- Series Index
- Azure ARM , networking and GLOBAL Infrastructure (2017-10-01)
- Securing Resources and Azure Security (2017-10-01)
- Design an application storage and data access strategy (2017-10-01)
- Design advanced applications (2017-10-01)
- Design Azure Web and Mobile Apps (2017-10-01)
- Design a management, monitoring, and business continuity strategy (2017-10-01)
- Architect an Azure Compute infrastructure (2017-10-01)
Azure GLOBAL Infrastructure
AZURE Data Centers Architecture
- In order to check latency of data center use http://azurespeedtest.azurewebsites.net/
- No All the services are available in all regions and Data Centers use service availability page to verify the same. https://azure.microsoft.com/en-us/regions/services/
- Azure uses Blade Server in data center either in compute or storage role
- 40-50 Blade server per Rack (mounting unit)
- Each Rack has Aggregation Switch
- Some Racks have a special controller called Fabric Controller responsible for VM Life cycle management
- 20 Racks together makes a Stamps or Cluster
- Some region need local billing address for service subscription such as Australia
- Each rack works as fault domain
- As a customer you need to also design for HA that means your workload must be distributed in availability Sets
Azure Resource Manager
- With ASM even a VM has a cloud service.
- ARM is pure IaaS, not necessarily cloud service.
- Deploy, manage and monitor services as a group; deploy repeatedly throughout the application life cycle; use declarative templates to define deployment; can have dependencies between resources; apply RBAC; organise logically by tagging.
- ASM tightly couples to cloud service – VM in subnet, in VNet, in cloud service, in region, with VIP for DNS and public IP.
- ARM is more loosely coupled – can have multiple VIPs, NICs, etc. All in a RG (which can span regions). Attached via reference.
Azure Service Manager (ASM) vs Azure Resource Manger
- Azure Service Manager (ASM )
- This is an old portal which provides Cloud service for Iaas Workload and few specific Paas Workload
- Access over the Url: https://manage.windowsazure.com
- which termed as V1 portal
- Azure Service Manager are XML driven REST API
- Azure Resource Manager (ARM )
- They are new portal provides service for all Workload of IaaS and PaaS
- Access over the Url: https://portal.azure.com which termed as V2 portal having Blade design Portal View
- Azure Service Manager are JSON driven REST API
Azure Networking Infrastructure
Azure Static IP Address
- IP Address in Azure (Private IP Address) Network are assigned sequentially based on startup order of VM
- Public IP address are based on region and allocated from regional pool
- Non Static IP Addresses may be reclaimed during service disruption
- Internal Static IP address can only be assigned via New Portal or Power Shell
- removal of static IP address automatically assign DHCP IP address but VM need to be restarted
- Reserve IP Address can only be used with VM and web /worker role
- IP address must be reserve before Deployment, it can`t be applied after deployment
- IP address can only be reserved via Powershell
- Reserve IP address are only applied to service not VM
- Max 20 Reserve IP address per subscription
- Each Reserve IP address has a name associated
- There is special class of public IP address (Instance Public IP Address) that can be applied to instance VM or Role Instance
- (Instance Public IP Address) is earlier known as (Public IP) or PIP
- Max 5 IL-PIP per subscription
- PIP is additional IP address that do not replace virtual IP address
Azure Access Control List ACLsAn endpoint access control list (ACL) is a security enhancement available for your Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine endpoint.
- Azure ACL (AACL)or Network ACL (NACL) are same thing
- It Only applied to inbound traffic
- NACL work only IP4 addressing scheme
- Up to 50 Rules per VM Endpoints
- No NACL applied by default
- All traffic denied by default
- Each rule have unique order number (Assigned by you) and lower number is process first
- ACL are managed by Powershell (only?)
- All ACL config are stored in a ACL config Variables
- ACL are applied to specific endpoint not whole subnet
- If there is no ACL – all traffic is allowed (whatever endpoints are open will allow access);
- if there is one or more permit, deny all others; if there is one or more deny, allow all others; Combination of permit and deny to define a specific IP range.
- Network ACL affects Incoming traffic only.
