20533B
Official Learning Product
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2015 Microsoft Corporation. All rights reserved.
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good
standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
c.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.
3.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any
use of this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may
have additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
This limitation also applies even if Microsoft knew or should have known of the possibility of such
damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental
or any other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change your rights under the laws of your country if those
laws do not permit it to do so.
Revised September 2012
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Andrew Fogg - QA
Contents
Module 1: Introduction to Microsoft Azure
Module Overview
This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.
Course Description
This training course teaches IT professionals how to provision and manage services in Microsoft Azure.
Audience
This course is intended for information technology (IT) professionals who have some knowledge of cloud
technologies and want to learn more about Microsoft Azure.
Student Prerequisites
In addition to their professional experience, students who attend this training should already have the
following technical knowledge:
Understanding of network configuration including: TCP/IP, DNS, virtual private networks, firewalls,
and encryption technologies.
Understanding of websites including: create, configure, monitor and deploy a website on Internet
Information Services (IIS).
Understanding of database concepts including: Tables, queries, Structured Query Language (SQL),
and database schemas
Understanding of resilience and disaster recovery including: backup and restore operations.
Course Objectives
After completing this course, students will be able to:
Implement and manage virtual networking within Azure and to connect to on-premises
environments.
Configure, manage, and monitor Azure virtual machines to optimize availability and reliability.
Plan and implement data services based on SQL Database to support applications.
Publish content through CDNs and publish videos by using Media Services.
Create and manage Azure AD directories, and configure application integration with Azure AD.
Course Outline
The course outline is as follows:
Module 1, "Introduction to Azure"
Module 2, "Implement and Manage Virtual Networks"
Module 3, "Implementing Virtual Machines"
Module 4, "Managing Virtual Machines"
Module 5, "Implementing Websites"
Module 6, "Planning and Implementing Storage"
Module 7, "Planning and Implementing Data Services"
Module 8, "Implementing PaaS Cloud Services and Mobile Services"
Module 9, "Implementing Content Delivery Networks and Media Services"
Module 10, "Implementing Azure AD"
Module 11, "Managing Active Directory identities in a Hybrid Environment"
Module 12, "Implement Automation"
Module 13, "Microsoft Azure Solutions"
Course Materials
Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.
Course Companion Content on the http://www.microsoft.com/learning/en/us/companionmoc.aspx site:
searchable, easy-to-browse digital content with integrated premium online
resources that supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press.
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Note: At the end of each lab, you must close the virtual machine and must not save any changes. To close
a virtual machine without saving the changes, perform the following steps:
1.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off
and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine    Role
20533B-MIA-CL1     Client workstation
MSL-TMG1           Internet gateway
Software Configuration
The following software is installed:
The files associated with the labs in this course are located in the D:\Labfiles folder on the 20533B-MIA-CL1 virtual machine.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
8 GB or higher
DVD drive
In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16 bit colors.
Module 1
Introduction to Microsoft Azure
Module Overview
Organizations are increasingly moving IT workloads to the cloud, so IT professionals need to understand
the principles on which cloud solutions are based and learn how to deploy and manage cloud
applications, services, and infrastructure. In particular, IT professionals who are planning to use
Microsoft Azure must learn about the services that Azure provides and how to manage them.
This module introduces cloud solutions in general, and then focuses on the services that Azure offers. The
module goes on to describe the portals that you can use to manage Azure subscriptions and services,
before introducing Windows PowerShell as a scripting solution for managing Azure.
Objectives
After completing this module, you will be able to:
Lesson 1
Cloud computing plays an increasingly important role in IT infrastructure, and IT professionals need to be
aware of fundamental cloud principles and techniques. This lesson introduces the cloud, and describes
considerations for implementing cloud-based infrastructure services.
Lesson Objectives
After completing this lesson, you will be able to:
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure trial subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.
Before you start the lab preparation, your Instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Microsoft Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages.
4. At the upper right of the screen, click your Microsoft account name and click Switch to new portal.
In the new tab that opens, close any initial "welcome" messages for the new portal.
5. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3. When prompted, sign in using the Microsoft account associated with your Azure subscription and
follow the on-screen instructions.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
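The steps above rely on the course's own Setup-Azure cmdlet, whose source is not in this handbook. The script below is an added example, not the course's script and not part of the original text: it shows the checks a cautious administrator would run in the same elevated Microsoft Azure PowerShell window before any script that can delete subscription objects. It assumes the classic Azure PowerShell module that the 20533B labs use (Add-AzureAccount, Get-AzureSubscription, Select-AzureSubscription, Get-AzureLocation); the account and subscription names are whatever your own sign-in returns.

```powershell
# Added example (not the course's Setup-Azure script). Assumes the classic
# Azure PowerShell module. Run from an elevated Microsoft Azure PowerShell window
# on 20533B-MIA-CL1 before running the lab setup scripts.

# 1. Clear any account or subscription a previous student left cached in this
#    session, so a lab script cannot run against someone else's subscription.
Get-AzureAccount | ForEach-Object {
    Remove-AzureAccount -Name $_.Id -Force
}
Get-AzureSubscription | ForEach-Object {
    Remove-AzureSubscription -SubscriptionName $_.SubscriptionName -Force
}

# 2. Sign in interactively with the Microsoft account that owns the new trial
#    subscription or Learning Pass created for this course.
Add-AzureAccount

# 3. The "Important" note above asks for a subscription that holds nothing else.
#    Refuse to continue if the account exposes more than one subscription, since
#    the setup and reset scripts may delete objects in the one they target.
$subs = @(Get-AzureSubscription)
if ($subs.Count -ne 1) {
    throw "Expected exactly one subscription for this account, found $($subs.Count). Use a fresh trial subscription."
}
Select-AzureSubscription -SubscriptionName $subs[0].SubscriptionName -Current

# 4. Show what the lab scripts will operate on before anything destructive runs.
Get-AzureSubscription -Current |
    Format-List SubscriptionName, SubscriptionId, DefaultAccount

# 5. List the region names so the one your instructor chose can be entered
#    exactly when a lab asks for it.
Get-AzureLocation | Select-Object -ExpandProperty Name
```

The subscription count check is the part worth keeping: the lab scripts are documented as able to remove any object in the subscription they run against, so confirming the session holds exactly the throw-away subscription, and no other, is the cheapest protection against running them against a production account.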
Regardless of the specific technologies that organizations use to implement cloud computing solutions,
the National Institute of Science and Technology (NIST) has identified that they exhibit the following five
characteristics:
On-demand self-service. Cloud services are generally provisioned as they are required, and need
minimal infrastructure configuration by the consumer. This enables users of cloud services to quickly
set up the resources they want, typically without having to involve IT specialists.
Broad network access. Cloud services are generally accessed over a network connection, usually
either a corporate network or the Internet.
Resource pooling. Cloud services use a pool of hardware resources that are shared across
consumers. A hardware pool consists of hardware from multiple servers that are arranged as a single
logical entity.
Rapid elasticity. Cloud services scale dynamically to obtain additional resources from the pool as
workloads intensify, and release resources automatically when they are no longer needed.
Measured service. Cloud services generally include some sort of metering capability, making it
possible to track relative resource usage by the users of the services, who are generally referred to as
subscribers.
For information on the NIST paper that analyzes cloud computing trends and makes security
recommendations, see: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
Software as a Service
Platform as a Service
PaaS offerings consist of cloud-based services that provide resources on which developers can build their
own solutions. Typically, PaaS encapsulates fundamental operating system (OS) capabilities, including
storage and compute, in addition to functional services for custom applications. Usually, PaaS offerings
provide application programming interfaces (APIs), in addition to configuration and management user
interfaces. Azure provides PaaS services that simplify the creation of solutions such as web and mobile
applications. PaaS enables developers and organizations to create highly scalable custom applications
without having to provision and maintain hardware and operating system resources. Examples of PaaS
include Azure Websites and Azure Cloud Services, which can run a web application that your developer
team creates.
Infrastructure as a Service
IaaS offerings provide virtualized server and network infrastructure components that can be easily
provisioned and decommissioned as required. Typically, IaaS facilities are managed in a similar way to
on-premises infrastructure, and provide an easy migration path for moving existing applications to the cloud.
A key point to note is that an infrastructure service might be a single IT resource, such as a virtual server
that has a default installation of Windows Server 2012 R2 and Microsoft SQL Server 2014, or it might
be a completely preconfigured infrastructure environment for a specific application or business process.
For example, a retail organization might empower departments to provision their own database servers to
use as data stores for custom applications. Alternatively, the organization might define a set of virtual
machine and network templates that can be provisioned as a single unit to implement a complete,
preconfigured infrastructure solution for a branch or store, including all the required applications and
settings.
Applications or services where users need to persist data or settings and have them synchronize
between multiple client devices.
Conversely, applications or services that have the following characteristics may not benefit from being
based in the cloud:
Applications that work with data that must remain in privately managed storage for compliance
reasons.
In addition, there are some design and development considerations for implementing applications that
perform well and take advantage of the cloud. Some of these considerations include:
Availability. Cloud applications should be designed with redundancy in mind at every tier to satisfy
the availability requirements of an enterprise or globally accessible service.
Dynamic scaling. Cloud applications can scale on-demand, and applications should be designed to
respond to increased or reduced resources dynamically.
Security. Most cloud applications are hosted in third-party data centers and accessed across the
Internet. Suitable security measures should therefore be incorporated into the application design.
To help developers design and implement successful cloud applications, the Microsoft Patterns and
Practices team has documented a series of design patterns for cloud development. You can find these
patterns at the following location:
Cloud Design Patterns: Prescriptive Architecture Guidance for Cloud Applications
http://go.microsoft.com/fwlink/?LinkID=511691
Lesson 2
Microsoft Azure
Microsoft Azure is a cloud offering from Microsoft that enables individuals and organizations to create,
deploy, and operate cloud-based applications and infrastructure services. This lesson provides an overview
of Microsoft Azure, and describes the data center infrastructure that supports it before discussing the
services that are available in Microsoft Azure.
Lesson Objectives
After completing this lesson, you will be able to:
Host workloads in the cloud on Azure PaaS services and IaaS infrastructure that consists of virtual
machines and virtual networks.
To use Azure services, you require a subscription. You can sign up for a subscription as an individual or as
an organization, and then pay only for the services you use.
Note: Microsoft Azure was formerly known as Windows Azure.
Some of the services within Azure can be categorized as IaaS services. For example, you can use the Azure
Virtual Machines compute services to build a network of virtual servers to host an application, database,
or custom solution. Other services can be categorized as PaaS because you can use them without
maintaining the underlying operating systems. For example, when you run a website in Azure Websites, it
is not necessary to ensure that you are using the latest version of Internet Information Services (IIS). Other
services can be used in both IaaS and PaaS contexts, for example you can use Azure Automation to script
operations on virtual machines or websites.
Note: On the slide, the classification of services is the one used in Azure documentation.
Data centers include uninterruptible power supplies (UPSs) and alternate power supplies (APSs) for all
components, in addition to backup power that can keep the data center running in the event of a
localized disaster.
Clusters within data centers are connected by redundant high-speed networks that support internal
data transfer speeds of over 30,000 gigabytes per second (Gbps).
Data centers are connected to one another and the Internet using high-speed optical networks.
Data within a single data center can be replicated to three redundant storage devices, and can also
be replicated between pairs of data centers in the same geographic region.
Physical and network security for Azure data centers meets a range of industry and government
standards.
The data centers are designed to minimize power and water usage for maximum efficiency, including
servers and other hardware, cooling, and support operations.
The servers in each data center are provisioned in clusters, and each cluster includes multiple racks of
servers that run Windows Server 2012. A distributed service application named the Azure Fabric Controller
manages provisioning, dynamic scaling, and hardware fault-management for the virtual servers that host
cloud services on the physical servers in the cluster.
Azure Region          Physical Location
Central US            Iowa, USA
East US               Virginia, USA
North Central US      Illinois, USA
South Central US      Texas, USA
West US               California, USA
North Europe          Ireland
West Europe           Netherlands
East Asia             Hong Kong
Southeast Asia        Singapore
Japan East
Japan West
Brazil South
Australia East
Australia Southeast   Victoria, Australia
Whenever you create a new Azure service, you must select an Azure region to determine the data center
where the service will run. When you select an Azure region, you should consider where users of that
service are located and place the service as close to them as possible. Some services, such as Traffic
Manager and the Azure Content Delivery Network (CDN), enable you to serve content from more than
one Azure region. In this way, you can serve content to a truly global audience while ensuring that a local
response gives them the highest performance possible.
Not all Azure services are available from every Azure region. For the latest information on Azure regions
and a list of services by region, see:
Azure Regions
http://go.microsoft.com/fwlink/?LinkID=522615
Azure Services
Azure provides a wide range of services that you can use as building blocks to create custom cloud
solutions. These services include:
Azure Cloud Services. Define multi-tier PaaS cloud services that you can deploy and manage on
Windows Azure.
Azure Virtual Networks. Provision networks to connect your virtual machines, PaaS cloud
services, and on-premises infrastructure.
Azure ExpressRoute. Create a dedicated high-speed connection from your on-premises data
center to Azure.
Azure Websites. Create scalable websites and services without the need to manage the
underlying web server configuration.
Mobile Services. Implement a hosted back-end service for mobile applications that run on
multiple mobile platforms.
Event Hubs. Build solutions that consume and process high volumes of events.
SQL Database. Implement relational databases for your applications without the need to
provision and manage a database server.
HDInsight. Use Apache Hadoop to perform big data processing and analysis.
Azure Redis Cache. Implement high-performance caching solutions for your applications.
Azure Machine Learning. Apply statistical models to your data and perform predictive analytics.
Azure Storage. Store data in files, binary large objects (BLOBs), tables, and queues.
Azure Import/Export Service. Transfer large volumes of data using physical media.
Azure Backup. Use Azure as a backup destination for your on-premises servers.
Azure Site Recovery. Manage complete site failover for on-premises and Azure private cloud
infrastructures.
Azure Media Services. Deliver multimedia content such as video and audio.
Azure BizTalk Services. Build integrated business orchestration solutions that integrate
enterprise applications with cloud services.
Azure Service Bus. Connect applications across on-premises and cloud environments.
Azure Active Directory. Integrate your corporate directory with cloud services for a single sign
on (SSO) solution.
Note: Azure is continually being improved and enhanced, and new services are added on a
regular basis. For a full list of services currently available in Azure, see: http://azure.microsoft.com.
Although resource groups provide a logical grouping of services, they do not reflect the geographical
location of the data centers in which those services are deployed. To provision related services in the same
data center, you can specify the region in which you want each service to be hosted. The list of available
regions maps to the regional data centers, enabling you to provision services in a specific data center.
When planning Azure services, you should deploy interdependent services in the same region. In some
cases this is enforced by Azure itself; for example, an HDInsight cluster must be configured to use a
storage account in the same region.
In most cases, co-locating services by specifying a region provides sufficient optimization of inter-service
communication to maximize application performance and minimize cost. However, in some cases where
extremely fast communication between services is vital, you can further optimize co-location by creating
an affinity group and specifying this affinity group for the services when you provision them. Affinity
groups are specified instead of regions, and ensure that compute and storage services will be hosted on
servers that are located close to one another within the same data center. Given that data centers contain
many thousands of servers, reducing the physical distance between services within the data center can
make a material difference to network latency between the services.
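The two placement choices described above, region versus affinity group, as an added Azure PowerShell example (not code from the course). It assumes the classic Azure module in Service Management mode with a subscription already connected (Add-AzureAccount); the region, affinity group and storage account names are constructed placeholders, and the region is validated against Get-AzureLocation before anything is provisioned.

```powershell
# Added example (not from the course text): provision a storage account either by region
# or by affinity group, validating the region name first. Assumes the classic Azure module
# (Service Management mode) and an already-connected subscription.
# All names below are constructed placeholders.

$region        = "West US"                                    # an Azure region name, as listed by Get-AzureLocation
$affinityGroup = "demo-lowlatency-ag"                         # constructed affinity group name
$storageName   = "demostorage" + (Get-Random -Maximum 99999)  # storage names must be globally unique and lowercase

# 1. Verify the region is available to this subscription before provisioning anything in it.
$validRegions = Get-AzureLocation | Select-Object -ExpandProperty Name
if ($validRegions -notcontains $region) {
    throw "Region '$region' is not available to this subscription. Valid regions: $($validRegions -join ', ')"
}

# 2a. Co-locate by region: sufficient for most interdependent services.
New-AzureStorageAccount -StorageAccountName $storageName -Location $region

# 2b. Co-locate by affinity group: the group pins compute and storage to nearby servers
#     in the same data center. Create it once, then specify -AffinityGroup instead of -Location.
if (-not (Get-AzureAffinityGroup -Name $affinityGroup -ErrorAction SilentlyContinue)) {
    New-AzureAffinityGroup -Name $affinityGroup -Location $region -Label "Low-latency tier"
}
New-AzureStorageAccount -StorageAccountName ($storageName + "ag") -AffinityGroup $affinityGroup

# 3. Confirm where each account landed: one shows a Location, the other an AffinityGroup.
Get-AzureStorageAccount | Select-Object StorageAccountName, Location, AffinityGroup
```

An account created with -AffinityGroup reports the group rather than a bare region, which is the property to check when auditing whether latency-sensitive services were actually co-located as intended.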
Lesson 3
Microsoft Azure provides web-based portals in which you can provision and manage Azure subscriptions
and services. These portals usually provide the initial environment in which you will work with Azure, and
knowing how to navigate and use them is a fundamental skill that IT professionals require to manage
Azure services.
Lesson Objectives
After completing this lesson, you will be able to:
Provisioning Services
You can provision a new instance of a service by clicking the New button on any page. Most services
provide a dialog box in which you can enter the user-definable settings for the service before creating it.
Service provisioning is performed asynchronously, and an indicator is displayed at the bottom of the page
to show current activity. You can expand this indicator to show a list of completed and in-process tasks.
Managing Services
Your provisioned services are listed on the All Items page and on each service-specific page. The list
shows the name, status, and service-specific settings for each service. You can click a service name in the
list to view the dashboard for that service instance, where multiple tabbed sub-pages enable you to view
and configure service-specific settings. In most cases, you make changes to a service by using the dynamic
toolbar of context-specific icons that is displayed at the bottom of the sub-page.
Adding Co-Administrators
When you provision an Azure subscription, you are automatically designated as the administrator for that
subscription, and can manage all services and settings for the subscription. You can add co-administrators
in the Settings tab of the management portal by specifying the email address of each user to whom you
want to grant administrative privileges.
Startboard. The home page for your Azure environment, conceptually similar to the Start screen in
Windows. You can pin commonly used items to the Startboard to make it easier to navigate to them.
By default, the Startboard includes tiles that show global Azure service health, a shortcut to the Azure
gallery of available services, and a summary of billing information for your subscriptions.
Blades. Panes in which details of a selected item can be viewed and configured. Each blade is
displayed as a pane in the user interface, often containing a list of services or other items that you can
click to open another blade. New blades open to the right. In this way, you can navigate through
several blades to view details of a specific item in your Azure environment. Some blades can be
maximized and minimized to optimize screen space and simplify navigation.
Hub Menu. A bar on the left side of the page, which contains the following icons:
o Home. Returns the page to the left so that the Hub Menu and Startboard are visible.
o Notifications. Opens a blade on which you can view notifications about the status of tasks.
o Billing. Provides details of charges and remaining credit for your subscriptions. Billing is also
available on a resource group basis.
You can switch to the preview portal from the full portal by clicking your account name and then clicking
Switch to new portal. Conversely, to switch to the full portal from the preview portal, click the Azure
Portal tile in the Startboard.
Demonstration Steps
Use the full Azure Management Portal
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and
that the setup script you ran in the previous demonstration to prepare the environment has
completed.
2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3. On the left side of the page, note the pane containing icons for each service. Then at the bottom of
this pane, click SETTINGS (you may need to use the scroll bar for the pane).
4. On the settings page, on the SUBSCRIPTIONS tab, note the details of your subscription; click the
ADMINISTRATORS tab and verify that your Microsoft account is listed as the service administrator;
and then click the AFFINITY GROUPS tab and note that this is where you can add affinity groups to
your subscription.
5. In the services pane on the left, click STORAGE, and at the bottom of the page, click NEW. Then in
the panel that appears, click QUICK CREATE, enter the following details, and click CREATE STORAGE
ACCOUNT:
o LOCATION / AFFINITY GROUP: Select the location that is closest to your geographic location
6. At the bottom of the page, note the Active Progress indicator, which is animated to show that an
action is in progress.
7. On the storage page, wait for your storage account status to become Online. Then click the name of
your storage account.
8. On the page for your storage account, note the getting started information, and then view each of
the tabs for the storage account, noting that the context-aware tool bar at the bottom of the page
changes to reflect the current tab.
9. Click the Back icon on the left to return to the storage page. Then click ALL ITEMS and note that the
storage account is listed on this page.
1. At the top-right of the full Azure management portal, click your Microsoft account name and then
click Switch to new portal. This opens a new tab in Internet Explorer.
2. If you are asked to authenticate, sign in using the Microsoft account that is associated with your
subscription.
3. When the preview portal is loaded, view the tiles in the Startboard, noting the service health of the
Azure datacenters and the billing status for your subscription.
4. Click the Service health tile, and in the resulting Service health blade, note the status for the
individual Azure services and then click Storage.
5. On the Storage blade, note the status for each region, and then click the region in which you
previously created a storage account.
6. Review the status of the storage service in your selected region, and then on the Hub Menu, click
HOME. Note that the page scrolls to view the Startboard, but the blades you have opened remain
open.
7. In the Hub Menu, click BROWSE, and then click Storage. Note that the currently open blades are
replaced with a new blade that shows your storage accounts.
8. On the Storage blade, click your storage account, and on the blade that is opened, view the details of
your storage account, noting that it has been automatically assigned to a resource group named
Default-Storage-SelectedRegion.
9. At the top of the blade for your storage account, click the Pin blade to Startboard icon and note
that a tile for this blade is added to the Startboard.
10. On the Hub Menu, click NEW, and in the New pane, click Website. Then in the Website blade, enter
the following settings and click Create:
o RESOURCE GROUP: Click the default resource group name and then click Create a new resource
group. Then on the Create resource group blade, type the name Demo-Web-App and then click
OK
o LOCATION: Click the default location, and then select the location nearest to you
11. Wait for the website to be created, and then in the blade for the website (which is opened
automatically after the website is created), note the information about the new website.
12. In Internet Explorer, switch to the tab containing the full Azure portal and refresh the page. Note that
the website you created in the preview portal is listed in the all items page.
Manage Azure Subscriptions
1. At the top-right of the full Azure management portal, click your Microsoft account name and then
click View my bill. This opens a new tab in Internet Explorer. If prompted, sign in using the Microsoft
account credentials associated with your Azure subscription.
2. On the subscriptions page, click your subscription. Then review the summary of usage and billing
that is displayed.
3. Click the preview features tab, and note the available preview features. You can add preview
features to your subscription and start using them as soon as they have been provisioned.
4.
Lesson 4
The Azure portals provide a graphical user interface for managing Azure subscriptions and services, and in
many cases they are the primary management tools for service provisioning and operations. However, it is
common to want to automate DevOps tasks by creating re-usable scripts, or to combine management of
Azure resources with management of other network and infrastructure services. Windows PowerShell
provides a scripting platform for managing Windows, and can be extended to a wide range of other
infrastructure elements, including Azure, by importing modules of encapsulated code called cmdlets. This
lesson explores how you can use Windows PowerShell to connect to an Azure subscription, and provision
and manage Azure services.
Lesson Objectives
After completing this lesson, you will be able to:
Azure PowerShell
Azure PowerShell is the primary PowerShell library for managing Azure services, and can be installed
using the Microsoft Web Platform Installer.
To obtain the latest version of Azure PowerShell, see:
Azure Downloads
http://go.microsoft.com/fwlink/?LinkID=522617
Azure PowerShell includes the following modules:
In many cases, Azure PowerShell is the only PowerShell library you will require. The Azure PowerShell
module has a dependency on the Microsoft .NET Framework 4.5, and the Web Platform Installer checks
for this during installation.
Azure AD PowerShell
If you plan to implement Active Directory (AD) in Azure, you can install the Azure AD PowerShell library
to manage users, groups, and other aspects of the directory from PowerShell. Before you can install the
Azure AD PowerShell module, you must install the Microsoft Online Services Single Sign-In Assistant. To
obtain both of these components, see:
Manage Azure AD using Windows PowerShell
http://go.microsoft.com/fwlink/?LinkID=522616
Azure AD Authentication
You can use Azure AD authentication to sign into an Azure account by using one of the following
kinds of credential:
To connect an Azure account to the local Windows PowerShell environment, you can use the
Add-AzureAccount cmdlet. This opens a browser window in which the user can interactively sign in to
Azure by entering a valid user name and password.
Azure AD authentication is token based, and after signing in, the user remains authenticated until the
authentication token expires. The expiry time for an Azure AD token is 12 hours, although it can be
refreshed in the Windows PowerShell session.
Note: Creating organizational accounts in Azure AD is discussed in Module 10: Implement
Azure Active Directory.
After you have authenticated, you can use the Get-AzureAccount cmdlet to view a list of Azure accounts
that you have associated with the local Windows PowerShell environment, and you can use the
Get-AzureSubscription cmdlet to view a list of subscriptions that are associated with those accounts. If you
have multiple subscriptions, you can set the current subscription by using the Set-AzureSubscription
cmdlet with the name of the subscription that you want to use.
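The Azure AD sign-in flow described above, as an added example (not code from the course): it connects the session with Add-AzureAccount only when no account is present, lists the reachable subscriptions, makes one of them current for this session, and re-authenticates when the 12-hour token has expired. It assumes the classic Azure module; the subscription name is a constructed placeholder, Select-AzureSubscription is the classic module's cmdlet for switching the current subscription, and the expired-token error text is matched loosely because its exact wording varies between module versions.

```powershell
# Added example (not from the course text): Azure AD authenticated session setup.
# Assumes the classic Azure module; the subscription name is a constructed placeholder.

$targetSubscription = "Contoso Dev Subscription"   # constructed placeholder

function Connect-AzureSessionIfNeeded {
    # Get-AzureAccount lists accounts already associated with this PowerShell environment.
    # If none is present, Add-AzureAccount opens a browser sign-in window.
    if (-not (Get-AzureAccount)) {
        Write-Host "No Azure account in this session; signing in interactively..."
        Add-AzureAccount | Out-Null
    }
}

Connect-AzureSessionIfNeeded

# Show every subscription the signed-in accounts can reach, and which one is current.
Get-AzureSubscription |
    Select-Object SubscriptionName, SubscriptionId, IsCurrent, IsDefault |
    Format-Table -AutoSize

# Make the chosen subscription current for this session only (not the saved default), and
# fail closed if it is not connected, so a script never silently runs against another subscription.
if (-not (Get-AzureSubscription -SubscriptionName $targetSubscription -ErrorAction SilentlyContinue)) {
    throw "Subscription '$targetSubscription' is not associated with this session."
}
Select-AzureSubscription -SubscriptionName $targetSubscription -Current

# Azure AD tokens expire (12 hours in this course's text). A long-running script should treat the
# resulting error as "sign in again", not as a failure of the operation itself.
try {
    Get-AzureStorageAccount -ErrorAction Stop | Select-Object StorageAccountName, Location
}
catch {
    # Loose match on the classic module's expired-credentials message (assumed wording).
    if ($_.Exception.Message -match "credentials.*expired") {
        Write-Warning "Azure AD token expired; signing in again."
        Add-AzureAccount | Out-Null
        Select-AzureSubscription -SubscriptionName $targetSubscription -Current
        Get-AzureStorageAccount | Select-Object StorageAccountName, Location
    }
    else { throw }
}
```

Re-running Add-AzureAccount inside the catch block is the token refresh the text refers to; for scripts that cannot prompt interactively, that is the case where the next section's certificate-based authentication applies.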
Certificate-Based Authentication
Most tools for managing Azure support Azure AD authentication, and it is the recommended
authentication model. However, in some cases it may be more appropriate to authenticate by using a
management certificate. Examples of where certificate-based authentication is appropriate include older
tools that do not support Azure AD authentication, or Windows PowerShell scripts that will run for long
periods of time in which an authentication token might expire.
An Azure management certificate is an X.509 (v3) certificate that associates a client application or service
with an Azure subscription. You can use an Azure-generated management certificate, or you can generate
your own using your organization's public key infrastructure (PKI) solution or a tool such as Makecert.
After you have imported the certificate, you can execute the Get-AzureSubscription cmdlet to verify that
the subscription from which you downloaded the certificate file is available in Windows PowerShell, and
you can use the Set-AzureSubscription cmdlet to make it the default subscription.
When you are using your own certificate, you should store the certificate in the personal certificate store
for the user account under which requests to Azure will be made, and then export the certificate to a .cer
file that does not include the private key. You can then upload the certificate to your Azure subscription in
the full Azure management portal.
To authenticate by using the certificate in Windows PowerShell, you can use the Set-AzureSubscription
cmdlet, specifying the subscription name, subscription ID, and the certificate. You can obtain the
subscription ID from the Azure full management portal, and you can reference the certificate in
PowerShell by using the Get-Item cmdlet.
The following code example shows how to set the current subscription by using a specific certificate:
Using a Specific Certificate
$subName = "<the subscription name>"
$subId = "<copy the subscription ID from the Azure portal>"
$thumbprint = "<the thumbprint of the certificate you want to use>"
# Look the certificate up by thumbprint in the current user's personal store
$cert = Get-Item Cert:\CurrentUser\My\$thumbprint
# Bind the subscription to the certificate (no comma after $subName, or the name is passed as an array)
Set-AzureSubscription -SubscriptionName $subName -SubscriptionId $subId -Certificate $cert
To obtain the certificate thumbprint, you can view the certificate in Certificate Manager or you can use
the Windows PowerShell command Get-Item Cert:\CurrentUser\My\* to obtain a list of all personal
certificates and their thumbprints.
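The procedure described in the preceding paragraphs (locate your own certificate in the personal store, export it as a .cer file without the private key, upload it, then bind the subscription to it), as an added example that is not the course's code. It assumes the classic Azure module and the Windows PKI module's Export-Certificate cmdlet; the thumbprint, subscription name, subscription ID and output path are constructed placeholders. Beyond the page's snippet it checks the two things that otherwise fail only at the first Azure call: that the private key is actually present in the store, and that the certificate has not expired.

```powershell
# Added example (not from the course text): prepare and use a self-managed management
# certificate. Thumbprint, subscription name, ID and path are constructed placeholders.

$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"     # placeholder: your certificate's SHA-1 thumbprint
$subName    = "Contoso Dev Subscription"                     # placeholder
$subId      = "00000000-0000-0000-0000-000000000000"         # placeholder: copy from the full portal
$cerPath    = "$env:USERPROFILE\azure-mgmt-public.cer"       # where to write the public certificate

# The thumbprint is the lookup key, so strip anything pasted from the certificate UI that is
# not a hex digit (spaces, and the invisible left-to-right mark it sometimes carries).
$thumbprint = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    # Fall back to listing the personal store, which is how the text suggests finding thumbprints.
    Get-ChildItem Cert:\CurrentUser\My | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    throw "No certificate with thumbprint $thumbprint in Cert:\CurrentUser\My."
}

# Requests to Azure are signed with this certificate, so the private key must be in this store...
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in this store; import the .pfx, not the .cer."
}
# ...and Azure rejects expired certificates, so fail early rather than at the first cmdlet.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumbprint expired on $($cert.NotAfter)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $thumbprint expires on $($cert.NotAfter); plan its rotation."
}

# Export only the public certificate (-Type CERT never includes the private key). This is the
# file to upload under SETTINGS > MANAGEMENT CERTIFICATES in the full portal.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Public certificate written to $cerPath ($($cert.Subject), expires $($cert.NotAfter))"

# Bind the subscription to the certificate and make it current for this session.
Set-AzureSubscription -SubscriptionName $subName -SubscriptionId $subId -Certificate $cert
Select-AzureSubscription -SubscriptionName $subName -Current

# Verify the binding before running anything that depends on it.
Get-AzureSubscription -SubscriptionName $subName |
    Select-Object SubscriptionName, SubscriptionId, Certificate
```

The expiry date checked here is the same one the next demonstration has you read off the MANAGEMENT CERTIFICATES tab; checking it in the script means a scheduled job reports a certificate that is about to expire instead of failing when it has.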
By default, the Azure module is active and Azure PowerShell is in Service Management mode. The Azure
module contains a comprehensive set of cmdlets, which you can use to view, create, and manage
individual Azure services in your subscription. For example, you can use the New-AzureWebsite cmdlet
to create an Azure website, or use the Get-AzureStorageAccount cmdlet to get a reference to an
existing storage account.
For a full list and summary description of the cmdlets in the Azure module, you can use the PowerShell
Get-Command cmdlet, and to display syntax for a specific Azure cmdlet, you can use the PowerShell
Get-Help cmdlet.
Viewing Information about Azure Module Cmdlets
# Get a list of cmdlets in the Azure module
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis
# Get the syntax for a specific cmdlet
Get-Help New-AzureVM
# Get an example
Get-Help New-AzureVM -Example
In Resource Manager mode, you can use PowerShell to create and manage Azure resources in resource
groups. This approach makes it easier to manage related sets of resources as a unit. For example, you
could use the Get-AzureResourceGroup cmdlet to get a reference to an existing resource group, or use
the Remove-AzureResourceGroup cmdlet to remove a resource group and all of the resources it
contains.
You can use the Get-Command and Get-Help cmdlets to view information about the cmdlets in the
AzureResourceManager module.
Note: The AzureResourceManager module is currently in preview, and does not support
all of the functionality in the Azure module. In addition, the AzureResourceManager module
cannot be used in a certificate-based authentication session.
Demonstration Steps
Use Certificate-Based Authentication
1. Ensure that you have completed the previous demonstration in this module, and are logged on to the
20533B-MIA-CL1 virtual machine as Student with the password Pa$$w0rd.
2. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
Yes when prompted.
3. In the Windows PowerShell interactive scripting environment, in the command prompt pane, enter
the following command to generate and download a management certificate:
Get-AzurePublishSettingsFile
4. When Internet Explorer opens, sign in using the Microsoft account associated with your Azure
subscription. Then when prompted to open or save the certificate file, in the Save drop-down list,
click Save as, and save the file as azure-credentials.publishsettings in the D:\Demofiles\Mod01
folder (overwriting any existing file of this name).
5.
6. In the PowerShell ISE, in the command prompt pane, enter the following command to import the
certificate:
Import-AzurePublishSettingsFile D:\Demofiles\Mod01\azure-credentials.publishsettings
7. In the PowerShell ISE, in the command prompt pane, enter the following command to view the
subscriptions that are connected to the local PowerShell session:
Get-AzureSubscription
8.
9. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
10. On the SETTINGS page, on the MANAGEMENT CERTIFICATES tab, find the most recently created
certificate and note its expiry date. Then, at the bottom of the page, note the option to upload your
own certificate, and close Internet Explorer.
11. In the Windows PowerShell ISE, in the output from the previously executed Get-AzureSubscription
statement, note the name of your subscription. Then enter the following command to delete it from
the local PowerShell environment:
Remove-AzureSubscription -SubscriptionName "<your_subscription_name>" -Force
12. Note the warnings that are displayed, and then re-execute the following command to verify that the
subscription has been deleted (if there are no subscriptions, the command returns an empty line):
Get-AzureSubscription
1. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure
account to the local PowerShell environment:
Add-AzureAccount
2. When prompted, sign in using the Microsoft account associated with your Azure subscription.
3. In the PowerShell ISE, in the command prompt pane, enter the following command to view the Azure
accounts in your local PowerShell environment, and verify that your account is listed:
Get-AzureAccount
4. Enter the following command to view the subscriptions that are connected to the local PowerShell
session, and verify that your subscription is listed again:
Get-AzureSubscription
1. In the PowerShell ISE, in the command prompt pane, enter the following command to view the
cmdlets in the Azure module. If you are prompted to run Update-Help, click No:
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis
2. Review the output, and note the large number of cmdlets available.
3. Enter the following command to view the syntax for the Get-AzureWebsite cmdlet:
Get-Help Get-AzureWebsite
4. Review the output. Then enter the following command to clear the screen:
cls
5.
6.
7.
8. If the Script pane is not visible, on the View menu, click Show Script Pane.
9.
10. On the toolbar, click Run Selection and wait for the script and its results to be displayed in the
command prompt pane. The results should list the name and status of the storage account you
created in the previous demonstration.
11. In the Console pane, type the following command, and then press Enter:
Switch-AzureMode -Name AzureResourceManager
foreach ($rg in Get-AzureResourceGroup)
{
    ""
    $rg.ResourceGroupName
    $rg.ResourcesTable
    ""
}
13. On the toolbar, click Run Selection and wait for the script and its results to be displayed in the
command prompt pane. The results should list each resource group in your subscription, and a table
of the resources in each resource group.
14. Close the Windows PowerShell ISE without saving any script files.
Reset the Environment
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
A. Datum is investigating the potential for Azure to host IT infrastructure and application services. You
have been tasked with exploring the Azure environment and familiarizing yourself with its management
tools so that you can perform simple demonstrations during a presentation on Azure to the board of
directors.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
The IT department at A. Datum uses an on-premises, web-based asset management application that
consists of a Microsoft ASP.NET website and a Microsoft SQL Server database. In addition, invoice
documents for all IT purchases are stored in a file share. You plan to explore options for migrating the
asset management application and invoice document store to Microsoft Azure by creating a website,
database, and storage account in Azure. You also want to check the latest billing information for your
subscription.
Note: The Microsoft Azure portals are continually improved, and the user interface may have been
updated since this lab was written. Your instructor will make you aware of any differences between the
steps described in the lab and the current Azure portal.
The main tasks for this exercise are as follows:
1. Use the Full Azure Management Portal.
2. Use the New Azure Preview Portal.
3. Manage Your Azure Subscription.
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Sign in to the full Azure management portal using the Microsoft account that is associated with your
Azure subscription.
3.
4. Create a new website using the Custom Create option. The website should:
o Include a free 20 MB database named AssetsDB on a new SQL Database server in the same
region that has an administrative login named Student with the password Pa$$w0rd.
After the website has been created and is running, view the dashboard for the AssetsDB SQL
database and review the summary information there.
1. Switch to the new Azure preview portal and browse the resource groups that have been created
automatically for the website and SQL database you created in the previous task.
2. View the contents of the resource group created for the SQL database.
3. Create a new storage account with a unique name in the same location and resource group as the
SQL database.
4. After the storage account has been created, view the resource group that was created for the SQL
database and verify that it now also contains the new storage account.
5. Switch back to the full portal and verify that the new storage account is displayed in the ALL ITEMS
page (you may need to refresh the page).
1. In the full portal, view your bill and review the summary of usage and billing.
2.
Note: If your account has been recently created, the subscriptions page may display an error.
If you see this error, return to this page later to view billing information.
3.
4.
Results: At the end of this exercise, you should have created a website and a SQL database in your Azure
subscription and used Azure PowerShell to obtain information about them.
1. Start the Microsoft Azure PowerShell interactive scripting environment (ISE) as Administrator.
2. Add your Azure account to the local PowerShell environment by using Azure AD authentication.
3. Verify that your account and subscription are connected to the local PowerShell environment.
D:\Labfiles\Lab01\Starter\ExampleCommands.ps1
2. In the script, replace the comments in the first foreach loop so that the code gets all storage accounts
and displays each account's name and the status of the primary replica. Execute your foreach loop.
3. In the script, replace the comments in the second foreach loop so that the code gets all websites and
displays each site's name and state. Execute your foreach loop.
4. In the script, replace the comments in the third foreach loop so that the code gets all SQL Database
servers and, for each server, gets all the databases. Execute your foreach loop.
1. In the PowerShell ISE, execute a command that switches to resource manager mode.
2. In the ExampleCommands.ps1 script, replace the comments in the fourth foreach loop so that the
code gets all resource groups. Execute your foreach loop. When you have finished, close Windows
PowerShell ISE without saving any files.
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
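The four enumeration loops the lab tasks above describe (storage accounts, websites, SQL Database servers with their databases, and resource groups in Resource Manager mode), written out in full as an added example. This is not the course's ExampleCommands.ps1 starter file, which is not reproduced on this page; it assumes the classic Azure module with a connected, Azure AD authenticated subscription, and the property names used (StorageAccountName, StatusOfPrimary, Name, State, ServerName, Edition) are those exposed by the classic module's cmdlets.

```powershell
# Added example (not the lab's ExampleCommands.ps1): the lab's four inventory loops in full.
# Assumes the classic Azure module and a connected subscription (Add-AzureAccount).

# 1. Storage accounts: name and health of the primary replica (Service Management mode).
foreach ($account in Get-AzureStorageAccount) {
    "{0,-30} primary: {1}" -f $account.StorageAccountName, $account.StatusOfPrimary
}

# 2. Websites: name and state.
foreach ($site in Get-AzureWebsite) {
    "{0,-30} state: {1}" -f $site.Name, $site.State
}

# 3. SQL Database servers, and the databases hosted on each (master is listed too).
foreach ($server in Get-AzureSqlDatabaseServer) {
    "Server: $($server.ServerName) ($($server.Location))"
    foreach ($db in Get-AzureSqlDatabase -ServerName $server.ServerName) {
        "    database: $($db.Name)  edition: $($db.Edition)"
    }
}

# 4. Resource groups are only visible in Resource Manager mode, so switch first. This mode
#    needs an Azure AD session; it is not available when authenticated with a management certificate.
Switch-AzureMode -Name AzureResourceManager
foreach ($rg in Get-AzureResourceGroup) {
    ""
    "Resource group: $($rg.ResourceGroupName)  location: $($rg.Location)"
    $rg.ResourcesTable
}

# Return to Service Management mode so any classic cmdlets that follow keep working.
Switch-AzureMode -Name AzureServiceManagement
```

Running this inventory before and after the Reset-Azure script below is a quick way to confirm that the reset actually removed everything it reports removing.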
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error if this occurs). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you should have written PowerShell commands that retrieve
information about the services and resource groups in your Azure subscription.
Question: In the lab, you created an Azure website, SQL database, and a storage account to
which the on-premises asset management application in the scenario could be migrated.
What other options for migrating this application to Azure might you consider?
Evaluate IaaS and PaaS options for each element of the solution based on comparative cost,
functionality, and management overhead.
Use resource groups to combine related services into a single unit of management.
Use Azure AD authentication when connecting PowerShell to Microsoft Azure unless you have a
specific reason to use a management certificate.
Review Question(s)
Question: Categorize each of the following Azure services as PaaS or IaaS:
Azure Websites
Azure Storage
Azure Virtual Machines
Azure Virtual Networks
SQL Database
Tools
You can download the following tools for working with Azure:
Module 2
Implement and Manage Virtual Networks
Contents:
Module Overview
Module Overview
Networking is one of the main building blocks of Microsoft Azure, so it is essential that you have a
clear understanding of how to configure network components and connect them together. In this second
module, you will look at how virtual networking provides the glue that brings together virtual machines,
cloud services and storage to enable you to publish the service onto the Internet.
Objectives
After completing this module, you will be able to:
Lesson 1
As with on-premises networks, Microsoft Azure networks need to be planned carefully to ensure that they
work as expected. However, you should find that your knowledge of planning on-premises networks
translates relatively simply into the Microsoft Azure environment.
Lesson Objectives
After completing this lesson, you will be able to:
Understand how virtual networks can be used to support virtual machines and PaaS cloud services.
Explain how on-premises computers can connect to VMs in an Azure virtual network.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.
Before you start the lab preparation, your Instructor will decide which Azure region is the closest to your
classroom location and also which Azure region is second closest. You will need this information during
the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages and password storage messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. If you are
prompted to sign in, use the Microsoft account that is associated with your subscription. Then, in the
new tab that is opened, close any initial "welcome" messages for the new portal.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3. At the prompt, type the module number, and then press Enter.
4.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
6.
Virtual networks (VNets) in Windows Azure also enable you to extend your on-premises networks into the
cloud. To build such a configuration, you must connect a Virtual Private Network (VPN) from your
on-premises computers or networks to the Azure VNet. Alternatively, you can use ExpressRoute to provide a
connection to an Azure VNet that does not cross the Internet. In this way, you can enable on-premises
users to access Azure services as if they were physically located on-premises in your own datacenter.
VNets are often used to support Virtual Machines (VMs) by grouping them into subnets. However, you
can also create PaaS Cloud Services in VNets for the same reason. In addition, this module mentions
Traffic Manager because you can use it to load balance traffic between VMs or cloud services in VNets.
VMs, PaaS cloud services and Traffic Manager are discussed in later modules in this course.
This situation becomes more flexible when you consider VNets: A VM in a VNet can communicate directly
with any other VM in the VNet, even if it is in a different IaaS cloud service. VNets are the only way to
enable direct communication between a VM and a PaaS cloud service. You can also control the IP
addresses assigned to VMs and PaaS cloud services within a VNet and assign DNS servers for name
resolution.
When you move a server into the cloud, you move it further from the users on your premises. This
physical move should not place any barrier between the users and the resources they need to do their job.
You can use a VPN connection to remove any potential barriers. A VPN can connect your on-premises
network to an Azure VNet and all the VMs and PaaS cloud services it contains. This connection means
that users can connect to Azure resources as if they were local.
You can use similar private IPv4 address ranges in Azure VNets that you use on-premises:
10.x.x.x
172.16.x.x to 172.31.x.x
192.168.x.x
You must carefully plan the IP addressing scheme. You will learn more about this planning later in this
lesson. Azure also supports the customization of DNS servers to ensure that on-premises computers can
resolve the IP address of virtual servers in the VNet from a name, and that virtual servers can resolve the IP
address of on-premises computers.
To connect to an Azure VNet from an on-premises network, you can use virtual private networks (VPNs) to
connect across the Internet, or an ExpressRoute connection:
A Point-to-Site VPN. This is a VPN that connects a single computer to a VNet. To create this
connection, you must configure each on-premises computer that you want to use the resources in the
VNet.
A Site-to-Site VPN. This is a VPN that connects an on-premises network, and all its computers, to a
VNet. To create this connection, you must configure a gateway and IP routing in the on-premises
network but it is not necessary to configure individual on-premises computers.
ExpressRoute. An ExpressRoute connection is a dedicated service that does not connect across the
Internet. By using ExpressRoute, you can increase security, reliability, and bandwidth.
You can also create a VPN that connects two Azure VNets. These are called VNet-to-VNet connections.
You will learn more about these connection methods in Lesson 3 Configuring Connections to Virtual
Networks.
Whenever you use a VPN to connect to a VNet, a virtual gateway is required in the VNet. The virtual
gateway routes traffic between VMs and PaaS cloud services in the VNet and computers at the other end
of the connection.
IP Addressing in VNets
VMs and PaaS cloud service roles in a single VNet require a unique IP address in the same way as clients
in an on-premises subnet do. This enables these VMs and cloud service roles to communicate with each
other. There are two types of IP addresses used in an Azure VNet:
DIPs. A DIP is a dynamic internal IP address. This address is used by VMs in the VNet to communicate
with other VMs in the same VNet. When you have connected a VPN to an Azure VNet, on-premises
clients communicate with VNet VMs by using DIPs.
VIPs. A VIP is a virtual IP address that is assigned to a cloud service (either an IaaS cloud service or a
PaaS cloud service). This address is used by external clients to communicate with the cloud service
and its VMs. All VMs within a single cloud service have the same VIP.
Azure assigns DIPs by using the DHCP protocol. DHCP leases are infinite in duration, so IP addresses are
stable. However, in some circumstances, such as when a VM has been placed into the Stopped
(Deallocated) state, a DIP may change.
If you are using a VPN to connect on-premises computers to the VNet, you must ensure that the
on-premises IP addresses and the VNet DIP addresses do not conflict. You will learn how to plan a
non-conflicting IP addressing scheme later in this lesson.
You can ensure a VM always has the same DIP address by setting a static internal IP address (also known
as a persistent private IP address) in PowerShell. Start by testing that the IP address you want to reserve is
not already in use, then use the Set-AzureStaticVNetIP cmdlet as in the following example:
Setting a Static Internal IP Address
# Test the IP address for availability; the result reports IsAvailable and, if the
# address is already taken, an AvailableAddresses list of alternatives
Test-AzureStaticVNetIP -VnetName AdatumHQ -IPAddress 192.168.1.10
# Assign the IP address to the VM configuration and apply it with Update-AzureVM
Get-AzureVM -ServiceName AdatumWebFrontEnd -Name WebVM1 | Set-AzureStaticVNetIP -IPAddress 192.168.1.10 | Update-AzureVM
Note: When you want to assign a static IP address to on-premises computers, you can use
the Network Interface dialog within Windows. This method must not be used for VMs within
Azure because it will result in dropped connections and connectivity failures. Instead, use Set-AzureStaticVNetIP as described above.
Similarly, you can also ensure that the VIP for a cloud service, and the VMs it contains, never changes by
using a reserved IP. To do this, create a reserved IP with the New-AzureReservedIP cmdlet and then pass its
name to a new VM as you create it:
Adding a Reserved IP for a New VM
# Reserve a public IP in the region where the cloud service will be created
$ReservedIPName = "WebFrontEndIP"
New-AzureReservedIP -ReservedIPName $ReservedIPName -Label $ReservedIPName -Location "West US"
# $imageName must already hold the name of a VM image, for example one returned by Get-AzureVMImage;
# the password is single-quoted so that PowerShell does not expand the $$ inside it
New-AzureVMConfig -Name "WebFrontEndVM1" -InstanceSize Small -ImageName $imageName | Add-AzureProvisioningConfig -Windows -AdminUsername Administrator -Password 'Pa$$w0rd' | New-AzureVM -ServiceName "WebFrontEnd" -ReservedIPName $ReservedIPName -Location "West US"
Note: You will learn more about creating VMs, both in the portals and in PowerShell, in
Module 3.
Most of the time, VIPs are the only external IP addresses you need to assign. A VIP is assigned to an IaaS
cloud service and endpoints are used to specify one or more VMs that receive incoming traffic to the VIP.
Alternatively, a VIP can be assigned to a PaaS cloud service and endpoints used to specify the cloud
service role that receives incoming traffic.
However, in some cases you may want to enable external clients to communicate directly with a specific
VM in a cloud service through a direct IP address without specifying a port number. For example, if you
are using FTP in Passive Mode, the client negotiates the port number to use for transferring files. In such
cases, assign an instance-level Public IP (PIP) to the VM.
In this example, the script obtains an existing VM and then assigns a PIP to it.
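The script referred to above does not appear on this page. The following is an added example of my own, not the course's script, that assigns an instance-level public IP to an existing VM with Set-AzurePublicIP and then shows it beside the cloud service VIP (read from Get-AzureDeployment) and the VM's DIP. The service, VM and PIP names are constructed, and an Azure PowerShell session already connected to the subscription is assumed.

```powershell
# Added example, not the course's script: give an existing VM an instance-level
# public IP (PIP) so that, for example, a passive-mode FTP client can reach it
# directly rather than through a cloud service endpoint. Service, VM and PIP
# names are constructed for this example.
$serviceName = 'AdatumWebFrontEnd'
$vmName      = 'WebVM1'

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
if (-not $vm) { throw "VM $vmName was not found in cloud service $serviceName" }

if ($vm.PublicIPName) {
    "VM already has the instance-level IP '$($vm.PublicIPName)'"
} else {
    # Set-AzurePublicIP only records the PIP in the VM configuration;
    # Update-AzureVM applies it and Azure allocates the actual address.
    $vm | Set-AzurePublicIP -PublicIPName "$vmName-pip" | Update-AzureVM
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
}

# The VIP belongs to the cloud service and is shared by every VM in it; the PIP
# belongs to this VM alone and is not filtered by endpoints, so the guest
# firewall must allow only the ports the application actually needs.
[pscustomobject]@{
    CloudServiceVIP = (Get-AzureDeployment -ServiceName $serviceName).VirtualIPs[0].Address
    InstancePIP     = $vm.PublicIPAddress
    InternalDIP     = $vm.IpAddress
}
```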
You can also configure multiple network interface cards (NICs) for Azure VMs. In this case, each NIC
receives a separate DIP and you can utilize the NICs to isolate communication. For more information
about multiple NICs, see the following link:
Create a VM with Multiple NICs
http://go.microsoft.com/fwlink/?LinkID=522618
DNS
The Domain Name System (DNS) enables clients to resolve user-friendly fully-qualified domain names
(FQDNs), such as www.adatum.com, to IP addresses. Azure provides a DNS system to support many
name resolution scenarios, but in some cases you may need to configure an external DNS system to
resolve names to IP addresses within an Azure VNet.
For example, a VM in an IaaS cloud service can use the Azure internal DNS system to resolve the DIP of
any other VM in the same service. However, in a hybrid scenario where your on-premises network is
connected to an Azure VNet through a VPN, an on-premises computer cannot resolve the DIP of a
VM in an Azure VNet until you configure the DNS servers with a record for the VM. You will learn more
about configuring name resolution later in this lesson.
External clients use a VIP address to communicate with a VM. This VIP is associated with an IaaS cloud
service that may be in an Azure VNet. You define endpoints on the cloud service to enable external clients
to connect to specific VMs within the cloud service. By default, an endpoint is associated with a single VM.
To increase availability and scalability, you can create two or more VMs in the same IaaS cloud service that
publish the same application. For example, if 3 VMs host the same website, you may want to distribute
incoming traffic between them and ensure that, if one VM fails, traffic is automatically distributed to the
other two.
You can use a load balanced set to enable this traffic distribution between VMs in a single cloud service.
In this configuration a single endpoint is shared between multiple VMs. The Azure Load Balancer
automatically randomly distributes requests across those VMs as they arrive at the endpoint.
Now consider the case where one VM in a VNet communicates with other VMs in the same VNet. For
example, a web server may want to access a group of middle-tier servers. You can use the Azure load
balancer for this load distribution if you specify the cloud service and endpoint. Alternatively you can
configure the internal load balancer for such distribution. The internal load balancer enables you to load
balance traffic between VMs in the same IaaS cloud service, without routing that traffic through an
endpoint.
Traffic Manager
Traffic Manager is another load balancing solution included within Azure that can load balance between
endpoints located in different Azure regions. These endpoints can include those on IaaS cloud services
that connect to virtual machines, those on PaaS cloud services that connect to roles, and those on Azure
websites. You can configure this load balancing to support failover or to ensure that users connect to an
endpoint that is close to their physical location for higher performance. You will learn how to configure
Traffic Manager in Module 5.
Regional VNets
All new VNets are regional VNets. This means they can span a complete Azure region or datacenter. This
differs from the original VNets in Azure, which were restricted to a single affinity group. If you have older
VNets in your subscription, these may be tied to an affinity group. However, over time all VNets will be
migrated to regional VNets and their ties to specific affinity groups will be removed.
Regional VNets support some features that affinity group VNets do not. These include:
Reserved IP Addresses
More VM Sizes
These VNets are known as cloud-only virtual networks. A dynamic routing gateway is not required in the
VNet.
Endpoints are published to the Internet, so they can be used by anyone with an Internet connection,
including your on-premises computers.
Point-to-Site VPNs
A simple way to connect a VPN to an Azure VNet is to use a Point-to-Site VPN. In these VPNs, you
configure the connection on individual on-premises computers. No extra hardware is required but you
must complete the configuration procedure on every computer that you want to connect to the VNet.
Point-to-site VPNs can be used by the client computer to connect to a VNet from any location with an
Internet connection. Once the VPN is connected, the client computer can access all VMs and cloud
services in the VNet as if they were running on the local network.
You will learn how to configure a Point-to-Site VPN in Lesson 2.
Site-to-Site VPNs
To connect all the computers in a physical site to an Azure VNet, you can create a Site-to-Site VPN. In this
configuration, you do not need to configure individual computers to connect to the VNet, instead you
configure a VPN device, which acts as a gateway to the VNet. You must also configure routing tables to
forward traffic to the VNet. Once these steps are completed, all computers in the local on-premises
network can connect to VMs and services in the VNet as if they were local resources.
You can use a Windows Server 2012 computer running RRAS as a gateway to the VNet. Alternatively,
there are a range of third-party VPN devices that are known to be compatible. If you have a VPN device
that is not on the known compatible list, you may be able to use it if it satisfies the list of gateway
requirements. To check the compatible VPN device list and requirements list, see:
About VPN Devices for Virtual Network
http://go.microsoft.com/fwlink/?LinkID=522619
ExpressRoute
ExpressRoute is a service that enables Azure customers to create a dedicated connection to Azure, which
does not connect through the public Internet. This contrasts with VPNs, which use encryption to tunnel
securely through the public Internet.
Because ExpressRoute connections are dedicated, they can offer faster speeds, higher security, lower
latencies, and higher reliability than VPNs. To learn more about ExpressRoute, see:
ExpressRoute Technical Overview
http://go.microsoft.com/fwlink/?LinkID=522620
VNet-to-VNet Connections
As well as connecting an on-premises network to an Azure VNet by using a VPN, you can also use a VPN
to connect two or more Azure VNets. Such connections are termed VNet-to-VNet VPNs. The connected
VNets can be in different regions and even in different Azure subscriptions.
To understand the configuration, first consider a Site-to-Site VPN. You must configure:
The range of IP addresses that are available on the local, on-premises subnet.
Because the virtual gateway is configured with the IP addresses in the VNet and the IP addresses in the
local network, it can route packets from Azure to the local network.
Now consider a VNet-to-VNet VPN that connects a VNet in the West US region to a VNet in the North
Europe region. You must configure:
When you configure the virtual gateway in West US, the IP address range that you provide for the Local
Network is actually the range for North Europe VNet. Similarly for the virtual gateway in North Europe,
the IP address range that you provide for the Local Network is actually the range for West US VNet. This
can confuse administrators because neither Local Network is in fact an on-premises network.
Note: You will configure a VNet-to-VNet VPN connection in the lab.
10.0.0.0/8. This address space includes all addresses from 10.0.0.1 to 10.255.255.255.
172.16.0.0/12. This address space includes all addresses from 172.16.0.1 to 172.31.255.255.
192.168.0.0/16. This address space includes all addresses from 192.168.0.1 to 192.168.255.255.
When you specify an address space for a VNet, you usually specify a much smaller range within one of the
private address spaces. For example, if you specified the address space 10.1.1.0/24, it means that all
addresses from 10.1.1.1 to 10.1.1.255 should be routed into your VNet.
In a cloud-only virtual network, you can specify any address range from the RFC 1918 private spaces.
However, if you will connect to the VNet with a VPN or ExpressRoute, you must ensure that the address
space is unique and does not overlap any of the ranges that are already in use on-premises or in other
VNets.
Best Practice: Always plan to use an address space that is not already in use in your
organization, either on-premises or in other VNets. Even if you plan for a VNet to be cloud-only,
you may want to make a VPN connection to it later. If there is any overlap in address spaces at
that point, you will have to reconfigure or recreate the VNet.
Choosing Subnets
You must also sub-divide the VMs and cloud services in your VNet by providing one or more subnets. The
range you specify for a subnet must be completely contained within its parent VNet's address space.
Within each subnet, the first three IP addresses and the last IP address are reserved and cannot be used
for VMs or cloud services. The smallest subnets that are supported use a 29-bit subnet mask.
Because clients use DNS to resolve a name to an IP address, many VMs and services can receive new DIPs
without interrupting their service to users. In addition, because DHCP leases are infinite in Azure VNets, IP
addresses rarely change. However, sometimes an IP change does happen. For example, if a new VM is
created while another VM is in the Stopped (Deallocated) state, the new VM may take the old VM's
original address.
If you expect an IP address change to cause problems for a server, you can use a static internal IP address
for that VM. For example, a DNS server should have a static IP address, because clients may not be able to
locate it if its address changes. See the topic Virtual Network Features in this lesson for instructions on
setting a static IP address.
VMs in the same cloud service. VMs can resolve the names of all other VMs in the same cloud service
automatically by using the internal Azure name resolution.
VMs in the same VNet. If the VMs are in different cloud services but within a single VNet, those VMs
can resolve IP addresses for each other by using the internal Azure name resolution service and their
Fully Qualified Domain Names (FQDNs). This is supported only for the first 100 cloud services in the
VNet. Alternatively, use your own DNS system to support this scenario.
Between VMs in a VNet and on-premises computers. To support this scenario you must use your own
DNS system.
Between VMs in different VNets. To support this scenario you must use your own DNS system.
Between on-premises computers and public endpoints. If you publish an endpoint from a VM in an
Azure VNet, the Azure-provided external name resolution service will resolve the public VIP. This also
applies for any internet-connected computers that are not on your premises.
Note: If two VMs are deployed in different IaaS cloud services but not in a VNet, they
cannot communicate at all, even by using DIPs. Therefore name resolution is not applicable.
If you are planning to use your own DNS system, you must ensure that all computers can reach a DNS
server for registering and resolving IP addresses. You can either deploy DNS on a VM in the Azure VNet or
have VMs register their addresses with an on-premises DNS server. Your DNS server must meet the
following requirements:
The server must have record scavenging switched off. Because DHCP leases in an Azure VNet are
infinite, record scavenging can remove records that have not been renewed but are still correct.
Lesson 2
In this second lesson, you move on from the planning process to review how to create and manage the
virtual networks that you create. There are two main ways to configure virtual networks: the Microsoft
Azure Portal and network configuration files.
Lesson Objectives
After completing this lesson, you should be able to:
Create and configure virtual networks by using the Microsoft Azure Management Portal.
Export and import network configuration files to configure the virtual networks in an Azure
subscription.
2. In the toolbar at the bottom, click New, and then click Custom Create.
3. In the Name text box, type a descriptive name for the VNet.
4. In the Location drop-down list, select a location near your users, and then click the Next arrow.
5. Under DNS SERVERS, enter the name and IP address of the DNS server that VMs in the virtual
network will use. As this is a cloud-only virtual network, you may be able to use Azure internal name
resolution and leave this value blank.
6.
7. On the Virtual Network Address Spaces page, add the private address spaces and subnets that you
have planned, and then click Complete.
Note: If you want to create a VPN connection to the VNet, you can either configure the
VPN as part of the VNet creation wizard, or add the VPN later. In the next lesson, you will learn
how to configure VPNs.
The following XML shows a complete network configuration file for a VNet with DNS servers:
Sample Network Configuration File
<NetworkConfiguration
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="dns1.adatum.local" IPAddress="192.168.5.1" />
        <DnsServer name="dns2.adatum.local" IPAddress="192.168.6.1" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AdatumEurope" Location="North Europe">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="AdatumEurope">
            <AddressPrefix>10.0.0.0/11</AddressPrefix>
          </Subnet>
          <Subnet name="AdatumEuSub2">
            <AddressPrefix>192.168.1.0/27</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="dns1.adatum.local" />
          <DnsServerRef name="dns2.adatum.local" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
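As an added example of my own (not one of the course's scripts), the following PowerShell checks a network configuration file like the one above against the planning rules from the previous topic (non-overlapping address spaces, subnets inside the VNet's address space, the /29 minimum, DnsServerRef entries that match a declared DnsServer) before it is imported with Set-AzureVNetConfig. The function names and the on-premises range it assumes, 192.168.0.0/16, are constructed for the example.

```powershell
# Added example, not one of the course's scripts: offline checks on a classic
# network configuration file before it is imported with Set-AzureVNetConfig.
# It applies this lesson's planning rules: address spaces must not overlap
# on-premises ranges or other VNets, subnets must sit inside the VNet's address
# space and be /29 or larger, and every DnsServerRef needs a matching DnsServer.

function ConvertTo-AddressNumber {
    # Dotted IPv4 address -> integer, so address ranges can be compared numerically.
    param([string]$Address)
    [long]$value = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $b
    }
    return $value
}

function Get-PrefixRange {
    # First and last address of a CIDR prefix (10.1.1.5/24 is normalised to 10.1.1.0/24).
    param([string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not a CIDR prefix: $Cidr" }
    $network, $length = $Cidr.Split('/')
    $size  = [long][Math]::Pow(2, 32 - [int]$length)
    $start = ConvertTo-AddressNumber $network
    $first = $start - ($start % $size)
    [pscustomobject]@{ Cidr = $Cidr; Length = [int]$length; First = $first; Last = $first + $size - 1 }
}

function Test-PrefixOverlap { param($A, $B) ($A.First -le $B.Last) -and ($B.First -le $A.Last) }
function Test-PrefixWithin  { param($Inner, $Outer) ($Inner.First -ge $Outer.First) -and ($Inner.Last -le $Outer.Last) }

function Test-AzureVNetConfigFile {
    # Returns the problems found; no output means the file passes the checks.
    # -OnPremisesPrefix lists ranges already used on-premises (see the Best Practice above).
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [string[]]$OnPremisesPrefix = @()
    )
    $problems   = @()
    $vnetConfig = $Config.NetworkConfiguration.VirtualNetworkConfiguration
    $dnsNames   = @($vnetConfig.Dns.DnsServers.DnsServer | Where-Object { $_ } | ForEach-Object { $_.GetAttribute('name') })
    $onPrem     = @($OnPremisesPrefix | ForEach-Object { Get-PrefixRange $_ })
    $seenSpaces = @()   # address spaces of VNets already checked, to catch VNet-to-VNet overlap
    foreach ($site in @($vnetConfig.VirtualNetworkSites.VirtualNetworkSite | Where-Object { $_ })) {
        $siteName = $site.GetAttribute('name')
        $spaces   = @($site.AddressSpace.AddressPrefix | Where-Object { $_ } | ForEach-Object { Get-PrefixRange $_ })
        foreach ($space in $spaces) {
            foreach ($p in $onPrem) {
                if (Test-PrefixOverlap $space $p) { $problems += "${siteName}: $($space.Cidr) overlaps on-premises range $($p.Cidr)" }
            }
            foreach ($seen in $seenSpaces) {
                if (Test-PrefixOverlap $space $seen.Range) { $problems += "${siteName}: $($space.Cidr) overlaps VNet $($seen.Site) $($seen.Range.Cidr)" }
            }
            $seenSpaces += [pscustomobject]@{ Site = $siteName; Range = $space }
        }
        foreach ($subnet in @($site.Subnets.Subnet | Where-Object { $_ })) {
            $subnetName = $subnet.GetAttribute('name')
            $range      = Get-PrefixRange $subnet.AddressPrefix
            # Azure reserves the first three and the last address of each subnet; /29 is the smallest allowed.
            if ($range.Length -gt 29) { $problems += "${siteName}/${subnetName}: $($range.Cidr) is smaller than the /29 minimum" }
            if (-not ($spaces | Where-Object { Test-PrefixWithin $range $_ })) {
                $problems += "${siteName}/${subnetName}: $($range.Cidr) is outside the VNet address space"
            }
        }
        foreach ($ref in @($site.DnsServersRef.DnsServerRef | Where-Object { $_ })) {
            $refName = $ref.GetAttribute('name')
            if ($dnsNames -notcontains $refName) { $problems += "${siteName}: DnsServerRef '$refName' has no matching DnsServer" }
        }
    }
    return $problems
}

# The sample file from this lesson, embedded so the check runs without Azure access.
$sampleXml = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns><DnsServers>
      <DnsServer name="dns1.adatum.local" IPAddress="192.168.5.1" />
      <DnsServer name="dns2.adatum.local" IPAddress="192.168.6.1" />
    </DnsServers></Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AdatumEurope" Location="North Europe">
        <AddressSpace><AddressPrefix>10.0.0.0/8</AddressPrefix><AddressPrefix>192.168.1.0/24</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="AdatumEurope"><AddressPrefix>10.0.0.0/11</AddressPrefix></Subnet>
          <Subnet name="AdatumEuSub2"><AddressPrefix>192.168.1.0/27</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef><DnsServerRef name="dns1.adatum.local" /><DnsServerRef name="dns2.adatum.local" /></DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

# Constructed assumption: A. Datum already uses 192.168.0.0/16 on-premises, so the
# VNet's second prefix, 192.168.1.0/24, must be reported before the file is imported.
$issues = @(Test-AzureVNetConfigFile -Config ([xml]$sampleXml) -OnPremisesPrefix '192.168.0.0/16')
if ($issues.Count -eq 0) { 'No problems found; safe to import with Set-AzureVNetConfig' } else { $issues }
```

With the assumed on-premises range, the run reports a single line, the overlap of AdatumEurope's 192.168.1.0/24 prefix with 192.168.0.0/16; the subnet and DNS checks pass for the sample file.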
Demonstration Steps
Start Microsoft Azure PowerShell with administrator credentials
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and
that the setup script you ran in the previous demonstration to prepare the environment has
completed.
2. Press the Windows key and on the Start screen, type Microsoft Azure PowerShell, right-click
Microsoft Azure PowerShell and then click Run as administrator.
3.
2. Log on to Azure with the credentials associated with your Azure subscription.
2.
1.
2. Double-click NetworkConfig.XML.
3. In the How do you want to open this type of file (.xml)? dialog box, click Notepad.
4. Show the students the contents of the file and point out that this is the same file from the slide in the
lesson.
5.
6. In Microsoft Azure PowerShell, type the following command, and then press Enter:
Set-AzureVnetConfig D:\Demofiles\Mod02\NetworkConfig.XML
Show the settings for the new VNet in the Azure portal
1. When you see the success message, on the Windows Taskbar, click Internet Explorer.
2.
3.
4.
5. Click CONFIGURE.
6.
2. In the NetworkConfig.XML file, change all three instances of 192.168.0.x to 192.168.30.x (where x is
the last octet; it differs between the three instances and must not be changed).
3. In Microsoft Azure PowerShell, type the following command and then press Enter:
Set-AzureVnetConfig D:\Demofiles\Mod02\NetworkConfig.XML
Refresh the screen in the portal and show that the IP subnets have now changed
1.
2. Point out that the IP address ranges now have 192.168.30.x values.
1.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks and gateways, cloud services, and resource
groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error if this occurs). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
2. In the toolbar at the bottom, click NEW and then click FROM GALLERY. Note that the QUICK
CREATE option does not allow you to specify a VNet.
3.
4. In the VIRTUAL MACHINE NAME text box, type a descriptive name for the server.
5. In the NEW USER NAME text box, type a name for the default administrator account.
6.
7. In the CONFIRM text box, retype the password and then click Next.
8. In the CLOUD SERVICE DNS NAME text box, ensure that a unique DNS name within the
cloudapp.net domain appears. If the name is unique, a green tick is displayed. The default cloud
service name is taken from the VM name you specified on the previous page.
9. In the REGION/AFFINITY GROUP/VIRTUAL NETWORK drop-down list, select the virtual network
you want to add the new VM to.
10. If the VNet has more than one subnet, select the correct subnet in the VIRTUAL NETWORK
SUBNETS drop-down list.
11. Click Next and then click Finish.
Note: You can also use the preview portal or PowerShell to create new VMs in a VNet. You
will learn more about these techniques in Module 3.
A. Datum has two large office buildings in different regions: an HQ and a main branch office. In order to
serve these locations rapidly, you plan to have separate Azure virtual networks in the two regions that
match the office locations. Your Azure architects have provided a script that creates a virtual machine in
each virtual network. You have been asked to create the planned virtual networks and use the scripts to
populate them.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
A. Datum now wishes to implement virtual networks for the A. Datum HQ and branch resources. You are
also required to run a script to populate these resources with some test virtual machines.
The main tasks for this exercise are as follows:
1. Connect to Windows Azure with Windows Azure PowerShell
2. Create Virtual Networks in the Management Portal and in PowerShell
3. Populate the Virtual Network
2. Use the Get-AzurePublishSettingsFile cmdlet to download the encoded management certificate for
your subscription.
3. Check your Azure Subscription settings using the Get-AzureSubscription command and record the
Current Storage Account Name value in D:\Labfiles\Lab02\Starter\ExampleCommands.ps1.
4. Run the Update-Help cmdlet. Leave the Windows Azure PowerShell ISE window open.
5.
Note: For Location 1 and Location 2 use two Azure regions close to your physical
location. Your instructor will provide this information.
1. Log on to the full Microsoft Azure portal using the Microsoft identity that you created to register for
your Microsoft Azure Learning Pass.
2. In the Networks node, create a new virtual network with the following settings:
o NAME: ADATUM-HQ-VNET
o DNS and VPN Connectivity settings: add DNS server ADATUM-DNS, with IP address of 10.0.1.4
o CIDR: /25
3. Export the network configuration XML file and save this file onto your desktop.
4. Edit the file to copy the existing VIRTUALNETWORKSITE section, and then edit the new
VIRTUALNETWORKSITE section with the following information:
o NAME: ADATUM-BRANCH-VNET
o CIDR: /25
5. Import the settings using the Set-AzureVNetConfig command and the NetworkConfig.XML file.
Set-AzureVNetConfig replaces the subscription's entire network configuration with the contents of the
file, so make sure the existing ADATUM-HQ-VNET section is still present before you import.
6. Check that both networks are displayed in the Microsoft Azure portal.
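Steps 3 to 6 done in Azure PowerShell instead of a text editor, as an added example that is not part of the lab files: export the configuration, clone the ADATUM-HQ-VNET site into ADATUM-BRANCH-VNET, re-address it, check the file, and re-import it. Assumed values: the HQ range is 10.0.1.0/25 and the branch range 10.0.2.0/25 (chosen to match the VM addresses the lab scripts produce), and $Location2 is the region your instructor names.

```powershell
# Added example; not one of the lab files. Address ranges and $Location2 are assumptions.
$Location2 = 'East US'                                      # assumption: your Location 2
$cfgPath   = Join-Path $env:USERPROFILE 'Desktop\NetworkConfig.xml'
$ns        = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration'

# Step 3: export the subscription's current network configuration.
Get-AzureVNetConfig -ExportToFile $cfgPath | Out-Null
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$nsm.AddNamespace('n', $ns)                                 # the schema uses a default namespace

$sites = $cfg.SelectSingleNode('//n:VirtualNetworkSites', $nsm)
$hq    = $sites.SelectSingleNode("n:VirtualNetworkSite[@name='ADATUM-HQ-VNET']", $nsm)
if (-not $hq) { throw 'ADATUM-HQ-VNET is not in the exported configuration; create it in the portal first.' }
if ($sites.SelectSingleNode("n:VirtualNetworkSite[@name='ADATUM-BRANCH-VNET']", $nsm)) {
    throw 'ADATUM-BRANCH-VNET already exists; refusing to add a duplicate site.'
}

# Step 4: clone the HQ site and turn the copy into the branch site.
$branch = $hq.CloneNode($true)
$branch.SetAttribute('name', 'ADATUM-BRANCH-VNET')
if ($branch.HasAttribute('AffinityGroup')) { throw 'Site is affinity-group based; this example handles regional VNets only.' }
$branch.SetAttribute('Location', $Location2)
foreach ($prefix in $branch.SelectNodes('.//n:AddressPrefix', $nsm)) {
    # 10.0.1.x/nn becomes 10.0.2.x/nn for the address space and every subnet
    $prefix.InnerText = $pref<br>ix.InnerText -replace '^10\.0\.1\.', '10.0.2.'
}
# DnsServersRef is cloned as-is, so branch VMs keep using ADATUM-DNS (10.0.1.4).
$sites.AppendChild($branch) | Out-Null
$cfg.Save($cfgPath)

# Before step 5: Set-AzureVNetConfig replaces the whole subscription network
# configuration, so check the file is complete and consistent before applying it.
$names    = @($cfg.SelectNodes('//n:VirtualNetworkSite', $nsm) | ForEach-Object { $_.GetAttribute('name') })
$prefixes = @($cfg.SelectNodes('//n:VirtualNetworkSite/n:AddressSpace/n:AddressPrefix', $nsm) | ForEach-Object { $_.InnerText })
if ($names -notcontains 'ADATUM-HQ-VNET') { throw 'HQ site dropped from the file; importing would delete it.' }
if (@($names    | Select-Object -Unique).Count -ne $names.Count)    { throw 'Duplicate VirtualNetworkSite names.' }
if (@($prefixes | Select-Object -Unique).Count -ne $prefixes.Count) { throw 'Two sites share an address prefix.' }

# Step 5: import.
Set-AzureVNetConfig -ConfigurationPath $cfgPath | Out-Null

# Step 6: both sites should now be listed.
Get-AzureVNetSite | Format-Table Name, Location, AddressSpacePrefixes -AutoSize
```

The checks before the import matter because a site that is missing from the file is removed from the subscription when the file is applied, and the portal gives no second confirmation.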
2. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
CD D:\Labfiles\Lab02\Starter
3. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
.\CreateVirtualMachines1.ps1
4. When prompted for your primary Azure region, enter the number of your Location 1, and press
Enter.
5. The script may take 20 - 25 minutes to complete; when the script has completed, verify that the
following information is displayed:
o Name: AdatumWestSvr1
o IPAddress: 10.0.1.4
o InstanceStatus: ReadyRole
o PowerState: Started
6. Close the Windows PowerShell ISE. Important: do not run the second script in the same instance of
PowerShell.
7.
On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
Yes when prompted.
8.
In the Windows PowerShell ISE, in the command prompt pane, enter the following command and
press Enter:
CD D:\Labfiles\Lab02\Starter
9.
In the Windows PowerShell ISE, in the command prompt pane, enter the following command and
press Enter:
.\CreateVirtualMachines2.ps1
10. When prompted for your secondary Azure region, enter the number of your Location 2, and press
Enter.
11. The script may take 10 - 15 minutes to complete; when the script has completed, verify that the
following information is displayed:
o
Name: AdatumEastSvr1
IPAddress: 10.0.2.4
InstanceStatus: ReadyRole
PowerState: Started
12. Do not proceed to the next exercise until the script operation is complete.
Results: After completing this exercise, you will have created virtual networks for A. Datum HQ and
branch, and deployed a virtual machine to each network.
Question: What are the two methods you can use to create Azure virtual networks?
Lesson 3
In this third lesson, you will learn how to establish connectivity between two or more sites in Microsoft
Azure, as well as how to connect from your on-premises computers to Azure virtual networks. Here, you
will be covering subjects such as configuring site-to-site VPNs.
Lesson Objectives
After completing this lesson, you should be able to:
Point-to-Site
A point-to-site VPN connects a single computer to a VNet through a VPN tunnel. You must upload a root
certificate to Azure and then install, on each client computer, a client certificate issued from that root
together with a client configuration package.
Use point-to-site connections when you have a small number of client computers that you want to
connect. Remember that computers with a point-to-site VPN can use that connection from anywhere with
Internet access. For example, they could connect to the VNet from a café with Wi-Fi. The client
certificate's private key is therefore the credential for the VNet: protect it as you would a password,
because anyone holding it and the client package can reach the VNet from any Internet connection.
Site-to-Site
A site-to-site VPN connects an on-premises TCP/IP network to a VNet through a VPN tunnel. In the
on-premises network, a VPN device routes traffic to the VNet. You can either use a compatible third-party
VPN device or use a Windows server with the Routing and Remote Access Service (RRAS) configured.
Azure provides a script that you can use to configure the VPN device.
Use a site-to-site connection when you have a large number of client computers all connected to an
on-premises network. Unlike point-to-site connections, clients can only use a site-to-site connection when
they have a direct connection to the on-premises network.
VNet-to-VNet
A VNet-to-VNet VPN connects one Azure VNet to another. The two VNets can be in different regions or
even in different Azure subscriptions. For example, you could use a VNet-to-VNet VPN to connect to a
partner organization's VNet, as long as the IP address spaces of the two VNets do not overlap.
When you configure a VNet-to-VNet connection, you must specify the address space used for the dynamic
IP addresses (DIPs, the internal addresses of the VMs) in the opposite VNet so that the virtual gateway can
route traffic to the correct location. The user interface refers to this as the local network, because the
virtual gateway routes traffic to it in exactly the same way as it would to an on-premises network. This can
be confusing because, in the opposite VNet, the first VNet is likewise referred to as the local network.
Multisite
You can configure a single VNet gateway with VPN tunnels to multiple on-premises networks. This is known
as a multi-site VPN and is very similar to a site-to-site VPN. The main practical difference is that you must
configure a multi-site VPN by using a network configuration file. The portal does not support multi-site
VPNs at the time of writing.
For more information about configuring multi-site VPNs, see:
Configure a Multi-Site VPN
http://go.microsoft.com/fwlink/?LinkID=522621
ExpressRoute
The ExpressRoute service can provide a private connection to an Azure VNet that does not cross the
Internet. This can improve security and achieve higher bandwidth, lower latency, and better reliability.
Microsoft works with network service providers to build these connections. Note that the circuit is private
but is not encrypted by ExpressRoute itself; if you need confidentiality on the link, run your own
encryption, such as IPsec, over it.
For more information about ExpressRoute, see:
ExpressRoute: An overview
http://go.microsoft.com/fwlink/?LinkID=522622
Note: All of the configuration procedures described in this lesson use the full portal. You
can also use network configuration files to make all these changes and use the PowerShell
Set-AzureVNetConfig cmdlet to upload and apply your changes to Azure.
1.
2.
In the list of virtual networks, click the name of the VNet you want to configure.
3.
4.
5.
In the address space table, select the starting IP address and a CIDR notation subnet mask to specify
an address range. All clients that connect to this point-to-site VPN will receive an IP address from
this range, so it must not overlap the VNet's own address space or any network the clients are on.
6.
In the toolbar at the bottom, click SAVE and then click YES.
2.
In the toolbar at the bottom, click CREATE GATEWAY and then click YES.
Start a command prompt as administrator and use cd commands to navigate to the Visual Studio
Tools folder.
2.
3.
4.
In the list of virtual networks, click the VNet you want to configure and then click CERTIFICATES.
5.
6.
Click BROWSE FOR FILE, locate and select the root certificate (.cer) you created, and then click Open.
7.
Click Complete.
8.
In the command prompt, type the following command, and then press Enter:
makecert.exe -n "CN=AdatumClientCertificate" -pe -sky exchange -m 96 -ss My -in "AdatumRootCertificate" -is my -a sha1
This issues a client certificate from the root certificate you uploaded, valid for 96 months, into the
current user's personal store. The -a sha1 switch reproduces the documented procedure of the time;
SHA-1 is deprecated for signatures, so use -a sha256 where your gateway accepts it.
To connect to the VPN, a client must use a client configuration package. This package must include the
client certificate you just created:
1.
In the full portal, click the DASHBOARD tab for the virtual network.
2.
Under quick glance, click the VPN package for the appropriate client operating system.
3.
4.
On the client computer, double-click the configuration file you just downloaded. If the User Account
Control dialog appears, click Yes.
Now that you have installed both the client certificate and the VPN client configuration package, you can
connect to the VNet.
1.
Navigate to the list of VPN connections and locate the VPN connection you have created. The name
of the VPN connection will be the same as the name of the VNet in Azure.
2.
3.
2.
3. On the DNS Servers and VPN Connectivity page, supply the following values:
o DNS Servers. Specify the DNS server name and IP address that VMs in the VNet will use for
name resolution.
On the Site-to-Site Connectivity page, specify the properties of the on-premises network. You must
supply the following values:
o VPN Device IP Address. This is the external IP address of your VPN device.
o Address Space. Specify all the IP address ranges that exist in your on-premises network.
4. On the Virtual Network Address Spaces page, fill in the IP address spaces and subnets you planned.
You must include a gateway subnet. The virtual gateway will be added to this subnet when you create
it.
5.
When the VNet has been created, click the DASHBOARD tab.
6.
In the toolbar at the bottom, click CREATE GATEWAY and then click Dynamic Routing.
7.
Click Yes.
A site-to-site VPN requires an on-premises VPN device, which routes traffic from the on-premises network
to the VNet and receives traffic from the virtual gateway. You can use Windows Server with RRAS
configured for this device or use a supported third-party device. To configure this device, you must
provide the following information:
The IP address of the virtual gateway in the VNet. This IP address will be displayed in the VNet's
Dashboard page.
The shared key. This pre-shared key authenticates the two gateways to each other during the IKE
negotiation, from which the session keys that encrypt the tunnel are derived. Treat it as a secret:
distribute it out of band, do not store it in scripts, and regenerate it if it is exposed. You can obtain the
shared key from the full portal by clicking MANAGE KEY on the toolbar.
The VPN configuration script template. You can obtain the script from the full portal by clicking
Download VPN Device Script in the quick glance section.
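The on-premises side of the connection, as an added example rather than the device script that the portal generates: it configures Windows Server 2012 R2 RRAS as the VPN device from the three items listed above. Assumed values: the gateway address (a TEST-NET-3 placeholder), the VNet address space 10.0.1.0/25 and the interface name. The IPsec proposal in step 3 is the one the Azure-provided RRAS script of this period applied; treat it as an assumption and compare it with the script you download.

```powershell
# Added example; not the script Azure generates. Placeholders are marked as assumptions.
$AzureGatewayIp = '203.0.113.10'     # assumption: gateway IP from the VNet dashboard
$VNetPrefix     = '10.0.1.0/25'      # assumption: ADATUM-HQ-VNET address space
$IfName         = 'ADATUM-HQ-VNET'   # assumption: demand-dial interface name

# The shared key is read at run time and never stored in the script.
$secure   = Read-Host -Prompt 'Shared key (from MANAGE KEY)' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pskPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. RRAS role in site-to-site mode (safe to re-run).
if ((Get-WindowsFeature RemoteAccess).InstallState -ne 'Installed') {
    Add-WindowsFeature RemoteAccess -IncludeManagementTools | Out-Null
}
$ra = Get-RemoteAccess -ErrorAction SilentlyContinue
if (-not $ra -or $ra.VpnS2SStatus -ne 'Installed') { Install-RemoteAccess -VpnType VpnS2S }

# 2. Demand-dial interface to the Azure gateway. "$VNetPrefix:100" adds a route for
#    the VNet through the tunnel with metric 100; -Persistent keeps it connected.
if (Get-VpnS2SInterface -Name $IfName -ErrorAction SilentlyContinue) {
    Remove-VpnS2SInterface -Name $IfName -Force
}
Add-VpnS2SInterface -Name $IfName -Destination $AzureGatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $pskPlain `
    -IPv4Subnet "${VNetPrefix}:100" -NumberOfTries 3 -Persistent
Remove-Variable pskPlain   # the plaintext copy is no longer needed

# 3. IPsec proposal (assumption: verify against the downloaded device script).
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnS2SInterface -Name $IfName -CustomPolicy `
    -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 `
    -DHGroup Group2 -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -PfsGroup None

# 4. Bring the tunnel up; ConnectionState should read Connected.
Connect-VpnS2SInterface -Name $IfName
Get-VpnS2SInterface -Name $IfName | Format-List Name, Destination, ConnectionState, IPv4Subnet
```

The server's public address must be the VPN Device IP Address you entered for the local network in Azure, otherwise the gateway rejects the IKE proposal before the key is even checked.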
Once both virtual gateways are created, you can return and configure the actual IP address of the
opposite gateway.
There is no on-premises network in a VNet-to-VNet connection. However, in the user interface, you
must configure a local network IP address range. For each VNet, the local network IP address range
refers to the DIP addresses in the opposite VNet.
Note: You will configure a VNET-to-VNET VPN in the lab and see the procedure in detail.
Here, an overview of the process is provided.
To create a VNet-to-VNet connection, complete these procedures:
1.
Create two virtual networks. Do not enable point-to-site or site-to-site communication as part of the
initial configuration. Use IP address ranges that do not overlap.
2.
Add each VNet as a local network to the opposite VNet. Use the dummy IP address.
3.
Create dynamic routing virtual gateways in each VNet. Record the IP address of each virtual gateway.
4.
Reconfigure each VNet with the real IP address of the virtual gateway you created in the opposite
VNet.
5.
VNet-to-VNet VPNs can connect VNets in the same or different Azure subscriptions. Similarly, they
can connect VNets in the same or different Azure regions.
Cloud services cannot span VNets even when those VNets are connected with a VPN.
All VPN tunnels to a VNet share the available bandwidth on the Azure VPN gateway. This includes
point-to-site VPNs.
VPN devices must support certain requirements. There is a list of these requirements at the following
location. You can also find a list of compatible third-party VPN devices on the same page.
About VPN Devices for Virtual Network
http://go.microsoft.com/fwlink/?LinkID=522619
You have been asked to implement connectivity to the two A. Datum virtual networks you created earlier.
You want to use a VNet-to-VNet VPN to connect the VNets. You also want to implement a point-to-site
VPN so that you can connect from your administrative computer.
Objectives
After completing this lab, you will be able to:
Validate virtual network connectivity using Azure- and virtual machine-based tools.
Lab Setup
Estimated Time: 100 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before you begin this lab, ensure that you have completed the first lab in this module: Creating Virtual
Networks.
1. Use the full Azure portal to create two local networks in the Networks node, with the following
settings:
o NAME: ADATUM-HQ-LOCALNET
o CIDR: /24
o NAME: ADATUM-BRANCH-LOCALNET
o CIDR: /24
2. Use the full Azure portal to enable site-to-site VPNs by configuring ADATUM-HQ-VNET to connect
to ADATUM-BRANCH-LOCALNET and adding a gateway subnet, and by configuring ADATUM-BRANCH-VNET
to connect to ADATUM-HQ-LOCALNET and verifying that a gateway subnet has been created.
3. Use the full Azure portal to create dynamic routing gateways for ADATUM-HQ-VNET and
ADATUM-BRANCH-VNET.
4. Note that it will take 20-25 minutes for the gateways to be created; do not proceed until gateway
creation is complete.
1. Use the full Azure portal to obtain the gateway IP address of the ADATUM-HQ-VNET virtual
network, and the ADATUM-BRANCH-VNET virtual network.
2. Use the full Azure portal to edit properties of ADATUM-HQ-LOCALNET to add the gateway IP
address of ADATUM-HQ-VNET.
3. Use the full Azure portal to edit properties of ADATUM-BRANCH-LOCALNET to add the gateway IP
address of ADATUM-BRANCH-VNET.
4.
5. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Set-AzureVNetGatewayKey -VNetName ADATUM-HQ-VNET -LocalNetworkSiteName ADATUM-BRANCH-LOCALNET -SharedKey abcdefgh1234
6. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Set-AzureVNetGatewayKey -VNetName ADATUM-BRANCH-VNET -LocalNetworkSiteName ADATUM-HQ-LOCALNET -SharedKey abcdefgh1234
The key abcdefgh1234 is a classroom value; for a real tunnel use a long random key, and set the same
key on both VNets, as here, or the tunnel will not establish.
7. Use the full Azure portal to verify gateway configuration for ADATUM-HQ-VNET and
ADATUM-BRANCH-VNET; the Dashboard page now shows that a gateway has been created and connected for
the virtual network.
8.
9. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Get-AzureVNetConnection -VNetName ADATUM-HQ-VNET | ft LocalNetworkSiteName, ConnectivityState
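The same VNet-to-VNet procedure carried out entirely from Azure PowerShell, as an added example that is not one of the lab files: local network sites with a placeholder gateway address, gateway subnets and connection references, dynamic routing gateways, then the real gateway addresses and a randomly generated shared key. Assumed values: address spaces 10.0.1.0/25 (HQ) and 10.0.2.0/25 (branch), gateway subnets 10.0.1.96/27 and 10.0.2.96/27, and the placeholder address 192.0.2.1; the lab's literal key abcdefgh1234 is replaced by a generated one.

```powershell
# Added example; not one of the lab files. Address ranges and placeholder are assumptions.
$ns      = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration'
$cfgPath = Join-Path $env:TEMP 'NetworkConfig.xml'
$pairs   = @(
    @{ VNet='ADATUM-HQ-VNET';     Local='ADATUM-BRANCH-LOCALNET'; LocalPrefix='10.0.2.0/25'; GatewaySubnet='10.0.1.96/27' },
    @{ VNet='ADATUM-BRANCH-VNET'; Local='ADATUM-HQ-LOCALNET';     LocalPrefix='10.0.1.0/25'; GatewaySubnet='10.0.2.96/27' }
)

function Add-Elem($parent, [string]$name, [string]$text) {
    $e = $parent.OwnerDocument.CreateElement($name, $ns)
    if ($text) { $e.InnerText = $text }
    Write-Output -NoEnumerate $parent.AppendChild($e)
}

# Exercise 1, tasks 1-2: local network sites and site-to-site configuration in one update.
Get-AzureVNetConfig -ExportToFile $cfgPath | Out-Null
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable); $nsm.AddNamespace('n', $ns)
$vnc = $cfg.SelectSingleNode('//n:VirtualNetworkConfiguration', $nsm)
$vns = $vnc.SelectSingleNode('n:VirtualNetworkSites', $nsm)
if (-not $vns) { throw 'No virtual networks found; complete the first lab first.' }
$lns = $vnc.SelectSingleNode('n:LocalNetworkSites', $nsm)
if (-not $lns) {   # schema order is Dns, LocalNetworkSites, VirtualNetworkSites
    $lns = $vnc.InsertBefore($cfg.CreateElement('LocalNetworkSites', $ns), $vns)
}
foreach ($p in $pairs) {
    if (-not $lns.SelectSingleNode("n:LocalNetworkSite[@name='$($p.Local)']", $nsm)) {
        $site = Add-Elem $lns 'LocalNetworkSite'; $site.SetAttribute('name', $p.Local)
        $space = Add-Elem $site 'AddressSpace'
        Add-Elem $space 'AddressPrefix' $p.LocalPrefix | Out-Null
        Add-Elem $site 'VPNGatewayAddress' '192.0.2.1' | Out-Null   # placeholder until the gateway exists
    }
    $v = $vns.SelectSingleNode("n:VirtualNetworkSite[@name='$($p.VNet)']", $nsm)
    if (-not $v) { throw "$($p.VNet) is missing from the configuration." }
    $subnets = $v.SelectSingleNode('n:Subnets', $nsm)
    if (-not $subnets.SelectSingleNode("n:Subnet[@name='GatewaySubnet']", $nsm)) {
        $gs = Add-Elem $subnets 'Subnet'; $gs.SetAttribute('name', 'GatewaySubnet')
        Add-Elem $gs 'AddressPrefix' $p.GatewaySubnet | Out-Null
    }
    if (-not $v.SelectSingleNode('n:Gateway', $nsm)) {
        $ref = Add-Elem (Add-Elem (Add-Elem $v 'Gateway') 'ConnectionsToLocalNetwork') 'LocalNetworkSiteRef'
        $ref.SetAttribute('name', $p.Local)
        (Add-Elem $ref 'Connection').SetAttribute('type', 'IPsec')
    }
}
$cfg.Save($cfgPath)
Set-AzureVNetConfig -ConfigurationPath $cfgPath | Out-Null

# Exercise 1, task 3: dynamic routing gateways (20-25 minutes each; the cmdlet waits).
foreach ($p in $pairs) { New-AzureVNetGateway -VNetName $p.VNet -GatewayType DynamicRouting | Out-Null }

# Exercise 2, tasks 1-3: each gateway's real address goes into the local network
# that represents it (HQ's address into ADATUM-HQ-LOCALNET, and so on).
Get-AzureVNetConfig -ExportToFile $cfgPath | Out-Null
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable); $nsm.AddNamespace('n', $ns)
foreach ($p in $pairs) {
    $ip = (Get-AzureVNetGateway -VNetName $p.VNet).VIPAddress
    if (-not $ip) { throw "Gateway for $($p.VNet) has no address yet." }
    $local = ($pairs | Where-Object { $_.VNet -ne $p.VNet }).Local   # the site the other VNet points at
    $node  = $cfg.SelectSingleNode("//n:LocalNetworkSite[@name='$local']/n:VPNGatewayAddress", $nsm)
    $node.InnerText = $ip
}
$cfg.Save($cfgPath)
Set-AzureVNetConfig -ConfigurationPath $cfgPath | Out-Null

# Exercise 2, tasks 5-6: one random key, set identically on both sides.
$bytes = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$key = ([Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', '')
foreach ($p in $pairs) {
    Set-AzureVNetGatewayKey -VNetName $p.VNet -LocalNetworkSiteName $p.Local -SharedKey $key | Out-Null
}

# Exercise 2, task 9: both tunnels should report Connected.
foreach ($p in $pairs) {
    Get-AzureVNetConnection -VNetName $p.VNet |
        Format-Table @{n='VNet';e={$p.VNet}}, LocalNetworkSiteName, ConnectivityState, LastEventMessage -AutoSize
}
```

The script never prints the key; if you need it later for a third gateway, read it back with Get-AzureVNetGatewayKey rather than keeping a copy in a file.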
Results: After completing this exercise, you will have connected the A. Datum HQ and branch virtual
networks, and deployed dynamic routing gateways for each virtual network.
A. Datum now wish to test the new Azure networking configuration, and validate the connectivity
between the A. Datum HQ and branch virtual networks. For test purposes, one of your virtual machines
has been configured (in the deployment script) as a DNS server, so that you can test name resolution
between linked virtual networks. You will RDP into these virtual machines.
The main tasks for this exercise are as follows:
1. Connect to A. Datum Virtual Machines
2. Testing TCP/IP Connectivity between Sites
3. Testing Name Resolution
2.
If a Remote Desktop Connection warning message appears, select the Don't ask me again for
connections to this computer check box, and click Connect.
3.
In the Windows Security dialog box, type the following credentials, and click OK:
o
Password: Pa$$w0rd123
4.
If another Remote Desktop Message appears, select the Don't ask me again for connections to this
computer check box, and click Yes.
5.
6.
7.
If a Remote Desktop Connection warning message appears, select the Don't ask me again for
connections to this computer check box, and click Connect.
8.
In the Windows Security dialog box, type the following credentials, and click OK:
9.
Password: Pa$$w0rd123
If another Remote Desktop Message appears, select the Don't ask me again for connections to this
computer check box, and click Yes.
Maximize the AdatumEastSvr1 session, and ensure that Windows Firewall is turned off for all profiles.
(Turning the firewall off is a classroom shortcut so that the ping and DNS tests below succeed; on a real
server, add inbound rules for the specific test traffic instead.)
2.
3.
Maximize the AdatumWestSvr1 session, and ensure that Windows Firewall is turned off for all profiles
(the same classroom shortcut as on AdatumEastSvr1).
4.
5.
6.
1.
2.
Results: After completing this exercise, you will have verified that virtual machines can communicate
between virtual networks.
A. Datum now wish to implement secure communications from on-premises resources to Azure, and wish
to start by configuring and testing a point-to-site VPN connection to one of the gateways you created in
Exercise 3.
Only complete this lab if you have sufficient time remaining.
Important: Even if you do not complete this exercise, you must ensure you complete the
Reset the Environment task. This task resets your Azure subscription in preparation for later labs
and ensures that no unnecessary costs accrue.
The main tasks for this exercise are as follows:
1. Configuring a VPN from Client to HQ Virtual Network
2. Connecting to the HQ Virtual Network
3. Reset the Environment
2.
3.
4.
At the Command Prompt, type the following command, and press Enter:
CD C:\Program Files (x86)\Windows Kits\8.1\bin\x64
5.
At the Command Prompt, type the following command, and press Enter:
makecert -sky exchange -r -n "CN=AdatumRootCertificate" -pe -a sha1 -len 2048 -ss My "AdatumRootCertificate.cer"
6.
On the ADATUM-HQ-VNET CERTIFICATES page in the Azure Management Portal, upload the self-signed root certificate (AdatumRootCertificate.cer; this file holds only the public part of the certificate).
7.
8.
At the Command Prompt, type the following command, and press Enter:
makecert.exe -n "CN=AdatumClientCertificate" -pe -sky exchange -m 96 -ss My -in "AdatumRootCertificate" -is my -a sha1
9.
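The certificate part of this task, and of the point-to-site procedure in Lesson 3, scripted as an added example that is not one of the lab files: create the root certificate, export only its public part for upload, issue the client certificate from it, verify both, and package the client certificate for another computer. Assumed: makecert.exe is at the Windows Kits 8.1 path the lab uses, the certificate names are the lab's, and -a sha1 is kept so the result matches the lab procedure.

```powershell
# Added example; not one of the lab files. Paths and names are the lab's, as assumptions.
$makecert   = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe'
$rootName   = 'AdatumRootCertificate'
$clientName = 'AdatumClientCertificate'
$rootCer    = Join-Path $env:USERPROFILE "Desktop\$rootName.cer"
if (-not (Test-Path $makecert)) { throw "makecert.exe not found at $makecert" }

# Refuse to create a second root with the same name: makecert -in selects the
# issuer by name, and two candidates make the chain ambiguous.
if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$rootName" }) {
    throw "A certificate named CN=$rootName already exists in CurrentUser\My"
}

# Root: self-signed (-r), 2048-bit, exportable private key (-pe), stored in
# CurrentUser\My; the trailing path receives the public certificate only.
& $makecert -sky exchange -r -n "CN=$rootName" -pe -a sha1 -len 2048 -ss My $rootCer
if ($LASTEXITCODE -ne 0) { throw 'makecert failed while creating the root certificate' }

# Client: issued by the root (-in/-is), valid for 96 months (-m 96).
& $makecert -n "CN=$clientName" -pe -sky exchange -m 96 -ss My -in $rootName -is My -a sha1
if ($LASTEXITCODE -ne 0) { throw 'makecert failed while creating the client certificate' }

$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$rootName" }
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$clientName" }

# Checks before anything is uploaded:
# 1. the client certificate chains to this root and carries a private key
#    (that key plus the client package is what admits a computer to the VNet);
if ($client.Issuer -ne $root.Subject) { throw 'Client certificate was not issued by the root' }
if (-not $client.HasPrivateKey)       { throw 'Client certificate has no private key' }
# 2. the .cer to be uploaded is the root's public part and nothing more.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCer)
if ($exported.HasPrivateKey)                   { throw 'Exported .cer unexpectedly contains a private key' }
if ($exported.Thumbprint -ne $root.Thumbprint) { throw 'Exported .cer does not match the root in the store' }

# To use the VPN from another computer, move the client certificate as a
# password-protected PFX (private key included) and send the password separately.
$pfx = Join-Path $env:USERPROFILE "Desktop\$clientName.pfx"
$pw  = Read-Host -Prompt 'Password for the PFX export' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath $pfx -Password $pw | Out-Null

[pscustomobject]@{
    RootThumbprint   = $root.Thumbprint
    UploadThisFile   = $rootCer
    ClientThumbprint = $client.Thumbprint
    ClientPfx        = $pfx
}
```

Only the .cer goes to the portal; the root's private key stays in the store of the machine that issues client certificates, and the .pfx is the only thing that travels to a client.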
1.
Configure VPN client by downloading the 64-bit Client VPN Package, and installing it on the local
client.
2.
From the local client, connect to the VPN, and verify VPN connection using ipconfig/all.
3.
4.
1.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks and gateways, cloud services, and resource
groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error, if this occurs). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have configured and tested a point-to-site VPN
connection.
Review Question(s)
Question: What considerations are there for choosing a name resolution solution for an
Azure virtual network-based deployment?
Module 3
Implementing Virtual Machines
Module Overview
When you run a server or a virtual server in an on-premises data center, your administrative team must
maintain the server hardware, power interruption protection, cooling, networking hardware, load
balancing, and other aspects of data center management. If instead you choose to run a virtual machine
(VM) within Microsoft Azure, hardware and infrastructure management tasks are the responsibility of
Microsoft at the Microsoft Azure datacenter. This frees your administrators to concentrate on operating
systems and software, and usually results in greater availability. In this module, you will see how Microsoft
Azure VMs can host services for your users and customers and how to create, install, and configure VMs
with different operating systems and software platforms.
Objectives
After completing this module, you will be able to:
Configure and manage Microsoft Azure Infrastructure as a Service (IaaS) cloud services and endpoints.
Create Windows and Linux virtual machines in Microsoft Azure by using the portal and Microsoft
Azure PowerShell.
Lesson 1
Virtual machines are the basis of Microsoft Azure and provide support for the platform's implementation
of IaaS. In this lesson, you will look at the IaaS cloud services, which act as the logical container for Azure
virtual machines. You will then look at the various configuration options that apply at the IaaS cloud service
level, such as endpoints, IP addresses, and Access Control Lists (ACLs).
Lesson Objectives
After completing this lesson, you will be able to:
Understand how Azure virtual machines, virtual networks, and storage fit within Microsoft Azure.
Understand how cloud services endpoints facilitate communications to Azure virtual machines.
Perform the following tasks to prepare the lab environment. The Microsoft Azure services you will use in
the lab will be described in this module while the environment is being configured.
Note: Important: The scripts used in this course may delete any objects that you have in
your subscription. For this reason, you should complete this course against a new Azure
subscription. You should have received sign-up details and instructions for creating an Azure
Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases,
use a new Microsoft account that has not been associated with any other Azure subscription. This
avoids confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select, then creates a virtual network
(ADATUM-HQ-VNET). Setup-Azure then removes the Azure subscription and account from the Azure
PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.
Demonstration Steps
Sign in to your Microsoft Azure Subscription
1.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
You should already have created a Microsoft Azure trial subscription, if you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3.
When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Microsoft Azure subscription. Close any initial "welcome" messages.
4.
At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
tab that is opened, close any initial "welcome" messages for the new portal.
5.
Close the tab containing the new portal, keeping the full portal tab open.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3.
At the prompt, type the module number, and then press Enter.
4.
5.
When prompted, sign in using the Microsoft account associated with your Microsoft Azure
subscription.
6.
When prompted, enter the Azure region to use, and then press Enter.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
At the end of the setup, you should have the following:
Virtual machines consume Azure storage, and require a storage account in order to store virtual hard disk (VHD)
files.
Note that virtual machines are also part of the Azure PaaS offering; PaaS cloud services are also hosted on
virtual machines, as are websites. This module, and Module 4, focus on IaaS virtual machines.
PaaS cloud services, websites, and storage are discussed in later modules in this course.
A built-in Azure DNS server provides name resolution for all virtual machines within the same cloud
service; if you wish to extend this name resolution, to include on-premises resources, for example, you will
need to configure your own DNS solution (as discussed in Module 2).
Cloud services have an assigned publicly-reachable DNS name, in the form <unique cloud service
name>.cloudapp.net. A cloud service has at least one Virtual Internet Protocol (VIP) address assigned,
and the cloud service VIP allows inbound connections to Azure virtual machines from the Internet.
Cloud service IP addressing is discussed later in this lesson.
An endpoint consists of two ports, one public and one private, associated with the VIP of the cloud
service. The public port is publically-accessible over the Internet, and the private port is the port on which
the service is published on the Azure virtual machine. The endpoint, therefore, connects the public
interface (the VIP) on a cloud service with a private interface on a VM within that cloud service, by using
port translation at the routing service used by Windows Azure.
The private port represents a protocol, such as RDP or HTTP, which enables a client computer on the
Internet to access a published service on a VM hosted in Microsoft Azure. Microsoft Azure will pass
packets from the client directed to the public port through to the private port, where the service listening
on that port can process them.
Note: Important: Using endpoints, communications from the Internet to a virtual machine
in a cloud service uses only the VIP address; the internal IP address assigned to the virtual
machine is not used. Internal IP addressing is discussed in Module 4.
Default Endpoints
Default endpoints are provisioned automatically
when you create a virtual machine in either the
Full or New Portal. These default endpoints are:
With Windows-based VMs, a Remote Desktop Protocol (RDP) endpoint is created with a randomly
assigned high-order public port and a private port that, by default, uses the standard RDP port 3389.
Windows VMs also have a remote PowerShell endpoint with the public and private ports set to 5986. With
Linux-based VMs, a Secure Shell (SSH) endpoint is created with the public and private ports set to 22.
Again, if you wish, you can assign different values to these ports. Note that the random public port only
obscures the service: the endpoint is still reachable from any Internet address until you attach an ACL to
it (see Access Control Lists later in this lesson) or remove it.
Note: With a Windows-based VM, when you download the RDP Connection from the
Portal, the connection settings include the public port for connecting to the relevant VM. If you
subsequently set the public port manually, you will need to change the corresponding port
number on the RDP connection or download it again.
For example, in the Computer field on the RDP connection settings, you may see a value such as
Server133.cloudapp.net:50776. Here 50776 is the random high-order port assigned when the
VM is created. Azure then maps port 50776 to port 3389 on the VM. Any packets sent to port
50776 on host server133.cloudapp.net are then sent through to port 3389, where they are then
handled by the Remote Desktop service.
Creating Endpoints
On an existing VM, you can create additional endpoints to publish other services on the VM, such as FTP,
HTTP, or SMTP. This configuration requires selection of the transport protocol (TCP or UDP) and public
and private ports.
Endpoints can also be created, configured and deleted with Azure PowerShell cmdlets:
Endpoints can be configured as part of a load-balanced set that provides traffic distribution across
multiple VMs.
Note: Endpoints can also be configured for Direct Server Return. This feature is covered in
the Configuring IaaS Cloud Service Scalability topic in Module 4.
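Endpoint creation with the PowerShell cmdlets, as an added example that is not from the course: it publishes HTTPS on two VMs of one cloud service as a single load-balanced endpoint with a TCP health probe, then reports every endpoint the service now exposes. Assumed names: cloud service adatumweb and VMs adatumweb1 and adatumweb2.

```powershell
# Added example; not from the course. Service and VM names are assumptions.
$service = 'adatumweb'
$vmNames = 'adatumweb1', 'adatumweb2'

foreach ($name in $vmNames) {
    $vm = Get-AzureVM -ServiceName $service -Name $name
    if (-not $vm) { throw "VM $name not found in cloud service $service" }
    # Add-AzureEndpoint fails if the name is already taken, so skip on re-runs.
    if ($vm | Get-AzureEndpoint | Where-Object { $_.Name -eq 'HTTPS' }) { continue }
    $vm |
        Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -PublicPort 443 -LocalPort 443 `
            -LBSetName 'web-https' -ProbeProtocol tcp -ProbePort 443 `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM | Out-Null
}

# Inventory: one row per endpoint in the service. An endpoint with no ACL is
# reachable from any Internet address on its public port.
function Get-ServiceEndpointReport([string]$ServiceName) {
    foreach ($vm in Get-AzureVM -ServiceName $ServiceName) {
        foreach ($ep in ($vm | Get-AzureEndpoint)) {
            [pscustomobject]@{
                VM         = $vm.Name
                Endpoint   = $ep.Name
                Protocol   = $ep.Protocol
                PublicPort = $ep.Port
                LocalPort  = $ep.LocalPort
                Vip        = $ep.Vip
                LBSet      = $ep.LBSetName
                HasAcl     = ($null -ne $ep.Acl)
            }
        }
    }
}
Get-ServiceEndpointReport -ServiceName $service | Sort-Object VM, PublicPort | Format-Table -AutoSize
```

The same LBSetName on both VMs is what makes Azure treat the two endpoints as one balanced set; the probe port must answer on each VM or that VM is taken out of rotation.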
Connecting to Endpoints
Connection to the endpoint depends on the protocol in use. For example, to connect to the RDP
endpoint, you can click the Connect button on the Full Portal to generate an RDP connection file, which
you can then download or run. This RDP file will include the correct public port for the RDP endpoint on
that VM.
Similarly, to connect to a Linux-based system using the SSH endpoint, the login procedure requires use of
an SSH client, such as PuTTY. This client can then be run and configured to connect to the Linux VM. The
configuration requires the SSH details for the VM, such as myvmname.cloudapp.net, along with a port
number, for example, port 22 for SSH. With SSH, you can also authenticate with a key pair instead of a
password: the public key is placed on the VM, the private key stays with the client, and password
authentication can then be disabled on the VM so the exposed endpoint no longer accepts guessed passwords.
For more information on how to use SSH with Linux on Azure see:
How to Use SSH with Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=522623
For other endpoints, such as HTTP or HTTPS, the connection will be made by a client application (a
browser, for example, in the case of HTTP or HTTPS).
Endpoint IP Addressing
To communicate through an endpoint, the cloud
service must be assigned an IP address; this
assignment can be automatic (using defaults) or
can use a manual configuration to reserve an IP
address.
A reserved IP is a public IP address that is specifically assigned to a cloud service. This reservation means
that the IP address will not change and will remain associated with the cloud service when all the VMs in
the cloud service are either in the Stopped (Deallocated) state, or have been deleted. Otherwise, the
public IP address for a cloud service is lost when the last VM in that cloud service is shut down.
Note: Important: A VM will enter the Stopped (Deallocated) state if you use the Stop-AzureVM
cmdlet, or if you shut down the VM from the portal. If this VM is the last VM in the
cloud service, the public IP address for that cloud service will be removed and returned to the
pool of available addresses. So, if you need to shut down all the VMs in a cloud service and still
keep the same public IP address in Azure, the VMs must enter the Stopped state (not the
Stopped (Deallocated) state). To get a VM into the Stopped state, use Stop-AzureVM with the
-StayProvisioned parameter, or connect to the VM and shut it down from its operating system.
A VM in the Stopped state continues to incur compute charges; that is the cost of keeping the
address this way, and a reserved IP avoids the choice.
IP addresses can only be reserved for VMs and for PaaS cloud service web/worker roles, and must be
allocated before these VMs are deployed. The reservation is at the cloud service level, not at the VM or
web/worker role.
Reserved IPs are usually created because you need the IP address to remain consistent. For example, when
publishing a service out onto the Internet that has to use a fixed IP address. There are some
considerations regarding reserved IP deployment:
An organization with a Microsoft Enterprise Agreement can have up to 100 reserved IP addresses.
For more information on the billable costs of a reserved IP address, and on the availability of reserved IP
addresses in each Azure region, see:
IP Address pricing
http://go.microsoft.com/fwlink/?LinkID=398482
Reserving an IP Address
IP addresses are reserved by using PowerShell or the REST APIs. The Azure PowerShell cmdlets for
reserved IP management include:
New-AzureReservedIP creates a reserved IP ready for use with an IaaS cloud service
Get-AzureReservedIP lists the reserved IPs in the subscription, including which cloud service, if any, each is assigned to
Remove-AzureReservedIP releases a reserved IP that is no longer assigned to a service
To create a new reserved IP address, you use the New-AzureReservedIP cmdlet, and assign the new IP
address to a name:
Creating a new reserved IP address
New-AzureReservedIP -Location $location -ReservedIPName $ReservedIP
After you create a reserved IP address, you can allocate it to an IaaS cloud service during deployment of
the first virtual machine to that service.
After you create a reserved IP address, you can allocate it to a service by using the -ReservedIPName
parameter with either the New-AzureVM or New-AzureQuickVM cmdlet. The following example shows
the $ReservedIP address, created in the previous example, being used with New-AzureVM:
Assigning a reserved IP address to a cloud service during VM creation
New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password |
    New-AzureVM -ServiceName $service -ReservedIPName $ReservedIP -Location $location
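A guard for the deallocation behaviour described in the note above, as an added example that is not from the course: before stopping a VM it works out whether the stop would release the cloud service's public IP address, and keeps the VM provisioned in that case unless the caller explicitly accepts losing the VIP. Assumed names: cloud service adatumweb, VM adatumweb1.

```powershell
# Added example; not from the course. Service and VM names are assumptions.
function Stop-AzureVMKeepingVip {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        [Parameter(Mandatory=$true)][string]$Name,
        [switch]$AllowVipRelease    # explicit opt-in to Stopped (Deallocated) for the last VM
    )
    # Other VMs that are still allocated (Started, or Stopped but provisioned)
    # keep the VIP alive on their own.
    $others = @(Get-AzureVM -ServiceName $ServiceName |
                Where-Object { $_.Name -ne $Name -and $_.InstanceStatus -ne 'StoppedDeallocated' })
    $reserved = @(Get-AzureReservedIP | Where-Object { $_.ServiceName -eq $ServiceName })
    $rip = if ($reserved.Count -gt 0) { $reserved[0].ReservedIPName } else { '(none)' }

    $vipSurvives = ($others.Count -gt 0) -or ($reserved.Count -gt 0)
    if ($vipSurvives -or $AllowVipRelease) {
        # Deallocate: no compute charge; -Force suppresses the last-VM prompt.
        Stop-AzureVM -ServiceName $ServiceName -Name $Name -Force | Out-Null
        $mode = 'Stopped (Deallocated)'
    } else {
        # Last allocated VM and no reservation: stay provisioned so the VIP is kept.
        # The VM continues to incur compute charges in this state.
        Stop-AzureVM -ServiceName $ServiceName -Name $Name -StayProvisioned | Out-Null
        $mode = 'Stopped (StayProvisioned)'
    }
    [pscustomobject]@{
        VM                = $Name
        OtherAllocatedVMs = $others.Count
        ReservedIP        = $rip
        Result            = $mode
    }
}

Stop-AzureVMKeepingVip -ServiceName 'adatumweb' -Name 'adatumweb1'
```

Run it with -AllowVipRelease when the address genuinely does not matter; the default refuses to drop a VIP silently because DNS records and firewall rules elsewhere may still point at it.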
If you want to be able to connect to a VM by an IP address assigned directly to it, rather than by using the
cloud service VIP:<portnumber>, you can use instance-level Public IP (PIP) addressing. PIP addressing
has some similarities with reserved IP addresses that have just been discussed, such as a five IP address
limit for standard Azure subscriptions; however, with PIP addressing, the address applies to the VM itself,
rather than the cloud service. Instance-level PIPs are discussed in detail in Module 4.
Use rule ordering to ensure that the correct set of rules is applied on a given virtual machine endpoint.
With no endpoints defined, a VM accepts no inbound traffic from the Internet. When you create an
endpoint, its public port is opened to every Internet address until you attach an ACL. An ACL that
contains at least one permit rule denies everything it does not explicitly permit, whereas an ACL that
contains only deny rules permits everything else; rules are evaluated from the lowest Order value upward
and the first match wins. You apply ACLs to endpoints by using the full Azure Management Portal or the
new Azure Preview Portal, or by using Azure PowerShell.
To manage ACLs by using the full Azure Management Portal:
1. Click Virtual Machines, and then select the virtual machine that you want to configure.
2. Click Endpoints.
To configure an ACL on a specific endpoint, use the ACL cmdlets (New-AzureAclConfig, Set-AzureAclConfig,
Get-AzureAclConfig and Remove-AzureAclConfig) together with Set-AzureEndpoint, identifying the endpoint by
its EndpointName.
For more information on cmdlet syntax for managing endpoint ACLs, see:
Managing Access Control Lists (ACLs) for Endpoints by using PowerShell
http://go.microsoft.com/fwlink/?LinkID=511714
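The following script is an added example, not code from the course or the linked article. It shows the rule-ordering point above in working form: a permit rule for a management subnet is given a lower Order value than a catch-all deny, so it is evaluated first, and the resulting ACL is attached to an existing endpoint. A second function audits a whole cloud service for input endpoints that carry no ACL at all, which is the check a practitioner wants before exposing RDP or SSH. The cloud service, VM, endpoint name and management prefix are hypothetical.

```powershell
# Added example; not the course's own code. Hypothetical values: cloud service 'adatum-web-svc',
# VM 'WEB01', endpoint 'RemoteDesktop' (TCP 3389 inside the VM) and management range
# 203.0.113.0/24 (an RFC 5737 documentation prefix).
$serviceName = 'adatum-web-svc'
$vmName      = 'WEB01'
$endpoint    = 'RemoteDesktop'
$mgmtSubnet  = '203.0.113.0/24'

function Set-ManagementOnlyAcl {
    param([string]$ServiceName, [string]$VMName, [string]$EndpointName, [string]$AllowedSubnet)
    # Rules are evaluated in ascending Order and the first match wins, so the permit must sort
    # before the catch-all deny. Azure already denies unmatched sources once any permit rule
    # exists; the explicit deny documents the intent and survives later rule edits.
    $acl = New-AzureAclConfig
    Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet $AllowedSubnet -Order 100 `
        -Description 'Management subnet only' -ACL $acl
    Set-AzureAclConfig -AddRule -Action Deny -RemoteSubnet '0.0.0.0/0' -Order 200 `
        -Description 'Deny everything else' -ACL $acl
    Get-AzureVM -ServiceName $ServiceName -Name $VMName |
        Set-AzureEndpoint -Name $EndpointName -Protocol tcp -LocalPort 3389 -ACL $acl |
        Update-AzureVM
}

function Get-UnprotectedEndpoints {
    param([string]$ServiceName)
    # Reports every input endpoint in the service that has zero ACL rules, i.e. a public port
    # that answers to any Internet address. Get-AzureAclConfig enumerates an endpoint's rules.
    foreach ($vm in Get-AzureVM -ServiceName $ServiceName) {
        foreach ($ep in Get-AzureEndpoint -VM $vm) {
            $rules = @(Get-AzureAclConfig -EndpointName $ep.Name -VM $vm)
            if ($rules.Count -eq 0) {
                [pscustomobject]@{
                    VM = $vm.Name; Endpoint = $ep.Name; Protocol = $ep.Protocol; PublicPort = $ep.Port
                }
            }
        }
    }
}

Set-ManagementOnlyAcl -ServiceName $serviceName -VMName $vmName -EndpointName $endpoint -AllowedSubnet $mgmtSubnet
# Show the rules now applied, in evaluation order.
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureAclConfig -EndpointName $endpoint
# Anything listed here is still open to the whole Internet.
Get-UnprotectedEndpoints -ServiceName $serviceName | Format-Table -AutoSize
```

Note that an endpoint ACL filters only the public port of that endpoint; traffic between VMs inside the same cloud service or virtual network is not affected, which is one reason the note below points to NSGs for VNet deployments.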
Note: If you are using VNets, you should use Network Security Groups (NSGs) rather than endpoint
ACLs. NSGs provide more granular control, but are only available for VMs that are deployed in VNets. NSGs
are discussed in Module 4.
Lesson 2
This lesson introduces the planning considerations for virtual machines that will support workloads in
Microsoft Azure. Good planning helps ensure the best fit between an on-premises environment and the
Microsoft Azure virtual machines onto which workloads can be migrated.
Lesson Objectives
After completing this lesson, you will be able to:
Identify which workloads are appropriate for use with Microsoft Azure.
Explain the differences between on-premises virtual machines and Microsoft Azure virtual machines.
Propose which workloads in your on-premises environment might be suitable for migration to
Microsoft Azure.
Complex data analysis of sales figures that an organization only needs to run at the end of each
month.
Annual retail sales spurts that may occur during festive holidays.
Unpredictable growth workloads such as those experienced by small, but rapidly expanding,
organizations, or short-term increased sales of fad products.
Spiking workloads, such as those experienced by sites providing news services or organizations that
perform end-of-day reporting to a head office.
Steady workload scenarios where organizations simply want to offload their infrastructure to the
cloud.
When planning virtual machine workloads for Azure IaaS, it is also important to remember that not every
application or service is a suitable fit for the cloud.
Low volume or limited growth workloads where the organization might be able to run the service or
application on commodity hardware on-premises less expensively than in the cloud.
Regulated environment workloads where an organization, or even the local government, may
regulate the type of data that can be hosted in the cloud. However, these cases might be suitable
candidates for a hybrid solution where only some highly available data is hosted in Azure and the
more sensitive, regulated data is kept on-premises.
All Microsoft software installed in the Microsoft Azure virtual machine environment must be properly
licensed. By default, Microsoft Azure virtual machines include a license for using Windows Server in the
Microsoft Azure environment. Certain Microsoft Azure virtual machine offerings may also include
additional Microsoft software on a per-hour or evaluation basis. Licenses for other software must be
obtained separately.
A wide range of Microsoft server software is supported in an Azure IaaS virtual machine environment,
including Microsoft Forefront Identity Manager 2010 R2 SP1 and later versions; Microsoft SharePoint
Server 2010 and later versions; Microsoft SQL Server 2008 (64-bit) and later versions; and Microsoft
System Center 2012 SP1 and later versions.
The following Windows Server Roles are currently supported:
Application Server
DNS Server
File Services
Hyper-V
There are also some significant Windows Server features that are not currently supported:
BitLocker Drive Encryption (on the operating system hard disk; may be used on data disks)
Windows Server Failover Clustering, except for SQL Server AlwaysOn Availability Groups
Multipath I/O
SNMP Services
The Standard tier compute instances are designed to offer optimal compute, memory and IO resources to
suit the running of a wide range of applications and workloads. These instances include auto-scaling,
load balancing, and internal load balancing capabilities at no additional cost. Both tiers offer a
choice of sizes.
For more information on virtual machine and cloud service sizes, including any changes since this course
was published, see:
Virtual Machine and Cloud Service Sizes for Azure
http://go.microsoft.com/fwlink/?LinkID=522626
Note: Linux virtual machines may have significantly smaller OS disk sizes when created
from the Image Gallery.
Sizing Considerations
When deciding on sizing for your Azure virtual machines, consider the following:
The size of the virtual machine affects the pricing and the tier affects some capabilities.
When deploying a virtual machine for SQL Server Enterprise Edition, select a virtual machine with at
least four CPU cores.
Some of the physical hosts in Azure data centers may not support larger virtual machine sizes, such as
A5 to A9, and you may get an error message such as Failed to configure virtual machine <machine
name> or Failed to create virtual machine <machine name>.
When creating virtual machines in Azure, each cloud service in which those virtual machines reside can
contain a maximum of 50 virtual machines. When you create a new virtual machine, a cloud service is
automatically created to contain it, but you can add more virtual machines in that same cloud service up
to the 50 virtual machines limit. You can also have a maximum of 150 input endpoints per cloud service.
This tool helps customers profile their existing on-premises infrastructure and estimate the cost of running
it on Azure. It identifies the utilization and resource allocation on physical machines, as well as on
guest VMs running on VMware and Hyper-V, and determines the cost of running an on-premises physical or
virtual machine workload on Azure over a 30-day period. The tool scans the hardware and resource
utilization over a short period of time and is usually completed within 15 minutes. The resulting server
profile is then matched against Azure IaaS instance types to find the best fit based on cost or
performance. You can also export the results to either Excel or CSV format.
The tool can scan any of the following types of machine:
Windows 7 SP1
You can download the Microsoft Azure (IaaS) Cost Estimator tool at:
Microsoft Azure (IaaS) Cost Estimator Tool
http://go.microsoft.com/fwlink/?LinkID=522627
Azure supports only Generation 1 virtual machines, and not the Generation 2 virtual machines as
introduced with Hyper-V in Windows Server 2012 R2.
Azure virtual machines are no longer limited to one virtual network interface card (vNIC), but support
for multiple vNICs on a single virtual machine is currently subject to several conditions:
   o The number of vNICs you can create depends on the VM size; for example, Large (A3) and A6
     support two vNICs, ExtraLarge (A4) and A7 support four vNICs.
   o Multiple vNICs are only supported if VMs are in an Azure Virtual Network.
   o Instance-level PIP addressing is only supported on the default NIC, and there is only one PIP
     mapped to the IP of the default NIC. The additional NICs cannot be used in a Load Balance set.
[Table: Active Directory domain controller considerations, on-premises versus Azure; only fragments survived extraction]
Domain Controller IP address: on-premises vs. Azure (to configure)
AD database storage: on-premises vs. Azure (should change default storage location from the C: drive)
There are several considerations to look at when deciding how to deploy and configure SQL Server on
Azure virtual machines, including performance, high availability and disaster recovery, unused services,
and auto-scaling.
More information on deploying SQL Server on Azure virtual machines is discussed in Module 7 of this
course.
If you are running the Windows Server Essentials Experience on a domain controller, the DNS settings
can change when you change the size of the virtual machine. You can, however, manually reset the
settings back again after the resize operation.
You can get a false alert in the Best Practice Analyzer related to Windows Server Backup; this alert can
be ignored.
You cannot perform a client full system restore if your server running Windows Server Essentials
Experience is on a virtual machine that is hosted in Azure; although you can still restore volumes,
folders, or files.
If you have another server or client running in Azure, you cannot use the Connector software to
connect that server or client to the Windows Server Essentials Experience server running in Azure.
You cannot install the Azure Backup integration module; as a workaround, use the Azure Backup Agent
instead.
For more information on deploying a Windows Server Essentials Experience virtual machine in Azure, see:
Hosting Windows Server Essentials Experience on Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=522629
Identifying Service Interoperability Issues
There are some interoperability issues when using Azure virtual machines for DFS Namespace and DFS
Replication roles services, including:
DFS Namespaces
   o You can host domain-based namespaces in Azure virtual machines, including environments with
     Azure AD, though a single namespace can't encompass both on-premises namespace servers and
     namespace servers hosted in Azure VMs, even when using Active Directory Federation Services.
DFS Replication
   o Do not export, clone, or copy the Azure virtual machines running the DFS role.
   o When backing up data in a replicated folder hosted in a virtual machine, you must use backup
     software from within the guest virtual machine.
   o If you are replicating between Azure and on-premises DFS servers, DFS Replication will require a
     VPN connection between your on-premises replication group members and any members hosted
     in Azure VMs.
For more information on deploying the DFS Namespace and DFS Replication server roles on an Azure
virtual machine see the Interoperability with Azure virtual machines section:
DFS Namespaces and DFS Replication Overview
http://go.microsoft.com/fwlink/?LinkID=522630
Lesson 3
You should now have a better understanding of virtual machines in Microsoft Azure, and be able to relate
this feature to virtual machines in Hyper-V. In this next lesson, you will investigate how to create those
virtual machines, both by using the portal and by using Windows PowerShell scripts.
Lesson Objectives
After completing this lesson, you will be able to:
Create and delete virtual machines and cloud services by using Windows PowerShell.
Microsoft provides a set of tools and resources that can help an organization plan for virtual machine
deployment.
The main planning factor with any cloud-based service is not so much the availability of resources, but the
price that an organization is willing to pay for those resources. To help with estimating the potential costs
when planning for virtual machines in Microsoft Azure, you can use the Virtual Machines Pricing Details
page on the Microsoft Azure website, at http://go.microsoft.com/fwlink/?LinkID=511945 . You can also
use the Pricing Calculator tool which enables you to cost out different workloads and services in Microsoft
Azure. This can be accessed at http://go.microsoft.com/fwlink/?LinkID=511946.
The Microsoft Azure Virtual Machine Readiness Assessment tool automatically inspects your on-premises
environment, whether it is physical or virtualized, and provides you with a check list and detailed report
on steps you need to take to move your environment to the cloud. The Microsoft Azure team provides
tailored guidance and recommendations for migrating your environment to Microsoft Azure. This tool is
specifically designed to help you get started with planning Active Directory, SQL, or SharePoint migrations
to Azure.
Automated Assessment
This tool will provide a high level checklist and a detailed report.
The checklist outlines areas which are ready to move and areas which may need additional
configuration or design changes.
The detailed report offers expert guidance and advice tailored to your environment.
Expert Advice
Your report shows areas that are ready to move and areas that need additional configuration or
design changes.
Click into each area to get expert guidance and advice tailored to your specific situation.
For more information on the Microsoft Azure Virtual Machine Readiness Assessment tool, and download
links, see:
Microsoft Azure Virtual Machine Readiness Assessment
http://go.microsoft.com/fwlink/?LinkID=511947
The Microsoft Azure Virtual Machine Optimization Assessment tool will automatically inspect your virtual
machines running in Microsoft Azure and enable you to optimize your Microsoft Azure deployment,
through the provided prioritized recommendations. This assessment is specifically focused on SQL Server,
AD, and SharePoint.
For more information on the Microsoft Azure Virtual Machine Optimization Assessment tool, and
download links, see:
Microsoft Azure Virtual Machine Optimization Assessment
http://go.microsoft.com/fwlink/?LinkID=511948
For more information on performance considerations for SQL Server workload, see:
Performance Guidance for SQL Server in Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=511949
3. Configure any optional configuration settings, such as domain membership, virtual network or affinity
   group settings, a storage account, and an availability set.
There are several optional configuration settings that you can configure for your virtual machines; you
will create and configure a virtual machine yourself in the Preview Portal in the lab for this module.
For quick access, you can pin your virtual machines to the Startboard, and can unpin them if no longer
needed.
Deploying Virtual Machines by using the full Microsoft Azure Management Portal
If you use the Microsoft Azure Management Portal, you can either use the QUICK CREATE option to
rapidly provision a virtual machine, and then configure and customize it later, or use the FROM GALLERY
option to select an image from the gallery and configure it upfront.
With the QUICK CREATE method, you only need to provide the following information to provision a
virtual machine:
Select a pricing tier size for the virtual machine (the default for a Windows-based virtual machine is
A1).
With the FROM GALLERY method, you need to provide more information to provision a virtual machine:
Select a version release date for the image (to ensure you have the most up-to-date version).
Select a pricing tier size for the virtual machine (the default for a Windows-based virtual machine is
Standard A1).
A cloud service to create the virtual machine in (create new or select existing).
Region, affinity group, or virtual network to deploy the virtual machine to.
A storage account.
Creating a VM in a virtual network from a configuration object
$newVM = New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $osimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminname -Password $password |
    Set-AzureSubnet -SubnetNames $subnet
New-AzureVM -ServiceName $cloudservice -AffinityGroup $affinitygroup -VMs $newVM -VNetName $vnet -DnsSettings $dns -WaitForBoot
You can also create and configure a virtual machine in one step, as in this example:
Creating a quick VM
New-AzureQuickVM -Windows -ImageName $osimage -Location $location -Name $vmname -ServiceName $svcName -InstanceSize $size -AdminUserName $adminname -Password $password
There are more configuration options if you use the New-AzureVMConfig and New-AzureVM cmdlets,
such as the ability to use a static internal IP address by using Set-AzureStaticVNetIP.
For more information on using Microsoft Azure PowerShell to provision and deploy virtual machines, see:
Introduction to Windows Azure PowerShell
http://go.microsoft.com/fwlink/?LinkID=511950
Creating Windows Azure Virtual Machines with PowerShell
http://go.microsoft.com/fwlink/?LinkID=511951
For more information on using static internal IP addresses, see:
Configure a Static Internal IP Address for a VM
http://go.microsoft.com/fwlink/?LinkID=522631
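The following script is an added example, not code from the course or the linked article. It ties together the static internal IP address mentioned above and the domain controller considerations from the earlier table (the AD database should not stay on the C: drive): it checks that the chosen address is free in the VNet, builds the VM with Set-AzureSubnet and Set-AzureStaticVNetIP, attaches a data disk with host caching turned off for the directory database, and confirms after deployment that the static allocation was applied. The VNet, subnet, cloud service, VM name, address and region are hypothetical values.

```powershell
# Added example; not code from the course. Hypothetical values: VNet 'ADATUM-HQ-VNET', subnet
# 'Subnet-1', cloud service 'adatum-dc-svc', VM 'DC01', address 10.0.0.4, region 'West Europe'.
$vnet     = 'ADATUM-HQ-VNET'
$subnet   = 'Subnet-1'
$service  = 'adatum-dc-svc'
$vmName   = 'DC01'
$staticIP = '10.0.0.4'
$location = 'West Europe'
$admin    = 'Student'
$password = Read-Host -Prompt 'Local administrator password'   # keep secrets out of the script file
$image    = (Get-AzureVMImage |
             Where-Object { $_.ImageFamily -like 'Windows Server 2012 R2 Datacenter*' } |
             Sort-Object PublishedDate -Descending)[0].ImageName

# Pre-flight: Azure hands out VNet addresses by DHCP, and Set-AzureStaticVNetIP turns the lease
# into a permanent allocation. Refuse to continue if the address is already taken; a DC whose
# address changes breaks the DNS and Kerberos settings of every domain member.
$check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $staticIP
if (-not $check.IsAvailable) {
    throw "$staticIP is not free in ${vnet}; Azure suggests: $($check.AvailableAddresses -join ', ')"
}

# Data disk for NTDS.DIT, its logs and SYSVOL. HostCaching None is deliberate: the OS disk uses
# read/write host caching, which can lose directory writes on an unplanned stop, and the
# temporary D: drive is wiped on every reboot, so neither is a safe home for the database.
$vm = New-AzureVMConfig -Name $vmName -InstanceSize 'Medium' -ImageName $image |
      Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password |
      Set-AzureSubnet -SubnetNames $subnet |
      Set-AzureStaticVNetIP -IPAddress $staticIP |
      Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'NTDS' -LUN 0 -HostCaching None

# Use -AffinityGroup instead of -Location if the VNet is bound to an affinity group.
New-AzureVM -ServiceName $service -VNetName $vnet -Location $location -VMs $vm -WaitForBoot

# Confirm the allocation stuck before promoting the server.
$deployed = Get-AzureVM -ServiceName $service -Name $vmName
if ((Get-AzureStaticVNetIP -VM $deployed).IPAddress -ne $staticIP) {
    throw "Static IP was not applied to $vmName"
}
"$vmName is at $staticIP. Initialise the NTDS disk inside the guest and point the AD DS installation at it."
```

The VNet's DNS settings should list this address once the DC is promoted; until then, the VM still receives its address by DHCP inside the guest, so do not set a static address in the Windows network adapter itself.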
To log on to a Windows virtual machine you click the Connect button to start a Remote Desktop
Connection session. In the Microsoft Azure Management Portal, the CONNECT button is located in the
command bar at the bottom of the screen. In the Preview Portal, the CONNECT button is in the top menu
bar in the virtual machines blade. When you click CONNECT, you get the option to either open the RDP
file to immediately start the Remote Desktop Connection session, or save the RDP file so that you easily
connect to the virtual machine without having to select it in the portal.
Create virtual machines and cloud services using the Microsoft Azure PowerShell.
Delete virtual machines and cloud services using the Microsoft Azure PowerShell.
Demonstration Steps
Create a virtual machine using Microsoft Azure PowerShell
1. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
   Yes when prompted.
2. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure
   account to the local PowerShell environment:
Add-AzureAccount
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
4. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureSubscription
8. If the Script pane is not visible, on the View menu, click Show Script Pane.
9. In the PowerShell ISE, in the command prompt pane, select the subscription name, then right-click,
   and click Copy.
10. In the PowerShell ISE, in the Script pane, paste the subscription name.
11. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureStorageAccount
12. In the PowerShell ISE, in the command prompt pane, select the storage account name, then right-click, and click Copy.
13. In the PowerShell ISE, in the Script pane, paste the storage account name.
14. In the PowerShell ISE, in the Script pane, locate the following code:
Set-AzureSubscription -CurrentStorageAccountName <#Copy your storage account name
here#> -SubscriptionName <#Copy your subscription name here in quote marks#>
15. Replace <#Copy your storage account name here#> with your storage account name.
16. Replace <#Copy your subscription name here in quote marks#> with your subscription name; ensure
that you use single quote marks around the name.
17. In the PowerShell ISE, in the Script pane, select the code you have just edited.
18. On the toolbar, click the Run Selection button and wait for the script to complete.
19. In the PowerShell ISE, in the Script pane, select the following code:
$svcName = "20533lab03cloudsvc" + (Get-AzureStorageAccount).Label.Substring(15,6)
20. On the toolbar, click the Run Selection button and wait for the script to complete.
21. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$svcName
22. This variable should now contain a unique cloud service name, using the same unique number used
to create the storage account during lab preparation.
23. In the PowerShell ISE, in the Script pane, select the following code:
$location = (Get-AzureStorageAccount).Location
24. On the toolbar, click the Run Selection button and wait for the script to complete.
25. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$location
26. This variable should now contain the Azure region used during lab preparation.
27. In the PowerShell ISE, in the Script pane, select the following code:
$osimage = (Get-AzureVMImage | where {$_.ImageFamily -like "Windows Server 2012 R2
Datacenter*"} | sort PublishedDate -Descending)[0].ImageName
28. On the toolbar, click the Run Selection button and wait for the script to complete.
29. In the PowerShell ISE, in the Script pane, select the following code:
New-AzureQuickVM -Windows -ImageName $osimage -Location $location -Name DemoVM1 -ServiceName $svcName -InstanceSize Small -AdminUserName Student -Password 'Pa$$w0rd123'
30. On the toolbar, click the Run Selection button and wait for the script to complete.
31. In the PowerShell ISE, in the Script pane, select the following code:
New-AzureQuickVM -Windows -ImageName $osimage -Name DemoVM2 -ServiceName $svcName -InstanceSize Small -AdminUserName Student -Password 'Pa$$w0rd123'
32. On the toolbar, click the Run Selection button and wait for the script to complete.
33. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
34. On the Virtual machines blade, note the two new virtual machines listed, called DemoVM1 and
DemoVM2.
Delete virtual machines and a cloud service using Microsoft Azure PowerShell
1. In the PowerShell ISE, in the command prompt pane, enter each of the following commands and
   press Enter after each one:
Remove-AzureVM -ServiceName $svcName -Name DemoVM1
Remove-AzureVM -ServiceName $svcName -Name DemoVM2
Remove-AzureService -ServiceName $svcName
3. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
4. On the Virtual machines blade, note that the two virtual machines called DemoVM1 and DemoVM2
   are no longer listed.
6. On the Microsoft Azure Preview Portal home screen, click the AZURE PORTAL tile to open the full
   management portal.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does
not remove the Automation account (or the organizational account); this can either be manually deleted
or you can leave it in place, as it does not affect subsequent labs.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
rerun the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
OpenSUSE 13.1+
For more information on all prebuilt Linux images, including updates since this course was published, see:
Linux on Azure-Endorsed Distributions
http://go.microsoft.com/fwlink/?LinkID=511952
If you wish to use a Linux distribution that is not provided in the gallery, you can use your own virtual
machine image, and upload it as a VHD. Uploading and managing VHDs is covered in a later topic in this
lesson. You can also make use of community-supplied images on the VM Depot site:
https://vmdepot.msopentech.com/
http://go.microsoft.com/fwlink/?LinkID=523984
Important: The Azure platform SLA only applies to virtual machines running the Linux OS if you use
one of the endorsed distributions and the recommended configuration. The Linux distributions provided
in the Azure image gallery are endorsed distributions, and have the required configuration.
6. Select a region, affinity group or virtual network in which to deploy the virtual machine.
10. Verify that VM Agent will be installed (this setting is always on for Linux images and cannot be
    disabled).
11. Finish deploying the virtual machine.
If you use the new Preview Portal to create Linux virtual machines, the only authentication option is an
RSA OpenSSH public key, wrapped in an X.509 certificate. If you use the full Microsoft Azure Management
Portal, you can choose between providing an SSH public key certificate or entering a password to
authenticate. Key-based authentication is the better choice for a VM whose SSH endpoint is reachable from
the Internet, because a password on that endpoint can be guessed online.
You can also use the Microsoft Azure PowerShell interface to create Linux virtual machines using Windows
PowerShell cmdlets; the syntax is similar to that for Windows virtual machines.
To create and configure a Linux virtual machine in one step, you could use code such as that used in this
example:
Create a Linux VM
New-AzureQuickVM -Linux -ServiceName $cloudSvcName -Name "LinuxVM1" -ImageName $linuximage -LinuxUser LinuxUser -Location $location -InstanceSize Small -Password 'Pa$$w0rd123'
To log on to the Linux virtual machine from a Windows operating system, you need to download an SSH
client such as PuTTY. You will need to determine the host name and port information to log in to the
Linux virtual machine with your SSH client. This information can be obtained from the dashboard of the
Linux virtual machine under SSH DETAILS.
For more information on deploying Linux virtual machines in Microsoft Azure, see:
Create a Virtual Machine Running Linux
http://go.microsoft.com/fwlink/?LinkID=511953
Introduction to Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=511954
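The following script is an added example, not code from the course or the linked articles. It creates a Linux VM from PowerShell with SSH public-key authentication instead of the password used in the example above: the RSA public key is wrapped in an X.509 certificate (the classic deployment model's format), the certificate is uploaded to the cloud service, and its thumbprint is handed to the provisioning configuration, after which the script lists the endpoints so the SSH port can be given to PuTTY. The cloud service, VM, user, certificate path and image family are hypothetical, and the -NoSSHPassword switch is assumed to be available in the installed Azure PowerShell module.

```powershell
# Added example; not the course's own code. Hypothetical values: cloud service 'adatum-lnx-svc',
# VM 'LinuxVM1', user 'LinuxUser', certificate C:\keys\linuxvm1.cer (an X.509 certificate
# containing the RSA public key; how it was generated is outside this example).
$service   = 'adatum-lnx-svc'
$vmName    = 'LinuxVM1'
$location  = 'West Europe'
$linuxUser = 'LinuxUser'
$certPath  = 'C:\keys\linuxvm1.cer'
$image     = (Get-AzureVMImage |
              Where-Object { $_.ImageFamily -like 'Ubuntu Server 14.04 LTS*' } |
              Sort-Object PublishedDate -Descending)[0].ImageName

# The VM agent identifies the key by the certificate's SHA-1 thumbprint.
$cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$thumbprint = $cert.Thumbprint

# The certificate has to exist in the cloud service before a VM can reference it, so the
# service is created up front. Test-AzureName -Service returns $true when the name is taken.
if (-not (Test-AzureName -Service $service)) {
    New-AzureService -ServiceName $service -Location $location | Out-Null
}
Add-AzureCertificate -ServiceName $service -CertToDeploy $certPath | Out-Null

# Tell the agent to install the key into the user's authorized_keys file.
$sshKey = New-AzureSSHKey -PublicKey -Fingerprint $thumbprint -Path "/home/$linuxUser/.ssh/authorized_keys"

# -NoSSHPassword (assumed available) provisions the user without a password, so the only way in
# is the key; no -Location here because the service already exists.
New-AzureVMConfig -Name $vmName -InstanceSize 'Small' -ImageName $image |
    Add-AzureProvisioningConfig -Linux -LinuxUser $linuxUser -SSHPublicKeys $sshKey -NoSSHPassword |
    New-AzureVM -ServiceName $service -WaitForBoot

# Post-deployment check: the only input endpoint should be SSH. 'Port' is the public port that
# PuTTY must be pointed at (the same value the portal shows under SSH DETAILS).
$vm = Get-AzureVM -ServiceName $service -Name $vmName
Get-AzureEndpoint -VM $vm | Select-Object Name, Protocol, Port, LocalPort, Vip
```

If the module in use lacks -NoSSHPassword, keep -Password but then add an endpoint ACL to the SSH endpoint, as shown earlier in this module, so the password is not exposed to every Internet address.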
You can store your own images in Microsoft Azure, by either capturing an existing Microsoft Azure
virtual machine for use as an image or by uploading an image.
These common tasks for managing Microsoft Azure images can be performed using either the Microsoft
Azure Management Portal or Microsoft Azure PowerShell.
Create and upload a VHD that contains the Windows Server operating system
Create and upload a VHD that contains the Linux operating system
These are the main steps in the process to capture an image from a virtual machine that is running
Windows Server:
1. In the Microsoft Azure Management Portal, connect and log on to the virtual machine running
   Windows Server.
4. In Sysprep choose:
5. In the Microsoft Azure Management Portal, after the virtual machine shuts down, select Capture.
These are the main steps in the process to capture an image from a virtual machine that is running the
Linux operating system:
1. In your Secure Shell (SSH) client, connect and log on to the virtual machine running Linux.
3. In the Microsoft Azure Management Portal, shut down the virtual machine.
   a. Click Capture.
These are the main steps in the process of creating and uploading a VHD containing the Windows Server
operating system to Microsoft Azure as an image:
1. On the Windows Server, open a command prompt and change the current directory to
   %Windir%\system32\sysprep.
3. In Sysprep choose:
4. In the Microsoft Azure Management Portal, after the virtual machine shuts down:
5. Establish a secure connection to your Microsoft Azure subscription by downloading and importing
   your publish settings file.
6. In Microsoft Azure PowerShell, upload the VHD file using the Add-AzureVhd cmdlet.
7. In the Microsoft Azure Management Portal, add the uploaded VHD as an image by doing the
   following:
   b. Click Images.
   d. In the Create an image from a VHD window, enter the name, description, URL for your image,
      operating system family, and confirm you have run Sysprep.
   e. When complete, your new image will be listed under My Images when you create a new virtual
      machine.
There are several cmdlets available in Microsoft Azure PowerShell to help you create and manage images
in Microsoft Azure:
Get-AzureVMImage returns a list of the images that are available for your subscription, including
those provided with Microsoft Azure and your own custom images.
Remove-AzureVMImage deletes an image, but it does not delete any virtual machines created from
the image.
For more information on managing images with Microsoft Azure PowerShell, see:
Manage Images using Windows PowerShell
http://go.microsoft.com/fwlink/?LinkID=511959
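The following script is an added example, not code from the course or the linked article. It performs the image tasks of the preceding topics entirely from PowerShell: capturing a Sysprep-generalized VM with Save-AzureVMImage, uploading a locally built VHD with Add-AzureVhd and registering it with Add-AzureVMImage, listing the subscription's own images, and, before uploading anything, checking that the vhds container is not publicly readable, since an image VHD is a complete disk that anyone could download from a public container. The cloud service, VM, storage account, blob URI and local path are hypothetical.

```powershell
# Added example; not code from the course. Hypothetical values: cloud service 'adatum-img-svc',
# VM 'IMGBUILD01', storage account 'adatumstore01', local VHD C:\images\base-ws2012r2.vhd.
$service  = 'adatum-img-svc'
$vmName   = 'IMGBUILD01'
$storage  = 'adatumstore01'
$localVhd = 'C:\images\base-ws2012r2.vhd'
$blobUri  = "https://$storage.blob.core.windows.net/vhds/base-ws2012r2.vhd"

function Save-GeneralizedImage {
    param([string]$ServiceName, [string]$VMName, [string]$ImageName)
    # A generalized image must come from a VM that Sysprep shut down. Capturing a running or
    # specialized machine would bake its SID, hostname and local secrets into every clone.
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if ($vm.PowerState -ne 'Stopped') {
        # -StayProvisioned stops the VM without deallocating it (and keeps the service VIP).
        Stop-AzureVM -ServiceName $ServiceName -Name $VMName -StayProvisioned | Out-Null
    }
    Save-AzureVMImage -ServiceName $ServiceName -Name $VMName -ImageName $ImageName -OSState Generalized
}

function Register-UploadedVhd {
    param([string]$LocalPath, [string]$Destination, [string]$ImageName)
    # Add-AzureVhd uploads only the used pages of the VHD to the given blob URI.
    Add-AzureVhd -LocalFilePath $LocalPath -Destination $Destination | Out-Null
    Add-AzureVMImage -ImageName $ImageName -MediaLocation $Destination -OS Windows `
        -Label "$ImageName (sysprepped)" -Description 'Uploaded generalized base image'
}

function Test-VhdContainerPrivate {
    param([string]$ContainerName = 'vhds')
    # Public access 'Blob' or 'Container' lets anyone download the disks anonymously.
    (Get-AzureStorageContainerAcl -Name $ContainerName).PublicAccess -eq 'Off'
}

function Get-CustomImages {
    # Category 'User' separates your own images from the platform gallery.
    Get-AzureVMImage | Where-Object { $_.Category -eq 'User' } |
        Select-Object ImageName, OS, Location, PublishedDate
}

# Storage cmdlets operate on the subscription's current storage account.
Set-AzureSubscription -SubscriptionName (Get-AzureSubscription -Current).SubscriptionName `
    -CurrentStorageAccountName $storage
if (-not (Test-VhdContainerPrivate)) {
    throw "Container 'vhds' in $storage is publicly readable; fix its access level before uploading images."
}

Save-GeneralizedImage -ServiceName $service -VMName $vmName -ImageName 'adatum-ws2012r2-captured'
Register-UploadedVhd -LocalPath $localVhd -Destination $blobUri -ImageName 'adatum-ws2012r2-uploaded'
Get-CustomImages | Format-Table -AutoSize

# Removing an image does not touch VMs built from it; -DeleteVHD also deletes the backing blob.
# Remove-AzureVMImage -ImageName 'adatum-ws2012r2-uploaded' -DeleteVHD
```

The container check uses the storage context that Set-AzureSubscription establishes; if the vhds container does not exist yet, Get-AzureStorageContainerAcl raises an error, which is the right outcome because Add-AzureVhd would otherwise create it with the default (private) access level.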
As part of the planning for Microsoft Azure, A. Datum need to understand their requirements for virtual
machine workloads; you have been asked to determine the virtual machines that will be needed to run
two intranet web applications, together with their sizes and locations. One application is a simple
expense-reporting application that runs on Windows and IIS, and uses SQL server to store data. The other
application is for pool car booking and runs on Linux and Apache and uses MySQL to store data. You will
then deploy and configure Windows and Linux VMs.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
In Internet Explorer, sign into the new Azure Preview Portal using the Microsoft account that is
associated with your Azure subscription.
2.
Password: Pa$$w0rd123
Note: At the time of writing, there appears to be a bug with the Azure Preview Portal, where the
NOTIFICATIONS list shows the virtual machine provisioning process lasting indefinitely. The Startboard
may also fail to update; the fix is to switch to the Full Portal, which does correctly show the status of
VM provisioning.
1. Start the Microsoft Azure PowerShell interactive scripting environment (ISE) as Administrator.
2. Add your Azure account to the local PowerShell environment by using Azure AD authentication.
4. Find the latest virtual machine image for Windows Server 2012 Datacenter.
5. Use Microsoft Azure PowerShell to create a new virtual machine with the following settings:
   o Administrator: Student
   o Password: Pa$$w0rd123
2. In the Microsoft Azure PowerShell ISE, create a new virtual machine with the following settings:
   o VM name: LinuxVM1
1. In Internet Explorer, browse to the download page for PuTTY, and download the putty.exe file for
   Windows on Intel x86 platforms.
2. Using the new Azure Preview Portal, determine the host name and port number for the new Linux
   virtual machine, LinuxVM1.
3. Open the PuTTY client and connect to the LinuxVM1 virtual machine using the following credentials:
   o User: LinuxUser
   o Password: Pa$$w0rd123
Module 4
Managing Virtual Machines
Contents:
Module Overview 4-1
Module Overview
Creating virtual machines (VMs) is the first step in deploying an Azure environment, but equally important
is understanding the options for configuring and then monitoring VMs. Configuration and management
are essential in delivering secure, available and scalable solutions. Azure provides highly flexible options
for all three of these requirements, but simply leaving systems at default settings seldom delivers the best
solution, for security, availability, or scalability.
In this module you will see some of the configuration, security, and monitoring options available for Azure
administrators.
Objectives
After completing this module, you will be able to:
Lesson 1
Virtual machines are the basis of Microsoft Azure and provide support for the platform's implementation
of Infrastructure as a Service (IaaS). In this lesson, you will look at the different configuration options that
you can control, such as IP addresses, along with storage, availability, scalability, and security
architectures and settings.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the implementation of public and private IP addressing in Azure virtual machines.
Perform the following tasks to prepare the lab environment. The Microsoft Azure services you will use in
the lab will be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure, to
prepare the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab.
For this lab, Setup-Azure creates a storage account in the Azure region you select. It then creates a virtual
network (ADATUM-HQ-VNET), then creates 2 VMs (one a regular Windows server, and one with SQL
Server), then uploads a VHD (and makes copies) to Azure, and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.
Demonstration Steps
Sign in to your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Microsoft Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
tab that is opened, close any initial "welcome" messages for the new portal.
5. If you are prompted for credentials, sign in using the Microsoft account that is associated with your
Microsoft Azure subscription.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3.
At the prompt, type the module number, and then press Enter.
4.
5.
When prompted, sign in using the Microsoft account associated with your Microsoft Azure
subscription.
When prompted, enter the Azure region to use (do not use East Asia), and then press Enter.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 30-40 minutes to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
At the end of setup, you should have the following:
Overview of VM IP Addressing
In Module 3, IP addressing for IaaS cloud services
was discussed, and you saw how you can
communicate with a virtual machine by using
endpoints. You will now see how IP addresses are
assigned to individual virtual machines.
Dynamic IP Addresses
By default, a new Azure virtual machine is
automatically deployed with a single virtual NIC
(vNIC), and with a single dynamic IP (DIP) address.
The DIP address is randomly assigned by Azure,
from available addresses for that cloud service. If
you wish to use specific IP address ranges, you can
use VNets.
If you use VNets to assign IP addresses from a subnet during VM deployment, the first VM to be created
will get the first available IP address from the subnet. For example, for the address range 10.0.0.0/11, the
first available IP address is 10.0.0.4 (as Azure reserves 10.0.0.1, 10.0.0.2, and 10.0.0.3, and 10.0.0.0 is not
available for assignment). In this example, the second VM to be deployed will get 10.0.0.5, and so on. So,
if you use VNets to assign dynamic addresses, you do control the address range, but the only way to
predict the IP address of each VM is by knowing the order in which the VMs are deployed.
If you use the Stop-AzureVM cmdlet, or if you shut down a VM from the portal, the VM will enter the
Stopped (Deallocated) state, and will lose its IP address unless you used VNets to assign IP addresses
from a subnet during deployment.
Static IP Addresses
An organization typically requires static internal IP addresses on VMs that are running IP address sensitive
services, such as domain controllers or DNS servers. In contrast to a DIP address, a static IP is maintained
for a VM even when the VM is in the Stopped (Deallocated) state. Azure supports the assignment of
static IP addresses for VNets by using Azure PowerShell; these cmdlets are described in the next topic.
Important: Both dynamic and static IP addresses are primarily concerned with
communications within the IaaS cloud service. For communication between external networks
and Azure, additional addressing mechanisms must be taken into account, such as VPNs, as
discussed in Module 2.
PIP addresses are assigned using Azure PowerShell (currently), and are subject to the same address limits
as for the reserved VIP addresses discussed in Module 3; for example, up to five addresses are available
with a standard Azure subscription; PIP addresses also have a billable cost. Note that, unlike reserved VIP
addresses, PIP addresses cannot be reserved; if the VM enters the Stopped (Deallocated) state, the PIP
address is not retained.
Passive FTP: using a PIP, the VM can receive traffic on just about any port; you will not have to open
up a specific endpoint to receive traffic. This enables scenarios like passive FTP, where the ports are
chosen dynamically.
Outbound IP: outbound traffic originating from the VM goes out with the PIP as the source, and this
uniquely identifies the VM to external entities.
The assignment of PIP addresses by using Azure PowerShell is described in the next topic.
Configuring VM IP Addressing
The method used to assign an IP address to an
Azure virtual machine varies, depending on the
type of address required.
Configuring DIP
No configuration is needed for VMs to get internal
IP addresses using DIP, unless you are using VNets;
configuring addresses using VNets is discussed in
Module 2 of this course.
A static IP can be requested, either when a new VM is created, or by updating an existing VM
configuration. This is a request, rather than a guaranteed allocation, and the IP address is set by Azure and
not within the VM itself. The administrator should check that the required IP address is available by
running the Azure PowerShell cmdlet Test-AzureStaticVNetIP for the VNet.
To request a static IP address when creating a VM or when updating an existing VM, you can use the
Set-AzureStaticVNetIP Azure PowerShell cmdlet.
If a VM has a static IP address, this must be removed, before a new static IP address is assigned, by using
the Remove-AzureStaticVNetIP cmdlet.
You can specify a static IP address when creating a new virtual machine; you must first ensure that the
address you are specifying is within the VNet subnet you are using, and that the address is not already in
use. The following example shows 10.0.1.4, from the subnet defined in $subnet, being assigned during
deployment:
Specifying a static internal IP address when creating a VM
You can set a static IP address for a previously created VM by using Update-AzureVM. Update-AzureVM
automatically restarts the VM as part of the update process, and the address that you specify
will be assigned after the VM restarts. The following example shows 10.0.1.4 being assigned to the VM
name defined in $vmname:
Assigning a static internal IP address for a previously created VM
It is good practice to separate the VMs that have static IP addresses from those using dynamic addressing
(and from any PaaS instances) in the same virtual network, by creating a separate subnet for the VMs and
deploying them to that subnet. This configuration enables you to readily identify VMs with static IP
addresses.
For more information, see Configure a Static Internal Address for a VM:
http://go.microsoft.com/fwlink/?LinkID=522631
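The following is an added example, not code from the course, that strings together the cmdlets this topic describes for an existing VM: check the address with Test-AzureStaticVNetIP, clear any static IP the VM already holds with Remove-AzureStaticVNetIP, then request the new one and apply it with Update-AzureVM. The cloud service and VM names are assumed lab values; the VNet name is the one Setup-Azure creates.

```powershell
# Added example (not from the course text). Assumed names: $service and $vmname.
$service = "adatum-svc"        # assumed cloud service name
$vmname  = "ADATUM-DC1"        # assumed VM name
$vnet    = "ADATUM-HQ-VNET"    # VNet created by Setup-Azure for the lab
$ip      = "10.0.1.4"          # address used in the course example

# 1. Confirm the address is free in the VNet before requesting it. Azure returns
#    IsAvailable plus a list of alternatives; stop rather than guess another one.
$check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $ip
if (-not $check.IsAvailable) {
    throw "$ip is not available. Azure suggests: $($check.AvailableAddresses -join ', ')"
}

# 2. Get the persisted VM configuration object that the static IP cmdlets expect.
$vm = Get-AzureVM -ServiceName $service -Name $vmname

# 3. An existing static IP must be removed before a new one can be assigned.
if (Get-AzureStaticVNetIP -VM $vm) {
    $vm = $vm | Remove-AzureStaticVNetIP
}

# 4. Request the static IP and push the updated configuration.
#    Update-AzureVM restarts the VM; the address takes effect after the restart.
$vm | Set-AzureStaticVNetIP -IPAddress $ip | Update-AzureVM

# 5. Verify that the saved configuration now carries the static address.
$assigned = (Get-AzureVM -ServiceName $service -Name $vmname | Get-AzureStaticVNetIP).IPAddress
if ($assigned -ne $ip) { throw "Expected $ip but configuration reports '$assigned'" }
"Static IP $assigned is configured on $vmname"
```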
To assign a PIP either at VM creation, or as a post-configuration step, you use the Set-AzurePublicIP
-PublicIPName "<name>" cmdlet. Azure will then assign an available IP address; this address will be lost
when the virtual machine enters the Stopped (Deallocated) state so that, when the VM starts again, it
will get a new PIP.
You can specify a PIP address when creating a new virtual machine; the following example shows a PIP,
with the name defined in $PublicIP being assigned to the VM name defined in $vmname during
deployment:
Specifying a PIP address when creating a VM
New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $image | Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password | Set-AzurePublicIP -PublicIPName $PublicIP | New-AzureVM -ServiceName $service
You can set a PIP address for a previously created VM, by using Update-AzureVM. Update-AzureVM
automatically restarts the VM as part of the update process, and the address will be assigned after the VM
restarts. The following example shows a new PIP, with the name defined in $PublicIP, being assigned to
the VM name defined in $vmname:
Assigning a PIP address for a previously created VM
Configuring VM Availability
Just like on-premises deployments, administrators
must design their Azure deployment to ensure
service availability, against planned and unplanned
maintenance events. Azure offers Availability Sets
as part of a well-designed approach to
maintaining service availability.
When designing an Azure VM environment, you
should:
An Availability Set is a logical grouping of two or more VMs. Each virtual machine in an Availability Set is
automatically assigned an Update Domain and a Fault Domain.
Update Domains
An Availability Set consists of up to five non-user-configurable Update Domains (by default) to which VMs
are assigned; by modifying the service definition (.csdef) file, it is possible to configure a maximum of 20
Update Domains. Each Update Domain contains a set of virtual machines and associated physical
hardware that can be updated and rebooted at the same time.
When more than five virtual machines are configured within a single Availability Set, the sixth virtual
machine will be placed into the same Update Domain as the first virtual machine, the seventh in the same
Update Domain as the second virtual machine, and so on. During planned maintenance, only one Update
Domain is rebooted at a time.
Fault Domains
Fault Domains define a group of virtual machines that share a common set of hardware, such as a server
rack serviced by a set of power or networking switches. VMs in an Availability Set are placed across two
Fault Domains. This placing of VMs in Availability Sets mitigates the effects of hardware failures,
network outages, power interruptions, or software updates.
By placing common application servers, such as web or database servers, in function-based Availability
Sets and then using load balancing (discussed in the next topic), you can protect each service and enable
traffic to be continuously served by at least one instance of each service.
Configuring VM Scalability
Microsoft Azure includes three types of load
balancing:
Traffic Manager load balancing, which load-balances external traffic across multiple
externally-facing VMs, cloud services, or
website instances.
By default, Traffic Manager uses DNS-level load balancing (round-robin) to distribute requests across
different cloud services located in different data centers. You can even distribute traffic across different
subscriptions, although this configuration is not supported and would only work with anonymous
requests. With the new nested profiles, weighted round-robin feature, and support for external endpoints,
you can use Azure PowerShell or REST API commands to create flexible load balancing schemes, such as
always distributing traffic to the region closest to an application's end user.
Azure Load Balancing is an automatic feature that maps a single public IP address and port number of
incoming traffic to the private IP addresses and port numbers of a set of VMs, known as a load-balanced
set.
To configure Azure load balancing across VMs in a cloud service, you must create the load-balanced set,
and include in this set all the VMs that you wish to respond to external requests to a particular public IP
address and port number. VMs and services within the cloud service listen on their private IP address and
private port; the Azure Load Balancer, therefore, maps the public IP address and port number of incoming
traffic to the private IP address and port number of one VM in the set, and reverses this for the response
traffic from the VM.
By default, Azure provides random distribution of the incoming traffic. Traffic is distributed between the
VMs in the load-balanced set by calculating a hash value of the following client values:
Source IP address
Destination IP address
Source port
Destination port
This value is mapped to an available VM in the set. All the packets from the same connection map to the
same server in the set.
With the new source IP affinity distribution mode (also known as session affinity or client IP affinity), the
Azure Load Balancer can be configured to use either Source IP + Destination IP, or Source IP +
Destination IP + Protocol to map traffic to available servers. Source IP affinity ensures that connections
initiated from the same client computer always go to the same DIP endpoint; without source IP affinity,
when a client closes and re-opens a connection, or starts a new session from the same source IP, the
source port changes and may be directed to a different DIP endpoint.
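To make the difference between the two distribution modes concrete, here is an added illustration (not Azure's actual hashing code): a hash over the tuple the course lists selects a backend, and the same client reconnecting from a new source port lands on a possibly different DIP endpoint in the default mode but always on the same one under source IP affinity. The backend addresses and client flows are constructed.

```powershell
# Added illustration; not Azure's implementation. Backends and flows are constructed.
function Get-BackendIndex {
    param(
        [Parameter(Mandatory)][hashtable]$Flow,   # keys: SrcIP, DstIP, SrcPort, DstPort, Proto
        [ValidateSet('Default', 'SourceIP', 'SourceIPProtocol')][string]$Mode = 'Default',
        [int]$BackendCount = 3
    )
    # Which fields take part in the hash depends on the distribution mode:
    # Default = the four client values the course lists; the affinity modes drop the ports.
    $key = switch ($Mode) {
        'Default'          { '{0}|{1}|{2}|{3}' -f $Flow.SrcIP, $Flow.DstIP, $Flow.SrcPort, $Flow.DstPort }
        'SourceIP'         { '{0}|{1}' -f $Flow.SrcIP, $Flow.DstIP }
        'SourceIPProtocol' { '{0}|{1}|{2}' -f $Flow.SrcIP, $Flow.DstIP, $Flow.Proto }
    }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($key))
    $sha.Dispose()
    # Take the first four hash bytes as an unsigned integer and map it onto the set.
    return [int]([System.BitConverter]::ToUInt32($bytes, 0) % $BackendCount)
}

# Constructed load-balanced set (private DIPs) and two connections from one client
# that differ only in source port, as happens when the client closes and reconnects.
$backends = @('10.0.1.4', '10.0.1.5', '10.0.1.6')
$first  = @{ SrcIP = '203.0.113.10'; DstIP = '198.51.100.20'; SrcPort = 50000; DstPort = 80; Proto = 'TCP' }
$second = @{ SrcIP = '203.0.113.10'; DstIP = '198.51.100.20'; SrcPort = 50001; DstPort = 80; Proto = 'TCP' }

foreach ($mode in 'Default', 'SourceIP', 'SourceIPProtocol') {
    $a = $backends[(Get-BackendIndex -Flow $first  -Mode $mode -BackendCount $backends.Count)]
    $b = $backends[(Get-BackendIndex -Flow $second -Mode $mode -BackendCount $backends.Count)]
    # In Default mode the reconnect may land elsewhere; in the affinity modes it never does.
    '{0,-17} first -> {1}  reconnect -> {2}  same backend: {3}' -f $mode, $a, $b, ($a -eq $b)
}
```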
For more information on the steps necessary to configure Azure load-balancing, see:
Configure a load-balanced set
http://go.microsoft.com/fwlink/?LinkID=511712.
Administrators can create endpoints through the full portal or by using the Azure PowerShell cmdlet
Add-AzureEndpoint.
For more information on scenario-based examples for internal load balancing, see:
Internal load balancing
http://go.microsoft.com/fwlink/?LinkID=511713
One potential issue with load balancing is that the Azure load balancer itself can become a
bottleneck. This can be the case with a large number of requests in high traffic environments. An
administrator can configure a load-balanced set to provide Direct Server Return. This enables the server
that is servicing a client request to respond directly to the client. This means that the load balancer is free
to handle new requests, rather than responses. Direct Server Return is commonly implemented for UDP
requests for video or audio, as these real-time applications are susceptible to network delays.
Firewall Rules
Firewall rules allow or deny connections through the host VM firewall. You can define VM firewall rules by
configuring the Windows Firewall with Advanced Security settings on individual VMs, either manually or by
using group policies.
For RDP, Remote PowerShell, and SSH, the configuration of access through firewalls is automatic. For
other endpoints, you must manually configure firewall access. So, if you set up another
endpoint, such as SMTP, then you must manually open port 25 on the VM to publish that service.
You will also need to configure firewalls if the default port numbers of the automatically configured
services are changed.
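As an added example (not from the course), the SMTP case just described needs two separate changes: the cloud service endpoint, added from the administrator's workstation with Add-AzureEndpoint, and the Windows Firewall inbound rule inside the VM, which Azure does not create for a non-default endpoint. The service and VM names are assumed lab values.

```powershell
# Added example, not course code. Assumed names: $service and $vmname.
$service = "adatum-svc"
$vmname  = "ADATUM-MAIL1"

# Part 1 (run from the admin workstation with the Azure PowerShell module):
# add the endpoint that maps the public TCP port 25 to the VM's private port 25.
Get-AzureVM -ServiceName $service -Name $vmname |
    Add-AzureEndpoint -Name "SMTP" -Protocol tcp -LocalPort 25 -PublicPort 25 |
    Update-AzureVM

# Part 2 (run inside the VM, for example over the Remote PowerShell endpoint that
# Azure configures automatically): open the matching port in the host firewall.
# The rule is idempotent so re-running a build script does not duplicate it, and
# -Profile Any applies it whichever network profile the VM assigns to its NIC.
function Add-SmtpFirewallRule {
    $name = "Allow SMTP (TCP 25)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 25 -Action Allow -Profile Any | Out-Null
    }
    # Return the rule so a caller can confirm it is present and enabled.
    Get-NetFirewallRule -DisplayName $name
}
# Add-SmtpFirewallRule   # call this on the VM itself, not on the workstation
```

Without part 2 the endpoint exists but connections to port 25 are dropped at the guest firewall, which is the symptom the text above warns about.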
Certificates
By default, RDP and Remote PowerShell are secured using self-signed certificates. If you wish to use
certificates linked to a trusted certificate authority, one approach is to deploy a Remote Desktop Gateway,
and secure RDP connections through the gateway, using your own certificate. You could also use
PowerShell to deploy a certificate to a VM during VM deployment. Although secure, one potential
disadvantage of these approaches is that the certificate would need to be installed on the client
computers that will be used as RDP clients. By contrast, the default self-signed certificates do not require
installation, but will generate a dialog box saying, "The publisher of this remote connection cannot be
identified. Do you want to continue anyway?"
For Linux-based VMs, exposing SSH to the Internet from the cloud can present a security weakness. In
addition to configuring unique user IDs (not root or admin), the endpoint should be configured to use private
key/certificate SSH authentication. The Azure Management Portal accepts SSH public keys encapsulated in
an X.509 certificate.
For more information on how to generate and deploy certificates for SSH, see:
How to Use SSH with Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=511722
Deployment of certificates and SSH keys into new VMs can be scripted with Azure PowerShell. The Azure
PowerShell cmdlets for certificate management include:
Add-AzureCertificate
Get-AzureCertificate
Remove-AzureCertificate
Encryption
Windows Azure provides highly secure environments and rigorous security governance for customer data
protection. However, customers should still consider encryption for highly sensitive data. BitLocker is only
supported on data disks in Azure VMs, not on the OS disk. Microsoft is working with partners to deliver
secured data with BitLocker-like technologies, such as CloudLink, which supports a fully automated start
up from an encrypted volume.
For more information on protecting Azure storage, see:
Protecting Data in Microsoft Azure
http://go.microsoft.com/fwlink/?LinkID=398382
For more information on CloudLink, see:
Azure Virtual Machine Disk Encryption using CloudLink
http://go.microsoft.com/fwlink/?LinkID=511715
Lesson 2
In this lesson you will see the types of disk used by virtual machines, and how to manage and configure
these disks. You will also see how to attach new and existing disks to virtual machines, and how to import
and export large amounts of data to and from Azure.
Lesson Objectives
After completing this lesson, you will be able to:
OS disks
o One per VM
o Labeled as C: drive
Temporary disks
o Labeled as D: drive
Data disks
o Maximum size is 1 TB
o Maximum number of data disks that can be attached is determined by the size of the VM
OS and data disks are both implemented as blob storage in a storage account; however, OS disks and
data disks appear to the VM operating system as SATA and SCSI respectively. Temporary disks are
implemented as local storage.
Note: Another storage option for Azure VMs is Windows Azure Files (currently in preview).
Windows Azure Files allows Azure VMs to mount a shared file system using the SMB protocol,
and provides a way to share files between VMs.
Data disks can be created by either attaching an empty disk to a virtual machine or by attaching a
data disk, which already contains data, to the virtual machine.
For operating system disks and data disks, you can view a list of disks, add and delete disks, and update
disks by using the Microsoft Azure Management Portal or the Microsoft Azure PowerShell cmdlets.
When using the portals, you can see information about the disks attached to a virtual machine by using
either the virtual machine's dashboard or the Disks page in the Virtual Machines section in the full Azure
Management Portal, or the Virtual Machines blade in the new Azure Preview Portal.
Configuring Caching
An Azure VM operating system disk has an in-built disk cache, which supports ReadOnly and ReadWrite
caching. Data disks support the following cache configurations:
None (default)
ReadOnly
ReadWrite
These can be modified in the new Azure Preview Portal, by opening the blade associated with the VM disk
and selecting the required cache configuration; caching can also be configured in the Full Portal.
Changing disk cache settings requires a reboot of the VM.
Disk cache can also be modified by using the following Azure PowerShell cmdlets:
Create a new virtual machine running Windows Server 2012. This must be on a medium sized server,
rather than the smallest server, as small servers can only attach two disks.
2.
3.
4. Open the Server Manager and navigate to File and Storage Services.
5.
6. Click New Storage Pool and allocate the blank disks to the pool.
7. In File and Storage Services, select the pool and then, in the Virtual Disks pane, click New Virtual
Disk.
8.
9. The New Volume wizard appears. Select the disk and select the drive letter, then create the volume.
For Windows VMs, a new disk or storage space can be initialized by using the Server Manager Disk
Management tools, in the same way as for managing disks in any on-premises computer. You need to be
logged in to the VM to run this tool. Disk Management shows the new disk as Unallocated space, which you
can then configure as a new volume. This process is exactly the same as with an on-premises virtual
machine or a physical computer running Windows. You can then format the volume using your choice of
file system.
The process for attaching empty or existing disks to a Linux machine is similar. The initialization
process requires the administrator to connect and log in to the Linux VM. The process is then to run the
Linux-version-specific commands for disk initialization.
For more information on initializing disks for Linux VMs, see:
How to Attach a Data Disk to a Linux Virtual Machine
http://go.microsoft.com/fwlink/?LinkID=511711
With the VHD in place, the Full Portal ATTACH button will now display the ATTACH DISK option, in
addition to the ATTACH EMPTY DISK option. This option lists the available disks for the VM, which can be
added.
To attach an empty disk in the full Azure Management Portal:
1. Click Virtual Machines, and then select the appropriate virtual machine.
2. On the command bar, click Attach, and then select Attach empty disk.
3. In the Attach Empty Disk dialog box, in File Name, either accept the automatically generated name
or type a new descriptive name. (The data disk that is created from the .vhd file will always use the
automatically generated name.)
4.
5.
6.
You will now see the data disk listed on the dashboard of the virtual machine.
2. On the Virtual Machines blade, click the virtual machine you want to add a disk to.
3. On the blade for the selected virtual machine, scroll down and under Configure, click Disks.
4. On the Disks blade, in the top command bar, click ATTACH EXISTING.
5. On the Attach an existing disk blade, click VHD FILE Configure required settings.
6. On the Choose a disk blade, click CHOOSE STORAGE ACCOUNT Configure required settings.
7. On the Storage account blade, click one of the existing storage accounts.
8. On the Choose a disk blade, click CHOOSE CONTAINER Configure required settings.
9.
10. On the Choose a disk blade, click CHOOSE A DISK Configure required settings.
11. On the Storage blob blade, click the name of an existing disk.
12. On the Choose a disk blade, click OK.
13. On the Attach an existing disk blade, click OK.
You can upload a VHD from your on-premises computer to the VM Storage Account by using the Azure
PowerShell Add-AzureVhd cmdlet:
Uploading a VHD
Add-AzureVhd -Destination "<StorageAccountBlobURL>/<Container>/<VHDName>.vhd" -LocalFilePath <LocalPathToVHD>
Note: When attaching an existing disk to a Microsoft Azure virtual machine, it must be at
least 20 MB in size.
Detach a disk
Demonstration Steps
Attach a new empty disk
1. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
2.
3. On the WebVM1 blade, scroll down and under Configuration, click Disks.
4. On the Disks blade, in the top command bar, click Attach New.
5. On the Attach a new disk blade, click STORAGE CONTAINER Configure required settings.
6. On the Choose a container blade, click CHOOSE STORAGE ACCOUNT Configure required
settings.
7.
8. On the Choose a container blade, click CHOOSE CONTAINER Configure required settings.
9.
12. The new disk will now be added to the list of data disks on the Disks blade (this process may take 2-3
minutes to complete).
13. Close the Disks blade.
Detach a disk
1. In the Microsoft Azure Preview Portal, on the WebVM1 blade, scroll down and under Configuration,
click Disks.
2. On the Disks blade, click the disk shown under DATA DISKS.
3. On the blade for the disk, in the top menu bar, click Detach.
4. Click Yes.
5. The disk will now be removed from the list of data disks on the Disks blade (this process may take 2-3
minutes to complete).
6.
In the Microsoft Azure Preview Portal, on the WebVM1 blade, scroll down and under Configuration,
click Disks.
2. On the Disks blade, in the top command bar, click Attach Existing.
3. On the Attach an existing disk blade, click VHD FILE Configure required settings.
4. On the Choose a disk blade, click CHOOSE STORAGE ACCOUNT Configure required settings.
5.
6. On the Choose a disk blade, click CHOOSE CONTAINER Configure required settings.
7.
8. On the Choose a disk blade, click CHOOSE A DISK Configure required settings.
9.
13. The new disk will now be added to the list of data disks on the Disks blade (this process may take 2-3
minutes to complete).
14. Close the Disks blade.
You create an import job to transfer data from your on-premises infrastructure onto hard drives that
you will send to your Microsoft Azure storage account in the datacenter.
You create an export job to request that data currently held in your Microsoft Azure storage account
be transferred to empty hard drives that you ship to the Microsoft Azure datacenter, which can then
be shipped back to you with the requested data on them.
Lesson 3
Lesson Objectives
After completing this lesson, you will be able to:
Discuss the function and deployment of management tools such as Puppet and Chef.
The Azure Cross-Platform Command-Line Interface (xplat-cli) provides a set of open source, cross-platform
commands for working with the Azure Platform. Although available for all platforms, xplat-cli is
primarily for use with Linux-based VMs, as Windows VMs are usually managed from a command line by
using Azure PowerShell cmdlets.
Xplat-cli is covered in greater depth later in this lesson.
Like Windows PowerShell, Microsoft Azure PowerShell offers a rich configuration and automation toolset
for the deployment and management of all aspects of an Azure environment. An administrator must
install the Azure PowerShell modules to start using the facilities.
For more information on installing and configuring Microsoft Azure PowerShell, see:
How to install and configure Azure PowerShell
http://go.microsoft.com/fwlink/?LinkID=511717
Remote Desktop Protocol (RDP) enables administrators to establish a graphical user interface session with
an Azure virtual machine. The full and new portals provide a Connect option that provisions a .rdp file,
which can be downloaded and saved for initiating an RDP connection to the specified VM. The RDP
endpoint is created by default when creating a new Windows VM, but can be removed if you do not wish
to use RDP.
Closely associated with the RDP utility is the Remote Desktop Connection Manager. This utility provides
an interface for grouping and managing multiple VMs through RDP connections.
For more information on using Remote Desktop Connection Manager with Azure, see:
Importing Windows Azure Cloud Services into Remote Desktop Connection Manager (RDC
Man)
http://go.microsoft.com/fwlink/?LinkID=522635
Note: It is possible to use RDP with Linux VMs, as long as a GUI such as X desktop has been
installed on the VM; in such a scenario, you could then use an option such as xrdp to provide the
RDP service on the Linux VM.
Secure Shell
When creating a Linux VM, you can choose to enable Secure Shell (SSH); an administrator can then
establish a connection from a Windows client by using the Secure Shell (SSH) protocol with a terminal
emulator, such as PuTTY. From a Linux client, an administrator may use an SSH client such as OpenSSH.
The SSH endpoint is created by default when creating a Linux VM, even if you choose not to enable SSH
itself during deployment.
VM Agent
VM Agent Extensions
The VM Agent on Windows VMs can have in-built extensions, such as the BGInfo extension, which
displays information about a Windows VM on the desktop of the VM instance during an RDP session
connection, such as internal and public IP, disk space, and memory.
The VM Agent enables some management operations external to the guest operating system
functionality, such as resetting a password with the VMAccess extension. An administrator can install and
configure the VM Agent on an existing VM by installing the VM Agent and running the associated .msi
file.
It can then be enabled by running the Update-AzureVM Azure PowerShell cmdlet.
VM Extensions enable an administrator to deploy functionality during the build process, rather than
having to log in and install software. Extensions are held as packages in the Azure VM Extension Gallery,
from where they can be loaded on to the VM.
Typically, extensions are written and distributed by software companies registered with Microsoft. Some of
these are already available in the From Gallery VM creation wizard, such as Chef and Puppet.
Demonstration Steps
Create a VM in a separate IaaS cloud service
1.
2.
3. In the toolbar at the bottom, click NEW and then click FROM GALLERY.
4. In the list of images, click Windows Server 2012 R2 Datacenter, and then click Next.
5.
6.
7.
8. In the CONFIRM text box, type Pa$$w0rd123 and then click Next.
9. In the CLOUD SERVICE drop-down list, select Create a new cloud service.
10. In the CLOUD SERVICE DNS NAME box, add some numbers to WebVM3 to make a unique name.
11. In the REGION/AFFINITY GROUP/VIRTUAL NETWORK box, select your closest region.
12. Click Next and then click Complete.
Note: Do not complete any subsequent steps until the STATUS column for WebVM3
shows the status Running. Do not proceed while the STATUS is Running (Provisioning).
Disable RDP Access in a Virtual Machine
1.
2. In the toolbar at the bottom, click CONNECT and then click Open.
3.
4.
5.
6.
7.
8.
9. Click regedit.exe.
2.
3. In the Sign in dialog box, enter the credentials for the account associated with your Azure
subscription and then click Sign in.
4.
5. Note the Service Name value for the WebVM3 virtual server (or copy to the clipboard).
6.
If the command returns True then the Azure VM Agent, which is required to use Azure Agent Extensions,
is installed.
8. The command ensures that RDP access is enabled and that the virtual server has a firewall rule that
permits RDP access.
9.
2. In the toolbar at the bottom, click RESTART and then click Yes.
3. When the restart operation is complete, in the toolbar at the bottom, click CONNECT and then click
Open.
4.
5. If you get an RDP connection cannot be completed message, in the dialog box, click OK, then in
Internet Explorer, click OK, and then wait a few minutes and try again from step 3.
6.
7. In the Remote Desktop Connection dialog box, click Yes. RDP connects and displays the desktop.
8.
9.
The Custom Script extension can upload script files to Azure Storage Accounts. By default, it will use the
default Storage Account for the VM, but this can be configured in the PowerShell script. The cmdlet takes
the VM configuration object (obtained with Get-AzureVM), the URI of the script, and the script to run, and
the change is applied by piping the result to Update-AzureVM:
Uploading scripts using the Custom Script extension
Get-AzureVM -ServiceName <Service_Name> -Name <VM_Name> | Set-AzureVMCustomScriptExtension -FileUri <URI_of_File.ps1> -Run <File.ps1> | Update-AzureVM
Puppet
Puppet is an open source IT management tool
written in Ruby for system automation and server
management for both on-premises and cloud
environments, and across a range of operating
systems. Although it is open source, it is
maintained by Puppet Labs. Puppet can manage
up to 50,000 physical or virtual machines.
Puppet uses a configuration scripting and command language. Puppet automatically updates managed
systems to match configuration changes in the Puppet Master.
Puppet Architecture
The architecture is a client/server configuration that restricts VM access to raw Puppet modules. Each VM
gets a configuration that is compiled specifically for that VM. This means that there is an overarching
principle of least privilege, with package creation and deployment separated.
The Puppet Agent Extension is deployed either during the full portal From Gallery installation option or
through PowerShell or other command line management tools. The PowerShell cmdlets supplied by
Puppet Labs include:
Chef
Chef provides an automation system for building, deploying, and managing Azure infrastructure.
Administrators can manage resources using recipes: reusable definitions that provide instructions for
tasks.
The Chef client runs on all VMs managed by the Chef server. A single Chef server can manage up to
10,000 nodes. Each client queries Chef server for the latest set of applicable configuration changes, called
recipes. The suitability of recipes is defined by the Chef server based on the client role. A client executes
the recipes in the same order to ensure consistent management changes. Chef applies recipes when a
client update is required. If no changes exist for that client, no changes are made.
Chef Architecture
Chef employs a convergent configuration model. Changes propagate through clients to bring the entire
network to the required configuration standard. By default, the client polls configuration updates from
the Chef server once every 30 minutes.
Chef Deployment
Chef provides a VM Agent Extension that can be deployed through the full portal From Gallery
installation option.
For more information on Chef, see:
About Chef and Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=511721
Installation
Administrators can install xplat-cli by using installer packages for Windows and Linux, or by using the
npm command. The latter requires Node.js to be installed.
For more information on downloading the latest xplat-cli source, including the INSTALL file containing the
latest information on the installation process, see:
https://github.com/Azure/azure-xplat-cli/releases
When xplat-cli is installed, typing azure at the command prompt lists the available xplat-cli commands. Individual commands are run by typing azure <command_name>. For example, an administrator can interrogate account information by typing azure account.
Xplat-cli can manage both resources and services, although the former does not currently offer the same breadth of functionality. To configure resources, run the config mode command: azure config mode arm. To return to service management mode, run azure config mode asm. Service management is the default mode.
For more information on xplat-cli, see:
Install and Configure the Azure Cross-Platform Command-Line Interface
http://go.microsoft.com/fwlink/?LinkID=511726
Custom Probes
The basic health probe only determines whether the VM in the load-balanced set is alive. A custom probe can provide more specific detail about the activity and availability of an application on a VM in a load-balanced set.
For more information on creating an application for a custom probe, see:
Custom Probe for IaaS Load Balanced sets in Windows Azure and ACL Part 2
http://go.microsoft.com/fwlink/?LinkID=511727
Alerts
Alert rules enable administrators to monitor metrics for an Azure service, including VMs. Rules can have
assigned thresholds which trigger an alert when they are exceeded. This triggers an email to specified
administrators. Notifications trigger when a condition occurs and when it resolves.
The Alerts page in the Management Services section of the full portal lists the configured alert rules. The
page displays the status for existing rules. An administrator can also access details about a rule, create new
rules, and manage existing rules.
An administrator can create up to 10 alert rules per Azure subscription. To add a new rule when 10 exist,
the administrator must delete one rule.
An administrator can configure virtual machine alert rules on:
Configure Diagnostics
The administrator enables and configures VM diagnostics from the Monitoring area of the new portal VM
blade. By clicking any of the panes, such as CPU percentage today or Disk read and write, and then
clicking DIAGNOSTICS in the Metric blade, the administrator can enable diagnostic logging for:
Basic metrics
.NET metrics
IIS logs
The logs that are generated by the diagnostics function are held in the default Storage Account for the
VM, although this can be changed to an alternative account if required.
The latest VM Agent now installs the Windows Azure Diagnostics (WAD) extension.
1. In Internet Explorer, in the full Azure Management Portal, in the navigation panel on the left, click Virtual Machines.
2. In virtual machines, click the right arrow next to WebVM1 and click MONITOR.
7. Ensure that the condition is greater than, then in the THRESHOLD VALUE box, enter 10.

7. Start Task Manager and click More Details, then click the Performance tab.
8. Start a Command Prompt session and arrange side-by-side with Task Manager.
10. At the root of the C: drive, type DIR /S and press Enter.
11. Let the listing operation run for a minute or so. The processor usage on the Taskbar should be near 100 percent.
Show the alert has tripped
3. Click the refresh button occasionally until you see the CPU line jump upwards. Note that this can take up to fifteen minutes for the alert to be generated.

Create a new tab in Internet Explorer, and browse to mail.live.com. You should be logged on automatically.
4. Switch back to the RDP session and close the Command Prompt window.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Now that the planning and VM deployment for the two A. Datum applications is complete, you must
configure VHDs and configure availability and scalability for these VMs. You will place the two IIS web
servers, which will host the front end for the expense application, in a load-balanced availability set. For
the expenses web application, you will attach a new disk to an IIS server to store the ASP.NET disk cache
and create a new Storage Space on the SQL Server to increase the efficiency of the database. Finally, you
will use the Cross-Platform Command Line Interface to manage a virtual machine.
Objectives
After completing this lab, you will be able to:
Set up Azure virtual machines in availability sets and load balanced sets.
Configure virtual data disks for Azure virtual machines and create fault tolerant disks.
Lab Setup
Estimated Time: 40 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
For the expenses web application, you have been asked to ensure maximum uptime. To achieve this
objective, you want to place the virtual machines in the same availability set and load-balanced set. In this
exercise, you will configure this arrangement and use HTML pages to test what happens if a server goes
offline.
The main tasks for this exercise are as follows:
1. Specify Availability Sets
2. Configure the Azure Load Balancer
3. Add Test Pages
4. Test Availability
2. Using Microsoft Azure PowerShell, get the properties of the WebVM1 virtual machine. Notice that the virtual machine is not in an availability set.
3. Add the WebVM1 virtual machine to a new availability set named adatumfrontend.
2. In the Azure preview portal, join the WebVM1 virtual machine to a new load balanced set. Use the following information:
   o Private Port: 80
   o Protocol: TCP
   o Public Port: 80
   o Probe Port: 80
   o Interval: 15 seconds
   o Retries: 31
Add the WebVM2 virtual machine to the AdatumWebLBS load-balanced set. Use the following information:
   o Private Port: 80
Username: Student
Password: Pa$$w0rd123
3. Add an HTML <h1> tag and a <p> tag to the Test.txt file. Use the following content for each tag:
4. Rename the Test.txt file to be Test.htm. Ensure you can see file extensions in Windows Explorer.
Username: Student
Password: Pa$$w0rd123
8. Add an HTML <h1> tag and a <p> tag to the Test.txt file. Use the following content for each tag:
9. Rename the Test.txt file to be Test.htm. Ensure you can see file extensions in Windows Explorer.
1. In Internet Explorer, browse to the cloud service that hosts WebVM1 and WebVM2. Then access the test.htm page within that web service. Note the virtual machine where the test page is located.
2. In the Azure preview portal, shut down the virtual machine you noted in step 1.
3. Refresh the display of the A. Datum Test Page. The page is now served by the other virtual machine in the load balanced set.
Results: At the end of this exercise, you will have the WebVM1 and WebVM2 virtual machines configured
in an availability set and a load-balanced set.
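The following script, added here as an illustration and not as part of the lab, performs the Exercise 1 configuration with the Azure PowerShell cmdlets instead of the preview portal, and shows where a custom HTTP probe (see Custom Probes earlier in this module) is attached to the load-balanced endpoint. The cloud service name, the probe path and the 31-second probe timeout are assumptions; the VM names, the availability set and load-balanced set names, the ports and the 15-second interval come from the lab.

```powershell
# Added example (not part of the lab): Exercise 1 done with cmdlets. The cloud service name,
# probe path and probe timeout are assumptions; VM names, set names, ports and interval are the lab's.
$serviceName = "AdatumWebService"   # assumed cloud service that hosts WebVM1 and WebVM2
$avSetName   = "adatumfrontend"     # availability set name from the lab
$lbSetName   = "AdatumWebLBS"       # load-balanced set name from the lab
$probePath   = "/Test.htm"          # assumed: an HTTP probe fetches a page instead of only opening port 80

foreach ($vmName in @("WebVM1", "WebVM2")) {
    # Set-AzureAvailabilitySet places the VMs in separate fault and update domains; the VM is
    # restarted when the change is applied. Add-AzureEndpoint with -LBSetName creates the
    # load-balanced set on the first VM and joins the second VM to it. The probe settings must
    # match on every member: public 80 -> private 80, HTTP probe every 15 s, 31 s timeout (assumed).
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Set-AzureAvailabilitySet -AvailabilitySetName $avSetName |
        Add-AzureEndpoint -Name "HTTP" -Protocol tcp -PublicPort 80 -LocalPort 80 `
            -LBSetName $lbSetName `
            -ProbeProtocol http -ProbePort 80 -ProbePath $probePath `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM
}

# Verify: both VMs should report the same availability set and the same LB set on their endpoint.
foreach ($vmName in @("WebVM1", "WebVM2")) {
    $vm       = Get-AzureVM -ServiceName $serviceName -Name $vmName
    $endpoint = $vm | Get-AzureEndpoint -Name "HTTP"
    [pscustomobject]@{
        VM              = $vm.Name
        AvailabilitySet = $vm.AvailabilitySetName
        LBSet           = $endpoint.LBSetName
        ProbePath       = $endpoint.ProbePath
    }
}
```

A TCP probe only checks that port 80 accepts a connection; an HTTP probe takes a VM out of rotation as soon as the probed page stops returning a success response, which is the behaviour Task 4 lets you observe. The probe request is unauthenticated, so point it at a page that reveals nothing beyond whether the site can serve.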
1. In 20533B-MIA-CL1, switch to the Microsoft Azure PowerShell, and use the Get-AzureStorageAccount cmdlet to identify the name of the Azure Storage Account currently in use in your subscription.
3. Use the Get-AzureStorageKey cmdlet to find out the storage key value for the Azure Storage Account from Step 1.
4. Use the New-AzureStorageContainer cmdlet to create a new storage container with the name of 1azure-storage. Note the Blob End Point value.
1. Switch to Internet Explorer, and click the new Azure Preview Portal tab.
2. In the preview portal, add the new VHD file that you created in the previous task, to the WebVM2 virtual machine.
3. Connect to the WebVM2 virtual machine, saving the RDP file to your desktop. Then open the RDP file, log on and view the contents of the attached VHD.
4. Detach the 20533B_DataDisk.VHD disk, then create two new virtual disks of 10 GB and attach them to WebVM2.
1. Create a new storage pool called New Storage Pool and add both the 10 GB virtual disks to the pool.
2. Create a new virtual disk from the storage pool called New Virtual Disk. Set it to mirror, with thin provisioning and a virtual disk size of 30 GB.
3. Create a volume on the 30 GB storage space with a size of 15 GB, using the E: drive letter and a volume label of RAID Volume. Review what virtual and physical disks the storage pool now uses, and then view the E: drive in File Explorer.
Results: At the end of this lab, you will have an Azure virtual machine with two virtual data disks that are
configured in a storage space.
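The same storage space can be built with cmdlets, as in the added example below, which is not part of the lab. The first part runs in Microsoft Azure PowerShell on the client VM and attaches the two 10 GB data disks; the second part runs inside WebVM2 and creates the pool, the mirrored thin-provisioned virtual disk and the 15 GB E: volume. The cloud service name and the disk labels are assumptions; the VM name, sizes, pool, disk and volume names come from the lab.

```powershell
# Added example (not part of the lab): Exercise 2 with cmdlets instead of the portal and Server Manager.
# --- Part 1: run in Microsoft Azure PowerShell on 20533B-MIA-CL1: attach two empty 10 GB data disks.
$serviceName = "AdatumWebService"   # assumed cloud service name
$vmName      = "WebVM2"             # VM name from the lab
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 10 -DiskLabel "data1" -LUN 0 -HostCaching None |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 10 -DiskLabel "data2" -LUN 1 -HostCaching None |
    Update-AzureVM

# --- Part 2: run inside WebVM2 (elevated) once the disks are visible: build the mirrored space.
# Only disks that are not initialized or already pooled are eligible; a two-way mirror needs two.
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 2) {
    throw "Need two poolable disks for a two-way mirror, found $($poolable.Count)."
}

# The pool is created on the local Storage Spaces subsystem (its friendly name varies by OS version).
$subsystem = Get-StorageSubSystem | Where-Object { $_.FriendlyName -like "*Storage*" } | Select-Object -First 1
New-StoragePool -FriendlyName "New Storage Pool" -StorageSubSystemUniqueId $subsystem.UniqueId `
    -PhysicalDisks $poolable | Out-Null

# Two-way mirror, thin provisioned at 30 GB: thin provisioning is what allows a size larger than
# the 20 GB of physical capacity; the mirror halves the usable capacity and tolerates one disk loss.
New-VirtualDisk -StoragePoolFriendlyName "New Storage Pool" -FriendlyName "New Virtual Disk" `
    -ResiliencySettingName Mirror -ProvisioningType Thin -Size 30GB | Out-Null

# Initialize the new space, carve a 15 GB partition as E: and format it with the lab's label.
Get-VirtualDisk -FriendlyName "New Virtual Disk" | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -Size 15GB -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "RAID Volume" -Confirm:$false | Out-Null

# Review which physical disks back the pool and the health of the mirrored space.
Get-StoragePool -FriendlyName "New Storage Pool" | Get-PhysicalDisk |
    Select-Object FriendlyName, Size, HealthStatus
Get-VirtualDisk -FriendlyName "New Virtual Disk" |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, Size, HealthStatus
```

The two parts run in different places, so they are separated by comments rather than combined into one remote session; if the second part is scripted, run it over a remoting session to WebVM2 after Part 1 has completed.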
2. Use the Microsoft Azure Command Prompt to download and import the publish settings file using your Microsoft Azure subscription credentials. You will need to use the following commands:

2. View all the available Azure Cross-Platform Command-Line Interface commands by using the azure command on its own.
3. azure vm list
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 10-15 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have configured the Cross-Platform Command Line Interface to issue commands to a Linux virtual machine.
Question: In Exercise 1, you placed the two virtual machines in the same availability set and
the same load-balanced set. What would be the consequences if you had not placed the
virtual machines in the availability set but only configured the load-balanced set?
Question: You used PowerShell to configure two virtual machines with the same availability
set name. When you execute the Get-AzureVM cmdlet, both virtual machines report the
availability set name AdatumFrontEnd. However, when you examine the virtual machines in
the portal, they appear in separate availability sets with the same name. How can this
situation arise?
Review Question(s)
Question: You are configuring virtual machines for the Adatum expenses web application.
You have created four virtual machines that will host the web front end. You have also
created four virtual machines that will host the database. All the virtual machines are in the
same cloud service. What should you use to load-balance the web front-end virtual
machines? What should you use to load-balance the database virtual machines?
Module 5
Implementing Websites
Contents:
Module Overview 5-1
Module Overview
Azure Infrastructure as a Service (IaaS) virtual machines can be used for a wide range of purposes,
including hosting websites by using Internet Information Services (IIS). However, Azure also includes a
specialized websites service that you can use to host any website without configuring a VM and associated
platform software. If you create an Azure website, you can choose from a wide range of common web
applications, including WordPress, Drupal, Umbraco, and others. Alternatively, you can upload a custom
web application from Visual Studio or another web developer tool. In this module, you will see how to
host robust and highly-scalable websites in Azure.
Objectives
After this module, you will be able to:
Use Visual Studio, FTP clients, and PowerShell to deploy a website to Azure.
Use Traffic Manager to distribute requests between two or more Azure websites.
Lesson 1
In this lesson, you will learn about Azure Websites and how they differ from Platform as a Service (PaaS)
cloud services and web applications hosted on Azure virtual machines. You will also see the four tiers
within which you can create an Azure website and the different features supported by each tier. Finally, you will learn how the tools and source code control systems used by developers influence your choice of deployment methods.
Lesson Objectives
After this lesson, you will be able to:
Choose whether to implement a web application within Azure as an Azure website, as a PaaS cloud
service, or as an application hosted on virtual machines.
Choose the best value pricing tier for your web application based on the functionality and scalability
that it requires.
Choose whether to create a web hosting plan to share features and resources across multiple
websites.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Note: Important: The scripts used in this course may delete any objects that you have in
your subscription. For this reason, you should complete this course against a new Azure
subscription. You should have received sign-up details and instructions for creating an Azure
Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases,
use a new Microsoft account that has not been associated with any other Azure subscription. This
avoids confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure only removes the Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your Instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. If you are prompted to sign in, use the Microsoft account that is associated with your Azure subscription. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. At the prompt, type the module number, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.
6. When the script is complete, close Internet Explorer and Microsoft Azure PowerShell.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
Since an IaaS virtual machine in Azure can include a web server, such as IIS or Apache, you can use them
to host web applications. This scenario is very much like running a traditional web farm to host your web
application, except that the servers are at Azure data centers and not on-premises. Virtual machines are
therefore commonly used to migrate an on-premises web application into Azure with as little
modification as possible. Supporting servers, such as SQL Servers to host databases, can be hosted on
other VMs in the same IaaS cloud service. Load balancing is available to scale out the web application
when necessary.
If you choose to host a web application in VMs, you have the maximum control over the operating system
and supporting software. For example, you could install a specific version of PHP on Apache if you need it.
However, you must invest the time to patch and maintain the infrastructure you create. If you want to
scale the application out, you must provision new VMs to host the new instances of the application. You
can use RDP to connect to IaaS virtual machines.
Azure Websites
Alternatively, you can choose to host your web application in the Azure Websites service. After creating a
new Azure website, you can either upload a custom web application or choose from a wide range of
popular general purpose web applications, including Drupal, WordPress, Umbraco, and others.
Developers can build custom web applications to host in Azure Websites by using ASP.NET, Node.js, PHP,
and Python.
You can scale up an Azure website by changing tiers. This increases the traffic a single instance of the site
can service. Alternatively, scale out by installing a website in multiple instances and using Azure load
balancing to distribute traffic. However, you can only scale the website as a single component; you
cannot scale separate parts of the application differently. You also cannot gain RDP access to the web
server. You can use Azure SQL Database or SQL Server on a virtual machine to host an underlying
database.
PaaS Cloud Services
You can also choose to build a web application as an Azure PaaS cloud Service. A PaaS cloud service
consists of a web role, which includes the application's user interface, and worker roles, which run
background tasks. Since you can scale each role independently by specifying the number of role instances,
you have a great deal of control over scalability with PaaS cloud services. You can connect to the servers
that host your PaaS cloud service by using RDP.
However, PaaS cloud services are a specialized form of web applications that are unique to Azure. An
existing web application sometimes requires significant modification before it can run as a PaaS cloud
service. You will learn more about PaaS cloud services in Module 8.
Free tier websites are limited to 165 MB of outbound data transfer each day and must be hosted within
the azurewebsites.net domain. You cannot scale out a free tier website to multiple instances and they do
not qualify for any Service Level Agreement (SLA). However, you can use WebJobs and create up to 10
websites and use up to 1 GB of storage.
Shared tier websites have unlimited outbound data transfer and can use a custom domain, although you
cannot use SSL to secure shared tier websites in custom domains. You can scale a shared tier website out
to six instances and use the Azure load balancer to distribute load.
Basic tier websites can use up to 10 GB of storage and can use custom domains with SSL encryption. Basic
tier websites also qualify for the 99.9 percent uptime SLA.
Finally, standard tier websites can use up to 50 GB of storage and you can scale them out to 10 dedicated
instances. Automatic scaling and staged publishing slots are only available for standard tier websites.
A web hosting plan must be contained within a single resource group. Although a resource group can
span multiple Azure regions, a web hosting plan must be contained within a single region. Web hosting
plans can only contain Azure websites. This contrasts with resource groups, which you can use to associate
websites with SQL Databases, PaaS cloud services, storage accounts, and other Azure services.
If the developers are not using a source control system to coordinate their development, they can deploy
a website to Azure directly from their chosen IDE, such as Visual Studio or Web Matrix. The command-line
MSBuild tool can also be used to script deployment processes.
FTP can be used to transfer files but the Web Deploy technology has extra features that make it easier to
set configuration values, such as connection strings, and reduce deployment time.
Source Code in an On-Premises Source Control System
If developers are using a source control system located on servers within their on-premises network, they can configure that system to perform continuous delivery to an Azure website. This site should be in a staging slot, to ensure that changes can be tested before being moved to the production website. On-premises source control systems include TFS, Git, and Mercurial repositories.
Source Code in a Cloud Source Control System
If developers are using a cloud-hosted source control system, such as Team Foundation Version Control (TFVC) in Visual Studio Online (VSO), they can configure continuous delivery in a very similar way to on-premises source control systems. Developers have many choices in these systems. For example, they can use Git for distributed source code in VSO instead of using the centralized TFVC.
For more information about these deployment mechanisms, see:
http://go.microsoft.com/fwlink/?LinkID=511730
Your company is initiating a new project to build the company's public website. There will be a small team of developers using ASP.NET MVC.
Discuss the following questions for each scenario:
Should the web application be hosted as an Azure website, as a PaaS cloud service, or on virtual
machines in Azure?
Where is the best place to store the web application's source code and how should source control be implemented?
If you choose to create an Azure Website, which of the four tiers should be used?
Lesson 2
Deploying Websites
Web applications are usually created by teams of web designers and developers by using a variety of tools
such as graphic design packages, image editing packages, web design software, and Integrated
Development Environments (IDEs) such as Visual Studio. When the first version of the web application is
complete, developers or administrators must deploy it to a web server and you can choose to use Azure
Websites as a web server to host your application. There are many ways to package and deploy a web
application to Azure and, in this lesson, you will learn about those methods and how to configure IDEs,
FTP tools, and source control software to deploy new web applications and updates as Azure Websites.
Lesson Objectives
At the end of this lesson, you will be able to:
Describe the advantage of using Web Deploy to deploy a web application to Azure.
Use Web Deploy to deploy a web application to Azure from Visual Studio.
1. In the toolbar on the left, click NEW and then click Website.
2. In the URL text box, type a unique and valid name. If the name is unique and valid, a green smiley face appears.
4. Select a location. Use a location close to the audience you expect to be interested in your site.
You can also create websites by using the New-AzureWebsite cmdlet in the Azure PowerShell. For example:
Creating New Websites in PowerShell
New-AzureWebsite -Name MyNewWebsite -Location "East US"
1. In the tool bar on the left, click BROWSE and then click Websites.
3. Scroll down to locate the Deployment section, and then click Set deployment credentials.
6. In the CONFIRM PASSWORD text box, type the same password and then click SAVE.
Azure can create a publish profile for each website you create. This profile is an XML file with a
.publishsettings extension that includes all the credentials, connection strings, and other settings required
to publish a website from an IDE such as Visual Studio.
Demonstration Steps
Create a new website in Azure by using the preview portal
1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.
2. In the top right, click your username, and then click Switch to new portal.
3. In the toolbar on the left, click New, and then click Website.
4. In the URL text box, type a valid unique website name. If the name is valid and unique, a green smiley is displayed.
6. When the website creation is complete, in the website blade, click Browse. Internet Explorer shows the default webpage.

2. Close the Internet Explorer tab and then close the tab containing the new portal, keeping the full portal tab open.
FTP Clients
Azure can act as an FTP server to enable you to upload your website for publishing. You must choose an FTP client to use. There are many clients available. For example:
Dedicated FTP Clients. There are several dedicated FTP clients available for free download. These
include FileZilla, SmartFTP, CoreFTP, and others. The advanced features these clients include make
them suitable for website publishing, which can involve many hundreds of files and large file sizes.
IDEs. Visual Studio and other IDEs support FTP for website publishing.
In order to publish a site by using FTP, you must configure your client with the destination URL of the remote FTP site and the credentials the FTP client can use to log on to the FTP server. Ensure you use the FTP credentials you configured for the Azure website and not your Azure account credentials. In addition, you must select active or passive FTP mode.
By default, FTP uses active mode. In this mode, the client initiates the session and issues commands by
using a command port (usually port 21 on the server) and the server initiates data transfers by using a
data port (usually port 20 on the server). Firewalls may block the data transfers because they appear to be
a separate communication. In passive mode, both commands and data transfers are initiated by the client
and are less likely to be blocked by firewalls.
Limitations of FTP
The principal advantage of FTP is its wide use and broad compatibility. However, since FTP is an older
technology that was not designed specifically for uploading website source code, advanced features are
not available. For example:
FTP simply transfers files. It is not able to modify files or distinguish their use. Therefore it cannot
automatically alter database connection strings in web.config files to connect to the production
database instead of a development database. Web deploy, for example, can be configured to make
this modification.
FTP always transfers all the selected files whether they have been modified or not. This can result in
an operation re-uploading many files unnecessarily when changes are made.
Web Deploy is only supported with IIS web servers, which are used to host Azure Websites. It is also only
supported by a small number of clients, such as Visual Studio and Web Matrix. However, when this
software is available, Web Deploy has the following advantages:
Web Deploy only uploads files that have changed so modifications can be performed reliably with
much less network traffic.
Web Deploy works over the secure HTTPS protocol. It does not require extra ports to be open on the web server's firewall.
Web Deploy can secure the files it transfers by setting Access Control Lists (ACLs).
Web Deploy can use SQL scripts to deploy a database to a remote server.
Web Deploy can automatically modify the web.config file. For example, it can replace a database
connection string so that the deployed website connects to a production database.
MSDeploy.exe
The Web Deploy client is implemented as a command-line utility named MSDeploy.exe. Visual Studio,
Web Matrix and PowerShell cmdlets all use this program to execute Web Deploy operations. You can use
MSDeploy.exe at the command prompt manually or as part of a batch file.
You can download the MSDeploy.exe tool at the following location:
Web Deploy Download
http://go.microsoft.com/fwlink/?LinkID=522636
The Windows Azure PowerShell includes the Publish-AzureWebsiteProject cmdlet, which uses Web Deploy to upload a Visual Studio package or project file to Azure. With this cmdlet you can automate website deployment.
For example, use the following PowerShell command to package and publish a Visual Studio web application project:
Using the Publish-AzureWebsiteProject Cmdlet
Publish-AzureWebsiteProject -Name AdatumWebsite -ProjectFile "AdatumWebsite.csproj" -Configuration Release
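As an added example, not a script from the course, the following automates the create-and-publish sequence and uses the cmdlet's -ConnectionString parameter (a hashtable of connection string name to value) so that the production connection string is supplied at publish time rather than stored in the project, which is the web.config substitution that the Web Deploy advantages above describe. The website name, project path, connection string name and the environment variable are assumptions.

```powershell
# Added example (not the course's own script): create a website if needed, then publish a
# Visual Studio project to it with Web Deploy, injecting the production connection string.
# Website name, project path, connection string name and environment variable are assumptions.
$siteName = "AdatumWebsite"
$location = "East US"
$project  = "C:\Projects\AdatumWebsite\AdatumWebsite.csproj"   # assumed local project path

# Website names are global across azurewebsites.net, so only create the site when it is absent.
if (-not (Get-AzureWebsite -Name $siteName -ErrorAction SilentlyContinue)) {
    New-AzureWebsite -Name $siteName -Location $location | Out-Null
}

# Take the production connection string from the build machine's environment (assumption)
# instead of committing it with the source; fail early rather than publish without it.
$prodConnection = $env:ADATUM_DB_CONNECTION
if (-not $prodConnection) {
    throw "ADATUM_DB_CONNECTION is not set; refusing to publish without a production connection string."
}

# Web Deploy builds the Release configuration, uploads only changed files over HTTPS, and
# rewrites the named connection string in web.config on the deployed site.
Publish-AzureWebsiteProject -Name $siteName -ProjectFile $project -Configuration Release `
    -ConnectionString @{ "AdatumDb" = $prodConnection }

# Confirm the site is running and show the host names it answers on.
Get-AzureWebsite -Name $siteName | Select-Object Name, State, HostNames
```

Because the connection string is never part of the project, a developer's copy of the source (or a repository it is committed to) does not carry the production database credentials.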
Demonstration Steps
Download a publishing profile from the Azure portal
4. In the Solution Explorer, right-click the AdatumWebsite project, and then click Publish.
5. In the Publish Web wizard, on the Profile page, click Import, and then click Browse.
6. Locate and select the publish profile you just downloaded, click Open, and then click OK.

1. On the Connection page, click Validate Connection. If the connection is valid, a green tick is displayed.
2. Click Publish. When the publishing process is complete, Internet Explorer displays the site.
3. Close the Internet Explorer tab containing the website, but keep the full portal page open.
Website Updates
After you have deployed a finished version of a website to Azure, development rarely ceases. In most cases, new features and bug fixes will be made by developers to improve the site and ensure a compelling user experience. These changes are deployed in different ways, depending on the location of your source code and the deployment tool you choose.
Continuous Deployment
Continuous Delivery is a recent approach to software development in which the source code for a project
is regularly changing with bug fixes and new features. Continuous Deployment is part of the Continuous
Delivery model and involves regular and automatic builds and deployments of the project to a staging
environment. If you use a centralized source control system, such as TFS or GitHub, to develop an Azure
Website, you can configure continuous deployment of that website to Azure on an automated schedule
or in response to any committed changes.
To enable and use Continuous Deployment you must:
Connect the project to the Azure Website. In the Azure portal, you must configure the location of
your source code repository and provide credentials that Azure can use to authenticate with the
repository.
Make one or more changes to the source code and commit them to the repository.
The precise steps involved in this configuration depend on the repository you are using. For example steps
for a Git repository in Visual Studio Online, see:
Continuous delivery to Azure using Visual Studio Online and Git
http://go.microsoft.com/fwlink/?LinkID=522637
Before you deploy source code to a public-facing website, you must have confidence in its integrity and
reliability. For this reason it is important to implement a strict testing and acceptance regime that
identifies bugs and other issues in code before they are deployed to the production website. Much of this
testing can be performed in the development environment. For example, unit tests can be run on
developers' computers. However, the final testing location should be the staging environment. The
staging environment should match the production environment as closely as possible.
If you are using standard tier Azure websites, you can create two or more slots for each site. Create one
slot for the production website and deploy tested and accepted code there. You can create a second slot
as the staging environment. Deploy new code to this staging slot and use it to run acceptance tests. The
staging slot has a different URL for browsing.
When the new version in the staging slot passes all tests, you can safely deploy it to production by
swapping the slots. This also provides a simple rollback path: if the new version causes unexpected
problems you can swap the slots a second time to move back to the old production site.
Best Practice: If you are using Continuous Deployment, you should never configure it to
deploy code to a production website. This would result in untested code in a user-facing
environment. Instead, configure deployment to a staging slot or a separate website, where tests
can be run before final deployment.
When you swap a production and a staging slot, the following settings in the production slot will be
replaced with those of the staging slot:
Connection Strings
Handler Mappings
For staging, you usually run the website against a dedicated staging database, which is defined in the
connection string. When you swap slots, the new production slot will use the database you were using
while staging the site. If you want to continue to use the original database because it contains
up-to-date production data, you must edit the connection string in the new production slot. You should
only do this if the database schema has not changed in the new version. If the schema has changed, you
must instead migrate production data into the staging database before you perform the swap.
The following production slot settings will not change when you swap a staging slot into a production
slot:
Publishing endpoints
Scale settings
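The staged-deployment cycle described above (deploy to the staging slot, test, swap, and swap back to roll back) can be scripted end to end. The following is an added example written for this page, not code from the course or from Microsoft. The site and slot names are constructed, and it assumes a signed-in Azure PowerShell session, a Standard-tier site with a slot named "staging", the project file in the current folder, and a module version whose Publish-AzureWebsiteProject and Switch-AzureWebsiteSlot accept the -Slot, -Slot1/-Slot2 and -Force parameters shown.

```powershell
# Added example (not part of the course text): deploy to the staging slot, check the
# result, swap it into production, and keep a rollback path. Names are constructed;
# assumes a signed-in Azure SM PowerShell session (Add-AzureAccount), a Standard-tier
# site "AdatumWebsite" with a slot named "staging", the project file in the current
# folder, and a module version whose Publish-AzureWebsiteProject accepts -Slot.
$siteName    = "AdatumWebsite"
$stagingSlot = "staging"

# Returns $true only when the site answers HTTP 200 and the page carries the expected
# marker text; Invoke-WebRequest throws on 4xx/5xx, so that failure is caught here.
function Test-SiteHealthy {
    param([string] $HostName, [string] $ExpectedText)
    try {
        $response = Invoke-WebRequest -Uri ("http://" + $HostName) -UseBasicParsing
        return ($response.StatusCode -eq 200) -and ($response.Content -match $ExpectedText)
    } catch {
        Write-Warning "Request to $HostName failed: $($_.Exception.Message)"
        return $false
    }
}

# 1. Publish the Release build to the staging slot only; production keeps serving.
Publish-AzureWebsiteProject -Name $siteName -Slot $stagingSlot `
    -ProjectFile ".\AdatumWebsite.csproj" -Configuration Release

# 2. Acceptance check on the slot's own host name (<site>-<slot>.azurewebsites.net).
$staging = Get-AzureWebsite -Name $siteName -Slot $stagingSlot
$stagingHost = $staging.HostNames | Select-Object -First 1
if (-not (Test-SiteHealthy -HostName $stagingHost -ExpectedText "A. Datum")) {
    throw "Staging check failed on $stagingHost; production is unchanged."
}

# 3. Promote by swapping content between the two slots (-Force skips the prompt).
Switch-AzureWebsiteSlot -Name $siteName -Slot1 "production" -Slot2 $stagingSlot -Force

# 4. Roll back with a second swap if production misbehaves after the promotion.
$prodHost = (Get-AzureWebsite -Name $siteName).HostNames | Select-Object -First 1
if (-not (Test-SiteHealthy -HostName $prodHost -ExpectedText "A. Datum")) {
    Write-Warning "Production failed its check; swapping the previous version back."
    Switch-AzureWebsiteSlot -Name $siteName -Slot1 "production" -Slot2 $stagingSlot -Force
}
```

Because connection strings travel with the swap, the post-swap check in step 4 runs against whatever database the staging slot was using; if that was a dedicated staging database, correct the connection string in the new production slot before treating the deployment as complete.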
Staging slots are publicly available, but since the URL is not widely known, Internet users are unlikely to
find your staging site. However, you may wish to restrict access to your staging slot so that only your
developers and testing team can access it. You can do this by adding an IP address whitelist to the
web.config file in the website.
For more details of this technique, see:
Azure Web Sites block web access to non-production deployment slots
http://ruslany.net/2014/04/azure-web-sites-block-web-access-to-non-production-deployment-slots/
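One way to put such a whitelist into web.config is the IIS ipSecurity section, which Azure Websites honors. The script below is an added example for this page, not code from the course or from the blog post linked above; the web.config path and the allowed networks are constructed placeholders. With allowUnlisted set to false, every client that is not in the list receives HTTP 403.

```powershell
# Added example (not from the course or the linked post): restrict a staging slot to a
# list of allowed client networks by writing an IIS <ipSecurity> section into the
# site's web.config before it is published. Path and networks are constructed values.
function Add-IpAllowList {
    param(
        [Parameter(Mandatory)] [string]   $WebConfigPath,
        [Parameter(Mandatory)] [string[]] $AllowedNetworks   # "address/subnetMask" entries
    )
    [xml] $config = Get-Content -Path $WebConfigPath -Raw
    $webServer = $config.configuration.'system.webServer'
    if ($null -eq $webServer) {
        $webServer = $config.configuration.AppendChild($config.CreateElement("system.webServer"))
    }
    # Replace any existing <security> so the resulting list is exactly what was passed in.
    $security = $webServer.SelectSingleNode("security")
    if ($null -ne $security) { [void] $webServer.RemoveChild($security) }
    $security   = $webServer.AppendChild($config.CreateElement("security"))
    $ipSecurity = $security.AppendChild($config.CreateElement("ipSecurity"))
    # allowUnlisted="false" makes this a deny-by-default allow list; without it the
    # entries would be a deny list and everyone else would still get in.
    $ipSecurity.SetAttribute("allowUnlisted", "false")
    foreach ($network in $AllowedNetworks) {
        $address, $mask = $network.Split("/")
        $entry = $ipSecurity.AppendChild($config.CreateElement("add"))
        $entry.SetAttribute("ipAddress", $address)
        $entry.SetAttribute("subnetMask", $mask)
        $entry.SetAttribute("allowed", "true")
    }
    $config.Save($WebConfigPath)
    return $ipSecurity.ChildNodes.Count
}

# Constructed input: the office network and one tester's address (documentation ranges).
$count = Add-IpAllowList -WebConfigPath ".\AdatumWebsite\web.config" `
    -AllowedNetworks @("203.0.113.0/255.255.255.0", "198.51.100.20/255.255.255.255")
Write-Host "web.config now allows $count network entries and denies all other clients."
```

Note that web.config is part of the deployed content, so it moves with the content when you swap slots: remove the restriction (for example with a configuration transform applied only to the staging build) before a swap, or the production slot inherits the lock-down.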
Demonstration Steps
Evaluate your Azure websites in PowerShell
2. If you are not logged in, type the following command, and then press Enter:
Add-AzureAccount
1. Click DASHBOARD.
4. In the CONFIGURATION SOURCE list, select the website you created previously, and then click the
Complete icon.
5. When the configuration is complete, click the arrow to the left of the website you created in the first
demo.
6. Point out to the students that the new slot is a separate website within the first website.
7. Switch to PowerShell.
Lesson 3
Configuring Websites
Once you have created and deployed an Azure website, you have many settings that you can configure
on an ongoing basis. For example, you can configure SSL and website certificates to support encryption,
link databases and storage accounts to a website to ease scalability and monitoring, and scale websites to
cope with peak demand. In this lesson, you will see how to configure a website for best performance and
best value and how to use WebJobs to schedule scripted tasks that maintain your website.
Lesson Objectives
After this lesson, you will be able to:
Use the Configure page in the portal to manage framework versions, security, configuration strings,
and app settings.
Web Sockets. Web sockets are a mechanism that enables two-way communication between server
and client. Developers can build chat rooms, games, and support tools by using web sockets. If your
developers are using web sockets, you must enable them on the Configuration tab.
Note: Many developers in ASP.NET use the SignalR package to build two-way messaging
into their web applications. SignalR is built on web sockets.
Always On. Many web development technologies, such as ASP.NET and PHP, unload a website from
memory when there have been no requests for a prolonged period. When the first new request is
received, code may need compilation and reloading before a response can be sent to the user and
this process can delay a response. The Always On feature avoids this problem by regularly pinging the
website with a simple request. Always On is only available for websites in the Standard tier.
Platform. Use the Platform setting to control whether to run server code in 32-bit or 64-bit mode.
The 64-bit mode is only available in basic or standard tier websites.
Certificates. If you want to use Secure Sockets Layer (SSL) to encrypt communications between the
web browser and the server, you must obtain and upload a certificate from a recognized certificate
authority. Use the Certificates section to add such a certificate to your site.
Domain Names. If you have registered a custom domain name, such as adatumcorp.com, with an
ISP, you can use that domain name to host your site. All Azure sites without custom domain names
are in the azurewebsites.net domain.
SSL Bindings. To use SSL with a custom domain, you must ensure the custom domain appears in the
certificate when you purchase it from the certificate authority. Once you have uploaded the
certificate, you can bind it to the custom domain by using the SSL Bindings table.
App Settings. You can use app settings to pass custom name/value pairs to your application at
runtime. Work with your development team to determine what settings are required by the website
code. For example, you could use an app setting to specify an administrator's email address. The
website code must take this setting and display it in an appropriate place on the site.
Connection Strings. These strings are used by the website to connect to a database. Most websites
use databases to store all dynamic data and cannot function without a connection to one or more
databases. Connection strings are stored in configuration files such as the web.config file. You can use
the Connection Strings section to override these connection strings without modifying and uploading
a new web.config file.
Default Documents. The default document list specifies the page that will be displayed if a user does
not specify one. For example, if they want to see the home page, most users specify the domain name
of the site and do not add default.htm, index.htm or some other page. Work with your developers to
ensure the website home page appears in the default documents list. Optimize the website by
ensuring that the home page is at the top of the list.
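Several of the settings listed above can also be applied from Azure PowerShell, which is useful when the values are secrets or environment-specific and should not live in the web.config that developers check into source control. The following is an added example for this page, not course or Microsoft code; the site name, setting name and values are constructed, and it assumes a signed-in Azure PowerShell session.

```powershell
# Added example (not from the course text): apply Configure-page settings from PowerShell
# so that environment-specific values are held in Azure rather than in web.config.
# Site name, app setting name and values are constructed placeholders.
$siteName = "AdatumWebsite"

# Get-AzureWebsite returns the same configuration that the Configure tab shows.
$site = Get-AzureWebsite -Name $siteName

# Set-AzureWebsite -AppSettings replaces the whole collection, so merge the new value
# into a copy of the existing settings instead of passing only the new one.
$appSettings = @{}
foreach ($key in $site.AppSettings.Keys) { $appSettings[$key] = $site.AppSettings[$key] }
$appSettings["AdminEmail"] = "webadmin@adatumcorp.com"   # constructed value

# WebSocketsEnabled is required for web-socket based code (for example SignalR);
# DefaultDocuments is the ordered list IIS tries when no page is named, so the real
# home page goes first.
Set-AzureWebsite -Name $siteName `
    -AppSettings $appSettings `
    -WebSocketsEnabled $true `
    -DefaultDocuments @("index.html", "default.htm")

# Verify what was actually stored on the site.
Get-AzureWebsite -Name $siteName |
    Select-Object Name, WebSocketsEnabled, DefaultDocuments, AppSettings
```

Values set this way override an appSettings entry of the same name in web.config at run time; the Connection Strings section of the Configure tab overrides connectionStrings entries in the same manner, so production credentials never need to be in the source tree.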
Declaring databases and storage accounts as linked resources has the following advantages:
Other Azure administrators can easily determine the databases and storage accounts that are used by
each website without examining connection strings or web.config files.
It is easier to scale databases and storage accounts as you scale the corresponding website.
It is easier to configure monitoring for databases and storage accounts as you configure monitoring
for the corresponding website.
3. In the Web Hosting Plan section, choose SHARED or BASIC to configure simple static scaling. If you
want to use automatic scaling, choose STANDARD.
4. In the Capacity section, you can scale up by choosing a larger Instance Size. You can also scale out
by choosing a larger Instance Count.
5. In standard tier websites, click Set up schedule times to automatically create extra instances to cover
an expected demand spike.
6. Click Scale by Metric to set conditions that will trigger the creation of extra instances. By using these
metrics, you can respond to unexpected demand spikes.
Best Practice: When you specify a schedule for scaling instances, bear in mind that it can
take several minutes for each instance to start and become available to users. Therefore, ensure
that you leave enough time between the start of the schedule and the time when you expect peak
traffic to occur.
Overview of WebJobs
WebJobs are a new feature of Azure Websites that enable administrators and developers to run
automated background tasks. These tasks can be run on demand, continuously, or on a schedule.
WebJobs are often used for important maintenance tasks that should not have an impact on the delivery
of content to visitors. For example:
Image processing. Processes that must be run on uploaded images are often CPU intensive.
File maintenance. For example, you might want to scan log files and remove unimportant events.
RSS aggregation. Importing information from an RSS feed can be CPU-intensive when there are many
articles.
Best Practice: By default, Azure Websites are unloaded and halted after a prolonged
period of inactivity. This also interrupts any WebJobs in process. To avoid these halts and prevent
interruption for WebJobs, use the Always On feature.
The operations and logic that a WebJob performs are defined in a script file. These files can include:
Batch files
PowerShell scripts
PHP scripts
Python scripts
Node.js scripts
The type of script you create for a WebJob depends on your own experience. For example, if you are a
Windows administrator with little web development experience, you are more likely to code WebJob
operations as a PowerShell script than as a Node.js script.
Implementing WebJobs
Use the following procedures to create and
monitor WebJobs.
Creating a WebJob
To create a WebJob, first compress your script file
and any supporting files it requires into a zip file.
Then follow these steps:
4. In the NAME text box, type a descriptive name for the new WebJob.
6. In the HOW TO RUN drop-down list, select On demand, Run continuously, or Run on a Schedule.
7. If you are creating a scheduled WebJob, in the SCHEDULER REGION drop-down list, select an Azure
data center where you want the scheduler to run.
8. You can specify either a one-off time for the job to execute or a recurring schedule.
The WebJob history shows when the WebJob was run and the result of the script execution. To access the
history, take the following steps:
1. In the Azure full portal, in the navigation on the left, click WEBSITES.
2. Click the website that runs the WebJob and then click the WEBJOBS tab.
3. For the relevant WebJob, click the link in the LOGS column.
4. Azure displays the WebJob details page. This page displays the script run, the duration of the script
execution, and the status.
5. To see further details, click the TIMING link and then click Toggle output. Individual events in
the execution of the WebJob are displayed.
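The same create-run-inspect cycle can be done without the portal. The script below is an added example for this page, not course or Microsoft code: it packages a small PowerShell maintenance script (the "file maintenance" case above) as an on-demand WebJob, uploads it, runs it once and reads the history. The site name, job name, script contents and paths are constructed; it assumes a signed-in Azure PowerShell session and uses the module's New-AzureWebsiteJob, Start-AzureWebsiteJob and Get-AzureWebsiteJobHistory cmdlets.

```powershell
# Added example (not from the course text): package a PowerShell script as a triggered
# (on-demand) WebJob, upload it, run it and read its history. Names and paths are
# constructed; assumes a signed-in Azure SM PowerShell session.
$siteName = "AdatumWebsite"
$jobName  = "PruneLogs"
$workDir  = Join-Path $env:TEMP $jobName
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# The script the WebJob runs. In the WebJob sandbox %HOME% is the site's persistent
# storage root, with log files under %HOME%\LogFiles. The job deletes log files older
# than 14 days and writes what it removed to standard output, which Azure keeps as
# the job's log (so the history shows exactly what was deleted).
@'
$cutoff  = (Get-Date).AddDays(-14)
$logRoot = Join-Path $env:HOME "LogFiles"
Get-ChildItem -Path $logRoot -Recurse -File |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        Write-Output "Removing $($_.FullName)"
        Remove-Item -Path $_.FullName -Force
    }
'@ | Set-Content -Path (Join-Path $workDir "run.ps1")

# A WebJob is uploaded as a zip; a file named run.ps1 is taken as the entry point.
$zipPath = Join-Path $env:TEMP "$jobName.zip"
if (Test-Path $zipPath) { Remove-Item -Path $zipPath }
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($workDir, $zipPath)

# Triggered jobs run on demand or on a schedule; Continuous jobs run all the time.
New-AzureWebsiteJob -Name $siteName -JobName $jobName -JobType Triggered -JobFile $zipPath

# Run it once now, then read the run history for status, timing and the output log.
Start-AzureWebsiteJob -Name $siteName -JobName $jobName -JobType Triggered
Get-AzureWebsiteJobHistory -Name $siteName -JobName $jobName |
    Select-Object Status, StartTime, EndTime, OutputUrl
```

The script runs with the website's own identity and has the same access to the site content as the website itself, so treat the zip you upload with the same care as a code deployment.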
Lesson 4
Monitoring Websites
Running websites consume resources and incur costs. They may also generate errors, for example if users
request webpages that do not exist. Azure helps you to stay in touch with your website's behavior by
providing a range of diagnostic logs and tools. In this lesson, you will see how to configure logging
for your website and how to view and analyze the data generated.
Lesson Objectives
At the end of this lesson, you will be able to:
Configure site diagnostics and application diagnostics to log the behavior of an Azure website.
Use diagnostic logs and the Azure portal to investigate your website and diagnose problems.
Use the KUDU user interface to access further information about your website.
Application Diagnostics
By using application diagnostics, you can work with website developers to capture and log individual
events that occur as the website code executes. In order to record such an event, the developer must use
the System.Diagnostics.Trace class to send a message. Developers often send trace messages in error
handling code but they can also send them simply to record a successful operation.
Application diagnostics are switched off by default, which means that trace messages are not recorded. If
you switch on application diagnostics, you must configure the following settings:
Log storage location. Choose whether to store the application diagnostic log in the website file
system, a table in an Azure storage account, or a blob container in an Azure storage account. You can
choose to enable any combination of these locations.
Logging level. Choose whether to record informational, warning, or error messages in the log. The
verbose logging level records all the messages the application sends. You can configure a different
logging level for each log storage location.
Retention period. Logs stored in blob storage are not automatically deleted. If you want to enable
automatic deletion, you must set a retention period.
These settings can be configured in the CONFIGURE tab for any Azure Website.
Site Diagnostics
Site diagnostics can be used to record information about HTTP requests and responses, which are the
communications between the web server and the web browser. You can enable or disable the following:
Detailed Error Logging. In HTTP, any response with a status code of 400 or greater indicates an error.
Often, users may only see a simple error page with no technical details. The details stored in site
diagnostic logs may help you to diagnose the problem.
Failed Request Tracing. This option includes rich tracing information logged when an error occurs.
As the trace includes a list of all the IIS components that processed the request and timing
information, you can use this trace to isolate problematic components.
Web Server Logging. This enables the standard W3C extended log for your website. Such a log shows
all requests and responses, client IP addresses, and timings and can be used to assess server load,
identify malicious attacks, and study client behavior.
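Both groups of settings can be switched on from Azure PowerShell as well as from the CONFIGURE tab. The following is an added example for this page, not course or Microsoft code; the site and storage account names are constructed, it assumes a signed-in session and an existing storage account in the same subscription, and it assumes the module version in use accepts -StorageType on Enable-AzureWebsiteApplicationDiagnostic (omit that parameter to log to a storage table instead).

```powershell
# Added example (not from the course text): enable application diagnostics and the
# three site-diagnostic logs from PowerShell. Site and storage account names are
# constructed; -StorageType Blob is assumed to be supported by the module in use.
$siteName       = "AdatumWebsite"
$storageAccount = "adatumdiaglogs"

# Application diagnostics (System.Diagnostics.Trace messages). Two sinks with different
# levels: the site file system keeps only errors for quick checks, blob storage keeps
# everything the application emits for later analysis.
Enable-AzureWebsiteApplicationDiagnostic -Name $siteName -File -LogLevel Error
Enable-AzureWebsiteApplicationDiagnostic -Name $siteName -Storage -LogLevel Verbose `
    -StorageAccountName $storageAccount -StorageType Blob

# Site diagnostics: W3C web server log, detailed error pages and failed request traces.
Set-AzureWebsite -Name $siteName `
    -HttpLoggingEnabled $true `
    -DetailedErrorLoggingEnabled $true `
    -RequestTracingEnabled $true

# Confirm what is stored. Detailed errors and failed request traces are written to the
# site's own file system and count against its quota; blob logs are kept until a
# retention period is set, so set one or they accumulate indefinitely.
Get-AzureWebsite -Name $siteName |
    Select-Object Name, HttpLoggingEnabled, DetailedErrorLoggingEnabled, RequestTracingEnabled
```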
Monitoring Websites
Once you have enabled application and site diagnostic logs, you must download the logs to examine the
recorded data. In addition, you can use the MONITOR tab in the Azure portal to profile a website's
performance.
To examine the Failed Request Traces, ensure you download both XML and XSL files to the same folder.
You can then open the XML files in Internet Explorer.
Instead of using FTP, you can also download the logs by using the Save-AzureWebsiteLog PowerShell
cmdlet:
Downloading Website Logs in PowerShell
Save-AzureWebsiteLog -Name MyWebsite -Output .\LogFiles.zip
Finally, you can use the Azure cross-platform command line interface to download logs:
Using the X-Plat-CLI to Download Logs
azure site log download MyWebsite
Diagnostic logs are easy to understand but can be challenging to analyze when they contain a large
quantity of data. One way to analyze diagnostic logs is to use HDInsight. You can find PowerShell scripts
that enable this approach at the following location:
Analyze Windows Azure Website application logs using transient HDInsight cluster
http://go.microsoft.com/fwlink/?LinkID=511735
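For a log that fits on one machine, a short PowerShell pass over the W3C web server log is often enough to find the "malicious attacks" signal the log exists for: a client that generates far more error responses than a browsing user would. The function below is an added example for this page, not course or Microsoft code. It reads the #Fields directive to learn the column order, so it works on any W3C extended log; the sample lines are constructed for this example and are not real traffic.

```powershell
# Added example (not from the course text): scan a W3C extended web server log for
# clients with a high error count. The sample lines below are constructed, not real.
function Get-SuspiciousClients {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $ErrorThreshold = 5
    )
    $fields = @()
    $perClient = @{}
    foreach ($line in $LogLines) {
        if ($line -like "#Fields:*") {
            # The directive names the columns; data lines that follow use that order.
            $fields = $line.Substring(8).Trim() -split " "
            continue
        }
        if ($line.StartsWith("#") -or $line.Trim() -eq "") { continue }
        $values = $line -split " "
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $ip = $row["c-ip"]
        if (-not $perClient.ContainsKey($ip)) {
            $perClient[$ip] = @{ Requests = 0; Errors = 0; Uris = @{} }
        }
        $perClient[$ip].Requests++
        if ([int] $row["sc-status"] -ge 400) {
            $perClient[$ip].Errors++
            $perClient[$ip].Uris[$row["cs-uri-stem"]] = $true
        }
    }
    # Report clients at or above the threshold, worst first; many distinct error URIs
    # from one client is the typical shape of probing rather than a broken link.
    $perClient.GetEnumerator() |
        Where-Object { $_.Value.Errors -ge $ErrorThreshold } |
        ForEach-Object {
            [pscustomobject] @{
                ClientIp          = $_.Key
                Requests          = $_.Value.Requests
                Errors            = $_.Value.Errors
                DistinctErrorUris = $_.Value.Uris.Count
            }
        } | Sort-Object Errors -Descending
}

# Against a real site: pull the zip and read the raw HTTP logs from it, for example
#   Save-AzureWebsiteLog -Name AdatumWebsite -Output .\LogFiles.zip
#   (extract it) ; $lines = Get-Content .\LogFiles\http\RawLogs\*.log
#   Get-SuspiciousClients -LogLines $lines -ErrorThreshold 20

# Constructed sample: one client browsing normally, one probing for pages that do not exist.
$sample = @(
    "#Software: Microsoft Internet Information Services 8.0",
    "#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken",
    "2014-10-01 09:00:01 ADATUMWEBSITE GET / - 80 - 203.0.113.10 Mozilla/5.0 - - adatumwebsite.azurewebsites.net 200 0 0 5120 400 31",
    "2014-10-01 09:00:05 ADATUMWEBSITE GET /about - 80 - 203.0.113.10 Mozilla/5.0 - - adatumwebsite.azurewebsites.net 200 0 0 4096 400 20",
    "2014-10-01 09:01:00 ADATUMWEBSITE GET /admin - 80 - 198.51.100.7 curl/7.30 - - adatumwebsite.azurewebsites.net 404 0 2 1500 200 5",
    "2014-10-01 09:01:01 ADATUMWEBSITE GET /login - 80 - 198.51.100.7 curl/7.30 - - adatumwebsite.azurewebsites.net 404 0 2 1500 200 5",
    "2014-10-01 09:01:02 ADATUMWEBSITE GET /config - 80 - 198.51.100.7 curl/7.30 - - adatumwebsite.azurewebsites.net 404 0 2 1500 200 5",
    "2014-10-01 09:01:03 ADATUMWEBSITE GET /backup - 80 - 198.51.100.7 curl/7.30 - - adatumwebsite.azurewebsites.net 404 0 2 1500 200 5",
    "2014-10-01 09:01:04 ADATUMWEBSITE GET /old - 80 - 198.51.100.7 curl/7.30 - - adatumwebsite.azurewebsites.net 404 0 2 1500 200 5"
)
Get-SuspiciousClients -LogLines $sample -ErrorThreshold 5 | Format-Table -AutoSize
```

On the sample data the report lists 198.51.100.7 with five requests, five errors and five distinct error URIs, while the browsing client stays below the threshold. For large volumes the HDInsight approach linked above scales where this single-machine pass does not.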
The Azure portal also includes a MONITOR tab for every website. You can use this to view performance
counters that describe how your website uses resources such as CPU time and network traffic. By default
the counters include:
CPU Time
Data In
Data Out
Requests
HTTP Successes
By adding these counters and displaying them in the graph, you can examine how demand and website
response have varied over the hour, 24 hours, or seven days.
You can also set alerts that can trigger an email when a counter exceeds a threshold. Typically, you would
use alerts to automatically notify your team of administrators when there is a demand spike or some other
performance issue. To add an alert, follow these steps:
1. In the Azure full portal, in the navigation on the left, click WEBSITES and then click the website you
want to monitor.
5. In the NAME text box, type a descriptive name and then click Next.
7. In the THRESHOLD text box, type the value that should trigger the alert.
8. In the ALERT ELEVATION WINDOW drop-down list, select the time period over which the value
should exceed the threshold.
9. Select the Send an email to the service administrator and co-administrators, and then click
Complete.
Using Kudu
Project Kudu is an open-source component of Azure Websites that implements Azure's support for
continuous deployment from Git and Mercurial source code control systems. It also includes the code
that supports WebJobs.
Kudu includes a user interface that publishes
diagnostic information and can help you obtain
troubleshooting and performance information.
To access the information in Kudu, you must authenticate with your Azure administrator account and the
connection is encrypted by using SSL. The default page displays information about the IIS environment
the website is hosted on. You can also run commands, either at a Windows command prompt or in
PowerShell, by using the links on the Debug Console menu.
The Process Explorer tab shows a list of all the processes within the Azure website and includes
information such as their memory usage and uptime. For each process you can find out what DLLs it has
loaded and the threads it runs, as well as the environment variables that are in place.
Other links in Kudu enable you to view diagnostic log files and add NuGet extensions to the website.
Lesson 5
Traffic Manager
If you are running a large global website, you may want to scale the website out to multiple data centers.
This helps to provide a rapid response to user requests from a web server close to their physical location.
Alternatively, you may want to increase availability for your website by providing failover websites that
take over in case the primary website has a problem. You can set up these scenarios by using Traffic
Manager. In this lesson, you will learn how to configure and use Traffic Manager to support highly
responsive and available websites.
Lesson Objectives
At the end of this lesson, you will be able to:
A client resolves a fully qualified domain name (FQDN) to an IP address, through Traffic Manager, in the
following way:
1. The user requests an FQDN, for example by typing it into a browser address bar or by clicking on a
link. In this example, the user requests www.adatum.com.
2. In the Domain Name System (DNS), the requested FQDN is forwarded to a traffic manager URL, by
using a CNAME record. Administrators must configure such a record in DNS in order to use Traffic
Manager with their own domains. The traffic manager URL must be within the trafficmanager.net
domain.
3. Traffic Manager has been monitoring the endpoints configured for the requested traffic manager
URL. It returns the IP address of one endpoint. The endpoint chosen depends on the configured load
balancing method.
4. The client receives the IP address and makes a connection to the website endpoint.
Note: Traffic Manager can be used to distribute load across Azure Websites, PaaS Cloud
Services, IaaS Cloud Services, or external endpoints. Therefore, do not consider Traffic Manager to
be useful only for web services: in fact it is a general Azure service that you can use to increase
performance and availability for many endpoints within and outside of Azure.
2. Create a Traffic Manager profile. The profile will store all the subsequent settings.
3. Configure a DNS Prefix. Choose a unique prefix within the trafficmanager.net domain. You must
ensure the CNAME record forwards users to this fully-qualified domain name.
4. Choose a load balancing method:
Failover. All traffic is forwarded to the first endpoint unless that endpoint is offline.
Performance. Each request is forwarded to the nearest endpoint to the client. This increases
performance because, with endpoints located around the world, the website can be served from
a location close to the user.
5. Add Endpoints to the Traffic Manager Profile. Each endpoint is an Azure website in a different
physical location.
6. Configure Monitoring. Traffic Manager polls each endpoint in the profile to confirm that it is online.
You can use TCP or HTTP for this monitoring. If you use HTTP, you can specify a page that the Traffic
Manager will request each time. You must ensure this page exists for each endpoint in the Traffic
Manager profile.
Endpoints should all be in the same subscription. You can add endpoints to the Traffic Manager
profile in a different subscription, such as a partner organization's subscription. You can also add
endpoints that are external to Azure. However, Traffic Manager will not automatically remove external
endpoints from the profile if they are deleted. You must delete them manually.
Only production endpoints can be used. You cannot add staging slots to a Traffic Manager profile.
Name endpoints clearly. Traffic Manager profiles can include many endpoints; administrators may
confuse them if you do not ensure the endpoint names are systematic and include the endpoint's
location.
Make endpoints consistent. If the content and configuration of all the endpoints in the Traffic
Manager profile are not identical, the response sent to users may be unpredictable.
Disable endpoints for website maintenance. Website maintenance operations, such as update
deployment, can be achieved without interruptions in service because other endpoints can take over.
To enable this, disable the endpoint you want to maintain before beginning your administrative
actions. All traffic will be forwarded to another endpoint until you have finished and re-enabled the
endpoint.
Use PowerShell to test whether a given traffic manager profile URL is available.
Demonstration Steps
1. In the Microsoft Azure PowerShell, type the following command and then press Enter:
Test-AzureTrafficManagerDomainName -DomainName yourname.trafficmanager.net
If the command returns true, you can use this domain for this demonstration. If the command returns
false, try other domain names within trafficmanager.net.
4. Click the traffic manager profile you created in step 5. If the profile is not visible, refresh the page.
5. Click ENDPOINTS.
8. In the list of websites, select the website you created in Lesson 2, demo 1.
Note: It may take several minutes for the new endpoint to be checked and to be listed as
Online.
Reset the Environment
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to reset your Microsoft Azure environment, ready for the next lab. The
script removes all storage, VMs, virtual networks, cloud services, and resource groups.
External Endpoints
In this example, the command adds an external endpoint to a Performance-based Traffic Manager profile.
Adding an External Endpoint
$profile = Get-AzureTrafficManagerProfile -Name "AdatumMainWebsite"
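The profile-creation steps listed earlier in this lesson and the external-endpoint case just shown can be carried out entirely in Azure PowerShell. The script below is an added example for this page, not course or Microsoft code: it checks the DNS prefix, creates a Performance-based profile with HTTP monitoring, adds two Azure website endpoints and one external endpoint, and then takes one endpoint out of rotation for maintenance as recommended above. The profile name, DNS prefix, site names and the external host name are constructed placeholders; it assumes a signed-in session, that the websites already exist, and that the module's Add-AzureTrafficManagerEndpoint accepts the -Type values AzureWebsite and Any that its documentation lists.

```powershell
# Added example (not from the course text): build a Performance-based Traffic Manager
# profile, attach Azure website and external endpoints, and disable one endpoint for
# maintenance. All names are constructed; assumes a signed-in Azure SM PowerShell session.
$profileName = "AdatumGlobal"
$tmDomain    = "adatum-global.trafficmanager.net"

# The DNS prefix must be unique within trafficmanager.net; check before creating.
if (-not (Test-AzureTrafficManagerDomainName -DomainName $tmDomain)) {
    throw "$tmDomain is already taken; choose another prefix."
}

# Performance routing answers each DNS query with the endpoint nearest the resolver.
# Monitoring: every endpoint is probed over HTTP on port 80 at /health; an endpoint that
# stops answering 200 is left out of DNS answers. A short TTL lets failover and
# maintenance changes reach clients quickly.
$tm = New-AzureTrafficManagerProfile -Name $profileName -DomainName $tmDomain `
    -LoadBalancingMethod Performance `
    -MonitorProtocol Http -MonitorPort 80 -MonitorRelativePath "/health" -Ttl 60

# Azure website endpoints: Traffic Manager learns their location from the site itself.
$tm = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
    -DomainName "adatumus.azurewebsites.net" -Type AzureWebsite -Status Enabled
$tm = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
    -DomainName "adatumeu.azurewebsites.net" -Type AzureWebsite -Status Enabled

# External endpoint (for example the ISP-hosted IIS server): with Performance routing
# its location must be given, and Traffic Manager never removes it by itself if the
# host disappears, so it must be deleted from the profile manually when retired.
$tm = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
    -DomainName "www-legacy.example.com" -Type Any -Status Enabled -Location "West Europe"

# Nothing is saved until the profile object is written back.
Set-AzureTrafficManagerProfile -TrafficManagerProfile $tm

# Maintenance: disable one endpoint. New DNS answers go elsewhere, but clients that
# cached the old answer keep using it until the TTL expires, so wait at least that
# long before taking the endpoint down.
$tm = Get-AzureTrafficManagerProfile -Name $profileName
$tm = Set-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
    -DomainName "adatumeu.azurewebsites.net" -Status Disabled
Set-AzureTrafficManagerProfile -TrafficManagerProfile $tm
Start-Sleep -Seconds 60
# ... deploy the update to adatumeu, then repeat the last three lines with -Status Enabled.
```

The /health page must exist and return 200 on every endpoint, including the external one, or the monitor marks that endpoint offline; keep it free of anything that reveals configuration detail, since the page is reachable by anyone.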
If you choose round robin load balancing for your Traffic Manager profile, Traffic Manager distributes
load approximately equally between endpoints. If there are three endpoints in the profile, one third of
Traffic Manager responses will forward requests to the first endpoint. An equal proportion of responses
will forward requests to the second and third endpoints.
Note: Sometimes caching and other issues can distort the distribution of traffic. For
example, if a proxy server with a large number of clients caches a Traffic Manager response, all
the clients that use that proxy server will connect to the same endpoint while that response
remains in the cache. However, with a large number of clients from across the Internet, such
distortions tend to average out and the distribution of traffic becomes approximately equal.
Sometimes, however, you would prefer an unequal distribution of traffic. For example, if one endpoint is a
website in the standard tier, it can be scaled more easily than a website in the basic tier. For such
situations, you can bias the distribution of load, by specifying a weight for each endpoint. Endpoints with
larger weights receive more traffic.
Weights can be specified between 1 and 1000. All endpoints have a default weight of 1.
The following command adds a new endpoint with a specific weight to a Traffic Manager profile:
Adding a Weighted Endpoint
$profile = Get-AzureTrafficManagerProfile -Name "AdatumWebsite"
Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile -DomainName "adatumus.azurewebsites.net" -Status "Enabled" -Type "Website" -Weight 70 | Set-AzureTrafficManagerProfile
Nested Profiles
In most cases a Traffic Manager endpoint is either a website, a PaaS cloud service, or a VM in an IaaS
cloud service. However, you can also specify a Traffic Manager profile as an endpoint. This creates a
nested profile, in which a parent profile contains one or more child profiles.
You can use this technique to increase the flexibility of load balancing. For example, you could set up a
parent profile that uses Performance load balancing to distribute load over several endpoints around the
world. Client requests would be sent to the endpoint closest to the user. Within one of those endpoints,
you could use round robin load balancing in a child profile to distribute load equally between two websites.
To set up nested profiles, create the parent and child profiles separately and configure their endpoints.
Then add the child profile as an endpoint to the parent profile, specifying the parameter Type =
TrafficManager. This operation can only be done in PowerShell.
The following command adds a Traffic Manager profile as a child endpoint to a parent Traffic Manager
profile:
Nesting Traffic Manager Profiles
$parent = Get-AzureTrafficManagerProfile -Name "AdatumWebsites"
$child = Get-AzureTrafficManagerProfile -Name "EuropeRoundRobinWebsites"
$parent = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $parent -DomainName "euroundrobin.trafficmanager.net" -Status "Enabled" -Type "TrafficManager" -Location "North Europe"
Set-AzureTrafficManagerProfile -TrafficManagerProfile $parent
The A. Datum public-facing website currently runs on an IIS web server at the company's chosen ISP. You
want to migrate this website into Azure and you have been asked to test Azure Websites functionality by
setting up a test A. Datum website. The website is maintained and developed by an internal team who
have provided a test website to deploy. You want to ensure they can continue to stage changes to the
website before those changes are deployed to the public-facing site. Since A. Datum is a global company,
you also want to test Traffic Manager and show business decision makers how it can distribute traffic to
instances close to the website visitors.
Objectives
After completing this lab, you will be able to:
Create a new Azure website and configure deployment slots and credentials.
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
You have been asked to set up an A. Datum test website in Azure. As the first step in the setup process,
you want to create a new Azure website. Later in this lab, you will deploy the test web application to this
site.
The main tasks for this exercise are as follows:
1. Create a Website
2. Add a Deployment Slot
3. Configure Deployment Credentials
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. In Internet Explorer, browse to http://azure.microsoft.com and sign into the portal using the
Microsoft account that is associated with your Azure subscription. Then switch to the new portal.
2. Add a new deployment slot to the website you created in Task 1. Use the following information:
o Name: Staging
Use the PowerShell Get-AzureWebsite cmdlet to check the website and staging slot you have created.
Set the following deployment credentials for the website you created in Task 1:
o Password: Pa$$w0rd
Results: After you have completed this lab, you will have created a new website in the Azure portal and
configured the new website with deployment slots and deployment credentials.
Now that you have created a website and deployment slot for the A. Datum test website, you can publish
the web application supplied to you by the A. Datum web development team. In this exercise, you will use
a publishing profile in Visual Studio 2013 to connect to the new website and deploy the web content.
The main tasks for this exercise are as follows:
1. Obtain a Publishing Profile
2. Deploy a Website
Switch to the full Azure portal and then download and save a publish profile for the website you
created in Exercise 1.
2. Open the following web application project in Visual Studio Express 2013:
o D:\LabFiles\Lab05\Starter\AdatumWebsite\AdatumWebsite.sln
3. Start the web application and examine the contents. Then close Internet Explorer.
Note: When you start the web application in Visual Studio, the website runs in IIS Express
on your local workstation.
In Visual Studio, start the Publish wizard for the AdatumWebsite project and then import the
.PublishSettings file you downloaded in Task 1.
2. Verify that the publish settings file includes correct connection information.
3. Ensure that the Release configuration is used for the published website.
4. Preview the file changes and then Publish the new website to Azure.
Note: The Publish operation may take 2 to 3 minutes. When the operation is complete,
Internet Explorer opens and displays the new website hosted in Azure.
Results: After you have completed this lab, you will have a deployed website hosted in Windows Azure
that you can visit with any common web browser.
The web deployment team has created an updated style sheet for the A. Datum test website. You want
to demonstrate to decision makers how changes such as this can be deployed to a staging slot and tested,
before deployment to the production A. Datum website. In this exercise, you will upload the new website
to the staging slot you created in Exercise 1. You will then move the new site into the production slot.
The main tasks for this exercise are as follows:
1. Deploy a Website for Staging
2. Swap Deployment Slots
3. Roll Back a Deployment
1. In the Azure full portal, download a publish profile for the Staging slot for your website.
2.
   o D:\LabFiles\Lab05\Starter\NewAdatumWebsite\AdatumWebsite.sln
3. Publish the new website and import the staging publish settings file you just downloaded.
1. In Internet Explorer, access the properties of the website you created in Exercise 1.
2. Browse the website. Notice that the color scheme is the old one, because the new color scheme is still in the staging slot. Close the A. Datum website.
4. When the swap is complete, browse the website. Notice that the color scheme is the new one.
1. In the Azure portal, swap the staging and production slots again.
Note: By swapping the slots a second time, you simulate a deployment rollback.
2. When the swap is complete, browse the website. Notice that the color scheme has reverted to the old one.
1. In Windows Azure PowerShell, get a list of all the websites in your Azure subscription. Note the name of your original website.
2. Get a list of the Azure locations and choose a location that is not the location you chose in Exercise 1.
3.
   o Name: Use the name of your original website with the number 2 appended.
4. In the Azure full portal, download a publish profile for the website you just created (WebsiteName2).
5.
   o D:\LabFiles\Lab05\Starter\AdatumWebsite\AdatumWebsite.sln
6. Start the Publish Web wizard and import the publish settings file you just downloaded.
Note: Be sure to add a new publish settings file on the Profile tab, so that the content can be published to the new website.
1. In the Windows Azure full portal, configure the new website in the Standard tier.
1. In the full Azure portal, create a new Traffic Manager profile. Use the following information:
2. Add the websites you created in Exercise 1 and Exercise 4 as endpoints in the Traffic Manager profile.
2. Use the nslookup command to resolve the DNS NAME for your traffic manager profile.
Note: In the DNS aliases, traffic manager returns the website you created in Exercise 1, which is closest to your physical location.
3. In the Azure portal, disable the traffic manager endpoint that is the website you created in Exercise 1.
4. Use the nslookup command to resolve the DNS NAME for your traffic manager profile. The results should differ from those in step 3.
Note: If the aliases have not changed, reissue the nslookup commands until there is a change.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, websites, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you will have a website set up in two Azure regions and Traffic
Manager will be configured to distribute requests between them.
Question: In Exercise 2, you deployed the A. Datum production website to Azure. In Exercise
3, you deployed a new version of the site to a staging slot. How can you tell, within Internet
Explorer, which is the production site and which is the staging site?
Question: At the end of Exercise 4, you used an FQDN within the trafficmanager.net domain
to access your website. How can you use your own registered domain name to access this
website?
Review Question(s)
Question: What are the advantages of deploying a website to Azure Websites over those of
deploying a website to an Azure VM running IIS?
Module 6
Planning and Implementing Storage
Module Overview
Microsoft Azure Storage Services provide a range of options for storing and accessing data. The core structures provision storage of content in blob containers, tables, and queues, and this is evolving with the addition of Azure Files. In addition to storage, Microsoft Azure also provides Recovery Services, which deliver failover and backup and restore facilities for sites and data. Storage can be provisioned through the full portal, and IT professionals can access and manage storage using a range of command-line and graphical tools as well as Azure PowerShell. In this module, you will learn about the available options for data storage and management.
Objectives
After completing this module, you will be able to:
Lesson 1
Planning Storage
Microsoft Azure Storage and Recovery Services enable you to hold and protect your business data in a cloud storage environment. The range of storage types means that it is important for you to understand not only how to deliver storage services but also how these are best deployed for your business solutions. As with all Microsoft Azure facilities, storage is a billable commodity, so you need to manage your storage and recovery options to ensure that you deploy the most business- and cost-efficient solutions. This lesson discusses the various data services that are available in Microsoft Azure and describes considerations for choosing a data storage solution.
Lesson Objectives
After completing this lesson, you will be able to:
Plan backup and recovery with Azure Site Recovery and Backup.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select; then creates a virtual network
(ADATUM-HQ-VNET); then creates a Windows server VM; and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.
Demonstration Steps
Sign in to Your Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.
Enable Preview Features
2. At the top right of the Azure portal page, click your Microsoft account name and click View my bill.
4. Click try it now for the Windows Azure Files preview feature, and activate it for your subscription.
Note: Preview features are constantly changing. If this feature is unavailable, continue to the next step.
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. At the prompt, type the module number, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.
6. When prompted, enter the Azure regions to use, and then press Enter.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 15-20 minutes to configure your Microsoft Azure environment, ready for the lab at the end of this module.
At the end of setup, you should have the following:
A VM called AdatumSvr1.
Storage Accounts
In order to use Azure Storage, you begin by creating a storage account. You can create many storage accounts within a single Azure subscription. Each storage account can contain up to 500 TB of data. For each storage account, you must specify:
A URL. This defines the URLs at which the storage account can be accessed by clients. All storage accounts are within the core.windows.net domain. The full URL depends on the type of storage you want to use. For example, if you specify the URL mystorageaccount, you can access BLOB storage at http://mystorageaccount.blob.core.windows.net.
A Location or Affinity Group. This assigns the primary data center where your storage account maintains data. Choose a location close to the location where you expect most users.
A Replication Option. In order to ensure resilience and availability, Azure automatically replicates your data to multiple physical servers. You can choose one of four replication schemes:
o Locally Redundant. Your data is replicated synchronously, so that there are three copies within a single facility in a single region. Locally Redundant Storage (LRS) protects your data against server hardware failures but not against the failure of the facility itself.
o Zone Redundant. Your data is replicated synchronously, so that there are three copies across two or three facilities in a single region. Zone Redundant Storage (ZRS) is more redundant than LRS but does not protect against failures that affect a whole region. ZRS is only available for BLOB storage.
o Geo-Redundant. Your data is replicated asynchronously, with three copies of the data in the primary region, and three copies of the data stored in a secondary region. If there is a failure at the primary region, Azure Storage will fail over to the secondary region. Geo-Redundant Storage (GRS) is the most resilient of the replication schemes.
o Read-Access Geo-Redundant. As with GRS, your data is replicated asynchronously across two regions. However, with read-access GRS, the three copies in the secondary region are enabled for read-only access to the data if the primary region is unavailable.
Storage Types
Each storage account can contain the following types of storage. You can use more than one of these
types in the same storage account:
BLOB Storage. Binary Large Objects (BLOBs) can be any type of file or binary data. This can include
documents, images, videos, backup files, configuration files, and data logs. You can create any
number of containers within a single storage account. Within each container, you can store any
number of blobs up to the 500 TB limit.
Table Storage. You can use tables to store data without specifying a schema as you would in a
database. This schema-less design makes it easy for developers to adapt a table to changing
requirements. Developers can use table storage as the back-end data store for websites, mobile apps,
PaaS cloud services, and other types of solution.
Queue Storage. When developers architect distributed applications, they need a method by which components of the application can reliably communicate asynchronously. One popular method is to use a queue: a source component sends a message by placing it into a queue. The destination component works through the messages in the queue one at a time. You can use Azure Queue Storage to provide such a message queue with all the redundancy and reliability provided by Azure Storage.
File Storage. Azure file storage enables you to create an SMB file share. Client computers can browse
this share or map a network drive to the share as they might access a file share on an on-premises
Windows file and print server.
For more information on performance and costs of the different Azure storage options, see:
Best Practices for Performance in Azure Applications
http://go.microsoft.com/fwlink/?LinkID=522638
Azure Site Recovery is a service you can use to orchestrate protection for on-premises virtual machines that run on Hyper-V. The Hyper-V host servers can be part of a System Center Virtual Machine Manager (VMM) cloud, but this is not a requirement. The Azure Site Recovery Manager replicates the protected virtual server and ensures that, in the event of a failure, services are smoothly failed over to the replicated virtual server. The replicated virtual server can be located:
On Premises. In this configuration, the Site Recovery Manager replicates the virtual server to a second VMM cloud in another physical location from the source.
In Azure. In this configuration, the Site Recovery Manager replicates the virtual server to an Azure virtual machine.
Azure Backup
The Azure Backup service is designed to enable you to use Azure as a backup medium to replace physical
media such as tapes, hard drives, and DVDs. To use Azure Backup to protect your data, you must:
1. Create a backup vault in Azure. A vault is a virtual location to which data will be backed up. You should create the vault in an Azure region close to the physical location of the data.
2. Download the vault credential. The Azure Backup Agent uses the vault credential to authenticate with Azure when it starts a backup operation.
3. Download and install the Azure Backup Agent. Choose the correct backup agent for your backup tool. There are separate downloads for System Center Data Protection Manager and for Windows Server Essentials.
4. Use Windows Server Backup to configure and schedule backups. Once the agent is installed and configured, Azure appears as a data destination within the Windows Server Backup MMC snap-in, and there is a separate Azure Backup management console available on the Start menu. You can also use PowerShell to configure and initiate backup operations.
Blob Storage
Block blobs. Block blobs are designed to enable developers to upload large files efficiently. Data is
uploaded in the form of data blocks, each of which is up to 4 MB in size. Block blobs can be up to 200
GB in size.
Page blobs. Page blobs are designed for random read and write operations. Blobs are accessed as
pages, each of which is up to 512 bytes in size. When you create a page blob, you specify the
maximum size to which it may grow up to a limit of 1 TB.
Table Storage
The Azure Table storage service can be used to store structured data in tables without the constraints of
traditional relational databases. Within each storage account you can create multiple tables. Each table
can contain multiple entities. Because table storage does not mandate a schema, the entities within a
single table need not have precisely the same set of properties. For example, one Product entity may have
a Size property, while another Product entity in the same table may have no Size property at all. Each
property consists of a name and a value. For example, the Size property may have the value 50 cm for a
particular product.
Tables can be accessed through a URL; for example, to access a table named mytable in a storage
account named myaccount, applications use the following URL:
http://myaccount.table.core.windows.net/mytable
The number of tables in a storage account is unlimited. The number of entities in a table is unlimited.
Each entity can be up to 1 MB in size and possess up to 252 custom properties. Every entity also has
partition key, row key, and timestamp properties. It is important to choose these two key values (partition
key and row key) carefully, because it is much more efficient to search on these keys than on other values
(this is because only the key values are indexed). The partition key partitions the data, and should be used
to group similar data.
Queue Storage
The Azure Queue storage service can store long queues of messages for asynchronous processing.
Developers can use a queue to ensure reliable messaging between the components of a distributed
system. The separate components add messages to the queue and remove messages from the queue by
issuing commands over the HTTP or HTTPS protocols.
Queues can be accessed through a URL; for example, to access a queue named myqueue in a storage
account named myaccount, applications use the following URL:
http://myaccount.queue.core.windows.net/myqueue
You can create any number of queues in a storage account and any number of messages in each queue
up to the 200 TB limit for all data in the storage account. Each message can be up to 64 KB in size.
File Storage
The Azure File Storage service enables you to create Server Message Block (SMB) file shares in Azure just
as you would on an on-premises file and print server. Within each file share, you can create multiple levels
of directories to categorize content. Each directory can contain multiple files and multiple directories.
Files can be up to 1 TB in size.
Access Keys
Use the following command to obtain the storage keys for a storage account named myaccount in your
Azure subscription:
Obtaining Storage Keys
Get-AzureStorageKey -StorageAccountName myaccount
Two storage keys are always in use for every storage account. This enables you to regenerate each key
from time to time without interrupting service to users. For example, if you regenerate the primary key,
apps can use the secondary key for authentication until you reconfigure them with the new primary key.
You can regenerate access keys in the Azure portal or by using the New-AzureStorageKey PowerShell
cmdlet.
Use the following command to regenerate a primary key:
Regenerating Keys
New-AzureStorageKey -KeyType Primary -StorageAccountName myaccount
The automatically generated Primary and Secondary access keys provide full administrative access to storage, which creates a potential security risk. For this reason, Azure storage also supports Shared Access Signature (SAS) authentication, in which access to a specific container, blob, table, or queue is granted for a limited time period based on a token. This model therefore involves two kinds of secret: the primary and secondary Storage Account Keys (SAKs), and Shared Access Signatures (SASs). Role instances, VMs, and applications that access storage using the SAK get full control over their associated data. Scoped access to Azure storage data, such as time-limited access, is controlled through the SAS token. The SAK and SAS are plain-text keys, but within an application, developers can secure these keys by encrypting the connection string using PKCS-7 within the application's configuration file.
The SAS is created from a query template (URL), signed with the SAK. That signed URL can be given to another process (delegated), which can then fill in the details of the query and make the request to the storage service. A SAS enables you to grant time-based access to clients without revealing the storage account's secret key. SAS tokens are usually generated by applications using the Azure API, but you can also generate them using PowerShell. For example, the New-AzureStorageContainerSASToken cmdlet generates a SAS token for a blob container.
For more information about using Shared Access Signature, see:
Shared Access Signatures, Part 1: Understanding the SAS Model
http://go.microsoft.com/fwlink/?LinkID=511741
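The following is an added example (it is not from the course materials) of the delegation model described above, using the Azure Service Management cmdlets: a read-and-list SAS for one container that expires after an hour, a check that the delegated token cannot write, and rotation of the secondary key. The storage account and container names are sample values, and the session is assumed to be signed in with Add-AzureAccount.

```powershell
# Added example (not course code): scoped, time-limited SAS instead of the account key.
# Assumes the Azure Service Management cmdlets and a signed-in session; names are samples.
$storageAccount = "mystorageaccount"   # sample name used by the text
$containerName  = "demo-container"     # sample container name

# 1. Full-control context built from the primary key: this stays on the administrator's side.
$storageKey   = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$adminContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey

# 2. Least-privilege delegation: read (r) and list (l) on one container, valid for one hour.
#    Container permission letters are r (read), w (write), d (delete) and l (list).
#    The start time is backdated a few minutes to tolerate clock skew between client and service.
$sasToken = New-AzureStorageContainerSASToken -Name $containerName `
                                              -Permission "rl" `
                                              -StartTime (Get-Date).AddMinutes(-5) `
                                              -ExpiryTime (Get-Date).AddHours(1) `
                                              -Context $adminContext

# 3. The delegate receives only the SAS token, never the account key.
$delegateContext = New-AzureStorageContext -StorageAccountName $storageAccount -SasToken $sasToken

# Listing the container works with the delegated token...
Get-AzureStorageBlob -Container $containerName -Context $delegateContext | Select-Object Name, Length

# ...but an operation outside the granted permissions is refused by the storage service.
$probe = Join-Path $env:TEMP "sas-probe.txt"
"constructed test content" | Out-File $probe
try {
    Set-AzureStorageBlobContent -File $probe -Container $containerName -Blob "sas-probe.txt" `
                                -Context $delegateContext -ErrorAction Stop
    Write-Warning "Upload succeeded: the SAS grants more than read/list; check its permissions."
}
catch {
    "Write with a read/list SAS correctly refused: $($_.Exception.Message)"
}

# 4. Key rotation: regenerate the secondary key first, move clients to it, then rotate the primary.
#    Any SAS that was signed with a regenerated key stops working at that moment.
New-AzureStorageKey -KeyType Secondary -StorageAccountName $storageAccount | Out-Null
```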
Capacity. The capacity of a storage account is the amount of data you have stored in it. This is
charged on a per GB basis. In the case of VHDs, for example, this means that, if you create a new 100
GB VHD, but only upload 10 GB of data to the VHD, you will only be billed for the storage space used
by the page blob, regardless of how much space was allocated.
Replication Scheme. Locally Redundant Storage (LRS) storage accounts are cheaper than Zone
Redundant Storage (ZRS) accounts, which are cheaper than Geographically Redundant Storage (GRS)
accounts; Read-Access Geographically Redundant Storage (RA-GRS) accounts are the most expensive.
Lesson 2
In this lesson you will see how to implement several of the storage options in Microsoft Azure. You will
also see the tools and utilities that are available to manage storage accounts and containers by using the
utilities and commands available for Microsoft Azure.
Lesson Objectives
After completing this lesson, you will be able to:
Implement blobs.
You can create a storage account by using the Azure portal or by using PowerShell. To create a storage
account in the Azure Preview Portal, follow these steps:
1. In the Azure Preview Portal, in the toolbar on the left, click NEW and then click Storage.
2. In the STORAGE textbox, type a unique URL within the core.windows.net domain. If the URL you choose is unique and valid, a green smiley appears.
3. Click PRICING TIER and then click GRS, LRS, or RA-GRS and then click Select. ZRS is not available in the Preview Portal.
4. Click LOCATION and then click a location close to the users of the data.
5. Click Create.
In the Azure PowerShell, you can create a new storage account by issuing the following command:
Creating a New Storage Account in PowerShell
Whichever method you use to create a storage account, you must ensure that the name you use is unique
within the whole of Azure (not just your subscription), and of a length between three and 24 characters.
The name can contain only lower-case letters and numerals. During account creation, Azure creates the
two account access keys and the storage endpoints for all the storage services.
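As an added example (not the course's own listing), the following Azure Service Management cmdlet sequence applies the naming rules just described before creating the account: it checks the format, confirms that the name is free across all of Azure, creates the account with an explicit replication type, and verifies that both access keys were generated. The account name, region and replication type are sample values.

```powershell
# Added example (not course code): validate a storage account name, confirm it is free across
# Azure, create the account, and confirm that both access keys exist.
# Assumes the Azure Service Management cmdlets and that Add-AzureAccount has been run.
function Test-StorageAccountNameFormat {
    param([Parameter(Mandatory = $true)][string]$Name)
    # 3-24 characters, lower-case letters and digits only (case-sensitive match)
    return ($Name -cmatch '^[a-z0-9]{3,24}$')
}

$storageAccountName = "adatumstorage01"   # constructed sample name
$location           = "West Europe"       # sample region; use the one your instructor chose
$replicationType    = "Standard_LRS"      # Standard_LRS, Standard_ZRS, Standard_GRS or Standard_RAGRS

if (-not (Test-StorageAccountNameFormat $storageAccountName)) {
    throw "'$storageAccountName' is not a valid name (3-24 lower-case letters and digits)."
}

# The name must be unique across the whole of Azure, not only your subscription.
# Test-AzureName -Storage returns $true when the name is already taken.
if (Test-AzureName -Storage -Name $storageAccountName) {
    throw "'$storageAccountName' is already in use in Azure; choose another name."
}

New-AzureStorageAccount -StorageAccountName $storageAccountName `
                        -Location $location `
                        -Type $replicationType | Out-Null

# Azure generates the primary and secondary keys at creation time; confirm without printing them.
$keys = Get-AzureStorageKey -StorageAccountName $storageAccountName
if ([string]::IsNullOrEmpty($keys.Primary) -or [string]::IsNullOrEmpty($keys.Secondary)) {
    throw "Access keys were not generated for $storageAccountName."
}

# The storage endpoints (blob, queue, table) are created with the account.
$account = Get-AzureStorageAccount -StorageAccountName $storageAccountName
"Created $storageAccountName ($($account.AccountType)); endpoints: $($account.Endpoints -join ', ')"
```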
Azure PowerShell enables you to obtain more storage information than is currently available from the
Azure portals, although without the graphical UI.
AzCopy.exe
AzCopy.exe provides a command line option that is optimized for reading and writing content from local
machines to Azure cloud storage. This is a high-performance tool that you can use to upload, download,
and copy data to and from blob, table and file storage. For a detailed explanation of AzCopy.exe,
including options and example commands, see the following link:
Getting Started with the AzCopy Command-Line Utility
http://go.microsoft.com/fwlink/?LinkID=522643
Storage Explorer
Storage Explorer is available through CodePlex. It provides a graphical interface for management of blobs, tables, and queues, though not currently Azure Files. It is a management tool, not a creation tool, for storage accounts: accounts must be created in either the new portal or the full portal.
To download Storage Explorer, see:
Azure Storage Explorer
http://go.microsoft.com/fwlink/?LinkID=511744
Azure Storage Explorer 6 is the latest version of Azure Storage Explorer, and is currently available in
preview form. With this utility, you can create and manage:
Containers
Blobs
Tables
Queues
Security
Access Level
If you have installed the Azure SDK for .NET in Visual Studio 2013, you can use the Server Explorer tool to
access Azure storage accounts and manage the contents. The Microsoft Web Platform Installer installs
Microsoft Azure SDK for .NET (VS 2013) 2.4.
Unlike the CodePlex Storage Explorer, Server Explorer in Visual Studio 2013 can also create Storage Accounts, as well as manage storage components within an account.
To review the information for using Server Explorer for Visual Studio 2013, see:
Browsing Storage Resources with Server Explorer
http://go.microsoft.com/fwlink/?LinkID=511745
Implementing Blobs
Blobs are stored in a container within the Azure storage account, and containers can be created programmatically or in the Azure portal.
Public Container. Allows full public read access to blobs and to the container metadata.
Use the following commands in PowerShell to create a new container. Before you can create the
container, you must obtain a storage context object by passing the storage account primary key.
Creating a Blob Container in PowerShell
Administrators can view, modify, and upload blobs and blob containers using tools such as AzCopy and
Azure Storage Explorer or they can use the following PowerShell cmdlets:
For example, you could use the following code to create a table:
Creating a Storage Table in PowerShell
$storageAccount = "mystorageaccount"
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
New-AzureStorageTable -Name "MyTable" -Context $context
At the time of writing, Azure Files is in preview. To access this feature, you must request access for your subscription by following these steps:
4. If you are requested to sign in, authenticate with the credentials associated with your Azure subscription.
Once you have enabled the preview feature, new storage accounts will be automatically created with a
files service endpoint. This endpoint can be found at:
http://<storage account name>.file.core.windows.net/
Existing storage accounts cannot be enabled for file storage.
Within a file service enabled storage account, you can create multiple file shares. Within each share, you
can use directories to create a categorized hierarchy of content. Developers can create file shares by
coding against the REST API. Administrators can use PowerShell to create file shares.
Use the following commands to create a file share, create a directory, and upload a file:
Using an Azure File Share
$storageAccount = "mystorageaccount"
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
#Create the new share
$share = New-AzureStorageShare -Name myshare -Context $context
#Create a directory in the new share
New-AzureStorageDirectory -Share $share -Path mydirectory
#Upload a file into the directory (the cmdlet is Set-AzureStorageFileContent)
Set-AzureStorageFileContent -Share $share -Source C:\upload\instructions.txt -Path mydirectory
Azure File Shares are accessible from on-premises clients and Azure services in remote regions using REST
API, PowerShell, or AzCopy. AzCopy can copy files between local systems and Azure file shares.
For more information about the Azure Files service, see:
Introducing the Azure File Service
http://go.microsoft.com/fwlink/?LinkID=511746
Demonstration Steps
Create a Storage Account
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the previous demonstration to prepare the environment has completed.
2. Start Internet Explorer and browse to https://portal.azure.com. When prompted, sign in using the credentials for the Microsoft account associated with your Azure subscription.
4. Close the Everything blade, then under Marketplace, click Storage, cache, + backup.
5. On the Storage, cache, + backup blade, under Storage and Cache, click Storage, and then click Create.
6. In the Storage account blade, apply the following settings and click Create:
   o RESOURCE GROUP: Click the current resource group, and then click Create a new resource group
7. In the hub menu, click NOTIFICATIONS and wait for the storage account to be created.
9. In the Storage blade, click the storage account you just created.
10. In the blade for your storage account, click the Containers tile.
11. On the Containers blade, click ADD. Then in the Add a container blade, apply the following settings and click OK:
   o NAME: demo-container
12. If the new container does not appear in the Containers blade within a few seconds, refresh the page
in Internet Explorer.
13. Close the Containers blade.
14. In the blade for your storage account, click KEYS, and on the Manage keys blade view the primary
and secondary access keys that have been generated for your storage account. Note that you can
copy the keys to the clipboard from this blade.
15. Close all open blades, and close Internet Explorer.
Use PowerShell to Upload Blobs
1. In the D:\Demofiles\Mod06 folder, right-click UploadBlobs.ps1 and click Edit to open the file in the Windows PowerShell Integrated Scripting Environment (ISE).
2. In the Windows PowerShell ISE, in the command prompt pane, enter the command Get-AzureAccount and verify that your Microsoft account is displayed.
Note: If your account is not displayed, enter the command Add-AzureAccount and sign in using your Microsoft account.
3. In the script pane, in the $storageAccountName variable declaration at the beginning, replace the value <your_storage_account_name> with the name of the Azure storage account you created in the previous task.
4.
   o Declares a variable named $containerName that references the demo-container container you created in the previous task.
   o Finds the folder where the script is stored and declares a variable named $sourceFolder that references the data subfolder.
   o Uses the Get-AzureStorageKey cmdlet to retrieve the access key for your storage account.
   o Uses the New-AzureStorageContext cmdlet to create a storage context that connects to your storage account using the access key.
   o Iterates through the files in the source folder and uses the Set-AzureStorageBlobContent cmdlet to write each file as a blob in the container.
6. Observe the script as it runs, and view the output, which indicates that the three files in the D:\Demofiles\Mod06\data folder were uploaded to the demo-container container in your storage account.
Note: If you get the message The remote server returned an error: (404) Not Found., the storage account may not have completed provisioning. Wait a few minutes, and then try steps 5 and 6 again.
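As an added example (this is not the course's UploadBlobs.ps1, and the folder layout and names are assumptions), the following script does what the steps above describe and also covers the container-creation commands referred to under Implementing Blobs: it creates demo-container as a private container, waits out the 404 that a still-provisioning account returns, checks the container's access level, and uploads each file in the data subfolder as a blob.

```powershell
# Added example (not the course's UploadBlobs.ps1): private container + upload loop with a
# retry for the 404 a newly created account can return while it is still provisioning.
# Assumes the Azure Service Management cmdlets and a signed-in session; names are samples.
$storageAccountName = "<your_storage_account_name>"   # replace, as the demo step instructs
$containerName      = "demo-container"
# Folder next to the script (valid when this runs as a saved .ps1 file, not pasted interactively)
$sourceFolder       = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "data"

$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$context    = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageKey

# -Permission Off creates a private container: no anonymous read access to blobs or metadata.
$container = $null
for ($attempt = 1; ($attempt -le 5) -and (-not $container); $attempt++) {
    try {
        $container = New-AzureStorageContainer -Name $containerName -Permission Off `
                                               -Context $context -ErrorAction Stop
    }
    catch {
        if ($_.Exception.Message -match "already exists") {
            # Re-running the script: reuse the existing container.
            $container = Get-AzureStorageContainer -Name $containerName -Context $context
        }
        elseif ($_.Exception.Message -match "404") {
            Write-Warning "Attempt ${attempt}: account not ready yet (404); waiting 30 seconds."
            Start-Sleep -Seconds 30
        }
        else { throw }
    }
}
if (-not $container) { throw "Container $containerName is not reachable after 5 attempts." }

# A pre-existing container may have been created with public access; flag that before uploading.
if ($container.PublicAccess -ne "Off") {
    Write-Warning "Container $containerName allows anonymous '$($container.PublicAccess)' access."
}

# Upload each file; the blob name is the file name, -Force overwrites a blob of the same name.
$uploaded = @()
Get-ChildItem -Path $sourceFolder -File | ForEach-Object {
    $blob = Set-AzureStorageBlobContent -File $_.FullName -Container $containerName `
                                        -Blob $_.Name -Context $context -Force
    $uploaded += $blob.Name
}
"Uploaded $($uploaded.Count) file(s) to ${containerName}: $($uploaded -join ', ')"
```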
2. On the TOOLS menu, click Connect to Microsoft Azure Subscription. If you are prompted to sign out, click OK.
3. Sign in to Azure using the Microsoft account associated with your Azure subscription.
6. Under Storage, expand the storage account you created in the first task, and expand Blobs.
8. In the demo-container [Container] page, verify that the container contains the files that were uploaded by the PowerShell script in the previous task.
Lesson 3
Microsoft Azure offers more than just easy-to-configure, scalable storage; it also provides facilities for you
to monitor your storage deployment and backups for sites and data. These are configurable, both
through the full and new portals and through Azure PowerShell cmdlets. In this lesson, you will find out
more about how to monitor and manage storage and provide backup and failover security for your
business sites and data.
Lesson Objectives
After completing this lesson, you will be able to:
Monitor storage.
Implement Azure Backup.
Enabling Monitoring
Monitoring can be set in both the preview portal and the full portal. Monitoring and diagnostics are switched off by default, but can be configured after a storage account is created.
Monitoring is configured for the entire storage account, but the level of detail recorded can be set for blob containers, tables, and queues separately. The following monitoring levels are available:
• Off. Turns off monitoring. Existing monitoring data is persisted through the end of the retention period. This is the default setting for each storage type.
• Minimal. Collects basic metrics such as ingress and egress, availability, latency, and success percentages, which are aggregated for the Blob, Table, and Queue services.
• Verbose. In addition to the minimal metrics, verbose monitoring collects the same set of metrics for each storage operation in the Azure Storage Service API. Verbose metrics enable closer analysis of issues that occur during application operations, but may impact performance.
The administrator can also set a retention policy period from 1 to 365 days for each storage type.
To enable monitoring for a storage account, follow these steps:
1. In the Azure full portal, in the navigation on the left, click Storage.
3. In the Monitoring section, choose Off, Minimal, or Verbose for each storage type that you use in that storage account.
4. For each storage type, use the Retention textbox to set the data retention period in days.

Using verbose monitoring for long periods will incur a cost because monitoring data is stored in the storage account in the following tables:
• $MetricsTransactionsBlob
• $MetricsTransactionsTable
• $MetricsTransactionsQueue
• $MetricsCapacityBlob
Managing Analytics
Once you have enabled monitoring for a storage account, data should start to appear in the portal user
interface within about an hour. In the full portal, monitoring statistics are displayed in charts on the
Dashboard and Monitor pages for the storage account. The full set of metrics are only available on the
Monitor page.
A default set of metrics are automatically displayed. To add a new metric to the monitoring chart, follow
these steps:
2. Click the storage account you want to monitor and then click the MONITOR tab.
4. Select the counters you want to monitor and then click OK.
You can also configure alerts for the metrics displayed in the monitoring chart. An alert monitors one of
the counters in the chart and sends an email if the counter exceeds a threshold you define. By using alerts,
you can ensure that Azure immediately informs administrators when there is a peak in demand. To add an
alert:
1. In the list of counters below the monitoring chart, select the counter that interests you.
3. In the NAME text box, type a descriptive name for the alert and then click NEXT.
4. In the CONDITION drop-down list, select a condition such as greater than or less than.
5. In the THRESHOLD text box, type the value that should trigger the alert.
6. In the ALERT EVALUATION WINDOWS drop-down list, select the time period over which the counter must exceed the threshold to trigger the alert.
7. Under ACTIONS, select Send an email to the service administrator and co-administrators.
8. Click Complete.
Enabling Logging
In addition to monitoring, you can also create activity logs for each of the storage types that you use in
your storage account. These are diagnostic logs that record read, write, and delete operations. You can
use these logs to examine storage operations in detail and diagnose poor performance, malicious attacks,
and other problems.
These are held, by default, in a blob container named $logs in your storage account, at http://<accountname>.blob.core.windows.net/$logs.
This store can be interrogated in Visual Studio.
For more information on logging, see:
• Review Collecting Logging Data by Using Azure Diagnostics: http://go.microsoft.com/fwlink/?LinkID=511748
• View Diagnostic Data Stored in Azure Storage: http://go.microsoft.com/fwlink/?LinkID=511749
To enable logging for a storage account, take the following steps:
1. In the full portal, in the navigation on the left, click Storage and then click the storage account you want to configure.
2. Click the CONFIGURE tab, and then scroll down to the Logging section.
3. For each storage type, select Read Requests, Write Requests, or Delete Requests. You can use the check boxes to select more than one type.
4. For each storage type, in the Retention text box, enter a number of days to retain logged data.
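The monitoring levels and the logging settings described in the two procedures above can also be set with Azure PowerShell cmdlets, as the lesson notes. The following added example (not the course's own script) turns on verbose metrics and read/write/delete logging for the Blob, Table and Queue services with a retention policy, reads the settings back, and lists the newest blobs in the $logs container; the account name and the 30-day retention are constructed values.

```powershell
# Added example, not the course's script. Account name and retention period are constructed values.
$storageAccountName = "<your_storage_account>"
$retentionDays      = 30     # the portal accepts 1 to 365

$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$context    = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageKey

foreach ($service in "Blob", "Table", "Queue") {
    # MetricsLevel maps to the portal's levels: None = Off, Service = Minimal, ServiceAndApi = Verbose
    Set-AzureStorageServiceMetricsProperty -ServiceType $service -MetricsType Hour `
        -MetricsLevel ServiceAndApi -RetentionDays $retentionDays -Context $context

    # Log read, write and delete requests; these records are what later land in the $logs container
    Set-AzureStorageServiceLoggingProperty -ServiceType $service `
        -LoggingOperations Read, Write, Delete -RetentionDays $retentionDays -Context $context
}

# Read the settings back so the change is verified (and auditable) rather than assumed
foreach ($service in "Blob", "Table", "Queue") {
    $logging = Get-AzureStorageServiceLoggingProperty -ServiceType $service -Context $context
    $metrics = Get-AzureStorageServiceMetricsProperty -ServiceType $service -MetricsType Hour -Context $context
    [pscustomobject]@{
        Service          = $service
        LoggedOperations = $logging.LoggingOperations
        LogRetention     = $logging.RetentionDays
        MetricsLevel     = $metrics.MetricsLevel
        MetricRetention  = $metrics.RetentionDays
    }
}

# Show the ten newest log blobs. Single quotes matter: in double quotes PowerShell would expand $logs
# as a variable. The container is created by the service once the first log is written, so a brand-new
# account may return nothing here yet.
Get-AzureStorageBlob -Container '$logs' -Context $context -ErrorAction SilentlyContinue |
    Sort-Object LastModified -Descending |
    Select-Object -First 10 Name, Length, LastModified
```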
Demonstration Steps
Configure Monitoring and Logging
1. Start Internet Explorer and browse to https://portal.azure.com. When prompted, sign in using the credentials for the Microsoft account associated with your Azure subscription.
3. In the Storage blade, click the storage account you created in the previous demonstration.
4. Maximize the blade for your storage account. Then click the TotalRequests today tile. Then in the Metric blade, click DIAGNOSTICS.
5. In the Diagnostics blade, under STATUS, click ON. Then select all available check boxes and click OK.
6. On the Metric blade, note the areas where charts and tables of monitoring data will be displayed. No data is available yet, but it will be collected and displayed here after a period of time.

1. In the blade for your storage account, click the Events in the past week tile.
2. The Events blade is used to summarize operations that have occurred for the storage account; if there are any events listed, click one and view its Detail blade.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account. The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Backup Vault; this can either be manually deleted or you can leave it in place as it does not affect subsequent labs.

Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Configuring Site Recovery is a complex task that requires forward planning to ensure success, particularly for on-premises to on-premises scenarios, which involve System Center VMM administration. Administrators must complete the following tasks to set up Site Recovery:
1. Plan the System Center VMM infrastructure (if required). The System Center administrators must set up the on-premises VMM clouds and, for on-premises to on-premises failover that includes a Hyper-V cluster with a static IP address, set up the Hyper-V Replica Broker role.
2. Create an Azure Site Recovery Vault. In the Azure full portal, when you create the vault, Azure generates a registration key, which the Site Recovery provider will use to authenticate.
3. Deploy the Azure Site Recovery Provider. This provider is a key component that you must install on either every VMM server or every Hyper-V host that you want to protect.
4. Deploy the Azure Site Recovery Services Agent. You must install this agent on every Hyper-V host server that runs virtual machines that you want to protect.
5. Configure network mapping. Network mapping ensures that virtual machines do not lose connectivity to each other and to clients after failover. In VMM, System Center administrators must set up logical networks and VM networks correctly. If you want to fail over to Azure virtual machines, you must also configure an Azure virtual network.
6. Configure storage mapping. Storage mapping enables administrators to control where virtual machine hard disks are stored after failover takes place. For on-premises to Azure protection, you must specify an Azure geo-replicated storage account in the same region and subscription as the Site Recovery service.
7. Enable protection for virtual machines. System Center administrators must enable and configure protection for the VMM cloud.
Backup Vault
You can use Backup Vaults to protect server data off-site with automated backups to Azure. The
maximum retention time for production data using Azure Backup is 30 days, and the maximum size of a
single backup from a specific volume is 850 GB. If you wish to retain data for longer than 30 days, you
should use System Center 2012 Data Protection Manager with Azure Backup, and this will provide up to
120 days retention of Azure protected data.
Note: Update Rollup 3 (UR3) for System Center 2012 R2 Data Protection Manager, and the
updated Microsoft Azure Backup, provide long term retention for Azure cloud backups. The
maximum retention with these tools is now 3360 days (over nine years).
The administrator can manage cloud backups from the backup tools in:
4. Configure the backup agent to use the vault credential, and register the server with Azure Backup.
5. Configure a backup job in the usual management tool on the protected server.

You will complete these configuration tasks in the lab. For full details of the process, see:
• Configure Azure Backup to quickly and easily back up Windows Server: http://go.microsoft.com/fwlink/?LinkID=522645
The IT department at A. Datum uses an asset management application to track IT assets, such as computer hardware and peripherals. The application stores images of asset types and invoices for purchases of specific assets. As part of A. Datum's evaluation of Microsoft Azure, you need to test Azure storage features as part of your plan to migrate the storage of these images and invoice documents to Azure.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 Minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
Note: The new Azure portal is in preview, and occasionally the user interface may fail to refresh
automatically. If this happens, refresh the page in Internet Explorer.
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the Preparing the Environment demonstration has completed.
2. Use Internet Explorer to sign into the new Azure portal at https://portal.azure.com using your Microsoft Account.
4. After the storage account has been created, add a container named asset-images with private access.
1. Download and install AzCopy from http://aka.ms/AzCopy. Note that this page also includes documentation and examples for using AzCopy.
2. Add the installation path for AzCopy (C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy) to the Path system variable.
3. Test the installation by running the following command in a command prompt window:
   AzCopy /?

1. In the new Azure portal, view the keys for your storage account. Note that you can copy access keys to the clipboard.
2. In a command prompt, use AzCopy to copy all of the .png files in the D:\Labfiles\Lab06\Starter\asset-images folder to the asset-images container in your storage account.
Results: At the end of this exercise, you will have a new Azure storage account with a container named
asset-images.
A. Datum currently stores invoices for IT assets in Microsoft Word format in a local folder. As part of your
evaluation of Microsoft Azure, you want to test the uploading of these files to a file share in your Azure
storage account to make it easier to access them from virtual machines in Azure.
The main tasks for this exercise are as follows:
1. Create a File Share and Upload Files
2. Access a File Share from a Virtual Machine
Use the Windows PowerShell Interactive Scripting Environment (ISE) to create a PowerShell script that performs the following tasks:
• Uses the Get-AzureStorageKey cmdlet to retrieve the access key for your storage account.
• Uses the New-AzureStorageContext cmdlet to create a storage context that connects to your storage account using the access key.
• Uses the New-AzureStorageDirectory cmdlet to create a folder named invoices in the file share.
Note: You can edit FileShare.ps1 in the D:\Labfiles\Lab06\Starter folder if you prefer not to write the
script from scratch.
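As an added example (not the course's FileShare.ps1), here is a script that does what the task list above describes. The share name assets and the folder name invoices come from this exercise, the account name is a placeholder, and creating the share with New-AzureStorageShare and uploading the documents with Set-AzureStorageFileContent are my additions, since the list names only the folder cmdlet.

```powershell
# Added example, not the course's FileShare.ps1. Account name is a placeholder; share and folder names
# come from the exercise. Creating the share and uploading the files are additions to the described steps.
$storageAccountName = "<your_storage_account>"
$shareName    = "assets"
$folderName   = "invoices"
$sourceFolder = "D:\Labfiles\Lab06\Starter\invoices"

$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$context    = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageKey

# Create the share only if it does not exist yet, so the script can be re-run safely
if (-not (Get-AzureStorageShare -Name $shareName -Context $context -ErrorAction SilentlyContinue)) {
    New-AzureStorageShare -Name $shareName -Context $context | Out-Null
    Write-Output "Created share $shareName"
}

# Likewise for the invoices folder inside the share
if (-not (Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $context -ErrorAction SilentlyContinue)) {
    New-AzureStorageDirectory -ShareName $shareName -Path $folderName -Context $context | Out-Null
    Write-Output "Created folder $folderName"
}

# Upload each invoice document into the folder; -Force overwrites a file of the same name
Get-ChildItem -Path $sourceFolder -File | ForEach-Object {
    Set-AzureStorageFileContent -ShareName $shareName -Source $_.FullName `
        -Path "$folderName/$($_.Name)" -Context $context -Force
    Write-Output "Uploaded $($_.Name) to \\$storageAccountName.file.core.windows.net\$shareName\$folderName"
}

# List the folder contents; this is what "dir z:\invoices" shows once the share is mapped on AdatumSvr1
Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $context |
    Get-AzureStorageFile | Select-Object Name
```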
1. Connect to the AdatumSvr1 virtual machine in your Azure subscription using the following credentials (this was created by the setup script you ran earlier in the module):
   • Password: Pa$$w0rd123
2. In the remote desktop session to AdatumSvr1, turn off IE Enhanced Security Configuration for administrators, and use Internet Explorer to sign in to the Azure portal and copy the primary access key for your storage account to the clipboard.
3. In an administrative command prompt window, type the following command to map a network drive to the assets file share in Azure storage. Replace both instances of storage_account with the name of your storage account and paste your access key in place of access_key (to paste into a command prompt window, click the control box at the top left of the window, point to Edit, and click Paste):
   net use z: \\storage_account.file.core.windows.net\assets /u:storage_account access_key
4. In the command prompt window, enter the following command to view the contents of the invoices folder in the Z: drive (which is now mapped to the assets file share you created in the previous task):
   dir z:\invoices
6. Sign out of the AdatumSvr1 virtual machine to end the remote desktop session.
Results: At the end of this exercise, you will have a file share named assets that contains a folder named
invoices. This folder will contain three invoice documents and be accessible from the AdatumSvr1 virtual
machine.
A. Datum currently uses an on-premises backup solution. As part of your evaluation of Microsoft Azure,
you want to test the protection of on-premises master copies of your image files and invoices by backing
them up to the cloud. To accomplish this, you intend to use Azure Backup.
The main tasks for this exercise are as follows:
1. Create a Backup Vault
2. Create a Certificate
3. Install and Configure a Backup Agent
4. Create a Backup Schedule
5. Run a Backup
6. Reset the Environment
2. In the full Azure Management Portal, click Recovery Services, then click your new backup vault.

2. On the backup vault Quick Start page, click Download vault credentials.
3. Download and install the Azure backup agent for Windows Server and System Center - Data Protection Manager.

3. Use the desktop shortcut that has been created to start Microsoft Azure Backup, and register the server using the vault credentials you downloaded earlier.
4. Use Microsoft Azure Backup to schedule a weekly backup, to run at 9:30 on Sunday, of the following folders:
   • D:\Labfiles\Lab06\Starter\asset-images
   • D:\Labfiles\Lab06\Starter\invoices

2. In the full Azure management portal, verify that the MIA-CL1 server has been registered, and note the newest recovery point for the protected items (which should include files and folders on D:\).

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account. The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Backup Vault; this can either be manually deleted or you can leave it in place as it does not affect subsequent labs.

Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise you will have an Azure backup vault in your subscription, created
Backup Vault Credentials, and installed the Azure backup agent on 20533B-MIA-CL1. You will have
backed up the contents of the asset-images and invoices folders to the backup vault.
Question: The asset management application stores images of hardware components as
blobs and invoices as files. If the application needed to also store the location of each asset
using a unique asset number and a text description of the location, what storage options
should you consider?
• Choose the most appropriate storage type based on your application requirements and the format of the data to be stored.
• Co-locate storage accounts and the services that use them in the same region or affinity group.
• When storing blobs, use block blobs for large objects that you want to upload or stream, and use page blobs when the application will read and write data using random access semantics.
Review Question(s)
Question: Why should you co-locate storage accounts and the Azure services that use them?
Module 7
Planning and Implementing Data Services
Module Overview
Microsoft Azure includes a range of services that you can use to manage data. In particular, Microsoft
Azure SQL Database provides a relational database management service based on Microsoft SQL Server,
which you can use to implement a relational data store for applications without having to take on the
responsibility of managing SQL Server itself or the operating system that supports it. In this module, you
will learn about the available options for data storage and analysis, and how to provision, configure, and
manage Azure SQL Database.
Objectives
After completing this module, you will be able to:
Lesson 1
Microsoft Azure provides multiple services that you can use to store, manage, and analyze data. The
appropriate service to use depends on the specific data management requirements of the applications
your Azure infrastructure must support. This lesson discusses the various data services that are available in
Microsoft Azure, and describes considerations for choosing a data storage solution.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe how Azure data services can be used to support compute services and app services in applications.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a database with sample data on the local SQL Server, and then removes the
Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.

1. In Internet Explorer, at the top right of the Azure portal page, click your Microsoft account name and click View my bill.
3. Click try it now for the following preview feature, and activate it for your subscription:

Note: Preview features are constantly changing. If either of these features is unavailable, continue to the next step.

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. At the prompt, type the module number, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account. The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at the end of this module. At the end of setup, you should have a new database on your local machine. There should be no objects in your Azure subscription except the default directory.
on Virtual Machines (VMs). This arrangement provides a very familiar environment for Database
Administrators (DBAs) but, because VMs are an Infrastructure as a Service (IaaS) offering, you are
responsible for managing and maintaining all the underlying software, including the operating system
and database management software. You must also take responsibility for maintaining fault tolerance and
scaling.
Microsoft has included the SQL Database service within Azure. This is a Platform as a Service (PaaS)
offering that frees you from patching and maintaining operating systems and database management
software. It also includes built-in features for fault tolerance and scalability. In this module, you will learn
in detail about SQL Database and how to set up databases to support your applications.
The Azure Storage service provides an alternative location for data storage. For example, for storing files,
you can use blob storage. Many web applications, for example, use a database for structured data, such as
product details, but keep images outside of the database in blobs. This arrangement may result in better
performance.
The Azure Storage service also includes table storage. Tables are similar to databases in that they store
structured data in rows but they do not have a rigid schema for each table. This means each row in the
table can have different columns. For example, in a Products table, a bicycle product may include a
column for frame size that a bicycle pedal product does not include. This is often termed semi-structured
data.
• Cache. Azure cache services enable application developers to cache application data for faster data access and improved application performance. Application developers can choose from caching solutions based on the AppFabric cache engine and open source Redis Cache technologies.
• Azure SQL Database. Azure SQL Database is a PaaS solution (sometimes referred to as a Database-as-a-Service solution) that provides a relational data storage solution based on Microsoft SQL Server technologies.
• Virtual Machines. You can create Azure virtual machines that host a relational database management system (RDBMS) such as SQL Server, Oracle, and MySQL, creating an IaaS solution for relational data storage.
• Machine Learning. Azure Machine Learning uses statistical algorithms to train predictive models, which you can use to apply data mining techniques to data sets or individual records and predict unknown values.
• StorSimple. Azure StorSimple is a hybrid storage management solution that enables enterprises to provide centralized access to data that is stored across on-premises storage devices and Azure.
• Backup. Azure backup vaults provide an effective off-site backup solution for enterprise data.
• Site Recovery. Azure Site Recovery services provide a site-to-site or on-premises-to-Azure failover solution for virtual machines hosted in Microsoft System Center Virtual Machine Management clouds.
Unsupported Features
Azure SQL Database supports many of the same objects as SQL Server, and database developers can
create and manage tables, views, and stored procedures using familiar Transact-SQL syntax. You can
implement most common database workloads in Azure SQL Database, but be aware that SQL Database
does not support some SQL Server features, including:
• SQLCLR
• Service broker
• Trace flags
Additionally, some other features of SQL Server have limited support in Azure SQL Database.
Database Isolation
A key principle on which Azure SQL Database is based, is strict isolation of databases. In a SQL Server
instance, applications can open a connection to one database, and then change the database context (by
using the USE statement) or reference objects in a different database. In Azure SQL Database, access is
restricted to the database to which the connection was initially made. Applications cannot change
database context without opening a new connection.
Although Azure SQL Database eliminates or simplifies many of the configuration and management tasks
required to maintain a relational database, administrators still need to create databases, manage security,
and recover databases in the event of a disaster. However, there are some key distinctions between how
you perform some of these tasks in a SQL Database environment and how you carry them out in SQL
Server. The following table summarizes these differences:
Operations task | SQL Server | SQL Database
Creating databases | |
Configuring security | |

Operations task (continued) | SQL Server | SQL Database
SQL Server: requirements. Additionally, SQL Server supports a range of high-availability solutions, including failover clustering, database mirroring, and log shipping.
SQL Database: can rely on the built-in automated backup functionality discussed later in this module. Azure SQL Database stores data in redundant storage within the Azure data center, reducing the likelihood of failure. Additionally, Standard and Premium SQL Databases are automatically replicated to geo-redundant storage on a frequent basis, enabling you to restore a database to a specific point in time up to the most recent backup, even if the database has been deleted.
Reference Links: For more information about supported features in Azure SQL Database,
see the article Azure SQL Database Transact-SQL Support in the Azure documentation, on the
MSDN website at
http://go.microsoft.com/fwlink/?LinkID=511756.
Lesson 2
Azure SQL Database is a cloud-based SQL service that provides subscribers with a highly scalable platform
for hosting their databases. By using Azure SQL Database, organizations can avoid the cost and
complexity of managing on-site SQL Server installations, and quickly set up and start using database
applications.
In this lesson, you will learn about the key features of Azure SQL Database and how to provision and
manage databases in Azure SQL Database.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe tools with which you can manage databases in Azure SQL Database.
• Connect SQL Server Management Studio to Azure SQL Database and use it to manage databases.
Beyond the relational database engine provided by SQL Database, it is necessary to understand the model
behind the Azure platform, so you can set up your own account, provision a server, and create databases.
There is a relationship between four core objects in SQL Database: the subscription, the resource group, the server, and the database. The following table describes these objects:
• Azure Subscription
• Resource Group. Resource groups are conceptual containers in which you can group related Azure resources to aid manageability. You can create your SQL Database resources in a single resource group, along with other related resources, such as Azure web applications, that use a SQL Database to store data. An Azure subscription can contain multiple resource groups.
• SQL Database Server. SQL Database servers are logical servers that host SQL Databases. Each SQL Database server has a Domain Name System (DNS) name, administrator accounts, and firewall rules. SQL Database servers may host zero or more user databases in addition to the master system database that is used to store server configuration data. You can choose to organize SQL Database servers into resource groups to help administrators manage them. Multiple database servers can be placed into each resource group.
• SQL Database
Creating a Database
When you create a database, you must specify the following information:
• The server on which to create the database. You can select an existing server that you have previously created in the same subscription, or create a new server.
• The resource group in which the database and its server should be created (if an existing server is selected, the database is automatically added to the existing resource group to which the server belongs).
Note: A Database Transfer Unit (DTU) is a measure of the capacity of a database tier or
server. It depends on the CPU resources, memory, read operations, and write operations available
to the tier. A database tier with five DTUs has approximately five times the capacity of a tier with
1 DTU. Each Azure SQL Database server supports a maximum of 1600 DTUs spread across
databases in different tiers.
Creating a Server
You can create a server either as part of the process of creating a database, or on its own. In scenarios
where you are producing new databases for applications, you typically create the server as part of the
process of creating the first database. However, in some cases, you might want to create the server
without any user databases, and then add databases to it later; for example, by migrating them from an
on-premises SQL Server instance.
Each SQL Database server must have a globally unique name. The fully qualified name of the server is in
the form <server_name>.database.windows.net; for example, abcd1234.database.windows.net.
When you create a server, you must specify the following information:
• A globally unique server name (when using the full portal, this is generated automatically).
• A login name and password for the administrative account that you will use to manage the server.
• The geographical region where the Azure data center hosting the server should be located.
• Whether or not to allow other Azure services to connect to the server. Enabling access from Azure creates a firewall rule that permits access from the IP address 0.0.0.0.
Note: After you have created a server, you must configure its settings to enable remote
network access based on IP address. Firewall rules are discussed in more depth later in this
module.
SQL Server Management Studio. You can use SQL Server Management Studio (SSMS) to connect to
an Azure SQL Database Server and manage it in a similar way to SQL Server instances. The ability to
manage SQL Server instances and SQL Database servers by using the same tool is useful in hybrid IT
environments. However, many of the graphical designers in SSMS are not compatible with SQL
Database, so you must perform most tasks by executing Transact-SQL statements.
SQLCMD. You can use the SQLCMD command-line tool to connect to Azure SQL Database servers
and execute Transact-SQL commands.
Visual Studio. Developers can use Visual Studio to create databases and deploy them directly to
Azure SQL Database.
Export a data-tier application (DAC) from SQL Server and import it into Azure SQL Database. A DAC
can be exported as a .dacpac file (a database snapshot file) or as a .bacpac file (a logical backup file).
Of these two techniques, using a DAC is the simplest way to ensure the correct migration of the database
and all its server-level dependencies. You can export and import the DAC by using the tools in SSMS and
the Azure SQL Database management portal, or you can use a wizard in SSMS to automate the entire
process.
The Export Data-Tier Application wizard in SSMS enables you to specify an Azure Storage account as the
destination for an exported package. The Import Data-Tier Application wizard enables you to specify an
Azure Storage account as the source for a package that you want to import. This makes it easy to migrate
a database from SQL Server to Azure SQL Database in two stages, using Azure Storage as an intermediary
storage location for the DAC package.
Alternatively, you can use the Deploy Database wizard to export a SQL Server database as a DAC package
and import it into an Azure SQL database server in a single operation.
Note: Whichever technique you use to deploy a SQL Server database to Azure SQL
Database, you will need to resolve any compatibility issues before migration, and reconfigure
security for the database after migration. Although DAC packages include logins and maintain
mappings to database users, the migration operation does not include passwords; you must reset
these after the migration completes. Additionally, if the source database uses Windows
authentication, you may need to create new logins and users in Azure SQL Database because SQL
Database does not support Windows authentication.
Demonstration Steps
Create an Azure SQL Database
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and
that the setup script you ran in the previous demonstration to prepare the environment has
completed.
2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3. At the top right, click your Microsoft account name and click Switch to new portal.
4. In the Hub menu on the left, click New, and then click SQL Database.
5.
6.
7.
8. Click SERVER, and then in the Server blade, click Create a new server.
9. In the New server blade, enter the following settings and click OK:
o PASSWORD: Pa$$w0rd
10. In the SQL database blade, click RESOURCE GROUP, and then in the Resource group blade, click
Create a new resource group.
11. In the Create resource group blade, in the NAME box, type DemoRG and click OK.
12. In the SQL database blade, ensure that Add to Startboard is selected and click Create. Then wait for
the SQL Database to be created.
Configure Firewall Settings
1. In Internet Explorer, switch to the tab containing the full Azure portal.
2. In the service pane on the left, click SQL DATABASES and verify that the demodb database you
created in the new portal is listed. If not, refresh the page in Internet Explorer.
3. On the sql databases page, click SERVERS, and verify that the uniquely named server you created in
the previous task is listed.
4.
5. Note the CURRENT CLIENT IP ADDRESS, and click the ADD TO THE ALLOWED IP ADDRESSES
icon. Change the START IP ADDRESS to XXX.XXX.0.0, and the END IP ADDRESS to
XXX.XXX.255.255, leaving XXX as it is (where XXX.XXX is the first two fields of Current Client IP
address), and then at the bottom of the page, click SAVE.
1. Start SQL Server 2014 Management Studio, and in the Connect to Server dialog box, specify the
following settings (replacing server name with the unique name you specified when creating your
SQL Database server), and click Connect:
o Login: Instructor
o Password: Pa$$w0rd
2. In SQL Server Management Studio, in Object Explorer, under the server name, expand Databases and
verify that the demodb database is listed.
3. Expand the demodb database and then right-click its Tables folder, point to New, and click Table.
Note that this opens a Transact-SQL template that you can use to create a table; there are no
graphical tools in SQL Server Management Studio for creating Azure SQL Database objects.
4. Replace the Transact-SQL code in the template with the following code:
CREATE TABLE dbo.demotable
(
id integer identity primary key,
dataval nvarchar(50)
);
GO
5. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.
6. In Object Explorer, expand the Tables folder and verify that dbo.demotable is listed (if not, right-click
Tables and click Refresh).
7. Click New Query and enter the following Transact-SQL code in the new query pane. This code inserts
100 rows containing automatically generated globally unique identifier (GUID) values into the table:
INSERT INTO dbo.demotable
VALUES
(newid());
GO 100
8. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.
9. In Object Explorer, right-click dbo.demotable, point to Script Table as, point to SELECT To, and
click New Query Editor Window. This generates a Transact-SQL query that retrieves data from the
table.
10. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.
11. View the query results and verify that a table of id and dataval values is returned.
12. Keep SQL Server Management Studio and Internet Explorer open for the next demonstration.
1.
2. Double-click DemoClientApp.exe to run it, wait for a few seconds, and note that the application
displays an error indicating that it cannot open a database connection. Then press Enter to end the
application.
3. Double-click DemoClientApp.exe.config.
4. In the How do you want to open this type of file (.config)? dialog box, click Microsoft Visual
Studio 2013 to open the configuration file in Visual Studio, and note the value of the
connectionString attribute for the demoConnectionString setting. This must be modified to
reference the demodb database in your Azure SQL Database server.
5. In Internet Explorer, on the tab containing the new Azure portal, if the demodb SQL Database blade
is not open, in the Startboard, click the tile for the demodb SQL Database (which was pinned to the
Startboard when you created it).
6. In the demodb SQL Database blade, click Properties, and view the properties of the demodb
database.
7.
8. On the Database connection strings blade, click the Click to copy icon for the ADO.NET
connection string. If prompted, click Allow access.
9. In Visual Studio, replace the existing connection string with the one you copied from the Azure portal.
Then in the copied connection string, change the Password parameter to Pa$$w0rd. The new
connectionString value should look similar to this:
Server=tcp:server_name.database.windows.net,1433;Database=demodb;User ID=Instructor@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
11. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe to run it, and note that it now
connects successfully to the database and displays the data values from the dbo.demotable table.
Then press Enter to end the application.
Lesson 3
Azure SQL Database provides a highly secure platform for subscribers' databases. However, whilst the
principles of security for Azure SQL Database will be familiar to users of SQL Server, there are some
differences between the two. In this lesson, you will learn about the security model in Azure SQL
Database, and how to manage firewall rules, logins, users, roles, and permissions.
Lesson Objectives
After completing this lesson, you will be able to:
To restrict access from specific devices or networks, SQL Database uses a firewall, which by default allows
no external connections. When you create a server, you can optionally grant access from other Azure
services, which are identified by the IP address 0.0.0.0. In the Azure management portal, you can enable
access from the current IP address of the client device being used to access the portal. You can also
specify one or more ranges of IP addresses that should be permitted to access the SQL Database server.
Logins
In a similar way to SQL Server, Azure SQL Database uses logins at the server level to authenticate user
requests. SQL Database does not support Windows integrated authentication, so all logins consist of a
login name and password. Logins are defined in the master database.
Azure SQL Database provides the following two database roles in the master database, to which you can
assign users, in order to grant them server-level permissions:
Note that this architecture is different from that of SQL Server. A SQL Database server is a logical entity that
contains only databases, including the master database. To assign server-level management privileges to
a login, you must create a user for that login in the master database, and then add the user (not the
login) to the role.
At the database level, SQL Database provides an additional layer of firewall protection, as well as the same
security principals as SQL Server.
As well as restricting access to the SQL Database server based on client IP address, you can define
additional firewall rules for individual databases. This enables you to host multiple databases on the same
server while restricting access to each database, based on different ranges of IP address.
Users
Like SQL Server, SQL Database requires that logins be mapped to a user in each database to which they
require access. The system administrator login you create when first provisioning the server is
automatically mapped to the dbo user in all databases.
Database Roles
SQL Database provides the same database roles that you would find in a database in a SQL Server 2014
instance:
db_datareader. This role can read all data from all user tables in the database.
db_datawriter. This role can write data in all user tables in the database.
db_ddladmin. This role can create and manage objects in the database.
db_denydatareader. This role cannot read data from any table in the database.
db_denydatawriter. This role cannot write data in any table in the database.
db_owner. This role can perform all configuration and management tasks in the database.
At the schema and object level, SQL Database uses the same permissions-based authorization model as
SQL Server. You can use GRANT, REVOKE, and DENY statements to assign permissions on database
objects to users and roles in the database.
Allow the current client IP address. This option provides a quick way to add a range of allowed IP
addresses that includes only the public facing IP address presented in requests from the computer or
device from which you are currently accessing the Azure management portal. If you are connected
directly to the Internet, this will be the Internet-facing IP address of your computer. More commonly,
it is the Internet-facing IP address of the edge device that connects your local network to the Internet.
Specify one or more explicit ranges of allowed addresses. Each range consists of a unique name, a
starting IP address, and an ending IP address.
You can also manage server firewall rules programmatically through a representational state transfer
(REST) application programming interface (API) or by using the sp_set_firewall_rule and
sp_delete_firewall_rule system stored procedures in the master database. You can view server firewall
settings by querying the sys.firewall_rules system view in the master database.
To manage database firewall rules, you can use the sp_set_database_firewall_rule and
sp_delete_database_firewall_rule system stored procedures in the database to which the firewall rule
applies. You can also use the Azure REST API or PowerShell to manage these.
You can view the database firewall rules in a specific database by querying its
sys.database_firewall_rules system view.
Note: Firewalls can make troubleshooting connectivity issues difficult, so you should always
start by using the sys.firewall_rules and sys.database_firewall_rules views to determine exactly
what IP addresses have been granted access in Azure. Note that firewall rules can take several
minutes to become active. If the correct ranges have been granted access, check your local
firewall configuration and IP address. Your local firewall must permit outbound TCP connections
to port 1433. If your client device uses dynamic IP settings, you must verify that the current IP
address is included in one of the ranges defined in Azure SQL Database. Note that network
address translation (NAT) can cause the IP address detected by the Azure SQL Database firewalls
to differ from the one shown in your local IP settings.
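The following Transact-SQL script is an added example, not part of the course text, that exercises the firewall procedures and views just described. The rule names (OfficeEdge, AppSubnet) and the address ranges (203.0.113.0/24 and 198.51.100.0/24, which are documentation ranges) are constructed placeholders. The server-level statements must be run while connected to the master database and the database-level statements while connected to the user database, because Azure SQL Database does not support USE to switch databases within a connection.

```sql
-- Added example (not from the course text). Rule names and IP ranges are placeholders.
-- Part 1: run these statements while connected to the master database.

-- Create (or update, if a rule of that name already exists) a server-level rule that
-- admits only the corporate edge address range rather than a whole /16.
EXEC sp_set_firewall_rule
    @name             = N'OfficeEdge',
    @start_ip_address = '203.0.113.0',
    @end_ip_address   = '203.0.113.255';

-- Review every server-level rule. The pair 0.0.0.0 - 0.0.0.0 is the "allow Azure
-- services" rule created when the server was provisioned with that option enabled.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.firewall_rules
ORDER BY name;

-- Flag rules that span more than a /16 (the first two octets differ between the start
-- and end address). A 0.0.0.0 - 255.255.255.255 rule, like the demonstration's
-- 'All Internet' rule, appears here and should be reviewed before production use.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
WHERE PARSENAME(start_ip_address, 4) <> PARSENAME(end_ip_address, 4)
   OR PARSENAME(start_ip_address, 3) <> PARSENAME(end_ip_address, 3);

-- Remove a server-level rule by name once it is no longer needed.
EXEC sp_delete_firewall_rule @name = N'OfficeEdge';

-- Part 2: run these statements while connected to the user database (for example demodb).

-- A database-level rule admits the application subnet to this database only; it does
-- not open the master database or any other database hosted on the same server.
EXEC sp_set_database_firewall_rule
    @name             = N'AppSubnet',
    @start_ip_address = '198.51.100.0',
    @end_ip_address   = '198.51.100.255';

-- When troubleshooting a refused connection, compare the client's public address as
-- seen by Azure (after any NAT) against both this view and sys.firewall_rules in master
-- before changing local firewall or IP settings.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.database_firewall_rules
ORDER BY name;

-- Remove the database-level rule by name.
EXEC sp_delete_database_firewall_rule @name = N'AppSubnet';
```

The broad-range check uses PARSENAME, which splits a dotted string into up to four parts; it is a convenient way to compare octets without writing IP arithmetic, and it treats the 0.0.0.0 - 0.0.0.0 Azure-services rule as narrow, as intended.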
Managing Logins
To create a login, connect to the master database and use the CREATE LOGIN Transact-SQL statement,
specifying a name and password for the login.
The following code sample shows how to create a login named MyLogin with the password Pa$$w0rd:
Creating a Login
CREATE LOGIN MyLogin
WITH PASSWORD = 'Pa$$w0rd';
After you have created a login, you can change the password by using the ALTER LOGIN statement and
delete the login by using the DROP LOGIN statement.
When connecting to Azure SQL Database, client applications must use SQL Server authentication and
specify the login name and password in the connection string used to establish the connection. When
specifying the login name, you should use the syntax <login_name>@<server_name>. For example, if
your SQL database server is named abcd1234, and your login is named MyLogin, your connection string
should specify the login as MyLogin@abcd1234.
Managing Users
Users are the mechanism by which logins are granted access to databases. To create a user, connect to the
database to which you want to grant access and use the CREATE USER Transact-SQL statement, specifying
the associated login.
The following code sample shows how to create a user named MyUser for the MyLogin login created
previously in this topic:
Creating a User
CREATE USER MyUser
FROM LOGIN MyLogin;
After you have created a user, you can delete it by using the DROP USER statement.
To add a user in the master database to a role with server-level permissions, use the sp_addrolemember
system stored procedure as shown in this example:
Adding a User in the Master Database to a Role with Server-Level Permissions
EXEC sp_addrolemember 'dbmanager', 'MyUser';
At the database level, administrative permissions are encapsulated in database roles defined in each
database, to which you can add users.
To add a user to a database role, use the sp_addrolemember system stored procedure in the appropriate
database as shown in this example:
Adding a User to a Database Role
EXEC sp_addrolemember 'db_datareader', 'MyUser';
Note: The ALTER SERVER ROLE and ALTER ROLE statements are not supported in Azure
SQL Database. You must use the sp_addrolemember system stored procedure to add users to
server roles (in the master database only) and database roles (in all databases).
Managing Permissions
You can use GRANT, REVOKE, and DENY statements to assign explicit permissions that enable users to
perform specific tasks or access particular database objects. In general, the simplest approach to designing
database security is to use role membership to define the base set of permissions that are required, and
only use explicit permissions to extend or override permissions inherited from role membership.
The following example shows how to deny SELECT permission on a specific table, even if the user has
been granted permission through membership of the db_datareader role:
Managing Permissions
DENY SELECT ON dbo.MyTable TO MyUser;
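The script below is an added example, not taken from the course text, that puts the login, user, role membership, and DENY statements from this lesson together into a least-privilege setup for a read-only reporting account and then verifies the effective permissions. The names ReportLogin, ReportUser, dbo.Orders, dbo.PayrollTable and the password are constructed placeholders. The CREATE LOGIN statement runs while connected to the master database; everything after it runs while connected to the user database.

```sql
-- Added example (not from the course text). All names and the password are placeholders.

-- Step 1 (connected to master): create the server-level login. The password is a
-- string literal and must satisfy the password complexity policy.
CREATE LOGIN ReportLogin WITH PASSWORD = 'Placeh0lder!Pass';

-- Step 2 (connected to the user database): sample tables, created here only so the
-- script is self-contained.
CREATE TABLE dbo.Orders       (id int identity primary key, amount money);
CREATE TABLE dbo.PayrollTable (id int identity primary key, salary money);

-- Map the login to a database user and grant read access through a fixed database
-- role (ALTER ROLE is not supported here, so sp_addrolemember is used).
CREATE USER ReportUser FOR LOGIN ReportLogin WITH DEFAULT_SCHEMA = dbo;
EXEC sp_addrolemember 'db_datareader', 'ReportUser';

-- Step 3: an explicit DENY overrides the SELECT permission inherited from
-- db_datareader on one sensitive table.
DENY SELECT ON dbo.PayrollTable TO ReportUser;

-- Step 4: verify the effective permissions by impersonating the user from the
-- administrative connection. HAS_PERMS_BY_NAME returns 1 when the permission is
-- effectively granted and 0 when it is missing or denied.
EXECUTE AS USER = 'ReportUser';
SELECT
    HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'SELECT') AS can_read_orders,
    HAS_PERMS_BY_NAME('dbo.PayrollTable', 'OBJECT', 'SELECT') AS can_read_payroll,
    HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'INSERT') AS can_insert_orders;
REVERT;

-- Step 5: role memberships and explicit permissions are recorded in catalog views,
-- which is where a later access review should look rather than in scripts.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE m.name = 'ReportUser';

SELECT state_desc, permission_name, OBJECT_NAME(major_id) AS object_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('ReportUser');
```

Expect can_read_orders to be 1 and the other two columns to be 0: the DENY wins over the role-inherited SELECT, and db_datareader never conferred INSERT. The catalog queries at the end are the same checks a reviewer runs when confirming that an account has no more access than its role membership implies.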
Manage firewalls.
Demonstration Steps
Manage Firewalls
1. Ensure that you have completed the previous demonstration in this module.
2. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the
left pane. Then on the sql database page, click SERVERS, click the name of your SQL Database
server, and view its CONFIGURE tab.
3. Note the allowed IP addresses that are currently defined for the server, and that you can enter a rule
name, start IP address, and end IP address to add rules that permit access from a range of IP
addresses. Note also that Windows Azure services are allowed to access this server.
4. In SQL Server Management Studio, in Object Explorer, under Databases, expand System Databases.
5.
6. In the query editor, enter the following Transact-SQL code, which retrieves details of server firewall
rules:
SELECT * FROM sys.firewall_rules;
7.
8. In Object Explorer, right-click the demodb database and click New Query.
9. In the query editor, enter the following Transact-SQL code, which retrieves details of database firewall
rules:
SELECT * FROM sys.database_firewall_rules;
10. Click Execute and view the results. There are currently no database firewall rules, so only clients
within the ranges allowed by the server-level firewall can connect to this database.
11. In the query editor, under the existing code, add the following Transact-SQL code:
EXEC sp_set_database_firewall_rule N'All Internet', '0.0.0.0', '255.255.255.255';
12. Select the EXEC statement you just added and click Execute.
13. Select the SELECT statement you added in step 9 and click Execute. Note that a new rule has been
added to allow access to the demodb database from any Internet-connected computer. However,
only computers with an IP address that is allowed in the server-level firewall rules will be able to
access the master database (and any other databases that are added to this server).
Note: Permitting access to a database from any Internet-connected computer is not recommended for
production databases, and is only used here as an example for demonstration purposes.
1. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server, expand
Security (ensure you expand the server-level folder, and not the database-level folder of the same
name for the demodb database).
2. Expand Logins, and note that the Instructor login you specified when creating the database server is
listed.
3. Right-click Logins and click New Login. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE LOGIN DemoLogin
WITH PASSWORD = 'Pa$$w0rd';
GO
4. In Object Explorer, right-click the Logins folder and click Refresh to verify that the DemoLogin login
has been created.
5. In Object Explorer, under the Databases folder, under the demodb database, expand Security, and
expand Users.
6. Right-click Users and click New User. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE USER DemoUser
FOR LOGIN DemoLogin
WITH DEFAULT_SCHEMA = dbo;
GO
EXEC sp_addrolemember 'db_datareader', 'DemoUser';
GO
EXEC sp_addrolemember 'db_datawriter', 'DemoUser';
GO
7. In Object Explorer, right-click the Users folder and click Refresh to verify that the DemoUser user
has been created. This user has been added to the db_datareader and db_datawriter database roles,
giving it permission to read and write to all tables and views in the database.
8. In the query editor, under the existing Transact-SQL code, add the following code:
DENY update, delete ON dbo.demotable TO DemoUser;
9. Select the DENY statement you just added and click Execute.
10. Click New Query. Then, when the new query editor window opens, click anywhere in the blank query
pane, point to Connection, and click Change Connection.
11. In the Connect to Database Engine dialog box, change the Login value to DemoLogin and in the
Password box, type Pa$$w0rd. Then click Connect and note that an error is displayed because
DemoLogin does not have a user account in the master database, and no alternative default
database was specified when you created the login.
12. Click OK on the error message. Then in the Connect to Database Engine dialog box, click Options;
on the Connection Properties tab in the Connect to database box, type demodb, and click
Connect. This time the connection succeeds because the login has a user account in the demodb
database.
13. In the query editor window, enter the following Transact-SQL code:
SELECT * FROM dbo.demotable;
14. Click Execute, and note that the query succeeds because the user has permission to read the table
through membership of the db_datareader role.
15. In the query editor window, under the existing code, enter the following Transact-SQL code:
INSERT INTO dbo.demotable
VALUES
(newid());
16. Select the INSERT statement you just typed, and click Execute. Note that the query succeeds because
the user has permission to modify the table through membership of the db_datawriter role.
17. In the query editor window, under the existing code, enter the following Transact-SQL code:
UPDATE dbo.demotable
SET dataval = newid()
WHERE id = 1;
18. Select the UPDATE statement you just typed, and click Execute. Note that an error is returned.
Although the user has permission to modify the table through membership of the db_datawriter
role, permission to update the table has been explicitly denied to the user.
19. In the query editor window, under the existing code, enter the following Transact-SQL code:
DELETE dbo.demotable
WHERE id = 1;
20. Select the DELETE statement you just typed, and click Execute. Note that an error is returned.
Although the user has permission to modify the table through membership of the db_datawriter
role, permission to delete data from the table has been explicitly denied to the user.
21. Close SQL Server Management Studio without saving any files, but keep Internet Explorer open for
the next demonstration.
Lesson 4
While Microsoft Azure SQL Database requires less ongoing maintenance than a SQL Server instance, you
should still monitor your databases to help determine usage requirements, plan upgrades, and
troubleshoot performance and security issues.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how SQL Database monitoring metrics and alerts enable administrators to profile the
performance of each server and database.
Storage utilization.
Configuring Alerts
You can configure alerts for each metric, triggering an automated e-mail notification when a metric
exceeds a specified threshold value over a specified period of time.
The ability to retrieve details of current activity is particularly useful for troubleshooting concurrency
issues, where data access tasks from one client application are blocking activity for another.
Reference Links: For details of dynamic management views supported in SQL Azure, see
System Views (Azure SQL Database) at http://go.microsoft.com/fwlink/?LinkID=511757.
Enabling Auditing
Before you can enable SQL Database auditing, you must create an Azure Storage account in which the
audit events will be stored. After you have created this, you can enable auditing for any Basic, Standard, or
Premium database in the new Azure portal, specifying the events that should be audited.
Events are only audited for client applications that use a secure connection string to connect to a SQL
Database for which auditing has been enabled. A secure connection string includes a server name in the
form <server_name>.database.secure.windows.net instead of the default
<server_name>.database.windows.net, so you must modify the connection string used by applications
that perform activities you want to audit.
You can view a summary of audit events for a database in the Azure portal. Additionally, you can export
the audit events as an Excel workbook, which enables you to analyze the events using the tools in Excel.
Demonstration Steps
View SQL Database Metrics
1. Ensure that you have completed the previous demonstrations in this module.
2. In Internet Explorer, on the tab containing the new Azure portal, if the demodb SQL Database blade
is not open, in the Startboard, click the tile for the demodb SQL Database (which was pinned to the
Startboard when you created it).
3. On the demodb SQL Database blade, note the charts displayed in the Monitoring section, which
show details of connections and storage space used.
4. Click the Storage chart. Then in the Metric blade, view the chart.
5. On the Metric blade, click ADD ALERT. Then in the Add an alert rule blade, specify the following
settings:
o RESOURCE: demodb
o THRESHOLD: 100
6. On the Add an alert rule blade, click OK to save the alert, which will notify administrators if the
database storage size exceeds 100 MB within a 15-minute period.
1. In Internet Explorer, in the new Azure portal, in the Hub menu, click New, click Everything, type
storage, and then click Storage.
2.
3. In the Storage account blade, enter the following details and click Create:
o LOCATION: the same location where you created your Azure SQL Database server
4.
5. On the startboard, click the demodb SQL Database tile (you may have to click the scrollbar). Then, on
the demodb SQL Database blade, scroll to the bottom if necessary and click Enable and setup
Auditing.
6. In the Auditing blade, click STORAGE ACCOUNT. Then on the Storage account blade, select the
storage account you just created.
7. In the Auditing blade, click CONNECTION STRINGS. Then on the Database connection strings
blade, under Security Enabled Connection Strings, click the Click to copy icon for ADO.NET. If
prompted, click Allow access.
8. In the Auditing blade, click OK. Then wait for auditing to be enabled. No audit events should have
been recorded in the last 24 hours.
9.
10. In Visual Studio, replace the existing connection string with the one you copied from the Azure portal.
Then in the copied connection string, change the Password parameter to Pa$$w0rd. The new
connectionString value should look similar to this:
Server=tcp:server_name.database.secure.windows.net,1433;Database=demodb;User ID=Instructor@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
Note: In this preview release, audit events may not be displayed immediately, so the portal may indicate
that no audit events have occurred in the last 24 hours.
14. Keep Internet Explorer open for the next demonstration.
Lesson 5
A core responsibility for database administrators and infrastructure managers is to ensure business
continuity in the event of a failure. At a simple level, this usually involves ensuring that data is backed up
on a regular basis and that backups are retained so that they can be used to restore applications in the
event of failure. Additionally, some business-critical applications may require a high-availability solution in
which a redundant copy of the database is maintained, and can be used as a failover solution in the event
of a failure.
This lesson discusses ways to ensure database recovery and failover for Azure SQL Database.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how database restoration can reduce service interruption for users.
Self-Service Restore
When you create a database in a Microsoft Azure
SQL Database server, Microsoft Azure
automatically backs up the database periodically
to a remote data center, enabling you to restore
the database to a previous state. Additionally, if
the database is accidentally deleted, you can
restore it from the latest automatic backup. The
available restore points depend on the edition of
Azure SQL Database.
Standard. Standard edition databases can be restored to a specific point in time within a seven-day
period.
Premium. Premium edition databases can be restored to a specific point in time within a 35-day period.
You can restore databases by using the Azure management portal, or by using Windows PowerShell. You
can restore an existing database to back out accidental or invalid changes to data. When you restore an
existing database, Azure creates a new database of the same service tier with a name that reflects the date
and time to which the database has been recovered. After you've verified that the recovered database
contains the required data, you can delete the original database and then use the ALTER DATABASE
statement to rename the restored database to match the original name.
When you delete an entire database, it remains listed in the portal until its retention period has expired.
You can restore deleted databases to the most recently available recovery point.
Geo-Replication
While both copy-based and automatic backups
enable you to recover data in the event of a
database, server, or data center failure, the time
taken to recover the database can result in service
interruption for business-critical applications.
Restore a database.
Configure Geo-Replication.
Demonstration Steps
Restore a Database
1. Ensure that you have completed the previous demonstrations in this module.
2. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the
left pane.
3. Select the row containing the demodb database (avoid clicking its name, as this will open its
dashboard). Then at the bottom of the page, click DELETE, and when prompted, click YES, DELETE.
4. After the database has been deleted, in the D:\Demofiles\Mod07 folder, double-click
DemoClientApp.exe to run it, note that an error is displayed, and press Enter to end the application.
5. In Internet Explorer, in the tab containing the full Azure portal, on the sql databases page, click
DELETED DATABASES.
6. Select the demodb database, and at the bottom of the page click RESTORE.
7. In the Specify restore settings dialog box, specify the following settings and click the Complete icon:
o
8. Wait for the restore operation to complete (this can take several minutes).
9. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe to run it, verify that the
application now retrieves the data values from the restored database, and press Enter to end the
application.
Configure Geo-Replication
1. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the
left pane. Then click the name of the demodb database to open its dashboard.
2. On the GEO-REPLICATION tab, at the bottom of the page, click ADD SECONDARY.
3. In the Specify secondary settings dialog box, note that you can only select an OFFLINE secondary;
only Premium edition SQL Databases can be replicated to an online, readable secondary. Then, in the
TARGET SERVER list, select New SQL Database server and click the Next icon.
4. On the SQL database server settings page, enter the following details and click the Complete icon.
o
5. On the Confirm Additional billing impact dialog box, select the check box to confirm you
understand the billing impact, and click the OK icon.
6.
1.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Managers at A. Datum are planning to migrate some of the company's application databases to the cloud.
To achieve this goal, you plan to use Microsoft Azure SQL Database. You have been asked to test SQL
Database by creating a new database of A. Datum servers and by migrating sample data from the A.
Datum customer relationship management system. Managers have asked you to investigate how SQL
Database will support an existing custom application used with A. Datum, as well as disaster recovery
features.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
The operations team at A. Datum currently use a Microsoft SQL Server database to store details of servers
in the corporate infrastructure. You want to investigate Azure SQL Database as a new host for this
database. The operations team are interested in how they will be able to monitor the performance of this
database in Azure.
Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Create a SQL Database
2. Configure Server Firewall Rules
3. Use SQL Server Management Studio
4. View Database Metrics
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
In Internet Explorer, browse to http://azure.microsoft.com and sign in to the portal using the
Microsoft account that is associated with your Azure subscription. Then switch to the new portal.
3.
Create a new SQL Database named operations based on the following settings:
Server: a new server with a unique name. The server admin should be named Student with the
password Pa$$w0rd, and the server can be created in the region closest to your present location.
Switch back to the full Azure portal, and verify that the operations database is listed in the SQL
DATABASES page.
2.
On the SERVERS tab, verify that the uniquely named server you created is listed.
3.
Configure a firewall rule that permits the entire Class B subnet that includes the current IP address of
your local workstation to connect.
Start SQL Server Management Studio and connect to your Microsoft Azure SQL Database server:
o
Use SQL Server authentication to connect as Student with the password Pa$$w0rd.
2.
3.
Open the Operations.sql file in the D:\Labfiles\Lab07\Starter folder and execute it in the operations
database to create and populate a table of server IP addresses.
4.
Execute the following Transact-SQL query in the operations database, and verify that a list of three
servers and their IP addresses is returned:
SELECT * FROM dbo.serverlist;
5.
Keep SQL Server Management Studio open for the next exercise.
In Internet Explorer, in the preview Azure portal, on the operations SQL Database blade, view the
charts in the Monitoring section, which show details of connections and storage space used.
2.
View the details of the Storage metric, and create an alert that will send an email to the service
administrator, co-administrators, and your own email address when the operations database total
database size metric is greater than 100 over the last 15 minutes.
3.
Results: After completing this exercise, you will have created an Azure SQL Database named operations
on a new server with a name of your choosing. You will also have used SQL Server Management Studio to
create a table named dbo.serverlist and created an alert to help you monitor database storage.
The sales team at A. Datum uses a CRM application to track customer invoices. The application currently
stores customer data in an on-premises SQL Server database. You want to demonstrate that Azure can
support this CRM application by migrating the database for this application to Azure SQL Database, and
then reconfiguring the application to use the new, cloud-based database.
The main tasks for this exercise are as follows:
1. Deploy a Database to Azure
2. Configure SQL Database Security
3. Configure an Application Connection String
In SQL Server Management Studio, connect to the MIA-CL1 SQL Server instance using Windows
authentication.
2.
Verify that the sales database is listed in the Databases folder for the MIA-CL1 server.
3.
Right-click the sales database, point to Tasks, and click Deploy Database to Windows Azure SQL
Database. Then use the wizard to deploy the sales database on MIA-CL1 to your Microsoft Azure
SQL Database server.
In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server, expand
Security, expand Logins, and verify that only the Student login is listed.
2.
Create a new login named SalesApp with the password Pa$$w0rd by executing the following
Transact-SQL code in the master database:
CREATE LOGIN SalesApp
WITH PASSWORD = 'Pa$$w0rd'
GO
3.
In Object Explorer, in the Databases folder for your Azure SQL Database server, expand the sales
database, expand Security, and expand Users to view the users that are defined in the sales
database.
4.
Create a user named SalesApp for the SalesApp login. The user should have a default schema of
dbo, and should be added to the db_owner database role. You can create the user by executing the
following Transact-SQL code in the sales database:
CREATE USER SalesApp
FOR LOGIN SalesApp
WITH DEFAULT_SCHEMA = dbo
GO
EXEC sp_addrolemember 'db_owner', 'SalesApp'
GO
5.
Keep SQL Server Management Studio open for the next exercise.
1.
Start Visual Studio and open the SalesApp.sln solution in the D:\Labfiles\Lab07\Starter folder. Then
open its Web.config file and note that the SalesConnectionString setting connects to the sales
database on the localhost server using integrated security (Windows authentication).
2.
In Internet Explorer, in the preview Azure portal, browse the SQL Databases in your subscription to
find the sales database.
3.
View the properties of the sales database and show its database connection strings. Then copy the
ADO.NET connection string to the clipboard.
4.
In Visual Studio, replace the existing connection string with the one you copied from the Azure portal.
Then in the copied connection string, change the User ID parameter to SalesApp@server_name
(where server_name is the unique name of your Azure SQL Database server); replace the Password
parameter with Pa$$w0rd. The new connectionString value should look similar to this:
Server=tcp:server_name.database.windows.net,1433;Database=sales;User ID=SalesApp@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
5.
6.
When Internet Explorer opens, verify that the sales application shows invoice history data for the
selected customer. The data is retrieved from the sales database you migrated to Microsoft Azure SQL
Database.
7.
Close the Internet Explorer window that contains the sales application, and then close Visual Studio,
saving changes if prompted.
Results: After completing this exercise, you will have deployed the sales SQL Server database on the local
SQL Server instance to your Azure SQL Database server, and configured the SalesApp web application to
use a connection string for the new Azure SQL Database.
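The connection string edited in this exercise carries every security-relevant choice the application makes: TLS on the wire, certificate validation, and which login it connects as. The following check is an added example, not part of the course material; it parses an ADO.NET connection string and reports the settings that must be right before the string is committed to Web.config. The sample strings are constructed (adatumsql01 stands in for the lab's server_name placeholder, and the second string is the original localhost setting the lab replaces); treating Student as the server administrator that an application must not use is an assumption taken from the lab setup.

```python
"""Check the security-relevant keywords of an ADO.NET connection string.

Added example, not part of the course material. Sample strings below are
constructed; 'adatumsql01' stands in for the lab's server_name placeholder.
"""
from typing import Dict, List

# Assumption from the lab: Student is the server administrator login, which an
# application should never use. Pass your own set when reusing this check.
DEFAULT_ADMIN_LOGINS = frozenset({"Student"})

# Constructed samples: the string the lab builds from the portal, and the
# original Web.config setting (localhost, Windows authentication) it replaces.
AZURE_STRING = ("Server=tcp:adatumsql01.database.windows.net,1433;Database=sales;"
                "User ID=SalesApp@adatumsql01;Password=Pa$$w0rd;Encrypt=True;"
                "TrustServerCertificate=False;Connection Timeout=30;")
LOCAL_STRING = "Server=localhost;Database=sales;Integrated Security=True;"


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;...' into a dict.

    ADO.NET keywords are case-insensitive and may contain spaces ("User ID"),
    so keys are lower-cased with whitespace collapsed. Quoted values that
    contain ';' are not handled; none of the samples need that.
    """
    parts: Dict[str, str] = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[" ".join(key.lower().split())] = value.strip()
    return parts


def check_connection_string(conn: str, admin_logins=DEFAULT_ADMIN_LOGINS) -> List[str]:
    """Return findings for a string meant to reach Azure SQL Database.

    An empty list means every check passed.
    """
    p = parse_connection_string(conn)
    findings: List[str] = []

    server = p.get("server", "")
    if not server.startswith("tcp:") or ".database.windows.net" not in server:
        findings.append("Server must be tcp:<name>.database.windows.net,1433")

    # Transport protection: encrypt, and validate the server certificate.
    if p.get("encrypt", "").lower() != "true":
        findings.append("Encrypt=True is missing; credentials and data would cross the Internet in clear")
    if p.get("trustservercertificate", "false").lower() != "false":
        findings.append("TrustServerCertificate must be False so the server certificate is validated")

    # Windows authentication does not exist for Azure SQL Database.
    if p.get("integrated security", "false").lower() in ("true", "sspi"):
        findings.append("Integrated Security is not supported; use a SQL login")

    # Least privilege: a dedicated application login, in the user@server form.
    user = p.get("user id", "")
    login, _, suffix = user.partition("@")
    if login in admin_logins:
        findings.append(f"User ID {login!r} is the server admin; use a dedicated application login")
    host = server.split(":", 1)[-1].split(",", 1)[0]   # strip 'tcp:' and ',1433'
    server_short = host.split(".", 1)[0]
    if suffix and suffix != server_short:
        findings.append(f"User ID suffix {suffix!r} does not match server {server_short!r}")

    return findings


if __name__ == "__main__":
    for label, s in (("azure", AZURE_STRING), ("local", LOCAL_STRING)):
        print(label, check_connection_string(s) or "OK")
```

Run against the lab's string the check is silent; run against the original localhost setting it reports the missing TLS settings, the unsupported Windows authentication and the non-Azure server name, which is exactly the set of edits step 4 asks for.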
The operations database you created is considered a mission-critical source of data for IT employees at A.
Datum. Before business decision makers can commit to using Azure to host this database, you must
ensure that the database can be recovered in the event of accidental deletion.
The main tasks for this exercise are as follows:
1. Delete a Database
2. Restore a Deleted Database
3. Reset the Environment
In Internet Explorer, in the full portal, delete the operations SQL Database.
2.
In SQL Server Management Studio, refresh the Databases folder for your Azure SQL Database server
to verify that the operations database is no longer on the server.
In Internet Explorer, in the full portal, restore the deleted operations SQL Database using the
following settings:
o
Note: If the operations database is not in the DELETED DATABASES list, press F5 to
refresh the portal display. You may have to wait several minutes before the database appears in
the list.
2.
When the restore operation has completed, use SQL Server Management Studio to verify that the
database has been restored.
3.
Use the following Transact-SQL query to verify that the data in the database has been recovered:
SELECT * FROM dbo.serverlist;
1.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Results: At the end of this lab, you will have deleted and restored the operations database.
Question: If the SalesApp web application was deployed to a server with a fixed public IP
address, how could you enable it to access the sales database without allowing it to access
the master database or any other databases on the server?
Review Question(s)
Question: What considerations are there for choosing between on-premises SQL Server, SQL
Server in an Azure virtual machine, and Azure SQL Database?
Module 8
Implementing PaaS Cloud Services and Mobile Services
Contents:
Module Overview
Module Overview
Platform as a Service (PaaS) cloud services are another execution model you can use to host applications
in Microsoft Azure. Cloud services provide a platform that can host web applications and web services.
Cloud services use a modular architecture that enables you to scale your application to the largest sizes
while minimizing costs. In this module, you will see how to create, administer, and monitor cloud services
and mobile services.
Objectives
At the end of this module, you will be able to:
Configure PaaS cloud services by using configuration files or the Azure portal.
Create and administer a mobile service that supports an app for mobile devices.
Monitor the performance of cloud services and mobile services, and diagnose bottlenecks.
Lesson 1
Azure provides four execution models for applications: Azure Virtual Machines, Azure Websites, PaaS
Cloud Services, and Mobile Services. In this lesson, you will see how PaaS Cloud Services differ from Azure
Websites and Azure Virtual Machines and enable you to create a modular, flexible, and highly scalable
application architecture. You will also see how to configure cloud services and deploy the cloud service
code created by developers.
Lesson Objectives
At the end of this lesson, you will be able to:
Describe how PaaS Cloud Services and Mobile Services integrate with other Azure services to support
applications.
Choose whether to use Azure Virtual Machines, Azure Websites, Azure PaaS Cloud Services, or Azure
Mobile Services to host an application.
Describe how web roles and worker roles enable highly scalable and flexible application architectures.
Deploy a cloud service package to Azure by using Visual Studio, the Azure portal, or Visual Studio
Online.
Apply staging and deployment best practices to Azure PaaS cloud services.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3.
When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages.
4.
At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
tab that is opened, close any initial "welcome" messages for the new portal. If you are prompted for
credentials, sign in using the Microsoft account that is associated with your Microsoft Azure
subscription.
5.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3.
At the prompt, type the module number, and then press Enter.
4.
5.
When prompted, sign in using the Microsoft account associated with your Microsoft Azure
subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
At the end of setup, you should only have the default directory service in your Azure subscription.
Web roles. A web role hosts the front end of the cloud service and always runs on a dedicated virtual
machine that hosts an Internet Information Services (IIS) web server. In a website, for example, the
web role would include the webpages that make up the user interface for the application.
Worker roles. A worker role executes asynchronous tasks and also runs on a dedicated virtual
machine. The web roles call worker roles to complete long-running, intensive, or perpetual
procedures.
Like Azure Websites, in PaaS Cloud Services, you can create multiple instances of web roles and worker
roles to ensure fault tolerance and increase scalability. However, you have extra flexibility in PaaS cloud
services because you can scale each role separately from all the others in the same service.
Note: In Azure, the term cloud service can refer to either a cloud service that hosts IaaS
virtual machines or a cloud service that hosts web roles and worker roles. In this course, the term
IaaS cloud service refers to a service that contains IaaS virtual machines and the term PaaS
cloud service refers to a service that contains roles. This terminology ensures clarity. However,
note that writers and technicians are sometimes ambiguous: when the term cloud service is
used, ensure you know which type of cloud service is being discussed.
Azure is frequently used to host back-end portions of a mobile device app. Many mobile apps, for
example, require a centralized database to store information for all users and a centralized location to run
business logic. The Azure Mobile Services compute feature is an execution model that brings together all
the commonly used server-side features that developers assemble to support mobile apps. A mobile
service makes it easy for developers to put together the functionality they need.
The Azure storage accounts and SQL Databases that you have already seen are frequently used as
information stores in both PaaS cloud services and mobile services. In this module, you will also see how
Service Bus queues can be used to enable communications between web roles and worker roles and how
the Push Notification feature can be used to ease messaging to mobile devices.
Cloud Services. Alternatively, you can choose to run web applications and web services as Azure Cloud
Services. Cloud services have a more flexible and distributed architecture than Azure Websites and
offer more control over the servers that run the application. Again, Azure provides the PaaS.
Mobile Services. Many mobile apps connect to a server-side portion of the application to access a
centralized database, execute server-side code, and authenticate. To run these centralized portions of
a mobile app, you can choose Azure Mobile Services. Azure provides a set of PaaS features that many
mobile apps require. For example, Mobile Services makes it easy for users to authenticate with their
Microsoft account.
In a PaaS cloud service, architects can divide code into separate roles. Each PaaS cloud service includes an
application file, with compiled code, and a configuration file. There are two kinds of role:
Web Roles. A web role provides an Internet Information Services (IIS) web server, which is used to
host the front end for the application. For example, if you implement a website as a PaaS cloud
service, the web role hosts the user interface webpages.
Worker Roles. A worker role runs asynchronous, long-running, or perpetual tasks and is initiated from
a web role. Worker roles do not interact directly with users and do not provide an IIS server.
A PaaS cloud service can include any number of roles. Each role can be configured to have multiple
instances. By creating multiple instances for each role, you can scale the cloud service out and increase its
resilience to failures.
Web roles and worker roles enable the most flexible and efficient scaling. For example, if an application
has one processor-intensive task, such as a video processing task, developers can place that code in a
worker role to separate it. When you deploy the cloud service, you can scale the processor-intensive task
independently without incurring extra costs by scaling out the entire application.
Best Practice: Create at least two instances of each role in your PaaS cloud service. By
doing this, you ensure that an instance is available to respond to users in the event of a single
failure. You must create at least two instances of each role in order to qualify for the 99.95
percent uptime guarantee in the Azure service level agreement (SLA). Instances of the same role
run in separate fault domains and separate upgrade domains.
Like websites, many PaaS cloud services utilize a database to store underlying data. You can use an Azure
virtual machine or Azure SQL Database to run such a database.
2.
In the toolbar at the bottom, click NEW and then click QUICK CREATE.
3.
In the URL text box, type a unique URL for the cloud service within the cloudapp.net domain.
4.
In the REGION OR AFFINITY GROUP drop-down list, select a region close to the users.
5.
Alternatively, you can create a PaaS cloud service by using the New-AzureService PowerShell cmdlet, as in
the following example:
Creating a PaaS Cloud Service in PowerShell
New-AzureService -ServiceName MyNewService -Location "West Europe"
From Visual Studio, you can use the Publishing Wizard. To ease this deployment method, you can
obtain a publish profile from Azure and import it into Visual Studio. Deployment of web roles
uses Web Deploy.
From the Azure Portal, you can upload a cloud service package and configuration file. Developers can
create these files by using the packaging wizard in Visual Studio. Administrators can use these files to
upload the service code and start the application.
From Visual Studio Online, you can configure continuous deployment. If you choose this option, you
must take care to ensure untested code is not deployed to the production environment. Frequently,
Visual Studio Online is configured to deploy code to a staging environment. When the staged code
has been tested thoroughly, administrators can move it to the production environment.
Note: In the lab, you will see how to deploy a PaaS cloud service by using the Azure portal.
Deployment Environments
A PaaS cloud service runs in different locations during development, for testing, and for production. In
each organization, development teams work to different project models. For example, some teams may
perform most testing toward the end of a project while those using Agile or Test Driven Development
(TDD) models test throughout the project. For this reason, the environments teams use to test code vary
widely. However, the following divisions are commonly used.
During Development
Most developers run informal tests on their code as they write. However, coded tests, which are run
repeatedly by all the developers in the team as they modify code, are now considered essential in many
organizations. Such tests are commonly of two types:
Unit Tests. These tests execute a small unit of code such as an individual procedure. Fixed inputs are
passed to the procedure and the outputs are evaluated.
End-to-End Tests. These tests simulate a complete operation in which multiple components of the
code may be involved. For example, an end-to-end test may simulate a user request and response.
Because these tests are executed so frequently, they are coded and executed in the IDE. At this stage of
the project, code is run on developers' computers.
For an Azure PaaS cloud service project, developers need an environment on their local computer where
they can run tests; this must closely match Azure itself. Such an environment is provided by the Azure
SDK. There are two important components of the SDK that model Azure. Both these components start on
the developer's computer when they enter debugging mode:
The Azure Compute Emulator. Web roles and worker roles execute within this emulator.
The Azure Storage Emulator. Blob storage, file storage, and table storage are simulated by this
emulator.
During Staging
Staging is the last opportunity to test a project before it is deployed to production. The following tests are
commonly performed at this stage:
Acceptance Testing. These tests check that the completed project satisfies the functional and nonfunctional requirements.
Performance Testing. These tests simulate user demand and determine the CPU, memory, and other
resources that may be required to cope with the expected load.
Beta Testing. A limited number of the final users of the project can be granted access to the staging
environment to try out the software and identify issues.
For an Azure PaaS cloud service project, the staging environment should be in Azure itself, so you must
deploy the project. You can use a staging slot for this deployment. A staging slot is a deployment of the
cloud service with the following characteristics:
In the Azure portal, it appears within a single cloud service, together with the production slot.
To access the staging slot cloud service, use a URL that includes the Globally Unique Identifier (GUID).
For example, if your cloud service is found at http://myservice.cloudapp.net, the staging slot is found
at http://GUID.cloudapp.net. You can determine the GUID by browsing the service's dashboard in the
Azure portal.
Alternatively, you could create a separate PaaS cloud service for staging. By using a staging slot, when all
tests have been passed, you can deploy the service to production by using a virtual IP swap. In this
operation, the staging and production slots are swapped, which means that the accepted new version is
moved to production without a new deployment of the code.
During Production
The production environment is the final destination for the PaaS cloud service code. This environment
runs thoroughly tested and debugged code that your team has complete confidence in and services real
user requests based on live databases and files.
How are testing, staging, and production deployments separated in your organization for cloud
applications?
How will Azure modify your approach to testing, staging, and production deployment?
Demonstration Steps
Create a new PaaS cloud service by using PowerShell
1.
Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
the Microsoft account that is associated with your Azure subscription.
2.
3.
4.
5.
6.
Sign in with the user credentials associated with your Azure account.
7.
8.
From the list of locations, choose a location near you and note the location's name.
9.
Where XXX is a unique number, and My Location is the Azure location you selected in step 8. Azure
creates a new PaaS cloud service.
10. Type the following command and then press Enter:
New-AzureStorageAccount -StorageAccountName smallstorageXXX -Location "My Location"
Where XXX is a unique number, and My Location is the same Azure location you used in step 5.
11. Switch to Internet Explorer and press F5 to refresh the portal.
12. Click SmallCloudServiceXXX and then click INSTANCES.
13. Point out that the service has been created but not deployed.
Configure and package a cloud service project in Visual Studio 2013
1.
2.
3.
Browse to D:\Demofiles\Mod08\SmallCloudService.
4.
5.
6.
7.
8.
In the Web Platform Installer 5.0 dialog box, on the Microsoft Azure SDK for .NET (VS 2013) 2.4 page, click Install.
9.
In the Web Platform Installer 5.0 dialog box, on the PREREQUISITES page, click I Accept.
14. In the Web Platform Installer 5.0 dialog box, on the Spotlight page, click Exit.
15. In the View Downloads - Internet Explorer dialog box, click Close.
16. In Visual Studio, on the FILE menu, click Exit.
17. Start Visual Studio 2013.
18. Click FILE, click Open, and then click Project/Solution.
19. Browse to D:\DemoFiles\Mod08\SmallCloudService.
20. Click SmallCloudService.sln and then click Open.
21. In the Solution Explorer, expand SmallCloudService and then expand Roles.
22. Right-click SmallWebRole and then click Properties.
23. If you are prompted to log on, use the username and password associated with your Azure
subscription.
24. Click Settings.
25. In the list of settings, click in the Value column of the only setting.
26. Click the button on the right.
27. In the Create Storage Connection String dialog box, select Your subscription.
28. If the Subscription and Account name boxes are empty, click Sign In, and then enter the username
and password associated with your Azure subscription.
29. In the Account name box, select smallstorageXXX and then click OK.
30. Click FILE and then click Save All.
31. In the Solution Explorer, right-click SmallCloudService and then click Package.
32. In the Package Azure Application dialog box, click Package. When the package operation is
complete, the package and configuration files are displayed in Windows Explorer.
Deploy a packaged cloud service project by using the Azure portal
1.
2.
3.
4.
5.
6.
7.
Browse to
D:\DemoFiles\Mod08\SmallCloudService\SmallCloudService\bin\release\app.publish.
8.
9.
New features.
Bug fixes.
To deploy a new version of a PaaS cloud service to Azure, you must upload the compiled package file and
configuration file in the same way as you did to deploy the first version. You can do this in Visual Studio
by using the Publishing Wizard, in the Azure portal by uploading the files manually, or by using continuous
deployment with Visual Studio Online. You should ensure that proper staging is complete for the new
version, as you did for the first version.
Staging slots provide an extra advantage when deploying upgraded services. When you move the staged
code into the production slot, the older version of the service is automatically moved into the staging slot
and not overwritten. In the event of any problem with the new version, you can rapidly roll back the
deployment to the old version by swapping again.
Lesson 2
Developers write code in PaaS cloud services but Azure administrators must be able to configure
deployed cloud services. For example, administrators must ensure that a cloud service responds smoothly
to expected and unexpected peaks in demand. In this lesson, you will see how to configure a cloud service
by using configuration files and the Azure portal.
Lesson Objectives
At the end of this lesson, you will be able to:
Reconfigure a PaaS cloud service for deployment to Azure by modifying the service configuration file.
Choose whether to use storage account queues, service bus queues, or direct communication to
enable communication between PaaS cloud service roles.
Choose how to scale a cloud service for expected and unexpected load peaks.
You can edit the file directly. The configuration file is an XML file, so any text editor can be used to make
changes.
You can edit many values in the Azure portal after deployment.
You can use the Visual Studio Publishing Wizard. This tool provides help for formulating connection
strings correctly.
The following code shows a simple PaaS cloud service configuration file:
Example Service Configuration File
<ServiceConfiguration serviceName="ContosoAdsCloudService"
xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
osFamily="4"
osVersion="*"
schemaVersion="2014-01.2.3">
<Role name="ContosoAdsWeb">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"
value="UseDevelopmentStorage=true" />
<Setting name="StorageConnectionString"
value="UseDevelopmentStorage=true" />
</ConfigurationSettings>
</Role>
<Role name="ContosoAdsWorker">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"
value="UseDevelopmentStorage=true" />
<Setting name="StorageConnectionString"
value="UseDevelopmentStorage=true" />
<Setting name="ContosoAdsDbConnectionString"
value="Data Source=(localdb)\v11.0; Initial Catalog=ContosoAds;
Integrated Security=True; MultipleActiveResultSets=True;" />
</ConfigurationSettings>
</Role>
</ServiceConfiguration>
The example above is a typical configuration file used in the development environment. Only one
instance of each role is configured; connection strings use the Azure storage emulator and a local
database.
To prepare this configuration for deployment to Azure, the following changes are commonly required:
Instance Count. You should always use two or more instances of every role in the production
environment. This greatly improves resilience and qualifies the service for the 99.95 percent uptime
condition in the SLA. Use the count attribute of the <Instances> tag to specify the number of
instances for each role.
Database Connection Strings. You must ensure that the database connection strings point the cloud
service to the production database. This database may be an Azure SQL Database instance or a SQL
Server instance running on a virtual machine. For SQL Database instances, you can copy the
connection string from the database dashboard in the Azure portal.
Storage Connection Strings. If the service uses an Azure storage account, you must ensure that the
storage connection strings point the cloud service to the production storage account. You can copy
the connection string from the storage account dashboard in the Azure portal.
Direct Communication
Roles can communicate directly through three kinds of endpoint:
Input Endpoints. These external endpoints enable services and other clients outside the PaaS cloud
service to call the role through the Azure load balancer.
Internal Endpoints. These endpoints enable roles within the same PaaS cloud service to communicate;
they are not reachable from outside the service.
Direct Port Endpoints (instance input endpoints). These endpoints enable services and other clients
outside the PaaS cloud service to call a specific instance of a role on a specific port.
You define endpoints in the PaaS cloud service definition file (ServiceDefinition.csdef), not in the service
configuration file. For example, the following XML code defines an internal endpoint for a worker role:
Worker Role Endpoint Definition
<WorkerRole name="ImageProcessorRole">
  <Endpoints>
    <InternalEndpoint name="InternalImageIn" protocol="tcp" port="1000" />
  </Endpoints>
</WorkerRole>
The following XML code defines an external endpoint for a web role:
Web Role Endpoint Definition
<WebRole name="FrontEndRole">
  <Endpoints>
    <InputEndpoint name="HttpIn" protocol="http" port="80" localPort="80" />
  </Endpoints>
</WebRole>
Every input endpoint is reachable from the Internet, so declare only the ports a role needs, and for any
traffic that carries credentials or session tokens use an https input endpoint, which references a certificate
uploaded to the cloud service, rather than plain http.
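The two reviews described above, checking a service configuration (.cscfg) before it goes to the production slot and checking which endpoints in the service definition (ServiceDefinition.csdef, where the <WorkerRole> and <WebRole> elements shown above live) face the Internet, are easy to automate. The following Python script is an added example written for this text; it is not part of the course files or of Microsoft's tooling. It parses both files with the standard library and reports development-only settings (a single instance, the storage emulator, a LocalDB connection string, plaintext storage access) as blocking errors, embedded credentials as warnings, and Internet-facing endpoints for review. The XML inside it is constructed from the ContosoAds and FrontEndRole snippets above; the account name cloudappprod001, the setting names it looks for and the heuristics are assumptions, not a Microsoft specification.

```python
"""Pre-deployment audit of Azure Cloud Services .cscfg and .csdef files.
Added example for this course text, not Microsoft tooling; the heuristics, setting
names and the constructed XML samples below are assumptions modelled on the text."""
import xml.etree.ElementTree as ET

CSCFG_NS = {"c": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}
CSDEF_NS = {"d": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}

# Constructed sample: the development-time .cscfg from the text, trimmed.
DEV_CSCFG = r"""<ServiceConfiguration serviceName="ContosoAdsCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="ContosoAdsWeb">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="StorageConnectionString" value="UseDevelopmentStorage=true" />
    </ConfigurationSettings>
  </Role>
  <Role name="ContosoAdsWorker">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="StorageConnectionString" value="UseDevelopmentStorage=true" />
      <Setting name="ContosoAdsDbConnectionString"
               value="Data Source=(localdb)\v11.0; Initial Catalog=ContosoAds; Integrated Security=True;" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>"""

# Constructed sample: the same service prepared for production (assumed account name, placeholder key).
PROD_CSCFG = """<ServiceConfiguration serviceName="ContosoAdsCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="ContosoAdsWeb">
    <Instances count="2" />
    <ConfigurationSettings>
      <Setting name="StorageConnectionString"
               value="DefaultEndpointsProtocol=https;AccountName=cloudappprod001;AccountKey=PLACEHOLDER" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>"""

# Constructed sample .csdef combining the two endpoint definitions from the text.
SAMPLE_CSDEF = """<ServiceDefinition name="ContosoAdsCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="FrontEndRole">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" localPort="80" />
    </Endpoints>
  </WebRole>
  <WorkerRole name="ImageProcessorRole">
    <Endpoints>
      <InternalEndpoint name="InternalImageIn" protocol="tcp" port="1000" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>"""

def audit_cscfg(xml_text, min_instances=2):
    """Return (role, level, message) findings; 'error' findings should block deployment."""
    findings = []
    for role in ET.fromstring(xml_text).findall("c:Role", CSCFG_NS):
        name = role.get("name")
        inst = role.find("c:Instances", CSCFG_NS)
        count = int(inst.get("count", "1")) if inst is not None else 1
        if count < min_instances:
            findings.append((name, "error", f"Instances count={count}; the SLA needs at least {min_instances}"))
        for s in role.findall("c:ConfigurationSettings/c:Setting", CSCFG_NS):
            sname, value = s.get("name"), s.get("value", "")
            if "UseDevelopmentStorage=true" in value:
                findings.append((name, "error", f"{sname} still targets the storage emulator"))
            if "(localdb)" in value.lower() or "localhost" in value.lower():
                findings.append((name, "error", f"{sname} still targets a local database"))
            if "DefaultEndpointsProtocol=http;" in value:
                findings.append((name, "error", f"{sname} reaches storage over plaintext http; use https"))
            if "AccountKey=" in value or "Password=" in value:
                findings.append((name, "warn", f"{sname} embeds a credential; keep this file out of source control"))
    return findings

def audit_csdef(xml_text):
    """List endpoints the load balancer exposes to the Internet; internal endpoints are skipped."""
    findings = []
    for role in ET.fromstring(xml_text).findall("*"):  # WebRole and WorkerRole children
        for ep in role.findall("d:Endpoints/*", CSDEF_NS):
            kind = ep.tag.split("}")[1]  # drop the namespace from the element name
            if kind == "InternalEndpoint":
                continue
            proto = ep.get("protocol", "")
            level = "warn" if proto == "http" else "info"  # plaintext on the Internet deserves a second look
            findings.append((role.get("name"), level,
                             f"{kind} {ep.get('name')} exposes {proto} port {ep.get('port', '?')} to the Internet"))
    return findings

def production_ready(cscfg_text, csdef_text, min_instances=2):
    """True when neither file carries an error-level finding."""
    findings = audit_cscfg(cscfg_text, min_instances) + audit_csdef(csdef_text)
    return not any(level == "error" for _, level, _ in findings)

if __name__ == "__main__":
    for role, level, msg in audit_cscfg(DEV_CSCFG) + audit_cscfg(PROD_CSCFG) + audit_csdef(SAMPLE_CSDEF):
        print(f"[{level}] {role}: {msg}")
```

Run against the development file the script reports five blocking errors; against the production file it reports only the warning that the storage key is now embedded, which is the cue to treat the .cscfg as a secret. Running the same check in a build step before the package is uploaded catches the emulator connection string before it ever reaches a production slot.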
Instead of using direct communication, developers may choose to use a queue to send messages from
one role to another. A queue stores each message until a role retrieves it, so messages are not lost while
the receiving role is busy or restarting; the role works its way through the messages in the queue
asynchronously. You can also control the processing of messages in a queue, for example by throttling
consumption so that the queue does not consume all service resources. Therefore, a queue is a popular
communication method.
Azure has two types of queue in different services: storage queues and service bus queues. Developers
and software architects usually decide which queuing mechanism to use. However, IT professionals must
be aware of the two mechanisms and be able to configure them as dependencies when a cloud service
uses them.
Characteristic                  Azure Queues    Service Bus Queues
Average latency                 10 ms           100 ms
Maximum message size            64 KB           256 KB
Maximum queue size              1 TB            5 GB
Maximum message time-to-live    7 days          Unlimited
For more information about the differences between storage account queues and service bus queues, see:
Comparing Microsoft Azure Queues and Service Bus Queues
http://go.microsoft.com/fwlink/?LinkID=511758
Azure Queues and Service Bus Queues - Compared and Contrasted
http://go.microsoft.com/fwlink/?LinkID=522646
Adding a PaaS cloud service to an Azure virtual network (VNet) enables you to:
Reduce the latency of communications between PaaS cloud services and virtual machines, because
communication can be direct and does not have to take place through public endpoints and the
Azure load balancer.
Enable on-premises clients to connect directly with the PaaS cloud service. This is possible if the VNet has
a VPN connection to your on-premises network.
To add a PaaS cloud service to a VNet you must add a <NetworkConfiguration> section to the service
configuration file. This section must be inserted after all the roles have been defined in the file.
In the following example, the service configuration file determines that the current PaaS cloud service will
be added to the A. Datum HQ VNet:
Adding a PaaS Cloud Service to a VNet
<NetworkConfiguration>
  <VirtualNetworkSite name="AdatumHQ" />
  <AddressAssignments>
    <InstanceAddress roleName="SimpleWebRole">
      <Subnets>
        <Subnet name="HQSubnet1" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
Best Practice: The scheduled scaling technique you see in this demonstration ensures that
sufficient instances of all roles are present to maintain good responsiveness during an expected
demand peak. After the peak passes, instances are automatically de-provisioned to avoid extra
costs. When you set the schedule, bear in mind that it can take a few minutes for each new
instance to come online. Start your schedule well before the expected peak to ensure that full
capacity is reached in a timely manner.
Demonstration Steps
Set the default instance count for a cloud service
1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
the Microsoft account that is associated with your Azure subscription.
6. In the END TIME column, type a time 20 minutes from now, and then click Complete.
10. The instances are displayed in the table. After 10 minutes, the number of instances increases to five. To
see the new instances, you may need to refresh the page by pressing F5.
Lesson 3
One of the more common uses for the services and tools available in Azure is as a back end for mobile
apps that run on phones, tablets, and other devices. Microsoft has responded to this demand by adding
mobile services to Azure. A mobile service provides the facilities and features that are widely used by
mobile app developers in a single service with a single Application Programming Interface (API). In this
lesson, you will see how to create and administer a mobile service to support a mobile app created by
your team of developers.
Lesson Objectives
At the end of this lesson, you will be able to:
Create and configure a new Azure mobile service by using the Azure portal.
Mobile apps typically need back-end support in four areas:
Data
Authentication
Communication
Business Logic
Many of these needs can already be satisfied with other parts of Azure. For example, mobile devices can
use SQL Database to store data without creating a mobile service. However, Mobile Services provides a
simple way for developers to access all these features through a single API that is compatible with a wide
range of mobile devices. For example:
Developers can access Azure SQL Database, define a data schema, and edit data by calling
methods in the Mobile Services API.
A mobile service includes a free Azure notification hub that can push messages to mobile clients.
With a simple call, developers can send messages targeted to individual users or target large
audiences with personalized content. Each mobile device operating system has a different
Platform Notification Service (PNS). An Azure notification hub can send the same message to many
different PNSs, which frees developers from writing separate code for each device type; that code is
built into the notification hub for developers to call.
By configuring authentication in your mobile service, you can authenticate against Facebook, Twitter,
Outlook.com, Google, and Azure Active Directory through the Mobile Services API without writing
separate code in your app for each provider.
In a mobile service, you can add JavaScript or .NET code that encapsulates business logic and runs in
Azure. This removes load from mobile devices and keeps that logic, and any secrets it uses, out of the client.
Note: Mobile Services are designed principally to make mobile app development easier for
developers. However, IT professionals must know how to administer mobile services if developers
choose to use them. For example, if a spike in demand is expected, IT professionals must scale a
mobile service. This lesson focuses on such tasks.
2. In the toolbar at the bottom, click NEW and then click CREATE.
3. In the URL text box, type a unique valid URL for the mobile service. The mobile service name must be
unique within the azure-mobile.net domain.
4. In the DATABASE drop-down list, choose whether to use a database that you have already created or
to create a new database in Azure SQL Database.
6. In the BACKEND drop-down list, choose the language for business logic code. Work with your
developer team to choose the language.
7. Click Next.
8. If you have chosen to create a new database, in the NAME text box, type a name for the database.
9. In the SERVER drop-down list, choose a SQL Database server to run the new database.
In order for an application to access your mobile service, it must send the application key with its request.
An application key is created by default when you create your mobile service, but you can choose to
regenerate it. You can also regenerate the master key, which authorizes the highest level of access and is
intended for administrators only. Note that the application key identifies the app rather than securing it: it
ships inside every copy of the client, so anyone who extracts it can call the service, and it must not be relied
on to authenticate users. The master key grants administrative access and must never be embedded in a
distributed app.
To manage the application and master keys, take the following steps:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
4. You can copy a key to the clipboard by clicking the Copy button. To replace the key, click
Regenerate.
Best Practice: Application keys are often hardcoded into the mobile app your developers
create. If you regenerate the key, old versions of the app that use the original key will no longer
function. You will need to distribute a new version of the app to fix this issue. Only regenerate the
key if you can deploy a new version of the app quickly.
You can scale up a mobile service by moving it to a higher tier, and scale out basic and standard tier
services by adding units. There are three tiers available:
Free. Free tier services are limited to 60 minutes of CPU time per day, 165 MB of outbound data
transfer per day, and 500 active devices.
Basic. Basic tier services have no limits on CPU time, outbound data, or the number of active devices.
Scaling out is limited to six units.
Standard. Standard tier services have no limits on CPU time, data transfer, devices, or the number of
units.
You can scale out basic and standard tier mobile services by creating multiple units. As well as specifying a
default number of mobile service units, you can scale out automatically, on a schedule or in response to a
threshold in a metric, such as CPU time.
Full details of mobile services tiers and their pricing can be found at the following URL:
Mobile Services Pricing Details
http://go.microsoft.com/fwlink/?LinkID=511759
Configuring Authentication
The popularity of social networking means the
majority of potential users for your app already
have a Microsoft, Facebook, Twitter, or Google
user account. They also trust these services
because they use them on a regular basis. By
enabling users to authenticate in your mobile app
with credentials from these external services, you
can take advantage of this trust and avoid the
need for all users to create a new account for your
app with separate credentials to remember.
In order for an app to authenticate with Facebook, you must:
2. Obtain credentials for the app from Facebook. This is often an app access key.
This process is similar for other external providers such as Twitter, although the details of the credentials
may vary.
Usually, the app access key is hardcoded into the app itself. If you want to support authentication against
multiple external providers, you must hardcode multiple access keys into your app. Azure Mobile Services
eases this situation in two ways:
By storing configurable access keys for each supported provider. This means that access keys need no
longer be hardcoded into apps.
By enabling developers to authenticate against multiple external providers with a single portion of
code.
If your developers have chosen to enable external authentication providers in their mobile app by using the
Mobile Services API, you must configure access keys in the Azure portal. The client secrets and app secrets
you enter here are your app's credentials at each provider: handle them as secrets and never copy them into
the client app. To complete this process, take the following steps:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. In the list of mobile services, click the service you want to configure.
4. If you want to authenticate users with Microsoft accounts, fill in the CLIENT ID, CLIENT SECRET, and
PACKAGE ID values in the Microsoft Account Settings section.
5. If you want to authenticate users with Facebook accounts, fill in the APP ID/APP KEY and APP
SECRET values in the Facebook Settings section.
6. If you want to authenticate users with Twitter accounts, fill in the APP KEY and APP SECRET values in
the Twitter Settings section.
7. If you want to authenticate users with Google accounts, fill in the CLIENT ID and CLIENT
SECRET values in the Google Settings section.
8. If you want to authenticate users with Azure Active Directory accounts, fill in the APP URL and
CLIENT ID values in the Azure Active Directory Settings section.
Demonstration Steps
Create a new mobile service
1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
the Microsoft account that is associated with your Azure subscription.
3. In the toolbar at the bottom, click NEW and then click CREATE.
4. In the URL box, type a valid unique name. If the name is valid and unique, a green tick appears.
5. In the DATABASE drop-down list, select Create a free 20MB SQL Database.
7. Select the CONFIGURE ADVANCED PUSH SETTINGS check box and then click Next.
2. In the NOTIFICATION HUB NAME box, type a valid unique name, and then click Next.
5. In the REGION drop-down list, select the same location you used in step 6.
6. Click Complete.
1. When the mobile service creation is complete, click the mobile service you just created.
2. Under GET STARTED, click CREATE A NEW WINDOWS OR WINDOWS PHONE APP.
3. Under Download and run your app, click Download and then click Save.
5. Right-click the zip file, click Extract All, and then click Extract.
7. In the How do you want to open this type of file (.sln)? dialog box, click More options, and then
click Visual Studio 2013.
8. In the Security Warning dialog box, clear the Ask me for every project in this solution check box,
and then click OK.
10. If the User Account Control dialog box appears, click Yes.
11. In the Solution Explorer, show the students the Windows 8.1 and Windows Phone 8.1 projects.
Reset the Environment
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Lesson 4
Cloud services and mobile services may need to support large numbers of users and still respond quickly.
During times of high demand, you should be able to monitor the performance of your service in detail so
that you can be sure users have a smooth experience. In this lesson, you will see how to enable
monitoring and obtain detailed data to allow you to diagnose performance bottlenecks and add capacity
in the right components.
Lesson Objectives
At the end of this lesson, you will be able to:
Configure a diagnostic connection to a storage account so that a cloud service can use verbose
monitoring.
Obtain diagnostic monitoring data for the notification hubs and databases that support mobile
services.
Minimal Monitoring
By default, PaaS cloud services use minimal
monitoring. In this mode, the following counters
are available:
CPU Percentage
Data In
Data Out
If you have multiple role instances, you can monitor these counters either for individual instances or in
total for all instances of each role.
Verbose Monitoring
When you enable verbose monitoring, you can record a much larger range of counters. This enables you
to gain a much more detailed picture of the performance of instances and roles. Unlike minimal
monitoring, verbose monitoring stores data in table storage. Therefore you must create a storage account
and connect it to the monitoring tool to use verbose monitoring.
Note: Minimal monitoring is free. However, because verbose monitoring stores data in a
storage account, it incurs extra costs for using the Azure Storage service.
For information on the steps to create a storage account, go to Module 5, or see:
How to Create a Storage Account
http://go.microsoft.com/fwlink/?LinkID=522647
To configure verbose monitoring:
1. In the Azure full portal, click STORAGE and then click the storage account you want to use for
monitoring data.
4. In the navigation on the left, click CLOUD SERVICES and then click the PaaS cloud service you want
to monitor.
6. In the DIAGNOSTIC CONNECTION STRINGS section, enter the name of the storage account, and
then paste the storage account access key. This key is saved in the service configuration, so use a
storage account dedicated to diagnostics rather than the account that holds application data.
7. Click SAVE.
9. Click SAVE.
4. In the list of roles, choose the role instance you want to monitor. You can also select aggregated
counters for all the instances of each role.
5. Metrics are listed in sections. Expand the section that interests you and then select the metric to add.
6. Click OK.
Once you have added a metric to the table, configure an alert for that metric by following these steps:
1.
In the list of metrics on the MONITORING tab, select the metric that interests you.
2.
3.
In the NAME text box, type a descriptive name for the alert and then click NEXT.
4.
In the THRESHOLD VALUE textbox, type a value that should trigger the alert when it is exceeded.
5.
In the ACTIONS section, choose whether to email the service administrators or to email another
address.
6.
Click Complete.
For a notification hub that supports a mobile service, the portal shows the following metrics:
Incoming messages. This counts the number of messages that mobile services are sending to the
mobile devices that are registered.
Errors. This counts the number of messages that could not be delivered.
Registrations. This counts the number of clients that register as a destination for messages.
Successful Operation. This counts notifications that are successfully delivered to mobile devices.
Mobile Service diagnostic logs only contain data if developers have coded logging actions in their code
by using the Services.Log.Info() and similar methods. However, if developers are using logging correctly,
this is a good place to find diagnostic information that may help you with fault finding. Developers will
see these logged events in Visual Studio when they run the mobile service in debugging mode.
Administrators can see these events in the full portal. To examine the diagnostic log:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. In the list of mobile services, click the service you want to troubleshoot.
Messages in the diagnostic log can be of three levels: Information, Warning, and Error. The message string
displayed is fixed by the developer in their code. Each event in the log also shows the method in which
the event was logged. This value helps developers to precisely identify the source of the problem.
You want to evaluate the potential of PaaS cloud services to host A. Datum web applications. Your
development team has provided a simple cloud service project that you can use to investigate Azure
functionality. You want to show how staging and production slots can be used to ease the deployment of
new versions of the PaaS cloud service. You also want to demonstrate that you can monitor the service to
get clear information on resource usage. This will help the administration team evaluate service
performance during its staged deployment.
Objectives
At the end of this lab, you will be able to:
Deploy a PaaS cloud service for staging and enable RDP access.
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. In the Microsoft Azure PowerShell, connect and log in to your Azure account.
3. In PowerShell, get a list of Azure locations and note the name of a location near you.
4. In PowerShell, create a new Azure SQL Database server. Use the following information:
5. In PowerShell, get the name of the SQL Database server you created in step 4.
7. In the Azure full portal, create a new SQL Database. Use the following information:
o Name: CloudServiceProdDB
o Server: Use the SQL Database server name you noted in step 5
In Windows Azure PowerShell, create a new Azure storage account. Use the following information:
2. In the service configuration file, set the instance count attribute to 2 for both the
AdatumAdsWebRole role and the AdatumAdsWorkerRole role. Save your changes.
3. In the Azure Portal, copy the primary access key for the cloudappprodXXX storage account to the
clipboard.
4. In Visual Studio, configure the StorageConnectionString setting for the AdatumAdsWebRole role.
Use the following information:
o DefaultEndpointsProtocol: https
o AccountName: cloudappprodXXX
o AccountKey: paste the primary key that you just copied to the clipboard
5. Configure the StorageConnectionString setting for the AdatumAdsWorkerRole role with the same
information.
8. In the Azure Portal, copy the ADO.NET connection string for the CloudServiceProdDB database to
the clipboard.
9. In Visual Studio, copy the connection string from the clipboard to the value attribute of the
<Setting> element named AdatumAdsDbConnectionString.
2. In the Azure portal, create a new PaaS Cloud Service. Use the following information:
o Package: D:\LabFiles\Lab08\Starter\Production\Package\AdatumAds.cspkg
o Configuration: D:\LabFiles\Lab08\Starter\Production\Package\ServiceConfiguration.Cloud.cscfg
Note: The deployment process for the PaaS cloud service can take several minutes to
complete. Wait for the Service Status column to display Created and the Production column to
display Running before you continue to the next task. If needed, you can refresh the webpage.
Results: In this exercise, you will create the necessary resources required by the PaaS cloud service (a
storage account and a SQL database). You will also edit the service configuration file and deploy the cloud
service to the production slot.
The development team has provided a second version of the simple PaaS cloud service. You want to
investigate how deployment slots can be used to stage and deploy new versions of cloud services. You will
use the same configuration you used for the production service.
The main tasks for this exercise are as follows:
1. Deploy a Staged Cloud Service
2. Configure Remote Desktop Protocol Access
3. Test Connectivity
1. In the Azure portal, add a staging deployment to the PaaS cloud service you created in Exercise 1. Use
the following information:
o Package: D:\LabFiles\Lab08\Starter\Staging\Package\AdatumAds.cspkg
o Configuration: D:\LabFiles\Lab08\Starter\Production\Package\ServiceConfiguration.Cloud.cscfg
Note: The deployment process for the PaaS cloud service can take several minutes to
complete. Wait for the Service Status column to display Created and the Staging column to
display Running before you continue to the next task. If needed, you can refresh the webpage.
1. Enable RDP access for the production deployment of the PaaS cloud service. Use the following
information:
o Password: Pa$$w0rd
3. From the list of production instances, connect to the AdatumAdsWebRole_IN_0 instance by using
RDP.
Enabling Remote Desktop publishes an Internet-facing endpoint on the cloud service that is protected only
by the account you configured, so outside the lab use a strong password, set the account to expire, and
disable Remote Desktop again when troubleshooting is complete.
1. Add the NETWORK OUT metric for the aggregated web role and worker role to the monitoring page
for the PaaS cloud service you created in Exercise 1.
2. Add the Network Out metric for the AdatumAdsWebRole role to the monitoring graph.
3. Add the Network Out metric for the AdatumAdsWorkerRole role to the monitoring graph.
1. Add a new alert for the PaaS cloud service. Use the following information:
o Email Address: use the outlook.com email address associated with your Azure account
1. Inspect the data for the alert you created in task 3. Note whether the alert is active.
2. In Internet Explorer, browse to http://www.outlook.com and open the emails for the account
associated with your Azure subscription. Examine any alerts sent from Azure.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error, if this occurs). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you will have configured monitoring for a PaaS cloud service with new
metrics and an alert.
Question: In Exercise 2, you enabled RDP access and used the RDP client to connect to an
instance of a web role. Why would administrators connect to cloud service role instances
with RDP?
Question: You want to ensure you can always see the network traffic your PaaS cloud service
has used over the last hour. Should you configure a monitoring metric or an alert?
Review Question(s)
Question: Your company is developing a mobile app. You have been asked to host data and
notification hubs in Azure. What are the advantages of using an Azure mobile service instead
of creating separate SQL Databases and notification hubs?
Module 9
Implementing Content Delivery Networks and Media Services
Module Overview
Large amounts of online content are now stored as graphical images, audio, and video. It is important to
have a system to upload this content, convert it to an appropriate format, and store it. The content should
support the devices that your customers will use to consume the media and you might want to stream
video content to the consumers. Azure Media Services provides the functionality to upload, encode, store,
and stream your media.
Nowadays, your audience is often spread globally so you should consider performance for users who are
geographically distant from the source media or applications. A content delivery network (CDN) replicates
data globally so that all users have a local endpoint.
Objectives
After completing this module, you will be able to:
Lesson 1
Microsoft Azure provides CDN functionality to deliver content that is as close as possible to users, no
matter where they are in the world. This lesson discusses content delivery networks and describes how to
implement Azure CDNs.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how Azure CDNs integrate with other Azure services to deliver content.
Describe using your own custom domain address with an Azure CDN.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in
your subscription; therefore, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes the Azure subscription and account from the Azure PowerShell session.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
tab that is opened, close any initial "welcome" messages for the new portal. If you are prompted for
credentials, sign in using the Microsoft account that is associated with your Microsoft Azure
subscription.
5. Close the tab containing the new portal, keeping the full portal tab open.
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3. At the prompt, type the module number, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure
subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
You can create your own CDN by configuring the Azure Content Delivery Network service. This service
can cache content from Azure storage accounts, PaaS cloud services, virtual machines in IaaS cloud
services, or Azure websites.
Azure Media Services provides the facilities many organizations need to stream media such as video and
audio content. You can use Media Services to encode, publish, and stream a wide variety of formats to a
broad base of clients, such as mobile devices, computers, and connected televisions. Media Services
streams content from Azure Storage accounts.
Azure CDNs provide the following benefits:
The content has protection from distributed denial-of-service (DDoS) attacks because Azure CDNs
include systems to detect and mitigate attacks; also, there are replica copies of the content in
many locations. Azure CDNs also support HTTPS calls, enabling you to integrate content from the
CDN into secure web pages.
Because the content is no longer located in one single location, there is no single bottleneck, making a
CDN inherently scalable.
Reliability is increased by a CDN because it includes Azure's redundancy and failover functionality. If
one node is unavailable, the content will be automatically retrieved from the next nearest node.
CDNs can contain any content, but the content should be static. Often this content consists of large
files such as multimedia content, but it can also include content from cloud services and Azure
websites. Dynamic content would need to be constantly refreshed from the content provider, and any
benefits of implementing the CDN would be lost.
In an Azure CDN, the content you place in an Azure storage account is automatically cached at multiple
points-of-presence (POPs), which are servers distributed globally. For the latest list of POPs, see:
Azure Content Delivery Network (CDN) POP Locations
http://go.microsoft.com/fwlink/?LinkID=522649
Because the endpoints must maintain copies of the storage data, CDNs should be used for non-volatile,
static data. Data that changes frequently can adversely affect the performance of a CDN.
Creating CDNs
Creating a CDN is very straightforward. Click NEW, click APP SERVICES, click CDN, and click QUICK
CREATE.
For more information on creating CDNs, see:
How to Enable the Content Delivery Network (CDN) for Azure
http://go.microsoft.com/fwlink/?LinkID=522650
A blob stays in the CDN cache for a period of time called the time-to-live (TTL); by default, this is seven
days. Therefore, if content is accessed frequently within a seven-day period, the CDN will give a significant
performance gain; if content were accessed only every 10 days, the CDN would provide no performance
gain. The TTL period can be defined using APIs or third-party tools.
For more information about TTL and how to change it, see:
How to Manage Expiration of Blob Content in the Azure Content Delivery Network (CDN)
http://go.microsoft.com/fwlink/?LinkID=522651
As with cached content from blobs, cached content from cloud services has a seven-day default TTL. This
can be modified by creating a web.config file in the /cdn folder. By modifying the clientCache settings,
you can specify a new default TTL value for all objects in the /cdn folder. You can customize TTL further
by setting CDN caching properties programmatically on individual objects.
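As an added example (not part of the course text), the following Azure PowerShell script sets the CDN TTL for blobs by writing a Cache-Control max-age header on each blob, which is the mechanism the blob expiration article above describes; the storage account and container names are placeholders, and it assumes Add-AzureAccount has already been run in the session.

```powershell
# Added example, not from the course: control the CDN TTL of blobs through their
# Cache-Control header. Placeholder names; replace with your own storage account
# and container. Assumes Add-AzureAccount has already been run in this session.
$storageAccount = "adatum123456"      # placeholder storage account name
$container      = "adatumcontainer"   # placeholder container name

# Build a storage context from the account's primary key.
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey

# TTL in seconds. Three days suits content that is refreshed more often than the
# seven-day default; content that never changes can use a much longer value.
$ttlSeconds   = 3 * 24 * 60 * 60
$cacheControl = "public, max-age=$ttlSeconds"

# Upload a blob with the TTL applied at upload time via the -Properties hashtable.
Set-AzureStorageBlobContent -File "D:\Labfiles\Lab09\Starter\Welcome.png" `
    -Container $container -Blob "Welcome.png" -Context $ctx `
    -Properties @{ "CacheControl" = $cacheControl } -Force

# Apply the same TTL to blobs already in the container that have no Cache-Control
# header yet (those currently fall back to the CDN's seven-day default).
Get-AzureStorageBlob -Container $container -Context $ctx |
    Where-Object { -not $_.ICloudBlob.Properties.CacheControl } |
    ForEach-Object {
        $_.ICloudBlob.Properties.CacheControl = $cacheControl
        $_.ICloudBlob.SetProperties()
        Write-Output ("{0}: Cache-Control set to '{1}'" -f $_.Name, $cacheControl)
    }
```

Changing the header at the origin does not purge copies already cached at the POPs; they are refreshed only after their existing TTL expires.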
For more information on TTL with cloud services, see:
How to Manage Expiration of Cloud Service Content in the Azure Content Delivery Network
(CDN)
http://go.microsoft.com/fwlink/?LinkID=522652
For more information on using CDNs with Azure websites, see:
Enabling a CDN Endpoint in Azure Websites
http://go.microsoft.com/fwlink/?LinkID=523983
The A. Datum developers have created a new website that uses many high-resolution images and videos.
Clients are expected to access the site from many different locations worldwide. You have been asked to
investigate Azure CDN services as a means to ensure that the site serves high-resolution photographs as
rapidly as possible wherever users request them.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Create a New Storage Account
2. Enable the Content Delivery Network
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Start Internet Explorer, browse to https://portal.azure.com, and sign in using the Microsoft account
that is associated with your Azure subscription.
3. STORAGE: Use adatum + random numbers (for example, adatum123456); if you get a Storage
account name is not available message, change the numbers until you get a green tick. Note
this name for use in Exercise 1 of the second lab.
RESOURCE GROUP: Default-Storage-EastAsia (click Resource Group and then, in the Create
resource group dialog box, delete the default name, type Default-Storage-EastAsia, and click
OK).
1. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
2. Create a new CDN using the storage account that you created in the previous task as the origin
domain.
Lesson 2
There are increasing numbers and types of devices that can consume online media. Whereas, historically,
you would need to support different types of personal computer, nowadays you might also need to
provide media to tablets, smartphones, games consoles, set-top boxes and smart TVs. Azure Media
Services allows you to encode media in many different formats, encrypt media, and stream media to users.
Lesson Objectives
After completing this lesson, you will be able to:
Media Services is highly scalable, from a single video or audio file to hundreds of thousands of media files.
Media Services will also scale from a handful of consumers to an audience of many thousands. The Azure
CDN capabilities let you deliver content worldwide with low latency through the worldwide Azure
datacenters.
Although we have discussed a worldwide audience, not all content should be distributed publicly. Azure
Media Services includes the ability to authenticate users to ensure that the content is only seen by a
specific audience. Some content must be restricted by country or region; for example, you might need to
restrict the country/region for legal reasons, or you might create advertisements specific to the region of
the target audience. In Azure Media Services, geo-blocking allows you to filter geographically.
As with other Azure services, you only pay for what you, the producer of the content, use.
Uploading content with the Management Portal is very straightforward; you simply create a Media
Services account, specifying name, region and storage account, and then the media services account has a
link to upload a video. Once a video is uploaded, there are links in the Management Portal to encode and
package the video.
When uploading, you should consider access control and group media files into assets that can have one
set of access constraints applied across the asset.
When encoding, you should consider the target devices that you assessed in the previous topic. Device
type, capabilities, and screen size will affect encoding settings.
Packaging does not re-encode your media, but places it into a file container for delivery. You can package
the media into multiple file containers to support the protocol requirements of different devices. You also
get to choose whether the content uses static packaging, or dynamic packaging, so that the client
application can choose the packaging format.
Upload a video
Encode a video
Publish a video
Demonstration Steps
Create a storage account
1. Start Internet Explorer, browse to https://portal.azure.com, and sign in using the Microsoft account
that is associated with your Azure subscription.
3. In the Marketplace blade, click Storage, cache, + backup, click Storage, and then click Create.
4. In the Storage account dialog box, enter the following settings and click Create:
o STORAGE: Use adatum + random numbers (for example, adatum123456); if you get a Storage
account name is not available message, change the numbers until you get a green tick. Note this
name for use in the next task.
o RESOURCE GROUP: Default-Storage-EastAsia (Click Resource Group and then in the Create
Resource group dialog box, delete the default name, type Default-Storage-EastAsia, and click
OK).
2. Click NEW, click APP SERVICES, click MEDIA SERVICE, and click QUICK CREATE.
3. In the CREATE MEDIA SERVICE dialog box, enter the following settings and click CREATE MEDIA
SERVICE:
o NAME: adatummediaservice12345.
o REGION: The same location as the storage account in the previous task.
o STORAGE ACCOUNT: In the drop-down list, select the account name from the previous task.
1. When the media service creation is complete, in the navigation bar on the left, click MEDIA
SERVICES.
2. Click the media service that you created in the previous task.
6. Click Open.
7. Click OK.
Encode a Video
1. When the video file upload is complete, the file appears in the list of content. Select the file, and then,
in the toolbar at the bottom, click ENCODE.
3. In the OUTPUT CONTENT NAME textbox, type Encoded Welcome Video and then click OK.
Publish a Video
Note: At this point, wait until the encoding job is complete. When the job is complete, the
PUBLISH button is available when the Encoded Welcome Video item is selected.
1. Select Encoded Welcome Video and then, in the toolbar at the bottom, click PUBLISH.
2. Click Yes.
Note: To play the encoded video, you must install the Desktop Experience feature of
Windows Server 2008 R2. This feature includes the necessary Windows media codecs. Students
will perform this installation in the lab.
Reset the Environment
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Encrypting Content
If you have content that you want to encrypt while it is being uploaded, you should use the
StorageEncrypted option.
For more information about the StorageEncrypted option, see:
Producing Storage Encrypted Content
http://go.microsoft.com/fwlink/?LinkID=522654
If your content is already encrypted, you should use the CommonEncryption or EnvelopeEncrypted
options.
For more information about uploading encrypted content, see:
Uploading Encrypted Content
http://go.microsoft.com/fwlink/?LinkID=522655
Streaming Media
There are two methods that you can use to encrypt streaming media in Azure Media Services:
PlayReady and AES.
PlayReady is a DRM system from Microsoft that encrypts the media and requires users to obtain a license
to view it. The advantage of DRM is that the media is always encrypted and can only be viewed by the
device with the license. Furthermore, additional limits can be placed on the content, such as how many
times the user can view it. If the file is copied to a different device, it will not be viewable. Media that you
wish to protect with PlayReady must be in the Smooth Streaming format.
For more information about encryption using PlayReady, see:
Securing Media
http://go.microsoft.com/fwlink/?LinkID=522656
Once you have PlayReady-encrypted Smooth Streaming, you can package the content as HLS with
PlayReady. HTTP Live Streaming (HLS) is a streaming technology.
AES encrypts the data so that an attacker who intercepts it, for example through a man-in-the-middle
attack, cannot read it; however, AES does not provide DRM functionality. It is relatively straightforward to
redistribute AES-protected content that you are authorized to view.
For more information about encryption using AES, see:
Using Static Encryption to Protect HLSv3 with AES-128
http://go.microsoft.com/fwlink/?LinkID=522657
and:
Using AES-128 Dynamic Encryption and Key Delivery Service
http://go.microsoft.com/fwlink/?LinkID=522658
The A. Datum developers have created a new website that uses many high-resolution images and videos.
You have been asked to complete your investigation of Azure CDN, as well as to implement Azure Media
Services for hosting video content. Clients are expected to access the site using many different devices.
You have been asked to ensure that users can view your videos on a broad range of different devices from
different manufacturers.
Objectives
After completing this lab, you will be able to:
Create a Media Services account and upload content to the Media Services account.
Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, please ensure that you have completed the first lab in this module.
You have enabled a content delivery network and now wish to upload media and explore the media that
you have uploaded.
Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Add a Container to the Storage Account
2. Upload Content to the Content Delivery Network
3. Explore the Content Delivery Network
Add a container to the storage account that you created in the first lab with the following properties:
o NAME: AdatumContainer
Use PowerShell to upload a file to your CDN with the following properties:
o Container: adatumcontainer
o File: D:\Labfiles\Lab09\Starter\Welcome.png
You want to make content available to multiple device types. The data is currently stored in WMV format,
but you want to re-encode the video and store it for online viewing.
The main tasks for this exercise are as follows:
1. Create a New Storage Account
2. Enable Media Services
3. Upload Videos
2. Using PowerShell, create a new storage account with the following settings:
o NAME: adatummediaservice12345.
o STORAGE ACCOUNT: Select the account name from the previous task.
Now that you have uploaded a video file to Media Services, you want to encode and publish the file for
delivery to users. In order to test the published media stream, you must install Windows Media Player,
which is part of the Windows Server 2008 R2 Desktop Experience feature.
Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Encode Media
2. Publish Media
3. Scale Media Delivery
4. Play the Media Stream
5. Reset the Environment
2. In Server Manager, install the Desktop Experience feature on the MIA-CL1 server and then restart
the server.
2. When the server has restarted, log in as Student and open the Azure full portal.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
1. Encoded media.
2. Published media.
Module 10
Implement Azure AD
Module Overview
Azure Active Directory is a cloud-based identity and access management solution. You can provide
secure access to sensitive services and data with multi-factor authentication (MFA), as well as single
sign-on, to make application access more convenient for your users.
In this module, you will learn how to create a custom domain, integrate applications with Azure AD, and
use Azure AD Premium features.
Objectives
After completing this module, you will be able to:
Lesson 1
Manage users.
Lesson Objectives
After completing this lesson, you will be able to:
Manage users and groups by using the Azure Management Portal and Azure PowerShell.
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3. At the prompt, type the module number, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
AD DS can be queried and managed through Lightweight Directory Access Protocol (LDAP) calls.
AD DS uses organizational units (OUs) and Group Policy Objects (GPOs) for management.
AD DS uses trusts between domains, for delegated management such as in AD forests, and for
authenticating forest users.
Windows Server-based Active Directory can be deployed on an Azure VM, and this can be a way to
enable scalability and availability for an on-premises AD; however, deploying Windows Server-based
Active Directory on an Azure VM does not make any use of Azure Active Directory. Note that deploying
AD on an Azure VM requires an additional Azure data disk; this disk is needed to store the AD database,
logs, and SYSVOL, and the Host Cache Preference for this disk must be set to None (you should not use the
C: drive for AD storage).
AAD is primarily an identity solution, and is designed for Internet-based applications using HTTP (port
80) and HTTPS (port 443) communications.
AAD users and groups are created in a flat structure, and there are no OUs or GPOs.
AAD cannot be queried through LDAP; instead, AAD uses the REST API over HTTP and HTTPS.
AAD does not use Kerberos authentication; instead, authentication uses HTTP and HTTPS protocols
such as SAML, WS-Federation, and OpenID Connect (and authorization uses OAuth).
AAD includes federation services, and many third-party services (such as Facebook) are already
federated with (and trust) Azure AD. Federated applications are covered in Lesson 2 of this module.
You can also federate your on-premises AD DS with AAD; this is covered in Module 11 of this course.
AAD can integrate with existing AD infrastructures, such as by using Identity Federation based on ADFS
(Active Directory Federation Services) and SAML v2 as a protocol.
AAD Directory
The directory component of AAD is, by design, multi-tenant and provides a highly scalable cloud-based
directory service:
Multi-tenant. Microsoft hosts millions of users and directories within AAD, but as each Azure AD
directory is distinct and separate from other Azure AD directories, customer data and identity
information is completely isolated from other tenants; users and administrators of one Azure AD
directory cannot accidentally or maliciously access data in another directory.
Scalable. The directory technologies used by AAD were in use as a directory supporting
Microsoft Office 365 and Microsoft Intune long before Azure became available; these are scalable to
millions of users. AAD's flexible, extensible data model uses the REST-based Graph API (not LDAP).
AAD also supports federation by design, and can provide a federation platform, as well as a directory
service. AAD can also act as an authorization service for other cloud-based services, when federating with
them.
Note: the AAD Graph API is the interface for navigating the content of AAD (walking the
tree, or, more correctly, the graph) and accessing (and creating and manipulating) the
information stored there. Developers can perform CRUD (Create, Read, Update, Delete)
operations through REST (Representational State Transfer) API endpoints when developing, for
example, web applications and mobile apps, as well as more conventional business processes.
Unlike AD DS, AAD is primarily designed to support applications. AAD includes user, mail-enabled
contact, and group objects, but computer and domain controller objects are not part of AAD.
AAD Tenant
An AAD tenant is a dedicated instance of Azure AD that is automatically provisioned for an organization
when it signs up for a Microsoft cloud service such as Azure, Office 365, or Windows Intune.
When you sign up for a new trial or paid subscription to Azure, Office 365, or Windows Intune, you
automatically get a new AAD tenant/instance. You can also associate a new, or existing, Azure
subscription with an existing AAD instance associated with an Office 365 or Windows Intune subscription.
There are three types of account that can be used with AAD:
An organizational account created within the default Azure directory, or any custom Azure
directory, either by the tenant administrator, or a co-administrator; for example,
<user>@<domain1>.onmicrosoft.com.
The tenant administrator account is the account used to sign up for a new trial or paid subscription. This
account can be either a Microsoft Account or an existing organizational account.
You can only manage AAD if you are a Global Administrator of the AAD instance. You can only sign in to
an Azure portal if you are the tenant administrator, or if the tenant administrator has configured an
organizational account to be a co-administrator. Note that, by default, tenant administrators and
co-administrators can manage AAD using the Management Portal because by default these accounts are
automatically granted the Global Administrator role in the AD instance associated with the subscription.
Important: Within AAD, directory users can be configured with roles such as Global
Administrator, Billing Administrator, Service Administrator, User Administrator, and Password
Administrator. These roles are applicable to management tools such as Office 365 and Intune
portals, or Windows Azure Active Directory Module for Windows PowerShell cmdlets; they do
not control whether a user can manage AAD using the Azure portal or Microsoft Azure AD for
Windows PowerShell.
1. In the Microsoft cloud service portal, specify the custom domain name.
2. In the Microsoft cloud service portal, note the DNS information that will need to be configured at
your domain registrar or DNS hosting provider.
3. Log in to your domain registrar or DNS hosting provider, and edit the DNS records.
4. In the Microsoft cloud service portal, verify that the Microsoft cloud service can resolve the edited
DNS records for the custom domain.
Before you can verify a custom domain, the domain name must already be registered with a domain
name registrar, and the administrator must have appropriate sign-in credentials to be able to edit DNS
records for this domain; this could be at the domain registrar or at a DNS hosting provider. These DNS
records are required to verify the domain with the Microsoft cloud service, and to point traffic to the
cloud service. Azure AD provides the required DNS information, either TXT (preferably), or MX records if
your DNS provider does not support TXT records.
The following is an example of a TXT record used for custom domain verification:
Alias or Host name: @
Destination or Points to Address: MS=ms96744744
TTL: 1 hour
After verification, the administrator can make the domain the primary domain for the Azure tenant; for
example, replace adatum12345.onmicrosoft.com with adatum.com, so that new users will be
automatically created in this directory.
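Before clicking verify, a practitioner would confirm that the record has actually propagated. This added example (not from the course) does that with Resolve-DnsName from the DnsClient module; the domain and the MS=... value are the course's sample values and should be replaced with the ones shown in your own portal.

```powershell
# Added example, not from the course: check that the TXT (or MX) record Azure AD asked
# for is visible in DNS before clicking "verify". Resolve-DnsName ships with the
# DnsClient module (Windows 8 / Windows Server 2012 and later).
function Test-AzureAdDomainRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,       # e.g. adatum.com
        [Parameter(Mandatory)][string]$Expected,     # e.g. MS=ms96744744 (value from the portal)
        [ValidateSet("TXT", "MX")][string]$RecordType = "TXT",
        [string]$DnsServer                           # optional: query a specific resolver
    )
    $query = @{ Name = $Domain; Type = $RecordType; ErrorAction = "Stop" }
    if ($DnsServer) { $query["Server"] = $DnsServer }
    try {
        $records = Resolve-DnsName @query
    } catch {
        Write-Warning "Lookup of $RecordType records for $Domain failed: $($_.Exception.Message)"
        return $false
    }
    switch ($RecordType) {
        "TXT" {
            # TXT answers expose their text fragments in the Strings property.
            $values = $records | Where-Object { $_.Type -eq "TXT" } |
                ForEach-Object { $_.Strings -join "" }
        }
        "MX" {
            # For MX verification the exchange host name must match the portal's value.
            $values = $records | Where-Object { $_.Type -eq "MX" } |
                ForEach-Object { $_.NameExchange }
        }
    }
    $found = @($values) -contains $Expected
    if ($found) {
        Write-Output "$RecordType record '$Expected' is visible for $Domain; verification should succeed."
    } else {
        Write-Output "No $RecordType record matching '$Expected' for $Domain yet. Values seen: $($values -join ', ')"
        Write-Output "DNS changes may still be propagating; check the TTL of the old record before retrying."
    }
    return $found
}

# Usage with the course's sample values (placeholders; use your own domain and value):
Test-AzureAdDomainRecord -Domain "adatum.com" -Expected "MS=ms96744744" -RecordType TXT
```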
Demonstration Steps
Connect to the full Azure portal
1. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3. Click DOMAINS.
5. On the Specify a domain name page, in the DOMAIN NAME box, type contoso.com.
6. Click add.
8. On the Verify contoso.com page, in the RECORD TYPE box, point out the options: TXT record and
MX record.
9. Explain that these records will need to be created in your DNS (and propagated) before you click
verify.
10. On the Verify contoso.com page, point to the details of the TXT record that must be created in DNS.
11. In the RECORD TYPE box, click MX record, and point to the details of the MX record that must be
created in DNS; remind students that either TXT or MX records can be used (you do not require
both).
12. Click close.
13. Point out that the domain will continue to show as Unverified until the verification steps are
completed.
Manage Users and Groups by Using Azure Management Portal and Azure
PowerShell
Administrators can manage Azure AD users and groups by using the Azure Portal, by using the Windows
Azure Active Directory Module for Windows PowerShell, or through Windows Intune or Office 365. You can
add users to the directory, and also add users to groups.
To use PowerShell to create users and groups, you must first start the Windows Azure Active Directory
Module for Windows PowerShell, and then, at the Windows Azure Active Directory Module for Windows
PowerShell prompt, type the following command:
Connect-MsolService
You are then prompted for administrator credentials.
You can use PowerShell to create user accounts by using Windows Azure Active Directory Module for
Windows PowerShell commands such as:
New-MsolUser -UserPrincipalName mledford@adatum.com -DisplayName "Mario Ledford" -FirstName "Mario" -LastName "Ledford" -Password 'Pa$$w0rd123' -ForceChangePassword $false -UsageLocation "US"
You can use PowerShell to create groups by using Windows Azure Active Directory Module for Windows
PowerShell commands such as:
New-MsolGroup -DisplayName "Azure team" -Description "Adatum Azure team users"
To create multiple users in bulk, you can either import a CSV file containing account information (such as
by exporting from an existing on-premises directory) or use Azure PowerShell scripting to generate
multiple accounts. Administrators can also add users and groups by synchronizing an existing directory,
using Directory Synchronization (DirSync); this is covered in Module 11 of this course.
To use bulk import, you first need to assemble your user information:
UserName,FirstName,LastName,DisplayName,JobTitle,Department,Country
AnneW@adatum.com,Anne,Wallace,Anne Wallace,President,Management,United States
FabriceC@adatum.com,Fabrice,Canel,Fabrice Canel,Attorney,Legal,United States
GarretV@adatum.com,Garret,Vargas,Garret Vargas,Operations,Operations,United States
You can then use PowerShell to process this CSV file, and create the user accounts, using Windows Azure
Active Directory Module for Windows PowerShell commands such as:
$users = Import-Csv C:\Users.csv
$users | ForEach-Object {
    New-MsolUser -UserPrincipalName $_.UserName -FirstName $_.FirstName -LastName $_.LastName -DisplayName $_.DisplayName -Title $_.JobTitle -Department $_.Department -Country $_.Country
}
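The one-liner above creates whatever the CSV contains. As an added example (not from the course), the following script performs the same bulk creation with the checks an administrator would want: it rejects duplicate UPNs, only creates accounts under a domain verified in the tenant, skips accounts that already exist, lets the service generate a temporary password that must be changed at first sign-in, and adds each new user to the "Azure team" group created earlier. It assumes Connect-MsolService has already been run and that the CSV path, domain and group name are replaced with your own.

```powershell
# Added example, not from the course: bulk-create users from Users.csv with safeguards,
# then add them to an existing group. Assumes Connect-MsolService has already been run.
$csvPath        = "C:\Users.csv"   # CSV with the columns shown in the table above
$verifiedDomain = "adatum.com"     # placeholder: a domain verified in your tenant
$groupName      = "Azure team"     # placeholder: group created with New-MsolGroup
$usageLocation  = "US"             # required before licenses can be assigned

$group = Get-MsolGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found; create it with New-MsolGroup first." }

$rows = Import-Csv $csvPath

# Reject duplicate UPNs in the file before touching the directory.
$dupes = $rows | Group-Object UserName | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate UserName values in CSV: $(($dupes | ForEach-Object Name) -join ', ')" }

$report = foreach ($row in $rows) {
    $upn = $row.UserName.Trim()

    # UPNs must use a domain that is verified in the tenant; anything else is skipped.
    if ($upn -notlike "*@$verifiedDomain") {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = "Skipped (domain not verified)"; TempPassword = $null }
        continue
    }

    # Idempotent: re-running the script must not fail on, or reset, existing accounts.
    $existing = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($existing) {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = "Already exists"; TempPassword = $null }
        continue
    }

    # No -Password argument: the service generates a temporary one and returns it in the
    # Password property, and ForceChangePassword makes the user replace it at first sign-in,
    # so no shared password ever has to be kept in the CSV.
    $user = New-MsolUser -UserPrincipalName $upn -FirstName $row.FirstName -LastName $row.LastName `
        -DisplayName $row.DisplayName -Title $row.JobTitle -Department $row.Department `
        -Country $row.Country -UsageLocation $usageLocation -ForceChangePassword $true

    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
        -GroupMemberObjectId $user.ObjectId

    [pscustomobject]@{ UserPrincipalName = $upn; Status = "Created"; TempPassword = $user.Password }
}

# Temporary passwords are shown once so they can be handed over out of band;
# they are not written back to the CSV.
$report | Format-Table -AutoSize
```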
A subset of the full MFA capabilities is available at no cost to Global Administrators of the Azure AD
instance. The features in this subset are:
Ability to enable and enforce multi-factor authentication for end users (note that using MFA for end
users is not part of the free service).
Use of text message, call to an office phone, or mobile phone app as a second authentication factor.
Demonstration Steps
Create a new directory called AdatumDemo
1. In Internet Explorer, in the navigation pane, scroll down, and click ACTIVE DIRECTORY.
3. In the Add directory dialog box, enter the following settings and click Complete (check mark):
2. Click USERS.
4. In the Tell us about this user dialog box, enter the following settings and click Next:
6. Click Next.
7. Click Create.
8. On the Get temporary password page, note the value for NEW PASSWORD (you might want to
copy it to Notepad); as a backup, in the SEND PASSWORD IN EMAIL box, type the email address of
your Azure subscription.
9. Click CONFIGURE.
3. If you get a Sign in page, enter the following credentials, and click Sign in:
4. Point out the Allow users to create app passwords to sign into non-browser applications option.
6. In the users list, select the check box for Rick Torres, and in the quick steps section, point out that
MFA has already been enabled.
8. Note the options to require users to provide contact methods again, and to delete all existing app
passwords. Then click cancel.
10. At the top right of the page, click your Azure subscription name, and then click Sign out.
Set up multi-factor authentication for the new user
2. On the Windows Azure page, enter the following credentials (where XXXadatumdemoXXX is your
unique AdatumDemo directory name), and click Sign in:
Username: rtorres@XXXadatumdemoXXX.onmicrosoft.com
Password: the temporary password you noted above
3. On the change password page, in the OLD PASSWORD box, type the temporary password; in the
CREATE NEW PASSWORD and CONFIRM NEW PASSWORD boxes, type Pa$$w0rd123, and click
submit. If you are prompted to sign in again, re-enter the new password Pa$$w0rd123.
4. Note the following message: Your admin has required that you set up this account for additional
security verification.
6. On the additional security verification page, click in the first box, and note the contact method
options: Authentication phone, Office phone, Mobile app.
7. If you have access to a mobile phone, and have a signal or data connection in the classroom, you may
wish to complete the "additional security verification" steps by selecting your country or region, and
either getting a code sent to you by text message, or selecting Mobile app and configuring the app
for your phone.
Add a new directory for testing or other non-production usage, or for managing data
synced from another AD forest.
Change the name of a directory to be descriptive of the organization, or label it for non-production
use, for example.
Add users to a new Windows Azure AD from an existing directory, such as to take users from a
production directory and use them in a test environment, without requiring those users to sign in
with new accounts and credentials.
For information on Managing Multiple Azure Directories, see:
http://go.microsoft.com/fwlink/?LinkID=511761
Lesson 2
In this lesson, students learn about how to add in-house and third-party applications to Azure AD,
configure application access, configure single sign-on (SSO) for Azure AD applications, compare Azure-aware applications with applications using Azure AD, and how to use the application access panel.
Lesson Objectives
After completing this lesson, you should be able to:
Add your own custom Azure AD-aware web apps to Azure AD.
Manage applications that use resources, such as user accounts, across multiple Azure tenant
subscriptions.
Account sync enables SaaS application users to be provisioned and deprovisioned by using accounts that
are ultimately managed in either an on-premises Active Directory or in Azure AD.
Centralized application access management in the Azure Management Portal provides a single point of
management for controlling application access and for management.
Unified reporting and monitoring enables administrators to easily detect anomalous user activity in Azure
AD.
For information on Application access enhancements for Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511762
Without Azure AD, configuring SSO across multiple SaaS applications from multiple vendors (so that users do
not have to remember a separate password for each application) can be difficult. The Azure AD
application gallery provides a range of popular Microsoft and third-party SaaS applications pre-integrated
with Azure AD, and ready to use.
There are three options for using SSO with Azure AD:
2.
Unauthenticated requests can be blocked and redirected to the correct Azure AD tenant for user
authentication.
b.
Users who authenticated with Azure AD can be recognized and granted access.
If the developers are using the .NET platform, this second step involves configuring the out-of-the-box
Windows Identity Foundation (WIF) .NET classes, so that they can work with claims-based identity and
federated authentication. WIF includes HTTP modules and configuration settings that can be used to add
an interception layer, and for performing redirection and authentication.
Step 2 involves configuring the application, using tools such as Visual Studio. Visual Studio provides
functionality to help developers automatically configure web apps. These apps can then use WIF to
redirect authentication requests to external authorities that support web-based SSO protocols, such as
WS-Federation.
For information on Adding Sign-On to Your Web Application Using Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511763
Different Azure AD tenants may maintain their identity and directory data in an infrastructure that is
inaccessible from cloud applications.
To meet these challenges, Azure AD provides a method for applications to request admins to grant access
to their directory tenants. This is done using the Azure AD Management Portal, using a similar UI to the
consent-granting functionality used by common social web applications, such as Facebook and LinkedIn.
The process for enabling multi-tenant application support involves adding something in front of your app,
such as a sign-in page, so that:
Unauthenticated requests can be intercepted, and redirected toward the correct Azure AD tenant for
user authentication.
Authenticated requests, from users who have already authenticated with Azure AD, can be
recognized and the user granted access.
After authentication, Azure AD generates a token, which is passed back to the user's browser or client-side
app and is then presented with all subsequent communications to the application.
For information on Developing Multi-Tenant Web Applications with Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511764
Lesson 3
In this lesson, students learn about how to use the features in Azure AD Premium, configure advanced
Multi-factor Authentication settings and use MFA with applications, and list the usage scenarios for Azure
AD Application Proxy.
Lesson Objectives
After completing this lesson, you should be able to:
List the features in Azure AD Premium, and compare with Azure AD Basic.
Describe how Multi-Factor Authentication can be used with on-premises applications and Windows
Server.
Company branding. Add company logo and color schemes to organization Sign In and Access Panel
pages, including localized versions for different languages and locales.
Group-based application access. Use groups to provision users, and assign user access, in bulk to SaaS
applications. Groups can be created in Azure AD, or be existing groups synced from on-premises
Active Directory.
Self-service password reset. Provides users with the ability to reset their own password.
Active Directory Premium edition incurs Azure costs and adds the following features to those available in
Azure AD Basic:
Self-service group management. Enables users to create groups, request access to other groups, and
delegate group ownership, so that other users can approve requests and maintain group
memberships.
Advanced security reports and alerts. Provides detailed logs showing anomalies and inconsistent
access pattern reports. Advanced reports are machine learning-based to help improve access security
and response to potential threats.
Multi-Factor Authentication. Full MFA works with on-premises applications (using VPN, RADIUS, and
so on), Azure, Office 365 and Dynamics CRM Online, and third-party Azure AD gallery applications
(but not non-browser off-the-shelf apps, such as Microsoft Outlook). Full MFA is covered in more
detail in the following topics in this lesson.
Password reset with write-back to on-premises directories (such as used in hybrid Exchange
scenarios).
The ability to enable and enforce multi-factor authentication for end users (note that using MFA for
end users is not part of the free service).
The use of a text message, a call to an office phone, or a mobile phone app as a second
authentication factor.
Note that you can also manage MFA for Office 365 users from the Azure Portal, as long as you add the
Office 365 directory to your subscription.
For information on Manage the directory for your Office 365 subscription in Azure, see:
http://go.microsoft.com/fwlink/?LinkID=522659
If you are deploying the Remote Desktop (RD) Gateway and Azure Multi-Factor Authentication Server
using RADIUS, the Azure Multi-Factor Authentication Server is configured as a RADIUS proxy between the
RD Gateway and Network Policy Server (NPS). Azure Multi-Factor Authentication Server is deployed on-premises to help secure VPNs, Microsoft Active Directory Federation Services (AD FS), IIS web applications,
Remote Desktop, and other remote access applications using RADIUS, and LDAP authentication.
For information on the Azure Multi-Factor Authentication Server and Enabling Multi-Factor
Authentication for On-Premises Applications and Windows Server, see:
http://go.microsoft.com/fwlink/?LinkID=511769
If an organization has federated on-premises AD with Azure AD using AD FS, the following MFA options
are available:
To secure AD FS with Azure MFA Server, a plug-in is installed which can filter requests being made to the
AD FS server. IP whitelists (now called trusted IPs) can be configured, so that internal IP addresses do not
trigger MFA requests (IP whitelists are covered in the next topic).
For information on Technical Scenarios for Azure Multi-Factor Authentication, see:
http://go.microsoft.com/fwlink/?LinkID=511766
One-Time Bypass
One-Time Bypass is a temporary setting, to enable a user to sign in without using MFA; the bypass expires
after the specified number of seconds. This can be useful if a user needs to use an Azure-hosted
application, but is not currently able to access a phone for text messaging, automated calls, or the MFA
app. The default one-time bypass period is five minutes.
Trusted IPs
App Passwords
App Passwords permit users that have been enabled for multi-factor authentication to use non-browser
clients, such as Outlook 2013 with Office 365. App passwords are created within the Azure portal, and
enable the user to bypass multi-factor authentication for that application.
For information on Configuring Advanced Multi-Factor Authentication Settings, see:
http://go.microsoft.com/fwlink/?LinkID=511767
For information on App Passwords, see:
http://go.microsoft.com/fwlink/?LinkID=511768
Demonstration Steps
Connect to the full Azure portal
1.
2.
3.
4.
5.
6.
7.
Click CREATE.
1.
Click MANAGE at the bottom of the page to open the Azure Multi-Factor Authentication
management portal.
2.
3.
In the Fraud Alert section, verify that Allow users to submit Fraud Alerts has been enabled by
default.
4.
Verify that Block user when fraud is reported has also been enabled by default, so users will be
blocked when a fraud is reported.
5.
In the Code To Report Fraud During Initial Greeting box, type 999; this code can then be entered
by a user during call verification to report a fraud, and generate an alert.
6.
In the Send fraud alert notifications to these email addresses box, type the email address of your
Azure subscription.
7.
In the Azure Multi-Factor Authentication management portal, on the left of the page, under VIEW
A REPORT, click Fraud Alert.
2.
Point to the options to specify a date range for the report, and the options to specify usernames,
phone numbers and user status.
3.
2.
In the One-Time Bypass section, point out the default time of 300 seconds; the bypass is temporary
and will automatically expire after this period.
3.
In the Send one-time bypass used notifications to these email addresses box, type the email
address of your Azure subscription.
4.
2.
3.
4.
Note the warning message, as this user has not yet authenticated to this Multi-Factor Authentication
Provider.
5.
In the Bypass Reason box, type Lost phone, and click Bypass.
In the Azure Multi-Factor Authentication management portal, in the CONFIGURE section, click
Voice Messages.
2.
3.
4.
5.
6.
In the Description box, type MFA voice message, and click Upload.
7.
8.
9.
2.
Click AdatumDemo.
3.
Click CONFIGURE.
4.
5.
If you get a Sign in page, enter the following credentials, and click Sign in:
6.
On the service settings page, under trusted ips, select For requests from federated users
originating from my intranet.
7.
8.
1.
At the top of the service settings page, ensure Allow users to create app passwords to sign into
non-browser applications is selected.
2.
3.
4.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does
not remove the Azure Directory; this can either be manually deleted or you can leave it in place, as it does
not affect subsequent labs.
User Enrollment and Self-Management involves users completing their enrollment, such as by selecting an
authentication method if the administrator has not pre-specified this.
In order to use Azure MFA mobile phone apps:
The Azure Mobile App Web Service must be accessible via a public URL.
The Azure Mobile App Web Service, and the Azure Multi-Factor Authentication Web Service SDK,
must be secured with an SSL certificate.
When the Azure Mobile App Web Service has been deployed, and users have installed the Azure Multi-Factor Authentication App to their mobile device, they can:
1.
Log in to the User Portal and generate an activation code or contact an administrator who will
generate an activation code for them.
2.
Activate the Azure Multi-Factor Authentication App by entering an activation code and URL, or by
scanning the barcode picture.
3.
Switch their authentication method to Mobile App or contact an administrator, who will change it for
them.
For information on Enabling Multi-Factor Authentication for On-Premises Applications and Windows
Server, see:
http://go.microsoft.com/fwlink/?LinkID=511769
To use the Azure AD Application Proxy, you must install a simple software agent, or connector, on an on-premises server, such as a backend application tier. This connector sends outgoing http and https requests
to the cloud-based Azure proxy service; the proxy service responses contain the incoming user requests.
User requests are routed from the connector to the target application, without requiring any
infrastructure in the perimeter network; users can access on-premises applications without needing any
direct access to an on-premises network.
For information on Public Preview of Azure AD Application Proxy, see:
http://go.microsoft.com/fwlink/?LinkID=511770
The IT department at A. Datum currently uses on-premises Active Directory, and a range of AD-aware
applications. As part of A. Datum's evaluation of Microsoft Azure, you need to test the migration of some
users from on-premises Active Directory to Azure AD. As part of this testing, you need to create some
pilot users and groups in Azure AD.
A. Datum are also planning to deploy Azure-aware applications, and require users to use single sign-on
for these applications, so that there is no additional administration overhead in maintaining separate user
accounts for each application. As part of A. Datum's evaluation of Microsoft Azure, you need to install and
configure a test application, and confirm successful single sign-on.
A. Datum also require applications to use multi-factor authentication for all authentication requests from
outside the company intranet. As part of A. Datum's evaluation of Microsoft Azure, you need to configure
and test MFA for global administrators.
Objectives
After completing this lab, you will be able to:
Administer Azure Active Directory.
Configure Single Sign-On for AD gallery applications.
Configure Multi-Factor Authentication for administrators.
Lab Setup
Estimated Time: 45 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
As part of your test migration of some A. Datum users from on-premises Active Directory to Azure AD,
you first need to create a new Azure directory, and then create some pilot users and groups in Azure AD.
In these tasks, you will use both the portal and Microsoft Azure Active Directory module for Azure
PowerShell.
The main tasks for this exercise are as follows:
1. Create Directories
2. Manage Users in the Portal
3. Manage Groups in the Portal
4. Manage Users and Groups With Azure PowerShell
1.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
In Internet Explorer, browse to http://azure.microsoft.com and sign into the portal using the
Microsoft account that is associated with your Azure subscription.
3.
NAME: Adatum
DOMAIN NAME: Use your initials + the NAME field + random numbers (e.g. abcadatum123456)
ROLE: User
2.
Note the value for NEW PASSWORD; as a backup, in the SEND PASSWORD IN EMAIL box, type the
email address of your Azure subscription.
3.
Create the following user in the Adatum directory, and note the temporary password:
o
In the ALTERNATE EMAIL ADDRESS box, type the email address of your Azure subscription
4.
Note the value for NEW PASSWORD; as a backup, in the SEND PASSWORD IN EMAIL box, type the
email address of your Azure subscription.
5.
6.
2.
NAME: Sales
DESCRIPTION: Sales team
3.
4.
NAME: Marketing
DESCRIPTION: Marketing employees
5.
6.
7.
Add the Sales and Marketing groups to the Sales and Marketing group.
1.
On the taskbar, right-click Windows Azure Active Directory Module for Windows PowerShell and
click Run ISE as Administrator.
2.
3.
4.
5.
6.
If the Script pane is not visible, on the View menu, click Show Script Pane.
7.
In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Connect-MsolService
8.
9.
In the PowerShell ISE, in the Script pane, locate the following code:
New-MsolUser -UserPrincipalName mledford@<#Copy your Azure Directory name here#>.onmicrosoft.com -DisplayName "Mario Ledford" -FirstName Mario -LastName Ledford -Password 'Pa$$w0rd123' -ForceChangePassword $false -UsageLocation US
10. Replace <#Copy your Azure Directory name here#> with your Azure Directory name.
11. In the PowerShell ISE, in the Script pane, select the code you have just edited.
12. On the toolbar, click the Run Selection button and wait for the script to complete.
13. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-MsolUser
14. In the PowerShell ISE, in the Script pane, locate the following code:
New-MsolGroup -DisplayName "Azure team" -Description "Adatum Azure team users"
15. In the PowerShell ISE, in the Script pane, select the above code
16. On the toolbar, click the Run Selection button and wait for the script to complete.
17. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-MsolGroup
18. In the PowerShell ISE, in the Script pane, locate the following code:
$group = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Azure team"}
19. In the PowerShell ISE, in the Script pane, select the above code.
20. On the toolbar, click the Run Selection button and wait for the script to complete.
21. In the PowerShell ISE, in the Script pane, locate the following code:
$user = Get-MsolUser | Where-Object {$_.DisplayName -eq "Mario Ledford"}
22. In the PowerShell ISE, in the Script pane, select the above code.
23. On the toolbar, click the Run Selection button and wait for the script to complete.
24. In the PowerShell ISE, in the Script pane, locate the following code:
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId
25. In the PowerShell ISE, in the Script pane, select the above code.
26. On the toolbar, click the Run Selection button and wait for the script to complete.
27. In the PowerShell ISE, in the Script pane, locate the following code:
Get-MsolGroupMember -GroupObjectId $group.ObjectId
28. In the PowerShell ISE, in the Script pane, select the above code.
29. On the toolbar, click the Run Selection button and wait for the script to complete.
30. In the portal, verify that Mario Ledford appears in the list of users, and that Azure team appears in
the list of groups.
Results: After completing this exercise, you will have created some pilot users and groups in Azure AD
using the portal and Microsoft Azure Active Directory module for Azure PowerShell.
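The PowerShell part of this exercise (steps 9 to 30) collapsed into a single script that can be re-run safely. This is an added example, not the lab's own script: it checks whether the user, the group and the membership already exist before creating them, and quotes every value that contains spaces or dollar signs (an unquoted Pa$$w0rd123 would have $$ expanded by PowerShell). Run it after Connect-MsolService; <your directory name> is a placeholder for your Azure directory name.

```powershell
# Added example, not part of the course: idempotent version of the lab task.
Import-Module MSOnline

$directory = '<your directory name>'            # placeholder: your Azure directory name
$upn       = "mledford@$directory.onmicrosoft.com"

# 1. User: create only if absent, so re-running the script does not fail
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-MsolUser -UserPrincipalName $upn -DisplayName 'Mario Ledford' `
        -FirstName Mario -LastName Ledford -Password 'Pa$$w0rd123' `
        -ForceChangePassword $false -UsageLocation US
}

# 2. Group: -SearchString matches display-name prefixes, so keep only the exact match
$group = Get-MsolGroup -SearchString 'Azure team' |
    Where-Object { $_.DisplayName -eq 'Azure team' } | Select-Object -First 1
if (-not $group) {
    $group = New-MsolGroup -DisplayName 'Azure team' -Description 'Adatum Azure team users'
}

# 3. Membership: Add-MsolGroupMember errors if the user is already a member, so test first
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
if (-not ($members | Where-Object { $_.ObjectId -eq $user.ObjectId })) {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
        -GroupMemberObjectId $user.ObjectId
}

# 4. Verify: the same checks as steps 13, 17 and 27, scoped to the objects just handled
Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, DisplayName, IsLicensed
Get-MsolGroupMember -GroupObjectId $group.ObjectId |
    Select-Object DisplayName, EmailAddress, GroupMemberType
```

The existence checks matter in a lab tenant that is reset and rebuilt: New-MsolUser and Add-MsolGroupMember both fail with an error when the object or membership is already there, and a script that stops half-way leaves the group without its member.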
As A. Datum are planning to deploy Azure-aware applications, and require users to use single sign-on for
these applications, you now need to install and configure a test application, and confirm successful single
sign-on.
The main tasks for this exercise are as follows:
1. Add Directory Applications and Configure Single Sign-On
2. Test Single Sign-On
In the Adatum directory, create the following application from the gallery:
o
2.
3.
Mario Ledford
4.
Select to enter Microsoft Account (Windows Live) credentials on behalf of the user.
5.
In the Email Address box, type the email address of your Azure subscription. In the Password box,
type your Azure subscription password, and then click the check mark.
6.
In the Adatum directory, create the following application from the gallery:
o
Skype
7.
8.
9.
Mario Ledford
Do not enter Microsoft Account (Windows Live) credentials on behalf of the user.
Username: mledford@XXXadatumXXX.onmicrosoft.com
Password: Pa$$w0rd123
2.
On the applications page, note the options to Update credentials, and Report a problem for Microsoft
Account (Windows Live).
3.
Run Microsoft Account (Windows Live), and complete the Access Panel Extension Setup Wizard.
4.
5.
Username: mledford@XXXadatumXXX.onmicrosoft.com
Password: Pa$$w0rd123
Click Microsoft Account (Windows Live), and verify that your sign-on to the Access Panel has
automatically signed you in to your Microsoft Account.
6.
Click Skype, and verify that you are now prompted for credentials, because you did not enter any
credentials on behalf of the user when configuring single sign-on.
Results: After completing this exercise, you will have installed and configured a test application, and
confirmed successful single sign-on.
As A. Datum require applications to use multi-factor authentication, you now need to configure and test
MFA for global administrators.
The main tasks for this exercise are as follows:
1. Configure Multi-Factor Authentication
2. Test Multi-Factor Authentication
3. Reset the Environment
2.
Username: kgruber@XXXadatumXXX.onmicrosoft.com
Password: Pa$$w0rd123
2.
Note the following message: Your admin has required that you set up this account for additional
security verification.
3.
4.
Optional step: If you have access to a mobile phone in the classroom, and have a signal or data
connection, you may wish to complete the "additional security verification" steps on the additional
security verification page.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script
does not remove the Azure Directory; this can either be manually deleted or you can leave it in place
as it does not affect subsequent labs.
Results: After completing this exercise, you will have configured MFA for administrators.
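The same requirement (MFA for every global administrator) applied from PowerShell rather than the portal, with a report of administrators who have not yet registered a verification method. This is an added example, not part of the course lab. It assumes Connect-MsolService has been run with a Global Administrator account; "Company Administrator" is the MSOnline name of the Global Administrator role, and the State value can be Enabled (user is asked to register at next sign-in, which is what the portal step produces) or Enforced.

```powershell
# Added example, not part of the course: enable MFA for all Global Administrators
# and report who still has no registered verification method.
Import-Module MSOnline

function Get-GlobalAdminUsers {
    # Resolve the role, then expand its user members to full MsolUser objects
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }
}

function Set-MfaRequirement {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    # One requirement object covering every relying party ("*")
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Apply: any administrator without an MFA requirement gets one
foreach ($admin in Get-GlobalAdminUsers) {
    $current = ($admin.StrongAuthenticationRequirements | Select-Object -First 1).State
    if (-not $current) {
        Write-Host "Enabling MFA for $($admin.UserPrincipalName)"
        Set-MfaRequirement -UserPrincipalName $admin.UserPrincipalName -State Enabled
    }
}

# Report: an administrator with a requirement but no methods has not completed the
# "additional security verification" enrollment and will be prompted at next sign-in
Get-GlobalAdminUsers | Select-Object UserPrincipalName,
    @{ n = 'MfaState'; e = { ($_.StrongAuthenticationRequirements | Select-Object -First 1).State } },
    @{ n = 'Methods';  e = { ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' } } |
    Format-Table -AutoSize
```

Re-run the report after the administrators have signed in once: the Methods column should list at least one method (for example a phone or the mobile app) for every account, and an account that stays empty is one that has never completed the enrollment the lab walks through.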
Review Question(s)
Question: What are some benefits of hosting part or all of an organization's Active Directory
in Azure?
Module 11
Managing Active Directory in a Hybrid Environment
Contents:
Module Overview
11-1
Module Overview
In this module, you will look at three alternative approaches for integrating on-premises Active
Directory with Microsoft Azure. These options are placing a domain controller into Azure,
implementing directory synchronization with optional password synchronization, or configuring single sign-on using
Active Directory Federation Services (AD FS). Finally, you will consider how to manage these types of
hybrid environment.
Objectives
After completing this module, you should be able to:
Synchronize user accounts between on-premises Active Directory and Microsoft Azure Active
Directory.
Set up single sign-on using federation between on-premises Active Directory and Microsoft Azure
Active Directory.
Lesson 1
So far, you have probably only considered having on-premises domain controllers, with those domain
controllers existing in your data center. You may also have deployed domain controllers to branch offices,
either as writable instances or as read-only domain controllers (RODC).
With Microsoft Azure, you can also place one or more domain controllers into the cloud, enabling
applications that run cloud-based instances to authenticate to one of those authoritative sources.
Lesson Objectives
After completing this lesson, you should be able to:
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select; it then creates a virtual network
(ADATUM-HQ-VNET); then creates a Windows server VM; then promotes this server to a DC and sets up
users; and then removes the Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3.
When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages.
4.
At the top right, click your Microsoft account name and click Switch to new portal. If you are
prompted to sign in, use the Microsoft account that is associated with your Azure subscription. Then,
in the new tab that is opened close any initial "welcome" messages for the new portal.
5.
Close the tab containing the new portal, keeping the full portal tab open.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2.
3.
At the prompt, type the module number, and then press Enter.
4.
5.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
6.
When prompted, enter the Azure region to use, and then press Enter.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 30-40 minutes to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
At the end of setup, you should have the following:
The script might take more than 30 minutes to configure your Microsoft Azure environment, ready for the
lab at the end of this module.
7.
8.
9.
13. In the Internet Explorer Enhanced Security Configuration dialog box, under both Administrators
and Users, click Off, then click OK.
14. Close Server Manager, and then close the AdatumDC1 session.
Implementing single sign-on between on-premises Active Directory and Microsoft Azure
Active Directory. This third option supports the largest range of integration features and enables a
user to log on to Microsoft Azure after being authenticated by the on-premises Active Directory. The
technology used is Active Directory Federation Services (AD FS) and a typical implementation uses AD
FS proxies to handle incoming authentication requests from the Internet. Alternatively, you can use
the Windows Server 2012 R2 Web Application Proxy (WAP) role service to provide this proxying.
Keeping authentication requests for Azure-based services within the Azure environment.
Enabling additional directory synchronization options such as DirSync and SSO with AD FS.
Azure architecture
Inter-site connectivity
Azure Architecture
When planning the architecture, you need to take into account the following guidelines:
Create an Azure virtual network, and IP address scheme, and deploy your DCs into this vNet.
Create the vNET first and allocate the DCs to that vNET on creation.
Allocate static IP addresses to your DCs using the Set-AzureStaticVNetIP PowerShell command.
Plan for a site-to-site VPN so that replication traffic can come in to your on-premises DCs from the
Azure-based DCs.
Consider carefully whether to deploy read-only domain controllers (RODCs) in Azure. Although this
arrangement reduces the amount of egress traffic and the charges on your Azure account, RODCs do
not work in situations where a service needs read/write access to the directory.
Inter-Site Connectivity
A key element is going to be the inter-site connectivity between your on-premises environment and
Microsoft Azure. To ensure that the VMs hosted in Azure can communicate with your internal DCs, you
must set up a vNet with site-to-site connectivity back in to your on-premises network (or use
ExpressRoute). To provide this connectivity, you must implement the following elements:
A static IP address on your Internet connection. This IP address is used to establish the
communication endpoint to which the Azure environment can then connect.
A site-to-site connection in Microsoft Azure configured with a gateway to connect to the on-premises
network.
For more information about setting up site-to-site connectivity, see:
http://go.microsoft.com/fwlink/?LinkID=522660
The first option gives the best security separation between your on-premises and Azure environments, but
would require you to establish and maintain trust relationships between the two forests. Note that you
will also have to put all of the Flexible Single Master Operations (FSMO) roles on to an Azure-hosted DC.
The second option provides namespace separation between your on-premises domain and your Azure
domain(s), but does not provide any additional security boundary. Use this option if you want to
implement namespace separation, but be aware that this choice may affect future DirSync operations:
you may have different UPNs for each domain, so domain synchronization would be more complex. Also,
you will have to place the domain-level FSMO roles on to an Azure-hosted DC.
The third option is likely to be the selected option, as this arrangement simply extends the on-premises
domain into the cloud while preserving a single namespace.
If you select the separate domain or same domain option, you will need to configure sites in Active
Directory so that you can control the replication traffic between the on-premises and the Azure-based
DCs. In both cases, the Knowledge Consistency Checker (KCC) controls the replication process, but intra-site replication uses a bidirectional ring topology that assumes high-bandwidth, permanently available
connections. Replication traffic is not scheduled and updates are optimized for speed. By contrast, inter-site replication uses a least-cost spanning tree topology with a default three-hour interval that can be
restricted to certain times of the day or week.
By default, Active Directory creates a default site and a default site IP link. You should plan for at least two
sites, one for the on-premises DCs, the other for the Azure-based DCs. You can then review the settings of
the default site IP link to check that it meets your requirements for replication and cost control.
If you have the choice, you would not want to place the FSMO roles on the Azure-hosted DCs. However, if
your Azure DCs are in a separate domain, then you will have to put the PDC Emulator, RID Master and
infrastructure master on those VMs. If the Azure DCs are in a separate forest, then the Schema Master and
Domain Naming Master will need to be hosted in Azure.
Regardless of your domain topology, you should configure all of your Azure-based DCs as Global Catalog
servers. This arrangement prevents global catalog lookups and evaluations of Universal Group
memberships from having to traverse from Azure to the on-premises GC, which would incur network
usage charges.
Note: Because sites need different IP address ranges, you would not place your Azure DCs
in a vNet that shares the same IP address range as the on-premises network.
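The site configuration described above, as an added example that is not part of the course text: it creates one site for the on-premises DCs and one for the Azure-based DCs, joins them with a scheduled site link, and makes the Azure DC a Global Catalog server. The subnet ranges (192.168.10.0/24 on-premises, 10.0.0.0/24 in Azure), the site names and the DC name AZ-DC01 are constructed for the example; the cmdlets are from the ActiveDirectory module on Windows Server 2012 or later.

```powershell
# Added example, not from the course: two AD sites (on-premises and Azure), non-overlapping
# subnets, a cost/interval-controlled site link with a replication window, and GC on the Azure DC.
Import-Module ActiveDirectory

$onPremSite = 'OnPremises'          # constructed site name
$azureSite  = 'Azure-WestEurope'    # constructed site name

# 1. One site per location (idempotent).
foreach ($site in $onPremSite, $azureSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnets decide which site a DC or client belongs to; the two ranges must not overlap,
#    which is why the Azure vNet cannot share the on-premises address range.
New-ADReplicationSubnet -Name '192.168.10.0/24' -Site $onPremSite   # constructed on-premises range
New-ADReplicationSubnet -Name '10.0.0.0/24'     -Site $azureSite    # constructed Azure vNet range

# 3. Inter-site link. The KCC builds its least-cost spanning tree from these links, so cost and
#    interval decide how much replication traffic crosses the VPN and how often.
$linkParams = @{
    Name                          = "$onPremSite-$azureSite"
    SitesIncluded                 = @($onPremSite, $azureSite)
    Cost                          = 100
    ReplicationFrequencyInMinutes = 180      # the three-hour default the text describes
    InterSiteTransportProtocol    = 'IP'
    PassThru                      = $true
}
$link = New-ADReplicationSiteLink @linkParams

# 4. Restrict replication to a 22:00-06:00 daily window (cost control over the VPN).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyTwo,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# 5. Keep DEFAULTIPSITELINK out of the picture so the scheduled link is the only path to Azure.
$defaultLink = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'
if ($defaultLink.SitesIncluded -match "^CN=$azureSite,") {
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $azureSite }
}

# 6. Move the Azure-hosted DC into its site and enable the Global Catalog on it by setting
#    bit 0 (NTDSDSA_OPT_IS_GC) of the NTDS Settings 'options' attribute without clearing other bits.
Move-ADDirectoryServer -Identity 'AZ-DC01' -Site $azureSite
$ntdsDn  = (Get-ADDomainController -Identity 'AZ-DC01').NTDSSettingsObjectDN
$options = [int]((Get-ADObject -Identity $ntdsDn -Properties options).options) -bor 1
Set-ADObject -Identity $ntdsDn -Replace @{ options = $options }

# Verify: IsGlobalCatalog becomes True once the GC promotion has completed.
Get-ADDomainController -Identity 'AZ-DC01' | Select-Object Name, Site, IsGlobalCatalog
```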
You will need a storage account into which you are going to place the Azure virtual hard disk for the VM
operating system and then create a separate disk, with drive caching switched off, that will be the location
for the Active Directory Database, log files and Sysvol.
For more information on the procedure for creating a storage account, see:
http://go.microsoft.com/fwlink/?LinkID=522662
Then use the Set-AzureStaticVNetIP command to assign the VM a static address. For example, to assign
the 10.0.0.15 address to an existing VM, pipe the VM object through the command and update the VM:
Get-AzureVM -ServiceName <ServiceName> -Name <VMName> | Set-AzureStaticVNetIP -IPAddress "10.0.0.15" | Update-AzureVM
To set up a static IP address at the same time that you configure a VM, use a PowerShell command similar
to the following (replace the angle-bracket placeholders with your own values):
New-AzureVMConfig -Name <VMName> -ImageName <ImageName> -InstanceSize Small | Add-AzureProvisioningConfig -Windows -AdminUsername <AdminUser> -Password <AdminPassword> | Set-AzureSubnet -SubnetNames <SubnetName> | Set-AzureStaticVNetIP -IPAddress <IPAddress> | New-AzureVM -ServiceName <ServiceName> -AffinityGroup "<AffinityGroupName>"
Install DNS
Although AD DS setup adds the DNS role to the server, you will need to configure DNS to provide name
resolution services before that, so that the Azure-based VM can resolve the address of one of the
on-premises DCs. You cannot use Azure internal name resolution in this scenario.
You can add the DNS role either through Add Roles and Features in Server Manager or by using the
following PowerShell cmdlet:
Add-WindowsFeature DNS
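The whole VM build described in this topic, as an added example (not the course's own code): a storage account, a VM with a static vNet IP and a data disk with host caching off, and then, inside the VM, DNS and the AD DS promotion with the database, logs and Sysvol on that disk. The names (storage account, cloud service, vNet, subnet, VM name AZ-DC01), the on-premises DC address 192.168.10.10 and the interface alias 'Ethernet' are constructed assumptions; the first part uses the classic Azure PowerShell module after Add-AzureAccount and Select-AzureSubscription.

```powershell
# Added example, not from the course. Part 1 runs on the administrator's workstation.
$location = 'West Europe'
$storage  = 'contosodcstorage'    # constructed; must be globally unique, 3-24 lower-case letters/digits
$service  = 'contoso-dc-svc'      # constructed cloud service name
$vnet     = 'ContosoVNet'         # constructed vNet (site-to-site connected) and subnet
$subnet   = 'DC-Subnet'
$vmName   = 'AZ-DC01'
$staticIp = '10.0.0.15'           # the address used in the text

# 1. Storage account for the OS VHD and the AD DS data disk; make it the current account.
New-AzureStorageAccount -StorageAccountName $storage -Location $location
Set-AzureSubscription -SubscriptionName (Get-AzureSubscription -Current).SubscriptionName `
    -CurrentStorageAccountName $storage

# 2. Check the static address is free before claiming it.
$ipTest = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $staticIp
if (-not $ipTest.IsAvailable) {
    throw "$staticIp is in use; available: $($ipTest.AvailableAddresses -join ', ')"
}

# 3. Latest Windows Server 2012 R2 Datacenter gallery image.
$image = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName

# 4. VM config: subnet, static IP, and a separate data disk with HostCaching None, because the
#    AD DS database and logs must never sit behind a write cache.
$admin = Get-Credential -Message 'Local administrator for the new VM'
$vm = New-AzureVMConfig -Name $vmName -InstanceSize Small -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $admin.UserName `
        -Password $admin.GetNetworkCredential().Password |
    Set-AzureSubnet -SubnetNames $subnet |
    Set-AzureStaticVNetIP -IPAddress $staticIp |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'ADDS-Data' -LUN 0 -HostCaching None
New-AzureVM -ServiceName $service -Location $location -VNetName $vnet -VMs $vm

# ---- Part 2: run inside AZ-DC01 after it boots (for example over RDP). ----

# 5. Bring the data disk (LUN 0) online as F: with NTFS.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

# 6. Point name resolution at an on-premises DC so the VM can locate the domain; Azure-internal
#    name resolution cannot be used here. (Setting the DNS server on the vNet is the usual
#    production approach; the client-side setting is shown for completeness.)
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.10'

# 7. Install DNS and AD DS, then promote with NTDS, logs and Sysvol on the uncached disk,
#    into the Azure site so replication follows the site link, not the intrasite ring.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName 'contoso.com' -SiteName 'Azure-WestEurope' -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin for promotion') `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```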
Lesson 2
Directory Synchronization
In this second lesson, you move on to look at directory synchronization, or DirSync. DirSync provides a
mechanism for synchronizing users, groups and contacts in Active Directory to Microsoft Azure Active
Directory.
Lesson Objectives
After completing this lesson, you should be able to:
The Directory Synchronization toolset is currently in transition, with existing tools being phased out to be
replaced by new software. At the time of writing this content, there are two tool links provided from the
Quick Start page for an Azure Directory in the Full Azure Portal:
DirSync
AAD Connect
DirSync
In the Full Azure Portal, the Set up directory integration link points to the download location for
DirSync. When you run this installer, it identifies itself as the Windows Azure Active Directory
Synchronization tool (WAAD Sync), but it is still generically referred to as DirSync.
DirSync is a cut-down version of Forefront Identity Manager (FIM) 2010 R2, Microsoft's Identity
Management server. FIM is a metadirectory with agents that connect to the source directory services,
extract the directory objects, and place those objects' attributes in the metadirectory database. The
metadirectory is stored as a series of tables, either in the Windows Internal Database or in a full version of
SQL Server.
In a separate operation, another agent connects to the target directory service and then pushes those
objects into the target directory service which, with DirSync, is Microsoft Azure Active Directory. The main
difference between DirSync and the full version of FIM is that DirSync only has agents for Active Directory
and Microsoft Azure Active Directory. DirSync also has fewer options for filtering objects and attributes.
After the initial synchronization, DirSync then updates changes to user accounts on a three-hour schedule,
ensuring a flow of new objects and updated attributes (Delta Syncs) from Active Directory into Microsoft
Azure Active Directory. However, you can force synchronization using PowerShell, by using the FIM user
interface, or by re-running the DirSync configuration wizard.
With Microsoft Azure, the flow is one-way from Active Directory to Azure. However, with Office 365 in a
hybrid Exchange scenario, some attributes replicate in the other direction; with AD Premium enabled, you
can configure Azure to write passwords back to an on-premises Active Directory.
Note: A new feature, currently available in the AAD Connect preview, will enable password
write-back to the on-premises Active Directory. This feature requires Azure Active Directory
Premium.
For information on the attributes that are replicated from Active Directory to Microsoft Azure, see:
http://go.microsoft.com/fwlink/?LinkID=522664
DirSync supports limited filtering and customization of attribute flow, based on the following values:
Organizational unit
Domain
User attributes
For more information on DirSync attribute filtering, see:
http://go.microsoft.com/fwlink/?LinkID=522665
The current version of DirSync also supports password synchronization as an install-time option. With the
release of AAD Connect, DirSync will no longer be updated.
AAD Connect
As an interim release, there was an updated tool available as a replacement for DirSync. This was called the
Microsoft Azure AD Sync Services (AADSync) tool, but it is no longer available as a separate download;
instead, it is delivered as a component of the new AAD Connect service. In the Full Azure portal, this is
currently available from the Download the preview of Azure AD Connect link.
The AADSync component differs from DirSync in several respects:
AADSync uses the new Microsoft Identity Manager (MIM) synchronization, built on a SQL 2012 R2
Express database.
AADSync enables filtering on individual attributes, and the synchronization of just those filtered
accounts using a specific Microsoft Online service, such as Exchange Online or SharePoint Online.
AADSync supports the synchronization of password hashes from multiple on-premises AD directories to AAD.
AAD Connect is a wizard-based tool designed to enable connectivity between an on-premises identity
infrastructure and Azure. Using the wizard, you choose your topology and requirements (such as for single
or multiple directories, password sync or federation); the wizard will then deploy and configure all the
required components. Depending on the requirements selected, this can include AAD Sync, Exchange
Hybrid deployment, password change write-back, AD FS and proxy servers, and the Azure AD PowerShell
module.
Note: At the time of writing, Azure AD Connect is currently in Public Preview 1, and is not
recommended for production deployments. For the remainder of this module, all references to
DirSync are also relevant to the new AAD Connect (AADSync) tool, unless specifically stated
otherwise.
DirSync Only
With DirSync on its own, you have two entirely separate directory services, but objects from on-premises
Active Directory are replicated into Microsoft Azure Active Directory. For example, DirSync maps
User.One@contoso.com from the on-premises Active Directory to user.one@contoso.com in Microsoft
Azure Active Directory.
Any change in User One's attributes in Active Directory, such as telephone number, office location and so
on, will replicate through DirSync to Microsoft Azure Active Directory. At this point, passwords are
maintained separately in the two systems.
Enabling Password Sync alongside DirSync provides same sign-on facilities. So if User One logs on to their
domain-joined computer with a user name of user.one@contoso.com and a password of Pa$$w0rd, they
are being authenticated by Active Directory. If they then connect to an Azure-based service or application,
they will see an authentication prompt. When they again enter the same credentials of
user.one@contoso.com and Pa$$w0rd at the prompt, they can access the Azure-based resources. When
accessing the Azure-based resource, the user is being authenticated by Microsoft Azure Active Directory.
In the background, the Password Sync component takes the user's password hash from Active Directory,
then encrypts this hash and passes it as a string to Azure. Azure decrypts the encrypted hash and stores
the password hash as a user attribute in Microsoft Azure Active Directory.
When the user logs in to an Azure service, the logon challenge dialog box generates a hash of the user's
password and passes that hash back to Azure. Azure then compares the hash with the one stored in that
user's account. If the two hashes match, then the two passwords must also match and the user is given
access to the resource.
Of course, if the dialog box provides the facility to save credentials, then the user can check that option;
the next time they access the Azure resource, they won't be prompted. However, it is important to
understand that this is same sign-on, not single sign-on. The user is still being authenticated against two
separate directory services, albeit with the same user name and password. However, for many
organizations, the simplicity of this solution, without the added complexities and costs of an AD FS
implementation, makes the lack of true single sign-on a small price to pay.
In addition to the configuration of AD FS itself, DirSync must also be configured in order to replicate
objects into Microsoft Azure Active Directory. With SSO, DirSync is again used to synchronize user, group,
and contact information from Active Directory to Microsoft Azure Active Directory, so these objects will
appear as directory service objects in Azure.
The difference between password sync and SSO is that in SSO, instead of two separate authentication
processes taking place (one on the on-premises Active Directory and the other in Microsoft Azure Active
Directory), a federation trust is established between Azure and the on-premises directory. This trust
relationship enables users to access resources in Azure using their accounts in Microsoft Azure Active
Directory, delivered by a single sign-on to on-premises AD. However, the authentication of those users
does not take place in Azure, but in the on-premises Active Directory. The next lesson covers this process
in greater detail.
Authorization to access Azure resources is separate from authentication and takes place on the resource
side (in this case Azure). The on-premises Active Directory generates a token, which is passed to AD FS,
and then to Azure, using the federation trust relationship.
[Table: feature comparison of DirSync Only, DirSync with Password Sync, and Single Sign-On with AD FS and
DirSync (each feature marked Yes, Yes with limited support, or No per option); the feature row labels were
lost in extraction and cannot be reconstructed.]
The following table shows the high-level requirements for each option:
Requirement                                    DirSync Only   DirSync with Password Sync   Single Sign-On with AD FS and DirSync
(row label not recoverable)                    Yes            Yes                          Yes
Highly-available AD FS server infrastructure   No             No                           Yes
(row label not recoverable)                    No             No                           Yes
It is important to understand that if AD FS is unavailable, users will not be able to authenticate, and will
not be able to use Azure resources. If the DirSync server is unavailable, recent attribute changes (including
password hashes, if enabled) will not be synchronized, but users will still be able to access resources.
Deploying AD FS, therefore, has much higher resource and management demands than either DirSync
Only or DirSync with Password Sync.
There is also a potential issue with DirSync with Password Sync that might militate against its use in some
scenarios: when Password Sync is enabled, the Azure Directory password for a synchronized user is set to
never expire. So, if you have set a password expiry policy in AD, a user may still be able to log in using
Azure, even after the on-premises password has expired.
Review DC requirements
To work with DirSync, domain controllers must be running one of the following operating systems:
Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 Datacenter, or Windows
Server 2008 R2 Datacenter (all are 64-bit only).
For complex multi-forest scenarios, it is important to be able to manually select a unique Active Directory
attribute to use as a SourceAnchor (the link between on-premises Active Directory and Windows Azure
Active Directory). This must be an immutable attribute, such as Employee ID, as the default SourceAnchor
(GUID) is unique to one forest; if an object is moved across forests, the object will appear to DirSync to be
a new object. For this reason, unless AAD Connect is being used, multi-forest scenarios may require a full
deployment of a licensed copy of FIM 2010 R2.
The DirSync computer must be a member of a domain, and for standard single forest scenarios, this
computer must be joined to a domain within the same forest that will be synchronized. DirSync now
supports installations on domain controllers; previous versions did not. However, for production scenarios,
it is recommended to use a separate server for DirSync.
The computer running DirSync requires the following Windows Server versions:
64-bit edition of Windows Server 2008 R2 SP1 Standard or Enterprise (or later), or Windows Server
2008 Datacenter or Windows Server 2008 R2 Datacenter or later.
Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.0. The .NET Framework 4.0
will already be installed if you are using Windows Server 2012; Microsoft .NET Framework 3.5 SP1 will
need to be enabled.
Deployments with more than 50,000 objects in Active Directory require a significant increase in memory
requirements (from 4 GB RAM to 16 GB); therefore, it is important to implement adequate hardware
resources when transitioning from the pilot to production phase.
Note that, if you have implemented DirSync in Azure, you may need to scale up the VM if your
synchronization requirements increase.
Number of objects in Active Directory   CPU       Memory   Hard disk
Fewer than 10,000                       1.6 GHz   4 GB     70 GB
10,000-50,000                           1.6 GHz   4 GB     70 GB
50,000-100,000                          1.6 GHz   16 GB    100 GB
100,000-300,000                         1.6 GHz   32 GB    300 GB
300,000-600,000                         1.6 GHz   32 GB    450 GB
More than 600,000                       1.6 GHz   32 GB    500 GB
The current release of Microsoft Azure Active Directory has a default object limit of 50,000 objects (users,
mail-enabled contacts, and groups). This object limit is automatically increased to 300,000 after the first
domain is verified. If a synchronization results in the existing quota being exceeded, the tenant
administrator will receive an email message, such as:
The Directory Synchronization batch run was completed on Tuesday, 23 December 2014 23:45:22 GMT for
tenant <name>
The following errors occurred during synchronization:
Synchronization has been stopped. The company has exceeded the number of objects that can be
synchronized. Contact Technical Support and ask for an increase in your company's quota.
If there is a verified domain and a requirement to synchronize more than 300,000 objects, or there are no
verified domains and a requirement to synchronize more than 50,000 objects, you will need to contact
Microsoft Technical Support to request an increase to the object quota limit. It is therefore important to
plan for any likely DirSync quota increase; otherwise, if left to the last minute, this could become a
deployment blocker.
A Microsoft Azure account with Global Administrator permission in the Microsoft Azure tenant
(such as an organizational account) that is NOT the account that was used to set up Azure itself.
DirSync uses a Microsoft Azure Global Administrator account to provision and update objects when the
DirSync configuration wizard is run. You should create a dedicated service account in Microsoft Azure to
use for DirSync as you cannot use the Microsoft Azure tenant administrator account. This restriction is
because the account that you used to set up Azure may not have a domain name suffix that matches the
domain name. The account needs to be a member of the Global Administrators group.
On this new account, it is important to disable the default 90-day password expiration; otherwise, the
synchronization service will stop working when the password expires, which will require reconfiguration of
DirSync.
To disable service account password expiration by using the Windows Azure Active Directory Module for
Windows PowerShell, type the following command, and press Enter:
Set-MsolUser -UserPrincipalName <service account>@<domain>.onmicrosoft.com -PasswordNeverExpires $true
On-premises, the account used to install and configure DirSync must have the following permissions:
Enterprise Administrator permissions in Active Directory. Required to create the synchronization user
account in Active Directory.
The account used to configure DirSync and run the configuration wizard must reside in the local
machine's FIMSyncAdmins group; by default, the account used to install DirSync (the Enterprise
Administrator) is automatically added to this group.
Note: You need to log off and log back in again to use the FIM interface, as your logon
account has to be added to the DirSync Admins group.
The Enterprise Administrator account is only required when installing and configuring DirSync, and the
Enterprise Administrator credential is not stored or saved by the configuration wizard. Therefore, it is
good practice to create a special "DirSync Administrator" account for installing and configuring DirSync,
and to only assign this account to the Enterprise Administrators group when DirSync is being set up. This
DirSync Administrator account should be removed from the Enterprise Administrators group after DirSync
setup is complete. It is also good practice to ensure that the password for this account is set to never
expire, in case you ever need to reinstall or reconfigure DirSync.
Create the MSOL_<id> domain account in the CN=Users container of the root domain.
Delegate the following permissions to MSOL_<id> on each domain partition in the forest:
o Replication Synchronization
The following accounts are created in Active Directory during DirSync configuration:
MSOL_<id>. This account is created during DirSync installation, and is configured to synchronize to
the Microsoft Azure tenant. The account has directory replication permissions in the local Active
Directory and write permission on certain attributes to enable Hybrid Deployment.
AAD_<id>. This is the service account for the Synchronization Engine, and is created with a randomly
generated complex password automatically configured to never expire. When the directory
synchronization service runs, it uses the service account credentials to read from the local Active
Directory and then write the contents of the synchronization database to Microsoft Azure using the
tenant administrator credentials entered during the DirSync wizard.
Note: Do not change this service account after installing DirSync, as DirSync will always
attempt to run using the account created during setup. If the account is changed, DirSync will
stop running and scheduled synchronizations will no longer occur.
Synchronization with Microsoft Azure Active Directory occurs over SSL; this synchronization is outbound
(as it is initiated by DirSync) and uses port 443. Internal network communication uses standard Active
Directory-related ports; for successful synchronization, the DirSync server must be able to contact all DCs
in the forest.
Service                      Protocol   Port
LDAP                         TCP/UDP    389
Kerberos                     TCP/UDP    88
DNS                          TCP/UDP    53
Kerberos password change     TCP/UDP    464
RPC                          TCP        135
RPC (dynamic port range)     TCP        1024 - 65535
RPC (dynamic port range)     TCP        49152 - 65535
SMB                          TCP        445
SSL                          TCP        443
SQL                          TCP        1433
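A pre-installation connectivity check for the ports in the table, as an added example rather than course code: it runs from the intended DirSync server, enumerates every DC in every domain of the forest (DirSync must reach all of them) and probes each fixed TCP port, plus outbound 443 to the Azure AD sign-in endpoint login.microsoftonline.com (an assumed representative endpoint). Test-NetConnection needs Windows Server 2012 R2 / PowerShell 4; it tests TCP only, so the UDP side of LDAP, Kerberos and DNS and the RPC dynamic range are not covered.

```powershell
# Added example, not from the course: probe the DirSync-to-DC ports listed in the table.
Import-Module ActiveDirectory

# Fixed TCP ports from the table. SQL (1433) only applies when a remote SQL Server hosts the
# metadirectory, and the RPC dynamic ranges are allocated at run time, so neither is probed here.
$dcPorts = @(
    @{ Service = 'LDAP';                     Port = 389 },
    @{ Service = 'Kerberos';                 Port = 88  },
    @{ Service = 'DNS';                      Port = 53  },
    @{ Service = 'Kerberos password change'; Port = 464 },
    @{ Service = 'RPC endpoint mapper';      Port = 135 },
    @{ Service = 'SMB';                      Port = 445 }
)

function Test-DirSyncDcPorts {
    # All DCs in all domains of the forest, not only the DirSync server's own domain.
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        foreach ($p in $dcPorts) {
            $ok = Test-NetConnection -ComputerName $dc.HostName -Port $p.Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $dc.Domain
                Service          = $p.Service
                Port             = $p.Port
                Reachable        = $ok
            }
        }
    }
}

function Test-AzureAdOutbound {
    # Synchronization is outbound over SSL (443) from the DirSync server.
    Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

$results  = Test-DirSyncDcPorts
$failures = @($results | Where-Object { -not $_.Reachable })
$failures | Format-Table -AutoSize
if ($failures.Count -eq 0 -and (Test-AzureAdOutbound)) {
    'All DCs reachable on the required TCP ports and outbound 443 to Azure AD works.'
} else {
    "Blocked: $($failures.Count) DC/port combination(s); outbound 443: $(Test-AzureAdOutbound)"
}
```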
When you synchronize user accounts into Microsoft Azure Active Directory, you need to ensure that you
match the UPN for your on-premises environment with the value that you will be using when creating the
new user accounts in Microsoft Azure Active Directory. For example, if your company uses @contoso.com
as its UPN suffix, you need to have registered contoso.com as a domain in Microsoft Azure. This
requirement is to ensure that Userb@contoso.com in the on-premises environment creates the
userb@contoso.com account in Microsoft Azure when DirSync runs.
If your on-premises domain uses a non-routable UPN, such as Contoso.local, then you need to change the
UPN to a routable value that maps to a registered domain in Microsoft Azure. Otherwise user accounts
will be created in Azure using the default domain, which is in the form
@usernamedomain.onmicrosoft.com, where usernamedomain is derived from the values in the email
address that you used to register your Azure subscription with. Therefore, it is important to ensure that
you have UPNs set up correctly in your on-premises directory, with the matching domains added to
Azure, before you synchronize.
Note: You need to check that UPNs are not empty. The next topic covers tools that can
help carry out this check.
Recording network port use, as well as DNS records related to Microsoft Azure.
When preparing to clean up an on-premises AD, you should note the following attribute requirements
and invalid characters:
Attribute                Characters (max)   Must be unique   Invalid characters
proxyAddress             256
sAMAccountName           20                                  !#$%^&{}\{`~"/[]:@<>+=;?*
givenName                64                                  ?@\+
Surname                  64                                  ?@\+
displayName              256                                 ?@\+
(name not recoverable)   256
MailNickname             64
UserPrincipalName        64/256             Must be unique   )(;><][\
Invalid-character sets present in the extracted table that could not be matched to a row:
[!#$%&*+/=?^`{}]   }{#$%~*+)(><!/\   =?`
After the checks have been carried out, key remediation tasks include:
Updating blank and invalid userPrincipalName attributes, and replacing with valid userPrincipalName
attributes.
Removing invalid characters in the following attributes: givenName, surname (sn), sAMAccountName,
displayName, mail, proxyAddresses, mailNickname, and userPrincipalName.
UPNs that are used for SSO can contain letters, numbers, periods, dashes, and underscores; no other
character types are allowed. If the Microsoft Azure integration includes plans for SSO, it is important to
ensure that UPN names meet this requirement before SSO is rolled out, so it is worth considering this
factor at this stage, even if SSO is not currently planned.
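A pre-sync attribute scan for the checks in this topic (empty or non-routable UPNs, the SSO character rule, and the length and invalid-character limits from the table), as an added example that is not from the course. The verified domain list (contoso.com) is constructed; the limits and character sets come from the table above, with the unmatched sets left out.

```powershell
# Added example, not from the course: find users whose attributes would break DirSync or SSO.
Import-Module ActiveDirectory

$verifiedSuffixes = @('contoso.com')                    # constructed: domains verified in Azure
$ssoUpnPattern    = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'  # SSO UPNs: letters, digits, periods, dashes, underscores

# Limits and invalid characters taken from the table in this topic.
$rules = @(
    @{ Name = 'givenName';      Max = 64;  Invalid = '?@\+' },
    @{ Name = 'sn';             Max = 64;  Invalid = '?@\+' },
    @{ Name = 'displayName';    Max = 256; Invalid = '?@\+' },
    @{ Name = 'sAMAccountName'; Max = 20;  Invalid = '!#$%^&{}\{`~"/[]:@<>+=;?*' },
    @{ Name = 'mailNickname';   Max = 64;  Invalid = '' }
)

function Test-DirSyncUserAttributes {
    $props = @('userPrincipalName', 'proxyAddresses') + ($rules | ForEach-Object { $_.Name })
    foreach ($u in Get-ADUser -Filter * -Properties $props) {
        $issues = @()
        $upn = $u.userPrincipalName
        if ([string]::IsNullOrEmpty($upn)) {
            $issues += 'UPN is empty'                      # the Note above: blank UPNs must be fixed
        } else {
            $prefix, $suffix = $upn.Split('@')
            if ($verifiedSuffixes -notcontains $suffix) {
                $issues += "UPN suffix '$suffix' is not a verified Azure domain (e.g. a .local suffix)"
            }
            if ($upn -notmatch $ssoUpnPattern) { $issues += 'UPN contains characters not allowed for SSO' }
            if ($prefix.Length -gt 64)         { $issues += 'UPN prefix longer than 64 characters' }
        }
        foreach ($r in $rules) {
            $val = [string]$u.($r.Name)
            if (-not $val) { continue }
            if ($val.Length -gt $r.Max) { $issues += "$($r.Name) longer than $($r.Max) characters" }
            if ($r.Invalid -and $val.IndexOfAny($r.Invalid.ToCharArray()) -ge 0) {
                $issues += "$($r.Name) contains invalid characters"
            }
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                Issues = ($issues -join '; ')
            }
        }
    }
}

function Find-DuplicateProxyAddresses {
    # proxyAddress and UPN must be unique across the directory; duplicates stop the object syncing.
    Get-ADUser -Filter * -Properties proxyAddresses |
        ForEach-Object { $_.proxyAddresses } |
        Group-Object | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count
}

Test-DirSyncUserAttributes | Format-Table -AutoSize -Wrap
Find-DuplicateProxyAddresses
```

Objects flagged here are candidates for IdFix or ADModify.NET remediation, covered in the next topic.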
For a list of attributes that may need cleaning up, see:
http://go.microsoft.com/fwlink/?LinkId=390909
IdFix
The IdFix tool enables you to identify and remediate the majority of object synchronization errors in
Active Directory, including common issues such as duplicate or malformed proxyAddresses and
userPrincipalName. IdFix is designed to run on Windows 7 and Windows Server 2008 R2; however, it does
also run on Windows Server 2012.
You can select the OUs for IdFix to check, and common errors can be fixed within the tool itself. Common
errors include such things as invalid characters that may have been introduced during scripted user
imports to attributes.
Note: For distinguished names that contain format and duplicate errors (such as two users
with the same distinguished name), IdFix may not be able to suggest an automatic remediation
for the error. Such errors can either be fixed outside IdFix, or be manually remediated within
IdFix.
For more information, and to download IdFix, see the IdFix DirSync Error Remediation Tool page on
the Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=390910
ADModify.NET
For errors such as format issues, you can make changes to specific attributes object by object, using either
ADSIEdit or Advanced Mode in Active Directory Users and Computers. However, to make attribute
changes to multiple objects, ADModify.NET is a better tool; the batch mode operation provided by
ADModify.NET is particularly useful for making changes to attributes such as UPNs across OUs or
domains.
Introduction to ADModify.NET:
http://go.microsoft.com/fwlink/?LinkId=390911
To check if DirSync is activated in an account, start a Microsoft Azure PowerShell session and type the
following commands, pressing Enter after each line:
$cred = get-credential
This cmdlet returns a value of either True or False. If it returns a value of True, directory synchronization is
activated. If it returns a value of False, directory synchronization is not activated.
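The activation check described above, together with the dedicated DirSync service account from the earlier topic, as an added example that is not from the course. It uses the Windows Azure Active Directory Module for Windows PowerShell (MSOnline); the tenant suffix contoso.onmicrosoft.com and the account name svc-dirsync are constructed.

```powershell
# Added example, not from the course: connect to the tenant, report DirSync activation status,
# and prepare a Global Administrator service account whose password never expires.
$cred = Get-Credential -Message 'Azure AD Global Administrator'
Connect-MsolService -Credential $cred

function Get-DirSyncActivationStatus {
    # True = directory synchronization is activated, False = it is not.
    (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
}

function Enable-DirSyncIfNeeded {
    if (-not (Get-DirSyncActivationStatus)) {
        Set-MsolDirSyncEnabled -EnableDirsync $true -Force
    }
    Get-DirSyncActivationStatus
}

function New-DirSyncServiceAccount {
    param([string]$Upn = 'svc-dirsync@contoso.onmicrosoft.com')   # constructed
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    if (-not $user) {
        # The tenant's own onmicrosoft.com suffix keeps the account independent of any
        # synchronized or federated domain; the service generates the initial password.
        $user = New-MsolUser -UserPrincipalName $Upn -DisplayName 'DirSync Service' `
                    -ForceChangePassword $false -PasswordNeverExpires $true
    }
    # Global Administrator is listed as "Company Administrator" in the MSOnline role set.
    $role     = Get-MsolRole -RoleName 'Company Administrator'
    $isMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
                    Where-Object { $_.EmailAddress -eq $Upn }
    if (-not $isMember) {
        Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $Upn
    }
    # Disable the default 90-day expiry; otherwise scheduled syncs stop when it lapses.
    Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $true
    Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, PasswordNeverExpires
}

"DirSync activated: $(Enable-DirSyncIfNeeded)"
New-DirSyncServiceAccount
```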
Configure DirSync
Configuring DirSync requires you to specify the credentials for the two accounts, one for Microsoft Azure
Active Directory and the other for Active Directory. You can then stop the process at the end of the wizard
prior to synchronization.
At this point, you can use the FIM interface to configure filtering prior to synchronization. This procedure
is recommended at this point as it prevents accounts replicating into Microsoft Azure Active Directory that
subsequently would need to be deleted.
The FIM user interface isn't exactly in an obvious place. To start it, double-click on the following
executable:
%ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\Miisclient.exe
After you have opened the interface, to configure filtering, carry out the following procedure:
4. Click Containers.
Note: The credentials dialog box initially displays the MSOL_<id> account; this account
uses a randomly generated password, so administrators will not know it.
5. In the Credentials dialog box, enter the credentials for your synchronization account that you
created earlier (your Active Directory Enterprise Administrator), and click OK.
6. In the Select Containers dialog box, clear the root level check box then select, for example, the OUs
that you want to synchronize, and click OK.
Synchronize Directories
The third part of the operation is to carry out the synchronization itself. To synchronize through the
Configuration Wizard, carry out the following procedure:
1. Restart the DirSync Configuration wizard by double-clicking on the icon on the desktop.
2. Enter the administrative account credentials for both Microsoft Azure Active Directory and Active
Directory.
3. Ensure that Synchronize your directories now is checked and click Finish.
Verifying DirSync
Verifying the DirSync operation is very easy. Carry out the following process:
Check that users from the on-premises Active Directory are visible.
To confirm that updates are propagating, change a user attribute in the on-premises Active Directory and
check in Azure that the change has replicated across.
Forcing Replication
If you need to force a replication, such as to synchronize new accounts or group memberships, you have
three options for forcing replication and synchronizing directories manually:
Use the Start-OnlineCoexistenceSync PowerShell command.
Run the synchronization from the FIM user interface.
Re-run the DirSync Configuration Wizard.
The synchronization process is different, depending on whether this is an initial (full) or an update
operation.
In the FIM interface, an initial sync consists of three stages or run profiles, the last of which is:
3. Export.
An update sync also consists of three run profiles, again ending with:
3. Export.
You only see this differentiation in the FIM user interface. Using the Start-OnlineCoexistenceSync
command, or re-running the Configuration Wizard, always initiates a full synchronization.
To run the sync operation manually through the FIM interface, carry out the following procedure:
2. Start Miisclient.exe.
To synchronize through the Configuration Wizard, carry out the following procedure:
1. Restart the DirSync Configuration wizard by double-clicking on the icon on the desktop.
2. Enter the administrative account credentials for both Microsoft Azure Active Directory and Active
Directory.
3. Ensure that Synchronize your directories now is checked and click Finish.
3. Change <add key="SyncTimeInterval" value="3:0:0" /> to whatever time you want the
synchronization interval to be.
4. Restart the DirSync service, either with PowerShell or by using the Services console.
Note: Changing the synchronization interval is not a supported option. You are not
recommended to set too low a value for SyncTimeInterval; otherwise DirSync could start running
continually and never complete a synchronization. The minimum recommended value is 15 minutes. Note
also that not all attributes sync on the same schedule; for example, passwords sync within a few
minutes.
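The forced sync and the interval change from this topic, as an added example that is not course code. It enforces the 15-minute floor the note recommends and keeps a backup of the config. The DirSync root folder is the one the text gives for Miisclient.exe; the scheduler config file name Microsoft.Online.DirSync.Scheduler.exe.config, the module manifest path DirSync\ImportModules.psd1 and the service name MSOnlineSyncScheduler are assumptions based on a default DirSync installation and should be checked against your own install.

```powershell
# Added example, not from the course: force a full sync, and change SyncTimeInterval safely.
$dirSyncRoot = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync'

function Start-ForcedDirSync {
    # Always a full synchronization via this path, as the text notes.
    Import-Module (Join-Path $dirSyncRoot 'DirSync\ImportModules.psd1')   # assumed module path
    Start-OnlineCoexistenceSync
}

function Set-DirSyncInterval {
    param([Parameter(Mandatory = $true)][TimeSpan]$Interval)

    # Guard: below 15 minutes DirSync can run continually and never finish a cycle.
    $minimum = [TimeSpan]::FromMinutes(15)
    if ($Interval -lt $minimum) {
        throw "Interval $Interval is below the recommended minimum of 15 minutes."
    }

    $configPath = Join-Path $dirSyncRoot 'Microsoft.Online.DirSync.Scheduler.exe.config'  # assumed name
    if (-not (Test-Path $configPath)) { throw "Scheduler config not found: $configPath" }
    Copy-Item $configPath "$configPath.bak" -Force        # this change is unsupported; keep a way back

    [xml]$config = Get-Content $configPath
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
    if (-not $node) { throw "SyncTimeInterval not present in $configPath" }

    # Stored as hours:minutes:seconds, e.g. 3:0:0 for the default three hours.
    $node.value = '{0}:{1}:{2}' -f [int][math]::Floor($Interval.TotalHours), $Interval.Minutes, $Interval.Seconds
    $config.Save($configPath)

    # The scheduler reads its configuration at start-up, so restart the service to apply it.
    Restart-Service -Name 'MSOnlineSyncScheduler'       # assumed service name
    $node.value
}

Set-DirSyncInterval -Interval ([TimeSpan]::FromHours(1))   # writes 1:0:0
Start-ForcedDirSync
```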
Lesson 3
Implementing Federation
In this third lesson, you review the third directory service integration option, Single Sign-On (SSO), using
Active Directory Federation Services (AD FS). You will also look at the two options for protecting your AD
FS infrastructure from intrusion, using either the AD FS proxy role computer or the Web Application Proxy
(WAP) role in Windows Server 2012 R2.
Note: Throughout this section, the content refers to on-premises Active Directory directory
service integration with directory services in Microsoft Azure Active Directory. However, you may
already have extended your on-premises Active Directory into Microsoft Azure and want to use
this extended arrangement with AD FS, which is perfectly possible. Therefore, you can host your
organization's AD FS servers and proxies in Azure, along with one or more domain controllers, so
the separation between what is on-premises and what is in Azure can become indistinct.
Throughout this lesson, any references to on-premises Active Directory should be read as your
organization's original directory.
Lesson Objectives
After completing this lesson, you should be able to:
Identify the process for federating between on-premises Active Directory and Microsoft Azure Active
Directory.
Deploy the Web Application Proxy Role in Windows Server 2012 R2.
Manage the trust relationship between Azure and the on-premises AD FS.
Claims provider: A service that generates claims in response to requests. Also known as the Security
Token Service (STS). AD FS is an example of a claims provider.
Application provider: The party that provides access to applications based on information provided
by the claims from the STS. Also known as a relying party. Azure applications act as the relying party;
through the Azure directory service, Azure applications can provide access to resources to
authenticated users.
Claim: A claim is a statement about a user, such as the user's email address, domain, group
membership, first name and last name, or UPN. The claim enables the relying party to establish the
identity of the user requesting access to resources.
Token: A token is a file that contains claims about an authenticated user, along with an assertion that
the user has been correctly authenticated. Claims are typically signed to prevent alteration in transit
and also encrypted.
Federation: A collection of domains that have established trust; in this case, Azure Directory trusts
the on-premises AD for user authentication.
In summary, a user attempts to access a resource hosted by Azure. Azure directs authorization requests to
Microsoft Azure Active Directory, which then requests confirmation of that users identity and
authentication status from the STS (AD FS) through the federation trust. The STS contacts the on-premises
AD DS, confirms authentication of the user and extracts any information required to create the claim,
according to the claim rules for the federation trust.
The STS then signs (and typically encrypts) the token and passes it to the application provider (Microsoft
Azure Active Directory) using information from the federation trust. The relying party takes this token,
decrypts it and matches it to the user requesting access to the resource in Microsoft Azure. The user can
now access the application provider resource using his or her Active Directory credentials.
Note: Remember that in SSO, authentication is carried out by the on-premises Active
Directory and that the information passed over to Microsoft Azure Active Directory (the password
for Microsoft Azure Active Directory) does not get used at all. However, the accounts in both
directory services must still match up, hence the requirement to use DirSync as well as AD FS.
Microsoft online services, such as Azure and Office 365, use a specific Microsoft identity service to
establish federated-identity relationships between organizations; this service is called the Microsoft
Federation Gateway. The Microsoft Federation Gateway is responsible for directing communications
between the trusted identity provider (in this case, the on-premises Active Directory through AD FS) and
Azure Active Directory.
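The relying-party side of the flow just described, as an added example that is not part of the course text: a Windows PowerShell function that performs the checks a relying party must make on a SAML assertion before trusting its claims (signature present and verifiable, expected issuer, validity window, audience) and then extracts the claims. The assertion below is a constructed, deliberately unsigned sample so that the reject path is visible; the issuer URI, the audience value (urn:federation:MicrosoftOnline is the audience Azure Active Directory uses) and the claim values are assumptions.

```powershell
# Constructed sample SAML 2.0 assertion (not a real token). It is unsigned on purpose.
$sampleAssertion = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" IssueInstant="2015-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.contoso.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@contoso.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-01-01T12:00:00Z" NotOnOrAfter="2015-01-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <saml:AttributeValue>alice@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>CRM-Users</saml:AttributeValue>
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

function Test-SamlAssertion {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        # Token-signing certificate of the STS, taken from its federation metadata
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCertificate,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true          # required for XML signature validation
    $doc.LoadXml($AssertionXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $errors = New-Object System.Collections.Generic.List[string]

    # 1. Signature: claims are only trustworthy if the STS signed them and the
    #    signature verifies against the certificate we have on file for the trust.
    $sig = $doc.SelectSingleNode('/saml:Assertion/ds:Signature', $ns)
    if (-not $sig) {
        $errors.Add('assertion is not signed')
    } elseif (-not $SigningCertificate) {
        $errors.Add('no token-signing certificate supplied to verify the signature')
    } else {
        $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
        $signedXml.LoadXml($sig)
        if (-not $signedXml.CheckSignature($SigningCertificate, $true)) {
            $errors.Add('signature does not verify against the token-signing certificate')
        }
    }
    # 2. Issuer must be the STS we have a federation trust with.
    $issuer = $doc.SelectSingleNode('/saml:Assertion/saml:Issuer', $ns).InnerText
    if ($issuer -ne $ExpectedIssuer) { $errors.Add("unexpected issuer '$issuer'") }
    # 3. Validity window and audience from <Conditions>.
    $cond = $doc.SelectSingleNode('/saml:Assertion/saml:Conditions', $ns)
    $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
    if ($Now -lt $notBefore) { $errors.Add('assertion is not yet valid') }
    if ($Now -ge $notOnOrAfter) { $errors.Add('assertion has expired') }
    $audiences = @($cond.SelectNodes('saml:AudienceRestriction/saml:Audience', $ns) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains $ExpectedAudience) { $errors.Add('assertion was not issued for this relying party') }
    # 4. Extract the claims the application will use for authorization decisions.
    $claims = @{}
    foreach ($attr in $doc.SelectNodes('/saml:Assertion/saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{
        Subject = $doc.SelectSingleNode('/saml:Assertion/saml:Subject/saml:NameID', $ns).InnerText
        Issuer  = $issuer
        Claims  = $claims
        Errors  = $errors
        Valid   = ($errors.Count -eq 0)
    }
}

$result = Test-SamlAssertion -AssertionXml $sampleAssertion `
    -ExpectedIssuer 'http://adfs.contoso.com/adfs/services/trust' `
    -ExpectedAudience 'urn:federation:MicrosoftOnline' `
    -Now ([datetime]'2015-01-01T12:30:00Z').ToUniversalTime()
$result.Claims['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups']
$result.Errors      # 'assertion is not signed' for the constructed sample
$result.Valid       # False: an unsigned assertion must never be accepted
```

The order matters: the claims are read only after the signature and conditions have been checked, so a tampered or replayed token never reaches the authorization logic. In a real deployment the signing certificate comes from the federation metadata of the STS, and the check must be repeated when that certificate rolls over.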
For more information on claims-based authentication, see:
A Guide to Claims-Based Identity and Access Control (2nd Edition)
http://go.microsoft.com/fwlink/?LinkID=523987
AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an installable
server role.
AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.
AD FS 2.1 was released with Windows Server 2012 as an installable server role.
AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a
separate IIS install and includes a new AD FS proxy role called the Web Application Proxy.
Windows authentication (default for intranet-based requests but not supported on all browsers; the
fallback is forms authentication).
AD FS also supports multifactor authentication (MFA) by using device authentication. The user has to use
a registered device to access a resource.
In the AD FS architecture, the AD FS servers for the claims provider connect directly to the domain
controllers for the domain, where they can access information about users held in Active Directory.
Because of this privileged access, AD FS servers need the same levels of protection as domain controllers.
To service access requests from the Internet, AD FS includes an AD FS proxy server role. An AD FS proxy
server typically sits in the perimeter network, intercepts the authentication requests, and then proxies the
requests through to the AD FS servers. The AD FS servers only accept incoming requests from Internet-based
clients through the proxy, and only port 443 (SSL) needs to be open between the proxy and the AD FS server.
An alternate way to configure AD FS to accept incoming requests from the Internet is through use of the
Web Application Proxy role service in Windows Server 2012 R2. This server would also be installed into the
perimeter network in a workgroup. A typical deployment is to use AD FS servers within the corporate
network for access by users on that network, and to use Web Application Proxy servers for users
connecting from the Internet.
For more information on how to configure WAP with AD FS, see:
http://go.microsoft.com/fwlink/?LinkID=522666
2.
3.
4.
5. Microsoft Azure Active Directory identifies that there is a federation trust with the target organization based on the user's logon credentials.
6. The authentication request is redirected from the Microsoft Federation Gateway to the AD FS proxy for the target organization.
7.
8. The AD FS server contacts a domain controller and confirms that the authentication request is valid.
9. AD FS builds a token containing relevant claims about the user. The claims are specified by the claims provider rules.
10. The AD FS server signs the token, encrypts it and then passes the token back to the Microsoft Federation Gateway over SSL.
11. The Microsoft Federation Gateway decrypts the token, checks it is unaltered and then uses that token to create an access token for the resource.
12. Microsoft Azure Active Directory posts the security token to the Reply URL of the resource.
13. The resource being accessed uses the access token to grant the user a connection to the resource.
The most critical component of an AD FS deployment is the federation server or server farm. Therefore, it
is important that server placement strategy is properly considered. AD FS servers must be domain-joined
and should be placed behind a firewall on the corporate network to prevent exposure to the Internet. AD
FS proxies should not be domain-joined and should be installed in the perimeter network.
The number of AD FS servers that should be deployed in an organization depends on the number of users
likely to issue authentication requests. The recommended minimum requirements are displayed in the
following table:
Number of users
1,000 to 15,000
15,000 to 60,000
You may want to implement access filtering based on claims rules. For example, you might specify that
only users based in a particular location, or with a certain domain suffix, can access a certain resource in
Azure.
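What such claims-rule filtering looks like in practice, as an added example that is not course code: issuance authorization rules written in the AD FS claim rule language and applied to the Azure AD relying party trust with the ADFS module on a Windows Server 2012 R2 federation server. The trust display name is the one Convert-MsolDomainToFederated normally creates; the UPN suffix and the group SID are placeholders, and you should adapt both.

```powershell
Import-Module ADFS

# Display name of the relying party trust that Convert-MsolDomainToFederated creates
# for Azure Active Directory (verify with Get-AdfsRelyingPartyTrust in your farm).
$rpName = 'Microsoft Office 365 Identity Platform'

# Claim rule language: [condition] => issue(...). The UPN and group SID claims are
# passed through by the default Active Directory claims provider rules, so they are
# available here. Regex uses a character class instead of a backslash escape.
$authorizationRules = @'
@RuleName = "Permit users whose UPN suffix is contoso.com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "(?i)^[^@]+@contoso[.]com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny members of the Contractors group (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Record the current rules before replacing them, so the change can be reverted.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$before | Out-File ".\$($rpName -replace '\W','_')-authz-rules.bak"

# Evaluation order: a deny claim overrides any permit claim, and a user who matches
# no rule at all receives no permit claim and is therefore denied access.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authorizationRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Issuance authorization rules act on the claims that the claims provider trust has already accepted; if you want to filter on an attribute that is not passed through by default (a location attribute, for example), it has to be issued by the claims provider's acceptance rules first.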
For more information on passing through or filtering incoming claims, see:
http://go.microsoft.com/fwlink/?LinkID=522667
AD FS servers require a database, and can be configured to use either the Windows Internal Database
(WID) or full SQL Server. If WID is used, then AD FS servers in a farm are configured as primary or
secondary. A primary federation server is initially the first federation server in the farm, and has a
read/write copy of the AD FS configuration database. All other federation servers created in the farm (the
secondary servers) regularly poll the primary server and synchronize any changes to a read-only copy of
the AD FS configuration database stored locally. By default, the poll interval is five minutes, but an
immediate synchronization can be forced anytime by using Windows PowerShell.
Secondary servers provide fault tolerance for the primary server and, with appropriate server placement,
can load-balance access requests across network sites. If the primary federation server is offline, all
secondary federation servers continue to process requests as normal. However, no new changes can be
made to the AD FS database until the primary federation server has been brought back online, or a
secondary server is promoted to the primary role. Primary and secondary role assignment is managed by
using the Set-AdfsSyncProperties Windows PowerShell cmdlet.
If SQL Server is used to store AD FS information, all servers in the farm are considered "primary", as they
all have read/write access to the database.
For more information on AD FS databases, see:
The Role of the AD FS Configuration Database
http://go.microsoft.com/fwlink/?LinkID=523981
Logon as a service.
However, if your environment includes domain controllers that run Windows Server 2012 or later, then
you can use the new group managed service account (GMSA) feature. The advantage of the GMSA is that
it can automatically manage password changes for the account and does not require the administrator to
change the password manually.
Again, as with DirSync, you need to ensure namespace consistency between the on-premises Active
Directory and Microsoft Azure Active Directory. In summary, that requirement means having UPN suffixes
that map to a registered domain name in Azure. So, if a company uses a UPN suffix of Contoso.com, then
Contoso.com needs to be a registered domain in Microsoft Azure Active Directory for that company's
account.
Client requests to AD FS need to be able to resolve to the correct access point for the AD FS service,
regardless of whether the client is on the internal network or on the Internet. Typically, internal clients
connect to the AD FS server, and external clients connect to the proxy (AD FS or WAP). However, to have
the same URL for both internal and external connections requires different entries in the internal and
external DNS to connect to the relevant part of the AD FS infrastructure (split brain DNS). For example, if
the host name to connect to your AD FS infrastructure is adfs.contoso.com, you will need to have the
following DNS entries:
INTERNAL DNS (Contoso.com zone)
Host name    Address
adfs         192.168.10.12
EXTERNAL DNS (Contoso.com zone)
Host name    Address
adfs         131.107.21.65
For token exchange, AD FS uses self-signed certificates. These certificates only validate that the content
has been unaltered in transit, so there is typically no requirement to use third-party issued certificates, or
to validate to a trusted CA.
By default, token exchange certificates automatically renew 20 days before certificate expiry. However,
there is still a requirement to update Microsoft Azure Active Directory when that change is made. If you
only have a single top-level domain, you can use the Microsoft Federation Metadata Update Automation
Installation Tool to create an automated task to update the certificate in Azure.
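An added example (not course code) of the two checks an administrator wants around token-signing certificate rollover: report the token-signing certificates on the AD FS server with their remaining lifetime and the farm's rollover settings, then push the current certificate to Azure Active Directory so that the federated trust keeps working after a rollover. It needs the ADFS module (Windows Server 2012 R2) and the MSOnline module; the AD FS server name and the domain name are assumptions, and the property names selected from Get-MsolFederationProperty should be checked against your module version.

```powershell
Import-Module ADFS
Import-Module MSOnline

function Get-AdfsTokenSigningStatus {
    param([int]$WarnDays = 30)
    $props = Get-AdfsProperties
    foreach ($c in Get-AdfsCertificate -CertificateType Token-Signing) {
        $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Thumbprint   = $c.Thumbprint
            IsPrimary    = $c.IsPrimary
            SelfSigned   = ($c.Certificate.Subject -eq $c.Certificate.Issuer)
            NotAfter     = $c.Certificate.NotAfter
            DaysLeft     = $daysLeft
            AutoRollover = $props.AutoCertificateRollover
            # Days before expiry at which AD FS generates the next certificate (20 by default)
            RenewsAtDays = $props.CertificateGenerationThreshold
            # Without automatic rollover a certificate nearing expiry needs a manual renewal
            NeedsAction  = (-not $props.AutoCertificateRollover) -and ($daysLeft -le $WarnDays)
        }
    }
}

Get-AdfsTokenSigningStatus | Format-Table -AutoSize

# After a rollover (automatic or manual), Azure AD must be told about the new certificate,
# otherwise it keeps validating tokens against the old one and federated sign-ins fail.
Set-MsolADFSContext -Computer 'adfs01.contoso.com'    # AD FS server name is an assumption
Connect-MsolService                                   # Azure AD administrator credentials
Update-MsolFederatedDomain -DomainName 'contoso.com'  # add -SupportMultipleDomain if you federated several domains

# Compare what AD FS uses with what Azure AD has on record; the two rows should agree.
Get-MsolFederationProperty -DomainName 'contoso.com' |
    Format-List Source, TokenSigningCertificate, NextTokenSigningCertificate
```

Scheduling Get-AdfsTokenSigningStatus and alerting on NeedsAction covers the case the text warns about: a farm where automatic rollover has been turned off and nobody is watching the expiry date.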
For SSL encryption, certificates must come from a trusted third party and do need to be replaced
manually before they expire. With the third-party SSL encryption certificates, either the common name
(cn) or the Subject Alternate Name (SAN) on the SSL certificate must match the fully-qualified domain
name (FQDN) name of the endpoint to which the client request is terminating. So, if the DNS name of the
STS is adfs.contoso.com, the SSL certificate for connecting to the proxy array must include either a cn or
SAN for adfs.contoso.com.
You don't have to wait for SSL certificate expiry, but be warned that, as soon as the certificate expires, AD
FS will fail.
For more information on replacing certificates with AD FS 2.0, see:
http://go.microsoft.com/fwlink/?LinkID=522670
Note: It is not uncommon to use a single certificate for both the AD FS servers and the
proxies. This configuration ties in to the requirement for internal and external clients to use the
same URL to access either the proxies (if outside the corporate network) or the AD FS servers (if
inside the network).
Firewall configuration is relatively simple in that external clients only need the SSL port TCP 443 to
connect to the AD FS proxy or WAP endpoint. The proxy then communicates with AD FS using only port
443.
To provide high availability, AD FS servers are typically configured as server farms and the client requests
load-balanced across the servers using Network Load Balancing (NLB) or through use of hardware load
balancers. Configuration of a load balancer results in a single IP address for the load-balancing array that
must then be entered into DNS and also set as the cn or SAN of the SSL certificate.
The proxy servers (WAP or AD FS) will also require load balancing, again either using NLB or hardware
load balancers.
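A check that ties the DNS, certificate and load-balancer requirements above together, as an added example that is not course code: from a client, resolve the AD FS host name (inside the network this should be the farm's load-balanced address, outside it should be the proxy array's address), complete a TLS handshake against it, and verify that the certificate presented has the FQDN in its cn or SAN, is not self-signed, and is not close to expiry. The host name is an assumption; the function works against any HTTPS endpoint.

```powershell
function Test-AdfsEndpointCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. adfs.contoso.com
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    # 1. Which address does this client resolve the name to? Run the function from an
    #    internal and an external client and compare (split-brain DNS).
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }

    # 2. TLS handshake. The validation callback accepts everything so that a bad
    #    certificate can be inspected here instead of aborting the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # 3. Names the certificate is valid for: the cn plus every DNS entry in the SAN extension.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sans = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() renders e.g. "DNS Name=adfs.contoso.com, DNS Name=..." (Windows) or "DNS:..."
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($cn) + $sans
    # -like makes a wildcard entry such as *.contoso.com match as well
    $nameMatches = [bool]($names | Where-Object { $HostName -like $_ })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        HostName    = $HostName
        ResolvesTo  = $addresses
        Subject     = $cert.Subject
        Names       = $names
        NameMatches = $nameMatches                        # must be $true or clients will refuse the endpoint
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)    # SSL endpoints need a trusted third-party certificate
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        ExpiresSoon = ($daysLeft -le $WarnDays)
    }
}

Test-AdfsEndpointCertificate -HostName 'adfs.contoso.com'
```

Because the same certificate is usually installed on the AD FS servers and the proxies, running the check from both sides of the firewall also confirms that the load-balanced address on each side presents a certificate whose names still cover the shared URL after a replacement.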
For more information on load-balancing WAP proxies, see:
http://go.microsoft.com/fwlink/?LinkID=522671
Note: As with DirSync, you also need to ensure that you clean up Active Directory by
removing unnecessary spaces, illegal characters, and duplicate addresses before implementing
AD FS. The topic on Cleaning Up Active Directory from the previous lesson covers these
considerations in detail.
1.
2. Assign the third-party SSL certificate to the default website in IIS (no longer required in Windows Server 2012 R2).
3.
4.
5. Select the third-party SSL certificate (must be installed into the computer's personal store).
6.
7.
8.
2.
3.
4.
5.
6.
7. Enter the external and back-end URL and select the SSL certificate (must be installed into the computer's personal store).
8.
9. Test the connection to the external URL; you should get the login prompt for AD FS.
10. Optional: customize the logon screen with logos, help buttons, and so on.
For more information on configuring AD FS proxies, see:
http://go.microsoft.com/fwlink/?LinkID=522666
For federation to work, you have to add the domain to Azure and then convert it to federated. This
process creates the relying party trust between Azure and the on-premises domain. After conversion,
every synchronized on-premises user becomes a federated user and can use their corporate credentials to
access resources in Azure.
To convert a standard domain to federated, you can either use the Azure Portal, or use the following
Azure Active Directory PowerShell command:
Convert-MsolDomainToFederated -DomainName <domain>
You can convert multiple domains by using the -SupportMultipleDomain switch.
To add a new domain as a federated domain, you can either use the Azure Portal, or use the following
Azure Active Directory PowerShell command:
New-MsolFederatedDomain -DomainName <domain>
When adding federated sub-domains, you must add the root domain first.
Important: After you have used the New-MsolFederatedDomain cmdlet to add a top-level
domain, you will not be able to use the New-MsolDomain cmdlet to add non-federated
(standard) domains.
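The two cmdlets above combined into one procedure, as an added example that is not course code: it checks each domain's state in Azure Active Directory before acting, federates root domains before their sub-domains, and switches on -SupportMultipleDomain whenever more than one domain is involved. The domain names and the AD FS server name are assumptions.

```powershell
Import-Module MSOnline
Connect-MsolService                                   # Azure AD global administrator credentials
Set-MsolADFSContext -Computer 'adfs01.contoso.com'    # AD FS server on which the trust is configured

function Set-FederatedDomains {
    param([Parameter(Mandatory)][string[]]$Domains)

    # Root domains must be federated before their sub-domains, so process by label count.
    $ordered = @($Domains | Sort-Object { ($_ -split '\.').Count })
    $multi = $ordered.Count -gt 1     # more than one federated domain requires -SupportMultipleDomain

    foreach ($domain in $ordered) {
        $existing = Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue
        if (-not $existing) {
            # First run adds the domain and returns the DNS record Azure AD expects for
            # verification; run the function again after that record is in place.
            New-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain:$multi
        } elseif ($existing.Authentication -eq 'Federated') {
            "$domain is already federated"
        } elseif ($existing.Status -ne 'Verified') {
            Write-Warning "$domain is not verified in Azure AD yet; verify it before converting"
        } else {
            Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain:$multi
        }
        # Show what Azure AD now expects from the on-premises STS for this domain
        Get-MsolDomainFederationSettings -DomainName $domain -ErrorAction SilentlyContinue |
            Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri
    }
}

Set-FederatedDomains -Domains 'sales.contoso.com', 'contoso.com'
```

The ordering step is what makes the "add the root domain first" rule hold even when the list is supplied in any order; the verification check avoids the failure you get when converting a domain whose ownership Azure AD has not yet confirmed.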
The following link shows the detail of the steps for setting up federation between AD FS and
Microsoft Azure Active Directory:
http://go.microsoft.com/fwlink/?LinkID=522673
Requirements:
1.
2. The organization is also adopting a partial rollout of Microsoft Azure and will be deploying a number of cloud services that evaluate user accounts prior to granting access to resources.
3. The main Azure app is an internally-developed customer relationship management system that has been migrated to the cloud platform. The front end of this application connects to a separate Oracle database that includes inbuilt authentication and authorization.
4. To ensure the highest level of security on this CRM system, A. Datum plans to implement cloud-based multi-factor authentication to ensure user identity prior to logon.
5. A. Datum wants to preserve separate password policies between the on-premises directory and Azure-based applications.
6.
Propose a Solution:
1.
2.
3. In the future, if A. Datum wants to provide single-source management of passwords and password policies, what option could the organization enable?
A. Datum currently uses single sign-on for on-premises applications. As part of A. Datum's evaluation of
Microsoft Azure, you need to test that A. Datum users can use the same credentials that they use to access
resources on the A. Datum intranet to access resources in Azure. When users change passwords and other
directory details, you want to ensure these changes will be reflected in both your on-premises and Azure
Active Directories. In this lab, you will evaluate this hybrid environment.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 40 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
2. Start Internet Explorer on AdatumDC1, and log on to the full Microsoft Azure portal, using the Microsoft account associated with your Azure subscription.
3. In the full Azure portal, navigate to the Active Directory tab. In the default directory, enable Directory Integration. Note the default DNS name.
4. From the default directory dashboard page, download the latest version of the DirSync executable and save it to the Downloads folder.
5. Run the DirSync.exe setup, accepting the default settings, but stop prior to configuration; installation may take 15-20 minutes.
6. Log off and log back on again as ADATUM\Student with a password of Pa$$w0rd123.
On AzureDC1, in the Users OU, create an account called DirSync with a password of Pa$$w0rd123,
set that password to never to expire, and add the account to the Domain Admins and Enterprise
Admins groups.
2. Verify that there are five user accounts in the Accounts OU.
3. Run the Directory Sync Configuration Wizard from the Desktop. Use the DirSyncAzure@yourdomainname.onmicrosoft.com account and the ADATUM\DirSync account in Active Directory, both with a password of Pa$$w0rd123. Do not enable Hybrid Deployment, do not enable Password Sync, and do not synchronize directories.
2.
3.
4.
5.
6. Click Containers.
7.
   Password: Pa$$w0rd123
   Domain: ADATUM
8. In the Select Containers dialog box, clear the root level check box, then select only the Accounts check box, and click OK.
9.
Results: After completing this exercise, you will have installed and configured DirSync, ready for a test synchronization.
A. Datum now wants to test directory integration, by synchronizing a specific OU within Active Directory
into Microsoft Azure Active Directory, changing attributes on a user account, and then forcing
synchronization.
The main tasks for this exercise are as follows:
1. Synchronize Directories
2. Initiate manual synchronization
3. Reset the Environment
Run the Directory Sync Configuration Wizard from the Desktop. Use the DirSyncAzure@<yourdomainname>.onmicrosoft.com account and the ADATUM\DirSync account in Active Directory, both with a password of Pa$$w0rd123. Do not enable Hybrid Deployment, do not enable Password Sync, but select the option to synchronize directories.
2. Log on to the Full Azure Portal, and check that the user accounts from the Accounts OU have synchronized into Microsoft Azure Active Directory.
Make a change to the attributes of some of your users in the Accounts OU in the Adatum directory. Attributes to change include:
o Job Title
o Department
o Street Address
o City
o State or Province
2. Start a PowerShell session using administrative credentials, set the execution policy to unrestricted, and then import the DirSync module using the Import-Module command.
3.
4. In the Full Azure Portal, check that the changes you have made to the user accounts have replicated to Microsoft Azure; if you do not see any changes, wait a few minutes and refresh the page.
5. Close the AdatumDC1 remote desktop session, and click OK when prompted.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog box, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the
objects in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have synchronized a specific OU within Active Directory
into Microsoft Azure Active Directory, changed attributes on user accounts, and forced synchronization.
Synchronizing user accounts between on-premises Active Directory and Microsoft Azure.
Setting up single sign-on using federation between on-premises Active Directory and Microsoft Azure.
Review Question(s)
Question: How might you allay any security concerns with either DirSync and password sync
or single sign-on?
Module 12
Implementing Automation
Contents:
Module Overview
12-1
12-2
12-7
12-10
12-15
12-20
Module Overview
In this module, you look at how you can use automation methods to administer Microsoft Azure. You
will review the automation architecture, such as accounts, assets, jobs, runbooks and integration modules.
Finally, you will see how these methods can combine to reduce the amount of time that it takes to keep
on top of management issues in Microsoft Azure.
Objectives
After completing this module, you should be able to:
Manage automation through creating and publishing of runbooks and scheduling jobs.
Lesson 1
In this first lesson, you investigate what Azure Automation is and review the crucial first step of connecting
Azure Automation to an Azure subscription, either by uploading a management certificate, or by using
Windows PowerShell credentials with Azure AD. You then move on to look at the different automation
assets you can create and what each of those assets does.
Lesson Objectives
After completing this lesson, you should be able to:
Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.
The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a virtual network (ADATUM-VNET), and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab. Note that, at the time of writing, the
only available regions for Azure Automation were East US, Southeast Asia, and West Europe; you must
choose one of these regions.
Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
2.
3. At the prompt, type the module number, and then press Enter.
4.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.
6. When prompted, enter the Azure region to use (at the time of writing, the only available regions for Azure Automation are East US, Southeast Asia, and West Europe), and then press Enter.
7. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take a while to configure your Microsoft Azure environment, ready for the lab at the end of
this module.
Using Azure AD
Using certificates
2.
1. A self-signed certificate; this can be created using makecert.exe, and must then be uploaded to be used with Azure Automation.
2.
3.
The Azure AD method is simpler to use, but does require an organizational account with co-administrator rights.
For more information on How to install and configure Azure PowerShell, including the two
connection methods, see:
http://go.microsoft.com/fwlink/?LinkID=511717
For more information on the Getting Started with NEW Microsoft Azure Automation Preview
Feature, see:
http://go.microsoft.com/fwlink/?LinkID=511772
For more information on the Managing Azure Services with the Microsoft Azure Automation Preview
Service, see:
http://go.microsoft.com/fwlink/?LinkID=511773
Variables manage values initially set from the management portal or from Windows PowerShell. The variable types are:
String
Integer
Boolean
Datetime
Variable values can be stored encrypted in the Azure Automation database; if a value is encrypted, you
cannot see the value in the portal, and it is only available for use in a workflow through the Get-AutomationVariable activity.
Schedules enable runbooks to run automatically, either at a single date and time, or on a recurring schedule.
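How a runbook consumes the connection methods and assets described in this lesson, as an added example that is not the course's own New-VMs runbook: it reads a Windows PowerShell credential asset and a String variable asset at run time (the names PScredential and SubscriptionName are the assets created in the Lesson 3 demonstration; ReportRecipient and LastReportRun are assumed assets), connects with the Azure AD method, keeps the certificate method in comments for comparison, and reports the subscription's virtual machines. It runs only inside Azure Automation, because the Get-Automation* and Set-AutomationVariable activities exist only there.

```powershell
workflow Get-AdatumVMReport {
    # Assets are resolved when the job runs, so no secret has to sit in the runbook text.
    $cred = Get-AutomationPSCredential -Name 'PScredential'              # Windows PowerShell credential asset
    $subscriptionName = Get-AutomationVariable -Name 'SubscriptionName'  # String variable asset

    # Assumed encrypted String asset: the portal hides its value, and only a running
    # job can read it, through this activity.
    $reportRecipient = Get-AutomationVariable -Name 'ReportRecipient'

    # Connection method 1 (Azure AD): organizational account with co-administrator rights.
    Add-AzureAccount -Credential $cred
    Select-AzureSubscription -SubscriptionName $subscriptionName

    # Connection method 2 (management certificate) would be used instead like this,
    # with the certificate uploaded as an Automation certificate asset:
    #   $cert = Get-AutomationCertificate -Name 'AutomationCert'
    #   Set-AzureSubscription -SubscriptionName $subscriptionName -SubscriptionId $subscriptionId -Certificate $cert
    #   Select-AzureSubscription -SubscriptionName $subscriptionName

    $vms = @(Get-AzureVM | Select-Object Name, ServiceName, PowerState, InstanceStatus)
    $notRunning = @($vms | Where-Object { $_.PowerState -ne 'Started' })

    # Record the last run in an assumed (non-encrypted) String variable asset.
    Set-AutomationVariable -Name 'LastReportRun' -Value (Get-Date -Format 'o')

    Write-Output "VM report for $($reportRecipient): $($vms.Count) VMs, $($notRunning.Count) not running"
    Write-Output $vms
}
```

Keeping the credential and the recipient in assets rather than in the runbook means that exporting the runbook, or a reader with access to the Draft, never exposes them, and that rotating the password is a change to one asset rather than to every runbook that uses it.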
Lesson 2
Lesson Objectives
After completing this lesson, you should be able to:
Create basic PowerShell workflows using sequences, checkpoints, and parallel processing.
Long-running activities.
Repeatable activities.
Frequently-executed activities.
A big advantage of Windows PowerShell Workflows is that they can perform a set of commands in
parallel, instead of sequentially, as with a typical PowerShell script. This is useful for runbooks that perform
multiple actions that take a significant time to complete, such as provisioning a group of virtual machines.
PowerShell workflows are dependent on .NET Framework Windows Workflow Foundation (WWF).
Specifically, Windows PowerShell Workflows are Windows PowerShell scripts, written using Windows
PowerShell syntax, launched by Windows PowerShell, but processed by Windows Workflow Foundation.
For more information on PowerShell Workflows: The Basics, see:
http://go.microsoft.com/fwlink/?LinkID=511774
The ForEach -Parallel keywords process the items of a collection concurrently; the items are handled in
parallel, but the commands in the script block run sequentially for each item.
The keyword Sequence runs commands in sequence within a Parallel script block.
The keyword InlineScript runs a block of commands in a separate, non-workflow session and returns its
output to the workflow. Commands within an InlineScript block are processed by Windows PowerShell
(not by Windows Workflow Foundation).
Checkpoints are snapshots of the current state of the workflow, including the current values for variables.
Checkpoints are saved to the Automation database, so that workflows can resume after interruption or
outage. Checkpoints are set with the Checkpoint-Workflow activity. The Suspend-Workflow activity
can be used to force a runbook to suspend and set a checkpoint; this is useful for runbooks that need
some intermediate manual steps.
To enable a series of commands to execute in sequence, add the sequence keyword to execute the code
between the braces {} in series.
In the following example, commands A and B (and the sequence C-D) will be executed in parallel (and
there is no way to know in advance which of these commands will complete first); commands C and D will
always execute in the order C then D, but might execute before command A or command B.
workflow test {
    # Runs in a separate, non-workflow PowerShell session
    InlineScript { Write-Output "Code" }
    parallel {
        Write-Output "Command A"
        Write-Output "Command B"
        sequence {
            Write-Output "Command C"
            Write-Output "Command D"
        }
    }
}
test
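The three constructs from this lesson (ForEach -Parallel, Checkpoint-Workflow, InlineScript) together with the parallel/sequence ordering above, as an added example that is not from the course. It runs locally in Windows PowerShell 5.1 without an Azure subscription (workflows are not available in PowerShell 7); the server names are constructed sample input and the sleep stands in for a slow provisioning call.

```powershell
workflow Invoke-ProvisioningDemo {
    param([string[]]$ServerNames = @('web01', 'web02', 'web03'))

    # Each server is handled concurrently; within one iteration the commands still
    # run in order, so "configured" never appears before "created" for the same server.
    foreach -parallel ($name in $ServerNames) {
        Start-Sleep -Seconds 2          # stands in for provisioning work
        "$name created"
        "$name configured"
    }

    # Snapshot of the workflow state (variables included) to the persistence store.
    # After an interruption the workflow resumes from here instead of re-creating servers.
    Checkpoint-Workflow

    # InlineScript runs ordinary PowerShell (not Workflow Foundation), so method calls
    # and other non-workflow syntax are allowed; $using: passes workflow variables in.
    $summary = InlineScript {
        "{0} servers processed at {1}" -f ($using:ServerNames).Count, (Get-Date).ToString('u')
    }
    $summary

    parallel {
        "Command A"
        "Command B"
        sequence {
            "Command C"
            "Command D"                 # always after C, but may precede A or B
        }
    }
}

$start = Get-Date
$output = Invoke-ProvisioningDemo
$elapsed = (Get-Date) - $start
$output
"Elapsed: {0:N0} s (about 2 rather than 6, because the loop ran in parallel)" -f $elapsed.TotalSeconds
```

Run it twice and compare the order of the "created"/"configured" lines across servers: it changes between runs, while the order within one server and the C-before-D order never do. That is the behaviour the text describes, and it is why anything that must happen in a fixed order belongs inside a sequence block.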
For more information on Azure Automation Capabilities in Depth: The Azure Automation PowerShell
Cmdlets, including currently mapped cmdlets, see:
http://go.microsoft.com/fwlink/?LinkID=511962
Lesson 3
Managing Automation
In this third lesson, you look at the methods for authoring new runbooks, how to edit and test your
runbook code, and how to publish a runbook in a live production environment. Finally, you look at
options for managing runbooks, runbook jobs, and log files.
Lesson Objectives
After completing this lesson, you should be able to:
Author runbooks.
When creating a new runbook, it is initially saved as a Draft version; using drafts enables you to validate
runbook operation before making the runbook available for production use by overwriting the existing
Published version. When you test the runbook, the Draft version is run and any output sent to the
Output Pane in the management portal for administrators.
Note that when testing a runbook, the draft runbook is executed against your live Microsoft Azure
subscription (there is no what-if option), so you must check the consequences of executing the runbook
against provisioned cloud resources before clicking Test.
Important: Because there is no what-if, and Test runs against a live environment, you
may wish to use a separate development or test subscription for developing and testing your
automation runbooks. When you have the final version of a runbook, you could then export it,
and import it into a live production subscription.
For more information on Sample runbooks for Azure Automation, see:
http://go.microsoft.com/fwlink/?LinkID=511775
For more information on how to create a runbook, see:
http://go.microsoft.com/fwlink/?LinkID=511776
Authoring Runbooks
Runbook code is edited by using the management
portal editor.
There are several approaches to authoring a
runbook:
To insert code from other runbooks, click Insert in the management portal editor, and then click
Runbook.
To insert a global setting into a runbook, click Insert in the management portal editor, then click Setting.
Then, in the Setting Action column, select the type of code that you require (such as Get Variable, Get
Connection, Get Certificate, or Get Windows PowerShell Credential). You then select from the
available assets in the center column.
To insert an Azure Activity, click Insert in the management portal editor, then select the Azure
Integration Module.
For more information on Runbook and Module Operations, see:
http://go.microsoft.com/fwlink/?LinkID=511777
Import a runbook.
Run a runbook that deploys two Azure VMs to a new storage account.
Demonstration Steps
Create a new Automation Account
1.
2.
3. On the Add a New Automation Account page, in the ACCOUNT NAME box, type ADATUMDEMO; in the REGION list, select your nearest region (use the same region you selected when you prepared the lab environment) and click OK.
2.
3.
4.
5. On the Define Credential page, in the CREDENTIAL TYPE box, select Windows PowerShell Credential, in the NAME box, type PScredential, and click the right arrow.
6. On the Define Credential page, in the USER NAME box, type AutomationDemo@<domain>, where domain is the part after the @ symbol you noted above (or paste from Notepad).
7. In the PASSWORD and CONFIRM PASSWORD boxes, type Pa$$w0rd123, and click Complete (check mark).
2.
3. On the Define Variable page, in the VARIABLE TYPE box, select String; in the NAME box, type SubscriptionName, and click the right arrow.
4. On the Define Variable Value page, in the VALUE box, type the name of your Azure trial (for example, Free Trial), and click Complete (check mark).
5.
1. Click RUNBOOKS.
2. Click IMPORT.
3. On the Select the runbook to be imported page, click BROWSE FOR FILE.
4. In the Choose File to Upload dialog box, navigate to D:\Demofiles\Mod12, select New-VMs.ps1, and click Open.
5. In the Select the runbook to be imported page, click Complete (check mark); the runbook may take 2-3 minutes to import.
2. On the new-vms page, click AUTHOR; talk students through the script.
1. On the new-vms page, at the bottom of the page, click SAVE; point out that the script is currently in DRAFT.
2.
3. At the confirmation message, click YES; note that the status of the runbook has now changed from DRAFT to PUBLISHED.
2.
3. Click JOBS.
4. The job will be submitted, then queued, and then run. Wait until you see a STATUS of Completed in the jobs list (this should take 4-5 minutes).
5.
6. On the SUMMARY page, note the information shown in the job summary section.
7.
8. Make a note of the names of the storage account and cloud service.
9.
2. Verify that your new storage account is online (the portal may take several minutes to update and show the storage).
3.
4. Verify that your new cloud service is running (the portal may take several minutes to update and show the cloud services).
5.
6. Verify that there are now two new VMs running, or being provisioned (the portal may take several minutes to update and show the VMs).
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
Implementing Automation
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Automation account (or the organizational account); these can either be deleted manually or left in place, as they do not affect subsequent labs.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Publishing Runbooks
After a runbook has been successfully tested, it can be published, ready to run on a schedule. Runbooks have Draft and Published versions: the Published version can be run or scheduled, and the Draft version can be edited or tested. Testing a runbook is the same as running it, except that it runs the Draft version; a test executes against your subscription for real and creates, changes, or deletes whatever the script targets, which is why the lab in this module stops testing once the runbook starts creating storage and VMs. The Published version is not overwritten until the Draft is published.
A runbook can be linked with multiple schedules, such as a "weekly" schedule and also a "first of each month" schedule. If a schedule is disabled, runbooks linked to that schedule will not run at the scheduled times.
A runbook job represents a single execution of a runbook, and the runbook dashboard page displays summary information about all runbook jobs for a specific runbook. The command bar on the dashboard page can be used to stop, suspend, or resume a runbook job, depending on its current status.
You can use the Configure tab to specify settings, such as runtime log settings, and the description (512 characters maximum). Log setting options are:
You can also assign tags to the runbook, and you can then filter the list of runbooks by using the search tool and typing some or all of the tag name.
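The publish, link, run and inspect sequence described above, done from PowerShell instead of the portal. This is an added example, not code from the course; it uses the classic Azure (Service Management) Automation cmdlets that the PowerShell module in this course provides, with the account name ADATUM, the runbook New-StorageAndVMs and the EndOfDay schedule from the lab. The job status values and the stream property names (Type, Text) are those of the classic module as assumed here.

```powershell
# Added example (not course material): publish the Draft, link it to the
# existing EndOfDay schedule, start one job and read its streams.
$account = 'ADATUM'
$runbook = 'New-StorageAndVMs'

# 1. Publish, then verify. Only the Published version can be scheduled or
#    started; the Draft keeps any unpublished edits.
Publish-AzureAutomationRunbook -AutomationAccountName $account -Name $runbook | Out-Null
$rb = Get-AzureAutomationRunbook -AutomationAccountName $account -Name $runbook
if ($rb.State -ne 'Published') { throw "$runbook is in state '$($rb.State)', not Published" }

# 2. Link to a schedule. A disabled schedule silently skips every runbook
#    linked to it, so check IsEnabled before relying on it.
$sched = Get-AzureAutomationSchedule -AutomationAccountName $account -Name 'EndOfDay'
if (-not $sched.IsEnabled) { Write-Warning "Schedule $($sched.Name) is disabled; linked runbooks will not run" }
Register-AzureAutomationScheduledRunbook -AutomationAccountName $account `
    -Name $runbook -ScheduleName $sched.Name | Out-Null

# 3. Start a job now and poll until it reaches a terminal state. The job is
#    the unit that the dashboard and Stop/Suspend/Resume act on.
$active = 'New', 'Activating', 'Queued', 'Running', 'Resuming', 'Suspending', 'Stopping'
$job = Start-AzureAutomationRunbook -AutomationAccountName $account -Name $runbook
do {
    Start-Sleep -Seconds 30
    $job = Get-AzureAutomationJob -AutomationAccountName $account -Id $job.Id
    Write-Verbose "Job $($job.Id): $($job.Status)"
} while ($job.Status -in $active)

# 4. Read the streams. Error and Warning are where a failed deployment shows
#    up; Output carries the storage account and cloud service names the
#    runbook wrote. Treat any status other than Completed as a failure.
$streams = Get-AzureAutomationJobOutput -AutomationAccountName $account -Id $job.Id -Stream Any
$streams | Where-Object { $_.Type -in 'Error', 'Warning' } |
    ForEach-Object { Write-Warning "$($_.Type): $($_.Text)" }
$names = $streams | Where-Object { $_.Type -eq 'Output' } | Select-Object -ExpandProperty Text
if ($job.Status -ne 'Completed') { throw "Job $($job.Id) ended with status $($job.Status)" }
$names
```

Polling the job rather than trusting the start call matters because Start-AzureAutomationRunbook returns as soon as the job is queued; the VM deployment can still fail minutes later, and that failure only surfaces in the job's Error stream.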
A. Datum wishes to minimize administrative overheads as much as possible, especially for tasks such as deploying virtual machines. For this reason, as part of A. Datum's evaluation of Microsoft Azure, you have been asked to test the new Azure Automation features and, as part of your tests, to deploy Azure virtual machines using runbook automation.
Objectives
After completing this lab, you will be able to:
Configure automation accounts
Create runbooks
Lab Setup
Estimated Time: 45 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
A. Datum administrators frequently spend time creating storage accounts and Azure VMs. You want to
increase administrator productivity by using Automation to execute these tasks and free administrators to
continue with other tasks.
The main tasks for this exercise are as follows:
1. Create an Automation Account
2. Configure an Account
2. In the Management Portal, create a new user in the default directory called AutomationUser, with the User role; note that you are creating an organizational account, and you will make this account a co-administrator of the Azure subscription.
3. Note the temporary password page, and the full username (including the part after the @ symbol); you might want to copy this to Notepad.
5. Sign out of the portal, then sign in as your new AutomationUser using the temporary password, and then change the password to Pa$$w0rd123.
In the Management Portal, select your ADATUM Automation account, and add a CREDENTIAL asset:
o Name: PScredential
o User name: AutomationUser@<domain> (where domain is the part after the @ symbol you noted above).
o Password: Pa$$w0rd123
In the Management Portal, select your ADATUM Automation account, and add the following String type variables:
o Name: SubscriptionName, Value: the name of your Azure trial (e.g. Free Trial)
o Name: Network, Value: ADATUM-VNET
o Name: Subnet, Value: Subnet-1
In the Management Portal, select your ADATUM Automation account, and add the following Schedule:
o NAME: EndOfDay
o TYPE: DAILY
Results: After completing this exercise, you will have configured a new Azure Automation account, and
created a new Azure organizational account to use with Azure Automation.
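The same assets, created from PowerShell instead of the portal. This is an added example, not course material; it uses the classic Azure Automation cmdlets of the module this course installs. <domain> is the tenant suffix you noted in step 3, and the 18:00 start time for EndOfDay is an assumption (the lab only says DAILY).

```powershell
# Added example (not course material): creates the credential, variable and
# schedule assets of exercise 1 with the classic Azure Automation cmdlets.
$account = 'ADATUM'
$domain  = '<domain>'   # placeholder: the part after @ noted in step 3

# Credential asset. The password is typed once as a SecureString, stored
# encrypted by Automation, and never appears in runbook text or shell history.
$secure = Read-Host -Prompt "Password for AutomationUser@$domain" -AsSecureString
$psCred = New-Object System.Management.Automation.PSCredential("AutomationUser@$domain", $secure)
New-AzureAutomationCredential -AutomationAccountName $account -Name 'PScredential' `
    -Value $psCred -Description 'Organizational account (co-administrator) used by runbooks'

# String variables the runbook reads with Get-AutomationVariable. Unencrypted
# variables are readable by anyone who can open the account, so keep secrets
# out of them and in credential assets.
$variables = @{
    SubscriptionName = 'Free Trial'   # the display name of your subscription
    Network          = 'ADATUM-VNET'
    Subnet           = 'Subnet-1'
}
foreach ($name in $variables.Keys) {
    New-AzureAutomationVariable -AutomationAccountName $account -Name $name `
        -Value $variables[$name] -Encrypted $false
}

# Daily schedule. The start time must lie in the future, otherwise creation
# fails; 18:00 tomorrow is an assumed 'end of day'.
$start = (Get-Date).Date.AddDays(1).AddHours(18)
New-AzureAutomationSchedule -AutomationAccountName $account -Name 'EndOfDay' `
    -StartTime $start -DayInterval 1

# Check what was stored. The credential reports only the user name; the
# password can be read only by a running runbook via Get-AutomationPSCredential.
Get-AzureAutomationCredential -AutomationAccountName $account -Name 'PScredential' |
    Select-Object Name, UserName
Get-AzureAutomationVariable -AutomationAccountName $account |
    Select-Object Name, Value, Encrypted
Get-AzureAutomationSchedule -AutomationAccountName $account -Name 'EndOfDay' |
    Select-Object Name, StartTime, IsEnabled
```

The division of assets is the security point of this exercise: the runbook text is visible to every operator of the Automation account, so anything secret (the co-administrator password) lives in a credential asset, and only non-secret configuration (subscription name, network and subnet names) goes into plain variables.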
As part of your tests of the new Azure Automation features, you will now deploy Azure virtual machines
using runbook automation, and will author, test, and run a new runbook to deploy two virtual machines
using parallel workflow.
The main tasks for this exercise are as follows:
1. Create a Runbook
2. Publish a Runbook
3. Test a Runbook
4. Reset the Environment
2. Select New-StorageAndVMs, and click AUTHOR; note that the script includes basic credential and subscription configuration only.
4. Select and copy all the text from #CODE BLOCK A ... to #CODE BLOCK A END. This code block calculates unique names for the storage account and cloud service names.
5. Switch to Internet Explorer, and on the new-storageandvms page, in the runbook, click in line 12, and paste the text.
8. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT PANE bar before proceeding.
9. In the OUTPUT PANE, verify that storage account and cloud service account names are displayed; these are variables only at this stage.
10. Switch to Notepad, and select and copy all the text from #CODE BLOCK B ... to #CODE BLOCK B END; this code block places the name of the latest Windows Server 2012 R2 image into a variable.
11. Switch to Internet Explorer, and on the new-storageandvms page, in the runbook, after the code
you previously pasted (but before the final "}"), paste the text.
12. At the bottom of the page, click TEST.
13. At the confirmation message, click YES.
14. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT
PANE bar before proceeding.
15. In the OUTPUT PANE, verify that storage account and cloud service account names are displayed,
and that the latest Windows Server 2012 R2 image name is also shown.
16. Switch to Notepad, and select and copy all the text from #CODE BLOCK C ... to #CODE BLOCK C END; this code block sets the value of local variables using Automation Asset variables.
17. Switch to Internet Explorer, and on the new-storageandvms page, in the runbook, after the code
you previously pasted (but before the final "}"), paste the text.
18. At the bottom of the page, click TEST.
19. At the confirmation message, click YES.
20. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT
PANE bar before proceeding.
21. In the OUTPUT PANE, verify that, in addition to the previous variables, the Asset variables you
defined earlier are now listed.
22. Switch to Notepad, and select and copy all the text from #CODE BLOCK D ... to #CODE BLOCK D END; this code block creates a new storage account, and associates it with your Azure subscription.
23. Switch to Internet Explorer, and on the new-storageandvms page, in the runbook, after the code
you previously pasted (but before the final "}"), paste the text.
24. At the bottom of the page, click SAVE; you will not test this code at this stage, as testing will create
the storage and the objective is to automate storage creation and VM deployment as one scripted
operation.
25. Switch to Notepad, and select and copy all the text from #CODE BLOCK E ... to #CODE BLOCK E END; this code block deploys two new VMs, using the workflow parallel operation.
26. Switch to Internet Explorer, and on the new-storageandvms page, in the runbook, after the code
you previously pasted (but before the final "}"), paste the text.
27. At the bottom of the page, click SAVE; you will not test this code at this stage, as testing will deploy
VMs and the objective is to automate storage creation and VM deployment as one scripted
operation; you will run the script later in this lab.
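An added illustration of the shape the runbook takes once blocks A to E are in place. It is not the course's New-StorageAndVMs.ps1 (the code blocks themselves are in the lab files, not on this page). The asset names PScredential, SubscriptionName, Network and Subnet are the lab's; the VMAdminCredential asset, the naming scheme, the instance size and the one-cloud-service-per-VM layout are assumptions. The cmdlets are the classic Azure (Service Management) ones this course uses.

```powershell
# Added illustration of the finished runbook's structure. NOT the course's
# New-StorageAndVMs.ps1; the VMAdminCredential asset, the name scheme, the
# instance size and one cloud service per VM are assumptions.
workflow New-StorageAndVMs
{
    # Blocks A/C equivalent: everything secret or environment-specific comes
    # from Automation assets. The runbook text is visible to every operator of
    # the account, so it must never contain a password or key.
    $cred     = Get-AutomationPSCredential -Name 'PScredential'
    $subName  = Get-AutomationVariable -Name 'SubscriptionName'
    $vnetName = Get-AutomationVariable -Name 'Network'
    $subnet   = Get-AutomationVariable -Name 'Subnet'
    $vmAdmin  = Get-AutomationPSCredential -Name 'VMAdminCredential'   # assumed asset

    # PScredential is an organizational (Azure AD) account; a Microsoft account
    # cannot sign in non-interactively, which is why the lab creates AutomationUser.
    Add-AzureAccount -Credential $cred
    Select-AzureSubscription -SubscriptionName $subName

    # Unique storage account and cloud service names (globally scoped, lower
    # case, 3-24 characters). No method calls here: a workflow only allows
    # them inside InlineScript.
    $suffix      = Get-Date -Format 'yyMMddHHmm'
    $storageName = "adatumst$suffix"
    $location    = (Get-AzureVNetSite -VNetName $vnetName).Location

    # Block B equivalent: newest Windows Server 2012 R2 Datacenter gallery image.
    $imageName = (Get-AzureVMImage |
        Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
        Sort-Object PublishedDate -Descending |
        Select-Object -First 1).ImageName

    Write-Output "Storage account: $storageName"
    Write-Output "Image: $imageName"

    # Block D equivalent: the storage account must exist before any VM, so this
    # part stays sequential. Testing the Draft from here on creates real
    # resources, which is why the lab stops testing at this point.
    New-AzureStorageAccount -StorageAccountName $storageName -Location $location
    Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccountName $storageName

    # Extract the VM admin password once, inside InlineScript (it is a method call).
    $vmAdminUser = $vmAdmin.UserName
    $vmAdminPass = InlineScript { ($using:vmAdmin).GetNetworkCredential().Password }

    # Block E equivalent: both VMs in parallel. Each gets its own cloud service
    # so the two branches never modify the same deployment at the same time,
    # which the classic platform rejects with a conflict error.
    foreach -parallel ($i in 1, 2)
    {
        $vmName      = "ADATUM-VM$i"
        $serviceName = "adatumsvc$suffix$i"
        New-AzureQuickVM -Windows `
            -ServiceName   $serviceName `
            -Name          $vmName `
            -ImageName     $imageName `
            -AdminUsername $vmAdminUser `
            -Password      $vmAdminPass `
            -Location      $location `
            -InstanceSize  'Small' `
            -VNetName      $vnetName `
            -SubnetNames   $subnet
        Write-Output "Cloud service: $serviceName (VM $vmName)"
    }
}
```

Two things to check when adapting this: the VM administrator password is pulled from a second credential asset rather than typed into the script, and the parallel block only contains work that is independent per branch (the shared storage account is created before it). Publishing this runbook with a literal password in it would expose that password to every Automation operator and in every job's definition history.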
2. On the new-storageandvms page, publish the runbook; note that the status has now changed from DRAFT to PUBLISHED.
3. Click LINK TO AN EXISTING SCHEDULE, and note that the EndOfDay schedule you created is available to be used; do not link to the existing schedule.
4.
o NAME: TEST
o START TIME: select today's date and set the time to the current PC time plus five minutes
5. In the schedule list, note the NEXT RUN time, and that the scheduled job is enabled.
6. In the jobs list, verify that the STATUS shows as Completed, and then click your job.
2. On the SUMMARY page, note the information shown in the job summary section.
4. Make a note of the names of the storage account and cloud services; you might want to copy them to Notepad.
5. In the Management Portal, under STORAGE, verify that your new storage account is online.
6. In the Management Portal, under CLOUD SERVICES, verify that your new cloud services are running.
7. In the Management Portal, under VIRTUAL MACHINES, verify that there are two new VMs running. Note that the portal display can take several minutes to update.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Automation account (or the organizational account); these can either be deleted manually or left in place, as they do not affect subsequent labs. Bear in mind that AutomationUser is a co-administrator of the subscription with a password that is printed in this manual; if the subscription outlives the course, remove that account or change its password.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have authored, tested, and run a new runbook to deploy two virtual machines.
Managing automation by creating and publishing runbooks and scheduling jobs.
Review Question(s)
Question: When deploying virtual machines to Windows Azure, why would you choose to
use Azure Automation rather than regular Windows Azure PowerShell scripts?
Module 13
Microsoft Azure Solutions
Contents:
Module Overview
Module Overview
Now that you have a technical understanding of many Azure services, you can use your knowledge to
solve business problems for customers. In this module, you will read about and discuss two detailed
scenarios. The instructor will help you to propose an outline solution for each scenario, in which Azure
services are used to solve project goals.
Note: Throughout the scenarios in this module, no definitive correct answer or solution is
implied. Instead, the module is a chance to demonstrate and consolidate your understanding by
proposing innovative architectures that maximize performance and use Azure services. Treat each
scenario as you would a customer project.
Objectives
At the end of this module, you will be able to:
Plan a migration project and architect an Azure solution that addresses a typical medium-sized manufacturing company's business needs using cloud technologies.
Plan a new software as a service (SaaS) offering, built from components of Microsoft Azure.
Lesson 1
In this lesson, you will examine the business requirements of a fictitious company called Tailspin Toys and
plan a solution based on Azure to address those requirements. Use the knowledge you have gained in this
course to suggest which Azure services should be used and how the solution should be designed.
Lesson Objectives
At the end of the lesson, you will be able to:
Analyze a company's business needs in terms of the Azure services that can be used to address them.
Architect a detailed solution plan that uses a wide range of Azure features.
Existing Situation
Tailspin Toys is a medium size company that manufactures remote control aircraft. With headquarters in Sydney, Australia, the company also has regional offices in London and Stockholm. A new office will be opened in Washington DC in the next few months. Tailspin Toys has partnered with A. Datum over many years and has expressed an interest in the work A. Datum is doing to migrate systems to Microsoft Azure.
Business Systems
Tailspin Toys runs the following business-critical
systems:
Microsoft Exchange. This is hosted on three servers in Sydney and one server each in London and
Stockholm.
Custom manufacturing management system. These systems use Microsoft SQL Server databases
and desktop client applications written in Visual C#. Clients log in to the SQL Servers by using
Windows Authentication and accounts stored in Active Directory. The manufacturing management
system is used by manufacturing personnel.
A third-party CRM system. This system uses an Oracle database and a set of web services written in
PHP that run on two Apache servers in Sydney. Clients connect to the PHP servers from a set of client
applications that run on phones, tablets, and Windows computers. The CRM system is used mostly by
sales and marketing personnel.
A third-party document management system. This system has a website that acts as a front end
and a Microsoft SQL Server database where document metadata is maintained. Documents
themselves are stored outside the database on a Windows file and print server. All servers that
support this system are located in Sydney. The document management system is used by product
engineers and technical writers.
Data Centers
Tailspin Toys has a data center with 10 servers in the Sydney headquarters. This data center has the
following features:
Climate control.
Users
Tailspin Toys has around 2,000 users globally. Relevant teams are distributed as follows:
IT Department
In Sydney, Tailspin Toys has a staff of 24 people in the IT department. This includes a team of 10 developers who maintain the custom systems and work on integration projects. There are also four full-time database administrators (DBAs) and five systems administrators. In addition, there is a 24-hour help desk staffed by 10 people. Finally, there are two systems architects.
To increase the availability of the CRM system. The CRM system depends on Oracle and Apache
servers in Sydney. Occasionally, network problems and server failures have resulted in a loss of service
to users. In the last year, the system has only achieved 92 percent uptime.
To increase the performance of the CRM system. Users in the Sydney office report good performance
but those in the field, and especially those in Europe, report poor performance and frequently long
delays or lack of responsiveness from the client software.
In the second part of the project, the third party document management system will be migrated to the
cloud. Again, no modifications can be made to the system code. The goals of this phase of the project are
as follows:
To increase the performance of the document management system. As for the CRM system,
document management system users report slow performance and occasional unresponsiveness
when the system is used from locations other than the Sydney premises.
To ensure that the performance of the document management system is equal for all users whatever
their location.
In the third part of the project, the Tailspin Toys manufacturing management system will be migrated to
the cloud. You can work with the development team to make minor modifications to the system, but the
board want the migration to be completed quickly. The goals for this phase of the project are as follows:
To replace the aging server hardware that runs Microsoft SQL Server for the manufacturing
management system.
Which Azure Network Services, if any, would improve performance and access for the current system?
Remember to keep the overall project goals in mind as you consider the goals for each phase of the
project.
How can you ensure that system users can continue to connect and authenticate with the minimum amount of disruption?
How can you ensure that the solution qualifies for the Azure SLA?
How can you ensure that performance is maximized for all users, regardless of their location?
How will the solution address the goals for the current phase?
How will the solution address the overall goals for the project?
How can you ensure that the solution accommodates the planned expansion into North America?
How can you assure budget holders that the solution will be worthwhile?
Lesson 2
In this lesson, you will examine the business requirements for a new system required by A. Datum: a
software update distribution system. You will propose a cloud solution for this project that uses
components of Azure. Use the knowledge you have gained in this course to suggest which Azure services
should be used and how the solution should be designed.
Lesson Objectives
At the end of this lesson, you will be able to:
Analyze business requirements and choose Azure services that can be used to satisfy those
requirements.
Choose components of Azure that you can use, in collaboration with developers, to build a software
update distribution service.
Business Requirements
A. Datum is planning a new service to its customers for distributing software updates for its high-end command and control systems. You have proposed that the central components of this system should be hosted on Azure to ensure high availability and reliability without the attendant costs of hardware and data center infrastructure. The board has asked you to provide a detailed project proposal.
The proposed system must be able to host software updates for both desktop applications and
mobile apps.
The proposed system must be able to alert clients when a new update is available.
The proposed system must store a range of metadata for each update, such as version number,
change list, publication data, a description of each bug that the update fixes, and a description of
each new feature.
Client applications will use REST requests through TCP port 80 to communicate with the centralized service. Your solution must include compatible RESTful services.
Video presentations, with demonstrations of the latest features, will be published with each software
update. Your system must be able to stream these videos to clients.
The system must be able to distribute software updates to all A. Datum customers, which are spread
throughout the world.
The system must ensure that clients are authenticated and prevent as many impersonation attacks as
possible.
Which Azure service can you use to store the software updates themselves? These updates will be in
several types of package file, ready for download to different clients.
Which Azure service can you use to store metadata for the software updates?
How can you ensure that updates are available for efficient download anywhere in the world?
How will the different components of the system communicate? Consider storage, database, frontend server components, and clients. Plan IaaS or PaaS cloud services, endpoints, and any IP
addressing schemes. Consider communication within Azure regions, between Azure regions, and from
on-premises locations.
How can you ensure that the solution qualifies for the Azure SLA?
How will you authenticate clients and prevent impersonation when the client requirement is plain REST over TCP port 80 (unencrypted HTTP)? Can a client verify that the package it downloaded is the one that was published?
How can you ensure that performance is maximized for all users, regardless of their location?
How can you assure budget holders that the solution will be worthwhile?
In this module, you have discussed two real-world scenarios, in which Azure can be used to build a
scalable solution. You should now understand how the individual Azure services you have seen in this
course can be combined to build highly functional and flexible solutions.
Best Practice:
When planning Azure solutions, always ensure your plan is scalable and qualifies for the Azure SLA.
Bear in mind that budget holders will need to be assured that your solution is cost-effective as well as
technically brilliant.
Remember that there may be several different approaches that satisfy your requirements.
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.
3. In the pane on the left, click WEB SITES. Then at the bottom of the websites page, click NEW, and click CUSTOM CREATE.
4. In the Create Web Site dialog box, apply the following settings and click the Next icon.
5. On the Specify database settings page, apply the following settings and click the Complete icon:
o NAME: AssetsDB
6. Wait for the new website to be created and its status to change to Running. Then in the pane on the left click SQL DATABASES and verify that the AssetsDB database you specified has also been created.
7. Click the name column of the AssetsDB database, and then in the assetsdb page, click the DASHBOARD tab and view the summary information there.
At the top-right of the Microsoft Azure full portal, click your Microsoft account name and then click
Switch to new portal. This opens a new tab in Internet Explorer.
2. When the preview portal is loaded, view the tiles in the Startboard, noting the service health of the Azure datacenters and the billing status for your subscription.
3. In the hub menu, click BROWSE and then click Resource Groups.
4. In the Resource groups blade, note the resource groups that were created automatically for the website and SQL database you created in the previous task. These should have names similar to Default-SQL-SelectedRegion and Default-Web-SelectedRegion.
5. Click the Default-SQL-SelectedRegion resource group and verify that it contains the AssetsDB database you created previously.
8. In the Storage, cache, + backup blade, click Storage and then click Create.
9. In the Storage account blade, enter the following settings and click Create:
10. In the hub menu, click NOTIFICATIONS, and view the progress of the Creating Storage task. This may take a few minutes.
11. When the storage account has been created, close the Notifications pane. Then in the hub menu, click BROWSE, click Resource Groups, and in the Resource groups blade, click the Default-SQL-SelectedRegion resource group and verify that this resource group now contains both the AssetsDB database and the new storage account you just created.
12. In Internet Explorer, switch to the tab containing the full Azure portal and in the pane on the left, click
the ALL ITEMS icon. Then refresh the page and note that the storage account you created in the
preview portal is listed in the all items page.
At the top-right of the Microsoft Azure full management portal, click your Microsoft account name
and then click View my bill. This opens a new tab in Internet Explorer. If prompted, sign in using the
Microsoft account credentials associated with your Azure subscription.
2. On the subscriptions page, click your subscription. Then review the summary of usage and billing that is displayed.
Note: If your account has been recently created, the subscriptions page may display an error. If you see this error, return to this page later to view billing information.
4. Click the preview features tab, and note the available preview features. You can add preview features to your subscription and start using them as soon as they have been provisioned.
Results: At the end of this exercise, you should have created a website and a SQL database in your Azure
subscription and used Azure PowerShell to obtain information about them.
1. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes when prompted.
2. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure account to the local PowerShell environment:
Add-AzureAccount
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
4. In the PowerShell ISE, in the command prompt pane, enter the following command to view the Azure accounts in your local PowerShell environment, and verify that your account is listed:
Get-AzureAccount
5. Enter the following command to view the subscriptions that are connected to the local PowerShell session, and verify that your subscription is listed:
Get-AzureSubscription
1. In the Windows PowerShell ISE, click File and then click Open.
2. In the Open dialog, browse to D:\Labfiles\Lab01\Starter, click ExampleCommands.ps1 and then click Open.
10. On the toolbar, click the Run Selection button and wait for the script and its results to be displayed in the command prompt pane. The results should list the name and status of the storage account you created in the previous exercise.
11. In the Script pane, locate and select the following code:
<#Insert a command that gets all websites here#>
18. On the toolbar, click the Run Selection button and wait for the script and its results to be displayed in the command prompt pane. The results should list the name and state of the website.
19. In the Script pane, locate and select the following code:
<#Insert a command that gets all database servers here#>
24. On the toolbar, click the Run Selection button and wait for the script and its results to be displayed in the command prompt pane. The results should list the name of each database server and the name and size of each database.
25. In the command prompt pane, enter cls and press Enter to clear the screen.
1. In the Windows PowerShell ISE, in the Console pane, type the following command, and then press Enter:
Switch-AzureMode -Name AzureResourceManager
5. On the toolbar, click the Run Selection button and wait for the script and its results to be displayed in the command prompt pane. The results should list all the resource groups in your subscription.
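An added example, not the lab's ExampleCommands.ps1: one inventory pass that does what the three placeholder commands and the resource-group listing ask for, so the subscription's contents can be recorded before the Reset-Azure script runs and compared afterwards. It assumes the session is already signed in with Add-AzureAccount, and uses the classic cmdlets and Switch-AzureMode exactly as this lab does; the CSV path is an assumption.

```powershell
# Added example (not the lab's ExampleCommands.ps1): one inventory pass over
# the subscription, Service Management objects first, then Resource Manager
# resource groups. Assumes Add-AzureAccount has already been run.
function Get-SubscriptionInventory {
    $items = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Type, $Name, $Location, $Detail)
        $items.Add([pscustomobject]@{ Type = $Type; Name = $Name; Location = $Location; Detail = $Detail })
    }

    Switch-AzureMode -Name AzureServiceManagement
    # Exercise 1 result: name and status of each storage account.
    foreach ($sa in Get-AzureStorageAccount) {
        & $add 'StorageAccount' $sa.StorageAccountName $sa.Location $sa.StorageAccountStatus
    }
    # Placeholder 1: all websites, with their state.
    foreach ($site in Get-AzureWebsite) {
        & $add 'Website' $site.Name $site.Location $site.State
    }
    # Placeholder 2: every database server, and the name and size of each database.
    foreach ($srv in Get-AzureSqlDatabaseServer) {
        foreach ($db in Get-AzureSqlDatabase -ServerName $srv.ServerName) {
            & $add 'SqlDatabase' "$($srv.ServerName)/$($db.Name)" $srv.Location "$($db.MaxSizeGB) GB $($db.Edition)"
        }
    }

    # Resource groups exist only in Resource Manager mode: switch, query, switch back.
    Switch-AzureMode -Name AzureResourceManager
    foreach ($rg in Get-AzureResourceGroup) {
        & $add 'ResourceGroup' $rg.ResourceGroupName $rg.Location $rg.ProvisioningState
    }
    Switch-AzureMode -Name AzureServiceManagement

    $items | Sort-Object Type, Name
}

# Record the baseline before Reset-Azure runs; a second run afterwards shows
# exactly what the script could not delete (for example a storage account it
# could not get exclusive access to).
$before = Get-SubscriptionInventory
$before | Format-Table -AutoSize
$before | Export-Csv -Path "$env:USERPROFILE\Desktop\azure-inventory-before.csv" -NoTypeInformation
```

Keeping an inventory like this is also the quickest way to notice resources that nobody in the lab created, which in a shared or trial subscription is the first sign that credentials have leaked.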
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error, if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you should have written PowerShell commands that retrieve
information about the services and resource groups in your Azure subscription.
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. On the task bar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes when prompted.
3. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and then press Enter to add an Azure account to the local PowerShell environment:
Add-AzureAccount
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
5. In the Windows PowerShell ISE, click File and then click Open.
8. If the Script pane is not visible, on the View menu, click Show Script Pane.
9. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureSubscription
10. In the Windows PowerShell ISE, in the command prompt pane, select the subscription name, then right-click, and click Copy.
11. In the Windows PowerShell ISE, in the Script pane, paste the subscription name.
12. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Update-Help
13. In the Windows PowerShell ISE, in the command prompt pane, enter the following command to clear the screen and press Enter:
cls
15. In the Windows PowerShell ISE, in the Script pane, type your Location 1 and Location 2 details into ExampleCommands.ps1.
16. In the Windows PowerShell ISE, click File, and then click Save.
Note: For Location 1 and Location 2 use two Azure regions close to your physical location. Your instructor will provide this information.
5. In the navigation pane, click Network Services, click Virtual Network, and then click Custom Create.
6. In the Virtual Network Details dialog box, in the NAME field, enter ADATUM-HQ-VNET.
7. Under LOCATION, select your Location 1, then click the right arrow.
8. In the DNS Servers and VPN Connectivity page, under DNS SERVERS, in the NAME box, type ADATUM-DNS, in the IP ADDRESS box, type 10.0.1.4, and click the right arrow.
9. In the Virtual Network Address Spaces page, in the ADDRESS SPACE section, change the STARTING IP to 10.0.1.0, and under CIDR (ADDRESS COUNT) select /24 (256).
10. In the Virtual Network Address Spaces page, in the SUBNETS section, ensure that the STARTING IP is 10.0.1.0, and under CIDR (ADDRESS COUNT) select /25 (128); if you cannot view the CIDR list, delete the 10.0.1.0 under STARTING IP, then type 10.0.1.0 again.
11. Note the Usable address range.
12. Click the check mark on the bottom right of the dialog box.
13. You have now set up a virtual network in Microsoft Azure.
14. On the bottom of the networks page, click the EXPORT button.
15. In the Export network configuration dialog box, ensure your subscription is selected, and click the checkmark.
16. On the pop-up box, click Save, then click Save as.
17. Save the NetworkConfig.xml file to the desktop on your computer.
18. On the Windows Taskbar, click File Explorer and navigate to the desktop.
19. Right-click NetworkConfig.xml and click Edit.
20. Copy everything between <VirtualNetworkSites> and </VirtualNetworkSites>.
21. Paste the copied text just before </VirtualNetworkSites>; you should now have two identical VirtualNetworkSite sections in the XML file.
22. Make the following changes to the second VirtualNetworkSite section in the XML file:
26. In the Windows PowerShell ISE, in the command prompt pane, enter the following command (replacing C:\path with the folder where you saved the file) and press Enter. Note that Set-AzureVNetConfig replaces the whole network configuration of the subscription with the contents of the file; a virtual network that is absent from the file is deleted, so check the file before running the command:
Set-AzureVNetConfig C:\path\NetworkConfig.xml
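An added example, not the lab's own procedure, that performs the copy-and-edit of steps 20 to 22 in script, checks that no two sites' address spaces overlap (the two networks are about to be joined by a VPN, and overlapping ranges cannot be routed across it), and then applies the file. The second site's name ADATUM-BRANCH-VNET, its 10.0.2.0/24 range and the use of Location 2 are assumptions; the page only shows that the branch VM later receives 10.0.2.4. The XML element and attribute names are those of the exported NetworkConfig.xml as assumed here.

```powershell
# Added example (not the lab's procedure): script form of steps 20-22 plus an
# overlap check, then Set-AzureVNetConfig. Branch name, range and Location 2
# are assumptions.
$Path      = "$env:USERPROFILE\Desktop\NetworkConfig.xml"
$NewName   = 'ADATUM-BRANCH-VNET'   # assumed
$Location2 = 'East US'              # your Location 2
$NewPrefix = '10.0.2.0/24'          # assumed; the branch VM is 10.0.2.4

function ConvertTo-Range([string]$Cidr) {
    # First and last address of a CIDR block as integers, for overlap tests.
    $ip, $bits = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [array]::Reverse($bytes)                      # network order -> little-endian
    $n     = [BitConverter]::ToUInt32($bytes, 0)
    $size  = [math]::Pow(2, 32 - [int]$bits)
    $start = [int64]($n - ($n % $size))           # clear the host bits
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = [int64]($start + $size - 1) }
}

[xml]$cfg = Get-Content -Path $Path -Raw
$sites = $cfg.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites
$hq = @($sites.VirtualNetworkSite) | Where-Object { $_.name -eq 'ADATUM-HQ-VNET' }
if (-not $hq) { throw "ADATUM-HQ-VNET not found in $Path" }

# Steps 20-22: duplicate the HQ site and change what must differ. The cloned
# subnet keeps the same /25 shape inside the new /24; the DnsServersRef still
# points at ADATUM-DNS (10.0.1.4), which the branch reaches only over the VPN.
$branch = $hq.CloneNode($true)
$branch.name     = $NewName
$branch.Location = $Location2
$branch.AddressSpace.AddressPrefix   = $NewPrefix
$branch.Subnets.Subnet.AddressPrefix = $NewPrefix -replace '/24$', '/25'
[void]$sites.AppendChild($branch)

# Isolated sites may overlap, but these two will be connected; catch it here.
$ranges = foreach ($site in @($sites.VirtualNetworkSite)) {
    foreach ($prefix in @($site.AddressSpace.AddressPrefix)) {
        ConvertTo-Range $prefix | Add-Member -NotePropertyName Site -NotePropertyValue $site.name -PassThru
    }
}
for ($i = 0; $i -lt $ranges.Count; $i++) {
    for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
        if ($ranges[$i].Start -le $ranges[$j].End -and $ranges[$j].Start -le $ranges[$i].End) {
            throw "$($ranges[$i].Site) $($ranges[$i].Cidr) overlaps $($ranges[$j].Site) $($ranges[$j].Cidr)"
        }
    }
}

$cfg.Save($Path)
# Set-AzureVNetConfig replaces the subscription's whole network configuration:
# a site missing from the file is deleted, so review the file before applying.
Set-AzureVNetConfig -ConfigurationPath $Path
Get-AzureVNetSite | Select-Object Name, Location
```

The overlap test is the part worth keeping even if you edit the XML by hand: two ranges overlap exactly when each one's first address is no later than the other's last, and checking that before the import is far cheaper than discovering it when the site-to-site connection in the next exercise refuses to route.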
2. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
CD D:\Labfiles\Lab02\Starter
3. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
.\CreateVirtualMachines1.ps1
When prompted for your primary Azure region, enter the number of your Location 1, and press
Enter.
5. The script may take 20 - 25 minutes to complete; when the script has completed, verify that the following information is displayed:
o Name: AdatumWestSvr1
  IPAddress: 10.0.1.4
  InstanceStatus: ReadyRole
  PowerState: Started
6. Close the Windows PowerShell ISE. Important: do not run the second script in the same instance of PowerShell.
7. On the task bar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes when prompted.
8. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
CD D:\Labfiles\Lab02\Starter
9. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
.\CreateVirtualMachines2.ps1
10. When prompted for your secondary Azure region, enter the number of your Location 2, and press
Enter.
11. The script may take 10 - 15 minutes to complete; when the script has completed, verify that the
following information is displayed:
o Name: AdatumEastSvr1
  IPAddress: 10.0.2.4
  InstanceStatus: ReadyRole
  PowerState: Started
12. Do not proceed to the next exercise until the script operation is complete.
Results: After completing this exercise, you will have created virtual networks for A. Datum HQ and
branch, and deployed a virtual machine to each network.
2.
3.
4.
5. On the Specify your local network details page, in the NAME box, type ADATUM-HQ-LOCALNET, and in the VPN DEVICE IP ADDRESS box, type 1.1.1.1 (as a temporary placeholder address), and then click the right arrow.
6. On the Specify the address space page, under STARTING IP type 10.0.1.0, and under CIDR (ADDRESS COUNT) select /24 (256).
7. Click the check mark on the bottom right of the dialog box.
8. At the bottom right of the page, click + NEW, and then click ADD LOCAL NETWORK.
9. On the Specify your local network details page, in the NAME box, type ADATUM-BRANCH-LOCALNET, and in the VPN DEVICE IP ADDRESS box, type 2.2.2.2 (as a temporary placeholder address), and then click the right arrow.
10. On the Specify the address space page, under STARTING IP type 10.0.2.0, and under CIDR
(ADDRESS COUNT) select /24 (256).
11. Click the check mark on the bottom right of the dialog box.
12. On the networks page, click VIRTUAL NETWORKS.
13. On the networks page, next to ADATUM-HQ-VNET, click the arrow.
14. On the adatum-hq-vnet page, click CONFIGURE.
15. On the adatum-hq-vnet page, select the Connect to the local network check box.
16. In the LOCAL NETWORK box, select ADATUM-BRANCH-LOCALNET.
17. Click add gateway subnet.
18. At the bottom of the page, click SAVE.
19. At the warning message, click YES.
20. On the adatum-hq-vnet page, click the large left arrow.
21. Repeat steps 13 to 19 to configure ADATUM-BRANCH-VNET to connect to ADATUM-HQ-LOCALNET; note that if a gateway subnet already exists, you cannot create another one.
22. On the adatum-branch-vnet page, click the large left arrow.
23. On the networks page, next to ADATUM-HQ-VNET, click the arrow.
24. On the adatum-hq-vnet page, click DASHBOARD; note that the page shows that a gateway has not
yet been created.
25. At the bottom of the page, click CREATE GATEWAY, and then click Dynamic Routing.
26. At the Do you want to create a gateway message, click YES.
2.
3. On the adatum-hq-vnet page, click DASHBOARD; note that the page now shows that a gateway has been created, but is not yet connected.
4.
5. Repeat steps 2 to 4 above, and note the GATEWAY IP ADDRESS for ADATUM-BRANCH-VNET:
_______________________________________
6.
7.
8.
9. On the Specify your local network details page, in the VPN DEVICE IP ADDRESS box, type the gateway IP address for ADATUM-HQ-VNET that you noted in step 4 above, and then click the right arrow.
10. On the Specify the address space page, click the check mark on the bottom right of the dialog box.
11. On the networks page, click LOCAL NETWORKS.
12. Click ADATUM-BRANCH-LOCALNET, and at the bottom of the page, click EDIT.
13. On the Specify your local network details page, in the VPN DEVICE IP ADDRESS box, type the
gateway IP address for ADATUM-BRANCH-VNET that you noted in step 5 above, and then click the
right arrow.
14. On the Specify the address space page, click the check mark on the bottom right of the dialog box.
15. Switch to Windows PowerShell ISE.
16. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
17. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
21. On the adatum-hq-vnet page, click DASHBOARD; note that the page now shows that a gateway
has been created, and connected; note that it may take several minutes for the configuration to be
updated in the portal.
22. On the adatum-hq-vnet page, click the large left arrow.
23. On the networks page, next to ADATUM-BRANCH-VNET, click the arrow.
24. On the adatum-branch-vnet page, click DASHBOARD; note that the page now shows that a
gateway has also been created and connected for this virtual network; note that it may take several
minutes for the configuration to be updated in the portal.
25. Switch to Windows PowerShell ISE.
26. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Get-AzureVNetConnection -VNetName ADATUM-HQ-VNET | ft LocalNetworkSiteName, ConnectivityState
Results: After completing this exercise, you will have connected the A. Datum HQ and branch virtual
networks, and deployed dynamic routing gateways for each virtual network.
2. Double-click AdatumWestSvr1.
3. If a Remote Desktop Connection warning message appears, select the Don't ask me again for connections to this computer check box, and click Connect.
4. In the Windows Security dialog box, type the following credentials, and click OK:
o Password: Pa$$w0rd123
5. If another Remote Desktop Message appears, select the Don't ask me again for connections to this computer check box, and click Yes.
6.
7.
8. Double-click AdatumEastSvr1.
9. If a Remote Desktop Connection warning message appears, select the Don't ask me again for connections to this computer check box, and click Connect.
10. In the Windows Security dialog box, type the following credentials, and click OK:
o Password: Pa$$w0rd123
11. If another Remote Desktop Message appears, select the Don't ask me again for connections to this computer check box, and click Yes.
12. Minimize the AdatumEastSvr1 RDP session.
2.
3.
4. If the status of Windows Firewall shows as On for the Public profile, click Public:On.
5.
6. Under Public network settings, click Turn off Windows Firewall, and then click OK.
7.
8.
9.
2.
3. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Test-NetConnection AdatumEastSvr1.adatum.msft
4. Verify that AdatumEastSvr1 responds to ICMP messages, and note the IP address that responds:
_______________________________________
5.
6.
7.
8.
9. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
Test-NetConnection AdatumWestSvr1.adatum.msft
10. Verify that AdatumWestSvr1 responds to ICMP messages, and note the IP address that responds:
_______________________________________
11. Close the AdatumEastSvr1 RDP session.
12. In the Remote Desktop Connection dialog box, click OK.
Results: After completing this exercise, you will have verified that virtual machines can communicate
between virtual networks.
2.
3.
4.
5.
6.
7.
8.
9.
12. At the Command Prompt, type the following command, and press Enter:
makecert -sky exchange -r -n "CN=AdatumRootCertificate" -pe -a sha1 -len 2048 -ss My "AdatumRootCertificate.cer"
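An added example, not part of the lab: once the makecert command has placed AdatumRootCertificate in the current user's Personal store, this script exports only the public part for upload to the gateway, confirms the export carries no private key, and checks that a client certificate chains to that root, which is the test the point-to-site gateway applies to a connecting client. The client certificate name AdatumClientCertificate and the output path are assumptions.

```powershell
# Added example (not part of the lab): work with the root certificate that the
# makecert command above created in Cert:\CurrentUser\My.
# 'AdatumClientCertificate' is an assumed name for a client certificate.

function Get-AdatumRootCert {
    param([string]$Subject = 'CN=AdatumRootCertificate')
    $root = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq $Subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $root) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    return $root
}

function Export-RootPublicCert {
    # Writes the DER-encoded public certificate only. The private key, which
    # makecert marked exportable (-pe), stays in the store and off the .cer file.
    param([string]$Subject = 'CN=AdatumRootCertificate',
          [string]$Path = "$env:USERPROFILE\Desktop\AdatumRootCertificate.cer")
    $root  = Get-AdatumRootCert -Subject $Subject
    $bytes = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Path
}

function Test-ExportedRootCert {
    # True when the .cer file has the expected subject and carries no private key.
    param([Parameter(Mandatory)][string]$Path, [string]$Subject = 'CN=AdatumRootCertificate')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return ($cert.Subject -eq $Subject) -and (-not $cert.HasPrivateKey)
}

function Test-ClientChainsToRoot {
    # Mirrors the gateway's check: the client certificate must chain to the
    # uploaded root. The root is self-signed and not in Trusted Root, so it is
    # supplied through ExtraStore and only the UntrustedRoot status is tolerated;
    # any other chain status (expired, bad signature, wrong issuer) fails.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Client,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.Build($Client) | Out-Null
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $fatal = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' })
    return ($top.Thumbprint -eq $Root.Thumbprint) -and ($fatal.Count -eq 0)
}

$cerPath = Export-RootPublicCert
"Exported $cerPath; public-only with correct subject: $(Test-ExportedRootCert -Path $cerPath)"

$client = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Subject -eq 'CN=AdatumClientCertificate' } | Select-Object -First 1
if ($client) {
    "Client certificate chains to AdatumRootCertificate: $(Test-ClientChainsToRoot -Client $client -Root (Get-AdatumRootCert))"
}
```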
2. In the quick glance section, click Download the 64-bit Client VPN Package.
3.
4. At the [filename].exe is not commonly downloaded and could harm your computer warning, click Actions.
5. At the SmartScreen Filter dialog box, click More Options, and then click Run anyway.
6. At the User Account Control dialog box, click Yes and then, at the adatum-hq-vnet dialog box, click Yes.
7.
8.
9.
13. Switch to the Command Prompt, and type the following command, and press Enter:
ipconfig /all
14. In the results, verify that there is a PPP adapter ADATUM-HQ-VNET section, and that you have an
assigned IP address and that the DNS server is set to 10.0.1.4 (AdatumWestSvr1).
15. Switch to File Explorer.
16. In File Explorer, in the Address box, type the following, and then press Enter:
\\adatumwestsvr1.adatum.msft\c$
17. In the Windows Security dialog box, type the following credentials, and click OK:
o
Password: Pa$$w0rd123
18. Verify that you can browse files on AdatumWestSvr1 over the point-to-site VPN.
19. Switch to the Network Connections window.
20. Right-click ADATUM-HQ-VNET, and then click Connect/Disconnect.
21. In the Networks page, click the ADATUM-HQ-VNET VPN connection, and then click Disconnect.
2. On the task bar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks and gateways, cloud services, and resource
groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error, if this occurs). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have configured and tested a point-to-site VPN
connection.
Start Internet Explorer, browse to the new Azure Preview Portal (https://portal.azure.com), and sign
in using the Microsoft account that is associated with your Azure subscription.
2.
3.
4.
5.
6.
7.
8.
9.
14. On the Virtual Network blade, under Use an existing virtual network, click ADATUM-HQ-VNET.
15. On the Network blade, click OK.
16. On the Optional config blade, click OK.
17. On the Create VM blade, verify that Add to Startboard is checked, and click Create.
18. On the Startboard, note the animation occurring on the new tile while your new virtual machine is
being created.
19. On the Hub menu, click NOTIFICATIONS, which indicates that the virtual machine is still being
provisioned. The virtual machine provisioning process should take approximately 20-25 minutes. If
the process appears to be taking longer than this, on the Startboard, click AZURE PORTAL to switch
to the full portal, click VIRTUAL MACHINES, and check the status of WebVM1; stuck notifications
are a bug in the current Preview Portal.
20. When provisioning is complete, the tile on the Startboard will be updated to display the name of the
new virtual machine and the WebVM1 virtual machine blade will open, displaying all the information
about the new virtual machine (if you had the stuck notifications issue in the previous step, then the
Startboard may also fail to update).
21. You can continue to the next task while the WebVM1 virtual machine is deploying.
Note: At the time of writing, there appears to be a bug with the Azure Preview Portal, where the
NOTIFICATIONS list shows the virtual machine provisioning process lasting indefinitely. Also, the
Startboard may fail to update; the fix is to switch to the Full Portal, which does correctly show the status
of VM provisioning.
1. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes when prompted.
2. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure account to the local PowerShell environment:
Add-AzureAccount
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
4. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureSubscription
5.
6.
7.
8. If the Script pane is not visible, on the View menu, click Show Script Pane.
9. In the PowerShell ISE, in the command prompt pane, select the subscription name, then right-click, and click Copy.
10. In the PowerShell ISE, in the Script pane, paste the subscription name.
11. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter.
Get-AzureStorageAccount
12. In the PowerShell ISE, in the command prompt pane, select the string to the right of Label for the
first storage account, then right-click, and click Copy.
13. In the PowerShell ISE, in the Script pane, paste the storage account name.
14. In the PowerShell ISE, in the Script pane, locate the following code:
Set-AzureSubscription -CurrentStorageAccountName <#Copy your storage account name
here#> -SubscriptionName <#Copy your subscription name here in quote marks#>
15. Replace <#Copy your storage account name here#> with your storage account name.
16. Replace <#Copy your subscription name here in quote marks#> with your subscription name; ensure
that you use single quote marks around the name.
17. In the PowerShell ISE, in the Script pane, select the code you have just edited.
18. On the toolbar, click the Run Selection button and wait for the script to complete.
19. In the PowerShell ISE, in the Script pane, select the following code:
$svcName = "20533lab03cloudsvc" + (Get-AzureStorageAccount | where {$_.Label -like "20533*"}).Label.Substring(15,6)
20. On the toolbar, click the Run Selection button and wait for the script to complete.
21. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$svcName
22. This variable should now contain a unique cloud service name, using the same unique number used
to create the storage account during lab preparation.
23. In the PowerShell ISE, in the Script pane, select the following code:
$location = (Get-AzureStorageAccount | where {$_.Label -like "20533*"}).Location
24. On the toolbar, click the Run Selection button and wait for the script to complete.
25. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$location
26. This variable should now contain the Azure region used during lab preparation.
27. In the PowerShell ISE, in the Script pane, select the following code:
28. On the toolbar, click the Run Selection button and wait for the script to complete.
29. In the PowerShell ISE, in the Script pane, select the following code:
30. On the toolbar, click the Run Selection button and wait for the script to complete.
31. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
32. On the Virtual machines blade, note the new virtual machine listed called WebVM2. (The virtual
machine provisioning process should take approximately 5-10 minutes.) You can continue to the next
task while the WebVM2 virtual machine is deploying.
In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter, where uniquecloudservicename is a unique name:
Test-AzureName -Service -Name "uniquecloudservicename"
2. The response must be False for it to be unique; if the response is True, try another name for the service.
3. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter, where uniquecloudservicename is the unique name from the previous test step:
$cloudSvcName = "uniquecloudservicename"
4. In the PowerShell ISE, in the Script pane, select the following code:
5. In the PowerShell ISE, in the Script pane, select the code you have just edited.
6. On the toolbar, click the Run Selection button and wait for the script to complete.
7. In the PowerShell ISE, in the Script pane, select the following code:
New-AzureQuickVM -Linux -ServiceName $cloudSvcName -Name "LinuxVM1" -ImageName $linuximage -LinuxUser LinuxUser -Location $location -InstanceSize Small -Password 'Pa$$w0rd123'
8. On the toolbar, click the Run Selection button and wait for the script to complete. (The virtual machine provisioning process should take approximately 5-10 minutes.)
2.
3.
4. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.
5. In the Microsoft Azure portal, click your Microsoft account name at the top right and then click Switch to new portal.
6.
7.
8.
9.
10. On the Properties blade, under SSH, click the Copy button to copy the host name and port number
(for example linuxvm1.cloudapp.net:22).
11. In the Internet Explorer dialog box, click Allow access.
12. In the PowerShell ISE, in the Script pane, paste the host name and port number.
13. In the Microsoft Azure portal, close all the open blades.
14. Open the Downloads folder and double-click putty.exe.
15. In the Host Name text box, paste the host name from step 7 in the previous task, and in the Port
textbox, paste the port number from step 7 in the previous task.
16. Click Open.
17. If you get a PuTTY Security Alert dialog box, click Yes.
18. In the PuTTY command window, at the login as: prompt, type LinuxUser and press Enter.
19. At the Password: prompt, type Pa$$w0rd123 and press Enter.
20. At the command prompt, type who and press Enter.
21. At the command prompt, type dir and press Enter.
22. At the command prompt, type df and press Enter.
23. At the command prompt, type ps and press Enter.
24. At the command prompt, type top and press Enter.
25. Press q to stop the command.
26. At the command prompt, type exit and press Enter.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes
when prompted.
2. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure account to the local PowerShell environment:
Add-AzureAccount
3. When prompted, sign in using the Microsoft account associated with your Azure subscription.
4.
5.
6.
7. If the Script pane is not visible, on the View menu, click Show Script Pane.
8. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureVM
9. In the PowerShell ISE, in the command prompt pane, select the service name, then right-click, and click Copy.
10. In the PowerShell ISE, in the Script pane, paste the cloud service name.
11. In the PowerShell ISE, in the Script pane, locate the following code:
Get-AzureVM -Name WebVM1 -ServiceName <#Copy your cloud service name here#>
12. Replace <#Copy your cloud service name here#> with your service name.
13. In the PowerShell ISE, in the Script pane, select the code you have just edited.
14. On the toolbar, click the Run Selection button and wait for the script to complete.
15. Notice that the AvailabilitySetName property is blank.
16. In the PowerShell ISE, in the Script pane, locate the following code:
17. Replace <#Copy your cloud service name here#> with your service name.
18. In the PowerShell ISE, in the Script pane, select the code you have just edited.
19. On the toolbar, click the Run Selection button and wait for the script to complete.
20. In the PowerShell ISE, in the Script pane, locate the code you edited in Step 12. On the toolbar, click
the Run Selection button and wait for the script to complete:
Get-AzureVM -Name WebVM1 -ServiceName servicename
23. Replace <#Copy your cloud service name here#> with your service name.
24. In the PowerShell ISE, in the Script pane, select the code you have just edited.
25. On the toolbar, click the Run Selection button and wait for the script to complete.
26. In the PowerShell ISE, in the Script pane, locate the following code:
Get-AzureVM -Name WebVM2 -ServiceName <#Copy your cloud service name here#>
27. Replace <#Copy your cloud service name here#> with your service name.
28. In the PowerShell ISE, in the Script pane, select the code you have just edited.
29. On the toolbar, click the Run Selection button and wait for the script to complete.
30. Notice that the AvailabilitySetName property is filled in.
Start Internet Explorer, browse to http://portal.azure.com, and sign in using the Microsoft account
that is associated with your Azure subscription.
2. In the toolbar on the left, click BROWSE and then click Virtual Machines.
3.
4. In the Configuration section, click Load balanced sets and then click JOIN.
5.
6.
7.
8.
9.
2. Browse to D:\LabFiles\Lab04\Starter.
3. Double-click WebVM1.rdp. If the Remote Desktop Connection message box appears, click Connect.
4. In the Windows Security dialog box, in the User name box, type Student.
5.
6.
7.
8.
9. Browse to C:\inetpub\wwwroot.
10. Click the Home menu, click New Item and then click Text Document.
11. Type Test and then press Enter.
12. Double-click the Test.txt file.
13. In the How do you want to open this type of file dialog box, click Notepad.
14. Type the following code, and then press Enter:
<h1>A. Datum Test Page</h1>
23. In the RDP tab at the top, click Close and then click OK.
24. On the Windows Start menu, click This PC.
25. Browse to D:\LabFiles\Lab04\Starter.
26. Double-click WebVM2.rdp. If the Remote Desktop Connection message box appears, click Connect.
27. In the Windows Security dialog box, in the User name box, type Student.
28. In the Password box, type Pa$$w0rd123, and then click OK.
29. In the Remote Desktop Connection dialog box, click Yes.
30. If the Networks pane appears, click No.
31. On the Windows Start screen, click This PC.
32. Browse to C:\inetpub\wwwroot.
33. Click the Home menu, click New Item and then click Text Document.
34. Type Test and then press Enter.
35. Double-click the Test.txt file.
36. In the How do you want to open this type of file dialog box, click Notepad.
37. Type the following code, and then press Enter:
<h1>A. Datum Test Page</h1>
In the Windows Azure preview portal, in the list of virtual machines, click WebVM1.
2.
3.
4.
5. Press CTRL+V and then press Enter. Internet Explorer displays the IIS default homepage.
6. Append the text test.htm to the URL in the address bar and then press Enter. Internet Explorer displays the test page you created in Task 3.
7.
8. Switch to the Internet Explorer tab that shows the Azure Preview Portal.
9. If the Properties, Settings, or Virtual Machines blades are open, close these blades.
10. In the Virtual Machines blade, click the virtual machine that you noted in step 7.
11. In the Virtual Machine blade, click SHUT DOWN and then click YES.
12. When the virtual machine shutdown is complete, switch to the Internet Explorer tab that shows the A.
Datum Test Page.
13. Press CTRL+F5. The page refreshes.
14. Note that the page is now served by the other virtual machine in the load balanced set.
Results: At the end of this exercise, you will have the WebVM1 and WebVM2 virtual machines configured
in an availability set and a load-balanced set.
2. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureSubscription
3. In the PowerShell ISE, in the command prompt pane, select the subscription name, then right-click, and click Copy.
4. In the PowerShell ISE, in the Script pane, paste the subscription name.
5. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureStorageAccount
6. In the PowerShell ISE, in the command prompt pane, select the string to the right of Label, then right-click, and click Copy.
7. In the PowerShell ISE, in the Script pane, paste the storage account name.
8. In the PowerShell ISE, in the Script pane, locate the following code:
Set-AzureSubscription -CurrentStorageAccountName <#Copy your storage account name here#> -SubscriptionName <#Copy your subscription name here in quote marks#>
9. Replace <#Copy your storage account name here#> with your storage account name.
10. Replace <#Copy your subscription name here in quote marks#> with your subscription name; ensure
that you use single quote marks around the name.
11. In the PowerShell ISE, in the Script pane, select the code you have just edited.
12. On the toolbar, click the Run Selection button and wait for the script to complete.
13. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureStorageKey
14. Paste the storage account label you copied in Step 6, and press Enter.
15. In the PowerShell ISE, in the command prompt pane, select the string to the right of Primary, then
right-click, and click Copy.
16. In the PowerShell ISE, in the Script pane, paste the storage key.
17. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
New-AzureStorageContainer
19. In the PowerShell ISE, in the command prompt pane, select the Blob End Point, then right-click, and
click Copy.
20. In the PowerShell ISE, in the Script pane, locate the following code:
Add-AzureVhd -Destination <#Copy your blob end point here#>1-azurestorage/20533B_DataDisk.vhd
-LocalFilePath D:\Labfiles\Lab04\Starter\20533B_DataDisk.vhd
21. Replace <#Copy your blob endpoint here#> with your Blob End Point; make sure that there is a
single forward slash (/) between the endpoint and the vhd path.
22. In the PowerShell ISE, in the Script pane, select the code you have just edited.
23. On the toolbar, click the Run Selection button and wait for the script to complete.
24. You should now see upload data as the VHD is uploaded to Microsoft Azure; the process will take
several minutes to complete.
25. Do not proceed to the next task until the upload has completed.
Switch to Internet Explorer, and click the new Azure Preview Portal tab.
2.
3.
4. In the Virtual machines blade, click WebVM2. If you stopped WebVM2 in Exercise 1, click Start, and then click Yes; wait for WebVM2 to enter the Running state before continuing.
5. In the WebVM2 blade, scroll down and click the Disks tile.
6.
7. In the Attach an existing disk blade, click VHD FILE Configure required settings.
8. In the Choose a disk blade, click CHOOSE STORAGE ACCOUNT Configure required settings.
9.
16. On the Disks blade, wait until 20533B_DataDisk.vhd is listed under DATA DISKS.
17. Close the Disks blade.
18. On the WebVM2 blade, click CONNECT.
19. In the popup message, click Open.
20. If the Remote Desktop Connection message box appears, click Connect.
21. Log on as WEBVM2\Student with a password of Pa$$w0rd123.
22. On the Remote Desktop Connection message box, click Yes.
23. When you have logged in, on the Taskbar on WebVM2, click File Explorer.
24. Click Computer.
25. Click the Data Disk (E:) drive.
26. Note the text file at the root of this drive.
27. Minimize the remote desktop window.
28. On the WebVM2 blade, click the Disks tile.
29. Next to the 20533B_DataDisk.VHD disk, click the ellipsis (...), and click Detach.
30. In the Detach dialog box, click Yes.
31. Wait until the page refreshes.
32. On the Disks blade, click Attach New.
33. In the Attach a new disk blade, click STORAGE CONTAINER Configure required settings.
34. In the Choose a container blade, click CHOOSE STORAGE ACCOUNT Configure required settings.
35. In the Storage account blade, click the storage account.
36. Click CHOOSE CONTAINER Configure required settings.
37. In the Storage container blade, click 1-azure-storage.
38. In the Choose a container blade, click OK.
39. In the Attach a new disk blade, under SIZE, enter 10, and then click OK.
40. Wait until the new disk appears in the Disks blade.
41. Repeat steps 32-40 to create and attach a second 10GB virtual disk.
42. Wait until the second new disk appears in the Disks blade.
2.
3. In Server Manager, on the left-hand pane, click File and Storage Services.
4.
5. Under STORAGE POOLS, click TASKS, and then click New Storage Pool.
6.
7. On the Specify a storage pool name and subsystem page, in the Name box, type New Storage Pool.
8. Select the WebVM2 group of available physical disks and then click Next.
9. On the Select physical disks for the storage pool page, select the check boxes next to each physical disk, and then click Next.
10. On the Confirm selections page, verify that the settings are correct, and then click Create.
11. On the View results page, verify that all tasks completed, and then click Close.
12. In Storage Pools, right-click New Storage Pool and click New Virtual Disk.
13. On the Before you begin page, click Next.
14. On the Select the storage pool page, click Next.
15. In the Name box, type New Virtual Disk and click Next.
16. On the Select the storage layout page, click Mirror, and click Next.
17. On the Specify the provisioning type page, click Thin, and then click Next.
18. On the Specify the size of the virtual disk page, click Specify size and in Virtual disk size box,
enter 30, then click Next.
19. On the Confirm selections page, note that the size of the virtual disk is larger than the available
space in the storage pool.
20. Click Create.
21. When the configuration completes, click Close.
22. On the Before you begin page, click Next.
23. On the Select the server and disk page, click the 30 GB Storage Spaces disk, and click Next.
24. On the Specify the Size of the volume page, enter 15 GB, and click Next.
25. On the Assign to a drive letter or folder page, select the next free drive letter (should be E:), and
click Next.
26. On the Select file system settings page, change the volume label to RAID Volume and click Next.
27. On the Confirm selections page, click Create.
28. When the configuration completes, click Close.
29. Review the status of the New Storage Pool. Note the free space, which virtual disks are configured
and which physical disks are being used in the storage pool.
30. Switch to File Explorer and view the new RAID Volume (E:) drive of 14.9 GB.
31. Minimize the remote desktop window.
Results: At the end of this lab, you will have an Azure virtual machine with two virtual data disks that are
configured in a storage space.
2. In the pop-up dialog box, click the arrow next to Save and click Save as.
3.
4.
5.
6.
7.
8.
9.
Click Start, type Azure command, and then click Microsoft Azure Command Prompt v2.5.
2. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure account download
3. In the browser window that opens, sign in to your Microsoft Azure subscription (if prompted).
4. In the pop-up dialog box, click the arrow next to Save and click Save as.
5.
6. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure account import C:\Users\Student\Downloads\<your publishsettingsfilename>
7. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure
8. This command will display all the available commands in the Azure Cross-Platform Command-Line Interface.
9. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure account list
10. This command lists all the subscriptions for the tenant.
11. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure network vnet list
12. This command lists all the virtual networks in your subscription.
13. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure vm list
14. This command lists all the virtual machines in your subscription.
15. At the Microsoft Azure Command Prompt, type the following command and press Enter:
azure vm disk list
16. This command lists all the disk images in your virtual machines.
17. At the Microsoft Azure Command Prompt, type the following command and press Enter:
exit
1.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 10-15 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3. At the top right, click your Microsoft account name and click Switch to new portal.
4. In the bottom left of the portal, click NEW, and then click Website.
5. In the Website blade, in the URL text box, type any unique valid server name. If the name is unique
and valid, a green smiley is displayed.
6.
7. In the Web hosting plan blade, in the NAME text box, type WebsiteStandardPlan.
8.
9.
2.
3. In the Website blade, click the website you created in Task 1, scroll down to locate the Deployment
section, and then click Deployment slots.
4.
5. In the Add a slot blade, in the NAME text box, type Staging.
6. In the CONFIGURATION SOURCE list, select the website you created in Task 1, and then click OK. Azure
adds the new deployment slot to the list.
7.
8. On the Start screen, type Microsoft Azure PowerShell, and then click Microsoft Azure
PowerShell.
9. If you are not logged in, type the following command, and then press Enter:
Add-AzureAccount
10. Log in with the account associated with your Azure subscription.
11. Type the following PowerShell command and then press Enter:
Get-AzureWebsite
12. Check that the list of websites includes both the website you created in Task 1 and the staging slot
you created in Task 2.
1. In Internet Explorer, in the blade for the website you created in Task 1, scroll down to locate the
Deployment section, and then click Set deployment credentials.
2. In the FTP/DEPLOYMENT USER NAME box, type ftpadminXXXX where XXXX is a unique number.
3.
4. In the CONFIRM PASSWORD box, type Pa$$w0rd, and then click SAVE.
Results: After you have completed this lab, you will have created a new website in the Azure portal and
configured the new website with deployment slots and deployment credentials.
1. In Internet Explorer, switch to the tab that displays the full portal.
2.
3. In the list of websites, click the website you created in Exercise 1 and then click DASHBOARD.
4.
5. In the dialog, click Save. Internet Explorer saves the publish profile in the Downloads folder.
6.
7.
8.
9.
1. In Visual Studio, in the Solution Explorer, right-click the AdatumWebsite project and then click
Publish.
2.
3.
4.
5. Select the .PublishSettings file you downloaded in Task 1 and then click Open.
6.
7.
8. Visual Studio connects to the Azure website. If the connection is valid, a green tick icon is displayed.
9. Click Next.
10. On the Settings page, in the Configuration drop-down list, select Release.
11. Click Next.
12. On the Preview page, click Start Preview.
13. Examine the list of changes to apply to the website.
14. Click Publish.
15. Close the Home Page tab.
16. Close Visual Studio 2013.
Results: After you have completed this lab, you will have a deployed website hosted in Windows Azure
that you can visit with any common web browser.
1. In Internet Explorer, in the full portal, in the navigation on the left, click WEBSITES.
2. In the list of websites, to the left of the name of your website, click the arrow to display all slots.
3. Click yourwebsite(Staging).
4.
5.
6.
7.
8.
9.
10. In the Solution Explorer, right-click the AdatumWebsite project, and then click Publish.
11. In the Publish Web wizard, on the Profile page, click Import.
12. In the Import Publish Settings dialog box, click Browse.
21. When the publish operation is complete, Internet Explorer opens and displays the new website in the
staging slot.
22. Close Internet Explorer and Visual Studio.
2. Click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.
3.
4.
5.
6.
7. Close the Internet Explorer tab that displays the A. Datum website.
8.
9.
10. In the DESTINATION drop-down list, ensure that YourWebsite is selected, and then click the check
button.
11. In the toolbar at the bottom, click BROWSE.
12. Notice that the color scheme is the new one.
13. Close the Internet Explorer tab that displays the A. Datum website.
2.
3. In the DESTINATION drop-down list, ensure that YourWebsite is selected, and then click the check
button.
4.
5.
6.
2. At the command prompt, type the following command, and then press Enter:
Get-AzureWebsite
3.
4. At the command prompt, type the following command, and then press Enter:
Get-AzureLocation
5.
6. At the command prompt, type the following command, and then press Enter:
New-AzureWebsite -Name WebsiteName2 -Location "SecondLocation"
7.
Where WebsiteName2 is the name of your original website with the number 2 appended and
SecondLocation is the location you chose in step 5.
8. In Internet Explorer, in the full portal, in the navigation on the left, click WEB SITES.
9.
10. Under Publish your app, click Download the publish profile.
11. In the dialog, click Save.
12. On the Toolbar, click Visual Studio 2013.
13. On the File menu, point to Open, and then click Project/Solution.
14. Browse to the folder D:\LabFiles\Lab05\Starter\AdatumWebsite.
15. Click AdatumWebsite.sln and then click Open.
16. In the Solution Explorer, right-click the AdatumWebsite project, and then click Publish.
17. In the Publish Web wizard, on the left, click Profile and then click Import.
18. In the Import Publish Settings dialog box, click Browse.
1. In Windows Azure PowerShell, type the following command and then press Enter:
Test-AzureTrafficManagerDomainName -DomainName "yourname.trafficmanager.net"
2.
Where yourname is your full name with no spaces. If the command returns true, use your name for
this exercise. If the command returns false, try other names until you find a free domain.
3. In Internet Explorer, in the full portal, in the navigation on the left, click TRAFFIC MANAGER.
4.
5. In the DNS PREFIX box, type the name you entered in step 1 (excluding the trafficmanager.net
suffix).
6. In the LOAD BALANCING METHOD drop-down list, select Performance, and then click CREATE.
1. In the full portal, click the Traffic Manager profile you created in Task 2.
2.
3.
4. In the list of websites, select the website you created in Exercise 1 and the website you created in
Exercise 4.
5. Click Complete.
6.
7. In the DNS TIME TO LIVE (TTL) text box, remove the original setting and then type 30.
8.
2. For the Traffic Manager profile, note the entry in the DNS NAME column.
3.
4. Place the cursor in the Address bar, type the DNS NAME you just noted, and then press Enter.
5.
6. From the Start Menu, type cmd and then press Enter.
7.
9. In Internet Explorer, switch to the tab that displays the Azure portal.
13. In the list of endpoints, select the website you created in Exercise 1.
14. In the toolbar, click Disable and then click Yes.
15. Switch to the Command Prompt.
16. Type the following command and then press Enter:
nslookup dnsname
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, websites, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you will have a website set up in two Azure regions and Traffic
Manager will be configured to distribute requests between them.
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and
that the setup script you ran in the Preparing the Environment demonstration has completed.
2. Start Internet Explorer and browse to https://portal.azure.com. When prompted, sign in using the
credentials for the Microsoft account associated with your Azure subscription.
3.
4. Close the Everything blade, then under Marketplace, click Storage, cache, + backup.
5. On the Storage, cache, + backup blade, under Storage and Cache, click Storage, and then click
Create.
6. In the Storage account blade, apply the following settings and click Create:
o RESOURCE GROUP: Click the current resource group, and then click Create a new resource
group. Name the new resource group Asset-Management and click OK.
7. In the hub menu, click NOTIFICATIONS and wait for the storage account to be created.
8.
9. In the Storage blade, click the storage account you just created.
10. In the blade for your storage account, click the Containers tile.
11. On the Containers blade, click ADD. Then in the Add a container blade, apply the following settings
and click OK:
o NAME: asset-images
o Access type: Private
14. If the new container does not appear in the Containers blade within a few seconds, refresh the page
in Internet Explorer.
15. Close the Containers blade, but keep the blade for your storage account open.
16. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
Yes when prompted.
17. In the PowerShell ISE, click File and then click Open.
18. In the Open dialog, browse to D:\Labfiles\Lab06\Starter\.
1.
2. In the Download and install AzCopy section, click the link to install the latest version of AzCopy.
3. When prompted to run or save the file, click Run. Then click Yes if prompted to allow the program to
make changes to the computer, and complete the wizard to install AzCopy using the default
installation options.
4. If you get a Microsoft Azure Storage Tools - v3.0.0 Setup dialog box, click Cancel.
5. Right-click the Start button and click System. Then in the System window, click Advanced system
settings.
6. In the System Properties dialog box, on the Advanced tab, click Environment Variables.
7. In the Environment Variables dialog box, in the System variables list, select Path. Then click Edit.
8. In the Edit System Variable dialog box, in the Variable value text box, append the following text
(including the semicolon at the beginning) to the existing value, and then click OK:
;C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy
9. In the Environment Variables dialog box, click OK. Then in the System Properties dialog box, click
OK and close the System window.
10. Right-click the Start button and click Command Prompt. Then in the command prompt window,
enter the following command:
AzCopy /?
11. View the syntax information that is displayed. Keep the command prompt window open for the next
task.
1. In Internet Explorer, on the Microsoft Azure tab, in the blade for your storage account, click KEYS.
2. On the Manage keys blade, click the Copy icon next to the primary access key. If prompted to allow
access to the clipboard, click Allow access.
3. In the command prompt window, enter the following commands to change the current directory
context:
D:
CD D:\Labfiles\Lab06\Starter
4.
5. In the PowerShell ISE, in the Script pane, locate the following code:
AzCopy /Dest:https://<your storage account>.blob.core.windows.net/asset-images
/destkey:<your primary access key> /Source:asset-images
6.
7. Replace <your primary access key> with your primary access key.
8. In the PowerShell ISE, in the Script pane, select the code you have just edited.
9.
11. In the command prompt window, click the control box at the top left of the window, point to Edit,
and click Paste, and then press Enter to run the command.
12. Wait for the command to complete and view the file transfer information that is displayed.
13. Close the command prompt window.
Results: At the end of this exercise, you will have a new Azure storage account with a container named
asset-images.
2.
3.
4.
5. In the Windows PowerShell ISE, in the command prompt pane, enter the command Get-AzureAccount
and verify that your Microsoft account is displayed.
Note: If your account is not displayed, enter the command Add-AzureAccount and sign in using
your Microsoft account.
6. In the script pane, in the $storageAccountName variable declaration at the beginning, replace the
value <your_storage_account_name> with the name of the Azure storage account you created in the
previous task.
7.
o Declares variables named $shareName and $folderName for the file share and folder to be
created.
o Uses the Get-AzureStorageKey cmdlet to retrieve the access key for your storage account.
o Uses the New-AzureStorageContext cmdlet to create a storage context that connects to your
storage account using the access key.
o Finds the folder where the script is stored and declares a variable named $sourceFolder that
references the invoices subfolder.
o Iterates through the files in the source folder and uses the Set-AzureStorageFileContent cmdlet
to write each file to the folder in the file share.
8.
9. Observe the script as it runs, and view the output. Then close the Windows PowerShell ISE without
saving any changes.
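The following script is an added example of the upload the lab's step 7 describes; it is not the lab's own starter script. It uses the same service-management cmdlets the lab names (Get-AzureStorageKey, New-AzureStorageContext, Set-AzureStorageFileContent) and takes the share name assets and folder name invoices from the exercise Results. It assumes Azure PowerShell is loaded, Add-AzureAccount has already been run, the storage account name placeholder has been replaced, and an invoices subfolder sits beside the script. It creates the share and folder only when they do not already exist, which the lab's description leaves implicit, and keeps the access key in the session only.

```powershell
# Added example (not the lab's starter script). Assumes Add-AzureAccount has
# already been run in this session and that the invoices subfolder is next to
# this script file. Replace the storage account name as in the lab's step 6.
$storageAccountName = "<your_storage_account_name>"
$shareName  = "assets"     # file share name from the exercise Results
$folderName = "invoices"   # folder name from the exercise Results

# Retrieve the primary access key and build a storage context from it.
# The key stays in this session's variables; it is never written to disk.
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccountName).Primary
$context    = New-AzureStorageContext -StorageAccountName $storageAccountName `
                                      -StorageAccountKey $storageKey

# Create the share and the folder only if they are not already present
# (the New-* cmdlets fail on an existing object, so check first).
if (-not (Get-AzureStorageShare -Name $shareName -Context $context -ErrorAction SilentlyContinue)) {
    New-AzureStorageShare -Name $shareName -Context $context | Out-Null
}
if (-not (Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $context -ErrorAction SilentlyContinue)) {
    New-AzureStorageDirectory -ShareName $shareName -Path $folderName -Context $context | Out-Null
}

# Locate the invoices subfolder relative to where this script is stored.
$scriptFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
$sourceFolder = Join-Path $scriptFolder $folderName
if (-not (Test-Path $sourceFolder)) { throw "Source folder not found: $sourceFolder" }

# Upload each file into the folder on the share, overwriting any earlier copy.
Get-ChildItem -Path $sourceFolder -File | ForEach-Object {
    Write-Host "Uploading $($_.Name) to $shareName/$folderName"
    Set-AzureStorageFileContent -ShareName $shareName -Source $_.FullName `
        -Path "$folderName/$($_.Name)" -Context $context -Force
}

# List the folder on the share so the result can be checked against the
# "dir z:\invoices" output the next exercise expects.
Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $context
```

Run it from the PowerShell ISE as in step 8; the final listing should show the three invoice documents that the next exercise looks for from AdatumSvr1.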
1. In Internet Explorer, on the Microsoft Azure tab, in the hub menu, click BROWSE and click Virtual
machines. Then in the Virtual machines blade, click AdatumSvr1.
2. In the AdatumSvr1 blade, click Connect, and when prompted to open or save the AdatumSvr1.rdp
file, click Open.
3. When prompted to connect, click Connect. Then enter the following credentials and click OK:
o
o Password: Pa$$w0rd123
4. If you are prompted to connect again, click Yes, and then wait for the remote desktop session to
open and initialize. If you are prompted to set up networks, click Yes.
5. When Server Manager starts, on the Local Server page, click the status for IE Enhanced Security
Configuration. Select Off for Administrators and click OK. Then close Server Manager.
6. In the AdatumSvr1 remote desktop window, on the Start page, click Internet Explorer. If you are
prompted to set up Internet Explorer, select Use recommended security and compatibility
settings and click OK.
7. Browse to https://portal.azure.com and sign in using the Microsoft account associated with your
Azure subscription. Ignore any messages at the bottom of the browser window.
8.
9. In the Storage blade, click the storage account you created in the previous exercise. Then, in the
blade for your storage account, click KEYS.
10. On the Manage Keys blade, click the Copy icon next to the primary access key. If prompted to allow
access to the clipboard, click Allow access.
11. Right-click the Start menu and click Command Prompt (Admin).
12. In the command prompt window, enter the following command to map a network drive to the assets
file share in Azure storage. Replace both instances of storage_account with the name of your storage
account and paste your access key in place of access_key (to paste into a command prompt window,
click the control box at the top left of the window, point to Edit, and click Paste):
net use z: \\storage_account.file.core.windows.net\assets /u:storage_account access_key
13. In the command prompt window, enter the following command to view the contents of the invoices
folder in the Z: drive (which is now mapped to the assets file share you created in the previous task):
dir z:\invoices
Results: At the end of this exercise, you will have a file share named assets that contains a folder named
invoices. This folder will contain three invoice documents and be accessible from the AdatumSvr1 virtual
machine.
1. In 20533B-MIA-CL1, in Internet Explorer, in the Azure portal Startboard, click AZURE PORTAL to
open the full portal.
2. In the full portal, click NEW, click DATA SERVICES, click RECOVERY SERVICES, click BACKUP
VAULT, and click QUICK CREATE.
3. Enter a valid, unique name, select your closest region, and click CREATE VAULT.
1. In the full Azure Management Portal, click Recovery Services, then click your new backup vault.
2. On the backup vault Quick Start page, click Download vault credentials.
3.
4. Once the credentials have been downloaded, you'll be prompted to open the folder. Click x to close
this menu.
1. In the full Azure portal, on the page for your backup vault, under Download Azure Backup Agent, click
the For Windows Server or System Center Data Protection Manager or Windows Client link.
2. When prompted to run or save the file, click Run. Then when prompted to allow the program to
make changes, click Yes and complete the wizard to install the agent. Choose the option to use
Microsoft Update to check for updates.
3.
4. Minimize Internet Explorer, and on the desktop, double-click Microsoft Azure Backup. When
prompted to allow the program to make changes, click Yes.
5.
6. In the Register Server Wizard, on the Proxy Configuration page, click Next.
7. On the Vault Identification page, click Browse, navigate to the Downloads folder, select the
credentials you created earlier, and click Open.
8.
9. On the Encryption Setting page, click Generate Passphrase. Then click Browse, browse to the
D:\Labfiles\Lab06\Starter folder, and click OK.
1.
2. In the Schedule Backup Wizard, on the Getting started page, click Next.
3. On the Select Items to Backup page, click Add Items. Then in the Select Items dialog box, expand
D, expand Labfiles, expand Lab06, expand Starter and select the following folders and click OK:
o asset-images
o invoices
4.
5. On the Specify Backup Time page, in the Available time box, click 9:30 AM, and then click Add.
6. In the Scheduled time box, click 4:30 AM, click Remove, and then click Next.
7. On the Confirmation page, click Finish. Then, when the backup schedule is created, click Close.
2. In the Back Up Now Wizard, on the Confirmation page, click Back Up.
3. When the backup is complete, click Close, and close Microsoft Azure Backup.
4. In Internet Explorer, in the full Azure portal, on the page for your backup vault, click SERVERS and
verify that the MIA-CL1 server is listed.
5. Click PROTECTED ITEMS and note the newest recovery point for D:\.
6.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script
does not remove the Backup Vault; this can either be manually deleted or you can leave it in place as
it does not affect subsequent labs.
5.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise you will have an Azure backup vault in your subscription, created
Backup Vault Credentials, and installed the Azure backup agent on 20533B-MIA-CL1. You will have
backed up the contents of the asset-images and invoices folders to the backup vault.
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3. At the top right, click your Microsoft account name and click Switch to new portal.
4. In the Hub menu on the left, click New, and then click SQL Database.
5.
6. Click SELECT SOURCE, and then in the Select source blade, click Blank Database.
7. Click PRICING TIER, and in the Recommended pricing tiers blade, click BROWSE ALL PRICING
TIERS.
8. In the Change your pricing tier to blade, click S1 Standard, and then click Select.
9.
10. Click SERVER, and then in the Server blade, click Create a new server.
11. In the New server blade, enter the following settings and click OK:
o
o PASSWORD: Pa$$w0rd
12. In the SQL database blade, click RESOURCE GROUP, and then in the Resource group blade, click
Create a new resource group.
13. In the Resource group blade, in the NAME box, type OpsRG, and click OK.
14. In the SQL database blade, ensure that Add to Startboard is selected and click Create. Then wait for
the SQL Database to be created.
15. If a Message from webpage dialog box appears, click OK, and then wait until the operations
database becomes online.
1. In Internet Explorer, switch to the tab containing the full Azure portal.
2. In the service pane on the left, click SQL DATABASES and verify that the operations database you
created in the new portal is listed.
3. On the sql databases page, click SERVERS, and verify that the uniquely named server you created in
the previous task is listed.
4.
5. Note the CURRENT CLIENT IP ADDRESS, and click the ADD TO THE ALLOWED IP ADDRESSES
icon. Change the START IP ADDRESS to XXX.XXX.0.0, and the END IP ADDRESS to
XXX.XXX.255.255, leaving XXX as it is (where XXX.XXX is the first two fields of the Current Client IP
address), and then at the bottom of the page, click SAVE.
2. In the Connect to Server dialog box, specify the following settings (replacing server_name with the
unique name you specified when creating your SQL Database server) and click Connect:
o
o Login: Student
o Password: Pa$$w0rd
3. In SQL Server Management Studio, in Object Explorer, under the server name, expand Databases and
verify that the operations database is listed.
4. In SQL Server Management Studio, open the Operations.sql file in the D:\Labfiles\Lab07\Starter
folder and view the Transact-SQL code it contains.
5. On the toolbar, in the Available Databases list, select operations. Then click Execute.
6. Click New Query and enter the following Transact-SQL code in the new query pane:
SELECT * FROM dbo.serverlist;
7. On the toolbar, in the Available Databases list, ensure that operations is selected. Then click
Execute.
8. View the query results and verify that a list of three servers and their IP addresses is returned.
9. Keep SQL Server Management Studio open for the next exercise.
1. In Internet Explorer, on the tab containing the preview Azure portal, in the Startboard, click the tile
for the operations SQL Database (which was pinned to the Startboard when you created it).
2. On the operations SQL Database blade, note the charts displayed in the Monitoring section, which
show details of connections and storage space used.
3. Click the Storage chart. Then in the Metric blade, view the chart.
4. On the Metric blade, click ADD ALERT. Then in the Add an alert rule blade, specify the following
settings and click OK:
o RESOURCE: operations
5.
o THRESHOLD: 100
Results: After completing this exercise, you will have created an Azure SQL Database named operations
on a new server with a name of your choosing. You will also have used SQL Server Management Studio to
create a table named dbo.serverlist and created an alert to help you monitor database storage.
1. In SQL Server Management Studio, in Object Explorer, in the Connect drop-down list, click Database
Engine.
2. In the Connect to Server dialog box, specify the following settings, and click Connect:
o
3. In SQL Server Management Studio, in Object Explorer, under the MIA-CL1 server, expand Databases
and verify that the sales database is listed.
4. Right-click the sales database, point to Tasks, and click Deploy Database to Windows Azure SQL
Database.
5. In the Deploy Database Sales wizard, on the Introduction page, click Next.
6. On the Deployment Settings page, click Connect. Then in the Connect to Server dialog box,
specify the following settings (replacing server_name with the unique name of your SQL Database
server) and click Connect:
o
o Login: Student
o Password: Pa$$w0rd
7. On the Deployment Settings page, ensure that the new database name is sales and note the
temporary file name used for the .bacpac file that will be exported and imported, and then click
Next.
8.
9. On the Results page, verify that the operation completed successfully, and click Close.
10. In SQL Server Management Studio, in Object Explorer, if necessary, right-click the Databases folder
under your Azure SQL Database server and click Refresh to verify that the sales database has been
copied to this server.
1. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server, expand
Security, expand Logins, and verify that only the Student login is listed.
2. Right-click Logins and click New Login. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE LOGIN SalesApp
WITH PASSWORD = 'Pa$$w0rd'
GO
3. In Object Explorer, right-click the Logins folder and click Refresh to verify that the SalesApp login
has been created.
4. In Object Explorer, in the Databases folder for your Azure SQL Database server, expand the sales
database, expand Security, and expand Users.
5. Right-click Users and click New User. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE USER SalesApp
FOR LOGIN SalesApp
WITH DEFAULT_SCHEMA = dbo
GO
EXEC sp_addrolemember 'db_owner', 'SalesApp'
GO
6. In Object Explorer, right-click the Users folder and click Refresh to verify that the SalesApp user has
been created.
7. Keep SQL Server Management Studio open for the next exercise.
1. Start Visual Studio and open the SalesApp.sln solution in the D:\Labfiles\Lab07\Starter folder.
2.
3.
4. In Internet Explorer, on the tab containing the preview Azure portal, on the Hub menu, click BROWSE
and then click SQL databases.
5. On the SQL databases blade, click the sales database. Then on the sales SQL Database blade, click
Properties.
6. On the Properties blade, click Show database connection strings. Then on the Database
connection strings blade, click the Click to copy icon for the ADO.NET connection string. If
prompted, click Allow access.
7.
8. In Visual Studio, in Web.config, select the existing value for the connectionString attribute and then
paste the connection string you copied to replace it.
9. In the pasted connection string, change the User ID parameter to SalesApp@server_name (where
server_name is the unique name of your Azure SQL Database server); and replace the Password
parameter with Pa$$w0rd. The new connectionString value should look similar to this:
Server=tcp:server_name.database.windows.net,1433;Database=sales;User ID=SalesApp@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
10. Save Web.config. Then on the Debug menu, click Start Debugging.
11. When Internet Explorer opens, verify that the sales application shows invoice history data for the
selected customer. The data is retrieved from the sales database you migrated to Microsoft Azure SQL
Database.
12. Close the Internet Explorer window that contains the Customer Invoice History page, and then close
Visual Studio, saving changes if prompted.
Results: After completing this exercise, you will have deployed the sales SQL Server database on the local
SQL Server instance to your Azure SQL Database server, and configured the SalesApp web application to
use a connection string for the new Azure SQL Database.
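As an added example (not part of the lab, and not the SalesApp project's own code), the script below performs the Web.config edit of steps 8 and 9 with System.Data's SqlConnectionStringBuilder instead of hand-editing the pasted string, so the User ID and Password keys are set by name and the two transport-security keys the lab's sample string carries (Encrypt=True and TrustServerCertificate=False) are enforced rather than trusted to survive a paste. The Web.config path, the connection-string name SalesConnection and the sample portal string are assumptions for illustration; the server_name placeholder is the lab's own.

```powershell
# Added example, not the lab's code. Assumes Web.config is at the path below and
# that its <connectionStrings> entry is named "SalesConnection" (hypothetical;
# use the name that appears in your Web.config).
param(
    [string]$WebConfigPath  = "D:\Labfiles\Lab07\Starter\SalesApp\Web.config",
    [string]$ConnectionName = "SalesConnection",
    [string]$ServerName     = "server_name",   # the lab's placeholder for your server
    [string]$UserName       = "SalesApp",
    [string]$Password                          # prompted for below if not supplied
)
Add-Type -AssemblyName System.Data

if (-not $Password) { $Password = Read-Host "Password for $UserName" }

# Constructed sample of the ADO.NET string the portal hands out in step 6;
# paste the real one here.
$portalConnectionString = "Server=tcp:$ServerName.database.windows.net,1433;Database=sales;" +
    "User ID={your_user_id}@$ServerName;Password={your_password_here};" +
    "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"

# Parse the string into keyed values so each key is replaced, not pattern-matched.
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($portalConnectionString)
$builder.UserID   = "$UserName@$ServerName"   # SalesApp@server_name, as in step 9
$builder.Password = $Password

# The server is reached over the public internet: require TLS and certificate
# validation regardless of what the pasted string contained.
$builder.Encrypt = $true
$builder.TrustServerCertificate = $false

# Load Web.config as XML and update the connectionString attribute of the named entry.
[xml]$config = Get-Content -Path $WebConfigPath
$entry = $config.configuration.connectionStrings.add |
         Where-Object { $_.name -eq $ConnectionName }
if (-not $entry) { throw "No connection string named '$ConnectionName' in $WebConfigPath" }
$entry.connectionString = $builder.ConnectionString
$config.Save($WebConfigPath)

# Report the result without the password so the console log does not carry it.
$shown = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($builder.ConnectionString)
$shown.Password = "********"
Write-Host "Updated '$ConnectionName' to:" $shown.ConnectionString
```

The builder emits the canonical key names (Data Source, Initial Catalog, Connect Timeout), so the saved value reads differently from the lab's sample string but carries the same settings; SqlClient accepts both spellings. Step 10 then proceeds as written.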
1. In Internet Explorer, in the tab containing the full portal, click the SQL Database page and verify that
it contains the sales and operations databases you created previously in this lab.
Note: If either database is not in the list, refresh the page.
2. Select the row containing the operations database (avoid clicking its name, as this will open its
dashboard). Then at the bottom of the page, click DELETE, and when prompted, click YES, DELETE.
3. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server,
right-click the Databases folder and click Refresh to verify that the operations database is no longer on
the server.
1. In Internet Explorer, in the tab containing the full Azure portal, on the sql databases page, click
DELETED DATABASES.
Note: If the operations database is not in the DELETED DATABASES list, press F5 to
refresh the portal display. You may have to wait several minutes before the database appears in
the list.
2. Select the operations database, and at the bottom of the page, click RESTORE.
3. In the Specify restore settings dialog box, specify the following settings and click the Complete icon:
o
4. Wait for the restore operation to complete; this can take several minutes.
5. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server,
right-click the Databases folder and click Refresh to verify that the operations database has been
restored.
6. In SQL Server Management Studio, click New Query and enter the following Transact-SQL code in
the new query pane:
SELECT * FROM dbo.serverlist;
7. On the toolbar, in the Available Databases list, ensure that operations is selected. Then click
Execute.
8. View the query results and verify that a list of three servers and their IP addresses is returned.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Results: At the end of this lab, you will have deleted and restored the operations database.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
3.
4.
Sign in with the user credentials associated with your Azure account.
5.
6.
From the list of locations, choose a location near you and note the location's name.
7.
Where yourname is your first name and Your Location is the location name you noted in step 6.
8.
9.
Note the name of the SQL Database server you created in step 7.
10. Switch to and close the Internet Explorer which contains the full portal tab, then start Internet
Explorer, browse to http://azure.microsoft.com, click Portal, and then sign in with the credentials
associated with your Azure account.
11. In the navigation on the left, click SQL DATABASES.
12. In the toolbar at the bottom, click NEW and then click CUSTOM CREATE.
13. In the NAME box, type CloudServiceProdDB.
14. In the SERVER drop-down list, choose the SQL Database server name you noted in step 9.
15. Click the Complete icon.
16. Switch to Azure PowerShell, type the following command and then press Enter:
Where XXX is a unique number, and Your Location is the location you noted in step 6.
To test if the account already exists, type the following command and then press Enter:
Test-AzureName -Storage cloudappprodXXX
2.
3.
Browse to D:\LabFiles\Lab08\Starter\Production\Package.
4.
5.
6.
7.
8.
9.
16. To the right of the PRIMARY ACCESS KEY box, click the Copy button, and then click Allow access.
17. Switch to Visual Studio.
18. Locate the <Role> element with the Name AdatumAdsWebRole.
19. Within that <Role> element, locate the <Setting> element with the Name
StorageConnectionString.
20. Delete the string in the value attribute and replace it with the following text:
DefaultEndpointsProtocol=https;AccountName=cloudappprodXXX;AccountKey=
21. Place the cursor at the end of the text you just typed and then press CTRL+V to paste the storage
account primary key.
22. Ensure you close the value attribute with a double quote.
23. Click FILE and then click Save ServiceConfiguration.Cloud.cscfg.
24. Locate the <Role> element with the name AdatumAdsWorkerRole.
25. Within that <Role> element, locate the <Setting> element with the Name
StorageConnectionString.
26. Delete the string in the value attribute and replace it with the following text:
DefaultEndpointsProtocol=https;AccountName=cloudappprodXXX;AccountKey=
27. Place the cursor at the end of the text you just typed and then press CTRL+V to paste the storage
account primary key.
28. Ensure you close the value attribute with a double quote.
29. Click FILE and then click Save ServiceConfiguration.Cloud.cscfg.
30. Locate the <Role> element with the name AdatumAdsWebRole.
31. Within that <Role> element, locate the <Setting> element with the Name
Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString.
32. Delete the string in the value attribute and replace it with the following text:
DefaultEndpointsProtocol=https;AccountName=cloudappprodXXX;AccountKey=
33. Place the cursor at the end of the text you just typed and then press CTRL+V to paste the storage
account primary key.
34. Ensure you close the value attribute with a double quote.
35. Click FILE and then click Save ServiceConfiguration.Cloud.cscfg.
36. Locate the <Role> element with the name AdatumAdsWorkerRole.
37. Within that <Role> element, locate the <Setting> element with the Name
Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString.
38. Delete the string in the value attribute and replace it with the following text:
DefaultEndpointsProtocol=https;AccountName=cloudappprodXXX;AccountKey=
39. Place the cursor at the end of the text you just typed and then press CTRL+V to paste the storage
account primary key.
40. Ensure you close the value attribute with a double quote.
41. Click FILE and then click Save ServiceConfiguration.Cloud.cscfg.
42. Switch to Internet Explorer.
43. In the Manage Access Keys dialog box, click OK.
44. In the navigation on the left, click SQL DATABASES.
45. In the list of databases, click CloudServiceProdDB.
46. Under Connect to your database, click View SQL Database connection strings for ADO.Net,
ODBC, PHP, and JDBC.
47. In the Connection Strings dialog box, select all the text in the ADO.NET box and then press CTRL+C.
48. Switch to Visual Studio.
49. Locate the <Role> element with the name AdatumAdsWorkerRole.
50. Within that <Role> element, locate the <Setting> element with the Name
AdatumAdsDbConnectionString.
51. Delete the string in the value attribute.
52. Press CTRL+V to paste the connection string you copied to the clipboard.
53. In the connection string you just pasted, locate the text {your_password_here}.
54. Delete the located text and replace it with Pa$$w0rd.
55. Click FILE and then click Save ServiceConfiguration.Cloud.cscfg.
56. Close Visual Studio. Note that ServiceConfiguration.Cloud.cscfg now contains the storage account
primary key and the SQL login password in clear text; treat the file as a secret and keep it out of
source control.
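Steps 16 to 56 above paste the same storage key into four settings and a SQL password into a fifth, by hand, through the clipboard. The following script, added here as an example and not part of the course lab files, does the same edit from Microsoft Azure PowerShell: it reads the primary key with Get-AzureStorageKey, prompts for the SQL password instead of embedding it, sets the five Setting elements by name through the XML DOM (so an attribute quote can never be left open), and re-parses the saved file as a check. The .cscfg path, the storage account name and the placeholder ADO.NET connection string are assumptions; replace them with your own values (the ADO.NET string is the one copied from the portal in step 47).

```powershell
# Added example (not from the course): populate ServiceConfiguration.Cloud.cscfg
# from Azure PowerShell instead of pasting secrets by hand.
# Assumed values: file path, storage account name, SQL connection string template.
param(
    [string]$CscfgPath      = 'D:\LabFiles\Lab08\Starter\Production\ServiceConfiguration.Cloud.cscfg',
    [string]$StorageAccount = 'cloudappprodXXX',
    # Paste the ADO.NET string from the portal here; keep {your_password_here} in it.
    [string]$SqlConnectionTemplate = 'Server=tcp:<server>.database.windows.net,1433;Database=CloudServiceProdDB;User ID=<user>@<server>;Password={your_password_here};Trusted_Connection=False;Encrypt=True;Connection Timeout=30;'
)

# The key comes straight from the subscription, so it never sits in the clipboard.
$key = (Get-AzureStorageKey -StorageAccountName $StorageAccount).Primary
$storageConn = "DefaultEndpointsProtocol=https;AccountName=$StorageAccount;AccountKey=$key"

# Ask for the SQL password at run time rather than hard-coding it in the script.
$secure   = Read-Host -Prompt 'SQL login password' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$sqlConn  = $SqlConnectionTemplate.Replace('{your_password_here}', $plainPwd)

# Load the service configuration; every .cscfg declares this namespace on its root.
[xml]$cfg = Get-Content -Path $CscfgPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$ns.AddNamespace('sc', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration')

function Set-RoleSetting {
    param([string]$Role, [string]$Name, [string]$Value)
    $xpath = "/sc:ServiceConfiguration/sc:Role[@name='$Role']/sc:ConfigurationSettings/sc:Setting[@name='$Name']"
    $node  = $cfg.SelectSingleNode($xpath, $ns)
    if ($null -eq $node) { throw "Setting '$Name' not found in role '$Role'" }
    # SetAttribute escapes the value, so a stray quote in a key cannot break the file.
    $node.SetAttribute('value', $Value)
}

foreach ($role in 'AdatumAdsWebRole', 'AdatumAdsWorkerRole') {
    Set-RoleSetting -Role $role -Name 'StorageConnectionString' -Value $storageConn
    Set-RoleSetting -Role $role -Name 'Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString' -Value $storageConn
}
Set-RoleSetting -Role 'AdatumAdsWorkerRole' -Name 'AdatumAdsDbConnectionString' -Value $sqlConn

$cfg.Save($CscfgPath)

# Re-parse the saved file: a malformed attribute fails here, not at deployment time.
[xml]$check = Get-Content -Path $CscfgPath -Raw
$check.SelectNodes('//sc:Setting[@name="StorageConnectionString"]', $ns) |
    ForEach-Object { '{0}: {1}...' -f $_.ParentNode.ParentNode.name, $_.value.Substring(0, 40) }
```

The file written by this script holds the same clear-text secrets as the one edited in Visual Studio, so the same rule applies: do not commit it, and regenerate the storage key if the file leaks.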
2.
3.
In the toolbar at the bottom, click NEW and then click CUSTOM CREATE.
4. In the URL box, type your name. If a green tick does not appear, try another name.
5. In the REGION OR AFFINITY GROUP drop-down list, select the same location you used in Task 1.
6. Select the Deploy a cloud service package check box, and then click Next.
7.
8.
9.
Browse to D:\LabFiles\Lab08\Starter\Production\Package
Results: In this exercise, you will create the necessary resources required by the PaaS cloud service (a
storage account and a SQL database). You will also edit the service configuration file and deploy the cloud
service to the production slot.
2. In the list of cloud services, click the name of the service you created in Exercise 1.
3.
4.
5.
6.
Browse to D:\LabFiles\Lab08\Starter\Staging\Package.
7.
8.
9.
Browse to D:\LabFiles\Lab08\Starter\Production\Package.
2. Click the name of the PaaS cloud service you created in Exercise 1.
3.
4.
5.
6.
7.
8.
9.
In the EXPIRES ON box, select a date one month from today's date.
In the Azure Portal, in the navigation on the left, click CLOUD SERVICES.
2.
3.
4.
Under quick glance, click the SITE URL. The cloud service home page opens in a new Internet
Explorer tab.
5.
6.
7.
Under quick glance, click the SITE URL. The cloud service staging home page opens in a new
Internet Explorer tab.
8.
9.
At the top of the portal, click INSTANCES and then click PRODUCTION.
11. In the toolbar at the bottom, click CONNECT and then click Open.
12. In the Remote Desktop Connection dialog box, click Connect.
13. In the Password box, type Pa$$w0rd and then click OK.
14. In the Remote Desktop Connection dialog box, click Yes. The RDP client displays the desktop for
the first instance of the web role.
15. Close the remote desktop connection.
16. Click OK in the Remote Desktop Connection window.
At the top of the portal, click MONITOR and then click STAGING.
2.
3.
4.
5.
Click Yes.
6.
In the list of metrics, select the Network Out metric for the AdatumAdsWebRole role.
7.
At the left of the metric, click the circle to add the metric to the graph.
8.
In the list of metrics, select the Network Out metric for the AdatumAdsWorkerRole role.
9.
At the left of the metric, click the circle to add the metric to the graph.
In the list of metrics, select the Network Out metric for the AdatumAdsWebRole role.
2.
3.
In the NAME box, type Network Traffic Limit and then click Next.
4.
5.
Under ACTIONS, select Specify the email address for another administrator.
6.
In the ADDRESS box, type the outlook.com email address associated with your Azure account.
7.
Click Complete.
In the Azure portal, in the navigation on the left, click CLOUD SERVICES.
2. In the list of cloud services, click the service you created in Exercise 1.
3.
4.
In the list of metrics, select Network Out metric for the AdatumAdsWebRole role.
5.
6.
7.
8.
9.
10. If you are asked to log in, use the username and password for the account associated with your Azure
subscription.
11. In the list of emails, click Microsoft Azure Alerts.
12. Inspect the details of the alert.
13. Close Internet Explorer.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error, if this occurs). If you find objects remaining after the reset script is complete, you can
re-run Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: At the end of this exercise, you will have configured monitoring for a PaaS cloud service with new
metrics and an alert.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
Start Internet Explorer, browse to https://portal.azure.com, and sign in using the Microsoft account
that is associated with your Azure subscription.
3.
4.
5.
6.
In the Storage account blade, enter the following settings and click Create:
o STORAGE: Use adatum + random numbers (for example, adatum123456); if you get a Storage
account name is not available message, change the numbers until you get a green tick. Note this
name for use in Exercise 1 of the second lab.
o RESOURCE GROUP: Default-Storage-EastAsia (click Resource Group and then, in the Create
resource group dialog box, delete the default name, type Default-Storage-EastAsia, and click
OK).
Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
2.
Click NEW.
3.
4.
In ORIGIN DOMAIN, select the storage account that you created in the previous task and click
CREATE.
2.
Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
2.
3.
Click the storage account that you created in the first task of the first lab.
4.
Click CONTAINERS.
5.
6.
In the New container dialog box, enter the following settings and click OK:
o NAME: adatumcontainer
2.
3.
4.
At the Microsoft Azure PowerShell prompt, type the following command and press Enter:
Get-AzurePublishSettingsFile
5.
6.
Click the drop-down arrow next to Save and click Save as.
7.
Navigate to D:\Labfiles\Lab09\Starter.
8.
9.
10. At the Microsoft Azure PowerShell prompt, type the following command and press Enter:
Import-AzurePublishSettingsFile -PublishSettingsFile D:\Labfiles\Lab09\Starter\Adatumcredentials.publishsettings
11. At the Microsoft Azure PowerShell prompt, type the following command and press Enter:
$Key1=(Get-AzureStorageKey -StorageAccountName <storage account name from the first lab>).Primary
12. At the Microsoft Azure PowerShell prompt, type the following command and press Enter:
$Context1=New-AzureStorageContext -StorageAccountKey $Key1 -StorageAccountName <storage account name from the first lab>
13. At the Microsoft Azure PowerShell prompt, type the following command and press Enter:
Set-AzureStorageBlobContent -Blob Welcome -Container adatumcontainer -File D:\Labfiles\Lab09\Starter\Welcome.png -Context $Context1 -Force
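The upload in step 13 only works as a CDN origin if the container allows anonymous reads, and the next task relies on that. The script below, added as an example and not part of the course lab, continues from the $Context1 created in step 12: it confirms the blob landed, reads the container's public access level, restricts it to Blob (anonymous read of a named blob) rather than Container (anonymous enumeration of everything in it), and then checks the result from the outside with unauthenticated HTTP requests. The container name adatumcontainer is the lab's; nothing else is assumed.

```powershell
# Added example (not from the course): verify the upload and lock the container's
# public access level down to what a CDN origin needs. Requires $Context1 from step 12.
$container = 'adatumcontainer'

# 1. Confirm the upload actually landed.
$blob = Get-AzureStorageBlob -Container $container -Blob 'Welcome' -Context $Context1
'{0}  {1} bytes  ETag {2}' -f $blob.Name, $blob.Length, $blob.ICloudBlob.Properties.ETag

# 2. Read the container's public access level.
#    Off       : anonymous requests are refused (CDN origin pull fails)
#    Blob      : anonymous read of a blob whose name you know (what a CDN needs)
#    Container : anonymous read AND listing of every blob in the container
$acl = Get-AzureStorageContainerAcl -Name $container -Context $Context1
"Current public access: $($acl.PublicAccess)"

# 3. Grant blob-level read only; Container would let anyone enumerate the whole container.
if ($acl.PublicAccess -ne 'Blob') {
    Set-AzureStorageContainerAcl -Name $container -Permission Blob -Context $Context1
    "Public access set to Blob"
}

# 4. Prove it from outside: an anonymous GET of the blob succeeds, an anonymous listing is refused.
$base = $Context1.BlobEndPoint.TrimEnd('/')
try {
    $r = Invoke-WebRequest -Uri "$base/$container/Welcome" -Method Head -UseBasicParsing
    "Anonymous blob read: HTTP $($r.StatusCode)"
} catch {
    "Anonymous blob read failed: $($_.Exception.Message)"
}
try {
    Invoke-WebRequest -Uri "$base/$container?restype=container&comp=list" -UseBasicParsing | Out-Null
    "WARNING: anonymous listing succeeded; the container is publicly enumerable"
} catch {
    "Anonymous listing refused (expected with Blob-level access)"
}
```

If the listing request succeeds, the container was created with Container-level access; the CDN does not need that, and it exposes the names of every object you later put there.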
Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
2.
3.
Click the storage account that you created in the first task of the first lab.
4.
Click CONTAINERS.
5.
Click adatumcontainer.
6.
Click DOWNLOAD.
7.
The file that you uploaded to the CDN will now be displayed in Internet Explorer.
8.
2.
3.
Switch to PowerShell.
2.
You will choose a storage location for your Azure storage account. At the Microsoft Azure
PowerShell prompt, type the following command and press Enter:
Get-AzureLocation
3.
4.
Now you will add a storage account. At the Microsoft Azure PowerShell prompt, type the following
command and press Enter:
New-AzureStorageAccount -StorageAccountName adatumstorage123456 -Location "Southeast Asia"
2.
3.
Click NEW, click APP SERVICES, click MEDIA SERVICE, and click QUICK CREATE.
4.
In the CREATE MEDIA SERVICE dialog box, enter the following settings and click CREATE MEDIA
SERVICE:
o NAME: adatummediaservice12345.
o STORAGE ACCOUNT: Select the account name from the previous task.
2.
Click the media service that you created in the previous task.
3.
4.
5.
6.
Click Open.
7.
Click OK.
In Internet Explorer, in the navigation bar on the left, click MEDIA SERVICES.
2.
3.
4.
Click Welcome-wmv-Source.
5.
6.
In the Azure Media Encoder dialog box, review the values for PRESET and select Playback on
PC/Mac (via Flash/Silverlight).
7.
Verify that the OUTPUT CONTENT NAME value is Welcome-wmv-PCMac-Output and click OK.
8.
2.
In the Are you sure that you want to publish Welcome-wmv-PCMac-Output? panel, click YES.
2.
3.
4.
5.
Select Welcome-wmv-PCMac-Output.
6.
7.
8.
Click Close.
2.
Under Configure this local server, click Add roles and features.
3.
In the Add Roles and Features Wizard, click Next and then click Next again.
4.
Ensure that the MIA-CL1 server is selected and then click Next.
5.
6.
7.
8.
In the dialog that appears, click Add Features and then click Next.
9.
Click Install.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Encoded media.
2.
Published media.
3.
Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2.
Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.
3.
4.
5.
In the Add directory dialog box, enter the following settings and click Complete (check mark):
o NAME: Adatum
o DOMAIN NAME: Use your initials + the NAME field + random numbers (for example,
abcadatum123456); if you get a The domain is not unique message, change the numbers until
you get a green tick
2.
3.
4.
In the Tell us about this user dialog box, enter the following settings and click Next:
5.
In the user profile dialog box, enter the following settings and click Next:
o ROLE: User
6.
Click Create.
7.
On the Get temporary password page, note the value for NEW PASSWORD; as a backup, in the
SEND PASSWORD IN EMAIL box, type the email address of your Azure subscription.
8.
9.
10. In the Tell us about this user dialog box, enter the following settings and click Next:
o
11. In the user profile dialog box, enter the following settings and click Next:
o ALTERNATE EMAIL ADDRESS: Type the email address of your Azure subscription
Username: kgruber@XXXadatumXXX.onmicrosoft.com
18. On the Update your password page, in the Current password box, type the temporary password, in
the New password and Confirm password boxes, type Pa$$w0rd123, and click Update password
and sign in.
Note: Although kgruber is a Global Administrator of the directory, this account is not a Co-Administrator
of the Azure subscription, so the attempt to log in to the portal fails ("We were unable to find any
subscriptions associated with your account"); this is by design. Directory roles and subscription
co-administration are granted separately.
19. Close Internet Explorer.
2.
3.
Click Adatum.
4.
Click GROUPS.
5.
6.
In the Add Group dialog box, enter the following settings and click Complete:
o NAME: Sales
7.
Click Sales.
8.
9.
In the Add members dialog box, click Remi Desforges and click Complete.
NAME: Marketing
On the taskbar, right-click Windows Azure Active Directory Module for Windows PowerShell and
click Run ISE as Administrator.
2.
3.
4.
5.
6.
If the Script pane is not visible, on the View menu, click Show Script Pane.
7.
In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Connect-MsolService
8.
9.
In the PowerShell ISE, in the Script pane, locate the following code:
New-MsolUser -UserPrincipalName mledford@<#Copy your Azure Directory name here#>.onmicrosoft.com -DisplayName "Mario Ledford" -FirstName Mario -LastName Ledford -Password 'Pa$$w0rd123' -ForceChangePassword $false -UsageLocation US
10. Replace <#Copy your Azure Directory name here#> with your Azure Directory name. Keep the password
in single quotes: in an unquoted or double-quoted argument PowerShell expands $$ as a variable, and the
user would be created with a password other than Pa$$w0rd123.
11. In the PowerShell ISE, in the Script pane, select the code you have just edited.
12. On the toolbar, click the Run Selection button and wait for the script to complete.
13. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-MsolUser
14. In the PowerShell ISE, in the Script pane, locate the following code:
New-MsolGroup -DisplayName "Azure team" -Description "Adatum Azure team users"
15. In the PowerShell ISE, in the Script pane, select the above code.
16. On the toolbar, click the Run Selection button and wait for the script to complete.
17. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-MsolGroup
18. In the PowerShell ISE, in the Script pane, locate the following code:
$group = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Azure team"}
19. In the PowerShell ISE, in the Script pane, select the above code.
20. On the toolbar, click the Run Selection button and wait for the script to complete.
21. In the PowerShell ISE, in the Script pane, locate the following code:
$user = Get-MsolUser | Where-Object {$_.DisplayName -eq "Mario Ledford"}
22. In the PowerShell ISE, in the Script pane, select the above code.
23. On the toolbar, click the Run Selection button and wait for the script to complete.
24. In the PowerShell ISE, in the Script pane, locate the following code:
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId
25. In the PowerShell ISE, in the Script pane, select the above code.
26. On the toolbar, click the Run Selection button and wait for the script to complete.
27. In the PowerShell ISE, in the Script pane, locate the following code:
Get-MsolGroupMember -GroupObjectId $group.ObjectId
28. In the PowerShell ISE, in the Script pane, select the above code.
29. On the toolbar, click the Run Selection button and wait for the script to complete.
30. Switch to Internet Explorer.
31. Click USERS, and verify that Mario Ledford appears in the list of users.
32. Click GROUPS, and verify that Azure team appears in the list of groups.
Results: After completing this exercise, you will have created some pilot users and groups in Azure AD
using the portal and Microsoft Azure Active Directory module for Azure PowerShell.
2.
3.
In the What do you want to do? dialog box, click Add an application from the gallery.
4.
In the Add an application for my organization to use dialog box, in the search box, type
Microsoft, and press Enter.
5.
Click Microsoft Account (Windows Live), and then click the check mark.
6.
7.
8.
9.
10. In the Assign Users dialog box, select the I want to enter Microsoft Account (Windows Live)
credentials on behalf of the user check box.
11. In the Email Address box, type the email address of your Azure subscription. In the Password box,
type your Azure subscription password, and then click the check mark.
12. Above Microsoft Account, click the Back arrow.
13. At the bottom of the screen, click ADD.
14. In the What do you want to do? dialog box, click Add an application from the gallery.
15. In the Add an application for my organization to use dialog box, in the search box, type Skype,
and press Enter.
16. Click Skype, and then click the check mark.
17. Verify that Configure single sign-on has been enabled by default.
18. Click Assign users.
19. In the user list, click Mario Ledford.
20. At the bottom of the screen, click ASSIGN.
21. In the Assign Users dialog box, do not select the I want to enter Skype credentials on behalf of
the user check box, and click the check mark.
22. On the top right of the page, click your Azure account name, and then click Sign out.
1.
2.
3.
On the Sign in page, enter the following credentials (where XXXadatumXXX is your unique Adatum
domain name), and click Sign in:
o Username: mledford@XXXadatumXXX.onmicrosoft.com
o Password: Pa$$w0rd123
4.
On the applications page, click the ellipsis (...) next to Microsoft Account (Windows Live); note the
options to Update credentials, and Report a problem.
5.
6.
In the Microsoft Account (Windows Live) dialog box, click Install Now.
7.
8.
In the Access Panel Extension dialog box, on the Welcome to the Access Panel Extension Setup
Wizard page, click Next.
9.
17. On the Sign in page, enter the following credentials (where XXXadatumXXX is your unique Adatum
domain name), and click Sign in.
Username: mledford@XXXadatumXXX.onmicrosoft.com
Password: Pa$$w0rd123
18. On the applications page, click Microsoft Account (Windows Live); note the Redirecting to
Microsoft Account (Windows Live) message.
19. Verify that your sign-on to the Access Panel has automatically signed you in to your Microsoft
Account.
20. Switch to the Access Panel Applications tab.
21. On the applications page, click Skype; note that you are now prompted for credentials, because you
did not enter any credentials on behalf of the user when configuring single sign-on.
22. Close the Skype dialog box.
23. Close Internet Explorer.
Results: After completing this exercise, you will have installed and configured a test application, and
confirmed successful single sign-on.
2.
In Internet Explorer, in the address box, type https://manage.windowsazure.com, and then press
Enter.
3.
On the Microsoft Azure page, click your Azure subscription name; if your Azure subscription is not
shown, click Use another account.
4.
On the Sign in page, enter the credentials for the Microsoft account associated with your Azure
subscription, and click Sign in.
5.
6.
7.
Click CONFIGURE.
8.
9.
If you get a Sign in page, enter the following credentials, and click Sign in.
10. Sign in using the Microsoft account associated with your Azure subscription.
11. On the multi-factor authentication page, click users.
12. In the users list, select the check box for Karen Gruber, and in the quick steps section, click Enable.
13. On the About enabling multi-factor auth page, click enable multi-factor auth.
14. On the Updates successful page, click close.
15. In Internet Explorer, close the multi-factor authentication tab.
16. Close Internet Explorer.
2.
3.
4.
On the Sign in page, enter the following credentials (where XXXadatumXXX is your unique Adatum
domain name), and click Sign in:
Username: kgruber@XXXadatumXXX.onmicrosoft.com
Password: Pa$$w0rd123
5.
Note the following message: Your admin has required that you set up this account for additional
security verification.
6.
7.
On the additional security verification page, click in the first box, and note the contact method
options.
8.
Optional step: If you have access to a mobile phone in the classroom, and have a signal or data
connection, you may wish to complete the "additional security verification" steps on the additional
security verification page.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script
does not remove the Azure Directory; this can either be manually deleted or you can leave it in place
as it does not affect subsequent labs.
Results: After completing this exercise, you will have configured MFA for administrators.
2.
3.
In the Windows Security dialog box, enter a user name of ADATUM\Student and a password of
Pa$$w0rd123.
4.
5.
6.
If a Set up Internet Explorer 11 dialog box opens, click Use recommended security and
compatibility settings, and then click OK.
7.
8.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
9.
10. Click the arrow to the right of the directory name, then under default directory, click DIRECTORY
INTEGRATION.
11. Next to DIRECTORY SYNC, click ACTIVATED, then click SAVE.
12. In the confirmation dialog, click YES.
13. Under Install and run the directory sync tool, click here.
14. In the pop-up dialog box, click the down arrow next to Save and then click Save as.
15. Save the dirsync.exe file to the Downloads folder.
16. Click View downloads, and then click Run.
17. In the Welcome page, click Next.
18. In the Microsoft Software Licence Terms page, click I accept and then click Next.
19. In the Select Installation Folder page, click Next.
20. On the Installation Complete page, click Next; installation may take 15-20 minutes.
21. Cancel the Start Configuration Wizard now option and click Finish.
Important: Do not run the configuration wizard at this time. You need to log off and log on again to
add your user account to the Synchronization Engine FIMSyncAdmins group.
22. Close the View Downloads dialog box.
23. Click the Start button, then click Student and click Sign out.
24. Double-click AdatumDC1.rdp.
2.
3.
4.
5.
6.
7.
8.
9.
Under Password options, click Other password options, then click Password never expires.
12. In Enter the object names to select, type Domain Admins, then click Check Names, and then click
OK.
13. Repeat steps 11 and 12 for the Enterprise Admins group.
14. On the Create User dialog box, click OK.
15. Double-click the Accounts OU.
16. Verify that there are five user accounts in this OU.
17. From the Start page, open Internet Explorer, browse to manage.windowsazure.com.
18. When prompted, sign in using the Microsoft account associated with your Azure subscription.
19. In the portal, click ACTIVE DIRECTORY.
20. Click the arrow next to Default Directory and click USERS.
21. At the bottom of the page, click ADD USER.
22. Ensure that TYPE OF USER is set to New user in your organization, then enter a user name of
DirSyncAzure, and click the right arrow.
23. In the User Profile page, in Display Name, enter DirSyncAzure.
24. Under ROLE, select Global Administrator.
25. In the ALTERNATE EMAIL ADDRESS field, enter user@alt.none, then click the right arrow. (Do not
enable Multi-Factor Authentication.)
26. On the Get temporary password page, make a note of the full user name (including the part after
the @ symbol); you might want to copy this to Notepad.
27. Click create, and make a note of the temporary password shown in the NEW PASSWORD box; you
might want to copy this to Notepad.
28. Click Complete (check mark).
29. At the top right-hand corner, click your logon name and click sign out.
30. Click SIGN IN.
31. Click Use another account.
32. Enter DirSyncAzure@yourdomainname.onmicrosoft.com using the domain name in step 26.
33. Enter the temporary password from Step 27 above.
34. Click Sign in.
35. In the change password dialog box, under old password, enter the temporary password from Step 27.
36. In the CREATE NEW PASSWORD and CONFIRM NEW PASSWORD boxes, enter Pa$$w0rd123,
then click Update password and sign in.
37. On the No Subscriptions found page, click SIGN OUT; this message appears because the account is a
directory Global Administrator but not a co-administrator of the subscription.
38. Close Internet Explorer.
2.
3.
4.
In the Active Directory Enterprise Administrator Credentials page, under User name, enter
ADATUM\DirSync and a password of Pa$$w0rd123, and click Next.
5.
6.
7.
8.
On the Finished page, click to clear Synchronize your directories now, and then click Finish.
2.
3.
Double-click miisclient.exe.
4.
5.
6.
7.
Click Containers.
Note: The credentials dialog box initially displays the MSOL_<id> account; this account uses a
randomly generated password, so administrators will not know it.
8.
In the Credentials dialog box, enter the following credentials, and click OK:
o Password: Pa$$w0rd123
o Domain: ADATUM
In the Select Containers dialog box, clear the root level check box, then select only the Accounts
check box, and click OK.
Results: After completing this exercise, you will have installed and configured DirSync, ready for a test
synchronization.
1.
2.
3.
4.
In the Active Directory Enterprise Administrator Credentials page, under User name, enter
ADATUM\DirSync and a password of Pa$$w0rd123, and then click Next.
5.
6.
7.
8.
On the Finished page, ensure that Synchronize your directories now is checked, and click Finish.
9.
In the Windows Azure Active Directory Sync tool Configuration Wizard dialog box, click OK.
2.
3.
Job Title
Department
Street Address
City
State or Province
4.
Click OK.
5.
In the taskbar, right-click PowerShell and select Run as Administrator; if you do not get the Run as
Administrator option, click PowerShell on the taskbar, then close PowerShell, and try again.
6.
Type Set-ExecutionPolicy Unrestricted and press Enter, then type Y and press Enter again.
7.
8.
9.
10. Click one of the user accounts that you have changed previously.
11. Click WORK INFO.
12. Check that the changes you made earlier have propagated to Microsoft Azure; if you do not see any
changes, wait a few minutes and refresh the page.
13. Close the AdatumDC1 remote desktop session, and click OK when prompted.
2.
On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog box, click Yes.
3.
4.
When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the
objects in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have synchronized a specific OU within Active Directory
into Microsoft Azure Active Directory, changed attributes on user accounts, and forced synchronization.
2.
3.
4. On the Add a New Automation Account page, in the ACCOUNT NAME box, type ADATUM, in the
REGION list, use the same region you selected when you prepared the lab environment, and then
click Complete (check mark).
5.
6.
7. Click USERS.
8.
9.
10. In the USER NAME box, type AutomationUser, and click the right arrow.
11. In the FIRST NAME and LAST NAME boxes, type Automation and User.
12. In the DISPLAY NAME box, type Automation User.
13. In the ROLE box, select User, and click the right arrow (do not enable Multi-Factor Authentication).
Note that you are creating an organizational account, and you will make this account a co-administrator of the Azure subscription.
14. On the Get temporary password page, make a note of the full username (including the part after
the @ symbol); you might want to copy this to Notepad.
15. Click create, and make a note of the temporary password shown in the NEW PASSWORD box; you
might want to copy this to Notepad.
16. Click Complete (check mark).
17. In the Management Portal, on the left side, click SETTINGS.
18. Click ADMINISTRATORS.
19. At the bottom of the page, click ADD.
20. In the EMAIL ADDRESS box, type AutomationUser@<domain>, where domain is the part after the
@ symbol you noted above (or you could paste this from Notepad).
21. Under SUBSCRIPTION, select your Azure subscription, and click OK (check mark).
22. At the top right of the page, click your Azure subscription name, and click Sign out.
23. On the You have been signed out page, click SIGN IN.
24. On the Microsoft Azure page, click Use another account.
25. On the Sign in page, enter the following credentials (where domain is the part after the @ symbol
you noted above), and click Sign in:
o Username: AutomationUser@<domain>
26. On the Update your password page, in the Current password box, type the temporary password.
27. In the New password and Confirm password boxes, type Pa$$w0rd123, and click Update
password and sign in.
28. If the Sign in page appears, enter your new password, and click Sign in.
29. Close the WINDOWS AZURE TOUR box.
2.
3.
4.
5.
6. On the Define Credential page, in the CREDENTIAL TYPE box, select Windows PowerShell
Credential, in the NAME box, type PScredential, and click the right arrow.
7. On the Define Credential page, in the USER NAME box, type AutomationUser@<domain>; where
domain is the part after the @ symbol you noted above (you could paste this from Notepad).
8. In the PASSWORD and CONFIRM PASSWORD boxes, type Pa$$w0rd123, and click Complete
(check mark).
9.
AdminName: Student
AdminPassword: Pa$$w0rd123
Network: ADATUM-VNET
Subnet: Subnet-1
17. Under TYPE, click DAILY, under START TIME, select today's date and set time to 18:00, and then
click Complete (check mark). Note that the time must be at least five minutes after the time you
create this schedule.
Results: After completing this exercise, you will have configured a new Azure Automation account, and
created a new Azure organizational account to use with Azure Automation.
1. Click RUNBOOKS.
2. Click IMPORT.
3. On the Select the runbook to be imported page, click BROWSE FOR FILE.
4. In the Choose File to Upload dialog box, navigate to D:\Labfiles\Lab12\Starter, select NewStorageAndVMs.ps1, and click Open.
5. In the Select the runbook to be imported page, click Complete (check mark); the runbook import
process may take several minutes to complete.
6.
7. On the new-storageandvms page, click AUTHOR; note that the script includes basic credential and
subscription configuration only.
8.
9.
10. In the How do you want to open this type of file (.txt)? dialog box, click Notepad.
11. Select all the text from #CODE BLOCK A ... to #CODE BLOCK A - END, and click Edit, then Copy.
This code block calculates unique names for the storage account and cloud service names.
12. Switch to Internet Explorer.
13. On the new-storageandvms page, in the runbook, click in line 12, and press Ctrl+V to paste the
text.
14. At the bottom of the page, click TEST.
15. At the confirmation message, click YES.
16. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT
PANE bar before proceeding.
17. In the OUTPUT PANE, verify that storage account and cloud service account names are displayed;
these are variables only at this stage.
18. Switch to Notepad.
19. Select all the text from #CODE BLOCK B ... to #CODE BLOCK B - END, and click Edit, then Copy.
This code block places the name of the latest Windows Server 2012 R2 image into a variable.
21. On the new-storageandvms page, in the runbook, after the code you previously pasted (but before
the final "}"), press Ctrl+V to paste the text.
22. At the bottom of the page, click TEST.
23. At the confirmation message, click YES.
24. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT
PANE bar before proceeding.
25. In the OUTPUT PANE, verify that storage account and cloud service account names are displayed,
and that the latest Windows Server 2012 R2 image name is also shown.
26. Switch to Notepad.
27. Select all the text from #CODE BLOCK C ... to #CODE BLOCK C - END, and click Edit, then Copy; this
code block sets the value of local variables using Automation Asset variables.
28. Switch to Internet Explorer.
29. On the new-storageandvms page, in the runbook, after the code you previously pasted (but before
the final "}"), press Ctrl+V to paste the text.
30. At the bottom of the page, click TEST.
31. At the confirmation message, click YES.
32. The job will be submitted, and then queued; wait until you see STATUS:COMPLETED in the OUTPUT
PANE bar before proceeding.
33. In the OUTPUT PANE, verify that in addition to the previous variables, the Asset variables you
defined earlier are now listed.
34. Switch to Notepad.
35. Select all the text from #CODE BLOCK D ... to #CODE BLOCK D - END, and click Edit, then Copy;
this code block creates a new storage account, and associates it with your Azure subscription.
36. Switch to Internet Explorer.
37. On the new-storageandvms page, in the runbook, after the code you previously pasted (but before
the final "}"), press Ctrl+V to paste the text.
38. At the bottom of the page, click SAVE; you will not test this code at this stage, as testing will create
the storage and the objective is to automate storage creation and VM deployment as one scripted
operation.
39. Switch to Notepad.
40. Select all the text from #CODE BLOCK E ... to #CODE BLOCK E - END, and click Edit, then Copy; this
code block deploys two new VMs, using the workflow parallel operation.
41. Switch to Internet Explorer.
42. On the new-storageandvms page, in the runbook, after the code you previously pasted (but before
the final "}"), press Ctrl+V to paste the text.
43. At the bottom of the page, click SAVE; you will not test this code at this stage, as testing will deploy
VMs and the objective is to automate storage creation and VM deployment as one scripted
operation, and you will run the script later in this lab.
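The five code blocks pasted in steps 11 to 42 are not reproduced on this page. The runbook below is an added example, written here to show the same five stages as a single PowerShell workflow; it is not the lab's NewStorageAndVMs.ps1. The asset names PScredential, AdminName, AdminPassword, Network and Subnet come from the lab; SubscriptionName and Location are assumed variable assets that the lab does not define, and the storage, cloud service and VM names are constructed. Sign-in uses the PScredential asset, so no password is written into the runbook text.

```powershell
# Added example runbook (not the course's NewStorageAndVMs.ps1).
workflow New-StorageAndVMs
{
    # Sign in with the PScredential asset (the AutomationUser organizational account).
    $azureCred = Get-AutomationPSCredential -Name "PScredential"
    Add-AzureAccount -Credential $azureCred | Out-Null
    $subscriptionName = Get-AutomationVariable -Name "SubscriptionName"   # assumed asset
    Select-AzureSubscription -SubscriptionName $subscriptionName

    # Stage A: names that are unique across Azure. Storage account names must be
    # 3-24 lowercase letters or digits, so a timestamp suffix keeps them valid.
    $suffix = Get-Date -Format "yyMMddHHmmss"
    $storageName = "adatumsa$suffix"
    Write-Output "Storage account: $storageName"
    Write-Output "Cloud services: adatumcs1-$suffix, adatumcs2-$suffix"

    # Stage B: the most recently published Windows Server 2012 R2 Datacenter image.
    $imageName = Get-AzureVMImage |
        Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } |
        Sort-Object PublishedDate -Descending |
        Select-Object -First 1 -ExpandProperty ImageName
    Write-Output "Image: $imageName"

    # Stage C: local variables from Automation variable assets. Get-AutomationVariable
    # returns the decrypted value when AdminPassword is stored as an encrypted asset,
    # which is preferable to the plain-text variable the lab creates.
    $adminName = Get-AutomationVariable -Name "AdminName"
    $adminPassword = Get-AutomationVariable -Name "AdminPassword"
    $network = Get-AutomationVariable -Name "Network"
    $subnet = Get-AutomationVariable -Name "Subnet"
    $location = Get-AutomationVariable -Name "Location"   # assumed asset
    Write-Output "Admin user: $adminName  VNet: $network  Subnet: $subnet"

    # Stage D: create the storage account and make it the subscription's current account,
    # so the VM disks created below are placed in it.
    New-AzureStorageAccount -StorageAccountName $storageName -Location $location | Out-Null
    Set-AzureSubscription -SubscriptionName $subscriptionName -CurrentStorageAccountName $storageName

    # Stage E: deploy two VMs in parallel, each in its own cloud service so the two
    # deployments do not contend for one service. Names are constructed for this example.
    foreach -parallel ($index in 1, 2)
    {
        New-AzureQuickVM -Windows -ServiceName "adatumcs${index}-$suffix" -Name "ADATUM-VM$index" `
            -ImageName $imageName -AdminUsername $adminName -Password $adminPassword `
            -Location $location -VNetName $network -SubnetNames $subnet
    }
}
```

Stages A to C only compute and print values, which matches the lab's pattern of testing the runbook up to block C; stages D and E create billable resources, which is why the lab saves rather than tests once they are pasted in.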
2. At the Command Prompt, type the following command, and press Enter: time.
3. Note the current PC time, and any time shift from your current classroom time.
4.
5.
6. At the confirmation message, click YES; note that the status of the runbook has now changed from
DRAFT to PUBLISHED.
7. Click SCHEDULE.
8.
9. On the Select a schedule page, note that the EndOfDay schedule you created is available to be used.
10. Close the Select a schedule page; do not link to the existing schedule.
11. Click LINK TO A NEW SCHEDULE.
12. On the Configure Schedule page, in the NAME box, type TEST, and click the right arrow.
13. Under TYPE, click ONE TIME, under START TIME, select today's date and set the time to the current
PC time plus five minutes, and then click Complete (check mark).
14. In the schedule list, note the NEXT RUN time, and that the scheduled job is enabled.
15. Wait five minutes.
1. Click JOBS.
2.
3.
4. On the SUMMARY page, note the information shown in the job summary section.
5.
6. Make a note of the names of the storage account and cloud services; you might want to copy them
to Notepad.
7.
8.
9.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog box, click Yes.
3.
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.
Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script
does not remove the Automation account (or the organizational account); you can either delete these
manually or leave them in place, as they do not affect subsequent labs.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.
Results: After completing this exercise, you will have authored, tested, and run a new runbook to deploy
two virtual machines.