Benefits of Cloud Computing

Uploaded by sivanaraparaju91

What is Cloud computing?

It is the delivery of computing services over the internet: instead of using
your own servers, you use someone else's servers to do your task and pay
them for the amount you use.
Benefits of cloud computing:
Cost effective – you pay for what you consume, no up-front cost, pay as
you go, thousands of customers sharing the cost of the resources.
Global – launch workloads anywhere in the world, just choose a region.
Secure – cloud providers take care of physical security. Cloud services can
be secure by default, or you have the ability to configure access down to a
granular level.
Reliable – data backups, disaster recovery, data replication and fault
tolerance.
Scalable – increase or decrease resources and services based on demand.
Elastic – automate scaling during spikes and drops in demand.

What are the types of cloud services?

IaaS – Infrastructure as a Service is the most flexible category of cloud
services. It aims to give you complete control over the hardware that runs
your application. Instead of buying hardware, with IaaS you rent it.
IaaS requires the most user management of all the cloud services. The
user is responsible for managing the operating systems, data, and
applications.
PaaS – Platform as a Service lets you focus on the development and
management of your apps. There is no need to worry about provisioning,
configuring or understanding the hardware or OS.
PaaS requires less user management. The cloud provider manages the
operating systems and the user is responsible for the applications and
data they run and store.
SaaS – Software as a Service: the cloud provider manages everything and
you just buy the application and use it.
SaaS requires the least amount of management. The cloud provider is
responsible for managing everything, and the end user just uses the
software.

What are Azure cloud deployment models?

Public Cloud – The public cloud is open to all to store and access
information via the Internet using a pay-per-usage method. Any cloud
provider is a public cloud and anyone can use it.
There is no local hardware to manage or keep up to date in a public cloud
– everything runs on your cloud provider's hardware.
Everything built on the cloud provider is also known as cloud-native. Ex: we
have a network on Azure, and within that network we have a VM running and a
database running.

Private Cloud – Everything is built in the company's own datacenters, also
known as on-premise because it is within the premises (the physical
location) of the organization. The organization is technically operating
its own cloud, and it could be running open source cloud software such as
OpenStack; within that OpenStack deployment we have a VM running and a
database running.

Hybrid Cloud – using both on-premise and a cloud service provider,
connected together. There are a lot of different networking services that
will facilitate the connection between the two; in this case we are using
ExpressRoute, which is a dedicated connection running from your on-premise
data center to the Azure network.
High Availability – the ability of your service to remain available by
ensuring there is no single point of failure. If you have a single server
running a web application and anything happens to it, the service is
down; with multiple servers, traffic can always be routed to the other
servers, so your service remains available.
The next step is having multiple servers in multiple datacenters, because
a data center could become unavailable (for example because of a
networking issue); being able to route traffic around it keeps you highly
available. Running the workload across multiple availability zones means
that if one or two data centers become unavailable your service will
remain available. To distribute or manage the traffic across all three,
the Azure Load Balancer comes into play.
Azure Load Balancer – the LB allows you to evenly distribute traffic to
multiple servers in one or more data centers. If a datacenter or server
becomes unavailable (unhealthy), the load balancer routes traffic only to
the available data centers and servers.

High scalability – your ability to increase your capacity based on the
increasing demand of traffic, memory and computing power.
Vertical scaling – scaling up: increasing the CPU and memory of an existing
server.
Scaling down: reducing that configuration back to the baseline.
Horizontal scaling – scaling out: adding more servers of the same size.
Scaling in: removing servers of the same size.

Elasticity – your ability to automatically increase or decrease your
capacity based on the current demand of traffic, memory and computing
power.
We have a VM or server; if we need more servers we add more servers, and
if we need fewer servers we remove servers. This is horizontal scaling,
done with a VM scale set.
Fault Tolerance
Fault tolerance is part of the resilience of cloud computing.
Zero down-time – if one component fails, a backup component takes its
place.

High Durability (Disaster Recovery) – your ability to recover from a
disaster and to prevent the loss of data; solutions that recover from a
disaster are known as Disaster Recovery.
Plan to recover critical business systems:
Recovery Time Objective (RTO) is the time it takes after a disruption to
restore a business process to its service level.
Recovery Point Objective (RPO) is the acceptable amount of data loss,
measured in time before the disaster occurs.

Regions – a region is a grouping of multiple data centers, which they call
availability zones. Azure has 58 regions available across 140 countries.
Each region has more than one data center, which is a physical location.

Paired regions: each region is paired with another region 300 miles away.
Why? If one region is being updated, the other region is still available.
If you are planning to make sure that you never have downtime, you can
put your resources in paired regions so you have high availability. Some
Azure services rely on paired regions for disaster recovery, so when you
turn on those services they automatically launch in the paired region. One
service which helps you leverage your paired region is Azure Geo-Redundant
Storage (GRS).

Geographies:
Azure divides the world into geographies that are defined by geopolitical
boundaries or country borders. An Azure geography contains two or more
regions that preserve data residency and compliance boundaries.
Azure Geographies: United States, Azure Government (US), Canada, Brazil,
Mexico. Ex: I am in Canada and I work for Canada, so the data must remain
within Canada to satisfy government regulation, so you use the Canada
geography.
Each region belongs to a single geography and has specific service
availability, compliance, and data residency/sovereignty rules applied to
it.

Availability Sets – running a VM with one or more replicated copies on
separate hardware within the same Availability Zone, providing
resiliency against machine failure.
Availability Zones – running a VM with one or more replicated copies
in different Availability Zones, providing resiliency against data center
failure.
Region Pairs – running a VM with one or more replicated copies in
different Azure Regions (but always staying within the same geopolitical
boundary, typically meaning the same country), protecting against
natural disasters and large-scale outages.

What are Availability Zones?

Azure Availability Zones is a high-availability offering that protects your
applications and data from datacenter failures.
These are unique physical locations within an Azure region. Each zone is
made up of one or more data centers equipped with independent power,
cooling, and networking. They are tolerant to datacenter failures via
redundancy and isolation.
Zone-redundant services replicate your applications and data across
Azure zones to protect from single points of failure.
Not every Azure region has support for Availability Zones. Examples of
regions with Availability Zones are Central US, East US 2, West US 2, West
Europe, France Central, North Europe and Southeast Asia.
A region will generally contain 3 availability zones.
Data centers within a region are isolated from each other (so different
buildings). Availability zones give us the combination of low latency and
high availability that we need to meet customer requirements.

What is an Availability Set?

 When we create virtual machines in the Microsoft Azure cloud, it is
important to think about the availability of the virtual machine's
hardware and software.
 It depends on the percentage of time your application needs to be
available and accessible to keep business continuity. It cannot be
100% in some cases.
 Availability of a virtual machine may be impacted because of the fault
domain and the update domain.
 Fault domain refers to unexpected hardware failure.
 Update domain refers to planned software updates on Azure.
 There can be a hardware crash, power supply issues, hard disk crash,
motherboard issues etc.
 Also, there can be software issues such as an operating system update
which needs a reboot, operating system security updates etc.
 In this situation we need to isolate the virtual machines in the Azure
data center and scale out the application with a load balancer.
 To make your application highly available even with these failures,
you should use an availability set.
 An Azure Availability Set is a logical grouping capability for isolating
virtual machines from each other when they are deployed in an Azure
data center.
 When we put our Azure virtual machines in an availability set, the VMs
are split across multiple fault domains and update domains so that a
hardware failure or software update does not impact the other virtual
machines at the same time.
 By default, Azure allocates three fault domains and five update
domains.
 The number of update domains can be increased up to 20.

Fault Domain
 Fault domains define the group of virtual machines that share a
common power source and network switch.
 Each fault domain contains some racks, and each rack contains virtual
machines.
 If there is a failure in the fault domain, then all the resources in
that fault domain become unavailable.
Update Domains
 Virtual machines get update domains automatically once they are
put inside an availability set.
 All virtual machines within an update domain will reboot together.
 Update domains are used for patching the virtual machines.
 Only one update domain is updated at a time.
Key Points to remember
 You need to create virtual machines in the same resource group as
the availability set.
 One virtual machine can only be in one availability set.
 You can assign virtual machines to an availability set only during
the creation of the virtual machines.
 You should create separate storage accounts for each virtual
machine.
 Under 1 availability set you can deploy 2000 VMs.

What is an Azure Virtual Network?

Azure Virtual Network (VNet) is a representation of your own network in
the cloud. It is a logical isolation of the Azure cloud that is completely
dedicated to your own subscription. You have total control over the IP
address blocks, DNS settings, security policies and route tables within
this network.
Classless Inter-Domain Routing (CIDR): a CIDR range of 10.0.0.0/16 = 65536
IP addresses.
CIDR notation is a representation of an IP address together with its
routing prefix. It is constructed from an IP address, a slash, and a
decimal number (the number of prefix bits).
Public IP Address: allows Azure resources to communicate with the internet
and other Azure public-facing services like Azure Redis Cache.

Private IP Address: allows communication between resources in the virtual
network, along with those connected through a Virtual Private Network,
without using an Internet-routable IP address.

Subnets: a subnet is a range of IP addresses in the VNet. You can divide a
VNet into multiple subnets, mainly for security and for better
organization.
Subnets need to have a smaller CIDR range than the VNet, representing
their portion of it.
Ex: subnet CIDR range 10.0.0.0/24 = 256 IP addresses.
A public subnet is one that can reach the internet.
A private subnet is one that cannot reach the internet.
To protect the Azure resources in each subnet, use network security
groups.
VNet components: NAT Gateway, Route Tables, VNet Peering.
NAT Gateway: allows your virtual network resources to have an
outbound-only connection. A NAT gateway resource can use up to 16
static IP addresses. You can use multiple subnets with one NAT gateway.
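As an added example (not part of the original notes), here is Python that does the CIDR arithmetic above with the standard ipaddress module: it counts the addresses in a block and checks that a set of planned subnets are strictly smaller ranges inside the VNet that do not overlap each other. The VNet and subnet ranges are constructed sample values.

```python
# Added example (not from the original notes): CIDR arithmetic for a VNet and
# its subnets using Python's standard ipaddress module. All ranges below are
# constructed sample values.
from __future__ import annotations

import ipaddress


def address_count(cidr: str) -> int:
    """Number of addresses in a CIDR block, e.g. 10.0.0.0/16 -> 65536, /24 -> 256."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def plan_subnets(vnet_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Check a subnet plan against the VNet address space.

    A valid subnet must be a strictly smaller range that lies inside the VNet,
    and no two subnets may overlap. Returns a list of problems; an empty list
    means the plan is valid.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    problems: list[str] = []
    accepted: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.0.0.1/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: invalid CIDR ({exc})")
            continue
        if net.version != vnet.version:
            problems.append(f"{cidr}: IP version differs from VNet {vnet_cidr}")
            continue
        # Must carve out a portion of the VNet: longer prefix and fully inside.
        if net.prefixlen <= vnet.prefixlen or not net.subnet_of(vnet):
            problems.append(f"{cidr}: not a smaller range inside {vnet_cidr}")
            continue
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        accepted.append(net)
    return problems


if __name__ == "__main__":
    print(address_count("10.0.0.0/16"), address_count("10.0.0.0/24"))
    print(plan_subnets("10.0.0.0/16",
                       ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25", "10.1.0.0/24"]))
```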

Route Tables: 3 types

System Routes: system routes are created by Azure when you create a
subnet. You cannot create, modify or delete system routes. You can only
override them by creating custom routes (BGP policy routes or user
defined routes).
Every subnet has a route table that contains Local VNet, On-premises and
Internet routes.
LocalVNet: if the address is within the VNet address prefix – route
to LocalVNet.
On-Premises:
If the address is within the on-premises address prefixes or BGP published
routes (BGP or Local Site Network (LSN) for S2S) – route to the gateway.
If the destination is an Azure datacenter address and ER (ExpressRoute)
public peering is enabled – it is routed to the gateway.
Internet: if the address is not part of the VNet or the BGP or LSN (Local
Site Network) routes – route to the internet via NAT. If the destination
is an Azure datacenter with S2S or an ER without public peering enabled,
it is routed to the host NAT for the internet path, but it never leaves
the datacenter.

User Defined Route (UDR):

You can create custom, or user-defined (static), routes in Azure to
override Azure's default system routes, or to add additional routes to a
subnet's route table.
Each route contains an address prefix and a next hop type. When traffic
leaving a subnet is sent to an IP address within the address prefix of a
route, the route that contains the prefix is the route Azure uses.
Whenever a virtual network is created, Azure automatically creates the
Virtual Network, Internet and None default system routes for each subnet
within the virtual network. These are the possible next hops from subnets.
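The route selection described above, as an added Python example that is not part of the original notes: Azure picks the longest matching prefix, and when a user-defined route has the same prefix as a system route the user-defined one wins (user > BGP > system). The VNet range, the firewall appliance address 10.0.2.4 and the Route class are constructed for illustration.

```python
# Added example (not from the original notes): how Azure selects a route for a
# packet leaving a subnet, modelled in Python. Longest prefix match wins; when
# prefixes tie, a user-defined route beats a BGP route, which beats a system
# route. Sample prefixes and the appliance address are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Precedence among routes with identical prefixes (lower rank wins).
SOURCE_RANK = {"user": 0, "bgp": 1, "system": 2}


@dataclass(frozen=True)
class Route:
    prefix: str             # address prefix, e.g. "10.0.0.0/16"
    next_hop: str           # next hop type: VirtualNetwork, Internet, None,
                            # VirtualNetworkGateway, VirtualAppliance, ...
    source: str             # "system", "bgp" or "user"
    next_hop_ip: str = ""   # only used for VirtualAppliance (e.g. a firewall)


def default_system_routes(vnet_cidr: str) -> list[Route]:
    """The default system routes Azure creates for every subnet: the VNet's own
    address space, 0.0.0.0/0 to the Internet, and 'None' (drop) for private
    ranges that are not part of the VNet."""
    return [
        Route(vnet_cidr, "VirtualNetwork", "system"),
        Route("0.0.0.0/0", "Internet", "system"),
        Route("10.0.0.0/8", "None", "system"),
        Route("172.16.0.0/12", "None", "system"),
        Route("192.168.0.0/16", "None", "system"),
        Route("100.64.0.0/10", "None", "system"),
    ]


def resolve_next_hop(routes: list[Route], destination: str) -> Route:
    """Return the route Azure would use for a packet to `destination`."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route matches {destination}")
    # Longest prefix first (negated so min() picks the longest), then source rank.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


if __name__ == "__main__":
    table = default_system_routes("10.0.0.0/16")
    # UDR that forces internet-bound traffic through a firewall appliance.
    table.append(Route("0.0.0.0/0", "VirtualAppliance", "user", next_hop_ip="10.0.2.4"))
    for dst in ("10.0.1.4", "10.5.0.1", "8.8.8.8"):
        chosen = resolve_next_hop(table, dst)
        print(dst, "->", chosen.next_hop, chosen.next_hop_ip)
```

Note that 10.5.0.1 is still dropped (next hop None) even with the 0.0.0.0/0 UDR in place, because the system route 10.0.0.0/8 is a longer match than the UDR.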

VNet Peering: virtual network peering enables you to seamlessly
connect two or more virtual networks in Azure. Azure supports the
following types of peering:
Virtual network peering: connect virtual networks within the same
Azure region.
Global virtual network peering: connect virtual networks across
Azure regions.

Gateways and on-premises connectivity:

A peered virtual network can communicate with on-premise either by using
its own gateway, or it can use a hub and spoke network topology, where
one VNet called the Hub has the VPN Gateway that is connected to
on-premise. The rest of the VNets use Allow Gateway Transit and that way
they use the Hub VNet's gateway. This kind of peered VNet is called a
Spoke; spokes use the remote gateway to talk to on-premise.
You can create peering between VNets from the same or different
subscriptions.

What is a Network Security Group (NSG)?

Network Security Groups are used to control inbound and outbound traffic
to network interfaces, VMs, and subnets. Each Network Security Group
contains one or more rules that specify whether the traffic is allowed or
denied based on various parameters like the source IP address, source
port, destination IP address and destination port.

NSGs can be associated with:
Virtual Machines – the rules get applied only to the virtual machine
(network interface) to which the NSG is associated.
Subnets – in this case, the rules get applied to all the virtual machines
in the subnet.
These rules work on priority numbers; the minimum priority number is 100,
and it goes up to 65000. Priority is very important because a lower
priority number takes higher precedence in the NSG.
Default outbound rules:
Rule Name              Description
AllowVnetOutBound      Allow outbound traffic going from any VM to any VM
                       within the VNet
AllowInternetOutBound  Allow outbound traffic going to the internet from
                       any VM
DenyAllOutBound        Deny traffic from any internal VM to any other
                       system outside the VNet
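As an added example (not from the original notes), the following Python evaluates a flow against NSG rules the way the text describes: rules are walked in ascending priority and the first match decides, with the default outbound rules from the table sitting at the high priority numbers. The VNet range is a constructed sample, and the "VirtualNetwork" and "Internet" tags are simplified assumptions (the VNet's own space and everything outside it).

```python
# Added example (not from the original notes): an NSG rule evaluator in Python.
# Rules are processed in ascending priority (lower number = higher precedence)
# and the first match decides. The VNet range and the service tags are
# simplified constructed assumptions: "VirtualNetwork" is treated as the VNet's
# own address space and "Internet" as everything outside it.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed sample VNet space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules 100..4096; defaults sit at 65000 and above
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR, "VirtualNetwork", "Internet" or "*"
    source_port: str       # "443", "1024-65535" or "*"
    destination: str
    destination_port: str


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":      # simplification, see header comment
        return addr in VNET
    if spec == "Internet":            # simplification, see header comment
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")   # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)


# Default outbound rules from the table above (Azure assigns them 65000+).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*",
         "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*",
         "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*",
         "*", "*", "*", "*"),
]


def evaluate(rules: list[Rule], direction: str, protocol: str,
             src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return (access, rule name) of the first rule that matches the flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if not (_addr_matches(r.source, src_ip) and _port_matches(r.source_port, src_port)):
            continue
        if not (_addr_matches(r.destination, dst_ip)
                and _port_matches(r.destination_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "<no matching rule>"


if __name__ == "__main__":
    # Custom rules: allow only HTTPS to the internet, deny everything else
    # outbound to the internet; VNet-internal traffic falls through to defaults.
    custom = [
        Rule("AllowHttpsOut", 100, "Outbound", "Allow", "Tcp", "*", "*", "Internet", "443"),
        Rule("DenyInternetOut", 200, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
    ]
    nsg = custom + DEFAULT_OUTBOUND
    print(evaluate(nsg, "Outbound", "Tcp", "10.0.1.4", 50000, "93.184.216.34", 443))
    print(evaluate(nsg, "Outbound", "Tcp", "10.0.1.4", 50000, "93.184.216.34", 80))
    print(evaluate(nsg, "Outbound", "Tcp", "10.0.1.4", 50000, "10.0.2.5", 22))
```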

What is Azure Traffic Manager?

A DNS-based traffic load balancer. It improves the responsiveness of your
applications by sending the request to the closest endpoint. It offers a
range of traffic-routing methods and endpoint monitoring options.
Benefits:
We can route the traffic to servers that are geographically nearby to
reduce latency.
Fail over to redundant systems in case the primary systems become
unhealthy.
Traffic Manager endpoints: Azure, External and Nested.
Combine multiple traffic routing methods using nested Traffic Manager
profiles.

Routing Methods
Priority – allows you to set a primary endpoint for all traffic.
Weighted – distribute traffic according to weights.
Performance – routes users to the closest endpoint.
Geographic – direct users to a specific endpoint based on their location.
Multivalue – return multiple healthy endpoints for IPv4/IPv6 addresses.
Subnet – map a group of end-user IP address ranges to a specific endpoint.

What is Azure DNS?

Azure DNS allows you to host your domain names on Azure. You can
create DNS zones and manage your DNS records.
Azure DNS does not allow you to purchase domains; it only provides the
ability to manage DNS records.
When adding a record set: name, e.g. beta; type – A, AAAA, CNAME, MX, PTR,
SOA, SRV or TXT; alias record set – yes or no; alias type – Azure resource
or zone record set.

What is Azure Load Balancer?

Azure Load Balancer is used for evenly distributing incoming network
traffic across a group of backend resources or servers. Azure Load
Balancer operates on OSI layer 4 (transport).
The load balancer supports TCP/UDP based protocols. It scales
automatically as traffic increases. It allows you to route traffic based
on source IP address and port to a destination IP address and port.
 NAT allows you to control the inbound and outbound network traffic.
Inbound rules – traffic allowed to a specific virtual machine or instance
in the backend pool.
Outbound rules – enable all resources to communicate with the Internet.
 Load balancer tiers: Basic and Standard.
Frontend IP Configuration
It is the IP address for the load balancer where clients connect. There
are 2 types: public and private IP.
 Public IP Address is the public IP and port for incoming traffic from
the internet.
 Private IP Address is an IP and port never exposed to the internet,
only exposed to the VMs internal to the VNet (Virtual Network).
Backend Pool – the backend pool is the group of VMs or the VM scale set
inside the VNet serving the incoming requests.
Health Probes – health probes report the health status of the instances
in the given backend pool. They support TCP, HTTP and HTTPS. The Basic
Load Balancer cannot use HTTPS probes and only supports TCP health
probes.
Load Balancing Rules
 Load balancing rules define the rule for a port to route the traffic
from the frontend IP to a port of your backend instances in the VNet.
For example, you can create a rule to route all traffic from frontend IP
port 80 to backend pool instances on port 80.
Protocols: TCP (Transmission Control Protocol), UDP (User Datagram
Protocol), ICMP (Internet Control Message Protocol).

What are Azure Virtual Machine Scale Sets?

 Virtual Machine Scale Sets (VMSS) let you create and manage a group
of identical, load balanced VMs. The number of VM instances can
automatically increase or decrease in response to demand or a defined
schedule.
 Scale sets provide high availability to your applications, and
allow you to centrally manage, configure, and update a large
number of VMs.
We deploy our services onto many different servers to scale them and
meet our demand. However, managing all those servers for load balancing,
scaling and keeping the application highly available is very challenging
in the cloud. Azure Virtual Machine Scale Sets is the tool which does all
of this automatically at no extra cost.
Vertical Scaling – increasing CPU and memory
Scale Up/Down
In vertical scaling, if you have a 1-core CPU and 4 GB of memory and you
upgrade this configuration to a 2-core CPU and 8 GB of memory, this is
called Scale Up. Reducing the configuration back to the baseline is
called Scale Down.
Horizontal Scaling – adding more instances of the VM
Scale Out/In
In horizontal scaling you start with one VM and keep adding more VMs with
the same configuration; this is called Scale Out. You can also reduce
back to 1 VM once your sale or business demand is over; this process is
called Scale In.
How a Virtual Machine Scale Set (VMSS) works
A VMSS starts with a minimum instance count, and you can set the maximum
instance count for your virtual machines. You can set up rules based on
time or on metrics to increase or decrease the number of VM instances.
Metrics Based Scaling
If you don't know when you are going to get the maximum business (it may
be today, the next day or any 5 continuous days), then you should go for
metrics based scaling. You can set a rule like: if my VM CPU utilization
is > 75% then add one more VM; if it is < 25% then remove a VM.
Time Based Scaling
Custom: you can do time based increments or decrements; here you schedule
your VMs to scale out and scale in. For example, every Saturday increase
the VM instance count to 4 and on Sunday reduce it back to 1. You can
schedule these rules.

Why use Virtual Machine Scale Sets?

 Automatically increase VM instances: autoscale based on metrics
and autoscale based on a defined schedule.
 Easy to create and manage multiple VMs.
 Provides high availability and application resiliency.
 Allows your application to automatically scale as resource demand
changes.
 Works at large scale: up to 1000 Azure VMs, and up to 600 VMs with
custom VM images.

Azure PowerShell: a set of cmdlets for managing Azure resources directly
from the PowerShell command line.

Azure Cloud Shell: an interactive, authenticated, browser-accessible
shell for managing Azure resources. It provides the flexibility of
choosing the shell experience that best suits the way you work, either
Bash or PowerShell.

Azure CLI: a command line interface processes commands to a computer
program in the form of lines of text; the OS implements a command line
interface in a shell or terminal. The Azure CLI can be installed on
Windows, Mac and Linux. Once installed you can type "az" followed by
other commands to create, update, delete, view and manage Azure
resources.
Create an Azure resource group:
az group create --name myResourceGroup --location westeurope
Create a virtual machine:
az vm create --resource-group myResourceGroup --name myVM --image UbuntuLTS --generate-ssh-keys

What is Azure Active Directory (AD)?

Azure AD is Microsoft's cloud-based identity and access management
service, which helps your employees sign in and access resources.
External resources: Microsoft Office 365, the Azure portal, SaaS
applications.
Internal resources: applications within your internal network, and
access to workstations on-premise.
With Azure AD you can implement Single Sign-On (SSO). Azure AD comes
in four editions:
1. Free, which provides MFA, SSO, basic security, usage reports and user
management.
2. Office 365 Apps, which adds company branding, an SLA, and two-way
sync between on-premise and cloud.
3. Premium P1, where you get hybrid architecture, advanced group access
and conditional access.
4. Premium P2, which adds identity protection and identity governance.

What is an Azure account?

To create or work with an Azure subscription, you must have an Azure
account. An Azure account is simply an identity in Azure Active Directory
(Azure AD).

Relationship between an Azure Subscription and Azure Active Directory

Every Azure subscription has a trust relationship with an Azure AD
instance. This means that it trusts that directory to authenticate users,
services, and devices. Multiple subscriptions can trust the same
directory, but a subscription trusts only one.
Creating user groups is a good way to manage access to resources in a
subscription by using role-based access control (RBAC).
The users and groups within the directory can be assigned role-based
access control (RBAC) roles to access resources like storage, compute,
network, database and more.

What is an Azure AD Tenant?

A tenant represents an organization; it is the dedicated Azure AD
instance used by that organization. An Azure AD tenant gets created
automatically when you create a Microsoft account through Microsoft 365
or Microsoft Intune.

What is Multi-Factor Authentication (MFA)?

A security control where, after you fill in your username/email and
password, you have to use a second device such as a phone to confirm
that it is you logging in.
Why do we use MFA?
MFA protects against people who have stolen your password. MFA is an
option in most cloud providers and even social media websites such as
Facebook and Twitter.
Ex: I have a login form where I enter my email and password, then we
have a phone which is the MFA factor, and then we get authorized.

What is Azure Security Center?

Azure Security Center is a unified infrastructure security management
system.
This is your "base layer" for monitoring the security configuration
and health of your workloads. Azure Security Center collects events
from Azure or Log Analytics agents and correlates them in a security
analytics engine, to provide you with tailored recommendations
(hardening tasks). Strengthening your security posture can be achieved
by implementing these recommendations.
Azure Defender: advanced workload protection for selected resource
types.
Azure Sentinel: security information and event management (SIEM),
orchestration and automation across your environment, including
3rd-party devices.

What is Azure Key Vault?

Azure Key Vault helps you safeguard cryptographic keys and other secrets
used by cloud apps and services.
Secrets Management: store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.
Key Management: create and control the encryption keys used to encrypt
your data.
Certificate Management: easily provision, manage and deploy public and
private SSL certificates for use with Azure and internally connected
resources.

What is a DDoS (Distributed Denial of Service) attack and Azure DDoS
Protection?

A DDoS attack is a malicious attempt to disrupt normal traffic by flooding
a website with large amounts of fake traffic.
Azure DDoS Protection protects your Azure resources from denial of
service (DoS) attacks. DDoS Protection (layers 3 and 4) offers two
service tiers: Basic and Standard.

Both Basic and Standard protect IPv4 and IPv6 public IP addresses.
Standard has advanced capabilities to protect you against network
attacks, such as logging, alerting, and telemetry.
It mitigates attacks like:
Volumetric attacks – flood the network layer with traffic.
Protocol attacks – exploit a weakness in layers 3 and 4.
Resource layer attacks – layer 7 attacks that disrupt the transmission of
data between hosts.
What is Azure Firewall?
It is a managed, cloud-based network security service that protects your
Azure virtual network resources. It uses a static public IP address for
your VNet resources. High availability is built in; no additional load
balancers are required. There is no additional cost for a firewall
deployed in an AZ.

What is the role of a Firewall?

A device within your local (company) network wants to open a site that
could be malicious for your company. How can you control that?
Similarly, from the outside world (the internet) someone wants to connect
to your company device and steal data or important private information.
How would you control them?
You can create a whitelist where you allow only a few IP addresses to
communicate with your local network. Similarly, for outbound traffic you
can create a blacklist of websites that are not allowed to be visited.
All of this work is done by the FIREWALL. In your network you can install
a single firewall that guards all devices and subnets within your
network.
Think of the firewall as a security checkpoint for all traffic going out
of and into your local network.

What is NAT?
NAT stands for Network Address Translation. In the networking world there
is a NAT device which is responsible for changing the IP address. It can
change either the destination or the source address depending on how the
data has to flow.
We use NAT to translate all traffic going towards the internet or coming
from the internet. The NAT device changes the source IP address to
200.0.0.1 for data coming from the local network. For inbound traffic
(from the internet to your local network), NAT converts the destination
address to your local network's common IP address, which is 192.168.0.1.

NAT has one role and the firewall has a separate one. They cannot
substitute for each other. However, you need both of them if you want to
communicate between 2 networks or with the internet from a local network;
you must put the firewall and NAT together to manage outbound and inbound
traffic.

What is DNS?
The Domain Name System (DNS) is the phonebook of the Internet. Each
device connected to the Internet has a unique IP address which other
machines use to find the device. DNS servers eliminate the need for
humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more
complex newer alphanumeric IP addresses such as
2400:cb00:2048:1::c629:d7a2 (in IPv6).

What is Application Gateway?

Azure Application Gateway is a web-traffic load balancer (layer 7, HTTP)
that routes traffic based on a set of rules. A Web Application Firewall
(WAF) can be attached for additional protection at OSI layer 7.
It allows you to distribute incoming traffic based on HTTP request
properties such as the URL and host headers.
Application Gateway has four tiers: Standard, Standard v2, WAF, and WAF
v2.
You can use the same application gateway for up to 100+ websites with
multi-site hosting.

Features
 Secure your data with end-to-end SSL.
 Route traffic based on URL path or host header.
 Protect your applications from common web vulnerabilities using a
WAF.
 Scales automatically based on your web application traffic load.
 With gateway-managed cookies, you can direct subsequent traffic
from a user session to the same server.
What is Azure VPN Gateway and what are the types of VPN Gateway?
A virtual private network (VPN) extends a private network across a
shared or public network by carrying traffic inside an encrypted tunnel.
Azure VPN Gateway uses Internet Protocol Security (IPsec) for the tunnel
and Internet Key Exchange (IKE, v1 or v2) to negotiate the keys.
VPN gateway connection types: VNet-to-VNet, Site-to-Site (S2S), and
Point-to-Site (P2S).
 Connect on-premises data centres to Azure virtual networks through
a site-to-site connection.
Used to connect an on-premises network to an Azure virtual network over
an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection
requires a VPN device on-premises that has an externally facing public
IP address assigned to it.
 Connect individual devices to Azure virtual networks through
a point-to-site connection.
It allows you to create a secure connection to your virtual network from
an individual client computer. A P2S connection is established by
starting it from the client's computer. This is useful for remote
workers who want to connect to an Azure VNet from home or a conference,
and is a practical alternative to S2S when only a few clients need to
connect. As part of the P2S configuration you install a client
certificate (or use Microsoft Entra ID or RADIUS authentication) and a
VPN client configuration package, which contains the settings that
allow your computer to connect to any virtual machine or role instance
within the virtual network.
 Connect Azure virtual networks to other Azure virtual networks
through a VNet-to-VNet connection.
VPN types: 2 types
Policy-based VPNs: policy-based gateways statically specify the address
prefixes (traffic selectors) whose packets should be encrypted through
each tunnel. They support IKEv1 only, the Basic gateway SKU only, and a
single S2S tunnel, so they are used mainly for legacy on-premises
devices.
Route-based VPNs: with route-based gateways, IPsec tunnels are modelled
as a network interface or VTI (virtual tunnel interface). IP routing
(static routes or dynamic routing protocols such as BGP) decides across
which of these tunnel interfaces to send each packet. Route-based is
the default and is required for P2S, VNet-to-VNet, multi-site and
active-active configurations.
You cannot change a policy-based VPN gateway to a route-based one, or
vice versa; you must delete and recreate the gateway.
Create S2S: we need 6 resources to create and configure in order to set
up an S2S connection with VPN Gateway.
VNet: only one VPN gateway can be deployed in a single VNet. When
creating the VNet, give it enough address space to accommodate future
subnets, and make sure it does not overlap the on-premises ranges.
Gateway Subnet: you need a dedicated subnet for the VPN gateway, and it
must be named GatewaySubnet. You cannot use this subnet for any other
service, and you should not attach an NSG to it. Use a /27 or larger
prefix so there are enough IP addresses for future growth, for example
a second gateway (ExpressRoute alongside VPN) or active-active
instances.
Virtual Network Gateway: create a virtual network gateway of type VPN.
This routes traffic from on-premises to the Azure VNet and vice versa.
Public IP address: create a public IP address resource for the gateway
(current gateway SKUs use a Standard SKU static address; older Basic
gateways used a dynamically allocated address that only changed if the
gateway was deleted and recreated). This IP is internet facing and is
what your on-premises VPN device points to.
Local Network Gateway: this represents the on-premises side. Its
configuration includes the on-premises VPN device's public IPv4 address
and the on-premises routable address prefixes. The VPN gateway uses
this information to route packets destined for on-premises networks
through the IPsec tunnel.
Connection: create a connection resource that links the virtual network
gateway to the local network gateway. It carries the connection type
(site-to-site), the IKE protocol version, and the pre-shared key
(shared key), which must match what is configured on the on-premises
device.

In the portal: search for the virtual network gateway, go to
Connections, click Add, give a name, select connection type
Site-to-site, the virtual network gateway, the local network gateway,
the shared key and the IKE protocol. Then click Download configuration
to get the settings for the on-premises device.
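The same six resources created with the Az PowerShell module, as an added example (this is not code from the original notes). The resource names, address ranges, the on-premises device IP and the shared key are placeholders; the on-premises side still has to be configured with the matching key and IPsec settings.

```powershell
# Added example: site-to-site VPN, the six resources in order.
# Requires: Install-Module Az ; Connect-AzAccount (placeholder values throughout)
$rg        = 'rg-network'
$location  = 'westeurope'
$onPremIp  = '203.0.113.10'        # on-premises VPN device public IP (TEST-NET-3, placeholder)
$onPremNet = @('10.100.0.0/16')    # on-premises routable prefixes (placeholder)

# 1. VNet with a dedicated GatewaySubnet (/27 or larger; the name is fixed)
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet, $appSubnet

# 2. Public IP for the gateway (Standard SKU, static; required by the AZ gateway SKUs)
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static

# 3. Virtual network gateway: type VPN, route-based, generation 2 (creation takes 30-45 minutes)
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
            -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
            -GatewaySku VpnGw2AZ -VpnGatewayGeneration Generation2

# 4. Local network gateway: the on-premises side (device IP + routable prefixes)
$lng = New-AzLocalNetworkGateway -Name 'lng-datacenter' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# 5. Pre-shared key: generate 256 bits of randomness instead of typing a password;
#    hand it to the on-premises team out of band and never commit it.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

# 6. Connection: IKEv2 with a pinned IPsec/IKE policy (AES-256-GCM, SHA-256, DH/PFS group 14)
#    rather than the default negotiation, so a weak proposal cannot be chosen.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
            -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
New-AzVirtualNetworkGatewayConnection -Name 'cn-datacenter' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk `
    -IpsecPolicies $ipsec -UsePolicyBasedTrafficSelectors $false

# Check: becomes 'Connected' once the on-premises device is configured with the same key/policy
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-datacenter' -ResourceGroupName $rg).ConnectionStatus
```

With GCM ciphers the IPsec encryption and integrity values must be the same algorithm, which is why both are GCMAES256. If the on-premises device only supports IKEv1 or CBC ciphers, relax the custom policy rather than dropping to a policy-based gateway.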

Active/standby
This is the default: the gateway runs as two instances. If planned
maintenance or an unplanned interruption affects the active instance,
the standby instance becomes active automatically, within about 90
seconds, without any human involvement; the public IP and the
on-premises device configuration stay the same.
Active/active
In this mode the gateway runs two active instances, each with its own
public IP address, and the on-premises side (one or two VPN devices)
builds a tunnel to each. Traffic is distributed across both tunnels,
and losing one instance or one tunnel does not drop connectivity.

Gateway types: VPN and ExpressRoute

ExpressRoute: a service that provides a private, dedicated connection
(through a connectivity provider) from your on-premises data centre to
the Microsoft cloud; the traffic does not cross the public internet.
ExpressRoute is the other gateway type, the most efficient and the most
costly. If your organisation uses Office 365 and wants to keep that
traffic off the internet, it can send it over the ExpressRoute
connection. One caveat: ExpressRoute does not encrypt traffic by itself;
if you need encryption you run an IPsec VPN over the ExpressRoute
private peering, or use MACsec with ExpressRoute Direct.
Supports dynamic routing between your network and Microsoft via Border
Gateway Protocol (BGP).
Azure Policy: a service you can use to create, assign and manage
policies. A policy allows you to enforce or control the properties of a
resource.
Azure Policy evaluates resources in Azure by comparing the properties of
those resources to business rules. These business rules, described in
JSON format, are known as policy definitions; a definition is applied to
a scope (management group, subscription or resource group) through a
policy assignment.

Policy vs RBAC
A policy maintains compliance of the resource state, while RBAC
focuses on controlling user actions at different scopes.
Even if the user has the RBAC permission to perform an action, if the
result would be a non-compliant resource, a policy with the Deny effect
still blocks the create or update request (the caller gets a
RequestDisallowedByPolicy error). Audit effects only record
non-compliance and do not block anything.
Azure Policy effects: Disabled, Append, Modify, Deny, DenyAction,
Audit, AuditIfNotExists and DeployIfNotExists.
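A worked policy definition and assignment, added here as an example (not from the original notes): it denies storage accounts that allow plain HTTP or anonymous blob access. The resource group name is a placeholder; the aliases are the real Microsoft.Storage aliases. The effect is parameterised so the same definition can be rolled out as Audit first and switched to Deny once you know nothing breaks.

```powershell
# Added example: custom Azure Policy definition + assignment with the Az module.
# Requires: Connect-AzAccount; Az.Resources and Az.PolicyInsights. 'rg-prod' is a placeholder.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" },
          { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "true" }
        ]
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameterised effect: Audit to measure, Deny to enforce, Disabled to switch off without deleting.
$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-insecure-storage' `
    -DisplayName 'Storage accounts must use HTTPS only and block public blob access' `
    -Mode 'Indexed' -Policy $policyRule -Parameter $policyParams

# Assign at resource group scope with Deny (the scope is where RBAC and Policy meet:
# a Contributor on rg-prod can still not create a non-compliant storage account here).
$scope = (Get-AzResourceGroup -Name 'rg-prod').ResourceId
New-AzPolicyAssignment -Name 'deny-insecure-storage-rg-prod' `
    -DisplayName 'Deny insecure storage (rg-prod)' `
    -PolicyDefinition $definition -Scope $scope -PolicyParameterObject @{ effect = 'Deny' }

# Check: Deny only stops new create/update requests; resources that already exist are
# reported as NonCompliant after the next evaluation, which this triggers on demand.
Start-AzPolicyComplianceScan -ResourceGroupName 'rg-prod'
Get-AzPolicyState -ResourceGroupName 'rg-prod' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState
```

The "exists": "false" clause matters: a storage account created without the allowBlobPublicAccess property is not secure by omission, so the rule treats a missing property the same as true.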

What is Azure Role-Based Access Control (RBAC)?

It helps you manage who has access to Azure resources, what they can do
with those resources, and what areas they have access to.
It is an authorisation system built on Azure Resource Manager, which
provides fine-grained access management of Azure resources.
A role assignment consists of 3 elements: security principal, role
definition, and scope.
Security principal – an object representing a user, group, service
principal or managed identity that requests access to Azure resources.
Role definition – a collection of permissions. A role definition lists
the operations that can be performed, such as read, write and delete
(Actions/NotActions for the control plane, DataActions/NotDataActions
for data-plane access).
Scope – the set of resources that the role assignment applies to.
Scope can be set at the management group, subscription, resource group
or individual resource level, and assignments are inherited by child
scopes, so assign at the narrowest scope that does the job.
Azure has built-in roles and you can define custom roles.
Azure roles – Azure RBAC has several hundred built-in roles. The four
fundamental ones are Owner, Contributor, Reader and User Access
Administrator.
Microsoft Entra ID (formerly Azure AD) roles – provide access to
manage directory resources, such as creating users, assigning
administrative roles to others, managing licences, resetting passwords
and managing domains. Examples: Global Administrator, User
Administrator, Billing Administrator. Directory roles and Azure
resource roles are separate; a Global Administrator has no access to
Azure resources unless that access is explicitly elevated.
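An added example (not from the original notes) of the three elements of a role assignment in practice: a least-privilege custom role definition that can only read, start, restart and deallocate VMs, assigned to a group at resource group scope. The subscription is taken from the current context; the resource group name and the group object ID are placeholders.

```powershell
# Added example: custom role + assignment, least privilege at resource group scope.
# Requires: Connect-AzAccount; Az.Resources. 'rg-prod' and the group ID are placeholders.
$subId   = (Get-AzContext).Subscription.Id
$rgName  = 'rg-prod'
$groupId = '00000000-0000-0000-0000-000000000000'   # Entra ID group object ID (placeholder)

# Role definition: clone a built-in role object, then replace its permissions with an explicit
# list. No wildcards, so a new operation added by Microsoft later is not granted by accident.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'VM Operator (custom)'
$role.Description = 'Read VMs and start, restart or deallocate them. No changes to disks, NICs or extensions.'
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
foreach ($action in @(
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Insights/metrics/read')) {
    $role.Actions.Add($action)
}
# AssignableScopes limits where the role may be used, independent of where it is assigned.
$role.AssignableScopes.Add("/subscriptions/$subId/resourceGroups/$rgName")
$custom = New-AzRoleDefinition -Role $role

# Role assignment = security principal (the group) + role definition + scope (the resource group).
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName $custom.Name -ResourceGroupName $rgName

# Checks a reviewer wants: who holds Owner at this scope (including inherited assignments),
# and confirmation that the new role contains no wildcard action.
Get-AzRoleAssignment -ResourceGroupName $rgName -RoleDefinitionName 'Owner' |
    Select-Object DisplayName, ObjectType, Scope
(Get-AzRoleDefinition -Name 'VM Operator (custom)').Actions | Where-Object { $_.Contains('*') }
```

Assigning to a group rather than to individual users keeps the assignment list short and reviewable; membership changes then happen in the directory, not in RBAC.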

Azure Management Groups: organise multiple subscriptions (accounts)
into a hierarchical structure.
Each directory is given a single top-level management group called the
root management group.
All subscriptions within a management group automatically inherit the
conditions (policy assignments and role assignments) applied to the
management group.

Azure Monitor: the monitoring service for Azure resources and
applications. It collects and displays the metrics of your resources,
and you can configure alerts that send notifications when a threshold is
breached.
Azure Monitor has features like:
Application Insights: the application performance monitoring (APM)
feature of Azure Monitor. It helps you maximise the availability and
performance of your applications and services by collecting, analysing
and acting on telemetry (requests, dependencies, exceptions, traces)
from cloud and on-premises environments.
Example: when you create a static site in your storage account, Azure
Monitor automatically collects platform metrics for the storage account
and starts showing them to you. You can view how many requests your
site is handling, and the responses, from the resource itself in the
Azure portal.

Azure Monitor collects data from 3 places, Azure platform services,
infrastructure (VMs, via agents) and applications, into two data
stores: Metrics and Logs.
Performance metrics are stored in a time series database (TSDB), and
logs are stored in a Log Analytics workspace, in tables. For example,
the Activity Log (subscription-level control-plane events) lands in the
AzureActivity table once you route it to the workspace with a
diagnostic setting.

ITSM
IT Service Management (ITSM) tools include ServiceNow, System Center
Service Manager, Provance and Cherwell. You can use the IT Service
Management Connector in Azure Monitor to create work items in your own
ITSM tool from Azure alerts.
Log Analytics
 All log data collected by Azure Monitor is stored in a Log
Analytics workspace.
 Query logs, from simple to advanced.
 The data is retrieved from a workspace using a log query written
in Kusto Query Language (KQL).
 The legacy Log Analytics agent (MMA) sends data only to a workspace;
it cannot send data to Azure Monitor Metrics, Azure Storage or Azure
Event Hubs. It is retired and replaced by the Azure Monitor Agent
(AMA), which uses data collection rules and can also send to Metrics.
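A KQL query run from PowerShell, as an added example (not from the original notes) covering both the Azure Monitor data flow above and Log Analytics querying: it lists who changed NSG security rules in the last 24 hours, the usual first check when a port has been opened to the internet. It assumes the subscription's Activity Log is routed to the workspace (so the AzureActivity table is populated); workspace and resource group names are placeholders.

```powershell
# Added example: KQL against a Log Analytics workspace from PowerShell.
# Requires: Connect-AzAccount; Az.OperationalInsights. Names are placeholders.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-monitor' -Name 'law-prod'

# AzureActivity = the subscription Activity Log. Successful writes to
# securityRules are rule creations or edits; group them by caller and source IP.
$kql = @'
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
| where ActivityStatusValue in~ ("Success", "Succeeded")
| summarize Changes = count(), Rules = make_set(_ResourceId, 20)
    by Caller, CallerIpAddress, ResourceGroup
| order by Changes desc
'@

# -WorkspaceId takes the workspace's customer ID (GUID), not its ARM resource ID.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
              -Query $kql -Timespan (New-TimeSpan -Hours 24)
$result.Results | Format-Table -AutoSize

# Triage: a caller that is an automation service principal is expected; an
# interactive user from an unfamiliar CallerIpAddress is worth a look.
$result.Results | Where-Object { $_.Caller -notlike '*@*' } |
    Select-Object Caller, CallerIpAddress, Changes
```

The same query can be used unchanged as the condition of a scheduled query alert rule in Azure Monitor, so the check runs on a schedule instead of only when someone remembers to ask.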

Azure Service Health
Gives you a personalised view of the status of your Azure services and
regions.
Azure Service Health is composed of three services:
Azure status – informs you of service outages in Azure (public page).
Service Health – a customised view of the health of the services and
regions you use.
Resource Health – health information on your individual Azure
resources.

Active events in Service Health:
Service issues
Planned maintenance
Health advisories
Security advisories
Azure Advisor
Advisor analyses your configurations and usage telemetry and offers
personalised, actionable recommendations in five categories: Cost,
Security, Reliability (formerly High Availability), Performance and
Operational Excellence.

Azure Arc
A hybrid cloud management platform for managing servers, Kubernetes
clusters, and applications across on-premises, multi-cloud, and edge
environments.
Centralise resource management and deploy consistent Azure services
anywhere.
Azure Arc features
You can project non-Azure machines and clusters into Azure Resource
Manager and apply Azure services to them (Azure Policy, Azure Monitor,
and Microsoft Defender for Cloud, formerly Azure Defender), so you use
the same tools and processes across your entire hybrid estate.

Azure Service Level Agreement (SLA): describes Azure's commitments for
uptime and connectivity. SLAs are individualised per Azure service.
Uptime and connectivity are described as performance targets (for
example 99.9% monthly uptime), with service credits if they are missed.

Azure Subscription: a subscription is the billing and access boundary
within an Azure account; one account can own several subscriptions.
Common subscription offers: Free, Pay-As-You-Go, Enterprise Agreement
and Student.

Tell us about your experience and your roles and responsibilities.

I have 3 years of experience on the Azure platform. I take care of
creating and managing VMs. Once I build the VMs, we need to validate
whether they are deployed in the correct subscription, resource group,
location, VNet and subnet, and that the NSG is configured. VM backup and
disaster recovery are configured; when it comes to replication we use
Azure Site Recovery as the disaster recovery solution, so that if one
region is down we fail over to another region. In this way we reduce
downtime with Azure Site Recovery, so we configure the replication.

Explain the most critical issue that you have troubleshot.

One of the customers complained that they were experiencing slowness in
their application. This can have various causes: it could be the
network or a misconfiguration, at the network end or the server end; the
application may not be configured properly, or the DB queries may not be
optimised. I took the lead and started working with the customer to
understand the actual behaviour of the application: is the slowness in
a specific time frame, or is it continuously slow? I started looking at
the metrics of the Azure VM and found that one of the application
services was consuming more CPU and RAM than the application was
supposed to. After multiple discussions I came to know that the
application was using an older version of Java, because of which the
process was consuming more resources than expected. The application
team decided to upgrade the Java version and the issue was fixed.
I have documented all the challenges that I faced.
What are the tasks you are handling day to day?
As an Azure administrator I am responsible for managing the Azure
infrastructure. That includes creating and managing VMs and making sure
a VM is configured properly, meaning it has been deployed in the correct
subnet, VNet, location, subscription and resource group. Once the VM is
deployed, I ensure it is properly configured with network and storage.
Storage means the disk configuration: choosing the correct disk type and
the number of disks, and attaching the disks correctly. I also make sure
backup is configured, disaster recovery if applicable, monitoring is
configured, and the VM is connected to Update Manager and has had its
initial patching before being delivered to operations. I also get
requests to add an additional disk to a VM, because the space given to a
VM may not always be sufficient, or to detach a disk from a VM, and
sometimes to take a snapshot of a disk to troubleshoot or to have a
backup of the disk. There are also daily compliance checks, such as
whether our VM backups and database backups are working well; in case of
any issues I troubleshoot the failures. Other issues I troubleshoot day
to day: an application server not able to connect to a database server
or vice versa (communication issues between servers), and users not able
to RDP or SSH to a server. Sometimes the patching I have configured
fails, and I troubleshoot those patching failures. I also allow or
modify ports in NSGs. And when users are not able to access an
application due to the performance of the application server, database
server or web server, I start monitoring the performance metrics and
analyse which application is consuming more resources, then estimate
whether I need to resize the VM.

What are the Computing Services?

Azure Virtual Machines – Windows or Linux VMs, the most common type of
compute. You choose your OS, memory, CPU and storage. You share the
underlying hardware with other customers (dedicated hosts are available
if you need physical isolation).
Azure Container Instances – containers as a service: run containerised
apps on Azure without provisioning servers or VMs.
Azure Kubernetes Service – Kubernetes as a service, to easily deploy,
manage and scale containerised applications. Uses the open source
Kubernetes software.
Azure Service Fabric – a distributed systems platform for enterprise
microservices and containers. Runs in Azure or on-premises. Packages,
deploys and manages scalable and reliable microservices.
Azure Functions – event-driven, serverless compute: run code without
provisioning or managing servers. You pay only for the compute time you
consume.
Azure Batch – plans, schedules and executes large-scale batch and
parallel workloads across pools of VMs, running hundreds of jobs in
parallel. Use spot VMs to save money.
What are Azure Storage Services?
Azure Blob Storage – serverless object storage. Store very large files
and large amounts of unstructured data. Pay for what you store, no
volumes to resize; accessed over HTTPS (REST/SDK), and with the
hierarchical namespace enabled also via file-system-style protocols.
Azure Disk Storage – a virtual volume (managed disk). Choose SSD or
HDD, encrypted at rest by default, attached to VMs.
Azure File Storage – a shared volume that you can access and manage
like a file server, e.g. over SMB or NFS.
Azure Queue Storage – a messaging queue, a data store for queuing and
reliably delivering messages between applications.
Azure Table Storage – a wide-column NoSQL store that hosts
semi-structured data independent of any schema.
Azure Archive Storage – the cheapest Blob access tier, for long-term
cold storage when you need to keep files for years (rehydration takes
hours before the data can be read).
Azure Data Lake Storage – a centralised repository, built on Blob
Storage, that allows you to store all your structured and unstructured
data at any scale.
What are Database Services?
Azure Cosmos DB – a fully managed NoSQL database, designed for scale
with a 99.999% availability guarantee for multi-region configurations.
Azure SQL Database – fully managed Microsoft SQL database with
auto-scale, built-in intelligence, and robust security.
Azure Database for MySQL/PostgreSQL/MariaDB – fully managed and
scalable MySQL/PostgreSQL/MariaDB databases with high availability and
security.
SQL Server on VMs – host enterprise SQL Server apps in the cloud;
lift-and-shift Microsoft SQL Servers from on-premises to Azure.
Azure Synapse Analytics (formerly Azure SQL Data Warehouse) – fully
managed data warehouse with security integrated at every level of
scale at no extra cost.
Azure Database Migration Service – migrates your databases to the cloud
with minimal or no application code changes.
Azure Cache for Redis – caches frequently used and static data to
reduce data and application latency.

Azure DevOps Services:
Azure Boards, Azure Repos, Azure Pipelines, Azure Test Plans and Azure
Artifacts; Azure DevTest Labs is a related service for test
environments.

Azure Resource Manager (ARM):

What is Infrastructure as Code (IaC)?
The process of managing and provisioning computer data centres through
machine-readable definition files, rather than physical hardware
configuration or interactive configuration tools. Because the
definitions are files, they can be version controlled, reviewed and
reused.

ARM is the deployment and management service for Azure: every request
from the portal, CLI, PowerShell or SDKs goes through it. ARM templates
allow you to declaratively create Azure resources from a JSON template
(Bicep is a newer language that compiles to ARM JSON).
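An ARM template with secure storage defaults, validated, previewed and deployed from PowerShell, added as an example (not from the original notes). The resource group and the generated storage account name are placeholders; the template properties are the real Microsoft.Storage properties.

```powershell
# Added example: ARM template deployment with validate -> what-if -> deploy.
# Requires: Connect-AzAccount; Az.Resources. 'rg-prod' is a placeholder and must exist.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string", "minLength": 3, "maxLength": 24 },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "allowSharedKeyAccess": false,
        "networkAcls": { "defaultAction": "Deny", "bypass": "AzureServices" }
      }
    }
  ],
  "outputs": {
    "blobEndpoint": {
      "type": "string",
      "value": "[reference(parameters('storageAccountName')).primaryEndpoints.blob]"
    }
  }
}
'@
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'storage-secure.json'
Set-Content -Path $templateFile -Value $template

$rg     = 'rg-prod'
$params = @{ storageAccountName = 'stprod' + (Get-Random -Maximum 99999) }  # must be globally unique

# 1. Server-side validation of syntax, parameters and quotas (returns nothing on success)
Test-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile -TemplateParameterObject $params

# 2. Preview exactly what would be created/changed before touching anything
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile -TemplateParameterObject $params -WhatIf

# 3. Deploy. Incremental mode is idempotent and leaves unrelated resources in the group alone;
#    Complete mode would delete anything in the group that the template does not declare.
$deploy = New-AzResourceGroupDeployment -Name 'storage-secure' -ResourceGroupName $rg `
              -TemplateFile $templateFile -TemplateParameterObject $params -Mode Incremental
$deploy.ProvisioningState
$deploy.Outputs['blobEndpoint'].Value
```

Because the template disables shared key access and denies network access by default, clients must authenticate with Microsoft Entra ID and come from an allowed network or private endpoint; loosen those two properties only if a specific consumer needs them.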

What is Serverless?
Enables you to build applications without managing infrastructure.
 Abstraction of servers
There is still a server somewhere, but you don't need to configure it;
you just deploy your code.
 Event-driven / instant scale
Your code reacts to events that happen on the serverless platform or
in the cloud, and the platform scales instances up and down for you.
 Micro billing
Your application can run in a single instance or thousands of them.
You pay only when an event occurs and your function/code executes; this
is micro-billing. You don't pay if your code is not running, and you
don't pay continuously to maintain, scale or secure a server.

Azure Serverless components:
Azure Functions, Logic Apps and Event Grid are the basic components of
the Azure serverless application platform.
Azure Functions:
 This is where you write your code/logic. Azure Functions executes
your code based on the triggers you specify.
 Supported languages: C#, Java, JavaScript, TypeScript, Python and
PowerShell (plus custom handlers for other languages).
 You can run your code in response to HTTP requests, on a schedule
(timer trigger) or on events from other services (queues, blobs,
Event Grid).
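An HTTP-triggered Azure Function written in PowerShell, added as an example (not from the original notes). A function is two files in one folder: function.json declares the trigger and output binding, and run.ps1 holds the code. The binding uses authLevel "function", so every call must carry a function key instead of being accepted anonymously, and the code validates its input before using it. The parameter name and regex are this example's choices.

```powershell
# Added example: PowerShell Azure Function (HTTP trigger).
#
# function.json, in the same folder as run.ps1:
# {
#   "bindings": [
#     { "authLevel": "function", "type": "httpTrigger", "direction": "in",
#       "name": "Request", "methods": [ "post" ] },
#     { "type": "http", "direction": "out", "name": "Response" }
#   ]
# }
#
# run.ps1:
using namespace System.Net
param($Request, $TriggerMetadata)

# Validate the input before doing anything with it: only a short name made of
# [A-Za-z0-9_-] is accepted, so it can never carry path, shell or query syntax.
$name = $Request.Body.name
if (-not $name -or $name -notmatch '^[A-Za-z0-9_-]{1,64}$') {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Headers    = @{ 'Content-Type' = 'application/json' }
        Body       = @{ error = 'name must be 1-64 characters of [A-Za-z0-9_-]' } | ConvertTo-Json
    })
    return
}

# Write-Host goes to the function's log stream (Application Insights when enabled);
# the invocation ID correlates this log line with the platform's own telemetry.
Write-Host "Invocation $($TriggerMetadata.InvocationId): greeting $name"

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Headers    = @{ 'Content-Type' = 'application/json' }
    Body       = @{ message = "Hello, $name"; invocation = $TriggerMetadata.InvocationId } | ConvertTo-Json
})
```

Locally this runs under the Azure Functions Core Tools (func start) and is called with POST /api/<function-name>?code=<function-key>; the same folder deploys unchanged to a Function App.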
Azure Logic Apps:
Often you want to orchestrate a workflow around your Functions. You can
use the connectors in Logic Apps, for example to send an email through
Office 365. You do not need to write the code to call those Office 365
APIs; the Logic Apps connectors already do that.
Components:
Workflow helps you create a series of steps for your logic app.
Managed connectors allow you to access and work with your data.
Trigger is the first step that runs your logic app.
Actions are steps that happen after the trigger and perform tasks in
the workflow of your logic app.
Enterprise Integration Pack allows you to create automated, scalable
enterprise integration workflows (B2B, EDI, XML).
Azure Event Grid
Event Grid routes events from Azure services and custom sources to
handlers (Functions, Logic Apps, webhooks, queues) that run code or
logic.

Azure Portal: a web-based, unified console that provides an
alternative to command-line tools. You can manage your Azure
subscription with the Azure portal: build, manage and monitor
everything from simple web apps to complex cloud deployments, at
portal.azure.com.

What is PowerShell?
PowerShell is a task automation and configuration management
framework: a command-line shell and a scripting language.
PowerShell is built on top of the .NET Common Language Runtime (CLR),
and accepts and returns .NET objects rather than text. Azure is managed
from PowerShell with the Az module (Connect-AzAccount, Get-AzVM, ...).

What is SNAT?
Source Network Address Translation (SNAT) allows traffic from a private
network to go out to the internet. Virtual machines on a private
network reach the internet through a device capable of performing SNAT,
which rewrites the private source IP address (and usually the source
port) of each packet to a public IP address and a port it owns, and
keeps a translation entry so that replies can be mapped back.
Example: an employee inside the company LAN, behind the firewall, wants
to browse google.com. First a routing decision is made; once the packet
is allowed to route to the internet, the SNAT process kicks in. During
SNAT only the source address (and port) of the packet is changed while
it passes through the NAT device. SNAT is done for traffic going out of
your local network, and lets many hosts inside share one or a few
public addresses when talking to many hosts outside.
In Azure, outbound SNAT for VMs is provided by a NAT gateway, a public
load balancer outbound rule or an instance-level public IP. Each public
IP offers a finite number of SNAT ports, so a VM that opens many
short-lived outbound connections can hit SNAT port exhaustion
(connections time out); a NAT gateway with several public IPs is the
usual fix.

What is DNAT?
Destination Network Address Translation (DNAT) changes the destination
address (and port) of packets passing through the router. DNAT is done
for traffic coming from outside into your local network, typically to
publish a service: many hosts outside can reach a single host inside
through the published address and port. In Azure this is what a load
balancer inbound NAT rule or an Azure Firewall DNAT rule does.
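A small NAT table in PowerShell, added as an example (not from the original notes) of the mechanics described above: SNAT allocates a distinct public port per outbound flow and uses it to map replies back, DNAT forwards one published port to one inside host, and an empty SNAT port pool is what port exhaustion looks like. All addresses are RFC 1918 / TEST-NET placeholders and no packets are sent.

```powershell
# Added example: toy SNAT/DNAT translation table (no real networking).
$PublicIp     = '198.51.100.7'
$SnatPortPool = [System.Collections.Generic.Queue[int]]::new()
1024..1027 | ForEach-Object { $SnatPortPool.Enqueue($_) }   # deliberately tiny pool
$SnatTable   = @{}   # "srcIp:srcPort>dstIp:dstPort" -> public port
$SnatReverse = @{}   # public port -> @{ Ip; Port } of the inside host
$DnatRules   = @{ 443 = @{ Ip = '10.0.1.20'; Port = 8443 } }   # publish :443 -> web VM :8443

function Invoke-Snat {
    # Outbound packet: rewrite source to the public IP and a public port unique to this flow.
    param([string]$SrcIp, [int]$SrcPort, [string]$DstIp, [int]$DstPort)
    $key = '{0}:{1}>{2}:{3}' -f $SrcIp, $SrcPort, $DstIp, $DstPort
    if (-not $SnatTable.ContainsKey($key)) {
        if ($SnatPortPool.Count -eq 0) {
            # SNAT port exhaustion: no state can be created, the packet is dropped and
            # the client sees a timeout rather than a reset.
            return $null
        }
        $pub = $SnatPortPool.Dequeue()
        $SnatTable[$key]  = $pub
        $SnatReverse[$pub] = @{ Ip = $SrcIp; Port = $SrcPort }
    }
    return @{ SrcIp = $PublicIp; SrcPort = $SnatTable[$key]; DstIp = $DstIp; DstPort = $DstPort }
}

function Invoke-SnatReturn {
    # Reply from the internet: the public destination port selects the inside host.
    param([string]$SrcIp, [int]$SrcPort, [int]$DstPort)
    if (-not $SnatReverse.ContainsKey($DstPort)) { return $null }   # no state: drop
    $inside = $SnatReverse[$DstPort]
    return @{ SrcIp = $SrcIp; SrcPort = $SrcPort; DstIp = $inside.Ip; DstPort = $inside.Port }
}

function Invoke-Dnat {
    # Inbound packet: only published ports are rewritten, everything else is dropped.
    param([string]$SrcIp, [int]$SrcPort, [int]$DstPort)
    if (-not $DnatRules.ContainsKey($DstPort)) { return $null }
    $target = $DnatRules[$DstPort]
    return @{ SrcIp = $SrcIp; SrcPort = $SrcPort; DstIp = $target.Ip; DstPort = $target.Port }
}

# Outbound: two inside hosts use the same source port to the same destination;
# each flow still gets its own public port (1024 and 1025).
$a = Invoke-Snat -SrcIp '10.0.1.10' -SrcPort 50000 -DstIp '192.0.2.44' -DstPort 443
$b = Invoke-Snat -SrcIp '10.0.1.11' -SrcPort 50000 -DstIp '192.0.2.44' -DstPort 443
'10.0.1.10 -> {0}:{1}, 10.0.1.11 -> {0}:{2}' -f $PublicIp, $a.SrcPort, $b.SrcPort

# Return traffic is demultiplexed by public port back to 10.0.1.11:50000
$r = Invoke-SnatReturn -SrcIp '192.0.2.44' -SrcPort 443 -DstPort $b.SrcPort
'reply to port {0} delivered to {1}:{2}' -f $b.SrcPort, $r.DstIp, $r.DstPort

# Exhaustion: two more flows use ports 1026 and 1027, the fifth flow is dropped
foreach ($p in 50001, 50002) {
    Invoke-Snat -SrcIp '10.0.1.12' -SrcPort $p -DstIp '192.0.2.44' -DstPort 443 | Out-Null
}
$null -eq (Invoke-Snat -SrcIp '10.0.1.13' -SrcPort 50000 -DstIp '192.0.2.44' -DstPort 443)   # True

# Inbound: the published port reaches the web VM, an unpublished one (22) is dropped
(Invoke-Dnat -SrcIp '203.0.113.5' -SrcPort 40000 -DstPort 443).DstIp     # 10.0.1.20
$null -eq (Invoke-Dnat -SrcIp '203.0.113.5' -SrcPort 40000 -DstPort 22)   # True
```

Real NAT devices also age entries out after an idle timeout, which is why Azure's NAT gateway and load balancer expose an idle timeout setting: a long timeout keeps ports tied up, a short one drops quiet long-lived connections.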

What are managed disks and unmanaged disks?

Managed disk – Microsoft manages the storage platform; you don't
create a storage account. The disk is a first-class Azure resource that
you attach directly to a VM, there is no per-storage-account capacity
limit to plan around, it is encrypted at rest by default, you can create
snapshots and images from the disk and create a VM directly from it,
and disks of VMs in an availability set are placed on separate storage
clusters for higher VM availability. Access is controlled through RBAC
on the disk resource rather than a storage account key.

Unmanaged disk – you create a storage account and place the VHD blobs
for your disks inside it, then attach them to your VM. You have a
storage limit based on the storage account type (a premium storage
account was limited to 35 TB), which caps how many disks you can attach,
and you have to manage the storage account and its keys yourself.
Unmanaged disks are deprecated (retirement was announced for September
2025), so new VMs should use managed disks.
