Monday, August 28, 2017

AZURE 70-534 Exam Notes and Cheat Sheet -Part 1 (Azure Global Infrastructure)

Quick Summary 

First and  most important objective of AZURE 70-534 Exam is to understand Global infrastructure capability. This page summarized the key capabilities and important point of Azure Global infrastructure. 

Use this page as quick refresher or Cheat Sheet but no way a replacement of actual exam study guide or course 
This Post is part of multi-part series and I will keep posting other part as it progress 

AZURE Data Centers Architecture

  1.  In order to check latency of data center use http://azurespeedtest.azurewebsites.net/
  2. No All the services are available in all regions and Data Centers use service availability page to verify the same. https://azure.microsoft.com/en-us/regions/services/
  3. Azure uses Blade Server in data center either in compute or storage role 
  4. 40-50 Blade server per Rack (mounting unit)
  5. Each Rack has Aggregation Switch 
  6. Some Racks have a special controller called Fabric Controller responsible for VM Life cycle management 
  7. 20 Racks together makes a Stamps or Cluster  


Azure Availability Architecture 

  1. Some region need local billing address for service subscription such as Australia
  2. Each rack works as fault domain 
  3. As a customer you need to also design for HA that means your workload must be distributed in availability Sets 

Azure Active Directory

  1. Azure AD has four Flavor 
    1. AD-DS in IAAS 
      1. it is actually just a    Windows Server VM as Domain controller
      2. It requires a Azure Network , Site to Azure VPN , and Static IP 
      3. In This ways cloud is just another site your your office 
    2. Azure AD (Active Directory as Service)
      1. Cloud based directory service using Office 365
      2. Windows 10 Machine can Join this AD 
      3. Support Multiple Directories and Domain Names 
      4. Only Global Administrator can delete a directory if there is no application or user in directory 
      5. Each AD instance have separate administrator 
      6. Each AD instance gets synchronized independently 
      7. It has Three Version 
        1. Free Edition (Provides Flowing feature)
          1. Use Account Management 
          2. Sync with On Prem AD
          3. SSO for Office 365/intune
        2. Basic Addition 
          1. Group based Access Management 
          2. Self Service Password reset 
          3. Provides Azure AD Application Proxy 
    3. Azure AD Premium
      1. Self Service group management 
      2. Advance reporting 
      3. MFA 
      4. Identity Manager 
      5. Password write back 
      6. Azure AD - Connect Health (detailed monitoring)
    4. Azure AD Domain Services
      1. It is fully managed cloud based AD service and replacement for AD-VM i.e. AD-DS as IAAS
      2. Support Complex Schema Extension 
      3. Supports Domin Join , LDAP, Kerberos , NTLM , GPO, for VM on Azaure network 
      4. Can work as DNS server for Azure Network 
      5. Works with AD Connect 
      6. User and Groups can only be added from Azure Console and PowerShell 

    Directly Synchronization

    1. Currently Azure AD connect is is used for directly synchronization 
    2. Previously people used DIR Sync and Azure AD Sync 
    3. Azure AD connect 
      1. Support Multiple AD Forest to Single AD instance 
      2. Password reset , PW-Write Back 
      3. User Group , Device write back 
      4. Sync Custom AD Sync 
  1. Azure AD - B2C Feature 
    1. Add support for social and third party identity providers.

Azure Static IP Address 

  1. IP Address in Azure (Private IP Address) Network are assigned sequentially based on startup order of VM
  2. Public IP address are based on region and allocated from regional pool 
  3. Non Static IP Addresses may be reclaimed during service disruption 
  4. Internal Static IP address can only be assigned via  New Portal or Power Shell 
  5. removal of static IP address automatically assign DHCP IP address but VM need to be restarted 
  6. Reserve IP Address can only be used with VM and web /worker role 
  7. IP address must be reserve before Deployment, it can`t be applied after deployment 
  8. IP address can only be reserved via Powershell 
  9. Reserve IP address are only applied to service not VM 
  10. Max 20 Reserve IP address per subscription 
  11. Each Reserve IP address has a name associated 
  12. There is special class of public IP address (Instance Public IP Address) that can be applied to instance VM or Role Instance 
  13. (Instance Public IP Address) is earlier known as (Public IP) or PIP
  14. Max 5 IL-PIP per subscription
  15. PIP is additional IP address that do not replace virtual IP address 
  16.  

