hey everyone welcome to this AZ 104 V2 study cram I created a version of this a couple of years ago it just passed a million views so I thought this was a pretty good time to update it there's actually not been a huge amount of change but still there have been some modifications there's been a few things removed and added so hey I thought it was a good time to go ahead and update now I do have in the description links to the different sections of the knowledge so you can absolutely jump around my recommendation is to make sure you actually go and do the activities so make sure you've gone and looked at the study guide for example so if we jump over go and look at the study guide and it breaks down what all of the different areas that you're going to need to study are so be able to have gone through through this and tick all of those different things get handson and actually go and try them out again I am only going to cover the theory about it there's just too much me try and show all of the handson go through the learn modules so if we actually go and look you can schedule obviously the exam but if you see the ways to prepare it has this self paste and it has fantastic learning modules that covers all of the knowledge you actually need to have now I also have my a 104 playlist I have links to my Azure masterclass V to where I go through the detail of that as well which is linked in the description but really prepare yourself in the best possible way try out the Technologies the new applied skills give you an environment you can try various types of the Technologies in a lot of those self-paced learning there are Labs that again gives you a chance to get some Hands-On so the administrator exam is really about knowing how to do the various things so make sure you've equipped yourself in the best possible way and have actually gone and tried these things out try it from the portal try it through the CLI where templates apply make sure you've done it through all of those things so let's dive into the areas and the first one I want to talk about is entra ID now this used to be called azure ad but it's been renamed so if I think about entra ID well this is the identity Provider from Microsoft and what's going to happen is the whole point of entra is it speaks Cloud so if I think about the regular types of protocols we're going to interact with it well it's going to be things like a 2 open ID connect which is all about identification so authentication authorization speak things like saml WS fed and the key point of all of these things is these are useful to speak over the Internet it's using https TLS encryption so it works just over the internet I don't require a whole bunch of ports that I would typically have on a private Network now that's very different from what we used to do with on Prem so if I think about in our on Prem world what we would typically have is okay I've got my active directory domain Services where we have all of those domain controllers and then it speaks things like Cur Ross uh ntlm and if I want to interact with bit I use things like ldap over here in entra if we want to interact with it we have things like the Microsoft graph so the graph is really now the standard way that we interact with many of the things like Office 365 yes enter ID and with this it's all rest based calls and again that's going over that 443 that https so the whole point is this is an identity provider that speaks Cloud compared to your active directory domain Services that's really structured for private networks with lots of different ports available now active directory also has organizational units it has a structure to it we do not have that in entra entra is primarily flat but we will talk about something called administrative units to help delegate at a more granular level different types of permission ions now it is very common that we want to replicate from our active directory domain services to entra and the key Point here is the flow is always that way active directory domain Services is essentially the source of Truth and I'm replicating into my entra ID tenant now there's different Technologies for this there's really two so it's going to be entra connect and one of them is entra connect sync now with entra connect sync the actual engine runs on premises so my engine is down here the other option we have and I'll do this in a slightly different color is entra connect Cloud sync and as you might guess in Cloud syn the engine runs up in the cloud and I have these very lightweight agents that would run for example on my domain controllers so it's the means to be able to communicate but the engine that's actually working out or which identity links to which and creating and updating with Cloud syncs it runs in the cloud with entry connect sync it runs as a application I run on one of my Windows Server instances but again it always flows that way hey I have an account in my active directory domain Services up and it is going to replicate to and create an account in my entra ID so this is the key point it's always flowing that way and what's really nice about this obviously is once I have this Cloud identity configured what do we want to do with it what we would then have is applications will trust our particular instance for their authentication purposes so I might think about well there's obvious ones there's things like Azure there's things like Microsoft 365 and they're all going to trust a particular instance for its authentication and its authorization but also there's a huge amount of thirdparty Sasha SL applications so they would trust it as well and one of the recent things we're seeing is is you think of this secure Services Edge well I can also now have checks done for any internet site through internet access feature and even any TCP or UDP app on premises and control it through entry private access there's different ways to extend that but the key point is I have my instance and then different services will trust it for its authentication for its authorization needs now I drew this idea of entra ID what's actually happening is you as an organization will have a particular tenant so think of that as your particular instance with its users and its groups and its devices and its applications all of that its conditional access policies so in my example mine is going to be Sav Tech net that is my instance of it now by default when you create one of these things let's just have a quick look so if we go and look in my example close these tabs down if I look at my ENT tenant um I've got kind of my overview page we can see my name and we can see here my primary domain is Sav tech.net so what I have done is I have added a custom domain let's do show more and look at our settings and domain names what you'll always have by default first is it will be something. onmicrosoft.com and then you can go and add your own custom name now you have to verify it you have to go and create a record in your Zone to prove hey I own that domain name and then once you've done that it will now enable me to make that a usable name be my entertainent and I can then use it as part of my users and even make it the primary so we can see here I changed my primary to actually be that custom domain I added so I have full capabilities around that now one important thing people often get confused when we think about entra ID or enter tenant and Azure and subscriptions a tenant does not live in an Azure subscription it's not an Azure service it's a global instance it's just available to us and then I take a subscription and I trust a particular tenant but this does not live within the subscription that's really an important thing to understand and then I can do different types of branding So within my particular tenant one of the things if I went and looked for example um at my user experiences down here we can see I have the idea of company branding and I can tweak a lot of the interface so I can configure different backgrounds I can configure background images I can set messages for example when they log on with have some special characters that do things like bold and underlined so I can customize a lot of the experience around that now within my particular tenant I'm going to have accounts so I can think well here if I look at all my users there are accounts that I create in my tenants they would be Cloud accounts so here I could for example look at this is my on premises synced this is no so this was just created directly in the cloud so this is a cloud account other of my accounts were synchronized so this is a hybrid it was created in active directory domain services and then it was synchronized up I also have the concept of guests so a guest is coming from some external instance or other identity provider so here there's an example of a guest that comes from a different ENT tenant but I might also have ones if we look down here well this one came from Google I could have ones coming from Facebook I could have ones coming from some other S I have one here coming from a Microsoft account so the whole point around this and the reason we have this is yes I can have accounts that are native to my organization and either they're hybrid or I create them in there but realize I might also be very commonly in interacting with users from other organizations and I don't want to create them a separate account because that's a horrible experience for them to have to remember a different password and they probably wouldn't they would use the same on so then it's a security risk if I have the same password in lots of places it's painful for me to have to be able to reset their password it's painful for their company that if they leave they have to talk to me to disable their account and so what we have therefore is this idea of external users so if I think of external Now by default they would be guests be my tenant but they don't have to be I could make them a member which impacts certain ways policies are applied for example but I can have external users when it's an external user it has a little kind of stub object that refers to their primary identity but their primary identity still lives out here so that could be hey a different entra ID tenant could be a Microsoft account could be as we saw Google Facebook saml there's other options available I can just do it from a one-time code that I emailed to them which would still prove they owned their mailbox so different things I can do but we're going to end up with all of these accounts in our environment so I have the ability to synchronize accounts that's obviously a big one I can can create them I might get them provisioned from an external system so I talked about hey my active directory is the source of truth but maybe it isn't um my source of truth actually could be some kind of HR System and what there are is there are a number of move move this out my way there are a number of actual provisioning end points that entry provides one is for some spefic specific HR systems one is for apis but my HR System may actually talk to this kind of provisioning endpoint and it then goes and creates the accounts but it's clever enough that even if I'm talking to the entra provisioning endpoint it could actually go and create it an active directory first through these connectors and then it will go and replicate it into entra so it's really nice so I could create them here replicate HR could provision them creates it I can bulk create so if we go back to that portal we saw here the idea that I'm talking about hey users and I can absolutely here create a new user from scratch I could invite an external so busino business but notice there's also this idea of bulk operations I can bulk create bulk invite so bulk invite people from other organizations identity providers if I do the bulk create what it's going to do is give me a CSV template I edit it and then I upload it and it will go ahead and create all of those accounts now obviously I could also write my own scripts there's various things that I can do here but the whole point is there's many ways I can actually go and provision my accounts now I talked about users but we also have groups because if I think about it most of the time I don't want to give a permission so a role or a set of access to different files to individual users or even licenses it gets very cumbersome to manage so what I typically am going to do is I'm going to create groups so I want to create these groups that could have different things could be devices and then I add users into those groups and then I grant the roll the permission the license to the groups and then I'm not worried about oh I forgot to remove something from a user or left a license behind on the user so ideally we want to use groups for a lot of those types of interactions and there's two types of groups so a group could either be if we look down here we have security and Microsoft 365 so security is going to be the most common type that we can actually assign it to roles Microsoft 365 type groups is we're going to use it for collaboration tools uh calendars SharePoint Etc and then well I can either assign membership directly so I specifically pick certain people or certain devices or I can do Dynamic with Dynamic that's one or the other users or devices I just select rules and then it's going to periodically check well who should be in this group based on or maybe if their display name contains something or more likely hey you're in a certain Department you have a certain job title and then I can pick various values and it will then populate those groups if I look to all of my groups for example you can see it shows me is it assigned or is it Dynamic and notice I've got a couple of dynamic ones here so I've got based on the group hire date so maybe I have a group that hey only include people hired within the last 30 days is a good example of that I have one for iOS devices I have one for my Justice League and here if you went and go and look at my definition for this one so look at my properties we can see he it's a security it is dynamic user and I have my Dynamic membership rules and all I'm looking for does the