AZ-104 Azure Administrator Associate

My notes from learning from https://docs.microsoft.com/en-us/learn/certifications/azure-administrator

AZ-104 Deploy and manage Azure compute resources

My notes from the learning path AZ-104 Deploy and manage Azure compute resources of Microsoft Certified: Azure Administrator Associate on Microsoft Docs

Introduction to Azure virtual machines

Size of the VM

General purpose: Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers. Size series: B, Dsv3, Dv3, DSv2, Dv2
Compute optimized: High CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers. Size series: Fsv2, Fs, F
Memory optimized: High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics. Size series: Esv3, Ev3, M, GS, G, DSv2, Dv2
Storage optimized: High disk throughput and IO. Ideal for VMs running databases. Size series: Ls
GPU: Heavy graphics rendering and video editing; also ideal for model training and inferencing with deep learning. Size series: NV, NC, NCv2, NCv3, ND
High performance compute: The fastest and most powerful CPU virtual machines with optional high-throughput network interfaces. Size series: H

Azure Automation Services

Azure Automation allows you to automate management tasks with ease. These services include:

Availability Set

An availability set is a logical feature used to ensure that a group of related VMs is deployed so that they aren't all subject to a single point of failure and aren't all upgraded at the same time during a host operating system upgrade in the datacenter.


Failover Across Locations

Azure Site Recovery replicates workloads from a primary site to a secondary location with two significant business advantages:

  1. Azure as a destination for recovery, thus eliminating the cost and complexity of maintaining a secondary physical datacenter.

  2. Simple to test failovers for recovery drills without impacting production environments. 

Create a Linux virtual machine in Azure

Storage Options

There are two levels of SSD storage available:

Mapping Storage to Disks

Two virtual hard disks (VHDs) will be created for your Linux VM:

  1. The operating system disk: This is your primary drive, and it has a maximum capacity of 2048 GB. It will be labeled as /dev/sda by default.

  2. Temporary disk: This provides temporary storage for the OS swap files or any apps. The disk is /dev/sdb and is formatted and mounted to /mnt.

Unmanaged vs. managed disks

Authentication Method for SSH

Generating a key pair

ssh-keygen -t rsa -b 4096

Install public key in an existing VM named myserver with a user azureuser

ssh-copy-id -i ~/.ssh/id_rsa.pub azureuser@myserver

Creating a Linux VM with the Azure Portal

Virtual Network

VM IP Addresses

Connect to a Linux virtual machine with SSH

Initialize data disks

identify the disk

dmesg | grep SCSI

initialize the disk /dev/sdc

(echo n; echo p; echo 1; echo ; echo ; echo w) | sudo fdisk /dev/sdc

write a file system to the partition

sudo mkfs -t ext4 /dev/sdc1

mount the partition on the file system

sudo mkdir /data && sudo mount /dev/sdc1 /data

Install the Apache web server

Update the local package index

sudo apt-get update

Install Apache server

sudo apt-get install apache2 -y

Check that the daemon is running and is configured to start automatically

sudo systemctl status apache2 --no-pager

Network and security settings

Network Security Group


Security Rules

Configure network settings

Create a Windows virtual machine in Azure

Storage Options

Mapping storage to disks

By default, two virtual hard disks (VHDs) will be created for your Windows VM:

  1. The Operating System disk. This is your primary or C: drive and has a maximum capacity of 2048 GB.

  2. Temporary disk. This provides temporary storage for the Windows paging file or any apps. It is configured as the D: drive by default.

Create a Windows virtual machine

Use RDP to connect to Windows VMs

Connect to the VM with RDP

Install custom software

We have two approaches:

  1. First, this VM is connected to the Internet. If the software you need has a downloadable installer, you can open a web browser in the RDP session, download the software, and install it. 
  2. If your software is custom, you can copy it from your local machine over to the VM to install it.

Initialize data disks

Configure network settings

Manage VMs with the Azure CLI

Create a virtual machine

The Azure CLI includes the vm command to work with VMs. The most common subcommands include:

create - Create a new virtual machine
deallocate - Deallocate a virtual machine
delete - Delete a virtual machine
list - List the created virtual machines in your subscription
open-port - Open a specific network port for inbound traffic
restart - Restart a virtual machine
show - Get the details for a virtual machine
start - Start a stopped virtual machine
stop - Stop a running virtual machine
update - Update a property of a virtual machine

az vm create is used to create a virtual machine in a resource group. There are several parameters but the four parameters that must be supplied are:

--resource-group: The resource group that will own the virtual machine.
--name: The name of the virtual machine; must be unique within the resource group.
--image: The operating system image to use to create the VM.
--location: The region to place the VM in. Typically this would be close to the consumer of the VM. In this exercise, choose a location nearby from the following list.

Here is an example:

az vm create \
  --resource-group [sandbox resource group name] \
  --location westus \
  --name SampleVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys \
  --verbose
{
  "fqdns": "",
  "id": "/subscriptions/20f4b944-fc7a-4d38-b02c-900c8223c3a0/resourceGroups/Learn-2568d0d0-efe3-4d04-a08f-df7f009f822a/providers/Microsoft.Compute/virtualMachines/SampleVM",
  "location": "westus",
  "macAddress": "00-0D-3A-58-F8-45",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "40.83.165.85",
  "resourceGroup": "2568d0d0-efe3-4d04-a08f-df7f009f822a",
  "zones": ""
}

Explore other VM images

This will output the most popular images that are part of an offline list built into the Azure CLI. 

az vm image list --output table

You can get a full list by adding the --all flag to the command. It is helpful to filter the list with the --publisher, --sku or --offer options.

az vm image list --sku Wordpress --output table --all
az vm image list --publisher Microsoft --output table --all

Some images are only available in certain locations

az vm image list --location eastus --output table

You can also create and upload your own custom images to create VMs based on unique configurations.

Sizing VMs properly

The available sizes change based on the region you're creating the VM in.

az vm list-sizes --location eastus --output table

You can specify size of the VM in the creation command:

az vm create \
    --resource-group [sandbox resource group name] \
    --name SampleVM2 \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys \
    --verbose \
    --size "Standard_DS5_v2"

Resize an existing VM

Before a resize is requested, we must check to see if the desired size is available in the cluster our VM is part of.

az vm list-vm-resize-options \
    --resource-group [sandbox resource group name] \
    --name SampleVM \
    --output table

Resize command:

az vm resize \
    --resource-group [sandbox resource group name] \
    --name SampleVM \
    --size Standard_D2s_v3

Once it's done, it will return a new JSON configuration.

Query system and runtime information about the VM

This command will return all virtual machines defined in this subscription.

az vm list --output table

You can specify json (the default), jsonc (colorized JSON), or tsv (Tab-Separated Values) as the --output type.

Getting the IP address

az vm list-ip-addresses -n SampleVM -o table

Getting VM details

az vm show --resource-group [sandbox resource group name] --name SampleVM

This will return a fairly large JSON block with all sorts of information about the VM.

Adding filters to queries with JMESPath

For example, given the object:

{
  "people": [
    {
      "name": "Fred",
      "age": 28
    },
    {
      "name": "Barney",
      "age": 25
    },
    {
      "name": "Wilma",
      "age": 27
    }
  ]
}

For example, people[1] would return:

{
    "name": "Barney",
    "age": 25
}

For example, adding the qualifier people[?age > '25'] would return:

[
  {
    "name": "Fred",
    "age": 28
  },
  {
    "name": "Wilma",
    "age": 27
  }
]

By adding a select, people[?age > '25'].[name], the query returns just the names:

[
  [
    "Fred"
  ],
  [
    "Wilma"
  ]
]

Filtering our Azure CLI queries

For example, we can retrieve the admin user name:

az vm show \
    --resource-group [sandbox resource group name] \
    --name SampleVM \
    --query "osProfile.adminUsername"

to retrieve all the IDs for your network interfaces, you can use the query:

az vm show \
    --resource-group [sandbox resource group name] \
    --name SampleVM \
    --query "networkProfile.networkInterfaces[].id"

Start and stop your VM with the Azure CLI

Stopping a VM

az vm stop \
    --name SampleVM \
    --resource-group [sandbox resource group name]

We can verify it has stopped by attempting to ping the public IP address, using ssh, or through the vm get-instance-view command.

Type the following command into Azure Cloud Shell to see the current running state of your VM:

az vm get-instance-view \
    --name SampleVM \
    --resource-group [sandbox resource group name] \
    --query "instanceView.statuses[?starts_with(code, 'PowerState/')].displayStatus" -o tsv

This command should return VM stopped as the result.
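The queries from the JMESPath section above (people[1], the age filter, the .[name] select, the networkInterfaces[].id flatten) and the PowerState query just shown, run through a small evaluator for the subset of JMESPath these notes use. This is an added example, not code from the notes or from the Azure CLI (which uses the real jmespath library); the sample documents are constructed, and comparing a quoted literal numerically is a simplification of this toy.

```python
import re

# Constructed sample inputs (not real Azure output): the "people" document from the notes,
# and a document shaped like the instanceView part of `az vm get-instance-view` output.
PEOPLE = {"people": [{"name": "Fred", "age": 28},
                     {"name": "Barney", "age": 25},
                     {"name": "Wilma", "age": 27}]}
INSTANCE_VIEW = {"instanceView": {"statuses": [
    {"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded"},
    {"code": "PowerState/deallocated", "displayStatus": "VM deallocated"}]}}

# One regex alternative per supported step; m.lastgroup tells us which one matched.
STEP = re.compile(r"\[\?(?P<filter>[^\]]+)\]|\[(?P<index>\d+)\]|\[(?P<flatten>\])"
                  r"|\[(?P<select>[\w, ]+)\]|(?P<key>\w+)|\.")
COMPARE = re.compile(r"^(\w+)\s*(==|!=|>=|<=|>|<)\s*'([^']*)'$")
STARTS_WITH = re.compile(r"^starts_with\((\w+),\s*'([^']*)'\)$")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def _matches(item, cond):
    """Evaluate one [?cond] filter condition against a single list element."""
    if not isinstance(item, dict):
        return False
    m = STARTS_WITH.match(cond)
    if m:
        return str(item.get(m.group(1), "")).startswith(m.group(2))
    m = COMPARE.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    field, op, literal = m.groups()
    left = item.get(field)
    # Toy rule: a quoted literal is compared numerically when the field is numeric;
    # a comparison against a missing field is false.
    right = float(literal) if isinstance(left, (int, float)) else literal
    return left is not None and bool(OPS[op](left, right))

def query(expr, data):
    """Apply a reduced JMESPath expression (keys, [n], [], [?cond], [a,b]) to data."""
    value, projected = data, False   # projected: apply later steps to each element
    for m in STEP.finditer(expr):
        kind = m.lastgroup
        if kind is None:             # a bare '.' separator
            continue
        if kind == "key":
            key = m.group(kind)
            if projected:
                value = [e[key] for e in value if isinstance(e, dict) and key in e]
            else:
                value = value.get(key) if isinstance(value, dict) else None
        elif kind == "index":
            value = value[int(m.group(kind))] if isinstance(value, list) else None
            projected = False
        elif kind == "flatten":
            value = [x for e in (value or []) for x in (e if isinstance(e, list) else [e])]
            projected = True
        elif kind == "filter":
            value = [e for e in (value or []) if _matches(e, m.group(kind))]
            projected = True
        elif kind == "select":
            keys = [k.strip() for k in m.group(kind).split(",")]
            pick = lambda e: [e.get(k) for k in keys] if isinstance(e, dict) else None
            value = [pick(e) for e in value] if projected else pick(value)
    return value
```

Run `query("instanceView.statuses[?starts_with(code, 'PowerState/')].displayStatus", INSTANCE_VIEW)` to get the same single-value result the Azure CLI prints with -o tsv.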

Starting a VM

az vm start \
    --name SampleVM \
    --resource-group [sandbox resource group name]

You can verify the status should return VM running.

Restarting a VM

Use the vm restart command.

Install software on your VM

Install NGINX web server

SSH to your VM and use this command:

sudo apt-get -y update && sudo apt-get -y install nginx

Retrieve the default page:

curl -m 10 <PublicIPAddress>

This command will fail because the Linux virtual machine doesn't expose port 80 (http).

Use the following command to open up port 80:

az vm open-port \
    --port 80 \
    --resource-group [sandbox resource group name] \
    --name SampleVM

Run the curl command again and it should return data.

AZ-104 Prerequisites for Azure administrators

My notes from learning path AZ-104 Prerequisites for Azure administrators of Microsoft Certified: Azure Administrator Associate on Microsoft Docs

Module 1 - Apply and monitor infrastructure standards with Azure Policy

Azure Policy

Creating a policy

  1. Create a policy definition
  2. Assign a definition to a scope of resources
  3. View policy evaluation results

Creating a policy definition

A policy definition expresses what to evaluate and what action to take. It is represented as a JSON file

Here is an example of a Compute policy:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Notice the [parameters('listOfAllowedSKUs')] value; this value is a replacement token that will be filled in when the policy definition is assigned to a scope.
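The Deny rule above, evaluated offline against constructed resources to show the replacement token being filled from the assignment's parameters and what happens when the assignment does not supply them. This is an added example, not Azure Policy's own engine or the notes' code; the alias-to-path table and the sample resources are assumptions made for this toy.

```python
import re

# The policy rule from the notes (the page's JSON, loaded as a Python dict).
SKU_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "Deny"}}

# Constructed alias table for this toy: maps a policy alias to a path in the resource
# JSON. Real Azure Policy resolves aliases from the resource provider's schema.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": "properties.hardwareProfile.vmSize"}
PARAM_TOKEN = re.compile(r"^\[parameters\('(\w+)'\)\]$")

# Constructed sample resources and assignment parameters (not real Azure output).
def make_vm(name, size):
    return {"type": "Microsoft.Compute/virtualMachines", "name": name,
            "properties": {"hardwareProfile": {"vmSize": size}}}

BIG_VM = make_vm("SampleVM", "Standard_DS5_v2")
SMALL_VM = make_vm("SampleVM2", "Standard_D2s_v3")
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "samplestorage"}
ALLOWED = {"listOfAllowedSKUs": ["Standard_D2s_v3", "Standard_DS1_v2"]}

def resolve(value, params):
    """Fill a [parameters('x')] replacement token from the assignment's parameters."""
    m = PARAM_TOKEN.match(value) if isinstance(value, str) else None
    if not m:
        return value
    if m.group(1) not in params:
        raise KeyError(f"assignment does not supply parameter '{m.group(1)}'")
    return params[m.group(1)]

def field_value(resource, field):
    """Look up a field on the resource, going through the alias table where needed."""
    node = resource
    for part in ALIASES.get(field, field).split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def holds(cond, resource, params):
    """Recursively evaluate an 'if' block: allOf / anyOf / not / field+equals / field+in."""
    if "allOf" in cond:
        return all(holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not holds(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the effect the policy applies to the resource, or None if the rule does not match."""
    return policy["then"]["effect"] if holds(policy["if"], resource, params) else None

if __name__ == "__main__":
    for r in (BIG_VM, SMALL_VM, STORAGE):
        print(r["name"], "->", evaluate(SKU_POLICY, r, ALLOWED))
```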

Applying Azure policy

Register the resource provider if it's not already registered.

Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

For example, here's how to assign the built-in policy definition that identifies virtual machines not using managed disks to a resource group.

# Get a reference to the resource group that will be the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'

# Get a reference to the built-in policy definition that will be assigned
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition

Identifying non-compliant resources

The results can be seen in the Resource compliance tab of a policy assignment in the Azure portal, or with the command-line tools:

Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'

Policy effects

Deny: The resource creation/update fails due to policy.
Disabled: The policy rule is ignored (disabled). Often used for testing.
Append: Adds additional parameters/fields to the requested resource, e.g. tags.
Audit, AuditIfNotExists: Creates a warning event in the activity log but doesn't stop the request.
DeployIfNotExists: Executes a template deployment when a specific condition is met.

View policy evaluation results

Azure portal showing the policy overview screen

Removing a policy assignment

Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

Organize policy with initiatives

Screenshot showing Azure portal defining initiatives and definitions

Enterprise governance management

Here is an example of creating a hierarchy for governance using management groups:

Image showing Azure Management Groups as a tree graph of relationships

Another scenario where you would use management groups is to provide user access to multiple subscriptions. You can create one role-based access control (RBAC) assignment on the management group that will allow that access to all the subscriptions.

Define standard resources with Azure Blueprints

Blueprint vs. ARM templates

Blueprint vs. Azure Policy

Compliance Manager

You also have to understand how the provider manages the underlying resources you are building on.

Microsoft Privacy Statement

What personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Microsoft Trust Center

Service Trust Portal

Compliance Manager

Monitor your service health

You will want to know about any issues or performance problems your users might encounter.

Azure Monitor

Data sources can range from your application, any operating system and services:

Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
Azure resource monitoring data: Data about the operation of an Azure resource.
Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.

Diagnostic settings

Getting more data from your apps

Responding to alert conditions

Azure Service Health

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It comprises:

Module 2 - Introduction to Azure virtual machines

Key Points: Microsoft Azure Administrator (AZ-103)

Key points consolidated from the course Exam Tips: Microsoft Azure Administrator (AZ-103) of learning path Prepare for Microsoft Azure Administrator Certification (AZ-103) on Linkedin Learning

Manage Azure Subscriptions and Resources

Manage Azure Subscriptions

Analyze Resource Utilization

Manage Resource Groups

Manage Role-Based Access Control

Implement and Manage Storage

Create and Configure Storage Accounts

Import and Export Data to Azure

Configure Azure File

Implement Azure Backup

Deploy and Manage Virtual Machines (VMs)

Create and Configure a VM for Windows and Linux

Automate Deployment of VMs

Manage an Azure VM

Manage VM Backups

Configure and Manage Virtual Networks

Create Connectivity Between Virtual Networks

Implement and Manage Virtual Networking

Configure Name Resolution

Create and Configure a Network Security Group (NSG)

Implement Azure Load Balancer

Monitor and Troubleshoot Virtual Networking

Integrate On-premise Network with an Azure Virtual Network

Manage Identities

Manage Azure Active Directory (AD)

Manage Azure AD Objects: Users, Groups, and Devices

Implement and Manage Hybrid Identities

Implement Multi-Factor Authentication (MFA)


Azure Administration: Manage Subscriptions and Resources

My notes from the course Azure Administration: Manage Subscriptions and Resources of Prepare for Microsoft Azure Administrator Certification (AZ-103) learning path on Linkedin Learning

Manage Azure Subscriptions

Administrator Roles

Azure Policy

Analyze Resource Utilization and Consumption

Types of Logs


Configure Diagnostic Settings


PowerShell

# List all resources
Get-AzureRmResource | ft

# Enable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $True -StorageAccountId 'StorageID'

# Display resource detail and settings
Get-AzureRmDiagnosticSetting -ResourceId 'ResourceID'

# Disable diagnostic settings
Set-AzureRmDiagnosticSetting -ResourceId 'ResourceID' -Enabled $False

Baseline for Resources

Azure Alerts


Rate Limiting

Azure Advisor

VM Optimization

Manage Resource Groups

Apply Policies

# Get resource group and policy definition
$RG = Get-AzureRmResourceGroup -Name 'AZ-100'
$Definition = Get-AzureRmPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create a policy assignment
New-AzureRmPolicyAssignment -Name 'VM-manageddisk' -DisplayName 'Virtual Machines without Managed Disks' -Scope $RG.ResourceId -PolicyDefinition $Definition

# List all policy definitions
Get-AzureRmPolicyDefinition

# Get policy assignment
$PolicyAssignment = Get-AzureRmPolicyAssignment | Where-Object { $_.Properties.DisplayName -eq 'Virtual Machines without Managed Disks' }
$PolicyAssignment.PolicyAssignmentId

# Remove policy assignment
Remove-AzureRmPolicyAssignment -Name 'VM-manageddisk' -Scope $RG.ResourceId

Resource Locks

# Create a new resource lock
New-AzureRmResourceLock -LockName NoDelete -LockLevel CanNotDelete -LockNotes "Cannot Delete Resources" -ResourceGroupName 'AZ-100'

# List all resource locks
Get-AzureRmResourceLock

# List resource lock in specific resource group
Get-AzureRmResourceLock -ResourceGroupName 'AZ-100'

# Remove resource lock
Remove-AzureRmResourceLock -LockName NoDelete -ResourceGroupName 'AZ-100'

Setting Tags

# List all tags in the subscription
Get-AzureRmTag

# Create a new tag
New-AzureRmTag -Name 'IT' -Value "Dev"

# Set tags on resource group
Set-AzureRmResourceGroup -Name "AZ-100" -Tag @{IT = 'Prod'}

# Get count and values of specific tag name
Get-AzureRmTag -Name "IT"

# Assign tag to a resource
$resource = Get-AzureRmResource -ResourceName 'Server2012R2' -ResourceGroupName 'AZ-100'
Set-AzureRmResource -Tag @{IT = "Dev"} -ResourceID $resource.ResourceID -Force

# Delete tags from resource group
Set-AzureRmResourceGroup -Tag @{} -Name 'AZ-100'

# Delete tags from a resource
Set-AzureRmResource -Tag @{} -ResourceID $resource.ResourceID -Force

# Delete tag
Remove-AzureRmTag -Name 'IT'

Moving Resources

# List all resource IDs in resource group
Get-AzureRmResource -oDataQuery "`$filter=resourcegroup eq 'OldRGPS'" | Format-Table -Property ResourceID

# Move a resource
Move-AzureRmResource -DestinationResourceGroupName "NewRGPS" -ResourceId ""

# List all resource IDs in the new resource group
Get-AzureRmResource -oDataQuery "`$filter=resourcegroup eq 'NewRGPS'" | Format-Table -Property ResourceID

Remove Resource Group

Remove-AzureRmResourceGroup -Name 'NewRGPS'

Manage Role-Based Access Control (RBAC)

Overview