AzureQuickNotes - henk52/knowledgesharing GitHub Wiki
Azure quick notes
Introduction
References
- Azure CLI
- Azure built-in variables
- Resource Manager
- Key Vault
- Pipelines
- PostgreSQL
- Latency
- PowerShell
- Azure training
Certificates path to DevOps
- 73h - AZ-103: Microsoft Azure Administrator
- AZ-204: Developing Solutions for Microsoft Azure
- 26h - AZ-400: Microsoft Azure DevOps Solutions
- 36h - AZ-500: Microsoft Azure Security Technologies
- AZ-300: Microsoft Azure Architect Technologies
  - Will become AZ-303
- AZ-301: Microsoft Azure Architect Design
  - Will become AZ-304
List the subscriptions the CLI is logged in to:

```bash
az account list --output table
```
Vocabulary
- ACL - Access Control List
- Availability sets - spread across fault domains.
- BGP - Border Gateway Protocol
- ExpressRoutes -
- Fault domain - Servers that share networking and power resources (e.g. a rack)
- GRS - Geo-Redundant Storage. Data is replicated to another region.
- IAC - Infrastructure as Code.
- LRS - Locally Redundant Storage. Three copies within the region.
- Managed Disks - Placed in different storage domains.
- NSG - Network Security Groups
  - Max 100 NSGs allowed per region, per subscription
  - Max 200 rules per NSG
  - You must not apply them to:
    - VPN Gateways
    - ExpressRoute subnet
- SLA - Service Level Agreement
- UDR - User Defined Routes
  - Basically a table with your configured routes in it.
  - The virtual appliance must not be in the same subnet where the traffic originates
  - Must enable IP forwarding on Azure (not on the appliance)
  - Must create a separate network for the appliance
  - Only one route table per subnet
  - Affects all virtual machines in the subnet
  - Can assign a route table to multiple subnets
  - Max 256 routes per subnet
- Unmanaged disks
  - Keep a VM's OS and data disks in the same storage account
  - Create a separate storage account for each VM in an availability set.
- Update domain - Logical group of VMs
  - All VMs in an update domain will be rebooted together.
  - Only one update domain is rebooted at a time.
- VPN - Virtual Private Network
Moving to Azure
Planning
Network
Storage
Workloads
- Domain controllers
- DNS servers
- Line of business applications
- Remote Desktop Services
- Most Windows Server operating systems and roles
High availability
Backups
Considerations
- Cost of virtual machines
- VMs still require updates/patches
- Right-size the virtual machines
- Egress charges (data going out of Azure)
- Bandwidth restrictions
- Backups
Best practices
- Disks and storage
  - Understand the limitations of the VM, including disk limits
  - Add a data disk
  - ?Install apps on the data disk
  - Virtual machine scaling (I don't understand what this is)
  - Encrypt storage
- VM Availability
  - Use availability
  - Backup
  - Monitor VMs
    - performance issues
- General
  - Use secure passwords
  - Stop the VM from the portal, not from inside the VM.
    - This ensures that it is deallocated and thus not billed
  - Autoscaling requires an availability set
  - Implement NSGs for VMs exposed to the internet
  - Harden the VM
  - Lock down the VM
  - Patch the VM
High availability
- Availability sets
  - No resource shares the same physical component
- Availability zones
- Azure region
- Azure VM scale sets
  - Not HA by itself.
HA for VMs
MS SLA for VMs
- For VMs with 2+ instances in 2+ Availability Zones in the same region, at least one VM will be available 99.99% of the time
- For VMs with 2+ instances in the same Availability set, at least one VM will be available 99.95% of the time
- For a VM with 1 instance using premium storage for all OS and data disks, VM connectivity is at least 99.9%
Networking
DNS
Azure Gateways
- ExpressRoute
- VPN gateway
  - Site to site
  - Point to site
  - VNet to VNet
- Peering (gateway not required)
Limits (default/max):
- VNets/subscription: 50/500
- Subnets/VNet: 1000/*
- NSGs: 100/400
- NSG rules/NSG: 200/500
Subnets:
- Every subnet loses 5 IP addresses to Azure:
  - Subnet address
  - Multicast
  - Three for internal (Azure) use.
- You need to delete and recreate subnets that are undersized.
- Virtual appliances and gateways require their own subnet.
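Because an undersized subnet has to be deleted and recreated, it pays to size it before creating it. The following is an added example (not code from the wiki page) that applies the five-reserved-addresses rule stated above; the assumption that the reserved addresses are the first four and the last one in the range follows Azure's usual layout (network address, default gateway, two DNS addresses, broadcast) and is stated here as an assumption.

```python
"""Azure subnet sizing helper.

Added example, not code from the original wiki page. It applies the page's
rule that every Azure subnet loses five addresses (the subnet address, the
last address and three for internal Azure use). Which specific addresses are
reserved is assumed here to be the first four and the last one, which is how
Azure lays them out (network, gateway, two DNS, broadcast).
"""
import ipaddress
from typing import List

AZURE_RESERVED = 5  # addresses Azure takes from every subnet, per the page


def usable_hosts(cidr: str) -> int:
    """Addresses left for NICs after Azure's reservations; raises if none remain."""
    net = ipaddress.ip_network(cidr, strict=True)
    usable = net.num_addresses - AZURE_RESERVED
    if usable <= 0:
        raise ValueError(f"{cidr} is too small: Azure reserves {AZURE_RESERVED} addresses")
    return usable


def reserved_addresses(cidr: str) -> List[str]:
    """The five addresses you cannot assign in this subnet (layout assumed, see above)."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    taken = [first, first + 1, first + 2, first + 3, int(net.broadcast_address)]
    return [str(ipaddress.ip_address(a)) for a in taken]


def smallest_prefix_for(required_hosts: int) -> int:
    """Prefix length of the smallest subnet that still fits required_hosts.

    Worth computing up front: an undersized subnet cannot be grown in place,
    it has to be deleted and recreated.
    """
    for prefix in range(32, -1, -1):  # walk from the smallest subnet upward
        if 2 ** (32 - prefix) - AZURE_RESERVED >= required_hosts:
            return prefix
    raise ValueError("no IPv4 subnet is large enough")


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/29"):
        print(cidr, "usable:", usable_hosts(cidr), "reserved:", reserved_addresses(cidr))
    print("smallest subnet for 251 hosts: /%d" % smallest_prefix_for(251))
    print("smallest subnet for 252 hosts: /%d" % smallest_prefix_for(252))
```

Note the edge: a /24 gives 251 usable addresses, so a plan for 252 NICs already needs a /23, and anything smaller than /29 has no usable address at all.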
ExpressRoute
- Dedicated private connection
  - Secure
  - Reliable
  - Fast
- Offered by regional carriers
  - TODO What does this mean?
- Not available in all regions.
- Not all services can use ExpressRoute
  - Does not support:
    - CDN
    - Visual Studio Team Services load testing
    - Multifactor authentication
    - Traffic Manager
VPN
VNet to On-Premise via a VPN Gateway
Order of routing:
- User defined routes
- BGP routes (ExpressRoute)
  - Must use forced tunneling
- System routes
If you are using ExpressRoute, you need to use forced tunneling via BGP, not UDR.
- Basic
- Policy based
  - Site to site only
  - Only one tunnel
- Route based VPN
  - will
Types:
- Site to site (S2S)
  - IPsec/IKE VPN tunnel
  - 1 VPN gateway per virtual network.
  - VPN device is required.
  - Public IP required
- Multisite Site to Site
  - Single VPN gateway
  - All connections share the bandwidth.
  - Route based VPN
- Point to Site (P2S)
  - For remote users
    - Anyone behind NAT.
  - Secure connection from the client using SSTP
  - Does not require a public-facing IP
  - Considerations
    - Must be on Win7+
    - Server 2008 R2+
    - Requires a certificate
      - Self-signed
      - Existing CA solution
- VNet to VNet
  - IPsec/IKE VPN tunnel
  - Used for
    - connecting sites in different regions
    - networks in different subscriptions
- VNet peering
  - Same region
  - Networks must not have overlapping IPs
  - ARM to classic
Azure application gateway
Provides:
- Load balancing
  - Only for HTTP, HTTPS and WebSocket.
- SSL Offload
  - The gateway handles SSL decryption and encryption, and sends the traffic in clear text (HTTP) to the backends.
- Cookie-Based Session Affinity (aka sticky sessions)
  - Ensures all of a user's requests are sent to the same instance during the session
  - TODO what happens if the backend VM crashes during the session?
- End-to-End SSL
  - EtE encryption
  - Does not support SSL 2.0 nor 3.0 (due to security issues)
  - Supports TLSv1.0 etc.
  - Requires a certificate.
  - Seems to re-encrypt the traffic between the Application Gateway and the backend.
- URL-Based Content Routing.
  - Basic rule - round-robin
  - Path-based rule - round-robin and path pattern
    - Send traffic to specific backend pools based on the path in the URL, e.g. '/images/' traffic is sent to the 'Image pool'.
- Multisite Routing
  - Destination name is used to choose the pool.
    - E.g. a.com is pool A, bb.com is pool B etc.
  - Up to 20 websites on one application gateway
  - Routing based on the host header
- Health monitoring
  - Monitors the health of servers and does not route traffic to an unhealthy server
- Advanced diagnostics
- Web Application Firewall
  - Protects against common attacks
    - e.g. XSS, SQL injection etc.
- Supports WebSocket traffic.
Differences between Load Balancers:
- Azure Load Balancer - works on layer 4
  - Any protocol
- Application Gateway - works on layer 7
  - Only HTTP(S) and WebSocket.
- Traffic Manager - DNS
  - Any protocol.
Load balancing
See also application gateway
- Passes everything through to the backend, including the SSL traffic
- Source IP is also unmodified
Probes:
- TCP: The minimum probe interval is 5 seconds and the minimum number of unhealthy responses is 2. The total duration of all intervals cannot exceed 120 seconds.
- HTTP(S): The minimum probe interval is 5 seconds. The total duration of all intervals cannot exceed 120 seconds.
Load Balancer uses a distributed probing service for its internal health model. The probing service resides on each host where VMs run and can be programmed on demand to generate health probes per the customer's configuration.
Load Balancer health probes originate from the IP address 168.63.129.16 as their source.
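Two things follow from the probe notes above: a probe configuration must respect the interval, threshold and 120-second total limits, and an NSG on the backend subnet must let traffic from 168.63.129.16 through, otherwise every backend is marked unhealthy. The script below is an added example (not Azure's code or API) that checks both; the NSG rule shape it evaluates is a simplified dict constructed for the example, not the ARM schema, and applying the TCP minimum threshold of 2 to HTTP(S) probes as well is an assumption.

```python
"""Checks for Azure Load Balancer health probes.

Added example, not Azure's code or API. It encodes the probe limits quoted on
the page and the fact that probes arrive from 168.63.129.16, then evaluates a
simplified NSG rule list (a constructed shape, not the ARM schema) to catch a
rule that would block the probes and mark every backend unhealthy. The page
gives a minimum unhealthy threshold only for TCP; applying the same minimum
of 2 to HTTP(S) is an assumption made here.
"""
import ipaddress
from typing import Dict, List

PROBE_SOURCE_IP = "168.63.129.16"  # health probe source address, per the page
MIN_INTERVAL_SECONDS = 5
MIN_UNHEALTHY_THRESHOLD = 2
MAX_TOTAL_DURATION_SECONDS = 120
SUPPORTED_PROTOCOLS = ("TCP", "HTTP", "HTTPS")


def probe_problems(protocol: str, interval_seconds: int, unhealthy_threshold: int) -> List[str]:
    """Return the violated limits; an empty list means the probe is acceptable."""
    problems = []
    if protocol.upper() not in SUPPORTED_PROTOCOLS:
        problems.append(f"unsupported probe protocol {protocol!r}")
    if interval_seconds < MIN_INTERVAL_SECONDS:
        problems.append(f"interval {interval_seconds}s is below the {MIN_INTERVAL_SECONDS}s minimum")
    if unhealthy_threshold < MIN_UNHEALTHY_THRESHOLD:
        problems.append(f"unhealthy threshold {unhealthy_threshold} is below the minimum of {MIN_UNHEALTHY_THRESHOLD}")
    total = interval_seconds * unhealthy_threshold  # time until a backend is marked down
    if total > MAX_TOTAL_DURATION_SECONDS:
        problems.append(f"total duration {total}s exceeds the {MAX_TOTAL_DURATION_SECONDS}s maximum")
    return problems


def _source_matches(source: str, ip: str) -> bool:
    """'*' and the AzureLoadBalancer service tag cover the probe source; any other
    source must be an IP or CIDR that contains it."""
    if source in ("*", "AzureLoadBalancer"):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # some other service tag: treated as not matching


def _port_matches(port_spec: str, port: int) -> bool:
    if port_spec == "*":
        return True
    if "-" in port_spec:
        low, high = (int(p) for p in port_spec.split("-", 1))
        return low <= port <= high
    return int(port_spec) == port


def probe_source_allowed(rules: List[Dict[str, object]], probe_port: int) -> bool:
    """Evaluate inbound rules lowest priority number first; the first match decides.
    Each rule is a dict with priority, direction, access, source and dest_port."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: int(r["priority"]))
    for rule in inbound:
        if _source_matches(str(rule["source"]), PROBE_SOURCE_IP) and _port_matches(str(rule["dest_port"]), probe_port):
            return rule["access"] == "Allow"
    return False  # nothing matched: an NSG denies inbound traffic by default


# Constructed sample: the default AllowAzureLoadBalancerInBound/DenyAllInBound
# pair plus a custom deny that unintentionally covers the probe source for port 80.
SAMPLE_NSG_RULES = [
    {"priority": 100, "direction": "Inbound", "access": "Deny", "source": "168.63.0.0/16", "dest_port": "80"},
    {"priority": 65001, "direction": "Inbound", "access": "Allow", "source": "AzureLoadBalancer", "dest_port": "*"},
    {"priority": 65500, "direction": "Inbound", "access": "Deny", "source": "*", "dest_port": "*"},
]

if __name__ == "__main__":
    print("TCP 5s x 2:", probe_problems("TCP", 5, 2) or "ok")
    print("HTTP 15s x 10:", probe_problems("HTTP", 15, 10))
    print("probes reach port 80:", probe_source_allowed(SAMPLE_NSG_RULES, 80))
    print("probes reach port 443:", probe_source_allowed(SAMPLE_NSG_RULES, 443))
```

In the sample rule set the port 80 backend looks dead to the load balancer even though the default AzureLoadBalancer allow rule exists, because the custom deny at priority 100 is evaluated first; port 443 is still probed normally.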
VMs
Azure ARM templates
Functions, like e.g. 'concat':
Resources in Azure ARM templates
datadisks
Functions in Azure ARM templates
copyIndex()
See:
The offset is added to the index number of the copy loop. The copy loop starts with 0 as the index.
So if the index is 0,1,2 and you have copyIndex(1), then you get 1,2,3.
Requires a 'copy' section in the resource section.
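To make the copyIndex offset concrete, here is an added example (not Azure's template engine, and not code from the wiki) that expands a resource with a `copy` section the way Resource Manager does. It is a toy evaluator for the single expression form `[concat('literal', copyIndex([offset]))]`; the disk resource it expands is constructed for the example and deliberately omits `apiVersion`, since that value is deployment-specific.

```python
"""Expand an ARM resource copy loop to see what copyIndex() evaluates to.

Added example, not Azure's template engine. It is a toy evaluator covering
only the expression form "[concat('literal', copyIndex([offset]))]"; any other
string is passed through unchanged. The resource below is constructed for the
example (no apiVersion is given, since that value is deployment-specific).
"""
import copy
import json
import re
from typing import Any, Dict, List

CONCAT_RE = re.compile(r"^\[concat\((.*)\)\]$")
COPY_INDEX_RE = re.compile(r"copyIndex\(\s*(\d*)\s*\)")


def eval_expression(expr: str, index: int) -> str:
    """Resolve one template string for the given 0-based loop index."""
    m = CONCAT_RE.match(expr)
    if not m:
        return expr  # a plain string, not a template expression
    parts = []
    # arguments are split on commas: enough for literals that contain none
    for arg in (a.strip() for a in m.group(1).split(",")):
        if len(arg) >= 2 and arg[0] == arg[-1] == "'":
            parts.append(arg[1:-1])
            continue
        ci = COPY_INDEX_RE.fullmatch(arg)
        if ci:
            offset = int(ci.group(1)) if ci.group(1) else 0
            parts.append(str(index + offset))  # the offset is added to the loop index
            continue
        raise ValueError(f"unsupported concat argument: {arg}")
    return "".join(parts)


def _resolve(node: Any, index: int) -> Any:
    if isinstance(node, dict):
        return {k: _resolve(v, index) for k, v in node.items()}
    if isinstance(node, list):
        return [_resolve(v, index) for v in node]
    if isinstance(node, str):
        return eval_expression(node, index)
    return node


def expand_copy(resource: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One resource per iteration, with the 'copy' section removed and copyIndex resolved."""
    if "copy" not in resource:
        return [resource]
    count = int(resource["copy"]["count"])
    expanded = []
    for i in range(count):  # Resource Manager starts the loop index at 0
        item = copy.deepcopy(resource)
        del item["copy"]
        expanded.append(_resolve(item, i))
    return expanded


# Constructed sample resource: three data disks named datadisk1..datadisk3.
SAMPLE_DISK_RESOURCE = {
    "type": "Microsoft.Compute/disks",
    "name": "[concat('datadisk', copyIndex(1))]",
    "location": "westeurope",
    "copy": {"name": "diskLoop", "count": 3},
    "properties": {"diskSizeGB": 128, "creationData": {"createOption": "Empty"}},
}


def disk_names(resource: Dict[str, Any] = SAMPLE_DISK_RESOURCE) -> List[str]:
    return [r["name"] for r in expand_copy(resource)]


if __name__ == "__main__":
    print(json.dumps(expand_copy(SAMPLE_DISK_RESOURCE), indent=2))
```

With `count: 3` the loop index runs 0, 1, 2; `copyIndex(1)` turns that into 1, 2, 3, so the names come out as datadisk1, datadisk2 and datadisk3 rather than starting at datadisk0.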
Storage
Storage components
- MS Azure Storage Explorer
Azure storage
- Supports 'almost any' type of data
- Provides security
- Provides redundancy
- Scalable access
Storage Account
Provides access to objects in Azure storage for a specific subscription.
VMs always have one or more storage accounts to hold each attached virtual disk.
A single storage account has a fixed-rate limit of 20,000 I/O operations/sec
- This means that a storage account is capable of supporting 40 standard virtual hard disks at full utilization.
Container blob service
- Unstructured files
  - virtual machine disks
  - backups
  - logs
  - media
- Block blobs
  - used for media content
  - sequential?
- Page blobs
  - Optimized for random access
  - used for VM disks
- Append blobs
  - logs and auditing activities
File service
- SMB file shares
- Mount and manage
Queue service
Table service
Storage 2
The data for the VHDs is held in Azure Storage as page blobs
- Unmanaged disks: you are responsible for the storage accounts that are used to hold the VHDs that correspond to your VM disks.
- Managed disks: put the burden of managing the storage accounts onto Azure. You specify the size of the disk, up to 4 TB, and Azure creates and manages both the disk and the storage. You don't have to worry about storage account limits, which makes managed disks easier to scale out.
Types of storage
- Blob
Additional storage disks on Ubuntu
Add data disk to a VM, from scratch
- Create the disk image
- Attach the disk image to a VM
- Format the disk image
- Automatically attach image to a VM
Troubleshooting
Troubleshooting Pipelines
Troubleshooting AzureCLI
Package installation in a pipeline (no controlling terminal) prints:

```
debconf: unable to initialize frontend: Dialog
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend will not work on a dumb terminal, an emacs shell buffer, or without a controlling terminal.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
WARNING: terminal is not fully functional
```

Fix: `export TERM=xterm`

```
dpkg-preconfigure: unable to re-open stdin: No such file or directory
```

Fix: set the locale and make the package frontend non-interactive:

```bash
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
export DEBIAN_FRONTEND=noninteractive
```

The DEBIAN_FRONTEND setting may or may not have an effect.