
• Scheduled Stoppage of VMs during non-required hours
• Deletion of Unattached disks
• Right Sizing workloads
• Select right resources
• Right regions- Locations
• Data Transfer costs
• Optimize- Alerts, budgets & Azure Advisor

https://azure.microsoft.com/en-in/pricing/calculator/

TCO calculator
https://azure.microsoft.com/en-in/pricing/tco/calculator/

Azure Policy

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azpolicydefinition?view=azps-6.5.0

# Get policies
Get-AzPolicyDefinition

# Register the resource provider if it's not already registered
Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

# Get a reference to the resource group that is the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'

# Get a reference to the built-in policy definition to assign
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition
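Added example (not from the original notes): once the assignment above exists, this reads its compliance results with the Az.PolicyInsights cmdlets. It assumes the same assignment name and a placeholder resource group `rg-lab`.

```powershell
# Added example, not from the original notes: check compliance results for the
# 'audit-vm-manageddisks' assignment created above. 'rg-lab' is a placeholder.
$rgName = 'rg-lab'
$rg = Get-AzResourceGroup -Name $rgName
$assignment = Get-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope $rg.ResourceId

# Evaluation normally runs on a schedule; trigger an on-demand scan and wait for it to finish.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName

# Every resource the audit flagged, with the effect that fired.
$nonCompliant = Get-AzPolicyState -ResourceGroupName $rgName `
    -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'"

$nonCompliant |
    Select-Object ResourceId, ResourceType, PolicyDefinitionAction, Timestamp |
    Format-Table -AutoSize

# Aggregate counts; a NonCompliantResources figure that grows over time is the signal to act on.
(Get-AzPolicyStateSummary -ResourceGroupName $rgName -PolicyAssignmentName $assignment.Name).Results |
    Select-Object NonCompliantResources, NonCompliantPolicies
```

An audit effect only records the finding; if the same definition were assigned with a deny effect, the non-compliant deployments would be rejected at request time instead of appearing in this list.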

RBAC-Role Based Access Control

Azure AD vs Azure RBAC Roles

Role Assignment

Knowledge Check
03- Azure Administration
Tuesday, May 31, 2022 3:16 PM

How Azure Deployments work?

What Is ARM?

A template (JSON format) that defines the infrastructure & configuration of an Azure solution

Why Do we need ARM?

Repeatedly deploy solutions throughout their lifecycle & the resources are deployed in a consistent state

Element name | Required | Description
$schema | Yes | Location of the JSON schema file that describes the version of the template language
contentVersion | Yes | Version of the template
parameters | No | Values that are provided when deployment is executed to customize resource deployment
variables | No | Values that are used as JSON fragments in the template to simplify template language expressions
functions | No | Values that are used as JSON fragments in the template to simplify template language expressions
resources | Yes | Resource types that are deployed or updated in a resource group
outputs | No | Values that are returned after deployment
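Added example (not from the original notes): a minimal ARM template that uses all seven top-level elements from the table above, written to a temporary file, validated and then deployed with Az PowerShell. The resource group name `rg-lab`, the deployment name and the `storageNamePrefix` parameter value are placeholders chosen for this example.

```powershell
# Added example, not from the original notes: one template exercising every element
# in the table ($schema, contentVersion, parameters, variables, functions, resources,
# outputs), deployed with Az PowerShell. 'rg-lab' and the prefix are placeholders.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageNamePrefix": {
      "type": "string",
      "maxLength": 11,
      "metadata": { "description": "Lower-case prefix for the storage account name" }
    }
  },
  "variables": {
    "storageName": "[concat(parameters('storageNamePrefix'), uniqueString(resourceGroup().id))]"
  },
  "functions": [
    {
      "namespace": "demo",
      "members": {
        "tagsFor": {
          "parameters": [ { "name": "env", "type": "string" } ],
          "output": { "type": "object", "value": { "environment": "[parameters('env')]" } }
        }
      }
    }
  ],
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[variables('storageName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "tags": "[demo.tagsFor('lab')]",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageName')]"
    }
  }
}
'@

$templateFile = Join-Path ([IO.Path]::GetTempPath()) 'storage-lab.json'
Set-Content -Path $templateFile -Value $template -Encoding utf8

# Validate first: a non-empty result means the template or its parameters are invalid.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName 'rg-lab' `
    -TemplateFile $templateFile -storageNamePrefix 'lab'
if ($problems) { $problems | Format-List; return }

# Incremental mode leaves resources that are not in the template untouched.
New-AzResourceGroupDeployment -Name 'storage-lab' -ResourceGroupName 'rg-lab' `
    -TemplateFile $templateFile -storageNamePrefix 'lab' -Mode Incremental
```

The same template deployed twice produces the same account (the name is derived from the resource group id, not from a random value), which is the "consistent state" property the notes ask for; the three `properties` settings are the secure defaults a storage account should carry from its first deployment rather than be fixed afterwards.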

04- Networking
Thursday, September 23, 2021 9:06 PM

Virtual Networking

[Diagram: reference network architecture. Remote users reach the VNet over the Internet (RDP/SSH) or a Point-to-Site (P2S) VPN connection; inbound traffic passes DDoS Protection, an external load balancer and a firewall (Azure Firewall or third party). Inside the EAST US VNet, a Web servers subnet (10.1.0.0/24) and a Database servers subnet (10.2.0.0/24) are protected by NSGs and ASGs, with UDRs/route tables steering traffic through a network virtual appliance and IPS/IDS systems; a Bastion host, an internal load balancer (ILB) and an Application Gateway front the tiers. A VPN gateway in the Gateway Subnet terminates a Site-to-Site (IKEv2) connection from the customer gateway (128.8.8.8) via a Local Gateway; VNet-to-VNet connections, local peering and global peering link VNet 2 (101.10.0.0/12, EAST US) and VNET 3 (102.10.0.0/12, WEST US), with ExpressRoute connections as the private alternative. Network Watcher, Security Center, Sentinel and Log Analytics provide monitoring.]

Legend (Azure = AWS = GCP)
• NSG = SG = Firewall
• EXPRESSROUTE = Direct Connect = Direct Interconnect
• DDOS = AWS Shield = Cloud Armor
• VM = EC2 = GCE

Microsoft Perspective
• VNet in Azure is regional
• Subnets are part of the address space in VNet
• Subnet Mask Range /7-/29

Virtual Networks
When creating a VNet, it is recommended that you use the address ranges enumerated in RFC 1918, which have been set aside by the IETF for private, non-routable address spaces:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

In addition, you cannot add the following address ranges:
• 224.0.0.0/4 (Multicast)
• 255.255.255.255/32 (Broadcast)
• 127.0.0.0/8 (Loopback)
• 169.254.0.0/16 (Link-local)
• 168.63.129.16/32 (Internal DNS)

Azure assigns resources in a virtual network a private IP address from the address space that you provision. For example, if you deploy a VM in a VNet with address space 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4. It is important to note that Azure reserves 5 IP addresses within each subnet: x.x.x.0 - x.x.x.3 and the last address of the subnet. x.x.x.1 - x.x.x.3 are reserved in each subnet for Azure services.
• x.x.x.0: Network address
• x.x.x.1: Reserved by Azure for the default gateway
• x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
• x.x.x.255: Network broadcast address
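Added example (not from the original notes): a small PowerShell helper that checks a proposed address range against the RFC 1918 list and the prohibited ranges above, and computes the five addresses Azure reserves in a subnet. It generalises the /24 case in the notes to any prefix length Azure accepts; the function names and the sample prefixes are my own.

```powershell
# Added example, not from the original notes: validate a VNet address range and
# list the reserved addresses of a subnet of any size (not only /24).

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-PrefixMask ([int]$Length) {
    if ($Length -eq 0) { return [uint32]0 }
    [uint32]((0xFFFFFFFF -shl (32 - $Length)) -band 0xFFFFFFFF)
}

# True when the two prefixes share at least one address.
function Test-CidrOverlap ([string]$A, [string]$B) {
    $aIp, $aLen = $A -split '/'
    $bIp, $bLen = $B -split '/'
    $mask = Get-PrefixMask ([Math]::Min([int]$aLen, [int]$bLen))
    ((ConvertTo-UInt32 $aIp) -band $mask) -eq ((ConvertTo-UInt32 $bIp) -band $mask)
}

function Test-AzVNetAddressRange ([string]$Cidr) {
    $rfc1918   = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
    $forbidden = '224.0.0.0/4', '255.255.255.255/32', '127.0.0.0/8', '169.254.0.0/16', '168.63.129.16/32'
    $hits = @($forbidden | Where-Object { Test-CidrOverlap $Cidr $_ })
    [pscustomobject]@{
        Range     = $Cidr
        IsRfc1918 = [bool]($rfc1918 | Where-Object { Test-CidrOverlap $Cidr $_ })
        Forbidden = $hits
        Allowed   = ($hits.Count -eq 0)
    }
}

function Get-AzSubnetReservedAddress ([string]$Cidr) {
    $ip, $len = $Cidr -split '/'
    $len = [int]$len
    if ($len -gt 29) { throw "Azure subnets must be /29 or larger; got /$len" }
    $mask     = Get-PrefixMask $len
    $net      = [uint32]((ConvertTo-UInt32 $ip) -band $mask)
    $hostBits = [uint32](0xFFFFFFFF -bxor $mask)
    [pscustomobject]@{
        Subnet          = $Cidr
        NetworkAddress  = ConvertFrom-UInt32 $net                    # x.x.x.0
        DefaultGateway  = ConvertFrom-UInt32 ($net + 1)              # x.x.x.1
        AzureDnsMapping = @(ConvertFrom-UInt32 ($net + 2); ConvertFrom-UInt32 ($net + 3))
        Broadcast       = ConvertFrom-UInt32 ($net -bor $hostBits)   # last address of the subnet
        UsableAddresses = [int][Math]::Pow(2, 32 - $len) - 5
    }
}

Test-AzVNetAddressRange '10.1.0.0/16'        # Allowed = True, IsRfc1918 = True
Test-AzVNetAddressRange '169.254.10.0/24'    # Allowed = False, Forbidden = 169.254.0.0/16
Get-AzSubnetReservedAddress '10.1.0.0/24'    # .0 .1 .2 .3 reserved, .255 broadcast, 251 usable
```

The usable-address figure matters when sizing subnets for a load balancer backend or an AKS node pool: a /29 leaves only 3 assignable addresses, not 8.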

nslookup contoso.internal.cloudapp.net 168.63.129.16

nslookup delhi.neerajtech.com. 168.63.129.16

nslookup delhi.Neerajorg.com. 168.63.129.16

nslookup contoso.internal.cloudapp.net 168.63.129.16

win-10-eus-lab.neerajtech.com.

win-10-eus-lab.internal.cloudapp.net

nslookup win-10-eus-lab.internal.cloudapp.net 168.63.129.16

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture

Load Balancing
Sunday, June 5, 2022 2:01 PM

Load Balancing Options

Load Balancer

• Distribute inbound traffic to backend VMs for scalability & HA
• Layer 4 of OSI- TCP/UDP traffic
• Internal/ Public Facing
• Multiple apps support with multiple IPs & ports
• VMs must be in the same VNet- can be in different AZs
• Supports Inbound/Outbound use cases- DNAT/SNAT rules
• Supports IPv6 addresses

07- Storage-main
Saturday, May 21, 2022 6:00 PM

An Azure storage account contains Azure Storage data objects, including:
• blobs,
• file shares,
• queues,
• tables,
• disks.

AZURE STORAGE OPTIONS

Azure Storage
• Object Storage
• 1 storage account = 5.6 Petabytes storage, only pay for data being stored
• Multiple Data Replication Options
• Storage Tiering options available (Hot, Cool, Archive)
• REST API Compliant
• Multiple client libraries supported- .Net, Java, PHP, Python, Ruby, NodeJS

Blob = Binary Large Object = any unstructured data can be uploaded

Architect and optimize your internet traffic with Azure routing preference | Azure Blog and Updates | Microsoft Azure

Network routing preference - Azure Storage | Microsoft Docs

DISK OPTIONS

TYPES OF STORAGE

Type of storage account: Standard general-purpose v2
Supported storage services: Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files
Redundancy options: Locally redundant storage (LRS) / geo-redundant storage (GRS) / read-access geo-redundant storage (RA-GRS); Zone-redundant storage (ZRS) / geo-zone-redundant storage (GZRS) / read-access geo-zone-redundant storage (RA-GZRS)
Usage: Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.

Type of storage account: Premium block blobs
Supported storage services: Blob Storage (including Data Lake Storage)
Redundancy options: LRS; ZRS
Usage: Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.

Type of storage account: Premium file shares
Supported storage services: Azure Files
Redundancy options: LRS; ZRS
Usage: Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.

Type of storage account: Premium page blobs
Supported storage services: Page blobs only
Redundancy options: LRS
Usage: Premium storage account type for page blobs only.

From <https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview>

Storage account endpoints

Storage service | Endpoint
Blob Storage | https://<storage-account>.blob.core.windows.net
Data Lake Storage Gen2 | https://<storage-account>.dfs.core.windows.net
Azure Files | https://<storage-account>.file.core.windows.net
Queue Storage | https://<storage-account>.queue.core.windows.net
Table Storage | https://<storage-account>.table.core.windows.net

Replication Strategies

Locally redundant storage (LRS)
• Three replicas, one region
• Protects against disk, node, rack failures
• Write is acknowledged when all replicas are committed
• Superior to dual-parity RAID

Zone-redundant storage (ZRS)
• Three replicas, three zones, one region
• Protects against disk, node, rack, and zone failures
• Synchronous writes to all three zones

Geo-redundant storage (GRS)
• Six replicas, two regions (three per region)
• Protects against major regional disasters
• Asynchronous copy to secondary

Read Access- Geo-redundant storage (RA-GRS)
• GRS + read access to secondary
• Separate secondary endpoint
• Recovery point objective (RPO) delay to secondary can be queried

Geo-zone-redundant storage (GZRS)
• Six replicas, 3+1 zones, two regions
• Protects against disk, node, rack, zone, and region failures
• Synchronous writes to all three zones and asynchronous copy to secondary

Read Access- Geo-zone-redundant storage (RA-GZRS)
• GZRS + read access to secondary
• Separate secondary endpoint
• RPO delay to secondary can be queried
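Added example (not from the original notes): reading an account's redundancy setting and, for the geo-redundant SKUs, the replication lag to the secondary that the RA-GRS and RA-GZRS bullets above say can be queried. The resource group and account names are placeholders.

```powershell
# Added example, not from the original notes: inspect an account's redundancy and,
# for GRS / RA-GRS / GZRS / RA-GZRS, how far behind the secondary region is (the RPO
# delay mentioned above). 'rg-lab' and 'storagedemose' are placeholders.
$rgName = 'rg-lab'; $saName = 'storagedemose'

$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $saName -IncludeGeoReplicationStats
$lastSync = $sa.GeoReplicationStats.LastSyncTime

# Writes after LastSyncTime would be lost in an unplanned failover: that gap is the RPO exposure.
$rpoLag = if ($lastSync) { (Get-Date).ToUniversalTime() - $lastSync } else { $null }

[pscustomobject]@{
    Sku                   = $sa.Sku.Name                     # e.g. Standard_LRS, Standard_RAGZRS
    PrimaryLocation       = $sa.PrimaryLocation
    SecondaryLocation     = $sa.SecondaryLocation            # empty for LRS / ZRS
    SecondaryBlobEndpoint = $sa.SecondaryEndpoints.Blob      # only populated for RA-GRS / RA-GZRS
    ReplicationStatus     = $sa.GeoReplicationStats.Status   # Live, Bootstrap or Unavailable
    LastSyncTime          = $lastSync
    RpoLag                = $rpoLag
}

# Moving an LRS account to a geo-redundant SKU is a SKU change on the account
# (zone-redundant conversions go through a separate conversion process).
Set-AzStorageAccount -ResourceGroupName $rgName -Name $saName -SkuName 'Standard_RAGRS'
```

For LRS and ZRS accounts `GeoReplicationStats` is empty, so a script that assumes the field exists should treat a missing value as "no secondary", not as "in sync".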

Storage Endpoints

nslookup yields the public IP of the storage account's public endpoint:

nslookup storagedemose.blob.core.windows.net

Private Endpoint

After adding a private endpoint, the same nslookup run from a VM that is allowed to connect to the storage account yields the private IP of the private endpoint's network interface card (NIC):

nslookup storagedemose.blob.core.windows.net
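As an added check (not from the original notes), this Python script parses nslookup output and reports whether the storage account name resolves into the VNet's address space, i.e. whether traffic will go through the private endpoint or out to the public endpoint. The two nslookup outputs and the 10.0.0.0/16 VNet range are constructed samples.

```python
"""Confirm that a storage account FQDN resolves to a private endpoint address.

Added example for these notes, not Microsoft code. It parses the text output
of nslookup (constructed samples are embedded below) and checks the answer
against the VNet address space, which is an assumed value here.
"""
import ipaddress
import re

# Constructed nslookup output for the account used in the notes, as seen from a
# VM inside the VNet after the private endpoint was added. 10.0.1.5 is a
# made-up PE NIC address; 168.63.129.16 is Azure's DNS virtual IP.
SAMPLE_PRIVATE = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    storagedemose.blob.core.windows.net
Address:  10.0.1.5
"""

# Constructed output for the same query before the private endpoint existed
# (203.0.113.10 is a documentation placeholder, not a real Azure IP).
SAMPLE_PUBLIC = """\
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    storagedemose.blob.core.windows.net
Address:  203.0.113.10
"""

# Matches "Address:  x.x.x.x" lines (Windows and Linux nslookup both use this).
ADDRESS_RE = re.compile(r"^Address:\s*(\S+)", re.MULTILINE)


def answer_addresses(nslookup_output: str) -> list:
    """Return the IPs in the answer section, ignoring the DNS server's own IP."""
    # Everything before the first blank line is the resolver header.
    _header, _sep, answer = nslookup_output.partition("\n\n")
    return [ipaddress.ip_address(a) for a in ADDRESS_RE.findall(answer)]


def classify_endpoint(nslookup_output: str, vnet_cidr: str) -> str:
    """'private' if every answer lies in the VNet range, 'public' otherwise."""
    vnet = ipaddress.ip_network(vnet_cidr)
    addrs = answer_addresses(nslookup_output)
    if not addrs:
        return "unresolved"
    return "private" if all(a in vnet for a in addrs) else "public"


if __name__ == "__main__":
    for label, out in (("after PE", SAMPLE_PRIVATE), ("before PE", SAMPLE_PUBLIC)):
        print(label, "->", classify_endpoint(out, "10.0.0.0/16"))
```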

STORAGE ACCOUNT SECURITY

SAS URI

Includes parameters for: resource URI, storage services version, services, resource types, start time, expiry time, resource, permissions, IP range, protocol, signature
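An added example, not from the original notes: this Python code splits a SAS URI into the parameters listed above and flags the ones a reviewer would question (lifetime too long, plain HTTP allowed, no IP range, mutating permissions). The URI, its placeholder signature and the 24-hour lifetime limit are constructed assumptions.

```python
"""Parse an account SAS URI and flag parameters a reviewer would question.

Added example for these notes, not Microsoft code. The SAS URI below is
constructed for the account name used in the notes; its sig value is a
placeholder, not a real signature, and the 24h lifetime limit is an assumed
policy value.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Query parameters of an account SAS, matching the list in the notes.
SAS_FIELDS = {
    "sv": "storage services version",
    "ss": "services (b=blob, f=file, q=queue, t=table)",
    "srt": "resource types (s=service, c=container, o=object)",
    "st": "start time",
    "se": "expiry time",
    "sp": "permissions",
    "sip": "IP range",
    "spr": "protocol",
    "sig": "signature",
}

# Constructed sample: blob service, all resource types, read/write/delete/list,
# valid for two days, HTTP allowed, no IP restriction.
SAMPLE_SAS_URI = (
    "https://storagedemose.blob.core.windows.net/"
    "?sv=2021-06-08&ss=b&srt=sco&sp=rwdl"
    "&st=2022-05-21T00:00:00Z&se=2022-05-23T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)


def parse_sas_uri(uri: str) -> dict:
    """Split a SAS URI into the resource URI and its SAS query parameters."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items() if k in SAS_FIELDS}
    params["resource"] = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return params


def _sas_time(value: str) -> datetime:
    # SAS times are ISO 8601 in UTC, e.g. 2022-05-21T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(params: dict, now: datetime, max_lifetime: timedelta = timedelta(hours=24)) -> list:
    """Return findings on a parsed SAS: lifetime, protocol, IP range, permissions."""
    findings = []
    if "se" not in params:
        findings.append("no expiry time (se)")
    elif _sas_time(params["se"]) <= now:
        findings.append("token already expired")
    elif _sas_time(params["se"]) - now > max_lifetime:
        findings.append("expiry exceeds allowed lifetime")
    # If spr is omitted, both https and http are accepted.
    if params.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr is not 'https')")
    if "sip" not in params:
        findings.append("no IP range restriction (sip)")
    # w=write, d=delete, a=add, c=create: anything beyond read/list
    mutating = sorted(set(params.get("sp", "")) & set("wdac"))
    if mutating:
        findings.append("mutating permissions granted: " + "".join(mutating))
    if "sig" not in params:
        findings.append("no signature (sig): not a valid SAS")
    return findings


def audit_sas_uri(uri: str, now_iso: str) -> list:
    """Convenience wrapper: audit a SAS URI as of an ISO 8601 UTC timestamp."""
    return audit_sas(parse_sas_uri(uri), _sas_time(now_iso))


if __name__ == "__main__":
    for finding in audit_sas_uri(SAMPLE_SAS_URI, "2022-05-21T12:00:00Z"):
        print("FINDING:", finding)
```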

FILE SYNC

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning

https://docs.microsoft.com/en-us/azure/architecture/hybrid/hybrid-file-services

STORAGE TOOLS

STORAGE EXPLORER

IMPORT EXPORT SERVICE


AZCOPY

azcopy copy "C:\local\path" "sas uri" --recursive=true

08- COMPUTE
Saturday, May 21, 2022 7:36 PM

Virtual Machines

Virtual Machine Architecture

Containers

VM Planning

VM Sizing

How VM Gets Deployed

Planning Virtual Machines

• Start with the network
• Name the VM
• Decide the location for the VM
• Determine the size of the VM
• Understand the pricing model
• Choose storage for the VM
• Select an operating system

Virtual Machine Storage

Each Azure VM has two or more disks:
- OS disk
- Temporary disk (contents can be lost)
- Data disks (optional)

OS and data disks reside in Azure Storage accounts:
- Azure-based storage service
- Standard (HDD, SSD), Premium (SSD), or Ultra (SSD)

When creating an Azure VM, you can choose between:
- Managed disks (recommended)
- Unmanaged disks

VM Connection Options-

1> Azure Bastion

Azure Bastion provides a secure remote connection from the Azure portal to Azure virtual machines (VMs) over Transport Layer Security (TLS). Provision Azure
Bastion to the same Azure virtual network as your VMs or to a peered virtual network. Then connect to any VM on that virtual network or a peered virtual
network directly from the Azure portal.

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

2> RDP for Windows
3> SSH for Linux

Availability Set

Fault domain
• Limits the impact of potential physical hardware failures, network outages, or power interruptions
• A rack that shares a common power source and network switch
• Max 3 FDs per availability set; default 2

Update domain
• Max 20 UDs per availability set; default 5
• Update domains indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time
• The order of update domains being rebooted may not proceed sequentially during planned maintenance, but only one update domain is rebooted at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update domain.

Two or more instances in Availability Sets = 99.95% SLA

https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview

AVAILABILITY ZONES

• Unique physical locations in a region
• Includes datacenters with independent power, cooling, and networking
• Protects from datacenter failures
• Combines update and fault domains
• Provides 99.99% SLA

Scaling

• Vertical scaling (scale up and scale down) is the process of increasing or decreasing power to a single instance of a workload; usually manual
• Horizontal scaling (scale out and scale in) is the process of increasing or decreasing the number of instances of a workload; frequently automated

VM extensions

Desired State Configuration

configuration IISInstall
{
    Node "localhost"
    {
        WindowsFeature IIS
        {
            Ensure = "Present"
            Name   = "Web-Server"
        }
    }
}

• Configuration block(s) have a name
• Node blocks define the computers or VMs that you are configuring
• Resource block(s) configure the resource and its properties
• There are many built-in configuration resources

09-Webapp
Sunday, May 22, 2022 11:00 AM

A fully managed platform (PaaS) for building, deploying, and scaling your web apps.

• Different types of App Services: Web Apps, Web Apps for Containers, and API Apps
• Automatically patches and maintains the OS and language frameworks.
• App Service can scale up or out manually or automatically.

App Service supports the following languages:

○ .NET
○ .NET Core
○ Java
○ Ruby
○ Node.js
○ PHP
○ Python

APP SERVICE PLAN

APP Service Plan Pricing

https://azure.microsoft.com/en-in/pricing/details/app-service/windows/

HTML Code

<body style="background-color:lightblue">
  <h1>Microsoft learning Webapp</h1>
  <h2></h2>
  <h3>Azure Solutions architect</h3>
  <h4>Course Content</h4>
  <p></p>
  <p>1_Intro to azure</p>
  <p>2_Azure Networking</p>
  <p>3_Azure Compute</p>
  <p>4_Azure Storage</p>
  <p>5_Azure Active directory</p>
</body>

09-Containers & AKS
Monday, June 13, 2022 4:05 PM

Virtual Machine vs a Container

Virtual Machine

Containers

Virtual Machine:
• Runs on top of an emulating software layer called the hypervisor, which sits between the hardware and the virtual machine.
• The hypervisor is the key to enabling virtualization: it manages the sharing of physical resources between virtual machines.
• Each virtual machine runs its own guest operating system. VMs are less agile and less portable than containers.
Container:
• Sits on top of a physical server and its host operating system.
• Containers share a common operating system that requires care and feeding for bug fixes and patches.
• Containers are more agile and more portable than virtual machines.

Virtual Machines (VM) vs Containers

1. VM: A piece of software that allows you to install other software inside it, so you control it virtually as opposed to installing the software directly on the computer.
   Container: Software that allows different functionalities of an application to run independently.
2. VM: Applications running on a VM system can run different OSes.
   Container: Applications running in a container environment share a single OS.
3. VM: Virtualizes the computer system.
   Container: Virtualizes the operating system only.
4. VM: Size is very large.
   Container: Size is very light, i.e. a few megabytes.
5. VM: Takes minutes to run, due to its large size.
   Container: Takes a few seconds to run.
6. VM: Uses a lot of system memory.
   Container: Requires much less memory.
7. VM: More secure.
   Container: Less secure.
8. VM: Useful when we require all OS resources to run various applications.
   Container: Useful when we need to maximise the running applications using minimal servers.
9. VM examples: Hyper-V, KVM, Xen, VMware.
   Container examples: RancherOS, PhotonOS, Containers by Docker.

Container Architecture

ISSUES

Azure Kubernetes Service

10-Backup and Disaster Recovery
Sunday, July 3, 2022 7:40 PM

Need For Backup

Benefits of Backup

Azure Backup Center

• One-stop shop for all your backup needs
• Centralized management option

Files- Backup Options

Where are the files Located?

Microsoft Azure Recovery Services Agent

AZURE PORTAL

1. Create a Recovery Services vault
2. Configure the vault
3. Install and register the agent
4. Create the backup policy
5. Backup files and folders
6. Explore the recover settings
7. Explore the backup properties
8. Delete your backup schedule

Azure Virtual Machine

Backup Virtual Machines

1. Create a recovery services vault
2. Use the Portal to define the backup
3. Backup the virtual machine

Restore VM's

1. On the same VM
2. On another VM
3. Restore only files

Restore VM

Replace Existing

File Recovery

MARS agent vs MABS

Component: Azure Backup (MARS) agent
  Benefits:
  • Backup files and folders on physical or virtual Windows OS
  • No separate backup server required
  Limits:
  • Backup 3x per day
  • Not application aware
  • File, folder, and volume-level restore only
  • No support for Linux
  Protects: Files, Folders
  Backup storage: Recovery services vault

Component: Azure Backup Server (MABS)
  Benefits:
  • App aware snapshots
  • Full flexibility for when to take backups
  • Recovery granularity
  • Linux support on Hyper-V and VMware VMs
  • Backup and restore VMware VMs
  • Doesn't require a System Center license
  Limits:
  • Cannot backup Oracle workloads
  • Always requires live Azure subscription
  • No support for tape backup
  Protects: Files, Folders, Volumes, VMs, Applications, Workloads
  Backup storage: Recovery services vault, Locally attached disk

Soft Delete

Soft delete on Storage accounts

For more details visit: Link

Azure Site Recovery

11-Monitoring
Thursday, June 16, 2022 2:12 PM

Study Links
Tuesday, May 31, 2022 11:07 AM

Course AZ-104T00--A: Microsoft Azure Administrator - Learn | Microsoft Docs

Manage Azure Identities and Governance (15-20%)

Manage Azure AD objects

• Creating a new user in Azure AD
• Add or delete users using Azure Active Directory
• Create a basic group and add members using Azure Active Directory
• New-AzureADUser
• Add or update a user’s profile information using Azure Active Directory
• Edit your group information using Azure Active Directory
• Manage device identities using the Azure portal
• How To: Manage stale devices in Azure AD
• Bulk import group members (preview) in Azure Active Directory
• What is guest user access in Azure Active Directory B2B?
• Manage guest access with Azure AD access reviews
• Quickstart: Add guest users to your directory in the Azure portal
• How to: Plan your Azure AD join implementation
• Licensing requirements for Azure AD self-service password reset
• Tutorial: Configure hybrid Azure Active Directory join for managed domains
• Plan an Azure Active Directory self-service password reset

Manage role-based access control (RBAC)

• Tutorial: Create a custom role for Azure resources using Azure CLI
• Tutorial: Create a custom role for Azure resources using Azure PowerShell
• Add or remove role assignments using Azure RBAC and the Azure portal
• List role assignments using Azure RBAC and the Azure portal
• Understand deny assignments for Azure resources
• Understand how multiple Azure Active Directory tenants interact

Manage subscriptions and governance

• Overview of Management services in Azure
• What is Azure Policy?
• Tutorial: Create and manage policies to enforce compliance
• Quickstart: Create a policy assignment to identify non-compliant resources
• Lock resources to prevent unexpected changes
• Use tags to organize your Azure resources
• Manage Azure resource groups by using Azure PowerShell
• Manage Azure Resource Manager resource groups by using the Azure portal
• Create an additional Azure subscription
• Change your Azure subscription to a different offer
• What is Azure Cost Management and Billing?
• Quickstart: Explore and analyze costs with cost analysis
• Move resources to a new resource group or subscription
• Create management groups for resource organization and management
• Manage your resources with management groups

IMPLEMENT AND MANAGE STORAGE

Implement and Manage Storage (10-15%)

Manage storage accounts

• Intro to Azure Storage
• Configure Azure Storage firewalls and virtual networks
• Storage account overview
• Create an Azure Storage account
• Upgrade to a general-purpose v2 storage account
• Delegate access with a shared access signature
• Grant limited access to Azure Storage resources using shared access signatures (SAS)
• Manage storage account access keys
• Azure Storage redundancy

Manage data in Azure Storage

• Use the Azure Import/Export service to export data from Azure Blob storage
• Use the Azure Import/Export service to import data to Azure Blob Storage
• Get started with Storage Explorer
• Get started with AzCopy

Configure Azure Files and Azure Blob Storage

• What is Azure Files?
• Quickstart: Create and manage Azure file shares with the Azure portal
• Create an Azure file share
• Planning for an Azure File Sync deployment
• Deploy Azure File Sync
• Tutorial: Extend Windows file servers with Azure File Sync
• Quickstart: Upload, download, and list blobs with the Azure portal
• Azure Blob storage: hot, cool, and archive access tiers

DEPLOY AND MANAGE AZURE COMPUTE RESOURCES

Deploy and Manage Azure Compute Resources (25-30%)

Configure VMs for high availability and scalability

• Availability options for virtual machines in Azure
• Manage the availability of Windows virtual machines in Azure
• Tutorial: Create and deploy highly available virtual machines with Azure PowerShell
• What are virtual machine scale sets?

Automate deployment and configuration of VMs

• Extend Azure Resource Manager template functionality
• Azure Resource Manager templates overview
• Tutorial: Create and deploy your first Azure Resource Manager template
• Update a resource in an Azure Resource Manager template
• Create a Windows virtual machine from a Resource Manager template
• Create a VM from a VHD by using the Azure portal
• Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal
• Download the template for a VM
• Custom Script Extension for Windows
• Use the Azure Custom Script Extension Version 2 with Linux virtual machines

Create and configure VMs

• Azure Disk Encryption for Linux VMs
• Azure Disk Encryption for Windows VMs
• Quickstart: Create and encrypt a Windows virtual machine with the Azure portal
• Move a Windows VM to another Azure subscription or resource group
• Sizes for Windows virtual machines in Azure
• Resize a Windows VM
• Attach a managed data disk to a Windows VM by using the Azure portal
• Attach a data disk to a Windows VM with PowerShell
• Common PowerShell commands for Azure Virtual Networks
• How to open ports to a virtual machine with the Azure portal
• Create and manage a Windows virtual machine that has multiple NICs

Create and configure containers

• Azure Kubernetes Service (AKS)
• Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal
• What is Azure Container Instances?
• Quickstart: Deploy a container instance in Azure using the Azure CLI
• Quickstart: Deploy a container instance in Azure using the Azure portal

Create and configure Web Apps

• App Service overview
• Create an ASP.NET Core web app in Azure
• Azure App Service plan overview
• Manage an App Service plan in Azure

CONFIGURE AND MANAGE VIRTUAL NETWORKING

Configure and Manage Virtual Networking (30-35%)

Implement and manage virtual networking
Create and configure VNET peering
• Configure private and public IP addresses, network routes, network interface, subnets, and virtual network
• Virtual network peering
• Create, change, or delete virtual network peering
• Tutorial: Connect virtual networks with virtual network peering using the Azure portal
• Configure private IP addresses for a virtual machine using the Azure portal
• Quickstart: Create a virtual network using the Azure portal
• Create, change, or delete a network interface
• Add, change, or delete a virtual network subnet
• Create, change, or delete a virtual network

Configure name resolution

• Create, change, or delete a virtual network peering
• Name resolution for resources in Azure virtual networks
• Use Azure DNS to provide custom domain settings for an Azure service
• How to manage DNS Zones in the Azure portal
• Quickstart: Configure Azure DNS for name resolution using the Azure Portal
• Tutorial: Host your domain in Azure DNS
• Quickstart: Create an Azure private DNS zone using the Azure portal

Secure access to virtual networks

• Work with security roles
• Create, change, or delete a network security group
• Tutorial: Deploy and configure Azure Firewall using the Azure portal
• Create an Azure Bastion host

Configure load balancing

• Application Gateway configuration overview
• Quickstart: Direct web traffic with Azure Application Gateway using Azure PowerShell
• Tutorial: Balance internal traffic load with a Basic load balancer in the Azure portal
• Create an internal load balancer by using the Azure PowerShell module
• Quickstart: Create a Load Balancer to load balance VMs using the Azure portal
• Troubleshoot Azure Load Balancer

Monitor and troubleshoot virtual networking

• Step-By-Step: Monitoring On-Premise Active Directory via Azure AD Connect Health
• Diagnose on-premises connectivity via VPN gateways
• Network Performance Monitor solution: Performance monitoring
• What is Azure Network Watcher?
• Create an Azure Network Watcher instance
• Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher Azure CLI
• Troubleshoot connections with Azure Network Watcher using the Azure portal

Integrate an on-premises network with an Azure virtual network

• Tutorial: Create and manage a VPN gateway using PowerShell
• Create a route-based VPN gateway using the Azure portal
• Create a Site-to-Site connection in the Azure portal
• ExpressRoute overview
• Tutorial: Create and modify an ExpressRoute circuit
• About Azure Virtual WAN
• Tutorial: Create a Site-to-Site connection using Azure Virtual WAN
• Connect a VPN Gateway (virtual network gateway) to Virtual WAN

MONITOR AND BACK UP AZURE RESOURCES

Monitor and Back up Azure Resources (10-15%)

Monitor resources by using Azure Monitor

• Metrics in Azure Monitor
• Advanced features of Azure Metrics Explorer
• Quickstart: Monitor an Azure resource with Azure Monitor
• Get started with Log Analytics in Azure Monitor
• Get started with log queries in Azure Monitor
• Overview of log queries in Azure Monitor
• Create, view, and manage metric alerts using Azure Monitor
• Metric Alerts with Dynamic Thresholds in Azure Monitor
• Create Metric Alerts for Logs in Azure Monitor
• Manage Application Insights resources using PowerShell

Implement backup and recovery

• Configure Azure Backup reports
• Back up a virtual machine in Azure
• How to restore Azure VM data in Azure portal
• Restore a disk and create a recovered VM in Azure
• Create a Recovery Services vault
• Manage Azure VM backups with Azure Backup service
• About Site Recovery
• Set up disaster recovery of on-premises VMware virtual machines or physical servers to a secondary site
