AzureQuickNotes - henk52/knowledgesharing GitHub Wiki

Azure quick notes

Introduction

References

  • List of modules available

  • Azure CLI

  • Azure built in variables:

  • Resource manager:

  • Key vault:

  • pipelines

    • Troubleshooting:
    • CLI task:
    • Azure Key Vault task:
    • YAML schema reference:
  • PostGreSQL

  • Latency

  • Powershell

  • Azure training

    • Certificate path to DevOps

      • 73h - AZ-103: Microsoft Azure Administrator -
        • 11h -
        • 6h -
        • 9h -
        • 4h -
        • 7h -
        • 7h -
        • 5h -
        • 6h -
        • 7h -
        • 5h -
        • 5h -
        • h -
      • AZ-204: Developing Solutions for Microsoft Azure -
      • 26h - AZ-400: Microsoft Azure DevOps Solutions -
        • 2h -
        • 9h -
        • 7h -
        • 4h -
        • 2h -
      • 36h - AZ-500: Microsoft Azure Security Technologies -
        • 6h -
        • 5h -
        • 6h -
        • 6h -
        • 6h -
        • 7h -
      • AZ-300: Microsoft Azure Architect Technologies -
        • Will become AZ-303
      • AZ-301: Microsoft Azure Architect Design -
        • Will become AZ-304
    • on LinkedIn:

  • az account list --output table

Vocabulary

  • ACL - Access Control List
  • Availability sets - spread across fault domains.
  • BGP - ?
  • ExpressRoutes -
  • Fault domain - Servers that share networking and power resources (e.g. a rack)
  • GRS - Geo-Redundant Storage. Data is replicated to another region.
  • IAC - Infrastructure as code.
  • LRS - Locally Redundant Storage. Three copies within the region.
  • Managed Disks - Placed in different storage domains.
  • NSG - Network Security Groups
    • Max 100 NSG allowed, per region, per subscription
    • Max 200 rules per NSG
    • You must not apply to:
      • VPN Gateways
      • ExpressRoute subnet
  • SLA - Service level agreement
  • UDR - User Defined Routes
    • Basically a table with your configured routes in it.
    • Must not have virtual appliance in the same subnet where the traffic originates
    • Must enable IP forwarding in Azure (not on the appliance)
    • Must create a separate network for the appliance
    • Only one route table per subnet
    • Affects all virtual machines in the subnet
    • Can assign a route table to multiple subnets
      • max 256 routes per subnet
  • Unmanaged disks
    • Keep a VM's OS and data disks in the same storage account
    • Create a separate storage account for each VM in an availability set.
  • Update domain - Logical group of VMs
    • All VMs in an update domain will be rebooted together.
    • Only one domain is rebooted at a time.
  • VPN - Virtual Private Network
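An added ARM template (example code, not part of the wiki) that puts the UDR rules above into practice: a route table with a default route to a virtual appliance, a VNet whose workload subnet carries that route table while the appliance sits in its own subnet, and the appliance NIC with IP forwarding enabled on the Azure side. Resource names, address ranges and the appliance IP 10.0.1.4 are constructed values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "applianceIp": { "type": "string", "defaultValue": "10.0.1.4" } },
  "resources": [
    {
      // The UDR itself: one route that sends all traffic leaving the workload subnet to the appliance.
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2019-11-01",
      "name": "workload-rt",
      "location": "[resourceGroup().location]",
      "properties": { "routes": [ { "name": "default-via-appliance", "properties": {
        "addressPrefix": "0.0.0.0/0",
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": "[parameters('applianceIp')]" } } ] }
    },
    {
      // Appliance and workloads get separate subnets; the route table is bound only to the workload subnet.
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2019-11-01",
      "name": "hub-vnet",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/routeTables', 'workload-rt')]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] },
        "subnets": [
          { "name": "appliance-subnet", "properties": { "addressPrefix": "10.0.1.0/24" } },
          { "name": "workload-subnet", "properties": { "addressPrefix": "10.0.2.0/24",
              "routeTable": { "id": "[resourceId('Microsoft.Network/routeTables', 'workload-rt')]" } } }
        ]
      }
    },
    {
      // IP forwarding is switched on at the appliance's Azure NIC; without it Azure drops packets not addressed to the NIC.
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2019-11-01",
      "name": "appliance-nic",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', 'hub-vnet')]" ],
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [ { "name": "ipconfig1", "properties": {
          "privateIPAllocationMethod": "Static",
          "privateIPAddress": "[parameters('applianceIp')]",
          "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'hub-vnet', 'appliance-subnet')]" } } } ]
      }
    }
  ]
}
```

The guest OS of the appliance still has to forward packets itself; the NIC setting only tells the Azure fabric to deliver traffic that is not addressed to the NIC's own IP.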

Moving to Azure

Planning

  • Network

  • Storage

  • Workloads

    • Domain controllers
    • DNS servers
    • Line of business applications
    • Remote Desktop Services
    • Most Windows Server operating system and roles
  • High availability

  • Backups

  • Considerations

    • Cost of virtual machines
    • VMs still require update/patches
    • Right size of virtual machines
    • Egress charges (data going out of Azure)
    • Bandwidth restrictions
    • Backups

    See also:

Best practices

  • Disks and storage
    • Understand the limitations of the VM, including disk limits
    • Add a data disk
    • ?Install apps on the data disk
    • Virtual machine scaling (I don't understand what this is)
    • encrypt storage
  • VM Availability
    • Use availability
    • Backup
    • Monitor VMs
      • performance issue
  • General
    • Use secure passwords
    • Stop the VM from the portal, not from inside the VM.
      • This ensures that it is deallocated and thus not billed
    • Autoscaling requires availability set
    • Implement NSG for VMs exposed to the internet
    • Harden the VM
    • Lock down the VM
    • Patch the VM

High availability

  • Availability sets
    • no resource shares the same physical component
  • Availability zones
  • Azure region
  • Azure vm scale sets
    • Not HA by itself.

HA for VMs

MS SLA for VMs

  • for VMs with 2+ instances in 2+ Availability Zones, in the same region, at least one VM will be available 99.99% of the time
  • for VMs with 2+ instances in the same Availability set, at least one VM will be available 99.95% of the time
  • For single-instance VMs using premium storage for all OS and data disks, VM connectivity is at least 99.9%

Networking

DNS

  • Azure provided DNS
  • Bringing your own DNS

Azure Gateways

  • ExpressRoute
  • VPN gateway
    • Site to site
    • Point to site
  • VNet to VNet
  • Peering (gateway not required)

Limits:

  • VNets/subscription: 50(default)/500(max)
  • Subnets/VNet: 1000/*
  • NSG: 100/400
  • NSG rules/NSG: 200/500

Subnets:

  • Lose 5 IP addresses to Azure
    • Subnet address
    • multicast
    • three for internal (Azure) use.
  • You need to delete and recreate subnets that are undersized.
  • Virtual appliances and gateways require their own subnet.

ExpressRoute

  • Dedicated private connection
  • Secure
  • Reliable
  • Fast
  • Offered by regional carriers
    • TODO What does this mean?
    • Not available in all regions.
  • Not all services can use ExpressRoute
    • Does not support:
      • CDN
      • Visual Studio Team Services load testing
      • Multifactor authentication
      • Traffic Manager

VPN

  • VNet to On-Premise via a VPN Gateway

  • Order of routing:

    • User defined routes
    • BGP routes (ExpressRoute)
      • Must use force tunneling
    • System routes

If you are using ExpressRoute, you need to use force tunneling via BGP not UDR.

  • Basic
  • Policy based
    • Site to site only
    • Only one tunnel
  • Route based VPN
    • will

Types:

  • Site to site (S2S)
    • IPsec/IKE VPN tunnel
    • 1 VPN gateway per virtual network.
    • VPN device is required.
    • Public IP required
  • Multisite Site to Site
    • Single VPN GW
    • All connections share the bandwidth.
    • Route based VPN
  • Point to Site (P2S)
    • For Remote users
      • Anyone behind NAT.
    • Secure connection from client using SSTP
    • Does not require a public-facing IP
    • Considerations
      • Must be on Win7+
      • Server 2008 R2+
      • Requires certificate
        • Self-signed
        • Existing CA solution
  • VNet to VNet
    • IPsec/IKE VPN tunnel
    • Used for
      • connecting sites in different regions
      • networks in different subscriptions
  • VNet peering
    • Same region
    • Networks must not have overlapping IPs
    • ARM to classic

Azure application gateway

Provides:

  • Load balancing
    • Only for HTTP, HTTPS and WebSocket.
  • SSL Offload
    • GW handles SSL decryption and encryption, and sends the traffic in clear (HTTP) to the backends.
  • Cookie-Based Session Affinity (aka sticky sessions)
    • Ensures all user requests are sent to the same instance during the session
    • TODO what happens if the backend VM crashes during the session?
  • End-to-End SSL
    • EtE encryption
    • Does not support SSL 2.0 or 3.0 (due to security issues)
    • Supports TLSv1.0 etc.
    • Requires a certificate.
    • Seems to re-encrypt the traffic between the Application GW and the backend.
  • URL-Based Content Routing.
    • Basic rule - round-robin
    • Path-based rule - round robin and path pattern
      • Send traffic to specific backend pools based on the path in the URL e.g. '/images/' traffic is sent to the 'Image pool'.
  • Multisite Routing
    • Destination name is used to choose the pool.
      • E.g. a.com is pool A, bb.com is pool B etc.
    • Up to 20 websites on one application GW
    • Routing based on the host header
  • Health monitoring
    • monitors health of servers and does not route traffic to an unhealthy server
  • Advanced diagnostics
  • Web application Firewall
    • Protects against common attacks
      • e.g. XSS, SQL injection etc.
  • Supports WebSocket traffic.

Differences between Load Balancers:

  • Azure Load balancer - works on layer 4
    • Any protocol
  • Application Gateway - Works on Layer 7
    • Only HTTP(S) and WebSocket.
  • Traffic Manager - DNS
    • Any protocol.

Load balancing

See also application gateway

  • Passes everything through to the backend, including the SSL stuff
    • source IP is also unmodified

Probes:

  • TCP: The minimum probe interval is 5 seconds and the minimum number of unhealthy responses is 2. The total duration of all intervals cannot exceed 120 seconds.
  • HTTP(s): The minimum probe interval is 5 seconds. The total duration of all intervals cannot exceed 120 seconds.

Load Balancer uses a distributed probing service for its internal health model. The probing service resides on each host where VMs run and can be programmed on demand to generate health probes per the customer's configuration.

Load Balancer health probes originate from the IP address 168.63.129.16 as their source.

VMs

Azure ARM templates

See:

Functions, like e.g. 'concat':

Resources in Azure ARM templates

See:

datadisks

See:

Functions in Azure ARM templates

copyIndex()

See:

The offset is added to the index number of the copy loop. The copy loop starts with 0 as index.

So if the index is: 0,1,2 and you have copyIndex(1), then you get: 1,2,3

Requires a 'copy' section in the resource section.
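An added ARM template (not the wiki's own code) using a resource copy loop with copyIndex(1): with diskCount 3 the loop index is 0, 1, 2 and the disks come out as datadisk-1, datadisk-2, datadisk-3. The outputs copy repeats the same expression so the names are visible after deployment. Parameter names, disk size and SKU are constructed values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "diskCount": { "type": "int", "defaultValue": 3 },
    "diskPrefix": { "type": "string", "defaultValue": "datadisk" }
  },
  "resources": [
    {
      // One managed data disk per iteration; the 'copy' section is what makes copyIndex() valid here.
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2019-07-01",
      // copyIndex() alone would give datadisk-0, -1, -2; the offset of 1 gives datadisk-1, -2, -3.
      "name": "[concat(parameters('diskPrefix'), '-', copyIndex(1))]",
      "location": "[resourceGroup().location]",
      "copy": {
        "name": "diskLoop",
        "count": "[parameters('diskCount')]"
      },
      "sku": { "name": "Premium_LRS" },
      "properties": {
        "creationData": { "createOption": "Empty" },
        "diskSizeGB": 128,
        // Managed disks are encrypted at rest; platform-managed keys are the default choice.
        "encryption": { "type": "EncryptionAtRestWithPlatformKey" }
      }
    }
  ],
  "outputs": {
    // Output copy loops follow the same offset rule: ["datadisk-1", "datadisk-2", "datadisk-3"].
    "diskNames": {
      "type": "array",
      "copy": {
        "count": "[parameters('diskCount')]",
        "input": "[concat(parameters('diskPrefix'), '-', copyIndex(1))]"
      }
    }
  }
}
```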

Storage

Storage components

  • MS Azure Storage Explorer

Azure storage

  • Supports 'almost any' type of data
  • Provides security
  • Provides redundancy
  • scalable access

Storage Account

Provides access to objects in Azure storage for a specific subscription.

VMs always have one or more storage accounts to hold each attached virtual disk.

  • A single storage account has a fixed-rate limit of 20,000 I/O operations/sec

    • This means that a storage account is capable of supporting 40 standard virtual hard disks at full utilization.
  • Container blob service

    • Unstructured files
      • virtual machine disks
      • backups
      • logs
      • media
    • Block blobs
      • used for media content
      • sequential?
    • Page blobs
      • Optimized for random access
      • used for VM disks
    • Append blobs
      • logs and auditing activities
  • File service

    • SMB file shares
    • Mount and manage
  • Queue service

  • Table service

Storage 2

The data for the VHDs is held in Azure Storage as page blobs.

  • Unmanaged disks: you are responsible for the storage accounts that are used to hold the VHDs that correspond to your VM disks.
  • Managed disks: putting the burden of managing the storage accounts onto Azure. You specify the size of the disk, up to 4 TB, and Azure creates and manages both the disk and the storage. You don't have to worry about storage account limits, which makes managed disks easier to scale out.

Types of storage

  • Blob

Additional storage disks on Ubuntu

Add data disk to a VM, from scratch

  • Create the disk image
    • Log in to
    • The easiest way seems to be to create the disk as part of a VM
  • Attach the disk image to a VM
  • Format the disk image
  • Automatically attach image to a VM

See:

Troubleshooting

Troubleshooting Pipelines

Troubleshooting AzureCLI

debconf: unable to initialize frontend: Dialog

debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend will not work on a dumb terminal, an emacs shell buffer, or without a controlling terminal.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype

WARNING: terminal is not fully functional

`export TERM=xterm`

See:

dpkg-preconfigure: unable to re-open stdin: No such file or directory

See:

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales
export DEBIAN_FRONTEND=noninteractive

The DEBIAN_FRONTEND may or may not have an effect.