job title match hero wild card so it could be hero or heroine so I've got different things I can use in there and then once we have those groups notice I could assign it licenses I could assign it to Applications I can assign it roles and that's going to be our preferred way to do that type of management now the other thing we have obviously is devices and we're used to the idea that in the past we would always just join our devices to The Domain but one of the thing we're trying to shift to especially for the desktop is well it could be anywhere they could be working from a coffee shop or home I don't want to have to establish always a VPN so they can talk to a domain controller so one of the things that is now very common is we want our devices to interact directly with our ENT tenant and we have two options for this so one is we register now if we register it becomes a known entity and we can do certain management so it will show up I can apply policies I could use inun to manage it for example the other one is we can join it now we think about use register if it's a user's own personal device but they want to talk to corporate applications register would be appropriate for that we still want to do certain validations as the company to make sure it's not being jailbroken it's healthy join would be if it is our corporations device and I want absolute control over it because now in addition to these things so it's all of this and I can actually authenticate with those accounts so at log on screen hey I'll log in directly with my John atav tech.net and so obviously now these machines show up as well as objects in my particular ENT tenant now there are different licenses when I think of entra and I can grant them at a per user level doesn't have to be everyone in the tenant has to have exactly the same license there's different levels of license depending on which functionality I actually want now I'm going to talk about the entra ID licenses But realize many times they are bundled with something else hey I've got Microsoft 365 E5 well I get the P2 license if I've got the E3 hey maybe it's the P1 if we look at the licenses the key Point here is you get different sets of functionality now there's three and I actually get a good amount of functionality with that but then we go up to the P1 and the P2 and there is also now a governance add-on which adds things like life cycle workflow capabilities and that's going to add on over time we can go and see the different pieces so obviously that identity governance also has some new uh types of audit reports so you got entitlement management verified ID life cycle workflows governance dashboard machine learning certifications and access reviews that I was talking about but what you really see here is P1 adds key things like conditional access and that it's a huge deal to this HR driven provisioning hey that's a P1 feature and then P2 adds the Richer features like privilege identity management um the core access reviews um the identity protection features so we can go down and see all the different types of functionality we have see the identity protection different types of self-service hey a lot of that I need P1 for self-service password reset with right back to on premises hybrid identity so there's these different versions and once again I might have different licenses for different people it's not that everyone has to have the same one maybe my more privileged users well they need a P2 because I want privileged identity management I want that stronger identity protection although the identity protection is really useful for everyone but then maybe there's some more basic workers why I just do the P1 license and then some of them I want the lifecycle workflow add-on because they're using those richer life cycle capabilities so I can adjust and again typically we'll assign those to particular groups of users it's not going to be the same for every person and then I talked about self-service password reset as a feature so that's a really nice capabilities people will forget their passwords now ideally you're moving to password less Solutions we want to try and get rid of the password as much as possible but where they do have that for cloud accounts hey we can just reset our password for hybrid again if we have that right back capability that P1 we can reset it and it writes it back down to here and we can pick different options for how that password right back will work if we go once again and look at our users and then in here if we where's it gone all my users password reset down here I can configure exactly what options I want to do so who is enabled for password reset and then the Authentication methods hey is it just one of these types of things and I can include custom questions or hey I want you to go through two of these to be able to go and reset your password so this saves the help desk being pinged every time someone forgets their particular password they can just automatically retrieve it themselves provided they've set up that self-served password reset which you'll prompt them when they first join the organization and log on for the first time now while I'm in here here we talked about roles there are a number of key roles as part of this the big one is global administrator so Global administrator you really want to restrict who has this because it is the most privileged role but there were many others so I could pick certain delegated sets of permissions I need for particular roles and that it is calling out hey these are privileged so this would give you an indication of hey I want to be careful of who I'm actually giving this to now I mentioned the idea that entry is flat but then I also mentioned administrative units so here we have administrative units and what this lets us do is create these units I can then put in users I can put in groups I can put in devices and then at the particular administrative unit level I can can grant roles so hey for this particular group of users I could then Grant someone a particular role so I can actually go through and hey I want to pick one of these roles and Grant it but it would only apply to the objects in that particular administrative unit it wouldn't apply just in general so this is the way that I can be more granular in who has permission over which particular users or groups or devices and a key part to hear and it makes a lot of sense if you really think about it if I add a group to an administrative unit I do not give permission for a role set of that admin unit for the users in the group I would have to specifically add the users into the administrative unit as well because otherwise imagine I had privileges over an administrative unit and really they just wanted me to do group management but if it also extended to the people in the group well I could add people in the group to then get permissions over the users you probably don't want that so I would have to explicitly add the users into the admin unit in addition to the group if I wanted people to be able to manage the users as well so that's really a safety feature there okay so moving on from the identity and obviously idenity is key we always think of idenity as that First Security parameter in the cloud now let's actually start talking about the cloud now one of the first Concepts you'll see when you use this is well there are actually a number of different clouds we always think about aure but that Azure commercial is one of the clouds if I was to jump over to my vs code just super quickly and what I'm running here is this idea of so using Powershell and the Powershell module get a environment so the different clouds are also known as environments notice it showing me three clouds the Azure commercial Cloud the Asia us gov cloud and then Asia China now there are others there are other more secret instances for government agencies so they're not publishing the different URLs but notice a key Point here is each of those environments has a different URL for the control plane interaction and for talking to entra so talking to what was the Azure ad so when I think about these different clouds these different clouds well they have their own entra sets of tenant I can't use the same tenant between Azure commercial and Azure gov or China they're different instances and they have their own regions and so when I deploy something I deploy it into a region so let's draw a particular idea here of a region this is region one now within this region there's going to be a whole set of different data centers and very commonly what happens is and we're going to talk a lot more about this they get divided up into this idea of availability zones az1 az2 az3 once again we're going to talk about this but think of it different sets of data centers and when I deploy a resource very commonly I get this choice of do I want it Zone redundant so I can say hey Zone redundant and what that means is it spans the availability zones my other option very commonly is I can make it zonal if it's zonal it exists within a specific availability Zone and so that's when we think about resiliency within a particular region and we always want to make sure we don't have dependencies on things outside of the region outside of our availability Zone and there are a huge number of these regions so for example if I jump over for a second this is a nice little pretty map of azure let's just look at the flat Maps maybe a little bit easier and I could pick notice the different types of regions we have but if I drill down so it's I can see West Us West us 3 West us 2 West Central Canada Central so there's regions all around the world all of these little blue dots it's even giv me information about sustainability and other cool stuff there's huge numbers of regions and when I talked about those availability zones I can see which ones have availability zones through here now the goal I think is eventually all of the regions will have availability zones and it's always going to be three a subscription only ever exposes three availability zones the physical location may have more sets than that but you are always going to see three when you look at your particular subscription for a particular region now realize things can happen there can be natural disasters so what we want to do is we should always be using at least two regions so if I think about hey there's another region over here we call this region two and we want to pick them such that this distance is huge so I want to think about hey I want hundreds of miles maybe 100 it's going to very obviously depending on where you're using how big the land mass is to be able to spread them apart but we want the a large distance if there was some natural disaster or problem here it wouldn't impact this as one and aure actually pair their regions now the pairing is being deemphasized for many things so you get more Choice like a lot of the databases you pick how you want to replicate um even storage accounts now I have a certain amount I can do object level replications but if you think about roll outs deploying through Azure they go to their internal systems they go to their um Early Access the canary regions they go to a pilot region broader regions and then the first one in a pair and then the second one so we're using paired regions you make sure as Microsoft rolls out its safe deployment practice well if I have things imp paired regions they won't get the same change at the same time and those pairings are detailed in the documentation and they're always going to try and stay in the same geopolitical boundary so we can see well Australia sticks to Australia Brazil is the one exception because Brazil South replicates to South Central Us South Central us does not replicate to Brazil this was because originally Brazil only had one region so it had to replicate outside of it but for everything else they always stay in that same geopolitical boundary and we can see that through this map no it's the gov clouds they stick to other gov regions and we can go and see that detail exactly what those pairings are again you do not have to stick to those pairings only you do have choices but for things like the safe deployment practice that absolutely does roll out using those pairings so if I don't use the pairings well then hey there is a chance that the same change applies at the same time now they still try and roll it out AZ by a but there's a certain risk you are taking there so we pick our regions typically based on where we want to consume the services from like that's the whole point I have all this choice I can get instances of my service close to where I'm consuming it so I get the lower latency and again think about those maybe data sovereignty requirements of that but what we actually deploy into is a subscription so if we come back over here for a second so I've got my tenant and my tenant's there for a very valid reason remember our subscription is going to trust a very specific tenant but I think okay well I'm going to go ahead and I'm going to have a subscription so let's say I have my subscription one and this is where I'm going to go and in deploy my different resources this can help me organize my resources it's a boundary for some resources like virtual networks and I can actually create a hierarchy because I'm going to want to do other things I'm going to have governance requirements I'm going to maybe want to track budget I'm going to want to assign roles and very often I may want to do that at a higher level that encompasses lots of different subscriptions and so what we do is we have this Management Group structure now our Management Group structure actually starts at our particular tenant so HED to our tenant we also have a Root Management Group now under that Root Management Group I can go and create my own hierarchy of management groups it could be based on geography it could be based on business unit it could be based on prod and nonpr where am I going to want different policies where am I going to want um different roles assigned where might I want to track budget at different levels so I can go and create these different structures based on