Azure ACLs 

  1. Azure ACL (AACL)or Network ACL (NACL) are same thing 
  2. It Only applied to inbound traffic 
  3. NACL work one IP4 addressing scheme 
  4. Up to 50 Rules per VM Endpoints 
  5. No NACL applied by default 
  6. All traffic denied by default 
  7. Each rule have unique order number (Assigned by you)  and lower number is process first 
  8. ACL are managed by Powershell (only?)
  9. All ACL config are stored in a ACL config Variables 
  10. ACL are applied to specific endpoint not whole subnet
  11. Network Security Groups (NSG)
  12. NSG has both inbound and outbound rules. Key factor are Traffice Direction , Protocol , Source /Destination address and port 
  13. Traffic must match an allow rule to pass through 
  14. Each NSG has unique name, NSG rules can be altered and changes takes effect immediately
  15. NSG can only be used in regional VMs i.e. they are regional 
  16. NACL  and NSG can not be applied on same VM instance 
  17. Now NSG are recommended way over NACL that is actually old way of access control 
  18. NSG can be applied to whole subnet 
  19. Default Tags can be used at place of actual address (eg INTERNET)
  20. Each NSG contains default rules that can not be deleted 
  21. Default NSG rule has lowest possible priority so that they can be easily overwritten 
    1. Default NSG all inbound/Ouboud connection is allowed within VNET
    2. ALL inbound load balancer traffic is allowed by default 
    3. other than VNET and LOAD_BALANCER all inbound is denied.
    4. All INTERNET outbound traffic is allowed by default  
    5. Other then VNET and INTERNET all other traffic is denied by default 
  22. NSG Association 
    1. Three Pobbible association 
      1. NSG to VM 
      2. NSG to NIC 
      3. NSG to Subnet
    2. Only one NSG per VM/NIC/Subnet
    3. Same NSG can be assigned to multiple resources 
    4. 100 NSG per Region 
    5. 200 Rule per NSG 
  23. Port 168.63.129.16 (By default allowed) must be allowed because it represent
    1. Azure DHCP Relay , 
    2. DNS Resolver, 
    3. Load Balancer , 
    4. VM Health Probe   
  24. Outbound TCP/UDP 1688 must be open (By default allowed)  because it KMS server to renew licencees  
  25. NSG is created via Powershell 

Azure NSG vs ACL (NACL)

NSG
ACL
Control all inbound and outbound traffic to VM
Works only for inbound traffic exposed via an endpoint
Works on one or more VM instances
Works on Endpoint applied to VM
More Detailed
You can specify Source / Destination IP/Port and protocol
Port and  protocol are defined by end point

Azure VM (IAAS VM)

  1. 50 Azure VM per cloud service 
  2. 150 input endpoint per cloud service 
  3. 100 VM per availability zone  
  4. Subscription limits https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits
  5. Azure VM Tier 
    1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes

Azure Availability Sets, Fault Domains, and Update Domains

  1. Fault Domain - 
    1. Any single point of failure is called fault rack usually Rack.
    2. Always places resource in separate fault domain 
  2. Update Domain 
    1. Collection of resources that can be updated at same time
    2. Resources must be distributed across multiple update domain 
  3. Availability Set 
    1. configure two things  Fault domain and Update Domain 
    2. VM in Availability set must of identical type 
    3. VM can be assigned to Availability Set at the time of creation or later 
    4. Moving VM to availability set after create will cause reboot.

