AzureQuickNotes
Contents:
- Azure CLI
- Azure built-in variables
- Resource manager
- Key vault
- Pipelines
- PostgreSQL
- Latency
- PowerShell
- Azure training
Certification path to DevOps:
- 73h - AZ-103: Microsoft Azure Administrator
- AZ-204: Developing Solutions for Microsoft Azure
- 26h - AZ-400: Microsoft Azure DevOps Solutions
- 36h - AZ-500: Microsoft Azure Security Technologies
- AZ-300: Microsoft Azure Architect Technologies
  - Will become AZ-303
- AZ-301: Microsoft Azure Architect Design
  - Will become AZ-304

Azure CLI:
- `az account list --output table` lists the subscriptions the signed-in identity can see and marks which one is the current default (IsDefault column).
Glossary:
- ACL - Access Control List
- Availability sets - spread VMs across fault domains (and update domains), so a single rack failure or planned reboot does not take all of them down.
- BGP - Border Gateway Protocol. Used by ExpressRoute (and optionally by VPN gateways) to exchange routes with on-premises.
- ExpressRoute - dedicated private connection between on-premises and Azure (see the ExpressRoute section below).
- Fault domain - Servers that share networking and power resources (e.g. a rack).
- GRS - Geo-Redundant Storage. Data is replicated to another (paired) region.
- IaC - Infrastructure as code.
- LRS - Locally Redundant Storage. Three copies within a single datacenter in the region.
- Managed Disks - Azure places the disks of VMs in an availability set in different storage domains, so one storage failure does not hit all of them.
- NSG - Network Security Groups
  - Max 100 NSGs per region, per subscription (default; 400 max, see Limits below)
  - Max 200 rules per NSG (default)
  - Must not be applied to the GatewaySubnet (the VPN gateway / ExpressRoute gateway subnet); it breaks gateway traffic.
- SLA - Service level agreement
- UDR - User Defined Routes
  - Basically a route table with your configured routes in it.
  - The virtual appliance must not be in the same subnet as the traffic it routes (the route would loop back into the appliance). Create a separate subnet for the appliance.
  - Must enable IP forwarding on the appliance's NIC in Azure, and in the guest OS as well, otherwise packets not addressed to the appliance are dropped.
  - Only one route table per subnet
  - Affects all virtual machines in the subnet
  - Can assign a route table to multiple subnets
  - Max 256 routes per subnet
- Unmanaged disks
  - Keep a VM's OS and data disks in the same storage account
  - Create a separate storage account for each VM in an availability set, so one storage account outage does not take down the whole set.
- Update domain - Logical group of VMs that Azure reboots together during planned maintenance.
  - All VMs in an update domain will be rebooted together.
  - Only one update domain is rebooted at a time.
- VPN - Virtual Private Network
Network

Storage

Workloads
- Domain controllers
- DNS servers
- Line of business applications
- Remote Desktop Services
- Most Windows Server operating systems and roles

High availability

Backups

Considerations
- Cost of virtual machines
  - VMs still require updates/patches
  - Right-size the virtual machines
  - Egress charges (data going out of Azure)
  - Bandwidth restrictions
  - Backups
- Disks and storage
  - Understand the limitations of the VM, including disk limits
  - Add a data disk
  - Install apps on the data disk?
  - Virtual machine scaling (I don't understand what this is)
  - Encrypt storage
- VM availability
  - Use availability sets/zones
  - Backup
  - Monitor VMs
  - Performance issues
- General
  - Use secure passwords (or SSH keys on Linux)
  - Stop the VM from the portal (or `az vm deallocate`), not from inside the guest OS.
    - This ensures that it is deallocated and thus not billed for compute (disks are still billed). A shutdown from inside the OS leaves the VM allocated and still billed.
  - Autoscaling requires an availability set
  - Implement NSGs for VMs exposed to the internet; allow only the ports you need, from the sources that need them.
  - Harden the VM
  - Lock down the VM
  - Patch the VM
- Availability sets
  - VMs are spread across fault and update domains, so no two share the same physical component (host, rack) or maintenance window.
- Availability zones
  - Physically separate datacenters within an Azure region.
- Azure VM scale sets
  - Scaling by itself is not HA; spread the instances across zones (or fault domains) for availability.
MS SLA for VMs
- for VMs with 2+ instances in 2+ Availability Zones in the same region, at least one VM will be available 99.99% of the time
- for VMs with 2+ instances in the same Availability Set, at least one VM will be available 99.95% of the time
- for VMs with 1 instance, using premium storage for all OS and data disks, VM connectivity is at least 99.9%
Connectivity options:
- ExpressRoute
- VPN gateway
  - Site to site
  - Point to site
  - VNet to VNet
- Peering (gateway not required)
Limits (default/max):
- VNets/subscription: 50/500
- Subnets/VNet: 1000/*
- NSGs per region per subscription: 100/400
- NSG rules/NSG: 200/500
Subnets:
- You lose 5 IP addresses of every subnet to Azure:
  - the subnet (network) address
  - the last address (broadcast)
  - three for internal (Azure) use: the first usable address is the default gateway, the next two are reserved for Azure DNS.
- The smallest subnet allowed is a /29 (8 addresses, 3 usable).
- A subnet can only be resized while it is empty, so an undersized subnet with resources in it has to be emptied and recreated.
- Virtual appliances and gateways require their own subnet (the gateway subnet must be named GatewaySubnet).
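Worked example (added here, not part of the original notes): a small Python helper that applies the five-address rule to an IPv4 subnet, names which addresses Azure takes, and picks the smallest prefix that still leaves enough usable addresses, which matters because a subnet that turns out too small cannot be grown in place. The reserved-address layout (network, gateway, two DNS, broadcast) and the /29 minimum are Azure's documented behaviour; the function names are mine.

```python
import ipaddress

# Azure reserves five addresses in every IPv4 subnet: the network address,
# the first usable address (default gateway), the next two (Azure DNS) and
# the last address (broadcast). Added example; the names below are mine.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_PREFIX = 29  # /29 (8 addresses, 3 usable) is the smallest Azure accepts


def _network(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set in the prefix
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 subnets are handled here")
    if net.prefixlen > AZURE_MIN_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /{AZURE_MIN_PREFIX} or larger")
    return net


def reserved_addresses(cidr: str) -> dict:
    """Return the five addresses Azure takes out of the subnet."""
    addrs = list(_network(cidr))  # every address, network through broadcast
    return {
        "network": str(addrs[0]),
        "gateway": str(addrs[1]),
        "dns": [str(addrs[2]), str(addrs[3])],
        "broadcast": str(addrs[-1]),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses actually assignable to NICs (VMs, appliances, load balancer frontends)."""
    return _network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def smallest_prefix_for(needed_hosts: int) -> int:
    """Largest prefix length (smallest subnet) that still leaves needed_hosts usable."""
    for prefix in range(AZURE_MIN_PREFIX, 7, -1):  # /29 down to /8
        if 2 ** (32 - prefix) - AZURE_RESERVED_PER_SUBNET >= needed_hosts:
            return prefix
    raise ValueError(f"no single Azure subnet can hold {needed_hosts} hosts")


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/29"):
        print(cidr, usable_hosts(cidr), reserved_addresses(cidr))
    print("/" + str(smallest_prefix_for(250)))  # a /24 leaves 251 usable, enough for 250
```

Note that asking for 252 hosts already pushes you to a /23: the five reserved addresses come off the top of every subnet, not just the small ones.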
ExpressRoute:
- Dedicated private connection (traffic does not traverse the public internet)
  - Secure
  - Reliable
  - Fast
- Offered by regional carriers
  - i.e. the circuit is ordered through a connectivity provider (a carrier or exchange provider) that is present at an ExpressRoute peering location; Azure does not terminate the physical link at your site.
- Not available in all regions.
- Not all services can use ExpressRoute. Does not support:
  - CDN
  - Visual Studio Team Services load testing
  - Multifactor authentication
  - Traffic Manager

VNet to On-Premise via a VPN Gateway

Order of routing (the longest matching prefix always wins; this order only breaks ties between routes for the same prefix):
- User defined routes
- BGP routes (ExpressRoute)
- System routes
Forced tunneling (sending all internet-bound traffic back on-premises):
- With a VPN gateway: a UDR for 0.0.0.0/0 with next hop VirtualNetworkGateway.
- If you are using ExpressRoute, you need to configure forced tunneling via BGP (advertise a default route from on-premises), not via a UDR.
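Worked example (added, not from the notes): a Python model of how Azure picks a route for a packet. The two rules it encodes are Azure's: the longest matching prefix wins, and when several routes share the same prefix the order is user defined, then BGP, then system. The sample route table, the appliance address 10.0.2.4 and the on-premises prefix 192.168.0.0/16 are constructed for the example; the next-hop type names are the real ones.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order when routes have the same prefix (Azure's precedence).
SOURCE_PRECEDENCE = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR, e.g. "0.0.0.0/0"
    next_hop: str  # "VirtualNetwork", "Internet", "VirtualNetworkGateway", "VirtualAppliance:<ip>", "None"
    source: str    # "UDR", "BGP" or "System"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def select_route(routes, destination: str):
    """Pick the route Azure would use: longest prefix first, then source precedence."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, SOURCE_PRECEDENCE[r.source]))


def effective_routes(routes):
    """What the portal's 'effective routes' view shows: one winner per prefix."""
    winners = {}
    for r in sorted(routes, key=lambda r: SOURCE_PRECEDENCE[r.source]):
        winners.setdefault(r.prefix, r)  # the first (highest precedence) route for a prefix wins
    return list(winners.values())


# Constructed sample: a VNet 10.0.0.0/16 with an ExpressRoute circuit that
# advertises a default route (forced tunneling via BGP), plus a UDR that
# sends everything else through a firewall appliance at 10.0.2.4.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]
BGP_ROUTES = [
    Route("192.168.0.0/16", "VirtualNetworkGateway", "BGP"),  # on-premises range
    Route("0.0.0.0/0", "VirtualNetworkGateway", "BGP"),       # default route advertised from on-prem
]
UDR_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance:10.0.2.4", "UDR"),
]


def next_hop_for(destination: str, routes=None) -> str:
    """Next hop for a destination; defaults to the full constructed table above."""
    routes = SYSTEM_ROUTES + BGP_ROUTES + UDR_ROUTES if routes is None else routes
    route = select_route(routes, destination)
    return route.next_hop if route else "None"


if __name__ == "__main__":
    for dst in ("10.0.1.5", "192.168.1.1", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```

With only the system and BGP routes, 8.8.8.8 goes to the gateway (the BGP default beats the system Internet route); adding the UDR pulls it to the appliance instead, because a UDR outranks BGP for the same prefix. 192.168.1.1 still goes to the gateway either way: its /16 is more specific than any 0.0.0.0/0.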
VPN gateway types:
- Basic
  - Policy based
    - Site to site only
    - Only one tunnel
  - Route based VPN
    - will
Types:
- Site to site (S2S)
  - IPsec/IKE VPN tunnel
  - 1 VPN gateway per virtual network.
  - An on-premises VPN device is required.
  - Public IP required on the on-premises device
  - Multisite site to site
    - Single VPN gateway with several S2S connections
    - All connections share the gateway's bandwidth.
    - Requires a route-based VPN
- Point to Site (P2S)
  - For remote users, e.g. anyone behind NAT.
  - Secure connection from the client using SSTP (newer gateways also support IKEv2 and OpenVPN)
  - Does not require a public-facing IP or a VPN device on the client side
  - Considerations
    - Client must be on Windows 7+ / Server 2008 R2+ (for the SSTP client)
    - Requires a certificate for client authentication
      - Self-signed
      - Existing CA solution
- VNet to VNet
  - IPsec/IKE VPN tunnel
  - Used for
    - connecting VNets in different regions
    - networks in different subscriptions
- VNet peering
  - Same region (global VNet peering now also allows different regions)
  - Networks must not have overlapping IP address spaces
  - ARM to classic peering is supported
Application Gateway
Provides:
- Load balancing
  - Only for HTTP, HTTPS and WebSocket.
- SSL/TLS offload
  - The gateway handles TLS decryption and encryption, and sends the traffic as clear HTTP to the backends.
- Cookie-based session affinity (aka sticky sessions)
  - Ensures all requests from a user are sent to the same backend instance during the session, via an affinity cookie.
  - If that backend fails its health probe, the gateway stops routing to it and sends the user's next request to a healthy instance; any session state held only on the failed instance is lost.
- End-to-end SSL/TLS
  - Traffic is re-encrypted between the application gateway and the backend.
  - Requires a certificate; the backend's certificate must be trusted by the gateway.
  - Does not support SSL 2.0 or 3.0 (due to security issues)
  - Supports TLS 1.0 and later; prefer an SSL policy that allows only TLS 1.2+.
- URL-based content routing
  - Basic rule - round-robin
  - Path-based rule - round-robin within a pool, with the pool chosen by a path pattern
    - Send traffic to specific backend pools based on the path in the URL, e.g. '/images/' traffic is sent to the 'Image pool'.
- Multisite routing
  - Routing based on the host header: the destination name is used to choose the pool.
    - E.g. a.com is pool A, bb.com is pool B etc.
  - Up to 20 websites on one application gateway
- Health monitoring
  - monitors the health of backend servers and does not route traffic to an unhealthy server
- Advanced diagnostics
- Web application firewall
  - Protects against common attacks, e.g. XSS, SQL injection etc. (OWASP core rule set)
- Supports WebSocket traffic.
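Worked example (added here; not the gateway's own code and not from the notes): a Python model of the routing features listed above: host-header (multisite) selection, path-based pool choice with longest prefix wins, round-robin inside a pool, the affinity cookie, and exclusion of members that failed their probe. It also shows what happens to a sticky session when its backend dies: a cookie pointing at an unhealthy member is ignored and the request goes to a healthy one. Hostnames, paths and member addresses are constructed; the cookie name ApplicationGatewayAffinity is the real one, but the real gateway stores an opaque value in it, not the backend address used here.

```python
from dataclasses import dataclass, field

AFFINITY_COOKIE = "ApplicationGatewayAffinity"
MAX_SITES = 20  # multisite limit quoted in the notes


@dataclass
class BackendPool:
    name: str
    members: list                       # backend addresses
    unhealthy: set = field(default_factory=set)  # members that failed the health probe
    _rr: int = 0                        # round-robin cursor

    def healthy_members(self):
        return [m for m in self.members if m not in self.unhealthy]

    def pick(self, preferred=None):
        """Honour the affinity cookie only while that member is still healthy."""
        live = self.healthy_members()
        if not live:
            return None
        if preferred in live:
            return preferred
        member = live[self._rr % len(live)]
        self._rr += 1
        return member


@dataclass
class Site:
    host: str
    default_pool: BackendPool
    path_rules: list = field(default_factory=list)  # [(path prefix, pool)]; longest prefix wins

    def pool_for(self, path: str) -> BackendPool:
        matches = [(p, pool) for p, pool in self.path_rules if path.startswith(p)]
        if not matches:
            return self.default_pool
        return max(matches, key=lambda m: len(m[0]))[1]


class ApplicationGateway:
    def __init__(self, sites, sticky=True):
        if len(sites) > MAX_SITES:
            raise ValueError(f"at most {MAX_SITES} sites per gateway")
        self.sites = {s.host.lower(): s for s in sites}  # listener selection by host header
        self.sticky = sticky

    def route(self, host: str, path: str, cookies=None):
        """Return (status, pool name, member, cookies to set) for one request."""
        site = self.sites.get(host.lower())
        if site is None:
            return 404, None, None, {}        # no listener for this host header
        pool = site.pool_for(path)
        preferred = (cookies or {}).get(AFFINITY_COOKIE) if self.sticky else None
        member = pool.pick(preferred)
        if member is None:
            return 502, pool.name, None, {}   # every member failed its probe
        set_cookie = {AFFINITY_COOKIE: member} if self.sticky else {}
        return 200, pool.name, member, set_cookie


def demo_gateway():
    """Constructed topology: a.com -> pool A; bb.com -> pool B with /images/ split out."""
    pool_a = BackendPool("poolA", ["10.1.0.4", "10.1.0.5"])
    pool_b = BackendPool("poolB", ["10.2.0.4", "10.2.0.5"])
    images = BackendPool("imagePool", ["10.3.0.4"])
    return ApplicationGateway([
        Site("a.com", pool_a),
        Site("bb.com", pool_b, path_rules=[("/images/", images)]),
    ])


if __name__ == "__main__":
    gw = demo_gateway()
    status, pool, member, cookie = gw.route("a.com", "/", {})
    print(status, pool, member, cookie)
    gw.sites["a.com"].default_pool.unhealthy.add(member)  # that backend fails its probe
    print(gw.route("a.com", "/", cookie))                  # session moves to the other member
```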
Differences between load balancers:
- Azure Load Balancer - works on layer 4
  - Any protocol (TCP/UDP)
  - Passes everything through to the backend, including the TLS handshake (no termination)
  - Source IP is also unmodified
- Application Gateway - works on layer 7 (see the Application Gateway section above)
  - Only HTTP(S) and WebSocket.
- Traffic Manager - DNS based
  - Any protocol; it only returns a DNS answer, the traffic never flows through it.
Probes (Azure Load Balancer):
- TCP: The minimum probe interval is 5 seconds and the minimum number of unhealthy responses is 2. The total duration of all intervals cannot exceed 120 seconds.
- HTTP(S): The minimum probe interval is 5 seconds. The total duration of all intervals cannot exceed 120 seconds.
Load Balancer uses a distributed probing service for its internal health model. The probing service resides on each host where VMs run and can be programmed on demand to generate health probes per the customer's configuration.
Load Balancer health probes originate from the IP address 168.63.129.16. Do not block this address in an NSG or in the guest firewall (the AzureLoadBalancer service tag covers it), or every backend will be marked unhealthy.
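Worked example (added; not part of the notes) for the NSG bullets in the glossary and for the probe source address above: a Python evaluator that applies rules the way an NSG does, lowest priority number first, first match wins, with the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) appended after the custom ones. The custom rules, addresses and VNet range are constructed; the default rule names and priorities, the 100-4096 custom priority range and the probe IP are real, and the 200-rule figure is the one from the notes. Service-tag matching is simplified (Internet here means anything outside the VNet).

```python
import ipaddress
from dataclasses import dataclass

PROBE_SOURCE_IP = "168.63.129.16"   # source of Azure Load Balancer health probes
MAX_RULES_PER_NSG = 200             # default limit quoted in the notes
CUSTOM_PRIORITY_RANGE = range(100, 4097)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = evaluated earlier
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR/IP or service tag: "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    dest_port: str   # "22", "8000-8999" or "*"


# Default inbound rules every NSG has; they cannot be removed, only preceded
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str, vnet: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    in_vnet = ip in ipaddress.ip_network(vnet)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "AzureLoadBalancer":
        return src_ip == PROBE_SOURCE_IP
    if rule_source == "Internet":
        return not in_vnet  # simplification: the real tag is "outside the VNet and publicly routable"
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def validate(custom_rules) -> None:
    """Reject rule sets Azure would reject: too many rules, bad or duplicate priorities."""
    if len(custom_rules) > MAX_RULES_PER_NSG:
        raise ValueError(f"more than {MAX_RULES_PER_NSG} rules")
    priorities = [r.priority for r in custom_rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("duplicate priority")
    bad = [p for p in priorities if p not in CUSTOM_PRIORITY_RANGE]
    if bad:
        raise ValueError(f"priority outside 100-4096: {bad}")


def is_valid(custom_rules) -> bool:
    try:
        validate(custom_rules)
    except ValueError:
        return False
    return True


def evaluate_inbound(custom_rules, src_ip: str, protocol: str, port: int, vnet: str = "10.0.0.0/16"):
    """Return (access, rule name) for an inbound packet; the first matching rule wins."""
    validate(custom_rules)
    for r in sorted(custom_rules, key=lambda r: r.priority) + DEFAULT_INBOUND:
        if r.protocol not in ("*", protocol):
            continue
        if _source_matches(r.source, src_ip, vnet) and _port_matches(r.dest_port, port):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Constructed example: SSH only from a management range, HTTP from anywhere.
WEB_VM_RULES = [
    Rule("AllowSSHFromMgmt", 100, "Allow", "Tcp", "198.51.100.0/24", "22"),
    Rule("AllowHTTPFromInternet", 200, "Allow", "Tcp", "Internet", "80"),
]
# The same rules plus a common mistake: a blanket deny that also stops load balancer probes.
BROKEN_RULES = WEB_VM_RULES + [Rule("DenyEverythingElse", 4000, "Deny", "*", "*", "*")]
```

The blanket deny in BROKEN_RULES sits at priority 4000, ahead of AllowAzureLoadBalancerInBound at 65001, so the probe from 168.63.129.16 is dropped and the VM is pulled out of the load balancer even though its web port is open.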
Resource manager templates:
Functions, e.g. 'concat' and 'copyIndex':
- The offset passed to copyIndex is added to the index number of the copy loop. The copy loop starts with 0 as index.
- So if the index is 0,1,2 and you use copyIndex(1), then you get 1,2,3.
- Requires a 'copy' section in the resource definition.
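Worked example (added; not from the notes and not Azure tooling): a small Python expander that applies the copy-loop and copyIndex(offset) semantics described above to a template fragment, so you can see the names a loop will produce before deploying. It handles only string literals, copyIndex and concat; the VM resource fragment is constructed.

```python
import json
import re

COPYINDEX = re.compile(r"copyIndex\(\s*(\d*)\s*\)")


def split_args(s: str):
    """Split a function argument list on top-level commas (respects quotes and nesting)."""
    args, depth, cur, in_str = [], 0, "", False
    for ch in s:
        if ch == "'":
            in_str = not in_str
        if not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur)
                cur = ""
                continue
        cur += ch
    args.append(cur)
    return args


def eval_expr(expr: str, index: int):
    """Evaluate the subset of ARM expressions used in copy loops: 'literal', copyIndex([offset]), concat(...)."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] == expr[-1] == "'":
        return expr[1:-1]
    m = COPYINDEX.fullmatch(expr)
    if m:
        return index + (int(m.group(1)) if m.group(1) else 0)  # the offset is simply added to the index
    if expr.startswith("concat(") and expr.endswith(")"):
        return "".join(str(eval_expr(a, index)) for a in split_args(expr[len("concat("):-1]))
    raise ValueError(f"unsupported expression: {expr}")


def eval_value(value, index: int):
    """Walk a resource body; strings of the form "[...]" are template expressions."""
    if isinstance(value, str) and value.startswith("[") and value.endswith("]"):
        return eval_expr(value[1:-1], index)
    if isinstance(value, dict):
        return {k: eval_value(v, index) for k, v in value.items()}
    if isinstance(value, list):
        return [eval_value(v, index) for v in value]
    return value


def expand_copy(resource: dict):
    """Return the concrete resources a 'copy' loop produces (the index starts at 0)."""
    copy = resource.get("copy")
    if copy is None:
        return [resource]  # no loop, nothing to expand (copyIndex would be invalid here)
    body = {k: v for k, v in resource.items() if k != "copy"}
    return [eval_value(body, i) for i in range(int(copy["count"]))]


# Constructed template fragment: three VMs named vm-1..vm-3 (offset 1) whose
# computer names use the raw index, node0..node2.
VM_RESOURCE = json.loads("""
{
  "type": "Microsoft.Compute/virtualMachines",
  "name": "[concat('vm-', copyIndex(1))]",
  "copy": { "name": "vmLoop", "count": 3 },
  "properties": { "osProfile": { "computerName": "[concat('node', copyIndex())]" } }
}
""")


def expanded_names(resource=VM_RESOURCE):
    return [r["name"] for r in expand_copy(resource)]


if __name__ == "__main__":
    for r in expand_copy(VM_RESOURCE):
        print(r["name"], r["properties"]["osProfile"]["computerName"])
```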
Storage accounts:
- MS Azure Storage Explorer - GUI for browsing storage accounts
- Storage accounts
  - Support 'almost any' type of data
  - Provide security
  - Provide redundancy
  - Scalable access
- A storage account provides access to objects in Azure storage for a specific subscription.
- VMs with unmanaged disks always have one or more storage accounts holding each attached virtual disk.
- A single storage account has a fixed rate limit of 20,000 I/O operations/sec
  - This means that a storage account is capable of supporting 40 standard virtual hard disks at full utilization (500 IOPS each).
Blob service (containers)
- Unstructured files
  - virtual machine disks
  - backups
  - logs
  - media
- Block blobs
  - used for media content and other large files
  - written and read as a sequence of blocks; optimized for streaming/sequential access
- Page blobs
  - Optimized for random read/write access
  - used for VM disks (VHDs)
- Append blobs
  - append-only; used for logs and auditing activities

File service
- SMB file shares
- Mount and manage from VMs or on-premises

Queue service

Table service
Disks:
- The data for a VHD is held in Azure Storage as a page blob.
- Unmanaged disks: you are responsible for the storage accounts that hold the VHDs that correspond to your VM disks.
- Managed disks: put the burden of managing the storage accounts on Azure. You specify the size of the disk, up to 4 TB, and Azure creates and manages both the disk and the storage. You don't have to worry about storage account limits, which makes managed disks easier to scale out.
- Creating a disk from a blob:
  - Create the disk image
  - Attach the disk image to a VM
  - Format the disk image
  - Automatically attach the image to the VM on boot
debconf errors on Debian/Ubuntu VMs

When apt-get or dpkg-reconfigure runs from a session without a controlling tty (a remote script, a VM extension), debconf cannot ask its questions and prints:

```
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend will not work on a dumb terminal, an emacs shell buffer, or without a controlling terminal.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
```

Fix: set a terminal type and a valid locale, and tell debconf not to prompt. Export DEBIAN_FRONTEND before dpkg-reconfigure runs, otherwise that step can still try to prompt:

```bash
export TERM=xterm
export DEBIAN_FRONTEND=noninteractive
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
```

DEBIAN_FRONTEND may or may not have an effect: it is only seen by commands run in the same environment after the export, and `sudo` strips it unless it is passed on the command line (`sudo DEBIAN_FRONTEND=noninteractive apt-get -y install ...`).