what makes for sense for me and then ultimately subscriptions will tie in at a certain level of that and we can see these so if we go and jump over now I'll go and look in the Azure portal I can see my management groups and we see we have our tenant root group now under that I have one subscription tied to it directly then I have a child manag group called all Sav Tech subscriptions if I open that up well I've got two subscriptions under that management group but then I have two further child management groups and at these Management Group levels if I was just to pick one notice we have access control notice we have policy and notice we have budgets so these are really the core three things that I want to use those management groups for so if I think about what might I be doing that I need to do well very commonly what I'm going to want to be doing is sure Grant roles at certain levels so I may want to apply role-based access control I might have governance requirements to say hey you can't use this type of resource you must have this agent installed you cannot use these regions so that's governance that I want to set guard rails in place well that's Azure policy and then I also may have Financial requirements so I have budgets well I can set these as well and when I set any of these they're inherited so if I was to set a role or policy or a budget at this level it would apply to every child thing underneath then likewise I can set all of these at a subscription level I could set a rooll I could set policy I could set a budget and we think about will'll be more generalized the higher up we are it applies to more things as we get closer and closer to resources we can get more specific with our particular requirements now when you're planing around with this you can get free trial accounts there's a lot of services that are always free in your company they may have an Enterprise agreement and you could maybe go and get a subscription there for non produce but if you're starting out if you're playing around you can absolutely go and get a free trial now a huge point of the cloud is it is consumption based you pay for what you are using and so you always want to be really careful that you don't leave things running you're not using you try and optimize to pick the right type of skew for exactly what you want to do but you can go and see this stuff so if I was to go and look notice I have for example cost analysis but I'm just going to go and pick a certain subscription and I have my cost analysis in here in the main menu you also have this cost management and billing so that's the primary place you can go but notice in my cost analysis it shows me well what I've spent and then it's showing me the idea of a forecast now this is accumulated cost but I could also do for example cost by resource daily cost cost by service instead of an invoice I could just pick this month it's showing me my budget line again it's showing me my forecast So based on my current spending this is what it thinks so it's showing me my forecast I'm going to end up spending I can get detail based on the type of service the location the resource Group and there are smart views if I was look at my resources smart views will actually look at what I'm doing and it would detect things like hey this particular Resource Group is 24% of your cost there are other insights it would detect hey 15% of my cost am I got any anomalies based on how I normally spend money there's something a bit off around this so I have a lot of flexibility in my cost analysis I can go and add additional tabs to look at resource groups I could look at my daily costs which will then show it by the different resources so I just have a lot of control over here when I do think about optimizing my cost realize Azure ad ADV visor is also your friend here there could be recommendations about cost I don't have any but there are a huge number of different areas it would recommend stopping resources right sizing lots of different aspects to this but it would also recommend about reliability and performance and operational excellence security so you want to go and review this at least weekly but one of the other things I can do on that budget budget side if we jump back over is well I can go ahead and set up budgets so a budget is going to enable me to set a certain amount of financial unit say dollars so I can set that amount and then what I can do is once I go ahead and configure that now I've done one already I can then go and set alerts so alerts can be based on the amount I've actually spent so hey if you hit 80% go and call a certain Action Group which we're going to talk about later on but it could be an SMS message caller web hook caller function lots of different things or it could be based on forecasted So based on the current trend of the rate of spend if it looks like I'm going to pass 120% of my budget hey I want you to go and do this and I can add ADD alert recipients as well so budgets are super useful to be able to not just track my spend because I can track as well notice it's showing me based on a particular budget how much I've spent so far and what do I forecast to spend but I can also set thresholds to do things at certain amounts of that so that's a really useful capability both so to get insight and to raise awareness by kind of pinging me to say hey uh do you mean to be spending this much money now when I create a resource while it does live in a subscription there is another level that we actually deploy into So within a subscription what we actually do is we create one or more resource groups so I can think about hey within this subscription maybe I've Crea Resource Group one I would have other resource groups as well now you cannot Nest them might have Resource Group Two might have Resource Group three Etc and once again all of these different things well I can apply arbac and policy and budget here as well which makes sense because I may want to be even more granular with very specific policies or particular roles to now only a subset of the resources and that's what I create in here now I'll actually go ahead and create my resources so maybe it's a virtual machine maybe it's a storage account maybe it's a load balancer whatever that might be I go ahead and create my resources within a certain Resource Group and the way I want to use them is think of using a resource Group for resources that will get provision together that will run together that ultimately will get decommissioned together I deleted together so those resources together provide a certain set of functionality maybe it's a certain business application so yeah it's got a bunch of VMS or a kubernetes environment and a low balancer maybe a database they form a unit and the reason we want to put them in the same Resource Group is yes for tracking the resources but also most likely they're going to want a common set of role based access control I may want to apply a certain common set of policy may want to track the spend of that particular application so hey let's put it in a resource group together so that is a very logical thing we want to do now I guess while I'm talking about spend I showed budgets and budgets are great to control the cost of the Azure resources and we try and optimize by picking the right size of resources stopping them when they're not running but there are also some Financial things that are purely about how much we build so if I think for a pure money perspective I'm going to use dollars could be gold bars what whatever uh your company being build in there were different aspects to certain types of resource and the money I pay for example with a virtual machine if I think of a virtual machine yes I pay money for the compute resource the virtual machine object itself But realize that VM also runs an operating system so if that's Windows Server if that's red hat Enterprise Linux well that cost me money as well and maybe I'm running software inside it that cost me money so for example if I'm running Windows and then maybe I'm running SQL Server they all have cost elements to it so one of the first things we can do is we have something called Azure hybrid benefit and the idea of this is it's basically applying to licenses so if I have existing Windows Server licenses could be standard or data center if I have for example software Assurance on those I can bring and use them in the cloud now if it's standard I have to move it to the cloud if it's data center I can use it in both at the same time but I could do it for SQL Server I could do it for Red Hat Enterprise Linux so this would apply and remove the Azure consumption cost of this part so that would save me money I also have the option of something called Azure reservations and this is very specific so this would be for a very specific service in a very specific region so I have to be super specific but it will save me money for that very specific service for that very specific location and then we have something called Azure savings plan now Azure savings plan is very flexible but it's only for included compute services so a bunch of virtual machine types most of them um I can do things like as a dedicated host I think it's the premium V2 or V3 app service plans there's different things it applies to and for both of these typically it's a one or threeyear term so I'm committing to say hey either I'm going to use this type of storage in this region for 3 years and you get a discount or this is just I'm going to spend $20 per hour for the next one year or three years and I get a big discount and we can see this in the pricing calculator so let's quickly over here do I have one open yes we got virtual machines perfect so if this was Windows notice it shows me the different breakdown for the license cost and the compute cost so if I was to bring Azure hybrid benefit the license cost part has gone away if this was a squal VM notice now there's two bits of Licensing cost maybe I've only got Azure hybrid benefit for the OS or maybe I have it for SQL as well those parts all go away and I'm only paying the compute charge and then for the compute charge well reserved instance we get a discount based on if it's one or three years so say threee and I can pay it monthly or I can pay it up front or I do a savings plan now notice the Savings Plan discount on this skew is a lot less if I picked a better newer skew so let's try V5 um no it's now the Savings Plan discount is better so the Savings Plan discount varies by skew and type of service and the way the Savings Plan would apply is every hour it's a billing mechanism it wakes up and it will try and apply the best discount it can first to whichever resource is running and then so kind of go down but I can only have one or the other it savings plan or it's reserved instance on a particular resource but if I looked at let say a storage account so a storage account I can do reserved instance but there's no concept of savings plan a savings plan only applies to those particular included compute services so these are pure Financial options these are not about shrinking a VM or anything around that stopping it's hey I've got stuff running how can I financially try and reduce my bill now leading on and it does tie into the cost is very often great we're organizing things into nice hierarchies and subscriptions and resource groups but we may need to know additional data about a certain resource or subscription or Resource Group we may want to be able to filter Down based on certain metadata so key value pairs of resources maybe we even use it for billing purposes so one of the other things we can do is we can apply tags now I can set tags at subscription levels I can set it at a resource Group I can set them on resources directly and I can even do RB back on resources directly we don't like to it's too messy but tags are just key value pairs it's normally 50 tags per resource or Resource Group but they are not inherited so that's an important point if I set a tag at the subscription it does not get applied also to the resource groups and the resources if I set a tag at the resource Group it does not get inherited by the resources as well now I could do things with Azure policy to copy them so here in my Dev subscription I have tags I could add tags to it so I've got environment Dev I could look at resource groups and if I pick a resource Group Well I can apply tags if I was to look at a certain resource I can apply tags again it's just key value pairs notice this one hey I want to be able to know who the owner is that's really useful for tracking I've got something useful for me just to track what OS version it is hey the environment the cost center the business unit all things that might be useful for me to later on if I was just for example browsing my resources well notice I could add a filter and I might use for example the certain tag down here that hey only show things where the cost center is demo group one or something so I can use it to filter My Views I could use it for billing purposes as well it's a really useful capability but they do not get inherited now if I Ed a a policy and we're jumping ahead a bit here but I just wanted to point it out and if I look in my categories and just search for tag one of the things you will see here are things like hey inherit it from the resource Group if I'm missing I can inherit from the resource Group anyway I can inherit from the subscription so there are various things we can do to force resources to take from the parent but it's not the default Behavior by default I have to have it set on the particular sub or Resource Group or resource but if I needed to hey I can modify those things speaking of azure policy then the whole point of policy is in ye old days if I wanted to create a resource I would go to the operations team and say hey I need this resource they would maybe check a bunch of standards for the company and if we met them it would approve it in the cloud I just go and selfs serve I go and create it myself there is no person in the middle of that interaction and so a your policy lets us set those guard rails to configure our requirements but