Azure Network Security Groups (NSG)A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager)
- NSG has both inbound and outbound rules. Key factor are Traffic Direction , Protocol , Source /Destination address and port
- Traffic must match an allow rule to pass through
- Each NSG has unique name, NSG rules can be altered and changes takes effect immediately
- NSG can only be used in regional VMs i.e. they are regional
- NACL and NSG can not be applied on same VM instance
- Now NSG are recommended way over NACL that is actually old way of access control
- NSG can be applied to whole subnet
- Default Tags can be used at place of actual address (eg INTERNET)
- Each NSG contains default rules that can not be deleted
- NSGs can be assigned to a subnet or a NIC. It cannot be assigned to an entire virtual network, nor any other resource in Azure.
- Default NSG rule has lowest possible priority so that they can be easily overwritten
- Default NSG all inbound/Ouboud connection is allowed within VNET
- ALL inbound load balancer traffic is allowed by default
- other than VNET and LOAD_BALANCER all inbound is denied.
- All INTERNET outbound traffic is allowed by default
- Other then VNET and INTERNET all other traffic is denied by default
- NSG Association
- Three Pobbible association
- NSG to VM
- NSG to NIC
- NSG to Subnet
- Only one NSG per VM/NIC/Subnet
- Same NSG can be assigned to multiple resources
- 100 NSG per Region
- 200 Rule per NSG
- Port 184.108.40.206 (By default allowed) must be allowed because it represent
- Azure DHCP Relay ,
- DNS Resolver,
- Load Balancer ,
- VM Health Probe
- Outbound TCP/UDP 1688 must be open (By default allowed) because it KMS server to renew licencees
- NSG is created via Powershell
Azure NSG vs ACL (NACL)
Control all inbound and outbound traffic to VM
Works only for inbound traffic exposed via an endpoint
Works on one or more VM instances
Works on Endpoint applied to VM
You can specify Source / Destination IP/Port and protocol
Port and protocol are defined by end point
User-defined routes (UDR)
here is some key notes
- Most Common Use-cases
- Monitoring traffic with an intrusion detection system (IDS)
- Controlling traffic with a firewall
- User-defined routes are applied to traffic leaving a subnet from any resource (such as network interfaces attached to VMs) in the subnet.
- You cannot create routes to specify how traffic enters a subnet from the Internet, for instance.
- The appliance you are forwarding traffic to cannot be in the same subnet where the traffic originates. Always create a separate subnet for your appliances.
- User defined routes are only applied to Azure VMs and cloud services.
Azure VM (IAAS VM)
- Virtual machines per cloud service1(ASM Model) 50/50 (Default /Max)
- Input endpoints per cloud service2 (ASM Model) 150/150 (Default /Max)
- Virtual machines per availability set 200
- Maximum number of VMs in a scale set 1000/1000 (Default /Max)
- Maximum number of VMs based on a custom VM image in a scale set 300/300 (Default /Max)
- Maximum number of scale sets in a region 2000/2000 (Default /Max)
- Subscription limits https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits
- Azure VM Tier
Azure Availability Sets, Fault Domains, and Update Domains
- Fault Domain -
- Any single point of failure is called fault rack usually Rack.
- Always places resource in separate fault domain
- Microsoft automatically assigns Virtual Machines across 3 fault domains (physical servers) and 5 update domains to maximize up-time during planned and unplanned outages.
- Update Domain
- Collection of resources that can be updated at same time
- Resources must be distributed across multiple update domain
- Availability Set
- configure two things Fault domain and Update Domain
- VM in Availability set must of identical type
- VM can be assigned to Availability Set at the time of creation or later
- Moving VM to availability set after create will cause reboot.
- Azure provide three mechanism four mechanism of connecting on-premise to cloud network Point to Site , Site to Site , Express Route , VNet-VNet
- Virtual networks (VNets) are used to manage networking in Azure. Can only exist in one Azure region.
- CIDR notation is used to describe networks and subnet.
- All virtual machines (VMs) in a VNet can communicate (by default) but anything outside cannot talk (by default) – so VNet is default network boundary.