Azure VPNs and ExpressRoute

  1. Azure provide three mechanism four mechanism of connecting on-premise to cloud network Point to Site , Site to Site , Express Route 
  2. Point to Site 
    1.  PC to Azure connection , Required client install on every on-premise machine that want to access Azure
    2. Azure address space must not overlap with on Premise address 
  3. Site to Site VPN
    1. Suitable for large corporate
    2. it can connect one Azure Subscription to Other  
    3. Can be use to Extent on premise network 
    4. Required On Premise router to be configured 
    5. Azure address space must not overlap with on Premise address 
    6. Site to Site is IPSec VPN 
  4. Express Route 
    1. High bandwidth (up to 10 GBPS) Direct link in between on-premise to Azure Data Centers
    2. Service may or may not be available locally 
    3. Two way to connect 
      1. Connect via Exchange Provider Data Center facility 
      2. Direct Connection using supported Network service provider

Azure Load Balancing and Traffic Manager

  1. Load Balancer 
    1. There are two types of load Balancers , Internal and Internet Facing 
    2. All load Balancers work at regional level not cross region.
    3. Internet Facing Load Balancer 
      1. You need to create a load Balancer end point on first VM
      2. All VMs must be in same cloud service 
      3.  Health probe must be configured 
    4. Internal Load Balancers 
      1. Internal traffic only 
      2. VMs must be in same cloud service or virtual network with a regional scope
      3. First step to create a Internal Load Balancer is to create Internal Load Balancing endpoint 
        1. Then add endpoint to internal VM to accept traffic 
        2. configure all Front end server to send traffic to 'Internal Load Balancing endpoint"
      4. Only Powershell can be used for creating and configuring Internal Load Balancers.
  2. Azure Traffic manager 
    1. Thinks this as highest level of load Balancers work cross region
    2. Controls distribution of user traffic across multiple enpoint including cloud services , external sites etc.
    3. It work by modifying DNS settings  
    4. Uses three load balancing (Routing) methods
      1. Failover 
      2. Performance 
      3. Round Robin  

Azure Media Services and Content Delivery Network 

  1. Azure Media Services 
    1. Based in REST APIs
    2. Media are stored in BLOB container called Asset 
    3. BLOB container is set of blobs is actually Boundry point for access control 
    4. Number of Blobs per account is unlimited but max size is 500 TB per account
    5. Supported Encryption 
      1. None 
      2. Common Encryption or Play Ready DRM
      3. Envelop Encryption for HTTP live Streaming (HIL)
    6. Access policy is used to permission and duration of access 
    7. Locators 
      1. Locators Provides entry point for accessing files an asset 
      2. Locators  can have different start type and connection times using same permission and duration settings
      3. There are two type of Locators 
        1. On Demand Origin locators are used for streaming 
        2. SAS URL are locators used to upload or download media files for streaming 
    8. Job And Task 
      1. Job are used to process audio and video 
      2. Jobs are bind to media and Each media requires individual job to do any processing 
      3. Job is combination of Task and task can be chained 
    9. Channels (Streaming End Points)
      1. Media service account by default provides five channels 
      2. Each channel can have running Programs, Max three currently running program at any time per account.
      3. program is an administrative tool to control publishing and storage of live stream segment 
      4. Programs are times events on channels and managed by channels 
      5. Archive Window Length - how long recorded content will be saved 
    10. Streaming End Point 
      1. Delivers content directly to client player, application or CDN
      2. Support live stream or Video on demand 
      3. Scaling in 200MPBS increments
      4. default 2 Streaming end point per Media service account  
  2. Azure Content Delivery Network 
    1. Only Public BLOB with anonymous access  are cached at CDN
    2. CND URL format http;//<ID>.vo.msecnd.net/<path>
    3. Suggested to use only for Static content are supported with Azure CDN
    4. Cloud Service must deliver content via port HTTP:80  for CDN caching with AZURE
    5. If CND need to be used with HTTPS then
      1. BYO certificate not supported , CDN only Certificated are supported.
      2. Must use CDN domain name not custom domain name 
      3. Even if HTTP is on HTTP is still supported.

Multi factors authentication 

  1. Supported Third factors are 
    1. Cell Call 
    2. SMS
    3. One time Password 
    4. App Password 
      1. gets generated per app basis 
      2. mainly used for app that do not support MFA
    5. App Generated Time based code 
  2. Administrator can change MFA option like phone number 
  3. MFA is charge per user basis no on call/SMS basis

---------------End of Page---------------

No comments:

Post a Comment