I can also go and then track compliance for those various policies so if we jump back over again and we look at policy well you can see straight away on the overview I'm tracking my compliance for the policies I do have I can see what they are and I can see how compliant am I for the ones I've configured and then we have definitions so these are all the definitions and they are builtin I can create my own and then we'll see there are initiatives and there are policies so a policy is a specific condition I'm looking at and then a particular effect I want to apply so for example if I was to look at my ones I have a policy so allowed locations for example well all this is doing if we look at the definition is it get past a parameter of which locations is allowed and then my rule says Hey the field location on what I'm trying to create if it's not in the list that I've set of allowed or it's not Global then I'm going to have a certain effect and in this case my effect is to deny now I could also just do audit just tell me so I can track compliance and there's a whole bunch of these different effects so deny would actually stop it happening but I also might want to just audit and generally if we're starting off with a new policy we'll start in audit so we can understand the effect it's going going to have if we just starting deny straight away maybe we've misunderstood we're going to have a really negative effect on people so typically yes we're going to start off in the audit mode understand what we're doing and then we can do deny but there's other ones as well so there's things like hey deploy if not exists so maybe it's an agent I want and if the agent isn't there well then what I would actually do is run a template to go and install that agent so they're really powerful capabilities but that's one policy at a time very often the result I want to do might be based on a huge number of different policies so then we can have initiatives so an initiative is just a set of policies so here we can see one Azure creates and it uses it for its Defender for cloud and it's a huge number of different policies again if we look at definitions we can see these are all initiatives and we can see for example this one has 665 different policies in it and the benefit here is twofold so think about this for a second by having that initiative which is a whole set of policies one try and imagine assigning 665 policies it would take forever more an initiative I just can assign it collectively but also to track compliance rather than looking at the compliance of 665 different things things I look at the compliance of the initiative which would show me the overall hey how compliant am I to that so that's a really useful thing and yes I can track the compliance and I can set it at Management Group levels subscription and of course resource groups as well now there's a Microsoft cloud security Benchmark which is free for the other initiatives and the Regulatory Compliance I need the paid plan and then that gives me a whole set of additional Regulatory Compliance options so I would need the paid plan to be able to use things like that fed ramp um Hippa there's a whole set ISO ones there's a lot of them there but I would need the PID plan the next thing is this role-based access control so we talked about again assigning permissions at a certain scope and really Azure is made up of resource providers and resources and there are actions apply to the different types of resource well I may not want almost never will want to give someone or I did a group we assign roles to groups and put users in the group so they don't get left behind I don't want someone to have that permission on everything now maybe it's my network team and yes they need permission on Virtual networks of the entire structure so I could give them the role at a fairly High Management Group level but if I'm a subscription user then my role might own only be at the subscription level or maybe I'm working on only a particular component or service well my role should be a particular Resource Group and we always think least privilege I give them the smallest set of permissions required at the smallest possible scope so they can get the job done we don't give people extra we'll hear things about privileged identity management where it's just in time they can have maybe higher roles but they don't get it all of the time they have to go and Elevate up and then they get the role for that finite amount of time and the way we think about role-based access control is well if I have all of these different possible Scopes the way role based access control is going to work is I think about well there's a certain role which remember a role is a set of actions from the different resource providers there's a certain identity a user or group or service principle for a particular application and what role based access control is doing is this identity and this role is given at a certain scope which again could be a Management Group a sub Resource Group or even individual resource and that is a role assignment but always always always whenever you're doing this always think least privilege so at all times the minimum amount of permissions at the smallest possible scope so if I was to go and look at a resource Group I'll just pick anyone it doesn't matter I can look at access control it will have a huge number of possible roles because it's a resource Group a resource Group can contain any type of resource so every possible role will be shown If instead I looked at a certain type of object so if I looked at here container registry and looked at access control the roles available will be a lot less because it's a certain type of object if I look to a storage account its Access Control will be less because hey it's only going to have roles that apply to a storage account it's doing something with the storage resource provider but if I was to look at a certain role let's view this one it shows me the exact permissions it has so this is very small I have read and write to The Container registry now there are some that are way more powerful owner is the ultimate this can access any type perform any action change permissions on it for whatever scope it's set at contributor can do all of those things except change the permissions reader can read everything but can't change anything so those are some core ones and again you want to be really careful but if we look to owner for example notice it's taken a while because it can do everything it has 16,000 permissions because it can do anything so just realize hey be careful of those things you don't want to give more than you need to and I can absolutely create custom roles so if I was to add um actually not there can't do the storage count let's go upper level so I can add a custom roll now I could also do this at a subscription or Management Group level now I I could base this on an existing role so I could clone an existing role and then I could add and remove different roles and actions from it so these are the permissions it has but I could go and add a particular permission I could exclude so maybe it's a broader permission I'm giving it like a wild card and then I want to remove a particular one maybe right or delete I wanted to remove and I can say well where can I assign this to what scope is valid to apply this to and then I could go and give this custom roll so this is all about the idea of how can I give that least privilege maybe the built-in roles are too broad I don't want to do that so I'll create a custom role with just the specific actions it needs to be able to do its job and again this is inherited so if I was to set this role assignment at Management Group one anything under it would have that role assigned and you'll see this all the time so if I was to look let's say at a just pick a storage account doesn't really matter which one but this one I use a lot if I look at my rooll assignments it will tell me so this permission for example of owner this was inherited from a Management Group whereas this permission for contributor was inherited from its subscription and if I keep looking down so Management Group subscription and then some of them were set on this resource directly so here I can see well blob data owner this was actually directly on this resource so that's one I configured there I've got one based on a managed identity for a virtual machine hey that was set on this particular resource so they get inherited but I can be super granular where I need to be now I should point out all of these roles I'm talking about are different from the entra roles so entra has its own roles that apply for the tenant types of permissions now some of these can impact our Azure subscription specifically there's this idea of a um there's a user access control that I can do so if I'm an administrator I can boost myself up then any subscription that trusts it I then get that particular permission I don't know if that's showing on here but I do have that capability so right you see this user access administrator from the route because I've enabled that user access administrator permission for myself so I can now even if I wasn't granted anything at a subscription level if I'm a global admin at the tenant that the subscription trusts hey I can give myself that permission and and do the things I need to do now another thing we might have is we think of roles as permissions I can have we can also lock resources now I can apply a lock at different levels so I can apply locks when I think about yes subscription level Resource Group level and even resource level and there's two types of lock I can say cannot delete which would make sense it means you can't delete it or there's read only so cannot delete means I could change it I just can't delete it read only means I can't even write or modify it as well but a huge Point here is a lock only applies to the control plane of azure because realize then underneath that you have the data plane so if I was a database well hey I create the database I size the database that's control plane you're talking to the Azure control plane to do those things but then to write a record to a table if it's a storage account to create a blob or the Le a blob that's talking to the data plane that's not talking to the control plane so when iuse resource locks I'm stopping doing something at the control plane so I can't modify the Azure resource but I can still do things create write delete at the data plane so I could write a record in a database I could change a blob I could create an image in a something so realize when I lock things yes I'm doing the lock and I'm restricting at the control plane and of course they get inherited down but if we look at my locks for example I've got a backup protection lock so the lock type is delete so I can't delete it but I can still delete things in the storage account it's just saying hey you can't delete the storage account but I can still absolutely go in within and delete blops so it's only impacting uh the control plane so just a useful thing to know and understand okay so now let's shift gears and let's talk about networking now one of the key things to bear in mind when I think of networking is generally in Asia we don't pay for Ingress so data coming into Asia from outside but we do pay for egress so data leaving our Azure set of data centers so that's just a core point that carries on for everything now if you're already into the deep networking you should probably watch my A700 study Crown because I go into a lot more networking detail here but let's talk about the fundamentals of the networking and I guess the most basic building block would be a virtual Network so I can think about a virtual Network draw it quite big so put some other stuff in here so we have the idea of our v-net now interestingly enough a virtual Network lives within a particular subscription so you can kind of think almost like a boundary here and a particular region so it lives within a sub and region that's its boundary it cannot span regions it cannot span subscriptions so this is the span of my particular virtual Network subn region now for my virtual Network we call this vet one it's defined as one or more ipv4 side ranges so very common we think the RFC 1918 the 10/8 the 17262 the 1921 16816 it doesn't have to be so I could bring my own private IP space or public that I've paid for outside of those But realize they won't be able to talk to the internet directly you still have to have some other mechanism to communicate to actually be able to communicate to them from the internet they're not just going to work and be internet routable and then optionally I can have IPv6 and if I have an IPv6 I also have to have at least one ipv 4 ip6 subnet as well and to that point I'm going to break my vnet down into subnets so I might think about um subnet one 2 3 4 which will be a subset of the IP spaces available in the virtual Network make sure you pick unique IP spaces because I may want to connect networks together to my on premises to other virtual networks if you use the same IP range well they won't be a to Route you'd have to have some kind of network address translation to facilitate that communication so that would add a complexity to it also note these subnets I talked about availability zones this is regional so even if I'm using availability zones I could have this one subnet could span a one two and three and and it just does this is a regional resource there's no restriction that oh subnet lives within a particular a it doesn't I can have resources connected to all of the different things in all different azs within that region now each of these subnets I will lose five IP addresses so no matter what the size is I'm always going to lose five so I'm always losing five because the0 is the network address which is just standard networking in the same way the last one the 255 now I'm assuming I'm doing a slash 24 here but whatever the last and whatever the first is the last one is the broadcast so I lose that that's just standard again I can't give that to a resource the the one after that the dot one in this case