- In ASM, every VM has an associated cloud service (with its own name @cloudapp.net). Without subnets the VMs can only communicate via a public IP. If multiple cloud services are on same VNet then VMs can communicate using private IP.
- Endpoints are used to manage connections: internal (private) endpoint listening on a given port (e.g. for RDP on 3389); external (public) endpoint on defined port number – therefore go to a particular server, rather than just to the cloud service.
- Dynamic IP (DIP) is the private IP associated with a VM; only resolvable inside the VNet – external access needs a public IP. Can chose an IP address to use – and will be reserved.
- Virtual IP (VIP) – assigned to a cloud service – static public IP for as long as at least one VM running inside the cloud service.
- Instance Level Public IP (ILPIP) – for direct connection to Azure VM from Internet (not via the cloud service); public IP attached to a VM. In this configuration, whatever ports open on the VM are open to the Internet – effectively bypassing the security of the VNet.
- Point to Site VPN
- PC to Azure connection , Required client install on every on-premise machine that want to access Azure
- Azure address space must not overlap with on Premise address
- Site to Site VPN
- Suitable for large corporate
- it can connect one Azure Subscription to Other
- Can be use to Extent on premise network
- Required On Premise router to be configured
- Azure address space must not overlap with on Premise address
- Site to Site is IPSec VPN
- Use a VNet-to-VNet VPN to create a tunnel between VNets in different regions. This extends VNets to appear as if they were one.
- Multi-site VPN is a combination of the other methods, combined.
- High bandwidth (up to 10 GBPS) Direct link in between on-premise to Azure Data Centers
- Service may or may not be available locally
- Two way to connect
- Connect via Exchange Provider Data Center facility
- Direct Connection using supported Network service provider
- ExpressRoute Providers provide point-to-point Ethernet of connect via a cloud exchange. BGP sessions with edge routers on customer site. 200Mbps/500Mbps/1Gbps/10Gbps.
- Can use for Azure computing (IaaS); Azure public services (web apps, etc. – PaaS) or Office 365 (SaaS).
Azure Load Balancing and Traffic Manager
- Azure Load Balancer
- works at the transport layer (Layer 4 in the OSI network reference stack). It provides network-level distribution of traffic across instances of an application running in the same Azure data center.
- There are two types of load Balancers , Internal and Internet Facing
- All load Balancers work at regional level not cross region.
- Internet Facing Load Balancer
- You need to create a load Balancer end point on first VM
- All VMs must be in same cloud service
- Health probe must be configured
- Internal Load Balancers
- Internal traffic only
- VMs must be in same cloud service or virtual network with a regional scope
- First step to create a Internal Load Balancer is to create Internal Load Balancing endpoint
- Then add endpoint to internal VM to accept traffic
- configure all Front end server to send traffic to 'Internal Load Balancing endpoint"
- Only Powershell can be used for creating and configuring Internal Load Balancers.
- Azure Application Gateway
- works at the application layer (Layer 7 in the OSI network reference stack). It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints.
- Azure Traffic manager
- works at the DNS level. It uses DNS responses to direct end-user traffic to globally distributed endpoints. Clients then connect to those endpoints directly.
- Thinks this as highest level of load Balancers work cross region
- Support any IP endpoint
- Controls distribution of user traffic across multiple enpoint including cloud services , external sites etc.
- It work by modifying DNS settings
- Uses Four load balancing (Routing) methods
- Priority: Select Priority when you want to use a primary service endpoint for all traffic, and provide backups in case the primary or the backup endpoints are unavailable.
- Weighted: Select Weighted when you want to distribute traffic across a set of endpoints, either evenly or according to weights, which you define.
- Performance: Select Performance when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint in terms of the lowest network latency.
- Geographic: Select Geographic so that users are directed to specific endpoints (Azure, External, or Nested) based on which geographic location their DNS query originates from. This empowers Traffic Manager customers to enable scenarios where knowing a user’s geographic region and routing them based on that is important. Examples include complying with data sovereignty mandates, localization of content & user experience and measuring traffic from different regions.
Use this page as quick refresher or Cheat Sheet but no way a replacement of actual exam study guide or course