Microsoft Official Learning Product 20533B
Implementing Microsoft Azure Infrastructure Solutions

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2015 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other trademarks are property of their respective owners.
Product Number: 20533B
Part Number (if applicable): X19-82805
Released: 01/2015

MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active silver or gold-level Microsoft Partner Network program member in good
standing.

l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.

ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or
services. These license terms will apply to your use of those third party programs or services, unless other
terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You
will not give feedback that is subject to a license that requires Microsoft to license its software,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,

alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,

modify or create a derivative work of any Licensed Content,

publicly display, or make the Licensed Content available for others to access or use,

copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,

work around any technical limitations in the Licensed Content, or

reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed content is at
your sole risk. Microsoft gives no other express warranty. You may have additional rights under local
consumer protection law, which this agreement cannot modify. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may recover from Microsoft and
its suppliers compensation for direct damages only, up to US$5.00. You may not claim compensation for any
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the licensed content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damages. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it to do so.
Revised September 2012

Acknowledgements

Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Alistair Matthews - Author

David Coombes - Author

Anthony Steven - Author

Steve Ryan - Author

Geoff Allix - Author

John Devaney - Author

Graeme Malcolm - Author

Marcin Policht - Technical Reviewer

Ronald Beekelaar - Technical Reviewer

Andrew Fogg - QA

Richard Strange - DTP and Production

Jez Hallybone - Project Manager

MCT USE ONLY. STUDENT USE PROHIBITED

Implementing Microsoft Azure Infrastructure Solutions

Contents

Module 1: Introduction to Microsoft Azure
  Module Overview  1-1
  Lesson 1: Cloud Technology Overview  1-2
  Lesson 2: Microsoft Azure  1-7
  Lesson 3: The Azure Portals  1-13
  Lesson 4: Managing Azure with Windows PowerShell  1-18
  Lab: Introduction to Azure  1-25
  Module Review and Takeaways  1-28

Module 2: Implement and Manage Virtual Networks
  Module Overview  2-1
  Lesson 1: Planning Virtual Networks  2-2
  Lesson 2: Implementing and Managing Virtual Networks  2-13
  Lab A: Creating Virtual Networks  2-19
  Lesson 3: Configuring Connections to Virtual Networks  2-22
  Lab B: Connecting Virtual Networks  2-29
  Module Review and Takeaways  2-34

Module 3: Implementing Virtual Machines
  Module Overview  3-1
  Lesson 1: Introduction to IaaS Cloud Services  3-2
  Lesson 2: Planning Virtual Machine Workloads  3-10
  Lesson 3: Creating Virtual Machines  3-17
  Lab: Implementing Virtual Machines  3-29
  Module Review and Takeaways  3-32

Module 4: Managing Virtual Machines
  Module Overview  4-1
  Lesson 1: Configuring Virtual Machines  4-2
  Lesson 2: Managing and Configuring Virtual Machine Disks  4-12
  Lesson 3: Managing and Monitoring Virtual Machines  4-19
  Lab: Managing Virtual Machines  4-31
  Module Review and Takeaways  4-36

Module 5: Implementing Websites
  Module Overview  5-1
  Lesson 1: Planning for Website Deployment  5-2
  Lesson 2: Deploying Websites  5-9
  Lesson 3: Configuring Websites  5-18
  Lesson 4: Monitoring Websites  5-23
  Lesson 5: Traffic Manager  5-27
  Lab: Implementing Websites  5-33
  Module Review and Takeaways  5-39

Module 6: Planning and Implementing Storage
  Module Overview  6-1
  Lesson 1: Planning Storage  6-2
  Lesson 2: Implement and Manage Storage  6-11
  Lesson 3: Backup and Monitoring Storage  6-20
  Lab: Planning and Implementing Storage  6-26
  Module Review and Takeaways  6-31

Module 7: Planning and Implementing Data Services
  Module Overview  7-1
  Lesson 1: Data Services in Microsoft Azure  7-2
  Lesson 2: Implementing Azure SQL Database  7-8
  Lesson 3: Managing Azure SQL Database Security  7-15
  Lesson 4: Monitoring Azure SQL Database  7-23
  Lesson 5: Managing Azure SQL Database Business Continuity  7-27
  Lab: Planning and Implementing Data Services  7-31
  Module Review and Takeaways  7-36

Module 8: Implementing PaaS Cloud Services and Mobile Services
  Module Overview  8-1
  Lesson 1: Planning and Deploying PaaS Cloud Services  8-2
  Lesson 2: Configuring Cloud Services  8-12
  Lesson 3: Implementing Mobile Services  8-18
  Lesson 4: Monitoring and Diagnostics  8-25
  Lab: Implementing PaaS Cloud Services  8-29
  Module Review and Takeaways  8-34

Module 9: Implementing Content Delivery Networks and Media Services
  Module Overview  9-1
  Lesson 1: Implementing Azure Content Delivery Networks  9-2
  Lab A: Implementing a Content Delivery Network  9-8
  Lesson 2: Publishing Content with Azure Media Services  9-10
  Lab B: Implementing Content Delivery Networks and Cloud Services  9-16
  Module Review and Takeaways  9-20

Module 10: Implement Azure AD
  Module Overview  10-1
  Lesson 1: Create and Manage Azure AD Directories  10-2
  Lesson 2: Configuring Application Integration with Azure AD  10-13
  Lesson 3: Overview of Azure AD Premium  10-16
  Lab: Implementing Azure Active Directory  10-24
  Module Review and Takeaways  10-31

Module 11: Managing Active Directory in a Hybrid Environment
  Module Overview  11-1
  Lesson 1: Extending On-Premises Active Directory into Azure  11-2
  Lesson 2: Directory Synchronization  11-9
  Lesson 3: Implementing Federation  11-24
  Lab: Managing an Active Directory Hybrid Environment  11-35
  Module Review and Takeaways  11-39

Module 12: Implementing Automation
  Module Overview  12-1
  Lesson 1: Overview of Automation Components  12-2
  Lesson 2: Implementing PowerShell Workflows  12-7
  Lesson 3: Managing Automation  12-10
  Lab: Implementing Automation  12-15
  Module Review and Takeaways  12-20

Module 13: Microsoft Azure Solutions
  Module Overview  13-1
  Lesson 1, Scenario 1: Tailspin Toys Business Systems  13-2
  Lesson 2, Scenario 2: Software as a Service  13-6
  Module Review and Takeaways  13-9

Lab Answer Keys
  Module 1 Lab: Introduction to Azure  L01-1
  Module 2 Lab A: Creating Virtual Networks  L02-1
  Module 2 Lab B: Connecting Virtual Networks  L02-5
  Module 3 Lab: Implementing Virtual Machines  L03-1
  Module 4 Lab: Managing Virtual Machines  L04-1
  Module 5 Lab: Implementing Websites  L05-1
  Module 6 Lab: Planning and Implementing Storage  L06-1
  Module 7 Lab: Planning and Implementing Data Services  L07-1
  Module 8 Lab: Implementing PaaS Cloud Services  L08-1
  Module 9 Lab A: Implementing a Content Delivery Network  L09-1
  Module 9 Lab B: Implementing Content Delivery Networks and Cloud Services  L09-2
  Module 10 Lab: Implementing Azure Active Directory  L10-1
  Module 11 Lab: Managing an Active Directory Hybrid Environment  L11-1
  Module 12 Lab: Implementing Automation  L12-1

About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description

This training course teaches IT professionals how to provision and manage services in Microsoft Azure.

Audience

This course is intended for information technology (IT) professionals who have some knowledge of cloud
technologies and want to learn more about Microsoft Azure.

Student Prerequisites

In addition to their professional experience, students who attend this training should already have the
following technical knowledge:

- Understanding of on-premises virtualization technologies including: virtual machines, virtual
  networking, and virtual hard disks.
- Understanding of network configuration including: TCP/IP, DNS, virtual private networks, firewalls,
  and encryption technologies.
- Understanding of websites including: create, configure, monitor and deploy a website on Internet
  Information Services (IIS).
- Understanding of Active Directory concepts including: Domains, Forests, Domain Controllers,
  replication, Kerberos, and LDAP.
- Understanding of database concepts including: Tables, queries, Structured Query Language (SQL),
  and database schemas.
- Understanding of resilience and disaster recovery including: backup and restore operations.

Course Objectives

After completing this course, students will be able to:

- Describe Azure architecture components including infrastructure, tools, and portals.
- Implement and manage virtual networking within Azure, and connect it to on-premises
  environments.
- Plan and create Azure virtual machines.
- Configure, manage, and monitor Azure virtual machines to optimize availability and reliability.
- Implement, manage, back up, and monitor storage solutions.
- Plan and implement data services based on SQL Database to support applications.
- Deploy and configure websites.
- Deploy, configure, monitor, and diagnose cloud services.
- Publish content through CDNs and publish videos by using Media Services.
- Create and manage Azure AD directories, and configure application integration with Azure AD.
- Integrate on-premises Windows AD with Azure AD.
- Automate operations in Azure management by using PowerShell runbooks.

Course Outline

The course outline is as follows:

- Module 1, Introduction to Azure
- Module 2, Implement and Manage Virtual Networks
- Module 3, Implementing Virtual Machines
- Module 4, Managing Virtual Machines
- Module 5, Implementing Websites
- Module 6, Planning and Implementing Storage
- Module 7, Planning and Implementing Data Services
- Module 8, Implementing PaaS Cloud Services and Mobile Services
- Module 9, Implementing Content Delivery Networks and Media Services
- Module 10, Implementing Azure AD
- Module 11, Managing Active Directory identities in a Hybrid Environment
- Module 12, Implement Automation
- Module 13, Microsoft Azure Solutions

Course Materials

The following materials are included with your kit:

- Course Handbook: A succinct classroom learning guide that provides all the critical technical
  information in a crisp, tightly-focused format, which is just right for an effective in-class learning
  experience.
  o Lessons: Guide you through the learning objectives and provide the key points that are critical to
    the success of the in-class learning experience.
  o Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
    in the module.
  o Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
    knowledge and skills retention.
  o Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
    needed.
- Course Companion Content on the http://www.microsoft.com/learning/en/us/companionmoc.aspx
  site: searchable, easy-to-browse digital content with integrated premium online resources that
  supplement the Course Handbook.
  o Modules: Include companion content, such as questions and answers, detailed demo steps and
    additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
    and Module Reviews and Takeaways sections, which contain the review questions and answers, best
    practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
    with answers.
  o Resources: Include well-categorized additional resources that give you immediate access to the most
    up-to-date premium content on TechNet, MSDN, and Microsoft Press.
- Student Course files on the http://www.microsoft.com/learning/en/us/companion-moc.aspx site:
  Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
  demonstrations.
- Course evaluation: At the end of the course, you will have the opportunity to complete an online
  evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com.
To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V to perform the labs.

Note: At the end of each lab, you must close the virtual machine and must not save any changes. To close
a virtual machine without saving the changes, perform the following steps:

1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off
   and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine    Role
20533B-MIA-CL1     Client workstation
MSL-TMG1           Internet gateway

Software Configuration

The following software is installed:

- Microsoft Windows Server 2012 R2
- Microsoft SQL Server 2014
- Microsoft Visual Studio 2013
- Microsoft Azure PowerShell

The files associated with the labs in this course are located in the D:\Labfiles folder on the 20533B-MIA-CL1
virtual machine.

Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way.

Microsoft Azure Pass

This course contains labs which require you to access Microsoft Azure. Details of how to acquire, set up
and configure your Microsoft Azure pass will be provided by your MCT.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Course Hardware Level 6

- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120-GB hard disks, 7,200 RPM SATA or better
- 8 GB of RAM or higher
- DVD drive
- Network adapter that has Internet connectivity
- Super VGA (SVGA) 17-inch monitor
- Mouse or compatible pointing device
- Sound card with amplified speakers

In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16 bit colors.

Module 1
Introduction to Microsoft Azure

Contents:
  Module Overview  1-1
  Lesson 1: Cloud Technology Overview  1-2
  Lesson 2: Microsoft Azure  1-7
  Lesson 3: The Azure Portals  1-13
  Lesson 4: Managing Azure with Windows PowerShell  1-18
  Lab: Introduction to Azure  1-25
  Module Review and Takeaways  1-28

Module Overview

Organizations are increasingly moving IT workloads to the cloud, so IT professionals need to understand
the principles on which cloud solutions are based and learn how to deploy and manage cloud
applications, services, and infrastructure. In particular, IT professionals who are planning to use
Microsoft Azure must learn about the services that Azure provides and how to manage them.

This module introduces cloud solutions in general, and then focuses on the services that Azure offers. The
module goes on to describe the portals that you can use to manage Azure subscriptions and services,
before introducing Windows PowerShell as a scripting solution for managing Azure.

Objectives

After completing this module, you will be able to:

- Identify suitable applications for the cloud.
- Identify services and capabilities provided by Microsoft Azure.
- Use Azure portals to manage Azure services and subscriptions.
- Use Windows PowerShell to manage Azure services and subscriptions.

Lesson 1
Cloud Technology Overview

Cloud computing plays an increasingly important role in IT infrastructure, and IT professionals need to be
aware of fundamental cloud principles and techniques. This lesson introduces the cloud, and describes
considerations for implementing cloud-based infrastructure services.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe key principles of cloud computing.
- Identify common types of cloud service.
- Identify suitable applications for cloud services.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.

Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure trial subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.

Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.

Demonstration Steps

Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
   the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
   several hours.
3. When your trial subscription has been provisioned, in Microsoft Internet Explorer, browse to
   http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
   with your Azure subscription. Close any initial "welcome" messages.
4. At the upper right of the screen, click your Microsoft account name and click Switch to new portal.
   In the new tab that is opened, close any initial "welcome" messages for the new portal.
5. Close Internet Explorer, closing all tabs.

Prepare the Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:

   Setup-Azure

3. When prompted, sign in using the Microsoft account associated with your Azure subscription and
   follow the on-screen instructions.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.

The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
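The warning above deserves a concrete safeguard: a script that can delete everything in a subscription must never be run while the PowerShell session is bound to the wrong one. The pre-flight check below is an added example written for this edition; it is not one of the course's own lab scripts and does not replace Setup-Azure. It uses only the classic (service management) Azure PowerShell cmdlets that the lab environment installs, namely Get-AzureAccount, Add-AzureAccount, Get-AzureSubscription, Select-AzureSubscription, Get-AzureService, Get-AzureVM, Get-AzureStorageAccount and Get-AzureVNetSite. The subscription name 'Azure Pass - 20533B' is an assumed placeholder; substitute the name of your own learning pass as it appears in the portal.

```powershell
# Added pre-flight check (example code, not part of the course lab scripts).
# Run it in the elevated Azure PowerShell console before Setup-Azure or Reset-Azure.
# Assumptions: the classic (service management) Azure PowerShell module is loaded,
# and $ExpectedName is the name of the throw-away subscription provisioned for this
# course. The default value is a placeholder; replace it with your pass's name.
param(
    [string]$ExpectedName = 'Azure Pass - 20533B'
)

# 1. Make sure the session has credentials. Add-AzureAccount prompts interactively.
if (-not (Get-AzureAccount)) {
    Add-AzureAccount | Out-Null
}

# 2. Refuse to proceed if the expected subscription is not visible to this account,
#    then bind the session to it and confirm that the binding took effect.
$match = Get-AzureSubscription | Where-Object { $_.SubscriptionName -eq $ExpectedName }
if (-not $match) {
    throw "No subscription named '$ExpectedName' is visible to this account. Aborting."
}
Select-AzureSubscription -SubscriptionName $ExpectedName -ErrorAction Stop
$current = Get-AzureSubscription -Current
if ($current.SubscriptionName -ne $ExpectedName) {
    throw "Session is bound to '$($current.SubscriptionName)', not '$ExpectedName'. Aborting."
}
Write-Host ("Current subscription: {0} ({1})" -f $current.SubscriptionName, $current.SubscriptionId)

# 3. Enumerate what a clean-up script could delete, so the blast radius is visible
#    before anything runs. A fresh course subscription should report zero of each.
$services = @(Get-AzureService -ErrorAction SilentlyContinue)
$vms      = @(Get-AzureVM -ErrorAction SilentlyContinue)
$storage  = @(Get-AzureStorageAccount -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
$vnets    = @(Get-AzureVNetSite -ErrorAction SilentlyContinue)
Write-Host ("{0} cloud services, {1} virtual machines, {2} storage accounts, {3} virtual networks" -f `
    $services.Count, $vms.Count, $storage.Count, $vnets.Count)

# 4. A non-empty subscription is the signal that you may be in the wrong one. Show what
#    is there and require the operator to type the subscription name to continue.
if (($services.Count + $vms.Count + $storage.Count + $vnets.Count) -gt 0) {
    $services | Select-Object ServiceName, Location        | Format-Table -AutoSize | Out-Host
    $storage  | Select-Object StorageAccountName, Location | Format-Table -AutoSize | Out-Host
    $vnets    | Select-Object Name, Location               | Format-Table -AutoSize | Out-Host
    $answer = Read-Host "Subscription is not empty. Type its name to confirm you still want to continue"
    if ($answer -ne $ExpectedName) { throw 'Aborted by operator.' }
}
Write-Host "Pre-flight check passed; safe to run Setup-Azure against '$ExpectedName'."
```

Save the script as a .ps1 file (for example Preflight-Azure.ps1) and run it from the same elevated Azure PowerShell console you use for Setup-Azure, passing -ExpectedName if your pass has a different name. The page notes that Setup-Azure clears account details from the session when it starts; on a shared classroom VM it is also worth running Remove-AzureAccount -Name <account> (the account name is shown by Get-AzureAccount) at the end of the day so that cached tokens for your subscription do not remain on the machine.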

Introduction to Cloud Computing

Cloud computing, or the cloud, has become a leading trend in IT. However, its definition is
ambiguous and some of the terminology related to it is confusing. Trying to define the cloud in
purely technological terms is difficult; it is best to think of it as an abstract concept that
encapsulates techniques used to provide computing services from a pool of shared resources.

Most cloud solutions are built on virtualization technology, which abstracts physical hardware as a
layer of virtualized resources for processing, memory, storage, and networking. Many cloud solutions add
further layers of abstraction to define specific services that can be provisioned and used.

Regardless of the specific technologies that organizations use to implement cloud computing solutions,
the National Institute of Standards and Technology (NIST) has identified that they exhibit the following five
characteristics:

- On-demand self-service. Cloud services are generally provisioned as they are required, and need
  minimal infrastructure configuration by the consumer. This enables users of cloud services to quickly
  set up the resources they want, typically without having to involve IT specialists.
- Broad network access. Cloud services are generally accessed over a network connection, usually
  either a corporate network or the Internet.
- Resource pooling. Cloud services use a pool of hardware resources that are shared across
  consumers. A hardware pool consists of hardware from multiple servers that are arranged as a single
  logical entity.
- Rapid elasticity. Cloud services scale dynamically to obtain additional resources from the pool as
  workloads intensify, and release resources automatically when they are no longer needed.
- Measured service. Cloud services generally include some sort of metering capability, making it
  possible to track relative resource usage by the users of the services, who are generally referred to as
  subscribers.

These five characteristics are defined in NIST Special Publication 800-145, The NIST Definition of Cloud
Computing, which is available at http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Types of Cloud Service

Cloud services generally fall into one of the following three categories:

- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Software as a Service

SaaS offerings consist of fully-formed software applications that are delivered as cloud-based
services. Users can subscribe to the service and use the application, normally through a web browser
or by installing a client-side app. Examples of Microsoft SaaS services include Microsoft Office 365,
Skype, and Microsoft Dynamics CRM Online. The primary advantage of SaaS services is that they enable
users to easily access applications without the need to install and maintain them. Typically, users do not
have to worry about issues such as updating applications and maintaining compliance because the service
provider handles them.

Platform as a Service

PaaS offerings consist of cloud-based services that provide resources on which developers can build their
own solutions. Typically, PaaS encapsulates fundamental operating system (OS) capabilities, including
storage and compute, in addition to functional services for custom applications. Usually, PaaS offerings
provide application programming interfaces (APIs), in addition to configuration and management user
interfaces. Azure provides PaaS services that simplify the creation of solutions such as web and mobile
applications. PaaS enables developers and organizations to create highly scalable custom applications
without having to provision and maintain hardware and operating system resources. Examples of PaaS
include Azure Websites and Azure Cloud Services, which can run a web application that your developer
team creates.

Infrastructure as a Service

IaaS offerings provide virtualized server and network infrastructure components that can be easily
provisioned and decommissioned as required. Typically, IaaS facilities are managed in a similar way to
on-premises infrastructure, and provide an easy migration path for moving existing applications to the cloud.

A key point to note is that an infrastructure service might be a single IT resource, such as a virtual server
that has a default installation of Windows Server 2012 R2 and Microsoft SQL Server 2014, or it might
be a completely preconfigured infrastructure environment for a specific application or business process.
For example, a retail organization might empower departments to provision their own database servers to
use as data stores for custom applications. Alternatively, the organization might define a set of virtual
machine and network templates that can be provisioned as a single unit to implement a complete,
preconfigured infrastructure solution for a branch or store, including all the required applications and
settings.

Running Applications in the Cloud

Although you can potentially move any kind of application to the cloud, some types of application
are more suited to cloud-based delivery than others. For example, applications that have the
following characteristics generally work well as cloud-based applications:

- Applications or services that have extremely high or variable scalability requirements.
- Applications or services that must be consumed on a variety of client types, often including mobile
  devices.
- Applications or services where users need to persist data or settings and have them synchronize
  between multiple client devices.

Conversely, applications or services that have the following characteristics may not benefit from being
based in the cloud:

- Applications that are predominantly used offline on a single device.
- Applications that work with data that must remain in privately managed storage for compliance
  reasons.

In addition, there are some design and development considerations for implementing applications that
perform well and take advantage of the cloud. Some of these considerations include:

- Availability. Cloud applications should be designed with redundancy in mind at every tier to satisfy
  the availability requirements of an enterprise or globally accessible service.
- Dynamic scaling. Cloud applications can scale on demand, and applications should be designed to
  respond to increased or reduced resources dynamically.
- Security. Most cloud applications are hosted in third-party data centers, on infrastructure that is
  shared with other tenants, and are accessed across the Internet. Authentication, authorization, and
  encryption of data in transit and at rest should therefore be part of the application design from the
  start rather than added afterwards.
- Occasional connectivity. Cloud-based applications must be resilient enough to handle scenarios
  where Internet connectivity is not available, and should enable at least limited offline functionality.

To help developers design and implement successful cloud applications, the Microsoft Patterns and
Practices team has documented a series of design patterns for cloud development. You can find these
patterns at the following location:

Cloud Design Patterns: Prescriptive Architecture Guidance for Cloud Applications
http://go.microsoft.com/fwlink/?LinkID=511691

Lesson 2
Microsoft Azure

Microsoft Azure is a cloud offering from Microsoft that enables individuals and organizations to create,
deploy, and operate cloud-based applications and infrastructure services. This lesson provides an overview
of Microsoft Azure, and describes the data center infrastructure that supports it before discussing the
services that are available in Microsoft Azure.

Lesson Objectives

After completing this lesson, you will be able to:

- Identify key capabilities and features of Azure.
- Describe key characteristics of Azure data centers.
- Select the best Azure region for a new service.
- Select appropriate Azure services for specific workload requirements.
- Group and co-locate Azure services.

Overview of Microsoft Azure

Microsoft Azure is a collection of services that you can use to build and operate cloud-based
applications and IT infrastructure. Azure services are hosted in a global network of data centers that
Microsoft technicians manage 24 hours a day, 7 days a week, and offer a 99.95 percent availability
service-level agreement (SLA) for compute services.

Azure services enable you to:

- Create and operate cloud-based applications by using a wide range of commonly used tools and
  frameworks.
- Host workloads in the cloud on Azure PaaS services and IaaS infrastructure that consists of virtual
  machines and virtual networks.
- Integrate cloud-based services with on-premises infrastructure.

To use Azure services, you require a subscription. You can sign up for a subscription as an individual or as
an organization, and then pay only for the services you use.

Note: Microsoft Azure was formerly known as Windows Azure.


Some of the services within Azure can be categorized as IaaS services. For example, you can use the Azure
Virtual Machines compute services to build a network of virtual servers to host an application, database,
or custom solution. Other services can be categorized as PaaS because you can use them without
maintaining the underlying operating systems. For example, when you run a website in Azure Websites, it
is not necessary to ensure that you are using the latest version of Internet Information Services (IIS). Other
services can be used in both IaaS and PaaS contexts, for example you can use Azure Automation to script
operations on virtual machines or websites.
Note: On the slide, the classification of services is the one used in Azure documentation.

Azure Data Centers

Azure services are hosted in Microsoft-managed data centers throughout the world. The data
centers are located in multiple geographic areas, with a pair of regional data centers in each
geographic region.

The data centers are based on a range of architectures that spans several generations and is
continually evolving. The latest generation of data center is based on a fully modular design that
includes the following features:

- Clusters of servers are packaged into preassembled units based on shipping containers, enabling
  clusters that contain thousands of servers to be provisioned and swapped out rapidly.
- Data centers include uninterruptable power supplies (UPSs) and alternate power supplies (APSs) for all
  components, in addition to backup power that can keep the data center running in the event of a
  localized disaster.
- Clusters within data centers are connected by redundant high-speed networks that support internal
  data transfer speeds of over 30,000 gigabits per second (Gbps).
- Data centers are connected to one another and the Internet using high-speed optical networks.
- Data within a single data center can be replicated to three redundant storage devices, and can also
  be replicated between pairs of data centers in the same geographic region.
- Physical and network security for Azure data centers meets a range of industry and government
  standards.
- The data centers are designed to minimize power and water usage for maximum efficiency, including
  servers and other hardware, cooling, and support operations.

The servers in each data center are provisioned in clusters, and each cluster includes multiple racks of
servers that run Windows Server 2012. A distributed service application named the Azure Fabric Controller
manages provisioning, dynamic scaling, and hardware fault-management for the virtual servers that host
cloud services on the physical servers in the cluster.

Azure Data Center Locations

Microsoft continues to increase the number of data centers it has worldwide to provide the
highest levels of responsiveness and availability to its global user base.

At the time of writing the following locations have Azure data centers:

Azure Region          Physical Location
Central US            Iowa, USA
East US               Virginia, USA
North Central US      Illinois, USA
South Central US      Texas, USA
West US               California, USA
North Europe          Ireland
West Europe           Netherlands
East Asia             Hong Kong
Southeast Asia        Singapore
Japan East            Saitama Prefecture, Japan
Japan West            Osaka Prefecture, Japan
Brazil South          Sao Paulo State, Brazil
Australia East        New South Wales, Australia
Australia Southeast   Victoria, Australia

Whenever you create a new Azure service, you must select an Azure region to determine the data center
where the service will run. When you select an Azure region, you should consider where users of that
service are located and place the service as close to them as possible. Some services, such as Traffic
Manager and the Azure Content Delivery Network (CDN), enable you to serve content from more than
one Azure region. In this way, you can serve content to a truly global audience while ensuring that a local
response gives them the highest performance possible.

Not all Azure services are available from every Azure region. For the latest information on Azure regions
and a list of services by region, see:

Azure Regions
http://go.microsoft.com/fwlink/?LinkID=522615

Azure Services
Azure provides a wide range of services that you
can use as building blocks to create custom cloud
solutions. These services include:

Compute and networking services


o

Azure Virtual Machines. Create


Windows and Linux virtual machines
from pre-defined templates, or deploy
your own custom server images in the
cloud.

Azure RemoteApp. Provision Windows


applications on Azure and run them from
any device.

Azure Cloud Services. Define multi-tier PaaS cloud services that you can deploy and manage on
Windows Azure.

Azure Virtual Networks. Provision networks to connect your virtual machines, PaaS cloud
services, and on-premises infrastructure.

Azure ExpressRoute. Create a dedicated high-speed connection from your on-premises data
center to Azure.

Traffic Manager. Implement load-balancing for high scalability and availability.

Web and mobile services


o

Azure Websites. Create scalable websites and services without the need to manage the
underlying web server configuration.

Mobile Services. Implement a hosted back-end service for mobile applications that run on
multiple mobile platforms.

API Management. Publish your service APIs securely.

Notification Hubs. Build highly-scalable push-notification solutions.

Event Hubs. Build solutions that consume and process high volumes of events.

Data and analytics services

MCT USE ONLY. STUDENT USE PROHIBITED

Implementing Microsoft Azure Infrastructure Solutions

1-11

SQL Database. Implement relational databases for your applications without the need to
provision and manage a database server.

HDInsight. Use Apache Hadoop to perform big data processing and analysis.

Azure Redis Cache. Implement high-performance caching solutions for your applications.

Azure Machine Learning. Apply statistical models to your data and perform predictive analytics.

DocumentDB. Implement a NoSQL data store for your applications.

Azure Search. Provide a fully managed search service.

Storage and backup services


o

Azure Storage. Store data in files, binary large objects (BLOBs), tables, and queues.

Azure Import/Export Service. Transfer large volumes of data using physical media.

Azure Backup. Use Azure as a backup destination for your on-premises servers.

Azure Site Recovery. Manage complete site failover for on-premises and Azure private cloud
infrastructures.

Media and content delivery services


o

Azure Media Services. Deliver multimedia content such as video and audio.

Azure CDN. Distribute content to users throughout the world.

Hybrid integration services



Azure BizTalk Services. Build integrated business orchestration solutions that integrate
enterprise applications with cloud services.

Azure Service Bus. Connect applications across on-premises and cloud environments.

Identity and access management services



Azure Active Directory. Integrate your corporate directory with cloud services for a single sign
on (SSO) solution.

Azure Multi-Factor Authentication. Implement additional security measures in your applications to
verify user identity.

Note: Azure is continually being improved and enhanced, and new services are added on a
regular basis. For a full list of services currently available in Azure, see: http://azure.microsoft.com.

Grouping and Co-Locating Services


When provisioning Azure services, you can group related resources to improve manageability and to
ensure that related services are co-located in the same data center. Co-locating related services
improves performance and reduces costs by ensuring that all data transfer between the services takes
place in the same data center.

Grouping Services by Using Resource Groups

You can use resource groups to combine related services into a logical unit for management,
monitoring, and billing. This enables you to provision, view, manage, and delete related resources as a
single unit. For example, a cloud application might consist of a database in SQL Database and a website.
By combining these into a named resource group, administrators can easily identify and manage the
specific individual service instances that are required to support the application, and manage them as a
unit.

Co-Locating Services by Using Regions


Although resource groups provide a logical grouping of services, they do not reflect the geographical
location of the data centers in which those services are deployed. To provision related services in the same
data center, you can specify the region in which you want each service to be hosted. The list of available
regions maps to the regional data centers, enabling you to provision services in a specific data center.
When planning Azure services, you should deploy interdependent services in the same region. In some
cases this is enforced by Azure itself; for example, an HDInsight cluster must be configured to use a
storage account in the same region.

Co-Locating Services by Using Affinity Groups

In most cases, co-locating services by specifying a region provides sufficient optimization of inter-service
communication to maximize application performance and minimize cost. However, in some cases where
extremely fast communication between services is vital, you can further optimize co-location by creating
an affinity group and specifying this affinity group for the services when you provision them. Affinity
groups are specified instead of regions, and ensure that compute and storage services will be hosted on
servers that are located close to one another within the same data center. Given that data centers contain
many thousands of servers, reducing the physical distance between services within the data center can
make a material difference to the network latency between them.

Lesson 3

The Azure Portals


Microsoft Azure provides web-based portals in which you can provision and manage Azure subscriptions
and services. These portals usually provide the initial environment in which you will work with Azure, and
knowing how to navigate and use them is a fundamental skill that IT professionals require to manage
Azure services.

Lesson Objectives
After completing this lesson, you will be able to:

Use the Azure full portal.

Use the new Azure preview portal.

Manage Azure subscriptions and preview features.

The Full Azure Management Portal


The full Azure management portal is the primary
user interface for provisioning and managing
Azure services. It is implemented as a web
application at
https://manage.windowsazure.com and
requires that you sign in using a Microsoft account
or an organizational account that is associated
with one or more Azure subscriptions.
The full Azure management portal consists of a
page for each Azure service, and also includes an
All Items page where you can view all provisioned
services in your subscriptions, and a Settings page
where you can configure subscription-wide settings.

Provisioning Services

You can provision a new instance of a service by clicking the New button on any page. Most services
provide a dialog box in which you can enter the user-definable settings for the service before creating it.
Service provisioning is performed asynchronously, and an indicator is displayed at the bottom of the page
to show current activity. You can expand this indicator to show a list of completed and in-process tasks.

Managing Services

Your provisioned services are listed on the All Items page and on each service-specific page. The list
shows the name, status, and service-specific settings for each service. You can click a service name in the
list to view the dashboard for that service instance, where multiple tabbed sub-pages enable you to view
and configure service-specific settings. In most cases, you make changes to a service by using the dynamic
toolbar of context-specific icons that is displayed at the bottom of the sub-page.

Adding Co-Administrators


When you provision an Azure subscription, you are automatically designated as the administrator for that
subscription, and can manage all services and settings for the subscription. You can add co-administrators
in the Settings tab of the management portal by specifying the email address of each user to whom you
want to grant administrative privileges.

The New Azure Preview Portal


Although the full Azure management portal
currently provides the primary user interface for
managing Azure services, a new version of the
portal is available in preview form at
https://portal.azure.com. The preview portal
represents a significant change in the way that
administrative tasks are performed in Azure.
Note: Most tasks can be accomplished in
both the current (full) portal and the new
(preview) portal. However, some tasks have not yet
been implemented in the new portal and must be
performed in the full portal, and some new preview features are only available in the preview
portal.

Portal Elements and Concepts


The new portal contains the following UI elements:

Startboard. The home page for your Azure environment, conceptually similar to the Start screen in
Windows. You can pin commonly used items to the Startboard to make it easier to navigate to them.
By default, the Startboard includes tiles that show global Azure service health, a shortcut to the Azure
gallery of available services, and a summary of billing information for your subscriptions.

Blades. Panes in which details of a selected item can be viewed and configured. Each blade is
displayed as a pane in the user interface, often containing a list of services or other items that you can
click to open another blade. New blades open to the right. In this way, you can navigate through
several blades to view details of a specific item in your Azure environment. Some blades can be
maximized and minimized to optimize screen space and simplify navigation.

Hub Menu. A bar on the left side of the page, which contains the following icons:

Home. Returns the page to the left so that the Hub Menu and Startboard are visible.

Notifications. Opens a blade on which you can view notifications about the status of tasks.

Browse. Starts a journey to view details of a service in your Azure environment.

Billing. Provides details of charges and remaining credit for your subscriptions. Billing is also
available on a resource group basis.

New. Enables you to create a new service in your Azure environment.

You can switch to the preview portal from the full portal by clicking your account name and then clicking
Switch to new portal. Conversely, to switch to the full portal from the preview portal, click the Azure
Portal tile in the Startboard.

Managing Azure Subscriptions


To manage your Azure subscriptions, you can browse to http://account.windowsazure.com/subscriptions.
From here, you can view and edit your subscription, including usage statistics and billing details. You can
also edit your profile. You can open the subscription management page from the full portal by clicking
your account name and then clicking View my bill.
From the subscriptions page, you can also enable preview features in your subscriptions. Preview
features are Azure services that have not been fully released, but which have been made available for
testing and evaluation.

Demonstration: Using Azure Portals


In this demonstration, you will see how to:

Use the full Azure management portal.

Use the new Azure preview portal.

Manage Azure subscriptions.

Demonstration Steps
Use the full Azure Management Portal


1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and
that the setup script you ran in the previous demonstration to prepare the environment has
completed.

2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.

3. On the left side of the page, note the pane containing icons for each service. Then at the bottom of
this pane, click SETTINGS (you may need to use the scroll bar for the pane).

4. On the settings page, on the SUBSCRIPTIONS tab, note the details of your subscription; click the
ADMINISTRATORS tab and verify that your Microsoft account is listed as the service administrator;
and then click the AFFINITY GROUPS tab and note that this is where you can add affinity groups to
your subscription.

5. In the services pane on the left, click STORAGE, and at the bottom of the page, click NEW. Then in
the panel that appears, click QUICK CREATE, enter the following details, and click CREATE STORAGE
ACCOUNT:

URL: Enter a unique valid value

LOCATION / AFFINITY GROUP: Select the location that is closest to your geographic location

REPLICATION: Locally Redundant

6. At the bottom of the page, note the Active Progress indicator, which is animated to show that an
action is in progress.

7. On the storage page, wait for your storage account status to become Online. Then click the name of
your storage account.

8. On the page for your storage account, note the getting started information, and then view each of
the tabs for the storage account, noting that the context-aware tool bar at the bottom of the page
changes to reflect the current tab.

9. Click the Back icon on the left to return to the storage page. Then click ALL ITEMS and note that the
storage account is listed on this page.

Use the New Azure Preview Portal


1. At the top-right of the full Azure management portal, click your Microsoft account name and then
click Switch to new portal. This opens a new tab in Internet Explorer.

2. If you are asked to authenticate, sign in using the Microsoft account that is associated with your
subscription.

3. When the preview portal is loaded, view the tiles in the Startboard, noting the service health of the
Azure datacenters and the billing status for your subscription.

4. Click the Service health tile, and in the resulting Service health blade, note the status for the
individual Azure services and then click Storage.

5. On the Storage blade, note the status for each region, and then click the region in which you
previously created a storage account.

6. Review the status of the storage service in your selected region, and then on the Hub Menu, click
HOME. Note that the page scrolls to view the Startboard, but the blades you have opened remain
open.

7. In the Hub Menu, click BROWSE, and then click Storage. Note that the currently open blades are
replaced with a new blade that shows your storage accounts.

8. On the Storage blade, click your storage account, and on the blade that is opened, view the details of
your storage account, noting that it has been automatically assigned to a resource group named
Default-Storage-SelectedRegion.

9. At the top of the blade for your storage account, click the Pin blade to Startboard icon and note
that a tile for this blade is added to the Startboard.


10. On the Hub Menu, click NEW, and in the New pane, click Website. Then in the Website blade, enter
the following settings and click Create:

URL: Enter a unique, valid URL

WEB HOSTING PLAN: Use the default plan

RESOURCE GROUP: Click the default resource group name and then click Create a new resource
group. Then on the Create resource group blade, type the name Demo-Web-App and then click
OK

SUBSCRIPTION: Your subscription

LOCATION: Click the default location, and then select the location nearest to you

Add to Startboard: Selected

11. Wait for the website to be created, and then in the blade for the website (which is opened
automatically after the website is created), note the information about the new website.

12. In Internet Explorer, switch to the tab containing the full Azure portal and refresh the page. Note that
the website you created in the preview portal is listed on the All Items page.
Manage Azure Subscriptions

1. At the top-right of the full Azure management portal, click your Microsoft account name and then
click View my bill. This opens a new tab in Internet Explorer. If prompted, sign in using the Microsoft
account credentials associated with your Azure subscription.

2. On the subscriptions page, click your subscription. Then review the summary of usage and billing
that is displayed.

3. Click the preview features tab, and note the available preview features. You can add preview
features to your subscription and start using them as soon as they have been provisioned.

4. Close Internet Explorer, closing all tabs if prompted.

Lesson 4

Managing Azure with Windows PowerShell


The Azure portals provide a graphical user interface for managing Azure subscriptions and services, and in
many cases they are the primary management tools for service provisioning and operations. However, it is
common to want to automate DevOps tasks by creating re-usable scripts, or to combine management of
Azure resources with management of other network and infrastructure services. Windows PowerShell
provides a scripting platform for managing Windows, and can be extended to a wide range of other
infrastructure elements, including Azure, by importing modules of encapsulated code called cmdlets. This
lesson explores how you can use Windows PowerShell to connect to an Azure subscription, and provision
and manage Azure services.

Lesson Objectives
After completing this lesson, you will be able to:

Import PowerShell modules for Azure.

Manage Azure accounts and subscriptions in PowerShell.

Use PowerShell cmdlets to manage Azure.

Run complex PowerShell commands, such as loops.

PowerShell Modules for Azure


Before you can use Windows PowerShell to
manage Azure services, you must ensure that
Windows PowerShell is installed, and then add the
required PowerShell modules. There are two
PowerShell libraries that you can install to manage
Azure.

Azure PowerShell
Azure PowerShell is the primary PowerShell library
for managing Azure services, and can be installed
using the Microsoft Web Platform Installer.
To obtain the latest version of Azure
PowerShell, see:
Azure Downloads
http://go.microsoft.com/fwlink/?LinkID=522617
Azure PowerShell includes the following modules:

Azure. A core set of cmdlets for managing Azure services.

AzureResourceManager. A set of cmdlets for managing resource groups.

AzureProfile. A set of cmdlets for managing authentication and execution context.

In many cases, Azure PowerShell is the only PowerShell library you will require. The Azure PowerShell
module has a dependency on the Microsoft .NET Framework 4.5, and the Web Platform Installer checks
for this during installation.

Azure AD PowerShell


If you plan to implement Active Directory (AD) in Azure, you can install the Azure AD PowerShell library
to manage users, groups, and other aspects of the directory from PowerShell. Before you can install the
Azure AD PowerShell module, you must install the Microsoft Online Services Single Sign-In Assistant. To
obtain both of these components, see:
Manage Azure AD using Windows PowerShell
http://go.microsoft.com/fwlink/?LinkID=522616

Managing Azure Accounts and Subscriptions in PowerShell


After you have installed the Azure PowerShell
module, you need to connect it to the Azure
subscriptions that you want to manage with it.
There are two approaches that you can take to
accomplish this: Azure AD authentication and
certificate-based authentication.

Azure AD Authentication
You can use Azure AD authentication to sign into
an Azure account by using one of the following
kinds of credential:

A Microsoft account that is associated with an Azure subscription.

An organizational account that is defined in Azure AD.

To connect an Azure account to the local Windows PowerShell environment, you can use the
Add-AzureAccount cmdlet. This opens a browser window in which the user can interactively sign in to
Azure by entering a valid user name and password.
Azure AD authentication is token based, and after signing in, the user remains authenticated until the
authentication token expires. The expiry time for an Azure AD token is 12 hours, although it can be
refreshed in the Windows PowerShell session.
Note: Creating organizational accounts in Azure AD is discussed in Module 10: Implement
Azure Active Directory.

After you have authenticated, you can use the Get-AzureAccount cmdlet to view a list of Azure accounts
that you have associated with the local Windows PowerShell environment, and you can use the
Get-AzureSubscription cmdlet to view a list of subscriptions that are associated with those accounts. If
you have multiple subscriptions, you can set the current subscription by using the Set-AzureSubscription
cmdlet with the name of the subscription that you want to use.
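The following script is an added example, not part of the course material or of the Azure PowerShell library, that puts the cmdlets described above into a reusable function: it prompts for an interactive sign-in only when no account is cached in the session, checks that the requested subscription actually exists before selecting it, and uses the Select-AzureSubscription cmdlet (also in the Azure module) to make it both the current and the default subscription. The function name and the subscription name in the usage line are placeholders.

```powershell
# Added example (not from the course): connect Azure PowerShell to a subscription
# with Azure AD authentication and select the subscription to work in by name.
# Assumes the Azure module (Service Management mode) is loaded. The function
# name and the subscription name used below are placeholders.
function Connect-DemoSubscription {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SubscriptionName
    )

    # Only prompt for an interactive sign-in if no account is cached in this
    # session; otherwise the existing (unexpired) token is reused. Re-running
    # Add-AzureAccount is also how you refresh a token that has expired.
    if (-not (Get-AzureAccount)) {
        Add-AzureAccount | Out-Null
    }

    # Every subscription the signed-in account(s) can see.
    $subs = @(Get-AzureSubscription)
    if ($subs.Count -eq 0) {
        throw "No Azure subscriptions are associated with the signed-in account(s)."
    }

    # Fail clearly if the name is wrong instead of silently working in another subscription.
    $target = $subs | Where-Object { $_.SubscriptionName -eq $SubscriptionName }
    if (-not $target) {
        $names = ($subs | ForEach-Object { $_.SubscriptionName }) -join ', '
        throw "Subscription '$SubscriptionName' not found. Available: $names"
    }

    # Make it the current subscription for this session and the default for new
    # sessions, so later cmdlets act on the intended subscription.
    Select-AzureSubscription -SubscriptionName $SubscriptionName -Current
    Select-AzureSubscription -SubscriptionName $SubscriptionName -Default

    # Return what was selected so a calling script can log it.
    Get-AzureSubscription -Current
}

# Usage (placeholder subscription name):
# Connect-DemoSubscription -SubscriptionName "Contoso Dev"
```

Selecting by exact name and throwing on a miss is the point of the wrapper: a script that provisions or deletes resources should never run against whichever subscription happens to be current.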

Certificate-Based Authentication


Most tools for managing Azure support Azure AD authentication, and it is the recommended
authentication model. However, in some cases it may be more appropriate to authenticate by using a
management certificate. Examples of where certificate-based authentication is appropriate include older
tools that do not support Azure AD authentication, or Windows PowerShell scripts that will run for long
periods of time in which an authentication token might expire.

An Azure management certificate is an X.509 (v3) certificate that associates a client application or service
with an Azure subscription. You can use an Azure-generated management certificate, or you can generate
your own using your organization's public key infrastructure (PKI) solution or a tool such as Makecert.

Using an Azure-Generated Certificate

To use an Azure-generated certificate in Windows PowerShell, run the Get-AzurePublishSettingsFile
cmdlet, which opens a web browser in which you can sign in to your Azure account and download a
certificate file. After the file has been downloaded, use the Import-AzurePublishSettingsFile cmdlet to
register the certificate on the local computer.
Important: The downloaded certificate file, which by default has the file extension
.publishsettings, contains sensitive information. You should download this to a secure location,
and delete it after you have imported the certificate.

After you have imported the certificate, you can execute the Get-AzureSubscription cmdlet to verify that
the subscription from which you downloaded the certificate file is available in Windows PowerShell, and
you can use the Set-AzureSubscription cmdlet to make it the default subscription.

Using Your Own Certificate

When you are using your own certificate, you should store the certificate in the personal certificate store
for the user account under which requests to Azure will be made, and then export the certificate to a .cer
file that does not include the private key. You can then upload the certificate to your Azure subscription in
the full Azure management portal.
To authenticate by using the certificate in Windows PowerShell, you can use the Set-AzureSubscription
cmdlet, specifying the subscription name, subscription ID, and the certificate. You can obtain the
subscription ID from the Azure full management portal, and you can reference the certificate in
PowerShell by using the Get-Item cmdlet.
The following code example shows how to set the current subscription by using a specific certificate:
Using a Specific Certificate
# Subscription name and ID as shown in the Azure portal
$subName = "<the subscription name>"
$subId = "<copy the subscription ID from the Azure portal>"
# Thumbprint of a certificate in the current user's personal store
$thumbprint = "<the thumbprint of the certificate you want to use>"
$cert = Get-Item cert:\currentuser\my\$thumbprint
# Register the certificate for this subscription in the local PowerShell environment
Set-AzureSubscription -SubscriptionName $subName -SubscriptionId $subId -Certificate $cert

To obtain the certificate thumbprint, you can view the certificate in Certificate Manager or you can use
the Windows PowerShell command Get-Item cert:\currentuser\my\* to obtain a list of all personal
certificates and their thumbprints.
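The following functions are an added example, not code from the course, covering both certificate paths described above. Import-ManagementCertificateFile imports a downloaded .publishsettings file and deletes it immediately afterwards, as the Important note recommends; Set-SubscriptionWithOwnCertificate selects your own certificate by thumbprint, verifies that the private key is present and the certificate has not expired, exports the public .cer for upload in the management portal, and then registers it with Set-AzureSubscription. The function names, the file paths, and the Export-Certificate cmdlet (from the Windows PKI module, available on Windows 8 and Windows Server 2012 and later) are assumptions not found in the course text.

```powershell
# Added example (not from the course): the two certificate-based paths with the
# checks a practitioner would add. Function names and paths are placeholders.

# Path 1: a downloaded .publishsettings file. The file embeds the management
# certificate including its private key, so it is imported and then deleted.
function Import-ManagementCertificateFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "Publish settings file not found: $Path"
    }
    $before = @(Get-AzureSubscription).Count

    Import-AzurePublishSettingsFile -PublishSettingsFile $Path

    # Remove the sensitive file as soon as the certificate is registered.
    Remove-Item -Path $Path -Force

    $after = @(Get-AzureSubscription).Count
    if ($after -le $before) {
        Write-Warning "No new subscription was registered from $Path"
    }
    Get-AzureSubscription
}

# Path 2: your own certificate, already in the current user's personal store.
# List candidates with: Get-ChildItem cert:\CurrentUser\My | Select-Object Thumbprint, Subject, NotAfter
function Set-SubscriptionWithOwnCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SubscriptionName,
        [Parameter(Mandatory = $true)][string]$SubscriptionId,
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$PublicCerPath = "$env:TEMP\azure-mgmt.cer"   # placeholder path
    )

    $cert = Get-Item -Path "cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

    # Requests to Azure are signed with the private key, so it must be present here.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in CurrentUser\My"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); plan rotation"
    }

    # Export only the public part (.cer, no private key) for upload in the portal.
    Export-Certificate -Cert $cert -FilePath $PublicCerPath -Type CERT | Out-Null

    # Register the certificate against the subscription in this PowerShell environment.
    Set-AzureSubscription -SubscriptionName $SubscriptionName `
        -SubscriptionId $SubscriptionId -Certificate $cert
    Get-AzureSubscription -SubscriptionName $SubscriptionName
}

# Usage (placeholder values):
# Import-ManagementCertificateFile -Path "D:\Demofiles\Mod01\azure-credentials.publishsettings"
# Set-SubscriptionWithOwnCertificate -SubscriptionName "<name>" -SubscriptionId "<id>" -Thumbprint "<thumbprint>"
```

The expiry check matters for the long-running scripts this authentication model is recommended for: a management certificate that lapses mid-run fails in the same way an expired Azure AD token would.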

Deleting Accounts and Subscriptions


To delete an account, use the Remove-AzureAccount cmdlet. To remove a subscription, use the
Remove-AzureSubscription cmdlet. Both of these cmdlets will prompt you to confirm the deletion
unless you specify the -Force parameter.

Azure PowerShell Cmdlets


After you have connected your Windows
PowerShell environment to your Azure
subscription, you can use Azure cmdlets to view,
provision, and manage Azure services. The Azure
PowerShell library provides two operational
modes: one in which cmdlets from the Azure
module are available, and another in which
cmdlets from the AzureResourceManager
module are available. Cmdlets from the
AzureProfile module are available in both modes.
To switch between modes, you can use the
Switch-AzureMode cmdlet, which is defined in
the AzureProfile module.
Using the Switch-AzureMode cmdlet
# Switch to Resource Manager mode (activate the AzureResourceManager module)
Switch-AzureMode -Name AzureResourceManager
# Switch back to service manager mode (activate the Azure module)
Switch-AzureMode -Name AzureServiceManagement

Service Management Mode


By default, the Azure module is active and Azure PowerShell is in Service Management mode. The Azure
module contains a comprehensive set of cmdlets, which you can use to view, create, and manage
individual Azure services in your subscription. For example, you can use the New-AzureWebsite cmdlet
to create an Azure website, or use the Get-AzureStorageAccount cmdlet to get a reference to an
existing storage account.
For a full list and summary description of the cmdlets in the Azure module, you can use the PowerShell
Get-Command cmdlet, and to display syntax for a specific Azure cmdlet, you can use the PowerShell
Get-Help cmdlet.
Viewing Information about Azure Module Cmdlets
# Get a list of cmdlets in the Azure module
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis
# Get the syntax for a specific cmdlet
Get-Help New-AzureVM
# Get an example
Get-Help New-AzureVM -Example

Resource Manager Mode

In Resource Manager mode, you can use PowerShell to create and manage Azure resources in resource
groups. This approach makes it easier to manage related sets of resources as a unit. For example, you
could use the Get-AzureResourceGroup cmdlet to get a reference to an existing resource group, or use
the Remove-AzureResourceGroup cmdlet to remove a resource group and all of the resources it
contains.
You can use the Get-Command and Get-Help cmdlets to view information about the cmdlets in the
AzureResourceManager module.

Viewing Information about AzureResourceManager Cmdlets


# Switch to Resource Manager mode
Switch-AzureMode -Name AzureResourceManager
# Get a list of cmdlets in the AzureResourceManager module
Get-Command -Module AzureResourceManager | Get-Help | Format-Table Name, Synopsis
# Get the syntax for a specific cmdlet
Get-Help Remove-AzureResourceGroup
# Get an example
Get-Help Remove-AzureResourceGroup -Example

Note: The AzureResourceManager module is currently in preview, and does not support
all of the functionality in the Azure module. In addition, the AzureResourceManager module
cannot be used in a certificate-based authentication session.
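The following function is an added example, not from the course, that shows the mode switch in practice. Switch-AzureMode changes the whole session, so the function switches into Resource Manager mode, builds an inventory object for each resource group, and switches back to Service Management mode in a finally block even if a cmdlet fails. It assumes an Azure AD sign-in (a certificate-based session cannot use this module, as noted above) and that the preview module's Get-AzureResource cmdlet accepts -ResourceGroupName and returns objects with a ResourceType property; the function name is a placeholder.

```powershell
# Added example (not from the course): inventory resource groups in Resource
# Manager mode and always return the session to Service Management mode.
# Assumes an Azure AD sign-in and the AzureResourceManager preview module.
# Function name is a placeholder.
function Get-ResourceGroupInventory {
    $switched = $false
    try {
        Switch-AzureMode -Name AzureResourceManager
        $switched = $true

        foreach ($rg in Get-AzureResourceGroup) {
            # Assumption: Get-AzureResource filters by -ResourceGroupName and
            # each result carries a ResourceType property.
            $resources = @(Get-AzureResource -ResourceGroupName $rg.ResourceGroupName)

            # One object per group; a count and the distinct resource types
            # are easier to compare across runs than the printed ResourcesTable.
            [pscustomobject]@{
                ResourceGroupName = $rg.ResourceGroupName
                Location          = $rg.Location
                ResourceCount     = $resources.Count
                ResourceTypes     = ($resources |
                    Select-Object -ExpandProperty ResourceType -Unique) -join ', '
            }
        }
    }
    finally {
        # Leave the session as it was found, whether or not the loop succeeded.
        if ($switched) { Switch-AzureMode -Name AzureServiceManagement }
    }
}

# Usage:
# Get-ResourceGroupInventory | Format-Table -AutoSize
```

Emitting objects rather than Write-Host text means the output can be piped to Export-Csv or compared against a previous inventory, which is how unexpected resources in a subscription get noticed.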

Demonstration: Using Azure PowerShell


In this demonstration, you will see how to:

Use certificate-based authentication.

Use Azure AD-based authentication.

Use Azure PowerShell Cmdlets.

Demonstration Steps
Use Certificate-Based Authentication


1. Ensure that you have completed the previous demonstration in this module, and are logged on to the
20533B-MIA-CL1 virtual machine as Student with the password Pa$$w0rd.

2. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
Yes when prompted.

3. In the Windows PowerShell interactive scripting environment, in the command prompt pane, enter
the following command to generate and download a management certificate:
Get-AzurePublishSettingsFile

4. When Internet Explorer opens, sign in using the Microsoft account associated with your Azure
subscription. Then when prompted to open or save the certificate file, in the Save drop-down list,
click Save as, and save the file as azure-credentials.publishsettings in the D:\Demofiles\Mod01
folder (overwriting any existing file of this name).

5. When the download has completed, close Internet Explorer.

6. In the PowerShell ISE, in the command prompt pane, enter the following command to import the
certificate:
Import-AzurePublishSettingsFile D:\Demofiles\Mod01\azure-credentials.publishsettings

7. In the PowerShell ISE, in the command prompt pane, enter the following command to view the
subscriptions that are connected to the local PowerShell session:
Get-AzureSubscription

8. Verify that your subscription is listed.

9. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the
Microsoft account that is associated with your Azure subscription.

10. On the SETTINGS page, on the MANAGEMENT CERTIFICATES tab, find the most recently created
certificate and note its expiry date. Then, at the bottom of the page, note the option to upload your
own certificate, and close Internet Explorer.

11. In the Windows PowerShell ISE, in the output from the previously executed Get-AzureSubscription
statement, note the name of your subscription. Then enter the following command to delete it from
the local PowerShell environment:
Remove-AzureSubscription -SubscriptionName "<your_subscription_name>" -Force

12. Note the warnings that are displayed, and then re-execute the following command to verify that the
subscription has been deleted (if there are no subscriptions, the command returns an empty line):
Get-AzureSubscription

Use Azure AD Authentication


1. In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure
account to the local PowerShell environment:
Add-AzureAccount

2. When prompted, sign in using the Microsoft account associated with your Azure subscription.

3. In the PowerShell ISE, in the command prompt pane, enter the following command to view the Azure
accounts in your local PowerShell environment, and verify that your account is listed:
Get-AzureAccount

4. Enter the following command to view the subscriptions that are connected to the local PowerShell
session, and verify that your subscription is listed again:
Get-AzureSubscription

Use Azure PowerShell Cmdlets


1. In the PowerShell ISE, in the command prompt pane, enter the following command to view the
cmdlets in the Azure module. If you are prompted to run Update-Help, click No:
Get-Command -Module Azure | Get-Help | Format-Table Name, Synopsis

2. Review the output, and note the large number of cmdlets available.

3. Enter the following command to view the syntax for the Get-AzureWebsite cmdlet:
Get-Help Get-AzureWebsite

4. Review the output. Then enter the following command to clear the screen:
cls

5. In the PowerShell ISE, click File and then click Open.

6. In the Open dialog, browse to D:\Demofiles\Mod01\.

7. Click ExampleCommands.ps1 and then click Open.

8. If the Script pane is not visible, on the View menu, click Show Script Pane.

9. In the Script pane, highlight the following code:

foreach ($store in Get-AzureStorageAccount)
{
    Write-Host $store.StorageAccountName : $store.StatusOfPrimary
}

10. On the toolbar, click Run Selection and wait for the script and its results to be displayed in the
command prompt pane. The results should list the name and status of the storage account you
created in the previous demonstration.
11. In the Console pane, type the following command, and then press Enter:
Switch-AzureMode -Name AzureResourceManager

12. In the Script pane, highlight the following code:

foreach ($rg in Get-AzureResourceGroup)
{
    Write-Host ""
    Write-Host $rg.ResourceGroupName
    Write-Host $rg.ResourcesTable
    Write-Host ""
}


13. On the toolbar, click Run Selection and wait for the script and its results to be displayed in the
command prompt pane. The results should list each resource group in your subscription, and a table
of the resources in each resource group.
14. Close the Windows PowerShell ISE without saving any script files.
Reset the Environment
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:
Reset-Azure

3.

When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

Lab: Introduction to Azure


Scenario


A. Datum is investigating the potential for Azure to host IT infrastructure and application services. You
have been tasked with exploring the Azure environment and familiarizing yourself with its management
tools so that you can perform simple demonstrations during a presentation on Azure to the board of
directors.

Objectives
After completing this lab, you will be able to:

Manage Azure services and subscriptions by using the Azure portals.

Manage Azure services and resources by using Windows PowerShell.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Using Azure Portals


Scenario

The IT department at A. Datum uses an on-premises, web-based asset management application that
consists of a Microsoft ASP.NET website and a Microsoft SQL Server database. In addition, invoice
documents for all IT purchases are stored in a file share. You plan to explore options for migrating the
asset management application and invoice document store to Microsoft Azure by creating a website,
database, and storage account in Azure. You also want to check the latest billing information for your
subscription.

Note: The Microsoft Azure portals are continually improved, and the user interface may have been
updated since this lab was written. Your instructor will make you aware of any differences between the
steps described in the lab and the current Azure portal.
The main tasks for this exercise are as follows:
1. Use the Full Azure Management Portal.
2. Use the New Azure Preview Portal.
3. Manage Your Azure Subscription.

Task 1: Use the Full Azure Management Portal
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. Sign in to the full Azure management portal using the Microsoft account that is associated with your
Azure subscription.
3. Create a new website using the Custom Create option. The website should:
o Have a unique, valid URL name.
o Be located in the region nearest your current location.
o Include a free 20 MB database named AssetsDB on a new SQL Database server in the same
region that has an administrative login named Student with the password Pa$$w0rd.
4. After the website has been created and is running, view the dashboard for the AssetsDB SQL
database and review the summary information there.

Task 2: Use the New Azure Preview Portal
1. Switch to the new Azure preview portal and browse the resource groups that have been created
automatically for the website and SQL database you created in the previous task.
2. View the contents of the resource group created for the SQL database.
3. Create a new storage account with a unique name in the same location and resource group as the
SQL database.
4. After the storage account has been created, view the resource group that was created for the SQL
database and verify that it now also contains the new storage account.
5. Switch back to the full portal and verify that the new storage account is displayed in the ALL ITEMS
page (you may need to refresh the page).

Task 3: Manage Your Azure Subscription
1. In the full portal, view your bill and review the summary of usage and billing.
2. Note: If your account has been recently created, the subscriptions page may display an error.
If you see this error, return to this page later to view billing information.
3. View the available preview features.
4. Close Internet Explorer.

Results: At the end of this exercise, you should have created a website, a SQL database, and a storage
account in your Azure subscription by using the Azure portals, and reviewed the billing information for
your subscription.

Exercise 2: Using Azure PowerShell


Scenario
Now that you have explored the Azure portals and created some basic objects, you want to configure
your local PowerShell environment to work with your Azure subscription, and use it to retrieve
information about the services you have created.
The main tasks for this exercise are as follows:
1. Connect PowerShell to Your Azure Subscription.
2. Manage Azure Services.
3. Manage Resource Groups.
4. Reset the Environment.

Task 1: Connect PowerShell to Your Azure Subscription
1. Start the Microsoft Azure PowerShell Integrated Scripting Environment (ISE) as Administrator.
2. Add your Azure account to the local PowerShell environment by using Azure AD authentication.
3. Verify that your account and subscription are connected to the local PowerShell environment.

Task 2: Manage Azure Services
1. In the Windows PowerShell ISE, open the following script:
o D:\Labfiles\Lab01\Starter\ExampleCommands.ps1
2. In the script, replace the comments in the first foreach loop so that the code gets all storage accounts
and displays each account's name and the status of the primary replica. Execute your foreach loop.
3. In the script, replace the comments in the second foreach loop so that the code gets all websites and
displays each site's name and state. Execute your foreach loop.
4. In the script, replace the comments in the third foreach loop so that the code gets all SQL Database
servers and, for each server, gets all the databases. Execute your foreach loop.

Task 3: Manage Resource Groups
1. In the PowerShell ISE, execute a command that switches to resource manager mode.
2. In the ExampleCommands.ps1 script, replace the comments in the fourth foreach loop so that the
code gets all resource groups. Execute your foreach loop. When you have finished, close Windows
PowerShell ISE without saving any files.

Task 4: Reset the Environment
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:

Reset-Azure

3. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error if this occurs). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.

Results: At the end of this exercise, you should have written PowerShell commands that retrieve
information about the services and resource groups in your Azure subscription.
Question: In the lab, you created an Azure website, SQL database, and a storage account to
which the on-premises asset management application in the scenario could be migrated.
What other options for migrating this application to Azure might you consider?

Module Review and Takeaways


In this module, you learned about cloud services, and in particular, about Microsoft Azure. You then
learned how to use the Azure portals and Windows PowerShell to manage Azure subscriptions and
services.
Best Practice: When planning an Azure-based cloud solution, consider the following
recommendations:

Evaluate IaaS and PaaS options for each element of the solution based on comparative cost,
functionality, and management overhead.

Use resource groups to combine related services into a single unit of management.

Use Azure AD authentication when connecting PowerShell to Microsoft Azure unless you have a
specific reason to use a management certificate.

Review Question(s)
Question: Categorize each of the following Azure services as PaaS or IaaS:
Azure Websites
Azure Storage
Azure Virtual Machines
Azure Virtual Networks
SQL Database

Tools
You can download the following tools for working with Azure:

Microsoft Azure PowerShell: http://azure.microsoft.com/downloads/


(http://go.microsoft.com/fwlink/?LinkID=522617)

Microsoft Azure AD PowerShell: http://aka.ms/aadposh


(http://go.microsoft.com/fwlink/?LinkID=522616)

The Cross-Platform Command line Interface: http://azure.microsoft.com/downloads/


(http://go.microsoft.com/fwlink/?LinkID=522617)


Module 2
Implement and Manage Virtual Networks
Contents:
Module Overview 2-1
Lesson 1: Planning Virtual Networks 2-2
Lesson 2: Implementing and Managing Virtual Networks 2-13
Lab A: Creating Virtual Networks 2-19
Lesson 3: Configuring Connections to Virtual Networks 2-22
Lab B: Connecting Virtual Networks 2-29
Module Review and Takeaways 2-34

Module Overview

Networking is one of the main building blocks of Microsoft Azure, so it is essential that you have a
clear understanding of how to configure network components and connect them together. In this second
module, you will look at how virtual networking provides the glue that brings together virtual machines,
cloud services and storage to enable you to publish the service onto the Internet.

Objectives
After completing this module, you will be able to:

Plan virtual networks in Microsoft Azure.

Implement and manage virtual networks.

Configure inter-site connectivity with Microsoft Azure virtual networks.

Lesson 1

Planning Virtual Networks

As with on-premises networks, Microsoft Azure networks need to be planned carefully to ensure that they
work as expected. However, you should find that your knowledge of planning on-premises networks
translates relatively simply into the Microsoft Azure environment.

Lesson Objectives
After completing this lesson, you will be able to:

Understand how virtual networks can be used to support virtual machines and PaaS cloud services.

Describe the overall functioning of virtual networking in Microsoft Azure.

List the features supported by Azure virtual networks.

Explain how on-premises computers can connect to VMs in an Azure virtual network.

Plan a VPN connection from one Azure virtual network to another.

Design IP address space and subnet allocation to manage host numbers.

Plan for effective name resolution in Microsoft Azure virtual networks.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.
Before you start the lab preparation, your Instructor will decide which Azure region is the closest to your
classroom location and also which Azure region is second closest. You will need this information during
the lab.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
with your Azure subscription. Close any initial "welcome" messages and password storage messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. If you are
prompted to sign in, use the Microsoft account that is associated with your subscription. Then, in the
new tab that is opened, close any initial "welcome" messages for the new portal.

Prepare the Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:

Setup-Azure

3. At the prompt, type the module number, and then press Enter.
4. Confirm your selection, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
6. When the script is complete, close PowerShell and Internet Explorer.

Virtual Networks as a Component of Azure


Virtual Networks (VNets) in Microsoft Azure are network overlays that you can use to configure and
control connectivity between virtual machines (VMs) and PaaS cloud service roles. You can use both VMs
and PaaS cloud services without VNets but, when you organize them into VNets, you enable them to
communicate directly on an isolated network and can set IP addressing schemes and name resolution
settings.

Virtual networks (VNets) in Microsoft Azure also enable you to extend your on-premises networks into the
cloud. To build such a configuration, you must connect a Virtual Private Network (VPN) from your
on-premises computers or networks to the Azure VNet. Alternatively, you can use ExpressRoute to provide
a connection to an Azure VNet that does not cross the Internet. In this way, you can enable on-premises
users to access Azure services as if they were physically located on-premises in your own datacenter.
VNets are often used to support Virtual Machines (VMs) by grouping them into subnets. However, you
can also create PaaS Cloud Services in VNets for the same reason. In addition, this module mentions
Traffic Manager because you can use it to load balance traffic between VMs or cloud services in VNets.
VMs, PaaS cloud services and Traffic Manager are discussed in later modules in this course.

Overview of Virtual Networks


A major driver for the adoption of cloud services, such as Azure, is to enable IT departments to move
server resources into the cloud. This can save companies money by removing the need to maintain
expensive datacenters with uninterruptible power supplies, generators, multiple fail-safes, clustered
database servers and so on. This is particularly advantageous for small and medium-sized companies,
which may not have the expertise to maintain their own robust infrastructure.

You can create VMs in Azure without using VNets. Each VM must be placed in an IaaS cloud service. You
can create each VM in a separate cloud service or you can add two or more VMs to a single cloud service.
VMs in the same IaaS cloud service can communicate directly but you have no control over their IP
addresses or DNS configuration. VMs in different IaaS cloud services can only communicate through cloud
service endpoints that have specific port numbers. VMs can only communicate with PaaS cloud services
through endpoints.

This situation becomes more flexible when you consider VNets: a VM in a VNet can communicate directly
with any other VM in the VNet, even if it is in a different IaaS cloud service. VNets are the only way to
enable direct communication between a VM and a PaaS cloud service. You can also control the IP
addresses assigned to VMs and PaaS cloud services within a VNet and assign DNS servers for name
resolution.

When you move a server into the cloud, you move it further from the users on your premises. This
physical move should not place any barrier between the users and the resources they need to do their job.
You can use a VPN connection to remove any potential barriers. A VPN can connect your on-premises
network to an Azure VNet and all the VMs and PaaS cloud services it contains. This connection means
that users can connect to Azure resources as if they were local.
You can use the same private IPv4 address ranges in Azure VNets that you use on-premises:

10.x.x.x

172.16.x.x to 172.31.x.x

192.168.x.x


You must carefully plan the IP addressing scheme. You will learn more about this planning later in this
lesson. Azure also supports the customization of DNS servers to ensure that on-premises computers can
resolve the IP address of virtual servers in the VNet from a name, and that virtual servers can resolve the IP
address of on-premises computers.
To connect to an Azure VNet from an on-premises network, you can use virtual private networks (VPNs)
to connect across the Internet, or an ExpressRoute connection:

A Point-to-Site VPN. This is a VPN that connects a single computer to a VNet. To create this
connection, you must configure each on-premises computer that you want to use the resources in the
VNet.

A Site-to-Site VPN. This is a VPN that connects an on-premises network, and all its computers, to a
VNet. To create this connection, you must configure a gateway and IP routing in the on-premises
network but it is not necessary to configure individual on-premises computers.

ExpressRoute. An ExpressRoute connection is a dedicated service that does not connect across the
Internet. By using ExpressRoute, you can increase security, reliability, and bandwidth.

You can also create a VPN that connects two Azure VNets. These are called VNet-to-VNet connections.
You will learn more about these connection methods in Lesson 3 Configuring Connections to Virtual
Networks.

Whenever you use a VPN to connect to a VNet, a virtual gateway is required in the VNet. The virtual
gateway routes traffic between VMs and PaaS cloud services in the VNet and computers at the other end
of the connection.

Virtual Network Features


Virtual Networks in Azure have a range of features that help you to group virtual machines and cloud
services and connect to VNets from on-premises or internet-connected machines.

VNets for Cloud Services and Virtual Machines

Once you have created a VNet, you can place new VMs and PaaS Cloud Services into the new VNet. VMs
and cloud services within the same VNet can communicate directly without going through an endpoint or
virtual gateway.

IP Addressing in VNets

VMs and PaaS cloud service roles in a single VNet require a unique IP address in the same way as clients
in an on-premises subnet do. This enables these VMs and cloud service roles to communicate with each
other. There are two types of IP addresses used in an Azure VNet:

DIPs. A DIP is a dynamic internal IP address. This address is used by VMs in the VNet to communicate
with other VMs in the same VNet. When you have connected a VPN to an Azure VNet, on-premises
clients communicate with VNet VMs by using DIPs.

VIPs. A VIP is a virtual IP address that is assigned to a cloud service (either an IaaS cloud service or a
PaaS cloud service). This address is used by external clients to communicate with the cloud service
and its VMs. All VMs within a single cloud service have the same VIP.


Azure assigns DIPs by using the DHCP protocol. DHCP leases are infinite in duration, so IP addresses are
stable. However, in some circumstances, such as when a VM has been placed into the Stopped
(Deallocated) state, a DIP may change.
If you are using a VPN to connect on-premises computers to the VNet, you must ensure that the
on-premises IP addresses and the VNet DIP addresses do not conflict. You will learn how to plan a
non-conflicting IP addressing scheme later in this lesson.

You can ensure a VM always has the same DIP address by setting a static internal IP address (also known
as a persistent private IP address) in PowerShell. Start by testing that the IP address you want to reserve is
not already in use, then use Set-AzureStaticVNetIP as in the following example:
Setting a Static Internal IP Address
#Test the IP address for availability
Test-AzureStaticVNetIP -VNetName AdatumHQ -IPAddress 192.168.1.10
#Assign the IP address
Get-AzureVM -ServiceName AdatumWebFrontEnd -Name WebVM1 | Set-AzureStaticVNetIP -IPAddress 192.168.1.10 | Update-AzureVM

Note: When you want to assign a static IP address to on-premises computers, you can use
the Network Interface dialog within Windows. This method must not be used for VMs within
Azure because it will result in dropped connections and connectivity failures. Instead use
Set-AzureStaticVNetIP as described above.
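The snippet above runs Test-AzureStaticVNetIP but never looks at its result, so a taken address would still be pushed to the VM. As an added example (not part of the course or of the lab's ExampleCommands.ps1), the following script acts on that result: it stops when the address is in use, reports the free addresses that the cmdlet returns, and reads the reservation back after Update-AzureVM. It assumes an authenticated Azure PowerShell session in Service Management mode and reuses the names from the text (AdatumHQ, AdatumWebFrontEnd, WebVM1, 192.168.1.10), which are assumptions rather than real resources; it needs a subscription to run.

```powershell
# Added example, not from the course. Requires Azure PowerShell in Service Management
# (Azure) mode and an authenticated session (Add-AzureAccount). The VNet, cloud service,
# VM name and address below are assumptions taken from the text, not real resources.
function Set-VerifiedStaticDIP {
    param(
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$IPAddress
    )

    # 1. Ask the platform whether the address is free in this VNet. The result carries
    #    IsAvailable and, when the address is taken, a list of AvailableAddresses.
    $check = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
    if (-not $check.IsAvailable) {
        $suggested = $check.AvailableAddresses -join ', '
        throw "$IPAddress is already in use in $VNetName. Free addresses suggested by Azure: $suggested"
    }

    # 2. Reserve the DIP through the fabric, never inside the guest OS. Update-AzureVM
    #    re-applies the role configuration, so expect a brief interruption on the VM.
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM $VMName was not found in cloud service $ServiceName" }
    $vm | Set-AzureStaticVNetIP -IPAddress $IPAddress | Update-AzureVM | Out-Null

    # 3. Read the reservation back from the role and fail loudly if it did not stick.
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    $assigned = Get-AzureStaticVNetIP -VM $vm
    if ($assigned.IPAddress -ne $IPAddress) {
        throw "Static IP was not applied; $VMName currently reports $($vm.IpAddress)"
    }
    return $assigned.IPAddress
}

Set-VerifiedStaticDIP -VNetName 'AdatumHQ' -ServiceName 'AdatumWebFrontEnd' `
                      -VMName 'WebVM1' -IPAddress '192.168.1.10'
```

Throwing rather than warning is deliberate: a script that silently continues after a failed availability check is how two VMs end up contending for one DIP.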

Similarly, you can also ensure that the VIP for a cloud service, and the VMs it contains, never changes by
using a reserved IP. To do this, create a reserved IP with the New-AzureReservedIP cmdlet and then pass
its name to a new VM as you create it:
Adding a Reserved IP for a New VM
New-AzureReservedIP -ReservedIPName "WebFrontEndIP" -Label "WebFrontEndIP" -Location "West US"
# $imageName must hold the name of a VM image, for example one returned by Get-AzureVMImage.
# The password is single-quoted because "$$" would otherwise be expanded by PowerShell.
New-AzureVMConfig -Name "WebFrontEndVM1" -InstanceSize Small -ImageName $imageName |
    Add-AzureProvisioningConfig -Windows -AdminUsername Student -Password 'Pa$$w0rd' |
    New-AzureVM -ServiceName "WebFrontEnd" -ReservedIPName "WebFrontEndIP" -Location "West US"

Note: You will learn more about creating VMs, both in the portals and in PowerShell, in
Module 3.

Most of the time, VIPs are the only external IP addresses you need to assign. A VIP is assigned to an IaaS
cloud service and endpoints are used to specify one or more VMs that receive incoming traffic to the VIP.
Alternatively a VIP can be assigned to a PaaS cloud service and endpoints used to specify the cloud
service role that receives incoming traffic.

However, in some cases you may want to enable external clients to communicate directly with a specific
VM in a cloud service through a direct IP address without specifying a port number. For example, if you
are using FTP in Passive Mode, the client negotiates the port number to use for transferring files. In such
cases, assign an instance-level Public IP (PIP) to the VM. Because a PIP exposes the VM directly rather
than through an endpoint, every port that the guest operating system listens on becomes reachable from
the Internet, so the guest firewall is the only network-level control left on that address.
In this example, the script obtains an existing VM and then assigns a PIP to it.

Assigning an Instance-Level PIP to a VM

Get-AzureVM -ServiceName FTPService -Name FTPVM1 | Set-AzurePublicIP -PublicIPName ftpip | Update-AzureVM

You can also configure multiple network interface cards (NICs) for Azure VMs. In this case, each NIC
receives a separate DIP and you can utilize the NICs to isolate communication. For more information
about multiple NICs, see the following link:
Create a VM with Multiple NICs
http://go.microsoft.com/fwlink/?LinkID=522618

DNS

The Domain Name System (DNS) enables clients to resolve user-friendly fully-qualified domain names
(FQDNs), such as www.adatum.com, to IP addresses. Azure provides a DNS system to support many
name resolution scenarios but in some cases, you may need to configure an external DNS system to
resolve IP addresses within an Azure VNet.

For example, a VM in an IaaS cloud service can use the Azure internal DNS system to resolve the DIP of
any other VM in the same service. However, in a hybrid scenario where your on-premises network is
connected to an Azure VNet through a VPN, an on-premises computer cannot resolve the DIP of a
VM in an Azure VNet until you configure the DNS servers with a record for the VM. You will learn more
about configuring name resolution later in this lesson.

Azure Load Balancer and Internal Load Balancer

External clients use a VIP address to communicate with a VM. This VIP is associated with an IaaS cloud
service that may be in an Azure VNet. You define endpoints on the cloud service to enable external clients
to connect to specific VMs within the cloud service. By default, an endpoint is associated with a single VM.

To increase availability and scalability, you can create two or more VMs in the same IaaS cloud service that
publish the same application. For example, if 3 VMs host the same website, you may want to distribute
incoming traffic between them and ensure that, if one VM fails, traffic is automatically distributed to the
other two.
You can use a load balanced set to enable this traffic distribution between VMs in a single cloud service.
In this configuration a single endpoint is shared between multiple VMs. The Azure Load Balancer
automatically distributes requests across those VMs as they arrive at the endpoint.

Now consider the case where one VM in a VNet communicates with other VMs in the same VNet. For
example, a web server may want to access a group of middle-tier servers. You can use the Azure load
balancer for this load distribution if you specify the cloud service and endpoint. Alternatively you can
configure the internal load balancer for such distribution. The internal load balancer enables you to load
balance traffic between VMs in the same IaaS cloud service, without routing that traffic through an
endpoint.

Traffic Manager

Traffic Manager is another load balancing solution included within Azure that can load balance between
endpoints located in different Azure regions. These endpoints can include those on IaaS cloud services
that connect to virtual machines, those on PaaS cloud services that connect to roles, and those on Azure
websites. You can configure this load balancing to support failover or to ensure that users connect to an
endpoint that is close to their physical location for higher performance. You will learn how to configure
Traffic Manager in Module 5.

Regional VNets

All new VNets are regional VNets. This means they can span a complete Azure region or datacenter. This
differs from the original VNets in Azure, which were restricted to a single affinity group. If you have older
VNets in your subscription, these may be tied to an affinity group. However, over time all VNets will be
migrated to regional VNets and their ties to specific affinity groups will be removed.
Regional VNets support some features that affinity group VNets do not. These include:

Reserved IP Addresses

Internal Load Balancing

Instance-Level Public IP Addresses

More VM Sizes

Connecting to Virtual Networks


Before you can use a VM or PaaS cloud service within an Azure VNet, you must connect to that VNet.
There are several ways to make this connection.

Cloud-Only Virtual Networks

You can choose not to make any kind of virtual private network (VPN) connection to a VNet. Instead,
when you create a VM or cloud service, you can specify endpoints that external clients can connect to. An
endpoint is a VIP and a port number. Therefore an endpoint can be used only for a specific protocol, such
as connecting a Remote Desktop Protocol (RDP) client or browsing a website.

These VNets are known as cloud-only virtual networks. A dynamic routing gateway is not required in the
VNet.
Endpoints are published to the Internet, so they can be used by anyone with an Internet connection,
including your on-premises computers. Because an endpoint is reachable from any source address, expose
only the ports you need and restrict the permitted source ranges with endpoint access control lists (ACLs)
where possible; a management endpoint such as RDP should not be left open to the whole Internet.

Point-to-Site VPNs
A simple way to connect a VPN to an Azure VNet is to use a Point-to-Site VPN. In these VPNs, you
configure the connection on individual on-premises computers. No extra hardware is required but you
must complete the configuration procedure on every computer that you want to connect to the VNet.
Point-to-site VPNs can be used by the client computer to connect to a VNet from any location with an
Internet connection. Once the VPN is connected, the client computer can access all VMs and cloud
services in the VNet as if they were running on the local network.
You will learn how to configure a Point-to-Site VPN in Lesson 2.

Site-to-Site VPNs

To connect all the computers in a physical site to an Azure VNet, you can create a Site-to-Site VPN. In this
configuration, you do not need to configure individual computers to connect to the VNet, instead you
configure a VPN device, which acts as a gateway to the VNet. You must also configure routing tables to
forward traffic to the VNet. Once these steps are completed, all computers in the local on-premises
network can connect to VMs and services in the VNet as if they were local resources.
You can use a Windows Server 2012 computer running RRAS as a gateway to the VNet. Alternatively,
there are a range of third-party VPN devices that are known to be compatible. If you have a VPN device
that is not on the known compatible list, you may be able to use it if it satisfies the list of gateway
requirements. To check the compatible VPN device list and requirements list, see:
About VPN Devices for Virtual Network
http://go.microsoft.com/fwlink/?LinkID=522619

ExpressRoute

ExpressRoute is a service that enables Azure customers to create a dedicated connection to Azure, which
does not connect through the public Internet. This contrasts with VPNs, which use encryption to tunnel
securely through the public Internet.
Because ExpressRoute connections are dedicated, they can offer faster speeds, lower latencies, and higher
reliability than VPNs, and the traffic never traverses the public Internet. Note, however, that ExpressRoute
does not itself encrypt the traffic it carries; if you need confidentiality on the link, apply encryption at the
application or transport layer or run your own IPsec tunnel over the circuit. To learn more about
ExpressRoute, see:
ExpressRoute Technical Overview
http://go.microsoft.com/fwlink/?LinkID=522620

VNet-to-VNet Connections
As well as connecting an on-premises network to an Azure VNet by using a VPN, you can also use a VPN
to connect two or more Azure VNets. Such connections are termed VNet-to-VNet VPNs. The connected
VNets can be in different regions and even in different Azure subscriptions.

Comparing Site-to-Site and VNet-to-VNet VPNs

Functionally and conceptually, a VNet-to-VNet connection is the same as a Site-to-Site connection except
that both ends of the connection are VNets. VMs and cloud service components in each VNet can
communicate as if they were on the same VNet. However, configuring a VNet-to-VNet connection can be
confusing because you must complete similar tasks at both ends of the connection.

To understand the configuration, first consider a Site-to-Site VPN. You must configure:

An IP addressing scheme in the VNet.

The range of IP addresses that are available on the local, on-premises subnet.

A gateway in the local subnet.

A virtual gateway in the VNet.

Because the virtual gateway is configured with the IP addresses in the VNet and the IP addresses in the
local network, it can route packets from Azure to the local network.
Now consider a VNet-to-VNet VPN that connects a VNet in the West US region to a VNet in the North
Europe region. You must configure:

An IP addressing scheme in the West US VNet.

An IP addressing scheme in the North Europe VNet.

A virtual gateway in the West US VNet.

A virtual gateway in the North Europe VNet.


When you configure the virtual gateway in West US, the IP address range that you provide for the Local Network is actually the range for the North Europe VNet. Similarly, for the virtual gateway in North Europe, the IP address range that you provide for the Local Network is actually the range for the West US VNet. This can confuse administrators because neither Local Network is in fact an on-premises network.
Note: You will configure a VNet-to-VNet VPN connection in the lab.

Designing IP Address Space and Subnet Allocation in Azure Virtual Networks

You can control the DIPs assigned to VMs and cloud services within an Azure VNet by specifying an IP addressing scheme. Planning an IP addressing scheme within Azure VNets is much like planning an IP addressing scheme on-premises. The same ranges are often used and the same rules applied. However, there are conditions that are unique to Azure VNets.

Private Address Spaces

The RFC 1918 standard defines three private address spaces that are never used for addressing on the Internet. Administrators use these ranges behind Network Address Translation (NAT) devices, so that the addresses used within intranets never conflict with the addresses of Internet servers. These three address spaces are the only ones that are supported within an Azure VNet. The address spaces are:

10.0.0.0/8. This address space includes all addresses from 10.0.0.1 to 10.0.0.255.

172.16.0.0/12. This address space includes all addresses from 172.16.0.1 to 172.31.255.255.

192.168.0.0/16. This address space includes all addresses from 192.168.0.1 to 192.168.255.255.


When you specify an address space for a VNet, you usually specify a much smaller range within one of the
private address spaces. For example, if you specified the address space 10.1.1.0/24, it means that all
addresses from 10.1.1.1 to 10.1.1.255 should be routed into your VNet.
In a cloud-only virtual network, you can specify any address range from the RFC 1918 private spaces.
However, if you will connect to the VNet with a VPN or ExpressRoute, you must ensure that the address
space is unique and does not overlap any of the ranges that are already in use on-premises or in other
VNets.
Best Practice: Always plan to use an address space that is not already in use in your
organization, either on-premises or in other VNets. Even if you plan for a VNet to be cloud-only,
you may want to make a VPN connection to it later. If there is any overlap in address spaces at
that point, you will have to reconfigure or recreate the VNet.

Choosing Subnets

You must also subdivide the VMs and cloud services in your VNet by providing one or more subnets. The range you specify for a subnet must be completely contained within its parent VNet's address space. Within each subnet, the first three IP addresses and the last IP address are reserved and cannot be used for VMs or cloud services. The smallest subnets that are supported use a 29-bit subnet mask.
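The rules stated in this topic (only RFC 1918 ranges, subnets wholly inside the parent address space, four reserved addresses per subnet, nothing smaller than /29, and no overlap with on-premises ranges or with other VNets you may later join by a site-to-site or VNet-to-VNet VPN) can be checked before a plan is deployed. The following Python script is an added example written for this page; it is not part of the course or of Azure, and the VNet names, address ranges and on-premises ranges in it are constructed sample data (the deliberately broken "Bad-VNet" exists only to exercise the checks).

```python
"""Check an Azure VNet address plan against the rules in this topic.

Added example (not from the course or from Azure): the VNet names,
address ranges and on-premises ranges below are constructed sample data.
"""
import ipaddress

# The only three ranges the topic allows inside an Azure VNet (RFC 1918).
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The first three and the last address of every subnet are reserved,
# and nothing smaller than a /29 is supported.
RESERVED_PER_SUBNET = 4
SMALLEST_SUBNET_PREFIX = 29

# Constructed sample plan: two VNets that will later be joined by a
# VNet-to-VNet VPN, plus a deliberately broken one to exercise the checks.
SAMPLE_VNETS = {
    "WestUS-VNet": {
        "address_space": ["10.1.0.0/16"],
        "subnets": {"Frontend": "10.1.1.0/24", "GatewaySubnet": "10.1.255.0/29"},
    },
    "NorthEurope-VNet": {
        "address_space": ["10.2.0.0/16"],
        "subnets": {"Backend": "10.2.1.0/24"},
    },
    "Bad-VNet": {
        "address_space": ["10.1.128.0/17", "8.8.0.0/16"],  # overlaps WestUS; not private
        "subnets": {"Tiny": "10.1.200.0/30", "Stray": "10.3.0.0/24"},
    },
}
# Constructed: ranges already routed on the corporate network.
SAMPLE_ON_PREMISES = ["192.168.0.0/16", "10.2.0.0/24"]


def usable_addresses(cidr):
    """Number of addresses a subnet can actually hand out to VMs and roles."""
    net = ipaddress.ip_network(cidr)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def validate_plan(vnets, on_premises):
    """Return a list of problems found in the plan (empty list = clean).

    vnets: {name: {"address_space": [cidr, ...], "subnets": {name: cidr}}}
    on_premises: [cidr, ...] ranges a VPN gateway would have to route to as well
    """
    problems = []
    spaces = {}
    for name, cfg in vnets.items():
        nets = [ipaddress.ip_network(p) for p in cfg["address_space"]]
        spaces[name] = nets
        for net in nets:
            if not any(net.subnet_of(r) for r in RFC1918):
                problems.append(f"{name}: {net} is not an RFC 1918 range")
        for sub_name, cidr in cfg["subnets"].items():
            sub = ipaddress.ip_network(cidr)
            if sub.prefixlen > SMALLEST_SUBNET_PREFIX:
                problems.append(f"{name}/{sub_name}: {sub} is smaller than /29")
            if not any(sub.subnet_of(net) for net in nets):
                problems.append(
                    f"{name}/{sub_name}: {sub} is outside the VNet address space")
    # Overlap with on-premises ranges or with another VNet: a site-to-site or
    # VNet-to-VNet gateway could not route such addresses unambiguously.
    prem = [ipaddress.ip_network(p) for p in on_premises]
    names = list(spaces)
    for i, a in enumerate(names):
        for net in spaces[a]:
            for p in prem:
                if net.overlaps(p):
                    problems.append(f"{a}: {net} overlaps on-premises {p}")
            for b in names[i + 1:]:
                for other in spaces[b]:
                    if net.overlaps(other):
                        problems.append(f"{a}: {net} overlaps {b}: {other}")
    return problems


if __name__ == "__main__":
    for vnet, cfg in SAMPLE_VNETS.items():
        for sub_name, cidr in cfg["subnets"].items():
            print(f"{vnet}/{sub_name} {cidr}: {usable_addresses(cidr)} usable addresses")
    for problem in validate_plan(SAMPLE_VNETS, SAMPLE_ON_PREMISES):
        print("PROBLEM:", problem)
```

Running the script on the sample plan reports five problems: the non-private 8.8.0.0/16 range, the /30 subnet, the subnet that lies outside its VNet, the North Europe VNet overlapping an on-premises range, and the two VNets that overlap each other. The overlap checks are the ones worth keeping in a deployment pipeline, because an overlap is only discovered once a VPN is needed and then forces the VNet to be recreated.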

Use Static Internal IP Addresses

Because clients use DNS to resolve a name to an IP address, many VMs and services can receive new DIPs without interrupting their service to users. In addition, because DHCP leases are infinite in Azure VNets, IP addresses rarely change. However, sometimes an IP change does happen. For example, if a new VM is created while another VM is in the Stopped (Deallocated) state, the new VM may take the old VM's original address.
If you expect an IP address change to cause problems for a server, you can use a static internal IP address for that VM. For example, a DNS server should have a static IP address, because clients may not be able to locate it if its address changes. See the topic Virtual Network Features in this lesson for instructions on setting a static IP address.

Planning for Name Resolution in Azure Virtual Networks


Name resolution is the process by which a computer name is resolved to an IP address. A computer can then use that IP address to connect to the named computer, while users refer to the name, which is easier to remember than the IP address.
Azure provides a name resolution service that enables VMs and cloud services within Azure to communicate by name. However, some configurations exceed the reach of the Azure name resolution service. You must plan name resolution carefully to ensure that all computers and VMs can connect.

Consider the following situations:


VMs in the same cloud service. VMs can resolve the names of all other VMs in the same cloud service
automatically by using the internal Azure name resolution.

VMs in the same VNet. If the VMs are in different cloud services but within a single VNet, those VMs
can resolve IP addresses for each other by using the internal Azure name resolution service and their
Fully Qualified Domain Names (FQDNs). This is supported only for the first 100 cloud services in the
VNet. Alternatively, use your own DNS system to support this scenario.

Between VMs in a VNet and on-premises computers. To support this scenario you must use your own
DNS system.

Between VMs in different VNets. To support this scenario you must use your own DNS system.

Between on-premises computers and public endpoints. If you publish an endpoint from a VM in an
Azure VNet, the Azure-provided external name resolution service will resolve the public VIP. This also
applies for any internet-connected computers that are not on your premises.

Note: If two VMs are deployed in different IaaS cloud services but not in a VNet, they cannot communicate at all, even by using DIPs. Therefore, name resolution is not applicable.

If you are planning to use your own DNS system, you must ensure that all computers can reach a DNS server for registering and resolving IP addresses. You can either deploy DNS on a VM in the Azure VNet or have VMs register their addresses with an on-premises DNS server. Your DNS server must meet the following requirements:

The server must support Dynamic DNS (DDNS) registration.

The server must have record scavenging switched off. Because DHCP leases in an Azure VNet are
infinite, record scavenging can remove records that have not been renewed but are still correct.

The server must have DNS recursion enabled.

The server must be accessible on TCP/UDP port 53 from all clients.

Lesson 2

Implementing and Managing Virtual Networks


In this second lesson, you move on from the planning process to review how to create and manage virtual networks. There are two main ways to configure virtual networks: the Microsoft Azure Management Portal and network configuration files.

Lesson Objectives
After completing this lesson, you should be able to:

Create and configure virtual networks by using the Microsoft Azure Management Portal.

Navigate the schema of a network configuration file.

Export and import network configuration files to configure the virtual networks in an Azure subscription.

Create and modify a virtual network by using a network configuration file.

Create a virtual machine and deploy that VM into a virtual network.

Creating Virtual Networks using the Management Portal


To create a virtual network, you can either use the full portal or upload a network configuration file. A network configuration file is an XML file with a specific schema.
Note: At the time of writing, the preview portal does not support creating virtual networks, although you can browse a virtual network's configuration.
To create a cloud-only virtual network in the full portal, follow these steps:
1. In the navigation menu on the left, click Networks.
2. In the toolbar at the bottom, click New, and then click Custom Create.
3. In the Name text box, type a descriptive name for the VNet.
4. In the Location drop-down list, select a location near your users, and then click the Next arrow.
5. Under DNS SERVERS, enter the name and IP address of the DNS server that VMs in the virtual network will use. Because this is a cloud-only virtual network, you may be able to use Azure internal name resolution and leave this value blank.
6. Click the Next arrow.
7. On the Virtual Network Address Spaces page, add the private address spaces and subnets that you have planned, and then click Complete.

Note: If you want to create a VPN connection to the VNet, you can either configure the
VPN as part of the VNet creation wizard, or add the VPN later. In the next lesson, you will learn
how to configure VPNs.

Network Configuration Files


The configuration of an Azure VNet can be summarized in an XML file called a network configuration file. These files can include the following settings:

The name and location of the VNet.

DNS servers for the VNet.

Private IP address spaces for DIPs in the VNet.

Subnets within the private address spaces.

The IP address of the virtual gateway that connects to a VPN.

The following XML shows a complete network configuration file for a VNet with DNS servers:
Sample Network Configuration File
<NetworkConfiguration
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="dns1.adatum.local" IPAddress="192.168.5.1" />
        <DnsServer name="dns2.adatum.local" IPAddress="192.168.6.1" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AdatumEurope" Location="North Europe">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="AdatumEurope">
            <AddressPrefix>10.0.0.0/11</AddressPrefix>
          </Subnet>
          <Subnet name="AdatumEuSub2">
            <AddressPrefix>192.168.1.0/27</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="dns1.adatum.local" />
          <DnsServerRef name="dns2.adatum.local" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>


Exporting and Importing Network Configuration Files


In the portal, you can download the network
configuration file by clicking Export in the toolbar
for the DASHBOARD page. You can also do this in
PowerShell by issuing the Get-AzureVNetConfig
cmdlet. You can make changes to this file and
then apply them by uploading the configuration
file with the Set-AzureVNetConfig cmdlet.
The following PowerShell commands export a
networking configuration from Azure and then
import a different configuration file.

Exporting and Importing a Network Configuration


#Export the old configuration
Get-AzureVNetConfig -ConfigurationPath C:\backups\OldConfig.xml
#Import the new configuration
Set-AzureVNetConfig -ConfigurationPath C:\configs\UpdatedConfig.xml
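Because Set-AzureVNetConfig replaces the whole subscription-wide configuration with the file you upload, it is worth parsing the exported file, checking it, and diffing it against the edited copy before applying the change. The Python script below is an added example for this page and the Network Configuration Files topic above; it is not part of the course or of Azure PowerShell. OLD_CONFIG is the sample file shown in the lesson, and NEW_CONFIG is a constructed edit of it (one subnet renumbered outside its address space and one DnsServerRef pointing at a server that is not defined) that stands in for the UpdatedConfig.xml a reviewer would receive.

```python
"""Parse, check and diff classic Azure network configuration files.

Added example, not part of the course or of Azure PowerShell.  OLD_CONFIG is
the sample file from this lesson; NEW_CONFIG is a constructed edit of it.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Default namespace of the NetworkConfiguration schema.
NS = {"nc": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

OLD_CONFIG = """<NetworkConfiguration
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="dns1.adatum.local" IPAddress="192.168.5.1" />
        <DnsServer name="dns2.adatum.local" IPAddress="192.168.6.1" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AdatumEurope" Location="North Europe">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="AdatumEurope">
            <AddressPrefix>10.0.0.0/11</AddressPrefix>
          </Subnet>
          <Subnet name="AdatumEuSub2">
            <AddressPrefix>192.168.1.0/27</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="dns1.adatum.local" />
          <DnsServerRef name="dns2.adatum.local" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"""

# Constructed edit: subnet moved outside its address space, dangling DNS ref.
NEW_CONFIG = OLD_CONFIG.replace("192.168.1.0/27", "192.168.30.0/27").replace(
    'DnsServerRef name="dns2.adatum.local"', 'DnsServerRef name="dns3.adatum.local"')


def parse_config(xml_text):
    """Return (dns_servers, sites): {name: ip} and {site_name: {...}}."""
    root = ET.fromstring(xml_text)
    dns = {d.get("name"): d.get("IPAddress")
           for d in root.findall(".//nc:DnsServer", NS)}
    sites = {}
    for site in root.findall(".//nc:VirtualNetworkSite", NS):
        sites[site.get("name")] = {
            "location": site.get("Location"),
            "address_space": [p.text for p in
                              site.findall("nc:AddressSpace/nc:AddressPrefix", NS)],
            "subnets": {s.get("name"): s.find("nc:AddressPrefix", NS).text
                        for s in site.findall("nc:Subnets/nc:Subnet", NS)},
            "dns_refs": [r.get("name") for r in
                         site.findall("nc:DnsServersRef/nc:DnsServerRef", NS)],
        }
    return dns, sites


def check_config(xml_text):
    """Report subnets outside their site's address space and DNS refs with no definition."""
    dns, sites = parse_config(xml_text)
    problems = []
    for name, site in sites.items():
        spaces = [ipaddress.ip_network(p) for p in site["address_space"]]
        for sub_name, cidr in site["subnets"].items():
            sub = ipaddress.ip_network(cidr)
            if not any(sub.subnet_of(s) for s in spaces):
                problems.append(f"{name}: subnet {sub_name} {sub} is outside the address space")
        for ref in site["dns_refs"]:
            if ref not in dns:
                problems.append(f"{name}: DnsServerRef {ref} has no matching DnsServer")
    return problems


def diff_subnets(old_xml, new_xml):
    """List (site, subnet, old_prefix, new_prefix) for every subnet that changed."""
    _, old_sites = parse_config(old_xml)
    _, new_sites = parse_config(new_xml)
    changes = []
    for site in sorted(set(old_sites) | set(new_sites)):
        old_subs = old_sites.get(site, {}).get("subnets", {})
        new_subs = new_sites.get(site, {}).get("subnets", {})
        for sub in sorted(set(old_subs) | set(new_subs)):
            if old_subs.get(sub) != new_subs.get(sub):
                changes.append((site, sub, old_subs.get(sub), new_subs.get(sub)))
    return changes


if __name__ == "__main__":
    for change in diff_subnets(OLD_CONFIG, NEW_CONFIG):
        print("changed:", change)
    for problem in check_config(NEW_CONFIG):
        print("PROBLEM:", problem)
```

Pointing the two constants at the exported and edited files (for example the C:\backups\OldConfig.xml and C:\configs\UpdatedConfig.xml of the commands above) turns this into a pre-upload gate: the diff shows exactly which subnets a Set-AzureVNetConfig run would alter, and the check catches the two mistakes the edited copy contains before Azure sees them.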

Demonstration: Creating and Modifying a Network Using a Configuration File
In this demonstration, you will see how to:

Open a previously created network configuration file.

Import a network configuration file into Azure.

Update a network configuration file offline.

Import a new configuration file to apply your changes.

Demonstration Steps
Start Microsoft Azure PowerShell with administrator credentials


1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the previous demonstration to prepare the environment has completed.
2. Press the Windows key and on the Start screen, type Microsoft Azure PowerShell, right-click Microsoft Azure PowerShell and then click Run as administrator.
3. In the User Account Control dialog box, click Yes.

Run Add-AzureAccount and log on to Azure
1. Type the following command and then press Enter:
Add-AzureAccount
2. Log on to Azure with the credentials associated with your Azure subscription.


Check your subscription using the Get-AzureSubscription cmdlet
1. Type Get-AzureSubscription and press Enter.
2. Show the subscription information.

Open existing NetworkConfig.XML


1. In File Explorer, navigate to D:\Demofiles\Mod02.
2. Double-click NetworkConfig.XML.
3. In the How do you want to open this type of file (.xml)? dialog box, click Notepad.
4. Show the students the contents of the file and point out that this is the same file from the slide in the lesson.
5. Highlight the three subnets and the IP address ranges of each.
6. Do not close Notepad.

Import the network settings
1. In Microsoft Azure PowerShell, type the following command, and then press Enter:
Set-AzureVnetConfig D:\Demofiles\Mod02\NetworkConfig.XML

Show the settings for the new VNet in the Azure portal
1. When you see the success message, on the Windows Taskbar, click Internet Explorer.
2. In Internet Explorer, browse to the full Azure Management Portal at https://manage.windowsazure.com, and sign in using the Microsoft account that is associated with your Microsoft Azure subscription. In the Azure portal, click Networks.
3. Show the Main_Network VNet in the portal.
4. Click the right-arrow next to Main_Network.
5. Click CONFIGURE.
6. Point out the three subnets and their values.

In the NetworkConfig.XML file, change the subnet values to 192.168.30.x
1. Switch back to Notepad.
2. In the NetworkConfig.XML file, change all three instances of 192.168.0.x to 192.168.30.x (where x is the last octet, which differs in each case and does not change).
3. On the File menu, click Save.

Rerun the Set-AzureVnetConfig cmdlet
1. In Microsoft Azure PowerShell, type the following command and then press Enter:
Set-AzureVnetConfig D:\Demofiles\Mod02\NetworkConfig.XML

Refresh the screen in the portal and show that the IP subnets have now changed
1. In Internet Explorer, press F5 to refresh the browser page.
2. Point out that the IP address ranges now have 192.168.30.x values.

Reset the environment


1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:
Reset-Azure
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks and gateways, cloud services, and resource
groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Deploying a VM into a Virtual Network


Azure virtual networks can be used to contain VMs and PaaS cloud services and ensure that those resources are available to on-premises computers as if they were installed on the local network. VMs will be covered in much greater detail in Modules 3 and 4; however, it is helpful to learn how to deploy a VM into a VNet at this point in order to demonstrate that your VNet is configured correctly.
In order to create a new VM in an existing VNet, complete the following steps:
1. In the full portal, in the navigation on the left, click VIRTUAL MACHINES.
2. In the toolbar at the bottom, click NEW and then click FROM GALLERY. Note that the QUICK CREATE option does not allow you to specify a VNet.
3. Choose an operating system image and then click Next.
4. In the VIRTUAL MACHINE NAME text box, type a descriptive name for the server.
5. In the NEW USER NAME text box, type a name for the default administrator account.
6. In the NEW PASSWORD text box, type a secure password.
7. In the CONFIRM text box, retype the password and then click Next.
8. In the CLOUD SERVICE DNS NAME text box, ensure that a unique DNS name within the cloudapp.net domain appears. If the name is unique, a green tick is displayed. The default cloud service name is taken from the VM name you specified on the previous page.
9. In the REGION/AFFINITY GROUP/VIRTUAL NETWORK drop-down list, select the virtual network you want to add the new VM to.
10. If the VNet has more than one subnet, select the correct subnet in the VIRTUAL NETWORK SUBNETS drop-down list.
11. Click Next and then click Finish.
Note: You can also use the preview portal or PowerShell to create new VMs in a VNet. You will learn more about these techniques in Module 3.


Lab A: Creating Virtual Networks


Scenario


A. Datum has two large office buildings in different regions: an HQ and a main branch office. In order to serve these locations rapidly, you plan to have separate Azure virtual networks in the two regions that match the office locations. Your Azure architects have provided a script that creates a virtual machine in each virtual network. You have been asked to create the planned virtual networks and use the scripts to populate them.

Objectives
After completing this lab, you will be able to:

Create Azure virtual networks.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Creating the Virtual Network


Scenario

A. Datum now wishes to implement virtual networks for the A. Datum HQ and branch resources. You are
also required to run a script to populate these resources with some test virtual machines.
The main tasks for this exercise are as follows:
1. Connect to Windows Azure with Windows Azure PowerShell
2. Create Virtual Networks in the Management Portal and in PowerShell
3. Populate the Virtual Network

Task 1: Connect to Windows Azure with Windows Azure PowerShell


1. Start Windows Azure PowerShell ISE with administrative credentials.
2. Use the Get-AzurePublishSettingsFile cmdlet to download the encoded management certificate for your subscription.
3. Check your Azure Subscription settings using the Get-AzureSubscription command and record the Current Storage Account Name value in D:\Labfiles\Lab02\Starter\ExampleCommands.ps1.
4. Run the Update-Help cmdlet. Leave the Windows Azure PowerShell ISE window open.
5. Record your Location 1 and Location 2 details in D:\Labfiles\Lab02\Starter\ExampleCommands.ps1, and save the file.

Note: For Location 1 and Location 2 use two Azure regions close to your physical
location. Your instructor will provide this information.

Task 2: Create Virtual Networks in the Management Portal and in PowerShell


1. Log on to the full Microsoft Azure portal using the Microsoft identity that you created to register for your Microsoft Azure Learning Pass.
2. In the Networks node, create a new virtual network with the following settings:
o NAME: ADATUM-HQ-VNET
o LOCATION: Your Location 1
o DNS and VPN Connectivity settings: add DNS server ADATUM-DNS, with IP address of 10.0.1.4
o Address space: 10.0.1.0/24
o Subnet name: Leave as default
o Subnet: Starting IP 10.0.1.0.
o CIDR: /25
3. Export the network configuration XML file and save this file onto your desktop.
4. Edit the file settings to copy the existing VIRTUALNETWORKSITE section, and then edit the new VIRTUALNETWORKSITE section with the following information:
o NAME: ADATUM-BRANCH-VNET
o LOCATION: Your Location 2
o Address space: 10.0.2.0/24
o Subnet name: Leave as default
o Subnet: Starting IP 10.0.2.0.
o CIDR: /25
o DnsServersRef: Leave as ADATUM-DNS
5. Import the settings using the Set-AzureVNetConfig command and the NetworkConfig.XML file.
6. Check that both networks are displayed in the Microsoft Azure portal.

Task 3: Populate the Virtual Network


1. Switch to Windows PowerShell ISE.
2. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
CD D:\Labfiles\Lab02\Starter
3. At the Windows PowerShell ISE prompt, type the following command, and press Enter:
.\CreateVirtualMachines1.ps1
Important: The command starts with dot backslash.
4. When prompted for your primary Azure region, enter the number of your Location 1, and press Enter.
5. The script may take 20 - 25 minutes to complete; when the script has completed, verify that the following information is displayed:
o Name: AdatumWestSvr1
o IPAddress: 10.0.1.4
o InstanceStatus: ReadyRole
o PowerState: Started


6. Close the Windows PowerShell ISE. Important: do not run the second script in the same instance of PowerShell.
7. On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click Yes when prompted.
8. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
CD D:\Labfiles\Lab02\Starter
9. In the Windows PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
.\CreateVirtualMachines2.ps1
Important: The command starts with dot backslash.
10. When prompted for your secondary Azure region, enter the number of your Location 2, and press Enter.
11. The script may take 10 - 15 minutes to complete; when the script has completed, verify that the following information is displayed:
o Name: AdatumEastSvr1
o IPAddress: 10.0.2.4
o InstanceStatus: ReadyRole
o PowerState: Started

12. Do not proceed to the next exercise until the script operation is complete.

Results: After completing this exercise, you will have created virtual networks for A. Datum HQ and
branch, and deployed a virtual machine to each network.
Question: What are the two methods you can use to create Azure virtual networks?

Lesson 3

Configuring Connections to Virtual Networks


In this third lesson, you will learn how to establish connectivity between two or more sites in Microsoft Azure, as well as how to connect from your on-premises computers to Azure virtual networks. The lesson covers subjects such as configuring site-to-site VPNs.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the options for inter-site connectivity.

Configure a Point-to-Site VPN.

Configure site-to-site VPNs.

Configure VNet-to-VNet VPNs.

List considerations that are important when configuring inter-site connectivity.

Inter-Site Connectivity Options


Remember that you can connect to VMs or PaaS cloud services in a VNet through endpoints without using VPN connections. However, an endpoint specifies a particular port number and uses a VIP, so it is restricted to a particular protocol and purpose. For example, the RDP endpoint cannot be used to send queries to a database.
By creating a VPN connection to a VNet, you allow clients to connect as if the VNet resources were on the local network. The cloud connection thus becomes transparent to the user. All VPN connections require a virtual gateway in the VNet, which routes traffic to the on-premises computers. The available connections include:

Point-to-Site

A point-to-site VPN connects a single computer to a VNet through a VPN tunnel. You must configure a certificate to secure this connection and then install a client configuration package on the client computer.

Use point-to-site connections when you have a small number of client computers that you want to connect. Remember that computers with a point-to-site VPN can use that connection from anywhere with Internet access. For example, they could connect to the VNet from a café with Wi-Fi.

Site-to-Site

A site-to-site VPN connects an on-premises TCP/IP network to a VNet through a VPN tunnel. In the on-premises network, a VPN device routes traffic to the VNet. You can either use a compatible third-party VPN device or use a Windows server with the Routing and Remote Access Service (RRAS) configured. Azure provides a script that you can use to configure the VPN device.


Use site-to-site connections when you have a large number of client computers all connected to an on-premises network. Unlike point-to-site connections, clients can only use site-to-site connections when they have a direct connection to the on-premises network.

VNet-to-VNet

A VNet-to-VNet VPN connects one Azure VNet to another. The two VNets can be in different regions or even in different Azure subscriptions. For example, you could use a VNet-to-VNet VPN to connect to a partner organization's VNet, as long as the IP address spaces of the two VNets did not overlap.
When you configure a VNet-to-VNet connection, you must specify the IP address spaces in use for DIPs on the opposite VNet so that the virtual gateway can route traffic to the correct location. This is referred to, in the user interface, as the local network because the virtual gateway routes traffic in exactly the same way as it would to an on-premises network. This can be confusing because, in the opposite VNet, the first VNet is referred to as the local network.

Multisite

You can create a single VPN that connects multiple on-premises networks to a single VNet. This is known as a multi-site VPN and is very similar to a site-to-site VPN. The main practical difference is that you must configure a multi-site VPN by using a network configuration file. The portal does not support multi-site VPNs at the time of writing.
For more information about configuring multi-site VPNs, see:
Configure a Multi-Site VPN
http://go.microsoft.com/fwlink/?LinkID=522621

ExpressRoute

The ExpressRoute service can provide a private connection to an Azure VNet that does not cross the
Internet. This can improve security and achieve higher bandwidth, lower latency, and better reliability.
Microsoft works with network service providers to build these connections.
For more information about ExpressRoute, see:
ExpressRoute: An overview
http://go.microsoft.com/fwlink/?LinkID=522622
Note: All of the configuration procedures described in this lesson use the full portal. You can also use network configuration files to make all these changes and use the PowerShell Set-AzureVNetConfig cmdlet to upload and apply your changes to Azure.

Configuring a Point-to-Site VPN


To set up a point-to-site VPN, you must configure an IP address space, configure a virtual gateway, create certificates, and install a client VPN package.

Configuring an IP Address Space for Clients

Start by specifying a range of IP addresses that will be used for clients that connect to the VPN. The range must not overlap the ranges used for internal DIPs in the VNet or any other range used for site-to-site or VNet-to-VNet connections. The portal shows a warning if there is such an overlap:


1. In the full portal, in the navigation on the left, click NETWORKS.
2. In the list of virtual networks, click the name of the VNet you want to configure.
3. Click the CONFIGURE tab.
4. Under point-to-site connectivity, select Configure point-to-site connectivity.
5. In the address space table, select the starting IP address and a CIDR notation subnet mask to specify an address range. All clients that connect to this point-to-site VPN will receive an IP address from this range.
6. In the toolbar at the bottom, click SAVE and then click YES.

Configuring a Virtual Gateway


Point-to-site connections require a virtual gateway in the VNet that routes traffic to the connecting client computers. To create the virtual gateway:
1. From the CONFIGURATION page, click DASHBOARD.
2. In the toolbar at the bottom, click CREATE GATEWAY and then click YES.

The gateway creation process can take up to 30 minutes.

Creating Root and Client Certificates


Certificates are used to authenticate clients as they connect to the VPN and also to encrypt the connection to ensure security. You must generate a self-signed root certificate, upload it to the portal, reference it to generate a client certificate, and then install the client certificate on your computer. To complete these tasks, take the following steps:
1. Start a command prompt as administrator and use cd commands to navigate to the Visual Studio Tools folder.
2. Type the following command and then press Enter:
makecert -sky exchange -r -n "CN=AdatumRootCertificate" -pe -a sha1 -len 2048 -ss My "AdatumRootCertificate.cer"
3. In the full portal, in the navigation on the left, click NETWORKS.
4. In the list of virtual networks, click the VNet you want to configure and then click CERTIFICATES.
5. Click UPLOAD A ROOT CERTIFICATE.
6. Click BROWSE FOR FILE, locate and select the certificate you created, and then click Open.
7. Click Complete.
8. In the command prompt, type the following command, and then press Enter:
makecert.exe -n "CN=AdatumClientCertificate" -pe -sky exchange -m 96 -ss My -in "AdatumRootCertificate" -is my -a sha1

Create and Install the VPN Client Configuration Package


To connect to the VPN, a client must use a client configuration package. This package must include the client certificate you just created:
1. In the full portal, click the DASHBOARD tab for the virtual network.
2. Under quick glance, click the VPN package for the appropriate client operating system.
3. Save the configuration .exe file.
4. On the client computer, double-click the configuration file you just downloaded. If the User Account Control dialog appears, click Yes.

Connect to the VPN

Now that you have installed both the client certificate and the VPN client configuration package, you can connect to the VNet.
1. Navigate to the list of VPN connections and locate the VPN connection you have created. The name of the VPN connection will be the same as the name of the VNet in Azure.
2. Right-click the connection and then click Connect.
3. Click Continue, and then click Connect.

Configuring a Site-to-Site VPN


Note: To promote understanding, only outline steps are included in the following procedures. This is to provide an overview of the process. In the lab, you will see the detailed procedure for creating a VNet-to-VNet connection, which is similar to creating a site-to-site connection.
To configure a new virtual network and a site-to-site VPN, follow these steps:
1. In the full portal, create a new VNet. On the Virtual Network Details page, supply the following values:
o Name. Choose a descriptive, unique name.
o Location. Choose the Azure region closest to your user base.
2. On the DNS Servers and VPN Connectivity page, supply the following values:
o DNS Servers. Specify the DNS server name and IP address that VMs in the VNet will use for name resolution.
o Configure Site-to-Site VPN. Selected.
o Local Network. Select or create a local network.
3. On the Site-to-Site Connectivity page, specify the properties of the on-premises network. You must supply the following values:
o Name. Provide a descriptive name for the local network.
o VPN Device IP Address. This is the external IP address of your VPN device.
o Address Space. Specify all the IP addresses that are to be found in your on-premises network.
4. On the Virtual Network Address Spaces page, fill in the IP address spaces and subnets you planned. You must include a gateway subnet. The virtual gateway will be added to this subnet when you create it.
5. When the VNet has been created, click the DASHBOARD tab.
6. In the toolbar at the bottom, click CREATE GATEWAY and then click Dynamic Routing.
7. Click Yes.

Configuring the VPN Device

A site-to-site VPN requires an on-premises VPN device, which routes traffic from the on-premises network
to the VNet and receives traffic from the virtual gateway. You can use Windows Server with RRAS
configured for this device or use a supported third-party device. To configure this device, you must
provide the following information:

• The IP address of the virtual gateway in the VNet. This IP address is displayed on the VNet's
  Dashboard page.
• The shared key. This key is used to encrypt the VPN. You can obtain the shared key from the full
  portal by clicking MANAGE KEY on the toolbar.
• The VPN configuration script template. You can obtain the script from the full portal by clicking
  Download VPN Device Script in the quick glance section.

For more information about compatible VPN devices, see:

About VPN Devices for Virtual Network
http://go.microsoft.com/fwlink/?LinkID=522619

Configuring a VNet-to-VNet VPN

You can use a VNet-to-VNet VPN to connect one VNet to another. The connected VNets can be in the
same Azure region or different regions. They can also be in the same subscription or different
subscriptions.
It is a long process to create a VNet-to-VNet VPN and it can appear confusing. Bear in mind:


• You must complete almost identical steps at both ends of the VPN because the configuration is
  symmetrical.
• When you initially create a virtual gateway, you do not yet know the IP address of the virtual gateway
  at the opposite end of the connection. Therefore, use a dummy IP address.
• Once both virtual gateways are created, you can return to configure the actual IP address of the
  opposite gateway.
• There is no on-premises network in a VNet-to-VNet connection. However, in the user interface, you
  must configure a local network IP address range. For each VNet, the local network IP address range
  refers to the DIP addresses in the opposite VNet.

Note: You will configure a VNet-to-VNet VPN in the lab and see the procedure in detail.
Here, an overview of the process is provided.
To create a VNet-to-VNet connection, complete these procedures:

1. Create two virtual networks. Do not enable point-to-site or site-to-site communication as part of the
   initial configuration. Use IP address ranges that do not overlap.
2. Add each VNet as a local network to the opposite VNet. Use the dummy IP address.
3. Create dynamic routing virtual gateways in each VNet. Record the IP address of each virtual gateway.
4. Reconfigure each VNet with the real IP address of the virtual gateway you created in the opposite
   VNet.
5. Connect the VPN virtual gateways.

Considerations for Inter-Site Connectivity

When planning and configuring your VPN connections to and from VNets, bear the following facts in
mind:


• Azure supports a maximum of 10 VPN tunnels from each VNet. Each point-to-site VPN, site-to-site
  VPN, or VNet-to-VNet VPN counts as one of these VPN tunnels. Also, a multi-site VPN counts as one
  VPN tunnel for the purposes of this restriction. A single point-to-site VPN can support up to 254
  connections from client computers.
• Address spaces must not overlap. Carefully plan the address spaces you use in VNets and any
  connected on-premises networks.
• VNet-to-VNet VPNs can connect VNets in the same or different Azure subscriptions. Similarly, they
  can connect VNets in the same or different Azure regions.
• Redundant tunnels are not supported.
• Cloud services cannot span VNets, even when those VNets are connected with a VPN.
• All VPN tunnels to a VNet share the available bandwidth on the Azure VPN gateway. This includes
  point-to-site VPNs.
• VPN devices must support certain requirements. There is a list of these requirements at the following
  location. You can also find a list of compatible third-party VPN devices on the same page.

About VPN Devices for Virtual Network
http://go.microsoft.com/fwlink/?LinkID=522619

Lab B: Connecting Virtual Networks


Scenario


You have been asked to implement connectivity to the two A. Datum virtual networks you created earlier.
You want to use a VNet-to-VNet VPN to connect the VNets. You also want to implement a point-to-site
VPN so that you can connect from your administrative computer.

Objectives
After completing this lab, you will be able to:

• Connect Azure virtual networks using a VNet-to-VNet VPN.
• Validate virtual network connectivity using Azure- and virtual machine-based tools.
• Configure and test a point-to-site VPN.

Lab Setup
Estimated Time: 100 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before you begin this lab, ensure that you have completed the first lab in this module: Creating Virtual
Networks.

Exercise 1: Connecting the Virtual Networks


Scenario
A. Datum now wish to connect the A. Datum HQ and branch virtual networks by using a VPN.
The main tasks for this exercise are as follows:
1. Create a Virtual Network Gateway
2. Connect the Virtual Networks

Task 1: Create a Virtual Network Gateway

1. Use the full Azure portal to create two local networks in the Networks node, with the following
   settings:
   o NAME: ADATUM-HQ-LOCALNET
   o VPN DEVICE IP ADDRESS: 1.1.1.1
   o STARTING IP: 10.0.1.0
   o CIDR: /24
   o NAME: ADATUM-BRANCH-LOCALNET
   o VPN DEVICE IP ADDRESS: 2.2.2.2
   o STARTING IP: 10.0.2.0
   o CIDR: /24


2. Use the full Azure portal to enable site-to-site VPNs by configuring ADATUM-HQ-VNET to connect
   to ADATUM-BRANCH-LOCALNET and adding a gateway subnet, and then configuring ADATUM-BRANCH-VNET
   to connect to ADATUM-HQ-LOCALNET and verifying that a gateway subnet has been created.
3. Use the full Azure portal to create dynamic routing gateways for ADATUM-HQ-VNET and
   ADATUM-BRANCH-VNET.
4. Note that it will take 20-25 minutes for the gateways to be created; do not proceed until gateway
   creation is complete.

Task 2: Connect the Virtual Networks

1. Use the full Azure portal to obtain the gateway IP address of the ADATUM-HQ-VNET virtual
   network, and the ADATUM-BRANCH-VNET virtual network.
2. Use the full Azure portal to edit the properties of ADATUM-HQ-LOCALNET to add the gateway IP
   address of ADATUM-HQ-VNET.
3. Use the full Azure portal to edit the properties of ADATUM-BRANCH-LOCALNET to add the gateway IP
   address of ADATUM-BRANCH-VNET.
4. Switch to Windows PowerShell ISE.
5. At the Windows PowerShell ISE prompt, type the following command, and press Enter:

   Set-AzureVNetGatewayKey -VNetName ADATUM-HQ-VNET -LocalNetworkSiteName ADATUM-BRANCH-LOCALNET -SharedKey abcdefgh1234

6. At the Windows PowerShell ISE prompt, type the following command, and press Enter:

   Set-AzureVNetGatewayKey -VNetName ADATUM-BRANCH-VNET -LocalNetworkSiteName ADATUM-HQ-LOCALNET -SharedKey abcdefgh1234

7. Use the full Azure portal to verify the gateway configuration for ADATUM-HQ-VNET and
   ADATUM-BRANCH-VNET; the Dashboard page now shows that a gateway has been created and connected
   for the virtual network.
8. Switch to Windows PowerShell ISE.
9. At the Windows PowerShell ISE prompt, type the following command, and press Enter:

   Get-AzureVNetConnection -VNetName ADATUM-HQ-VNET | ft LocalNetworkSiteName, ConnectivityState

10. Verify that the ConnectivityState of ADATUM-BRANCH-LOCALNET shows as Connected.
11. At the Windows PowerShell ISE prompt, type the following command, and press Enter:

   Get-AzureVNetConnection -VNetName ADATUM-BRANCH-VNET | ft LocalNetworkSiteName, ConnectivityState

12. Verify that the ConnectivityState of ADATUM-HQ-LOCALNET shows as Connected.

Results: After completing this exercise, you will have connected the A. Datum HQ and branch virtual
networks, and deployed dynamic routing gateways for each virtual network.
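The VNet-to-VNet overview earlier in this lesson and Task 2 above set the shared key at each end separately and then check ConnectivityState by hand. The following Azure PowerShell script is an added example, not part of the course materials: it chains those steps by checking that each local network carries the real gateway address of the VNet it represents, setting one randomly generated shared key on both gateways, and polling until both directions report Connected. It assumes the Azure Service Management (classic) cmdlets, an authenticated session, and the Lab B names; the helper functions are this example's own.

```powershell
# Added example (not part of the course): bring up and verify a VNet-to-VNet VPN with the Azure
# Service Management (classic) cmdlets used in Lab B. Assumes Add-AzureAccount has been run and
# that both VNets, both local networks and both dynamic routing gateways already exist.
# The names match Lab B; the helper functions are this example's own, not course cmdlets.

$VNetA     = 'ADATUM-HQ-VNET'
$VNetB     = 'ADATUM-BRANCH-VNET'
$LocalNetA = 'ADATUM-HQ-LOCALNET'       # represents VNetA; attached to VNetB
$LocalNetB = 'ADATUM-BRANCH-LOCALNET'   # represents VNetB; attached to VNetA
$TimeoutMinutes = 10

function New-SharedKey {
    # Random pre-shared key; both ends must receive exactly the same value.
    # Preferable to a fixed, guessable literal such as the lab's abcdefgh1234.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-LocalNetworkGatewayAddress {
    # VPN device address recorded for a local network site, read from the subscription's
    # network configuration XML (the same data the portal's local network pages edit).
    param([Parameter(Mandatory)][string]$LocalNetworkSiteName)
    [xml]$cfg = (Get-AzureVNetConfig).XMLConfiguration
    $site = $cfg.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite |
        Where-Object { $_.name -eq $LocalNetworkSiteName }
    if (-not $site) { throw "Local network site '$LocalNetworkSiteName' not found" }
    return $site.VPNGatewayAddress
}

function Wait-VNetConnection {
    # Poll Get-AzureVNetConnection until the tunnel to the given local network is Connected.
    param([string]$VNetName, [string]$LocalNetworkSiteName, [datetime]$Deadline)
    do {
        $conn = Get-AzureVNetConnection -VNetName $VNetName |
            Where-Object { $_.LocalNetworkSiteName -eq $LocalNetworkSiteName }
        Write-Host ("{0} -> {1}: {2}" -f $VNetName, $LocalNetworkSiteName, $conn.ConnectivityState)
        if ($conn.ConnectivityState -eq 'Connected') { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $Deadline)
    return $false
}

# Gate 1: each local network must carry the real gateway VIP of the VNet it represents
# (step 4 of the overview, Task 2 steps 1-3), not the dummy address it was created with.
$expected = @{
    $LocalNetA = (Get-AzureVNetGateway -VNetName $VNetA).VIPAddress
    $LocalNetB = (Get-AzureVNetGateway -VNetName $VNetB).VIPAddress
}
foreach ($siteName in $expected.Keys) {
    if (-not $expected[$siteName]) { throw "The gateway represented by $siteName has no VIP yet" }
    $recorded = Get-LocalNetworkGatewayAddress -LocalNetworkSiteName $siteName
    if ($recorded -ne $expected[$siteName]) {
        throw "$siteName has VPN device address $recorded; set it to $($expected[$siteName]) first"
    }
}

# Gate 2: the same shared key on both ends (Task 2 steps 5-6).
$key = New-SharedKey
Set-AzureVNetGatewayKey -VNetName $VNetA -LocalNetworkSiteName $LocalNetB -SharedKey $key | Out-Null
Set-AzureVNetGatewayKey -VNetName $VNetB -LocalNetworkSiteName $LocalNetA -SharedKey $key | Out-Null

# Gate 3: the tunnel must report Connected from both sides (Task 2 steps 9-12).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$upA = Wait-VNetConnection -VNetName $VNetA -LocalNetworkSiteName $LocalNetB -Deadline $deadline
$upB = Wait-VNetConnection -VNetName $VNetB -LocalNetworkSiteName $LocalNetA -Deadline $deadline
if (-not ($upA -and $upB)) {
    throw 'Tunnel is not Connected in both directions; re-check the gateway addresses and shared keys.'
}
Write-Host 'VNet-to-VNet VPN is connected in both directions.'
```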

Exercise 2: Validating Virtual Network Connectivity


Scenario


A. Datum now wish to test the new Azure networking configuration, and validate the connectivity
between the A. Datum HQ and branch virtual networks. For test purposes, one of your virtual machines
has been configured (in the deployment script) as a DNS server, so that you can test name resolution
between linked virtual networks. You will RDP into these virtual machines.
The main tasks for this exercise are as follows:
1. Connect to A. Datum Virtual Machines
2. Testing TCP/IP Connectivity between Sites
3. Testing Name Resolution

Task 1: Connect to A. Datum Virtual Machines

1. Connect to AdatumWestSvr1 using D:\Labfiles\Lab02\Starter\AdatumWestSvr1.rdp.
2. If a Remote Desktop Connection warning message appears, select the Don't ask me again for
   connections to this computer check box, and click Connect.
3. In the Windows Security dialog box, type the following credentials, and click OK:
   o User name: Student
   o Password: Pa$$w0rd123
4. If another Remote Desktop Message appears, select the Don't ask me again for connections to this
   computer check box, and click Yes.
5. Minimize the AdatumWestSvr1 RDP session.
6. Connect to AdatumEastSvr1 using D:\Labfiles\Lab02\Starter\AdatumEastSvr1.rdp.
7. If a Remote Desktop Connection warning message appears, select the Don't ask me again for
   connections to this computer check box, and click Connect.
8. In the Windows Security dialog box, type the following credentials, and click OK:
   o User name: Student
   o Password: Pa$$w0rd123
9. If another Remote Desktop Message appears, select the Don't ask me again for connections to this
   computer check box, and click Yes.
10. Minimize the AdatumEastSvr1 RDP session.

Task 2: Testing TCP/IP Connectivity between Sites

1. Maximize the AdatumEastSvr1 session, and ensure that Windows Firewall is turned off for all profiles.
2. Minimize the AdatumEastSvr1 RDP session.
3. Maximize the AdatumWestSvr1 session, and ensure that Windows Firewall is turned off for all profiles.
4. In the AdatumWestSvr1 session, ping AdatumEastSvr1 (10.0.2.4) from AdatumWestSvr1 by IP address.
5. Maximize the AdatumEastSvr1 RDP session.
6. Ping AdatumWestSvr1 (10.0.1.4) from AdatumEastSvr1 by IP address.

Task 3: Testing Name Resolution


1. Use the PowerShell Test-NetConnection cmdlet to ping AdatumEastSvr1 from AdatumWestSvr1 by
   fully qualified domain name.
2. Use the PowerShell Test-NetConnection cmdlet to ping AdatumWestSvr1 from AdatumEastSvr1 by
   fully qualified domain name.

Results: After completing this exercise, you will have verified that virtual machines can communicate
between virtual networks.

Exercise 3: Configuring a Point-to-Site VPN


Scenario

A. Datum now wish to implement secure communications from on-premises resources to Azure, and wish
to start by configuring and testing a point-to-site VPN connection to one of the gateways you created in
Exercise 3.
Only complete this lab if you have sufficient time remaining.
Important: Even if you do not complete this exercise, you must ensure you complete the
Reset the Environment task. This task resets your Azure subscription in preparation for later labs
and ensures that no unnecessary costs accrue.
The main tasks for this exercise are as follows:
1. Configuring a VPN from Client to HQ Virtual Network
2. Connecting to the HQ Virtual Network
3. Reset the Environment

Task 1: Configuring a VPN from Client to HQ Virtual Network

Enable point-to-site connectivity for the ADATUM-HQ-VNET virtual network.

1. Use the Windows key, and then type Command.
2. Right-click Command Prompt, and then click Run as administrator.
3. In the User Account Control dialog box, click Yes.
4. At the Command Prompt, type the following command, and press Enter:

   CD C:\Program Files (x86)\Windows Kits\8.1\bin\x64

5. At the Command Prompt, type the following command, and press Enter:

   makecert -sk exchange -r -n "CN=AdatumRootCertificate" -pe -a sha1 -len 2048 -ss My "AdatumRootCertificate.cer"

6. On the ADATUM-HQ-VNET CERTIFICATES page in the Azure Management Portal, upload the self-signed
   root certificate.
7. Switch to the Command Prompt.
8. At the Command Prompt, type the following command, and press Enter:

   makecert.exe -n "CN=AdatumClientCertificate" -pe -sk exchange -m 96 -ss My -in "AdatumRootCertificate" -is my -a sha1

9. Verify client certificate installation in Internet Explorer.

Task 2: Connecting to the HQ Virtual Network


1. Configure the VPN client by downloading the 64-bit Client VPN Package, and installing it on the local
   client.
2. From the local client, connect to the VPN, and verify the VPN connection using ipconfig /all.
3. Verify the VPN connection by browsing files on \\adatumwestsvr1.adatum.msft\c$.
4. Disconnect the VPN connection.

Task 3: Reset the Environment


1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks and gateways, cloud services, and resource
groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (you
will see an error if this occurs). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.

Results: After completing this exercise, you will have configured and tested a point-to-site VPN
connection.

Module Review and Takeaways


In this module, you learned about:

• Planning virtual networks in Microsoft Azure.
• Implementing and managing virtual networks.
• Configuring inter-site connectivity with Microsoft Azure networks.

Review Question(s)
Question: What considerations are there for choosing a name resolution solution for an
Azure virtual network-based deployment?


Module 3
Implementing Virtual Machines
Contents:
Module Overview                                   3-1
Lesson 1: Introduction to IaaS Cloud Services     3-2
Lesson 2: Planning Virtual Machine Workloads      3-10
Lesson 3: Creating Virtual Machines               3-17
Lab: Implementing Virtual Machines                3-29
Module Review and Takeaways                       3-32

Module Overview

When you run a server or a virtual server in an on-premises data center, your administrative team must
maintain the server hardware, power interruption protection, cooling, networking hardware, load
balancing, and other aspects of data center management. If instead you choose to run a virtual machine
(VM) within Microsoft Azure, hardware and infrastructure management tasks are the responsibility of
Microsoft at the Microsoft Azure datacenter. This frees your administrators to concentrate on operating
systems and software, and usually results in greater availability. In this module, you will see how Microsoft
Azure VMs can host services for your users and customers and how to create, install, and configure VMs
with different operating systems and software platforms.

Objectives
After completing this module, you will be able to:

Configure and manage Microsoft Azure Infrastructure as a Service (IaaS) cloud services and endpoints.

Identify suitable workloads for Microsoft Azure IaaS virtual machines.

Create Windows and Linux virtual machines in Microsoft Azure by using the portal and Microsoft
Azure PowerShell.

Lesson 1

Introduction to IaaS Cloud Services


Virtual machines are the basis of Microsoft Azure and provide support for the platform's implementation
of IaaS. In this lesson, you will look at the IaaS cloud services, which act as the logical container for Azure
machines. You will then look at the various configuration options that apply at the IaaS cloud service level,
such as endpoints, IP addresses, and Access Control Lists (ACLs).

Lesson Objectives
After completing this lesson, you will be able to:

Understand how Azure virtual machines, virtual networks, and storage fit within Microsoft Azure.

Understand how IaaS cloud services support Azure virtual machines.

Understand how cloud services endpoints facilitate communications to Azure virtual machines.

Configure endpoints on Azure virtual machines.

Configure IP addresses for endpoints in IaaS cloud services.

Configure network access control lists.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Microsoft Azure services you will use in
the lab will be described in this module while the environment is being configured.
Note: Important: The scripts used in this course may delete any objects that you have in
your subscription. For this reason, you should complete this course against a new Azure
subscription. You should have received sign-up details and instructions for creating an Azure
Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases,
use a new Microsoft account that has not been associated with any other Azure subscription. This
avoids confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select, then creates a virtual network
(ADATUM-HQ-VNET). Setup-Azure then removes the Azure subscription and account from the Azure
PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.

Demonstration Steps
Sign in to your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription; if you have not done so, follow
   the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
   several hours.

Microsoft Azure for IT Professionals

3. When your trial subscription has been provisioned, in Internet Explorer, browse to
   http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
   with your Microsoft Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
   tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Microsoft Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.
4. Confirm your selection, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure
   subscription.
6. When prompted, enter the Azure region to use, and then press Enter.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
At the end of the setup, you should have the following:
   o A uniquely named storage account.
   o A virtual network named ADATUM-HQ-VNET (10.0.1.0/24).
   o An Azure DNS named ADATUM-DNS at 10.0.1.4.

Virtual Machines as a component of Azure

An Azure virtual machine is a server that runs in the Azure cloud. It makes use of a range of Azure
services, such as storage, virtual networks, cloud services, and directories.
Azure virtual machines provide you with all the flexibility of virtualization, but without requiring the
capital expense of buying and maintaining your own host datacenter. With an Azure virtual machine, all
the hardware and infrastructure management tasks are performed by Microsoft.

Virtual machines are part of the Azure IaaS offering. They are often used together with virtual
networks (VNets). Azure virtual machines run within an IaaS cloud service, which provides a public
endpoint IP address. Although similar to Platform as a Service (PaaS) cloud services, IaaS cloud services
have different features and capabilities, and are configured and managed separately. Azure virtual
machines consume Azure storage, and require a storage account in order to store virtual hard disk (VHD)
files.

Note that virtual machines are also part of the Azure PaaS offering; PaaS cloud services are also hosted on
virtual machines, as are websites. This module, and Module 4, focus on IaaS virtual machines.
PaaS cloud services, websites, and storage are discussed in later modules in this course.

Overview of IaaS Cloud Services

IaaS cloud services are similar to the PaaS cloud services used to host web and worker roles, which are
discussed later in this course, in Module 8. In both cases, the cloud service is the network container for
hosting Azure virtual machines. You cannot create an Azure virtual machine without first, either implicitly
or explicitly, specifying a cloud service to use.
Any virtual machine in a cloud service can communicate directly with all other virtual machines in that
cloud service by using Azure internal communications; all communications within a cloud service are
internal to that cloud service only, and virtual machines do not use the Internet to communicate with
each other.

A built-in Azure DNS server provides name resolution for all virtual machines within the same cloud
service; if you wish to extend this name resolution, to include on-premises resources, for example, you will
need to configure your own DNS solution (as discussed in Module 2).
Cloud services have an assigned publicly-reachable DNS name, in the form <unique cloud service
name>.cloudapp.net. A cloud service has at least one Virtual Internet Protocol (VIP) address assigned,
and the cloud service VIP enables inbound connections to Azure virtual machines from the Internet.
Cloud service IP addressing is discussed later in this lesson.

Introduction to Cloud Service Endpoints

In order to communicate with a virtual machine within its cloud service, it is not enough to know the DNS
name of the cloud service, such as adatum12345.cloudapp.net (or the IP address of the cloud service). As
there is likely to be more than one virtual machine within the cloud service, there needs to be a way to
communicate directly with one specific virtual machine.
One way to achieve this virtual machine-specific communication is through a cloud service endpoint.

An endpoint consists of two ports, one public and one private, associated with the VIP of the cloud
service. The public port is publicly accessible over the Internet, and the private port is the port on which
the service is published on the Azure virtual machine. The endpoint, therefore, connects the public
interface (the VIP) on a cloud service with a private interface on a VM within that cloud service, by using
port translation at the routing service used by Windows Azure.

The private port represents a protocol, such as RDP or HTTP, which enables a client computer on the
Internet to access a published service on a VM hosted in Microsoft Azure. Microsoft Azure will pass
packets from the client directed to the public port through to the private port, where the service listening
on that port can process them.
Note: Important: Using endpoints, communications from the Internet to a virtual machine
in a cloud service use only the VIP address; the internal IP address assigned to the virtual
machine is not used. Internal IP addressing is discussed in Module 4.

It is possible to assign a publicly-accessible IP to a single virtual machine, and therefore communicate
directly with a virtual machine from the Internet. Such addressing is covered later in this lesson.

Configuring Endpoints on Virtual Machines

When creating an Azure virtual machine you can either use the default endpoint assignments or manually
configure the endpoints you require.

Default Endpoints
Default endpoints are provisioned automatically when you create a virtual machine in either the Full or
New Portal. These default endpoints are:

• Windows VMs: RDP and Remote PowerShell
• Linux VMs: SSH

In the Full Portal, the Quick Create option creates these endpoints automatically and assigns the default
ports. When you create a VM from the Gallery, the default endpoints are automatically created; however,
you can change the default port assignments, remove the default endpoints, or add other endpoints.

With Windows-based VMs, a Remote Desktop Protocol (RDP) endpoint is created with a randomly
assigned high-order public port and a private port that, by default, uses the standard RDP port 3389.
Windows VMs also have a remote PowerShell endpoint with the public and private ports set to 5986. With
Linux-based VMs, a Secure Shell (SSH) endpoint is created with the public and private ports set to 22.
Again, if you wish, you can assign different values to these ports.
Note: With a Windows-based VM, when you download the RDP Connection from the
Portal, the connection settings include the public port for connecting to the relevant VM. If you
subsequently set the public port manually, you will need to change the corresponding port
number on the RDP connection or download it again.
For example, in the Computer field on the RDP connection settings, you may see a value such as
Server133.cloudapp.net:50776. Here 50776 is the random high-order port assigned when the
VM is created. Azure then maps port 50776 to port 3389 on the VM. Any packets sent to port
50776 on host server133.cloudapp.net are then sent through to port 3389, where they are then
handled by the Remote Desktop service.

Creating Endpoints


On an existing VM, you can create additional endpoints to publish other services on the VM, such as FTP,
HTTP, or SMTP. This configuration requires selection of the transport protocol (TCP or UDP) and public
and private ports.
Endpoints can also be created, configured and deleted with Azure PowerShell cmdlets:

• Add-AzureEndpoint adds a new endpoint to a VM.
• Get-AzureEndpoint displays information about a VM's endpoints.
• Remove-AzureEndpoint deletes an endpoint from a VM.
• Set-AzureEndpoint updates an existing VM endpoint.

Endpoints can be configured as part of a load-balanced set that provides traffic distribution across
multiple VMs.
Note: Endpoints can also be configured for Direct Server Return. This feature is covered in
the Configuring IaaS Cloud Service Scalability topic in Module 4.
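As an added example (not from the course), the following Azure PowerShell script uses the endpoint cmdlets listed above to find management endpoints (RDP on private port 3389, remote PowerShell on 5986, SSH on 22) that carry no network ACL, and so are reachable from any Internet address through the cloud service VIP, and then restricts each one to an administrative subnet with an ACL. It assumes the Azure Service Management (classic) cmdlets and an authenticated session; $AdminSubnet and the function names are this example's placeholders.

```powershell
# Added example (not part of the course): find management endpoints (RDP, remote PowerShell, SSH)
# on every classic VM in the current subscription that carry no network ACL, and therefore accept
# connections from any Internet address through the cloud service VIP, then restrict each one to an
# administrative subnet. Assumes the Azure Service Management cmdlets and an authenticated session.

$AdminSubnet = '203.0.113.0/24'      # placeholder (TEST-NET-3); replace with your admin network
$ManagementPorts = @{ 3389 = 'RDP'; 5986 = 'RemotePowerShell'; 22 = 'SSH' }

function Get-ExposedManagementEndpoints {
    # One record per endpoint whose private port is a management protocol. Azure maps the
    # (often randomised) public port to this private port, and an endpoint without ACL rules
    # is reachable from every source address.
    foreach ($summary in Get-AzureVM) {
        # The list returned without parameters is a summary; fetch the full VM object.
        $vm = Get-AzureVM -ServiceName $summary.ServiceName -Name $summary.Name
        foreach ($ep in ($vm | Get-AzureEndpoint)) {
            if (-not $ManagementPorts.ContainsKey([int]$ep.LocalPort)) { continue }
            $ruleCount = 0
            if ($ep.Acl -and $ep.Acl.Rules) { $ruleCount = @($ep.Acl.Rules).Count }
            [pscustomobject]@{
                ServiceName = $vm.ServiceName
                VMName      = $vm.Name
                Endpoint    = $ep.Name
                Protocol    = $ManagementPorts[[int]$ep.LocalPort]
                PublicPort  = $ep.Port
                LocalPort   = $ep.LocalPort
                Vip         = $ep.Vip
                AclRules    = $ruleCount
                OpenToWorld = ($ruleCount -eq 0)
            }
        }
    }
}

function Protect-ManagementEndpoint {
    # Keep the endpoint but attach an ACL with a single Permit rule; once a Permit rule exists,
    # every other source address is implicitly denied.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$EndpointName,
        [Parameter(Mandatory)][string]$Subnet
    )
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    $ep = $vm | Get-AzureEndpoint -Name $EndpointName
    $acl = New-AzureAclConfig
    Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $Subnet -Order 100 `
        -Description 'Management access from the admin network only'
    # Set-AzureEndpoint needs the protocol and ports again, so re-use the existing values.
    $vm | Set-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol -LocalPort $ep.LocalPort `
        -PublicPort $ep.Port -ACL $acl | Update-AzureVM
}

$findings = @(Get-ExposedManagementEndpoints)
$findings | Format-Table ServiceName, VMName, Endpoint, Protocol, PublicPort, LocalPort, AclRules, OpenToWorld -AutoSize
foreach ($f in ($findings | Where-Object { $_.OpenToWorld })) {
    Write-Host "Restricting $($f.Protocol) on $($f.VMName) ($($f.Vip):$($f.PublicPort)) to $AdminSubnet"
    Protect-ManagementEndpoint -ServiceName $f.ServiceName -VMName $f.VMName `
        -EndpointName $f.Endpoint -Subnet $AdminSubnet
}
```

Re-run Get-ExposedManagementEndpoints afterwards: every management endpoint should now report at least one ACL rule and OpenToWorld set to False.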

Connecting to Endpoints

Connection to the endpoint depends on the protocol in use. For example, to connect to the RDP
endpoint, you can click the Connect button on the Full Portal to generate an RDP connection file, which
you can then download or run. This RDP file will include the correct public port for the RDP endpoint on
that VM.

Similarly, to connect to a Linux-based system using the SSH endpoint, the login procedure requires use of
an SSH client, such as PuTTY. This client can then be run and configured to connect to the Linux VM. The
configuration requires the SSH details for the VM, such as myvmname.cloudapp.net, along with a port
number, for example, port 22 for SSH. With SSH, you can also configure encryption keys for the
connection.
For more information on how to use SSH with Linux on Azure see:
How to Use SSH with Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=522623
For other endpoints, such as HTTP or HTTPS, the connection will be made by a client application (a
browser, for example, in the case of HTTP or HTTPS).


Endpoint IP Addressing

To communicate through an endpoint, the cloud service must be assigned an IP address; this assignment
can be automatic (using defaults) or can use a manual configuration to reserve an IP address.

Virtual Internet Protocol (VIP) Addresses

VIP addresses are public (external) IP addresses used to access Azure resources within a cloud service.
When an administrator creates a cloud service, that cloud service is automatically assigned a VIP; this VIP
is randomly chosen from the list of currently available public IP addresses for the Azure region where you
are creating the cloud service.
For more information on the public IP address ranges used by each Azure region see:
Azure Datacenter IP Ranges
http://go.microsoft.com/fwlink/?LinkID=522624

Reserved Virtual Internet Protocol Addresses


A reserved IP is a public IP address that is specifically assigned to a cloud service. This reservation means
that the IP address will not change and will remain associated with the cloud service when all the VMs in
the cloud service are either in the Stopped (Deallocated) state, or have been deleted. Otherwise, the
public IP address for a cloud service is lost when the last VM in that cloud service is shut down.
Note: Important: A VM will enter the Stopped (Deallocated) state if you use the Stop-AzureVM
cmdlet, or if you shut down the VM from the portal. If this VM is the last VM in the
cloud service, the public IP address for that cloud service will be removed and reassigned to the
pool of available addresses. So, if you need to shut down all the VMs in a cloud service and still
keep the same public IP address in Azure, the VMs must enter the Stopped state (not the
Stopped (Deallocated) state). To get a VM into the Stopped state you can use the cmdlet
Stop-AzureVM with the -StayProvisioned parameter, or you can shut down the VM by
connecting to the VM and performing a shutdown from the VM operating system.

IP addresses can only be reserved for VMs and for PaaS cloud service web/worker roles, and must be
allocated before these VMs are deployed. The reservation is at the cloud service level, not at the VM or
web/worker role level.

Reserved IPs are usually created because you need the IP address to remain consistent; for example, when publishing a service onto the Internet that has to use a fixed IP address. There are some considerations regarding reserved IP deployment:

• A standard Azure subscription can have five reserved IP addresses.
• An organization with a Microsoft Enterprise Agreement can have up to 100 reserved IP addresses.
• A reserved IP address has a billable cost.
• Reserved IP addresses may not be available in all regions.

For more information on the billable costs of a reserved IP address, and on the availability of reserved IP addresses in each Azure region, see:
IP Address pricing
http://go.microsoft.com/fwlink/?LinkID=398482

Reserving an IP Address
IP addresses are reserved by using PowerShell or the REST APIs. The Azure PowerShell cmdlets for reserved IP management include:

• Get-Help *-AzureReservedIP*: gets help on the AzureReservedIP cmdlets
• New-AzureReservedIP: creates a reserved IP ready for use with an IaaS cloud service
• Remove-AzureReservedIP: deletes a reserved IP
• Get-AzureReservedIP: displays all reserved IPs

To create a new reserved IP address, you use the New-AzureReservedIP cmdlet, and assign the new IP address to a name:
Creating a new reserved IP address
New-AzureReservedIP -Location $location -ReservedIPName $ReservedIP

After you create a reserved IP address, you can allocate it to an IaaS cloud service during deployment of the first virtual machine to that service, by using the ReservedIPName parameter with either the New-AzureVM or New-AzureQuickVM cmdlet. The following example shows the $ReservedIP address, created in the previous example, being used with the New-AzureVM cmdlet:
Assigning a reserved IP address to a cloud service during VM creation

New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password |
    New-AzureVM -ServiceName $service -ReservedIPName $ReservedIP -Location $location
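The following script is an added example, not code from the course, that ties the two commands above to the earlier note on the Stopped versus Stopped (Deallocated) states: it reserves an address, binds it to the cloud service when the first VM is deployed, stops that VM with -StayProvisioned, and then checks that the reservation is still associated with the service. It uses the Azure Service Management (classic) cmdlets that this module covers; the location, reservation name, cloud service name, VM name and administrator name are assumed values.

```powershell
# Added example (not from the course). Assumed values below; the cloud service
# name must be globally unique in cloudapp.net.
$location   = "West Europe"
$ReservedIP = "rip-web-frontend"
$service    = "web-frontend-svc"
$vmname     = "web01"
$admin      = "vmadmin"
# Prompt rather than embedding the local administrator password in the script.
$password   = Read-Host -Prompt "Local administrator password for $vmname"

# 1. Reserve the address. The reservation is billable until Remove-AzureReservedIP is run.
New-AzureReservedIP -ReservedIPName $ReservedIP -Location $location

# 2. Record what was reserved; ServiceName is empty until a deployment uses it.
$rip = Get-AzureReservedIP -ReservedIPName $ReservedIP
"{0} = {1} (in use: {2})" -f $rip.ReservedIPName, $rip.Address, $rip.InUse

# 3. Newest Windows Server 2012 R2 Datacenter gallery image.
$image = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "Windows Server 2012 R2 Datacenter*" } |
    Sort-Object PublishedDate -Descending)[0].ImageName

# 4. Deploy the first VM. -ReservedIPName on New-AzureVM binds the reservation to the
#    cloud service created for this VM; it cannot be attached to a service afterwards.
New-AzureVMConfig -Name $vmname -InstanceSize Small -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password |
    New-AzureVM -ServiceName $service -ReservedIPName $ReservedIP -Location $location -WaitForBoot

# 5. Stop the VM but keep it provisioned. Without -StayProvisioned the last VM in the
#    service would deallocate; with a reserved IP the VIP survives either way, but this
#    keeps the role (and its compute billing) in place.
Stop-AzureVM -ServiceName $service -Name $vmname -StayProvisioned

# 6. Verify the reservation is now tied to the service and is still in use.
$rip = Get-AzureReservedIP -ReservedIPName $ReservedIP
if ($rip.ServiceName -ne $service -or -not $rip.InUse) {
    throw "Reserved IP $($rip.Address) is not associated with $service as expected."
}
"Reserved IP $($rip.Address) is bound to $($rip.ServiceName) / $($rip.DeploymentName)"
```

To release the address later, remove every VM in the service (or leave them deallocated), then run Remove-AzureReservedIP -ReservedIPName $ReservedIP; until then the reservation continues to incur the cost noted above.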

Instance-level Public IP Addresses

If you want to be able to connect to a VM by an IP address assigned directly to it, rather than by using the
cloud service VIP:<portnumber>, you can use instance-level Public IP (PIP) addressing. PIP addressing
has some similarities with reserved IP addresses that have just been discussed, such as a five IP address
limit for standard Azure subscriptions; however, with PIP addressing, the address applies to the VM itself,
rather than the cloud service. Instance-level PIPs are discussed in detail in Module 4.

Network Access Control Lists and Endpoints

You can protect a Microsoft Azure endpoint by using access control lists (ACLs) to permit or deny access from specified subnets or addresses to the cloud service that the endpoint exposes. You can only protect the whole cloud service; you cannot specify an ACL for a virtual network, or for a specific subnet contained in a virtual network (unless you use Network Security Groups). Network ACLs protect against unrestricted endpoint access, and avoid the need for additional security filtering on individual VMs.
An ACL can be configured to provide control over incoming traffic by selectively permitting or denying incoming traffic based on the remote subnet IPv4 address range.
In addition, you can:

• Specify up to 50 ACL rules per virtual machine endpoint
• Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint

VMs have a default ACL, which blocks all incoming traffic. When you create a new endpoint, a port is assigned which is then opened to publish the service. You can manage endpoint ACLs by using the full Azure Management Portal or the new Azure Preview Portal, or by using Azure PowerShell.
To manage ACLs by using the full Azure Management Portal:
1. Click Virtual Machines, and then select the virtual machine that you want to configure.
2. Click Endpoints.
3. Select the endpoint from the list.
4. Click Manage ACL.

To manage ACLs by using Azure PowerShell, use the following cmdlets:

• Get-AzureAclConfig: displays the ACL for an endpoint
• New-AzureAclConfig: creates a new ACL for an object
• Remove-AzureAclConfig: deletes an existing object ACL
• Set-AzureAclConfig: sets an ACL configuration

To configure an ACL on a specific endpoint, use these cmdlets with the EndpointName parameter.
For more information on cmdlet syntax for managing endpoint ACLs, see:
Managing Access Control Lists (ACLs) for Endpoints by using PowerShell
http://go.microsoft.com/fwlink/?LinkID=511714
Note: If you are using VNets, you should use Network Security Groups (NSGs) rather than Network ACLs. NSGs provide more granular control, but are only available for VMs that are deployed in VNets. NSGs are discussed in Module 4.
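The following script is an added example, not the course's own code, that uses the cmdlets listed above to restrict a VM's RDP endpoint to two management ranges and then reads back what Azure enforces. The cloud service, VM and endpoint names and the two subnet ranges are assumed values.

```powershell
# Added example (not from the course). Assumed names and ranges.
$serviceName = "web-frontend-svc"
$vmName      = "web01"
$endpoint    = "RDP"          # name of the existing input endpoint on the VM

# Ordered so that rule numbering is deterministic from run to run.
$allowed = [ordered]@{
    "10.1.0.0/16"    = "HQ management network (assumed)"
    "203.0.113.0/24" = "Jump hosts, documentation range (assumed)"
}

# Build the ACL. Rules are evaluated by ascending Order; once an ACL contains a
# Permit rule, traffic matching no rule is denied, so no catch-all Deny is needed.
$acl   = New-AzureAclConfig
$order = 100
foreach ($subnet in $allowed.Keys) {
    $rule = @{
        AddRule      = $true
        ACL          = $acl
        Action       = "Permit"
        RemoteSubnet = $subnet
        Order        = $order
        Description  = $allowed[$subnet]
    }
    Set-AzureAclConfig @rule
    $order += 100
}

# Attach the ACL to the endpoint and push the updated role configuration.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpoint -ACL $acl |
    Update-AzureVM

# Read back the effective rules; the count must stay within the 50-rule limit noted above.
$effective = Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpoint
if (@($effective).Count -ne $allowed.Count) {
    throw "Expected $($allowed.Count) rules on endpoint $endpoint, found $(@($effective).Count)."
}
$effective | Sort-Object Order | Format-Table Order, Action, RemoteSubnet, Description -AutoSize
```

Keep the ACL object under version control alongside the VM definition: because Set-AzureEndpoint replaces the endpoint's whole ACL, re-running the script is idempotent, and a rule that disappears from the read-back is an indication that someone changed the endpoint outside the script.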

Lesson 2

Planning Virtual Machine Workloads

This lesson introduces the planning considerations for virtual machines that will support workloads in
Microsoft Azure. Good planning helps ensure the best fit between an on-premises environment and the
Microsoft Azure virtual machines onto which workloads can be migrated.

Lesson Objectives
After completing this lesson, you will be able to:

Identify which workloads are appropriate for use with Microsoft Azure.

Select the best virtual machine size for a particular workload.

Explain the differences between on-premises virtual machines and Microsoft Azure virtual machines.

Propose which workloads in your on-premises environment might be suitable for migration to
Microsoft Azure.

Identifying Workloads for Microsoft Azure IaaS VMs

Some workloads are suitable for deploying using VMs in Microsoft Azure; others are more challenging.

Suitable Workloads for Microsoft Azure IaaS VMs

There are certain types of workload that are a better fit for hosting in an Azure IaaS environment than others. Examples of these more suitable workloads are:

• Highly available service workloads such as commercial online stores.
• Periodic workloads such as:
  o Complex data analysis of sales figures that an organization only needs to run at the end of each month.
  o Seasonal marketing campaigns on an organization's website.
  o Annual retail sales spurts that may occur during festive holidays.
• Unpredictable growth workloads such as those experienced by small, but rapidly expanding, organizations, or short-term increased sales of fad products.
• Spiking workloads, such as those experienced by sites providing news services or organizations that perform end-of-day reporting to a head office.
• Steady workload scenarios where organizations simply want to offload their infrastructure to the cloud.

When planning virtual machine workloads for Azure IaaS, it is also important to remember that not every application or service is a suitable fit for the cloud.

Unsuitable Workloads for Microsoft Azure IaaS

There are some workload scenarios that do not suit the elasticity and flexibility of an Azure IaaS environment. For example:

• Low volume or limited growth workloads where the organization might be able to run the service or application on commodity hardware on-premises less expensively than in the cloud.
• Regulated environment workloads where an organization, or even the local government, may regulate the type of data that can be hosted in the cloud. However, these cases might be suitable candidates for a hybrid solution where only some highly available data is hosted in Azure and the more sensitive, regulated data is kept on-premises.

Microsoft Server Software Support for Azure IaaS VMs

All Microsoft software installed in the Microsoft Azure virtual machine environment must be properly licensed. By default, Microsoft Azure virtual machines include a license for using Windows Server in the Microsoft Azure environment. Certain Microsoft Azure virtual machine offerings may also include additional Microsoft software on a per-hour or evaluation basis. Licenses for other software must be obtained separately.
A wide range of Microsoft server software is supported in an Azure IaaS virtual machine environment, including Microsoft Forefront Identity Manager 2010 R2 SP1 and later versions; Microsoft SharePoint Server 2010 and later versions; Microsoft SQL Server 2008 (64-bit) and later versions; and Microsoft System Center 2012 SP1 and later versions.
The following Windows Server Roles are currently supported:

• Active Directory Domain Services
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Application Server
• DNS Server
• File Services
• Network Policy and Access Services
• Print and Document Services
• Remote Access (Web Application Proxy)
• Remote Desktop Services
• Web Server (IIS)
• Windows Server Update Services

There are, however, some currently unsupported server roles:

• Dynamic Host Configuration Protocol Server
• Hyper-V
• Remote Access (Direct Access)
• Rights Management Services
• Windows Deployment Services

There are also some significant Windows Server features that are not currently supported:

• BitLocker Drive Encryption (on the operating system hard disk; may be used on data disks)
• Windows Server Failover Clustering, except for SQL Server AlwaysOn Availability Groups
• Internet Storage Name Server
• Multipath I/O
• Network Load Balancing
• Peer Name Resolution Protocol
• SNMP Services
• Storage Manager for SANs
• Windows Internet Name Service
• Wireless LAN Service

For more information on currently supported Microsoft server software, see:
Microsoft server software support for Microsoft Azure virtual machines
http://go.microsoft.com/fwlink/?LinkID=522625

Sizing of Virtual Machines for Microsoft Azure IaaS

When you create virtual machines in Azure, you can select from several available sizes and options for the virtual machine-based compute resources used to run your apps and workloads. There are also some deployment considerations you need to be aware of when planning to provision or deploy these resources.

Virtual Machine Sizes for Azure

Virtual machines are available in two compute tiers: Basic and Standard.
The new Basic tier compute instances are similar to the lower-priced Standard tier, but the virtual machine instances do not include load balancing or auto-scaling features. Basic tier virtual machines are most suited to single instance production applications, development workloads, test servers, and batch processing applications.

The Standard tier compute instances are designed to offer optimal compute, memory and IO resources to suit the running of a wide range of applications and workloads. These instances include auto-scaling, load balancing, and internal load balancing capabilities at no additional cost. Both tiers offer a choice of sizes.
For more information on virtual machine and cloud service sizes, including any changes since this course was published, see:
Virtual Machine and Cloud Service Sizes for Azure
http://go.microsoft.com/fwlink/?LinkID=522626

Note: Linux virtual machines may have significantly smaller OS disk sizes when created
from the Image Gallery.

Sizing Considerations
When deciding on sizing for your Azure virtual machines, consider the following:

• The size of the virtual machine affects the pricing and the tier affects some capabilities.
• A1 is the smallest size recommended for production workloads.
• When deploying a virtual machine for SQL Server Enterprise Edition, select a virtual machine with at least four CPU cores.
• Some of the physical hosts in Azure data centers may not support larger virtual machine sizes, such as A5 to A9, and you may get an error message such as Failed to configure virtual machine <machine name> or Failed to create virtual machine <machine name>.

Virtual Machine Limits in Azure

When creating virtual machines in Azure, each cloud service in which those virtual machines reside can
contain a maximum of 50 virtual machines. When you create a new virtual machine, a cloud service is
automatically created to contain it, but you can add more virtual machines in that same cloud service up
to the 50 virtual machines limit. You can also have a maximum of 150 input endpoints per cloud service.

The Microsoft Azure (IaaS) Cost Estimator Tool

This tool helps customers profile their existing on-premises infrastructure and estimate the cost of running it on Azure. It helps to identify the utilization and resource allocation on physical machines, as well as guest VMs running on VMware and Hyper-V, and determines the cost of running an on-premises physical or virtual machine workload on Azure over a 30-day period. The tool scans the hardware and resource utilization over a short period of time and is usually completed within 15 minutes. The resulting server profile is then matched against Azure IaaS instance types to find the best fit for purpose based on cost or performance. You can also export the results to either Excel or CSV format.
The tool can scan any of the following types of machine:

• Microsoft technologies (SCVMM, Hyper-V)
• VMware technologies (vSphere, ESXi)
• Physical machines (Windows, Linux)

The tool can be installed on any of the following operating systems:

• Windows Server 2012 onwards
• Windows Server 2008 R2 SP1
• Windows Server 2008 SP2
• Windows Vista SP2
• Windows 7 SP1
• Windows 8 and 8.1

You can download the Microsoft Azure (IaaS) Cost Estimator tool at:
Microsoft Azure (IaaS) Cost Estimator Tool
http://go.microsoft.com/fwlink/?LinkID=522627

Identifying Differences Between On-Premises and Microsoft Azure VMs

Microsoft Azure virtual machines are similar to virtual machines run in on-premises Hyper-V. However, although there are some overall similarities, there are several differences.

General Differences: Disks, Virtual Machine Format and Networking

There are several basic differences between on-premises and Azure virtual machines:

• Virtual machine disks in Azure are always a fixed size whereas, in Hyper-V, you can use dynamic disks. Currently, Azure only supports .vhd disks, not .vhdx. More information on virtual machine disks is provided in Module 4.
• Azure supports only Generation 1 virtual machines, and not the Generation 2 virtual machines as introduced with Hyper-V in Windows Server 2012 R2.
• IPv6 is not supported in Azure virtual networks.
• Azure virtual machines are no longer limited to one virtual network interface card (vNIC), but support for multiple vNICs on a single virtual machine is currently subject to several conditions:
  o Multiple vNICs work on any VMs in Azure, except Basic SKUs.
  o The number of vNICs you can create depends on the VM size; for example, Large (A3) and A6 support two vNICs, ExtraLarge (A4) and A7 support four vNICs.
  o Multiple vNICs are only supported if VMs are in an Azure Virtual Network.
  o vNICs cannot forward traffic or act as Layer 3 (IP) gateways.
  o Instance-level PIP addressing is only supported on the default NIC, and there is only one PIP mapped to the IP of the default NIC. The additional NICs cannot be used in a Load Balance set.
  o You cannot currently add or remove vNICs after a VM is created.
  o You must use the Azure PowerShell Add-AzureNetworkInterfaceConfig cmdlet to create additional vNICs.
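The following script is an added example, not part of the course, that builds a classic VM with a second vNIC under the conditions listed above: it checks the requested NIC count against the per-size limits the list gives (the only figures in $nicLimit), adds the extra NIC to the configuration before New-AzureVM because NICs cannot be added afterwards, and deploys into a virtual network because multiple vNICs require one. The VNet, subnets, addresses, names and location are assumed values.

```powershell
# Added example (not from the course). vNIC limits per size as stated in the module;
# sizes not listed here are treated as single-NIC.
$nicLimit = @{ "Large" = 2; "A6" = 2; "ExtraLarge" = 4; "A7" = 4 }

# Assumed values.
$size     = "Large"
$location = "West Europe"
$vnet     = "corp-vnet"
$svc      = "app-tier-svc"
$vmname   = "app01"
$password = Read-Host -Prompt "Local administrator password for $vmname"

# Extra NICs wanted beyond the default one; each needs its own subnet and address.
$extraNics = @(
    @{ Name = "Backend-NIC"; Subnet = "Backend"; IP = "10.0.2.10" }
)

# Fail early rather than letting the platform reject the deployment.
$maxNics = if ($nicLimit.ContainsKey($size)) { $nicLimit[$size] } else { 1 }
$wanted  = 1 + $extraNics.Count
if ($wanted -gt $maxNics) {
    throw "Size $size supports $maxNics vNIC(s); $wanted requested."
}

$image = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "Windows Server 2012 R2 Datacenter*" } |
    Sort-Object PublishedDate -Descending)[0].ImageName

# Default NIC: carries the cloud service endpoints and any instance-level PIP.
$vm = New-AzureVMConfig -Name $vmname -InstanceSize $size -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername "vmadmin" -Password $password |
    Set-AzureSubnet -SubnetNames "Frontend" |
    Set-AzureStaticVNetIP -IPAddress "10.0.1.10"

# Additional NICs go into the configuration object before the VM exists.
foreach ($nic in $extraNics) {
    $vm = Add-AzureNetworkInterfaceConfig -Name $nic.Name -SubnetName $nic.Subnet -StaticVNetIPAddress $nic.IP -VM $vm
}

# -VNetName is mandatory: multiple vNICs are only supported inside a virtual network.
New-AzureVM -ServiceName $svc -Location $location -VNetName $vnet -VMs $vm
```

Because the extra NIC cannot act as a Layer 3 gateway or join a load-balanced set, treat it as a plain back-end interface (for example, for traffic to a database subnet) and keep the default NIC as the only externally reachable one.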

Differences when deploying Domain Controllers in Azure

The slide table example shows some of the key configuration differences when deploying domain controllers in Azure virtual machines.

To configure: Domain Controller IP address
  On-premises: Assign static IP in NIC properties
  In an Azure virtual network: Obtain IP address from DHCP or make static using Set-AzureStaticVNetIP

To configure: DNS client resolver
  On-premises: Set Preferred and Alternate DNS servers in NIC properties for clients
  In an Azure virtual network: Set DNS server address on virtual network properties, and then specify the Azure DNS during VM deployment

To configure: AD database storage
  On-premises: Should change default storage location from C: drive
  In an Azure virtual network: Must change default storage location from C: drive, as you can then control the cache behavior (Azure OS disk has ReadOnly caching by default)

For more information on deploying a domain controller in Azure, see:
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=522628
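The following script is an added example, not from the course or the linked guidance, that applies the three Azure-side settings in the table to a classic VM deployment: a static VNet address via Set-AzureStaticVNetIP (checked first with Test-AzureStaticVNetIP), the VNet DNS server passed at deployment via New-AzureDns and -DnsSettings, and a separate data disk with host caching disabled to hold the AD DS database instead of the read-cached OS disk. The VNet and subnet names, addresses, cloud service and VM names, and the data disk size are assumed values.

```powershell
# Added example (not from the course). Assumed values.
$location = "West Europe"
$vnet     = "corp-vnet"
$subnet   = "Infra"
$svc      = "corp-dc-svc"
$vmname   = "DC02"
$dcIP     = "10.0.0.5"     # must lie inside $subnet
$dnsIP    = "10.0.0.4"     # existing DC/DNS server in the VNet
$password = Read-Host -Prompt "Local administrator password for $vmname"

# Row 1: confirm the intended static address is free before committing to it.
$check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $dcIP
if (-not $check.IsAvailable) {
    throw "$dcIP is in use in $vnet; free alternatives: $($check.AvailableAddresses -join ', ')"
}

# Row 2: the DNS server the VM will be handed at deployment (the VNet's DNS entry).
$dns = New-AzureDns -Name "corp-dns" -IPAddress $dnsIP

$image = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "Windows Server 2012 R2 Datacenter*" } |
    Sort-Object PublishedDate -Descending)[0].ImageName

# Row 3: a data disk with HostCaching None for NTDS.dit, logs and SYSVOL, so AD writes
# are not subject to the OS disk's ReadOnly cache.
$vm = New-AzureVMConfig -Name $vmname -InstanceSize Medium -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername "dcadmin" -Password $password |
    Set-AzureSubnet -SubnetNames $subnet |
    Set-AzureStaticVNetIP -IPAddress $dcIP |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel "ADDS" -LUN 0 -HostCaching None

New-AzureVM -ServiceName $svc -Location $location -VNetName $vnet -DnsSettings $dns -VMs $vm -WaitForBoot

# Verify what Azure recorded: the static address and the caching mode of the new disk.
$deployed = Get-AzureVM -ServiceName $svc -Name $vmname
$disk     = $deployed | Get-AzureDataDisk -Lun 0
"{0}: IP {1}, data disk {2} caching={3}" -f $vmname, $deployed.IpAddress, $disk.DiskLabel, $disk.HostCaching
```

After first boot, initialize and format the LUN 0 disk inside the guest and point the AD DS installation (database, log and SYSVOL paths) at it; the static address keeps the DC's DNS records valid across deallocations, which a DHCP-assigned address would not.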

Differences when deploying SQL Server in Azure

There are several considerations to look at when deciding how to deploy and configure SQL Server on
Azure virtual machines, including performance, high availability and disaster recovery, unused services,
and auto-scaling.
More information on deploying SQL Server on Azure virtual machines is discussed in Module 7 of this
course.

Managing Limitations with Windows Server Essentials Experience

There are some limitations when running Windows Server 2012 R2 with Windows Server Essentials Experience as an Azure virtual machine, including:

• If you are running the Windows Server Essentials Experience on a domain controller, the DNS settings can change when you change the size of the virtual machine. You can, however, manually reset the settings back again after the resize operation.
• You can get a false alert in the Best Practice Analyzer related to Windows Server Backup; this alert can be ignored.
• You cannot perform a client full system restore if your server running Windows Server Essentials Experience is on a virtual machine that is hosted in Azure; although you can still restore volumes, folders, or files.
• If you have another server or client running in Azure, you cannot use the Connector software to connect that server or client to the Windows Server Essentials Experience server running in Azure.
• You cannot install the Azure Backup integration module so, to work around the issue, you can use the Azure Backup Agent instead.

For more information on deploying a Windows Server Essentials Experience virtual machine in Azure, see:
Hosting Windows Server Essentials Experience on Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=522629

Identifying Service Interoperability Issues

There are some interoperability issues when using Azure virtual machines for the DFS Namespace and DFS Replication role services, including:

• DFS Namespaces
  o You cannot cluster stand-alone namespaces in Azure virtual machines.
  o You can host domain-based namespaces in Azure virtual machines, including environments with Azure AD, though a single namespace can't encompass both on-premises namespace servers and namespace servers hosted in Azure VMs, even when using Active Directory Federation Services.
• DFS Replication
  o Do not export, clone, or copy the Azure virtual machines running the DFS role.
  o When backing up data in a replicated folder hosted in a virtual machine, you must use backup software from within the guest virtual machine.
  o DFS Replication requires access to physical or virtualized domain controllers; it cannot communicate directly with Azure AD.
  o If you are replicating between Azure and on-premises DFS servers, DFS Replication will require a VPN connection between your on-premises replication group members and any members hosted in Azure VMs.

For more information on deploying the DFS Namespace and DFS Replication server roles on an Azure virtual machine, see the Interoperability with Azure virtual machines section:
DFS Namespaces and DFS Replication Overview
http://go.microsoft.com/fwlink/?LinkID=522630

Discussion: Which Workloads In Your Current On-Premises Environment Would You Consider For Migration To Microsoft Azure?

Lesson 3

Creating Virtual Machines

You should now have a better understanding of virtual machines in Microsoft Azure, and be able to relate this feature to virtual machines in Hyper-V. In this next lesson, you will investigate how to create those virtual machines, both by using the portal and by using Windows PowerShell scripts.

Lesson Objectives
After completing this lesson, you will be able to:

Plan for virtual machine deployment.

Deploy Windows virtual machines in Microsoft Azure.

Create and delete virtual machines and cloud services by using Windows PowerShell.

Use prebuilt Linux images.

Deploy Linux virtual machines.

Create and manage virtual machine images.

Planning for Virtual Machine Deployment

When planning for virtual machine deployment in Microsoft Azure, there is a range of factors to take into account, such as:

• Storage: how much, where, and in what configuration
• Disk sizing, persistence, and caching
• Compute resources: capacity required
• Availability: uptime requirements, geo-distribution, accessibility
• Service level agreements (SLAs)
• Costs of providing Azure services, such as storage and compute

Microsoft provides a set of tools and resources that can help an organization plan for virtual machine deployment.

Virtual Machine Pricing

The main planning factor with any cloud-based service is not so much the availability of resources, but the price that an organization is willing to pay for those resources. To help with estimating the potential costs when planning for virtual machines in Microsoft Azure, you can use the Virtual Machines Pricing Details page on the Microsoft Azure website, at http://go.microsoft.com/fwlink/?LinkID=511945. You can also use the Pricing Calculator tool, which enables you to cost out different workloads and services in Microsoft Azure. This can be accessed at http://go.microsoft.com/fwlink/?LinkID=511946.

Microsoft Azure Virtual Machine Readiness Assessment

The Microsoft Azure Virtual Machine Readiness Assessment tool automatically inspects your on-premises environment, whether it is physical or virtualized, and provides you with a checklist and detailed report on steps you need to take to move your environment to the cloud. The Microsoft Azure team provides tailored guidance and recommendations for migrating your environment to Microsoft Azure. This tool is specifically designed to help you get started with planning Active Directory, SQL, or SharePoint migrations to Azure.
Automated Assessment

• This tool will provide a high level checklist and a detailed report.
• The checklist outlines areas which are ready to move and areas which may need additional configuration or design changes.
• The detailed report offers expert guidance and advice tailored to your environment.

Expert Advice

• Your report shows areas that are ready to move and areas that need additional configuration or design changes.
• Click into each area to get expert guidance and advice tailored to your specific situation.

For more information on the Microsoft Azure Virtual Machine Readiness Assessment tool, and download
links, see:
Microsoft Azure Virtual Machine Readiness Assessment
http://go.microsoft.com/fwlink/?LinkID=511947

Microsoft Azure Virtual Machine Optimization Assessment

The Microsoft Azure Virtual Machine Optimization Assessment tool will automatically inspect your virtual
machines running in Microsoft Azure and enable you to optimize your Microsoft Azure deployment,
through the provided prioritized recommendations. This assessment is specifically focused on SQL Server,
AD, and SharePoint.
For more information on the Microsoft Azure Virtual Machine Optimization Assessment tool, and
download links, see:
Microsoft Azure Virtual Machine Optimization Assessment
http://go.microsoft.com/fwlink/?LinkID=511948
For more information on performance considerations for SQL Server workload, see:
Performance Guidance for SQL Server in Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=511949

Deploying Windows Virtual Machines

There are several ways to deploy Windows virtual machines in Microsoft Azure.

Deploying Virtual Machines by using the Azure Preview Portal
The key steps for creating a Windows Server virtual machine in the Preview Portal are as follows:
1. Select an image in the VM gallery.
2. Provide a host name, user name and password for the new virtual machine.
3. Configure any optional configuration settings, such as domain membership, virtual network or affinity group settings, a storage account, and an availability set.
4. Start the virtual machine provisioning process.

There are several optional configuration settings that you can configure for your virtual machines, but you will be creating and configuring a virtual machine for yourselves in the Preview Portal in the lab for this module.
For quick access, you can pin your virtual machines to the Startboard, and can unpin them if no longer needed.

Deploying Virtual Machines by using the full Microsoft Azure Management Portal

If you use the Microsoft Azure Management Portal, you can either use the QUICK CREATE option to rapidly provision a virtual machine, and then configure and customize it later, or use the FROM GALLERY option to select an image from the gallery and configure it upfront.
With the QUICK CREATE method, you only need to provide the following information to provision a virtual machine:

• DNS name for the virtual machine.
• Select an image to provision the virtual machine from.
• Select a pricing tier size for the virtual machine (the default for a Windows-based virtual machine is A1).
• User name and password.
• Region or affinity group.

With the FROM GALLERY method, you need to provide more information to provision a virtual machine:

• Select an image from the gallery.
• Select a version release date for the image (to ensure they have the most up-to-date version).
• Virtual machine name.
• Select a pricing tier size for the virtual machine (the default for a Windows-based virtual machine is Standard A1).
• User name and password.
• A cloud service to create the virtual machine in (create new or select existing).
• Region, affinity group, or virtual network to deploy the virtual machine to.
• A storage account.
• An availability set (optional).
• Additional endpoints (optional).
• Install VM Agent (optional).
• Add configuration and security extensions (optional).

Deploying Virtual Machines by using Microsoft Azure PowerShell

You can also use the Microsoft Azure PowerShell interface to create virtual machines using Windows PowerShell cmdlets.
You can first define a virtual machine configuration, and then create the virtual machine, as in this example:
Creating a VM

$newVM = New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $osimage |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminname -Password $password |
    Set-AzureSubnet -SubnetNames $subnet
New-AzureVM -ServiceName $cloudservice -AffinityGroup $affinitygroup -VMs $newVM -VNetName $vnet -DnsSettings $dns -WaitForBoot

You can also create and configure a virtual machine in one step, as in this example:
Creating a quick VM
New-AzureQuickVM -Windows -ImageName $osimage -Location $location -Name $vmname -ServiceName $svcName -InstanceSize $size -AdminUserName $adminname -Password $password

There are more configuration options if you use the New-AzureVMConfig and New-AzureVM cmdlets, such as the ability to use a static internal IP address by using Set-AzureStaticVNetIP.

For more information on using Microsoft Azure PowerShell to provision and deploy virtual machines, see:
Introduction to Windows Azure PowerShell
http://go.microsoft.com/fwlink/?LinkID=511950
Creating Windows Azure Virtual Machines with PowerShell
http://go.microsoft.com/fwlink/?LinkID=511951
For more information on using static internal IP addresses, see:
Configure a Static Internal IP Address for a VM
http://go.microsoft.com/fwlink/?LinkID=522631

Logging on to a Windows Virtual Machine

To log on to a Windows virtual machine, you click the Connect button to start a Remote Desktop Connection session. In the Microsoft Azure Management Portal, the CONNECT button is located in the command bar at the bottom of the screen. In the Preview Portal, the CONNECT button is in the top menu bar in the virtual machines blade. When you click CONNECT, you get the option to either open the RDP file to immediately start the Remote Desktop Connection session, or save the RDP file so that you can easily connect to the virtual machine without having to select it in the portal.

Demonstration: Creating and Deleting Microsoft Azure Virtual Machines


and Cloud Services using PowerShell
In this demonstration, you will see how to:

Create virtual machines and cloud services using the Microsoft Azure PowerShell.

Delete virtual machines and cloud services using the Microsoft Azure PowerShell.

Demonstration Steps
Create a virtual machine using Microsoft Azure PowerShell
1.

On the taskbar, right-click Microsoft Azure PowerShell and click Run ISE as Administrator. Click
Yes when prompted.

2.

In the PowerShell ISE, in the command prompt pane, enter the following command to add an Azure
account to the local PowerShell environment:
Add-AzureAccount

3.

When prompted, sign in using the Microsoft account associated with your Azure subscription.

4.

In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureSubscription

5.

In the PowerShell ISE, click File and then click Open.

6.

In the Open dialog, browse to D:\Demofiles\Mod03\.

7.

Click ExampleCommands.ps1 and then click Open.

8.

If the Script pane is not visible, on the View menu, click Show Script Pane.

9.

In the PowerShell ISE, in the command prompt pane, select the subscription name, then right-click,
and click Copy.

10. In the PowerShell ISE, in the Script pane, paste the subscription name.

11. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
Get-AzureStorageAccount

12. In the PowerShell ISE, in the command prompt pane, select the storage account name, then rightclick, and click Copy.
13. In the PowerShell ISE, in the Script pane, paste the storage account name.
14. In the PowerShell ISE, in the Script pane, locate the following code:
Set-AzureSubscription -CurrentStorageAccountName <#Copy your storage account name
here#> -SubscriptionName <#Copy your subscription name here in quote marks#>

15. Replace <#Copy your storage account name here#> with your storage account name.

16. Replace <#Copy your subscription name here in quote marks#> with your subscription name; ensure
that you use single quote marks around the name.

17. In the PowerShell ISE, in the Script pane, select the code you have just edited.
18. On the toolbar, click the Run Selection button and wait for the script to complete.
19. In the PowerShell ISE, in the Script pane, select the following code:
$svcName = "20533lab03cloudsvc" + (Get-AzureStorageAccount).Label.Substring(15,6)

20. On the toolbar, click the Run Selection button and wait for the script to complete.
21. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$svcName


22. This variable should now contain a unique cloud service name, using the same unique number used
to create the storage account during lab preparation.
23. In the PowerShell ISE, in the Script pane, select the following code:
$location = (Get-AzureStorageAccount).Location

24. On the toolbar, click the Run Selection button and wait for the script to complete.
25. In the PowerShell ISE, in the command prompt pane, type the following and press Enter:
$location

26. This variable should now contain the Azure region used during lab preparation.
27. In the PowerShell ISE, in the Script pane, select the following code:
$osimage = (Get-AzureVMImage | where {$_.ImageFamily -like "Windows Server 2012 R2 Datacenter*"} | sort PublishedDate -Descending)[0].ImageName

28. On the toolbar, click the Run Selection button and wait for the script to complete.
29. In the PowerShell ISE, in the Script pane, select the following code:
New-AzureQuickVM -Windows -ImageName $osimage -Location $location -Name DemoVM1 -ServiceName $svcName -InstanceSize Small -AdminUserName Student -Password 'Pa$$w0rd123'

30. On the toolbar, click the Run Selection button and wait for the script to complete.
31. In the PowerShell ISE, in the Script pane, select the following code:

New-AzureQuickVM -Windows -ImageName $osimage -Name DemoVM2 -ServiceName $svcName -InstanceSize Small -AdminUserName Student -Password 'Pa$$w0rd123'

32. On the toolbar, click the Run Selection button and wait for the script to complete.
33. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
34. On the Virtual machines blade, note the two new virtual machines listed, called DemoVM1 and
DemoVM2.

Delete virtual machines and a cloud service using Microsoft Azure PowerShell
1. In the PowerShell ISE, in the command prompt pane, enter each of the following commands and press Enter after each one:
Remove-AzureVM -ServiceName $svcName -Name DemoVM1
Remove-AzureVM -ServiceName $svcName -Name DemoVM2
Remove-AzureService -ServiceName $svcName


2. In the Confirm dialog box, click Yes.

3. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.

4. On the Virtual machines blade, note that the two virtual machines called DemoVM1 and DemoVM2 are no longer listed.

5. Close the Virtual machines blade.

6. On the Microsoft Azure Preview Portal home screen, click the AZURE PORTAL tile to open the full management portal.

7. In the Microsoft Azure Management Portal, click CLOUD SERVICES. Verify that the cloud service is not listed.


Reset the Environment
1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:
Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.

The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does
not remove the Automation account (or the organizational account); this can either be manually deleted
or you can leave it in place, as it does not affect subsequent labs.

Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can rerun the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Using Prebuilt Linux Images


The Virtual Machines Image Gallery contains prebuilt Linux images that are provided by commercial distributors. The list below summarizes the different versions supported for each Linux distribution:

• Ubuntu by Canonical 12.04.1+, 13.10, and 14.04
• CentOS by OpenLogic 6.3+
• Oracle Linux 6.4+
• SUSE Linux Enterprise Server SLES 11 SP3+
• OpenSUSE 13.1+


For more information on all prebuilt Linux images, including updates since this course was published, see:
Linux on Azure-Endorsed Distributions
http://go.microsoft.com/fwlink/?LinkID=511952

If you wish to use a Linux distribution that is not provided in the gallery, you can use your own virtual
machine image, and upload it as a VHD. Uploading and managing VHDs is covered in a later topic in this
lesson. You can also make use of community-supplied images on the VM Depot site:
https://vmdepot.msopentech.com/
http://go.microsoft.com/fwlink/?LinkID=523984
Important: The Azure platform SLA only applies to virtual machines running the Linux OS if you use one of the endorsed distributions and the recommended configuration. The Linux distributions provided in the Azure image gallery are endorsed distributions, and have the required configuration.

Deploying Linux Virtual Machines


There are several ways to deploy Linux virtual machines in Microsoft Azure.

Deploying a Linux Virtual Machine by using the Microsoft Azure Management Portal
The steps to deploy a new Linux virtual machine in the Microsoft Azure Management Portal are as follows:
1. Select a Linux virtual machine from the list of vendor distribution images in the image gallery.

2. Provide a virtual machine name, tier, and size.

3. Provide a new admin user name.

4. Select the authentication mechanism/s and provide a password if required.

5. Create a new cloud service or select an existing one.

6. Select a region, affinity group or virtual network in which to deploy the virtual machine.

7. Select whether to automatically generate a storage account or use an existing one.

8. Select whether to add this virtual machine to an availability set.

9. Verify the endpoint that is created for the SSH connection.

10. Verify that VM Agent will be installed (this setting is always on for Linux images and cannot be disabled).

11. Finish deploying the virtual machine.


If you use the new Preview Portal to create Linux virtual machines, the only authentication option is an
RSA encrypted OpenSSH public key encapsulated in an X509 certificate. If you use the full Microsoft Azure
Management Portal, you can choose between providing an SSH public key certificate or entering a
password to authenticate.

Deploying a Linux Virtual Machine by using Microsoft Azure PowerShell

You can also use the Microsoft Azure PowerShell interface to create Linux virtual machines using Windows
PowerShell cmdlets; the syntax is similar to that for Windows virtual machines.
To create and configure a Linux virtual machine in one step, you could use code such as that used in this
example:
Create a Linux VM
New-AzureQuickVM -Linux -ServiceName $cloudSvcName -Name "LinuxVM1" -ImageName $linuximage -LinuxUser LinuxUser -Location $location -InstanceSize Small -Password 'Pa$$w0rd123'
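The key-based option that the Preview Portal offers (an RSA public key carried in an X.509 certificate) can also be used from Azure PowerShell instead of the password shown above. The script below is an added example, not course code: it assumes the Service Management (ASM) Azure PowerShell module used throughout this course, a certificate file at the path shown, and placeholder cloud service and region names.

```powershell
# Added example (not course code): deploy a Linux VM that accepts SSH key authentication only.
# Assumptions: the .cer file below holds the RSA public key matching the private key you will load
# into PuTTY; the cloud service and region names are placeholders; the user is the course's LinuxUser.
$certPath     = "D:\Labfiles\Lab03\linuxvm-ssh.cer"   # assumed path to your certificate
$cloudSvcName = "adatumlinuxsvc"                       # assumed (must be globally unique)
$location     = "West Europe"                          # assumed region
$linuxUser    = "LinuxUser"

# Select the newest gallery image of an endorsed distribution (SLES 11 SP3, as used in the lab)
$linuximage = (Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like "SUSE Linux Enterprise Server 11 SP3*" } |
    Sort-Object PublishedDate -Descending)[0].ImageName

# The cloud service has to exist before a certificate can be attached to it
New-AzureService -ServiceName $cloudSvcName -Location $location

# Upload the certificate; Azure copies the public key it contains into the VM during provisioning
Add-AzureCertificate -ServiceName $cloudSvcName -CertToDeploy $certPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Reference the uploaded certificate by thumbprint and say where its key lands inside the VM
$sshKey = New-AzureSSHKey -PublicKey -Fingerprint $cert.Thumbprint `
    -Path "/home/$linuxUser/.ssh/authorized_keys"

# -NoSSHPassword leaves password login disabled, so only the holder of the private key can log on;
# Add-AzureProvisioningConfig -Linux also creates the SSH endpoint on local port 22
New-AzureVMConfig -Name "LinuxVM1" -InstanceSize Small -ImageName $linuximage |
    Add-AzureProvisioningConfig -Linux -LinuxUser $linuxUser -SSHPublicKeys $sshKey -NoSSHPassword |
    New-AzureVM -ServiceName $cloudSvcName

# Read back the public host name and port that the PuTTY session will use (the portal's SSH DETAILS)
Get-AzureVM -ServiceName $cloudSvcName -Name "LinuxVM1" |
    Get-AzureEndpoint |
    Where-Object { $_.LocalPort -eq 22 } |
    Select-Object @{ n = "HostName"; e = { "$cloudSvcName.cloudapp.net" } }, Vip, Port
```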

Logging on to a Linux Virtual Machine

To log on to the Linux virtual machine from a Windows operating system, you need to download an SSH
client such as PuTTY. You will need to determine the host name and port information to log in to the
Linux virtual machine with your SSH client. This information can be obtained from the dashboard of the
Linux virtual machine under SSH DETAILS.
For more information on deploying Linux virtual machines in Microsoft Azure, see:
Create a Virtual Machine Running Linux
http://go.microsoft.com/fwlink/?LinkID=511953
Introduction to Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=511954

Creating and Managing Virtual Machine Images


Images are used in Microsoft Azure to provide a new virtual machine with an operating system that may have one or more data disks.
Images are available from several sources:

• Microsoft Azure provides a large image gallery to select from. This gallery includes recent operating system images of Windows Server and various distributions of several other operating systems such as Linux. Some images also contain applications, such as SQL Server. MSDN Benefit and MSDN Pay-as-You-Go subscribers also have access to additional images.

• The open source community offers images through VM Depot.

• You can store your own images in Microsoft Azure, by either capturing an existing Microsoft Azure virtual machine for use as an image or by uploading an image.

Common Tasks for Managing Images


These common tasks for managing Microsoft Azure images can be performed using either the Microsoft Azure Management Portal or Microsoft Azure PowerShell.

• Capture an image of a VM running Windows Server
• Capture an image of a VM running Linux
• Create and upload a VHD that contains the Windows Server operating system
• Create and upload a VHD that contains the Linux operating system

Capturing an Image of a VM Running Windows Server


These are the main steps in the process to capture an image from a virtual machine that is running the Windows Server operating system:
1. In the Microsoft Azure Management Portal, connect and log on to the virtual machine running Windows Server.

2. Open a command prompt, and change the current directory to %Windir%\system32\sysprep.

3. Run sysprep.exe from the command prompt.

4. In Sysprep choose:
   a. Select Enter System Out-of-Box Experience (OOBE) as the System Cleanup Action.
   b. Turn on the Generalize option.
   c. Choose Shutdown as the shutdown option.

5. In the Microsoft Azure Management Portal, after the virtual machine shuts down, select Capture.
   a. Provide a name for the new image.
   b. Confirm you have already sysprepped the image.
   c. Capture the image.

For more information about capturing Windows images, see:


How to Capture a Windows Virtual Machine to Use as a Template
http://go.microsoft.com/fwlink/?LinkID=511955

Capturing an Image of a VM Running Linux


These are the main steps in the process to capture an image from a virtual machine that is running the Linux operating system:
1. In your Secure Shell (SSH) client, connect and log on to the virtual machine running Linux.

2. In the SSH window, run the sudo waagent -deprovision command.

3. In the Microsoft Azure Management Portal, shut down the virtual machine.
   a. Click Capture.
   b. Provide a name for the new image.
   c. Confirm you have already deprovisioned the image with waagent.
   d. Capture the image.

For more information on capturing a Linux image, see:


How to Capture a Linux Virtual Machine to Use as a Template
http://go.microsoft.com/fwlink/?LinkID=511956

Creating and Uploading a Windows Server VHD to Microsoft Azure to Create an Image

These are the main steps in the process of creating and uploading a VHD containing the Windows Server operating system to Microsoft Azure as an image:
1. On the Windows Server, open a command prompt and change the current directory to %Windir%\system32\sysprep.

2. Run sysprep.exe from a command prompt.

3. In Sysprep choose:
   a. Select Enter System Out-of-Box Experience (OOBE) as the System Cleanup Action.
   b. Turn on the Generalize option.
   c. Choose Shutdown as the shutdown option.

4. In the Microsoft Azure Management Portal, after the virtual machine shuts down:
   a. Create a storage account in Microsoft Azure.
   b. Create a container for your uploaded VHDs.

5. Establish a secure connection to your Microsoft Azure subscription by downloading and importing your publish settings file.

6. In Microsoft Azure PowerShell, upload the VHD file using the Add-AzureVhd cmdlet.

7. In the Microsoft Azure Management Portal, add the uploaded VHD as an image by doing the following:
   a. Open Virtual Machines.


   b. Click Images.
   c. Click Create an Image.
   d. In the Create an image from a VHD window, enter the name, description, URL for your image, operating system family, and confirm you have run Sysprep.
   e. When complete, your new image will be listed under My Images when you create a new virtual machine.

For more information on uploading VHDs, see:


Create and upload a Windows Server VHD to Azure
http://go.microsoft.com/fwlink/?LinkID=511957
Creating and Uploading a Virtual Hard Disk that Contains the Linux Operating System
http://go.microsoft.com/fwlink/?LinkID=511958

Managing Images Using Microsoft Azure PowerShell

There are several cmdlets available in Microsoft Azure PowerShell to help you create and manage images in Microsoft Azure:

• Get-AzureVMImage returns a list of the images that are available for your subscription, including those provided with Microsoft Azure and your own custom images.
• Save-AzureVMImage is the cmdlet that captures virtual machines as generalized images.
• Remove-AzureVMImage deletes an image, but it does not delete any virtual machines created from the image.

For more information on managing images with Microsoft Azure PowerShell, see:
Manage Images using Windows PowerShell
http://go.microsoft.com/fwlink/?LinkID=511959
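The capture procedures described above (sysprep for Windows Server, waagent for Linux) end with a portal Capture step; the same step can be driven from PowerShell with Save-AzureVMImage. The script below is an added example, not course code: $service and $vmname are assumed names for a VM that has already been generalized inside the guest and shut down.

```powershell
# Added example (not course code): capture a generalized VM as a reusable image and verify it.
# Assumptions: $service and $vmname are placeholder names; the guest OS was already sysprepped
# (Windows) or deprovisioned with waagent (Linux) and the VM is stopped.
$service   = "adatumwebsvc"   # assumed cloud service name
$vmname    = "WebVM1"         # assumed VM name
$imageName = "adatum-web-base-" + (Get-Date -Format "yyyyMMdd")

# Refuse to capture a running VM: an OS that was not generalized and shut down produces a specialized
# copy (same SID, host name and credentials) that must not be used as a template for new VMs
$vm = Get-AzureVM -ServiceName $service -Name $vmname
if ($vm.PowerState -ne "Stopped") {
    throw "VM $vmname is in state '$($vm.PowerState)'; generalize it (sysprep / waagent -deprovision) and stop it first."
}

# -OSState Generalized records that the OS was generalized, so the image can provision new VMs.
# Azure removes the source VM once a generalized image has been captured from it.
Save-AzureVMImage -ServiceName $service -Name $vmname -ImageName $imageName `
    -ImageLabel "A. Datum web tier base image" -OSState Generalized

# Custom images are listed together with the gallery images; filter on the name to confirm the capture
$captured = Get-AzureVMImage | Where-Object { $_.ImageName -eq $imageName }
if (-not $captured) { throw "Image $imageName was not found after capture." }
$captured | Select-Object ImageName, OS, Category, LogicalSizeInGB, CreatedTime
```

New VMs can now be created from $imageName with New-AzureQuickVM or New-AzureVMConfig exactly as from a gallery image name.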

Lab: Implementing Virtual Machines


Scenario


As part of the planning for Microsoft Azure, A. Datum needs to understand its requirements for virtual machine workloads; you have been asked to determine the virtual machines that will be needed to run two intranet web applications, together with their sizes and locations. One application is a simple expense-reporting application that runs on Windows and IIS, and uses SQL Server to store data. The other application is for pool car booking and runs on Linux and Apache and uses MySQL to store data. You will then deploy and configure Windows and Linux VMs.

Objectives
After completing this lab, you will be able to:

• Deploy Windows virtual machines in Microsoft Azure.
• Deploy Linux virtual machines in Microsoft Azure.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Deploying Windows Virtual Machines


The main tasks for this exercise are as follows:
1. Deploy a Custom Windows Virtual Machine
2. Deploy a Windows Virtual Machine in Microsoft Azure PowerShell

Task 1: Deploy a Custom Windows Virtual Machine


1. In Internet Explorer, sign into the new Azure Preview Portal using the Microsoft account that is associated with your Azure subscription.

2. Create a new Windows-based virtual machine with the following settings:
   o Image: latest Windows Server 2012 R2 Datacenter image
   o Host name: WebVM1
   o User name: Student
   o Password: Pa$$w0rd123
   o Virtual network: existing ADATUM-HQ-VNET virtual network

Note: At the time of writing, there appears to be a bug with the Azure Preview Portal, where the NOTIFICATIONS list shows the virtual machine provisioning process lasting indefinitely. The Startboard may also fail to update; the fix is to switch to the Full Portal, which does correctly show the status of VM provisioning.

Task 2: Deploy a Windows Virtual Machine in Microsoft Azure PowerShell


1. Start the Microsoft Azure PowerShell interactive scripting environment (ISE) as Administrator.

2. Add your Azure account to the local PowerShell environment by using Azure AD authentication.

3. Use the code snippets in D:\Labfiles\Lab03\Starter\ExampleCommands.ps1 to help you during this exercise.

4. Find the latest virtual machine image for Windows Server 2012 Datacenter.

5. Use Microsoft Azure PowerShell to create a new virtual machine with the following settings:
   o Service and VM Name: WebVM2
   o VM image: latest Windows Server 2012 R2 Datacenter image
   o Administrator: Student
   o Password: Pa$$w0rd123

Results: After completing this exercise, you will have:

• Deployed a custom Windows virtual machine using the Preview Portal.
• Deployed a Windows virtual machine using Windows PowerShell.

Exercise 2: Deploying Linux Virtual Machines


The main tasks for this exercise are as follows:
1. Deploy a Custom Linux Virtual Machine
2. Configure SSH
3. Reset the Environment

Task 1: Deploy a Custom Linux Virtual Machine


1. In the Microsoft Azure PowerShell ISE, create a new virtual machine with the following settings:
   o Service Name: a unique cloud service name
   o VM name: LinuxVM1
   o VM Image: the latest SUSE Linux Enterprise Server 11 SP3 image
   o Linux User: LinuxUser
   o Admin Password: Pa$$w0rd123

2. Use the code snippets in D:\Labfiles\Lab03\Starter\ExampleCommands.ps1 to help you during this exercise.

Task 2: Configure SSH


1. In Internet Explorer, browse to the download page for PuTTY, and download the putty.exe file for Windows on Intel x86 platforms.

2. Using the new Azure Preview Portal, determine the host name and port number for the new Linux virtual machine, LinuxVM1.

3. Open the PuTTY client and connect to the LinuxVM1 virtual machine using the following credentials:
   o User: LinuxUser
   o Password: Pa$$w0rd123

Module 4
Managing Virtual Machines
Contents:
Module Overview 4-1
Lesson 1: Configuring Virtual Machines 4-2
Lesson 2: Managing and Configuring Virtual Machine Disks 4-12
Lesson 3: Managing and Monitoring Virtual Machines 4-19
Lab: Managing Virtual Machines 4-31
Module Review and Takeaways 4-36

Module Overview

Creating virtual machines (VMs) is the first step in deploying an Azure environment, but equally important
is understanding the options for configuring and then monitoring VMs. Configuration and management
are essential in delivering secure, available and scalable solutions. Azure provides highly flexible options
for all three of these requirements, but simply leaving systems at default settings seldom delivers the best
solution, for security, availability, or scalability.

In this module you will see some of the configuration, security, and monitoring options available for Azure
administrators.

Objectives
After completing this module, you will be able to:

• Configure virtual machine IP addresses, availability, scalability, and security.
• Manage and configure virtual machine disks.
• Manage and monitor virtual machines.

Lesson 1
Configuring Virtual Machines

Virtual machines are the basis of Microsoft Azure and provide support for the platform's implementation of Infrastructure as a Service (IaaS). In this lesson, you will look at the different configuration options that you can control, such as IP addresses, along with storage, availability, scalability, and security architectures and settings.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the implementation of public and private IP addressing in Azure virtual machines.
• Configure IP addresses for Azure virtual machines.
• Explain the options for configuring VMs for availability.
• Explain the options for configuring VMs for scalability.
• Outline the options for configuring virtual machine security.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Microsoft Azure services you will use in
the lab will be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure, to
prepare the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab.
For this lab, Setup-Azure creates a storage account in the Azure region you select. It then creates a virtual
network (ADATUM-HQ-VNET), then creates 2 VMs (one a regular Windows server, and one with SQL
Server), then uploads a VHD (and makes copies) to Azure, and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.

Demonstration Steps
Sign in to your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Microsoft Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.

5. If you are prompted for credentials, sign in using the Microsoft account that is associated with your Microsoft Azure subscription.

Prepare the Microsoft Azure Environment


1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:
Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.

6. When prompted, enter the Azure region to use (do not use East Asia), and then press Enter.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take 30-40 minutes to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
At the end of setup, you should have the following:

• A uniquely named storage account.
• A virtual network named ADATUM-HQ-VNET (10.0.1.0/24).
• An Azure DNS named ADATUM-DNS at 10.0.1.4.
• A VM called WebVM1, running IIS.
• A VM called WebVM2, running IIS.


Overview of VM IP Addressing
In Module 3, IP addressing for IaaS cloud services
was discussed, and you saw how you can
communicate with a virtual machine by using
endpoints. You will now see how IP addresses are
assigned to individual virtual machines.

Dynamic IP Addresses
By default, a new Azure virtual machine is
automatically deployed with a single virtual NIC
(vNIC), and with a single dynamic IP (DIP) address.
The DIP address is randomly assigned by Azure,
from available addresses for that cloud service. If
you wish to use specific IP address ranges, you can
use VNets.


If you use VNets to assign IP addresses from a subnet during VM deployment, the first VM to be created will get the first available IP address from the subnet. For example, for the address range 10.0.0.0/11, the first available IP address is 10.0.0.4 (as Azure reserves 10.0.0.1, 10.0.0.2, and 10.0.0.3, and 10.0.0.0 is not available for assignment). In this example, the second VM to be deployed will get 10.0.0.5, and so on. So, if using VNets to assign dynamic addresses, you do control the address range, but the only way to predict the IP address for each VM is by knowing the order of VM deployment.
If you use the Stop-AzureVM cmdlet, or if you shut down a VM from the portal, the VM will enter the Stopped (Deallocated) state, and will lose its IP address unless you used VNets to assign IP addresses from a subnet during deployment.

Static IP Addresses

An organization typically requires static internal IP addresses on VMs that are running IP address sensitive services, such as domain controllers or DNS servers. By contrast to a DIP address, a static IP is maintained for a VM even when the VM is in the Stopped (Deallocated) state. Azure supports the assignment of static IP addresses for VNets by using Azure PowerShell; these cmdlets are described in the next topic.
Important: Both dynamic and static IP addresses are primarily concerned with
communications within the IaaS cloud service. For communication between external networks
and Azure, additional addressing mechanisms must be taken into account, such as VPNs, as
discussed in Module 2.

Instance-level Public IP Addresses


If you want to be able to connect to a VM from outside the cloud service, by an IP address assigned
directly to it, rather than by using the cloud service VIP:<portnumber>, you can use instance-level
Public IP Addressing (PIP).

PIP addresses are assigned using Azure PowerShell (currently), and are subject to the same address limits
as for the reserved VIP addresses discussed in Module 3; for example, up to five addresses are available
with a standard Azure subscription; PIP addresses also have a billable cost. Note that, unlike reserved VIP
addresses, PIP addresses cannot be reserved; if the VM enters the Stopped (Deallocated) state, the PIP
address is not retained.

Typical usage scenarios for PIPs include:

• Passive FTP: using a PIP, the VM can receive traffic on just about any port; you will not have to open up a specific endpoint to receive traffic. This enables scenarios like passive FTP where the ports are chosen dynamically.
• Outbound IP: outbound traffic originating from the VM goes out with the PIP as the source, and this uniquely identifies the VM to external entities.

The assignment of PIP addresses by using Azure PowerShell is described in the next topic.

Configuring VM IP Addressing
The method used to assign an IP address to an
Azure virtual machine varies, depending on the
type of address required.

Configuring DIP
No configuration is needed for VMs to get internal
IP addresses using DIP, unless you are using VNets;
configuring addresses using VNets is discussed in
Module 2 of this course.

Configuring Static Internal IP Addresses

A static IP can be requested, either when a new VM is created, or by updating an existing VM configuration. This is a request, rather than a guaranteed allocation, and the IP address is set by Azure and not within the VM itself. The administrator should check that the required IP address is available by running the Azure PowerShell cmdlet Test-AzureStaticVNetIP for the VNet.
To request a static IP address when creating a VM or by updating a currently existing VM, you can use the Set-AzureStaticVNetIP Azure PowerShell cmdlet.
If a VM has a static IP address, this must be removed, before a new static IP address is assigned, by using the Remove-AzureStaticVNetIP cmdlet.

You can specify a static IP address when creating a new virtual machine; you must first ensure that the
address you are specifying is within the VNet subnet you are using, and that the address is not already in
use. The following example shows 10.0.1.4, from the subnet defined in $subnet, being assigned during
deployment:
Specifying a static internal IP address when creating a VM

New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $image | Set-AzureSubnet -SubnetNames $subnet | Set-AzureStaticVNetIP -IPAddress 10.0.1.4 | New-AzureVM -ServiceName $service -VNetName $vnet


You can set a static IP address for a previously created VM, by using Update-AzureVM. Update-AzureVM automatically restarts the VM as part of the update process, and the address that you specify will be assigned after the VM restarts. The following example shows 10.0.1.4 being assigned to the VM name defined in $vmname:
Assigning a static internal IP address for a previously created VM

Get-AzureVM -ServiceName $service -Name $vmname | Set-AzureStaticVNetIP -IPAddress 10.0.1.4 | Update-AzureVM

It is good practice to separate the VMs that have static IP addresses from those using dynamic addressing
(and from any PaaS instances) in the same virtual network, by creating a separate subnet for the VMs and
deploying them to that subnet. This configuration enables you to readily identify VMs with static IP
addresses.
For more information, see Configure a Static Internal Address for a VM:
http://go.microsoft.com/fwlink/?LinkID=522631
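The availability check and the remove-before-reassign rule described above, combined into one script, as an added example that is not course code. The VNet, cloud service and VM names and the requested address are assumed values.

```powershell
# Added example (not course code): request a static internal IP for an existing VM only after Azure
# confirms it is free on the VNet, and clear any previous static assignment first. All names are assumed.
$vnet    = "ADATUM-HQ-VNET"   # the course VNet (10.0.1.0/24), assumed to exist
$service = "adatumwebsvc"     # assumed cloud service name
$vmname  = "WebVM1"           # assumed VM name
$wanted  = "10.0.1.10"        # preferred address (the first three host addresses are reserved by Azure)

# Test-AzureStaticVNetIP reports whether the address is free and, if not, lists alternatives
$check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $wanted
if ($check.IsAvailable) {
    $target = $wanted
} elseif ($check.AvailableAddresses.Count -gt 0) {
    $target = $check.AvailableAddresses[0]
    Write-Warning "$wanted is already in use on $vnet; falling back to $target"
} else {
    throw "No static address available on $vnet near $wanted"
}

$vm = Get-AzureVM -ServiceName $service -Name $vmname

# A VM that already holds a static IP must give it up before a different one can be requested
if ($vm | Get-AzureStaticVNetIP) {
    $vm = $vm | Remove-AzureStaticVNetIP
}

# Update-AzureVM restarts the VM; the requested address takes effect when it comes back up
$vm | Set-AzureStaticVNetIP -IPAddress $target | Update-AzureVM

# Confirm the result: the internal address reported by Get-AzureVM should now equal the static request
$after = Get-AzureVM -ServiceName $service -Name $vmname
"{0} internal IP: {1}; static request: {2}" -f $vmname, $after.IpAddress, ($after | Get-AzureStaticVNetIP).IPAddress
```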

Configuring Instance-level Public IP Addresses

To assign a PIP either at VM creation, or as a post-configuration step, you use the Set-AzurePublicIP -PublicIPName "<name>" cmdlet. Azure will then assign an available IP address; this address will be lost when the virtual machine enters the Stopped (Deallocated) state so that, when the VM starts again, it will get a new PIP.
You can specify a PIP address when creating a new virtual machine; the following example shows a PIP,
with the name defined in $PublicIP being assigned to the VM name defined in $vmname during
deployment:
Specifying a PIP address when creating a VM
New-AzureVMConfig -Name $vmname -InstanceSize $instance -ImageName $image | Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password | Set-AzurePublicIP -PublicIPName $PublicIP | New-AzureVM -ServiceName $service

You can set a PIP address for a previously created VM, by using Update-AzureVM. Update-AzureVM
automatically restarts the VM as part of the update process, and the address will be assigned after the VM
restarts. The following example shows a new PIP, with the name defined in $PublicIP, being assigned to
the VM name defined in $vmname:
Assigning a PIP address for a previously created VM

Get-AzureVM -ServiceName $service -Name $vmname | Set-AzurePublicIP -PublicIPName $PublicIP | Update-AzureVM


Configuring VM Availability
Just like on-premises deployments, administrators
must design their Azure deployment to ensure
service availability, against planned and unplanned
maintenance events. Azure offers Availability Sets
as part of a well-designed approach to
maintaining service availability.
When designing an Azure VM environment, you should:

• Configure multiple virtual machines in an Availability Set for redundancy.
• Configure each application tier into separate Availability Sets.
• Combine the Load Balancer with Availability Sets.
• Avoid single instance virtual machines in Availability Sets.

An Availability Set is a logical grouping of two or more VMs. Each virtual machine in an Availability Set is
automatically assigned an Update Domain and a Fault Domain.

Update Domains

An Availability Set consists of up to five non-user-configurable Update Domains (by default) to which VMs
are assigned; by modifying the service definition (.csdef) file, it is possible to configure a maximum of 20
Update Domains. Each Update Domain contains a set of virtual machines and associated physical
hardware that can be updated and rebooted at the same time.
When more than five virtual machines are configured within a single Availability Set, the sixth virtual
machine will be placed into the same Update Domain as the first virtual machine, the seventh in the same
Update Domain as the second virtual machine, and so on. During planned maintenance, only one Update
Domain is rebooted at a time.

Fault Domains

Fault Domains define a group of virtual machines that share a common set of hardware, such as a server
rack serviced by a set of power or networking switches. VMs in an Availability Set are placed across two
Fault Domains. This placing of VMs in Availability Sets mitigates against the effects of hardware failures,
network outages, power interruptions, or software updates.

By placing common application servers, such as web or database servers in function-based Availability
Sets and then using load balancing (discussed in the next topic), you can protect each service and enable
traffic to be continuously served by at least one instance of each service.

Configuring VM Scalability

Microsoft Azure includes three types of load balancing:

• Traffic Manager load balancing, which load-balances external traffic across multiple externally-facing VMs, cloud services, or website instances.

• Microsoft Azure load balancing, which automatically load-balances specific traffic types between multiple VM endpoints or cloud services.

• Internal load balancer, which load-balances internal network traffic, such as front-end to middle tier transactions.

Traffic Manager Load Balancing

By default, Traffic Manager uses DNS-level load balancing (round-robin) to distribute requests across different cloud services located in different data centers. You can even distribute traffic across different subscriptions, although this configuration is not supported and would only work with anonymous requests. With the new nested profiles, weighted round-robin feature, and support for external endpoints, you can use Azure PowerShell or REST API commands to create flexible load balancing schemes, such as always distributing traffic to the region closest to an application's end-user.

Azure Load Balancing

Azure Load Balancing is an automatic feature that maps a single public IP address and port number of
incoming traffic to the private IP addresses and port numbers of a set of VMs, known as a load-balanced
set.

To configure Azure load balancing across VMs in a cloud service, you must create the load-balanced set,
and include in this set all the VMs that you wish to respond to external requests to a particular public IP
address and port number. VMs and services within the cloud service listen on their private IP address and
private port; the Azure Load Balancer, therefore, maps the public IP address and port number of incoming
traffic to the private IP address and port number of one VM in the set, and reverses this for the response
traffic from the VM.
By default, Azure provides random distribution of the incoming traffic. Traffic is distributed between the VMs in the load-balanced set by calculating a hash value of the following client values:

• Source IP address
• Destination IP address
• Protocol (TCP or UDP)
• Source port
• Destination port

This value is mapped to an available VM in the set. All the packets from the same connection map to the same server in the set.

With the new source IP affinity distribution mode (also known as session affinity or client IP affinity), the
Azure Load Balancer can be configured to use either Source IP + Destination IP, or Source IP +
Destination IP + Protocol to map traffic to available servers. Source IP affinity ensures that connections
initiated from the same client computer always go to the same DIP endpoint; without source IP affinity,
when a client closes and re-opens a connection, or starts a new session from the same source IP, the
source port changes and may be directed to a different DIP endpoint.
For more information on the steps necessary to configure Azure load-balancing, see:
Configure a load-balanced set
http://go.microsoft.com/fwlink/?LinkID=511712.
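The following Azure PowerShell script is an added example, not code from the course or from Microsoft. It puts the two design points above together: two web VMs placed in one Availability Set and published through a single load-balanced set with a health probe, using the source IP affinity mode just described. The cloud service name, region, image name, admin user name and the names WebAS and WebLB are assumptions; -LoadBalancerDistribution requires an Azure PowerShell module recent enough to include that parameter.

```powershell
# Added example, not part of the course text. Assumed values: cloud service,
# region, image name, admin user, and the names WebAS (Availability Set) and
# WebLB (load-balanced set).
$service  = "web-lb-demo"                      # assumed; must be globally unique
$location = "West Europe"                      # assumed
$image    = "<windows-server-image-name>"      # placeholder; Get-AzureVMImage lists real names
$admin    = "webadmin"                         # assumed
$password = Read-Host -Prompt "Admin password" # prompt rather than store it in the script

# One VM config per web server. -AvailabilitySetName puts both into the same
# Availability Set, so Azure spreads them over separate Update and Fault Domains.
# The shared -LBSetName turns the two port-80 endpoints into one load-balanced set
# on the cloud service's public IP; the HTTP probe drops a VM from rotation when it
# stops answering. -LoadBalancerDistribution sourceIP selects the Source IP +
# Destination IP affinity mode (the default is the 5-tuple hash described above).
$vms = foreach ($i in 1, 2) {
    New-AzureVMConfig -Name "web$i" -InstanceSize Small -ImageName $image `
                      -AvailabilitySetName "WebAS" |
      Add-AzureProvisioningConfig -Windows -AdminUsername $admin -Password $password |
      Add-AzureEndpoint -Name "http" -Protocol tcp -LocalPort 80 -PublicPort 80 `
                        -LBSetName "WebLB" -ProbeProtocol http -ProbePort 80 -ProbePath "/" `
                        -LoadBalancerDistribution sourceIP
}

# A single call creates the cloud service and both VMs.
New-AzureVM -ServiceName $service -Location $location -VMs $vms

# Check 1: each VM landed in a different Update (upgrade) Domain and Fault Domain.
Get-AzureRole -ServiceName $service -InstanceDetails |
  Select-Object InstanceName, InstanceUpgradeDomain, InstanceFaultDomain

# Check 2: both endpoints report the same load-balanced set and probe.
foreach ($i in 1, 2) {
    Get-AzureVM -ServiceName $service -Name "web$i" | Get-AzureEndpoint |
      Select-Object @{ n = "VM"; e = { "web$i" } }, Name, LBSetName, ProbeProtocol, ProbePort
}
```

If the two checks show both VMs in the same Fault Domain, the Availability Set was not applied (for example because the VMs were created in separate calls without -AvailabilitySetName); fix that before relying on the set for maintenance resilience.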

Internal Load Balancing


Azure also supports internal load balancing of traffic between:

• VMs within a cloud service.
• Cloud services within a virtual network.
• On-premises computers, and VMs in a cloud service in a cross-premises virtual network.

Administrators can create endpoints through the full portal or by using the Azure PowerShell cmdlet
Add-AzureEndpoint.
For more information on scenario-based examples for internal load balancing, see:
Internal load balancing
http://go.microsoft.com/fwlink/?LinkID=511713

Direct Server Return

One potential issue with load balancing is the potential for the Azure load balancer to become a
bottleneck. This can be the case with a large number of requests in high traffic environments. An
administrator can configure a load-balanced set to provide Direct Server Return. This enables the server
that is servicing a client request to respond directly to the client. This means that the load balancer is free
to handle new requests, rather than responses. Direct Server Return is commonly implemented for UDP
requests for video or audio, as these real-time applications are susceptible to network delays.
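The following script is an added example for the two topics above (internal load balancing and Direct Server Return), not code from the course or from Microsoft. It assumes a regional VNet named ProdVNet with a Backend subnet, a cloud service app-svc that already contains VMs sql1, sql2 and media1, a free static address 10.0.2.10 in that subnet, and a TCP health port 5005 on media1; all of these are assumptions.

```powershell
# Added example, not part of the course text. Assumed: VNet "ProdVNet" with
# subnet "Backend", cloud service "app-svc" holding VMs sql1, sql2 and media1,
# and the static address 10.0.2.10 being free in the subnet.
$service = "app-svc"

# 1. Create the internal load balancer inside the cloud service. It receives a
#    private address from the Backend subnet; nothing is exposed to the Internet.
Add-AzureInternalLoadBalancer -InternalLoadBalancerName "SqlILB" -ServiceName $service `
    -SubnetName "Backend" -StaticVNetIPAddress "10.0.2.10"

# 2. Give each back-end VM an endpoint that belongs to the ILB rather than to the
#    public VIP. The TCP probe on 1433 takes an instance out of rotation when it
#    stops accepting connections.
foreach ($name in "sql1", "sql2") {
    Get-AzureVM -ServiceName $service -Name $name |
      Add-AzureEndpoint -Name "sql" -Protocol tcp -LocalPort 1433 -PublicPort 1433 `
          -LBSetName "SqlLB" -ProbeProtocol tcp -ProbePort 1433 `
          -InternalLoadBalancerName "SqlILB" |
      Update-AzureVM
}

# 3. Direct Server Return on a separate, external UDP endpoint: the VM answers
#    the client directly, so the load balancer only carries inbound packets.
#    DSR is chosen when the endpoint is created. Because replies leave the VM
#    with the public VIP as source, the guest must be configured to own that
#    address (on Windows, a loopback adapter carrying the VIP).
Get-AzureVM -ServiceName $service -Name "media1" |
  Add-AzureEndpoint -Name "rtp" -Protocol udp -LocalPort 5004 -PublicPort 5004 `
      -LBSetName "MediaLB" -ProbeProtocol tcp -ProbePort 5005 -DirectServerReturn $true |
  Update-AzureVM

# Check: the ILB's private address, and which endpoints are bound to it.
Get-AzureInternalLoadBalancer -ServiceName $service
Get-AzureVM -ServiceName $service -Name "sql1" | Get-AzureEndpoint |
  Select-Object Name, LBSetName, ProbeProtocol, InternalLoadBalancerName
```

Front-end VMs in the same VNet reach the database tier through 10.0.2.10:1433; no public endpoint for SQL exists, which is the point of using the internal load balancer for a middle or data tier.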

Configuring Virtual Machine Security


In addition to the Network ACLs discussed in
Module 3, there are several other security
configurations that should be considered when
deploying Azure virtual machines.

Network Security Groups


Network security groups (NSGs) can be used to control traffic to virtual machines in a virtual network. NSGs contain access control rules that allow or deny traffic to specific VMs, or to all the VMs in a subnet within a VNet. NSGs require a regional VNet, and are not compatible with VNets associated with an affinity group. You cannot associate Network ACLs and NSGs with the same VM.

For more information on NSGs, see:


About Network Security Groups
http://go.microsoft.com/fwlink/?LinkID=522632
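The following Azure PowerShell script is an added example, not from the course or from Microsoft. It creates an NSG with a small allow-list, binds it to a subnet, and then prints the effective rule table. The VNet name ProdVNet, the subnet FrontEnd, the region, the service web-svc and VM web1, and the management range 203.0.113.0/24 (a documentation prefix) are assumptions.

```powershell
# Added example, not part of the course text. Assumed: regional VNet "ProdVNet"
# with subnet "FrontEnd" in West Europe; VM "web1" in cloud service "web-svc";
# 203.0.113.0/24 stands in for the corporate management range.
$nsgName = "NSG-FrontEnd"

# Create the group. A new NSG already carries the platform default rules (allow
# VNet and Azure load balancer traffic inbound, deny all other inbound), so only
# the explicit exceptions below have to be added.
New-AzureNetworkSecurityGroup -Name $nsgName -Location "West Europe" -Label "Front-end web subnet"

# Allow HTTPS from the Internet. Lower priority numbers win; 100-4096 is the
# range available for custom rules, the default rules sit far above it.
Get-AzureNetworkSecurityGroup -Name $nsgName |
  Set-AzureNetworkSecurityRule -Name "Allow-HTTPS-In" -Type Inbound -Priority 100 -Action Allow `
      -SourceAddressPrefix "INTERNET" -SourcePortRange "*" `
      -DestinationAddressPrefix "*" -DestinationPortRange "443" -Protocol TCP

# Allow RDP only from the management range, not from the whole Internet.
Get-AzureNetworkSecurityGroup -Name $nsgName |
  Set-AzureNetworkSecurityRule -Name "Allow-RDP-Mgmt" -Type Inbound -Priority 110 -Action Allow `
      -SourceAddressPrefix "203.0.113.0/24" -SourcePortRange "*" `
      -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP

# An explicit deny for everything else from the Internet, placed above the allows
# but below the defaults, so the intent survives later rule edits.
Get-AzureNetworkSecurityGroup -Name $nsgName |
  Set-AzureNetworkSecurityRule -Name "Deny-Internet-In" -Type Inbound -Priority 4000 -Action Deny `
      -SourceAddressPrefix "INTERNET" -SourcePortRange "*" `
      -DestinationAddressPrefix "*" -DestinationPortRange "*" -Protocol "*"

# Bind to the subnet: every VM in FrontEnd is filtered without per-VM changes.
Set-AzureNetworkSecurityGroupToSubnet -Name $nsgName -VirtualNetworkName "ProdVNet" -SubnetName "FrontEnd"

# Alternative: bind the same NSG to one VM only (remember that a VM with an NSG
# cannot also carry endpoint Network ACLs).
# Get-AzureVM -ServiceName "web-svc" -Name "web1" |
#   Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName $nsgName | Update-AzureVM

# Review the effective rule table, default rules included, in evaluation order.
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed |
  Select-Object -ExpandProperty Rules |
  Sort-Object Type, Priority |
  Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The printed table is the thing to keep in change records: it shows, for each direction, which rule wins for a given source and port, and makes an accidental broad allow visible before it is bound to the subnet.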

Firewall Rules

Firewall rules allow or deny connections through the host VM firewall. You can define VM firewall rules by configuring the Windows Firewall with Advanced Security settings on individual VMs, either manually or by using group policies.

For RDP, Remote PowerShell, and SSH, the configuration of access through the firewall is automatic. For other endpoints, you must configure firewall access manually. So, if you set up another endpoint, such as SMTP, then you must manually open port 25 on the VM's firewall to publish that service. You will also need to reconfigure the firewall if the default port numbers of the automatically configured services are changed.
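The following is an added example, not from the course or from Microsoft, of the SMTP case just described: the Azure endpoint is created from the administrator's workstation, and the matching host firewall rule is added inside the VM. The VM mail1, the cloud service mail-svc and the relay address 203.0.113.25 (a documentation address) are assumptions. The endpoint ACL restricts who can reach port 25 at the platform edge, and the firewall rule repeats the restriction on the host.

```powershell
# Added example, not part of the course text. Assumed: Windows VM "mail1" in
# cloud service "mail-svc"; only the upstream relay 203.0.113.25 may use port 25.

# --- Part 1: run from Azure PowerShell on the administrator's workstation ---
# Publish port 25 on the cloud service, but fence the endpoint with an ACL so the
# Internet at large cannot reach it. Rules are evaluated in ascending Order.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit -RemoteSubnet "203.0.113.25/32" -Description "Upstream relay"
Set-AzureAclConfig -AddRule -ACL $acl -Order 200 -Action Deny   -RemoteSubnet "0.0.0.0/0"       -Description "Everything else"

Get-AzureVM -ServiceName "mail-svc" -Name "mail1" |
  Add-AzureEndpoint -Name "smtp" -Protocol tcp -LocalPort 25 -PublicPort 25 -ACL $acl |
  Update-AzureVM

# Confirm the ACL is attached to the endpoint.
Get-AzureVM -ServiceName "mail-svc" -Name "mail1" | Get-AzureEndpoint -Name "smtp" |
  Select-Object Name, PublicPort, LocalPort, @{ n = "AclRules"; e = { $_.Acl.Count } }

# --- Part 2: run inside the VM (RDP or Remote PowerShell session) ---
# The endpoint alone is not enough: unlike RDP, WinRM and SSH, Azure does not
# open custom ports in Windows Firewall. Mirror the same source restriction on
# the host firewall so the two layers agree.
New-NetFirewallRule -DisplayName "Allow SMTP from relay" -Direction Inbound -Protocol TCP `
    -LocalPort 25 -RemoteAddress "203.0.113.25" -Action Allow -Profile Any

# Check: rule present and enabled.
Get-NetFirewallRule -DisplayName "Allow SMTP from relay" |
  Select-Object DisplayName, Enabled, Direction, Action
```

Because NSGs and endpoint ACLs cannot be combined on one VM, a VM that already sits behind an NSG should get the equivalent source restriction as an NSG rule instead of the ACL shown in Part 1.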

Certificates

By default, RDP and Remote PowerShell are secured using self-signed certificates. If you wish to use certificates linked to a trusted certificate authority, one approach is to deploy a Remote Desktop Gateway, and secure RDP connections through the gateway, using your own certificate. You could also use PowerShell to deploy a certificate to a VM during VM deployment. Although secure, one potential disadvantage of these approaches is that the certificate would need to be installed on the client computers that will be used as RDP clients. By contrast, the default self-signed certificates do not require installation, but will generate a dialog box saying, "The publisher of this remote connection cannot be identified. Do you want to continue anyway?"

For Linux-based VMs, exposing SSH to the Internet from the cloud can present a security weakness. In addition to configuring unique user IDs (not root or admin), the endpoint should be configured for private key/certificate-based SSH authentication. The Azure Management Portal accepts SSH public keys encapsulated in an X.509 certificate.
For more information on how to generate and deploy certificates for SSH, see:
How to Use SSH with Linux on Azure
http://go.microsoft.com/fwlink/?LinkID=511722

Deployment of certificates and SSH keys into new VMs can be scripted with Azure PowerShell. The Azure PowerShell cmdlets for certificate management include:

• Add-AzureCertificate
• Get-AzureCertificate
• Remove-AzureCertificate
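The following is an added example, not from the course or from Microsoft, that uses the three cmdlets above and then provisions a Linux VM whose SSH login is key-based only. The cloud service names, the file paths, the Linux user name and the image name are assumptions, and the -NoSSHPassword switch is assumed to be present in the Azure PowerShell module in use. The .cer file is assumed to already contain the SSH public key wrapped in an X.509 certificate, as the portal requires.

```powershell
# Added example, not part of the course text. Assumed: cloud service "web-svc";
# a PFX from your own CA at C:\certs\rdp-gateway.pfx; an X.509 certificate that
# wraps the Linux admin's SSH public key at C:\keys\azureadmin.cer.
$service = "web-svc"

# 1. Upload a certificate with private key to the cloud service certificate store.
#    Read-Host keeps the PFX password out of the script file and shell history.
$pfxPassword = Read-Host -Prompt "PFX password"
Add-AzureCertificate -ServiceName $service -CertToDeploy "C:\certs\rdp-gateway.pfx" -Password $pfxPassword

# 2. Inventory what is installed; remove by thumbprint when a certificate is retired.
Get-AzureCertificate -ServiceName $service | Select-Object Thumbprint, ThumbprintAlgorithm
# Remove-AzureCertificate -ServiceName $service -Thumbprint "<thumbprint>" -ThumbprintAlgorithm sha1

# 3. Linux VM with key-based SSH only. The service must exist before the key
#    certificate can be uploaded to it.
$linuxService = "linux-svc"                  # assumed
New-AzureService -ServiceName $linuxService -Location "West Europe"
Add-AzureCertificate -ServiceName $linuxService -CertToDeploy "C:\keys\azureadmin.cer"

# The fingerprint Azure wants is the thumbprint of the certificate just uploaded;
# provisioning places the embedded public key at the given authorized_keys path.
$thumb  = Get-AzureCertificate -ServiceName $linuxService |
            Select-Object -First 1 -ExpandProperty Thumbprint
$sshKey = New-AzureSSHKey -PublicKey -Fingerprint $thumb -Path "/home/azureadmin/.ssh/authorized_keys"

New-AzureVMConfig -Name "linux1" -InstanceSize Small -ImageName "<linux-image-name>" |
  Add-AzureProvisioningConfig -Linux -LinuxUser "azureadmin" -SSHPublicKeys $sshKey -NoSSHPassword |
  New-AzureVM -ServiceName $linuxService

# Check: the SSH endpoint exists (port 22 on the VM side) and the key is registered.
Get-AzureVM -ServiceName $linuxService -Name "linux1" | Get-AzureEndpoint |
  Select-Object Name, Protocol, PublicPort, LocalPort
```

The VM is created with a non-root user and no SSH password, so the only way in is with the private key that matches the uploaded certificate; combine this with an NSG or endpoint ACL so that port 22 is reachable from management addresses only.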

Encryption

Windows Azure provides highly secure environments and rigorous security governance for customer data
protection. However, customers should still consider encryption for highly sensitive data. BitLocker is only
supported on data disks in Azure VMs, not on the OS disk. Microsoft is working with partners to deliver
secured data with BitLocker-like technologies, such as CloudLink, which supports a fully automated start
up from an encrypted volume.
For more information on protecting Azure storage, see:
Protecting Data in Microsoft Azure
http://go.microsoft.com/fwlink/?LinkID=398382
For more information on CloudLink, see:
Azure Virtual Machine Disk Encryption using CloudLink
http://go.microsoft.com/fwlink/?LinkID=511715

Lesson 2

Managing and Configuring Virtual Machine Disks


Azure virtual machines use several types of disk, for operating systems, for data, and for temporary
storage.

In this lesson you will see the types of disk used by virtual machines, and how to manage and configure
these disks. You will also see how to attach new and existing disks to virtual machines, and how to import
and export large amounts of data to and from Azure.

Lesson Objectives
After completing this lesson, you will be able to:

• List the types of disk used by virtual machines.
• Manage and configure virtual machine disks.
• Describe how administrators add new disks to virtual machines.
• Attach new and existing disks to virtual machines.
• Import and export data disks.

Overview of Virtual Machine Disks


Drives, disks, and images that you attach to VMs are all stored as Virtual Hard Disks (VHDs) within a storage account. A Storage Account is a namespace that identifies a storage area, which can include Binary Large Objects (blobs), table, and queue storage. You can create a Storage Account through the Preview Portal, the Microsoft Azure Management portal, or programmatically, for example by using Windows PowerShell Azure management cmdlets.

VHDs within storage accounts are managed as blobs. Azure hosts two types of blobs: block blobs, which are typically used for large single files such as videos of up to 200 GB, and page blobs. Page blobs are files of up to 1 TB that consist of 512-byte pages and are optimized for random read-write access.
Azure supports three types of disk:

• OS disks
  o One per VM
  o Appears to VM as a SATA drive
  o Labeled as C: drive
  o Maximum capacity 127 GB

• Temporary disks
  o Labeled as D: drive
  o Size varies depending on tier size used
  o Provides temporary, non-persistent storage (for example, page files)
  o Not suitable for storing data

• Data disks
  o VHD that can be attached to a VM
  o Provides persistent storage (for example, application data, file data)
  o Maximum size is 1 TB
  o Appears to VM as a SCSI drive
  o You choose an available drive letter
  o Maximum number of data disks that can be attached is determined by the size of the VM

OS and data disks are both implemented as blob storage in a storage account; however, OS disks and
data disks appear to the VM operating system as SATA and SCSI respectively. Temporary disks are
implemented as local storage.
Note: Another storage option for Azure VMs is Windows Azure Files (currently in preview).
Windows Azure Files allows Azure VMs to mount a shared file system using the SMB protocol,
and provides a way to share files between VMs.

Managing Virtual Machine Disks


The typical management tasks for virtual machine disks vary, depending on the type of disk:

• Operating system disks are automatically created when you create a virtual machine. You can also create a new operating system disk by using a .vhd file that has been uploaded or copied to a storage account that is part of your subscription.

• Temporary disks are created automatically when you create a new virtual machine, and cannot be directly managed.

• Data disks can be created by either attaching an empty disk to a virtual machine or by attaching a data disk, which already contains data, to the virtual machine.

For operating system disks and data disks, you can view a list of disks, add and delete disks, and update
disks by using the Microsoft Azure Management Portal or the Microsoft Azure PowerShell cmdlets.

When using the portals, you can see information about the disks attached to a virtual machine by using either the virtual machine's dashboard, or the Disks page in the Virtual Machines section in the full Azure Management Portal, or the Virtual Machines blade in the new Azure Preview Portal.

Configuring Caching

An Azure VM operating system disk has an in-built disk cache, which supports ReadOnly and ReadWrite caching. Data disks support the following cache configurations:

• None (default)
• ReadOnly
• ReadWrite

These can be modified in the new Azure Preview Portal, by opening the blade associated with the VM disk and selecting the required cache configuration; caching can also be configured in the Full Portal. Changing disk cache settings requires a reboot of the VM.

Disk cache can also be modified by using the following Azure PowerShell cmdlets:

• Set-AzureDataDisk to configure the cache of a data disk
• Set-AzureOSDisk to configure the cache of an operating system disk
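The following is an added example, not from the course or from Microsoft, showing the two cmdlets above applied to one VM. The VM sql1 in cloud service app-svc, with a write-heavy disk at LUN 0 and a read-heavy disk at LUN 1, is an assumption.

```powershell
# Added example, not part of the course text. Assumed: VM "sql1" in cloud service
# "app-svc" with a write-heavy (log) data disk at LUN 0 and a read-heavy (data
# file) disk at LUN 1.
$vm = Get-AzureVM -ServiceName "app-svc" -Name "sql1"

# Record the current setting per disk before changing anything.
Get-AzureOSDisk   -VM $vm | Select-Object DiskName, HostCaching
Get-AzureDataDisk -VM $vm | Select-Object Lun, DiskName, DiskSizeInGB, HostCaching

# LUN 0 (write-heavy): leave caching off, the default for data disks.
# LUN 1 (read-heavy): ReadOnly serves repeated reads from the host cache while
#   writes still go straight through to the VHD.
# ReadWrite on a data disk is only appropriate when the application manages
#   its own write ordering, because acknowledged writes may sit in the host cache.
# OS disk: ReadWrite is the usual setting and is restated here explicitly.
# Each Set-* cmdlet returns the VM object, so the settings pipe into one update.
$vm |
  Set-AzureDataDisk -LUN 0 -HostCaching None |
  Set-AzureDataDisk -LUN 1 -HostCaching ReadOnly |
  Set-AzureOSDisk -HostCaching ReadWrite |
  Update-AzureVM   # applies the change; a cache change restarts the VM

# Re-read the VM: the new values are visible only after the update completes.
Get-AzureDataDisk -VM (Get-AzureVM -ServiceName "app-svc" -Name "sql1") |
  Select-Object Lun, DiskName, HostCaching
```

Batching the three changes into a single Update-AzureVM matters in practice because each separate update would restart the VM again.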

Creating Storage Spaces


Windows Server 2012 introduced Storage Spaces and Storage Pools. These features enable you to virtualize storage by grouping disks into storage pools, and then creating virtual disks called storage spaces from the storage pools. In effect, you are removing the link between the underlying storage medium (two or more physical or virtual disks) and how that data is presented to the operating system. Storage spaces can provide the following benefits:

• Better performance from striped disks
• Higher reliability from mirrored or parity configuration
• Larger volumes using spanning

The steps for creating a Storage Space are:

1. Create a new virtual machine running Windows Server 2012. This must be on a medium sized server, rather than the smallest server, as small servers can only attach two disks.
2. Attach new, blank disks to the server.
3. Connect to the server, by using RDP.
4. Open the Server Manager and navigate to File and Storage Services.
5. Click Storage Pools and then click Tasks.
6. Click New Storage Pool and allocate the blank disks to the pool.
7. In File and Storage Services, select the pool and then, in the Virtual Disks pane, click New Virtual Disk.
8. Set the disk layout and size, then click Create.
9. The New Volume wizard appears. Select the disk and select the drive letter, then create the volume.

For more information on Storage Spaces, see:
Storage Spaces Overview
http://go.microsoft.com/fwlink/?LinkID=522633

Note: You can also configure software RAID on Linux VMs, so that multiple attached data disks appear to the operating system as a single RAID device, by using the Linux mdadm tool.

Initializing and Formatting Disks

For Windows VMs, a new disk or storage space can be initialized by using the Server Manager Disk Management tools, in the same way as for managing disks in any on-premises computer. You need to be logged in to the VM to run this tool. Disk Management shows the new disk as Unallocated space, which you can then configure as a new volume. This process is exactly the same as with an on-premises virtual machine or a physical computer running Windows. You can then format the volume using your choice of file system.

The process for attaching empty or existing disks to a Linux machine is similar. The initialization process requires the administrator to connect and log in to the Linux VM, and then run the distribution-specific Linux commands for disk initialization.
For more information on initializing disks for Linux VMs, see:
How to Attach a Data Disk to a Linux Virtual Machine
http://go.microsoft.com/fwlink/?LinkID=511711
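The following script is an added example, not from the course or from Microsoft, and covers both the Storage Spaces procedure (steps 4 to 9 above, as PowerShell run inside the Windows Server 2012 VM) and the initialize-and-format step for a single data disk. The pool and space names, the drive letter F: and the volume label are assumptions; it expects the blank data disks to be attached already.

```powershell
# Added example, not part of the course text. Run inside the Windows Server 2012
# VM after the blank data disks have been attached. Names, drive letter and
# label are assumed.
$poolName  = "DataPool"
$spaceName = "DataSpace"

# 1. Only raw, unused disks are poolable; the temporary D: disk is not offered.
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -lt 2) {
    throw "Need at least two blank data disks attached; found $($poolable.Count)."
}

# 2. Create the pool from all poolable disks (steps 5 and 6 of the procedure).
$subsystem = Get-StorageSubSystem | Where-Object FriendlyName -like "*Spaces*" | Select-Object -First 1
New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $poolable

# 3. Create the space (steps 7 and 8). Simple = stripe across every disk for
#    throughput, with no redundancy inside the VM; Mirror or Parity trade capacity
#    for resilience. Columns = disk count so each disk contributes a stripe.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $spaceName `
    -ResiliencySettingName Simple -NumberOfColumns $poolable.Count -Interleave 64KB `
    -ProvisioningType Fixed -UseMaximumSize

# 4. Initialize, partition and format the virtual disk (step 9).
Get-VirtualDisk -FriendlyName $spaceName | Get-Disk |
  Initialize-Disk -PartitionStyle GPT -PassThru |
  New-Partition -DriveLetter F -UseMaximumSize |
  Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -AllocationUnitSize 65536 -Confirm:$false

# A single, non-pooled data disk goes through the same last step. RAW disks are
# the ones Disk Management shows as Unallocated space.
Get-Disk | Where-Object PartitionStyle -eq "RAW" |
  Initialize-Disk -PartitionStyle GPT -PassThru |
  New-Partition -AssignDriveLetter -UseMaximumSize |
  Format-Volume -FileSystem NTFS -Confirm:$false

# Check: the striped volume is online with the expected size.
Get-Volume -DriveLetter F | Select-Object DriveLetter, FileSystemLabel, Size, SizeRemaining
```

The script stops before creating the pool when fewer than two blank disks are present, which is the usual mistake on the smallest VM sizes that the step 1 note warns about.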

Attaching New and Existing Disks


You can add new or existing disks to a VM by using the full Azure Management Portal or the new Azure Preview Portal, or by using Azure PowerShell cmdlets. The process for attaching empty or existing disks is the same whether you are deploying, or managing, a Windows or a Linux virtual machine.

Attaching Data Disks in Microsoft Azure

In Microsoft Azure you can either attach an empty data disk or an existing data disk to a virtual machine. In the full Azure Management Portal, on the Virtual Machine page, there is a button to ATTACH disks. If there are no existing disks in the VM Storage Account, the only option available is ATTACH EMPTY DISK. This disk is automatically created in the VM storage location. When you click the execute tick, the disk is created and attached to the VM, and then listed in the VM dashboard.

With the VHD in place, the Full Portal ATTACH button will now display the ATTACH DISK option, in
addition to the ATTACH EMPTY DISK option. This option lists the available disks for the VM, which can be
added.
To attach an empty disk in the full Azure Management Portal:
1. Click Virtual Machines, and then select the appropriate virtual machine.
2. On the command bar, click Attach, and then select Attach empty disk.
3. In the Attach Empty Disk dialog box, in File Name, either accept the automatically generated name or type a new descriptive name. (The data disk that is created from the .vhd file will always use the automatically generated name.)
4. In Size, enter the size of the data disk in gigabytes.
5. Click the check mark to attach the empty data disk.
6. You will now see the data disk listed on the dashboard of the virtual machine.

To attach an existing disk in the new Azure Preview Portal:

1. Click Browse, then click Virtual Machines.
2. On the Virtual Machines blade, click the virtual machine you want to add a disk to.
3. On the blade for the selected virtual machine, scroll down and under Configure, click Disks.
4. On the Disks blade, in the top command bar, click ATTACH EXISTING.
5. On the Attach an existing disk blade, click VHD FILE - Configure required settings.
6. On the Choose a disk blade, click CHOOSE STORAGE ACCOUNT - Configure required settings.
7. On the Storage account blade, click one of the existing storage accounts.
8. On the Choose a disk blade, click CHOOSE CONTAINER - Configure required settings.
9. On the Storage container blade, click the name of a storage container.
10. On the Choose a disk blade, click CHOOSE A DISK - Configure required settings.
11. On the Storage blob blade, click the name of an existing disk.
12. On the Choose a disk blade, click OK.
13. On the Attach an existing disk blade, click OK.

You can upload a VHD from your on-premises computer to the VM Storage Account by using the Azure PowerShell Add-AzureVhd cmdlet:

Uploading a VHD

Add-AzureVhd -Destination "<destination_container_url>/<VHDName>.vhd" -LocalFilePath "<LocalPathToVHD>"

Note: When attaching an existing disk to a Microsoft Azure virtual machine, it must be at least 20 MB in size.
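The following is an added example, not from the course or from Microsoft, that carries the upload above through to a VM: the uploaded VHD is registered as a disk and attached, and an empty disk is attached in the same update. The storage account mystore, container vhds, local path, disk names and sizes, and VM web1 in service web-svc are all assumptions, as is the DestinationUri property on the object Add-AzureVhd returns.

```powershell
# Added example, not part of the course text. Assumed: storage account "mystore"
# with container "vhds"; local fixed-format VHD C:\vhds\data01.vhd; VM "web1" in
# cloud service "web-svc".
$dest = "https://mystore.blob.core.windows.net/vhds/data01.vhd"

# 1. Upload. Add-AzureVhd sends only the non-empty pages of a fixed VHD, so a
#    sparsely used disk transfers quickly. The returned object is assumed to
#    expose the blob URI as DestinationUri.
$upload = Add-AzureVhd -Destination $dest -LocalFilePath "C:\vhds\data01.vhd" -NumberOfUploaderThreads 8

# 2. Register the blob as a data disk so it can be attached by name
#    (the portal's ATTACH DISK list is built from these registered disks).
Add-AzureDisk -DiskName "data01" -MediaLocation $upload.DestinationUri -Label "Imported data"

# 3. Attach the imported disk at LUN 0 and a new 200 GB empty disk at LUN 1,
#    applying both with one Update-AzureVM. The empty disk is created in the
#    VM's own storage location because no -MediaLocation is given.
Get-AzureVM -ServiceName "web-svc" -Name "web1" |
  Add-AzureDataDisk -Import -DiskName "data01" -LUN 0 |
  Add-AzureDataDisk -CreateNew -DiskSizeInGB 200 -DiskLabel "scratch" -LUN 1 -HostCaching None |
  Update-AzureVM

# Check: both LUNs are listed with their backing blobs. The number of LUNs the
# VM accepts is fixed by its size, so a failure here usually means the size limit.
Get-AzureVM -ServiceName "web-svc" -Name "web1" | Get-AzureDataDisk |
  Select-Object Lun, DiskName, DiskSizeInGB, HostCaching, MediaLink
```

Inside the guest the two new disks then appear as RAW SCSI disks and are initialized and formatted as described in the previous topic.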

Demonstration: Attaching New and Existing Disks


In this demonstration, you will see how to:

• Attach a new empty disk
• Detach a disk
• Attach an existing disk

Demonstration Steps
Attach a new empty disk
1. In the Microsoft Azure Preview Portal, click BROWSE, then click Virtual machines.
2. On the Virtual machines blade, click WebVM1.
3. On the WebVM1 blade, scroll down and under Configuration, click Disks.
4. On the Disks blade, in the top command bar, click Attach New.
5. On the Attach a new disk blade, click STORAGE CONTAINER - Configure required settings.
6. On the Choose a container blade, click CHOOSE STORAGE ACCOUNT - Configure required settings.
7. On the Storage account blade, click the existing storage account.
8. On the Choose a container blade, click CHOOSE CONTAINER - Configure required settings.
9. On the Storage container blade, click the datadisks storage container.
10. On the Choose a container blade, click OK.
11. On the Attach a new disk blade, click in SIZE and type 500, then click OK.

12. The new disk will now be added to the list of data disks on the Disks blade (this process may take 2-3 minutes to complete).
13. Close the Disks blade.

Detach a disk
1. In the Microsoft Azure Preview Portal, on the WebVM1 blade, scroll down and under Configuration, click Disks.
2. On the Disks blade, click the disk shown under DATA DISKS.
3. On the blade for the disk, in the top menu bar, click Detach.
4. Click Yes.
5. The disk will now be removed from the list of data disks on the Disks blade (this process may take 2-3 minutes to complete).
6. Close the Disks blade.

Attach an existing disk
1. In the Microsoft Azure Preview Portal, on the WebVM1 blade, scroll down and under Configuration, click Disks.
2. On the Disks blade, in the top command bar, click Attach Existing.
3. On the Attach an existing disk blade, click VHD FILE - Configure required settings.
4. On the Choose a disk blade, click CHOOSE STORAGE ACCOUNT - Configure required settings.
5. On the Storage account blade, click the existing storage account.
6. On the Choose a disk blade, click CHOOSE CONTAINER - Configure required settings.
7. On the Storage container blade, click the datadisks storage container.
8. On the Choose a disk blade, click CHOOSE A DISK - Configure required settings.
9. On the Storage blob blade, click datadisk4.vhd.
10. On the Choose a disk blade, click OK.
11. On the Attach an existing disk blade, click OK.
12. The existing disk will now be added to the list of data disks on the Disks blade (this process may take 2-3 minutes to complete).
13. Close the Disks blade.

Importing and Exporting Data Disks


You can upload and download VHD files from Azure by using the portals, or Azure PowerShell. In addition, Microsoft Azure provides an import and export service to enable its customers to transfer large amounts of data to Microsoft Azure storage locations when the amount of data makes it unfeasible or too expensive to upload to the datacenter over the Internet. Customers can also use the service to retrieve large amounts of data located in blob storage back to their on-premises environment.

The process involves creating import and export jobs as follows:

• You create an import job to transfer data from your on-premises infrastructure onto hard drives that you will send to your Microsoft Azure storage account in the datacenter.

• You create an export job to request that data currently held in your Microsoft Azure storage account be transferred to empty hard drives that you ship to the Microsoft Azure datacenter, which can then be shipped back to you with the requested data on them.

For more information on the Microsoft Azure Import/Export service, see:


Use the Microsoft Azure Import/Export Service to Transfer Data to Blob Storage
http://go.microsoft.com/fwlink/?LinkID=522634

Lesson 3

Managing and Monitoring Virtual Machines

Virtual machine (VM) management is as important in Azure as is systems management in an on-premises deployment. Azure provides a number of tools to manage the VM lifecycle, both for Windows and Linux systems.

In this lesson you will see some of the management tools and configuration options for maintaining an effective production environment.

Lesson Objectives
After completing this lesson, you will be able to:

• List the tools for managing an Azure Windows or Linux environment.
• Describe the function of the VM Agent and VM Agent Extensions.
• Describe the use of Custom Script Extension.
• Discuss the function and deployment of management tools such as Puppet and Chef.
• Describe the installation and use of Xplat-cli.
• List the monitoring and diagnostics options for an Azure VM.

Overview of VM Management Options


There are various options for managing Azure VMs; some are available for all platforms, and others just for Windows or Linux VMs.

Cross-Platform Management Options

There are several VM management options that are available across both Windows and Linux platforms.

VM Agent and VM Agent Extensions

The VM Agent is a lightweight process intended to bootstrap additional solutions, offered both by Microsoft and partners, for configuring and managing virtual machines. You can disable VM Agent installation when creating a Windows VM, but you cannot disable the agent when creating a Linux VM.

VM Agent Extensions are software components that extend the VM functionality and VM management operations. An administrator can install multiple VM extensions on a VM. Currently available extensions include management facilities such as Chef and Puppet.

The VM Agent, and VM Agent Extensions, are covered in greater depth later in this lesson.

Azure Cross-Platform Command-Line Interface

The Azure Cross-Platform Command-Line Interface (xplat-cli) provides a set of open source, cross-platform commands for working with the Azure Platform. Although available for all platforms, xplat-cli is primarily for use with Linux-based VMs, as Windows VMs are usually managed from a command line by using Azure PowerShell cmdlets.
Xplat-cli is covered in greater depth later in this lesson.

Windows Management Options


As well as the cross-platform management tools, there are several options that are available specifically
for Windows VMs.

Microsoft Azure PowerShell

Like Windows PowerShell, Microsoft Azure PowerShell offers a rich configuration and automation toolset
for the deployment and management of all aspects of an Azure environment. An administrator must
install the Azure PowerShell modules to start using the facilities.
For more information on installing and configuring Microsoft Azure PowerShell, see:
How to install and configure Azure PowerShell
http://go.microsoft.com/fwlink/?LinkID=511717

Remote Desktop Protocol

Remote Desktop Protocol (RDP) enables administrators to establish a graphical user interface session with
an Azure virtual machine. The full and new portals provide a Connect option that provisions a .rdp file,
which can be downloaded and saved for initiating an RDP connection to the specified VM. The RDP
endpoint is created by default when creating a new Windows VM, but can be removed if you do not wish
to use RDP.
Closely associated with the RDP utility is the Remote Desktop Connection Manager. This utility provides
an interface for grouping and managing multiple VMs through RDP connections.
For more information on using Remote Desktop Connection Manager with Azure, see:
Importing Windows Azure Cloud Services into Remote Desktop Connection Manager (RDC
Man)
http://go.microsoft.com/fwlink/?LinkID=522635
Note: It is possible to use RDP with Linux VMs, as long as a GUI such as X desktop has been
installed on the VM; in such a scenario, you could then use an option such as xrdp to provide the
RDP service on the Linux VM.

Linux Management Options


In addition to the cross-platform management tools, there is also a Linux-specific VM management
option.

Secure Shell

When creating a Linux VM, you can choose to enable Secure Shell (SSH); an administrator can then
establish a connection from a Windows client by using the Secure Shell (SSH) protocol with a terminal
emulator, such as PuTTY. From a Linux client, an administrator may use an SSH client such as OpenSSH.
The SSH endpoint is created by default when creating a Linux VM, even if you choose not to enable SSH
itself during deployment.

Overview of VM Agent and VM Agent Extensions


The VM Agent is a lightweight process that runs in a Windows or Linux VM. It provides the platform to install agent extensions. Agent extensions are loadable modules designed to extend VM functionality and streamline VM management.

VM Agent

The VM Agent is automatically installed when creating a VM from Quick Create. You can opt out of installing the VM Agent by creating a VM using the From Gallery option in the full Azure Management Portal and clearing the Install the VM Agent check box, or by using Azure PowerShell. This option is only available for Windows Server VMs; Linux-based VMs always have the VM Agent installed.

VM Agent Extensions
The VM Agent on Windows VMs can have in-built extensions, such as the BGInfo extension, which
displays information about a Windows VM on the desktop of the VM instance during an RDP session
connection, such as internal and public IP, disk space, and memory.

The VM Agent enables some management operations external to the guest operating system functionality, such as resetting a password with the VMAccess extension. An administrator can install the VM Agent on an existing VM by running the VM Agent .msi installer on that VM, and can then enable it by running the Update-AzureVM Azure PowerShell cmdlet.

VM Extensions enable an administrator to deploy functionality during the build process, rather than
having to log in and install software. Extensions are held as packages in the Azure VM Extension Gallery,
from where they can be loaded on to the VM.

Typically, extensions are written and distributed by software companies registered with Microsoft. Some of
these are already available in the From Gallery VM creation wizard, such as Chef and Puppet.
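The following is an added example, not from the course or from Microsoft, of the VMAccess operation mentioned above: restoring RDP and resetting the local administrator password on a VM from outside the guest. The VM web3, the cloud service web-svc and the account name are assumptions.

```powershell
# Added example, not part of the course text. Assumed: Windows VM "web3" in
# cloud service "web-svc" whose RDP listener has been disabled or whose admin
# password is unknown. Runs from Azure PowerShell, outside the guest.
$service = "web-svc"
$name    = "web3"

# The extension can only run where the VM Agent was provisioned; check first
# rather than waiting for a silent failure.
$vm = Get-AzureVM -ServiceName $service -Name $name
if (-not $vm.VM.ProvisionGuestAgent) {
    throw "VM Agent is not provisioned on $name; VMAccess cannot be used."
}

# Prompt for the replacement credential instead of embedding it in the script.
$newPassword = Read-Host -Prompt "New password for the local administrator account"

# VMAccess re-enables the Remote Desktop service and firewall rule in the guest
# and resets the named local account's password; Update-AzureVM pushes the
# extension configuration to the agent.
$vm |
  Set-AzureVMAccessExtension -UserName "Student" -Password $newPassword -ReferenceName "VMAccessAgent" |
  Update-AzureVM

# Check: the extension is now listed on the VM; then retry CONNECT from the portal.
Get-AzureVM -ServiceName $service -Name $name | Get-AzureVMAccessExtension |
  Select-Object ExtensionName, ReferenceName, Version, State
```

Because this path bypasses the guest entirely, the ability to run Set-AzureVMAccessExtension is equivalent to local administrator access on every VM in the subscription; it is a reason to keep Azure account credentials and co-administrator rights as tightly controlled as the VM passwords themselves.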

Demonstration: Enabling RDP with the VM Agent


In this demonstration, you will see how to:

• Create a VM in a separate IaaS cloud service.
• Disable RDP Access in a Virtual Machine.
• Use the VM Agent Access Extension to fix RDP access.
• Reconnect to RDP on the fixed virtual machine.

Demonstration Steps
Create a VM in a separate IaaS cloud service
1. In Internet Explorer, switch to the full Azure Management Portal.
2. In the navigation on the left, click VIRTUAL MACHINES.
3. In the toolbar at the bottom, click NEW and then click FROM GALLERY.
4. In the list of images, click Windows Server 2012 R2 Datacenter, and then click Next.
5. In the VIRTUAL MACHINE NAME text box, type WebVM3.
6. In the NEW USER NAME text box, type Student.
7. In the NEW PASSWORD text box, type Pa$$w0rd123.
8. In the CONFIRM text box, type Pa$$w0rd123 and then click Next.
9. In the CLOUD SERVICE drop-down list, select Create a new cloud service.
10. In the CLOUD SERVICE DNS NAME box, add some numbers to WebVM3 to make a unique name.
11. In the REGION/AFFINITY GROUP/VIRTUAL NETWORK box, select your closest region.
12. Click Next and then click Complete.
Note: Do not complete any subsequent steps until the STATUS column for WebVM3 shows the status Running. Do not proceed while the STATUS is Running (Provisioning).
Disable RDP Access in a Virtual Machine

1. In the list of virtual machines, select WebVM3.
2. In the toolbar at the bottom, click CONNECT and then click Open.
3. In the Remote Desktop Connection dialog box, click Connect.
4. In the Username box, type Student.
5. In the Password box, type Pa$$w0rd123, and then click OK.
6. In the Remote Desktop Connection dialog box, click Yes.
7. If the Networks pane appears, click No.
8. Press the Windows key and then type regedit.
9. Click regedit.exe.
10. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
11. Double-click fDenyTSConnections.
12. In the Value data box, type 1 and then click OK.
13. In the Remote Desktop Connection dialog box, click OK.
14. In Internet Explorer, click OK.
15. In the list of virtual machines, select WebVM3.
16. In the toolbar at the bottom, click CONNECT and then click Open.
17. If the Remote Desktop Connection dialog box appears, click Connect.
18. The RDP connection cannot be completed. In the dialog box, click OK.
19. In Internet Explorer, click OK.
Use the VM Agent Access Extension to fix RDP access

1. Start Microsoft Azure PowerShell.
2. Type the following command, and then press Enter:

   Add-AzureAccount

3. In the Sign in dialog box, enter the credentials for the account associated with your Azure
   subscription and then click Sign in.
4. Type the following command, and then press Enter:

   Get-AzureVM

5. Note the Service Name value for the WebVM3 virtual server (or copy it to the clipboard).
6. Type the following command, and then press Enter:

   $vm3 = Get-AzureVM -Name WebVM3 -ServiceName servicename

   Where servicename is the service name you noted in step 5.
7. Type the following command, and then press Enter:

   $vm3.VM.ProvisionGuestAgent

   If the command returns True, then the Azure VM Agent, which is required to use Azure Agent
   Extensions, is installed.
8. Type the following command, and then press Enter:

   Set-AzureVMAccessExtension -VM $vm3 | Update-AzureVM

   The command ensures that RDP access is enabled and that the virtual server has a firewall rule that
   permits RDP access.
9. When the operation is complete, switch to Internet Explorer.

Reconnect to RDP on the fixed virtual machine

1. In the list of virtual machines, click WebVM3.
2. In the toolbar at the bottom, click RESTART and then click Yes.
3. When the restart operation is complete, in the toolbar at the bottom, click CONNECT and then click
   Open.
4. In the Remote Desktop Connection dialog box, click Connect.
5. If you get an RDP connection cannot be completed message, in the dialog box, click OK, then in
   Internet Explorer, click OK, and then wait a few minutes and try again from step 3.
6. In the Password box, type Pa$$w0rd123, and then click OK.
7. In the Remote Desktop Connection dialog box, click Yes. RDP connects and displays the desktop.
8. Close the RDP connection.
9. In the Remote Desktop Connection dialog box, click OK.
10. In Internet Explorer, click OK.

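The PowerShell part of this demonstration, consolidated into one re-runnable function that checks the VM Agent and the RDP endpoint before applying the VMAccess extension; this is an added example, not code from the course or its lab files. It assumes the classic (Service Management) Azure PowerShell module and an account already added with Add-AzureAccount; the function name Repair-RdpAccess, its parameters, and the service name in the usage comment are this example's own.

```powershell
# Added example, not code from the course or its lab files. Assumes the classic
# (Service Management) Azure PowerShell module and an account already added with
# Add-AzureAccount. Repair-RdpAccess and its parameters are this example's own
# names; every cmdlet it calls is a documented Azure cmdlet.
function Repair-RdpAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ServiceName,
        [Parameter(Mandatory = $true)] [string] $VMName,
        [switch] $Restart
    )

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) {
        throw "VM '$VMName' was not found in cloud service '$ServiceName'."
    }

    # The VMAccess extension is delivered by the VM Agent; if the agent was never
    # provisioned (ProvisionGuestAgent is False) the extension cannot be applied.
    if (-not $vm.VM.ProvisionGuestAgent) {
        throw "The VM Agent is not provisioned on '$VMName'; install the agent first."
    }

    # The extension re-enables RDP inside the guest and its Windows Firewall rule,
    # but it does not create a cloud-service endpoint. Check for one so a missing
    # endpoint is reported rather than mistaken for a guest problem.
    $rdpEndpoint = Get-AzureEndpoint -VM $vm | Where-Object { $_.LocalPort -eq 3389 }
    if (-not $rdpEndpoint) {
        Write-Warning "No endpoint on '$VMName' maps to guest port 3389; RDP will stay unreachable."
    } else {
        Write-Verbose ("RDP endpoint '{0}' is published on public port {1}" -f $rdpEndpoint.Name, $rdpEndpoint.Port)
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Apply the VMAccess extension to re-enable RDP')) {
        # Called without -UserName/-Password, the extension only restores RDP
        # connectivity; no credential on the VM is changed.
        Set-AzureVMAccessExtension -VM $vm | Update-AzureVM | Out-Null

        if ($Restart) {
            Restart-AzureVM -ServiceName $ServiceName -Name $VMName | Out-Null
        }
    }

    # Return the extension's status so the caller can confirm it was applied.
    Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureVMAccessExtension
}

# Usage (the service name is a placeholder; use the one noted in step 5 above):
# Repair-RdpAccess -ServiceName '<servicename>' -VMName 'WebVM3' -Restart -Verbose
```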
Configuring VMs by Using VM Agent Custom Script Extensions

The Custom Script extension is a VM Agent Extension that is used to automatically download scripts and
files from Azure Storage and launch these scripts on a VM. These scripts can then be used to install other
software components.

To install the Custom Script extension, run the Set-AzureVMExtension Azure PowerShell cmdlet against
the VM object and commit the change with Update-AzureVM:

Installing the Custom Script extension
$vm = Get-AzureVM -ServiceName <Service_Name> -Name <VM_Name>
Set-AzureVMExtension -ExtensionName CustomScriptExtension -Publisher Microsoft.Compute -Version <Version> -VM $vm | Update-AzureVM

The Custom Script extension retrieves script files from an Azure Storage Account. By default, it uses the
default Storage Account for the VM, but an alternative location can be specified in the PowerShell command:

Running scripts using the Custom Script extension
$vm = Get-AzureVM -ServiceName <Service_Name> -Name <VM_Name>
Set-AzureVMCustomScriptExtension -VM $vm -FileUri <Script_URI> -Run <File.ps1_name> | Update-AzureVM

For more information on the Custom Script extension, see:
Automating VM Customization tasks using Custom Script Extension
http://go.microsoft.com/fwlink/?LinkID=511725

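An added example (not the course's code) that stages a script in the subscription's own storage account and runs it on a VM through Set-AzureVMCustomScriptExtension, the container form of the command the text describes. It assumes the classic Azure PowerShell module, a signed-in account and a current storage account set on the subscription; the function Publish-CustomScript, its parameters and the default container name scripts are this example's own.

```powershell
# Added example, not code from the course. Assumes the classic Azure PowerShell
# module, a signed-in account, and a current storage account set on the
# subscription. Publish-CustomScript, its parameters and the default container
# name 'scripts' are this example's own; the cmdlets are documented Azure cmdlets.
function Publish-CustomScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ServiceName,
        [Parameter(Mandatory = $true)] [string] $VMName,
        [Parameter(Mandatory = $true)] [string] $ScriptPath,   # local .ps1 to run inside the guest
        [string] $ContainerName = 'scripts',
        [string] $Argument = ''
    )

    # Stage the script in the subscription's own storage account, not on an
    # arbitrary public URL, so what the VM executes stays under the same control
    # as its disks.
    $storageName = (Get-AzureSubscription -Current).CurrentStorageAccountName
    if (-not $storageName) { throw 'No current storage account is set on the subscription.' }
    $key = (Get-AzureStorageKey -StorageAccountName $storageName).Primary
    $ctx = New-AzureStorageContext -StorageAccountName $storageName -StorageAccountKey $key

    # A private container (-Permission Off) is enough: the extension is handed
    # the account key and authenticates, so the blob never has to be public.
    if (-not (Get-AzureStorageContainer -Name $ContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
        New-AzureStorageContainer -Name $ContainerName -Permission Off -Context $ctx | Out-Null
    }

    $blobName = Split-Path -Leaf $ScriptPath
    Set-AzureStorageBlobContent -File $ScriptPath -Container $ContainerName -Blob $blobName `
        -Context $ctx -Force | Out-Null

    # Record the hash of what was uploaded so the script that ran on the VM can
    # later be matched against the copy in source control.
    $hash = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
    Write-Verbose "Uploaded $blobName (SHA256 $hash) to $storageName/$ContainerName"

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
    if (-not $vm) { throw "VM '$VMName' was not found in cloud service '$ServiceName'." }
    if (-not $vm.VM.ProvisionGuestAgent) { throw "The VM Agent is not provisioned on '$VMName'." }

    # -FileName lists the blobs to download; -Run names the one to execute.
    $params = @{
        VM                 = $vm
        ContainerName      = $ContainerName
        FileName           = $blobName
        Run                = $blobName
        StorageAccountName = $storageName
        StorageAccountKey  = $key
    }
    if ($Argument) { $params['Argument'] = $Argument }

    Set-AzureVMCustomScriptExtension @params | Update-AzureVM | Out-Null

    # The extension status (including the script's output) is readable afterwards.
    Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureVMCustomScriptExtension
}

# Usage (service name and script path are placeholders):
# Publish-CustomScript -ServiceName '<servicename>' -VMName 'WebVM3' `
#     -ScriptPath 'C:\Scripts\Install-Roles.ps1' -Verbose
```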
Configuration Management with Puppet and Chef

Puppet and Chef are third-party tools that are used for configuration, and are available during VM
deployment.

Puppet

Puppet is an open source IT management tool written in Ruby for system automation and server
management for both on-premises and cloud environments, and across a range of operating systems.
Although it is open source, it is maintained by Puppet Labs. Puppet can manage up to 50,000 physical or
virtual machines.

Puppet uses a configuration scripting and command language. Puppet automatically updates managed
systems to match configuration changes in the Puppet Master.

Puppet Architecture

The architecture is a client/server configuration that restricts VM access to raw Puppet modules. Each VM
gets a configuration that is compiled specifically for that VM. This means that there is an overarching
principle of least privilege, with package creation and deployment separated.

Puppet PowerShell cmdlets

The Puppet Agent Extension is deployed either during the full portal From Gallery installation option or
through PowerShell or other command line management tools. The PowerShell cmdlets supplied by
Puppet Labs include:

Set-AzureVMPuppetExtension adds the Puppet Enterprise agent and extension handler to a Windows VM.
Get-AzureVMPuppetExtension retrieves the status of the Puppet extension handler.
Remove-AzureVMPuppetExtension uninstalls the Puppet Enterprise agent from a VM.

For more information on Puppet, see:
http://puppetlabs.com/solutions/microsoft

Chef

Chef provides an automation system for building, deploying, and managing Azure infrastructure.
Administrators can manage resources using recipes, which are reusable definitions that provide
instructions for tasks.

The Chef client runs on all VMs managed by the Chef server. A single Chef server can manage up to
10,000 nodes. Each client queries the Chef server for the latest set of applicable configuration changes,
called recipes. The suitability of recipes is defined by the Chef server based on the client role. A client
executes the recipes in the same order to ensure consistent management changes. Chef applies recipes
when a client update is required. If no changes exist for that client, no changes are made.

Chef Architecture

Chef employs a convergent configuration model. Changes propagate through clients to bring the entire
network to the required configuration standard. By default, the client polls configuration updates from
the Chef server once every 30 minutes.

Chef Deployment

Chef provides a VM Agent Extension that can be deployed through the full portal From Gallery
installation option.

For more information on Chef, see:
About Chef and Azure Virtual Machines
http://go.microsoft.com/fwlink/?LinkID=511721

Configuration Management with Xplat-CLI

The Azure Cross-Platform Command-Line Interface (xplat-cli) provides a set of open source,
cross-platform commands for working with the Azure Platform. The xplat-cli provides the following
command line utilities to manage services provided by the Azure platform:

account - manage account information and publish settings
config - manage local settings
hdinsight - manage HDInsight accounts
mobile - manage Mobile Services
network - manage Networks
sb - manage Service Bus configuration
service - manage Cloud Services
site - manage Web Sites
sql - manage SQL Server accounts
storage - manage Storage objects
vm - manage Virtual Machines

Installation

Administrators can install xplat-cli by using installer packages for Windows and Linux, or by using the
npm command. The latter requires Node.js to be installed.

For more information on downloading the latest xplat-cli source, including the INSTALL file containing the
latest information on the installation process, see:
https://github.com/Azure/azure-xplat-cli/releases

When xplat-cli is installed, running it lists the xplat-cli commands at the command-line prompt. The
commands are run by typing azure <command_name>. For example, an administrator can interrogate
account information by typing azure account.

Xplat-cli can manage both resources and services, although the former does not currently offer the same
breadth of functionality. To configure resources, run the config mode command: azure config mode arm.
To return to service management mode, run azure config mode asm. Service management is the default
mode.

For more information on xplat-cli, see:
Install and Configure the Azure Cross-Platform Command-Line Interface
http://go.microsoft.com/fwlink/?LinkID=511726

Monitoring Virtual Machines

Health Probes

An administrator must deploy health probes in order to use load-balanced set endpoints. The probe tests
for the availability of a VM in a load-balanced set. When you configure the load-balanced set in the full
Azure Management Portal, you can set the probe interval in seconds and how many probe checks can be
missed before the load balancer considers the node configured for that endpoint to be unresponsive. The
default setting is that if two probes, 15 seconds apart, are missed, then the node is considered to be not
responding.

Custom Probes

The basic health probe only determines whether the VM in the load-balanced set is alive. A custom probe
can provide more specific detail about the activity and availability of an application on a VM in a
load-balanced set.

For more information on creating an application for a custom probe, see:
Custom Probe for IaaS Load Balanced sets in Windows Azure and ACL Part 2
http://go.microsoft.com/fwlink/?LinkID=511727

Alerts

Alert rules enable administrators to monitor metrics for an Azure service, including VMs. Rules can have
assigned thresholds which trigger an alert when they are exceeded. This triggers an email to specified
administrators. Notifications trigger when a condition occurs and when it resolves.

The Alerts page in the Management Services section of the full portal lists the configured alert rules. The
page displays the status for existing rules. An administrator can also access details about a rule, create new
rules, and manage existing rules.
An administrator can create up to 10 alert rules per Azure subscription. To add a new rule when 10 exist,
the administrator must delete one rule.
An administrator can configure virtual machine alert rules on:

Monitoring metrics from the virtual machine host operating system
Web endpoint status metrics

For more information on how to create an alert rule, see:
How to: Receive Alert Notifications and Manage Alert Rules in Azure
http://go.microsoft.com/fwlink/?LinkID=511728

Configure Endpoint Monitoring


To configure an endpoint for monitoring, from the full portal, open the Monitoring section of the
Configure page. On the Settings page of the full portal, create a rule to trigger an alert when the
appropriate metric reaches a threshold value.

Configure Diagnostics

The administrator enables and configures VM diagnostics from the Monitoring area of the new portal VM
blade. By clicking any of the panes, such as CPU percentage today or Disk read and write, and then
clicking DIAGNOSTICS in the Metric blade, the administrator can enable diagnostic logging for:

Basic metrics
Network and web metrics
.NET metrics
Windows event system logs
Windows event security logs
Windows event application logs
Diagnostics infrastructure logs
IIS logs

The logs that are generated by the diagnostics function are held in the default Storage Account for the
VM, although this can be changed to an alternative account if required.
The latest VM Agent now installs the Windows Azure Diagnostics (WAD) extension.

Working with diagnostics data


The new portal provides charts for the metrics generated by the VM. The administrator can edit and
modify these charts by right-clicking a chart and selecting Edit Chart. This opens the Edit Chart blade
where different options for the chart metrics are available for selection. This can also narrow the time
range of the diagnostic recording. The administrator must save changes to update the chart.

Demonstration: Monitoring Virtual Machines

Demonstration Steps

Set a monitor alert

1. In Internet Explorer, in the full Azure Management Portal, in the navigation panel on the left, click
   Virtual Machines.
2. In virtual machines, click the right arrow next to WebVM1 and click MONITOR.
3. Show the configured monitors.
4. Show switching on and off a monitor, by clicking the tick icon.
5. Click CPU Percentage, then click ADD RULE.
6. Give the alert a name and click the arrow.
7. Ensure that the condition is greater than, then in the THRESHOLD VALUE box, enter 10.
8. Select Send an email to the service administrator and co-administrators.
9. Ensure that Enable Rule is selected.
10. Click the check mark.

Chew some processor cycles

1. On WebVM1, click the back arrow.
2. Click CONNECT and click Open.
3. In the Remote Desktop Connection dialog box, click Connect.
4. Log on to the RDP session as WEBVM1\Student with a password of Pa$$w0rd123.
5. In the Remote Desktop Connection message box, click Yes.
6. If the Network pane appears, click No.
7. Start Task Manager and click More Details, then click the Performance tab.
8. Start a Command Prompt session and arrange it side-by-side with Task Manager.
9. At the Command Prompt, type Cd\ and press Enter.
10. At the root of the C: drive, type DIR /S and press Enter.
11. Let the listing operation run for a minute or so. The processor usage on the Taskbar should be near
    100 percent.

Show the alert has tripped

1. Switch back to the portal.
2. In virtual machines, click WebVM1 and click MONITOR.
3. Click the refresh button occasionally until you see the CPU line jump upwards. Note that it can take
   up to fifteen minutes for the alert to be generated.
4. Under ALERT RULES, click 1 rules configured.
5. Click the alert name.
6. Note any alert occurrences.

Show the alert email

1. Create a new tab in Internet Explorer, and browse to mail.live.com. You should be logged on
   automatically.
2. Click one of the ALERT ACTIVATED emails.
3. Show the alert email.
4. Switch back to the RDP session and close the Command Prompt window.
5. Exit the RDP session.
Reset the Environment

1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.

Important: The script may not be able to get exclusive access to a storage account to delete it (you will
see an error, if this occurs). If you find objects remaining after the reset script is complete, you can re-run
the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your
Azure subscription, with the exception of the default directory.

Lab: Managing Virtual Machines

Scenario

Now that the planning and VM deployment for the two A. Datum applications is complete, you must
configure VHDs and configure availability and scalability for these VMs. You will place the two IIS web
servers, which will host the front end for the expense application, in a load-balanced availability set. For
the expenses web application, you will attach a new disk to an IIS server to store the ASP.NET disk cache
and create a new Storage Space on the SQL Server to increase the efficiency of the database. Finally, you
will use the Cross-Platform Command Line Interface to manage a virtual machine.

Objectives

After completing this lab, you will be able to:

Set up Azure virtual machines in availability sets and load balanced sets.
Configure virtual data disks for Azure virtual machines and create fault tolerant disks.
Use the Cross-Platform Command Line Interface.

Lab Setup

Estimated Time: 40 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Exploring Availability


Scenario

For the expenses web application, you have been asked to ensure maximum uptime. To achieve this
objective, you want to place the virtual machines in the same availability set and load-balanced set. In this
exercise, you will configure this arrangement and use HTML pages to test what happens if a server goes
offline.
The main tasks for this exercise are as follows:
1. Specify Availability Sets
2. Configure the Azure Load Balancer
3. Add Test Pages
4. Test Availability

Task 1: Specify Availability Sets

1. In 20533B-MIA-CL1, start the Microsoft Azure PowerShell ISE as an administrator.
2. Using Microsoft Azure PowerShell, get the properties of the WebVM1 virtual machine. Notice that
   the virtual machine is not in an availability set.
3. Add the WebVM1 virtual machine to a new availability set named adatumfrontend.
4. Add the WebVM2 virtual machine to the adatumfrontend availability set.
5. Use the code snippets in D:\Labfiles\Lab04\Starter\ExampleCommands.ps1 to help you during
   this exercise.

Task 2: Configure the Azure Load Balancer

1. In the Azure preview portal, join the WebVM1 virtual machine to a new load balanced set. Use the
   following information:
   o Endpoint Name: AdatumWebEP
   o Private Port: 80
   o Load Balanced Set Name: AdatumWebLBS
   o Protocol: TCP
   o Public Port: 80
   o Probe Protocol: TCP
   o Probe Port: 80
   o Interval: 15 seconds
   o Retries: 31
2. Add the WebVM2 virtual machine to the AdatumWebLBS load-balanced set. Use the following
   information:
   o Endpoint Name: AdatumWebEP
   o Private Port: 80

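Tasks 1 and 2 above carried out from Azure PowerShell, as an added example that is not part of the lab's ExampleCommands.ps1: both VMs are placed in the adatumfrontend availability set and given the AdatumWebEP endpoint in the AdatumWebLBS load-balanced set with the TCP probe described. It assumes the classic Azure PowerShell module, a signed-in account and one cloud service (name is a placeholder) hosting both VMs; mapping the lab's Retries value onto -ProbeTimeoutInSeconds is this example's assumption, since Add-AzureEndpoint takes a timeout rather than a retry count.

```powershell
# Added example, not part of the lab's ExampleCommands.ps1. Assumes the classic
# Azure PowerShell module and a signed-in account; the cloud service name is a
# placeholder. Names below follow Exercise 1.
$ServiceName     = '<cloud_service_name>'   # placeholder: the cloud service hosting both VMs
$availabilitySet = 'adatumfrontend'
$lbSetName       = 'AdatumWebLBS'
$endpointName    = 'AdatumWebEP'

foreach ($vmName in 'WebVM1', 'WebVM2') {
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $vmName
    if (-not $vm) { throw "VM '$vmName' was not found in service '$ServiceName'." }

    # Two VMs only survive a host or update fault together when Azure places
    # them in different fault and update domains, which the availability set does.
    $vm = $vm | Set-AzureAvailabilitySet -AvailabilitySetName $availabilitySet

    # Only add the endpoint once so the script can be re-run safely.
    $existing = Get-AzureEndpoint -VM $vm -Name $endpointName -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Add-AzureEndpoint exposes a probe timeout, not a retry count: a 31 s
        # timeout with a 15 s interval means two missed probes mark the node down
        # (mapping the lab's "Retries: 31" this way is this example's assumption).
        $vm = $vm | Add-AzureEndpoint -Name $endpointName -Protocol tcp -LocalPort 80 -PublicPort 80 `
            -LBSetName $lbSetName -ProbeProtocol tcp -ProbePort 80 `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31
    }

    # Nothing reaches the platform until Update-AzureVM runs.
    $vm | Update-AzureVM | Out-Null
}

# Verify: both VMs should now report the same availability set and load-balanced set.
foreach ($vmName in 'WebVM1', 'WebVM2') {
    $vm = Get-AzureVM -ServiceName $ServiceName -Name $vmName
    $ep = Get-AzureEndpoint -VM $vm -Name $endpointName
    [pscustomobject]@{
        VM              = $vmName
        AvailabilitySet = $vm.AvailabilitySetName
        LBSet           = $ep.LBSetName
        Probe           = '{0}:{1} every {2}s' -f $ep.ProbeProtocol, $ep.ProbePort, $ep.ProbeIntervalInSeconds
    }
}
```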
Task 3: Add Test Pages

1. Use the D:\LabFiles\Lab04\Starter\WebVM1.rdp file to connect to the WebVM1 virtual machine.
   Use the following credentials:
   o Username: Student
   o Password: Pa$$w0rd123
2. In the C:\inetpub\wwwroot folder, create a new text file named Test.txt.
3. Add an HTML <h1> tag and a <p> tag to the Test.txt file. Use the following content for each tag:
   o <h1> content: A. Datum Test Page
   o <p> content: This is the WebVM1 server
4. Rename the Test.txt file to be Test.htm. Ensure you can see file extensions in Windows Explorer.
5. Close the RDP connection to WebVM1.
6. Use the D:\LabFiles\Lab04\Starter\WebVM2.rdp file to connect to the WebVM2 virtual machine.
   Use the following credentials:
   o Username: Student
   o Password: Pa$$w0rd123
7. In the C:\inetpub\wwwroot folder, create a new text file named Test.txt.
8. Add an HTML <h1> tag and a <p> tag to the Test.txt file. Use the following content for each tag:
   o <h1> content: A. Datum Test Page
   o <p> content: This is the WebVM2 server
9. Rename the Test.txt file to be Test.htm. Ensure you can see file extensions in Windows Explorer.
10. Close the RDP connection to WebVM2.

Task 4: Test Availability

1. In Internet Explorer, browse to the cloud service that hosts WebVM1 and WebVM2. Then access the
   test.htm page within that web service. Note the virtual machine where the test page is located.
2. In the Azure preview portal, shut down the virtual machine you noted in step 1.
3. Refresh the display of the A. Datum Test Page. The page is now served by the other virtual machine
   in the load balanced set.

Results: At the end of this exercise, you will have the WebVM1 and WebVM2 virtual machines configured
in an availability set and a load-balanced set.

Exercise 2: Configuring Virtual Machine Storage

Scenario

Detailed scenario to contextualize the exercise. This should provide brighter students with enough
information to figure out what they'll need to do before even looking at the tasks.

The main tasks for this exercise are as follows:
1. Upload a VHD to Azure
2. Connect a VHD to a Virtual Machine
3. Create a Storage Space

Task 1: Upload a VHD to Azure

1. In 20533B-MIA-CL1, switch to the Microsoft Azure PowerShell, and use the Get-AzureStorageAccount
   cmdlet to identify the name of the Azure Storage Account currently in use in your subscription.
2. Use the code snippets in D:\Labfiles\Lab04\Starter\ExampleCommands.ps1 to help you during
   this exercise.
3. Use the Get-AzureStorageKey cmdlet to find out the storage key value for the Azure Storage
   Account from Step 1.
4. Use the New-AzureStorageContainer cmdlet to create a new storage container with the name
   1azure-storage. Note the Blob End Point value.
5. Use the Add-AzureVHD cmdlet to upload the E:\Labfiles\Lab04\Starter\20533B_DataDisk.vhd
   file to the new Azure storage container you created in Step 4.

Task 2: Connect a VHD to a Virtual Machine

1. Switch to Internet Explorer, and click the new Azure Preview Portal tab.
2. In the preview portal, add the new VHD file that you created in the previous task, to the WebVM2
   virtual machine.
3. Connect to the WebVM2 virtual machine, saving the RDP file to your desktop. Then open the RDP
   file, log on and view the contents of the attached VHD.
4. Detach the 20533B_DataDisk.VHD disk, then create two new virtual disks of 10 GB and attach them
   to WebVM2.

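Tasks 1 and 2 of this exercise done entirely from Azure PowerShell, as an added example that is not taken from the lab's ExampleCommands.ps1: upload the VHD into a private 1azure-storage container, attach it to WebVM2, detach it again and attach the two 10 GB disks the storage pool in Task 3 needs. It assumes the classic Azure PowerShell module and a signed-in account; the cloud service name is a placeholder and the disk labels are this example's own.

```powershell
# Added example, not from the lab files. Assumes the classic Azure PowerShell
# module and a signed-in account. Paths and names follow Exercise 2; the cloud
# service name is a placeholder and the disk labels are this example's own.
$ServiceName   = '<cloud_service_name>'      # placeholder: the service hosting WebVM2
$VMName        = 'WebVM2'
$LocalVhd      = 'E:\Labfiles\Lab04\Starter\20533B_DataDisk.vhd'
$ContainerName = '1azure-storage'

# Task 1: identify the storage account in use, get its key, create the container.
$storageName = (Get-AzureSubscription -Current).CurrentStorageAccountName
if (-not $storageName) {
    $storageName = (Get-AzureStorageAccount | Select-Object -First 1).StorageAccountName
}
$key = (Get-AzureStorageKey -StorageAccountName $storageName).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageName -StorageAccountKey $key

# -Permission Off keeps the container private: a data disk image should never
# be anonymously readable.
if (-not (Get-AzureStorageContainer -Name $ContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $ContainerName -Permission Off -Context $ctx | Out-Null
}

# The blob endpoint noted in step 4 of Task 1 is the one among the account's
# endpoints that contains ".blob.", e.g. https://<account>.blob.core.windows.net/
$blobEndpoint = (Get-AzureStorageAccount -StorageAccountName $storageName).Endpoints |
    Where-Object { $_ -like '*.blob.*' } | Select-Object -First 1
$destination = '{0}{1}/{2}' -f $blobEndpoint, $ContainerName, (Split-Path -Leaf $LocalVhd)

# Add-AzureVhd uploads only the populated blocks and produces a page blob.
Add-AzureVhd -LocalFilePath $LocalVhd -Destination $destination | Out-Null

# Task 2: attach the uploaded VHD, check it, detach it, then attach two new
# empty 10 GB disks for the Storage Spaces pool built in Task 3. Each change is
# committed with its own Update-AzureVM so a failure leaves a known state.
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Add-AzureDataDisk -ImportFrom -MediaLocation $destination -DiskLabel 'LabData' -LUN 0 |
    Update-AzureVM | Out-Null

Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureDataDisk |
    Select-Object DiskLabel, Lun, LogicalDiskSizeInGB, MediaLink

Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Remove-AzureDataDisk -LUN 0 |
    Update-AzureVM | Out-Null

Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 10 -DiskLabel 'Pool1' -LUN 0 |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 10 -DiskLabel 'Pool2' -LUN 1 |
    Update-AzureVM | Out-Null

# Verify the final layout: two 10 GB disks on LUN 0 and LUN 1.
Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureDataDisk |
    Select-Object DiskLabel, Lun, LogicalDiskSizeInGB, MediaLink
```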
Task 3: Create a Storage Space

1. Create a new storage pool called New Storage Pool and add both the 10 GB virtual disks to the
   pool.
2. Create a new virtual disk from the storage pool called New Virtual Disk. Set it to mirror, with thin
   provisioning and a virtual disk size of 30 GB.
3. Create a volume on the 30 GB storage space with a size of 15 GB, using the E: drive letter and a
   volume label of RAID Volume. Review what virtual and physical disks the storage pool now uses, and
   then view the E: drive in File Explorer.

Results: At the end of this lab, you will have an Azure virtual machine with two virtual data disks that are
configured in a storage space.

Exercise 3: Using the Cross-Platform Command Line Interface

The main tasks for this exercise are as follows:
1. Configure the Cross-Platform Command Line Interface
2. Use the Cross-Platform Command Line Interface
3. Reset the Lab Environment

Task 1: Configure the Cross-Platform Command Line Interface

1. In Internet Explorer, browse to the download page for xplat-cli
   (http://go.microsoft.com/?linkid=9828653) and download the executable to the Downloads
   folder.
2. Install the Azure Cross-Platform Command-Line Interface.

Task 2: Use the Cross-Platform Command Line Interface

1. Use the Microsoft Azure Command Prompt to download and import the publish settings file using
   your Microsoft Azure subscription credentials. You will need to use the following commands:
   o azure account download
   o azure account import
2. View all the available Azure Cross-Platform Command-Line Interface commands by using the azure
   command on its own.
3. Run the following commands:
   o azure account list
   o azure network vnet list
   o azure vm list
   o azure vm disk list

Task 3: Reset the Lab Environment

1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 10-15 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.

Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.

Results: After completing this exercise, you will have configured the Cross-Platform Command Line
Interface to issue commands to a Linux virtual machine.

Question: In Exercise 1, you placed the two virtual machines in the same availability set and
the same load-balanced set. What would be the consequences if you had not placed the
virtual machines in the availability set but only configured the load-balanced set?

Question: You used PowerShell to configure two virtual machines with the same availability
set name. When you execute the Get-AzureVM cmdlet, both virtual machines report the
availability set name AdatumFrontEnd. However, when you examine the virtual machines in
the portal, they appear in separate availability sets with the same name. How can this
situation arise?

Module Review and Takeaways

In this module, you learned about:

Configuring virtual machine IP addresses, availability, scalability, and security.
Managing and configuring virtual machine disks.
Managing and monitoring virtual machines.

Review Question(s)

Question: You are configuring virtual machines for the Adatum expenses web application.
You have created four virtual machines that will host the web front end. You have also
created four virtual machines that will host the database. All the virtual machines are in the
same cloud service. What should you use to load-balance the web front-end virtual
machines? What should you use to load-balance the database virtual machines?

Module 5
Implementing Websites

Contents:
Module Overview 5-1
Lesson 1: Planning for Website Deployment 5-2
Lesson 2: Deploying Websites 5-9
Lesson 3: Configuring Websites 5-18
Lesson 4: Monitoring Websites 5-23
Lesson 5: Traffic Manager 5-27
Lab: Implementing Websites 5-33
Module Review and Takeaways 5-39

Module Overview

Azure Infrastructure as a Service (IaaS) virtual machines can be used for a wide range of purposes,
including hosting websites by using Internet Information Services (IIS). However, Azure also includes a
specialized websites service that you can use to host any website without configuring a VM and associated
platform software. If you create an Azure website, you can choose from a wide range of common web
applications, including WordPress, Drupal, Umbraco, and others. Alternatively, you can upload a custom
web application from Visual Studio or another web developer tool. In this module, you will see how to
host robust and highly-scalable websites in Azure.

Objectives

After this module, you will be able to:

Choose a hosting plan and deployment method for a website in Azure.
Use Visual Studio, FTP clients, and PowerShell to deploy a website to Azure.
Configure websites and use WebJobs to schedule tasks.
Monitor the performance of a website.
Use Traffic Manager to distribute requests between two or more Azure websites.

Lesson 1
Planning for Website Deployment

In this lesson, you will learn about Azure Websites and how they differ from Platform as a Service (PaaS)
cloud services and web applications hosted on Azure virtual machines. You will also see the four tiers
within which you can create an Azure website and the different features supported by each tier. Finally
you will learn how the tools and source code control systems used by developers influence your choice of
deployment methods.

Lesson Objectives

After this lesson, you will be able to:

Describe how Azure Websites integrates with other Azure services.
Choose whether to implement a web application within Azure as an Azure website, as a PaaS cloud
service, or as an application hosted on virtual machines.
Choose the best value pricing tier for your web application based on the functionality and scalability
that it requires.
Choose whether to create a web hosting plan to share features and resources across multiple
websites.
Decide how to deploy source code to an Azure website.
Plan how to deploy web applications of various types within Azure.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Note: Important: The scripts used in this course may delete any objects that you have in
your subscription. For this reason, you should complete this course against a new Azure
subscription. You should have received sign-up details and instructions for creating an Azure
Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases,
use a new Microsoft account that has not been associated with any other Azure subscription. This
avoids confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure only removes the Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your Instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.

MCT USE ONLY. STUDENT USE PROHIBITED

Implementing Microsoft Azure Infrastructure Solutions

Demonstration Steps
Sign in to Your Microsoft Azure Subscription

5-3

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. If you are prompted to sign in, use the Microsoft account that is associated with your Azure subscription. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.

5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Azure Environment


1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.

6. When the script is complete, close Internet Explorer and Microsoft Azure PowerShell.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.

Implementing Websites

Websites as a Component of Azure


The Azure Websites service is a platform of
technologies that enable you to host websites in
Azure without configuring and maintaining your
own virtual machines (VMs). You can run websites
written with the ASP.NET, PHP, Node.js, and
Python frameworks.


Websites often require two supporting services: data storage and file storage. The raw data that
server-side code formats into a webpage and sends to the user is often kept in a database and in
Azure you can use SQL Database to host that database. Alternatively, you can provision a
database in a VM or use Azure table storage. Websites often include media files, such as images, videos,
and sound files. Performance is usually improved if these images are stored outside the database. In
Azure, you can use a Storage Account for these files. Again, another alternative is to use the file system on
a VM for file storage.
You can implement multiple instances of each website to increase capacity and ensure resilience. The
Azure load balancer automatically distributes incoming requests between these instances. In addition,
Traffic Manager permits you to distribute load across instances of a website in different Azure regions.
You can implement this load balancing for resilience or to ensure that a user is served by a website
instance that is close to their physical location. You will learn more about Traffic Manager in Lesson 5 of
this module.

Comparing Websites, PaaS Cloud Services, and Virtual Machines


If you want to host a web application in Azure, you
can choose to use IaaS Virtual Machines, Azure
Websites, or PaaS Cloud Services. The level of
control, scaling flexibility, and the code languages
and frameworks you want to use will determine
which of the three options you select.
Note: In this course, the cloud services that
support virtual machines are termed IaaS cloud
services. The cloud services that support web roles
and worker roles are termed PaaS cloud services.
Virtual Machines

Since an IaaS virtual machine in Azure can include a web server, such as IIS or Apache, you can use them
to host web applications. This scenario is very much like running a traditional web farm to host your web
application, except that the servers are at Azure data centers and not on-premises. Virtual machines are
therefore commonly used to migrate an on-premises web application into Azure with as little
modification as possible. Supporting servers, such as SQL Servers to host databases, can be hosted on
other VMs in the same IaaS cloud service. Load balancing is available to scale out the web application
when necessary.


If you choose to host a web application in VMs, you have the maximum control over the operating system
and supporting software. For example, you could install a specific version of PHP on Apache if you need it.
However, you must invest the time to patch and maintain the infrastructure you create. If you want to
scale the application out, you must provision new VMs to host the new instances of the application. You
can use RDP to connect to IaaS virtual machines.
Azure Websites

Alternatively, you can choose to host your web application in the Azure Websites service. After creating a
new Azure website, you can either upload a custom web application or choose from a wide range of
popular general purpose web applications, including Drupal, WordPress, Umbraco, and others.
Developers can build custom web applications to host in Azure Websites by using ASP.NET, Node.js, PHP,
and Python.
You can scale up an Azure website by changing tiers. This increases the traffic a single instance of the site
can service. Alternatively, scale out by installing a website in multiple instances and using Azure load
balancing to distribute traffic. However, you can only scale the website as a single component; you
cannot scale separate parts of the application differently. You also cannot gain RDP access to the web
server. You can use Azure SQL Database or SQL Server on a virtual machine to host an underlying
database.
PaaS Cloud Services

You can also choose to build a web application as an Azure PaaS cloud service. A PaaS cloud service
consists of a web role, which includes the application's user interface, and worker roles, which run
background tasks. Since you can scale each role independently by specifying the number of role instances,
you have a great deal of control over scalability with PaaS cloud services. You can connect to the servers
that host your PaaS cloud service by using RDP.
However, PaaS cloud services are a specialized form of web applications that are unique to Azure. An
existing web application sometimes requires significant modification before it can run as a PaaS cloud
service. You will learn more about PaaS cloud services in Module 8.

Choosing a Pricing Tier


When you create a website in Azure, you can
choose to create it in one of four tiers: Free,
Shared, Basic, and Standard. The Free tier incurs
no charges but associated resources, such as
databases, may incur charges. The Shared tier is
$0.013 per hour per website. To find out the latest
details on website tiers and charging, see:
Websites Pricing Details
http://go.microsoft.com/fwlink/?LinkID=511729

Free tier websites are limited to 165 MB of outbound data transfer each day and must be hosted within
the azurewebsites.net domain. You cannot scale out a free tier website to multiple instances and they do
not qualify for any Service Level Agreement (SLA). However, you can use WebJobs and create up to 10
websites and use up to 1 GB of storage.


Shared tier websites have unlimited outbound data transfer and can use a custom domain, although you
cannot use SSL to secure shared tier websites in custom domains. You can scale a shared tier website out
to six instances and use the Azure load balancer to distribute load.

Basic tier websites can use up to 10 GB of storage and can use custom domains with SSL encryption. Basic
tier websites also qualify for the 99.9 percent uptime SLA.
Finally, standard tier websites can use up to 50 GB of storage and you can scale them out to 10 dedicated
instances. Automatic scaling and staged publishing slots are only available for standard tier websites.

Planning Web Hosting Plans


A web hosting plan is a logical group, exclusive to
Azure Websites, which enables you to share
features and resources across several websites.
When you create a new website, you can choose
to create a new web hosting plan with the new
website as the only member. When you create the
web hosting plan you must choose a pricing tier
for it. Later, you can add other websites to that
web hosting plan.

All the websites within a web hosting plan share the features and capacity of the pricing tier you
chose. So, for example, when you create a web hosting plan that is configured to run instances on two
virtual machines, all sites associated with that web hosting plan will run on both virtual machines.
Note: Azure Websites is a PaaS service offering, so you do not have to create, configure,
and maintain the virtual servers, operating systems, and web servers that run your websites.
However, within Azure, virtual machines are created to run instances of your websites. The App
Fabric system creates and maintains these resources for you.

A web hosting plan must be contained within a single resource group. Although a resource group can
span multiple Azure regions, a web hosting plan must be contained within a single region. Web hosting
plans can only contain Azure websites. This contrasts with resource groups, which you can use to associate
websites with SQL Databases, PaaS cloud services, storage accounts, and other Azure services.

Planning for Deployment Methods


Developers and website administrators can take
many different approaches to deploying websites.
The chosen method often depends on where
source code is located. When there is an individual
developer or a very small team, source code may
be stored on developers' computers where they
run an Integrated Development Environment (IDE)
that they use to write code. For larger teams, the
challenges associated with collaborative working
often require the use of a source control system
such as Microsoft Team Foundation Server (TFS).
Such source control systems can be based on-premises or in the cloud.
Source Code on Client Machines

If the developers are not using a source control system to coordinate their development, they can deploy
a website to Azure directly from their chosen IDE, such as Visual Studio or Web Matrix. The command-line
MSBuild tool can also be used to script deployment processes.
FTP can be used to transfer files but the Web Deploy technology has extra features that make it easier to
set configuration values, such as connection strings, and reduce deployment time.
Source Code in an On-Premises Source Control System

If developers are using a source control system located on servers within their on-premises network, they
can configure that system to perform continuous delivery to an Azure website. This site should be in a
staging slot, to ensure that changes can be tested before being moved to the production website. On-premises source control systems include TFS, Git, and Mercurial repositories.
Source Code in a Cloud Source Control System

If developers are using a cloud-hosted source control system, such as Team Foundation Version Control
(TFVC) in Visual Studio Online (VSO), they can configure continuous delivery in a very similar way to on-premises source control systems. Developers have many choices in these systems. For example, they can
use Git for distributed source code in VSO instead of using the centralized TFVC.
For more information about these deployment mechanisms, see:
http://go.microsoft.com/fwlink/?LinkID=511730

Discussion: Planning a Website


In this topic, the instructor will lead a discussion of
the following scenarios:

Scenario 1: Existing Web Application


Your company has a website that is currently
running on an on-premises web farm. The website
is written in PHP and runs on the Apache web
server on Linux servers. The website uses a MySQL
database to store content.

Scenario 2: Large Scale Web Application


Your company is starting a brand new web
application development project with a large and
distributed development team. The team has decided to store source code in VSO and to use a Git
repository. The application architects expect occasional demand spikes and you must ensure that the
deployed web application can cope with these spikes while remaining cost efficient.

Scenario 3: Production Website

Your company is initiating a new project to build the company's public website. There will be a small team
of developers using ASP.NET MVC.
Discuss the following questions for each scenario:

Should the web application be hosted as an Azure website, as a PaaS cloud service, or on virtual
machines in Azure?

Where is the best place to store the web application's source code and how should source control be
implemented?

How should the web application's source code be deployed to Azure?

If you choose to create an Azure Website, which of the four tiers should be used?

Lesson 2

Deploying Websites

Web applications are usually created by teams of web designers and developers by using a variety of tools
such as graphic design packages, image editing packages, web design software, and Integrated
Development Environments (IDEs) such as Visual Studio. When the first version of the web application is
complete, developers or administrators must deploy it to a web server and you can choose to use Azure
Websites as a web server to host your application. There are many ways to package and deploy a web
application to Azure and, in this lesson, you will learn about those methods and how to configure IDEs,
FTP tools, and source control software to deploy new web applications and updates as Azure Websites.

Lesson Objectives
At the end of this lesson, you will be able to:

Configure deployment credentials for an Azure website.

Create a new website in Azure by using the portals or PowerShell.

Use an FTP client to deploy a web application to Azure.

Describe the advantage of using Web Deploy to deploy a web application to Azure.

Use Web Deploy to deploy a web application to Azure from Visual Studio.

Deploy updates to an existing website.

Use deployment slots for staging a website.

Creating and Configuring Websites


Your development team may use web servers on
their workstations or an intranet web server to
host a web application during development. If you
have chosen to host the completed web
application in Azure, you can create a new Azure
website so that you or the developers can deploy
the site. If you intend to use Git or FTP to deploy
website code, you should configure credentials for
authentication. Developers or administrators can
then upload the web application to the new site so
that it becomes available for browsing.
Note: Websites deployed to the Azure
Websites service are publicly available. You should not deploy a website unless you are
confident it protects any sensitive data that it handles.

Creating New Websites in Azure


To create a new website in the Azure Preview Portal, follow this procedure:

1. In the toolbar on the left, click NEW and then click Website.

2. In the URL text box, type a unique and valid name. If the name is unique and valid, a green smiley face appears.

3. Select a web hosting plan such as Standard or Basic.

4. Select a location. Use a location close to the audience you expect to be interested in your site.

5. Click Create. Azure creates the new website.

You can also create websites by using the New-AzureWebsite cmdlet in the Azure PowerShell. For
example:
Creating New Websites in PowerShell
New-AzureWebsite -Name MyNewWebsite -Location "East US"

Setting up Deployment Credentials


If you use FTP or Git for source code deployment to Azure, your client cannot use your Azure account
credentials to authenticate. Instead, you must set up deployment credentials. To do this in the Azure
Preview Portal, follow these steps:
1. In the tool bar on the left, click BROWSE and then click Websites.

2. In the Websites blade, click the website you want to configure.

3. Scroll down to locate the Deployment section, and then click Set deployment credentials.

4. In the FTP/DEPLOYMENT USER NAME text box, type a username.

5. In the PASSWORD text box, type a secure password.

6. In the CONFIRM PASSWORD text box, type the same password and then click SAVE.

Downloading a Publishing Profile


Azure can create a publish profile for each website you create. This profile is an XML file with a
.publishsettings extension that includes all the credentials, connection strings, and other settings required
to publish a website from an IDE such as Visual Studio.
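The following PowerShell snippet is an added example; it is not part of the course materials or of Microsoft's tooling. It parses a .publishsettings file of the shape Azure generates and lists each publishing endpoint and user name, confirming that a password is present without ever displaying it. The embedded file is a constructed sample: the site name "adatumwebsite", the FTP host name and "PLACEHOLDER-PASSWORD" are placeholders, not values from a real subscription.

```powershell
# Added example: summarize a .publishsettings file without revealing its secrets.
# The XML below is a constructed sample in the shape Azure produces; "adatumwebsite",
# the FTP host and "PLACEHOLDER-PASSWORD" are placeholders, not real values.
$samplePublishSettings = @'
<publishData>
  <publishProfile profileName="adatumwebsite - Web Deploy" publishMethod="MSDeploy"
      publishUrl="adatumwebsite.scm.azurewebsites.net:443" msdeploySite="adatumwebsite"
      userName="$adatumwebsite" userPWD="PLACEHOLDER-PASSWORD"
      destinationAppUrl="http://adatumwebsite.azurewebsites.net" />
  <publishProfile profileName="adatumwebsite - FTP" publishMethod="FTP"
      publishUrl="ftp://waws-prod-example.ftp.azurewebsites.windows.net/site/wwwroot"
      ftpPassiveMode="True" userName="adatumwebsite\$adatumwebsite" userPWD="PLACEHOLDER-PASSWORD"
      destinationAppUrl="http://adatumwebsite.azurewebsites.net" />
</publishData>
'@

function Get-PublishProfileSummary {
    # Returns one object per publishProfile entry. The password is reported only as present/absent.
    param([Parameter(Mandatory = $true)][xml]$PublishSettings)

    foreach ($entry in @($PublishSettings.publishData.publishProfile)) {
        [pscustomobject][ordered]@{
            Method      = $entry.publishMethod
            Endpoint    = $entry.publishUrl
            UserName    = $entry.userName
            PasswordSet = -not [string]::IsNullOrEmpty($entry.userPWD)
            PassiveFtp  = $entry.ftpPassiveMode          # attribute exists only on the FTP profile
            SiteUrl     = $entry.destinationAppUrl
        }
    }
}

# Parse the embedded sample. For a downloaded file use instead:
#   [xml]$doc = Get-Content -Path 'C:\Downloads\adatumwebsite.PublishSettings' -Raw
[xml]$doc = $samplePublishSettings
Get-PublishProfileSummary -PublishSettings $doc | Format-Table -AutoSize
```

A publish profile carries the deployment password in clear text and grants full publishing rights to the site, so handle the file like any other credential: keep it out of source control and delete downloaded copies once Visual Studio has imported them.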

Demonstration: Creating a New Website


In this demonstration, you will see how to:

Create a new website in Azure by using the preview portal.

Browse the new website from the Azure portal.

Demonstration Steps
Create a new website in Azure by using the preview portal


1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.

2. In the top right, click your username, and then click Switch to new portal.

3. In the toolbar on the left, click New, and then click Website.

4. In the URL text box, type a valid unique website name. If the name is valid and unique, a green smiley is displayed.

5. Click Location and then click a location near you.

6. Click Create. Azure creates the website.


Note: The website creation process can take several minutes.

Browse the new website from the Azure portal


1. When the website creation is complete, in the website blade, click Browse. Internet Explorer shows the default webpage.

2. Close the Internet Explorer tab and then close the tab containing the new portal, keeping the full portal tab open.

Using FTP to Deploy Websites


FTP is an older but widely used protocol for
uploading web applications to web servers.

FTP Clients
Azure can act as an FTP server to enable you to
upload your website for publishing. You must
choose an FTP client to use. There are many clients
available. For example:

Web browsers. Most web browsers support the FTP protocol as well as HTTP. This means
you can use your web browser to browse FTP sites and upload content. However, advanced
features, such as retries for dropped connections, are not available in most browsers.

Dedicated FTP Clients. There are several dedicated FTP clients available for free download. These
include FileZilla, SmartFTP, CoreFTP, and others. The advanced features these clients include make
them suitable for website publishing, which can involve many hundreds of files and large file sizes.

IDEs. Visual Studio and other IDEs support FTP for website publishing.

Configuring an FTP Transfer

In order to publish a site by using FTP, you must configure your client with the destination URL of the
remote FTP site and the credentials the FTP client can use to log onto the FTP server. Ensure you use the FTP
credentials you configured for the Azure website and not your Azure account credentials. In addition, you
must select active or passive FTP mode.

By default, FTP uses active mode. In this mode, the client initiates the session and issues commands by
using a command port (usually port 21 on the server) and the server initiates data transfers by using a
data port (usually port 20 on the server). Firewalls may block the data transfers because they appear to be
a separate communication. In passive mode, both commands and data transfers are initiated by the client
and are less likely to be blocked by firewalls.
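As an added example that is not part of the course, the following PowerShell function uploads files to an Azure website's FTP endpoint with .NET's FtpWebRequest, using passive mode as described above and FTPS so the deployment credentials do not cross the network in clear text, and retrying dropped connections the way a dedicated FTP client would. The FTP host name, the site name, the deployment user and the local build folder are placeholders.

```powershell
# Added example: passive-mode FTPS upload with retries, using System.Net.FtpWebRequest.
# Host name, site name, deployment user and local folder are placeholders, not real values.
function Send-FtpFile {
    param(
        [Parameter(Mandatory = $true)][string]$LocalPath,
        [Parameter(Mandatory = $true)][string]$RemoteUri,   # ftp://host/site/wwwroot/relative/path
        [Parameter(Mandatory = $true)][System.Net.NetworkCredential]$Credential,
        [int]$MaxAttempts = 3
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            $request = [System.Net.FtpWebRequest][System.Net.WebRequest]::Create($RemoteUri)
            $request.Method      = [System.Net.WebRequestMethods+Ftp]::UploadFile
            $request.Credentials = $Credential
            $request.UsePassive  = $true   # the client opens the data connection, so firewalls rarely block it
            $request.EnableSsl   = $true   # FTPS: deployment credentials are not sent in clear text
            $request.UseBinary   = $true
            $request.KeepAlive   = $false

            $bytes = [System.IO.File]::ReadAllBytes($LocalPath)
            $request.ContentLength = $bytes.Length
            $stream = $request.GetRequestStream()
            try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }

            $response = $request.GetResponse()
            try { return $response.StatusDescription.Trim() } finally { $response.Close() }
        }
        catch [System.Net.WebException] {
            # Dropped connection or transient server error: back off and retry, then give up.
            if ($attempt -ge $MaxAttempts) { throw }
            Write-Warning "Attempt $attempt for $LocalPath failed: $($_.Exception.Message). Retrying."
            Start-Sleep -Seconds (2 * $attempt)
        }
    }
}

# Use the deployment credentials, not the Microsoft account; Azure expects the user as <site>\<user>.
$deployCred = Get-Credential -UserName 'adatumwebsite\deployuser' -Message 'Azure deployment credentials'
$ftpRoot    = 'ftp://waws-prod-example.ftp.azurewebsites.windows.net/site/wwwroot'   # from the publish profile
$localRoot  = 'D:\Build\AdatumWebsite'

# Mirror the local folder structure under wwwroot. Every file is uploaded because FTP cannot
# detect which ones changed, which is exactly the limitation this topic describes.
Get-ChildItem -Path $localRoot -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($localRoot.Length).TrimStart('\').Replace('\', '/')
    $status   = Send-FtpFile -LocalPath $_.FullName -RemoteUri "$ftpRoot/$relative" `
                             -Credential $deployCred.GetNetworkCredential()
    Write-Host "$relative : $status"
}
```

The function assumes the target directories already exist under wwwroot; a full client would issue a MakeDirectory request for each new folder first. Because the credential is requested interactively, nothing secret ends up in the script or in the PowerShell history.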

Limitations of FTP

The principal advantage of FTP is its wide use and broad compatibility. However, since FTP is an older
technology that was not designed specifically for uploading website source code, advanced features are
not available. For example:

FTP simply transfers files. It is not able to modify files or distinguish their use. Therefore it cannot
automatically alter database connection strings in web.config files to connect to the production
database instead of a development database. Web Deploy, for example, can be configured to make
this modification.

FTP always transfers all the selected files whether they have been modified or not. This can result in
an operation re-uploading many files unnecessarily when changes are made.

Using Web Deploy to Deploy Websites


Web Deploy is a technology with client-side and
server-side components that synchronizes both
content and configuration values with IIS servers.
Web Deploy can be used to migrate content from
one IIS web server to another, but in this topic you
will learn about its more frequent use: deploying
websites from development environments to
staging and production web servers. Web
Deploy is the recommended tool for deploying
web applications to Azure websites from Visual
Studio.
For more information about Web Deploy, see:
Introduction to Web Deploy
http://go.microsoft.com/fwlink/?LinkID=511731


Web Deploy is only supported with IIS web servers, which are used to host Azure Websites. It is also only
supported by a small number of clients, such as Visual Studio and Web Matrix. However, when this
software is available, Web Deploy has the following advantages:

Web Deploy only uploads files that have changed so modifications can be performed reliably with
much less network traffic.

Web Deploy works over the secure HTTPS protocol. It does not require extra ports to be open on the
web server's firewall.

Web Deploy can secure the files it transfers by setting Access Control Lists (ACLs).

Web Deploy can use SQL scripts to deploy a database to a remote server.

Web Deploy can automatically modify the web.config file. For example, it can replace a database
connection string so that the deployed website connects to a production database.

MSDeploy.exe

The Web Deploy client is implemented as a command-line utility named MSDeploy.exe. Visual Studio,
Web Matrix and PowerShell cmdlets all use this program to execute Web Deploy operations. You can use
MSDeploy.exe at the command prompt manually or as part of a batch file.
You can download the MSDeploy.exe tool at the following location:
Web Deploy Download
http://go.microsoft.com/fwlink/?LinkID=522636

Using Web Deploy in PowerShell

The Windows Azure PowerShell includes the Publish-AzureWebsiteProject cmdlet, which uses Web Deploy
to upload a Visual Studio package or project file to Azure. With this cmdlet you can automate website
deployment.
For example, use the following PowerShell command to package and publish a Visual Studio web
application project:
Using the Publish-AzureWebsiteProject Cmdlet
Publish-AzureWebsiteProject -Name AdatumWebsite -ProjectFile "AdatumWebsite.csproj" -Configuration Release
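The following script is an added example, not course or Microsoft code. It wraps the cmdlet above in a repeatable release step: it publishes the project to a staging slot, substitutes the staging database connection string at publish time (the web.config modification this topic attributes to Web Deploy), and smoke-tests the result. The site name, slot name, project path, database server and database name are assumptions, and the -Slot and -ConnectionString parameters are used as the Azure PowerShell module of this period exposes them.

```powershell
# Added example: publish to the staging slot with Web Deploy and override the
# connection string during the publish. Names and paths are assumptions.
$siteName    = 'adatumwebsite'
$slot        = 'staging'
$projectFile = 'D:\Build\AdatumWebsite\AdatumWebsite.csproj'

# Ask for the staging database login at run time rather than embedding it in the
# script or committing it to source control alongside the project.
$dbCred     = Get-Credential -UserName 'adatumapp' -Message 'Staging database login'
$dbPassword = $dbCred.GetNetworkCredential().Password
$stagingConnection = 'Server=tcp:adatum-staging.database.windows.net,1433;Database=AdatumStaging;' +
                     "User ID=$($dbCred.UserName);Password=$dbPassword;Encrypt=True;"

# -ConnectionString maps <connectionStrings> names in web.config to the values Web Deploy
# writes into the deployed web.config, so the slot never carries the developer's string.
Publish-AzureWebsiteProject -Name $siteName -Slot $slot `
    -ProjectFile $projectFile -Configuration Release `
    -ConnectionString @{ DefaultConnection = $stagingConnection }

# Smoke test the slot URL (<site>-<slot>.azurewebsites.net) before anyone swaps it into production.
$stagingUrl = "http://$siteName-$slot.azurewebsites.net/"
$response   = Invoke-WebRequest -Uri $stagingUrl -UseBasicParsing
if ($response.StatusCode -ne 200) { throw "Staging slot returned HTTP $($response.StatusCode)" }
Write-Host "Staging slot is up at $stagingUrl"
```

Running the publish against the slot rather than the production site keeps untested builds away from users, and overriding the connection string at publish time means the development connection string in the project never reaches Azure at all.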

Demonstration: Deploying a Website by Using Web Deploy


In this demonstration, you will see how to:

Download a publishing profile from the Azure portal.

Import the publishing profile into a Visual Studio website project.

Validate the connection to Azure and publish the website content.

Demonstration Steps
Download a publishing profile from the Azure portal
1. In Internet Explorer, in the navigation on the left, click WEBSITES.

2. In the list of websites, click the website you created previously.

3. Under Publish your app, click Download the publish profile.

4. In the dialog, click Save.

Import the publishing profile into a Visual Studio website project


1. On the taskbar, click Visual Studio 2013.

2. On the FILE menu, point to Open, and then click Project/Solution.

3. Browse to the D:\DemoFiles\Mod05\ \AdatumWebsite folder, click AdatumWebsite.sln, and then click Open.

4. In the Solution Explorer, right-click the AdatumWebsite project, and then click Publish.

5. In the Publish Web wizard, on the Profile page, click Import, and then click Browse.

6. Locate and select the publish profile you just downloaded, click Open, and then click OK.

Validate the connection to Azure and publish the website content


1. On the Connection page, click Validate Connection. If the connection is valid, a green tick is displayed.

2. Click Publish. When the publishing process is complete, Internet Explorer displays the site.

3. Close the Internet Explorer tab containing the website, but keep the full portal page open.


Website Updates
After you have deployed a finished version of a
website to Azure, development rarely ceases. In
most cases, new features and bug fixes will be
made by developers to improve the site and
ensure a compelling user experience. These
changes are deployed in different ways,
depending on the location of your source code
and the deployment tool you choose.


If you use FTP for deployment, you must simply upload new files and overwrite any changed files.
Note that FTP is not able to distinguish changed files automatically so you must either keep a
careful record of altered files or else overwrite all the files in the site. If you take the second approach,
even a small update requires a lengthy upload operation. This is one advantage to using Web Deploy,
because MSDeploy.exe can compare files in source and destination and upload only modified files.

Continuous Deployment

Continuous Delivery is a recent approach to software development in which the source code for a project
is regularly changing with bug fixes and new features. Continuous Deployment is part of the Continuous
Delivery model and involves regular and automatic builds and deployments of the project to a staging
environment. If you use a centralized source control system, such as TFS or GitHub, to develop an Azure
Website, you can configure continuous deployment of that website to Azure on an automated schedule
or in response to any committed changes.
To enable and use Continuous Deployment you must:

Connect the project to the Azure Website. In the Azure portal, you must configure the location of
your source code repository and provide credentials that Azure can use to authenticate with the
repository.

Make one or more changes to the source code and commit them to the repository.

Trigger a build and deploy operation.

The precise steps involved in this configuration depend on the repository you are using. For example, for
the steps for a Git repository in Visual Studio Online, see:
Continuous delivery to Azure using Visual Studio Online and Git
http://go.microsoft.com/fwlink/?LinkID=522637

Staging and Production Slots

Before you deploy source code to a public-facing website, you must have confidence in its integrity and
reliability. For this reason it is important to implement a strict testing and acceptance regime that
identifies bugs and other issues in code before they are deployed to the production website. Much of this
testing can be performed in the development environment. For example, unit tests can be run on
developers' computers. However, the final testing location should be the staging environment. The
staging environment should match the production environment as closely as possible.
If you are using standard tier Azure websites, you can create two or more slots for each site. Create one
slot for the production website and deploy tested and accepted code there. You can create a second slot
as the staging environment. Deploy new code to this staging slot and use it to run acceptance tests. The
staging slot has a different URL for browsing.

When the new version in the staging slot passes all tests, you can safely deploy it to production by
swapping the slots. This also provides a simple rollback path: if the new version causes unexpected
problems you can swap the slots a second time to move back to the old production site.
Best Practice: If you are using Continuous Deployment, you should never configure it to
deploy code to a production website. This would result in untested code in a user-facing
environment. Instead, configure deployment to a staging slot or a separate website, where tests
can be run before final deployment.
When you swap a production and a staging slot, the following settings in the production slot will be
replaced with those of the staging slot:

Connection Strings

Handler Mappings

Monitoring and diagnostic settings


For staging, you usually run the website against a dedicated staging database, which is defined in the
connection string. When you swap slots, the new production slot will use the database you were
using while staging the site. If you want to continue to use the original database because it contains up-to-date production data, you must edit the connection string in the new production slot. You should only
do this if the database schema has not changed in the new version. If the schema has changed, you must
instead migrate production data into the staging database before you perform the swap.
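As an added example (not course or Microsoft code), the following PowerShell carries the swap described above through end to end: it creates the staging slot if necessary, swaps it into production, re-points the new production slot at the production database because the connection string travels with the slot, and keeps the swapped-out build available for rollback. The site name, slot name, location and the connection string name "DefaultConnection" are assumptions.

```powershell
# Added example: create a staging slot, swap it into production, restore the
# production connection string, and keep a rollback path. Names are assumptions.
$siteName = 'adatumwebsite'
$slot     = 'staging'

# 1. Slots require the Standard tier; create the staging slot once if it is missing.
$existingSlot = $null
try { $existingSlot = Get-AzureWebsite -Name $siteName -Slot $slot -ErrorAction Stop } catch { }
if (-not $existingSlot) {
    New-AzureWebsite -Name $siteName -Slot $slot -Location 'East US'
}

# 2. Swap. Production now runs the build that passed acceptance tests in staging,
#    but it also inherits the staging connection string, as the text above notes.
Switch-AzureWebsiteSlot -Name $siteName -Slot1 $slot -Slot2 'production' -Force

# 3. Re-point production at the production database. Only do this when the new build
#    did not change the schema; otherwise migrate data into staging before the swap.
$secureConnection     = Read-Host -AsSecureString -Prompt 'Production connection string'
$productionConnection = (New-Object System.Net.NetworkCredential('', $secureConnection)).Password

$production = Get-AzureWebsite -Name $siteName
$entry = $production.ConnectionStrings | Where-Object { $_.Name -eq 'DefaultConnection' }
if (-not $entry) { throw "No connection string named DefaultConnection is configured on $siteName" }
$entry.ConnectionString = $productionConnection
Set-AzureWebsite -Name $siteName -ConnectionStrings $production.ConnectionStrings

# 4. Rollback: the previous production build now sits in the staging slot, so a second
#    swap restores it. After a rollback the staging slot points at the production
#    database, so repeat step 3 with the staging string before testing there again.
function Undo-Swap {
    Switch-AzureWebsiteSlot -Name $siteName -Slot1 $slot -Slot2 'production' -Force
}
```

A connection string configured on the site in Azure takes precedence at run time over a web.config entry of the same name, so step 3 also corrects a staging value that Web Deploy wrote into the deployed web.config. The string is read as a secure string so that it does not land in the console transcript or history.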
The following production slot settings will not change when you swap a staging slot into a production
slot:

Publishing endpoints

Custom domain names

SSL certificates and bindings

Scale settings

Staging slots are publicly available, but since the URL is not widely known, Internet users are unlikely to
find your staging site. However, you may wish to restrict access to your staging slot so that only your
developers and testing team can access it. You can do this by adding IP address whitelists to the
web.config file in the website.
For more details of this technique, see:
Azure Web Sites block web access to non-production deployment slots
http://ruslany.net/2014/04/azure-web-sites-block-web-access-to-non-production-deployment-slots/
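The snippet below is an added example; it is neither the linked article's code nor the course's. It inserts an IIS URL Rewrite rule into a local web.config that returns HTTP 403 to any client outside an allowed address list when the request arrives on the staging host name. Keying the rule on the host name, rather than adding a plain ipSecurity allow list, is a design choice made here so that the same web.config can be swapped into production without locking customers out. The web.config path, the staging host name and the addresses are placeholders.

```powershell
# Added example: add a URL Rewrite rule to web.config that blocks the staging slot for
# everyone except listed addresses. Path, host name and addresses are placeholders.
function Add-StagingIpRestriction {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [Parameter(Mandatory = $true)][string]$StagingHost,        # e.g. adatumwebsite-staging.azurewebsites.net
        [Parameter(Mandatory = $true)][string[]]$AllowedAddresses  # exact client IPv4 addresses
    )
    $fullPath = (Resolve-Path -Path $WebConfigPath).ProviderPath
    [xml]$config = Get-Content -Path $fullPath -Raw

    # Walk (or create) configuration/system.webServer/rewrite/rules.
    $node = $config.SelectSingleNode('/configuration')
    foreach ($name in 'system.webServer', 'rewrite', 'rules') {
        $child = $node.SelectSingleNode($name)
        if (-not $child) { $child = $node.AppendChild($config.CreateElement($name)) }
        $node = $child
    }

    # Anchored, escaped patterns: an unescaped dot would match any character and widen the allow list.
    $allowedPattern = '^(' + (($AllowedAddresses | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    $hostPattern    = '^' + [regex]::Escape($StagingHost) + '$'

    $ruleName = 'Block staging slot from unknown addresses'
    $existing = $node.SelectSingleNode("rule[@name='$ruleName']")
    if ($existing) { [void]$node.RemoveChild($existing) }   # replace an earlier version of the rule

    $ruleXml = @"
<rule name="$ruleName" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="$hostPattern" />
    <add input="{REMOTE_ADDR}" pattern="$allowedPattern" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
          statusDescription="The staging slot is restricted to the development and test team." />
</rule>
"@
    $fragment = $config.CreateDocumentFragment()
    $fragment.InnerXml = $ruleXml
    [void]$node.AppendChild($fragment)
    $config.Save($fullPath)
}

# Constructed addresses from the TEST-NET-3 documentation range stand in for the team's egress addresses.
Add-StagingIpRestriction -WebConfigPath 'D:\Build\AdatumWebsite\web.config' `
    -StagingHost 'adatumwebsite-staging.azurewebsites.net' `
    -AllowedAddresses '203.0.113.10', '203.0.113.11'
```

Because the rule only fires for the staging host name, it is harmless once the build is swapped into production, and it travels with every release so the slot stays restricted after each deployment. Confirm it works by requesting the staging URL from an address outside the list and checking for a 403 before relying on it; IPv6 clients, if any, need their own entries.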

Demonstration: Creating a Staging Slot


In this demonstration, you will see how to:

Evaluate your Azure websites in PowerShell.

Change the hosting tier for a website.

Create a new staging slot for a website.

Demonstration Steps
Evaluate your Azure websites in PowerShell
1. Start the Microsoft Azure PowerShell if it is not already running.

2. If you are not logged in, type the following command, and then press Enter:

   Add-AzureAccount

3. Log in with the account associated with your Azure subscription.

4. Type the following command, and then press Enter:

   Get-AzureWebsite

Change the hosting tier for a website


1. In Internet Explorer, in the website you created previously, click SCALE.

2. In the WEB HOSTING PLAN MODE ensure STANDARD is selected.

Create a new staging slot for a website


1. Click DASHBOARD.

2. Under quick glance, click Add a new deployment slot.

3. In the NAME text box, type Staging.

4. In the CONFIGURATION SOURCE list, select the website you created previously, and then click the Complete icon.

5. When the configuration is complete, click the arrow to the left of the website you created in the first demo.

6. Point out to the students that the new slot is a separate website within the first website.

7. Switch to PowerShell.

8. Type the following command, and then press Enter:

   Get-AzureWebsite

Lesson 3

Configuring Websites


Once you have created and deployed an Azure website, you have many settings that you can configure
on an ongoing basis. For example, you can configure SSL and website certificates to support encryption,
link databases and storage accounts to a website to ease scalability and monitoring, and scale websites to
cope with peak demand. In this lesson, you will see how to configure a website for best performance and
best value and how to use WebJobs to schedule scripted tasks that maintain your website.

Lesson Objectives
After this lesson, you will be able to:

Use the Configure page in the portal to manage framework versions, security, configuration strings,
and app settings.

Link databases and storage accounts to an Azure website.

Scale up and scale out a website to improve availability and increase capacity.

Describe how WebJobs can be used to run background tasks.

Create a WebJob and set how it runs.

Configuring General Settings

In the Azure portal, the Configure tab for a website enables administrators to set up many aspects of website behavior. These include:

Framework versions. Server-side code that executes to render webpages requires a framework. Developers select the framework when they begin developing the website. Azure supports the ASP.NET, PHP, Java, and Python frameworks. Older websites may require an older version. You can select from all the supported versions for these frameworks.

Web Sockets. Web sockets are a mechanism that enables two-way communication between server and client. Developers can build chat rooms, games, and support tools by using web sockets. If your developers are using web sockets, you must enable them on the Configure tab.

Note: Many developers in ASP.NET use the SignalR package to build two-way messaging
into their web applications. SignalR is built on web sockets.

Always On. Many web development technologies, such as ASP.NET and PHP, unload a website from
memory when there have been no requests for a prolonged period. When the first new request is
received, code may need compilation and reloading before a response can be sent to the user and
this process can delay a response. The Always On feature avoids this problem by regularly pinging the
website with a simple request. Always On is only available for websites in the Standard tier.


Platform. Use the Platform setting to control whether to run server code in 32-bit or 64-bit mode.
The 64-bit mode is only available in basic or standard tier websites.

Certificates. If you want to use Secure Sockets Layer (SSL) to encrypt communications between the
web browser and the server, you must obtain and upload a certificate from a recognized certificate
authority. Use the Certificates section to add such a certificate to your site.

Domain Names. If you have registered a custom domain name, such as adatumcorp.com, with an
ISP, you can use that domain name to host your site. All Azure sites without custom domain names
are in the azurewebsites.net domain.

SSL Bindings. To use SSL with a custom domain, you must ensure the custom domain appears in the
certificate when you purchase it from the certificate authority. Once you have uploaded the
certificate, you can bind it to the custom domain by using the SSL Bindings table.

App Settings. You can use app settings to pass custom name/value pairs to your application at runtime. Work with your development team to determine what settings are required by the website code. For example, you could use an app setting to specify an administrator's email address. The website code must take this setting and display it in an appropriate place on the site.

Connection Strings. These strings are used by the website to connect to a database. Most websites
use databases to store all dynamic data and cannot function without a connection to one or more
databases. Connection strings are stored in configuration files such as the web.config file. You can use
the Connection Strings section to override these connection strings without modifying and uploading
a new web.config file.

Default Documents. The default document list specifies the page that will be displayed if a user does
not specify one. For example, if they want to see the home page, most users specify the domain name
of the site and do not add default.htm, index.htm or some other page. Work with your developers to
ensure the website home page appears in the default documents list. Optimize the website by
ensuring that the home page is at the top of the list.
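The following Azure PowerShell script is an added example, not from the course, that applies some of the Configure settings described above from the command line instead of the portal. It assumes the Azure Service Management cmdlets used in this course (Add-AzureAccount already run), a placeholder website name adatumweb, and the Set-AzureWebsite parameter and site property names (AppSettings, WebSocketsEnabled, Use32BitWorkerProcess) as shown by Get-Help and Get-AzureWebsite on that module version; the point it shows is that -AppSettings replaces the whole set, so the existing settings must be read and merged first.

```powershell
# Added example (not part of the course). Assumes Add-AzureAccount has been run
# and that "adatumweb" is a placeholder for your own website name.
$SiteName = "adatumweb"

function Merge-WebsiteAppSettings {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$NewSettings
    )
    # Set-AzureWebsite -AppSettings replaces the complete set of app settings.
    # Read the current settings first and merge the new values into them, so
    # that settings the developers rely on are not silently dropped.
    $site   = Get-AzureWebsite -Name $Name
    $merged = @{}
    foreach ($key in $site.AppSettings.Keys) { $merged[$key] = $site.AppSettings[$key] }
    foreach ($key in $NewSettings.Keys)      { $merged[$key] = $NewSettings[$key] }
    Set-AzureWebsite -Name $Name -AppSettings $merged
    return $merged
}

# App settings are the right place for values the code needs at runtime (the
# lesson's administrator email address example): they live in the site
# configuration in Azure, not in a web.config file checked into source control.
Merge-WebsiteAppSettings -Name $SiteName -NewSettings @{
    "AdminEmail" = "webadmin@adatum.com"   # constructed placeholder value
}

# Web sockets and the 32-bit/64-bit platform setting from the same Configure tab.
Set-AzureWebsite -Name $SiteName -WebSocketsEnabled $true -Use32BitWorkerProcess $true

# Read the configuration back to confirm what is actually in effect.
$site = Get-AzureWebsite -Name $SiteName
[pscustomobject]@{
    Site            = $site.Name
    AdminEmail      = $site.AppSettings["AdminEmail"]
    WebSockets      = $site.WebSocketsEnabled
    Use32BitProcess = $site.Use32BitWorkerProcess
}
```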

Managing Linked Resources

You can use the Linked Resources tab to show Azure SQL Databases, MySQL instances, and Azure storage accounts that the current website depends upon.

Note: It is not required to add a database or storage account to the Linked Resources list in order for the website to connect to it. For example, if a website has the correct connection string configured to open a SQL Database, the connection works even if the database does not appear in the Linked Resources tab.

Declaring databases and storage accounts as linked resources has the following advantages:


Other Azure administrators can easily determine the databases and storage accounts that are used by
each website without examining connection strings or web.config files.

It is easier to scale databases and storage accounts as you scale the corresponding website.

It is easier to configure monitoring for databases and storage accounts as you configure monitoring
for the corresponding website.

Configuring Availability and Scalability

The scaling options you have available depend on the service tier you select. For Shared and Basic tiers you can only increase the size of individual website instances and the number of instances. For the Standard tier you can also configure automatic scaling. You can scale a website based on a schedule, which can be helpful if you expect a demand peak at a predictable time. Alternatively, you can respond automatically to high demand by setting a metric that will trigger scaling when it reaches a preconfigured value.

For more information about scaling websites, see:
How to Scale Websites
http://go.microsoft.com/fwlink/?LinkID=511732

To configure scaling for a website, follow these steps:

1. In the Azure portal, click the website you want to configure.

2. Click the SCALE tab.

3. In the Web Hosting Plan section, choose SHARED or BASIC to configure simple static scaling. If you want to use automatic scaling, choose STANDARD.

4. In the Capacity section, you can scale up by choosing a larger Instance Size. You can also scale out by choosing a larger Instance Count.

5. In standard tier websites, click Set up schedule times to automatically create extra instances to cover an expected demand spike.

6. Click Scale by Metric to set conditions that will trigger the creation of extra instances. By using these metrics, you can respond to unexpected demand spikes.

Best Practice: When you specify a schedule for scaling instances, bear in mind that it can take several minutes for each instance to start and become available to users. Therefore, ensure that you leave enough time between the start of the schedule and the time when you expect peak traffic to occur.

Overview of WebJobs

WebJobs are a new feature of Azure Websites that enable administrators and developers to run automated background tasks. These tasks can be run:

On Demand. That is, whenever an administrator executes the task.

Continuously. That is, a task that continuously re-executes its main method. For example, such a task may continuously check for the presence of new files to process.

On a Schedule. That is, at times specified by the site administrator.


WebJobs are often used for important maintenance tasks that should not have an impact on the delivery
of content to visitors. For example:

Image processing. Processes that must be run on uploaded images are often CPU intensive.

File maintenance. For example, you might want to scan log files and remove unimportant events.

RSS aggregation. Importing information from an RSS feed can be CPU-intensive when there are many
articles.

Best Practice: By default, Azure Websites are unloaded and halted after a prolonged
period of inactivity. This also interrupts any WebJobs in process. To avoid these halts and prevent
interruption for WebJobs, use the Always On feature.
The operations and logic that a WebJob performs are defined in a script file. These files can include:

Batch files

PowerShell scripts

Bash Shell scripts

PHP scripts

Python scripts

Node.js scripts

The type of script you create for a WebJob depends on your own experience. For example, if you are a
Windows administrator with little web development experience, you are more likely to code WebJob
operations as a PowerShell script than as a Node.js script.

Implementing WebJobs

Use the following procedures to create and monitor WebJobs.

Creating a WebJob

To create a WebJob, first compress your script file and any supporting files it requires into a zip file. Then follow these steps:

1. In the Azure full portal, in the navigation on the left, click WEBSITES.

2. Click the relevant website, and then click the WEBJOBS tab.

3. In the command bar at the bottom, click Add.

4. In the NAME text box, type a descriptive name for the new WebJob.

5. In the CONTENT box, browse to the zip file you created.

6. In the HOW TO RUN drop-down list, select On demand, Run continuously, or Run on a Schedule.

7. If you are creating a scheduled WebJob, in the SCHEDULER REGION drop-down list, select an Azure data center where you want the scheduler to run.

8. You can specify either a one-off time for the job to execute or a recurring schedule.
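As an added example, not part of the course, here is a PowerShell script that could be packaged as the zip file in the procedure above to implement the file maintenance case from the WebJobs overview: it deletes web server log files older than a retention period. It assumes the environment variables HOME, WEBJOBS_NAME and WEBJOBS_RUN_ID that Azure sets for a running WebJob, and the trailing comment shows how the same script could be uploaded with the New-AzureWebsiteJob cmdlet instead of the portal (cmdlet names from the Azure Service Management module used in this course; the job name PruneLogs and website name adatumweb are placeholders).

```powershell
# prunelogs.ps1 -- added example of a triggered (on demand or scheduled) WebJob,
# not part of the course. Deletes web server log files older than $RetentionDays
# from the website's own file system. Inside a WebJob, $env:HOME is the site
# root, and the folder below matches the one listed under Accessing Diagnostic Logs.
param([int]$RetentionDays = 14)

$logRoot = Join-Path $env:HOME 'LogFiles\http\RawLogs'
$cutoff  = (Get-Date).AddDays(-$RetentionDays)

# Everything written to stdout appears in the WebJob history (Toggle output).
Write-Output "WebJob $($env:WEBJOBS_NAME) run $($env:WEBJOBS_RUN_ID): pruning files older than $cutoff in $logRoot"

if (-not (Test-Path $logRoot)) {
    Write-Output "Log folder not found; nothing to do."
    exit 0
}

$removed = 0
Get-ChildItem -Path $logRoot -Filter '*.log' -File |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        Remove-Item -Path $_.FullName -Force
        $removed++
        Write-Output "Removed $($_.Name)"
    }
Write-Output "Removed $removed file(s)."

# A non-zero exit code marks the run as Failed in the WebJob history.
exit 0

# To deploy from your workstation instead of the portal (run these commands
# outside the WebJob, after Add-AzureAccount; names are placeholders):
#   Add-Type -AssemblyName System.IO.Compression.FileSystem
#   [System.IO.Compression.ZipFile]::CreateFromDirectory('.\prunelogs', '.\prunelogs.zip')
#   New-AzureWebsiteJob -Name adatumweb -JobName PruneLogs -JobType Triggered -JobFile .\prunelogs.zip
#   Start-AzureWebsiteJob -Name adatumweb -JobName PruneLogs -JobType Triggered
```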

Viewing the WebJob History

The WebJob history shows when the WebJob was run and the result of the script execution. To access the
history, take the following steps:
1. In the Azure full portal, in the navigation on the left, click WEBSITES.

2. Click the website that runs the WebJob and then click the WEBJOBS tab.

3. For the relevant WebJob, click the link in the LOGS column.

4. Azure displays the WebJob details page. This page displays the script run, the duration of the script execution, and the status.

5. To see further details, click the link in the TIMING column, and then click Toggle output. Individual events in the execution of the WebJob are displayed.

Lesson 4

Monitoring Websites


Running websites consume resources and incur costs. They may also generate errors, for example if users request webpages that do not exist. Azure helps you to stay in touch with your website's behavior by providing a range of diagnostic logs and tools. In this lesson, you will see how to configure logging for your website and how to view and analyze the data generated.

Lesson Objectives
At the end of this lesson, you will be able to:

Configure site diagnostics and application diagnostics to log the behavior of an Azure website.

Use diagnostic logs and the Azure portal to investigate your website and diagnose problems.

Use the KUDU user interface to access further information about your website.

Configuring Website Diagnostics

If you want to troubleshoot website errors or improve website performance, you need to gather information about the behavior of the website. Azure Websites include application diagnostics and site diagnostics, which you can configure to record such information for later analysis.

Best Practice: Configure site diagnostics and application diagnostics to record detailed information only when investigating website behavior. When you have completed your investigation and want to tune the website for high performance, you should minimize the amount of information the diagnostic tools log. This is because logging has a small but potentially significant impact on website performance.

Application Diagnostics

By using application diagnostics, you can work with website developers to capture and log individual
events that occur as the website code executes. In order to record such an event, the developer must use
the System.Diagnostics.Trace class to send a message. Developers often send trace messages in error
handling code but they can also send them simply to record a successful operation.

Application diagnostics are switched off by default, which means that trace messages are not recorded. If
you switch on application diagnostics, you must configure the following settings:

Log storage location. Choose whether to store the application diagnostic log in the website file
system, a table in an Azure storage account, or a blob container in an Azure storage account. You can
choose to enable any combination of these locations.

Logging level. Choose whether to record informational, warning, or error messages in the log. The verbose logging level records all the messages the application sends. You can configure a different logging level for each log storage location.

Retention period. Logs stored in blob storage are not automatically deleted. If you want to enable
automatic deletion, you must set a retention period.

These settings can be configured in the CONFIGURE tab for any Azure Website.

Site Diagnostics


Site diagnostics can be used to record information about HTTP requests and responses, which are the
communications between the web server and the web browser. You can enable or disable the following:

Detailed Error Logging. In HTTP, any response with a status code of 400 or greater indicates an error.
Often, users may only see a simple error page with no technical details. The details stored in site
diagnostic logs may help you to diagnose the problem.

Failed Request Tracing. This option includes rich tracing information logged when an error occurred.
As the trace includes a list of all the IIS components that processed the request and timing
information, you can use this trace to isolate problematic components.

Web Server Logging. This enables the standard W3C extended log for your website. Such a log shows
all requests and responses, client IP addresses, and timings and can be used to assess server load,
identify malicious attacks, and study client behavior.

For more information about diagnostic logging, see:


Enable diagnostic logging for Azure Websites
http://go.microsoft.com/fwlink/?LinkID=511734
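As an added example that is not part of the course, the following Azure PowerShell functions switch the three site diagnostics options and file-based application diagnostics on for an investigation and off again afterwards, following the best practice stated at the start of this topic. It assumes the Azure Service Management cmdlets used in this course (Add-AzureAccount already run), a placeholder website name adatumweb, and the property names that Get-AzureWebsite displays on that module version.

```powershell
# Added example (not part of the course). Assumes Add-AzureAccount has been run
# and that "adatumweb" is a placeholder for your own website name.
$SiteName = "adatumweb"

function Enable-InvestigationLogging {
    param([Parameter(Mandatory)][string]$Name)
    # Site diagnostics: W3C web server log, detailed error pages and failed
    # request tracing, the three options described in the Site Diagnostics topic.
    Set-AzureWebsite -Name $Name -HttpLoggingEnabled $true `
        -DetailedErrorLoggingEnabled $true -RequestTracingEnabled $true
    # Application diagnostics: record System.Diagnostics.Trace messages in the
    # website file system. Verbose keeps every message the application sends.
    Enable-AzureWebsiteApplicationDiagnostic -Name $Name -File -LogLevel Verbose
}

function Disable-InvestigationLogging {
    param([Parameter(Mandatory)][string]$Name)
    # Logging costs performance, so turn the detailed options off again once the
    # investigation is finished.
    Set-AzureWebsite -Name $Name -HttpLoggingEnabled $false `
        -DetailedErrorLoggingEnabled $false -RequestTracingEnabled $false
    Disable-AzureWebsiteApplicationDiagnostic -Name $Name -File
}

function Get-DiagnosticState {
    param([Parameter(Mandatory)][string]$Name)
    # Read the settings back rather than trusting that the change applied.
    $site = Get-AzureWebsite -Name $Name
    [pscustomobject]@{
        Site               = $site.Name
        WebServerLogging   = $site.HttpLoggingEnabled
        DetailedErrors     = $site.DetailedErrorLoggingEnabled
        FailedRequestTrace = $site.RequestTracingEnabled
    }
}

# Typical investigation: enable, reproduce the problem, collect, disable.
Enable-InvestigationLogging -Name $SiteName
Get-DiagnosticState -Name $SiteName
# ... reproduce the failing requests here ...
Save-AzureWebsiteLog -Name $SiteName -Output ".\$SiteName-logs.zip"
Disable-InvestigationLogging -Name $SiteName
Get-DiagnosticState -Name $SiteName
```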

Monitoring Websites

Once you have enabled application and site diagnostic logs, you must download the logs to examine the recorded data. In addition, you can use the MONITOR tab in the Azure portal to profile a website's performance.

Accessing Diagnostic Logs

The application and site diagnostic logs can be accessed by using FTP. An FTP link is provided in the Quick Glance section of each website's DASHBOARD tab. You can use these links in your web browser or copy them into a dedicated FTP client such as CoreFTP. To access the logs, you must authenticate with the deployment credentials you configured for FTP and Git.

The logs are located in the following folders:

Application Logs: /LogFiles/Application

Detailed Error Logs: /LogFiles/DetailedErrors

Failed Request Traces: /LogFiles/W3SVC#########/

Web Server Logs: /LogFiles/http/RawLogs

To examine the Failed Request Traces, ensure you download both XML and XSL files to the same folder.
You can then open the XML files in Internet Explorer.


Instead of using FTP, you can also download the logs by using the Save-AzureWebsiteLog PowerShell
cmdlet:
Downloading Website Logs in PowerShell
Save-AzureWebsiteLog -Name MyWebsite -Output .\LogFiles.zip

Finally, you can use the Azure cross-platform command line interface to download logs:
Using the X-Plat-CLI to Download Logs
azure site log download MyWebsite

Diagnostic logs are easy to understand but can be challenging to analyze when they contain a large
quantity of data. One way to analyze diagnostic logs is to use HDInsight. You can find PowerShell scripts
that enable this approach at the following location:
Analyze Windows Azure Website application logs using transient HDInsight cluster
http://go.microsoft.com/fwlink/?LinkID=511735
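For smaller volumes, the web server log can be analyzed directly in PowerShell. The following added example (not from the course) parses the W3C extended log format that Azure writes under /LogFiles/http/RawLogs, taking the column layout from the #Fields header rather than hard-coding it, and then lists client addresses that produced many error responses, the kind of pattern the Site Diagnostics topic refers to when it says the log can help identify malicious activity. The log lines, site name and addresses are constructed sample data; the field list is a subset of what Azure writes.

```powershell
# Added example (not part of the course). The sample lines are constructed to
# resemble the W3C extended log Azure writes under /LogFiles/http/RawLogs.
$SampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-10-01 10:00:01 ADATUMWEB GET /default.aspx - 80 203.0.113.10 Mozilla/5.0+(Windows+NT+6.3) 200 0 0 120
2014-10-01 10:00:02 ADATUMWEB GET /css/site.css - 80 203.0.113.10 Mozilla/5.0+(Windows+NT+6.3) 200 0 0 15
2014-10-01 10:00:05 ADATUMWEB GET /products.aspx id=42 80 203.0.113.10 Mozilla/5.0+(Windows+NT+6.3) 200 0 0 95
2014-10-01 10:01:10 ADATUMWEB GET /admin/ - 80 198.51.100.7 curl/7.30.0 404 0 2 3
2014-10-01 10:01:10 ADATUMWEB GET /backup.zip - 80 198.51.100.7 curl/7.30.0 404 0 2 2
2014-10-01 10:01:11 ADATUMWEB GET /wp-login.php - 80 198.51.100.7 curl/7.30.0 404 0 2 2
2014-10-01 10:01:11 ADATUMWEB GET /phpmyadmin/ - 80 198.51.100.7 curl/7.30.0 404 0 2 2
2014-10-01 10:01:12 ADATUMWEB POST /contact.aspx - 80 198.51.100.7 curl/7.30.0 500 0 0 210
2014-10-01 10:02:00 ADATUMWEB GET /default.aspx - 80 192.0.2.25 Mozilla/5.0+(Macintosh) 200 0 0 110
2014-10-01 10:02:30 ADATUMWEB GET /missing.html - 80 192.0.2.25 Mozilla/5.0+(Macintosh) 404 0 2 4
'@

function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; the set can change between log
            # files, so never rely on fixed column positions.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }
        # W3C logs encode spaces inside values as '+', so splitting on
        # whitespace gives one value per field.
        $values = $line.Trim() -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

function Find-SuspiciousClients {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [int]$ErrorThreshold = 5
    )
    # Group requests by client address and count error responses (status >= 400).
    # Many 404s from one client in a short window usually means it is probing
    # for files that are not part of the site; 5xx responses from the same
    # client deserve a look at the detailed error logs.
    $Entries |
        Group-Object -Property 'c-ip' |
        ForEach-Object {
            $errors = @($_.Group | Where-Object { [int]($_.'sc-status') -ge 400 })
            [pscustomobject]@{
                ClientIp     = $_.Name
                Requests     = $_.Count
                Errors       = $errors.Count
                NotFound     = @($errors | Where-Object { $_.'sc-status' -eq '404' }).Count
                ServerErrors = @($errors | Where-Object { [int]($_.'sc-status') -ge 500 }).Count
                DistinctUris = @($_.Group | Select-Object -ExpandProperty 'cs-uri-stem' -Unique).Count
            }
        } |
        Where-Object { $_.Errors -ge $ErrorThreshold } |
        Sort-Object -Property Errors -Descending
}

$entries = ConvertFrom-W3CLog -Lines ($SampleLog -split "`r?`n")
# With the sample data only 198.51.100.7 (5 errors) crosses the threshold.
Find-SuspiciousClients -Entries $entries -ErrorThreshold 3 | Format-Table -AutoSize
```

To run this over a downloaded log, replace $SampleLog with `Get-Content` of the files under RawLogs and raise the threshold to suit your traffic volume.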

Monitoring Sites in the Portal

The Azure portal also includes a MONITOR tab for every website. You can use this to view performance
counters that describe how your website uses resources such as CPU time and network traffic. By default
the counters include:

CPU Time

Data In

Data Out

HTTP Server Errors

Requests

Other metrics that you can add to the graph include:

Average Memory Working Set

Average Response Time

Various HTTP error type counts

HTTP Successes

By adding these counters and displaying them in the graph, you can examine how demand and website
response has varied over the hour, 24 hours, or seven days.

You can also set alerts that can trigger an email when a counter exceeds a threshold. Typically, you would use alerts to automatically notify your team of administrators when there is a demand spike or some other performance issue. To add an alert, follow these steps:

1. In the Azure full portal, in the navigation on the left, click WEBSITES and then click the website you want to monitor.

2. Click the MONITOR tab.

3. Select the metric you would like to add an alert to.

4. In the toolbar at the bottom, click ADD RULE.

5. In the NAME text box, type a descriptive name and then click Next.

6. In the CONDITION drop-down list, select a condition, such as greater than.

7. In the THRESHOLD text box, type the value that should trigger the alert.

8. In the ALERT EVALUATION WINDOW drop-down list, select the time period over which the value should exceed the threshold.

9. Select Send an email to the service administrator and co-administrators, and then click Complete.

Using Kudu

Project Kudu is an open-source component of Azure Websites that implements Azure's support for continuous deployment from Git and Mercurial source code control systems. It also includes the code that supports WebJobs. Kudu includes a user interface that publishes diagnostic information and can help you obtain troubleshooting and performance information.

Accessing the Kudu User Interface

Every Azure Website includes a hidden Kudu site. To access this, add the scm sub-domain to the azurewebsites.net fully-qualified domain name for your site. For example, if your site is found at:
http://mywebsite.azurewebsites.net
You can access the corresponding Kudu user interface at:
https://mywebsite.scm.azurewebsites.net


To access the information in Kudu, you must authenticate with your Azure administrator account, and the connection is encrypted by using SSL. The default page displays information about the IIS environment the website is hosted on. You can also run commands, either at a Windows command prompt or in PowerShell, by using the links in the Debug Console menu.
The Process Explorer tab shows a list of all the processes within the Azure website and includes
information such as their memory usage and uptime. For each process you can find out what DLLs it has
loaded and the threads it runs, as well as the environment variables that are in place.
Other links in Kudu enable you to view diagnostic log files and add NuGet extensions to the website.

Lesson 5

Traffic Manager


If you are running a large global website, you may want to scale the website out to multiple data centers.
This helps to provide a rapid response to user requests from a web server close to their physical location.
Alternatively, you may want to increase availability for your website by providing failover websites that
take over in case the primary website has a problem. You can set up these scenarios by using Traffic
Manager. In this lesson, you will learn how to configure and use Traffic Manager to support highly
responsive and available websites.

Lesson Objectives
At the end of this lesson, you will be able to:

Describe how Traffic Manager distributes requests to multiple websites.

Configure DNS prefixes and endpoints for Traffic Manager.

Describe best practices for a Traffic Manager configuration.

Distribute web requests to Azure websites by using Traffic Manager.

Overview of Traffic Manager

When you create a website in Azure, you must choose an Azure data center where the site will be physically located. If you have chosen a basic or standard tier website, you can create multiple instances of your website to increase capacity and resilience to failure. These instances will be in the same Azure data center and have requests automatically distributed by the Azure load balancer.

However, you may also wish to distribute load across websites located in different Azure data centers. You can do this distribution by using Traffic Manager.

How Traffic Manager Works

A client resolves a fully qualified domain name (FQDN) to an IP address, through Traffic Manager, in the following way:

1. The user requests an FQDN, for example by typing it into a browser address bar or by clicking on a link. In this example, the user requests www.adatum.com.

2. In the Domain Name System (DNS), the requested FQDN is forwarded to a traffic manager URL, by using a CNAME record. Administrators must configure such a record in DNS in order to use Traffic Manager with their own domains. The traffic manager URL must be within the trafficmanager.net domain.

3. Traffic Manager has been monitoring the endpoints configured for the requested traffic manager URL. It returns the IP address of one endpoint. The endpoint chosen depends on the configured load balancing method.

4. The client receives the IP address and makes a connection to the website endpoint.

Note: Traffic Manager can be used to distribute load across Azure Websites, PaaS Cloud
Services, IaaS Cloud Service, or external endpoints. Therefore, do not consider Traffic Manager to
be useful only for web services: in fact it is a general Azure service that you can use to increase
performance and availability for many endpoints within and outside of Azure.

Configuring Traffic Manager

Before you can use Traffic Manager to distribute load to two or more Azure websites, you must create those websites in different locations and deploy identical website content to all the sites. Both content and configuration should be identical on every website you use in a Traffic Manager set. Having completed the deployment, complete the following tasks to configure Traffic Manager:

1. Add a CNAME record to DNS. The CNAME record should be registered in the public-facing DNS system within your usual company domain name. The CNAME record should forward users to the trafficmanager.net domain.

2. Create a Traffic Manager profile. The profile will store all the subsequent settings.

3. Configure a DNS Prefix. Choose a unique prefix within the trafficmanager.net domain. You must ensure the CNAME record forwards users to this fully-qualified domain name.

4. Choose a Load Balancing Method. You can choose from:

   Failover. All traffic is forwarded to the first endpoint unless that endpoint is offline.

   Round Robin. Traffic is distributed equally between all endpoints.

   Performance. Each request is forwarded to the nearest endpoint to the client. This increases performance because, with endpoints located around the world, the website can be served from a location close to the user.

5. Add Endpoints to the Traffic Manager Profile. Each endpoint is an Azure website in a different physical location.

6. Configure Monitoring. Traffic Manager polls each endpoint in the profile to confirm that it is online. You can use TCP or HTTP for this monitoring. If you use HTTP, you can specify a page that the Traffic Manager will request each time. You must ensure this page exists for each endpoint in the Traffic Manager profile.

Traffic Manager Best Practices

Follow these best practices to ensure the best resilience from Traffic Manager:

Best Practice:

Use a unique Traffic Manager prefix. All Traffic Manager profiles must have a fully qualified domain name within the trafficmanager.net DNS domain. Ensure you choose a unique prefix that is not already in use. The portal indicates clearly when your chosen prefix is not unique.

Take care when changing the DNS TTL value. This value determines how often the web browser's local caching name server will query Traffic Manager for the IP address of the endpoint. When you change any endpoints in a profile, it may take up to this time for changes to reach all clients.

Endpoints should all be in the same subscription. You can add endpoints to the Traffic Manager profile in a different subscription, such as a partner organization's subscription. You can also add endpoints that are external to Azure. However, Traffic Manager will not automatically remove external endpoints from the profile if they are deleted. You must delete them manually.

Only production endpoints can be used. You cannot add staging slots to a Traffic Manager profile.

Name endpoints clearly. Traffic Manager profiles can include many endpoints; administrators may confuse them if you do not ensure the endpoint names are systematic and include the endpoint's location.

Make endpoints consistent. If the content and configuration of all the endpoints in the Traffic Manager profile are not identical, the response sent to users may be unpredictable.

Disable endpoints for website maintenance. Website maintenance operations, such as update deployment, can be achieved without interruptions in service because other endpoints can take over. To enable this, disable the endpoint you want to maintain before beginning your administrative actions. All traffic will be forwarded to another endpoint until you have finished and re-enabled the endpoint.
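The last two best practices (disabling an endpoint for maintenance, and allowing for the DNS TTL) can be scripted. The following added example, which is not from the course, wraps Set-AzureTrafficManagerEndpoint so that an endpoint is never disabled when it is the only enabled one, reads the profile back to confirm the change, and waits out the TTL before maintenance starts. It assumes the Azure Service Management cmdlets used in this lesson (Add-AzureAccount already run), placeholder profile and endpoint names, and the Endpoints and TimeToLiveInSeconds properties as displayed by Get-AzureTrafficManagerProfile on that module version.

```powershell
# Added example (not part of the course). Assumes Add-AzureAccount has been run;
# profile and endpoint names are placeholders.
function Set-TrafficManagerEndpointState {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [Parameter(Mandatory)][string]$EndpointDomain,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$Status
    )
    $profile = Get-AzureTrafficManagerProfile -Name $ProfileName
    $target  = $profile.Endpoints | Where-Object { $_.DomainName -eq $EndpointDomain }
    if (-not $target) { throw "Endpoint $EndpointDomain is not in profile $ProfileName" }

    # Refuse to disable the last enabled endpoint: Traffic Manager would then
    # have nowhere to send clients, which is the outage maintenance is meant to avoid.
    if ($Status -eq 'Disabled') {
        $others = @($profile.Endpoints |
            Where-Object { $_.DomainName -ne $EndpointDomain -and $_.Status -eq 'Enabled' })
        if ($others.Count -eq 0) {
            throw "Refusing to disable the only enabled endpoint in $ProfileName"
        }
    }

    # Changes made with Set-AzureTrafficManagerEndpoint are only saved when the
    # updated profile is piped to Set-AzureTrafficManagerProfile.
    Set-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile `
        -DomainName $EndpointDomain -Status $Status |
        Set-AzureTrafficManagerProfile | Out-Null

    # Read the profile back rather than assuming the update applied. Clients
    # keep the previous DNS answer for up to the TTL, so return it to the caller.
    $profile = Get-AzureTrafficManagerProfile -Name $ProfileName
    $updated = $profile.Endpoints | Where-Object { $_.DomainName -eq $EndpointDomain }
    [pscustomobject]@{
        Profile    = $ProfileName
        Endpoint   = $EndpointDomain
        Status     = $updated.Status
        TtlSeconds = $profile.TimeToLiveInSeconds
    }
}

# Maintenance window for one endpoint: drain it, wait out the TTL, deploy, re-enable.
$state = Set-TrafficManagerEndpointState -ProfileName 'AdatumWebsites' `
    -EndpointDomain 'adatumeu.azurewebsites.net' -Status Disabled
$state
Start-Sleep -Seconds $state.TtlSeconds   # let cached DNS answers expire before touching the site
# ... deploy the update to adatumeu.azurewebsites.net here ...
Set-TrafficManagerEndpointState -ProfileName 'AdatumWebsites' `
    -EndpointDomain 'adatumeu.azurewebsites.net' -Status Enabled
```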

Demonstration: Configuring Traffic Manager

In this demonstration, you will see how to:

Use PowerShell to test whether a given traffic manager profile URL is available.

Create a new traffic manager profile, by using PowerShell.

Add an endpoint to a traffic manager profile, by using the portal.

Demonstration Steps

1. In the Microsoft Azure PowerShell, type the following command and then press Enter:

   Test-AzureTrafficManagerDomainName -DomainName yourname.trafficmanager.net

   If the command returns true, you can use this domain for this demonstration. If the command returns false, try other domain names within trafficmanager.net.

2. Type the following command and then press Enter:

   New-AzureTrafficManagerProfile -Name DemoProfile -DomainName "yourname.trafficmanager.net" -LoadBalancingMethod Performance -MonitorPort 80 -MonitorProtocol Http -MonitorRelativePath "/" -Ttl 60

   Azure configures and returns the new traffic manager profile.

3. In Internet Explorer, in the navigation on the left, click Traffic Manager.

4. Click the traffic manager profile you created in step 5. If the profile is not visible, refresh the page.

5. Click ENDPOINTS.

6. Click ADD ENDPOINTS.

7. In the SERVICE TYPE drop-down list, click Web Site.

8. In the list of websites, select the website you created in Lesson 2, demo 1.

9. Click the Complete icon.

Note: It may take several minutes for the new endpoint to be checked and to be listed as Online.
Reset the Environment

1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take 2-3 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups.

Traffic Manager Advanced Features

Traffic Manager has some advanced features that can only be enabled and configured from PowerShell at the time of writing. These advanced features broaden the reach of Traffic Manager and enable greater load balancing flexibility.

External Endpoints

You can add an endpoint to a Traffic Manager profile, even if that endpoint is external to Azure. For example, consider the scenario in which A. Datum has a website running at an ISP. You want to move this website into Azure but, because the website is mission critical, you want to perform the move in stages. You will add instances of the website in Azure but want the ISP-hosted website to continue responding to requests. If the Azure instances fail, you want all web requests to be forwarded to the ISP-hosted instance. You can build this configuration by adding the ISP-hosted website as an external endpoint to the Traffic Manager profile, which also includes the Azure websites as endpoints.

To configure an external endpoint, use the Add-AzureTrafficManagerEndpoint cmdlet and specify the value Any for the -Type parameter. If you are adding the external endpoint to a Traffic Manager profile that uses Performance load balancing, then you must also specify an Azure region by using the -Location parameter.

In this example, the command adds an external endpoint to a Performance-based Traffic Manager profile.
Adding an External Endpoint
$profile = Get-AzureTrafficManagerProfile -Name "AdatumMainWebsite"
Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile -DomainName "www.adatum.com" -Status "Enabled" -Type "Any" -Location "North Europe" | Set-AzureTrafficManagerProfile

Weighted Round Robin Load Balancing

If you choose round robin load balancing for your Traffic Manager profile, Traffic Manager distributes
load approximately equally between endpoints. If there are three endpoints in the profile, one third of
Traffic Manager responses will forward requests to the first endpoint. An equal proportion of responses
will forward requests to the second and third endpoints.
Note: Sometimes caching and other issues can distort the distribution of traffic. For
example, if a proxy server with a large number of clients caches a Traffic Manager response, all
the clients that use that proxy server will connect to the same endpoint while that response
remains in the cache. However, with a large number of clients from across the Internet, such
distortions tend to average out and the distribution of traffic becomes approximately equal.

Sometimes, however, you would prefer an unequal distribution of traffic. For example, if one endpoint is a
website in the standard tier, it can be scaled more easily than a website in the basic tier. For such
situations, you can bias the distribution of load, by specifying a weight for each endpoint. Endpoints with
larger weights receive more traffic.
Weights can be specified between 1 and 1000. All endpoints have a default weight of 1.

The following command adds a new endpoint with a specific weight to a Traffic Manager profile:
Adding a Weighted Endpoint
$profile = Get-AzureTrafficManagerProfile -Name "AdatumWebsite"
Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile -DomainName "adatumus.azurewebsites.net" -Status "Enabled" -Type "Website" -Weight 70 | Set-AzureTrafficManagerProfile

Nested Profiles
In most cases a Traffic Manager endpoint is either a website, a PaaS cloud service, or a VM in an IaaS
cloud service. However, you can also specify a Traffic Manager profile as an endpoint. This creates a
nested profile, in which a parent profile contains one or more child profiles.


You can use this technique to increase the flexibility of load balancing. For example, you could set up a
parent profile that uses Performance load balancing to distribute load over several endpoints around the
world. Client requests would be sent to the endpoint closest to the user. Within one of those endpoints,
you could use round robin load balancing in a child profile to distribute load equally between two websites.
To set up nested profiles, create the parent and child profiles separately and configure their endpoints.
Then add the child profile as an endpoint to the parent profile, specifying the parameter Type =
TrafficManager. This operation can only be done in PowerShell.
The following command adds a Traffic Manager profile as a child endpoint to a parent Traffic Manager
profile:
Nesting Traffic Manager Profiles
$parent = Get-AzureTrafficManagerProfile -Name "AdatumWebsites"
$child = Get-AzureTrafficManagerProfile -Name "EuropeRoundRobinWebsites"
$parent = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $parent -DomainName "euroundrobin.trafficmanager.net" -Status "Enabled" -Type "TrafficManager" -Location "North Europe"
Set-AzureTrafficManagerProfile -TrafficManagerProfile $parent

Lab: Implementing Websites


Scenario


The A. Datum public-facing website currently runs on an IIS web server at the company's chosen ISP. You
want to migrate this website into Azure and you have been asked to test Azure Websites functionality by
setting up a test A. Datum website. The website is maintained and developed by an internal team who
have provided a test website to deploy. You want to ensure they can continue to stage changes to the
website before those changes are deployed to the public-facing site. Since A. Datum is a global company,
you also want to test Traffic Manager and show business decision makers how it can distribute traffic to
instances close to the website visitors.

Objectives
After completing this lab, you will be able to:

Create a new Azure website and configure deployment slots and credentials.

Deploy a web application to Azure by using a publishing profile.

Use deployment slots to stage and deploy sites.

Configure Traffic Manager to load balance websites.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Creating Websites


Scenario

You have been asked to set up an A. Datum test website in Azure. As the first step in the setup process,
you want to create a new Azure website. Later in this lab, you will deploy the test web application to this
site.
The main tasks for this exercise are as follows:
1. Create a Website
2. Add a Deployment Slot
3. Configure Deployment Credentials

Task 1: Create a Website


1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. In Internet Explorer, browse to http://azure.microsoft.com and sign into the portal using the
   Microsoft account that is associated with your Azure subscription. Then switch to the new portal.
3. Create a new website. Use the following information:
   o URL: any unique valid server name
   o Web Hosting Plan Name: WebsiteStandardPlan
   o Web Hosting Plan: S1 Standard
   o Location: a location near you

Task 2: Add a Deployment Slot


1. Add a new deployment slot to the website you created in Task 1. Use the following information:
   o Name: Staging
   o Configuration Source: choose the website you created in Task 1
2. Use the PowerShell Get-AzureWebsite cmdlet to check the website and staging slot you have created.

Task 3: Configure Deployment Credentials


1. Set the following deployment credentials for the website you created in Task 1:
   o FTP/Deployment User Name: ftpadminXXXX where XXXX is a unique number
   o Password: Pa$$w0rd

Results: After you have completed this lab, you will have created a new website in the Azure portal and
configured the new website with deployment slots and deployment credentials.

Exercise 2: Deploying a Website


Scenario

Now that you have created a website and deployment slot for the A. Datum test website, you can publish
the web application supplied to you by the A. Datum web development team. In this Exercise, you will use
a publishing profile in Visual Studio 2013 to connect to the new website and deploy the web content.
The main tasks for this exercise are as follows:
1. Obtain a Publishing Profile
2. Deploy a Website

Task 1: Obtain a Publishing Profile


1. Switch to the full Azure portal and then download and save a publish profile for the website you
   created in Exercise 1.
2. Open the following web application project in Visual Studio Express 2013:
   o D:\LabFiles\Lab05\Starter\AdatumWebsite\AdatumWebsite.sln
3. Start the web application and examine the contents. Then close Internet Explorer.

Note: When you start the web application in Visual Studio, the website runs in IIS Express
on your local workstation.

Task 2: Deploy a Website


1. In Visual Studio, start the Publish wizard for the AdatumWebsite project and then import the
   .PublishSettings file you downloaded in Task 1.
2. Verify that the publish settings file includes correct connection information.
3. Ensure that the Release configuration is used for the published website.
4. Preview the file changes and then Publish the new website to Azure.

Note: The Publish operation may take 2 to 3 minutes. When the operation is complete,
Internet Explorer opens and displays the new website hosted in Azure.


Results: After you have completed this lab, you will have a deployed website hosted in Windows Azure
that you can visit with any common web browser.

Exercise 3: Managing Websites


Scenario

The web deployment team have created an updated style sheet for the A. Datum test website. You want
to demonstrate to decision makers how changes such as this can be deployed to a staging slot and tested,
before deployment to the production A. Datum website. In this exercise, you will upload the new website
to the staging slot you created in Exercise 1. You will then move the new site into the production slot.
The main tasks for this exercise are as follows:
1. Deploy a Website for Staging
2. Swap Deployment Slots
3. Rollback a Deployment

Task 1: Deploy a Website for Staging


1. In the Azure full portal, download a publish profile for the Staging slot for your website.
2. Open the following project in Visual Studio:
   o D:\LabFiles\Lab05\Starter\NewAdatumWebsite\AdatumWebsite.sln
3. Publish the new website and import the staging publish settings file you just downloaded.
4. Validate the connection and choose the Release configuration.
5. Publish the new website to the Staging slot.
6. Close Internet Explorer and Visual Studio.

Task 2: Swap Deployment Slots


1. In Internet Explorer, access the properties of the website you created in Exercise 1.
2. Browse the website. Notice that the color scheme is the old one, because the new color scheme is still
   in the staging slot. Close the A. Datum website.
3. Swap the staging and production website slots.
4. When the swap is complete, browse the website. Notice that the color scheme is the new one.

Task 3: Rollback a Deployment


1. In the Azure portal, swap the staging and production slots again.

Note: By swapping the slots a second time, you simulate a deployment rollback.

2. When the swap is complete, browse the website. Notice that the color scheme has reverted to the old
   one.

Results: An updated website staged and published in Azure websites.

Exercise 4: Implementing Traffic Manager


Scenario
Since A. Datum is a global brand, you want to ensure that the A. Datum website responds rapidly to
requests from multiple locations around the world. You have been asked to evaluate the Azure Traffic
Manager to see if it can ensure web content is served from a location close to users. You want to set up
Traffic Manager to serve content from two different Azure regions.
The main tasks for this exercise are as follows:
1. Deploy a Website to Another Region
2. Create a Traffic Manager Profile
3. Add Endpoints and Configure Traffic Manager
4. Test Traffic Manager
5. Reset the Environment

Task 1: Deploy a Website to Another Region


1. In Windows Azure PowerShell, get a list of all the websites in your Azure subscription. Note the name
   of your original website.
2. Get a list of the Azure locations and choose a location that is not the location you chose in Exercise 1.
3. Create a new website. Use the following information:
   o Name: Use the name of your original website with the number 2 appended.
   o Location: Use the location you chose in step 2.
4. In the Azure full portal, download a publish profile for the website you just created (WebsiteName2).
5. Open the following project in Visual Studio:
   o D:\LabFiles\Lab05\Starter\AdatumWebsite\AdatumWebsite.sln
6. Start the Publish Web wizard and import the publish settings file you just downloaded.

Note: Be sure to add a new publish settings file on the Profile tab, so that the content can
be published to the new website.

7. Validate the connection and choose the Release configuration.
8. Publish the website. Close Internet Explorer and Visual Studio.
9. In the Windows Azure full portal, configure the new website in the Standard tier.

Task 2: Create a Traffic Manager Profile


1. Use the Test-AzureTrafficManagerDomainName cmdlet in Windows Azure PowerShell to determine
   an available domain name to use in this Exercise.
2. In the full Azure portal, create a new Traffic Manager profile. Use the following information:
   o DNS Prefix: Use the domain name you chose in step 1
   o Load Balancing Method: Performance

Task 3: Add Endpoints and Configure Traffic Manager

1. Add the websites you created in Exercise 1 and Exercise 4 as endpoints in the Traffic Manager profile.
2. Configure the DNS time to live value to be 30 seconds.
Task 4: Test Traffic Manager


1. Browse the traffic manager URL you created in Task 2.
2. Use the nslookup command to resolve the DNS NAME for your traffic manager profile.

Note: In the DNS aliases, traffic manager returns the website you created in Exercise 1,
which is closest to your physical location.

3. In the Azure portal, disable the traffic manager endpoint that is the website you created in Exercise 1.
4. Use the nslookup command to resolve the DNS NAME for your traffic manager profile. The results
   should differ from those in step 3.

Note: If the aliases have not changed, reissue the nslookup commands until there is a
change.
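The same profile can be built and tested entirely from Windows Azure PowerShell, which is useful when you want the configuration to be repeatable rather than clicked through the portal. The script below is an added example and is not part of the course lab; it uses the classic Azure module cmdlets covered in this module (Test-AzureTrafficManagerDomainName, New-AzureTrafficManagerProfile, Add-AzureTrafficManagerEndpoint, Set-AzureTrafficManagerEndpoint, Set-AzureTrafficManagerProfile) plus Resolve-DnsName from the Windows DnsClient module in place of nslookup. The profile name, DNS prefix and the two website names are assumptions; substitute the names you chose in Exercise 1 and Task 1.

```powershell
# Added example (not from the course): Exercise 4, Tasks 2 to 4, as a script.
# Assumed names; replace with the ones you used in the lab.
$dnsPrefix = "adatumtest"     # profile will answer at $dnsPrefix.trafficmanager.net
$site1     = "adatumweb"      # website created in Exercise 1
$site2     = "adatumweb2"     # website created in Exercise 4, Task 1

# Task 2, step 1: confirm the trafficmanager.net name is still free before creating anything.
$available = Test-AzureTrafficManagerDomainName -DomainName "$dnsPrefix.trafficmanager.net"
if (-not $available) { throw "$dnsPrefix.trafficmanager.net is already taken; choose another prefix." }

# Task 2, step 2 and Task 3, step 2: Performance load balancing with a 30-second DNS TTL.
# The monitor settings decide when an unhealthy endpoint is taken out of rotation, so point
# them at a path whose response reflects real application health, not just a static page.
New-AzureTrafficManagerProfile -Name "AdatumTest" `
    -Domain "$dnsPrefix.trafficmanager.net" `
    -LoadBalancingMethod "Performance" `
    -Ttl 30 `
    -MonitorProtocol "Http" -MonitorPort 80 -MonitorRelativePath "/" | Out-Null

# Task 3, step 1: add both websites as endpoints. As in the lesson examples, piping the
# modified profile to Set-AzureTrafficManagerProfile is what commits the change.
$profile = Get-AzureTrafficManagerProfile -Name "AdatumTest"
foreach ($site in @($site1, $site2)) {
    Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile `
        -DomainName "$site.azurewebsites.net" -Type "Website" -Status "Enabled" |
        Set-AzureTrafficManagerProfile | Out-Null
    $profile = Get-AzureTrafficManagerProfile -Name "AdatumTest"
}

# Task 4, step 2: resolve the profile name. Traffic Manager answers with a CNAME to the
# endpoint it selected for this resolver, so NameHost shows which website was chosen.
Resolve-DnsName -Name "$dnsPrefix.trafficmanager.net" -Type CNAME |
    Select-Object Name, NameHost

# Task 4, steps 3 and 4: disable the nearer endpoint and resolve again. With a 30-second
# TTL the answer changes once the cached record expires, so wait at least that long.
Set-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile `
    -DomainName "$site1.azurewebsites.net" -Status "Disabled" |
    Set-AzureTrafficManagerProfile | Out-Null
Start-Sleep -Seconds 30
Resolve-DnsName -Name "$dnsPrefix.trafficmanager.net" -Type CNAME |
    Select-Object Name, NameHost
```

Re-reading the profile with Get-AzureTrafficManagerProfile after each commit avoids carrying a stale in-memory copy into the next Add- or Set- call. The short TTL is what makes the failover visible within the lab's time frame; for a production profile, balance it against the extra DNS query load a low TTL creates.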

Task 5: Reset the Environment


1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:
   Reset-Azure
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, websites, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.

Results: At the end of this exercise, you will have a website set up in two Azure regions and Traffic
Manager will be configured to distribute requests between them.
Question: In Exercise 2, you deployed the A. Datum production website to Azure. In Exercise
3, you deployed a new version of the site to a staging slot. How can you tell, within Internet
Explorer, which is the production site and which is the staging site?
Question: At the end of Exercise 4, you used an FQDN within the trafficmanager.net domain
to access your website. How can you use your own registered domain name to access this
website?

Module Review and Takeaways


In this module, you learned about:

Choosing hosting plans and deployment methods for Azure websites.

How administrators can deploy a completed web application to Windows Azure.

How to configure websites for best performance and use WebJobs.

How to monitor website activity.

How to use Traffic Manager to distribute requests for a website in Azure.

Review Question(s)
Question: What are the advantages of deploying a website to Azure Websites over those of
deploying a website to an Azure VM running IIS?

Module 6
Planning and Implementing Storage
Contents:
Module Overview 6-1
Lesson 1: Planning Storage 6-2
Lesson 2: Implement and Manage Storage 6-11
Lesson 3: Backup and Monitoring Storage 6-20
Lab: Planning and Implementing Storage 6-26
Module Review and Takeaways 6-31

Module Overview

Microsoft Azure Storage Services provide a range of options for storing and accessing data. The
core structures provide storage of content in blob containers, tables and queues, and this is also evolving
with the addition of Azure Files. In addition to storage, Microsoft Azure also provides Recovery Services,
which deliver failover, backup, and restore facilities for sites and data. Storage can be provisioned
through the full portal, and IT Professionals can access storage and manage it using a range of command
line and graphical tools as well as Azure PowerShell. In this module, you will learn about the available
options for data storage and management.

Objectives
After completing this module, you will be able to:

Describe how to plan Azure storage.

Explain how to implement and manage Azure storage.

Describe the options for backing up and managing Azure storage.


Lesson 1

Planning Storage


Microsoft Azure Storage and Recovery Services enable you to hold and protect your business data in a
cloud storage environment. The range of storage types means that it is important for you to understand
not only how to deliver storage services but also how these are best deployed for your business solutions.
As with all Microsoft Azure facilities, storage is a billable commodity, so you need to manage your storage
and recovery options to ensure that you deploy the most business and cost efficient solutions. This lesson
discusses the various data services that are available in Microsoft Azure and describes considerations for
choosing a data storage solution.

Lesson Objectives
After completing this lesson, you will be able to:

Identify data storage options in Azure storage.

Plan backup and recovery with Azure Site Recovery and Backup.

Choose the most appropriate storage for different apps.

Plan storage based on billable storage requests.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select; then creates a virtual network
(ADATUM-HQ-VNET); then creates a Windows server VM; and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.


Demonstration Steps
Sign in to Your Azure Subscription


1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
   the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
   several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to
   http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
   with your Azure subscription. Close any initial "welcome" messages.

At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab
that is opened, close any initial "welcome" messages for the new portal.
Enable Preview Features
1. In Internet Explorer, click the tab for the Full Portal.
2. At the top right of the Azure portal page, click your Microsoft account name and click View my bill.
3. In the new tab that is opened, click preview features.
4. Click try it now for the Windows Azure Files preview feature, and activate it for your subscription.

Note: Preview features are constantly changing. If this feature is unavailable, continue to the next
step.

5. Close Internet Explorer, closing all tabs.

Prepare the Azure Environment


1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:
   Setup-Azure
3. At the prompt, type the module number, and then press Enter.
4. Confirm your selection, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.
6. When prompted, enter the Azure regions to use, and then press Enter.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 15-20 minutes to configure your Microsoft Azure environment, ready for the lab
at the end of this module.
At the end of setup, you should have the following:

A uniquely named storage account.

A virtual network named ADATUM-HQ-VNET (10.0.1.0/24).

An Azure DNS named ADATUM-DNS at 10.0.1.4.

A VM called AdatumSvr1.


Storage as a component of Azure


Azure Storage is used to store files, and virtual
machine disks, together with other types of
information. Azure Storage is used by websites,
mobile apps, desktop applications, and cloud
services, as well as custom solutions.
Azure Storage is part of Azure Data Services,
together with backup and recovery, and this
module covers all these components.

Overview of Azure Storage


Azure Storage is a service that you can use to store files, messages, tables and other types of
information. You can use Azure storage on its own, for example as a file share, but it is often
used by developers as a store for working data. Such stores can be used by websites, mobile apps,
desktop applications, and many other types of custom solution. Azure storage is also used by IaaS
virtual machines, and PaaS cloud services.

Storage Accounts
In order to use Azure Storage, you begin by
creating a storage account. You can create many
storage accounts within a single Azure subscription. Each storage account can contain up to 500 TB of
data. For each storage account, you must specify:


A URL. This defines the URLs at which the storage account can be accessed by clients. All storage
accounts are within the core.windows.net domain. The full URL depends on the type of storage you
want to use. For example, if you specify the URL mystorageaccount, you can access BLOB storage at
http://mystorageaccount.blob.core.windows.net.

A Location or Affinity Group. This assigns the primary data center where your storage account
maintains data. Choose a location close to the location where you expect most users.

A Replication Option. In order to ensure resilience and availability, Azure automatically replicates
your data to multiple physical servers. You can choose one of four replication schemes:
o Locally Redundant. Your data is replicated synchronously, so that there are three copies within a
  single facility in a single region. Locally Redundant Storage (LRS) protects your data against server
  hardware failures but not against the failure of the facility itself.
o Zone Redundant. Your data is replicated synchronously, so that there are three copies across
  two or three facilities in a single region. Zone Redundant Storage (ZRS) is more redundant than
  LRS but does not protect against failures that affect a whole region. ZRS is only available for BLOB
  storage.


o Geo-Redundant. Your data is replicated asynchronously, with three copies of the data in the
  primary region, and three copies of the data stored in a secondary region. If there is failure at the
  primary region, Azure Storage will failover to the secondary region. Geo-Redundant Storage
  (GRS) is the most resilient of the replication schemes.
o Read-Access Geo-Redundant. As with GRS, your data is replicated asynchronously across two
  regions. However, with read-access GRS, the three copies in the secondary region are enabled for
  read-only access to the data, if the primary region is unavailable.
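The replication scheme is chosen when the account is created and can be confirmed afterwards from the account's properties, which is worth doing before you rely on an account for anything that must survive loss of a region. The script below is an added example, not course material; it uses the classic Azure module cmdlets New-AzureStorageAccount, Get-AzureStorageAccount and Set-AzureStorageAccount. The -Type values correspond to the four schemes above (Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS). The account name and region are assumptions.

```powershell
# Added example (not from the course): create a storage account with an explicit
# replication scheme, then read back what Azure reports for it.
$accountName = "adatumstore01"     # assumed; must be globally unique, 3-24 lowercase letters and digits
$location    = "North Europe"      # assumed; pick the region closest to most of your users
$replication = "Standard_RAGRS"    # one of Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS

New-AzureStorageAccount -StorageAccountName $accountName -Location $location -Type $replication | Out-Null

function Get-ReplicationSummary {
    # Summarise the replication state of one storage account. For GRS and RA-GRS the
    # secondary region and its status are populated; for LRS and ZRS GeoSecondaryLocation
    # is empty, which is the quick way to spot an account that would not survive a
    # regional outage.
    param([Parameter(Mandatory)][string]$Name)

    $acct = Get-AzureStorageAccount -StorageAccountName $Name
    [pscustomobject]@{
        Account         = $acct.StorageAccountName
        AccountType     = $acct.AccountType
        PrimaryRegion   = $acct.GeoPrimaryLocation
        PrimaryStatus   = $acct.StatusOfPrimary
        SecondaryRegion = $acct.GeoSecondaryLocation
        SecondaryStatus = $acct.StatusOfSecondary
        GeoProtected    = -not [string]::IsNullOrEmpty($acct.GeoSecondaryLocation)
        # Endpoints follow the <account>.<service>.core.windows.net pattern described above.
        BlobEndpoint    = ($acct.Endpoints | Where-Object { $_ -like "*.blob.*" })
        TableEndpoint   = ($acct.Endpoints | Where-Object { $_ -like "*.table.*" })
        QueueEndpoint   = ($acct.Endpoints | Where-Object { $_ -like "*.queue.*" })
    }
}

Get-ReplicationSummary -Name $accountName | Format-List

# Report every account in the subscription that has no secondary region, so the
# decision to accept that risk is explicit rather than accidental.
Get-AzureStorageAccount |
    ForEach-Object { Get-ReplicationSummary -Name $_.StorageAccountName } |
    Where-Object { -not $_.GeoProtected } |
    Select-Object Account, AccountType, PrimaryRegion

# The scheme can be changed later without re-creating the account, for example to
# upgrade an LRS account to GRS once it starts holding data you cannot afford to lose.
Set-AzureStorageAccount -StorageAccountName $accountName -Type "Standard_GRS"
```

Running the summary across the whole subscription is the part most worth keeping: it turns the replication choice from something set once in a wizard into something you can audit.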

Storage Types

Each storage account can contain the following types of storage. You can use more than one of these
types in the same storage account:

BLOB Storage. Binary Large Objects (BLOBs) can be any type of file or binary data. This can include
documents, images, videos, backup files, configuration files, and data logs. You can create any
number of containers within a single storage account. Within each container, you can store any
number of blobs up to the 500 TB limit.

Table Storage. You can use tables to store data without specifying a schema as you would in a
database. This schema-less design makes it easy for developers to adapt a table to changing
requirements. Developers can use table storage as the back-end data store for websites, mobile apps,
PaaS cloud services, and other types of solution.

Queue Storage. When developers architect distributed applications, they need a method by which
components of the application can reliably communicate asynchronously. One popular method is to
use a queue: a source component sends a message by placing it into a queue. The destination
component works through the messages in the queue one at a time. You can use Azure Queue
Storage to provide such a message queue with all the redundancy and reliability provided by Azure
Storage.

File Storage. Azure file storage enables you to create an SMB file share. Client computers can browse
this share or map a network drive to the share as they might access a file share on an on-premises
Windows file and print server.

For more information on performance and costs of the different Azure storage options, see:
Best Practices for Performance in Azure Applications
http://go.microsoft.com/fwlink/?LinkID=522638

Overview of Recovery Services


Two other Azure services are designed to store
data: Azure Site Recovery and Azure Backup.
However, unlike Azure Storage, these services are
both designed to protect data by backing up
information in Azure.


Azure Site Recovery


Azure Site Recovery is a service you can use to orchestrate protection for on-premises virtual machines
that run on Hyper-V. The Hyper-V host servers can be part of a System Center Virtual Machine Manager
(VMM) cloud, but this is not a requirement. The Azure Site Recovery Manager replicates the protected
virtual server and ensures that, in the event of a failure, services are smoothly failed over to the replicated
virtual server. The replicated virtual server can be located:

On Premises. In this configuration, the Site Recovery Manager replicates the virtual server to a second
VMM cloud in another physical location from the source.

In Azure. In this configuration, the Site Recovery Manager replicates the virtual server to an Azure
virtual machine.

For more information about Azure Site Recovery, see:


Plan for Azure Site Recovery Deployment
http://go.microsoft.com/fwlink/?LinkID=522639

Azure Backup

The Azure Backup service is designed to enable you to use Azure as a backup medium to replace physical
media such as tapes, hard drives, and DVDs. To use Azure Backup to protect your data, you must:
1. Create a backup vault in Azure. A vault is a virtual location to which data will be backed up. You
   should create the vault in an Azure region close to the physical location of the data.
2. Download the vault credential. The Azure Backup Agent uses the vault credential to authenticate with
   Azure when it starts a backup operation.
3. Download and install the Azure Backup Agent. Choose the correct backup agent for your backup
   tool. There are separate downloads for System Center Data Protection Manager and for Windows
   Server Essentials.
4. Use Windows Server Backup to configure and schedule backups. Once the agent is installed and
   configured, Azure appears as a data destination within the Windows Server Backup MMC snap-in,
   and there is a separate Azure Backup management console available on the Start menu. You can also
   use PowerShell to configure and initiate backup operations.
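Steps 2 and 4 above, done from PowerShell on the protected server, look like the script below. This is an added example, not course material; it uses the MSOnlineBackup module that the Azure Backup Agent installs (Start-OBRegistration, New-OBPolicy, New-OBSchedule, Set-OBSchedule, New-OBRetentionPolicy, Set-OBRetentionPolicy, New-OBFileSpec, Add-OBFileSpec, Set-OBPolicy, Set-OBMachineSetting, Start-OBBackup). The vault credential path, the folders to protect, the schedule and the retention period are assumptions.

```powershell
# Added example (not from the course): register a server with a backup vault and
# configure a scheduled backup with the Azure Backup Agent's PowerShell module.
Import-Module MSOnlineBackup

# Step 2: register this server using the vault credential downloaded from the portal.
# The credential file is short-lived and grants access to the vault, so delete it
# from the server once registration succeeds.
$vaultCredential = "C:\Backup\AdatumVault.VaultCredentials"   # assumed path
Start-OBRegistration -VaultCredentials $vaultCredential -Confirm:$false
Remove-Item -Path $vaultCredential -Force

# The agent encrypts data before it leaves the server with a passphrase that Azure never
# sees. Record it somewhere independent of this server: without it nothing can be restored.
$passphrase = Read-Host -Prompt "Backup encryption passphrase (16+ characters)" -AsSecureString
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Step 4: a policy is what + when + how long. Build it up, then make it the active policy.
$policy = New-OBPolicy

# What: the folders to protect (assumed paths).
$include = New-OBFileSpec -FileSpec @("D:\Data", "D:\Configs")
Add-OBFileSpec -Policy $policy -FileSpec $include

# When: three evenings a week at 22:00 local time.
$schedule = New-OBSchedule -DaysOfWeek "Monday", "Wednesday", "Friday" -TimesOfDay "22:00"
Set-OBSchedule -Policy $policy -Schedule $schedule

# How long: keep each recovery point for 30 days.
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention

Set-OBPolicy -Policy $policy -Confirm:$false

# Confirm what was saved, then run an initial backup outside the schedule so the
# first (largest) transfer happens while someone is watching it.
Get-OBPolicy | Get-OBSchedule
Get-OBPolicy | Start-OBBackup
```

The two pieces that matter for recoverability are the ones easiest to lose: the vault credential (replaceable from the portal) and the encryption passphrase (not replaceable). Treat the passphrase as you would a private key.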

For more information about Azure Backup, see:


Backup
http://go.microsoft.com/fwlink/?LinkID=522640


Choosing Storage for Apps


If you are using Azure Storage to store
information for a custom solution, such as a
mobile app or website, the project architects must
select the storage type for each functional
requirement. To help with this decision, you must
understand the limits and features of each storage
type.

Blob Storage

The Azure Blob storage service is designed to store large amounts of unstructured data in the form of
files. Each blob can be hundreds of gigabytes in size, and all blob data is accessible using a URL.
For example, a blob named myblob.jpg in a container named mycontainer in a storage account
named myaccount can be downloaded (subject to access control restrictions) from the following URL:
http://myaccount.blob.core.windows.net/mycontainer/myblob.jpg
Each blob must be one of two types:

Block blobs. Block blobs are designed to enable developers to upload large files efficiently. Data is
uploaded in the form of data blocks, each of which is up to 4 MB in size. Block blobs can be up to 200
GB in size.

Page blobs. Page blobs are designed for random read and write operations. Blobs are accessed as
pages, each of which is up to 512 bytes in size. When you create a page blob, you specify the
maximum size to which it may grow up to a limit of 1 TB.

Table Storage

The Azure Table storage service can be used to store structured data in tables without the constraints of
traditional relational databases. Within each storage account you can create multiple tables. Each table
can contain multiple entities. Because table storage does not mandate a schema, the entities within a
single table need not have precisely the same set of properties. For example, one Product entity may have
a Size property, while another Product entity in the same table may have no Size property at all. Each
property consists of a name and a value. For example, the Size property may have the value 50 cm for a
particular product.
Tables can be accessed through a URL; for example, to access a table named mytable in a storage
account named myaccount, applications use the following URL:
http://myaccount.table.core.windows.net/mytable

The number of tables in a storage account is unlimited. The number of entities in a table is unlimited.
Each entity can be up to 1 MB in size and possess up to 252 custom properties. Every entity also has a
partition key, a row key, and a timestamp property. It is important to choose the two key values (partition
key and row key) carefully, because it is much more efficient to search on these keys than on other values
(this is because only the key values are indexed). The partition key partitions the data, and should be used
to group similar data.


Queue Storage


The Azure Queue storage service can store long queues of messages for asynchronous processing.
Developers can use a queue to ensure reliable messaging between the components of a distributed
system. The separate components add messages to the queue and remove messages from the queue by
issuing commands over the HTTP or HTTPS protocols.
Queues can be accessed through a URL; for example, to access a queue named myqueue in a storage
account named myaccount, applications use the following URL:
http://myaccount.queue.core.windows.net/myqueue

You can create any number of queues in a storage account and any number of messages in each queue
up to the 200 TB limit for all data in the storage account. Each message can be up to 64 KB in size.

File Storage

The Azure File Storage service enables you to create Server Message Block (SMB) file shares in Azure just
as you would on an on-premises file and print server. Within each file share, you can create multiple levels
of directories to categorize content. Each directory can contain multiple files and multiple directories.
Files can be up to 1 TB in size.

Protecting Azure Storage


Security is of vital importance in any cloud solution. Poor security can mean that malicious or
unauthorized users can access and edit sensitive data from anywhere in the world. Azure Storage
authenticates connections from applications by using either access keys or shared access signatures. In
this topic, you will see how to manage these authentication credentials.

Access Keys

Azure automatically generates a primary and secondary access key for each storage account, which can
be used to authenticate requests for storage and enable client applications and management tools to
connect. You can copy these keys to the clipboard from the Azure portal, or retrieve them in PowerShell by
using the Get-AzureStorageKey cmdlet.


Use the following command to obtain the storage keys for a storage account named myaccount in your
Azure subscription:
Obtaining Storage Keys
Get-AzureStorageKey -StorageAccountName myaccount

Two storage keys are always in use for every storage account. This enables you to regenerate each key
from time to time without interrupting service to users. For example, if you regenerate the primary key,
apps can use the secondary key for authentication until you reconfigure them with the new primary key.
You can regenerate access keys in the Azure portal or by using the New-AzureStorageKey PowerShell
cmdlet.
Use the following command to regenerate a primary key:
Regenerating Keys
New-AzureStorageKey -KeyType Primary -StorageAccountName myaccount

Shared Access Signatures

The automatically generated primary and secondary access keys provide full administrative access to
storage, which creates a potential security risk. For this reason, Azure Storage also supports Shared Access
Signature (SAS) authentication, in which access to a specific container, blob, table, or queue is granted for
a limited time period based on a token. Two kinds of credential are therefore involved: the Storage
Account Key (SAK), which is the primary or secondary secret key, and the Shared Access Signature (SAS).
Role instances, VMs, and applications that access storage using the SAK get full control over their
associated data. Scoped access to Azure Storage data, such as time-limited access, is controlled through
the SAS token. The SAK and SAS are plain-text keys, but within an application, developers can secure these
keys by encrypting the connection string using PKCS-7 within the application's configuration file.
A SAS is created from a query template (URL) that is signed with the SAK. That signed URL can be given to
another process (delegated), which can then fill in the details of the query and make the request of the
storage service. A SAS enables you to grant time-based access to clients without revealing the storage
account's secret key. SAS tokens are usually generated by applications using the Azure API, but you can
also generate them using PowerShell. For example, the New-AzureStorageContainerSASToken cmdlet
generates a SAS token for a blob container.
For more information about using Shared Access Signature, see:
Shared Access Signatures, Part 1: Understanding the SAS Model
http://go.microsoft.com/fwlink/?LinkID=511741
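As an added illustration (not code from the course or from Microsoft), the following Python builds and checks a container SAS token the way the text describes: the query parameters are signed with the storage account key using HMAC-SHA256, and the service recomputes the signature with either of its two current account keys, which is why regenerating the key that signed a token invalidates that token. It assumes the 2012-02-12 string-to-sign layout and uses constructed account keys with the account and container names from the text.

```python
"""Added example, not from the course: build and verify an Azure service SAS
for a blob container.  Assumes the 2012-02-12 string-to-sign layout; the
account keys below are constructed, not real Azure keys."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

SAS_VERSION = "2012-02-12"   # assumption: SAS layout of this service version
ACCOUNT = "myaccount"        # names used in the course text
CONTAINER = "mycontainer"

# Constructed 64-byte keys, base64-encoded the way the portal shows them.
PRIMARY_KEY = base64.b64encode(b"\x01" * 64).decode()
SECONDARY_KEY = base64.b64encode(b"\x02" * 64).decode()
ROTATED_PRIMARY = base64.b64encode(b"\x03" * 64).decode()  # a regenerated primary


def string_to_sign(permissions, start, expiry, account, container, identifier=""):
    """The fields Azure concatenates (newline-separated) before signing a
    container SAS; the canonicalized resource is /<account>/<container>."""
    canonical = f"/{account}/{container}"
    return "\n".join([permissions, start, expiry, canonical, identifier, SAS_VERSION])


def sign(key_b64, text):
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_container_sas(key_b64, permissions, start, expiry,
                       account=ACCOUNT, container=CONTAINER):
    """Return the SAS query string (sv, sr, sp, st, se, sig) for a container.
    start/expiry are ISO-8601 UTC stamps such as 2015-03-01T12:00:00Z."""
    sig = sign(key_b64, string_to_sign(permissions, start, expiry, account, container))
    params = [("sv", SAS_VERSION), ("sr", "c"), ("sp", permissions),
              ("st", start), ("se", expiry), ("sig", sig)]
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def check_container_sas(token, keys, now, wanted, account=ACCOUNT, container=CONTAINER):
    """What the storage service does on each request: parse the token, check
    the validity window and the requested permission, then recompute the
    signature with every current account key (primary and secondary).
    Returns (accepted, reason)."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    for field in ("sv", "sr", "sp", "st", "se", "sig"):
        if field not in q:
            return False, f"missing {field}"
    if q["sv"] != SAS_VERSION or q["sr"] != "c":
        return False, "unsupported version or resource type"
    # Fixed-width UTC stamps compare correctly as strings.
    if not (q["st"] <= now < q["se"]):
        return False, "outside validity window"
    if wanted not in q["sp"]:
        return False, f"permission {wanted!r} not granted"
    expected = string_to_sign(q["sp"], q["st"], q["se"], account, container)
    for key in keys:
        # Constant-time comparison; any edit to sp/st/se changes the expected MAC.
        if hmac.compare_digest(sign(key, expected), q["sig"]):
            return True, "ok"
    return False, "signature mismatch (tampered token or key regenerated)"


if __name__ == "__main__":
    token = make_container_sas(PRIMARY_KEY, "r", "2015-03-01T12:00:00Z", "2015-03-01T13:00:00Z")
    print(token)
    print(check_container_sas(token, [PRIMARY_KEY, SECONDARY_KEY], "2015-03-01T12:30:00Z", "r"))
    # After the primary key is regenerated, a token signed with the old key fails.
    print(check_container_sas(token, [ROTATED_PRIMARY, SECONDARY_KEY], "2015-03-01T12:30:00Z", "r"))
```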

Understanding Billable Requests


Azure Storage costs are calculated based on what you use. Four factors are used to calculate your
charges:

Bandwidth. Inbound data transfers are free. Outbound data transfers are free for the first 5 GB in a
month. Above this level, there is a banded pricing scheme. When services or applications are co-located
with their storage, Azure provides free bandwidth between compute services and storage; each data
transfer is charged only if computation and storage are held in different regions.

Transactions. A transaction is a read or a write operation to or from a storage account.

Capacity. The capacity of a storage account is the amount of data you have stored in it. This is
charged on a per GB basis. In the case of VHDs, for example, this means that, if you create a new 100
GB VHD, but only upload 10 GB of data to the VHD, you will only be billed for the storage space used
by the page blob, regardless of how much space was allocated.

Replication Scheme. Locally Redundant Storage (LRS) storage accounts are cheaper than Zone
Redundant Storage (ZRS) accounts, which are cheaper than Geographically Redundant Storage (GRS)
accounts; Read-Access Geographically Redundant Storage (RA-GRS) accounts are the most expensive.

For the latest information on pricing, see the following URL:
Azure Storage Pricing
http://go.microsoft.com/fwlink/?LinkID=522642

Lesson 2

Implement and Manage Storage


In this lesson, you will see how to implement several of the storage options in Microsoft Azure. You will
also see the tools, utilities, and commands that are available to manage storage accounts and containers
in Microsoft Azure.

Lesson Objectives
After completing this lesson, you will be able to:

Create a storage account.

Choose a storage access tool.

Implement blobs.

Implement tables and queues.

Implement Azure files.

Creating a Storage Account


You can create a Storage Account in the new Azure Preview Portal, the full Azure Management Portal, or
by using the New-AzureStorageAccount PowerShell cmdlet. A Storage Account name must contain 3-24
characters and include only lowercase letters and numerals.
When you create a storage account, Azure generates the following endpoints for access to data storage:
http(s)://account_name.blob.core.windows.net/
http(s)://account_name.table.core.windows.net/
http(s)://account_name.queue.core.windows.net/
Additionally, the Azure Files feature creates an endpoint for file access at
http(s)://account_name.file.core.windows.net/.

You can create a storage account by using the Azure portal or by using PowerShell. To create a storage
account in the Azure Preview Portal, follow these steps:
1. In the Azure Preview Portal, in the toolbar on the left, click NEW and then click Storage.
2. In the STORAGE textbox, type a unique URL within the core.windows.net domain. If the URL you choose is unique and valid, a green smiley appears.
3. Click PRICING TIER and then click GRS, LRS, or RA-GRS and then click Select. ZRS is not available in the Preview Portal.
4. Click LOCATION and then click a location close to the users of the data.
5. Click Create.

In Azure PowerShell, you can create a new storage account by issuing the following command:
Creating a New Storage Account in PowerShell
New-AzureStorageAccount -StorageAccountName mystorageaccount -Label "My Storage Account" -Location "North Central US"

Whichever method you use to create a storage account, you must ensure that the name you use is unique
within the whole of Azure (not just your subscription), and of a length between three and 24 characters.
The name can contain only lower-case letters and numerals. During account creation, Azure creates the
two account access keys and the storage endpoints for all the storage services.

Storage Access Tools


Azure Storage services are designed principally to support custom applications and solutions. Therefore,
most access operations to files and data in storage are completed through programmatic interfaces called
from custom code. These programmatic interfaces include the libraries in the Azure SDK and the
Representational State Transfer (REST) interfaces that developers can call through HTTP and HTTPS
requests.
However, several tools are available that enable administrators and other users to examine storage
account content without writing custom code. These tools include PowerShell cmdlets, AzCopy.exe, and
Storage Explorer.

PowerShell Storage Cmdlets


The following Azure PowerShell cmdlets can be used to explore the content in an Azure storage account:

Get-AzureStorageBlob. Lists the blobs in a specified container and storage account.

Get-AzureStorageBlobContent. Downloads a specified storage blob.

Get-AzureStorageContainer. Lists the containers in a specified storage account.

Get-AzureStorageFile. Lists the files and directories in a specified storage account.

Get-AzureStorageFileContent. Downloads a specified file from Azure file storage.

Get-AzureStorageQueue. Lists the queues in a storage account.

Get-AzureStorageShare. Lists the file shares in a storage account.

Get-AzureStorageTable. Lists the tables in a storage account.

Azure PowerShell enables you to obtain more storage information than is currently available from the
Azure portals, although without the graphical UI.

AzCopy.exe


AzCopy.exe is a command-line tool that is optimized for reading and writing content between local
machines and Azure cloud storage. This is a high-performance tool that you can use to upload, download,
and copy data to and from blob, table, and file storage. For a detailed explanation of AzCopy.exe,
including options and example commands, see the following link:
Getting Started with the AzCopy Command-Line Utility
http://go.microsoft.com/fwlink/?LinkID=522643

Storage Explorer

Storage Explorer is available through CodePlex. It provides a graphical interface for management of blobs,
tables, and queues, though not currently Azure Files. It is a management tool, not a creation tool, for
storage accounts; these must be created in either the new portal or the full portal.
To download Storage Explorer, see:
Azure Storage Explorer
http://go.microsoft.com/fwlink/?LinkID=511744
Azure Storage Explorer 6 is the latest version of Azure Storage Explorer, and is currently available in
preview form. With this utility, you can create and manage:

Containers

Blobs

Tables

Queues

Security

Access Level

Shared Access Signatures (SAS)

Cross-Origin Resource Sharing (CORS for blob containers)

Visual Studio 2013

If you have installed the Azure SDK for .NET in Visual Studio 2013, you can use the Server Explorer tool to
access Azure storage accounts and manage the contents. The Microsoft Web Platform Installer installs
Microsoft Azure SDK for .NET (VS 2013) 2.4.
Unlike the CodePlex Storage Explorer, Server Explorer in Visual Studio 2013 can also create Storage
Accounts, as well as managing storage components within an account.
To review the information for using Server Explorer for Visual Studio 2013, see:
Browsing Storage Resources with Server Explorer
http://go.microsoft.com/fwlink/?LinkID=511745

Implementing Blobs

Blobs are stored in a container within the Azure storage account, and containers can be created
programmatically or in the Azure portal.

Creating Blob Containers


When you create a container, you must give it a name and specify the level of access you want to permit
from the following options:

Private. Default. The container is private and can be accessed only by the account owner.

Public Blob. Allows public read access to the blobs in the container.

Public Container. Allows full public read access to blobs and to the container metadata.

Use the following commands in PowerShell to create a new container. Before you can create the
container, you must obtain a storage context object by passing the storage account primary key.
Creating a Blob Container in PowerShell
$storeKey = Get-AzureStorageKey "mystorageaccount" | %{ $_.Primary }
$storeContext = New-AzureStorageContext -StorageAccountName "mystorageaccount" -StorageAccountKey $storeKey
$container = New-AzureStorageContainer -Name mycontainer -Permission Container -Context $storeContext

Administrators can view, modify, and upload blobs and blob containers using tools such as AzCopy and
Azure Storage Explorer or they can use the following PowerShell cmdlets:

Get-AzureStorageBlobCopyState to get the copy state of a specified storage blob.

Remove-AzureStorageBlob to remove the specified storage blob.

Set-AzureStorageBlobContent to upload a local file to the blob container.

Start-AzureStorageBlobCopy to copy to a blob.

Stop-AzureStorageBlobCopy to stop copying to a blob.

Implementing Tables and Queues


Tables and queues are typically created programmatically by applications, which then read and write
key/value pairs to tables or messages to queues. However, administrators can view and manage tables by
using tools such as Azure Storage Explorer, or by using PowerShell.

For example, you could use the following code to create a table:
Creating a Storage Table in PowerShell
$storageAccount = "mystorageaccount"
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
New-AzureStorageTable -Name "MyTable" -Context $context

To create a new messaging queue, use the following commands:
Creating a Storage Queue in PowerShell
$storageAccount = "mystorageaccount"
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
New-AzureStorageQueue -Name myqueue -Context $context

Implementing Azure Files


The Azure Files service enables you to create file shares in an Azure storage account that can then be
accessed with the SMB 2.1 protocol. Since all Windows computers and many other devices support this
protocol, an SMB file share can be used in a wide variety of situations. It can be particularly helpful when
you migrate an on-premises application to Azure: if that application uses a file share to store
configuration or data files, you can store these files in Azure with no recoding of the application. You can
also use Azure Files to share data between Azure VMs.

Enabling the Azure Files Preview

At the time of writing, Azure Files is in preview. To access this feature, you must request access for your
subscription by following these steps:
1. In a browser, navigate to http://azure.microsoft.com/en-us/services/preview/.
2. Scroll down to locate the Azure Files section.
3. In that section, click Try It.
4. If you are requested to sign in, authenticate with the credentials associated with your Azure subscription.
5. In the Add Preview Feature dialog, click Complete.

Once you have enabled the preview feature, new storage accounts will be automatically created with a
files service endpoint. This endpoint can be found at:
http://<storage account name>.file.core.windows.net/
Existing storage accounts cannot be enabled for file storage.

Creating File Shares


Within a file service enabled storage account, you can create multiple file shares. Within each share, you
can use directories to create a categorized hierarchy of content. Developers can create file shares by
coding against the REST API. Administrators can use PowerShell to create file shares.
Use the following commands to create a file share, create a directory, and upload a file:
Using an Azure File Share
$storageAccount = "mystorageaccount"
$storageKey = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$context = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
# Create the new share
$share = New-AzureStorageShare -Name myshare -Context $context
# Create a directory in the new share
New-AzureStorageDirectory -Share $share -Path mydirectory
# Upload a file into the directory (the file keeps its source name)
Set-AzureStorageFileContent -Share $share -Source C:\upload\instructions.txt -Path mydirectory

Using File Shares


Azure File Shares can be accessed from VMs in the same region by using the NET USE command, tools
such as RoboCopy, or by mapping network drives in File Explorer.
The following command maps drive Z: to the share reports, where the storage account is called
adatum12345 and the storage key is PlsDTS0oEJWWQ8YOiVbL5kvow0/yg==:
Mapping a drive to an Azure File Share
net use z: \\adatum12345.file.core.windows.net\reports /u:adatum12345 PlsDTS0oEJWWQ8YOiVbL5kvow0/yg==

Azure File Shares are accessible from on-premises clients and Azure services in remote regions using REST
API, PowerShell, or AzCopy. AzCopy can copy files between local systems and Azure file shares.
For more information about the Azure Files service, see:
Introducing the Azure File Service
http://go.microsoft.com/fwlink/?LinkID=511746

Demonstration: Implementing Storage


In this demonstration, you will see how to:

Create a storage account.

Use PowerShell to upload blobs.

View blob storage in Visual Studio.

Demonstration Steps
Create a Storage Account


1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the previous demonstration to prepare the environment has completed.
2. Start Internet Explorer and browse to https://portal.azure.com. When prompted, sign in using the credentials for the Microsoft account associated with your Azure subscription.
3. On the menu hub, click NEW, and then click Everything.
4. Close the Everything blade, then under Marketplace, click Storage, cache, + backup.
5. On the Storage, cache, + backup blade, under Storage and Cache, click Storage, and then click Create.
6. In the Storage account blade, apply the following settings and click Create:
   o STORAGE: Enter a valid, unique name
   o PRICING TIER: Standard-GRS
   o RESOURCE GROUP: Click the current resource group, and then click Create a new resource group. Name the new resource group Demo-Storage and click OK
   o SUBSCRIPTION: Your Azure subscription
   o LOCATION: Select the region nearest to you
   o DIAGNOSTICS: Leave as not configured
   o Add to Startboard: Clear
7. In the hub menu, click NOTIFICATIONS and wait for the storage account to be created.
8. In the hub menu, click BROWSE, and then click Storage.
9. In the Storage blade, click the storage account you just created.
10. In the blade for your storage account, click the Containers tile.
11. On the Containers blade, click ADD. Then in the Add a container blade, apply the following settings and click OK:
   o NAME: demo-container
   o Access type: Private

12. If the new container does not appear in the Containers blade within a few seconds, refresh the page
in Internet Explorer.
13. Close the Containers blade.

14. In the blade for your storage account, click KEYS, and on the Manage keys blade view the primary
and secondary access keys that have been generated for your storage account. Note that you can
copy the keys to the clipboard from this blade.
15. Close all open blades, and close Internet Explorer.
Use PowerShell to Upload Blobs
1. In the D:\Demofiles\Mod06 folder, right-click UploadBlobs.ps1 and click Edit to open the file in the Windows PowerShell Integrated Scripting Environment (ISE).
2. In the Windows PowerShell ISE, in the command prompt pane, enter the command Get-AzureAccount and verify that your Microsoft account is displayed.
Note: If your account is not displayed, enter the command Add-AzureAccount and sign in using your Microsoft account.
3. In the script pane, in the $storageAccountName variable declaration at the beginning, replace the value <your_storage_account_name> with the name of the Azure storage account you created in the previous task.
4. Review the script, noting that it performs the following tasks:
   o Declares a variable named $containerName that references the demo-container container you created in the previous task.
   o Finds the folder where the script is stored and declares a variable named $sourceFolder that references the data subfolder.
   o Uses the Get-AzureStorageKey cmdlet to retrieve the access key for your storage account.
   o Uses the New-AzureStorageContext cmdlet to create a storage context that connects to your storage account using the access key.
   o Iterates through the files in the source folder and uses the Set-AzureStorageBlobContent cmdlet to write each file as a blob in the container.
5. Save the script, then on the toolbar, click Run Script.
6. Observe the script as it runs, and view the output, which indicates that the three files in the D:\Demofiles\Mod06\data folder were uploaded to the demo-container container in your storage account.
Note: If you get the message The remote server returned an error: (404) Not Found., the storage account may not have completed provisioning. Wait a few minutes, and then try steps 5 and 6 again.
7. Close the Windows PowerShell ISE without saving any changes.

View Blob Storage in Visual Studio


1. Start Visual Studio.
2. On the TOOLS menu, click Connect to Microsoft Azure Subscription. If you are prompted to sign out, click OK.
3. Sign into Azure using the Microsoft account associated with your Azure subscription.
4. On the VIEW menu, click Server Explorer.
5. In Server Explorer, expand Azure and expand Storage.
6. Under Storage, expand the storage account you created in the first task, and expand Blobs.
7. Under Blobs, right-click demo-container and click View Blob Container.
8. In the demo-container [Container] page, verify that the container contains the files that were uploaded by the PowerShell script in the previous task.
9. Close Visual Studio.

Lesson 3

Backup and Monitoring Storage


Microsoft Azure offers more than just easy-to-configure, scalable storage; it also provides facilities for you
to monitor your storage deployment and backups for sites and data. These are configurable, both
through the full and new portals and through Azure PowerShell cmdlets. In this lesson, you will find out
more about how to monitor and manage storage and provide backup and failover security for your
business sites and data.

Lesson Objectives
After completing this lesson, you will be able to:
Monitor storage.
Implement Azure Backup.

Monitoring and Diagnosing Storage


Monitoring features are built into Azure Storage services so that you can record and analyze the
performance and demands upon your storage accounts.

Enabling Monitoring
Monitoring can be set in both the preview portal and the full portal. Monitoring and diagnostics are
switched off by default, but can be configured after a storage account is created.
Monitoring is configured for the entire storage account, but the level of detail recorded can be set for
blob containers, tables, and queues separately. The following monitoring levels are available:

Off. Turns off monitoring. Existing monitoring data is persisted through the end of the retention
period. This is the default setting for each storage type.

Minimal. Collects basic metrics such as ingress and egress, availability, latency, and success
percentages, which are aggregated for the Blob, Table, and Queue services.

Verbose. In addition to the minimal metrics, verbose monitoring collects the same set of metrics for
each storage operation in the Azure Storage Service API. Verbose metrics enable closer analysis of
issues that occur during application operations but may impact performance.

The administrator can also set a retention policy period from 1 to 365 days for each storage type.
To enable monitoring for a storage account, follow these steps:


1. In the Azure full portal, in the navigation on the left, click Storage.
2. Click the storage account you want to configure.
3. In the Monitoring section, choose Off, Minimal, or Verbose, for each storage type that you use in that storage account.
4. For each storage type, use the Retention textbox to set the data retention period in days.
5. In the toolbar at the bottom, click Save.

Using verbose monitoring for long periods will incur a cost because monitoring data is stored in the
storage account in the following tables:

$MetricsTransactionsBlob

$MetricsTransactionsTable

$MetricsTransactionsQueue

$MetricsCapacityBlob

Managing Analytics

Once you have enabled monitoring for a storage account, data should start to appear in the portal user
interface within about an hour. In the full portal, monitoring statistics are displayed in charts on the
Dashboard and Monitor pages for the storage account. The full set of metrics is only available on the
Monitor page.

A default set of metrics are automatically displayed. To add a new metric to the monitoring chart, follow
these steps:
1. In the full portal, in the navigation on the left, click Storage.
2. Click the storage account you want to monitor and then click the MONITOR tab.
3. In the toolbar at the bottom, click ADD METRICS.
4. Select the counters you want to monitor and then click OK.

You can also configure alerts for the metrics displayed in the monitoring chart. An alert monitors one of
the counters in the chart and sends an email if the counter exceeds a threshold you define. By using alerts,
you can ensure that Azure immediately informs administrators when there is a peak in demand. To add an
alert:
1. In the list of counters below the monitoring chart, select the counter that interests you.
2. In the toolbar at the bottom, click ADD RULE.
3. In the NAME text box, type a descriptive name for the alert and then click NEXT.
4. In the CONDITION drop-down list, select a condition such as greater than or less than.
5. In the THRESHOLD text box, type the value that should trigger the alert.
6. In the ALERT EVALUATION WINDOWS drop-down list, select the time period over which the counter must exceed the threshold to trigger the alert.
7. Under ACTIONS select Send an email to the service administrator and co-administrators.
8. Click Complete.

Enabling Logging


In addition to monitoring, you can also create activity logs for each of the storage types that you use in
your storage account. These are diagnostic logs that record read, write, and delete operations. You can
use these logs to examine storage operations in detail and diagnose poor performance, malicious attacks,
and other problems.
By default, these logs are held in a blob container named $logs in the storage account, at
http://<accountname>.blob.core.windows.net/$logs. This store can be interrogated in Visual Studio.
For more information on logging, see:
Review Collecting Logging Data by Using Azure Diagnostics
http://go.microsoft.com/fwlink/?LinkID=511748
View Diagnostic Data Stored in Azure Storage
http://go.microsoft.com/fwlink/?LinkID=511749
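As an added example (not part of the course and not Microsoft's code), the following Python reads Storage Analytics log lines of the kind written to $logs and pulls out what an administrator diagnosing misuse would look at first: anonymous reads, delete operations, and repeated authorization failures from one address. The log lines are constructed, the field names follow Storage Analytics Log Format 1.0 as an assumption, and the parser handles the double-quoted fields (URL, object key, user agent) that can themselves contain semicolons.

```python
"""Added example, not from the course: triage Azure Storage Analytics log
lines (the $logs container).  Field names follow Log Format 1.0 (assumption);
the sample lines are constructed."""
import csv
import io
from collections import Counter

FIELDS = [
    "version", "start_time", "operation", "status", "http_status",
    "e2e_latency_ms", "server_latency_ms", "auth_type", "requester_account",
    "owner_account", "service", "request_url", "object_key", "request_id",
    "operation_count", "requester_ip", "request_version", "request_header_size",
    "request_packet_size", "response_header_size", "response_packet_size",
    "request_content_length", "request_md5", "server_md5", "etag",
    "last_modified", "conditions_used", "user_agent", "referrer",
    "client_request_id",
]

# Constructed log lines: one normal read, three failed SAS attempts from one
# address, one anonymous read of a public container, and one delete.
SAMPLE_LOG = """\
1.0;2015-03-01T12:00:01.0000000Z;GetBlob;Success;200;12;11;authenticated;adatum12345;adatum12345;blob;"https://adatum12345.blob.core.windows.net/reports/q1.pdf";"/adatum12345/reports/q1.pdf";req-0001;1;10.0.0.5;2014-02-14;300;0;250;8192;0;;;"0x8D1";Sun, 01-Mar-15 11:00:00 GMT;;"WA-Storage/4.3.0 (.NET CLR 4.0.30319; Win32NT 6.3.9600.0)";;
1.0;2015-03-01T12:00:02.0000000Z;GetBlob;SASAuthorizationError;403;3;2;sas;;adatum12345;blob;"https://adatum12345.blob.core.windows.net/reports/q1.pdf?sv=2012-02-12&sr=c&sp=r&sig=REDACTED";"/adatum12345/reports/q1.pdf";req-0002;0;203.0.113.7;2014-02-14;280;0;200;0;0;;;;;;"curl/7.40.0";;
1.0;2015-03-01T12:00:03.0000000Z;GetBlob;SASAuthorizationError;403;3;2;sas;;adatum12345;blob;"https://adatum12345.blob.core.windows.net/reports/q1.pdf?sv=2012-02-12&sr=c&sp=r&sig=REDACTED";"/adatum12345/reports/q1.pdf";req-0003;0;203.0.113.7;2014-02-14;280;0;200;0;0;;;;;;"curl/7.40.0";;
1.0;2015-03-01T12:00:04.0000000Z;GetBlob;SASAuthorizationError;403;3;2;sas;;adatum12345;blob;"https://adatum12345.blob.core.windows.net/reports/q1.pdf?sv=2012-02-12&sr=c&sp=r&sig=REDACTED";"/adatum12345/reports/q1.pdf";req-0004;0;203.0.113.7;2014-02-14;280;0;200;0;0;;;;;;"curl/7.40.0";;
1.0;2015-03-01T12:00:05.0000000Z;GetBlob;AnonymousSuccess;200;9;8;anonymous;;adatum12345;blob;"https://adatum12345.blob.core.windows.net/public/logo.png";"/adatum12345/public/logo.png";req-0005;1;198.51.100.9;2014-02-14;220;0;240;4096;0;;;"0x8D2";Sun, 01-Mar-15 10:00:00 GMT;;"Mozilla/5.0";;
1.0;2015-03-01T12:00:06.0000000Z;DeleteBlob;Success;202;15;14;authenticated;adatum12345;adatum12345;blob;"https://adatum12345.blob.core.windows.net/reports/old.pdf";"/adatum12345/reports/old.pdf";req-0006;1;10.0.0.5;2014-02-14;290;0;120;0;0;;;;;;"WA-Storage/4.3.0 (.NET CLR 4.0.30319; Win32NT 6.3.9600.0)";;
"""


def parse_log(text):
    """Parse semicolon-delimited v1.0 records.  The csv module unquotes the
    double-quoted fields, so a user agent containing ';' stays one field."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not rec or rec[0] != "1.0":
            continue                                    # blank line or unknown version
        rec = rec + [""] * (len(FIELDS) - len(rec))     # tolerate short records
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def triage(rows, auth_fail_threshold=3):
    """Return findings as (kind, requester_ip, detail) tuples."""
    findings = []
    auth_failures = Counter()
    for r in rows:
        # SASAuthorizationError, AnonymousAuthorizationError, AuthorizationError ...
        if r["status"].endswith("AuthorizationError"):
            auth_failures[r["requester_ip"]] += 1
        if r["auth_type"] == "anonymous" and r["status"] == "AnonymousSuccess":
            findings.append(("anonymous-read", r["requester_ip"], r["object_key"]))
        if r["operation"] in ("DeleteBlob", "DeleteContainer"):
            findings.append(("delete", r["requester_ip"], r["object_key"]))
    for ip, n in sorted(auth_failures.items()):
        if n >= auth_fail_threshold:
            findings.append(("repeated-auth-failures", ip, str(n)))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {ip:15} {detail}")
```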
To enable logging for a storage account, take the following steps:
1. In the full portal, in the navigation on the left, click Storage and then click the storage account you want to configure.
2. Click the CONFIGURE tab, and then scroll down to the Logging section.
3. For each storage type, select Read Requests, Write Requests, or Delete Requests. You can use the check boxes to select more than one type.
4. For each storage type, in the Retention text box enter a number of days to retain logged data.
5. In the toolbar, click SAVE.

Demonstration: Configuring Monitoring and Logging


In this demonstration, you will see how to:

Configure monitoring and logging.

View logged events.

Demonstration Steps
Configure Monitoring and Logging
1. Start Internet Explorer and browse to https://portal.azure.com. When prompted, sign in using the credentials for the Microsoft account associated with your Azure subscription.
2. In the hub menu, click BROWSE. Then click Storage.
3. In the Storage blade, click the storage account you created in the previous demonstration.
4. Maximize the blade for your storage account. Then click the TotalRequests today tile. Then in the Metric blade, click DIAGNOSTICS.
5. In the Diagnostics blade, under STATUS, click ON. Then select all available check boxes and click OK.
6. On the Metric blade, note the areas where charts and tables of monitoring data will be displayed. No data is available yet, but it will be collected and displayed here after a period of time.
7. Close the Metric blade.

View Logged Events
1. In the blade for your storage account, click the Events in the past week tile.
2. The Events blade summarizes operations that have occurred for the storage account; if there are any events listed, click one and view its Detail blade.
3. Close all open blades and close Internet Explorer.

Reset the Environment

1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:
Reset-Azure
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.

The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does
not remove the Backup Vault; this can either be manually deleted or you can leave it in place as it does
not affect subsequent labs.
Important: The script may not be able to get exclusive access to a storage account to delete it (you will
see an error, if this occurs). If you find objects remaining after the reset script is complete, you can re-run
Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your
Azure subscription, with the exception of the default directory.

Implementing Azure Backup


In Azure Recovery Services, you can use Site Recovery to replicate and fail over from one on-premises set
of virtual servers to another. Alternatively, you can replicate and fail over to a set of virtual machines in
Azure. You can also use Azure Backup Vaults to protect data by effectively using Azure as an off-site
backup medium.

Site Recovery Vault


You can set up replication and failover from on-premises virtual servers in one physical location to
another, or to virtual machines in Azure. Before you start this configuration, review the prerequisites at
the following location:
Prerequisites and Support
http://go.microsoft.com/fwlink/?LinkID=511750


Configuring Site Recovery is a complex task that requires forward planning to ensure success, particularly
for on-premises to on-premises scenarios, which involve System Center VMM administration.
Administrators must complete the following tasks to set up Site Recovery:
1. Plan the System Center VMM infrastructure (if required). The System Center administrators must set up the on-premises VMM clouds and, for on-premises to on-premises failover that includes a Hyper-V cluster with a static IP address, set up the Hyper-V Replica Broker role.
2. Create an Azure Site Recovery Vault. In the Azure full portal, when you create the vault, Azure generates a registration key, which the Site Recovery provider will use to authenticate.
3. Deploy the Azure Site Recovery Provider. This provider is a key component that you must install on either every VMM server or every Hyper-V host that you want to protect.
4. Deploy the Azure Site Recovery Services Agent. You must install this agent on every Hyper-V host server that runs virtual machines that you want to protect.
5. Configure network mapping. Network mapping ensures that virtual machines do not lose connectivity to each other and to clients after failover. In VMM, System Center administrators must set up logical networks and VM networks correctly. If you want to fail over to Azure virtual machines, you must also configure an Azure virtual network.
6. Configure storage mapping. Storage mapping enables administrators to control where virtual machine hard disks are stored after failover takes place. For on-premises to Azure protection, you must specify an Azure geo-replicated storage account in the same region and subscription as the Site Recovery service.
7. Enable protection for virtual machines. System Center must enable and configure protection for the VMM cloud.

For full details of each of these steps, see:


Deploy Azure Site Recovery
http://go.microsoft.com/fwlink/?LinkID=522644

Backup Vault

You can use Backup Vaults to protect server data off-site with automated backups to Azure. The
maximum retention time for production data using Azure Backup is 30 days, and the maximum size of a
single backup from a specific volume is 850 GB. If you wish to retain data for longer than 30 days, you
should use System Center 2012 Data Protection Manager with Azure Backup, and this will provide up to
120 days retention of Azure protected data.
Note: Update Rollup 3 (UR3) for System Center 2012 R2 Data Protection Manager, and the
updated Microsoft Azure Backup, provide long term retention for Azure cloud backups. The
maximum retention with these tools is now 3360 days (over nine years).
The administrator can manage cloud backups from the backup tools in:

• Windows Server 2012 (and R2) Essentials

• System Center 2012 (and R2) Data Protection Manager

To implement Azure backups, you must complete the following tasks:

1. Create a backup vault in the Azure Management Portal.

2. Download a vault credential.

3. Download and install a backup agent.

4. Configure the backup agent to use the vault credential, and register the server with Azure Backup.

5. Configure a backup job in the usual management tool on the protected server.

You will complete these configuration tasks in the lab. For full details of the process, see:
Configure Azure Backup to quickly and easily back up Windows Server
http://go.microsoft.com/fwlink/?LinkID=522645

Lab: Planning and Implementing Storage

Scenario

The IT department at A. Datum uses an asset management application to track IT assets, such as computer hardware and peripherals. The application stores images of asset types and invoices for purchases of specific assets. As part of A. Datum's evaluation of Microsoft Azure, you need to test Azure storage features as part of your plan to migrate the storage of these images and invoice documents to Azure.

Objectives
After completing this lab, you will be able to:

• Create and configure Azure storage.

• Use Azure file storage.

• Use an Azure backup vault.

Lab Setup
Estimated Time: 60 Minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.
Note: The new Azure portal is in preview, and occasionally the user interface may fail to refresh
automatically. If this happens, refresh the page in Internet Explorer.

Exercise 1: Creating and Configuring Storage

Scenario
A. Datum currently stores images for IT assets as files in a local folder. As part of your evaluation of Microsoft Azure, you want to test storing these images as blobs in Azure so that they can be easily accessed by a new Azure-based version of the asset management application.
The main tasks for this exercise are as follows:
1. Create a Storage Account
2. Install AzCopy
3. Use AzCopy to Upload Blobs

Task 1: Create a Storage Account

1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the Preparing the Environment demonstration has completed.

2. Use Internet Explorer to sign into the new Azure portal at https://portal.azure.com using your Microsoft Account.

3. Create a new storage account with the following settings:
   o Name: A valid, unique name
   o Pricing tier: Standard-GRS
   o Resource group: A new resource group named Asset-Management
   o Subscription: Your Azure subscription
   o Location: Select the region nearest to you
   o Diagnostics: Leave as not configured

4. After the storage account has been created, add a container named asset-images with private access.

5. Start the Microsoft Azure PowerShell ISE as Administrator.

6. Open the code snippets in D:\Labfiles\Lab04\Starter\ExampleCommands.ps1 and record the name of the storage account you created earlier in this task.

Task 2: Install AzCopy

1. Download and install AzCopy from http://aka.ms/AzCopy. Note that this page also includes documentation and examples for using AzCopy.

2. Add the installation path for AzCopy (C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy) to the Path system variable.

3. Test the installation by running the following command in a command prompt window:
   AzCopy /?

Task 3: Use AzCopy to Upload Blobs

1. In the new Azure portal, view the keys for your storage account. Note that you can copy access keys to the clipboard.

2. In a command prompt, use AzCopy to copy all of the .png files in the D:\Labfiles\Lab06\Starter\asset-images folder to the asset-images container in your storage account.

3. Use the code snippets in D:\Labfiles\Lab06\Starter\ExampleCommands.ps1 to help you during this exercise; make sure that you copy your commands to the command prompt window, and do not try to run them as PowerShell.

Results: At the end of this exercise, you will have a new Azure storage account with a container named asset-images.
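As an added example (not part of the course lab files or ExampleCommands.ps1), the following PowerShell script performs the Task 3 upload with AzCopy but fetches the account key with Get-AzureStorageKey instead of pasting it at a prompt, so the key does not end up in a command-prompt history. The account name placeholder, and the AzCopy 3.x switches used, are assumptions about your environment.

```powershell
# Added example, not the course's own script: upload the lab's .png files to the
# asset-images container with AzCopy, obtaining the key through the Azure PowerShell
# (Service Management) cmdlets. Assumptions: the Azure PowerShell module is loaded,
# Add-AzureAccount has been run, and AzCopy is on the Path (Task 2).

$storageAccount = "<your-storage-account-name>"   # placeholder: the name recorded in Task 1
$container      = "asset-images"
$source         = "D:\Labfiles\Lab06\Starter\asset-images"

# Retrieve the primary access key for the account instead of copying it from the portal.
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary

# AzCopy 3.x syntax: /Pattern restricts the copy to .png files, /Y suppresses the
# interactive confirmation prompts so the command completes unattended.
$dest = "https://$storageAccount.blob.core.windows.net/$container"
& AzCopy /Source:$source /Dest:$dest /DestKey:$key /Pattern:"*.png" /Y

# Verify the upload by listing the container through a storage context rather than
# trusting the console summary alone.
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key
Get-AzureStorageBlob -Container $container -Context $ctx |
    Select-Object Name, Length, LastModified |
    Format-Table -AutoSize

# Drop the key from the session once the work is done.
Remove-Variable key
```

Because this is a PowerShell script rather than the lab's command-prompt snippets, run it in the Azure PowerShell ISE, not in the command prompt window.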

Exercise 2: Using Azure File Storage

Scenario

A. Datum currently stores invoices for IT assets in Microsoft Word format in a local folder. As part of your evaluation of Microsoft Azure, you want to test the uploading of these files to a file share in your Azure storage account to make it easier to access them from virtual machines in Azure.
The main tasks for this exercise are as follows:
1. Create a File Share and Upload Files
2. Access a File Share from a Virtual Machine

Task 1: Create a File Share and Upload Files

1. Use the Windows PowerShell Integrated Scripting Environment (ISE) to create a PowerShell script that performs the following tasks:
   o Uses the Get-AzureStorageKey cmdlet to retrieve the access key for your storage account.
   o Uses the New-AzureStorageContext cmdlet to create a storage context that connects to your storage account using the access key.
   o Uses the New-AzureStorageShare cmdlet to create a file share named assets.
   o Uses the New-AzureStorageDirectory cmdlet to create a folder named invoices in the file share.
   o Uses the Set-AzureStorageFileContent cmdlet to upload each file in the D:\Labfiles\Lab06\Starter\invoices folder to the invoices folder in the file share.

   Note: You can edit FileShare.ps1 in the D:\Labfiles\Lab06\Starter folder if you prefer not to write the script from scratch.

2. Run the script to upload the files.
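One way to write the script described in step 1, as an added example rather than the course's FileShare.ps1: it uses the five cmdlets listed above, is safe to re-run, and checks the result. It assumes the Azure PowerShell Service Management cmdlets are loaded, Add-AzureAccount has been run, and that you replace the storage account name placeholder.

```powershell
# Added example (not the course's FileShare.ps1): create the assets share and the invoices
# folder, then upload every file from the lab folder. Assumptions: Azure PowerShell
# (Service Management cmdlets) is loaded and Add-AzureAccount has already been run.

$storageAccount = "<your-storage-account-name>"   # placeholder: the account from Exercise 1
$shareName      = "assets"
$folderName     = "invoices"
$localFolder    = "D:\Labfiles\Lab06\Starter\invoices"

# 1. Retrieve the access key and wrap it in a storage context, so the key is handed to
#    each cmdlet as an object rather than retyped on every call.
$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key

# 2. Create the share only if it does not already exist, so re-running does not fail.
$share = Get-AzureStorageShare -Name $shareName -Context $ctx -ErrorAction SilentlyContinue
if (-not $share) {
    $share = New-AzureStorageShare -Name $shareName -Context $ctx
}

# 3. Create the invoices folder in the share (skipped if it is already there).
$dir = Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $ctx -ErrorAction SilentlyContinue
if (-not $dir) {
    New-AzureStorageDirectory -ShareName $shareName -Path $folderName -Context $ctx | Out-Null
}

# 4. Upload each local file into the folder; -Force overwrites a copy from an earlier run.
$files = Get-ChildItem -Path $localFolder -File
foreach ($file in $files) {
    Set-AzureStorageFileContent -ShareName $shareName -Source $file.FullName `
        -Path "$folderName/$($file.Name)" -Context $ctx -Force
}

# 5. Verify: list the folder contents (piping the directory object lists what is inside it)
#    and compare the count with the local folder.
$uploaded = Get-AzureStorageFile -ShareName $shareName -Path $folderName -Context $ctx |
    Get-AzureStorageFile
"Uploaded $($uploaded.Count) of $($files.Count) files to \\$storageAccount.file.core.windows.net\$shareName\$folderName"
```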

Task 2: Access a File Share from a Virtual Machine

1. Connect to the AdatumSvr1 virtual machine in your Azure subscription using the following credentials (this was created by the setup script you ran earlier in the module):
   o User name: AdatumSvr1\Student
   o Password: Pa$$w0rd123

2. In the remote desktop session to AdatumSvr1, turn off IE Enhanced Security Configuration for administrators, and use Internet Explorer to sign in to the Azure portal and copy the primary access key for your storage account to the clipboard.

3. In an administrative command prompt window, type the following command to map a network drive to the assets file share in Azure storage. Replace both instances of storage_account with the name of your storage account and paste your access key in place of access_key (to paste into a command prompt window, click the control box at the top left of the window, point to Edit, and click Paste):
   net use z: \\storage_account.file.core.windows.net\assets /u:storage_account access_key

4. In the command prompt window, enter the following command to view the contents of the invoices folder in the Z: drive (which is now mapped to the assets file share you created in the previous task):
   dir z:\invoices

5. Verify that three invoice files are listed.

6. Sign out of the AdatumSvr1 virtual machine to end the remote desktop session.

Results: At the end of this exercise, you will have a file share named assets that contains a folder named invoices. This folder will contain three invoice documents and be accessible from the AdatumSvr1 virtual machine.

Exercise 3: Protecting Data with Azure Backup

Scenario

A. Datum currently uses an on-premises backup solution. As part of your evaluation of Microsoft Azure, you want to test the protection of on-premises master copies of your image files and invoices by backing them up to the cloud. To accomplish this, you intend to use Azure Backup.
The main tasks for this exercise are as follows:
1. Create a Backup Vault
2. Create a Certificate
3. Install and Configure a Backup Agent
4. Create a Backup Schedule
5. Run a Backup
6. Reset the Environment

Task 1: Create a Backup Vault

1. In Internet Explorer, open the full Azure management portal.

2. Create a new backup vault in your closest region.

Task 2: Create a Certificate

1. In the full Azure Management Portal, click Recovery Services, then click your new backup vault.

2. On the backup vault Quick Start page, click Download vault credentials.

3. Click Save to download the vault credentials to the Downloads folder.

Task 3: Install and Configure a Backup Agent

1. Download and install the Azure backup agent for Windows Server and System Center - Data Protection Manager.

2. Install any available updates for the backup agent.

3. Use the desktop shortcut that has been created to start Microsoft Azure Backup, and register the server using the vault credentials you downloaded earlier.

4. Generate a passphrase and store it in the D:\Labfiles\Lab06\Starter folder.

Task 4: Create a Backup Schedule

1. Use Microsoft Azure Backup to schedule a weekly backup, to run at 9:30 on Sunday, of the following folders:
   o D:\Labfiles\Lab06\Starter\asset-images
   o D:\Labfiles\Lab06\Starter\invoices

Task 5: Run a Backup

1. Use Microsoft Azure Backup to back up now.

2. In the full Azure management portal, verify that the MIA-CL1 server has been registered, and note the newest recovery point for the protected items (which should include files and folders on D:\).
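The registration, passphrase, schedule and on-demand backup of Tasks 3 to 5, scripted as an added example (not a script from the course) with the MSOnlineBackup module that the backup agent installs. It assumes an elevated PowerShell session on 20533B-MIA-CL1, the vault credentials file saved in the Downloads folder, and a constructed passphrase file name in the lab folder.

```powershell
# Added example, not from the course lab files: the same steps the Microsoft Azure Backup
# console performs in Tasks 3 to 5, using the MSOnlineBackup cmdlets of the backup agent.
# Assumptions: backup agent installed, elevated session, vault credentials in Downloads.

Import-Module MSOnlineBackup

# 1. Register the server with the vault using the newest downloaded vault credentials file.
$vaultCreds = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter "*.VaultCredentials" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
Start-OBRegistration -VaultCredentials $vaultCreds.FullName -Confirm:$false

# 2. Set the encryption passphrase. The lab stores the generated passphrase in
#    D:\Labfiles\Lab06\Starter; the file name here is constructed, so use your own.
#    Reading it from the file avoids typing the passphrase in clear in the console.
$passphraseFile = "D:\Labfiles\Lab06\Starter\passphrase.txt"
$passphrase = (Get-Content -Path $passphraseFile -Raw).Trim()
$securePass = ConvertTo-SecureString -String $passphrase -AsPlainText -Force
Set-OBMachineSetting -EncryptionPassphrase $securePass
Remove-Variable passphrase

# 3. Build the policy: weekly on Sunday at 09:30, the two lab folders, 30-day retention
#    (the maximum for Azure Backup without DPM, as stated earlier in this lesson).
$policy    = New-OBPolicy
$schedule  = New-OBSchedule -DaysOfWeek Sunday -TimesOfDay 09:30
Set-OBSchedule -Policy $policy -Schedule $schedule | Out-Null
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention | Out-Null
$fileSpec  = New-OBFileSpec -FileSpec @(
    "D:\Labfiles\Lab06\Starter\asset-images",
    "D:\Labfiles\Lab06\Starter\invoices"
)
Add-OBFileSpec -Policy $policy -FileSpec $fileSpec | Out-Null
Set-OBPolicy -Policy $policy -Confirm:$false

# 4. Back up now, then confirm the protected source and the outcome of the last job
#    instead of relying only on the portal view in Task 5 step 2.
Get-OBPolicy | Start-OBBackup
Get-OBRecoverableSource
Get-OBJob -Previous 1 | Format-List
```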

Task 6: Reset the Environment

1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:
   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Backup Vault; this can either be manually deleted or you can leave it in place as it does not affect subsequent labs.
Important: The script may not be able to get exclusive access to a storage account to delete it (you will see an error if this occurs). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Results: At the end of this exercise you will have an Azure backup vault in your subscription, created Backup Vault Credentials, and installed the Azure backup agent on 20533B-MIA-CL1. You will have backed up the contents of the asset-images and invoices folders to the backup vault.
Question: The asset management application stores images of hardware components as blobs and invoices as files. If the application needed to also store the location of each asset using a unique asset number and a text description of the location, what storage options should you consider?

Module Review and Takeaways

In this module, you have learned how to use Azure storage and recovery services.
Best Practice: When using Azure storage, consider the following best practices:

• Choose the most appropriate storage type based on your application requirements and the format of the data to be stored.

• Co-locate storage accounts and the services that use them in the same region or affinity group.

• When storing blobs, use block blobs for large objects that you want to upload or stream, and use page blobs when the application will read and write data using random access semantics.

Review Question(s)
Question: Why should you co-locate storage accounts and the Azure services that use them?

Module 7
Planning and Implementing Data Services
Contents:
Module Overview 7-1
Lesson 1: Data Services in Microsoft Azure 7-2
Lesson 2: Implementing Azure SQL Database 7-8
Lesson 3: Managing Azure SQL Database Security 7-15
Lesson 4: Monitoring Azure SQL Database 7-23
Lesson 5: Managing Azure SQL Database Business Continuity 7-27
Lab: Planning and Implementing Data Services 7-31
Module Review and Takeaways 7-36

Module Overview

Microsoft Azure includes a range of services that you can use to manage data. In particular, Microsoft Azure SQL Database provides a relational database management service based on Microsoft SQL Server, which you can use to implement a relational data store for applications without having to take on the responsibility of managing SQL Server itself or the operating system that supports it. In this module, you will learn about the available options for data storage and analysis, and how to provision, configure, and manage Azure SQL Database.

Objectives
After completing this module, you will be able to:

• Identify data services in Microsoft Azure.

• Provision, configure, and manage Azure SQL Database.

• Configure security for Azure SQL Database.

• Monitor Azure SQL Database.

• Manage data recovery and availability for Azure SQL Database.

Lesson 1

Data Services in Microsoft Azure

Microsoft Azure provides multiple services that you can use to store, manage, and analyze data. The appropriate service to use depends on the specific data management requirements of the applications your Azure infrastructure must support. This lesson discusses the various data services that are available in Microsoft Azure, and describes considerations for choosing a data storage solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how Azure data services can be used to support compute services and app services in applications.

• Identify data services in Microsoft Azure.

• Choose between Azure SQL Database and Microsoft SQL Server.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your subscription. For this reason, you should complete this course against a new Azure subscription. You should have received sign-up details and instructions for creating an Azure Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft account that has not been associated with any other Azure subscription. This avoids confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this lab, Setup-Azure creates a database with sample data on the local SQL Server, and then removes the Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your classroom location. You will need this information during the lab setup, and during the lab.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.

5. Close the tab containing the new portal, keeping the full portal tab open.

Enable Preview Features

1. In Internet Explorer, at the top right of the Azure portal page, click your Microsoft account name and click View my bill.

2. In the new tab that is opened, click preview features.

3. Click try it now for the following preview feature, and activate it for your subscription:
   o Auditing for Azure SQL Database

   Note: Preview features are constantly changing. If this feature is unavailable, continue to the next step.

4. Close Internet Explorer, closing all tabs.

Prepare the Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:
   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at the end of this module.
At the end of setup, you should have a new database on your local machine. There should be no objects in your Azure subscription except the default directory.

Data Services as Components of Azure

Virtually all applications have the need to store data. In a traditional, on-premises application or a web application hosted at an ISP, data is often stored in databases. These range from small database applications, such as Access, to fully fledged Relational Database Management Systems (RDBMSs) such as Microsoft SQL Server, which can scale to the largest sizes and handle very intense traffic.
In Azure, you can migrate on-premises databases into the cloud quickly and easily, by hosting them on Virtual Machines (VMs). This arrangement provides a very familiar environment for Database Administrators (DBAs) but, because VMs are an Infrastructure as a Service (IaaS) offering, you are responsible for managing and maintaining all the underlying software, including the operating system and database management software. You must also take responsibility for maintaining fault tolerance and scaling.
Microsoft has included the SQL Database service within Azure. This is a Platform as a Service (PaaS) offering that frees you from patching and maintaining operating systems and database management software. It also includes built-in features for fault tolerance and scalability. In this module, you will learn in detail about SQL Database and how to set up databases to support your applications.

The Azure Storage service provides an alternative location for data storage. For example, for storing files, you can use blob storage. Many web applications, for example, use a database for structured data, such as product details, but keep images outside of the database in blobs. This arrangement may result in better performance.
The Azure Storage service also includes table storage. Tables are similar to databases in that they store structured data in rows, but they do not have a rigid schema for each table. This means each row in the table can have different columns. For example, in a Products table, a bicycle product may include a column for frame size that a bicycle pedal product does not include. This is often termed semi-structured data.

Overview of Data Services in Microsoft Azure

Microsoft Azure includes a range of data services.

Application Data Storage Services

Services that you can use to store data in Microsoft Azure include:

• Azure Storage. You can use an Azure Storage account to store binary large objects (BLOBs), files, and name/value pair records in NoSQL tables. Applications can read and write data directly to Azure Storage using the published application programming interfaces (APIs), and Azure Storage blob containers can be used as a file store by other Azure services (for example, Azure virtual machines store their virtual hard disk files in an Azure Storage page blob container).

• Cache. Azure cache services enable application developers to cache application data for faster data access and improved application performance. Application developers can choose from caching solutions based on the AppFabric cache engine and open source Redis Cache technologies.

• Azure SQL Database. Azure SQL Database is a PaaS solution (sometimes referred to as a Database-as-a-Service solution) that provides a relational data storage solution based on Microsoft SQL Server technologies.

• Virtual Machines. You can create Azure virtual machines that host a relational database management system (RDBMS) such as SQL Server, Oracle, or MySQL, creating an IaaS solution for relational data storage.

Data Processing and Analysis Services

Services that you can use to process and analyze data in Azure include:

• HDInsight. HDInsight is an Azure-based implementation of Apache Hadoop that provides a platform for Big Data processing. You can use HDInsight to apply MapReduce data processing techniques to large volumes of structured and unstructured data.

• Machine Learning. Azure Machine Learning uses statistical algorithms to train predictive models, which you can use to apply data mining techniques to data sets or individual records and predict unknown values.

Data Infrastructure Services

Azure provides the following data services that you can use to implement and manage enterprise infrastructure solutions:

• StorSimple. Azure StorSimple is a hybrid storage management solution that enables enterprises to provide centralized access to data that is stored across on-premises storage devices and Azure.

• Backup. Azure backup vaults provide an effective off-site backup solution for enterprise data.

• Site Recovery. Azure Site Recovery services provide a site-to-site or on-premises-to-Azure failover solution for virtual machines hosted in Microsoft System Center Virtual Machine Manager clouds.

Azure SQL Database vs SQL Server

Most business applications use a relational database to store data. When using Microsoft Azure to support business applications, you can choose to store relational data in Microsoft SQL Server (or another database management system) in a virtual machine in Azure, or in Azure SQL Database.
Azure SQL Database provides a PaaS solution that removes much of the overhead associated with managing a relational database system. SQL Database supports much of the same functionality as SQL Server, with some key differences.

Unsupported Features

Azure SQL Database supports many of the same objects as SQL Server, and database developers can create and manage tables, views, and stored procedures using familiar Transact-SQL syntax. You can implement most common database workloads in Azure SQL Database, but be aware that SQL Database does not support some SQL Server features, including:

• SQLCLR

• Global temporary tables

• Service Broker

• Some system tables and dynamic management views

• Trace flags

Additionally, some other features of SQL Server have limited support in Azure SQL Database.

Database Isolation

A key principle on which Azure SQL Database is based is strict isolation of databases. In a SQL Server instance, applications can open a connection to one database, and then change the database context (by using the USE statement) or reference objects in a different database. In Azure SQL Database, access is restricted to the database to which the connection was initially made. Applications cannot change database context without opening a new connection.

Common Operations Tasks

Although Azure SQL Database eliminates or simplifies many of the configuration and management tasks required to maintain a relational database, administrators still need to create databases, manage security, and recover databases in the event of a disaster. However, there are some key distinctions between how you perform some of these tasks in a SQL Database environment and how you carry them out in SQL Server. The following table summarizes these differences, one row per operations task, comparing SQL Server with SQL Database:

Operations task: Creating databases
  SQL Server: You can define specific storage paths for data and log files, based on the physical or virtual storage volumes accessible by your database server. You can also configure compression and encryption for these files.
  SQL Database: All physical storage details are abstracted by Microsoft Azure. When you create a database, you must specify an edition, performance level, and maximum size, but you cannot define individual file storage for the database.

Operations task: Configuring security
  SQL Server: You can choose Windows Authentication and/or SQL Server Authentication for account types and connections. You must then create the required logins at the server level, and users at the database level, add users to appropriate server-level and database-level roles, and assign the required permissions to support your application's data access requirements. Additional access restrictions can be enforced by configuring the Windows Firewall settings on the host server.
  SQL Database: SQL Server Authentication is the only mechanism supported. All access is through username/password combinations. You must create logins and users, and apply permissions; but the security hierarchy in Azure SQL Database has some key differences from SQL Server. In particular, server-level roles are implemented as database roles in the master database. By default, there is no network access to the server except through the Management Portal. Specific IP addresses and ranges must explicitly be allowed to connect at both the server and the individual database level.

Operations task: Managing data recovery
  SQL Server: Administrators can define backup solutions that include full database backups, differential backups, file and filegroup backups, and transaction log backups. These backup operations can be scheduled and automated based on specific recovery requirements. Additionally, SQL Server supports a range of high-availability solutions, including failover clustering, database mirroring, and log shipping.
  SQL Database: Azure SQL Database does not support user-initiated backup operations. To implement a custom backup solution, you must copy the database and export it to a BACPAC file, which you can then import into an Azure SQL Database server if you need to recover the database. Alternatively, you can rely on the built-in automated backup functionality discussed later in this module. Azure SQL Database stores data in redundant storage within the Azure data center, reducing the likelihood of failure. Additionally, Standard and Premium SQL Databases are automatically replicated to geo-redundant storage on a frequent basis, enabling you to restore a database to a specific point in time up to the most recent backup, even if the database has been deleted.

Reference Links: For more information about supported features in Azure SQL Database,
see the article Azure SQL Database Transact-SQL Support in the Azure documentation, on the
MSDN website at
http://go.microsoft.com/fwlink/?LinkID=511756.

Lesson 2

Implementing Azure SQL Database

Azure SQL Database is a cloud-based SQL service that provides subscribers with a highly scalable platform for hosting their databases. By using Azure SQL Database, organizations can avoid the cost and complexity of managing on-site SQL Server installations, and quickly set up and start using database applications.
In this lesson, you will learn about the key features of Azure SQL Database and how to provision and manage databases in Azure SQL Database.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the architecture of Azure SQL Database.

• Provision Azure SQL Database.

• Describe tools with which you can manage databases in Azure SQL Database.

• Migrate SQL Server databases to Azure SQL Database.

• Connect SQL Server Management Studio to Azure SQL Database and use it to manage databases.

Azure SQL Database Architecture

Azure SQL Database is a PaaS relational database service based on SQL Server. SQL Database provides a familiar relational database storage solution that implements many of the fundamental capabilities of SQL Server, including tables, views, stored procedures, and other database objects.
The goal of SQL Database is to enable quickly provisioned databases that scale to meet the needs of a business while removing the requirement to manage the operating system and hardware. This enables administrators to focus primarily on the logical management of the database platform.
From the perspective of the SQL Server developer or administrator, SQL Database operates much like a traditional SQL Server instance, with a few key distinctions, as described in the previous lesson. You can write SELECT queries against tables and views, and invoke functions and stored procedures against databases that are hosted in SQL Database, just as you would in SQL Server.

Beyond the relational database engine provided by SQL Database, it is necessary to understand the model behind the Azure platform, so you can set up your own account, provision a server, and create databases.


There is a relationship between four core objects in SQL Database: the subscription, the resource group, the server, and the database. The following list describes these objects:

Azure Subscription. All Azure activity is metered and assigned to an Azure subscription. An Azure subscription may have zero or more SQL Database servers.

Resource Group. Resource groups are conceptual containers in which you can group related Azure resources to aid manageability. You can create your SQL Database resources in a single resource group, along with other related resources, such as Azure web applications, that use a SQL Database to store data. An Azure subscription can contain multiple resource groups.

SQL Database Server. SQL Database servers are logical servers that host SQL Databases. Each SQL Database server has a Domain Name System (DNS) name, administrator accounts, and firewall rules. SQL Database servers may host zero or more user databases in addition to the master system database that is used to store server configuration data. You can choose to organize SQL Database servers into resource groups to help administrators manage them. Multiple database servers can be placed into each resource group.

SQL Database. Databases in a SQL Database server, like databases in a SQL Server instance, are containers for data objects such as tables, views, functions, and procedures, as well as user security accounts. Unlike a SQL Server instance, SQL Database does not expose system databases, other than master. Each database is isolated from the others on the same server, and sessions cannot switch between databases. Each SQL Database server can contain multiple databases.

Provisioning Azure SQL Database


You provision Azure SQL Database services from the Azure management portal, where you can create a database and specify an existing or new server in which it is to be hosted; or create a server ready for a database to be added later.

Creating a Database
When you create a database, you must specify the following information:

A name for the database.

The service tier of SQL Database you want to use, the desired performance level (expressed in Database Transaction Units, or DTUs), and the maximum size you want the database to grow to. These settings determine the cost of the database.

The collation that you want the database to use.

The server on which to create the database. You can select an existing server that you have previously created in the same subscription, or create a new server.

The resource group in which the database and its server should be created (if an existing server is selected, the database is automatically added to the existing resource group to which the server belongs).

Note: A Database Transaction Unit (DTU) is a blended measure of the capacity of a database performance level. It depends on the CPU resources, memory, read operations, and write operations available to that level. A performance level with five DTUs has approximately five times the capacity of one with 1 DTU. Each Azure SQL Database server supports a maximum of 1600 DTUs spread across databases in different tiers.

Creating a Server


You can create a server either as part of the process of creating a database, or on its own. In scenarios
where you are producing new databases for applications, you typically create the server as part of the
process of creating the first database. However, in some cases, you might want to create the server
without any user databases, and then add databases to it later; for example, by migrating them from an
on-premises SQL Server instance.

Each SQL Database server must have a globally unique name. The fully qualified name of the server is in
the form <server_name>.database.windows.net; for example, abcd1234.database.windows.net.
When you create a server, you must specify the following information:

A globally unique server name (when using the full portal, this is generated automatically).

A login name and password for the administrative account that you will use to manage the server.

The geographical region where the Azure data center hosting the server should be located.

Whether or not to allow other Azure services to connect to the server. Enabling access from Azure creates a firewall rule that permits access from the IP address 0.0.0.0. This rule admits connections from any Azure-hosted resource, including resources in other customers' subscriptions, so it is not a substitute for authentication or for a rule that names the specific addresses that need access.

Note: After you have created a server, you must configure its settings to enable remote
network access based on IP address. Firewall rules are discussed in more depth later in this
module.

Tools for Azure SQL Database


You can implement and manage databases in Azure SQL Database by using the following tools:

The Azure management portals. You can use the portals to provision Azure SQL Database servers and databases, and to manage configuration settings such as server firewall rules, database size limits, and conversion between database editions. You can also restore databases from automatic backups, export and import databases, configure database auditing, and monitor database metrics. The full management portal includes a web-based management tool for SQL Database, which you can use to create database objects, such as tables, and to execute Transact-SQL statements.

SQL Server Management Studio. You can use SQL Server Management Studio (SSMS) to connect to
an Azure SQL Database Server and manage it in a similar way to SQL Server instances. The ability to
manage SQL Server instances and SQL Database servers by using the same tool is useful in hybrid IT
environments. However, many of the graphical designers in SSMS are not compatible with SQL
Database, so you must perform most tasks by executing Transact-SQL statements.


SQLCMD. You can use the SQLCMD command-line tool to connect to Azure SQL Database servers
and execute Transact-SQL commands.

Visual Studio. Developers can use Visual Studio to create databases and deploy them directly to
Azure SQL Database.

Migrating a SQL Server Database to Azure SQL Database


A common scenario for Azure SQL Database is the migration of a database from a SQL Server instance to a SQL Database server. This requirement may be due to the migration of an on-premises application to the cloud, or because developers created a database by using SQL Server before deploying it to a production environment in SQL Database.

There are two primary techniques you can use to migrate a database from SQL Server to Azure SQL Database:

Generate Transact-SQL scripts for the objects in your SQL Server database and run them in a database in Azure SQL Database.

Export a data-tier application (DAC) from SQL Server and import it into Azure SQL Database. A DAC can be exported as a .dacpac file (which contains the database schema only) or as a .bacpac file (a logical backup that contains both the schema and the data).

Of these two techniques, using a DAC is the simplest way to ensure the correct migration of the database
and all its server-level dependencies. You can export and import the DAC by using the tools in SSMS and
the Azure SQL Database management portal, or you can use a wizard in SSMS to automate the entire
process.

The Export Data-Tier Application wizard in SSMS enables you to specify an Azure Storage account as the
destination for an exported package. The Import Data-Tier Application wizard enables you to specify an
Azure Storage account as the source for a package that you want to import. This makes it easy to migrate
a database from SQL Server to Azure SQL Database in two stages, using Azure Storage as an intermediary
storage location for the DAC package.
Alternatively, you can use the Deploy Database wizard to export a SQL Server database as a DAC package
and import it into an Azure SQL database server in a single operation.
Note: Whichever technique you use to deploy a SQL Server database to Azure SQL
Database, you will need to resolve any compatibility issues before migration, and reconfigure
security for the database after migration. Although DAC packages include logins and maintain
mappings to database users, the migration operation does not include passwords; you must reset
these after the migration completes. Additionally, if the source database uses Windows
authentication, you may need to create new logins and users in Azure SQL Database because SQL
Database does not support Windows authentication.

Demonstration: Using Azure SQL Database


In this demonstration, you will see how to:

Create an Azure SQL Database.

Configure firewall settings.

Use SQL Server Management Studio.

Configure a client connection string.

Demonstration Steps
Create an Azure SQL Database
1. Ensure that you are logged on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd, and that the setup script you ran in the previous demonstration to prepare the environment has completed.

2. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.

3. At the top right, click your Microsoft account name and click Switch to new portal.

4. In the Hub menu on the left, click New, and then click SQL Database.

5. In the SQL database blade, in the NAME box, type demodb.

6. Click SELECT SOURCE, and then click Blank Database.

7. In the PRICING TIER section, ensure that Standard S1 is selected.

8. Click SERVER, and then in the Server blade, click Create a new server.

9. In the New server blade, enter the following settings and click OK:
   o SERVER NAME: any valid unique name
   o SERVER ADMIN LOGIN: instructor
   o PASSWORD: Pa$$w0rd
   o CONFIRM PASSWORD: Pa$$w0rd
   o LOCATION: closest region to your location

10. In the SQL database blade, click RESOURCE GROUP, and then in the Resource group blade, click Create a new resource group.

11. In the Create resource group blade, in the NAME box, type DemoRG and click OK.

12. In the SQL database blade, ensure that Add to Startboard is selected and click Create. Then wait for the SQL Database to be created.
Configure Firewall Settings

1. In Internet Explorer, switch to the tab containing the full Azure portal.

2. In the service pane on the left, click SQL DATABASES and verify that the demodb database you created in the new portal is listed. If not, refresh the page in Internet Explorer.

3. On the sql databases page, click SERVERS, and verify that the uniquely named server you created in the previous task is listed.

4. Click the server name, and then click CONFIGURE.

5. Note the CURRENT CLIENT IP ADDRESS, and click the ADD TO THE ALLOWED IP ADDRESSES icon. Change the START IP ADDRESS to XXX.XXX.0.0, and the END IP ADDRESS to XXX.XXX.255.255, leaving XXX as it is (where XXX.XXX is the first two fields of Current Client IP address), and then at the bottom of the page, click SAVE.

Note: Widening the rule to the surrounding /16 range is a convenience for a classroom environment in which the client address may change between sessions. In production, restrict server firewall rules to the specific egress addresses that need access.

Use SQL Server Management Studio

1. Start SQL Server 2014 Management Studio, and in the Connect to Server dialog box, specify the following settings (replacing server_name with the unique name you specified when creating your SQL Database server), and click Connect:
   o Server type: Database Engine
   o Server name: server_name.database.windows.net
   o Authentication: SQL Server Authentication
   o Login: Instructor
   o Password: Pa$$w0rd

2. In SQL Server Management Studio, in Object Explorer, under the server name, expand Databases and verify that the demodb database is listed.

3. Expand the demodb database and then right-click its Tables folder, point to New, and click Table. Note that this opens a Transact-SQL template that you can use to create a table; there are no graphical designers in SQL Server Management Studio for creating Azure SQL Database objects.

4. Replace the Transact-SQL code in the template with the following code:
CREATE TABLE dbo.demotable
(
id integer identity primary key,
dataval nvarchar(50)
);
GO

5. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.

6. In Object Explorer, expand the Tables folder and verify that dbo.demotable is listed (if not, right-click Tables and click Refresh).

7. Click New Query and enter the following Transact-SQL code in the new query pane. This code inserts 100 rows containing automatically generated globally unique identifier (GUID) values into the table:
INSERT INTO dbo.demotable
VALUES
(newid());
GO 100

8. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.

9. In Object Explorer, right-click dbo.demotable, point to Script Table as, point to SELECT To, and click New Query Editor Window. This generates a Transact-SQL query that retrieves data from the table.

10. On the toolbar, in the Available Databases list, ensure that demodb is selected. Then click Execute.

11. View the query results and verify that a table of id and dataval values is returned.

12. Keep SQL Server Management Studio and Internet Explorer open for the next demonstration.

Configure a Client Connection String

1. In the D:\Demofiles\Mod07 folder, double-click CompileClientApp.cmd. This compiles a client application for the demodb database you created previously.

2. Double-click DemoClientApp.exe to run it, wait for a few seconds, and note that the application displays an error indicating that it cannot open a database connection. Then press Enter to end the application.

3. Double-click DemoClientApp.exe.config.

4. In the How do you want to open this type of file (.config)? dialog box, click Microsoft Visual Studio 2013 to open the configuration file in Visual Studio, and note the value of the connectionString attribute for the demoConnectionString setting. This must be modified to reference the demodb database in your Azure SQL Database server.

5. In Internet Explorer, on the tab containing the new Azure portal, if the demodb SQL Database blade is not open, in the Startboard, click the tile for the demodb SQL Database (which was pinned to the Startboard when you created it).

6. In the demodb SQL Database blade, click Properties, and view the properties of the demodb database.

7. On the Properties blade, click Show database connection strings.

8. On the Database connection strings blade, click the Click to copy icon for the ADO.NET connection string. If prompted, click Allow access.

9. In Visual Studio, replace the existing connection string with the one you copied from the Azure portal. Then, in the copied connection string, change the value of the Password parameter to Pa$$w0rd. The new connectionString value should look similar to this:
Server=tcp:server_name.database.windows.net,1433;Database=demodb;User ID=Instructor@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
Leave Encrypt=True and TrustServerCertificate=False as they are. Together they make the client encrypt the connection and validate the server's certificate; setting TrustServerCertificate=True would disable that validation.

10. Save DemoClientApp.exe.config and close Visual Studio.

11. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe to run it, and note that it now connects successfully to the database and displays the data values from the dbo.demotable table. Then press Enter to end the application.

Lesson 3

Managing Azure SQL Database Security

Azure SQL Database provides a highly secure platform for subscribers' databases. However, whilst the principles of security for Azure SQL Database will be familiar to users of SQL Server, there are some differences between the two. In this lesson, you will learn about the security model in Azure SQL Database, and how to manage firewall rules, logins, users, roles, and permissions.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the key features of Azure SQL Database security.

Explain how to configure firewall rules.

Manage logins and users.

Manage roles and permissions.

Use SQL Server Management Studio to configure SQL Database security.

Overview of Azure SQL Database Security


Azure SQL Database has a hierarchical security architecture similar to that of SQL Server. However, the cloud-based nature of Azure creates some additional considerations that you must address when planning and implementing security.

Server-Level Security Features

At the server level, access to SQL Database is restricted, based on the identity of the user requesting the connection, and the computer or device from which the connection is requested.

Server Firewall Rules

To restrict access from specific devices or networks, SQL Database uses a firewall, which by default allows
no external connections. When you create a server, you can optionally grant access from other Azure
services, which are identified by the IP address 0.0.0.0. In the Azure management portal, you can enable
access from the current IP address of the client device being used to access the portal. You can also
specify one or more ranges of IP addresses that should be permitted to access the SQL Database server.

Logins

In a similar way to SQL Server, Azure SQL Database uses logins at the server level to authenticate user
requests. SQL Database does not support Windows integrated authentication, so all logins consist of a
login name and password. Logins are defined in the master database.

Master Database Roles

Azure SQL Database provides the following two database roles in the master database, to which you can assign users, in order to grant them server-level permissions:

loginmanager. This role has permission to create and manage logins.

dbmanager. This role has permission to create and manage databases.

Note that this architecture is different to that of SQL Server. A SQL Database server is a logical entity that
contains only databases, including the master database. To assign server-level management privileges to
a login, you must create a user for that login in the master database, and then add the user (not the
login) to the role.

Database-Level Security Features

At the database level, SQL Database provides an additional layer of firewall protection, as well as the same
security principals as SQL Server.

Database Firewall Rules

As well as restricting access to the SQL Database server based on client IP address, you can define
additional firewall rules for individual databases. This enables you to host multiple databases on the same
server while restricting access to each database, based on different ranges of IP address.

Users

Like SQL Server, SQL Database requires that logins be mapped to a user in each database to which they
require access. The system administrator login you create when first provisioning the server is
automatically mapped to the dbo user in all databases.

Database Roles
SQL Database provides the same database roles that you would find in a database in a SQL Server 2014
instance:

db_accessadmin. This role can create and manage database users.

db_backupoperator. This role can back up the database.

db_datareader. This role can read all data from all user tables in the database.

db_datawriter. This role can write data in all user tables in the database.

db_ddladmin. This role can create and manage objects in the database.

db_denydatareader. This role cannot read data from any table in the database.

db_denydatawriter. This role cannot write data in any table in the database.

db_owner. This role can perform all configuration and management tasks in the database.

db_securityadmin. This role can manage role membership and permissions.

Schema and Object Level Security Features

At the schema and object level, SQL Database uses the same permissions-based authorization model as
SQL Server. You can use GRANT, REVOKE, and DENY statements to assign permissions on database
objects to users and roles in the database.

Managing Firewall Rules


Based on the IP address of the client computer or device initiating the connection, firewall rules restrict access to SQL Database.

Managing Server Firewall Rules

You can manage firewall rules for a SQL Database server in the Azure management portal. There are three ways in which you can permit access to the server from specific IP address ranges:

Allow Azure Services. Enabling this option is the equivalent of creating a firewall rule that allows the IP address range from 0.0.0.0 to 0.0.0.0.

Allow the current client IP address. This option provides a quick way to add a range of allowed IP
addresses that includes only the public facing IP address presented in requests from the computer or
device from which you are currently accessing the Azure management portal. If you are connected
directly to the Internet, this will be the Internet-facing IP address of your computer. More commonly,
it is the Internet-facing IP address of the edge device that connects your local network to the Internet.

Specify one or more explicit ranges of allowed address. Each range consists of a unique name, a
starting IP address, and an ending IP address.

You can also manage server firewall rules programmatically through a representational state transfer
(REST) application programming interface (API) or by using the sp_set_firewall_rule and
sp_delete_firewall_rule system stored procedures in the master database. You can view server firewall
settings by querying the sys.firewall_rules system view in the master database.

Managing Database Firewall Rules

To manage database firewall rules, you can use the sp_set_database_firewall_rule and
sp_delete_database_firewall_rule system stored procedures in the database to which the firewall rule
applies. You can also use the Azure REST API or PowerShell to manage these.
You can view the database firewall rules in a specific database by querying its
sys.database_firewall_rules system view.
Note: Firewalls can make troubleshooting connectivity issues difficult, so you should always
start by using the sys.firewall_rules and sys.database_firewall_rules views to determine exactly
what IP addresses have been granted access in Azure. Note that firewall rules can take several
minutes to become active. If the correct ranges have been granted access, check your local
firewall configuration and IP address. Your local firewall must permit outbound TCP connections
to port 1433. If your client device uses dynamic IP settings, you must verify that the current IP
address is included in one of the ranges defined in Azure SQL Database. Note that network
address translation (NAT) can cause the IP address detected by the Azure SQL Database firewalls
to differ from the one shown in your local IP settings.
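The following Transact-SQL script is an added example; it is not part of the course material. It puts the procedures and views named in this topic to work for both server-level and database-level rules: it creates a server rule for a single egress address, reviews every server rule and flags ranges wider than a /24 (as well as the 0.0.0.0 rule that Allow Azure Services creates), removes the rule again, and then does the same for a database-level rule. The rule names, the addresses 203.0.113.10 and 198.51.100.0 (documentation ranges standing in for an office NAT gateway and a reporting subnet), and the database name demodb are assumptions. Run Part 1 in the master database of the logical server as the server administrator; because a session cannot change databases, run Part 2 in a separate connection to the user database.

```sql
-- Added example: managing and auditing Azure SQL Database firewall rules from T-SQL.
-- Part 1 runs in master as the server admin. Names and addresses are constructed.

-- 1. Add a server-level rule that admits exactly one egress address.
EXEC sp_set_firewall_rule
    @name             = N'Office-Egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- 2. Audit every server-level rule. PARSENAME splits a dotted quad on '.', so each
--    address becomes a 32-bit number and the width of the range can be computed.
WITH rules AS (
    SELECT name, start_ip_address, end_ip_address,
           CAST(PARSENAME(start_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(start_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(start_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(start_ip_address, 1) AS bigint)        AS start_num,
           CAST(PARSENAME(end_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(end_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(end_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(end_ip_address, 1) AS bigint)          AS end_num
    FROM sys.firewall_rules
)
SELECT name, start_ip_address, end_ip_address,
       end_num - start_num + 1 AS address_count,
       CASE
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'Allow Azure Services: any Azure-hosted client, not only your own'
           WHEN end_num - start_num + 1 > 256
               THEN 'REVIEW: wider than a /24'
           ELSE 'ok'
       END AS assessment
FROM rules
ORDER BY address_count DESC, name;

-- 3. Remove the server-level rule when it is no longer needed (rules are matched by name).
EXEC sp_delete_firewall_rule @name = N'Office-Egress';

-- Part 2 runs in a separate session connected to the user database (demodb assumed).
-- A database-level rule admits the range to this database only: a client outside the
-- server-level ranges still cannot reach master or any other database on the server.
EXEC sp_set_database_firewall_rule
    @name             = N'Reporting-Subnet',
    @start_ip_address = '198.51.100.0',
    @end_ip_address   = '198.51.100.255';

SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;

EXEC sp_delete_database_firewall_rule @name = N'Reporting-Subnet';
```

The audit query is the part worth keeping: run it against sys.firewall_rules whenever a connection problem is reported, before changing any rule, so that the fix is a narrow addition rather than a wider range.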

Managing Logins and Users


You can manage logins and users in Azure SQL Database by running Transact-SQL statements and using system stored procedures. To manage logins, you must establish a session that is connected to the master database; to manage users, you must connect to the database where the user is to be defined. Remember that you cannot change database context in a session. To create a login and a database user, you must first connect to the master database to create the login, and then establish another session in the appropriate database to create the associated user.

Managing Logins
To create a login, connect to the master database and use the CREATE LOGIN Transact-SQL statement,
specifying a name and password for the login.

The following code sample shows how to create a login named MyLogin with the password Pa$$w0rd. The password is a string literal, so it must be enclosed in single quotes:
Creating a Login
CREATE LOGIN MyLogin
WITH PASSWORD = 'Pa$$w0rd';

After you have created a login, you can change the password by using the ALTER LOGIN statement and
delete the login by using the DROP LOGIN statement.

When connecting to Azure SQL Database, client applications must use SQL Server authentication and
specify the login name and password in the connection string used to establish the connection. When
specifying the login name, you should use the syntax <login_name>@<server_name>. For example, if
your SQL database server is named abcd1234, and your login is named MyLogin, your connection string
should specify the login as MyLogin@abcd1234.

Managing Users

Users are the mechanism by which logins are granted access to databases. To create a user, connect to the
database to which you want to grant access and use the CREATE USER Transact-SQL statement, specifying
the associated login.
The following code sample shows how to create a user named MyUser for the MyLogin login created previously in this topic:
Creating a User
CREATE USER MyUser
FOR LOGIN MyLogin;

After you have created a user, you can delete it by using the DROP USER statement.

Managing Role Membership and Permissions


Azure SQL Database uses roles to simplify permissions management for groups of users. Additionally, you can use GRANT, REVOKE, and DENY statements to explicitly assign permissions or to override permissions inherited by an individual user from membership of a role.

Managing Role Membership

Server-level permissions in SQL Database are primarily concerned with the management of databases and logins. To perform any server-level tasks, a login must have a user account in the master database, and this user must be a member of a role that has permission to carry out the task. The loginmanager role has permission to create and manage logins, and the dbmanager role has permission to create and manage databases.

To add a user in the master database to a role with server-level permissions, use the sp_addrolemember
system stored procedure as shown in this example:
Adding a User in the Master Database to a Role with Server-Level Permissions
EXEC sp_addrolemember 'dbmanager', 'MyUser';

At the database level, administrative permissions are encapsulated in database roles defined in each
database, to which you can add users.

To add a user to a database role, use the sp_addrolemember system stored procedure in the appropriate
database as shown in this example:
Adding a User to a Database Role
EXEC sp_addrolemember 'db_datareader', 'MyUser';

Note: The ALTER SERVER ROLE and ALTER ROLE statements are not supported in Azure
SQL Database. You must use the sp_addrolemember system stored procedure to add users to
server roles (in the master database only) and database roles (in all databases).

Managing Permissions

You can use GRANT, REVOKE, and DENY statements to assign explicit permissions that enable users to
perform specific tasks or access particular database objects. In general, the simplest approach to designing
database security is to use role membership to define the base set of permissions that are required, and
only use explicit permissions to extend or override permissions inherited from role membership.
The following example shows how to deny SELECT permission on a specific table, even if the user has
been granted permission through membership of the db_datareader role:
Managing Permissions
DENY SELECT ON dbo.MyTable TO MyUser;
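The script below is an added example, not the course's own code. It ties together the login, user, role-membership and permission statements from this topic and the previous one, and adds the check a practitioner wants after configuring a principal: impersonate the user and ask the engine what it can actually do, then read the role memberships and explicit permissions back from the catalog views rather than trusting the script that ran. The login name ReportsLogin, the user name ReportsUser, the password, and the table dbo.demotable (from the earlier demonstration) are assumptions. Part 1 runs in master; Part 2 runs in a separate connection to the user database, because a session cannot switch databases.

```sql
-- Added example: a least-privilege reader with an explicit DENY, then verification.
-- Part 1: connect to master as the server administrator.
CREATE LOGIN ReportsLogin WITH PASSWORD = 'R3p0rts!Only#2015';   -- constructed password
-- Deliberately no user for this login in master: it cannot be added to loginmanager or
-- dbmanager, and a connection that defaults to master will fail until a user exists there.

-- Part 2: connect to the user database (demodb assumed) as the server administrator.
CREATE USER ReportsUser FOR LOGIN ReportsLogin WITH DEFAULT_SCHEMA = dbo;
EXEC sp_addrolemember 'db_datareader', 'ReportsUser';   -- base permissions come from a role
DENY SELECT ON dbo.demotable TO ReportsUser;             -- explicit DENY overrides the role's GRANT

-- Check 1: impersonate the user and evaluate effective permissions in this session.
-- HAS_PERMS_BY_NAME returns 1 when the current security context holds the permission.
EXECUTE AS USER = 'ReportsUser';
SELECT USER_NAME()                                            AS running_as,
       HAS_PERMS_BY_NAME('dbo.demotable', 'OBJECT', 'SELECT') AS can_select_demotable, -- denied above
       HAS_PERMS_BY_NAME('dbo.demotable', 'OBJECT', 'INSERT') AS can_insert_demotable, -- not granted by db_datareader
       HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE TABLE')          AS can_create_table;     -- database-level permission
REVERT;   -- return to the administrator's own security context

-- Check 2: read back the configuration from the catalog views.
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
WHERE m.name = 'ReportsUser';

SELECT p.state_desc, p.permission_name,
       OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
WHERE g.name = 'ReportsUser'
  AND p.class_desc = 'OBJECT_OR_COLUMN';   -- object-level entries only; leaves out the implicit CONNECT grant
```

Using EXECUTE AS USER to test permissions avoids the reconnect-as-the-user cycle shown in the demonstration, and it works in Azure SQL Database even though EXECUTE AS LOGIN does not; REVERT must follow, or the rest of the session runs with the reduced permissions.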

Demonstration: Configuring Security


In this demonstration, you will see how to:

Manage firewalls.

Manage logins, users, roles, and permissions.

Demonstration Steps
Manage Firewalls

1. Ensure that you have completed the previous demonstration in this module.

2. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the left pane. Then on the sql database page, click SERVERS, click the name of your SQL Database server, and view its CONFIGURE tab.

3. Note the allowed IP addresses that are currently defined for the server, and that you can enter a rule name, start IP address, and end IP address to add rules that permit access from a range of IP addresses. Note also that Windows Azure services are allowed to access this server.

4. In SQL Server Management Studio, in Object Explorer, under Databases, expand System Databases.

5. Right-click the master database and click New Query.

6. In the query editor, enter the following Transact-SQL code, which retrieves details of server firewall rules:
SELECT * FROM sys.firewall_rules;

7. Click Execute and view the results.

8. In Object Explorer, right-click the demodb database and click New Query.

9. In the query editor, enter the following Transact-SQL code, which retrieves details of database firewall rules:
SELECT * FROM sys.database_firewall_rules;

10. Click Execute and view the results. There are currently no database firewall rules, so only clients within the ranges allowed by the server-level firewall can connect to this database.

11. In the query editor, under the existing code, add the following Transact-SQL code:
EXEC sp_set_database_firewall_rule N'All Internet', '0.0.0.0', '255.255.255.255';

12. Select the EXEC statement you just added and click Execute.

13. Select the SELECT statement you added in step 9 and click Execute. Note that a new rule has been added to allow access to the demodb database from any Internet-connected computer. However, only computers with an IP address that is allowed in the server-level firewall rules will be able to access the master database (and any other databases that are added to this server).

Note: Permitting access to a database from any Internet-connected computer is not recommended for production databases, and is only used here as an example for demonstration purposes. Remove the rule by using sp_delete_database_firewall_rule when the demonstration is complete.

Manage Logins, Users, Roles, and Permissions

1. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server, expand
Security (ensure you expand the server-level folder, and not the database-level folder of the same
name for the demodb database).
2. Expand Logins, and note that the Instructor login you specified when creating the database server is
listed.
3. Right-click Logins and click New Login. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE LOGIN DemoLogin
WITH PASSWORD = 'Pa$$w0rd';
GO

4. In Object Explorer, right-click the Logins folder and click Refresh to verify that the DemoLogin login
has been created.
5. In Object Explorer, under the Databases folder, under the demodb database, expand Security, and
expand Users.
6. Right-click Users and click New User. Then modify the Transact-SQL script that is generated as
shown here and click Execute:
CREATE USER DemoUser
FOR LOGIN DemoLogin
WITH DEFAULT_SCHEMA = dbo;
GO
EXEC sp_addrolemember 'db_datareader', 'DemoUser';
GO
EXEC sp_addrolemember 'db_datawriter', 'DemoUser';
GO

7. In Object Explorer, right-click the Users folder and click Refresh to verify that the DemoUser user
has been created. This user has been added to the db_datareader and db_datawriter database roles,
giving it permission to read and write to all tables and views in the database.
8. In the query editor, under the existing Transact-SQL code, add the following code:
DENY update, delete ON dbo.demotable TO DemoUser;

9. Select the DENY statement you just added and click Execute.

10. Click New Query. Then, when the new query editor window opens, click anywhere in the blank query
pane, point to Connection, and click Change Connection.
11. In the Connect to Database Engine dialog box, change the Login value to DemoLogin and in the
Password box, type Pa$$w0rd. Then click Connect and note that an error is displayed because
DemoLogin does not have a user account in the master database, and no alternative default
database was specified when you created the login.

12. Click OK on the error message. Then in the Connect to Database Engine dialog box, click Options;
on the Connection Properties tab in the Connect to database box, type demodb, and click
Connect. This time the connection succeeds because the login has a user account in the demodb
database.
13. In the query editor window, enter the following Transact-SQL code:
SELECT * FROM dbo.demotable;

14. Click Execute, and note that the query succeeds because the user has permission to read the table
through membership of the db_datareader role.
15. In the query editor window, under the existing code, enter the following Transact-SQL code:
INSERT INTO dbo.demotable
VALUES
(newid());

16. Select the INSERT statement you just typed, and click Execute. Note that the query succeeds because
the user has permission to modify the table through membership of the db_datawriter role.
17. In the query editor window, under the existing code, enter the following Transact-SQL code:
UPDATE dbo.demotable
SET dataval = newid()
WHERE id = 1;

18. Select the UPDATE statement you just typed, and click Execute. Note that an error is returned.
Although the user has permission to modify the table through membership of the db_datawriter
role, permission to update the table has been explicitly denied to the user.
19. In the query editor window, under the existing code, enter the following Transact-SQL code:
DELETE dbo.demotable
WHERE id = 1;

20. Select the DELETE statement you just typed, and click Execute. Note that an error is returned.
Although the user has permission to modify the table through membership of the db_datawriter
role, permission to delete data from the table has been explicitly denied to the user.
21. Close SQL Server Management Studio without saving any files, but keep Internet Explorer open for
the next demonstration.
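The steps above build a least-privilege user by layering an explicit DENY over role membership, and then prove the result by trying each statement as DemoLogin. As an added example (not from the course), the following queries show how an administrator can confirm the effective permissions directly instead of inferring them from role names; run them in demodb as the Instructor login after step 9 has been executed. The catalog views and HAS_PERMS_BY_NAME are standard Transact-SQL; only the principal and object names come from the demonstration.

```sql
-- Added example (not from the course): verify what DemoUser can actually do in demodb.
-- Run in demodb as an administrator after the role grants and the DENY from the demonstration.

-- 1. Role membership: DemoUser should appear under db_datareader and db_datawriter.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'DemoUser';

-- 2. Explicit object permissions: the DENY rows for UPDATE and DELETE on dbo.demotable.
SELECT p.state_desc,
       p.permission_name,
       OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'DemoUser'
  AND p.class_desc = N'OBJECT_OR_COLUMN';

-- 3. Effective result: impersonate the user and ask the engine. A DENY always overrides a
--    GRANT inherited through a role, so UPDATE and DELETE report 0 while SELECT and INSERT report 1.
EXECUTE AS USER = N'DemoUser';
SELECT HAS_PERMS_BY_NAME(N'dbo.demotable', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.demotable', N'OBJECT', N'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME(N'dbo.demotable', N'OBJECT', N'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME(N'dbo.demotable', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
```

The third query is the one worth keeping in a post-change checklist: role membership and permission rows describe intent, whereas HAS_PERMS_BY_NAME under EXECUTE AS reports the decision the engine will make for that user, including the effect of the DENY.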

Lesson 4

Monitoring Azure SQL Database

While Microsoft Azure SQL Database requires less ongoing maintenance than a SQL Server instance, you
should still monitor your databases to help determine usage requirements, plan upgrades, and
troubleshoot performance and security issues.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how SQL Database monitoring metrics and alerts enable administrators to profile the
performance of each server and database.

Use dynamic management views to monitor SQL Database.

Configure auditing for SQL Database.

Monitor SQL Database metrics and configure alerts.

SQL Database Metrics and Alerts


You can monitor key metrics for SQL Database in
the Azure management portal.

Viewing SQL Database Metrics


You can view trends for SQL Database metrics, including:

Successful and failed connections.

Storage utilization.

These metrics are shown as charts in the new Azure portal.

Configuring Alerts
You can configure alerts for each metric, triggering an automated e-mail notification when a metric
exceeds a specified threshold value over a specified period of time.

Dynamic Management Views


Azure SQL Database supports a subset of the dynamic management views (DMVs) and dynamic
management functions (DMFs) provided in Microsoft SQL Server. These objects enable database
administrators to query system metadata to retrieve details of:

Current activity. For example, transactions that are currently active in the database.

Historic activity. For example, a list of previously executed queries ordered by execution time.

The ability to retrieve details of current activity is particularly useful for troubleshooting concurrency
issues, where data access tasks from one client application are blocking activity for another.
Reference Links: For details of dynamic management views supported in SQL Azure, see
System Views (Azure SQL Database) at http://go.microsoft.com/fwlink/?LinkID=511757.
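The two activity types described above map directly onto DMV queries. The following is an added example (not from the course) of a blocking query for current activity and a top-N query by elapsed time for historic activity, built on sys.dm_exec_requests, sys.dm_exec_sessions, sys.dm_exec_query_stats and sys.dm_exec_sql_text, all of which are in the supported subset for Azure SQL Database; the column aliases are this example's own. Run it in the database being diagnosed with a principal that holds VIEW DATABASE STATE.

```sql
-- Added example (not from the course): DMV queries for current and historic activity in Azure SQL Database.
-- Requires VIEW DATABASE STATE; run in the user database being diagnosed.

-- Current activity: requests waiting on another session, with the blocked statement text.
-- The SUBSTRING arithmetic extracts the running statement from the batch; offsets are in bytes
-- of nvarchar, so they are halved, and -1 means "to the end of the batch".
SELECT r.session_id            AS blocked_session,
       r.blocking_session_id   AS blocking_session,
       r.wait_type,
       r.wait_time             AS wait_ms,
       s.login_name,
       s.program_name,
       SUBSTRING(t.text, r.statement_start_offset / 2 + 1,
                 (CASE WHEN r.statement_end_offset = -1 THEN DATALENGTH(t.text)
                       ELSE r.statement_end_offset END
                  - r.statement_start_offset) / 2 + 1) AS blocked_statement
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE r.blocking_session_id <> 0
ORDER BY r.wait_time DESC;

-- Historic activity: cached plans ordered by total elapsed time, most expensive first.
-- dm_exec_query_stats reports times in microseconds; divide by 1000 for milliseconds.
SELECT TOP (20)
       qs.execution_count,
       qs.total_elapsed_time / 1000                      AS total_elapsed_ms,
       qs.total_elapsed_time / qs.execution_count / 1000 AS avg_elapsed_ms,
       qs.last_execution_time,
       SUBSTRING(t.text, qs.statement_start_offset / 2 + 1,
                 (CASE WHEN qs.statement_end_offset = -1 THEN DATALENGTH(t.text)
                       ELSE qs.statement_end_offset END
                  - qs.statement_start_offset) / 2 + 1) AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS t
ORDER BY qs.total_elapsed_time DESC;
```

The first query returns no rows when nothing is blocked, which is the expected state; a row whose blocking_session does not itself appear as a blocked_session is the head of the blocking chain and the session to investigate. The second query only covers plans still in cache, so it is a view of recent history rather than a complete audit trail, which is what the auditing feature in the next topic provides.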

SQL Database Auditing


Many organizations require data access to be
audited for compliance reasons, to ensure nonrepudiation of data access, or to troubleshoot
database activity. Azure SQL Database supports
auditing for SQL Databases based on Basic,
Standard, and Premium editions. Azure SQL
Database also provides a user interface in the
Azure portal and a Microsoft Excel workbook
template that you can use to view and analyze
audit events. The audit event records are stored in
a table in an Azure Storage account.

Enabling Auditing

Before you can enable SQL Database auditing, you must create an Azure Storage account in which the
audit events will be stored. After you have created this, you can enable auditing for any Basic, Standard, or
Premium database in the new Azure portal, specifying the events that should be audited.

Using Secure Connection Strings

Events are only audited for client applications that use a secure connection string to connect to a SQL
Database for which auditing has been enabled. A secure connection string includes a server name in the
form <server_name>.database.secure.windows.net instead of the default
<server_name>.database.windows.net, so you must modify the connection string used by applications
that perform activities you want to audit.

Viewing Audit Events

You can view a summary of audit events for a database in the Azure portal. Additionally, you can export
the audit events as an Excel workbook, which enables you to analyze the events using the tools in Excel.

Demonstration: Monitoring SQL Database


In this demonstration, you will see how to:

View SQL Database metrics.

Configure SQL Database auditing.

Demonstration Steps
View SQL Database Metrics

1. Ensure that you have completed the previous demonstrations in this module.
2. In Internet Explorer, on the tab containing the new Azure portal, if the demodb SQL Database blade
is not open, in the Startboard, click the tile for the demodb SQL Database (which was pinned to the
Startboard when you created it).
3. On the demodb SQL Database blade, note the charts displayed in the Monitoring section, which
show details of connections and storage space used.
4. Click the Storage chart. Then in the Metric blade, view the chart.
5. On the Metric blade, click ADD ALERT. Then in the Add an alert rule blade, specify the following
settings:
o RESOURCE: demodb
o NAME: demodb storage alert
o DESCRIPTION: storage alert for demodb database
o METRIC: total database size
o CONDITION: greater than
o THRESHOLD: 100
o PERIOD: over the last 15 minutes
o EMAIL SERVICE AND CO-ADMINISTRATORS: selected
o ADDITIONAL ADMINISTRATOR EMAIL: any email address
6. On the Add an alert rule blade, click OK to save the alert, which will notify administrators if the
database storage size exceeds 100 MB within a 15-minute period.

Configure SQL Database Auditing


1. In Internet Explorer, in the new Azure portal, in the Hub menu, click New, click Everything, type
storage, and then click Storage.
2. In the Storage blade, click Create.
3. In the Storage account blade, enter the following details and click Create:
o STORAGE: a valid, unique name for a new storage account
o PRICING TIER: Standard-GRS
o RESOURCE GROUP: DemoRG
o SUBSCRIPTION: your Azure subscription
o LOCATION: the same location where you created your Azure SQL Database server
o DIAGNOSTICS: Leave as not configured
o Add to Startboard: selected
4. Wait for the new storage account to come online.
5. On the Startboard, click the demodb SQL Database tile (you may have to click the scrollbar). Then, on
the demodb SQL Database blade, scroll to the bottom if necessary and click Enable and setup
Auditing.
6. In the Auditing blade, click STORAGE ACCOUNT. Then on the Storage account blade, select the
storage account you just created.
7. In the Auditing blade, click CONNECTION STRINGS. Then on the Database connection strings
blade, under Security Enabled Connection Strings, click the Click to copy icon for ADO.NET. If
prompted, click Allow access.
8. In the Auditing blade, click OK. Then wait for auditing to be enabled. No audit events should have
been recorded in the last 24 hours.

9. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe.config to open it in Visual
Studio.
10. In Visual Studio, replace the existing connection string with the one you copied from the Azure portal.
Then in the copied connection string, change the Password parameter to Pa$$w0rd. The new
connectionString value should look similar to this:
Server=tcp:server_name.database.secure.windows.net,1433;Database=demodb; User ID=Instructor@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;

11. Save DemoClientApp.exe.config and close Visual Studio.
12. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe to run it, and verify that it
connects successfully to the database and displays the data values from the dbo.demotable table.
Then press Enter to end the application.
13. In Internet Explorer, in the new portal, in the demodb SQL Database blade, click the Auditing
Preview section, and note that the Auditing blade contains information about audit events.

Note: In this preview release, audit events may not be displayed immediately, so the portal may indicate
that no audit events have occurred in the last 24 hours.
14. Keep Internet Explorer open for the next demonstration.

Lesson 5

Managing Azure SQL Database Business Continuity

A core responsibility for database administrators and infrastructure managers is to ensure business
continuity in the event of a failure. At a simple level, this usually involves ensuring that data is backed up
on a regular basis and that backups are retained so that they can be used to restore applications in the
event of failure. Additionally, some business-critical applications may require a high-availability solution in
which a redundant copy of the database is maintained, and can be used as a failover solution in the event
of a failure.
This lesson discusses ways to ensure database recovery and failover for Azure SQL Database.

Lesson Objectives
After completing this lesson, you will be able to:

Copy and export a database.

Describe how database restoration can reduce service interruption for users.

Configure and manage geo-replication.

Restore a database from an automatic backup.

Database Copy and Export


In Azure SQL Database you cannot use the
database and transaction log backup capabilities
of SQL Server. To implement a backup solution for
Azure SQL database, you can periodically export a
copy of each database that you want to protect,
and store the copy in a .bacpac file in a storage
account. In the event of a SQL database or server
failure, you can then create a new SQL database
server if necessary and import the copy of the
database from the exported file.
This approach provides a simple data
recoverability solution that is analogous to a full
database backup strategy in SQL Server.

Self-Service Restore
When you create a database in a Microsoft Azure
SQL Database server, Microsoft Azure
automatically backs up the database periodically
to a remote data center, enabling you to restore
the database to a previous state. Additionally, if
the database is accidentally deleted, you can
restore it from the latest automatic backup. The
available restore points depend on the edition of
Azure SQL Database.

Basic. Basic edition databases can be restored to the most recent daily restore point within a
24-hour period.

Standard. Standard edition databases can be restored to a specific point in time within a seven-day
period.

Premium. Premium edition databases can be restored to a specific point in time within a 35-day period.

You can restore databases by using the Azure management portal, or by using Windows PowerShell. You
can restore an existing database to back out accidental or invalid changes to data. When you restore an
existing database, Azure creates a new database of the same service tier with a name that reflects the date
and time to which the database has been recovered. After you've verified that the recovered database
contains the required data, you can delete the original database and use the ALTER DATABASE statement
to rename the restored database to match the original name.
When you delete an entire database, it remains listed in the portal until its retention period has expired.
You can restore deleted databases to the most recently available recovery point.

Geo-Replication
While both copy-based and automatic backups
enable you to recover data in the event of a
database, server, or data center failure, the time
taken to recover the database can result in service
interruption for business-critical applications.

To reduce the time taken to recover an application that relies on a SQL database, you can implement
geo-replication, in which a redundant secondary copy of the database is maintained on a continuous-copy
basis in a remote data center. In the event of a failure, you can then fail over to the secondary database
and modify application connection strings to use the copy, which is typically faster than restoring a large
database from a backup.
Standard edition databases can be configured to support an offline secondary copy, which can be
brought online in the event of a failure in the primary data center. Premium edition databases also
support online secondary databases that support read-only workloads, enabling you to offload reporting
tasks to secondary databases and reduce contention on the primary database.

Demonstration: Managing Data Recovery and High Availability


In this demonstration, you will see how to:

Restore a database.

Configure Geo-Replication.

Demonstration Steps
Restore a Database

1. Ensure that you have completed the previous demonstrations in this module.
2. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the
left pane.
3. Select the row containing the demodb database (avoid clicking its name, as this will open its
dashboard). Then at the bottom of the page, click DELETE, and when prompted, click YES, DELETE.
4. After the database has been deleted, in the D:\Demofiles\Mod07 folder, double-click
DemoClientApp.exe to run it, note that an error is displayed, and press Enter to end the application.
5. In Internet Explorer, in the tab containing the full Azure portal, on the sql databases page, click
DELETED DATABASES.
6. Select the demodb database, and at the bottom of the page click RESTORE.
7. In the Specify restore settings dialog box, specify the following settings and click the Complete icon:
o DATABASE NAME: demodb (delete the date and time)
o TARGET SERVER: your Azure SQL Database server
o RESTORE POINT: the most recent time available
8. Wait for the restore operation to complete (this can take several minutes).
9. In the D:\Demofiles\Mod07 folder, double-click DemoClientApp.exe to run it, verify that the
application now retrieves the data values from the restored database, and press Enter to end the
application.

Configure Geo-Replication
1. In Internet Explorer, on the tab containing the full Azure portal, click the SQL Databases icon in the
left pane. Then click the name of the demodb database to open its dashboard.
2. On the GEO-REPLICATION tab, at the bottom of the page, click ADD SECONDARY.
3. In the Specify secondary settings dialog box, note that you can only select an OFFLINE secondary;
only Premium edition SQL Databases can be replicated to an online, readable secondary. Then, in the
TARGET SERVER list, select New SQL Database server and click the Next icon.
4. On the SQL database server settings page, enter the following details and click the Complete icon.
o LOGIN NAME: instructor
o LOGIN PASSWORD: Pa$$w0rd
o CONFIRM PASSWORD: Pa$$w0rd
o REGION: the default selected region
o ALLOW WINDOWS AZURE SERVICES TO ACCESS THE SERVER: selected
5. On the Confirm Additional billing impact dialog box, select the check box to confirm you
understand the billing impact, and click the OK icon.
6. Wait for replication to become active.

Reset the Environment

1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:
Reset-Azure
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.

Lab: Planning and Implementing Data Services


Scenario

Managers at A. Datum are planning to migrate some of the company's application databases to the cloud.
To achieve this goal, you plan to use Microsoft Azure SQL Database. You have been asked to test SQL
Database by creating a new database of A. Datum servers and by migrating sample data from the A.
Datum customer relationship management system. Managers have asked you to investigate how SQL
Database will support an existing custom application used with A. Datum, as well as disaster recovery
features.

Objectives
After completing this lab, you will be able to:

Provision Azure SQL Database.

Migrate a SQL Server database to Azure SQL Database.

Restore a deleted database.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Creating, Securing, and Monitoring an Azure SQL Database


Scenario

The operations team at A. Datum currently use a Microsoft SQL Server database to store details of servers
in the corporate infrastructure. You want to investigate Azure SQL Database as a new host for this
database. The operations team are interested in how they will be able to monitor the performance of this
database in Azure.
Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Create a SQL Database
2. Configure Server Firewall Rules
3. Use SQL Server Management Studio
4. View Database Metrics

Task 1: Create a SQL Database


1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. In Internet Explorer, browse to http://azure.microsoft.com and sign in to the portal using the
Microsoft account that is associated with your Azure subscription. Then switch to the new portal.
3. Create a new SQL Database named operations based on the following settings:
o Pricing Tier: Standard S1.
o Server: a new server with a unique name. The server admin should be named Student with the
password Pa$$w0rd, and the server can be created in the region closest to your present location.
o Resource Group: a new resource group named OpsRG.

Task 2: Configure Server Firewall Rules


1. Switch back to the full Azure portal, and verify that the operations database is listed in the SQL
DATABASES page.
2. On the SERVERS tab, verify that the uniquely named server you created is listed.
3. Configure a firewall rule that permits the entire Class B subnet that includes the current IP address of
your local workstation to connect.

Task 3: Use SQL Server Management Studio

1. Start SQL Server Management Studio and connect to your Microsoft Azure SQL Database server:
o The fully-qualified name of your server is server_name.database.windows.net.
o Use SQL Server authentication to connect as Student with the password Pa$$w0rd.
2. Verify that the operations database exists on the server.
3. Open the Operations.sql file in the D:\Labfiles\Lab07\Starter folder and execute it in the operations
database to create and populate a table of server IP addresses.
4. Execute the following Transact-SQL query in the operations database, and verify that a list of three
servers and their IP addresses is returned:
SELECT * FROM dbo.serverlist;
5. Keep SQL Server Management Studio open for the next exercise.

Task 4: View Database Metrics


1. In Internet Explorer, in the preview Azure portal, on the operations SQL Database blade, view the
charts in the Monitoring section, which show details of connections and storage space used.
2. View the details of the Storage metric, and create an alert that will send an email to the service
administrator, co-administrators, and your own email address when the operations database total
database size metric is greater than 100 over the last 15 minutes.
3. Keep Internet Explorer open for the next exercise.

Results: After completing this exercise, you will have created an Azure SQL Database named operations
on a new server with a name of your choosing. You will also have used SQL Server Management Studio to
create a table named dbo.serverlist and created an alert to help you monitor database storage.

Exercise 2: Migrating a SQL Server Database to Azure SQL Database


Scenario

The sales team at A. Datum uses a CRM application to track customer invoices. The application currently
stores customer data in an on-premises SQL Server database. You want to demonstrate that Azure can
support this CRM application by migrating the database for this application to Azure SQL Database, and
then reconfiguring the application to use the new, cloud-based database.
The main tasks for this exercise are as follows:
1. Deploy a Database to Azure
2. Configure SQL Database Security
3. Configure an Application Connection String

Task 1: Deploy a Database to Azure


1. In SQL Server Management Studio, connect to the MIA-CL1 SQL Server instance using Windows
authentication.
2. Verify that the sales database is listed in the Databases folder for the MIA-CL1 server.
3. Right-click the sales database, point to Tasks, and click Deploy Database to Windows Azure SQL
Database. Then use the wizard to deploy the sales database on MIA-CL1 to your Microsoft Azure
SQL Database server.

Task 2: Configure SQL Database Security

1. In SQL Server Management Studio, in Object Explorer, under your Azure SQL Database server, expand
Security, expand Logins, and verify that only the Student login is listed.
2. Create a new login named SalesApp with the password Pa$$w0rd by executing the following
Transact-SQL code in the master database:
CREATE LOGIN SalesApp
WITH PASSWORD = 'Pa$$w0rd'
GO
3. In Object Explorer, in the Databases folder for your Azure SQL Database server, expand the sales
database, expand Security, and expand Users to view the users that are defined in the sales
database.
4. Create a user named SalesApp for the SalesApp login. The user should have a default schema of
dbo, and should be added to the db_owner database role. You can create the user by executing the
following Transact-SQL code in the sales database:
CREATE USER SalesApp
FOR LOGIN SalesApp
WITH DEFAULT_SCHEMA = dbo
GO
EXEC sp_addrolemember 'db_owner', 'SalesApp'
GO
5. Keep SQL Server Management Studio open for the next exercise.

Task 3: Configure an Application Connection String

1. Start Visual Studio and open the SalesApp.sln solution in the D:\Labfiles\Lab07\Starter folder. Then
open its Web.config file and note that the SalesConnectionString setting connects to the sales
database on the localhost server using integrated security (Windows authentication).
2. In Internet Explorer, in the preview Azure portal, browse the SQL Databases in your subscription to
find the sales database.
3. View the properties of the sales database and show its database connection strings. Then copy the
ADO.NET connection string to the clipboard.
4. In Visual Studio, replace the existing connection string with the one you copied from the Azure portal.
Then in the copied connection string, change the User ID parameter to SalesApp@server_name
(where server_name is the unique name of your Azure SQL Database server); replace the Password
parameter with Pa$$w0rd. The new connectionString value should look similar to this:
Server=tcp:server_name.database.windows.net,1433;Database=sales; User ID=SalesApp@server_name;Password=Pa$$w0rd;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
5. Save Web.config. Then on the Debug menu, click Start Debugging.
6. When Internet Explorer opens, verify that the sales application shows invoice history data for the
selected customer. The data is retrieved from the sales database you migrated to Microsoft Azure SQL
Database.
7. Close the Internet Explorer window that contains the sales application, and then close Visual Studio,
saving changes if prompted.

Results: After completing this exercise, you will have deployed the sales SQL Server database on the local
SQL Server instance to your Azure SQL Database server, and configured the SalesApp web application to
use a connection string for the new Azure SQL Database.

Exercise 3: Restoring a Database


Scenario

The operations database you created is considered a mission-critical source of data for IT employees at A.
Datum. Before business decision makers can commit to using Azure to host this database, you must
ensure that the database can be recovered in the event of accidental deletion.
The main tasks for this exercise are as follows:
1. Delete a Database
2. Restore a Deleted Database
3. Reset the Environment

Task 1: Delete a Database


1. In Internet Explorer, in the full portal, delete the operations SQL Database.
2. In SQL Server Management Studio, refresh the Databases folder for your Azure SQL Database server
to verify that the operations database is no longer on the server.

Task 2: Restore a Deleted Database


1. In Internet Explorer, in the full portal, restore the deleted operations SQL Database using the
following settings:
o DATABASE NAME: operations (delete the date and time)
o TARGET SERVER: your Azure SQL Database server
o RESTORE POINT: the most recent time available

Note: If the operations database is not in the DELETED DATABASES list, press F5 to
refresh the portal display. You may have to wait several minutes before the database appears in
the list.
2. When the restore operation has completed, use SQL Server Management Studio to verify that the
database has been restored.
3. Use the following Transact-SQL query to verify that the data in the database has been recovered:
SELECT * FROM dbo.serverlist;

Task 3: Reset the Environment

1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:
Reset-Azure
4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.

Results: At the end of this lab, you will have deleted and restored the operations database.
Question: If the SalesApp web application was deployed to a server with a fixed public IP
address, how could you enable it to access the sales database without allowing it to access
the master database or any other databases on the server?

Module Review and Takeaways


In this module, you learned about:

The fundamentals of Azure SQL Database.

Azure SQL Database security.

How to implement and manage databases in Azure SQL Database.

Review Question(s)
Question: What considerations are there for choosing between on-premises SQL Server, SQL
Server in an Azure virtual machine, and Azure SQL Database?

Module 8
Implementing PaaS Cloud Services and Mobile Services
Contents:
Module Overview                                            8-1
Lesson 1: Planning and Deploying PaaS Cloud Services       8-2
Lesson 2: Configuring Cloud Services                       8-12
Lesson 3: Implementing Mobile Services                     8-18
Lesson 4: Monitoring and Diagnostics                       8-25
Lab: Implementing PaaS Cloud Services                      8-29
Module Review and Takeaways                                8-34

Module Overview

Platform as a Service (PaaS) cloud services are another execution model you can use to host applications
in Microsoft Azure. Cloud services provide a platform that can host web applications and web services.
Cloud services use a modular architecture that enables you to scale your application to the largest sizes
while minimizing costs. In this module, you will see how to create, administer, and monitor cloud services
and mobile services.

Objectives
At the end of this module, you will be able to:

Plan and deploy a PaaS cloud service in Azure.

Configure PaaS cloud services by using configuration files or the Azure portal.

Create and administer a mobile service that supports an app for mobile devices.

Monitor the performance of cloud services and mobile services, and diagnose bottlenecks.

Lesson 1

Planning and Deploying PaaS Cloud Services

Azure provides four execution models for applications: Azure Virtual Machines, Azure Websites, PaaS
Cloud Services, and Mobile Services. In this lesson, you will see how PaaS Cloud Services differ from Azure
Websites and Azure Virtual Machines and enable you to create a modular, flexible, and highly scalable
application architecture. You will also see how to configure cloud services and deploy the cloud service
code created by developers.

Lesson Objectives
At the end of this lesson, you will be able to:

Describe how PaaS Cloud Services and Mobile Services integrate with other Azure services to support
applications.

Choose whether to use Azure Virtual Machines, Azure Websites, Azure PaaS Cloud Services, or Azure
Mobile Services to host an application.

Describe how web roles and worker roles enable highly scalable and flexible application architectures.

Deploy a cloud service package to Azure by using Visual Studio, the Azure portal, or Visual Studio
Online.

Apply staging and deployment best practices to Azure PaaS cloud services.

Create a new PaaS cloud service and upload a service package.

Manage, stage, and deploy new versions of a cloud service.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. For this reason, you should complete this course against a new Azure subscription.
You should have received sign-up details and instructions for creating an Azure Learning Pass for
this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new
Microsoft account that has not been associated with any other Azure subscription. This avoids
confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab setup, and during the lab.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
   the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
   several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to
   http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
   with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new
   tab that is opened, close any initial "welcome" messages for the new portal. If you are prompted for
   credentials, sign in using the Microsoft account that is associated with your Microsoft Azure
   subscription.

5. Close Internet Explorer.

Prepare the Azure Environment


1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure
   subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at
the end of this module.
At the end of setup, you should only have the default directory service in your Azure subscription.


PaaS Cloud Services and Mobile Services as Components of Azure


Azure Virtual Machines is an Infrastructure as a
Service (IaaS) execution model that enables you to
install and configure servers to run applications in
the cloud. Azure Websites is a PaaS execution
model that you can use to run websites without
maintaining underlying hardware, operating
systems, and web servers. You have seen these
services earlier in this course. In this module, you
will learn about the other computation services
currently available in Azure: PaaS Cloud Services
and Mobile Services.


You can use the PaaS Cloud Services execution model to host websites or any other web service that can
be addressed through the HTTP protocol. You can build these web services with a more modular
architecture than those that you host in Azure Websites. Specifically, a PaaS cloud service can include:

Web roles. A web role hosts the front end of the cloud service and always runs on a dedicated virtual
machine that hosts an Internet Information Services (IIS) web server. In a website, for example, the
web role would include the webpages that make up the user interface for the application.

Worker roles. A worker role executes asynchronous tasks and also runs on a dedicated virtual
machine. The web roles call worker roles to complete long-running, intensive, or perpetual
procedures.

Like Azure Websites, in PaaS Cloud Services, you can create multiple instances of web roles and worker
roles to ensure fault tolerance and increase scalability. However, you have extra flexibility in PaaS cloud
services because you can scale each role separately from all the others in the same service.
Note: In Azure, the term cloud service can refer to either a cloud service that hosts IaaS
virtual machines or a cloud service that hosts web roles and worker roles. In this course, the term
IaaS cloud service refers to a service that contains IaaS virtual machines and the term PaaS
cloud service refers to a service that contains roles. This terminology ensures clarity. However,
note that writers and technicians are sometimes ambiguous: when the term cloud service is
used, ensure you know which type of cloud service is being discussed.

Azure is frequently used to host back-end portions of a mobile device app. Many mobile apps, for
example, require a centralized database to store information for all users and a centralized location to run
business logic. The Azure Mobile Services compute feature is an execution model that brings together all
the commonly used server-side features that developers assemble to support mobile apps. A mobile
service makes it easy for developers to put together the functionality they need.
The Azure storage accounts and SQL Databases that you have already seen are frequently used as
information stores in both PaaS cloud services and mobile services. In this module, you will also see how
Service Bus queues can be used to enable communications between web roles and worker roles and how
the Push Notification feature can be used to ease messaging to mobile devices.


PaaS Cloud Services Overview


The four main execution models in Azure are:

Virtual Machines. To run an application on virtual machines, you must create and maintain your own
platform within Azure data centers. Azure provides the IaaS. You can create web servers, database
servers, email servers, and any other type of server you use in on-premises applications.

Azure Websites. To run a web application in Azure, you can choose to use Azure Websites. In this case,
Azure provides the PaaS so you do not need to maintain operating systems and virtual servers. You can
only deploy web applications in Azure Websites.

Cloud Services. Alternatively you can choose to run web applications and web services as Azure Cloud
Services. Cloud services have a more flexible and distributed architecture than Azure Websites and
offer more control over the servers that run the application. Again, Azure provides the PaaS.

Mobile Services. Many mobile apps connect to a server-side portion of the application to access a
centralized database, execute server-side code, and authenticate. To run these centralized portions of
a mobile app, you can choose Azure Mobile Services. Azure provides a set of PaaS features that many
mobile apps require. For example, Mobile Services makes it easy for users to authenticate with their
Microsoft account.

Roles in a PaaS Cloud Service

In a PaaS cloud service, architects can divide code into separate roles. Each PaaS cloud service includes an
application file, with compiled code, and a configuration file. There are two kinds of role:

Web Roles. A web role provides an Internet Information Services (IIS) web server, which is used to
host the front end for the application. For example, if you implement a website as a PaaS cloud
service, the web role hosts the user interface webpages.

Worker Roles. A worker role runs asynchronous, long-running, or perpetual tasks and is initiated from
a web role. Worker roles do not interact directly with users and do not provide an IIS server.

A PaaS cloud service can include any number of roles. Each role can be configured to have multiple
instances. By creating multiple instances of each role, you can scale the cloud service out and increase its
resilience to failures.
Web roles and worker roles enable the most flexible and efficient scaling. For example, if an application
has one processor-intensive task, such as a video processing task, developers can place that code in a
worker role to separate it. When you deploy the cloud service, you can scale the processor-intensive task
independently without incurring extra costs by scaling out the entire application.
Best Practice: Create at least two instances of each role in your PaaS cloud service. By
doing this, you ensure that an instance is available to respond to users in the event of a single
failure. You must create at least two instances of each role in order to qualify for the 99.95
percent uptime guarantee in the Azure service level agreement (SLA). Instances of the same role
run in separate fault domains and separate upgrade domains.


Like websites, many PaaS cloud services utilize a database to store underlying data. You can use an Azure
virtual machine or Azure SQL Database to run such a database.

PaaS Cloud Service Deployment


Developers create PaaS cloud services by coding in an Integrated Development Environment (IDE) such as
Visual Studio. The Azure Software Development Kit (SDK) includes emulators that can run web roles and
worker roles on developers' computers in an environment that closely matches Azure. However, when the
cloud service is complete, you must create a cloud service in Azure and deploy the completed service.

Creating a PaaS Cloud Service


To create a PaaS cloud service in the Azure portal,
take the following steps:
1. In the navigation on the left, click CLOUD SERVICES.

2. In the toolbar at the bottom, click NEW and then click QUICK CREATE.

3. In the URL text box, type a unique URL for the cloud service within the cloudapp.net domain.

4. In the REGION OR AFFINITY GROUP drop-down list, select a region close to the users.

5. Click CREATE CLOUD SERVICE.

Alternatively, you can create a PaaS cloud service by using the New-AzureService PowerShell cmdlet, as in
the following example:
Creating a PaaS Cloud Service in PowerShell
New-AzureService -ServiceName MyNewService -Location "West Europe"

Deploying Service Code


Once the service is created, developers must deploy the compiled service code and the service
configuration file. Three common ways to perform this deployment are:

From Visual Studio, you can use the Publishing Wizard. To ease this deployment method, you can
obtain a publish profile from Azure and import it into the Visual Studio. Deployment of web roles
uses Web Deploy.

From the Azure Portal, you can upload a cloud service package and configuration file. Developers can
create these files by using the packaging wizard in Visual Studio. Administrators can use these files to
upload the service code and start the application.

From Visual Studio Online, you can configure continuous deployment. If you choose this option, you
must take care to ensure untested code is not deployed to the production environment. Frequently,
Visual Studio Online is configured to deploy code to a staging environment. When the staged code
has been tested thoroughly, administrators can move it to the production environment.
Note: In the lab, you will see how to deploy a PaaS cloud service by using the Azure portal.


Deployment Environments
A PaaS cloud service runs in different locations
during development, for testing, and for
production. In each organization, development
teams work to different project models. For
example, some teams may perform most testing
toward the end of a project while those using
Agile or Test Driven Development (TDD) models
test throughout the project. For this reason, the
environments teams use to test code vary widely.
However, the following divisions are commonly
used.

During Development

Most developers run informal tests on their code as they write. However, coded tests, which are run
repeatedly by all the developers in the team as they modify code, are now considered essential in many
organizations. Such tests are commonly of two types:

Unit Tests. These tests execute a small unit of code such as an individual procedure. Fixed inputs are
passed to the procedure and the outputs are evaluated.

End-to-End Tests. These tests simulate a complete operation in which multiple components of the
code may be involved. For example, an end-to-end test may simulate a user request and response.

Because these tests are executed so frequently, they are coded and executed in the IDE. At this stage of
the project, code is run on developers' computers.

For an Azure PaaS cloud service project, developers need an environment on their local computer where
they can run tests; this environment must closely match Azure itself. Such an environment is provided by
the Azure SDK. Two important components of the SDK model Azure. Both these components start on the
developer's computer when debugging mode is entered:

The Azure Compute Emulator. Web roles and worker roles execute within this emulator.

The Azure Storage Emulator. Blob storage, file storage, and table storage are simulated by this
emulator.

During Staging

Staging is the last opportunity to test a project before it is deployed to production. The following tests are
commonly performed at this stage:

Acceptance Testing. These tests check that the completed project satisfies the functional and nonfunctional requirements.

Performance Testing. These tests simulate user demand and determine the CPU, memory, and other
resources that may be required to cope with the expected load.

Beta Testing. A limited number of the final users of the project can be granted access to the staging
environment to try out the software and identify issues.

For an Azure PaaS cloud service project, the staging environment should be in Azure itself, so you must
deploy the project. You can use a staging slot for this deployment. A staging slot is a deployment of the
cloud service with the following characteristics:

In the Azure portal, it appears within a single cloud service, together with the production slot.


To access the staging slot cloud service, use a URL that includes the Globally Unique Identifier (GUID).
For example, if your cloud service is found at http://myservice.cloudapp.net, the staging slot is found
at http://GUID.cloudapp.net. You can determine the GUID by browsing the service's dashboard in the
Azure portal.

Alternatively, you could create a separate PaaS cloud service for staging. By using a staging slot, when all
tests have been passed, you can deploy the service to production by using a virtual IP swap. In this
operation, the staging and production slots are swapped, which means that the accepted new version is
moved to production without a new deployment of the code.

During Production

The production environment is the final destination for the PaaS cloud service code. This environment
runs thoroughly tested and debugged code that your team has complete confidence in and services real
user requests based on live databases and files.

Discussion: Deployment Methods


Now that you understand the development,
staging, and production environments that the
Azure SDK and Azure itself provide, you can
consider how your own organization may use
them. The instructor will lead a discussion based
on the following questions. Contribute to the
discussion by describing how development,
staging, and production environments are
currently built in your company. Consider how
your testing policies can be implemented in Azure:

How are testing, staging, and production deployments separated in your organization for on-premises
applications?

How are testing, staging, and production deployments separated in your organization for cloud
applications?

How will Azure modify your approach to testing, staging, and production deployment?

Demonstration: Creating and Deploying Cloud Services


In this demonstration, you will see how to:

Create a new PaaS cloud service by using PowerShell.

Configure and package a cloud service project in Visual Studio 2013.

Deploy a packaged cloud service project by using the Azure portal.

Demonstration Steps
Create a new PaaS cloud service by using PowerShell
1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
   the Microsoft account that is associated with your Azure subscription.

2. In the navigation on the left, click CLOUD SERVICES.

3. Point out that there are no PaaS cloud services configured.

4. Start the Microsoft Azure PowerShell as Administrator from the taskbar.

5. Type the following command, and then press Enter:

   Add-AzureAccount

6. Sign in with the user credentials associated with your Azure account.

7. Type the following command, and then press Enter:

   Get-AzureLocation

8. From the list of locations, choose a location near you and note the location's name.

9. Type the following command and then press Enter:

   New-AzureService -ServiceName SmallCloudServiceXXX -Location "My Location"

   Where XXX is a unique number, and My Location is the Azure location you selected in step 8. Azure
   creates a new PaaS cloud service.

10. Type the following command and then press Enter:

    New-AzureStorageAccount -StorageAccountName smallstorageXXX -Location "My Location"

    Where XXX is a unique number, and My Location is the same Azure location you used in step 5.

11. Switch to Internet Explorer and press F5 to refresh the portal.

12. Click SmallCloudServiceXXX and then click INSTANCES.

13. Point out that the service has been created but not deployed.
Configure and package a cloud service project in Visual Studio 2013
1. Start Visual Studio 2013.

2. Click FILE, click Open, and then click Project/Solution.

3. Browse to D:\Demofiles\Mod08\SmallCloudService.

4. Click SmallCloudService.sln and then click Open.

5. In the Microsoft Azure Tools dialog box, click OK.

6. In the View Downloads - Internet Explorer dialog box, click Run.

7. In the User Account Control dialog box, click Yes.

8. In the Web Platform Installer 5.0 dialog box, on the Microsoft Azure SDK for .NET (VS 2013) 2.4 page,
   click Install.

9. In the Web Platform Installer 5.0 dialog box, on the PREREQUISITES page, click I Accept.

10. Wait for the download to complete and install.

11. In the Web Platform Installer 5.0 dialog box, on the CONFIGURE page, click Continue.

12. In Internet Explorer, close the tab that has just opened.

13. In the Web Platform Installer 5.0 dialog box, on the FINISH page, click Finish.

14. In the Web Platform Installer 5.0 dialog box, on the Spotlight page, click Exit.

15. In the View Downloads - Internet Explorer dialog box, click Close.

16. In Visual Studio, on the FILE menu, click Exit.

17. Start Visual Studio 2013.

18. Click FILE, click Open, and then click Project/Solution.

19. Browse to D:\DemoFiles\Mod08\SmallCloudService.

20. Click SmallCloudService.sln and then click Open.

21. In the Solution Explorer, expand SmallCloudService and then expand Roles.

22. Right-click SmallWebRole and then click Properties.

23. If you are prompted to log on, use the username and password associated with your Azure
    subscription.

24. Click Settings.

25. In the list of settings, click in the Value column of the only setting.

26. Click the button on the right.

27. In the Create Storage Connection String dialog box, select Your subscription.


28. If the Subscription and Account name boxes are empty, click Sign In, and then enter the username
and password associated with your Azure subscription.
29. In the Account name box, select smallstorageXXX and then click OK.
30. Click FILE and then click Save All.
31. In the Solution Explorer, right-click SmallCloudService and then click Package.
32. In the Package Azure Application dialog box, click Package. When the package operation is
complete, the package and configuration files are displayed in Windows Explorer.
Deploy a packaged cloud service project by using the Azure portal
1. Switch to Internet Explorer.

2. In the navigation on the left, click CLOUD SERVICES.

3. In the list of PaaS cloud services, click SmallCloudServiceXXX.

4. Under Deployment settings, click New production deployment.

5. In the DEPLOYMENT LABEL box, type Demo.

6. To the left of the PACKAGE box, click FROM LOCAL.

7. Browse to D:\DemoFiles\Mod08\SmallCloudService\SmallCloudService\bin\release\app.publish.

8. Click SmallCloudService.cspkg and then click Open.

9. To the left of the CONFIGURATION box, click FROM LOCAL.

10. Click ServiceConfiguration.Cloud.cscfg and then click Open.

11. Select Deploy even if one or more roles contain a single instance and then click OK.
Note: Deployment may take several minutes.

Upgrading Cloud Services


After the first completed version of a PaaS cloud
service has been deployed, developers continue to
improve the code. Changes can include:

New features.

Bug fixes.

Efficiency improvements and streamlining.

Code that utilizes new features of the Azure platform.

Code that implements real-world user feedback.


To deploy a new version of a PaaS cloud service to Azure, you must upload the compiled package file and
configuration file in the same way as you did to deploy the first version. You can do this in Visual Studio
by using the Publishing Wizard, in the Azure portal by uploading the files manually, or by using continuous
deployment from Visual Studio Online. You should ensure that proper staging is complete for the new
version, as you did for the first version.
Staging slots provide an extra advantage when deploying upgraded services. When you move the staged
code into the production slot, the older version of the service is automatically moved into the staging slot
and not overwritten. In the event of any problem with the new version, you can rapidly roll back the
deployment to the old version by swapping again.

Lesson 2

Configuring Cloud Services


Developers write code in PaaS cloud services but Azure administrators must be able to configure
deployed cloud services. For example, administrators must ensure that a cloud service responds smoothly
to expected and unexpected peaks in demand. In this lesson, you will see how to configure a cloud service
by using configuration files and the Azure portal.

Lesson Objectives
At the end of this lesson, you will be able to:

Reconfigure a PaaS cloud service for deployment to Azure by modifying the service configuration file.

Choose whether to use storage account queues, service bus queues, or direct communication to
enable communication between PaaS cloud service roles.

Choose how to scale a cloud service for expected and unexpected load peaks.

Configure scaling for every role in a cloud service.

Modifying Configuration Files


When you deploy a PaaS cloud service to Azure,
you upload two files:

The Package File. This file contains the compiled code for web roles and worker roles.

The Configuration File. This file contains configuration settings that Azure uses when it starts the cloud
service.

The configuration file used in development is not appropriate for staging or production. Therefore, you
must modify configuration values when you deploy. There are several ways to modify these values:

You can edit the file directly. The configuration file is an XML file, so any text editor can be used to make
changes.

You can edit many values in the Azure portal after deployment.

You can use the Visual Studio Publishing Wizard. This tool provides help for formulating connection
strings correctly.

The following code shows a simple PaaS cloud service configuration file:
Example Service Configuration File
<ServiceConfiguration serviceName="ContosoAdsCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
    osFamily="4"
    osVersion="*"
    schemaVersion="2014-01.2.3">
  <Role name="ContosoAdsWeb">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"
               value="UseDevelopmentStorage=true" />
      <Setting name="StorageConnectionString"
               value="UseDevelopmentStorage=true" />
    </ConfigurationSettings>
  </Role>
  <Role name="ContosoAdsWorker">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"
               value="UseDevelopmentStorage=true" />
      <Setting name="StorageConnectionString"
               value="UseDevelopmentStorage=true" />
      <Setting name="ContosoAdsDbConnectionString"
               value="Data Source=(localdb)\v11.0; Initial Catalog=ContosoAds;
                      Integrated Security=True; MultipleActiveResultSets=True;" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>

The example above is a typical configuration file used in the development environment. Only one
instance of each role is configured; connection strings use the Azure storage emulator and a local
database.


To prepare this configuration for deployment to Azure, the following changes are commonly required:

Instance Count. You should always use two or more instances of every role in the production
environment. This greatly improves resilience and qualifies the service for the 99.95 percent uptime
condition in the SLA. Use the count attribute of the <Instances> element to specify the number of
instances for each role.

Database Connection Strings. You must ensure that the database connection strings point the cloud
service to the production database. This database may be an Azure SQL Database instance or a SQL
Server instance running on a virtual machine. For SQL Database instances, you can copy the
connection string from the database dashboard in the Azure portal.

Storage Connection Strings. If the service uses an Azure storage account, you must ensure that the
storage connection strings point the cloud service to the production storage account. You can copy
the connection string from the storage account dashboard in the Azure portal.

Managing Endpoints and Queues


When you use separate web roles and worker roles
in an Azure PaaS cloud service, you must enable
the roles to communicate reliably. You can either
use a direct communication, where a role calls an
endpoint on another role, or you use a queue. The
choice of communication mechanism is made by
software architects and developers. However, as an
administrator, you must understand the methods
used by a PaaS cloud service in order to properly
manage the necessary Azure resources.

Direct Communication


Roles can communicate directly; for example, a web role can service a user request by calling a method in
a worker role. To enable these communications, you must create an endpoint in the destination role.
Endpoints are of three types:

Input Endpoints. These external endpoints enable services and other clients outside the PaaS cloud
service to call the role.

Internal Endpoints. These endpoints enable roles within the same PaaS cloud service to communicate.

Direct Port Endpoints. These endpoints enable services and other clients outside the PaaS cloud
service to call a specific instance of a role on a specific port.

You can administer endpoints in the PaaS cloud service configuration file. For example, the following XML
code defines an internal endpoint for a worker role:
Worker Role Endpoint Definition
<WorkerRole name="ImageProcessorRole">
  <Endpoints>
    <InternalEndpoint name="InternalImageIn" protocol="tcp" port="1000"/>
  </Endpoints>
</WorkerRole>

The following XML code defines an external endpoint for a web role:
Web Role Endpoint Definition
<WebRole name="FrontEndRole">
  <Endpoints>
    <InputEndpoint name="HttpIn" protocol="http" port="80" localPort="80" />
  </Endpoints>
</WebRole>
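Because only internal endpoints stay inside the cloud service, an administrator will usually want to see which roles publish ports on the service's public address before deploying. The following PowerShell is an added example, not code from the course: Get-EndpointExposure is a hypothetical function name, the service definition it reads is constructed for the example, and <InstanceInputEndpoint> is the definition-file element for the direct port endpoint type described above (not shown on the page).

```powershell
# Added example (not from the course): classify every endpoint declared in a
# ServiceDefinition (.csdef) by exposure. Only <InternalEndpoint> is reachable
# solely from roles in the same service; <InputEndpoint> and <InstanceInputEndpoint>
# are published on the public address. The definition below is constructed.
$csdefXml = @'
<ServiceDefinition name="ContosoAdsCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="FrontEndRole">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" localPort="80" />
    </Endpoints>
  </WebRole>
  <WorkerRole name="ImageProcessorRole">
    <Endpoints>
      <InternalEndpoint name="InternalImageIn" protocol="tcp" port="1000" />
      <InputEndpoint name="DebugIn" protocol="tcp" port="8080" localPort="8080" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>
'@

function Get-EndpointExposure {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    # The .csdef uses a default namespace, so XPath needs a prefix bound to it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('sd', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition')

    # Walk every web role and worker role directly under the service definition.
    $roleXPath = '/sd:ServiceDefinition/*[self::sd:WebRole or self::sd:WorkerRole]'
    foreach ($role in $doc.SelectNodes($roleXPath, $ns)) {
        foreach ($ep in $role.SelectNodes('sd:Endpoints/*', $ns)) {
            $exposure = if ($ep.LocalName -eq 'InternalEndpoint') { 'internal' } else { 'public' }
            [pscustomobject]@{
                Role     = $role.GetAttribute('name')
                RoleType = $role.LocalName
                Endpoint = $ep.GetAttribute('name')
                Protocol = $ep.GetAttribute('protocol')
                Port     = $ep.GetAttribute('port')
                Exposure = $exposure
            }
        }
    }
}

# Full picture of what the service will publish.
Get-EndpointExposure -Xml $csdefXml | Format-Table -AutoSize

# A worker role with a public endpoint (DebugIn here) is the case to question before
# deployment: the text describes worker roles as called by web roles, not by external clients.
Get-EndpointExposure -Xml $csdefXml |
    Where-Object { $_.RoleType -eq 'WorkerRole' -and $_.Exposure -eq 'public' } |
    ForEach-Object { "WARN: worker role $($_.Role) publishes $($_.Endpoint) on port $($_.Port)" }
```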

Using Azure Queues and Service Bus Queues

Instead of using direct communication, developers may choose to use a queue to send messages from
one role to another. By using a queue, you ensure that a message reaches a role; the role works its way
through all the messages in the queue asynchronously. You can also control the processing of messages in
a queue; for example, by throttling the queue to ensure it does not consume all service resources.
Therefore, a queue is a popular communication method.


Azure has two types of queue in different services: storage queues and service bus queues. Developers
and software architects usually decide which queuing mechanism to use. However, IT professionals must
be aware of the two mechanisms and be able to configure them as dependencies when a cloud service
uses them.
Characteristic                   Azure Queues    Service Bus Queues
Average Latency                  10 ms           100 ms
Maximum Message Size             64 KB           256 KB
Maximum Queue Size               1 TB            5 GB
Maximum Message Time-to-Live     7 days          Unlimited

For more information about the differences between storage account queues and service bus queues, see:
Comparing Microsoft Azure Queues and Service Bus Queues
http://go.microsoft.com/fwlink/?LinkID=511758
Azure Queues and Service Bus Queues - Compared and Contrasted
http://go.microsoft.com/fwlink/?LinkID=522646

Adding a PaaS Cloud Service to a Virtual Network


By default, a PaaS cloud service is separated from any IaaS virtual machines and other cloud services in
your Azure subscription. The cloud service can communicate with those virtual machines or other cloud
services in the same way that external clients can: by using a public endpoint.
Alternatively, you may choose to enable direct communication between a group of PaaS cloud services
and virtual machines by placing all of them into a single Virtual Network (VNet). To learn more about
VNets and how to create them, see Module 2. By using a VNet in this way, you can:

Reduce the latency of communications between PaaS cloud services and virtual machines because
communication can be direct and does not have to take place through public endpoints and the
Azure load balancer.

Enable on-premises clients to connect directly with PaaS cloud service. This is possible if the VNet has
a VPN connection to your on-premises network.

To add a PaaS cloud service to a VNet you must add a <NetworkConfiguration> section to the service
configuration file. This section must be inserted after all the roles have been defined in the file.


In the following example, the service configuration file determines that the current PaaS cloud service will
be added to the A. Datum HQ VNet:
Adding a PaaS Cloud Service to a VNet
<NetworkConfiguration>
  <VirtualNetworkSite name="AdatumHQ" />
  <AddressAssignments>
    <InstanceAddress roleName="SimpleWebRole">
      <Subnets>
        <Subnet name="HQSubnet1" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>

Note: You must add one <InstanceAddress> element to the <NetworkConfiguration> element for every
role in your cloud service.
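The following Python script is an added example and is not part of the course materials or of any Azure SDK. It reads a service definition (.csdef) and a service configuration (.cscfg) of the kind shown above, lists which endpoints each role exposes publicly (InputEndpoint, reachable through the load balancer) versus internally (InternalEndpoint), and reports any role that the <NetworkConfiguration> section does not assign to a subnet, which is the per-role requirement in the note above. The two XML documents are constructed inline for the example; the schema namespace URIs are the ones Azure cloud service files use, and the role and subnet names are those from the snippets above.

```python
"""Inventory endpoints in a .csdef and check that a .cscfg assigns every
role to a subnet. Added example; the XML samples are constructed here."""
import xml.etree.ElementTree as ET

# Schema namespaces used by Azure cloud service definition/configuration files.
CSDEF_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"
CSCFG_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"

# Constructed sample: a web role with a public endpoint and a worker role
# with an internal endpoint only (the two endpoint snippets above).
SAMPLE_CSDEF = f"""<ServiceDefinition name="AdatumAds" xmlns="{CSDEF_NS}">
  <WebRole name="FrontEndRole">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" localPort="80" />
    </Endpoints>
  </WebRole>
  <WorkerRole name="ImageProcessorRole">
    <Endpoints>
      <InternalEndpoint name="InternalImageIn" protocol="tcp" port="1000" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>"""

# Constructed sample: the NetworkConfiguration covers only one of the two roles,
# so the check below should flag ImageProcessorRole.
SAMPLE_CSCFG = f"""<ServiceConfiguration serviceName="AdatumAds" xmlns="{CSCFG_NS}">
  <Role name="FrontEndRole"><Instances count="2" /></Role>
  <Role name="ImageProcessorRole"><Instances count="1" /></Role>
  <NetworkConfiguration>
    <VirtualNetworkSite name="AdatumHQ" />
    <AddressAssignments>
      <InstanceAddress roleName="FrontEndRole">
        <Subnets><Subnet name="HQSubnet1" /></Subnets>
      </InstanceAddress>
    </AddressAssignments>
  </NetworkConfiguration>
</ServiceConfiguration>"""


def list_endpoints(csdef_xml):
    """Return {role name: [(endpoint name, kind, protocol, port), ...]}.
    kind is 'public' for InputEndpoint and 'internal' for InternalEndpoint."""
    root = ET.fromstring(csdef_xml)
    kinds = {"InputEndpoint": "public", "InternalEndpoint": "internal"}
    role_tags = {f"{{{CSDEF_NS}}}WebRole", f"{{{CSDEF_NS}}}WorkerRole"}
    result = {}
    for role in root:
        if role.tag not in role_tags:
            continue
        endpoints = []
        for element in role.iter():
            local_name = element.tag.split("}")[-1]   # strip the namespace
            if local_name in kinds:
                endpoints.append((element.get("name"), kinds[local_name],
                                  element.get("protocol"), element.get("port")))
        result[role.get("name")] = endpoints
    return result


def public_endpoints(csdef_xml):
    """Names of endpoints exposed on the service's public address: the list
    an administrator reviews before deploying, since these are internet-facing."""
    return sorted(name for endpoints in list_endpoints(csdef_xml).values()
                  for name, kind, _, _ in endpoints if kind == "public")


def roles_missing_subnet(cscfg_xml):
    """Roles declared in the .cscfg with no <InstanceAddress> under
    <NetworkConfiguration>; the note above requires one per role."""
    root = ET.fromstring(cscfg_xml)
    roles = {r.get("name") for r in root.findall(f"{{{CSCFG_NS}}}Role")}
    assigned = {ia.get("roleName") for ia in root.iter(f"{{{CSCFG_NS}}}InstanceAddress")}
    return sorted(roles - assigned)


if __name__ == "__main__":
    for role, endpoints in list_endpoints(SAMPLE_CSDEF).items():
        print(role, endpoints)
    print("public endpoints:", public_endpoints(SAMPLE_CSDEF))
    print("roles without a subnet assignment:", roles_missing_subnet(SAMPLE_CSCFG))
```

Run against your own files by reading them with open() in place of the two constants; the public-endpoint list is what you compare against the endpoints the service is actually meant to expose.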

Discussion: Scaling Services


The instructor will lead the class in a discussion of the scenarios on the slide. In each scenario, discuss
with the class:

How many instances of each web role and worker role are required?

How you can determine whether a cloud service is responding rapidly to user requests?

How you can scale the cloud service should demand exceed the capacity of the cloud service?

Demonstration: Scaling Cloud Services


In this demonstration, you will see how to:

Set the default instance count for a cloud service.

Schedule a larger instance count for an expected load peak.

Best Practice: The scheduled scaling technique you see in this demonstration ensures that
sufficient instances of all roles are present to maintain good responsiveness during an expected
demand peak. After the peak passes, instances are automatically de-provisioned to avoid extra
costs. When you set the schedule, bear in mind that it can take a few minutes for each new
instance to come online. Start your schedule well before the expected peak to ensure that full
capacity is reached in a timely manner.

Demonstration Steps
Set the default instance count for a cloud service


1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
the Microsoft account that is associated with your Azure subscription.
2. In the navigation on the left, click CLOUD SERVICES.
3. In the list of cloud services, click SmallCloudServiceXXX.
4. At the top, click SCALE and then click PRODUCTION.
5. In the INSTANCE COUNT box, type 2.
6. In the toolbar at the bottom, click SAVE.

Schedule a larger instance count for an expected load peak


1. Click set up schedule times.
2. Under SPECIFIC DATES in the NAME box, type Demo Schedule.
3. In the START AT column, select today's date.
4. In the START TIME column, type a time 10 minutes from now.
5. In the END AT column, select today's date.
6. In the END TIME column, type a time 20 minutes from now, and then click Complete.
7. In the INSTANCE COUNT box, type 5.
8. In the toolbar at the bottom, click SAVE.
9. At the top, click INSTANCES.
10. The instances are displayed in the table. After 10 minutes, the number of instances increases to five. To
see the new instances, you may need to refresh the page by pressing F5.

Lesson 3

Implementing Mobile Services


One of the more common uses for the services and tools available in Azure is as a back end for mobile
apps that run on phones, tablets, and other devices. Microsoft has responded to this demand by adding
mobile services to Azure. A mobile service provides the facilities and features that are widely used by
mobile app developers in a single service with a single Application Programming Interface (API). In this
lesson, you will see how to create and administer a mobile service to support a mobile app created by
your team of developers.

Lesson Objectives
At the end of this lesson, you will be able to:

Describe common requirements relevant to the majority of mobile apps.

List the features of Azure mobile services.

Create and configure a new Azure mobile service by using the Azure portal.

Configure external authentication providers in a mobile service.

Deploy a mobile service by using a publish profile or by using continuous deployment.

Implement a mobile service by using the Azure portal.

Discussion: Mobile Apps


The instructor will lead the class in a discussion of mobile apps. Use your general experience of apps on
mobile phones and tablets to contribute. Consider how mobile apps commonly use:

Data

Authentication

Communication

Business Logic

Overview of Mobile Services


Azure Mobile Services are designed to solve common problems for developers writing mobile device apps.
Such apps commonly have these requirements:

To store and access structured data.

To receive notifications when events happen in the cloud.

To authenticate and authorize users based on Facebook, Twitter, Microsoft or other identities.

To define business logic.


Many of these needs can already be satisfied with other parts of Azure. For example, mobile devices can
use SQL Database to store data without creating a mobile service. However, Mobile Services provide a
simple way for developers to access all these features through a single API that is compatible with a wide
range of mobile devices. For example:

Developers can access Azure SQL Database and define a data schema and edit data by calling
methods in the Mobile Services API.

A mobile service includes a free Azure notification hub that can push messages to mobile clients.
With a simple call, developers can send messages targeted to individual users or target large
audiences with personalized content. Each mobile device operating system type has a different
Platform Notification Service (PNS). An Azure notification hub can send the same message to many
different PNSs. This frees developers from writing multiple portions of code to support multiple
device types. This code is built into a notification hub for developers to call.

By configuring authentication in your mobile service, you can authenticate against Facebook, Twitter,
Outlook.com, Google, and Azure Active Directory through the Mobile Service API, without writing
separate code in your app for each provider.

In a mobile service, you can add JavaScript or .NET code that encapsulates business logic and runs in
Azure. This removes load from mobile devices.

Note: Mobile Services are designed principally to make mobile app development easier for
developers. However, IT professionals must know how to administer mobile services if developers
choose to use them. For example, if a spike in demand is expected, IT professionals must scale a
mobile service. This lesson focuses on such tasks.

Creating and Configuring a Mobile Service


As for Azure websites and PaaS cloud services, you must create a new mobile service in Azure, and then
deploy the completed compiled code written by your development team. Access keys authenticate the app
itself against Azure. In this topic, you will see how to complete common administrative tasks.

Creating a Mobile Service

To create a new mobile service, complete the following tasks:


1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. In the toolbar at the bottom, click NEW and then click CREATE.
3. In the URL text box, type a unique valid URL for the mobile service. The mobile service must be
unique within the azure-mobile.net domain.
4. In the DATABASE drop-down list, choose whether to use a database that you have already created or
to create a new database in Azure SQL Database.
5. In the REGION drop-down list, choose a region near your users.
6. In the BACKEND drop-down list, choose the language for business logic code. Work with your
developer team to choose the language.
7. Click Next.
8. If you have chosen to create a new database, in the NAME text box, type a name for the database.
9. In the SERVER drop-down list, choose a SQL Database server to run the new database.
10. Click Complete.


Note: If you want to create a new notification hub for your mobile service, or to configure
an existing hub, select CONFIGURE ADVANCED PUSH SETTINGS on the first page of the
wizard.

Managing Access Keys

In order for an application to access your mobile service, it must send the application key with its request.
An application key is created by default when you create your mobile service, but you can choose to
regenerate it. You can also regenerate the master key, which authorizes the highest level of access that is
suitable for app administrators.
To manage the application and master keys, take the following steps:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. Click the mobile service you want to administer.
3. In the toolbar at the bottom, click MANAGE KEYS.
4. You can copy a key to the clipboard by clicking the Copy button. To replace the key, click
Regenerate.

Best Practice: Application keys are often hardcoded into the mobile app your developers
create. If you regenerate the key, old versions of the app that use the original key will no longer
function. You will need to distribute a new version of the app to fix this issue. Only regenerate the
key if you can deploy a new version of the app quickly.
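The best practice above exists because the portal's Regenerate button invalidates the old application key at once, and every installed app build that still carries it stops working. The Python class below is an added example, not Mobile Services code, of the server-side pattern that makes a key change survivable for a service you administer yourself: the current key and, for a bounded grace period, the previous key are both accepted, the comparison is constant-time, and a counter records how many callers still present the old key so that you can see whether old app builds remain in the field before the old key is retired. The header name is the one Mobile Services clients send the application key in, but treat it, the key values and the timestamps as assumptions constructed for the example.

```python
"""Application-key validation that tolerates a key regeneration for a
grace period. Added example; header name and key values are constructed."""
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone

APP_KEY_HEADER = "X-ZUMO-APPLICATION"   # assumed: header the client sends the app key in


class ApplicationKeyStore:
    """Holds the current key plus the previous one until its grace period ends."""

    def __init__(self, current_key):
        self.current = current_key
        self.previous = None
        self.previous_expires = None
        self.usage = Counter()   # requests seen per key generation

    def regenerate(self, new_key, grace=timedelta(days=30), now=None):
        """Install a new key; the old one keeps working until now + grace."""
        now = now or datetime.now(timezone.utc)
        self.previous = self.current
        self.previous_expires = now + grace
        self.current = new_key

    def validate(self, headers, now=None):
        """Return 'current', 'previous' or None (reject) for a request's headers."""
        now = now or datetime.now(timezone.utc)
        presented = headers.get(APP_KEY_HEADER, "").encode()
        # compare_digest avoids leaking the key through comparison timing
        if hmac.compare_digest(presented, self.current.encode()):
            self.usage["current"] += 1
            return "current"
        if (self.previous is not None and now < self.previous_expires
                and hmac.compare_digest(presented, self.previous.encode())):
            self.usage["previous"] += 1
            return "previous"
        self.usage["rejected"] += 1
        return None

    def old_clients_seen(self):
        """How many requests used the previous key: if this is still rising,
        old app builds are still out there and the grace period is not over."""
        return self.usage["previous"]


if __name__ == "__main__":
    t0 = datetime(2015, 3, 1, tzinfo=timezone.utc)   # constructed timeline
    store = ApplicationKeyStore("constructed-old-key")
    store.regenerate("constructed-new-key", now=t0)
    for day, key in [(1, "constructed-new-key"), (2, "constructed-old-key"),
                     (45, "constructed-old-key")]:
        result = store.validate({APP_KEY_HEADER: key}, now=t0 + timedelta(days=day))
        print(f"day {day}: {key} -> {result}")
    print("requests from old builds:", store.old_clients_seen())
```

The point for an administrator is the counter, not the comparison: rotate, watch the previous-key count fall to zero in the logs, and only then let the grace period expire; with Mobile Services itself, where there is no grace period, the same observation has to be made from app-version telemetry before you click Regenerate.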

Scaling a Mobile Service


You can scale out a mobile service by specifying a higher level tier for the service. There are three tiers
available:

Free. Free tier services are limited to 60 minutes of CPU time per day, 165 MB of outbound data
transfer per day, and 500 active devices.

Basic. Basic tier services have no limits on CPU time, outbound data, or the number of active devices.
Scaling out is limited to six units.

Standard. Standard tier services have no limits on CPU time, data transfer, devices, or the number of
units.

You can scale out basic and standard tier mobile services by creating multiple units. As well as specifying a
default number of mobile service units, you can scale up, based on a schedule or in response to a
threshold in a metric, such as CPU time.
Full details of mobile services tiers and their pricing can be found at the following URL:
Mobile Services Pricing Details
http://go.microsoft.com/fwlink/?LinkID=511759

Configuring Authentication
The popularity of social networking means the majority of potential users for your app already have a
Microsoft, Facebook, Twitter, or Google user account. They also trust these services because they use them
on a regular basis. By enabling users to authenticate in your mobile app with credentials from these
external services, you can take advantage of this trust and avoid the need for all users to create a new
account for your app, with separate credentials to remember.
In order for an app to authenticate with Facebook, you must:
1. Register the app as a Facebook client.
2. Obtain credentials for the app from Facebook. This is often an app access key.
3. Configure the app to forward the access key on authentication.

This process is similar for other external providers such as Twitter, although the details of the credentials
may vary.


Usually, the app access key is hardcoded into the app itself. If you want to support authentication against
multiple external providers, you must hardcode multiple access keys into your app. Azure Mobile Services
eases this situation in two ways:

By storing configurable access keys for each supported provider. This means that access keys need no
longer be hardcoded into apps.

By enabling developers to authenticate against multiple external providers with a single portion of
code.

If your developers have chosen to enable external authentication providers in their mobile app using the
Mobile Services API, you must configure access keys in the Azure Portal. To complete this process, take
the following steps:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. In the list of mobile services, click the service you want to configure.
3. Click the IDENTITY tab.
4. If you want to authenticate users with Microsoft accounts, fill in the CLIENT ID, CLIENT SECRET, and
PACKAGE ID values in the Microsoft Account Settings section.
5. If you want to authenticate users with Facebook accounts, fill in the APP ID/APP KEY and APP
SECRET values in the Facebook Settings section.
6. If you want to authenticate users with Twitter accounts, fill in the APP KEY and APP SECRET values in
the Twitter Settings section.
7. If you want to authenticate users with Google accounts, fill in the CLIENT ID and CLIENT SECRET
values in the Google Settings section.
8. If you want to authenticate users with Azure Active Directory accounts, fill in the APP URL and
CLIENT ID values in the Microsoft Account Settings section.

Deploying a Mobile Service


From the Azure portal, developers can download a starter project for your mobile service. They can
import this project into Visual Studio 2013 and add their custom code. When the mobile service is
completed, they can import a publish profile into their project just like PaaS cloud services or Azure
websites. With a publish profile in your Visual Studio project, it is easy to deploy your completed mobile
service to Azure by using the Publishing Wizard.
Alternatively, you can use a Git repository to host your mobile service source code. You must set up a
username and password in the mobile service in order to connect to the repository.

Note: At the time of writing, Git source control is a preview feature. Mobile services do not
currently support staging slots, so continuous deployment must be used with care.

Demonstration: Implementing a Mobile Service


In this demonstration, you will see how to:

Create a new mobile service.

Configure push notification settings for a mobile service.

Configure database settings for a mobile service.

Download a Visual Studio starter project for the mobile service.

Demonstration Steps
Create a new mobile service


1. Start Internet Explorer, and browse to http://azure.microsoft.com, click Portal, and sign in using
the Microsoft account that is associated with your Azure subscription.
2. In the navigation on the left, click MOBILE SERVICES.
3. In the toolbar at the bottom, click NEW and then click CREATE.
4. In the URL box, type a valid unique name. If the name is valid and unique, a green tick appears.
5. In the DATABASE drop-down list, select Create a free 20MB SQL Database.
6. In the REGION drop-down list, select a location near you.
7. Select the CONFIGURE ADVANCED PUSH SETTINGS check box and then click Next.

Configure push notification settings for a mobile service


1. In the NAMESPACE NAME box, type a valid unique name.
2. In the NOTIFICATION HUB NAME box, type a valid unique name, and then click Next.

Configure database settings for a mobile service


1. In the SERVER drop-down list, select New SQL Database Server.
2. In the SERVER LOGIN NAME box, type your first name.
3. In the SERVER LOGIN PASSWORD box, type Pa$$w0rd.
4. In the CONFIRM PASSWORD box, type Pa$$w0rd.
5. In the REGION drop-down list, select the same location you used in step 6.
6. Click Complete.

Download a Visual Studio starter project for the mobile service


1. When the mobile service creation is complete, click the mobile service you just created.
2. Under GET STARTED, click CREATE A NEW WINDOWS OR WINDOWS PHONE APP.
3. Under Download and run your app, click Download and then click Save.
4. Click Open folder.
5. Right-click the zip file, click Extract All, and then click Extract.
6. Double-click the .sln file.
7. In the How do you want to open this type of file (.sln)? dialog box, click More options, and then
click Visual Studio 2013.


8. In the Security Warning dialog box, clear the Ask me for every project in this solution check box,
and then click OK.
9. If the Developer License dialog box opens, click Cancel.
10. If the User Account Control dialog box appears, click Yes.
11. In the Solution Explorer, show the students the Windows 8.1 and Windows Phone 8.1 projects.
Reset the Environment
1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects
in your Azure subscription, with the exception of the default directory.

Lesson 4

Monitoring and Diagnostics


Cloud services and mobile services may need to support large numbers of users and still respond quickly.
During times of high demand, you should be able to monitor the performance of your service in detail so
that you can be sure users have a smooth experience. In this lesson, you will see how to enable
monitoring and obtain detailed data to allow you to diagnose performance bottlenecks and add capacity
in the right components.

Lesson Objectives
At the end of this lesson, you will be able to:

Configure a diagnostic connection to a storage account so that a cloud service can use verbose
monitoring.

Add metrics and alerts to measure the performance of a cloud service.

Obtain diagnostic monitoring data for the notification hubs and databases that support mobile
services.

Configuring Verbose Monitoring


Azure provides built-in monitoring functionality for every PaaS cloud service. You can use this monitoring
tool to determine how the cloud service is using server resources. In the event of poor performance, you
can use monitoring to diagnose any bottlenecks.

Minimal Monitoring
By default, PaaS cloud services use minimal monitoring. In this mode, the following counters are
available:

CPU Percentage

Data In

Data Out

Disk Read Throughput

Disk Write Throughput

If you have multiple role instances, you can monitor these counters either for individual instances or in
total for all instances of each role.

Verbose Monitoring

When you enable verbose monitoring, you can record a much larger range of counters. This enables you
to gain a much more detailed picture of the performance of instances and roles. Unlike minimal
monitoring, verbose monitoring stores data in table storage. Therefore you must create a storage account
and connect it to the monitoring tool to use verbose monitoring.

Note: Minimal monitoring is free. However, because verbose monitoring stores data in a
storage account, it incurs extra costs for using the Azure Storage service.
For information on the steps to create a storage account, go to Module 5, or see:
How to Create a Storage Account
http://go.microsoft.com/fwlink/?LinkID=522647
To configure verbose monitoring:


1. In the Azure full portal, click STORAGE and then click the storage account you want to use for
monitoring data.
2. In the toolbar at the bottom, click MANAGE KEYS.
3. Next to the storage account key, click Copy.
4. In the navigation on the left, click CLOUD SERVICES and then click the PaaS cloud service you want
to monitor.
5. Click the CONFIGURE tab.
6. In the DIAGNOSTIC CONNECTION STRINGS section, enter the name of the storage account, and
then paste the storage account access key.
7. Click SAVE.
8. In the Monitoring section, click VERBOSE.
9. Click SAVE.

Monitoring Metrics and Alerts


You can add metrics to the monitoring display in the Azure portal. This enables you to see how the
chosen metrics have varied for the last one hour, one day, or seven days. You can also add an alert to a
metric in the display. This instructs Azure to send an email to administrators if a metric exceeds a
configured threshold.
To add a metric to the monitoring table:
1. In the Azure full portal, in the navigation on the left, click CLOUD SERVICES.
2. Click the PaaS cloud service you want to monitor and then click the MONITOR tab.
3. In the toolbar at the bottom, click ADD METRICS.
4. In the list of roles, choose the role instance you want to monitor. You can also select aggregated
counters for all the instances of each role.
5. Metrics are listed in sections. Expand the section that interests you and then select the metric to add.
6. Click OK.


Once you have added a metric to the table, configure an alert for that metric by following these steps:
1. In the list of metrics on the MONITORING tab, select the metric that interests you.
2. In the toolbar at the bottom, click ADD RULE.
3. In the NAME text box, type a descriptive name for the alert and then click NEXT.
4. In the THRESHOLD VALUE textbox, type a value that should trigger the alert when it is exceeded.
5. In the ACTIONS section, choose whether to email the service administrators or to email another
address.
6. Click Complete.
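To make concrete what a threshold alert of the kind configured above does with a stream of samples, the Python below is an added example (not the Azure alert engine) that evaluates a rule over a constructed series of CPU Percentage readings. It averages the metric over a sliding window and records a transition only when the windowed average first crosses the threshold and again when it drops back, so a sustained overload produces one notification rather than one per sample and a single one-minute spike produces none; the raw per-sample breaches are returned alongside for comparison. The samples, timestamps and the 5-minute window are constructed assumptions.

```python
"""Windowed threshold alert evaluation over constructed metric samples.
Added example; not Azure's alert implementation."""
from datetime import datetime, timedelta

# Constructed CPU Percentage samples, one per minute: a one-minute spike,
# a sustained overload, then recovery.
T0 = datetime(2015, 3, 1, 9, 0)
SAMPLE_CPU = [(T0 + timedelta(minutes=i), v)
              for i, v in enumerate([10, 12, 15, 80, 90, 95, 92, 20, 15, 10])]


def evaluate_alert_rule(samples, threshold, window=timedelta(minutes=5)):
    """samples: list of (timestamp, value) in time order.
    Returns [(timestamp, 'fired' | 'resolved', windowed average), ...],
    one entry per state change, which is when an email would be sent."""
    events = []
    active = False
    for ts, _ in samples:
        # average of every sample inside (ts - window, ts]
        recent = [v for t, v in samples if ts - window < t <= ts]
        avg = sum(recent) / len(recent)
        if avg > threshold and not active:
            events.append((ts, "fired", round(avg, 1)))
            active = True
        elif avg <= threshold and active:
            events.append((ts, "resolved", round(avg, 1)))
            active = False
    return events


def raw_breaches(samples, threshold):
    """Timestamps where a single sample exceeds the threshold: what an
    unsmoothed rule would alert on, once per sample."""
    return [ts for ts, v in samples if v > threshold]


if __name__ == "__main__":
    for ts, state, avg in evaluate_alert_rule(SAMPLE_CPU, threshold=70):
        print(f"{ts:%H:%M} {state:8s} 5-minute average {avg}")
    print("raw samples over threshold:",
          [f"{ts:%H:%M}" for ts in raw_breaches(SAMPLE_CPU, 70)])
```

With the constructed data the windowed rule fires once at 09:06 and resolves at 09:08, while four individual samples (09:03 to 09:06) are over the threshold; the trade-off, visible in the timestamps, is that smoothing delays the first notification by a few minutes, which is the same reason the scaling demonstration earlier in this module starts its schedule ahead of the expected peak.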

Monitoring Mobile Services


Most of the monitoring information available for mobile services is logged by the notification hubs and
databases that the mobile service uses. Database counters include:

Successful Connections. This counts the number of connections to the database. Instances of a mobile
service make a single connection for all clients.

Failed Connections. This counts the number of connections to the database that failed.

Deadlocks. A database deadlock occurs when two or more tasks permanently block each other by
maintaining a lock on a row that the other is trying to lock. Azure SQL Database automatically resolves
these issues by choosing one of the tasks to complete and logs the event. Deadlocks may indicate that
database access code should be redesigned.
Notification Hub counters include:

Incoming messages. This counts the number of messages that mobile services are sending to the
mobile devices that are registered.

Errors. This counts the number of messages that could not be delivered.

Registrations. This counts the number of clients that register as a destination for messages.

Successful Operation. This counts notifications that are successfully delivered to mobile devices.

Mobile Service diagnostic logs only contain data if developers have coded logging actions in their code
by using the Services.Log.Info() and similar methods. However, if developers are using logging correctly,
this is a good place to find diagnostic information that may help you with fault finding. Developers will
see these logged events in Visual Studio when they run the mobile service in debugging mode.
Administrators can see these events in the full portal. To examine the diagnostic log:
1. In the Azure full portal, in the navigation on the left, click MOBILE SERVICES.
2. In the list of mobile services, click the service you want to troubleshoot.
3. Click the LOGS tab.


Messages in the diagnostic log can be of three levels: Information, Warning, and Error. The message string
displayed is fixed by the developer in their code. Each event in the log also shows the method in which
the event was logged. This value helps developers to precisely identify the source of the problem.

Lab: Implementing PaaS Cloud Services


Scenario


You want to evaluate the potential of PaaS cloud services to host A. Datum web applications. Your
development team has provided a simple cloud service project that you can use to investigate Azure
functionality. You want to show how staging and production slots can be used to ease the deployment of
new versions of the PaaS cloud service. You also want to demonstrate that you can monitor the service to
get clear information on resource usage. This will help the administration team evaluate service
performance during its staged deployment.

Objectives
At the end of this lab, you will be able to:

Configure and deploy a PaaS cloud service to Azure.

Deploy a PaaS cloud service for staging and enable RDP access.

Configure metrics and alerts to monitor PaaS cloud service behavior.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Deploying a PaaS Cloud Service


Scenario
You have been asked to deploy the sample PaaS cloud service to Azure for evaluation.
The main tasks for this exercise are as follows:
1. Create Linked Resources
2. Configure the Service Definition File
3. Deploy the Cloud Service
Task 1: Create Linked Resources
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. In the Microsoft Azure PowerShell, connect and log in to your Azure account.
3. In PowerShell, get a list of Azure locations and note the name of a location near you.
4. In PowerShell, create a new Azure SQL Database server. Use the following information:
   o Administrator Login: your name
   o Administrator Login Password: Pa$$w0rd
   o Location: an Azure location near you
5. In PowerShell, get the name of the SQL Database server you created in step 4.
6. In the Azure full portal, create a new SQL Database. Use the following information:
   o Name: CloudServiceProdDB
   o Server: Use the SQL Database server name you noted in step 5
7. In Windows Azure PowerShell, create a new Azure storage account. Use the following information:
   o Storage Account Name: cloudappprodXXX where XXX is a unique number
   o Location: use the location you noted in step 3

Task 2: Configure the Service Definition File


1. Open the following file in Visual Studio 2013:
   D:\LabFiles\Lab08\Starter\Production\Package\ServiceConfiguration.Cloud.cscfg
2. In the service configuration file, set the instance count attribute to 2 for both the
AdatumAdsWebRole role and the AdatumAdsWorkerRole role. Save your changes.
3. In the Azure Portal, copy the primary access key for the cloudappprodXXX storage account to the
clipboard.
4. In Visual Studio, configure the StorageConnectionString setting for the AdatumAdsWebRole role.
Use the following information:
   o DefaultEndPointsProtocol: https
   o AccountName: cloudappprodXXX
   o AccountKey: paste the primary key that you just copied to the clipboard
5. Configure the StorageConnectionString setting for the AdatumAdsWorkerRole role with the same
information.
6. Configure the Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString setting for the
AdatumAdsWebRole role with the same information.
7. Configure the Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString setting for the
AdatumAdsWorkerRole role with the same information.
8. In the Azure Portal, copy the ADO.NET connection string for the CloudServiceProdDB database to
the clipboard.
9. In Visual Studio, copy the connection string from the clipboard to the value attribute of the
<Setting> element named AdatumAdsDbConnectionString.
10. Set the password in the pasted connection string to Pa$$w0rd.
11. Save your changes and close Visual Studio.

Task 3: Deploy the Cloud Service


1. In the Azure portal, create a new PaaS Cloud Service. Use the following information:
   o URL: use your name or another unique URL
   o Region: use the same region you used in Task 1
2. Deploy the cloud service. Use the following information:
   o Package: D:\LabFiles\Lab08\Starter\Production\Package\AdatumAds.cspkg
   o Configuration: D:\LabFiles\Lab08\Starter\Production\Package\ServiceConfiguration.Cloud.cscfg

Note: The deployment process for the PaaS cloud service can take several minutes to
complete. Wait for the Service Status column to display Created and the Production column to
display Running before you continue to the next task. If needed, you can refresh the webpage.
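The service configuration edits in Task 2 (instance count for both roles, and the same storage connection string in the StorageConnectionString and Diagnostics.ConnectionString settings of each role) are the kind of change that is worth scripting rather than hand-editing, both for repeatability and so that the account key never has to be pasted into an editor. The Python below is an added example, not part of the lab files or the Azure SDK. It assembles the connection string from the three values the task lists, refuses anything other than https, checks that the pasted key is intact base64, applies the settings to a .cscfg, and produces a redacted form of the connection string for logs. The .cscfg is a constructed stand-in for the lab's ServiceConfiguration.Cloud.cscfg with the role and setting names from the task, and the account key is a dummy value.

```python
"""Apply the Task 2 settings to a .cscfg programmatically. Added example;
the .cscfg below is constructed and the account key is a dummy."""
import base64
import xml.etree.ElementTree as ET

CSCFG_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
ET.register_namespace("", CSCFG_NS)   # serialize with the default namespace, as the file has it

STORAGE_SETTING = "StorageConnectionString"
DIAG_SETTING = "Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"

# Constructed stand-in for ServiceConfiguration.Cloud.cscfg before the edits.
SAMPLE_CSCFG = f"""<ServiceConfiguration serviceName="AdatumAds" xmlns="{CSCFG_NS}">
  <Role name="AdatumAdsWebRole">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="{STORAGE_SETTING}" value="UseDevelopmentStorage=true" />
      <Setting name="{DIAG_SETTING}" value="UseDevelopmentStorage=true" />
    </ConfigurationSettings>
  </Role>
  <Role name="AdatumAdsWorkerRole">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="{STORAGE_SETTING}" value="UseDevelopmentStorage=true" />
      <Setting name="{DIAG_SETTING}" value="UseDevelopmentStorage=true" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>"""

# Dummy key (64 zero bytes, base64): a real key is copied from the portal, never committed.
DUMMY_KEY = base64.b64encode(bytes(64)).decode()


def build_storage_connection_string(account_name, account_key, protocol="https"):
    """Assemble the connection string from the values listed in Task 2."""
    if protocol != "https":
        raise ValueError("storage traffic must use https")
    base64.b64decode(account_key, validate=True)   # catches a truncated or mangled paste
    return (f"DefaultEndpointsProtocol={protocol};AccountName={account_name};"
            f"AccountKey={account_key}")


def configure_cscfg(cscfg_xml, roles, instance_count, connection_string):
    """Set the instance count and both storage settings for each named role."""
    if "DefaultEndpointsProtocol=https" not in connection_string:
        raise ValueError("refusing a non-https storage connection string")
    root = ET.fromstring(cscfg_xml)
    for role in root.findall(f"{{{CSCFG_NS}}}Role"):
        if role.get("name") not in roles:
            continue
        role.find(f"{{{CSCFG_NS}}}Instances").set("count", str(instance_count))
        for setting in role.iter(f"{{{CSCFG_NS}}}Setting"):
            if setting.get("name") in (STORAGE_SETTING, DIAG_SETTING):
                setting.set("value", connection_string)
    return ET.tostring(root, encoding="unicode")


def read_settings(cscfg_xml):
    """{role name: (instance count, {setting name: value})}, for verifying the result."""
    root = ET.fromstring(cscfg_xml)
    result = {}
    for role in root.findall(f"{{{CSCFG_NS}}}Role"):
        count = int(role.find(f"{{{CSCFG_NS}}}Instances").get("count"))
        settings = {s.get("name"): s.get("value") for s in role.iter(f"{{{CSCFG_NS}}}Setting")}
        result[role.get("name")] = (count, settings)
    return result


def redact(connection_string):
    """Connection string safe to log: the AccountKey value is masked."""
    parts = []
    for part in connection_string.split(";"):
        key, _, _ = part.partition("=")
        parts.append("AccountKey=***" if key == "AccountKey" else part)
    return ";".join(parts)


if __name__ == "__main__":
    conn = build_storage_connection_string("cloudappprodXXX", DUMMY_KEY)
    updated = configure_cscfg(SAMPLE_CSCFG, ["AdatumAdsWebRole", "AdatumAdsWorkerRole"], 2, conn)
    for role, (count, settings) in read_settings(updated).items():
        print(role, count, redact(settings[STORAGE_SETTING]))
```

To use it on the real file, read the starter .cscfg into configure_cscfg and write the returned text back; the storage account and SQL settings live in the same ConfigurationSettings element, so the AdatumAdsDbConnectionString edit in steps 8 to 10 can be applied the same way.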


Results: In this exercise, you will create the necessary resources required by the PaaS cloud service (a
storage account and a SQL database). You will also edit the service configuration file and deploy the cloud
service to the production slot.

Exercise 2: Configuring Deployment Slots and Remote Desktop Protocol


Scenario

The development team has provided a second version of the simple PaaS cloud service. You want to
investigate how deployment slots can be used to stage and deploy new versions of cloud services. You will
use the same configuration you used for the production service.
The main tasks for this exercise are as follows:
1. Deploy a Staged Cloud Service
2. Configure Remote Desktop Protocol Access
3. Test Connectivity

Task 1: Deploy a Staged Cloud Service


1. In the Azure portal, add a staging deployment to the PaaS cloud service you created in Exercise 1. Use
the following information:
   o Deployment Label: AdatumAdsStage
   o Package: D:\LabFiles\Lab08\Starter\Staging\Package\AdatumAds.cspkg
   o Configuration: D:\LabFiles\Lab08\Starter\Production\Package\ServiceConfiguration.Cloud.cscfg

Note: The deployment process for the PaaS cloud service can take several minutes to
complete. Wait for the Service Status column to display Created and the Staging column to
display Running before you continue to the next task. If needed, you can refresh the webpage.

Task 2: Configure Remote Desktop Protocol Access


1. Enable RDP access for the production deployment of the PaaS cloud service. Use the following information:
   o User Name: RDPAdmin
   o Password: Pa$$w0rd
   o Certificate: create a new certificate
   o Expires On: use a date one month from today

Task 3: Test Connectivity


1. From the cloud service dashboard, browse to the production homepage.

2. From the cloud service dashboard, browse to the staging homepage.

3. From the list of production instances, connect to the AdatumAdsWebRole_IN_0 instance by using RDP.

Results: At the end of this exercise, you will be able to:

Deploy a PaaS cloud service package for staging.
Configure RDP access to cloud services.
Connect to production and staging instances by browsing and by using RDP.

Exercise 3: Monitoring Cloud Services


Scenario
You have been asked to evaluate the network traffic used by the new version of the PaaS cloud service
that you deployed to the staging environment. To do this, you will add new monitoring metrics and
configure an alert.
The main tasks for this exercise are as follows:
1. Add Metrics to the Monitoring Table
2. Create an Alert
3. Monitor an Active Cloud Service
4. Reset the Environment

Task 1: Add Metrics to the Monitoring Table


1. Add the NETWORK OUT metric for the aggregated web role and worker role to the monitoring page for the PaaS cloud service you created in Exercise 1.

2. Add the Network Out metric for the AdatumAdsWebRole role to the monitoring graph.

3. Add the Network Out metric for the AdatumAdsWorkerRole role to the monitoring graph.

Task 2: Create an Alert


1. Add a new alert for the PaaS cloud service. Use the following information:
   o Name: Network Traffic Limit
   o Web role: AdatumAdsWebRole
   o Metric: Network Out
   o Condition: Greater than
   o Threshold: 100 bytes
   o Email Address: use the outlook.com email address associated with your Azure account

Task 3: Monitor an Active Cloud Service


1. Inspect the data for the alert you created in Task 2. Note whether the alert is active.

2. In Internet Explorer, browse to http://www.outlook.com and open the emails for the account associated with your Azure subscription. Examine any alerts sent from Azure.

3. Close Internet Explorer.

Task 4: Reset the Environment


1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Results: At the end of this exercise, you will have configured monitoring for a PaaS cloud service with new
metrics and an alert.
Question: In Exercise 2, you enabled RDP access and used the RDP client to connect to an
instance of a web role. Why would administrators connect to cloud service role instances
with RDP?
Question: You want to ensure you can always see the network traffic your PaaS cloud service
has used over the last hour. Should you configure a monitoring metric or an alert?

Module Review and Takeaways


In this module, you learned about:

Planning, creating, and deploying PaaS cloud services.

Configuring cloud services by using configuration files or the Azure portal.

Using mobile services to support apps for mobile devices.

Monitoring cloud services and mobile services.

Review Question(s)
Question: Your company is developing a mobile app. You have been asked to host data and
notification hubs in Azure. What are the advantages of using an Azure mobile service instead
of creating separate SQL Databases and notification hubs?


Module 9
Implementing Content Delivery Networks and Media
Services
Contents:
Module Overview  9-1
Lesson 1: Implementing Azure Content Delivery Networks  9-2
Lab A: Implementing a Content Delivery Network  9-8
Lesson 2: Publishing Content with Azure Media Services  9-10
Lab B: Implementing Content Delivery Networks and Cloud Services  9-16
Module Review and Takeaways  9-20

Module Overview

Large amounts of online content are now stored as graphical images, audio, and video. It is important to have a system to upload this content, convert it to an appropriate format, and store it. The content should support the devices that your customers will use to consume the media, and you might want to stream video content to the consumers. Azure Media Services provides the functionality to upload, encode, store, and stream your media.
Nowadays, your audience is often spread globally, so you should consider performance for users who are geographically distant from the source media or applications. A content delivery network (CDN) replicates data globally so that all users have a local endpoint.

Objectives
After completing this module, you will be able to:

Implement an Azure content delivery network.

Publish content with Azure Media Services.

Lesson 1

Implementing Azure Content Delivery Networks


Microsoft Azure provides CDN functionality to deliver content that is as close as possible to users, no
matter where they are in the world. This lesson discusses content delivery networks and describes how to
implement Azure CDNs.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how Azure CDNs integrate with other Azure services to deliver content.

Describe content delivery networks.

Describe the architecture of content delivery networks.

Discuss caching blob content with Azure CDNs.

Discuss caching cloud services content with Azure CDNs.

Describe using your own custom domain address with an Azure CDN.

Demonstration: Prepare the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your subscription; therefore, you should complete this course against a new Azure subscription. You should have received sign-up details and instructions for creating an Azure Learning Pass for this reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft account that has not been associated with any other Azure subscription. This avoids confusion in labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes the Azure subscription and account from the Azure PowerShell session.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal. If you are prompted for credentials, sign in using the Microsoft account that is associated with your Microsoft Azure subscription.

5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Azure Environment


1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Microsoft Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 2-3 minutes to configure your Microsoft Azure environment, ready for the lab at the end of this module.

6. Close all open windows.

Content Delivery Networks and Media Services as Components of Azure


In this module, you will learn about two Azure services that enable you to deliver content quickly and efficiently: Content Delivery Networks and Media Services.
A CDN is a concept widely used on the Internet to accelerate and improve the delivery of all kinds of content to web users. The content can include text files, script libraries, downloadable software, and media such as video and audio files. In a CDN, content is replicated to a large number of servers, which are geographically distributed around the world. When a user requests an item of content, the request is forwarded to a CDN server that is close to the user's location.

You can create your own CDN by configuring the Azure Content Delivery Network service. This service
can cache content from Azure storage accounts, PaaS cloud services, virtual machines in IaaS cloud
services, or Azure websites.

Azure Media Services provides the facilities many organizations need to stream media such as video and
audio content. You can use Media Services to encode, publish, and stream a wide variety of formats to a
broad base of clients, such as mobile devices, computers, and connected televisions. Media Services
streams content from Azure Storage accounts.


Overview of Content Delivery Networks


Speed of delivery is a key factor in consumer satisfaction for audio, video, images and web-based applications. A CDN is a geographic distribution of servers hosting content to ensure that the content is close to the consumer, no matter where they are. The purpose of the CDN is to place content closer to users and offload workload from the content provider. A Microsoft Azure CDN has a worldwide distribution.
There are several advantages when a CDN has been implemented:

The user experience is improved, particularly if the user is situated a long distance from the content.

The content has protection from distributed denial-of-service (DDoS) attacks because Azure CDNs include systems to detect and mitigate against attacks; also, there are replica copies of the content in many locations. Azure CDNs also support HTTPS, so content from the CDN can be embedded in pages served over HTTPS without mixed-content warnings.

Because the content is no longer located in one single location, there is no bottleneck, making a CDN inherently scalable.

Reliability is increased by a CDN because it includes Azure's redundancy and failover functionality. If one node is unavailable, the content will be automatically retrieved from the next nearest node.

CDNs can contain any content, but the content should be static. Often this content consists of large files such as multimedia content, but it can also include content from cloud services and Azure websites. Dynamic content will need to be constantly refreshed from the content provider and any benefits of implementing the CDN will be lost.

For more information about CDNs, see:

Using CDN for Azure
http://go.microsoft.com/fwlink/?LinkID=522648

In an Azure CDN, the content you place in an Azure storage account is automatically cached at multiple points-of-presence (POPs), which are servers distributed globally. For the latest list of POPs, see:
Azure Content Delivery Network (CDN) POP Locations
http://go.microsoft.com/fwlink/?LinkID=522649


Content Delivery Network Architecture


Azure CDNs cache Azure blobs stored in Azure Storage on servers distributed globally. Azure Storage is required to store the original content, and CDN capabilities can then be added. It should be noted that CDNs are distinct from Azure Storage, and are billed separately from Azure Storage.

When a CDN is created, it creates multiple endpoints, distributed globally, so that users have access to data that is geographically near to them, no matter where they are. When media is accessed by a user, it is retrieved from the nearest endpoint, if it is available. If it is not available, it is retrieved from Azure storage and subsequently cached at the endpoint. As well as providing a global distribution of your content, CDNs are also useful to handle peak traffic. When there is a significant event in an organization, traffic can increase dramatically for a short period. A CDN can handle this increase without needing to implement a solution that permanently handles the increased workload.
Cached content can be accessed over HTTP and, when enabled, HTTPS. Content can also come from Azure Blobs, Azure Cloud Services, or Azure Websites; this will be discussed in subsequent topics.

Because the endpoints must maintain copies of the storage data, CDNs should be used for non-volatile,
static data. Data that changes frequently can adversely affect the performance of a CDN.

Creating CDNs
Creating a CDN is very straightforward. Click NEW, click APP SERVICES, click CDN, and click QUICK
CREATE.
For more information on creating CDNs, see:
How to Enable the Content Delivery Network (CDN) for Azure
http://go.microsoft.com/fwlink/?LinkID=522650

Caching Content from Azure Blobs


Blobs must be publicly accessible in order to be cached with CDN; that is to say, they must allow anonymous access. When CDN is enabled for an Azure Storage account, all public blobs in that storage account can be cached with CDN.
To achieve this, you can either make the blob itself public or make the container that contains the blobs public. If you make the container public, all its blobs and metadata will be available for CDN caching. Blob-level public access is the narrower of the two: it allows anonymous reads of a blob whose name is known, but does not allow the contents of the container to be listed.
When you enable CDN for a storage account, it will generate a separate URL to access the blobs through CDN, rather than directly to the storage account.

A blob stays in the CDN cache for a period of time called time-to-live (TTL); by default, this is seven days. Therefore, if content is accessed frequently in a seven-day period, the CDN will have a significant performance gain; if content were to be accessed every 10 days, CDN would provide no performance gains. The TTL period can be defined using APIs or third-party tools, by setting the Cache-Control property of the blob.
For more information about TTL and how to change it, see:
How to Manage Expiration of Blob Content in the Azure Content Delivery Network (CDN)
http://go.microsoft.com/fwlink/?LinkID=522651
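The following Azure PowerShell script is an added example, not part of the course lab files, that prepares a container for CDN caching as described above: it grants anonymous read access at the blob level rather than the container level, uploads a file with an explicit Cache-Control max-age so the CDN TTL is set per object instead of relying on the seven-day default, and reads both settings back. It uses the classic Azure PowerShell module of the same generation as the Setup-Azure and Reset-Azure scripts. The storage account name, container name, local file and CDN endpoint hostname are placeholders and not values from the lab.

```powershell
# Added example: prepare a storage container for Azure CDN caching.
# Requires the classic Azure PowerShell module with Add-AzureAccount already run.
# All names below are placeholders, not values from the lab.
$storageAccount = 'adatum123456'              # assumed storage account name
$containerName  = 'cdn'
$localFile      = 'D:\Content\hero.jpg'       # assumed local file
$cdnHost        = 'az123456.vo.msecnd.net'    # assumed CDN endpoint hostname

$key = (Get-AzureStorageKey -StorageAccountName $storageAccount).Primary
$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key

# Create the container if it does not exist. Permission 'Blob' allows anonymous
# reads of individual blobs (what the CDN needs) but NOT listing of the container;
# 'Container' would also expose the blob list and metadata to anyone.
if (-not (Get-AzureStorageContainer -Name $containerName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $containerName -Permission Blob -Context $ctx | Out-Null
} else {
    Set-AzureStorageContainerAcl -Name $containerName -Permission Blob -Context $ctx
}

# Upload with an explicit Cache-Control header. The CDN honours max-age as the TTL
# for this blob (one hour here) instead of the seven-day default.
Set-AzureStorageBlobContent -File $localFile -Container $containerName -Blob 'hero.jpg' `
    -Properties @{ 'CacheControl' = 'public, max-age=3600' } -Context $ctx -Force | Out-Null

# Read back and check what was actually set, rather than trusting the calls above.
$acl  = Get-AzureStorageContainerAcl -Name $containerName -Context $ctx
$blob = Get-AzureStorageBlob -Container $containerName -Blob 'hero.jpg' -Context $ctx
"Container public access : $($acl.PublicAccess)"          # expected: Blob
"Blob Cache-Control      : $($blob.ICloudBlob.Properties.CacheControl)"

# Optional: confirm the object is reachable through the CDN endpoint. A blob in a
# private container returns 404 here, because the CDN fetches from the origin anonymously.
try {
    $r = Invoke-WebRequest -Uri "http://$cdnHost/$containerName/hero.jpg" -Method Head -UseBasicParsing
    "CDN status: $($r.StatusCode); Cache-Control: $($r.Headers['Cache-Control'])"
} catch {
    "CDN request failed: $($_.Exception.Message) (a newly enabled endpoint can take some time to propagate)"
}
```

Run the script from the Microsoft Azure PowerShell console after signing in. If the container ACL reads back as Off, the CDN will never be able to fetch the blob; if it reads back as Container, anonymous users can enumerate everything in it, which is rarely what you want for a content origin.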

Caching Content from Cloud Services and Websites


CDN access can be enabled for cloud services and Azure Websites. As with blobs, a separate URL is generated.
You should be careful when you use CDNs with content that changes often: the CDN continues to serve cached content until its TTL has expired, even if the content in the source location has changed.
The cloud service or website to be cached must be in a production slot and the content to be cached by CDN must be in the /cdn folder, although you can use IIS Virtual Applications/Directories to point the /cdn directory to a different physical directory. The object to be cached must be accessible by HTTP on port 80. Because the CDN fetches content from the origin anonymously, anything placed under /cdn should be treated as public.

As with cached content from blobs, cached content from cloud services has a seven-day default TTL. This can be modified by creating a web.config file in the /cdn folder. By modifying the clientCache settings, you can specify a new default TTL value for all objects in the /cdn folder. You can customize TTL further by setting CDN caching properties programmatically on individual objects.
For more information on TTL with cloud services, see:

How to Manage Expiration of Cloud Service Content in the Azure Content Delivery Network
(CDN)
http://go.microsoft.com/fwlink/?LinkID=522652
For more information on using CDNs with Azure websites, see:
Enabling a CDN Endpoint in Azure Websites
http://go.microsoft.com/fwlink/?LinkID=523983
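As an added example that is not part of the course materials, the following PowerShell writes the web.config that sets the default TTL for everything under the /cdn folder of a web role, using the IIS clientCache element referred to above, and then parses the file back to confirm the setting took effect. The folder path and the three-day max-age are assumptions chosen for the example.

```powershell
# Added example: set the default CDN TTL for a cloud service /cdn folder via IIS clientCache.
# $cdnFolder is a placeholder for the physical directory behind the web role's /cdn path.
$cdnFolder = 'D:\Projects\AdatumAds\WebRole\cdn'
$maxAge    = New-TimeSpan -Days 3          # assumed TTL: 3 days instead of the 7-day default

# Build the web.config. cacheControlMaxAge uses the .NET TimeSpan format d.hh:mm:ss,
# and IIS turns it into a Cache-Control: max-age header on every static file in the folder.
$webConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge"
                   cacheControlMaxAge="$($maxAge.ToString('d\.hh\:mm\:ss'))" />
    </staticContent>
  </system.webServer>
</configuration>
"@

if (-not (Test-Path $cdnFolder)) { New-Item -ItemType Directory -Path $cdnFolder | Out-Null }
$path = Join-Path $cdnFolder 'web.config'
Set-Content -Path $path -Value $webConfig -Encoding UTF8

# Verify by parsing the file on disk rather than trusting the string that was written.
[xml]$cfg = Get-Content -Path $path -Raw
$cc = $cfg.configuration.'system.webServer'.staticContent.clientCache
if ($cc.cacheControlMode -ne 'UseMaxAge' -or [TimeSpan]$cc.cacheControlMaxAge -ne $maxAge) {
    throw "clientCache in $path does not match the intended TTL"
}
"TTL for /cdn set to $([TimeSpan]$cc.cacheControlMaxAge) (Cache-Control: max-age=$([int]$maxAge.TotalSeconds))"
```

The web.config in /cdn only governs that folder; the rest of the web role keeps its own caching rules. Remember that a shorter TTL here does not purge what edge nodes already hold, so a change to the value takes effect only as existing cached copies expire.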


Using a Custom Domain to Access a Content Delivery Network


In many cases, you will want to cache part of your own custom domain with CDN, although you should note that you can only map a subdomain, such as www.adatum.com, and not a root domain, such as adatum.com.
You create a CNAME record at your domain registrar, which is a DNS feature to create an alias for the CDN address. This allows the user to type in the address of your subdomain, but actually connect to the CDN domain. This process is transparent to the user.

The subdomain must be used exclusively for CDN and cannot be used for any other purpose, whether that is within the original domain, on Azure, or in any other location.
When you map a custom domain name to your CDN endpoint, you can specify that Azure will use the asverify subdomain to preregister your custom domain. This will avoid any loss of service while DNS records are updated, by acting as an intermediary.
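The following PowerShell is an added example, not from the course, that checks the DNS side of the custom-domain process described above: first that the asverify CNAME points at the asverify name of the endpoint, then that the live subdomain points at the endpoint itself, and finally that the subdomain is not also carrying A records of its own, which would mean it is shared with something other than the CDN. The subdomain, the endpoint hostname and the asverify naming pattern are assumptions; Resolve-DnsName requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example: verify the DNS records for a custom CDN domain before and after cut-over.
# The subdomain and endpoint hostname are placeholders, not values from the lab.
$subdomain   = 'cdn.adatum.com'            # assumed custom subdomain (a root domain cannot be used)
$cdnEndpoint = 'az123456.vo.msecnd.net'    # assumed Azure CDN endpoint hostname

function Test-CdnCname {
    param([string]$Name, [string]$ExpectedTarget)
    # Query a public resolver so a stale local cache does not mask a wrong record.
    $records = Resolve-DnsName -Name $Name -Type CNAME -Server 8.8.8.8 -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' }
    if (-not $records) { return "$Name : no CNAME record found" }
    $target = $records[0].NameHost.TrimEnd('.')
    if ($target -ieq $ExpectedTarget) { return "$Name : OK -> $target" }
    return "$Name : WRONG target $target (expected $ExpectedTarget)"
}

# Step 1: the asverify record lets Azure validate ownership before the live name changes.
Test-CdnCname -Name "asverify.$subdomain" -ExpectedTarget "asverify.$cdnEndpoint"

# Step 2: once Azure has accepted the custom domain, the live record can point at the endpoint.
Test-CdnCname -Name $subdomain -ExpectedTarget $cdnEndpoint

# Step 3: the subdomain must be used exclusively for the CDN. A records owned by the
# subdomain itself (not those returned for the CNAME target) mean it is shared with
# something else, and DNS does not allow a CNAME to coexist with other records for the same name.
$aRecords = Resolve-DnsName -Name $subdomain -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' -and $_.Name.TrimEnd('.') -ieq $subdomain }
if ($aRecords) { "Warning: $subdomain also has A record(s) $($aRecords.IPAddress -join ', ')" }
```

Run step 1 before adding the custom domain in the portal, and step 2 only after the portal reports the domain as verified; changing the live CNAME first is what causes the loss of service that the asverify record is designed to avoid.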


Lab A: Implementing a Content Delivery Network


Scenario

The A. Datum developers have created a new website that uses many high-resolution images and videos.
Clients are expected to access the site from many different locations worldwide. You have been asked to
investigate Azure CDN services as a means to ensure that the site serves high-resolution photographs as
rapidly as possible wherever users request them.

Objectives
After completing this lab, you will be able to:

Configure a content delivery network.

Lab Setup
Estimated Time: 20 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Configuring a Content Delivery Network


Scenario
To support your global audience, you will implement a content delivery network. Because it might take
some time to enable the CDN, you have decided to perform the setup steps now and upload content
later.

Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Create a New Storage Account
2. Enable the Content Delivery Network

Task 1: Create a New Storage Account


1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. Start Internet Explorer, browse to https://portal.azure.com, and sign in using the Microsoft account that is associated with your Azure subscription.

3. Create a new storage account with the following settings:
   o STORAGE: Use adatum + random numbers (for example, adatum123456); if you get a Storage account name is not available message, change the numbers until you get a green tick. Note this name for use in Exercise 1 of the second lab.
   o PRICING TIER: Standard-GRS.
   o RESOURCE GROUP: Default-Storage-EastAsia (click Resource Group and then, in the Create resource group dialog box, delete the default name, type Default-Storage-EastAsia, and click OK).
   o Subscription: Default value.
   o Location: Default value.
   o Add to Startboard: Selected.

Task 2: Enable the Content Delivery Network


1. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.

2. Create a new CDN using the storage account that you created in the previous task as the origin domain.

Results: After completing this exercise, you will have:

1. Created a storage account.

2. Enabled a content delivery network.

Question: What level of uniqueness do you need for your storage account?

Lesson 2

Publishing Content with Azure Media Services


There are increasing numbers and types of devices that can consume online media. Whereas, historically,
you would need to support different types of personal computer, nowadays you might also need to
provide media to tablets, smartphones, games consoles, set-top boxes and smart TVs. Azure Media
Services allows you to encode media in many different formats, encrypt media, and stream media to users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Azure Media Services.

Assess which media formats you should support.

Upload, encode, and package your media.

Use the Azure portal to manage Media Services content.

Protect your media using encryption.

Overview of Azure Media Services


Media Services provides the full capabilities required for media delivery including:

Uploading the media.

Storing the media.

Encoding the media to support streaming.

Packaging the media for distribution.

The potential audience could be located anywhere and could be using any device. To enable this audience, Media Services supports a very wide range of devices, including PCs, phones, tablets, games consoles, and smart TVs. To ensure that the widest range of devices is supported, Media Services includes support for both Adobe Flash and HTML5, the two most popular formats for presenting Internet-based media.

Media Services is highly scalable, from a single video or audio file to hundreds of thousands of media files. Media Services will also scale from a handful of consumers to an audience of many thousands. The Azure CDN capabilities let you deliver content worldwide with low latency through the worldwide Azure datacenters.
Although we have discussed a worldwide audience, not all content should be distributed publicly. Azure Media Services includes the ability to authenticate users to ensure that the content is only seen by a specific audience. Some content must be restricted by country or region; for example, you might need to restrict the country/region for legal reasons, or you might create advertisements specific to the region of the target audience. In Azure Media Services, geo-blocking allows you to filter geographically.
As with other Azure services, you only pay for what you, the producer of the content, use.

Assessing your Audience


You should consider the capabilities of the devices that will connect to your Media Services content. If this is for an internal audience and you know the specifications of the devices, then this is straightforward. However, if it is for public consumption or users can use their own devices, then you have to target a baseline specification. The lower the baseline, the more people can access your content, but quality and functionality might suffer as a result.

You should consider that offline viewing will enable people with limited or sporadic Internet connectivity to access your content, but the storage capacities of the device must be considered, particularly for HD content. You will also have to consider storage capacity for progressive downloading. Streaming is available for most devices, but an Internet connection is required to view the content. Progressive downloading and streaming are similar, but progressive downloading downloads a copy of the media while it is being viewed, whereas streaming does not download a copy.

Uploading, Encoding, and Packaging Media


You can upload content with the Media Services SDK for .NET or by using the Azure Management Portal. The Management Portal is straightforward, but you can only upload a single file at a time; the file cannot exceed 200 MB in size; and the file must be in a format supported by Media Services. There are third-party tools that take advantage of high-speed ingest technology to increase the upload speed.

For more information on uploading large sets of files with high speed, see:
Uploading Large Sets of Files with High Speed
http://go.microsoft.com/fwlink/?LinkID=522653

Uploading content with the Management Portal is very straightforward; you simply create a Media
Services account, specifying name, region and storage account, and then the media services account has a
link to upload a video. Once a video is uploaded, there are links in the Management Portal to encode and
package the video.
When uploading, you should consider access control and group media files into assets that can have one
set of access constraints applied across the asset.

When encoding, you should consider the target devices that you assessed in the previous topic. Device
type, capabilities, and screen size will affect encoding settings.


Packaging does not re-encode your media, but places it into a file container for delivery. You can package
the media into multiple file containers to support the protocol requirements of different devices. You also
get to choose whether the content uses static packaging, or dynamic packaging, so that the client
application can choose the packaging format.

Demonstration: Publishing a Video to Media Services


In this demonstration, you will see how to:

Create a new storage account

Enable Media Services

Upload a video

Encode a video

Publish a video

Demonstration Steps
Create a storage account
1. Start Internet Explorer, browse to https://portal.azure.com, and sign in using the Microsoft account that is associated with your Azure subscription.

2. Click NEW, and then click Everything.

3. In the Marketplace blade, click Storage, cache, + backup, click Storage, and then click Create.

4. In the Storage account dialog box, enter the following settings and click Create:
   o STORAGE: Use adatum + random numbers (for example, adatum123456); if you get a Storage account name is not available message, change the numbers until you get a green tick. Note this name for use in the next task.
   o PRICING TIER: Standard-GRS.
   o RESOURCE GROUP: Default-Storage-EastAsia (click Resource Group and then, in the Create Resource group dialog box, delete the default name, type Default-Storage-EastAsia, and click OK).
   o Subscription: Default value.
   o Location: Default value.
   o Diagnostics: Not configured.
   o Add to Startboard: Selected.

Enable Media Services


1. When the storage account creation is complete, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.

2. Click NEW, click APP SERVICES, click MEDIA SERVICE, and click QUICK CREATE.

3. In the CREATE MEDIA SERVICE dialog box, enter the following settings and click CREATE MEDIA SERVICE:
   o NAME: adatummediaservice12345.
   o REGION: The same location as the storage account in the previous task.
   o STORAGE ACCOUNT: In the drop-down list, select the account name from the previous task.

Note: For NAME use adatummediaservice + random numbers (for example, adatummediaservice123456); if you get a The specified name is unavailable message, change the numbers until you get a green tick.
Upload a video
1. When the media service creation is complete, in the navigation bar on the left, click MEDIA SERVICES.

2. Click the media service that you created in the previous task.

3. Under the MANAGEMENT TASKS section, click Upload a video file.

4. Click FROM LOCAL.

5. Navigate to D:\Demofiles\Mod09 and click Welcome.wmv.

6. Click Open.

7. Click OK.

Encode a Video
1. When the video file upload is complete, the file appears in the list of content. Select the file, and then, in the toolbar at the bottom, click ENCODE.

2. In the PRESET drop-down list, select Play on PC/Mac (via Flash/Silverlight).

3. In the OUTPUT CONTENT NAME textbox, type Encoded Welcome Video and then click OK.

Publish a Video
Note: At this point, wait until the encoding job is complete. When the job is complete, the
PUBLISH button is available when the Encoded Welcome Video item is selected.
1. Select Encoded Welcome Video and then, in the toolbar at the bottom, click PUBLISH.

2. Click Yes.

Note: To play the encoded video, you must install the Desktop Experience feature of
Windows Server 2008 R2. This feature includes the necessary Windows media codecs. Students
will perform this installation in the lab.
Reset the Environment
1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Protecting Media with Encryption

Media stored in Azure Media Services is automatically encrypted, but you should also consider encrypting content so that it cannot be intercepted while it is being uploaded, and encrypting streamed media so that it cannot be intercepted or copied on its way to the client.

Encrypting Content
If you have content that you want to encrypt while it is being uploaded, you should use the StorageEncrypted option.
For more information about the StorageEncrypted option, see:
Producing Storage Encrypted Content
http://go.microsoft.com/fwlink/?LinkID=522654
If your content is already encrypted, you should use the CommonEncryption or EnvelopeEncrypted options.
For more information about uploading encrypted content, see:
Uploading Encrypted Content
http://go.microsoft.com/fwlink/?LinkID=522655

Streaming Media
There are two methods that you can use to encrypt streaming media in Azure Media Services: PlayReady and AES.

PlayReady is a DRM system from Microsoft that encrypts the media and requires users to obtain a license to view it. The advantage of DRM is that the media is always encrypted and can only be viewed by the device that holds the license. Furthermore, additional limits can be placed on the content, such as how many times the user can view it. If the file is copied to a different device, it will not be viewable. Media that you wish to protect with PlayReady must be in the Smooth Streaming format.
For more information about encryption using PlayReady, see:
Securing Media
http://go.microsoft.com/fwlink/?LinkID=522656
Once you have PlayReady-encrypted Smooth Streaming content, you can package it as HLS with PlayReady. HTTP Live Streaming (HLS) is Apple's HTTP-based adaptive streaming protocol, used by iOS devices and Safari.

AES-128 encryption protects the stream from being read by an attacker who intercepts it, for example from a man-in-the-middle position, but it does not provide DRM functionality: any client that obtains the key can decrypt the content, so it is relatively straightforward for someone who is authorized to view AES-protected content to redistribute it.
For more information about encryption using AES, see:
Using Static Encryption to Protect HLSv3 with AES-128
http://go.microsoft.com/fwlink/?LinkID=522657
and:
Using AES-128 Dynamic Encryption and Key Delivery Service
http://go.microsoft.com/fwlink/?LinkID=522658

Lab B: Implementing Content Delivery Networks and Media Services
Scenario

The A. Datum developers have created a new website that uses many high-resolution images and videos. You have been asked to complete your investigation of Azure CDN, as well as to implement Azure Media Services for hosting video content. Clients are expected to access the site using many different devices. You have been asked to ensure that users can view your videos on a broad range of different devices from different manufacturers.

Objectives
After completing this lab, you will be able to:
- Add content to a content delivery network.
- Create a Media Services account and upload content to the Media Services account.
- Publish media content.

Lab Setup
Estimated Time: 60 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, please ensure that you have completed the first lab in this module.

Exercise 1: Adding Content to the Source Service

Scenario
You have enabled a content delivery network and now wish to upload media and explore the media that you have uploaded.

Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Add a Container to the Storage Account
2. Upload Content to the Content Delivery Network
3. Explore the Content Delivery Network

Task 1: Add a Container to the Storage Account
1. Add a container to the storage account that you created in the first lab with the following properties:
   o NAME: adatumcontainer (Azure container names must be lowercase)
   o ACCESS: Public Container (anonymous clients can read every blob and list the container's contents)

Task 2: Upload Content to the Content Delivery Network
1. Use PowerShell to upload a file to your CDN with the following properties:
   o Blob name: Welcome
   o Container: adatumcontainer
   o File: D:\Labfiles\Lab09\Starter\Welcome.png

Task 3: Explore the Content Delivery Network
1. Open the adatumcontainer container and download the welcome.png file.

Results: After completing this exercise, you will have:
1. Added a container to your storage account.
2. Uploaded content to your content delivery network.
3. Viewed media stored in your content delivery network.

Exercise 2: Creating a Media Services Account and Uploading Content

Scenario
You want to make content available to multiple device types. The data is currently stored in WMV format, but you want to re-encode the video and store it for online viewing.
The main tasks for this exercise are as follows:
1. Create a New Storage Account
2. Enable Media Services
3. Upload Videos

Task 1: Create a New Storage Account
1. Using PowerShell, view a list of available locations to store your media.
2. Using PowerShell, create a new storage account with the following settings:
   o STORAGE: Use adatumstorage + random numbers (for example, adatumstorage123456); if you get a ConflictError message, change the numbers until the cmdlet runs successfully. Note this name for use in the next task.
   o Location: Southeast Asia

Task 2: Enable Media Services
1. Create a media service with the following properties:
   o NAME: adatummediaservice12345
   o REGION: Southeast Asia
   o STORAGE ACCOUNT: Select the account name from the previous task.

   Note: For NAME use adatummediaservice + random numbers (for example, adatummediaservice123456); if you get a The specified name is unavailable message, change the numbers until you get a green tick. Note this name for use in Exercise 3.

Task 3: Upload Videos
1. Upload D:\Labfiles\Lab09\Starter\Welcome.wmv to the adatummediaservice media service that you created in the previous task.

Exercise 3: Publishing and Scaling Media Content

Scenario
Now that you have uploaded a video file to Media Services, you want to encode and publish the file for delivery to users. In order to test the published media stream, you must install Windows Media Player, which is part of the Windows Server 2008 R2 Desktop Experience feature.

Note: The Microsoft Azure portal is continually improved, and the user interface may have been updated
since this lab was written. Your instructor will make you aware of any differences between the steps
described in the lab and the current Azure portal user interface.
The main tasks for this exercise are as follows:
1. Encode Media
2. Publish Media
3. Scale Media Delivery
4. Play the Media Stream
5. Reset the Environment

Task 1: Encode Media
1. Encode the Welcome.wmv file for playback on PC/Mac via Flash/Silverlight.

Task 2: Publish Media
1. Publish the media that you encoded in the previous task.

Task 3: Scale Media Delivery
1. Create a new streaming endpoint to scale up media delivery.

   NOTE: The new streaming endpoint is stopped. In this lab, we will not start the origin to save time, but you should observe the START button at the bottom of the page.

2. View the publish URLs for your media.

Task 4: Play the Media Stream
1. In Server Manager, install the Desktop Experience feature on the MIA-CL1 server and then restart the server.
2. When the server has restarted, log in as Student and open the Azure full portal.
3. In the Media Services section, play the Welcome-wmv-PCMac-Output file.

Task 5: Reset the Environment
1. Close all open applications without saving any files.
2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab. The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this occurs, you will see an error). If you find objects remaining after the reset script is complete, you can re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the objects in your Azure subscription, with the exception of the default directory.

Results: After completing this exercise, you will have:
1. Encoded media.
2. Published media.
3. Scaled media delivery.


Question: You have media locally that will only work on a small subset of your customers
devices. How can you expand the reach of this media when it is stored online?
Question: You want to support a wide range of devices and a wide global area. What
technology, or technologies, should you implement?

Module Review and Takeaways


Review Question(s)
Question: What benefits could CDN and Media Services bring to your organization?


Module 10
Implement Azure AD
Contents:
Module Overview                                              10-1
Lesson 1: Create and Manage Azure AD Directories             10-2
Lesson 2: Configuring Application Integration with Azure AD  10-13
Lesson 3: Overview of Azure AD Premium                       10-16
Lab: Implementing Azure Active Directory                     10-24
Module Review and Takeaways                                  10-31

Module Overview

Azure Active Directory is a cloud-based identity and access management solution. You can provide secure access to sensitive services and data with multi-factor authentication (MFA), as well as single sign-on, to make application access more convenient for your users.
In this module, you will learn how to create a custom domain, integrate applications with Azure AD, and use Azure AD Premium features.

Objectives
After completing this module, you will be able to:
- Create and manage Azure AD directories.
- Configure application integration with Azure AD.
- Describe the features of Azure AD Premium.

Lesson 1

Create and Manage Azure AD Directories

In this lesson, you will learn how to:
- Manage users.
- Add users from other Azure AD directories.
- Automate user management using Azure PowerShell.
- Associate custom AD domains with subscriptions.
- Create a new Azure AD directory.
- Use multi-factor authentication with global administrator accounts.

Lesson Objectives
After completing this lesson, you will be able to:
- Understand Azure Active Directory.
- Manage custom domains in Microsoft Azure.
- Manage users and groups by using the Azure Management Portal and Azure PowerShell.
- Manage Multi-Factor Authentication for Azure global administrators.
- Manage multiple Azure AD directories.

Demonstration: Prepare the Environment


Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure removes any current Azure subscription and account details from the Azure PowerShell
session.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription
1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.
2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.
3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.
4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.
5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Azure Environment
1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.
2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.
4. Confirm your selection, and then press Enter.
5. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take a few seconds to configure your Microsoft Azure environment, ready for the lab at the
end of this module.

Active Directory as a Component of Azure

Azure Active Directory (AAD) has many similarities with Windows Server-based, on-premises AD, but there are many differences, one of the main ones being that AAD is primarily an identity management service, rather than a classic hierarchical X.500-based directory service. AAD also has built-in federation support.
AAD also supports multi-factor authentication through a set of free MFA capabilities for global administrators, or through paid-for MFA providers.

Overview of Azure Active Directory

There are three ways to deploy a Microsoft directory service:
- On-premises Active Directory
- On-premises Active Directory on an Azure VM
- Azure Active Directory

On-premises Active Directory

An on-premises Active Directory is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although Windows Active Directory is commonly considered to be primarily a directory service, Active Directory Domain Services (AD DS) is only one component of the Windows Active Directory suite of technologies, which can also include Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS).
When comparing AD DS with Azure Active Directory (AAD), it is important to note the following characteristics of AD DS:
- AD DS is a true directory service, with a hierarchical X.500-based structure.
- AD DS uses DNS for locating resources such as domain controllers.
- AD DS can be queried and managed through Lightweight Directory Access Protocol (LDAP) calls.
- AD DS primarily uses Kerberos for authentication.
- AD DS uses organizational units (OUs) and Group Policy Objects (GPOs) for management.
- AD DS includes computer objects, representing computers that join an AD domain.
- AD DS uses trusts between domains, for delegated management such as in AD forests, and for authenticating forest users.

Windows Server-based Active Directory can be deployed on an Azure VM, and this can be a way to enable scalability and availability for an on-premises AD; however, deploying Windows Server-based Active Directory on an Azure VM does not make any use of Azure Active Directory. Note that deploying AD on an Azure VM requires an additional Azure data disk; this disk is needed to store the AD database, logs, and SYSVOL, and the Host Cache Preference for this disk must be set to None (you should not use the C: drive for AD storage).

Azure Active Directory

Although Azure Active Directory (AAD) has many similarities with on-premises AD, there are also many differences; it is important to appreciate that Azure AD is not the same as deploying an AD domain controller on an Azure VM and adding it to your on-premises domain.
When comparing AAD with AD DS, it is important to note the following characteristics of AAD:
- AAD is primarily an identity solution, and is designed for Internet-based applications using HTTP (port 80) and HTTPS (port 443) communications.
- AAD users and groups are created in a flat structure, and there are no OUs or GPOs.
- AAD does not support computer join.
- AAD cannot be queried through LDAP; instead, AAD exposes a REST API over HTTP and HTTPS.
- AAD does not use Kerberos authentication; instead, authentication uses HTTP-based protocols such as SAML, WS-Federation, and OpenID Connect (and authorization uses OAuth).
- AAD includes federation services, and many third-party services (such as Facebook) are already federated with (and trust) Azure AD. Federated applications are covered in Lesson 2 of this module. You can also federate your on-premises AD DS with AAD; this is covered in Module 11 of this course.
- AAD can integrate with existing AD infrastructures, such as by using identity federation based on AD FS (Active Directory Federation Services) with SAML 2.0 as the protocol.

AAD Directory

The directory component of AAD is, by design, multi-tenant and provides a highly scalable cloud-based directory service:
- Multi-tenant. Microsoft hosts millions of users and directories within AAD, but as each Azure AD directory is distinct and separate from other Azure AD directories, customer data and identity information is completely isolated from other tenants; users and administrators of one Azure AD directory cannot accidentally or maliciously access data in another directory.
- Scalable. The directory technologies used by AAD were in use as the directory supporting Microsoft Office 365 and Microsoft Intune long before Azure became available; they scale to millions of users. AAD's flexible, extensible data model uses the REST-based Graph API (not LDAP).

AAD also supports federation by design, and can provide a federation platform, as well as a directory service. AAD can also act as an authorization service for other cloud-based services, when federating with them.
Note: the AAD Graph API is the interface for navigating the content of AAD (walking the tree, or, more correctly, the graph) and accessing (and creating and manipulating) the information stored there. Developers can perform CRUD (Create, Read, Update, Delete) operations through REST (Representational State Transfer) API endpoints when developing, for example, web applications and mobile apps, as well as more conventional business processes.
Unlike AD DS, AAD is primarily designed to support applications. AAD includes user, mail-enabled contact, and group objects, but computer and domain controller objects are not part of AAD.

AAD Tenant

An AAD tenant is a dedicated instance of Azure AD that is automatically provisioned for an organization when it signs up for a Microsoft cloud service such as Azure, Office 365, or Windows Intune.

When you sign up for a new trial or paid subscription to Azure, Office 365, or Windows Intune, you automatically get a new AAD tenant/instance. You can also associate a new, or existing, Azure subscription with an existing AAD instance associated with an Office 365 or Windows Intune subscription.
There are three types of account that can be used with AAD:
- An organizational account created within the default Azure directory, or any custom Azure directory, either by the tenant administrator or by a co-administrator; for example, <user>@<domain1>.onmicrosoft.com.
- An account referencing an organizational account created within another AAD instance; for example, <user>@<domain2>.onmicrosoft.com.
- An account referencing a Microsoft account; for example, <user>@outlook.com.

The tenant administrator account is the account used to sign up for the new trial or paid subscription. This account can be either a Microsoft account or an existing organizational account.


You can only manage AAD if you are a Global Administrator of the AAD instance. You can only sign in to an Azure portal if you are the tenant administrator, or if the tenant administrator has configured an organizational account to be a co-administrator. Note that, by default, tenant administrators and co-administrators can manage AAD using the Management Portal, because these accounts are automatically granted the Global Administrator role in the AAD instance associated with the subscription.
Important: Within AAD, directory users can be configured with roles such as Global Administrator, Billing Administrator, Service Administrator, User Administrator, and Password Administrator. These roles apply to management tools such as the Office 365 and Intune portals, or the Windows Azure Active Directory Module for Windows PowerShell cmdlets; they do not, by themselves, grant a user access to the Azure portal or to Microsoft Azure PowerShell, which is controlled by the subscription's administrator and co-administrator assignments.

Manage Custom Domains

Administrators can add a custom domain name to their Microsoft Azure AD tenant to use with any Microsoft cloud service (Azure, Office 365, Windows Intune).
Custom domain names are added to an Azure AD tenant by using:
- A Microsoft cloud service portal, such as the Azure, Office 365, or Windows Intune management portals.
- The Microsoft Azure Active Directory Module for Windows PowerShell.

Using the portal method, the high-level steps are:
1. In the Microsoft cloud service portal, specify the custom domain name.
2. In the Microsoft cloud service portal, note the DNS information that will need to be configured at your domain registrar or DNS hosting provider.
3. Log in to your domain registrar or DNS hosting provider, and edit the DNS records.
4. In the Microsoft cloud service portal, verify that the Microsoft cloud service can resolve the edited DNS records for the custom domain.

Before you can verify a custom domain, the domain name must already be registered with a domain name registrar, and the administrator must have appropriate sign-in credentials to be able to edit DNS records for this domain; this could be at the domain registrar or at a DNS hosting provider. These DNS records are required to verify the domain with the Microsoft cloud service, and to point traffic to the cloud service. Azure AD provides the required DNS information, either as a TXT record (preferred), or as an MX record if your DNS provider does not support TXT records. Because verification proves nothing more than control of the zone at the moment of the check, keep the registrar and DNS-hosting credentials tightly controlled: anyone who can edit the zone's records can also pass the verification.

The following is an example of a TXT record used for custom domain verification:
Alias or Host name: @
Destination or Points to Address: MS=ms96744744
TTL: 1 hour


After verification, the administrator can make the domain the primary domain for the Azure tenant; for
example, replace adatum12345.onmicrosoft.com with adatum.com, so that new users will be
automatically created in this directory.
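As an added example (not part of the course text or of Microsoft's own samples), the following script performs the four steps above with the Microsoft Azure Active Directory Module for Windows PowerShell and adds the check a practitioner wants before clicking verify: it waits until the TXT record is actually visible in public DNS. It assumes Connect-MsolService has already been run as a Global Administrator, that contoso.com stands for a domain you control, and that Resolve-DnsName is available (Windows 8 / Windows Server 2012 or later); the function names Add-AadCustomDomain and Test-AadDomainTxtRecord are ours.

```powershell
# Added example, not course code. Requires the MSOnline module (Connect-MsolService already
# run as a Global Administrator) and Resolve-DnsName (Windows 8 / Server 2012 or later).
# "contoso.com" and the function names are placeholders chosen for this example.

function Test-AadDomainTxtRecord {
    param(
        [Parameter(Mandatory=$true)] [string] $DomainName,
        [Parameter(Mandatory=$true)] [string] $ExpectedText,   # e.g. "MS=ms96744744"
        [string] $DnsServer = '8.8.8.8'   # ask a public resolver, not the corporate DNS, so stale
                                          # internal caches or split-horizon zones cannot mislead you
    )
    $answers = Resolve-DnsName -Name $DomainName -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue
    # Each TXT answer carries its strings in .Strings (an array); join them in case the record was split.
    $txt = $answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
    return ($txt -contains $ExpectedText)
}

function Add-AadCustomDomain {
    param(
        [Parameter(Mandatory=$true)] [string] $DomainName,
        [int] $TimeoutMinutes = 30
    )
    # Step 1: register the name in the tenant. It shows as "Unverified" until confirmed.
    if (-not (Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue)) {
        New-MsolDomain -Name $DomainName | Out-Null
    }

    # Step 2: read the verification record Azure AD expects. Label is the zone name, so the
    # record goes at the apex ("@" at most registrars); Text is the MS=... value; Ttl is in seconds.
    $dns = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
    Write-Host ("Create this record at your registrar: @ ({0})  TXT  {1}  TTL {2}" -f $dns.Label, $dns.Text, $dns.Ttl)

    # Step 3: wait for propagation. Calling Confirm-MsolDomain too early simply fails and tells you
    # nothing about whether the record is right, so poll public DNS for the exact text first.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (Test-AadDomainTxtRecord -DomainName $DomainName -ExpectedText $dns.Text)) {
        if ((Get-Date) -gt $deadline) {
            throw "TXT record for $DomainName not visible in public DNS after $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds 60
    }

    # Step 4: have Azure AD verify the domain, then return the resulting status ("Verified").
    Confirm-MsolDomain -DomainName $DomainName
    return (Get-MsolDomain -DomainName $DomainName).Status
}

# Usage (interactive; remove the comment marker to run):
# Add-AadCustomDomain -DomainName 'contoso.com'
```

Once the domain shows as Verified, the TXT record has done its job and can be removed from the zone; leaving it in place is harmless but advertises which tenant the domain belongs to.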

Demonstration: Adding a Custom Domain

In this demonstration, you will see how to:
- Connect to the full Azure portal.
- Add a custom domain and view the verification DNS records.

Demonstration Steps
Connect to the full Azure portal
1. Start Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription.

Add a custom domain and view the verification DNS records
1. In the navigation panel on the left, click ACTIVE DIRECTORY.
2. Click Default Directory.
3. Click DOMAINS.
4. Click ADD A CUSTOM DOMAIN.
5. On the Specify a domain name page, in the DOMAIN NAME box, type contoso.com.
6. Click add.
7. Click the right arrow.
8. On the Verify contoso.com page, in the RECORD TYPE box, point out the options: TXT record and MX record.
9. Explain that these records will need to be created in your DNS (and propagated) before you click verify.
10. On the Verify contoso.com page, point to the details of the TXT record that must be created in DNS.
11. In the RECORD TYPE box, click MX record, and point to the details of the MX record that must be created in DNS; remind students that either TXT or MX records can be used (you do not require both).
12. Click close.
13. Point out that the domain will continue to show as Unverified until the verification steps are completed.


Manage Users and Groups by Using Azure Management Portal and Azure PowerShell
Administrators can manage Azure AD users and groups by using the Azure Portal, by using the Windows Azure Active Directory Module for Windows PowerShell, or through Windows Intune or Office 365. You can add users to the directory, and also add users to groups.
To use PowerShell to create users and groups, you must first start the Windows Azure Active Directory Module for Windows PowerShell, and then, at the Windows Azure Active Directory Module for Windows PowerShell prompt, type the following command:
Connect-MsolService
You are then prompted for administrator credentials.
You can use PowerShell to create user accounts by using Windows Azure Active Directory Module for Windows PowerShell commands such as:
New-MsolUser -UserPrincipalName mledford@adatum.com -DisplayName "Mario Ledford" -FirstName "Mario" -LastName "Ledford" -Password 'Pa$$w0rd123' -ForceChangePassword $false -UsageLocation "US"

You can use PowerShell to create groups by using Windows Azure Active Directory Module for Windows PowerShell commands such as:
New-MsolGroup -DisplayName "Azure team" -Description "Adatum Azure team users"

To create multiple users in bulk, you can either import a CSV file containing account information (such as
by exporting from an existing on-premises directory) or use Azure PowerShell scripting to generate
multiple accounts. Administrators can also add users and groups by synchronizing an existing directory,
using Directory Synchronization (DirSync); this is covered in Module 11 of this course.
To use bulk import, you first need to assemble your user information:

UserName             FirstName  LastName  DisplayName    JobTitle    Department   Country
AnneW@adatum.com     Anne       Wallace   Anne Wallace   President   Management   United States
FabriceC@adatum.com  Fabrice    Canel     Fabrice Canel  Attorney    Legal        United States
GarretV@adatum.com   Garret     Vargas    Garret Vargas  Operations  Operations   United States

You then need to create a CSV file containing this information:

UserName,FirstName,LastName,DisplayName,JobTitle,Department,Country
AnneW@adatum.com,Anne,Wallace,Anne Wallace,President,Management,United States
FabriceC@adatum.com,Fabrice,Canel,Fabrice Canel,Attorney,Legal,United States
GarretV@adatum.com,Garret,Vargas,Garret Vargas,Operations,Operations,United States


You can then use PowerShell to process this CSV file, and create the user accounts, using Windows Azure Active Directory Module for Windows PowerShell commands such as:
$users = Import-Csv C:\Users.csv
$users | ForEach-Object {
    New-MsolUser -UserPrincipalName $_.UserName -FirstName $_.FirstName -LastName $_.LastName -DisplayName $_.DisplayName -Title $_.JobTitle -Department $_.Department -Country $_.Country
}
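The snippet above is the minimal form. As an added example (not course code), the following variant adds the checks an administrator wants before creating accounts in bulk: it accepts only UPN suffixes the tenant has verified, skips UPNs that already exist, sets UsageLocation so licences can be assigned later, and lets Azure AD generate a single-use temporary password for each user instead of putting a shared password in the CSV. It assumes Connect-MsolService has run, that the CSV has the columns shown above, and that adatum.com is a verified domain in the tenant; the function name New-UsersFromCsv is ours.

```powershell
# Added example, not course code. Assumes Connect-MsolService has already been run and that the
# CSV has the columns UserName,FirstName,LastName,DisplayName,JobTitle,Department,Country.

function New-UsersFromCsv {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string] $UsageLocation = 'US'   # ISO country code; required before a licence can be assigned
    )
    # Accept only UPN suffixes this tenant has actually verified; anything else in the CSV is a typo
    # or a domain that belongs to someone else.
    $verifiedDomains = @(Get-MsolDomain -Status Verified | ForEach-Object { $_.Name })
    $report = @()

    foreach ($row in Import-Csv -Path $Path) {
        $upn = ([string]$row.UserName).Trim()
        $suffix = ($upn -split '@')[-1]

        if ($upn -notmatch '^[^@\s]+@[^@\s]+$' -or $verifiedDomains -notcontains $suffix) {
            $report += New-Object PSObject -Property @{ UserPrincipalName = $upn; Result = 'Skipped: UPN suffix is not a verified domain' }
            continue
        }
        if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
            $report += New-Object PSObject -Property @{ UserPrincipalName = $upn; Result = 'Skipped: already exists' }
            continue
        }

        # No -Password: Azure AD generates a random temporary password and returns it on the object.
        # -ForceChangePassword makes it single-use; -StrongPasswordRequired applies the complexity policy.
        $user = New-MsolUser -UserPrincipalName $upn `
                             -FirstName $row.FirstName -LastName $row.LastName -DisplayName $row.DisplayName `
                             -Title $row.JobTitle -Department $row.Department -Country $row.Country `
                             -UsageLocation $UsageLocation -ForceChangePassword $true -StrongPasswordRequired $true
        $report += New-Object PSObject -Property @{
            UserPrincipalName = $upn
            Result            = 'Created'
            TemporaryPassword = $user.Password
        }
    }
    return $report
}

# Usage: write the report to a file rather than the console, so the temporary passwords do not end
# up in a transcript or console history; deliver them out of band and delete the file afterwards.
# New-UsersFromCsv -Path 'C:\Users.csv' | Export-Csv 'C:\new-users.csv' -NoTypeInformation
```

Note that the original one-liner, run interactively, writes each new user object (including the generated Password property) to the console; capturing the output, as above, is what keeps those values out of the session history.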

Manage Multi-Factor Authentication for Admin Accounts

By default, user authentication in Azure AD uses passwords only. Azure Multi-Factor Authentication adds a second factor, requiring users to also respond to a text message, an automated call to an office or mobile phone, or a prompt in a mobile phone app.
The full Azure MFA capabilities enable MFA to be used by all users, and give global administrators access to the MFA management portal, custom greetings, and reports. However, the full Azure MFA capabilities require an MFA provider to be purchased and configured. MFA providers are discussed in Lesson 3 of this module.

A subset of the full MFA capabilities is available at no cost for the Global Administrators of the Azure AD instance. This subset includes:
- The ability to enable and enforce multi-factor authentication for global administrator accounts (enabling MFA for other end users is not part of the free service).
- Use of a text message, a call to an office phone, or a mobile phone app as the second authentication factor.
- App passwords for non-browser clients, such as Microsoft Outlook. An app password lets a legacy client sign in with a single factor, so treat it as a long-lived credential and revoke it when it is no longer needed.
- Default voice messages during authentication phone calls.

The free MFA features do not require a Multi-Factor Auth provider.

For information on Azure Multi-Factor Authentication, including MFA for administrators, see:
http://go.microsoft.com/fwlink/?LinkID=511760
Note that MFA is also available as part of Office 365 subscriptions.
For information on Multi-Factor Authentication for Office 365, see:
http://go.microsoft.com/fwlink/?LinkID=511960
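As an added example (not course code), the following script applies the free administrator MFA described above with the Microsoft Azure Active Directory Module for Windows PowerShell: it lists the members of the Global Administrator role (which the MSOnline cmdlets expose under its internal name, Company Administrator) and enables, or optionally enforces, MFA on each one that does not already have it. It assumes Connect-MsolService has run as a Global Administrator; the function names are ours.

```powershell
# Added example, not course code. Assumes Connect-MsolService has already been run as a Global
# Administrator. Function names are placeholders chosen for this example.

function Get-GlobalAdmin {
    # "Company Administrator" is the MSOnline name of the Global Administrator role.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | Where-Object { $_.RoleMemberType -eq 'User' }
}

function Get-MfaState {
    param([Parameter(Mandatory=$true)] [string] $UserPrincipalName)
    # StrongAuthenticationRequirements is empty when per-user MFA is off; otherwise its State is
    # "Enabled" (user must register a second factor at next sign-in) or "Enforced" (always required).
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $reqs = $user.StrongAuthenticationRequirements
    if ($reqs -and $reqs.Count -gt 0) {
        return [string]$reqs[0].State
    }
    return 'Disabled'
}

function Set-GlobalAdminMfa {
    param([switch] $Enforce)   # default is Enabled; use -Enforce once the admins have registered
    $target = if ($Enforce) { 'Enforced' } else { 'Enabled' }

    foreach ($admin in Get-GlobalAdmin) {
        $upn = $admin.EmailAddress
        $current = Get-MfaState -UserPrincipalName $upn
        if ($current -eq 'Enforced' -or $current -eq $target) {
            Write-Host ("{0}: already {1}" -f $upn, $current)
            continue
        }
        # This is the same requirement object the portal writes; RelyingParty "*" means all services.
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = $target
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        Write-Host ("{0}: MFA {1} -> {2}" -f $upn, $current, $target)
    }
}

# Usage (interactive):
# Set-GlobalAdminMfa            # Enabled: each admin registers a phone or app at next browser sign-in
# Set-GlobalAdminMfa -Enforce   # Enforced: legacy clients are blocked until an app password is created
```

Run the script with the account you are signed in as included in the list, so enable it first and register your own second factor before enforcing; an account moved straight to Enforced without a registered method cannot complete sign-in from non-browser clients until it does. To turn per-user MFA off again, pass an empty list: Set-MsolUser -UserPrincipalName <upn> -StrongAuthenticationRequirements @().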


Demonstration: Configuring Multi-Factor Authentication

In this demonstration, you will see how to:
- Create a new directory called AdatumDemo.
- Create a new Global Administrator user account.
- Configure multi-factor authentication for the new user.
- Set up multi-factor authentication for the new user.

Demonstration Steps
Create a new directory called AdatumDemo
1. In Internet Explorer, in the navigation pane, scroll down, and click ACTIVE DIRECTORY.
2. Click NEW, click DIRECTORY, and then click CUSTOM CREATE.
3. In the Add directory dialog box, enter the following settings and click Complete (check mark):
   o DIRECTORY: Create new directory
   o NAME: AdatumDemo
   o DOMAIN NAME: Use your initials + the NAME field + random numbers (for example, abcadatumdemo123456); if you get a The domain is not unique message, change the numbers until you get a green tick.
   o COUNTRY OR REGION: United States

Create a new Global Administrator user account
1. Click the right arrow next to the AdatumDemo directory.
2. Click USERS.
3. Click ADD USER.
4. In the Tell us about this user dialog box, enter the following settings and click Next:
   o TYPE OF USER: New user in your organization
   o USER NAME: rtorres
5. In the user profile dialog box, enter the following settings:
   o FIRST NAME: Rick
   o LAST NAME: Torres
   o DISPLAY NAME: Rick Torres
   o ROLE: Global Administrator
   o ALTERNATE EMAIL ADDRESS: Type the email address of your Azure subscription.
   o Enable Multi-Factor Authentication: Selected
6. Click Next.
7. Click Create.
8. On the Get temporary password page, note the value for NEW PASSWORD (you might want to copy it to Notepad); as a backup, in the SEND PASSWORD IN EMAIL box, type the email address of your Azure subscription.
9. Click Complete (check mark).

Configure multi-factor authentication for the new user

1. Click CONFIGURE.

2. Under multi-factor authentication, click Manage service settings.

3. If you get a Sign in page, enter the following credentials, and click Sign in:
   o Username: your Azure subscription name
   o Password: your Azure subscription password

4. Point out the Allow users to create app passwords to sign into non-browser applications option.

5. On the multi-factor authentication page, click users.

6. In the users list, select the check box for Rick Torres, and in the quick steps section, point out that MFA has already been enabled.

7. In the quick steps section, click Manage user settings.

8. Note the options to require users to provide contact methods again, and to delete all existing app passwords. Then click cancel.

9. In Internet Explorer, close the multi-factor authentication tab.

10. At the top right of the page, click your Azure subscription name, and then click Sign out.

Set up multi-factor authentication for the new user

1. In Internet Explorer, in the address box, type https://account.activedirectory.windowsazure.com/applications, and then press Enter.

2. On the Windows Azure page, enter the following credentials (where XXXadatumdemoXXX is your unique AdatumDemo directory name), and click Sign in:
   o Username: rtorres@XXXadatumdemoXXX.onmicrosoft.com
   o Password: the temporary password you noted above

3. On the change password page, in the OLD PASSWORD box, type the temporary password; in the CREATE NEW PASSWORD and CONFIRM NEW PASSWORD boxes, type Pa$$w0rd123, and click submit. If you are prompted to sign in again, re-enter the new password Pa$$w0rd123.

4. Note the following message: Your admin has required that you set up this account for additional security verification.

5. Click Set it up now.

6. On the additional security verification page, click in the first box, and note the contact method options: Authentication phone, Office phone, Mobile app.

7. If you have access to a mobile phone, and have a signal or data connection in the classroom, you may wish to complete the "additional security verification" steps by selecting your country or region, and either getting a code sent to you by text message, or selecting Mobile app and configuring the app for your phone.

8. Close Internet Explorer.

Manage Multiple Azure AD Directories


Support for multiple Azure directories, within the same subscription, enables administrators to have both a live production directory, and another directory for testing or non-production use, or for data synchronized from another AD forest. Multiple directory support means that an administrator can:

• Add a new directory for testing or other non-production usage, or for managing data synced from another AD forest.

• Manage all existing Windows Azure AD directories, such as Azure, Office 365, Windows Intune, using the same Microsoft account, as long as the same account is a Global Administrator for all the directories.

• Change the name of a directory to be descriptive of the organization, or label it for non-production use, for example.

• Add users to a new Windows Azure AD from an existing directory, such as to take users from a production directory and use them in a test environment, without requiring those users to sign in with new accounts and credentials.

For information on Managing Multiple Azure Directories, see:
http://go.microsoft.com/fwlink/?LinkID=511761

Lesson 2

Configuring Application Integration with Azure AD

In this lesson, students learn about how to add in-house and third-party applications to Azure AD, configure application access, configure single sign-on (SSO) for Azure AD applications, compare Azure-aware applications with applications using Azure AD, and how to use the application access panel.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the application access enhancements in Azure AD.

• Add gallery applications to Azure AD.

• Add your own custom Azure AD-aware web apps to Azure AD.

• Manage applications that use resources, such as user accounts, across multiple Azure tenant subscriptions.

Overview of Application Access Enhancements in Azure AD


Single sign-on (SSO) enables users to access Software-as-a-Service (SaaS) applications (such as Office 365, Salesforce, and so on) by using a single Azure AD organizational account. This means that administrators no longer need to create and update separate user accounts for each SaaS application; SaaS SSO also means that users do not have to remember a separate password for each SaaS application. A user access panel enables users to find out the SaaS applications that they have been given access to; this access panel provides quick launch options for users to access their applications using SSO.

Account sync enables SaaS application users to be provisioned and deprovisioned by using accounts that are ultimately managed in either an on-premises Active Directory or in Azure AD.

Centralized application access management in the Azure Management Portal provides a single point of management for controlling application access.

Unified reporting and monitoring enables administrators to easily detect anomalous user activity in Azure AD.

For information on Application access enhancements for Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511762

Adding Gallery Applications to Azure AD


Azure AD gallery applications provide automatic support for Azure AD, so that administrators do not need to manually provision user accounts for these applications. Examples of gallery applications include Office 365, Dropbox for Business, and Salesforce.

The Azure AD application gallery can be found at:
http://go.microsoft.com/fwlink/?LinkID=523982

Azure AD application access enhancements provide administrators with security and access governance controls, and enable central management of user access for SaaS applications.

If not using Azure AD, configuring SSO for multiple SaaS applications (so that users do not have to remember a separate password for each application), and multiple vendors, can be difficult. The Azure AD application gallery provides a range of popular Microsoft and third-party SaaS applications pre-integrated with Azure AD, and ready to use.

There are three options for using SSO with Azure AD:

• Azure AD SSO (federation between Azure AD and an app provider).

• Password SSO (storing credentials in Azure AD).

• Using an existing SSO (for example, ADFS).

For more information on Application access enhancements for Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511762

Adding Custom Azure AD-aware Web Apps to Azure AD


Developers can enable their own custom applications to use Azure AD, and obtain the same features as for Azure AD gallery applications. If a developer has a web application, and only users from Azure AD will be allowed access, the developer must:

1. Register the web app in the Azure AD tenant. When the app is registered, Azure AD will accept user requests to authenticate against it. This task can be completed using the Azure portal.

2. Add logic or code to the app, so that:
   a. Unauthenticated requests can be blocked and redirected to the correct Azure AD tenant for user authentication.
   b. Users who authenticated with Azure AD can be recognized and granted access.

If the developers are using the .NET platform, this second step involves configuring the out-of-the-box Windows Identity Foundation (WIF) .NET classes, so that they can work with claims-based identity and federated authentication. WIF includes HTTP modules and configuration settings that can be used to add an interception layer, and for performing redirection and authentication.

Step 2 involves configuring the application, using tools such as Visual Studio. Visual Studio provides functionality to help developers automatically configure web apps. These apps can then use WIF to redirect authentication requests to external authorities that support web-based SSO protocols, such as WS-Federation.

For information on Adding Sign-On to Your Web Application Using Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511763

Managing Multi-Tenant Applications


After an application has been configured to work with a single Azure directory, the same application can then be configured to be accessible using other Azure AD tenants. This enables developers and administrators to meet the following challenges:

• Different Azure AD tenants may have very different web sign-on methods, which would traditionally require either the application to be recoded for each tenant, or to force users to adapt to custom sign-on procedures for each application.

• Different Azure AD tenants may maintain their identity and directory data in an infrastructure that is inaccessible from cloud applications.

To meet these challenges, Azure AD provides a method for applications to request admins to grant access to their directory tenants. This is done using the Azure AD Management Portal, using a similar UI to the consent-granting functionality used by common social web applications, such as Facebook and LinkedIn.

The process for enabling multi-tenant application support involves adding something in front of your app, such as a sign-in page, so that:

• Unauthenticated requests can be intercepted, and redirected toward the correct Azure AD tenant for user authentication.

• Authenticated requests, from users who have already authenticated with Azure AD, can be recognized and the user granted access.

After authentication, AAD generates a token which is passed back to the user's browser or client-side app, and is then used with all communications to the application.

For information on Developing Multi-Tenant Web Applications with Azure AD, see:
http://go.microsoft.com/fwlink/?LinkID=511764

Lesson 3

Overview of Azure AD Premium


In this lesson, students learn about how to use the features in Azure AD Premium, configure advanced
Multi-factor Authentication settings and use MFA with applications, and list the usage scenarios for Azure
AD Application Proxy.

Lesson Objectives
After completing this lesson, you should be able to:

• List the features in Azure AD Premium, and compare with Azure AD Basic.

• Describe the technical scenarios for Azure Multi-Factor Authentication.

• Configure advanced Multi-Factor Authentication settings.

• Describe how Multi-Factor Authentication can be used with on-premises applications and Windows Server.

• Describe the Azure AD Application Proxy.

Features in Azure AD Premium


Active Directory Free edition does not incur any Azure costs and includes the following features:

• User account management. Create users and groups.

• Directory synchronization. Synchronize AAD with on-premises directories.

• Single sign-on. Users can use a single set of credentials across Azure, Office 365, and third-party SaaS applications.

Active Directory Basic edition incurs Azure costs and adds the following features to those available in Azure AD Free:

• Company branding. Add company logo and color schemes to organization Sign In and Access Panel pages, including localized versions for different languages and locales.

• Group-based application access. Use groups to provision users, and assign user access, in bulk to SaaS applications. Groups can be created in Azure AD, or be existing groups synced from on-premises Active Directory.

• Self-service password reset. Provides users with the ability to reset their own password.

AD Basic provides an enterprise SLA of 99.9 percent.

Active Directory Premium edition incurs Azure costs and adds the following features to those available in Azure AD Basic:

• Self-service group management. Enables users to create groups, request access to other groups, and delegate group ownership, so that other users can approve requests and maintain group memberships.

• Advanced security reports and alerts. Provides detailed logs showing anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based to help improve access security and response to potential threats.

• Multi-Factor Authentication. Full MFA works with on-premises applications (using VPN, RADIUS, and so on), Azure, Office 365 and Dynamics CRM Online, and third-party Azure AD gallery applications (but not non-browser off-the-shelf apps, such as Microsoft Outlook). Full MFA is covered in more detail in the following topics in this lesson.

• Password reset with write-back to on-premises directories (such as used in hybrid Exchange scenarios).

• Azure AD Sync bi-directional synchronization.

• Azure AD Application Proxy (described in the final topic in this lesson).

AD Premium provides an enterprise SLA of 99.9 percent.

For information on Azure Active Directory Editions, see:
http://go.microsoft.com/fwlink/?LinkID=511765

Technical Scenarios for Azure Multi-Factor Authentication


Multi-factor authentication is available by default, as a no-cost option, for global administrators. However, to extend MFA to all users and/or if global administrators wish to be able to use the MFA management portal, custom greetings, and reports, an MFA provider must be purchased and configured.

Multi-Factor Authentication for Office 365 is also a no-cost option, but only works with Microsoft Office 365 applications. Office 365 MFA is managed from the Office 365 portal, and provides the same set of features as provided at no cost to all Azure administrators:

• The ability to enable and enforce multi-factor authentication for end users (note that using MFA for end users is not part of the free service).

• The use of a text message, a call to an office phone, or a mobile phone app as a second authentication factor.

• App passwords for non-browser clients, such as Microsoft Outlook.

• Default voice messages during authentication phone calls.

Note that you can also manage MFA for Office 365 users from the Azure Portal, as long as you add the Office 365 directory to your subscription.

For information on Manage the directory for your Office 365 subscription in Azure, see:
http://go.microsoft.com/fwlink/?LinkID=522659


If you are deploying the Remote Desktop (RD) Gateway and Azure Multi-Factor Authentication Server using RADIUS, the Azure Multi-Factor Authentication Server is configured as a RADIUS proxy between the RD Gateway and Network Policy Server (NPS). Azure Multi-Factor Authentication Server is deployed on-premises to help secure VPNs, Microsoft Active Directory Federation Services (AD FS), IIS web applications, Remote Desktop, and other remote access applications using RADIUS, and LDAP authentication.
For information on the Azure Multi-Factor Authentication Server and Enabling Multi-Factor
Authentication for On-Premises Applications and Windows Server, see:
http://go.microsoft.com/fwlink/?LinkID=511769

If an organization has federated on-premises AD with Azure AD using AD FS, the following MFA options are available:

• Secure Azure Active Directory resources using Azure MFA or AD FS.

• Secure cloud and on-premises resources using Azure MFA Server.

To secure AD FS with Azure MFA Server, a plug-in is installed which can filter requests being made to the AD FS server. IP whitelists (now called trusted IPs) can be configured, so that internal IP addresses do not trigger MFA requests (IP whitelists are covered in the next topic).
For information on Technical Scenarios for Azure Multi-Factor Authentication, see:
http://go.microsoft.com/fwlink/?LinkID=511766

Configuring Advanced Multi-Factor Authentication Settings


Fraud Alert

The Fraud Alert feature enables users to report fraudulent attempts to sign in to their Azure resources. If a user receives an unexpected MFA authentication request, simply ignoring the request will deny access to anyone attempting to authenticate. However, by using the fraud alert feature, the user can respond to the request and enter the fraud alert code (0# by default) to report the attempted access. Using fraud alert denies the authentication request, and also blocks the user's account, so that additional authentication attempts are automatically denied. Email notifications can also be sent to administrators, or others such as security teams. After appropriate action has been taken, including changing the user's password, an administrator can then unblock the user's account by using the MFA Management Portal.

One-Time Bypass

One-Time Bypass is a temporary setting, to enable a user to sign in without using MFA; the bypass expires after the specified number of seconds. This can be useful if a user needs to use an Azure-hosted application, but is not currently able to access a phone for text messaging, automated calls, or the MFA app. The default one-time bypass period is five minutes.

Custom Voice Messages

Custom Voice Messages enable administrators to customize the messages used when MFA is used through automated voice calls to an office phone. This means that you could record your own voice phrases to replace the standard clips that are supplied with MFA.

Trusted IPs

IP whitelisting, or Trusted IP addresses, enables administrators to bypass multi-factor authentication for users that are signing in from the company's local intranet. For managed tenants, this is achieved through specific IP address ranges; for federated tenants, this can also be achieved using AD FS.

App Passwords

App Passwords permit users that have been enabled for multi-factor authentication to use non-browser clients, such as Outlook 2013 with Office 365. App passwords are created within the Azure portal, and enable the user to bypass multi-factor authentication for that application.

For information on Configuring Advanced Multi-Factor Authentication Settings, see:
http://go.microsoft.com/fwlink/?LinkID=511767
For information on App Passwords, see:
http://go.microsoft.com/fwlink/?LinkID=511768
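Fraud alert, one-time bypass, trusted IPs and app passwords each relax or route around the MFA requirement, so an administrator will want to check how they are set and which sign-ins they affected. The PowerShell below is an added example, not course content: the $settings hashtable, the sign-in records and the /24 "broad range" threshold are constructed for illustration and do not come from any Azure cmdlet.

```powershell
# Added example (not part of the course): audits the MFA bypass settings this topic
# describes and checks constructed sign-in records against trusted IP ranges.
# Assumptions: $settings and $signIns are constructed here; the /24 threshold for a
# "broad" trusted range is this example's own heuristic, not an Azure default.

function ConvertTo-IPv4UInt32 {
    # Converts a dotted-quad IPv4 address to an unsigned 32-bit integer
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ([System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-TrustedIp {
    # Returns $true when $Address lies inside any CIDR range in $TrustedRanges
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string[]]$TrustedRanges
    )
    $ip = ConvertTo-IPv4UInt32 -Address $Address
    foreach ($range in $TrustedRanges) {
        $network, $prefix = $range -split '/'
        $prefix = [int]$prefix
        # Mask with the top $prefix bits set; [math]::Pow avoids signed-integer pitfalls
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
        if (((ConvertTo-IPv4UInt32 -Address $network) -band $mask) -eq ($ip -band $mask)) {
            return $true
        }
    }
    return $false
}

function Get-MfaSettingFindings {
    # Returns one finding per setting that weakens or bypasses the MFA requirement
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    if ($Settings.AllowAppPasswords) {
        $findings += 'App passwords enabled: each one lets a non-browser client skip MFA for that app; review them under Manage user settings.'
    }
    if ($Settings.OneTimeBypassSeconds -gt 300) {
        $findings += "One-time bypass window is $($Settings.OneTimeBypassSeconds)s, above the 300s default."
    }
    if (-not $Settings.BlockUserOnFraudReport) {
        $findings += 'Block user when fraud is reported is off: a report denies one request but does not stop further attempts.'
    }
    if (-not $Settings.FraudAlertEmails) {
        $findings += 'No fraud alert notification addresses: reports will not reach the security team.'
    }
    foreach ($range in $Settings.TrustedIps) {
        $prefix = [int]($range -split '/')[1]
        if ($prefix -lt 24) {
            $findings += "Trusted IP range $range is broader than a /24; every sign-in from it skips MFA."
        }
    }
    return $findings
}

function Get-MfaBypassedSignIns {
    # Lists sign-in records whose source IP falls inside a trusted range (MFA was skipped)
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [Parameter(Mandatory)][string[]]$TrustedRanges
    )
    foreach ($signIn in $SignIns) {
        if (Test-TrustedIp -Address $signIn.SourceIp -TrustedRanges $TrustedRanges) {
            [pscustomobject]@{
                User     = $signIn.User
                SourceIp = $signIn.SourceIp
                Result   = 'MFA skipped (trusted IP)'
            }
        }
    }
}

# Constructed service settings: the demonstration's defaults plus one over-broad trusted range
$settings = @{
    AllowAppPasswords      = $true
    OneTimeBypassSeconds   = 300
    BlockUserOnFraudReport = $true
    FraudAlertEmails       = @('secops@example.com')   # constructed address
    TrustedIps             = @('10.10.0.0/16', '192.168.5.0/24')
}

# Constructed sign-in records; XXXadatumdemoXXX is the course's directory-name placeholder
$signIns = @(
    [pscustomobject]@{ User = 'rtorres@XXXadatumdemoXXX.onmicrosoft.com'; SourceIp = '10.10.42.7' }
    [pscustomobject]@{ User = 'rtorres@XXXadatumdemoXXX.onmicrosoft.com'; SourceIp = '203.0.113.25' }
    [pscustomobject]@{ User = 'helpdesk@XXXadatumdemoXXX.onmicrosoft.com'; SourceIp = '192.168.5.200' }
)

Get-MfaSettingFindings -Settings $settings | ForEach-Object { "FINDING: $_" }
Get-MfaBypassedSignIns -SignIns $signIns -TrustedRanges $settings.TrustedIps | Format-Table -AutoSize
```

With the constructed data, the audit reports the enabled app passwords and the /16 trusted range, and lists the two sign-ins from 10.10.42.7 and 192.168.5.200 as having skipped MFA while the 203.0.113.25 sign-in is left out.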

Demonstration: Configuring and Using Azure AD Premium AD Multi-Factor Authentication


In this demonstration, you will see how to:

• Create a multi-factor authentication provider.

• Configure fraud alerts.

• View fraud alert reports.

• Configure one-time bypass settings.

• Create a one-time bypass.

• Configure voice messages.

• Configure trusted IP addresses.

• Enable users to create app passwords.

Demonstration Steps

Connect to the full Azure portal

1. Start Internet Explorer, browse to https://manage.windowsazure.com, and sign in using the Microsoft account that is associated with your Azure subscription.

Create a multi-factor authentication provider

1. In the navigation pane, scroll down, and click ACTIVE DIRECTORY.

2. Click MULTI-FACTOR AUTH PROVIDERS.

3. Click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.

4. In the NAME box, type ADATUM-MFA.

5. Leave the USAGE MODEL as Per Enabled User.

6. In the DIRECTORY box, select AdatumDemo.

7. Click CREATE.

Configure fraud alerts

1. Click MANAGE at the bottom of the page to open the Azure Multi-Factor Authentication management portal.

2. In the Azure Multi-Factor Authentication management portal, click Settings.

3. In the Fraud Alert section, verify that Allow users to submit Fraud Alerts has been enabled by default.

4. Verify that Block user when fraud is reported has also been enabled by default, so users will be blocked when a fraud is reported.

5. In the Code To Report Fraud During Initial Greeting box, type 999; this code can then be entered by a user during call verification to report a fraud, and generate an alert.

6. In the Send fraud alert notifications to these email addresses box, type the email address of your Azure subscription.

7. At the bottom of the page, click Save.

View fraud alert reports

1. In the Azure Multi-Factor Authentication management portal, on the left of the page, under VIEW A REPORT, click Fraud Alert.

2. Point to the options to specify a date range for the report, and the options to specify usernames, phone numbers and user status.

3. Click Run, to show a default blank report.

Configure one-time bypass settings

1. In the Azure Multi-Factor Authentication management portal, click Settings.

2. In the One-Time Bypass section, point out the default time of 300 seconds; the bypass is temporary and will automatically expire after this period.

3. In the Send one-time bypass used notifications to these email addresses box, type the email address of your Azure subscription.

4. At the bottom of the page, click Save.

Create a one-time bypass

1. In the Azure Multi-Factor Authentication management portal, under USER ADMINISTRATION, click One-Time Bypass.

2. On the One-Time Bypass page, click New One-Time Bypass.

3. In the Username box, type rtorres@XXXadatumdemoXXX.onmicrosoft.com (where XXXadatumdemoXXX is your unique AdatumDemo directory name).

4. Note the warning message, as this user has not yet authenticated to this Multi-Factor Authentication Provider.

5. In the Bypass Reason box, type Lost phone, and click Bypass.

Configure voice messages

1. In the Azure Multi-Factor Authentication management portal, in the CONFIGURE section, click Voice Messages.

2. Click New Voice Message.

3. Click Manage Sound Files.

4. Click Upload Sound File.

5. Click Browse and navigate to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Sounds, select ListeningEarcon.wav, and click Open; you are using this file to represent a valid voice message file.

6. In the Description box, type MFA voice message, and click Upload.

7. Note the Sound file was successfully uploaded message.

8. In the CONFIGURE section, click Voice Messages.

9. Click New Voice Message.

10. In the Language list, select en-US: English (United States).

11. Leave the Application box empty, as this message will not be for a specific application.

12. In the Message Type box, select Greeting (Standard); this will be the message type that will be overridden with the custom message.

13. In the Sound File box, select ListeningEarcon.wav - MFA voice message.

14. Click Create.

15. Note the Message successfully created message.

16. Close the Azure Multi-Factor Authentication management portal tab.

Configure trusted IPs

1. Under active directory, click DIRECTORY.

2. Click AdatumDemo.

3. Click CONFIGURE.

4. In the multi-factor authentication section, click Manage service settings.

5. If you get a Sign in page, enter the following credentials, and click Sign in:
   o Username: your Azure subscription name
   o Password: your Azure subscription password

6. On the service settings page, under trusted ips, select For requests from federated users originating from my intranet.

7. At the bottom of the page, click save.

8. After the updates have been applied, click close.

Enable users to create App Passwords

1. At the top of the service settings page, ensure Allow users to create app passwords to sign into non-browser applications is selected.

2. At the bottom of the page, click save.

3. After the updates have been applied, click close.

4. Close Internet Explorer.

Reset the Environment

1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:

   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account. The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.

The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script does not remove the Azure Directory; this can either be manually deleted or you can leave it in place, as it does not affect subsequent labs.

Multi-Factor Authentication for On-Premises Resources


MFA can be used to protect on-premises resources using the Azure MFA Server. The MFA Server integrates with IIS authentication to secure Microsoft IIS web applications, RADIUS authentication, LDAP authentication, and Windows authentication.

Before using the Multi-Factor Authentication Server, you must download and activate it; the download is available through a link on the MFA Management Portal. The Azure Multi-Factor Authentication Users Portal is an IIS website where users can enroll for Azure MFA, and manage their MFA accounts.

User Enrollment and Self-Management involves users completing their enrollment, such as by selecting an authentication method if the administrator has not pre-specified this.

In order to use Azure MFA mobile phone apps:

• The Azure Mobile App Web Service must be accessible via a public URL.

• The Azure Mobile App Web Service, and the Azure Multi-Factor Authentication Web Service SDK, must be secured with an SSL certificate.

When the Azure Mobile App Web Service has been deployed, and users have installed the Azure Multi-Factor Authentication App to their mobile device, they can:

1. Log in to the User Portal and generate an activation code or contact an administrator who will generate an activation code for them.

2. Activate the Azure Multi-Factor Authentication App by entering an activation code and URL, or by scanning the barcode picture.

3. Switch their authentication method to Mobile App or contact an administrator, who will change it for them.

For information on Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server, see:
http://go.microsoft.com/fwlink/?LinkID=511769

Azure AD Application Proxy


The Azure AD Application Proxy is a cloud-based proxy service that enables an organization's own custom browser-based applications (such as SharePoint Sites, Outlook Web Access and IIS based applications) to use Azure AD.

The Azure AD Application Proxy is a reverse-proxy service that supports browser-based applications, using both unsecure (http:) and secure (https:) connections. With the Azure AD Application Proxy, you can achieve selective publishing of application endpoints; post-review, it will also support pre-authentication of users and devices.

To use the Azure AD Application Proxy, you must install a simple software agent, or connector, on an on-premises server, such as a backend application tier. This connector sends outgoing http and https requests to the cloud-based Azure proxy service; the proxy service responses contain the incoming user requests. User requests are routed from the connector to the target application, without requiring any infrastructure in the perimeter network; users can access on-premises applications without needing any direct access to an on-premises network.

For information on Public Preview of Azure AD Application Proxy, see:
http://go.microsoft.com/fwlink/?LinkID=511770

Lab: Implementing Azure Active Directory

Scenario

The IT department at A. Datum currently uses on-premises Active Directory, and a range of AD-aware applications. As part of A. Datum's evaluation of Microsoft Azure, you need to test the migration of some users from on-premises Active Directory to Azure AD. As part of this testing, you need to create some pilot users and groups in Azure AD.

A. Datum are also planning to deploy Azure-aware applications, and require users to use single sign-on for these applications. There is then no additional administration overhead in maintaining separate user accounts for each application. As part of A. Datum's evaluation of Microsoft Azure, you need to install and configure a test application, and confirm successful single sign-on.

A. Datum also require applications to use multi-factor authentication for all authentication requests from outside the company intranet. As part of A. Datum's evaluation of Microsoft Azure, you need to configure and test MFA for global administrators.

Objectives
After completing this lab, you will be able to:
• Administer Azure Active Directory.
• Configure Single Sign-On for AD gallery applications.
• Configure Multi-Factor Authentication for administrators.

Lab Setup
Estimated Time: 45 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd
Before starting this lab, ensure that you have performed the Preparing the Environment demonstration tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Administering Azure AD


Scenario

As part of your test migration of some A. Datum users from on-premises Active Directory to Azure AD,
you first need to create a new Azure directory, and then create some pilot users and groups in Azure AD.
In these tasks, you will use both the portal and Microsoft Azure Active Directory module for Azure
PowerShell.
The main tasks for this exercise are as follows:
1. Create Directories
2. Manage Users in the Portal
3. Manage Groups in the Portal
4. Manage Users and Groups With Azure PowerShell

Task 1: Create Directories

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. In Internet Explorer, browse to http://azure.microsoft.com and sign into the portal using the Microsoft account that is associated with your Azure subscription.

3. Add a directory with the following settings:
   o DIRECTORY: Create new directory
   o NAME: Adatum
   o DOMAIN NAME: Use your initials + the NAME field + random numbers (e.g. abcadatum123456)
   o COUNTRY OR REGION: United States

Task 2: Manage Users in the Portal

1. Create the following user in the Adatum directory:
   o USER NAME: rdesforges
   o FIRST NAME: Remi
   o LAST NAME: Desforges
   o DISPLAY NAME: Remi Desforges
   o ROLE: User
   o Enable Multi-Factor Authentication: Not selected

2. Note the value for NEW PASSWORD; as a backup, in the SEND PASSWORD IN EMAIL box, type the email address of your Azure subscription.

3. Create the following user in the Adatum directory, and note the temporary password:
   o USER NAME: kgruber
   o FIRST NAME: Karen
   o LAST NAME: Gruber
   o DISPLAY NAME: Karen Gruber
   o ROLE: Global Administrator
   o In the ALTERNATE EMAIL ADDRESS box, type the email address of your Azure subscription
   o Enable Multi-Factor Authentication: Not selected

4. Note the value for NEW PASSWORD; as a backup, in the SEND PASSWORD IN EMAIL box, type the email address of your Azure subscription.

5. Sign out of the portal.

6. Sign in as Karen Gruber, and change the temporary password to Pa$$w0rd123.

Task 3: Manage Groups in the Portal

1. Browse to https://manage.windowsazure.com, and sign in using the Microsoft account that is
   associated with your Azure subscription.

2. Create the following group in the Adatum directory:
   o NAME: Sales
   o DESCRIPTION: Sales team

3. Add Remi Desforges to the Sales group.

4. Create the following group in the Adatum directory:
   o NAME: Marketing
   o DESCRIPTION: Marketing employees

5. Add Remi Desforges to the Marketing group.

6. Create the following group in the Adatum directory:
   o NAME: Sales and Marketing
   o DESCRIPTION: Sales and Marketing employees

7. Add the Sales and Marketing groups to the Sales and Marketing group.

Task 4: Manage Users and Groups With Azure PowerShell

1. On the taskbar, right-click Windows Azure Active Directory Module for Windows PowerShell and
   click Run ISE as Administrator.

2. If a User Account Control dialog box appears, click Yes.

3. In the PowerShell ISE, click File and then click Open.

4. In the Open dialog box, browse to D:\Labfiles\Lab10\Starter\.

5. Click ExampleCommands.ps1 and then click Open.

6. If the Script pane is not visible, on the View menu, click Show Script Pane.

7. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
   Connect-MsolService

8. In the Enter Credentials dialog box, log in as kgruber@XXXadatumXXX.onmicrosoft.com (where
   XXXadatumXXX is your unique Adatum domain name), with a password of Pa$$w0rd123, and then
   click OK.

9. In the PowerShell ISE, in the Script pane, locate the following code (the display name is quoted
   because it contains a space, and the password is single-quoted so that PowerShell does not expand
   the $$ inside it):
   New-MsolUser -UserPrincipalName mledford@<#Copy your Azure Directory name here#>.onmicrosoft.com -DisplayName "Mario Ledford" -FirstName Mario -LastName Ledford -Password 'Pa$$w0rd123' -ForceChangePassword $false -UsageLocation US

10. Replace <#Copy your Azure Directory name here#> with your Azure Directory name.

11. In the PowerShell ISE, in the Script pane, select the code you have just edited.

12. On the toolbar, click the Run Selection button and wait for the script to complete.

13. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
    Get-MsolUser

14. In the PowerShell ISE, in the Script pane, locate the following code:
    New-MsolGroup -DisplayName "Azure team" -Description "Adatum Azure team users"

15. In the PowerShell ISE, in the Script pane, select the above code.

16. On the toolbar, click the Run Selection button and wait for the script to complete.

17. In the PowerShell ISE, in the command prompt pane, enter the following command and press Enter:
    Get-MsolGroup

18. In the PowerShell ISE, in the Script pane, locate the following code:
    $group = Get-MsolGroup | Where-Object {$_.DisplayName -eq "Azure team"}

19. In the PowerShell ISE, in the Script pane, select the above code.

20. On the toolbar, click the Run Selection button and wait for the script to complete.

21. In the PowerShell ISE, in the Script pane, locate the following code:
    $user = Get-MsolUser | Where-Object {$_.DisplayName -eq "Mario Ledford"}

22. In the PowerShell ISE, in the Script pane, select the above code.

23. On the toolbar, click the Run Selection button and wait for the script to complete.

24. In the PowerShell ISE, in the Script pane, locate the following code:
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId

25. In the PowerShell ISE, in the Script pane, select the above code.

26. On the toolbar, click the Run Selection button and wait for the script to complete.

27. In the PowerShell ISE, in the Script pane, locate the following code:
    Get-MsolGroupMember -GroupObjectId $group.ObjectId

28. In the PowerShell ISE, in the Script pane, select the above code.

29. On the toolbar, click the Run Selection button and wait for the script to complete.

30. In the portal, verify that Mario Ledford appears in the list of users, and that Azure team appears in
    the list of groups.
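The Task 4 procedure, written as one re-runnable script. This is an added example and not the lab's ExampleCommands.ps1; it assumes the MSOnline module is installed, that you are connected as the Global Administrator created in Task 2, and that the placeholder XXXadatumXXX is replaced with your unique Adatum directory name. It adds the checks the lab steps leave out: it does not recreate an existing user or group, it does not add a duplicate membership, and it finishes by listing who holds the Global Administrator role.

```powershell
# Added example (not the lab's ExampleCommands.ps1): the Task 4 procedure as one re-runnable script.
# Assumes the MSOnline module is installed and that $DirectoryName is the unique Adatum directory
# name you chose in Task 1 (placeholder below).
Import-Module MSOnline
Connect-MsolService              # prompts for the Global Administrator credentials (Karen Gruber)

$DirectoryName = "XXXadatumXXX"  # placeholder: replace with your Adatum domain name
$Upn       = "mledford@$DirectoryName.onmicrosoft.com"
$GroupName = "Azure team"

# Create the user only if it does not exist yet; New-MsolUser fails on a duplicate UPN.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $user) {
    # Single quotes stop PowerShell from expanding $$ inside the password.
    # The lab keeps -ForceChangePassword $false so that the same password works in Exercise 2;
    # outside the lab, $true makes the temporary password single-use.
    $user = New-MsolUser -UserPrincipalName $Upn -DisplayName "Mario Ledford" `
        -FirstName "Mario" -LastName "Ledford" -Password 'Pa$$w0rd123' `
        -ForceChangePassword $false -UsageLocation "US"
}

# Create the group only if it is missing (group display names are not unique, so match on name).
$group = Get-MsolGroup | Where-Object { $_.DisplayName -eq $GroupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $GroupName -Description "Adatum Azure team users"
}

# Add the membership only when it is missing; Add-MsolGroupMember errors on a duplicate.
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
if (-not ($members | Where-Object { $_.ObjectId -eq $user.ObjectId })) {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType "User" `
        -GroupMemberObjectId $user.ObjectId
}

# Verification: the group's members, and who holds the Global Administrator role, so that a pilot
# account created with the wrong ROLE is caught now rather than after the migration.
Get-MsolGroupMember -GroupObjectId $group.ObjectId | Select-Object DisplayName, EmailAddress
$adminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId | Select-Object DisplayName, EmailAddress
```

Run the script from the same PowerShell ISE session as the lab; the second and later runs only print the verification lists, which is what you want from a provisioning script that may be re-executed.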

Results: After completing this exercise, you will have created some pilot users and groups in Azure AD
using the portal and Microsoft Azure Active Directory module for Azure PowerShell.


Exercise 2: Configure Single Sign-On

Scenario

As A. Datum are planning to deploy Azure-aware applications, and require users to use single sign-on for
these applications, you now need to install and configure a test application, and confirm successful single
sign-on.
The main tasks for this exercise are as follows:
1. Add Directory Applications and Configure Single Sign-On
2. Test Single Sign-On

Task 1: Add Directory Applications and Configure Single Sign-On

1. In the Adatum directory, create the following application from the gallery:
   o Microsoft Account (Windows Live)

2. Verify that Configure single sign-on has been enabled by default.

3. Assign the following user:
   o Mario Ledford

4. Select to enter Microsoft Account (Windows Live) credentials on behalf of the user.

5. In the Email Address box, type the email address of your Azure subscription. In the Password box,
   type your Azure subscription password, and then click the check mark.

6. In the Adatum directory, create the following application from the gallery:
   o Skype

7. Verify that Configure single sign-on has been enabled by default.

8. Assign the following user:
   o Mario Ledford

9. Do not enter Microsoft Account (Windows Live) credentials on behalf of the user.

Task 2: Test Single Sign-On

1. Go to https://account.activedirectory.windowsazure.com/applications, and sign in with the
   following credentials (where XXXadatumXXX is your unique Adatum domain name):
   o Username: mledford@XXXadatumXXX.onmicrosoft.com
   o Password: Pa$$w0rd123

2. On the applications page, note the options to Update credentials, and Report a problem for Microsoft
   Account (Windows Live).

3. Run Microsoft Account (Windows Live), and complete the Access Panel Extension Setup Wizard.

4. Go to https://account.activedirectory.windowsazure.com/applications, and sign in using the
   following credentials (where XXXadatumXXX is your unique Adatum domain name):
   o Username: mledford@XXXadatumXXX.onmicrosoft.com
   o Password: Pa$$w0rd123

5. Click Microsoft Account (Windows Live), and verify that your sign-on to the Access Panel has
   automatically signed you in to your Microsoft Account.

6. Click Skype, and verify that you are now prompted for credentials, because you did not enter any
   credentials on behalf of the user when configuring single sign-on.

Results: After completing this exercise, you will have installed and configured a test application, and
confirmed successful single sign-on.

Exercise 3: Configuring Multi-Factor Authentication


Scenario

As A. Datum require applications to use multi-factor authentication, you now need to configure and test
MFA for global administrators.
The main tasks for this exercise are as follows:
1. Configure Multi-Factor Authentication
2. Test Multi-Factor Authentication
3. Reset the Environment

Task 1: Configure Multi-Factor Authentication

1. Sign in to the Azure portal using your Azure subscription.

2. Configure the Adatum directory to enable MFA for Karen Gruber.
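The same configuration done from the Microsoft Azure Active Directory Module for Windows PowerShell rather than the portal, as an added example that is not part of the course. It assumes a Global Administrator session, the MSOnline module, and the placeholder XXXadatumXXX for your directory name. Beyond enabling MFA for Karen Gruber, it reports the MFA state of every user and flags any Global Administrator that still has no requirement, which is the check you would run before declaring the exercise's goal (MFA for all administrators) met.

```powershell
# Added example (not course code): enable per-user MFA with the MSOnline module and verify the result.
# Assumes a Global Administrator session; XXXadatumXXX is a placeholder for your directory name.
Import-Module MSOnline
Connect-MsolService

$Upn = "kgruber@XXXadatumXXX.onmicrosoft.com"   # placeholder domain name

# A StrongAuthenticationRequirement with RelyingParty "*" applies to every application.
# State "Enabled" makes the user register on next sign-in (the message seen in Task 2);
# "Enforced" additionally requires MFA for every sign-in once registration is complete.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State        = "Enabled"

Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($requirement)

# Report the MFA state of every user in the directory.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = "MfaState"; Expression = {
            $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
            if ($req) { $req.State } else { "Disabled" } } } |
    Format-Table -AutoSize

# Flag Global Administrators ("Company Administrator" role) that carry no MFA requirement.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId | ForEach-Object {
    $admin = Get-MsolUser -ObjectId $_.ObjectId
    if (-not $admin.StrongAuthenticationRequirements) {
        Write-Warning "No MFA requirement on Global Administrator $($admin.UserPrincipalName)"
    }
}
```

Passing an empty array to -StrongAuthenticationRequirements removes the requirement again, which is how you would undo the change for a user after the lab.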

Task 2: Test Multi-Factor Authentication

1. Go to https://account.activedirectory.windowsazure.com/applications, and sign in using the
   following credentials (where XXXadatumXXX is your unique Adatum domain name):
   o Username: kgruber@XXXadatumXXX.onmicrosoft.com
   o Password: Pa$$w0rd123

2. Note the following message: Your admin has required that you set up this account for additional
   security verification.

3. Click Set it up now. On the additional security verification page, note the contact method options.

4. Optional step: If you have access to a mobile phone in the classroom, and have a signal or data
   connection, you may wish to complete the "additional security verification" steps on the additional
   security verification page.

Task 3: Reset the Environment

1. Close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.

3. Type the following command, and then press Enter:
   Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.

The script removes all storage, VMs, virtual networks, cloud services, and resource groups. The script
does not remove the Azure Directory; this can either be manually deleted or you can leave it in place
as it does not affect subsequent labs.

Results: After completing this exercise, you will have configured MFA for administrators.

Module Review and Takeaways


In this module, you learned about:

Creating and managing Azure AD directories.

Configuring application integration with Azure AD.

The features of Azure AD Premium.

Review Question(s)
Question: What are some benefits of hosting part or all of an organization's Active Directory
in Azure?


Module 11
Managing Active Directory in a Hybrid Environment
Contents:
Module Overview                                               11-1
Lesson 1: Extending On-Premises Active Directory into Azure   11-2
Lesson 2: Directory Synchronization                           11-9
Lesson 3: Implementing Federation                             11-24
Lab: Managing an Active Directory Hybrid Environment          11-35
Module Review and Takeaways                                   11-39

Module Overview

In this module, you will look at three alternative approaches for integrating on-premises Active
Directory with Microsoft Azure. These options are: placing a domain controller into Azure; implementing
directory synchronization, with optional password synchronization; or implementing single sign-on using
Active Directory Federation Services (AD FS). Finally, you will consider how to manage these types of
hybrid environment.

Objectives
After completing this module, you should be able to:

Extend your on-premises Active Directory domain into Microsoft Azure.

Synchronize user accounts between on-premises Active Directory and Microsoft Azure Active
Directory.

Set up single sign-on using federation between on-premises Active Directory and Microsoft Azure
Active Directory.

Lesson 1

Extending On-Premises Active Directory into Azure

So far, you have probably only considered having on-premises domain controllers, with those domain
controllers existing in your data center. You may also have deployed domain controllers to branch offices,
either as writable instances or as read-only domain controllers (RODC).
With Microsoft Azure, you can also place one or more domain controllers into the cloud, enabling
applications that run in cloud-based instances to authenticate to one of those authoritative sources.

Lesson Objectives
After completing this lesson, you should be able to:

Plan for installing domain controllers into Microsoft Azure.

Extend your on-premises domain into Microsoft Azure.

Deploy any additional domain controllers into Microsoft Azure.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a storage account in the Azure region you select; it then creates a virtual network
(ADATUM-HQ-VNET); then creates a Windows server VM; then promotes this server to a DC and sets up
users; and then removes the Azure subscription and account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab.

Demonstration Steps

Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on
   to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow
   the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take
   several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to
   http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated
   with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. If you are
   prompted to sign in, use the Microsoft account that is associated with your Azure subscription. Then,
   in the new tab that is opened, close any initial "welcome" messages for the new portal.

5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
   User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:
   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Azure subscription.

6. When prompted, enter the Azure region to use, and then press Enter.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take 30-40 minutes to configure your Microsoft Azure environment, ready for the lab at the
end of this module.
At the end of setup, you should have the following:

A uniquely named storage account.

A uniquely named cloud service.

A virtual network named ADATUM-HQ-VNET (10.0.1.0/24).

An Azure DNS named ADATUM-DNS at 10.0.1.4.

A VM called AdatumDC1, running as a domain controller.

The script might take more than 30 minutes to configure your Microsoft Azure environment, ready for the
lab at the end of this module.

7. When the script completes, navigate to D:\Labfiles\Lab11\Starter and double-click
   AdatumDC1.rdp.

8. In the Remote Desktop Connection dialog box, click Connect.

9. Log on to AdatumDC1 as Student with a password of Pa$$w0rd.

10. In the Remote Desktop Connection dialog box, click Yes.

11. In Server Manager, click Local Server.

12. In PROPERTIES, on the right-hand side, next to IE Enhanced Security Configuration, click On.

13. In the Internet Explorer Enhanced Security Configuration dialog box, under both Administrators
    and Users, click Off, then click OK.

14. Close Server Manager, and then close the AdatumDC1 session.

15. In the Remote Desktop Connection dialog box, click OK.

16. You are now ready to commence the lab.

Hybrid Active Directory as a Component of Azure

Azure Directory can be integrated with an on-premises Active Directory Directory Service, to create a
hybrid directory implementation. There are several ways to implement such a hybrid deployment, and this
module considers the advantages and disadvantages of each approach.

Summary of Active Directory and Microsoft Azure Active Directory Integration Options

There are three main options for integrating Microsoft Azure with your on-premises Active Directory
Directory Service. These three options are:

Extending on-premises Active Directory into Microsoft Azure. With this option, you host virtual
machines in Microsoft Azure that you then promote to be domain controllers within your on-premises
Active Directory.

Synchronizing on-premises Active Directory with Microsoft Azure Active Directory. Directory
Synchronization (DirSync) propagates user, group and contact information into Microsoft Azure Active
Directory and keeps that information synchronized. It can be used with optional password synchronization
so the user logs on to Microsoft Azure using the same user account and password as his or her
on-premises account, although the authentication processes are still separate.

Implementing single sign-on between on-premises Active Directory and Microsoft Azure
Active Directory. This third option supports the largest range of integration features and enables a
user to log on to Microsoft Azure after being authenticated by the on-premises Active Directory. The
technology used is Active Directory Federation Services (AD FS) and a typical implementation uses AD
FS proxies to handle incoming authentication requests from the Internet. Alternatively, you can use
the Windows Server 2012 R2 Web Application Proxy (WAP) role service to provide this proxying.

The remainder of this module explains these differences further.

Identifying Reasons to Extend Active Directory to Microsoft Azure

As Microsoft Azure provides infrastructure as a service (IaaS) facilities and can host virtual machines in
the cloud, it makes sense to consider using Azure for hosting domain controllers, so extending the
boundaries of your on-premises domains onto this platform. Hosting domain controllers in Azure can
provide a range of benefits, both for on-premises users and for those who connect to on-premises and
Azure-based services from around the world.
Reasons for placing Domain Controllers in Azure include:

Providing resilience to the on-premises directory.

Keeping authentication requests for Azure-based services within the Azure environment.

Extending access to on-premises Active Directory to worldwide sites.

Enabling additional directory synchronization options such as DirSync and SSO with AD FS.

Planning Domain Controllers in Microsoft Azure

To begin the process of deploying domain controllers into Microsoft Azure, you need to plan the
following areas:

Azure architecture

Inter-site connectivity

Site-to-site VPN setup

Forest and domain relationships

Active Directory site topology

FSMO Roles and GC Placement

Azure Architecture
When planning the architecture, you need to take into account the following guidelines:

Create an Azure virtual network, and IP address scheme, and deploy your DCs into this vNet.

Create the vNET first and allocate the DCs to that vNET on creation.

Deploy at least two DCs into Azure for resilience.

Allocate static IP addresses to your DCs using the Set-AzureStaticVNetIP PowerShell command.

Plan for a site-to-site VPN so that replication traffic can come in to your on-premises DCs from the
Azure-based DCs.

Consider carefully whether to deploy read-only domain controllers (RODCs) in Azure. Although this
arrangement reduces the amount of egress traffic and the charges on your Azure account, RODCs do
not work in situations where a service needs read/write access to the directory.

Inter-Site Connectivity
A key element is going to be the inter-site connectivity between your on-premises environment and
Microsoft Azure. To ensure that the VMs hosted in Azure can communicate with your internal DCs, you
must set up a vNet with site-to-site connectivity back in to your on-premises network (or use
ExpressRoute). To provide this connectivity, you must implement the following elements:

A VPN server that supports incoming connections from Azure.

A static IP address on your Internet connection. This IP address is used to establish the
communication endpoint to which the Azure environment can then connect.

A site-to-site connection in Microsoft Azure configured with a gateway to connect to the on-premises
network.
For more information about setting up site-to-site connectivity, see:
http://go.microsoft.com/fwlink/?LinkID=522660

Forest and Domain Relationship


You will need to plan how you configure the new DCs. You have three main options:

Create a separate Active Directory forest in Azure.

Create a separate Active Directory domain in Azure.

Add the Azure DCs to your on-premises domain.

The first option gives the best security separation between your on-premises and Azure environments, but
would require you to establish and maintain trust relationships between the two forests. Note that you
will also have to put all of the Flexible Single Master Operations (FSMO) roles on to an Azure-hosted DC.
The second option provides namespace separation between your on-premises domain and your Azure
domain(s), but does not provide any additional security boundary. Use this option if you want to
implement namespace separation, but be aware that this choice may affect future DirSync operations:
you may have different UPNs for each domain, so domain synchronization would be more complex. Also,
you will have to place the domain-level FSMO roles on to an Azure-hosted DC.
The third option is likely to be the selected option, as this arrangement simply extends the on-premises
domain into the cloud while preserving a single namespace.

Active Directory Sites

If you select the separate domain or same domain option, you will need to configure sites in Active
Directory so that you can control the replication traffic between the on-premises and the Azure-based
DCs. In both cases, the Knowledge Consistency Checker (KCC) controls the replication process, but
intra-site replication uses a bidirectional ring topology that assumes high-bandwidth, permanently
available connections. Replication traffic is not scheduled and updates are optimized for speed. By
contrast, inter-site replication uses a least-cost spanning tree topology with a default three-hour
interval that can be restricted to certain times of the day or week.

By default, Active Directory creates a default site and a default site IP link. You should plan for at least two
sites, one for the on-premises DCs, the other for the Azure-based DCs. You can then review the settings of
the default site IP link to check that it meets your requirements for replication and cost control.

FSMO Roles and GC Placement

If you have the choice, you would not want to place the FSMO roles on the Azure-hosted DCs. However, if
your Azure DCs are in a separate domain, then you will have to put the PDC Emulator, RID Master and
Infrastructure Master on those VMs. If the Azure DCs are in a separate forest, then the Schema Master and
Domain Naming Master will need to be hosted in Azure.
Regardless of your domain topology, you should configure all of your Azure-based DCs as Global Catalog
servers. This arrangement prevents global catalog lookups and evaluations of Universal Group
memberships from having to traverse from Azure to the on-premises GC and therefore incur network
usage charges.
Note: Because sites need different IP address ranges, you would not place your Azure DCs
in a vNet that shares the same IP address range as the on-premises network.

Discussion: Placing Domain Controllers in Microsoft Azure

Discuss the following topics as they apply to your own work environment:

Would your company consider deploying a DC for your on-premises AD DS domain in Azure?

What benefits would you expect to realize?

What would be your reservations about using this approach?

Process for Extending an On-Premises Domain into Azure

To extend your on-premises domain into Azure, you need to carry out the following process:

Create Virtual Network for Site-to-Site Connectivity

You must have a site-to-site VPN so that the Azure-based DC can open a connection back to the
on-premises DCs.
For information on how to configure a site-to-site VPN, see:
http://go.microsoft.com/fwlink/?LinkID=522661

Create Storage Account

You will need a storage account into which you are going to place the Azure virtual hard disk for the VM
operating system and then create a separate disk, with drive caching switched off, that will be the location
for the Active Directory Database, log files and Sysvol.
For more information on the procedure for creating a storage account, see:
http://go.microsoft.com/fwlink/?LinkID=522662

Create Virtual Machine and assign IP address

At this point, you create a virtual machine and assign it to the vNet that you created previously.
For information on the procedure for creating a virtual machine, see:
http://go.microsoft.com/fwlink/?LinkID=522663

Then use the Set-AzureStaticVNetIP command to assign the VM a static address. The cmdlet operates on a
VM object, so retrieve the existing VM, set the address, and write the change back with Update-AzureVM.
For example, to assign the 10.0.0.15 address, use the following syntax:
Get-AzureVM -ServiceName "Name of the Cloud Service" -Name "Name of the Virtual Machine" |
Set-AzureStaticVNetIP -IPAddress "10.0.0.15" | Update-AzureVM

To set up a static IP address at the same time that you configure a VM, use a PowerShell command similar
to the following (the -VNetName parameter is required when New-AzureVM creates the cloud service
inside the vNet):
New-AzureVMConfig -Name "Name of the Virtual Machine" -ImageName "Name of the Image" -InstanceSize Small |
Set-AzureSubnet -SubnetNames "Name of Subnet" | Set-AzureStaticVNetIP -IPAddress "IP address" |
New-AzureVM -ServiceName "Name of the Cloud Service" -VNetName "Name of the Virtual Network" -AffinityGroup "Name of the Affinity Group"

Install DNS

Although AD DS setup adds the DNS role to the server, you will need to configure DNS to provide name
resolution services before that, so that the Azure-based VM can resolve the address of one of the
on-premises DCs. You cannot use Azure internal name resolution in this scenario.
You can add the DNS role either through Add Roles and Features in Server Manager or by using the
following PowerShell cmdlet:
Add-WindowsFeature DNS

Promote Server to Domain Controller

To promote the server to a domain controller, you need to add and then configure Active Directory
Domain Services (AD DS). The AD database should be placed on a data drive with caching turned off.
You can add the AD DS role either through Add Roles and Features in Server Manager or by using the
following PowerShell cmdlet (the feature name is AD-Domain-Services; the promotion itself is then
performed by Install-ADDSDomainController):
Add-WindowsFeature AD-Domain-Services -IncludeManagementTools
Note: At the end of this configuration process, you might want to configure higher security
levels on the VM, such as removing the RDP endpoint and configuring additional outgoing traffic
rules.
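The whole process above, from the vNet to a promoted domain controller, as one added PowerShell script. This is not course code; it uses the classic (service management) Azure PowerShell module to which Set-AzureStaticVNetIP belongs, and assumes the vNet ADATUM-HQ-VNET with a subnet named Subnet-1 and a working site-to-site VPN already exist, that the on-premises domain is adatum.com, that an Active Directory site named Azure has been created for the Azure-based DCs (see Active Directory Sites above), and that every value in angle brackets is a placeholder you replace. It adds two checks the prose implies but does not spell out: that the planned static address is free before the VM is built, and that the DC locator record for the domain resolves over the VPN before promotion is attempted.

```powershell
# Added example (not course code): extend an on-premises domain into Azure as one script.
# Assumptions: vNet ADATUM-HQ-VNET / subnet "Subnet-1" with site-to-site VPN already exists,
# on-premises domain is adatum.com, an AD site named "Azure" exists for the Azure-based DCs,
# and every <value> is a placeholder you replace.

### Part 1: run on the administrative workstation (classic Azure PowerShell module).
Import-Module Azure
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "<subscription name>"

$vnet     = "ADATUM-HQ-VNET"
$subnet   = "Subnet-1"
$staticIp = "10.0.1.10"      # inside the subnet; must not overlap any on-premises IP range
$vmName   = "AdatumDC2"
$service  = "<existing cloud service>"   # for a new service add -Location or -AffinityGroup to New-AzureVM
$image    = "<Windows Server 2012 R2 image name from Get-AzureVMImage>"
$cred     = Get-Credential -Message "Local administrator for the new VM (not 'Administrator')"

# Refuse to build the VM if the planned address is already taken in the vNet.
$ipCheck = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $staticIp
if (-not $ipCheck.IsAvailable) {
    throw "$staticIp is in use. Free addresses: $($ipCheck.AvailableAddresses -join ', ')"
}

# VM definition: subnet, static address, and a second disk with host caching OFF for NTDS/SYSVOL.
$dc = New-AzureVMConfig -Name $vmName -InstanceSize Small -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName `
        -Password $cred.GetNetworkCredential().Password |
    Set-AzureSubnet -SubnetNames $subnet |
    Set-AzureStaticVNetIP -IPAddress $staticIp |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel "ADDS" -LUN 0 -HostCaching None

New-AzureVM -ServiceName $service -VNetName $vnet -VMs $dc

### Part 2: run inside the new VM over RDP, in an elevated PowerShell session.
# Bring the uncached data disk online as F:, the home of the AD database, logs and SYSVOL.
Get-Disk | Where-Object PartitionStyle -eq "RAW" |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "ADDS" -Confirm:$false

# Azure-provided name resolution cannot find the domain: point the VM at an on-premises DC and
# prove that the domain's DC locator record resolves over the VPN before attempting promotion.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "<on-premises DC IP>"
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.adatum.com" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "Cannot locate a DC for adatum.com; fix DNS or the VPN before promoting."
}

# Add DNS and AD DS, then promote as an additional DC in the existing domain. Global Catalog is
# on by default (no -NoGlobalCatalog), which keeps GC lookups inside Azure.
Add-WindowsFeature DNS, AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName "adatum.com" -SiteName "Azure" `
    -Credential (Get-Credential -Message "Domain Admin account (ADATUM\...)") -InstallDns `
    -DatabasePath "F:\NTDS" -LogPath "F:\NTDS" -SysvolPath "F:\SYSVOL" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") -Force
```

The data disk is created with -HostCaching None because the prose above requires caching off for the directory database; the -DatabasePath, -LogPath and -SysvolPath parameters are what actually put NTDS and SYSVOL on that disk, otherwise promotion defaults to C:\Windows.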

Lesson 2

Directory Synchronization

In this second lesson, you move on to look at directory synchronization, or DirSync. DirSync provides a
mechanism for synchronizing users, groups and contacts in Active Directory to Microsoft Azure Active
Directory.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the functionality that DirSync and Password Sync provides.

Contrast DirSync and Password Sync with single sign-on.

Discuss which option is best for your organization.

Prepare your on-premises Active Directory for directory synchronization.

Install and configure DirSync.

Manage and monitor DirSync.

Overview of Directory Synchronization


Directory Synchronization enables user, group,
and contact synchronization between on-premises
Active Directory and Microsoft Azure Active
Directory. In its simplest form, you just install a
Directory Synchronization component on a server
in your on-premises domain. You then provide an
account with Domain Admin and Enterprise
Admin access to Active Directory, and another
account with administrator access to Microsoft
Azure, and let it run. All your user accounts,
groups, and contacts from Active Directory will
then be replicated into Microsoft Azure Active
Directory. Those accounts can then be used to log on to and access services in Azure.
Note: Unless you activate Password Synchronization, users will have a separate password
from their on-premises environment for when they log on to a Microsoft Azure resource. If you
do implement Password Sync, users will still be prompted for their credentials when they access
the Azure resource, even on domain-joined computers. The difference with Password Sync is that,
to log on to the Azure resource, they use the same user name and password as their domain
login. They can also use any option to save credentials so that they are not prompted for their
password again when they next access that resource.


The Directory Synchronization toolset is currently in transition, with existing tools being phased out to be
replaced by new software. At the time of writing this content, there are two tool links provided from the
Quick Start page for an Azure Directory in the Full Azure Portal:

DirSync

AAD Connect

DirSync

In the Full Azure Portal, the Set up directory integration link, points to the download location for
DirSync. When you run this installer, it identifies as Windows Azure Active Directory Synchronization
tool (WAAD Sync), but is still generically referred to as DirSync.
DirSync is a cut-down version of Forefront Identity Manager (FIM) 2010 R2, Microsoft's Identity
Management server. FIM is a metadirectory with agents that connect to the source directory services,
extract the directory objects, and place those objects' attributes in the metadirectory database. The
metadirectory is stored as a series of tables, either in the Windows Internal Database or a full version of
SQL Server.

In a separate operation, another agent connects to the target directory service and then pushes those
objects into the target directory service which, with DirSync, is Microsoft Azure Active Directory. The main
difference between DirSync and the full version of FIM is that DirSync only has agents for Active Directory
and Microsoft Azure Active Directory. DirSync also has fewer options for filtering objects and attributes.

After the initial synchronization, DirSync then updates changes to user accounts on a three-hour schedule,
ensuring a flow of new objects and updated attributes (Delta Syncs) from Active Directory into Microsoft
Azure Active Directory. However, you can force synchronization using PowerShell, by using the FIM user
interface, or by re-running the DirSync configuration wizard.
With Microsoft Azure, the flow is one-way from Active Directory to Azure. However, with Office 365 in a
hybrid Exchange scenario, some attributes replicate in the other direction; with AD Premium enabled, you
can configure Azure to write passwords back to an on-premises Active Directory.
Note: A new feature, currently available in the AAD Connect preview, will enable password
write-back to the on-premises Active Directory. This feature requires Azure Active Directory
Premium.
For information on the attributes that are replicated from Active Directory to Microsoft Azure, see:
http://go.microsoft.com/fwlink/?LinkID=522664
DirSync supports limited filtering and customization of attribute flow, based on the following values:

- Organizational unit
- Domain
- User attributes

For more information on DirSync attribute filtering, see:
http://go.microsoft.com/fwlink/?LinkID=522665

The current version of DirSync also supports password synchronization as an install-time option. With the
release of AAD Connect, DirSync will no longer be updated.

AAD Connect

As an interim release, there was an updated tool available as a replacement for DirSync. This was called the
Microsoft Azure AD Sync Services (AADSync) tool but is no longer available as a separate download;
instead, it is delivered as a component of the new AAD Connect service. In the Full Azure portal, this is
currently available from the Download the preview of Azure AD Connect link.
The AADSync component differs from DirSync in several respects:

- AADSync uses the new Microsoft Identity Manager (MIM) synchronization, built on a SQL 2012 R2
  Express database.
- AADSync supports simple multi-forest scenarios.
- AADSync enables filtering on individual attributes, and the synchronization of just those filtered
  accounts using a specific Microsoft Online service, such as Exchange Online or SharePoint Online.
- AADSync supports the synchronization of password hashes from multiple on-premises AD forests to AAD.

AAD Connect is a wizard-based tool designed to enable connectivity between an on-premises identity
infrastructure and Azure. Using the wizard, you choose your topology and requirements (such as for single
or multiple directories, password sync or federation); the wizard will then deploy and configure all the
required components. Depending on the requirements selected, this can include AAD Sync, Exchange
Hybrid deployment, password change write-back, AD FS and proxy servers, and the Azure AD PowerShell
module.
Note: At the time of writing, Azure AD Connect is currently in Public Preview 1, and is not
recommended for production deployments. For the remainder of this module, all references to
DirSync are also relevant to the new AAD Connect (AADSync) tool, unless specifically stated
otherwise.

Comparing DirSync, Password Sync, and Single Sign-On

It is important to understand the difference between the three options for providing synchronization
between on-premises Active Directory and Microsoft Azure Active Directory. These three options are:

- DirSync on its own
- DirSync with Password Sync
- DirSync with Single Sign-On

You need to appreciate that all three options require directory synchronization.

DirSync Only

With DirSync on its own, you have two entirely separate directory services, but objects from on-premises
Active Directory are replicated into Microsoft Azure Active Directory. For example, DirSync maps
User.One@contoso.com from the on-premises Active Directory to user.one@contoso.com in Microsoft
Azure Active Directory.

Any change in User One's attributes in Active Directory, such as telephone number, office location and so
on, will replicate through DirSync to Microsoft Azure Active Directory. At this point, passwords are
maintained separately in the two systems.

DirSync with Password Sync

Enabling Password Sync alongside DirSync provides same sign-on facilities. So if User One logs on to their
domain-joined computer with a user name of user.one@contoso.com and a password of Pa$$w0rd, they
are being authenticated by Active Directory. If they then connect to an Azure-based service or application,
they will see an authentication prompt. When they again enter the same credentials of
user.one@contoso.com and Pa$$w0rd at the prompt, they can access the Azure-based resources. When
accessing the Azure-based resource, the user is being authenticated by Microsoft Azure Active Directory.
In the background, the Password Sync component takes the user's password hash from Active Directory,
then encrypts this hash and passes this as a string to Azure. Azure decrypts the encrypted hash and stores
the password hash as a user attribute in Microsoft Azure Active Directory.
When the user logs in to an Azure service, the logon challenge dialog box generates a hash of the user's
password and passes that hash back to Azure. Azure then compares the hash with the one stored in that
user's account. If the two hashes match, then the two passwords must also match and the user is given
access to the resource.

Of course, if the dialog box provides the facility to save credentials, then the user can check that option;
the next time they access the Azure resource, they won't be prompted. However, it is important to
understand that this is same sign-on, not single sign-on. The user is still being authenticated against two
separate directory services, albeit with the same user name and password. However, for many
organizations, the simplicity of this solution, without the added complexities and costs of an AD FS
implementation, makes the lack of true single sign-on a small price to pay.

DirSync with Single Sign-On

In addition to the configuration of AD FS itself, DirSync must also be configured in order to replicate
objects into Microsoft Azure Active Directory. With SSO, DirSync is again used to synchronize user, group,
and contact information from Active Directory to Microsoft Azure Active Directory, so these objects will
appear as directory service objects in Azure.
The difference between password sync and SSO is that in SSO, instead of two separate authentication
processes taking place (one on the on-premises Active Directory and the other in Microsoft Azure Active
Directory), a federation trust is established between Azure and the on-premises directory. This trust
relationship enables users to access resources in Azure using their accounts in Microsoft Azure Active
Directory, delivered by a single sign-on to on-premises AD. However, the authentication of those users
does not take place in Azure, but in the on-premises Active Directory. The next lesson covers this process
in greater detail.
Authorization to access Azure resources is separate from authentication and takes place on the resource
side (in this case Azure). The on-premises Active Directory generates a token, which is passed to AD FS,
and then to Azure, using the federation trust relationship.

Costs and Benefits


The following table shows the features that each option supports:

Factor                                                     | DirSync Only         | DirSync with Password Sync | Single Sign-On with AD FS and DirSync
-----------------------------------------------------------|----------------------|----------------------------|--------------------------------------
Sync users, groups and contacts to Azure                   | Yes                  | Yes                        | Yes
Sync incremental updates to Azure                          | Yes                  | Yes                        | Yes
Enable hybrid Office 365 scenarios                         | Yes, limited support | Yes, limited support       | Yes, full support
Users can sign on with on-premises credentials             | No                   | Yes                        | Yes
Reduce password admin costs                                | No                   | Yes                        | Yes
Control password policies from on-premises directory       | No                   | Yes                        | Yes
Enable cloud-based MFA                                     | Yes                  | Yes                        | Yes
Enable on-premises MFA                                     | No                   | No                         | Yes
Authenticate against on-premises directory                 | No                   | No                         | Yes
Implement single sign-on with corporate credentials        | No                   | No                         | Yes
Customize sign-in page                                     | No                   | No                         | Yes
Limit access to services, based on location or client type | No                   | No                         | Yes

The following table shows the high-level requirements for each option:

Requirement                                                           | DirSync Only | DirSync with Password Sync | Single Sign-On with AD FS and DirSync
----------------------------------------------------------------------|--------------|----------------------------|--------------------------------------
On-premises DirSync server                                            | Yes          | Yes                        | Yes
Highly-available AD FS server infrastructure                          | No           | No                         | Yes
Highly-available AD FS proxy or Web Application Proxy infrastructure  | No           | No                         | Yes

It is important to understand that if AD FS is unavailable, users will not be able to authenticate, and will not be
able to use Azure resources. If the DirSync server is unavailable, recent attribute changes (including
password hashes, if enabled) will not be synchronized, but users will still be able to access resources.
Deploying AD FS, therefore, has much higher resource and management demands than either DirSync
Only or DirSync with Password Sync.

There is also a potential issue with DirSync with Password Sync that might argue against its use in some
scenarios: when Password Sync is enabled, the Azure Directory password for a synchronized user is set to
never expire. So, if you have set a password expiry policy in AD, a user may still be able to log in using
Azure, even after the on-premises password has expired.

Discussion: Which option is suitable for my environment?

Working with a partner, discuss which directory synchronization option would be most appropriate for
your company. Use the table from the previous topic to discuss which features you might need.

Preparing On-Premises Active Directory for Directory Synchronization

When preparing for Directory Synchronization, a range of factors should be taken into account.

Review DC requirements

To work with DirSync, domain controllers must be running one of the following operating systems:

- 32-bit or 64-bit versions of Windows Server 2003 Standard Edition or Enterprise Edition with Service
  Pack 1 (SP1).
- 32-bit or 64-bit versions of Windows Server 2008 Standard or Enterprise.
- Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 Datacenter, or Windows
  Server 2008 R2 Datacenter (all are 64-bit only).
- Windows Server 2012 Standard or Datacenter (both are 64-bit only).
- Windows Server 2012 R2 Standard or Datacenter (also 64-bit only).

For complex multi-forest scenarios, it is important to be able to manually select a unique Active Directory
attribute to use as a SourceAnchor (the link between on-premises Active Directory and Windows Azure
Active Directory). This must be an immutable attribute, such as Employee ID, as the default SourceAnchor
(GUID) is unique to one forest; if an object is moved across forests, the object will appear to DirSync to be
a new object. For this reason, unless AAD Connect is being used, multi-forest scenarios may require a full
deployment of a licensed copy of FIM 2010 R2.

Review DirSync computer requirements

The DirSync computer must be a member of a domain, and for standard single forest scenarios, this
computer must be joined to a domain within the same forest that will be synchronized. DirSync now
supports installations on domain controllers; previous versions did not. However, for production scenarios,
it is recommended to use a separate server for DirSync.
The computer running DirSync requires one of the following Windows Server versions:

- 64-bit edition of Windows Server 2008 R2 SP1 Standard or Enterprise (or later), or Windows Server
  2008 Datacenter or Windows Server 2008 R2 Datacenter or later.
- 64-bit edition of Windows Server 2012 Standard or Datacenter or later.

In addition, DirSync requires the following software prerequisites:

- Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.0. The .NET Framework 4.0
  will already be installed if you are using Windows Server 2012; Microsoft .NET Framework 3.5 SP1 will
  need to be enabled.
- Windows Azure AD Module for Windows PowerShell (64-bit version).

Review hardware recommendations

Deployments with more than 50,000 objects in Active Directory require a significant increase in memory
requirements (from 4 GB RAM to 16 GB); therefore, it is important to implement adequate hardware
resources when transitioning from the pilot to production phase.
Note that, if you have implemented DirSync in Azure, you may need to scale up the VM if your
synchronization requirements increase.

Number of objects in Active Directory | CPU     | Memory | Hard disk size
--------------------------------------|---------|--------|---------------
Fewer than 10,000                     | 1.6 GHz | 4 GB   | 70 GB
10,000 to 50,000                      | 1.6 GHz | 4 GB   | 70 GB
50,000 to 100,000                     | 1.6 GHz | 16 GB  | 100 GB
100,000 to 300,000                    | 1.6 GHz | 32 GB  | 300 GB
300,000 to 600,000                    | 1.6 GHz | 32 GB  | 450 GB
More than 600,000                     | 1.6 GHz | 32 GB  | 500 GB


Review Object Limits

The current release of Microsoft Azure Active Directory has a default object limit of 50,000 objects (users,
mail-enabled contacts, and groups). This object limit is automatically increased to 300,000 after the first
domain is verified. If a synchronization results in the existing quota being exceeded, the tenant
administrator will receive an email message, such as:

    The Directory Synchronization batch run was completed on Tuesday, 23 December 2014 23:45:22 GMT for
    tenant <name>
    The following errors occurred during synchronization:
    Synchronization has been stopped. The company has exceeded the number of objects that can be
    synchronized. Contact Technical Support and ask for an increase in your company's quota.

If there is a verified domain and a requirement to synchronize more than 300,000 objects, or there are no
verified domains and a requirement to synchronize more than 50,000 objects, you will need to contact
Microsoft Technical Support to request an increase to the object quota limit. It is therefore important to
plan for any likely DirSync quota increase; otherwise, if left to the last minute, this could become a
deployment blocker.
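As an added example (not part of the course), the following PowerShell estimates how many objects DirSync would provision and compares that with the quota rules above, so a quota request can be raised well before deployment. It assumes the RSAT ActiveDirectory module and the Windows Azure AD Module (MSOnline) are installed, and treats a verified custom (non-initial) domain as what raises the quota from 50,000 to 300,000; the 80% warning threshold is an arbitrary choice for early planning.

```powershell
# Added example, not from the course: estimate the number of objects DirSync
# would synchronize and compare it with the tenant object quota.
# Assumptions: RSAT ActiveDirectory module and the Windows Azure AD Module
# (MSOnline) are installed; a custom (non-initial) verified domain is what
# raises the quota from 50,000 to 300,000. The count is an upper bound taken
# before any OU filtering is configured in DirSync.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-DirSyncQuotaEstimate {
    param([System.Management.Automation.PSCredential]$Credential)

    # Count the object classes DirSync provisions: users, mail-enabled contacts,
    # and groups. @() keeps .Count correct when a query returns a single object.
    $users    = @(Get-ADUser -Filter *).Count
    $contacts = @(Get-ADObject -LDAPFilter '(&(objectClass=contact)(mail=*))').Count
    $groups   = @(Get-ADGroup -Filter *).Count
    $total    = $users + $contacts + $groups

    # The quota depends on whether a custom domain has been verified in the tenant.
    Connect-MsolService -Credential $Credential
    $customVerified = @(Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' -and -not $_.IsInitial })
    $quota = if ($customVerified.Count -gt 0) { 300000 } else { 50000 }

    [pscustomobject]@{
        Users         = $users
        Contacts      = $contacts
        Groups        = $groups
        Total         = $total
        Quota         = $quota
        QuotaExceeded = ($total -gt $quota)
        # Arbitrary 80% headroom: flag a support request before it becomes a blocker.
        RequestNeeded = ($total -gt ($quota * 0.8))
    }
}

$cred = Get-Credential -Message 'Azure AD Global Administrator'
Get-DirSyncQuotaEstimate -Credential $cred | Format-List
```

Run it from a domain-joined machine before the pilot and again before production, since the object count (and therefore the hardware sizing in the previous table) can change between the two.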

Review Administrator Accounts

Installing and configuring DirSync requires the following accounts:

- A Microsoft Azure account with Global Administrator permission in the Microsoft Azure tenant
  (such as an organizational account), that is NOT the account that was used to set up the tenant itself.
- An on-premises account with Enterprise Administrator permissions in the on-premises Active
  Directory.

DirSync uses a Microsoft Azure Global Administrator account to provision and update objects when the
DirSync configuration wizard is run. You should create a dedicated service account in Microsoft Azure to
use for DirSync as you cannot use the Microsoft Azure tenant administrator account. This restriction is
because the account that you used to set up Azure may not have a domain name suffix that matches the
domain name. The account needs to be a member of the Global Administrators group.

On this new account, it is important to disable the default 90-day password expiration; otherwise, the
synchronization service will stop working when the password expires, which will require reconfiguration of
DirSync.
To disable service account password expiration by using the Windows Azure Active Directory Module for
Windows PowerShell, type the following command, and press Enter:

    Set-MsolUser -UserPrincipalName <service account>@<domain>.onmicrosoft.com -PasswordNeverExpires $true
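The following added example (not from the course) carries out the whole service-account setup described above in one function: it creates the dedicated account in Azure AD, grants it Global Administrator, applies the Set-MsolUser command from the text, and verifies the result. It assumes the Windows Azure AD Module (MSOnline) is installed, that "Company Administrator" is the MSOnline role name for Global Administrator, and that the UPN and display name shown are constructed placeholders.

```powershell
# Added example, not from the course: create the dedicated DirSync service
# account in Azure AD, make it a Global Administrator, and disable the 90-day
# password expiry with the same Set-MsolUser command given in this topic.
# Assumptions: Windows Azure AD Module (MSOnline) installed; the UPN and
# display name below are constructed placeholders; "Company Administrator"
# is the MSOnline role name for Global Administrator.
Import-Module MSOnline

function New-DirSyncServiceAccount {
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,   # e.g. dirsync-svc@contoso.onmicrosoft.com
        [string]$DisplayName = 'DirSync Service Account'
    )

    # Create the account. With no -Password given, MSOnline generates an initial
    # password and returns it on the object; store it in a secret store, then discard.
    $user = New-MsolUser -UserPrincipalName $UserPrincipalName `
                         -DisplayName $DisplayName `
                         -ForceChangePassword $false `
                         -PasswordNeverExpires $true

    # The DirSync configuration wizard requires Global Administrator.
    Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $UserPrincipalName

    # Apply the expiry setting exactly as the topic shows, then read it back.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true
    $check = Get-MsolUser -UserPrincipalName $UserPrincipalName

    $roleId  = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
    $isAdmin = [bool](Get-MsolRoleMember -RoleObjectId $roleId |
                      Where-Object { $_.EmailAddress -eq $UserPrincipalName })

    [pscustomobject]@{
        UserPrincipalName    = $check.UserPrincipalName
        PasswordNeverExpires = $check.PasswordNeverExpires
        IsGlobalAdmin        = $isAdmin
        InitialPassword      = $user.Password   # hand over to the secret store, not to a log
    }
}

$cred = Get-Credential -Message 'Existing Global Administrator'
Connect-MsolService -Credential $cred
New-DirSyncServiceAccount -UserPrincipalName 'dirsync-svc@contoso.onmicrosoft.com'
```

Because the account never expires and holds Global Administrator, treat its password like any other long-lived privileged secret: generate it, store it, and enter it only into the DirSync wizard.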

On-premises, the account used to install and configure DirSync must have the following permissions:

- Enterprise Administrator permissions in Active Directory. Required to create the synchronization user
  account in Active Directory.
- Local machine administrator permissions. Required to install the DirSync software.

The account used to configure DirSync and run the configuration wizard must reside in the local
machine's FIMSyncAdmins group; by default, the account used to install DirSync (the Enterprise
Administrator) is automatically added to this group.
Note: You need to log off and log back in again to use the FIM interface, as your logon
account has to be added to the DirSync Admins group.

The Enterprise Administrator account is only required when installing and configuring DirSync, and the
Enterprise Administrator credential is not stored or saved by the configuration wizard. Therefore, it is
good practice to create a special "DirSync Administrator" account for installing and configuring DirSync,
and to only assign this account to the Enterprise Administrators group when DirSync is being set up. This
DirSync Administrator account should be removed from the Enterprise Administrators group after DirSync
setup is complete. It is also good practice to ensure that the password for this account is set to never
expire, in case you ever need to reinstall or reconfigure DirSync.

The Enterprise Administrator account is required to:

- Create the MSOL_<id> domain account in the CN=Users container of the root domain.
- Delegate the following permissions to MSOL_<id> on each domain partition in the forest:
  o Replicating Directory Changes
  o Replicating Directory Changes All
  o Replication Synchronization

The following accounts are created in Active Directory during DirSync configuration:

- MSOL_<id>. This account is created during DirSync installation, and is configured to synchronize to
  the Microsoft Azure tenant. The account has directory replication permissions in the local Active
  Directory and write permission on certain attributes to enable Hybrid Deployment.
- AAD_<id>. This is the service account for the Synchronization Engine, and is created with a randomly
  generated complex password automatically configured to never expire. When the directory
  synchronization service runs, it uses the service account credentials to read from the local Active
  Directory and then write the contents of the synchronization database to Microsoft Azure using the
  tenant administrator credentials entered during the DirSync wizard.

Note: Do not change this service account after installing DirSync, as DirSync will always
attempt to run using the account created during setup. If the account is changed, DirSync will
stop running and scheduled synchronizations will no longer occur.

Review Network Ports

Synchronization with Microsoft Azure Active Directory occurs over SSL; this synchronization is outbound
(as it is initiated by DirSync) and uses port 443. Internal network communication uses standard Active
Directory-related ports; for successful synchronization, the DirSync server must be able to contact all DCs
in the forest.
Service                               | Protocol | Port
--------------------------------------|----------|------------------------------
LDAP                                  | TCP/UDP  | 389
Kerberos                              | TCP/UDP  | 88
DNS                                   | TCP/UDP  | 53
Kerberos Change Password              | TCP/UDP  | 464
RPC                                   | TCP      | 135
RPC randomly allocated high TCP ports | TCP      | 1024 - 65535 / 49152 - 65535
SMB                                   | TCP      | 445
SSL                                   | TCP      | 443
SQL                                   | TCP      | 1433
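As an added example (not part of the course), this PowerShell checks from the DirSync server that every domain controller in the forest answers on the TCP ports from the table above, and that outbound HTTPS on 443 is open. It assumes Windows Server 2012 R2 or later (for Test-NetConnection) with the RSAT ActiveDirectory module installed; only TCP can be probed this way, so the UDP variants and the dynamic high RPC ports are not tested, and the Azure endpoint host name is a placeholder to replace with the one appropriate for your tenant.

```powershell
# Added example, not from the course: verify that the DirSync server can reach
# every DC in the forest on the TCP ports listed in this topic, plus outbound
# SSL (443) to Azure AD. Assumptions: Windows Server 2012 R2 or later so that
# Test-NetConnection exists; RSAT ActiveDirectory module installed; UDP and the
# dynamic RPC range are not probed; the Azure endpoint is a placeholder.
Import-Module ActiveDirectory

# TCP ports from the table: LDAP, Kerberos, DNS, Kerberos change password,
# RPC endpoint mapper, SMB.
$DcTcpPorts = [ordered]@{ LDAP = 389; Kerberos = 88; DNS = 53; KerberosChangePassword = 464; RPC = 135; SMB = 445 }

function Test-DirSyncConnectivity {
    param([string]$AzureEndpoint = 'login.microsoftonline.com')   # placeholder endpoint

    # Enumerate every DC in every domain of the forest, as the topic requires.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    $results = foreach ($dc in $dcs) {
        foreach ($service in $DcTcpPorts.Keys) {
            $port  = $DcTcpPorts[$service]
            $probe = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $dc.HostName; Service = $service; Port = $port; Reachable = $probe.TcpTestSucceeded }
        }
    }

    # Synchronization itself is outbound SSL on 443, initiated by the DirSync server.
    $probe = Test-NetConnection -ComputerName $AzureEndpoint -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Target = $AzureEndpoint; Service = 'SSL (outbound)'; Port = 443; Reachable = $probe.TcpTestSucceeded }
    return $results
}

$report = Test-DirSyncConnectivity
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) port check(s) failed; DirSync must reach every DC for synchronization to succeed."
}
```

A failed row for a single DC usually points at a firewall between sites rather than at DirSync itself; fix it before the first full import, because the import will otherwise stall on that domain partition.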

Review UPN requirements

When you synchronize user accounts into Microsoft Azure Active Directory, you need to ensure that you
match the UPN for your on-premises environment with the value that you will be using when creating the
new user accounts in Microsoft Azure Active Directory. For example, if your company uses @contoso.com
as its UPN suffix, you need to have registered contoso.com as a domain in Microsoft Azure. This
requirement is to ensure that Userb@contoso.com in the on-premises environment creates the
userb@contoso.com account in Microsoft Azure when DirSync runs.

If your on-premises domain uses a non-routable UPN, such as Contoso.local, then you need to change the
UPN to a routable value that maps to a registered domain in Microsoft Azure. Otherwise user accounts
will be created in Azure using the default domain, which is in the form
@usernamedomain.onmicrosoft.com, where usernamedomain is derived from the values in the email
address that you used to register your Azure subscription. Therefore, it is important to ensure that
you have UPNs set up correctly in your on-premises directory, with the matching domains added to
Azure, before you synchronize.
Note: You need to check that UPNs are not empty. The next topic covers tools that can
help carry out this check.

Cleaning up Active Directory

Before deploying DirSync, it is essential that the on-premises Active Directory and related technologies
are checked for potential issues, and any issues discovered are remediated. Such checks should include:

- Analyzing the on-premises environment for invalid characters in Active Directory object attributes
  and for incorrect UPNs.
- Identifying domain functional levels and schema extensions, and identifying custom attributes in use.
- Recording network port use, as well as DNS records related to Microsoft Azure.

When preparing to clean up an on-premises AD, you should note the following attribute requirements
and invalid characters:

Attribute         | Maximum characters | Requirements and invalid characters
------------------|--------------------|------------------------------------------------------------------
proxyAddress      | 256                | Must be unique. Invalid characters: )(;><][\
sAMAccountName    | 20                 | Invalid characters: !#$%^&{}\`~"/[]:@<>+=;?*
givenName         | 64                 | Invalid characters: ?@\+
surname           | 64                 | Invalid characters: ?@\+
displayName       | 256                | Invalid characters: ?@\+
mail              | 256                | Must be unique. Invalid characters: !#$%&*+/=?^`{}
mailNickname      | 64                 | Invalid characters: "\[]:><;
userPrincipalName | 64/256             | Must be unique in the forest. Invalid characters: }{#$%~*+)(><!/\=?`
                  |                    | The @ character must exist; must not include a space or end in a
                  |                    | space, period, & or @; must be Internet routable.

After the checks have been carried out, key remediation tasks include:

- Removing duplicate proxyAddress and userPrincipalName attributes.
- Updating blank and invalid userPrincipalName attributes, and replacing them with valid userPrincipalName
  attributes.
- Removing invalid characters in the following attributes: givenName, surname (sn), sAMAccountName,
  displayName, mail, proxyAddresses, mailNickname, and userPrincipalName.

UPNs that are used for SSO can contain letters, numbers, periods, dashes, and underscores; no other
character types are allowed. If the Microsoft Azure integration includes plans for SSO, it is important to
ensure that UPN names meet this requirement before SSO is rolled out, so it is worth considering this
factor at this stage, even if SSO is not currently planned.
For a list of attributes that may need cleaning up, see:
http://go.microsoft.com/fwlink/?LinkId=390909
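The following is an added example, not part of the course and not the IdFix tool described in the next topic: a read-only PowerShell audit that applies the attribute rules from the table above (invalid characters, maximum lengths, uniqueness, and the UPN requirements from the previous topic) to on-premises users before DirSync runs. It assumes the RSAT ActiveDirectory module is installed and the caller can read all users; $RoutableSuffixes is a constructed placeholder for the domains verified in Azure; the character sets are those printed in the table, and surname is read through Get-ADUser's Surname property (LDAP sn).

```powershell
# Added example, not from the course and not IdFix: read-only audit of the
# attributes in the table above, run before DirSync so that problems are fixed
# on-premises rather than surfacing as synchronization errors.
# Assumptions: RSAT ActiveDirectory module installed and the caller can read
# all users; $RoutableSuffixes is a constructed placeholder for the domains
# verified in Azure; character sets are those printed in the table (surname is
# read through Get-ADUser's Surname property, LDAP sn).
Import-Module ActiveDirectory

$RoutableSuffixes = @('contoso.com')   # placeholder: replace with your verified domains

# Regex character classes built from the invalid-character column of the table.
$InvalidChars = @{
    SamAccountName    = '[!#$%^&{}\\`~"/\[\]:@<>+=;?*]'
    GivenName         = '[?@\\+]'
    Surname           = '[?@\\+]'
    displayName       = '[?@\\+]'
    proxyAddresses    = '[)(;><\]\[\\]'
    mail              = '[!#$%&*+/=?^`{}]'
    mailNickname      = '["\\\[\]:><;]'
    UserPrincipalName = '[}{#$%~*+)(><!/\\=?`]'
}
# Maximum lengths from the same table (UPN is checked separately: 64 before @, 256 after).
$MaxLength = @{ SamAccountName = 20; GivenName = 64; Surname = 64; displayName = 256
                proxyAddresses = 256; mail = 256; mailNickname = 64 }

function Test-DirSyncReadiness {
    param([string]$SearchBase)   # optional OU distinguished name to scope the audit

    $query = @{ Filter = '*'; Properties = @('displayName', 'proxyAddresses', 'mail', 'mailNickname') }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $users = @(Get-ADUser @query)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($User, $Attribute, $Issue, $Value) {
        $findings.Add([pscustomobject]@{ User = $User.SamAccountName; Attribute = $Attribute; Issue = $Issue; Value = $Value })
    }

    foreach ($u in $users) {
        # Invalid characters and over-length values, attribute by attribute.
        foreach ($attr in $InvalidChars.Keys) {
            foreach ($value in @($u.$attr)) {
                if (-not $value) { continue }
                if ($value -match $InvalidChars[$attr]) { Add-Finding $u $attr 'Invalid character' $value }
                if ($MaxLength[$attr] -and $value.Length -gt $MaxLength[$attr]) { Add-Finding $u $attr 'Exceeds maximum length' $value }
            }
        }
        # UPN rules: present, contains @, length limits, no spaces or bad trailing
        # characters, and a suffix that maps to a domain verified in Azure.
        $upn = $u.UserPrincipalName
        if (-not $upn) { Add-Finding $u 'UserPrincipalName' 'Empty UPN (would be created under the default onmicrosoft.com domain)' ''; continue }
        if ($upn -notmatch '^[^@]{1,64}@[^@]{1,256}$') { Add-Finding $u 'UserPrincipalName' 'Missing @ or part too long' $upn }
        if ($upn -match '\s' -or $upn -match '[\s.&@]$') { Add-Finding $u 'UserPrincipalName' 'Contains a space or ends in space, period, & or @' $upn }
        if ($RoutableSuffixes -notcontains ($upn.Split('@')[-1])) { Add-Finding $u 'UserPrincipalName' 'Suffix not verified in Azure (non-routable)' $upn }
    }

    # Uniqueness: UPN and mail across the scope, and every proxy address across all users.
    foreach ($attr in 'UserPrincipalName', 'mail') {
        $users | Where-Object { $_.$attr } | Group-Object -Property $attr | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            foreach ($dup in $_.Group) { Add-Finding $dup $attr 'Duplicate value' $_.Name }
        }
    }
    $users | ForEach-Object { $owner = $_; foreach ($p in $owner.proxyAddresses) { [pscustomobject]@{ Owner = $owner; Address = $p } } } |
        Group-Object -Property Address | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            foreach ($e in $_.Group) { Add-Finding $e.Owner 'proxyAddresses' 'Duplicate value' $_.Name }
        }

    return $findings
}

Test-DirSyncReadiness | Sort-Object User, Attribute | Format-Table -AutoSize
```

The audit changes nothing; feed its output into the remediation tasks listed above (or into ADModify.NET for bulk UPN changes), and re-run it until it returns no findings before the first synchronization.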

Active Directory Health Check Tools

The following Active Directory health check tools can be used to identify and remediate issues:

IdFix


The IdFix tool enables you to identify and remediate the majority of object synchronization errors in
Active Directory, including common issues such as duplicate or malformed proxyAddresses and
userPrincipalName. IdFix is designed to run on Windows 7 and Windows Server 2008 R2; however, it does
also run on Windows Server 2012.

You can select the OUs for IdFix to check, and common errors can be fixed within the tool itself. Common
errors include such things as invalid characters that may have been introduced during scripted user
imports to attributes.
Note: For distinguished names that contain format and duplicate errors (such as two users
with the same distinguished name), IdFix may not be able to suggest an automatic remediation
for the error. Such errors can either be fixed outside IdFix, or be manually remediated within
IdFix.

For more information, and to download IdFix, see the IdFix DirSync Error Remediation Tool page on
the Microsoft Download Center:
http://go.microsoft.com/fwlink/?LinkId=390910

ADModify.NET

For errors such as format issues, you can make changes to specific attributes object by object, using either
ADSIEdit or Advanced Mode in Active Directory Users and Computers. However, to make attribute
changes to multiple objects, ADModify.NET is a better tool; the batch mode operation provided by
ADModify.NET is particularly useful for making changes to attributes such as UPNs across OUs or
domains.
For more information, see Introduction to ADModify.NET:
http://go.microsoft.com/fwlink/?LinkId=390911

Installing and Configuring Directory Synchronization

Now that you have addressed any issues prior to deployment, you can start the process of installing,
configuring, and running DirSync.

Step 1: Activate DirSync in the Microsoft Azure Portal

To activate DirSync, carry out the following procedure:

1. Log into the Azure portal.
2. Navigate to Active Directory > Directory Integration.
3. Click "Activate" in step 2.

To check if DirSync is activated in an account, start a Microsoft Azure PowerShell session and type the
following commands, pressing Enter after each line:

    $cred = Get-Credential

When you're prompted, enter your cloud service admin credentials.

    Connect-MsolService -Credential $cred
    (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

This cmdlet returns a value of either True or False. If it returns a value of True, directory synchronization is
activated. If it returns a value of False, directory synchronization is not activated.

Step 2: Download and Install DirSync

To download and install DirSync, carry out the following procedure:

1. Log into the Azure portal.
2. Navigate to Active Directory > Directory Integration.
3. Click the current download link, and run the installer.

Step 3: Configure DirSync

Configuring DirSync requires you to specify the credentials for the two accounts, one for Microsoft Azure
Active Directory and the other for Active Directory. You can then stop the process at the end of the wizard
prior to synchronization.

Step 4: Configure Filtering Options

At this point, you can use the FIM interface to configure filtering prior to synchronization. This procedure
is recommended at this point as it prevents accounts replicating into Microsoft Azure Active Directory that
subsequently would need to be deleted.
The FIM user interface isn't exactly in an obvious place. To start it, double-click on the following
executable:

    %ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\Miisclient.exe

After you have opened the interface, to configure filtering, carry out the following procedure:

1. In Synchronization Service Manager, click the Management Agents tab.
2. In the Management Agents tab, double-click Active Directory Connector.
3. In the Properties dialog box, click Configure Directory Partitions.
4. Click Containers.
   Note: The credentials dialog box initially displays the MSOL_<id> account; this account
   uses a randomly generated password, so administrators will not know it.
5. In the Credentials dialog box, enter the credentials for your synchronization account that you
   created earlier (your Active Directory Enterprise Administrator), and click OK.
6. In the Select Containers dialog box, clear the root level check box, then select, for example, the OUs
   that you want to synchronize, and click OK.
7. Click OK to close the Properties dialog box.
8. Now run a synchronization using the procedure below.

Step 5: Synchronize Directories

The final part of the operation is to carry out the synchronization itself. To synchronize through the
Configuration Wizard, carry out the following procedure:

1. Restart the DirSync Configuration wizard by double-clicking on the icon on the desktop.
2. Enter the administrative account credentials for both Microsoft Azure Active Directory and Active
   Directory.
3. Ensure that Synchronize your directories now is checked and click Finish.

Managing and Monitoring Directory Synchronization

There are several typical Directory Synchronization management and monitoring tasks.

Verifying DirSync

Verifying the DirSync operation is very easy. Carry out the following process:

1. Log in to the Azure Portal with your Administrator Account.
2. Click on the Default Directory.
3. Click the Users tab.
4. Check that users from the on-premises Active Directory are visible.

To confirm that updates are propagating, change a user attribute in the on-premises Active Directory and
check in Azure that the change has replicated across.

Forcing Replication

If you need to force a replication, such as to synchronize new accounts or group memberships, you have
three options for forcing replication and synchronizing directories manually:

- Through the FIM interface.
- Using the Start-OnlineCoexistenceSync command in a DirSync module PowerShell session.
- Rerunning the Configuration Wizard.

The synchronization process is different, depending on whether this is an initial (full) or an update
operation.
In the FIM interface, an initial sync consists of three stages or run profiles:

1. Full Import Full Sync.
2. Full Confirming Import.
3. Export.

An update sync also consists of three run profiles:

1. Delta Import Delta Sync.
2. Delta Confirming Import.
3. Export.

You only see this differentiation in the FIM user interface. Using the Start-OnlineCoexistenceSync
command, or re-running the Configuration Wizard, always initiates a full synchronization.
To run the sync operation manually through the FIM interface, carry out the following procedure:

1. Navigate to %ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization
   Service\UIShell.
2. Start Miisclient.exe.
3. In the interface, click Operations.
4. From the list, click the operation you want to run.
5. Click the Run button.
6. Repeat for the remaining two run profiles.

To synchronize through PowerShell, carry out the following procedure:

1. Start a PowerShell session with administrative credentials.
2. Run Import-Module DirSync and press Enter.
3. Type Start-OnlineCoexistenceSync and press Enter.
4. A full synchronization should now start.

To synchronize through the Configuration Wizard, carry out the following procedure:

1. Restart the Configuration wizard by double-clicking on the icon on the desktop.
2. Enter the administrative account credentials for both Microsoft Azure Active Directory and Active
   Directory.
3. Ensure that Synchronize your directories now is checked and click Finish.
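As an added example (not from the course), the following PowerShell combines the verification and forcing tasks above: it reads the tenant-side sync status with Get-MsolCompanyInformation (the same cmdlet used earlier to check activation) and forces a full run with Start-OnlineCoexistenceSync only when the last synchronization is older than a threshold. It assumes the Windows Azure AD Module (MSOnline) and the DirSync module are both available on the DirSync server, and that LastDirSyncTime is reported in UTC; the 180-minute default mirrors the three-hour schedule described in this module.

```powershell
# Added example, not from the course: report the tenant's directory sync
# status and force a full synchronization only when the last run is stale.
# Assumptions: Windows Azure AD Module (MSOnline) and the DirSync module are
# installed on the DirSync server; LastDirSyncTime is reported in UTC; the
# default threshold of 180 minutes matches the three-hour DirSync schedule.
Import-Module MSOnline
Import-Module DirSync

function Get-DirSyncStatus {
    param([System.Management.Automation.PSCredential]$Credential)
    Connect-MsolService -Credential $Credential
    $info = Get-MsolCompanyInformation
    $age  = if ($info.LastDirSyncTime) {
        [int]((Get-Date).ToUniversalTime() - $info.LastDirSyncTime).TotalMinutes
    } else { $null }
    [pscustomobject]@{
        Enabled     = $info.DirectorySynchronizationEnabled
        LastSyncUtc = $info.LastDirSyncTime
        AgeMinutes  = $age
    }
}

function Invoke-DirSyncIfStale {
    param(
        [System.Management.Automation.PSCredential]$Credential,
        [int]$MaxAgeMinutes = 180
    )
    $status = Get-DirSyncStatus -Credential $Credential
    if (-not $status.Enabled) {
        throw 'Directory synchronization is not activated for this tenant; activate it in the portal first.'
    }
    # A null age means no sync has ever been reported, so treat that as stale too.
    if ($null -eq $status.AgeMinutes -or $status.AgeMinutes -gt $MaxAgeMinutes) {
        Write-Warning ("Last sync {0} minutes ago (limit {1}); forcing a full synchronization." -f $status.AgeMinutes, $MaxAgeMinutes)
        Start-OnlineCoexistenceSync
    } else {
        Write-Output ("Last sync {0} minutes ago; within schedule, nothing forced." -f $status.AgeMinutes)
    }
    return $status
}

$cred = Get-Credential -Message 'Azure AD Global Administrator (DirSync service account)'
Invoke-DirSyncIfStale -Credential $cred
```

Run it with the dedicated service account rather than a personal Global Administrator account, and remember that, as the text notes, Start-OnlineCoexistenceSync always triggers a full run rather than a delta.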

Changing the Synchronization Schedule

To change the synchronization schedule, carry out the following process:

1. Navigate to the %ProgramFiles%\Windows Azure Active Directory Sync folder.
2. In Notepad, edit the Microsoft.Online.DirSync.Scheduler.exe.config file.
3. Change <add key="SyncTimeInterval" value="3:0:0" /> to whatever time you want the
   synchronization interval to be.
4. Restart the DirSync service, either with PowerShell or by using the Services console.

Note: Changing the synchronization interval is not a supported option. You are not
recommended to set too low a value for SyncTimeInterval; otherwise, DirSync could start running
continually and never complete a synchronization. The minimum recommended value is 15 minutes. Note
also that not all attributes sync on the same schedule; for example, passwords sync within a few
minutes.
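The following added example (not from the course) scripts the four steps above and enforces the 15-minute minimum from the note, so an accidental value such as 0:0:30 cannot be written. It assumes the configuration path given in this topic, that the SyncTimeInterval key lives under the file's appSettings element, and that the scheduler service can be found by a display name containing "Directory Sync"; that last point is an assumption, so confirm the service name with Get-Service before relying on it.

```powershell
# Added example, not from the course: change SyncTimeInterval in the DirSync
# scheduler configuration described above, refusing values below the
# recommended 15-minute minimum, and restart the scheduler service.
# Assumptions: the configuration path from this topic; the SyncTimeInterval
# key lives under <appSettings>; the service is located by display name
# because its name is not given on the page (confirm with Get-Service).
function Set-DirSyncInterval {
    param(
        [Parameter(Mandatory = $true)][TimeSpan]$Interval,
        [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config')
    )

    $minimum = [TimeSpan]::FromMinutes(15)
    if ($Interval -lt $minimum) {
        throw "Interval $Interval is below the recommended minimum of $minimum; DirSync could run continually and never complete."
    }

    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
    if (-not $node) { throw "SyncTimeInterval key not found in $ConfigPath" }

    # Keep a copy of the original file: this change is unsupported and may need reverting.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

    # The value uses the h:m:s form shown in the topic (3:0:0 is the default three hours).
    $hours = $Interval.Days * 24 + $Interval.Hours
    $node.value = '{0}:{1}:{2}' -f $hours, $Interval.Minutes, $Interval.Seconds
    $config.Save($ConfigPath)

    # Restart the scheduler so the new interval takes effect (assumed display-name pattern).
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Directory Sync*' }
    if ($svc) { Restart-Service -Name $svc.Name -Force } else { Write-Warning 'DirSync service not found; restart it manually.' }

    return $node.value
}

Set-DirSyncInterval -Interval ([TimeSpan]::FromMinutes(30))
```

Because the interval is enforced by the scheduler rather than by Azure, a shorter interval increases load on the DirSync server and the DCs it reads from, which is why the note recommends staying at or above 15 minutes.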

Managing Active Directory in a Hybrid Environment

Lesson 3

Implementing Federation

MCT USE ONLY. STUDENT USE PROHIBITED

11-24

In this third lesson, you review the third directory service integration option, Single Sign-On (SSO), using
Active Directory Federation Services (AD FS). You will also look at the two options for protecting your AD
FS infrastructure from intrusion, using either the AD FS proxy role computer or the Web Application Proxy
(WAP) role in Windows Server 2012 R2.
Note: Throughout this section, the content refers to on-premises Active Directory directory
service integration with directory services in Microsoft Azure Active Directory. However, you may
already have extended your on-premises Active Directory into Microsoft Azure and want to use
this extended arrangement with AD FS, which is perfectly possible. Therefore, you can host your
organization's AD FS servers and proxies in Azure, along with one or more domain controllers, so
the separation between what is on-premises and what is in Azure can become indistinct.
Throughout this lesson, any references to on-premises Active Directory should be read as your
organization's original directory.

Lesson Objectives
After completing this lesson, you should be able to:

Describe the workings of claim-based authentication and federation trusts.

Explain how AD FS and the Web Application Proxy role interoperate.

Identify the process for federating between on-premises Active Directory and Microsoft Azure Active
Directory.

Prepare the environment for Federation.

Deploy Active Directory Federation Services.

Deploy the Web Application Proxy Role in Windows Server 2012 R2.

Manage the trust relationship between Azure and the on-premises AD FS.

Manage the single-sign on process with AD FS.

Introduction to Claims-Based Authentication and Federated Trusts


The underlying principle behind SSO and AD FS is the use of claims-based authentication and federated
trusts to establish a mechanism by which one environment (on-premises Active Directory) can securely
transmit evidence of authentication to another environment (Microsoft Azure Active Directory). That
second environment can then grant authorization to access resources, based on the information provided
by the authenticating environment.

The concepts that you need to understand are as follows:

Identity provider: An identity provider is typically a directory service that authoritatively
authenticates a user. With AD FS, the identity provider is Active Directory.

Claims provider: A service that generates claims in response to requests. Also known as the Security
Token Service (STS). AD FS is an example of a claims provider.

Application provider: The party that provides access to applications based on information provided
by the claims from the STS. Also known as a relying party. Azure applications act as the relying party;
through the Azure directory service, Azure applications can provide access to resources to
authenticated users.

Claim: A claim is a statement about a user, such as the user's email address, domain, group
membership, first name and last name or UPN. The claim enables the relying party to establish the
identity of the user requesting access to resources.

Token: A token is a file that contains claims about an authenticated user, along with an assertion that
the user has been correctly authenticated. Claims are typically signed to prevent alteration in transit
and also encrypted.

Federation: A collection of domains that have established trust; in this case, Azure Directory trusts
the on-premises AD for user authentication.

In summary, a user attempts to access a resource hosted by Azure. Azure directs authorization requests to
Microsoft Azure Active Directory, which then requests confirmation of that user's identity and
authentication status from the STS (AD FS) through the federation trust. The STS contacts the on-premises
AD DS, confirms authentication of the user and extracts any information required to create the claim,
according to the claim rules for the federation trust.
The STS then signs (and typically encrypts) the token and passes it to the application provider (Microsoft
Azure Active Directory) using information from the federation trust. The relying party takes this token,
decrypts it and matches it to the user requesting access to the resource in Microsoft Azure. The user can
now access the application provider resource using his or her Active Directory credentials.
Note: Remember that in SSO, authentication is carried out by the on-premises Active
Directory, and the information passed over to Microsoft Azure Active Directory (the password
for Microsoft Azure Active Directory) does not get used at all. However, the accounts in both
directory services must still match up, hence the requirement to use DirSync as well as AD FS.

Microsoft online services, such as Azure and Office 365, use a specific Microsoft identity service to
establish federated-identity relationships between organizations; this service is called the Microsoft
Federation Gateway. The Microsoft Federation Gateway is responsible for directing communications
between the trusted identity provider (in this case, the on-premises Active Directory through AD FS) and
Azure Active Directory.
For more information on claims-based authentication, see:
A Guide to Claims-Based Identity and Access Control (2nd Edition)
http://go.microsoft.com/fwlink/?LinkID=523987

Overview of AD FS and Web Application Proxy


AD FS is an example of an STS. AD FS works seamlessly with Active Directory to create tokens containing
claims about users in an on-premises directory service and send those tokens securely to a relying party.
This process of token exchange enables the user to log on to the Azure resource using his or her Active
Directory credentials.
There have been several versions of AD FS since the initial release, including:

AD FS 1.0 was originally released as a Windows component with Windows Server 2003 R2.

AD FS 1.1 was released with Windows Server 2008 and Windows Server 2008 R2, as an installable
server role.

AD FS 2.0 was released as an installable download for Windows Server 2008 SP2 or above.

AD FS 2.1 was released with Windows Server 2012 as an installable server role.

AD FS 3.0 is an installable server role on Windows Server 2012 R2. AD FS 3.0 does not require a
separate IIS install and includes a new AD FS proxy role called the Web Application Proxy.

AD FS is Microsoft's implementation of the WS-Federation Passive Requestor Profile protocol. AD FS also
implements the standards-based WS-Federation protocol and Security Assertion Markup Language
(SAML). AD FS enables organizations to implement advanced identity management solutions, such as
provisioning, credential mapping, management, deactivation, and change management of partner
accounts.
Authentication is carried out through one of a number of methods. AD FS supports the following
authentication methods:

Forms authentication (default for Internet-based access).

Certificate authentication (SmartCard or user client certificate).

Windows authentication (default for intranet-based requests but not supported on all browsers; the
fallback is forms authentication).

AD FS also supports multifactor authentication (MFA) by using device authentication. The user has to use
a registered device to access a resource.
In the AD FS architecture, the AD FS servers for the claims provider connect directly to the domain
controllers for the domain, where they can access information about users held in Active Directory.
Because of this privileged access, AD FS servers need the same levels of protection as domain controllers.

To service access requests from the Internet, AD FS includes an AD FS proxy server role. An AD FS proxy
server typically sits in the perimeter network and intercepts the authentication requests, then proxies the
request through to the AD FS servers. The AD FS servers only accept incoming requests from Internet-based
clients through the proxy, and only port 443 (SSL) needs to be open between the proxy and the AD FS
server.

An alternate way to configure AD FS to accept incoming requests from the Internet is through use of the
Web Application Proxy role service in Windows Server 2012 R2. This server would also be installed into the
perimeter network in a workgroup. A typical deployment is to use AD FS servers within the corporate
network for access by users on that network, and to use Web Application Proxy servers for users
connecting from the Internet.
For more information on how to configure WAP with AD FS, see:
http://go.microsoft.com/fwlink/?LinkID=522666

Processing Authentication Claims


The mechanism by which AD FS processes an access request is as follows:

1. A user attempts to access an Azure-hosted resource.

2. The resource requests authentication, and sends a sign-in request by redirecting to Azure AD, and
including its app ID URI.

3. The user enters his or her credentials.

4. The Azure resource passes the credential request back to Microsoft Azure Active Directory.

5. Microsoft Azure Active Directory identifies that there is a federation trust with the target organization
based on the user's logon credentials.

6. The authentication request is redirected from the Microsoft Federation Gateway to the AD FS proxy
for the target organization.

7. The AD FS proxy proxies the request to the AD FS server.

8. The AD FS server contacts a domain controller and confirms that the authentication request is valid.

9. AD FS builds a token containing relevant claims about the user. The claims are specified by the claims
provider rules.

10. The AD FS server signs the token, encrypts it and then passes the token back to the Microsoft
Federation Gateway over SSL.

11. The Microsoft Federation Gateway decrypts the token, checks it is unaltered and then uses that token
to create an access token for the resource.

12. Microsoft Azure Active Directory posts the security token to the Reply URL of the resource.

13. The resource being accessed uses the access token to grant the user a connection to the resource.

Planning Active Directory Federation Services


When planning for AD FS, a range of issues should be considered.

Planning for Devices and Browsers

Access to resources in Microsoft Azure will often be through browser-based applications. Any current web
browser with JScript enabled can work as an AD FS client, although only Internet Explorer, Mozilla Firefox,
and Safari on Apple Macintosh have been tested by Microsoft.
Cookies must be enabled, or trusted, for the federation servers and Web applications that are being
accessed. Cookies prevent users from being continually prompted for logons within the same session. The
authentication cookie is signed, but not encrypted, which requires SSL support in AD FS.

Plan Server Placement

The most critical component of an AD FS deployment is the federation server or server farm. Therefore, it
is important that server placement strategy is properly considered. AD FS servers must be domain-joined
and should be placed behind a firewall on the corporate network to prevent exposure to the Internet. AD
FS proxies should not be domain-joined and should be installed in the perimeter network.

Plan Server Numbers

The number of AD FS servers that should be deployed in an organization depends on the number of users
likely to issue authentication requests. The recommended minimum requirements are displayed in the
following table:

Number of users      Minimum number of servers
Fewer than 1,000     0 dedicated federation servers (install AD FS role on domain controllers)
                     0 dedicated federation server proxies (install AD FS role on web servers)
                     1 dedicated NLB server to load balance the federation server proxies
1,000 to 15,000      2 dedicated federation servers
                     2 dedicated federation server proxies
15,000 to 60,000     Between 3 and 5 dedicated federation servers
                     At least 2 dedicated federation server proxies

Plan Access Filtering

You may want to implement access filtering based on claims rules. For example, you might specify that
only users based in a particular location, or with a certain domain suffix, can access a certain resource in
Azure.
For more information on passing through or filtering incoming claims, see:
http://go.microsoft.com/fwlink/?LinkID=522667
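The following script is an added example (not part of the course material) of access filtering with claim rules, the technique this topic and the claims discussion earlier in the lesson describe. It installs two issuance authorization rules on the relying party trust for Azure: one that permits only users whose UPN carries the contoso.com suffix, and one that denies members of a particular group. It assumes an AD FS 2012 R2 server with the ADFS and ActiveDirectory (RSAT) PowerShell modules, that the relying party trust created for Azure has its default name "Microsoft Office 365 Identity Platform" (an assumption; check with Get-AdfsRelyingPartyTrust), and a placeholder group called Cloud-Blocked.

```powershell
# Added example (not course code): restrict which authenticated users are issued
# a token for the Azure AD relying party, using AD FS issuance authorization rules.
# Assumptions: ADFS + ActiveDirectory modules; default trust name; 'Cloud-Blocked'
# is a placeholder group name.
$rpName = 'Microsoft Office 365 Identity Platform'   # assumption: default trust name

# Claim types that reach the authorization stage; UPN and group SIDs are passed
# through by the default Active Directory claims provider acceptance rules.
$upnType      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$groupSidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permit       = 'http://schemas.microsoft.com/authorization/claims/permit'
$deny         = 'http://schemas.microsoft.com/authorization/claims/deny'

# Match the group by SID so a rename of the group cannot silently disable the rule.
$blockedSid = (Get-ADGroup -Identity 'Cloud-Blocked').SID.Value

# Rule 1 permits only UPNs with the contoso.com suffix (case-insensitive regex).
# Rule 2 denies members of Cloud-Blocked; in AD FS a deny claim always overrides permit.
$authzRules = @"
@RuleName = "Permit contoso.com UPN suffix only"
c:[Type == "$upnType", Value =~ "(?i)^[^@]+@contoso\.com$"]
 => issue(Type = "$permit", Value = "true");

@RuleName = "Deny members of Cloud-Blocked"
c:[Type == "$groupSidType", Value == "$blockedSid"]
 => issue(Type = "$deny", Value = "true");
"@

# Keep the rules currently in force so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File -FilePath "$env:TEMP\authz-rules-backup.txt"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Confirm what AD FS now enforces for this trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Because the default set of authorization rules for a new trust is a single "permit all users" rule, replacing it as above changes the trust from open to allow-list behaviour; test with an account outside contoso.com before rolling the change out to a farm.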

Plan ADFS High Availability

AD FS can be deployed as a stand-alone server, or as a server farm. It is recommended that an AD FS
server farm always be used, even if the farm consists initially of just one server, as this provides the option
to add more AD FS servers later, for load balancing or fault tolerance. However, if AD FS is deployed as a
stand-alone federation server, then no additional servers can be added later.

Plan Database Servers

AD FS servers require a database, and can be configured to use either the Windows Internal Database
(WID) or full SQL Server. If WID is used, then AD FS servers in a farm are configured as primary or
secondary. A primary federation server is initially the first federation server in the farm, and has a
read/write copy of the AD FS configuration database. All other federation servers created in the farm (the
secondary servers) regularly poll the primary server and synchronize any changes to a read-only copy of
the AD FS configuration database stored locally. By default, the poll interval is five minutes, but an
immediate synchronization can be forced anytime by using Windows PowerShell.
Secondary servers provide fault tolerance for the primary server and, with appropriate server placement,
can load-balance access requests across network sites. If the primary federation server is offline, all
secondary federation servers continue to process requests as normal. However, no new changes can be
made to the AD FS database until the primary federation server has been brought back online, or a
secondary server is promoted to the primary role. Primary and secondary role assignment is managed by
using the Set-AdfsSyncProperties Windows PowerShell cmdlet.
If SQL Server is used to store AD FS information, all servers in the farm are considered "primary", as they
all have read/write access to the database.
For more information on AD FS databases, see:
The Role of the AD FS Configuration Database
http://go.microsoft.com/fwlink/?LinkID=523981
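As an added example (not part of the course material), the script below shows the primary/secondary role management that the paragraph above attributes to Set-AdfsSyncProperties: it reports the local server's role and poll interval, and, only if the configured primary is unreachable, promotes the local secondary and re-points the remaining farm members at it. It assumes a WID-based farm, the ADFS module, PowerShell remoting between farm members, and placeholder host names adfs1 to adfs3.contoso.com.

```powershell
# Added example (not course code): WID farm role check and controlled promotion.
# Assumptions: WID farm; ADFS module; remoting enabled; placeholder host names.
$farmMembers = 'adfs1.contoso.com', 'adfs2.contoso.com', 'adfs3.contoso.com'   # placeholders

$sync = Get-AdfsSyncProperties
Write-Host ("Role: {0}  Primary: {1}  Poll interval: {2} s" -f $sync.Role, $sync.PrimaryComputerName, $sync.PollDuration)

if ($sync.Role -ne 'SecondaryComputer') {
    Write-Host 'This server is already the primary (or the farm uses SQL Server); nothing to do.'
    return
}

# Secondaries pull the configuration from the primary over HTTP (TCP 80); if that
# endpoint is up, the primary is merely slow, not lost, and promotion would split the farm.
$primaryUp = Test-NetConnection -ComputerName $sync.PrimaryComputerName -Port 80 -InformationLevel Quiet
if ($primaryUp) {
    Write-Host 'Primary is reachable; no promotion needed.'
    return
}

# Promote this node; the other secondaries must poll it by FQDN.
$newPrimary = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
Set-AdfsSyncProperties -Role PrimaryComputer
Write-Host "Promoted $newPrimary to primary."

# Re-point every other farm member, skipping this node and the failed primary.
$oldPrimary = $sync.PrimaryComputerName.ToLower()
$others = $farmMembers | Where-Object { $_ -ne $newPrimary -and $_ -ne $oldPrimary }
foreach ($node in $others) {
    Invoke-Command -ComputerName $node -ArgumentList $newPrimary -ScriptBlock {
        param($primary)
        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
    }
}
Get-AdfsSyncProperties
```

When the old primary is repaired it must be re-added as a secondary pointing at the new primary; bringing it back online with its old role would leave two servers claiming the writable copy of the configuration database.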

Preparing for Active Directory Federation Services


When preparing for AD FS, a range of factors should be taken into account.

Review Account Requirements

Service accounts for AD FS always used to be user accounts with the following additional requirements:

Long, complex password (at least 10 characters).

Password never expires.

Logon as a service.

Logon as a batch job.

However, if your environment includes domain controllers that run Windows Server 2012 or later, then
you can use the new group managed service account (GMSA) feature. The advantage of the GMSA is that
it can automatically manage password changes for the account and does not require the administrator to
change the password manually.

For more information about GMSAs, see:
http://go.microsoft.com/fwlink/?LinkID=522669

Review Namespace Requirements

Again, as with DirSync, you need to ensure namespace consistency between the on-premises Active
Directory and Microsoft Azure Active Directory. In summary, that requirement means having UPN suffixes
that map to a registered domain name in Azure. So, if a company uses a UPN suffix of Contoso.com, then
Contoso.com needs to be a registered domain in Microsoft Azure Active Directory for that company's
account.

Review DNS Requirements

Client requests to AD FS need to be able to resolve to the correct access point for the AD FS service,
regardless of whether the client is on the internal network or on the Internet. Typically, internal clients
connect to the AD FS server, and external clients connect to the proxy (AD FS or WAP). However, to have
the same URL for both internal and external connections requires different entries in the internal and
external DNS to connect to the relevant part of the AD FS infrastructure (split-brain DNS). For example, if
the host name to connect to your AD FS infrastructure is adfs.contoso.com, you will need to have the
following DNS entries:

INTERNAL DNS (Contoso.com zone)
Host name    Address
adfs         192.168.10.12

Where 192.168.10.12 is the IP address of the AD FS server farm.

EXTERNAL DNS (Contoso.com zone)
Host name    Address
adfs         131.107.21.65

Where 131.107.21.65 is the IP address of the proxy array.

Review Certificate Requirements


AD FS uses certificates for two purposes:

For Token Exchange

For SSL encryption

For token exchange, AD FS uses self-signed certificates. These certificates only validate that the content
has been unaltered in transit, so there is typically no requirement to use third-party issued certificates, or
to validate to a trusted CA.

By default, token exchange certificates automatically renew 20 days before certificate expiry. However,
there is still a requirement to update Microsoft Azure Active Directory when that change is made. If you
only have a single top-level domain, you can use the Microsoft Federation Metadata Update Automation
Installation Tool to create an automated task to update the certificate in Azure.

Microsoft Federation Metadata Update Automation Installation Tool is available for download from the
following link:
http://go.microsoft.com/fwlink/p/?linkid=248972

For SSL encryption, certificates must come from a trusted third party and do need to be replaced
manually before they expire. With the third-party SSL encryption certificates, either the common name
(cn) or the Subject Alternate Name (SAN) on the SSL certificate must match the fully-qualified domain
name (FQDN) name of the endpoint to which the client request is terminating. So, if the DNS name of the
STS is adfs.contoso.com, the SSL certificate for connecting to the proxy array must include either a cn or
SAN for adfs.contoso.com.
You don't have to wait for SSL certificate expiry, but be warned that, as soon as the certificate expires, AD
FS will fail.
For more information on replacing certificates with AD FS 2.0, see:
http://go.microsoft.com/fwlink/?LinkID=522670
Note: It is not uncommon to use a single certificate for both the AD FS servers and the
proxies. This configuration ties in to the requirement for internal and external clients to use the
same URL to access either the proxies (if outside the corporate network) or the AD FS servers (if
inside the network).

Review Firewall Requirements

Firewall configuration is relatively simple in that external clients only need the SSL port TCP 443 to
connect to the AD FS proxy or WAP endpoint. The proxy then communicates with AD FS using only port
443.

Review Load-Balancing Requirements

To provide high availability, AD FS servers are typically configured as server farms and the client requests
load-balanced across the servers using Network Load Balancing (NLB) or through use of hardware load
balancers. Configuration of a load balancer results in a single IP address for the load-balancing array that
must then be entered into DNS and also set as the cn or SAN of the SSL certificate.
The proxy servers (WAP or AD FS) will also require load balancing, again either using NLB or hardware
load balancers.
For more information on load-balancing WAP proxies, see:
http://go.microsoft.com/fwlink/?LinkID=522671
Note: As with DirSync, you also need to ensure that you clean up Active Directory by
removing unnecessary spaces, illegal characters, and duplicate addresses before implementing
AD FS. The topic on Cleaning Up Active Directory from the previous lesson covers these
considerations in detail.
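The DNS, certificate, firewall and load-balancing requirements in this topic can be checked in one pass before a cut-over. The script below is an added example (not part of the course material) that runs those checks on a federation server: it confirms that adfs.contoso.com resolves to the internal farm address and not the proxy address, that the service-communications certificate names the FQDN, chains to a trusted CA and is not close to expiry, that token-signing certificate rollover is enabled, and that TCP 443 is reachable. It assumes an AD FS 2012 R2 server with the ADFS module and uses the course's sample names and addresses.

```powershell
# Added example (not course code): pre-flight checks for the AD FS namespace,
# certificate and firewall requirements. Assumptions: ADFS module; the course's
# sample FQDN and addresses; run from inside the corporate network.
$fqdn       = 'adfs.contoso.com'
$internalIp = '192.168.10.12'   # farm VIP from the internal DNS table
$externalIp = '131.107.21.65'   # proxy array from the external DNS table
$problems   = @()

# 1. Split-brain DNS: internally the name must point at the farm, never at the proxies.
$answers = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop).IPAddress
if ($answers -notcontains $internalIp) { $problems += "$fqdn resolves to $($answers -join ', '); expected $internalIp internally" }
if ($answers -contains $externalIp)    { $problems += "$fqdn resolves to the proxy address $externalIp from inside the network" }

# 2. Service-communications (SSL) certificate: CN or SAN must equal the FQDN, it must
#    chain to a trusted CA, and it is never renewed automatically.
$ssl   = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$names = @($ssl.DnsNameList.Unicode)
if ($names -notcontains $fqdn) { $problems += "SSL certificate names ($($names -join ', ')) do not include $fqdn" }
if (-not $ssl.Verify())         { $problems += 'SSL certificate does not chain to a trusted CA (or is revoked)' }
$daysLeft = ($ssl.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30)           { $problems += "SSL certificate expires in $daysLeft days; AD FS fails at expiry" }

# 3. Token-signing certificate: self-signed and rolled over automatically, but Azure AD
#    must be told about the new one (see Update-MsolFederatedDomain in the next topic).
$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) { $problems += 'AutoCertificateRollover is off; token-signing certificates must be renewed by hand' }
Write-Host "A new token-signing certificate is generated $($props.CertificateGenerationThreshold) days before expiry"
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 4. Firewall: TCP 443 is the only port clients and proxies need to reach the farm on.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet)) { $problems += "TCP 443 to $fqdn is not reachable" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'AD FS pre-flight checks passed.' }
```

Run the same script from a host in the perimeter network with $internalIp and $externalIp swapped to confirm the external view of the split-brain DNS.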

Deploying Active Directory Federation Services


There are three main tasks involved in deploying AD FS:

Install and configure AD FS

Install and configure proxy servers

Convert domain to federated

Installing and configuring AD FS

To install and configure AD FS, the high-level steps are:

1. Add AD FS role in Add Roles and Features Wizard.

2. Assign third-party SSL certificate to default website in IIS (no longer required in Windows Server 2012
R2).

3. Run AD FS Federation Server Configuration Wizard.

4. Configure as first server in AD FS server farm.

5. Select third-party SSL certificate (must be installed into the computer's personal store).

6. Confirm Event ID 100 for operational federation server.

7. Install second and subsequent servers in farm.

8. Configure load balancing.


For more information on configuring AD FS on the AD FS server, see:
http://go.microsoft.com/fwlink/?LinkID=522672

Installing and configuring proxy servers


To install and configure proxy servers and connect them to the AD FS servers, the high-level steps are:

1. Start Add Roles and Features Wizard.

2. Select Remote Access and add Web Application Proxy.

3. Run Web Application Proxy Configuration Wizard.

4. Enter host name of AD FS service and credentials.

5. Run auto-generated PowerShell script.

6. Select pre-authentication method (AD FS or pass-through).

7. Enter external and back-end URL and select SSL certificate (must be installed into the computer's
personal store).

8. Run auto-generated PowerShell script.

9. Test connection to external URL; you should get the login prompt for AD FS.

10. Optional: customize logon screen with logos, help buttons, and so on.
For more information on configuring AD FS proxies, see:
http://go.microsoft.com/fwlink/?LinkID=522666
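Both wizard-driven procedures above (the first farm node, additional nodes, and the Web Application Proxy) can be scripted; the wizards themselves generate PowerShell, as steps 5 and 8 of the proxy procedure note. The script below is an added example, not the course's or the wizard's own output, that performs the same tasks on Windows Server 2012 R2, including creation of the group managed service account recommended in the preparation topic and the Event ID 100 check from step 6. It assumes the SSL certificate for adfs.contoso.com has already been imported into the computer's personal store on every server, that the KDS root key exists in the domain, and uses the placeholder names ADFS1, ADFS2, WAP1, gMSA-ADFS and intranet.contoso.com; the log name 'AD FS/Admin' is as on AD FS 2012 R2.

```powershell
# Added example (not course or wizard code): scripted AD FS farm + WAP deployment.
# Each section runs on the server named in its heading. Assumptions: cert already
# in Cert:\LocalMachine\My on each host; KDS root key present; placeholder names.
$fsName = 'adfs.contoso.com'
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.DnsNameList.Unicode -contains $fsName } |
               Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "No certificate for $fsName in the computer's personal store" }

# --- On a domain controller, once: gMSA for the farm (no manual password rotation) ---
New-ADServiceAccount -Name gMSA-ADFS -DNSHostName $fsName `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS1$', 'ADFS2$'

# --- On ADFS1: role install and first node of a WID farm (steps 1, 3-5) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $thumbprint -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Corp' `
    -GroupServiceAccountIdentifier 'CONTOSO\gMSA-ADFS$'

# Step 6: Event ID 100 in the AD FS admin log means the federation service is operational.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 | Where-Object Id -eq 100 |
    Select-Object -First 1 TimeCreated, Message

# --- On ADFS2: second node joins the existing farm (step 7) ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint $thumbprint -PrimaryComputerName 'ADFS1.contoso.com' `
    -GroupServiceAccountIdentifier 'CONTOSO\gMSA-ADFS$'

# --- On WAP1 (workgroup member in the perimeter network): Web Application Proxy ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# Account that is a local administrator on the federation servers, used once to
# establish the proxy trust; it is not stored on the proxy.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS servers'
Install-WebApplicationProxy -FederationServiceName $fsName `
    -FederationServiceTrustCredential $trustCred -CertificateThumbprint $thumbprint

# Publish an internal application with AD FS pre-authentication (proxy steps 6-8).
# The external certificate must name the external URL, so it is a separate cert.
$appThumbprint = '<thumbprint of the intranet.contoso.com certificate>'   # placeholder
Add-WebApplicationProxyApplication -Name 'Contoso Intranet' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'Contoso Intranet' `
    -ExternalUrl 'https://intranet.contoso.com/' -BackendServerUrl 'https://intranet.contoso.com/' `
    -ExternalCertificateThumbprint $appThumbprint
```

Pre-authentication at the proxy means an unauthenticated Internet client never reaches the back-end server; the relying party trust named in -ADFSRelyingPartyName must already exist on the farm for that application.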

Converting domains to federated

For federation to work, you have to add the domain to Azure and then convert it to federated. This
process creates the relying party trust between Azure and the on-premises domain. After conversion,
every synchronized on-premises user becomes a federated user and can use their corporate credentials to
access resources in Azure.
To convert a standard domain to federated, you can either use the Azure Portal, or use the following
Azure Active Directory PowerShell command:
Convert-MsolDomainToFederated -DomainName <domain>
You can convert multiple domains by using the -SupportMultipleDomain switch.
To add a new domain as a federated domain, you can either use the Azure Portal, or use the following
Azure Active Directory PowerShell command:
New-MsolFederatedDomain -DomainName <domain>
When adding federated sub-domains, you must add the root domain first.
Important: After you have used the New-MsolFederatedDomain cmdlet to add a top-level
domain, you will not be able to use the New-MsolDomain cmdlet to add non-federated
(standard) domains.

The following link shows the detail of the steps for setting up federation between AD FS and
Microsoft Azure Active Directory:
http://go.microsoft.com/fwlink/?LinkID=522673
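The following script is an added example (not part of the course material) of the conversion described above, with the checks a practitioner wants around it: it confirms the domain is verified in the tenant and not already federated, converts it, and then compares what AD FS and Azure Active Directory each hold for the trust, which is also the check to repeat after a token-signing certificate rollover. It assumes the Azure Active Directory (MSOnline) module on the primary federation server, a tenant in which contoso.com is already a verified domain, and the placeholder host name adfs1.contoso.com.

```powershell
# Added example (not course code): convert contoso.com to federated and verify the trust.
# Assumptions: MSOnline module on the primary AD FS server; contoso.com verified in
# the tenant; adfs1.contoso.com is a placeholder.
Import-Module MSOnline
Connect-MsolService    # prompts for a global administrator of the tenant

# The Msol federation cmdlets talk to AD FS through this context.
Set-MsolADFSContext -Computer 'adfs1.contoso.com'

# Preconditions: the domain must be verified, and converting twice is an error.
$domain = Get-MsolDomain -DomainName 'contoso.com'
if ($domain.Status -ne 'Verified')          { throw 'Verify contoso.com in Azure AD before federating it' }
if ($domain.Authentication -eq 'Federated') { Write-Host 'contoso.com is already federated'; return }

# Convert. -SupportMultipleDomain is needed when more than one UPN suffix will be federated.
Convert-MsolDomainToFederated -DomainName 'contoso.com' -SupportMultipleDomain

# Verify both sides of the trust agree on the endpoints and token-signing certificate.
# Two rows come back: one read from AD FS, one from Azure AD; they must match.
Get-MsolFederationProperty -DomainName 'contoso.com' |
    Select-Object Source, FederationServiceDisplayName, PassiveLogOnUri, TokenSigningCertificate |
    Format-List

# After a token-signing certificate rollover in AD FS, push the new certificate to
# Azure AD and run the verification above again:
# Update-MsolFederatedDomain -DomainName 'contoso.com' -SupportMultipleDomain
```

Keep the Get-MsolFederationProperty comparison in a scheduled check: once the AD FS row shows a new token-signing certificate that the Azure AD row lacks, federated sign-ins will fail at the next rollover until Update-MsolFederatedDomain (or the automation tool mentioned earlier in the lesson) is run.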

Discussion: Determining Integration Requirements


A. Datum wants to plan for migrating existing HQ and branch office resources to Azure. However, this goal
cannot be achieved immediately and a period of hybrid operation will be necessary.
A. Datum has asked you to analyze the current directory service environment and recommend the best
solution that fits the company's needs, bearing in mind issues such as complexity, cost, and ease of
implementation.

Requirements:

1. A. Datum currently has an on-premises Active Directory domain. This domain is used to authenticate
users on domain-joined computers and to access applications and resources published internally.

2. The organization is also adopting a partial rollout of Microsoft Azure and will be deploying a number
of cloud services that evaluate user accounts prior to granting access to resources.

3. The main Azure app is an internally-developed customer relationship management system that has
been migrated to the cloud platform. The front end of this application connects to a separate Oracle
database that includes inbuilt authentication and authorization.

4. To ensure the highest level of security on this CRM system, A. Datum plans to implement a cloud-based
multi-factor authentication to ensure user identity prior to logon.

5. A. Datum wants to preserve separate password policies between the on-premises directory and
Azure-based applications.

6. A. Datum is not planning to implement Office 365 in the immediate future.

Propose a Solution:

1. Which hybrid solution is most suitable for A. Datum?

2. What factors make the other options unworkable?

3. In the future, if A. Datum wants to provide single-source management of passwords and password
policies, what option could the organization enable?

Lab: Managing an Active Directory Hybrid Environment


Scenario

A. Datum currently uses single sign-on for on-premises applications. As part of A. Datum's evaluation of
Microsoft Azure, you need to test that A. Datum users can use the same credentials that they use to access
resources on the A. Datum intranet to access resources in Azure. When users change passwords and other
directory details, you want to ensure these changes will be reflected in both your on-premises and Azure
Active Directories. In this lab, you will evaluate this hybrid environment.

Objectives
After completing this lab, you will be able to:

Configure directory synchronization.

Synchronize on-premises Active Directory with Microsoft Azure.

Lab Setup
Estimated Time: 40 minutes
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Before starting this lab, ensure that you have performed the Preparing the Environment demonstration
tasks at the beginning of the first lesson in this module, and that the setup script has completed.

Exercise 1: Configuring Directory Synchronization


Scenario
A. Datum now wants to implement and test directory integration, and you need to configure DirSync
between your on-premises directory and the default domain in Azure. Due to the domain and DNS
requirements, you will be using the default DNS namespace for the Azure domain.
The main tasks for this exercise are as follows:
1. Enable Directory Synchronization in Microsoft Azure and Install the DirSync Tool
2. Create Service Accounts
3. Configure Directory Synchronization
4. Configure OU Filtering

Task 1: Enable Directory Synchronization in Microsoft Azure and Install the DirSync Tool

1. Log on to AdatumDC1 over RDP as ADATUM\Student with a password of Password123.

2. Start Internet Explorer on AdatumDC1, and log on to the full Microsoft Azure portal, using the
Microsoft account associated with your Azure subscription.

3. In the full Azure portal, navigate to the Active Directory tab. In the default directory, enable Directory
Integration. Note the default DNS name.

4. From the default directory dashboard page, download the latest version of the DirSync executable
and save it to the Downloads folder.

5. Run DirSync.exe file setup, accepting the default settings but stop prior to configuration; installation
may take 15-20 minutes.

6. Log off and log back on again as ADATUM\Student with a password of Pa$$w0rd123.

Task 2: Create Service Accounts


1. On AzureDC1, in the Users OU, create an account called DirSync with a password of Pa$$w0rd123,
set that password to never expire, and add the account to the Domain Admins and Enterprise
Admins groups.

2. Verify that there are five user accounts in the Accounts OU.

3. In Microsoft Azure, create a new global administrator account called
DirSyncAzure@<yourdomainname>.onmicrosoft.com. Log in with the temporary password and
reset the password to Pa$$w0rd123.

Task 3: Configure Directory Synchronization


1. Run the Directory Sync Configuration Wizard from the Desktop. Use the
DirSyncAzure@<yourdomainname>.onmicrosoft.com and the ADATUM\DirSync account in Active
Directory, both with a password of Pa$$w0rd123. Do not enable Hybrid Deployment, do not enable
Password Sync, and do not synchronize directories.

Task 4: Configure OU Filtering


1. In File Explorer, navigate to C:\Program Files\Windows Azure Active Directory
Sync\SYNCBUS\Synchronization Service\UIShell.

2. Start the MIISClient.exe application.

3. In Synchronization Service Manager, click the Management Agents tab.

4. In the Management Agents tab, double-click Active Directory Connector.

5. In the Properties dialog box, click Configure Directory Partitions.

6. Click Containers.

7. In the Credentials dialog box, use the following credentials:

o User name: DirSync

o Password: Pa$$w0rd123

o Domain: ADATUM

8. In the Select Containers dialog box, clear the root level check box, then select only the Accounts
check box, and click OK.

9. Click OK to close the Properties dialog box.

Results: After completing this exercise, you will have installed and configured DirSync, ready for a test
synchronization.

Exercise 2: Synchronizing Directories


Scenario

A. Datum now wants to test directory integration, by synchronizing a specific OU within Active Directory
into Microsoft Azure Active Directory, changing attributes on a user account, and then forcing
synchronization.
The main tasks for this exercise are as follows:
1. Synchronize Directories
2. Initiate manual synchronization
3. Reset the Environment

Task 1: Synchronize Directories


1. Run the Directory Sync Configuration Wizard from the Desktop. Use the
DirSyncAzure@<yourdomainname>.onmicrosoft.com and the ADATUM\DirSync account in
Active Directory, both with a password of Pa$$w0rd123. Do not enable Hybrid Deployment, do not
enable Password Sync, but select the option to synchronize directories.

2. Log on to the Full Azure Portal, and check that the user accounts from the Accounts OU have
synchronized into Microsoft Azure Active Directory.

Task 2: Initiate Manual Synchronization


1. Make a change to the attributes of some of your users in the Accounts OU in the Adatum directory.
Attributes to change include:

o Job Title

o Department

o Street Address

o City

o State or Province

2. Start a PowerShell session using administrative credentials, set the execution policy to unrestricted,
and then import the DirSync module using the Import-Module command.

3. Run the Start-OnlineCoexistenceSync command.

4. In the Full Azure Portal, check that the changes you have made to the user accounts have replicated
to Microsoft Azure; if you do not see any changes, wait a few minutes and refresh the page.

5. Close the AdatumDC1 remote desktop session, and click OK when prompted.

Task 3: Reset the Environment


1. On MIA-CL1, close all open applications without saving any files.

2. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the
User Account Control dialog box, click Yes.

3. Type the following command, and then press Enter:

Reset-Azure

4. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that
you use an Azure trial pass that was provisioned specifically for this course, and not your own Azure
account.
The script will take 5-10 minutes to reset your Microsoft Azure environment, ready for the next lab.
The script removes all storage, VMs, virtual networks, cloud services, and resource groups.
Important: The script may not be able to get exclusive access to a storage account to delete it (if this
occurs, you will see an error). If you find objects remaining after the reset script is complete, you can
re-run the Reset-Azure script, or use the full Azure Management Portal to manually delete all the
objects in your Azure subscription, with the exception of the default directory.

Results: After completing this exercise, you will have synchronized a specific OU within Active Directory
into Microsoft Azure Active Directory, changed attributes on user accounts, and forced synchronization.

Module Review and Takeaways

In this module, you learned about:

• Extending your on-premises Active Directory domain into Microsoft Azure.

• Synchronizing user accounts between on-premises Active Directory and Microsoft Azure.

• Setting up single sign-on using federation between on-premises Active Directory and Microsoft Azure.

Review Question(s)
Question: How might you allay any security concerns with either DirSync and password sync or single sign-on?

Module 12
Implementing Automation
Contents:
Module Overview                                   12-1
Lesson 1: Overview of Automation Components       12-2
Lesson 2: Implementing PowerShell Workflows       12-7
Lesson 3: Managing Automation                     12-10
Lab: Implementing Automation                      12-15
Module Review and Takeaways                       12-20

Module Overview

In this module, you look at how you can use automation methods to administer Microsoft Azure. You
will review the automation architecture, such as accounts, assets, jobs, runbooks and integration modules.
Finally, you will see how these methods can combine to reduce the amount of time that it takes to keep
on top of management issues in Microsoft Azure.

Objectives
After completing this module, you should be able to:

• Describe the automation components in Microsoft Azure.

• Configure PowerShell workflows and convert scripts to workflows.

• Manage automation through creating and publishing of runbooks and scheduling jobs.

Lesson 1

Overview of Automation Components

In this first lesson, you investigate what Azure Automation is and review the crucial first step of connecting
Azure Automation to an Azure subscription, either by uploading a management certificate, or by using
Windows PowerShell credentials with Azure AD. You then move on to look at the different automation
assets you can create and what each of those assets does.

Lesson Objectives
After completing this lesson, you should be able to:

• Explain Azure Automation and list its components.

• Connect Azure Automation to an Azure subscription.

• Create Azure Automation assets.

Demonstration: Preparing the Environment

Perform the following tasks to prepare the lab environment. The Azure services you will use in the lab will
be described in this module while the environment is being configured.
Important: The scripts used in this course may delete any objects that you have in your
subscription. Therefore, you should complete this course against a new Azure subscription. You
should have received sign-up details and instructions for creating an Azure Learning Pass for this
reason. Alternatively, create a new Azure Trial Subscription. In both cases, use a new Microsoft
account that has not been associated with any other Azure subscription. This avoids confusion in
labs and setup scripts.

The labs in this course use custom Microsoft Azure PowerShell cmdlets, including Setup-Azure to prepare
the Azure environment for a lab, and Reset-Azure to perform clean-up tasks at the end of a lab. For this
lab, Setup-Azure creates a virtual network (ADATUM-VNET), and then removes the Azure subscription and
account from the Azure PowerShell session.
Before you start the lab preparation, your instructor will decide which Azure region is the closest to your
classroom location. You will need this information during the lab. Note that, at the time of writing, the
only available regions for Azure Automation were East US, Southeast Asia, and West Europe; you must
choose one of these regions.

Demonstration Steps
Sign in to Your Microsoft Azure Subscription

1. Ensure that the MSL-TMG1 and 20533B-MIA-CL1 virtual machines are both running, and then log on to 20533B-MIA-CL1 as Student with the password Pa$$w0rd.

2. You should already have created a Microsoft Azure trial subscription. If you have not done so, follow the instructions in D:\Creating a Microsoft Azure Trial Subscription.htm. Provisioning may take several hours.

3. When your trial subscription has been provisioned, in Internet Explorer, browse to http://azure.microsoft.com, click Portal, and sign in using the Microsoft account that is associated with your Azure subscription. Close any initial "welcome" messages.

4. At the top right, click your Microsoft account name and click Switch to new portal. Then, in the new tab that is opened, close any initial "welcome" messages for the new portal.

5. Close the tab containing the new portal, keeping the full portal tab open.

Prepare the Azure Environment

1. On the taskbar, right-click Microsoft Azure PowerShell, and then click Run as administrator. In the User Account Control dialog, click Yes.

2. Type the following command, and then press Enter:

   Setup-Azure

3. At the prompt, type the module number, and then press Enter.

4. Confirm your selection, and then press Enter.

5. When prompted, sign in using the Microsoft account associated with your Azure subscription.

6. When prompted, enter the Azure region to use (at the time of writing, the only available regions for Azure Automation are East US, Southeast Asia, and West Europe), and then press Enter.

7. When prompted, sign in using the Microsoft account associated with your Azure subscription.

Note: This script may remove Azure services in your subscription. It is therefore recommended that you
use an Azure trial pass that was provisioned specifically for this course, and not your own Azure account.

The script will take a while to configure your Microsoft Azure environment, ready for the lab at the end of
this module.

Automation as a Component of Azure

Azure Automation is an Azure service that enables tasks such as the deployment of infrastructure as a service (IaaS) VM and platform as a service (PaaS) roles to be scripted and automated. Using an Azure service to run scheduled and scripted tasks provides a highly available and scalable platform; if a task is interrupted, for example by a service or network issue, it is automatically resumed when the issue has been resolved.

Introduction to Azure Automation

Azure Automation uses runbooks, which are implemented as Windows PowerShell Workflows. A workflow is a sequence of steps optimized for long-running tasks, or multiple steps across multiple endpoints (such as virtual machines). Workflows can automatically recover from failures. You write a workflow using Windows PowerShell syntax, but it is actually processed by Windows Workflow Foundation.

In order to use PowerShell-based scripting, Azure Automation uses Integration Modules. An Integration Module contains a Windows PowerShell Module, and can be imported into Azure Automation; these Windows PowerShell Modules contain the cmdlets and workflows that can be used in an Automation runbook. Note that not all regular Windows PowerShell cmdlets are available in the Windows PowerShell Integration Modules.

Azure Automation is similar to the features that the Service Management Automation (SMA) engine provides for on-premises private cloud resources via the Windows Azure Pack and System Center 2012 R2 Orchestrator, but without needing to manually build and manage automation servers. Azure Automation provides scalability and high availability automatically through the Microsoft Azure cloud platform.

For more information on Getting started with Azure Automation, see:
http://go.microsoft.com/fwlink/?LinkID=511771

For more information on Runbook Concepts, see:
http://go.microsoft.com/fwlink/?LinkID=511961

Connecting Azure Automation to a Subscription

There are two ways to connect to your Azure subscription:

• Using Azure AD

• Using certificates

You can use either method with Azure Automation.

The Azure AD method requires:

1. An organizational account, with coadministrator rights.

2. A PowerShell credential asset, which is called from the Automation script.

The certificate method requires:

1. A self-signed certificate; this can be created using makecert.exe, and must then be uploaded to be used with Azure Automation.

2. An Azure Credential asset for the certificate.

3. An Azure Connection asset for the certificate.

The Azure AD method is simpler to use, but does require an organizational account with coadministrator rights.

For more information on How to install and configure Azure PowerShell, including the two connection methods, see:
http://go.microsoft.com/fwlink/?LinkID=511717

For more information on the Getting Started with NEW Microsoft Azure Automation Preview Feature, see:
http://go.microsoft.com/fwlink/?LinkID=511772

For more information on the Managing Azure Services with the Microsoft Azure Automation Preview Service, see:
http://go.microsoft.com/fwlink/?LinkID=511773
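The following runbook is an added example, not part of the course materials, showing how both connection methods look from inside a workflow using the classic Azure PowerShell cmdlets of this period (Add-AzureAccount, Set-AzureSubscription, Select-AzureSubscription, Get-AzureSubscription). The asset names AzureADCred, AzureConn and SubscriptionName, and the AutomationCertificateName and SubscriptionID properties of the Azure connection asset, are assumptions made for this example.

```powershell
# Added example: connect a runbook to the subscription with either asset type.
# Asset names and connection property names are assumptions for this example.
workflow Connect-AzureDemo
{
    param (
        # "AzureAD" (default) or "Certificate"
        [string]$Method = "AzureAD"
    )

    if ($Method -eq "Certificate")
    {
        # Certificate method: the Azure connection asset carries the subscription ID
        # and the name of the certificate asset; the certificate asset holds the
        # uploaded .pfx. Neither value is typed into the runbook text.
        $conn = Get-AutomationConnection -Name "AzureConn"
        $cert = Get-AutomationCertificate -Name $conn.AutomationCertificateName

        Set-AzureSubscription -SubscriptionName "AzureConn" `
                              -SubscriptionId $conn.SubscriptionID `
                              -Certificate $cert
        Select-AzureSubscription -SubscriptionName "AzureConn"
    }
    else
    {
        # Azure AD method: the organizational (co-administrator) account is a
        # PowerShell credential asset, so its password is stored encrypted in the
        # automation account rather than in the runbook.
        $cred = Get-AutomationPSCredential -Name "AzureADCred"
        Add-AzureAccount -Credential $cred | Out-Null
        Select-AzureSubscription -SubscriptionName (Get-AutomationVariable -Name "SubscriptionName")
    }

    # Confirm the connection without changing anything in the subscription.
    # Only the subscription identity reaches the job output; the credential
    # and the certificate are never written to it.
    Get-AzureSubscription -Current | Select-Object SubscriptionName, SubscriptionId
}
```

Whichever method is used, the secret (password or private key) lives in an asset and is fetched by name at run time, so the runbook text, which is visible to everyone who can open the automation account, contains nothing worth stealing, and the job output stream in the history contains only the subscription identity.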

Creating Azure Automation Assets

Azure Automation Assets are available to all runbooks in an Automation environment.

Credentials are either a username and password used with Windows PowerShell commands, and accessed in runbooks using Get-AutomationPSCredential, or an uploaded certificate, accessed in the runbook with the Get-AutomationCertificate activity. If using a certificate, you need to upload a .pfx file, and provide its password.

Connections contain all the information required for a runbook to connect to a service or application, such as a user name and password, a computer to connect to, certificate name or subscription ID. Connection properties are accessed in the runbook with the Get-AutomationConnection activity.

Variables contain values that are available to all runbooks that run within the same automation account. They can be created, modified, and retrieved from the management portal, Windows PowerShell, or from within a runbook. Variables are useful for:

• Sharing values between runbooks.

• Sharing values between multiple jobs from the same runbook.

• Managing values initially set from the management portal or from Windows PowerShell.

Variables are of the following types:

• String

• Integer

• Boolean

• Datetime

Variable values can be stored encrypted in the Azure Automation database; if a value is encrypted, you cannot see the value in the portal, and it is only available to be used in a workflow by using the Get-AutomationVariable activity.

Schedules enable runbooks to run automatically, either at a single date and time, or on a recurring schedule.
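As an added example (not from the course), the runbook below uses variable assets for the two purposes the text lists: sharing state between jobs of the same runbook, and holding a value that is set once in the portal and then consumed by workflows. The variable names LastRunTime (Datetime), RunCount (Integer) and ApiKey (String, stored encrypted) are assumptions for this example.

```powershell
# Added example: Datetime and Integer variables shared between jobs, plus an
# encrypted String variable read only at run time. Variable names are assumptions.
workflow Invoke-ThrottledDemo
{
    param ([int]$MinimumIntervalMinutes = 30)

    $lastRun = Get-AutomationVariable -Name "LastRunTime"
    $count   = Get-AutomationVariable -Name "RunCount"

    # Encrypted values are never displayed in the portal; a runbook is the only
    # place they can be read. The value is used but deliberately never written
    # to the output stream, which is kept in the job history.
    $apiKey = Get-AutomationVariable -Name "ApiKey"
    if ([string]::IsNullOrEmpty($apiKey)) { throw "ApiKey variable is empty or missing" }

    # Shared state lets separate jobs of this runbook coordinate: skip the work
    # if another job ran recently. Two jobs starting at the same instant can
    # both pass this test; a variable is a shared value, not a lock.
    if ($lastRun -and ((Get-Date) - [datetime]$lastRun).TotalMinutes -lt $MinimumIntervalMinutes)
    {
        Write-Output ("Last run was at {0}; skipping." -f $lastRun)
        return
    }

    Write-Output ("Run number {0}; previous run: {1}" -f ($count + 1), $lastRun)
    # ... the work that needs $apiKey goes here ...

    # Persist the new values so that other runbooks and later jobs see them.
    Set-AutomationVariable -Name "RunCount"    -Value ($count + 1)
    Set-AutomationVariable -Name "LastRunTime" -Value (Get-Date)
}
```

On the very first job RunCount is empty, which PowerShell treats as 0, and LastRunTime is empty, so the interval check is skipped; from then on every job records when it ran and how many jobs have run before it.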

Lesson 2

Implementing PowerShell Workflows


In this second lesson, you move on to look at PowerShell Workflows. In particular, you look at how
workflows go beyond simple scripts and can be used to automate a range of functions within Azure.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the features and functions of PowerShell Workflows.

• Create basic PowerShell workflows using sequences, checkpoints, and parallel processing.

• Convert PowerShell scripts into workflows.

Overview of PowerShell Workflows

A key difference between workflows and traditional PowerShell scripts is that workflows support:

• Long-running activities.

• Repeatable activities.

• Frequently-executed activities.

• Running activities in parallel across one or more machines.

• Interruptible activities that can be stopped and re-started, including across a reboot of the system against which the workflow is executing.

A big advantage of Windows PowerShell Workflows is that they can perform a set of commands in parallel, instead of sequentially, as with a typical PowerShell script. This is useful for runbooks that perform multiple actions that take a significant time to complete, such as provisioning a group of virtual machines.

PowerShell workflows are dependent on .NET Framework Windows Workflow Foundation (WWF). Specifically, Windows PowerShell Workflows are Windows PowerShell scripts, written using Windows PowerShell syntax, launched by Windows PowerShell, but processed by Windows Workflow Foundation.

For more information on PowerShell Workflows: The Basics, see:
http://go.microsoft.com/fwlink/?LinkID=511774

Creating Basic PowerShell Workflows

Windows PowerShell Workflows start with the keyword "Workflow", followed by the script body enclosed in braces:

Workflow Test-Runbook
{
    <Commands>
}

The keyword Parallel creates a script block containing multiple commands that run concurrently.

The keywords ForEach Parallel concurrently process commands in a collection, and can be used where items in a collection are processed in parallel, but commands in the script block run sequentially.

The keyword Sequence runs commands in sequence within a Parallel script block.

The keyword InlineScript runs a block of commands in a separate, non-workflow session and returns its output to the workflow. Commands within an InlineScript block are processed by Windows PowerShell (not by Windows Workflow Foundation).

Checkpoints are snapshots of the current state of the workflow, including the current values for variables. Checkpoints are saved to the Automation database, so that workflows can resume after interruption or outage. Checkpoints are set with the Checkpoint-Workflow activity. The Suspend-Workflow activity can be used to force a runbook to suspend, and set a checkpoint; this is useful for runbooks that need some intermediate manual steps.
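The workflow below is an added example (not from the course) that puts ForEach Parallel, Sequence, Checkpoint-Workflow and Suspend-Workflow together in one runbook that starts a group of VMs and then pauses for a manual check. The credential asset name AzureADCred, the cloud service name and the VM names are assumptions; the classic Start-AzureVM and Get-AzureVM cmdlets are used because the course works against cloud services.

```powershell
# Added example: parallel VM start with a checkpoint and a manual pause.
# Asset, service and VM names are assumptions made for this example.
workflow Start-DemoVMs
{
    param (
        [string[]]$VMNames    = @("web01", "web02", "web03"),
        [string]$ServiceName  = "adatum-demo-svc"
    )

    $cred = Get-AutomationPSCredential -Name "AzureADCred"
    Add-AzureAccount -Credential $cred | Out-Null

    # Every VM is started concurrently; within each iteration the two
    # commands run in order, so the message follows its own Start-AzureVM.
    foreach -parallel ($name in $VMNames)
    {
        sequence
        {
            Start-AzureVM -ServiceName $ServiceName -Name $name | Out-Null
            Write-Output "Start requested for $name"
        }
    }

    # Snapshot the workflow state. If the job is interrupted after this point
    # it resumes here rather than issuing the start commands a second time.
    Checkpoint-Workflow

    # Hand over to an operator: the job stays suspended until it is resumed
    # from the portal, which is where a manual verification step belongs.
    Suspend-Workflow

    # A resumed job runs in a fresh session, so the Azure sign-in done above is
    # not part of the checkpoint and has to be repeated before any Azure cmdlet.
    $cred = Get-AutomationPSCredential -Name "AzureADCred"
    Add-AzureAccount -Credential $cred | Out-Null

    foreach -parallel ($name in $VMNames)
    {
        Get-AzureVM -ServiceName $ServiceName -Name $name | Select-Object Name, Status
    }
}
```

Because the first loop is idempotent (starting a running VM is harmless) the checkpoint is placed after it, which is the usual pattern: checkpoint after work that must not be repeated, not before it.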

Converting PowerShell Scripts into Workflows

You can take an existing Windows PowerShell script, and then convert it to use with Azure Automation, by copying the code into a workflow. However, because a workflow is not actually Windows PowerShell, but Windows PowerShell workflow functionality built on WWF, it is important to note that not all Windows PowerShell cmdlets have been mapped to workflow activities. For PowerShell cmdlets that are not mapped to workflow activities, you can use an InlineScript, which is effectively a Windows PowerShell script block inside your workflow:

InlineScript {
    Non-mapped command
}

To enable a series of commands to execute in parallel, add the parallel keyword to execute the code between the braces {} in parallel.

To enable a series of commands to execute in sequence, add the sequence keyword to execute the code between the braces {} in series.

In the following example, commands A and B (and the sequence C-D) will be executed in parallel (and there is no way to know in advance which of these commands will complete first); commands C and D will always execute in the order C then D, but might execute before command A or command B.

workflow test {
    InlineScript { Code }
    parallel {
        Command A
        Command B
        sequence {
            Command C
            Command D
        }
    }
}

For more information on Azure Automation Capabilities in Depth: The Azure Automation PowerShell Cmdlets, including currently mapped cmdlets, see:
http://go.microsoft.com/fwlink/?LinkID=511962
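As an added example of the conversion described above (not from the course), here is a short interactive script and the workflow it becomes. The storage cmdlets are run inside an InlineScript because they are not workflow activities and the storage context object they share cannot be carried across workflow activities; the important detail is that the InlineScript runs in its own session, so workflow variables are only visible there through the $Using: prefix and the Azure sign-in is repeated inside it. The storage account and asset names are assumptions.

```powershell
# The script being converted (constructed for this example), as it would be run
# interactively after signing in with Add-AzureAccount:
#
#   $account = "adatumstorage"
#   $key = (Get-AzureStorageKey -StorageAccountName $account).Primary
#   $ctx = New-AzureStorageContext -StorageAccountName $account -StorageAccountKey $key
#   Get-AzureStorageContainer -Context $ctx | Where-Object { $_.PublicAccess -ne "Off" }

# Added example: the same logic as a workflow, checking several accounts in parallel.
workflow Find-PublicContainers
{
    param ([string[]]$StorageAccounts = @("adatumstorage1", "adatumstorage2"))

    $cred = Get-AutomationPSCredential -Name "AzureADCred"

    foreach -parallel ($account in $StorageAccounts)
    {
        InlineScript
        {
            # Copy workflow variables into the InlineScript session first.
            $acct = $Using:account
            $c    = $Using:cred

            # Ordinary PowerShell from here on: sign in again, since this session
            # is separate from the workflow, then run the unmapped cmdlets.
            Add-AzureAccount -Credential $c | Out-Null
            $key = (Get-AzureStorageKey -StorageAccountName $acct).Primary
            $ctx = New-AzureStorageContext -StorageAccountName $acct -StorageAccountKey $key

            # Report only containers that allow anonymous access. The storage key
            # stays inside this session and is never written to the job output.
            Get-AzureStorageContainer -Context $ctx |
                Where-Object { $_.PublicAccess -ne "Off" } |
                Select-Object @{ n = "Account"; e = { $acct } }, Name, PublicAccess
        }
    }
}
```

When converting, keep everything that handles a single non-serializable object (here the storage context) inside one InlineScript rather than splitting it across activities, and treat the InlineScript boundary like a remote session: nothing from the workflow is in scope unless it is pulled in with $Using:.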

Lesson 3

Managing Automation

In this third lesson, you look at the methods for authoring new runbooks, how to edit and test your runbook code, and how to publish a runbook in a live production environment. Finally, you look at options for managing runbooks, runbook jobs, and log files.

Lesson Objectives
After completing this lesson, you should be able to:

• Import and test runbooks.

• Author runbooks.

• Publish runbooks and manage runbook exceptions.

Importing and Testing Runbooks

There are several ways to create new runbooks:

• Create a new empty runbook and add code to the runbook.

• Import a runbook from a script file containing a Windows PowerShell Workflow.

• Import a runbook from the Runbook Gallery.

When creating a new runbook, note that the runbook name must start with a letter, and the name can have letters, numbers, underscores, and dashes.

When creating a new runbook, it is initially saved as a Draft version; using drafts enables you to validate
runbook operation before making the runbook available for production use by overwriting the existing
Published version. When you test the runbook, the Draft version is run and any output sent to the
Output Pane in the management portal for administrators.

Note that when testing a runbook, the draft runbook is executed against your live Microsoft Azure
subscription (there is no what-if option), so you must check the consequences of executing the runbook
against provisioned cloud resources before clicking Test.
Important: Because there is no what-if, and Test runs against a live environment, you
may wish to use a separate development or test subscription for developing and testing your
automation runbooks. When you have the final version of a runbook, you could then export it,
and import it into a live production subscription.
For more information on Sample runbooks for Azure Automation, see:
http://go.microsoft.com/fwlink/?LinkID=511775
For more information on how to create a runbook, see:
http://go.microsoft.com/fwlink/?LinkID=511776
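The Important note above recommends a separate subscription for testing and promoting only the finished runbook to production. The script below is an added example of that promotion done from the Azure PowerShell console, not a procedure from the course: it loads a workflow file as the Draft of a runbook in a test automation account, publishes and runs it there, waits for the job, and only publishes the same file to the production account if the test job completed. The cmdlet names are from the classic Azure Automation cmdlets in the Microsoft Azure PowerShell module of this period; the subscription and account names, the file path, the runbook name and its parameters are placeholders, and the runbook is assumed to already exist in both accounts.

```powershell
# Added example: promote a runbook from a test account to production.
# Subscription names, account names, path and runbook details are placeholders.
$testSubscription = "Adatum Test"
$prodSubscription = "Adatum Production"
$testAccount      = "adatum-test"
$prodAccount      = "adatum-prod"
$runbook          = "Start-DemoVMs"
$sourceFile       = "C:\Runbooks\Start-DemoVMs.ps1"

# 1. Replace the Draft version in the TEST account with the file contents.
Select-AzureSubscription -SubscriptionName $testSubscription
Set-AzureAutomationRunbookDefinition -AutomationAccountName $testAccount `
    -Name $runbook -Path $sourceFile -Overwrite

# 2. Publish and start it. There is no what-if: this job acts on the real
#    test subscription, which is exactly why it is not the production one.
Publish-AzureAutomationRunbook -AutomationAccountName $testAccount -Name $runbook
$job = Start-AzureAutomationRunbook -AutomationAccountName $testAccount -Name $runbook `
    -Parameters @{ VMNames = @("web01"); ServiceName = "adatum-test-svc" }

# 3. Wait for the job to reach a terminal state, then show what it wrote.
do {
    Start-Sleep -Seconds 15
    $job = Get-AzureAutomationJob -AutomationAccountName $testAccount -Id $job.Id
} while ($job.Status -notin "Completed", "Failed", "Stopped", "Suspended")

Get-AzureAutomationJobOutput -AutomationAccountName $testAccount -Id $job.Id -Stream Output

# 4. Gate the production publish on the test result. The same file is used,
#    so what was tested is what goes live; nothing is edited in production.
if ($job.Status -eq "Completed") {
    Select-AzureSubscription -SubscriptionName $prodSubscription
    Set-AzureAutomationRunbookDefinition -AutomationAccountName $prodAccount `
        -Name $runbook -Path $sourceFile -Overwrite
    Publish-AzureAutomationRunbook -AutomationAccountName $prodAccount -Name $runbook
    Write-Output "Published $runbook to $prodAccount."
} else {
    Write-Warning "Test job ended with status '$($job.Status)'; $runbook was not promoted."
}
```

Keeping the workflow file, rather than the portal editor, as the source of truth makes this repeatable and leaves a reviewable copy of exactly what was published in each subscription.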

Authoring Runbooks

Runbook code is edited by using the management portal editor. There are several approaches to authoring a runbook:

• You can write workflow code manually, directly into the management portal editor.

• You can insert code from other runbooks.

• You can insert any global setting into a runbook.

• You can insert Azure Activities (equivalent to Windows Azure PowerShell cmdlets).

To insert code from other runbooks, click Insert in the management portal editor, and then click Runbook.

To insert a global setting into a runbook, click Insert in the management portal editor, then click Setting. Then, in the Setting Action column, select the type of code that you require (such as Get Variable, Get Connection, Get Certificate, or Get Windows PowerShell Credential). You then select from the available assets in the center column.
To insert an Azure Activity, click Insert in the management portal editor, then select the Azure
Integration Module.
For more information on Runbook and Module Operations, see:
http://go.microsoft.com/fwlink/?LinkID=511777

Demonstration: Authoring and Testing a Runbook

In this demonstration, you will see how to:

• Create an Azure Automation account.

• Add an Azure credential.

• Add Azure variables.

• Import a runbook.

• Run a runbook that deploys two Azure VMs to a new storage account.

Demonstration Steps
Create a new Automation Account

1. In the Management Portal, on the left side, click AUTOMATION.

2. On the Automation page, click CREATE AN AUTOMATION ACCOUNT.

3. On the Add a New Automation Account page, in the ACCOUNT NAME box, type ADATUM-DEMO; in the REGION list, select your nearest region (use the same region you selected when you prepared the lab environment) and click OK.

Create a Windows PowerShell Credential

1. On the Automation page, click the ADATUM-DEMO account.

2. On the adatum-demo page, click ASSETS.

3. At the bottom of the page, click ADD SETTING.

4. On the ADD SETTING page, click ADD CREDENTIAL.

5. On the Define Credential page, in the CREDENTIAL TYPE box, select Windows PowerShell Credential, in the NAME box, type PScredential, and click the right arrow.

6. On the Define Credential page, in the USER NAME box, type AutomationDemo@<domain>; where domain is the part after the @ symbol you noted above (or paste from Notepad).

7. In the PASSWORD and CONFIRM PASSWORD boxes, type Pa$$w0rd123, and click Complete (check mark).

Create some string variables

1. At the bottom of the page, click ADD SETTING.

2. On the ADD SETTING page, click ADD VARIABLE.

3. On the Define Variable page, in the VARIABLE TYPE box, select String; in the NAME box, type SubscriptionName, and click the right arrow.

4. On the Define Variable Value page, in the VALUE box, type the name of your Azure trial (for example, Free Trial), and click Complete (