will be the Gateway the Azure Gateway resource and then the dot two and Dot three these are used for DNS purposes so we're always going to lose five from any subnet we create so just when I think of sizing realize hey there's a certain amount we always lose and again these are private IP spaces so if I create a resource in here and again the resource doesn't actually live in the subnet the resource is somewhere else and it has a virtual Nick and that virtual Nick is attached to a certain Subnet in a particular v-net but what this is going to get is a private IP allocated from the IP range of the subnet now it's using DHCP but it so you can't run your own DHCP server in here the Azure fabric will allocate an IP address now one of the things I can do is if I needed it to always be the same IP address you can do from the Azure fabric I can say hey this resource should always be given this IP addresses but this is a private IP space this is not accessible from the public internet I would have to do something to enable it to be communicated to from the internet now one option and this is ugly and we would we wouldn't want to do this but let's just draw them out one option is hey I can create a public IP and what I can do is I can associate it with the network configuration of the resource and a public IP if we just go and look at public IPS we can create a prefix with a contiguous block if I create a new one we always want to use standard today um it still gives me the option but we want to use the standard I think they may even have a warning that basic's going away at a certain point but we want to use a standard skew with standard it will always be static it won't change if I stop using it if I do basic it can be dynamic but again oh there we go it's telling us 30th September 2025 basic public IP will be retired so I wouldn't be using it you want to move away from that so you want to be using standard and it can be ipv4 IPv6 and it can be Regional or Global so Global can be used for Global anycast Services to utilize and then hey I can now just leverage this for one of my resources so I have to go and create a public IP now you also saw it had the idea of for what up here was prefixes so I could get a contiuous block of IP addresses now recently they have changed that you can bring your own IP addresses that is a whole set of processes that has to go into that and I'll talk a bit more about that but you can bring your own prefix to Azure now it has to be I think uh between a sl21 and a sl24 if it's IPv6 it has to be a slash 48 so that's your range that you use and own you want to leverage that in aure there's a set of processes you have to validate prove you own it you have to provision it you have to make it available and assign it to a resource then you have to commission it so it's advertised out to the internet there's a whole set of process is but technically yes now you could bring your own public IP range to Azure but most people will not I said this is yucky because when I assign it directly to a resource very often if we're talking about things in the internet we want to make it highly available so I'd probably want instead of this I'd want to use a standard low balancer and then people talk to the standard low balancer which has a backend set to make that service resilient I could use a KN Gateway so the whole point of KN Gateway is with KN Gateway is very efficient with my PS for the snat because I have to do Network address translation from the source and I can associate that with a subnet level and then I can get external egress to the internet through that I could route VI Azure firewall I could have yeah right the external standard low balancer could give me egress out as well if I add outbound rules but the default implicit internet access that is there today but is going going away is going away so if I want resources to be able to talk to the internet going forwards I have to do something explicit I have to give them a public IP I have to associate a KN gateway to its subnet I have to have a network virtual Appliance or Azure firewall with user Define routes to tell it to use that for egress or if it's behind a standard low balancer I have to have outbound rules so I have different options to do it but that implicit just default where Azure takes care that is going away I have to do some explicit access to that um as I mentioned this is DHCP but I can spec specify specific resources if I need to to always get the same IP as part of the configuration of the resource now as I talked about this virtual network is bound to a particular region and it's bound to a particular subscription well what about if I'm using another region what about if I have other subscriptions I don't want if they're using each other's resources to have to go and talk via some public endpoint so what happens if hey I've got another virtual network over here so I got vet 2 and maybe I've also got a v-net 3 and I want the resources to be able to communicate using these private IP addresses well what I can do is I can peer them and this can be within the region this can be inter region so I could add peerings here now imagine this was our Hub so imagine for example this virtual Network had our Gateway now this Gateway could be for a sight to site VPN to connect on parametes could be express route we're going to talk about these and these are spokes and these spokes want to be able to use the Gateway the connectivity and be told about the routes that this knows what I can say is on this end of the peering relationship I can say allow Gateway Transit and on this end I'll tell it to use remote Gateway and what that will do is when I have those things this will now be allowed to Route traffic to these from its gateways and it will also using bgp borderless Gateway protocol the routes it knows about through the IP space that the Gateway talks to it will tell this v-net so the vnet knows oh if I want to get to whatever other IP spaces on the other end of this Gateway I'll send it across this link and if we look they did change the terminology so it doesn't actually say Gateway Transit anymore they changed the term but it is the same thing behind the scenes if we look at my peerings so I can see I've got two connected and if I look at it it would be this allow Gateway in the hub to Ford 2 so that's allow Gateway Transit and then on the spoke I would do this one allow to use the remote Gateway so that's obviously the wrong way around so I would actually go to the spoke Network it's peerings it has a peering to the hub and so I would enable the spoke to use use the hub's remote Gateway so those two things together we now El it to use the hub's actual connectivity now one really important point when I think about these relationships these peerings so I've got these Spokes and these spokes are talking to the hub it's not transitive these can't talk I would have to go and add specifically peerings between bnet 2 and vnet 3 or what I could do is if I had something um like Azure firewall so let's say for example I put Azure firewall or it could be some other network virtual Appliance I could tell v-net 2 hey if you want to get to the IP space of v-net 3 send it to the Azure firewall and then it could go and send it so I could enable them to be transitive if I actually went and use something like as a firewall or an other NBAA and told it hey from your IP routing so i' have to have userdefined routes so i' have a UDR hey to get to here your next hop would be over here so the whole point is it would be lots of user defined routes to say hey go here and then it could go and forward it back when I think of that connectivity yes I can manually go and create the peers manage the peers and try and view the topology of the peers but there is actually another solution so what we have is something called aure virtual network manager and it does a number of things what I'm going to focus on here in this instance is configuration and what I can do is I can create network groups so I create these Network groups and this could be static or Dynamic so I could manually put virtual networks into a group or I could create rules with Dynamic that based on certain criteria they get added into this network group a v-neck can be part of multiple groups and then what I can do is I can define a configuration of connectivity and that configuration could be the Hub and spoke I okay there's my main v-net with the Gateway and then I have a bunch of spokes hanging off of it or I could say I want mesh and obviously in a mesh everything just talks to everything and it doesn't use traditional peerings it does this other clever stuff and I've got a whole video on a virtual network manager so go and check that if you want to learn more but it's doing its own thing and then within that region it just gives an any to any connectivity so that's one part of its functionality and it has a great ability to view them I'm now centrally manage them this this is really powerful compared to trying to manually create all the peerings now the other thing it does is I can create this idea that's a bit more space of security admin rules and now think about you've got just the traffic coming in now this is going to apply before any local virtual network uh subnet level or Nick level rules and what I can say is sure I can set it to allow so if I say allow this type of traffic it's going to flow through to the Network level things I can do I.E it will apply the next thing which is network security groups which we're about to talk about but I can also say always allow this bypasses the NSG and goes straight to the Target so even if a local NSG tried to block the traffic it couldn't think of this as a funnel that goes through here first and then allow would then hit the NSG always allow says I don't care what the NSG wants I'm going to let the traffic through now that would be really useful consider I had maybe domain controller connectivity maybe I had certain resources that we had to use for maintenance patching I don't want to risk some local admin or owner who doesn't 100% understand the implications of rules they might create I don't want them to be a to block it I always want to let that through so I can do that with this and of course I can also do deny if I say deny it just kills it it won't even ever get to the NSG so this Azure virtual network manager and these security admin rules are really nice for that set of capability now speaking of network security groups so I drew this idea of oh okay well it it goes to the NSG so let's talk a little bit about these nsgs so an NSG is fundamentally a set of rules now these rules are based on a number of different attributes but I have a priority for the rule I have a name for the rule I have a source I have a destination and we have ports and we have an action allow deny now these source and destinations are interesting because we'd obviously think I can do these based on IP addresses so yes I can do it based on IP but maybe I want to control access to Azure Services now Azure Services have a huge range of IP addresses they can change maybe I want to access any Azure service maybe only those in a certain region that would be impossible for me to try and maintain all of the IP addresses that are the public endpoints that that service could be available via and so we also have this concept of a service tag now they won't always be available for source and destination it depends which direction this rule is applying to I also have the ability to have application security groups and really this is just a tag that we put on the Nick let's let's look at one of these so if we jump over so let's just look at Network Security Group and we'll just create a new one so we would pick a re Resource Group now it has to be in the region of the v-net I want to create it in so that's an important point the region has to match where I'm going to use it from and then once we create one let's just go and pick a really basic one you can see we have inbound rules and we have outbound rules now you'll notice it has these very low priority the lower the number i1 is the smallest number is the highest priority so one is best 65,500 is basically the worst so it has default rules for outbound and inbound so the default rules is basically saying look anything from the virtual Network and talk to anything in the virtual Network anything going out to the internet is allowed anything else is denied for the inbound rules I've added one so you can see it's got a lower priority I did it for Port 80 so TCP Port 80 inbound into the virtual Network I'm actually blocking but virtual Network to the virtual Network I'm allowing the Azure low balancer I'm allowing anything else is denied and you can hide those default rules to just see the ones you have created if I go and add a rule so notice I could do an IP address I could do a service tag or an application Security Group so if I pick service tag it has ones for internet so internet is any IP space that isn't the known virtual Network now the known virtual Network could be the virtual networks but also anything it's peered to any known space it has that's considered virtual Network and then you can see there's as a load balancer it has to be able to talk probe Etc then hey there's lots for API management per region or global app service Global and then ones per region so I can be super specific about what I want to allow so that's the source and then the destination hey where is that going to service tag or sets of IP addresses could be IPS or side ranges I can do a custom service so I can pick the P I can pick the protocol and I can allow or deny then I set the priority and the name now the whole idea of this application Security Group it's just a tag and it's just a value that I configure on a network interface so I could think about if we just search for them application security groups so I created a few and and again you'll only see the ones in the same region as the NSG and all I would do here is my virtual machine look at it network settings but here you can see my application security groups and if I hit configure I can just