Azure IAAS how to. Herman Keijzer, PTS ([email protected])

04 Azure IAAS 101




Page 2: 04 Azure IAAS 101
Page 3: 04 Azure IAAS 101

Management models for IaaS: Classic Model (v1) vs. Resource Manager (v2)

Classic Model (v1): a Cloud Service contains the VM with its IP address; the VM's disk is a blob in a Storage Account; the VM sits in a Subnet of a Virtual Network; the Load Balancer has its own IP address.

Resource Manager (v2): all resources live in a Resource Group: the VM, its NIC and VM IP address, a Load Balancer with its IP address and a backend pool (NICs), a Network Security Group, the VNet and Subnet, and the Storage Account holding the disk (blob). Resources are linked by DependsOn and Reference relationships instead of being nested inside a Cloud Service.

Focus of this presentation: the Resource Manager (v2) model.

Page 4: 04 Azure IAAS 101

Azure Templates can:
• Ensure idempotency
• Simplify orchestration
• Simplify roll-back
• Provide cross-resource configuration and update support

Azure Templates are:
• A source file, checked in
• A specification of resources and dependencies (VMs, websites, DBs) and connections (config, LB sets)
• Parameterized input/output

Instantiation of a repeatable configuration: the template (configuration) is deployed into a Resource Group.

Power of repeatability (example): a "SQL-A Website" configuration consisting of a SQL config and 2x VM, where the VMs depend on SQL.

Page 5: 04 Azure IAAS 101

Why IaaS under ARM?
• CloudFormation compete: complex application templates
• Role Based Access Control: enterprise grade security
• Tag based billing: superior cost management on the cloud
• Deep integration with Azure services (e.g. websites with virtual machines), enhanced portal experiences, Azure Marketplace solution templates
• Regional architecture: increased subscription scale, increased throttling scale, engineering agility for features/fixes
• Decoupled network model: clean separation of compute and network concepts; the network model resembles traditional physical devices
• Reduced locking semantics: massively parallel deployment of virtual machines
• Enhanced compute capabilities: improved SSH experience, 3 fault domains and 20 update domains
• Unified Azure Stack: one single model to interact with the Microsoft Cloud

Page 6: 04 Azure IAAS 101

Simplified Manageability of Applications on IaaS

Upgrade
• Complexity made simple
• A master template can be used to roll out upgrades
• Imperative APIs and client tools support updating the resources

Manageability, Auditing
• Operations can be tracked up to 90 days
• Management Locks lock down resources against deletion

Page 7: 04 Azure IAAS 101

Wide range of Quickstart Templates
• GitHub repo, indexed on Azure.com
• Community & Microsoft contributed
• Integration of IaaS with Azure services

Getting Started with Azure Templates
https://azure.microsoft.com/en-us/documentation/templates/

Page 8: 04 Azure IAAS 101

Github

https://github.com/Azure/azure-quickstart-templates

Page 9: 04 Azure IAAS 101

Azure PowerShell install and configure:
https://azure.microsoft.com/nl-nl/documentation/articles/powershell-install-configure/

Web Platform Installer:
https://www.microsoft.com/web/downloads/platform.aspx

Page 10: 04 Azure IAAS 101

Microsoft Azure Resource Providers
• Microsoft.Compute: virtualMachines, extensions, vmSizes, availabilitySets
• Microsoft.Storage: storageAccounts
• Microsoft.Network: loadBalancers, networkInterfaces, networkSecurityGroups, publicIPAddresses, trafficManagerProfiles, virtualNetworks
• Microsoft.Web: geoRegions, hostingEnvironments, publishingUsers, serverfarms, sites
• And many more…

List the available resource providers:
Get-AzureRmResourceProvider -ListAvailable

Page 12: 04 Azure IAAS 101

38 Azure regions, 2x the number of AWS regions

Regions shown on the map: Atlanta, Chicago, Dallas, Silicon Valley, Washington DC, New York, US DoD West, US DoD East, Amsterdam, Dublin*, London, Chennai, Hong Kong, Mumbai*, Melbourne*, Osaka, Singapore, Sydney, Tokyo, Korea South, Korea Central

Map legend: * and Coming Soon

Page 13: 04 Azure IAAS 101

List locations via PowerShell:
Get-AzureRmLocation | Out-GridView -Title "Azure locations"

Page 15: 04 Azure IAAS 101

Using resource groups

Tagging
• Name-value pairs assigned to resources or resource groups
• Tag by environment (dev/test/prod), role (web/cache/db), department (finance/retail/legal), responsible party (Bob, Ted, Carol, Alice)

RBAC
• Allows secure access with granular permissions
• Assignable to Azure AD subscription users, groups, or service principals
• Built-in roles make it easy to get started

Why use multiple resource groups? To divide the administrative management between roles or IT departments.

Page 16: 04 Azure IAAS 101

Resource Tags
• Name-value pairs assigned to resources or groups
• Subscription-wide taxonomy
• Each resource can have up to 15 tags

Tagging Tips
• Notes: simple note for the VM
• Creator: track the "owner" of a VM
• Department/Cost center: who pays
• Environment: production vs. pre-production vs. test

Page 17: 04 Azure IAAS 101

Tagging & Billing

When you download the usage CSV for services that support tags with billing, the tags will appear in the Tags column.

Page 18: 04 Azure IAAS 101

Resource Group Lifecycle
Question: Should these resources be in the same group or a different one?
Hint: Do they have a common lifecycle and management?
Answer: Up to you.

Page 19: 04 Azure IAAS 101

Azure Resource Group Limits

https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/

Page 20: 04 Azure IAAS 101

Create resource group

New-AzureRmResourceGroup -Name Azure101 -Location "West Europe"

Page 21: 04 Azure IAAS 101

Tags: adding tags to the collection
New-AzureRmTag -Name "Demo" -Value "azureworkshop"

Page 22: 04 Azure IAAS 101

Role Based Access Control
Used only for Azure administration:
• Manage resources in Azure, i.e. virtual machines, storage, networks, etc.
• Remember that Azure AD is not an Azure resource

Roles are composed of:
• Actions
• Not Actions (excluded operations)
• Scopes

Page 23: 04 Azure IAAS 101

Role Based Access Control

Page 24: 04 Azure IAAS 101

Built-in Roles

BUILT-IN ROLE | ACTIONS | NOT ACTIONS
Owner (allow all actions) | * | (none)
Contributor (allow all actions except writing or deleting role assignments) | * | Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete
Reader (allow all read actions) | */Read | (none)

Custom Roles
Custom roles can be created using the RBAC command-line tools in Azure PowerShell and the Azure Command-Line Interface.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/

Page 25: 04 Azure IAAS 101

RBAC

https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-powershell/
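The slides above describe roles as Actions, Not Actions and Scopes, and point to PowerShell for custom roles. The following is an added example, not code from the deck, that defines such a custom role and assigns it at resource-group scope rather than to the whole subscription. The subscription id and the Azure AD group object id are placeholders; the resource group name Azure101 is taken from the earlier slide; the role name and the exact action list are this example's choices.

```powershell
# Added example: custom RBAC role with Actions / NotActions / AssignableScopes,
# assigned at resource-group scope. Assumes the AzureRM module and a logged-in
# session (Login-AzureRmAccount). Placeholder values are marked with < >.

$subscriptionId = "<subscription id>"
$rgName         = "Azure101"                       # resource group from the deck
$operatorsGroup = "<Azure AD group object id>"     # who gets the role

# Role definition: operators may start/restart/deallocate VMs and read the
# resources around them, but cannot write or delete role assignments.
$roleDef = @{
    Name             = "Virtual Machine Operator (Azure101)"   # example name
    IsCustom         = $true
    Description      = "Start, restart and deallocate VMs; read-only otherwise."
    Actions          = @(
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    )
    NotActions       = @(
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete"
    )
    # The role can only be assigned inside this one resource group.
    AssignableScopes = @("/subscriptions/$subscriptionId/resourceGroups/$rgName")
}

# New-AzureRmRoleDefinition takes the definition as a JSON file.
$roleFile = Join-Path $env:TEMP "vm-operator-role.json"
$roleDef | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding UTF8
$role = New-AzureRmRoleDefinition -InputFile $roleFile

# Assign the role to the group at resource-group scope (least privilege: not the subscription).
New-AzureRmRoleAssignment -ObjectId $operatorsGroup `
    -RoleDefinitionName $role.Name `
    -ResourceGroupName $rgName

# Review the assignments that apply to the resource group.
Get-AzureRmRoleAssignment -ResourceGroupName $rgName |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The NotActions mirror the built-in Contributor role from the table above: whatever the Actions grant, the role can never hand out permissions to others.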

Page 28: 04 Azure IAAS 101

Let us Recap…

Page 29: 04 Azure IAAS 101

Put another way, each VM needs…
• A load balancer to distribute incoming traffic
• An availability set for high availability
• A network security group to protect it
• A VNet and subnet for addressing and connectivity
• A storage account to store its disks
• A resource group for logical grouping (management)
• A location for an Azure datacenter on which to run
• A subscription for billing purposes


Page 32: 04 Azure IAAS 101

The hierarchy for a virtual machine
• Subscription (required)
• Location (required)
• Resource group (required)
• Storage account (required)
• Availability set (optional)
• Load balanced set (optional)
• Virtual network (required)
• Subnet (required)
• Network security group (optional)
• Virtual machine

Page 33: 04 Azure IAAS 101

Start building

Page 34: 04 Azure IAAS 101

Major design steps
1. Naming convention
2. Connectivity
3. Storage
4. Virtual machines
5. Identity
6. Security

Example workloads used in the following steps: a web-based LOB application; an intranet SharePoint 2013 farm.

Page 35: 04 Azure IAAS 101

Step 1: Determine your naming convention
• All of the Azure infrastructure elements require unique names
• The scope of uniqueness varies

Page 36: 04 Azure IAAS 101

Names in the Azure hierarchy
• Subscription
• Location (specified by Azure)
• Resource group (unique to parent location)
• Storage account (globally unique)
• Availability set (unique to parent RG)
• Load balanced set (unique to parent RG)
• Virtual network (unique to parent RG)
• Subnet (unique to parent virtual network)
• Network security groups (unique to parent RG)
• Virtual machine (15 character maximum)

Page 37: 04 Azure IAAS 101

Examples of naming conventions

Affixes
• The beginning of the name (prefix)
• The end of the name (suffix)

Constructing names
Example: dev-usw-vm-sp04 (15-character maximum)

Name element | Examples
Environment or deployment role | dev, stg, prd
Azure location | usw (West US), use (East US 2)
Azure component, service, or product | rg for resource group, vnet for virtual network, vm for virtual machine
Role | sql, ora, sp, iis
Instance | 01, 02, 03, etc.

Page 38: 04 Azure IAAS 101

Key questions for the naming convention
• Is there an existing naming convention for your networking/machines/infrastructure elements?
• How can this naming convention be extended to include new Azure IaaS elements? Resource groups, availability sets, storage accounts, network security groups, load balancer sets, etc.

Resource: Azure implementation guidelines

Page 39: 04 Azure IAAS 101

Results of Step 1
Set of rules to define the names of:
• Resource groups
• Storage accounts
• Availability sets
• Virtual networks
• Subnets
• Network security groups
• Load balancer instances
• Virtual machines

Page 40: 04 Azure IAAS 101

Step 2: Design your connectivity
VNet types
• Cloud-only or cross-premises
VNet connections
• Site-to-site VPN, ExpressRoute, VNet-to-VNet
Within each VNet
• Addressing
• Subnets
• DNS
For each VNet
• Routing to and from the intranet
• Routing to and from the Internet
• User-defined routing

Page 41: 04 Azure IAAS 101

Connection types (customer segment and workloads)

Secure site-to-site VPN connectivity
• SMB, Enterprises
• Connect to Azure compute

Secure point-to-site connectivity
• Developers
• POC efforts
• Small scale deployments
• Connect from anywhere

ExpressRoute private connectivity
• SMB & Enterprises
• Mission critical workloads
• Backup/DR, media, HPC
• Connect to all Azure services

Internet connectivity
• Consumers
• Access over public IP
• DNS resolution
• Connect from anywhere

Page 42: 04 Azure IAAS 101

Key questions for connectivity
• Will you need multiple instances of the LOB app in different geographic areas?
• Do you need direct network access to the VMs of the LOB app?
• How will the VMs in the VNet register their names and resolve names? What names do they need to resolve (each other, intranet, Internet)?
• How will packets be routed to and from the intranet, the Internet, or other VNets?

Resource: Microsoft Cloud Networking for Enterprise Architects

Page 43: 04 Azure IAAS 101

VNet
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/

An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can also further segment your VNet into subnets and launch Azure IaaS virtual machines (VMs) and/or Cloud Services (PaaS role instances). Additionally, you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure.

Page 44: 04 Azure IAAS 101

VNet: on-premises vs. Azure
Firewalls are substituted by NSGs.

Page 45: 04 Azure IAAS 101

Virtual Network benefits
• Isolation. VNets are completely isolated from one another. That allows you to create disjoint networks for development, testing, and production that use the same CIDR address blocks.
• Access to the public Internet. All IaaS VMs and PaaS role instances in a VNet can access the public Internet by default. You can control access by using Network Security Groups (NSGs).
• Access to VMs within the VNet. PaaS role instances and IaaS VMs can be launched in the same virtual network and they can connect to each other using private IP addresses, even if they are in different subnets, without the need to configure a gateway or use public IP addresses.
• Name resolution. Azure provides internal name resolution for IaaS VMs and PaaS role instances deployed in your VNet. You can also deploy your own DNS servers and configure the VNet to use them.
• Security. Traffic entering and exiting the virtual machines and PaaS role instances in a VNet can be controlled using Network Security Groups.
• Connectivity. VNets can be connected to each other, and even to your on-premises datacenter, by using a site-to-site VPN connection or an ExpressRoute connection.

Page 46: 04 Azure IAAS 101

Results of Step 2
The set of VNets needed to host the LOB app. For each VNet:
• Type
• Connections (site-to-site VPN, ExpressRoute, VNet-to-VNet)
• Address space
• Subnets (gateway and VM-hosting) and their address spaces
• DNS configuration
• Gateways
• Local gateway devices
• Local network address spaces for routing
• User-defined routes

Page 47: 04 Azure IAAS 101

Step 3: Design your storage
Storage types
• Standard
• Premium
Data replication
• Local/geo
Disk caching
• On by default for OS disks
• Off by default for data disks

Page 48: 04 Azure IAAS 101

Key questions for storage
• What level of data replication is required?
• Do any virtual machines need premium storage? If so, they must be created from the DS series.
• Do any of the extra disks for the virtual machines need to have disk caching enabled?

Resource: Azure implementation guidelines

Page 49: 04 Azure IAAS 101

Storage

Blob storage stores file data. A blob can be any type of text or binary data, such as a document, media file, or application installer.

Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid development and fast access to large quantities of data.

Queue storage provides reliable messaging for workflow processing and for communication between components of cloud services.

File storage offers shared storage for legacy applications using the standard SMB 2.1 protocol. Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File service REST API.

Three blob types:
- Page (hard disk images, VMs)
- Block (video, images)
- Append (logging)

Replication: LRS, ZRS, GRS
Access tiers: Hot and Cold
Performance: Standard or Premium (Premium for VMs only)

https://docs.microsoft.com/en-us/azure/storage/storage-introduction

Page 50: 04 Azure IAAS 101

Diagram: ZRS vs. LRS replication.

Page 51: 04 Azure IAAS 101

Azure Virtual Machine Storage

Standard Storage
• Based on page blobs in Azure Storage
• Up to 500 IOPS per disk
• Up to 1 TB per disk storage capacity
• Support for geo-redundancy
• Supports all instance sizes

Premium Storage
• Based on low latency, high performance SSD storage
• Up to 5,000 IOPS per disk
• Support for local-redundancy only
• Supports the DS and GS instance sizes

Page 52: 04 Azure IAAS 101

Standard Storage Capacity Planning
• IOPS per disk: 300 for Basic tier, 500 for Standard tier (60 Mbps)
• IOPS per storage account: 20,000, which supports up to ~40 data disks at the maximum IOPS per disk
• Group disks into striped sets for more IOPS. Example: 4 disks x 500 IOPS = 2000 IOPS

Page 53: 04 Azure IAAS 101

Azure Premium Storage
• Consistent low latency, SSD based with predictable IO throughput
• Suitable for high-performance, IO-intensive database workloads
• Single digit millisecond latencies
• Supports up to 1 TB blob/disk size
• Stripe up to 32 disks for a total of 32 TB and more than 80,000 IOPS
• Premium Storage disks work with DS and GS sizes

Disk type | P10 | P20 | P30
Disk size | 128 GB | 512 GB | 1024 GB
IOPS per disk | 500 | 2300 | 5000
Throughput per disk | 100 MB/sec | 150 MB/sec | 200 MB/sec

Page 54: 04 Azure IAAS 101

Azure Storage Capacity Planning
Standard Storage
• 300 IOPS per disk with Basic tier and Standard Storage
• 500 IOPS per disk with Standard tier and Standard Storage
• Up to 20,000 IOPS per Azure Storage Account (Standard), ~40 disks
Premium Storage
• Up to 5000 IOPS per disk with Standard tier and Premium Storage
• Up to 32 disks per Premium Storage Account

Note: on DS and GS instances you can mix standard and premium storage disks.

Page 55: 04 Azure IAAS 101

Storage account

# storage account
$stName = "workshopbin123"
$locName = "West Europe"
$rgName = "Azureworkshop"

$storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName

Note: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Your storage account name must be unique within Azure. The Azure Portal will indicate if the storage account name you select is already in use.
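The naming convention from Step 1 (dev-usw-vm-sp04, 15 characters maximum for VMs) and the storage account rule in the note above (3 to 24 lowercase letters and digits, globally unique) are both checkable before anything is deployed. The following is an added example, not code from the deck, that builds names from the convention and validates them; the component abbreviations sa, nsg and avs and the function names are this example's additions, and the availability check assumes the AzureRM.Storage module with a logged-in session.

```powershell
# Added example: build names per <env>-<location>-<component>-<role><instance>
# and validate them against the rules stated on the slides.
# Component codes rg, vnet, vm come from the deck; sa, nsg, avs are assumptions.

function New-AzureElementName {
    param(
        [Parameter(Mandatory)][ValidateSet("dev","stg","prd")][string]$Environment,
        [Parameter(Mandatory)][ValidateSet("usw","use")][string]$Location,
        [Parameter(Mandatory)][ValidateSet("rg","vnet","vm","sa","nsg","avs")][string]$Component,
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][ValidateRange(1,99)][int]$Instance
    )
    # Instance is zero-padded to two digits: sp + 4 -> sp04
    $name = "{0}-{1}-{2}-{3}{4:d2}" -f $Environment, $Location, $Component, $Role, $Instance
    if ($Component -eq "sa") {
        # Storage account names allow no hyphens or upper case; strip and lower-case.
        $name = ($name -replace "-", "").ToLowerInvariant()
    }
    return $name
}

function Test-VmName {
    param([Parameter(Mandatory)][string]$Name)
    # Slide rule: virtual machine names have a 15-character maximum.
    return $Name.Length -le 15
}

function Test-StorageAccountName {
    param([Parameter(Mandatory)][string]$Name)
    # Slide rule: 3-24 characters, lowercase letters and numbers only.
    return $Name -match '^[a-z0-9]{3,24}$'
}

# Usage: the deck's own example name and its storage account counterpart.
$vmName = New-AzureElementName -Environment dev -Location usw -Component vm -Role sp -Instance 4
$saName = New-AzureElementName -Environment dev -Location usw -Component sa -Role sp -Instance 4
"VM name $vmName is valid: $(Test-VmName $vmName)"
"Storage account name $saName is valid: $(Test-StorageAccountName $saName)"

# Global uniqueness can only be checked against Azure itself.
if (Test-StorageAccountName $saName) {
    $avail = Get-AzureRmStorageAccountNameAvailability -Name $saName
    if (-not $avail.NameAvailable) {
        Write-Warning "$saName is not available: $($avail.Message)"
    }
}
```

Running the local checks first keeps the scripted deployments later in the deck from failing half-way through with a name that the storage provider rejects.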

Page 56: 04 Azure IAAS 101

Storage account endpoints
Every object that you store in Azure Storage has a unique URL address. The storage account name forms the subdomain of that address. The combination of subdomain and domain name, which is specific to each service, forms an endpoint for your storage account. For example, if your storage account is named mystorageaccount, then the default endpoints for your storage account are:
• Blob service: http://mystorageaccount.blob.core.windows.net
• Table service: http://mystorageaccount.table.core.windows.net
• Queue service: http://mystorageaccount.queue.core.windows.net
• File service: http://mystorageaccount.file.core.windows.net

Page 57: 04 Azure IAAS 101

Storage account

Page 58: 04 Azure IAAS 101

Azure Storage Explorer
http://storageexplorer.com/
https://channel9.msdn.com/Blogs/Windows-Azure/Whats-new-on-Microsoft-Azure-Storage-Explorer-v07201603250

Page 59: 04 Azure IAAS 101

Blob access rights

New-AzureStorageContainer -Context $StorageContext -Permission Container -Name media

Permission levels:
• Off, which restricts access to only the storage account owner.
• Blob, which provides read access to blob data within a container through anonymous request, but does not provide access to container data. Clients cannot enumerate blobs within the container via anonymous request.
• Container, which provides full read access to a container and its blobs. Clients can enumerate blobs within the container through anonymous request, but cannot enumerate containers within the storage account.
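Because a container created with -Permission Blob or Container is readable without any credentials, the permission level is worth auditing after the fact. The following is an added example, not code from the deck, that lists the containers of the workshop storage account whose access is not Off and resets them. It reuses the resource group and storage account names from the earlier slide and assumes the AzureRM.Storage and Azure.Storage modules with a logged-in session.

```powershell
# Added example: audit container public-access levels and reset them to Off.
# Names come from the deck's storage account slide; the account must exist.

$rgName = "Azureworkshop"
$stName = "workshopbin123"

# The storage account object carries a ready-made storage context (keys resolved for us).
$ctx = (Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName).Context

function Get-PublicContainer {
    param([Parameter(Mandatory)]$Context)
    # PublicAccess is Off, Blob or Container; anything other than Off answers anonymous requests.
    Get-AzureStorageContainer -Context $Context |
        Where-Object { $_.PublicAccess -ne "Off" } |
        Select-Object Name, PublicAccess, LastModified
}

$exposed = Get-PublicContainer -Context $ctx
if ($exposed) {
    "Containers readable without credentials in $stName :"
    $exposed | Format-Table -AutoSize
    foreach ($c in $exposed) {
        # Reset to owner-only. The vhds container holding VM disks must never be public.
        Set-AzureStorageContainerAcl -Name $c.Name -Permission Off -Context $ctx
        "Reset $($c.Name) to Off"
    }
} else {
    "No anonymously readable containers in $stName"
}
```

The same loop can be run read-only (drop the Set-AzureStorageContainerAcl call) as a periodic check, since a container's ACL can be changed later by anyone holding the account key.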

Page 60: 04 Azure IAAS 101

Results of Step 3
The set of storage accounts for VMs and their disks:
• One for each LOB application
• An additional one for premium storage
For each storage account:
• Intended use
• Location
• Resource group
• Name
• Data replication
• Type (standard or premium)
For each extra disk:
• Host caching setting

Page 61: 04 Azure IAAS 101

Step 4: Design your VMs
• Tiers of your LOB app
• Sizes and series: DS series if using premium storage
• High availability with multiple VMs at each tier and availability sets
• Distribute incoming traffic to multiple VMs with a load balancer: an Azure load balancer instance with inbound NAT rules, or an Azure network appliance

Page 62: 04 Azure IAAS 101

Compute size options (from highest value to largest scale-up)
• A: dev/test and entry-level workloads; earliest generation, HDD; 100 ACU/core
• D: good combination of memory and SSD for the most common production applications; memory-intensive variants; 210 ACU/core
• F: compute-intensive apps like gaming and analytics; higher CPU to memory ratio; 210 ACU/core
• G: large VMs for large databases requiring fast storage; Intel Haswell processor with 0.5 TB RAM; 180 ACU/core
• Premium Storage: >80,000 IOPS
Other series on the chart: Av2, Dv2, L, S, N, H, Z

https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-sizes/

Page 63: 04 Azure IAAS 101

Key questions for VMs
• What tiers do you need?
• How many VMs per tier for availability and load?
• Do you need to provide load distribution across the tier? DNS round robin, Azure load balancing, or a network appliance in Azure
• Which VMs need to run 24x7 and which do not?

Resource: Azure implementation guidelines

Page 64: 04 Azure IAAS 101

Azure availability set
Fault Domains
• Represent groups of resources anticipated to fail together, i.e. same rack, same server
• The fabric spreads instances across a minimum of 2 fault domains
Update Domains
• Groups of resources that will be updated together
• Host OS updates honour service update domains
• Specified in the service definition
• Default of 5 (up to 20)
Availability Sets
• VMs in separate fault domains
• SLA 99.95 | HW SW | Windows & Linux

Page 65: 04 Azure IAAS 101

Virtual machine storage architecture
• C:\ OS disk, persisted in Azure Blobs
• E:\, F:\, etc. data disks, persisted in Azure Blobs
• D:\ temporary disk (dynamic VHD, local disk cache) on shared local disk: performance can be variable, contents can be lost

Page 66: 04 Azure IAAS 101

Virtual Machine Disk Layout: OS Disk
• Persistent
• SATA
• Drive C:

Page 67: 04 Azure IAAS 101

Virtual Machine Disk Layout: Temporary Storage Disk
• Local (not persistent)
• SATA
• Drive D:

Page 68: 04 Azure IAAS 101

Virtual Machine Disk Layout: Data Disk(s)
• Persistent
• SCSI
• Customer defined letter

Page 69: 04 Azure IAAS 101

Multiple NICs per VM

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/
https://azure.microsoft.com/en-us/documentation/articles/virtual-network-deploy-multinic-arm-ps/?cdn=disable

The VM size determines the number of NICs that you can create for a VM! Configure only via PowerShell, CLI or template!

Page 70: 04 Azure IAAS 101

Adding disk to a VM

Page 71: 04 Azure IAAS 101

Results of Step 4
• The set of VMs in their tiers
• The set of Azure settings for each tier: resource group, subnet, availability set, load balancer
• The set of Azure settings and elements for each VM: environment settings, VM-specific settings

Page 72: 04 Azure IAAS 101

For each VM
Azure environment settings
• Location
• Resource group
• Storage account
• VNet
• Subnet
• Availability set
• Load balancer instance
VM-specific settings
• Name
• Image (Publisher, Offer, Sku)
• Size (VM series)
• Extra disks with host caching setting
• Static IP addresses

Page 73: 04 Azure IAAS 101

Step 5: Design your identity tier
Authentication provider and methods
• Windows Active Directory or other
• Client authentication
• Server-to-server authentication
High availability for authentication requests
Authentication request traffic distribution
• DNS round robin
• Azure load balancer
• Network appliance in Azure

Page 74: 04 Azure IAAS 101

Key questions for your identity tier
• What is the identity provider?
• How will authentication/authorization request traffic travel to the identity providers?
• How to provide availability and scalability?

Resource: Azure identity management

Page 75: 04 Azure IAAS 101

Results of Step 5
• The set of VMs to support identity for the LOB application
• The load distribution method
• The set of network security groups and settings to allow authentication/authorization request traffic

Page 76: 04 Azure IAAS 101

Step 6: Design security
Inbound and outbound traffic flows
• Stateful, host-based firewalls
• Network security groups
Traffic flow inspection
• Azure network appliance
End-to-end encryption
• IPsec policies
Disk encryption
Anti-malware
• Agents running on virtual machines

Page 77: 04 Azure IAAS 101

Key questions for security
• How will you protect the virtual machines from incoming traffic from the Internet?
• How will you protect the traffic traveling between virtual machines (subnet isolation, end-to-end encryption)?
• How will you protect your virtual machines from malware?

Resource: Virtual Machines - Security

Page 78: 04 Azure IAAS 101

NSG, Network Security Group
A network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. NSGs can be associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet. In addition, traffic to an individual VM can be restricted further by associating an NSG directly to that VM.

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/

Note: Endpoint-based ACLs and network security groups are not supported on the same VM instance. If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For information about how to do this, see Managing Access Control Lists (ACLs) for Endpoints by using PowerShell.

Page 79: 04 Azure IAAS 101

NSG

Page 80: 04 Azure IAAS 101

NSG default tags: VIRTUAL_NETWORK, AZURE_LOADBALANCER, INTERNET

https://azure.microsoft.com/nl-nl/documentation/articles/virtual-networks-create-nsg-arm-pportal/
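The NSG slides describe ACL rules, subnet association and the default tags but show no rule set. The following is an added example, not code from the deck, that builds a subnet-level NSG for the TestNet/singleSubnet network created later on the "create the vm" slide: RDP only from a corporate prefix, HTTPS from the Internet, and an explicit deny for everything else from the Internet. The resource group, VNet and subnet names are the deck's; the corporate prefix and NSG name are placeholders; the tag spellings Internet and AzureLoadBalancer are the Resource Manager form of the deck's INTERNET and AZURE_LOADBALANCER default tags. It assumes the AzureRM.Network module and a logged-in session.

```powershell
# Added example: NSG with allow-list rules, associated with the VM subnet.
# Placeholders are in < >. Rules are evaluated by priority (lowest number first);
# the first matching rule wins, then the platform defaults apply.

$rgName     = "HKTestRG"          # from the deck
$locName    = "West Europe"
$vnetName   = "TestNet"
$subnetName = "singleSubnet"
$nsgName    = "dev-weu-nsg-fe01"  # example name following the Step 1 convention
$corpPrefix = "<on-premises public prefix, e.g. 203.0.113.0/24>"   # placeholder (documentation range)

$rules = @(
    # Management: RDP only from the corporate range, never from the Internet tag.
    New-AzureRmNetworkSecurityRuleConfig -Name "allow-rdp-from-corp" -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $corpPrefix -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389
    # Application traffic: HTTPS from anywhere on the Internet.
    New-AzureRmNetworkSecurityRuleConfig -Name "allow-https-from-internet" -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    # Explicit deny for all other Internet traffic, placed below the allows and above the
    # platform defaults (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound),
    # so the intent is visible in the rule list instead of relying on the implicit deny.
    New-AzureRmNetworkSecurityRuleConfig -Name "deny-all-from-internet" -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol * `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName `
    -Location $locName -SecurityRules $rules

# Associate the NSG with the subnet so every VM in it is covered, then write the VNet back.
$vnet   = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Verify the resulting rule order.
Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Associating the NSG with the subnet rather than a single NIC matches the slide's note that subnet rules apply to every VM in the subnet; a second NSG on an individual VM's NIC can then tighten, but never loosen, what the subnet NSG allows.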

Page 81: 04 Azure IAAS 101

NSG

Page 82: 04 Azure IAAS 101

Public IP ranges of the Microsoft Azure datacenters

https://www.microsoft.com/en-in/download/confirmation.aspx?id=41653

Page 83: 04 Azure IAAS 101

Results of Step 6
• The set of network security groups: VM interface or subnet-based, rules for inbound and outbound addresses and ports
• The use of network appliances: enhanced firewalling, traffic inspection, intrusion detection, etc.
• IPsec policies for end-to-end encryption
• Disk encryption policies
• Anti-malware agents for VMs

Page 84: 04 Azure IAAS 101

Results of the overall LOB application design process for Azure IaaS
The set of Azure elements for the LOB application and their settings:
• Subscription
• Locations
• Resource groups
• Storage accounts
• Virtual networks
• Subnets
• Network security groups
• Availability sets
• Load balancers
• Virtual machines

Page 85: 04 Azure IAAS 101

Demo environment (diagram)
• Subscription
• Resource group: HKTestRG
• Storage account: hk193testcsp
• Virtual network: TestNet, subnet 10.0.0.0/24, public IP (PIP)
• VM: Standard A1, Windows Server 2012 R2

Page 86: 04 Azure IAAS 101

# create the vm
$stName = "hk193testcsp"
$locName = "West Europe"
$rgName = "HKTestRG"

New-AzureRmResourceGroup -Name $rgName -Location $locName
$storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName
$singleSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name singleSubnet -AddressPrefix 10.0.0.0/24
$vnet = New-AzureRmVirtualNetwork -Name TestNet -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/16 -Subnet $singleSubnet
$pip = New-AzureRmPublicIpAddress -Name TestPIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic = New-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id
$cred = Get-Credential -Message "Type the name and password of the local administrator account."
$vm = New-AzureRmVMConfig -VMName WindowsVM -VMSize "Standard_A1"
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName MyWindowsVM -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri = $storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/WindowsVMosDisk.vhd"
$vm = Set-AzureRmVMOSDisk -VM $vm -Name "windowsvmosdisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm

Building the VM using PowerShell (prescriptive)

Page 87: 04 Azure IAAS 101

Export resource group template

Page 88: 04 Azure IAAS 101

Deployment via ARM (declarative)

New-AzureRmResourceGroupDeployment -Name testDeployment -ResourceGroupName $rgName -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json" -Mode Incremental

Page 89: 04 Azure IAAS 101
Page 90: 04 Azure IAAS 101

Cloud principles
• Freedom of choice
• Marketplaces
• Cloud inspired infrastructure
• Multi vendor
• Hybrid
• Hyper scale
• Self-service
• Built in and on top of security
• Built in compliancy
• Automation

Continuous change | Shared | Software defined | Scalable | Pay per use | Build to fail | Multi vendor | Lock-in reduction | Open and closed source | Built in security

Page 91: 04 Azure IAAS 101

Thank you !

Page 92: 04 Azure IAAS 101

Appendix

Page 93: 04 Azure IAAS 101

Appendix: PowerShell command blocks

Page 94: 04 Azure IAAS 101

Specify the Azure subscription

$subscrName="<subscription name>"
Get-AzureRmSubscription -SubscriptionName $subscrName | Select-AzureRmSubscription

Page 95: 04 Azure IAAS 101

Create a new resource group

$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
New-AzureRMResourceGroup -Name $rgName -Location $locName

Page 96: 04 Azure IAAS 101

Create a new storage account

# Create a new standard storage account
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$saName="<storage account name>"
New-AzureRMStorageAccount -Name $saName -ResourceGroupName $rgName -Type Standard_LRS -Location $locName

# Create a new premium storage account
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$saName="<storage account name>"
New-AzureRMStorageAccount -Name $saName -ResourceGroupName $rgName -Type Premium_LRS -Location $locName

Page 97: 04 Azure IAAS 101

Create a new availability set

$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$avName="<availability set name>"
New-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName -Location $locName

Page 98: 04 Azure IAAS 101

Create a new cross-premises VNet

$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$vnetAddrPrefix="<VNet address space>"
$spSubnetName="<subnet name>"
$spSubnetPrefix="<subnet address space>"
$gwSubnetPrefix="<gateway subnet address space>"
$dnsServers=@( "<DNS server IP address>", "<DNS server IP address>" )

$gwSubnet=New-AzureRMVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnetPrefix
$spSubnet=New-AzureRMVirtualNetworkSubnetConfig -Name $spSubnetName -AddressPrefix $spSubnetPrefix
New-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix $vnetAddrPrefix -Subnet $gwSubnet,$spSubnet -DNSServer $dnsServers

Page 99: 04 Azure IAAS 101

Create VNet gateways and a connection

$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName

# Attach a virtual network gateway to a public IP address and the gateway subnet
$publicGatewayVipName="<name>"
$vnetGatewayIpConfigName="<name>"
New-AzureRMPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$publicGatewayVip=Get-AzureRMPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName
$vnetGatewayIpConfig=New-AzureRMVirtualNetworkGatewayIpConfig -Name $vnetGatewayIpConfigName -PublicIpAddressId $publicGatewayVip.Id -SubnetId $vnet.Subnets[0].Id

# Create the Azure gateway
$vnetGatewayName="<name>"
$vnetGateway=New-AzureRMVirtualNetworkGateway -Name $vnetGatewayName -ResourceGroupName $rgName -Location $locName -GatewayType Vpn -VpnType RouteBased -IpConfigurations $vnetGatewayIpConfig

# Create the gateway for the local network
$localGatewayName="<name>"
$localGatewayIP="<public IP address of >"
$localNetworkPrefix=@( <comma-separated, double-quote enclosed list of the local network address prefixes, example: "10.1.0.0/24", "10.2.0.0/24"> )
$localGateway=New-AzureRMLocalNetworkGateway -Name $localGatewayName -ResourceGroupName $rgName -Location $locName -GatewayIpAddress $localGatewayIP -AddressPrefix $localNetworkPrefix

# Create the Azure virtual network VPN connection
$vnetConnectionName="<name>"
$vnetConnectionKey="<IPsec preshared key>"
$vnetConnection=New-AzureRMVirtualNetworkGatewayConnection -Name $vnetConnectionName -ResourceGroupName $rgName -Location $locName -ConnectionType IPsec -SharedKey $vnetConnectionKey -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localGateway

Page 100: 04 Azure IAAS 101

Create a new load balancer instance
# This example block assumes HTTP-based traffic to web servers. Modify as needed.
$locName="<an Azure location, such as West US>"
$rgName="<resource group name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$privIP="<available IP address on the subnet>"

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
# -VirtualNetwork takes the VNet object, not its name
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

$frontendIP=New-AzureRMLoadBalancerFrontendIpConfig -Name WebServers-LBFE -PrivateIPAddress $privIP -Subnet $subnet

$beAddressPool=New-AzureRMLoadBalancerBackendAddressPoolConfig -Name WebServers-LBBE

$healthProbe=New-AzureRMLoadBalancerProbeConfig -Name WebServersProbe -Protocol "TCP" -Port 80 -IntervalInSeconds 15 -ProbeCount 2

$lbrule=New-AzureRMLoadBalancerRuleConfig -Name "WebTraffic" -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol "TCP" -FrontendPort 80 -BackendPort 80

New-AzureRMLoadBalancer -ResourceGroupName $rgName -Name "WebServersInAzure" -Location $locName -LoadBalancingRule $lbrule -BackendAddressPool $beAddressPool -Probe $healthProbe -FrontendIpConfiguration $frontendIP

Page 101: 04 Azure IAAS 101

Create Network Security Groups
# This example creates two rules and two network security groups for two subnets
# Set up key variables
$rgName="<your resource group name>"
$locName="<the Azure location, such as West US>"
$vnetName="<VNet name>"
$feSubnetName="<name of the front end subnet>"
$feSubnetAddrPref="<address prefix of the front end subnet>"
$beSubnetName="<name of the back end subnet>"
$beSubnetAddrPref="<address prefix of the back end subnet>"

# Rule to allow incoming RDP protocol traffic
$rule1 = New-AzureRMNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
# Rule to allow incoming HTTP traffic only to the web servers on the front-end subnet
$rule2 = New-AzureRMNetworkSecurityRuleConfig -Name "WebTraffic" -Description "Allow HTTP to the Web servers" -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix $feSubnetAddrPref -DestinationPortRange 80

# Create a new network security group for the front end subnet with the RDP and HTTP rules
New-AzureRMNetworkSecurityGroup -Name "Front End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1,$rule2
# Create a new network security group for the back end subnet with the RDP rule
New-AzureRMNetworkSecurityGroup -Name "Back End LOB App" -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1

$vnet=Get-AzureRMVirtualNetwork -ResourceGroupName $rgName -Name $vnetName

# Apply the new network security group to the front end subnet.
$nsg=Get-AzureRMNetworkSecurityGroup -Name "Front End LOB App" -ResourceGroupName $rgName
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $feSubnetName -AddressPrefix $feSubnetAddrPref -NetworkSecurityGroup $nsg

# Apply the new network security group to the back end subnet.
$nsg=Get-AzureRMNetworkSecurityGroup -Name "Back End LOB App" -ResourceGroupName $rgName
Set-AzureRMVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $beSubnetName -AddressPrefix $beSubnetAddrPref -NetworkSecurityGroup $nsg

# The subnet changes are made on the in-memory VNet object; write them back to Azure
Set-AzureRMVirtualNetwork -VirtualNetwork $vnet
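The RDP rule above accepts 3389 from the Internet service tag on every VM behind the NSG. As an added example (not from the original deck), the same two-rule NSG with RDP limited to an administrative prefix, followed by a small audit that lists any inbound Allow rule still exposing a management port to Internet or "*". $rgName, $locName, $feSubnetAddrPref and $mgmtPrefix are assumed placeholders.

```powershell
# Added example, not part of the original deck. Placeholders are assumed.
$rgName="<your resource group name>"
$locName="<the Azure location, such as West US>"
$feSubnetAddrPref="<address prefix of the front end subnet>"
$mgmtPrefix="<address prefix of the admin network, example: 203.0.113.0/24>"

# RDP only from the management prefix instead of from the Internet tag
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name "RDP-FromMgmt" `
    -Description "Allow RDP only from the management network" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $mgmtPrefix -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# HTTP to the front end subnet, same as the deck's WebTraffic rule
$webRule = New-AzureRmNetworkSecurityRuleConfig -Name "WebTraffic" `
    -Description "Allow HTTP to the Web servers" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $feSubnetAddrPref -DestinationPortRange 80

$nsg = New-AzureRmNetworkSecurityGroup -Name "FrontEnd-Restricted" `
    -ResourceGroupName $rgName -Location $locName -SecurityRules $rdpRule,$webRule

# True when a port spec ("*", "3389" or "3000-4000") covers the given port
function Test-PortCovered([string]$PortSpec, [int]$Port) {
    if ($PortSpec -eq "*") { return $true }
    if ($PortSpec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$PortSpec -eq $Port)
}

# Emits one object per inbound Allow rule that opens a management port to Internet or "*"
function Find-ExposedMgmtPort($Nsg, [int[]]$MgmtPorts = @(3389, 22)) {
    foreach ($rule in $Nsg.SecurityRules) {
        if ($rule.Direction -ne "Inbound" -or $rule.Access -ne "Allow") { continue }
        # SourceAddressPrefix is a string in older AzureRM builds and a list in newer ones
        $openSource = @($rule.SourceAddressPrefix) | Where-Object { $_ -in @("*", "Internet", "0.0.0.0/0") }
        if (-not $openSource) { continue }
        foreach ($spec in @($rule.DestinationPortRange)) {
            foreach ($p in $MgmtPorts) {
                if (Test-PortCovered $spec $p) {
                    [pscustomobject]@{ Nsg = $Nsg.Name; Rule = $rule.Name; Priority = $rule.Priority
                                       Source = (@($rule.SourceAddressPrefix) -join ","); Port = $p }
                }
            }
        }
    }
}

# The restricted NSG produces no findings; the deck's "RDPTraffic" rule would be reported
Find-ExposedMgmtPort -Nsg $nsg
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName | ForEach-Object { Find-ExposedMgmtPort -Nsg $_ }
```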

Page 102: 04 Azure IAAS 101

Create a new VM (generic basic)
# Create a new virtual machine (generic, you must specify the publisher, offer, and sku values of the VM image)

$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"

$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"

$pubName="<VM image publisher name>"
$offerName="<VM image offer name>"
$skuName="<VM image SKU name>"

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize

$cred=Get-Credential -Message "Type the name and password of the administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 103: 04 Azure IAAS 101

Create a new VM (Windows Server basic)
# Create a new Windows Server 2012 R2 Datacenter virtual machine

$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"

$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize

$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 104: 04 Azure IAAS 101

Create a new VM in an availability set
# Create a new Windows Server 2012 R2 Datacenter virtual machine
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 105: 04 Azure IAAS 101

Create a new VM with a static IP address
# Create a new Windows Server 2012 R2 Datacenter virtual machine with a static IP address
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$staticIP="<static IP address>"

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
# The static address is set on the NIC, not on the VM
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -PrivateIpAddress $staticIP
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 106: 04 Azure IAAS 101

Create a new VM with an extra disk
# Create a new Windows Server 2012 R2 Datacenter virtual machine with a single extra disk
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$diskSize=<size of the extra disk in GB>

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

# Empty data disk, stored as a page blob next to the OS disk
$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$vhdURI=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-ADDSDisk.vhd"
$vm=Add-AzureRMVMDataDisk -VM $vm -Name "ADDSData" -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty

$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 107: 04 Azure IAAS 101

Create a new VM as an LB set member
# Create a new Windows Server 2012 R2 Datacenter virtual machine with membership in a load balancer set
$locName="<Azure location of your resource group>"
$rgName="<resource group name>"
$saName="<storage account name>"
$vnetName="<VNet name>"
$subnetName="<subnet name>"
$avName="<availability set name>"
$vmName="<virtual machine name>"
$vmSize="<virtual machine size>"
$lbName="<load balancer instance name>"
$bePoolIndex=<index of the backend address pool, starting with 0>
$diskSize=<size of the extra disk in GB>

$vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet=Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$lb=Get-AzureRMLoadBalancer -ResourceGroupName $rgName -Name $lbName

# Membership in the load balancer set is a property of the NIC: it joins the backend address pool
$nic=New-AzureRMNetworkInterface -Name ($vmName +"-NIC") -ResourceGroupName $rgName -Location $locName -Subnet $subnet -LoadBalancerBackendAddressPool $lb.BackendAddressPools[$bePoolIndex]
$avSet=Get-AzureRMAvailabilitySet -Name $avName -ResourceGroupName $rgName
$vm=New-AzureRMVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $avSet.Id

$storageAcc=Get-AzureRMStorageAccount -ResourceGroupName $rgName -Name $saName
$vhdURI=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-ADDSDisk.vhd"
$vm=Add-AzureRMVMDataDisk -VM $vm -Name "ADDSData" -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty

$cred=Get-Credential -Message "Type the name and password of the local administrator account for this virtual machine."
$vm=Set-AzureRMVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzureRMVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2-Datacenter -Version "latest"
$vm=Add-AzureRMVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri=$storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + "-OSDisk.vhd"
$vm=Set-AzureRMVMOSDisk -VM $vm -Name "OSDisk" -VhdUri $osDiskUri -CreateOption fromImage
New-AzureRMVM -ResourceGroupName $rgName -Location $locName -VM $vm

Page 108: 04 Azure IAAS 101

Getting publisher, SKU, offer
https://blogs.msdn.microsoft.com/cloud_solution_architect/2015/05/05/creating-azure-vms-with-arm-powershell-cmdlets/

Get-AzureRmVMImageSku – get the SKUs for a publisher and offer
Get-AzureRmVMImagePublisher – get the available publishers
Get-AzureRmVMImageOffer – get the available offers from a publisher
Get-AzureRmVMImage – get the image for a specific SKU

The following ARM cmdlet gets the details for a specific Windows Server source image:
Get-AzureRmVMImage -Location "westus" -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "4.0.20150916"

Page 109: 04 Azure IAAS 101

Deploy ARM template

Page 110: 04 Azure IAAS 101

$resourceGroupName="<resource group name>"
$templateFile="<path to the template, such as azuredeploy.json>"
$templateParameterFile="<path to the parameter file, such as azuredeploy.parameters.json>"

New-AzureRmResourceGroupDeployment -Name test1 -ResourceGroupName $resourceGroupName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Verbose

Page 111: 04 Azure IAAS 101

Authentication – ssh or password
"parameters": {
  ...
  "authenticationType": {
    "allowedValues": [ "password", "ssh" ],
    "defaultValue": "password",
    "type": "string"
  },
  "adminPassword": {
    "type": "securestring"
  },
  "sshPublicKey": {
    "defaultValue": "",
    "type": "string"
  },
  ...
},

"variables": {
  ...
  "password": {
    "adminPassword": "[parameters('adminPassword')]",
    ...
  },
  "ssh": {
    ...
    "linuxConfiguration": {
      "disablePasswordAuthentication": "true",
      "ssh": {
        "publicKeys": [
          { "keyData": "[parameters('sshPublicKey')]", ... }
        ]
      }
    }
  },
  "osProfileObj": "[variables(parameters('authenticationType'))]",
  ...
}

The parameter value ("password" or "ssh") is used as the name of a variable, so osProfileObj resolves to whichever of the two objects matches the chosen authentication type; with "ssh" the Linux configuration also disables password logins.

Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/checkpoint-single-nic/azuredeploy.json#L11
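As an added example (not from the original deck or the quickstart repository), the deployment command from the "Deploy ARM template" slide applied to a template that uses the authenticationType/sshPublicKey pattern above: key-based login is selected, parameters are passed as an object rather than a checked-in parameter file, and the deployment is validated before anything is created. The template path, public-key path and the assumption that the template has no further mandatory parameters are placeholders.

```powershell
# Added example, not part of the original deck. Paths are assumed placeholders.
$resourceGroupName="<resource group name>"
$templateFile="<path to azuredeploy.json>"
$sshKeyFile="$HOME\.ssh\id_rsa.pub"

# With authenticationType = "ssh" the template sets disablePasswordAuthentication,
# so the public key becomes the only credential for the VM; sanity-check it first
$sshPublicKey = (Get-Content -Path $sshKeyFile -Raw).Trim()
if ($sshPublicKey -notmatch '^ssh-(rsa|ed25519|ecdsa)') {
    throw "Not an OpenSSH public key: $sshKeyFile"
}

# adminPassword is still a mandatory securestring parameter in the template, but it is
# never written to the VM when ssh is chosen, so a random throw-away value satisfies it
$unusedPassword = ConvertTo-SecureString -String ([Guid]::NewGuid().ToString()) -AsPlainText -Force

$params = @{
    authenticationType = "ssh"
    sshPublicKey       = $sshPublicKey
    adminPassword      = $unusedPassword
}

# Validate first: a value outside allowedValues or a missing parameter is reported
# here without creating resources
$validation = Test-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw "Template validation failed"
}

New-AzureRmResourceGroupDeployment -Name ("ssh-auth-" + (Get-Date -Format yyyyMMddHHmm)) `
    -ResourceGroupName $resourceGroupName -TemplateFile $templateFile `
    -TemplateParameterObject $params -Verbose
```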

Page 112: 04 Azure IAAS 101

VNET – existing or new
{
  "vnetNewOrExisting": {
    "type": "string",
    "defaultValue": "new",
    "allowedValues": [ "new", "existing" ]
  },
  "vnetExistingRGName": {
    "type": "string",
    "defaultValue": ""
  },
  ...
}

Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/mysql-replication/azuredeploy.json#L68

Page 113: 04 Azure IAAS 101

Set up a connection gateway

Page 114: 04 Azure IAAS 101

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-site-to-site-resource-manager-portal/
https://blogs.technet.microsoft.com/askpfeplat/2016/01/20/creating-a-site-to-site-vpn-connection-in-arm-through-the-new-azure-portal-2/

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

Configuring Windows Server 2012 R2 as a VPN device
https://technet.microsoft.com/en-us/library/dn641937(v=ws.11).aspx

Site2Site

Page 115: 04 Azure IAAS 101

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-point-to-site-rm-ps/

For ARM this is only possible via PowerShell

You will need a certificate for the gateway
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-certificates-point-to-site/

Point2site

Page 116: 04 Azure IAAS 101

Security layers

Page 117: 04 Azure IAAS 101

Visualizing the security layers