add one of the available application security groups that is in my region to it and the benefit here if you think about it is what we're going to do is these network security groups we create we are going to associate so I'm going to say hey this NSG here well I'm going to associate it to that subnet so we do this Association and they all if they were just based on IP addresses it means hey everything of a certain type maybe it's a secet database I want to create a rule for or web front ends I'd have to have very particular sets of Ip spaces or it gets really messy if I use the application Security Group I could just tag the network configuration of all my SQL databases as your SQL database all my webfront ends as webfront ends and then my rules can just say hey webfront ends are allowed to talk on Port 1433 to SQL databases and I'm done so now I'm not worried about well which IP address are they actually using it makes it more flexible for me to actually be able to use so that's why the application security groups are there um it's a really useful capability and if I'm ever curious about what rules a resource is seeing if we were to go and look for example at my um virtual machine for a second so here I can see the inbound Port rules that are applying to it right here but if I look at my Network can see my IP addresses and notice what I've have down here is effective routes so these are the routes that my Nick is getting from hey the virtual Network it belongs to so this is where hey if I'm peered I would know about my peered if I had user defined routes that said go go and talk to this aure firewall but you can see all of the different ones I have that are impacting this particular Nick now I did mention Azure Fireball so Azure Fireball is a first party Microsoft network virtual Appliance and what I can do with Azure firewall is Define rules so I can think about having rules this could be for inbound and outbound so it can perform outbound snat but it can also perform inbound so it can do dnat I can do rules at layer four so TCP UDP so I can have Network layer rules so layer four and I can do application Level rules so layer seven now the exact features vary by skew so if we go and look at the different SKS that are available we see there are quite a few now so we have this idea of basic standard and premium and as you can see like basic has pretty low performance whereas standard could go up to 30 gbits per second premium up to 100 but then from a feature perspective so standard and premium can do filtering based on categories it can act as a DNS proxy and then if you go to the premium it also can do inbound and outbound TLS termination it it's a fully managed intrusion detection prevention system it can do URL filtering so it can do SSL termination to then go and look at the actual path that is part of the URL so there's different sets of functionalities based on the exact functionality you require and what I would do is once I've created my instance well then we have to userdefined routes to send traffic to it from different places on our Network so that's the goal of what we're doing there the next thing I wanted to talk about was actually Azure DNS so we as humans are terrible with IP addresses we can't remember IP addresses and so we need DNS to have a friendly name for a particular resource that we can go and leverage and aure DNS has both public and private DNS capabilities so if I think about another color so aure DNS so from a public perspective so a public Zone would be hey on the internet we're going to go and look at these different types of record and I can create particular types of Records like host records and C Name Records I think there MX records but I can also do something called an alias very often we'll create a record that actually points to an Azure resource and imagine we used this uh an alias or C name referencing the service and then we deleted that service but we'd still have this pointing now to a resource that doesn't exist this is called dangling DNS and a bad guy could notice we have this dangling DNS and go and create a service with that name so now a record in our public trusted zone is pointing to a bad guy's service so what Alias does is you actually tell it to create the record but point to an Azure resource and so if I then went and deleted I mean entra no let's go over to Azure so if I was in DNS my DNS owns and I went and created a new record so I can create a record set and it could just be again all these different types of record are available to us but what I could also do is I could say yes is an alias record set now it will limit the types of record I can create like I don't think I could write MX I can't do Alias but I can absolutely do this and I'm going to point to a specific resource and so the point now is if I deleted that resource that this record pointed to then that record will become an empty set so a bad guy can't go and try and hijack that from me anymore it would be unusable to them so that's a really useful thing now there is azure traffic manager as well remember which creates public DNS records but normally I wouldn't point to that directly I would actually use a DNS record in my vanity my custom domain um to point to that so that's the key goal around that then we have the idea of private so these records are accessible from the internet then I have the idea of private where I'll create my private Zone and once again I can create different types of record in here now I can once again manually create records but I can also have automatic what automatic will do is I'm creating this private DNS Zone and me have all the different types of record A and C name service text list goes on but what I can do is yes I could manually go and add entry is but also a I'm going to associate this to Virtual networks so I can associate in for two different purposes so I can associate something called auto registration now a virtual Network can only Auto registrate to one private DNS Zone and a particular private DNS Zone can be used by up to 100 virtual networks for that registration purposes so I can have 100 different v-ets registering records to this Zone I also can configure it for resolution I looking stuff up and I can a virtual Network can actually connect to up to a thousand different private DNS zones to look up records and a particular Zone can be used by a thousand virtual networks for resolution purposes so that would mean hey I create a resource of a certain name if it's configured to Auto register to this private Zone it will go and create the record in that to go and leverage the different lookups so that's a really um powerful capability to have name resolution uh between my different Services now when I think about these private DNS zones for example when I create a resource How does it go and use azure's DNS well azure's DNS is accessible on 168 63129 do6 always so aure resources will talk to that IP to look up Azure DNS which Al can go and resolve to internet things but then it would be able to go and tie into these records now this IP address is only accessible to resources in a virtual network if I wanted to use this from on premises for example then I would need a resolver running in here now I could manually create a resource that it could talk to that would then go and talk to this or Azure now has the Azure private DNS resolver that is a target for things outside the v-net to talk to which that private DNS resolver can then resolve records in these private DNS zones but also the Azure private DNS resolver can be configured for things that are using Azure DNS it can go and for to custom DNS servers for my own zones so the Azure private DNS resolver is really powerful to enable both of those um particular sets of capabilities uh there is a default DNS Zone um for each v-net that's just there you can't manually records to it but by default you'll see this internal. cloud app.net and for your resources where I'm not doing this kind of auto registration these are Global so I can attach these to v-ets anywhere in the world uh if with the right permissions even any subscription even any tenants I just have to have the permission to go and link to it and of course I can use custom as well so I absolutely can at my v-net level I can tell it which DNS servers I want it to configure as part of that DHCP when I create resources what it wants to point to now if you're using custom make sure well does it still needs to be able to resolve to this as well do I need to put forwarding in place or some mechanism to allow that to work to ensure especially if I'm using private link and automatic registration of those I can still go and resolve to this successfully as well so that that's an important thing to consider but hey this ability to Auto registrate and have these private zones super powerful and you may have split brain DNS you may have some published to the internet which will be in a public Azure DNS Zone and then maybe I want a different resolution internally well that would then obviously just be a private DNS zone so I have both of those uh options available to me now I talked about internet egress and the fact that hey by default the default internet ESS is going away and we're going to have to have an explicit way to talk to it that Gateway behind a standal low balance without bound rules Azure fire whatever that is but what about if I want to talk to private resources so to give myself a bit more space let's draw v-net again slightly smaller this time so I have my virtual Network and we'll just do a particular subnet here this is going to be my Gateway subnet because I want to be able to talk to other private things minimum is a slash 29 the recommendation nowadays is a sl27 so I could have coexistence with things like a sight site VPN and an express route and if we start off with VPN there are two types there's both a policy based which is static routing it's really not recommended so if I do the policy so let's say we have a VPN Gateway yes I can do policy but if I do policy it's one tunnel and it it's super restrictive on what I can do it's not common with today's gateways I think it it's considered Legacy only using the basic skew I think I have to use poers shell with the Azure CLI to create it generally we are not going to use that what we're typically going to use is the route based or dynamic routing so if I do route based I can have n number of tunnels and also one of the really nice things it has is point to site VPN so I can have an individual computer it wants to go connect to the VPN Gateway so it can have connectivity the only reason I'd ever use policy is if the VPN client I have on premise wasn't very good my VPN server and it had to use that but we just wouldn't really want to do that and so my goal here would be if I think I have my then my on premises Network I am over the internet I have my own VPN server and I'm establishing now that private IP space to IP space now there are different models for this on the Azure side typically you're going to have this idea of an active uh and a passive but you can do active active and so from on the customer side it might be hey it kind of just normally does this conversation or I could absolutely set it up so that the customer maybe has redundant gateways and this could actually be active and you could also have kind of combinations of those you can make it resilient so you do have a lot of flexibility in how resilient you want that configuration to be but this super common sight site VPN connecting this IP space to this IP space and it's known if remember those peerings use remote Gateway I I can do those things it's going over the internet some people don't like that it's encrypted latency may vary because I'm going over the Internet so my other option for private connectivity is express route so if we think about Microsoft Microsoft has this huge Global Network so you have this Microsoft backbone the one and all of its regions are connected to it using these uh resilient redundant Regional Network gateways and Microsoft extends their Network at certain points of presence or meat meares around the world so you'll hear them called pairing points uh meat meares they carrier hotels they're neutral facilities where different networks come together and connect so if we call these a peering Point what I can do as the customer is I can extend my network now I'm probably going to use a carrier to do this but maybe I've got multiple locations I might have an MLs I might have a direct connectivity but ultimately I'm going to extend my network into this as well and then within that location there is a cross connect and now I have via an Express rout circuit my network is connected to the Microsoft backbone then I have an express route Gateway what this is now going to facilitate is private peering so it's a particular type of connectivity so now what I can turn on is private peering which again is this IP space connected to this IP space and I can have multiple networks so I could also kind of connect up through here that that could work as well and have its cross connect that could that would be a different circuit CU it's different meet me different circuit but this Gateway could connect to both of them so this could maybe have a a different waiting I could use path pre pending to make it less desirable but if this was down I could go and use this as a backup route so Express r private peering lets me connect private IP spaces to my virtual Network and it's known connected spaces now one point on this my on premise Network probably has its own connectivity between them but maybe I want a backup route to be able to Route via the Azure backbone so one of the things I can turn on is something called express route Global reach what that now enables me to do is over the Microsoft backbone connect my networks together that's what Global reach is it's using the Microsoft backbone it will route between your different express route circuits to your different locations to enable me to have connectivity between my locations so it's different so the private peering is about hey my IP space talking to the IP space within my particular virtual Network and it's peers Global reach is I want my locations to talk to each other using the Microsoft backbone those express route circuits I have created so that's the goal of this um I can coexist with s site VPN so either I have a backup express route in case there was a problem at this particular meet me location again natural disasters cold weather we've had so I could have a second one meet me again long distance away or I could use sight site VPN as my backup path I I can choose whatever one I want to do there pricing is based on the circuit there's premium premium lets me connect to Regions outside my geopolitical boundary lets me use Microsoft 365 Services over it it lets me have more routes advertised for very large complex Network that may be required I can also I guess I should point this out so I talked about a virtual Network we'll realize there's also a whole bunch of aure kind of P services and one of the things I might want to do is I want to talk to the P services but not going through a v-net and private endpoint I just want to be able to talk to like my storage accounts or a database using a private connectivity and so what we can do here is we have something called Microsoft peering so Microsoft peering if I enable this on my circuit what I have is if you think about this bgp to advertise routes I create a route filter which says which services do I want to advertise to on Prem to come through this connection and then well it would talk through their express route circuit to talk to those various P Services I've advertised and enabled through that route filter so there we go this may seem like it's getting pretty complicated okay so I'm creating gateways I'm creating My Hub networks for the connectivity on Prem and between other networks wow can't someone else do it and so that idea of can't someone else do it is what Azure virtual one is you may hear about virtual one and virtual one is exactly this idea now there's two SKS there's basic and standard for the basic skew it's really about sight to sight VPN only so that I get with basic but if I then think about the standard skew well the standard skew yes does sight to sight VPN but then it also does express route it also has this idea of hey you have your own v-ets and want them to have that transitive communication it does that I could also think about well I have other virtual W typically my virtual W is going to be this Regional construct hey I want to be able to connect to other virtual WS so standard is going to let me do those things so that it is probably something if I'm in a a richer environment I'm going to want to do that and if we look at the documentation it says exactly this so hey basic is site to site only standard Express ra user point to site site to site intraub vet to vet transitive I can use I can have a secured Azure VW it puts Azure firewall I can deploy my own network virtual appliances into the virtual one so standard is is obviously the typical one most will use but if I'm in a really basic environment well then hey maybe I don't need that I can just use uh the basic and it's going to be cheaper and that's really the key Point around a lot of these things is as is consumption based I'm going to pay for what I need to use so I can leverage that we've mentioned this a few times and it is about kind of the routing and we drew this over here user defined routes so there's a default set of routes that a virtual network will learn based on its gateways based on maybe I've got Azure route server which can then go and talk to my own network virtual appliances to learn the IP space it can connect to but I can also with userdefined routes override those default routing policies and all the UDR lets me do is I say hey for this IP space your next hop should be this type of service and this particular IP address so it's just a way to override the default routing that I'm going to so that that's our goal so use user Define routes if I want to modify how traffic is going to flow hey I need to send my traffic to Azure firewall I'm going to create UDR and going to link it to the subnet which will say hey the next hop for this target IP space is this virtual Appliance and it's the private IP address of my Azure firewall so this has a private IP that would be the target of my user defined route the next thing I want to talk about is when I think about protecting uh communication to I did this idea of a p service but imagine the idea that okay I do have for example a storage account so network security groups are fantastic for controlling communication to and from things in the virtual network but what about if I want to protect my pan service on what can talk to it so they have their own little firewalls so there's this idea that in front of my service it has a firewall and if I want to be able to say well look this particular v-net here this subnet so subnet three I want it to be allow to talk to the storage account the problem is this is a public endpoint this is not living in my virtual Network it doesn't have a private IP address this is just exposed really out to the internet with this public endpoint so there's some public endpoint here this is all private IP space so how do I say hey look a resource in this subnet is allowed to talk to this so what we can do is we can create something called service endpoints so what we're going to do is we add a service endpoint R for a particular type of service to the subnet what that now does is it makes this subnet a known entity to resources of the type I add the service m.4 so that now lets me do is hey if this is vnet one and this is subnet 3 now the rules on this service I can say hey I'm going to allow in vet 1 subnet 3 and it also establishes a a more direct communication path between them because in the log I'll actually see the private IP space is trying to talk to me so service endpoints are all about hey I'm going to enable a particular set of resources in this subnet it wouldn't apply to other things in different subnets it's only in this subnet to be able to be allowed to talk to a service so if I was to go and look at a virtual Network quickly if I look at my here my in for subnet I can go and enable it for particular service endpoints so now these types of service would see this particular subnet so I think I've actually got it on this subnet so look at this in for I got too many virtual networks in this environment but I could just light this up for any of these and then once I do that and I could just check that for really any one of them if I then look at my storage account and I just pick a storage account it has its concept of networking so I'm over here and it will actually enable me to go and add the service endpoint anyway for even if it doesn't have it now right now it's enabled for anything but if I enable it for selected virtual networks now what I could say is add an existing virtual viral network I can select a virtual Network that I have here and then I could pick a particular subnet oh it's service lockdown that's the one notice this one is not telling me I need the service endpoint required it's there already but it's now visible to me these ones it would have to go and add the service endpoint to the particular subnet but now I could allow through only particular subnets so that's what a service endpoint does a service endpoint is all about me saying Hey I want to let through things only in this subnet so even though it's a public endpoint I want to be able to say hey only these things are allowed to talk to it so great that is what this functionality is lighting up it's still a public endpoint it's going to let me leverage it there's another level I can take this to we have something called private endpoints now a private endpoint I'm just going to draw a different resource just for Simplicity and so now let's say I've got storage account to maybe I don't really want it that public endpoint open to anything so what I can do with private endpoints it creates an IP address in the subnet that private endpoint talks to a particular instance of the service so it's not talking to the public endpoint the public endpoint can completely shut off it's only using this private endpoint now I do also require some special DNS so I'd probably create an as of private DNS Zone because it still has to be able to use the name but there's going to be a private link version of it so there'll be records added that now says well to talk to storage count two it actually resolves to this IP address but it's the proper name so the TLs checks on the certificate will still work correctly so private endpoint it's an IP address in my Subnet just gets allocated out my Subnet the points to a particular instance of a service now I may also have my own Services consider maybe I've got my own virtual network over here and I've got some resources and they're sitting behind a standard load balancer so it has a front end IP address which is private and I want things in here or anything connected to it CU these are just IP addresses so the benefit of a private endpoint is whereas a service endpoint could only be used by things in its subnet this is an IP address so I could talk to this from other things in different subnets I could talk to it from P Vex I could talk to it to on Prem it's just an IP I just have to make sure this DNS resolves consistently wherever I'm trying to use it from so the name resolves to this IP instead of the public endpoint otherwise the TLs will fail I won't be able to talk to it but I've got my own custom service now I don't want to peer them because peering them would solve the problem because now this IP address will be routable maybe they're overlapping IP address ranges I can't peer them maybe I don't want to peer them maybe I'm providing a service but I just want them to access this one IP address so what I can add I can add the private link service to my standard low balancer and now I can create private endpoints that talk to this and it's going to do nting Network address translation for these things so I can also expose my own Services if I'm using a standard low balancer and I put private link service with it then I can go and talk um to that front end without having to peer the virtual networks so that's another way to secure and enable those Communications um another connectivity service I guess I should mention quickly is I've talked about VMS a few times now well I made a whole big point that giving a public IP address directly to the VM is ugly I don't want to do that it's it's risky horrible so then how do I talk to my VMS well ideally these private IP address I talk to because I've got site to site VPN I've got Express ra I can just talk to the private IP address of my resource but what if I can't so what I can deploy as a service is something called aab Bastian so AER basan enables me to talk for example from the internet and think it as a managed jump box so I'm going to talk to this and then from here I can go and communicate to my virtual machines I can do SSH I can do RDP it's integrating with entra so I could have things like conditional access policies to hey you have to have done a strong authentication before you're allowed to go and talk to this service it's really powerful here it's going to deploy into its own Azure basan subnets this is called azure Bastian subnet it's a sl26 in size but now it's just a manage jump box for me and there's there's different SKS available for this and really the skews divide the functionality there's a basic developer skew so it's only a VM in the same v-net if I go to basic and standard then I can talk to VMS in peered v-ets if I go standard skew I can use RDP to Linux and SSH to Windows so I can do kind of a crossplatform thing standard also lets me use the Azure CLI to connect and not the portal it has better scaling I can have a sharable link I can disable things like copy paste for the web clients so ordinarily I will just go in the portal and do connect but with the standard skew I can just use an a CLI command and to do that connect so we have different SKS available depending on the exact functionality I require okay so I mentioned load balancing and behind a standard load balancer so let's talk about that because it's super important when I think of any service I'm wanting my service to be available and there are two levels when I think about low balancing because I can think about there's the idea of a global level where I want one end point that I can go and talk to that's going to work no matter where my resources are and then I can think well obviously we have our regional level balancing High availability I got different instances within a region one end point to those for high availability and then I have deployments around the different regions I want one Global endpoint that is used by the client and we need both of these things and when you think about there's really two layers I can apply these Solutions too depending on the type of service we're offering now if I am a web based solution so I'm talking at layer seven I'm thinking HTTP S2 websockets Etc our solution is azure at Gateway so it's layer 7even solution that understands HTTP https and then we have a more more basic is the right word then we can have the concept of a layer four so a layer four so this would be TCP this would be UDP so this is the Azure load balancer now for the Azure Lo balance we actually start here there are two different skews available for this both of them are doing the same thing we have the idea that we have our Azure low balancer instance and it's going to have a front-end IP address now this can either be inter internal or external it's one or the other is an internal low balancer or it's an external low balancer and then what I'm going to have are one or more backend PS so I can have a backend P one I can have backend pull two because I can have different IP addresses using this that it's going to go and balance the traffic between there are Health probes that I configure that will be used to go and check what are the instances in the back end pool there and responding and available to us and what I do is I create rules now the rules are really based on the idea that well the the pool I'm going to use and then the number of two pools I want so I can have this idea of five three or two TS what does that mean destination IP Source IP destination Port Source Port protocol that's five Tuple so I could use five Tuple for my Ru which would mean Super specific I have to have all of those things matching to be sent to the same backend set member if I do three tupo I take out the port now I'm only caring about a destination Source IP and a protocol two t says I don't even care about the protocol the source and the destination IP match send it to the same backend set so it's how sticky I want to be from a particular client to always go to the same backend set member so that's why we have those different TS and so we can have these rules to Define hey coming in where does it go to we can have knat rules to go to particular sets I can have outbound for the standard low balancer which is a great point so we do have two different types so we have three I'm going to do it in red now free only supports 300 I think in a back end set in kind of availability set configurations there's no SLA but it's going away uh I think it's the 30th of September 2025 it's rest in peace it's gone same as the basic IP address public IP is going away on that same date they're basically killing these off and so this is generally not the something we're going to want to use what we're going to use is the standard so the standard can be a th000 it has to be in the same v-net so this is not spanning virtual networks the load balancer is in a particular virtual Network the backend members have to be in the same virtual network but it supports available ility zones obviously it's got an SLA they paid for resource and this is primarily what you're going to use if it's an external it's going to use a standard public IP it's locked down by default I have to add outbound rules to be able to go and talk to the internet and the backend pools what's really nice about this in standard is yes they can be Nicks or they can be IP addresses whereas with the free it's only ncks which can restrict from some of the newer types of service where it's more useful to be able to base it on the IP address but either way has to be in the same virtual Network the resources as the low balance itself and again if it's external the public IP has to match the skew of the lad balancer so a standard has to talk to a standard public IP a free has to go and talk to the free public IP addresses um yeah that IP address if I'm using AKs then the pods don't have their own Nick they have an IP address so now I could have pods as part of that backend set the health probe is going to use that HTTP um standard ads https checks to it TCP and those lad balancing rules bring all of that together there is something called a floating IP if I have a floating IP rule then when it gets sent to the backend pool member the IP address that is sent to to it is the front endend IP it doesn't translate it to its IP address the actual resource what that resource will see is what the front end IP address was and that's going to be useful to avoid that rewriting for a number of use cases as part of the communications so floating IP is doing that it's going to see this IP instead of its own IP being sent to it so layer four within a region I'm going to use standard low balancer fantastic okay but if it's a webbased solution I don't want to use this because I'd rather have richer functionality so that's where I use the app Gateway now from a a structure perspective once again it has a front end IP now what has recently changed so before it had to always have a public IP in preview at time of recording you can now turn off the public IP and optionally it can have private IP so at this time both of them are now optional I have to have one of them obviously but before we always used to have a public we could use NSG rules to make it unusable but it had to have it but now they do have the option o of removing that and this is absolutely focused on on HTTP htps http2 websocket type Communications it's at that layer seven there's a v there's basic and standard SKS there's a V2 skew the V2 skew adds Auto Scale based on load um Zone redundancy or it can be zonal but it still lives within a specific region now the backend targets you have a lot more flexibility but it itself is within a particular particular region now it deploys into a subnet you can pick which subnet it doesn't have to be a special name but it deploys into a subnet a sl24 is recommended for growth if it was the V1 only Sports 32 instances so you could use a sl26 optionally one of the nice things that I can do is you can add the web application firewall so what that adds is protection from a whole set of is the open web application security project it's a common set of vulnerabilities that people might try and use to compromise your web based app I pay for it but I can add it to my app Gateway instance and it will add protection for those but the whole point here is it understands the application I can do U URL based routing and redirection so I could do a HTTP to https for example I could can rewrite the URL I can rewrite things in the request header I can do SSL TLS termination I can offload that termination to the Gateway and take it off of my backend members I can do session I.E cookie based Affinity so there's a whole set of capabilities there it can be je stack so it can be ipv4 and IPv6 but what we're going to create from a structure perspective is we have a listener am the right color nope so we have the front endend IP we're going to have a listener now this listener is basically listening on a certain pole so I create the listener to listen on a certain pull on that front end configuration now from here I can have a basic type listener so all the basic is basically saying everything everything on that listener is going to a particular rule or I can have multisite and what a multi-site lessener does is I can have multiple listeners on the same port and I can based on the fully qualified domain name that is sent to the request that's fairly common we might use one IP one port for different fully qualified domain names well based on the fully qualified domain name I'll send it to a particular rle so I can have one IP so it could all be 443 for example but I have different sites sharing it we have that server name indication that we can put in the header so I could do different things based on that and again at The Listener I can do things like the SSL offload I have my certificate kind of management up there and so then the listener is using a particular Rule now remember my rules can do different things so my rule could be a basic rule now the rule could just hey I'm routing it through to a particular backend set I could base it on the path so actually look at the path based of the URL not just fully qualified domain name I can even rewrite so I can change aspects of what has been sent to me and then I'm sending it again I have this concept of my backend pulls I also have HTTP settings that the rule is going to use so this could be things like Affinity encryption other capabilities I want to expose of it but the nice thing here is these backend pulls I have a lot of flexibility here so these backend pools could be yes VMS they could be virtual machines scale sets but they can also be IP addresses they could be fully qualified domain names they could be app Services there's a huge amount of flexibility so what this means this could be stuff in AIA but it could be stuff on premises it could go and point to things a point sit like VPN or an express route private peering or even a public IP this is way more flexible with what it actually will go and use do um there's Health probes again that it's using to check are these possible targets available that I can go and send it to but if I'm layer seven hey I'm going to leverage those things great that's within the region I've made my service available but remember that was Regional what about globally there were a number of different solutions here now I don't if it's most basic is the right word to use for this but we have Azure traffic manager so Azure traffic manager is DNS it has a name you talk to the name it will resolve to one of the possible targets which could be anything it doesn't care if it's layer 4 or layer 7 it's just DNS resolution so that's a global endpoint that it can do things like performance so it would resolve it to the instance that's closest to me absolutely I can do that there's round Robbin there's waiting there's different things it can do to enable me to go and talk and it could talk to Azure endpoints like a pad service a web app a public IP it could just be any ipv4 IPv6 F qualified domain name it could be a nested endpoint it could talk to another traffic manager which maybe uses a different method to distribute the traffic but this is just DNS and there's a number of routing methods we go and look so it's talking about priority weighted again performance is very common that's going to send me to the closest one but I could restrict it to Geographic um multivalue subnet says just a whole set of things that I can do from that and one of the things I would do is I can set a time to live on the record which is how long it would cash it for before it goes and says hey is there a newer one that I want to do then let's think about this layer four did I forget to write four layer four at the same layer four well one of the things we have now is a cross region load balancer so this is a global IP address public has to be public that can then point to n number of regional low balances so is any casting the IP it's available in lots of points of presence the Microsoft One outputs to one end point clients can talk to and then it will Point them to hey one of those ones that is close to them and I did a whole video on this if you're interested in the detail so that's a great layer for solution for public services that I want to then go and talk to a regional remember the whole point is high availability at all of the levels I want it resilient within the region and then if the region goes down I want it resilient from a Global Perspective but it's in some ways maybe more common now what about layer seven so the layer seven level what we focus on now is azure front door so Azure front door is our layer s again public Global low balancing solution and this actually has a whole set of different things now once again in front of this it has a wa option to protect again against those common types of attacks that I may have on it and once again it can do SSL offloading cookie based Affinity url redirection url rewrite all of those great things but if you think about from again that Microsoft Global one that has all of these different points of presence around the world what Azure front door does is a number of different things firstly that IP address like this is anyc cost so the IP address is accessible from any of these points but if I'm the client what it actually does is called split TCP so I established my connection with this points of presence that will be close to me because they're all around the world and I'll establish my TCP session and then my TLS session with this so it's close Communications and then when I want to go and get content again on the Microsoft backbone Network where whatever the actual resource is it will go and fetch large blocks of the data and then I can optionally turn on caching so it's combining features of the CDN to add to this so it can also cach the content so after the first person tries to access it the second person will be accelerated because it's caching it but even if I don't cach it's still going to go and pull large blocks of the data it has multiple targets one's down I can go to another one and it's really common those back ends will be out gateways Regional Global so as your front door it is really useful for that um but they do have to be public it's a public IP it's a publicly resolvable DNS name but again this can obviously be across regions zones don't if even be in Asia as long as they have public connectivity now again there are different SKS it talks about Azure front door premium and standard don't really worry about classic so much but you can see all the different capabilities that are available path based routing rules engine Microsoft manage rule set so if you think about from a waft perspective there's included rule sets if I'm using um this premium skew you don't only have to create custom ones there's bot protection available just different capabilities you can go and read through that and understand all of that great stuff um that you can do soly networking was very very heavy on this I totally get it um but really with aure a lot of the big things is the networking like that that's one of the the biggest things to understand and if you do understand it it it's super useful for everything you're going to do but let's change track so if that was our networking give myself a lot of space well we we did a lot of stuff zoom out a second all right yeah we start over here all right so let's talk about storage now the storage there's a lot of different storage services in Asia but typically we need durable storage we need persistent long-term storage for various things so if I think storage the most basic building block we are going to have is going to be a storage account and once again this is this lives in a particular region so I'm going to give it a name it lives in a particular region it has a certain performance now most of the time what you are going to create is general purpose V2 that exposes all of the types of blobs and cues and tables and files it's the most common used I wouldn't ever use general purpose V1 or the standard block blob you just going to use general purpose V2 but then there are also so this is kind of the the regular but then also premium options now the premium are service specific it's built on SSD type technology so there's block blob there's page blob typically not going to use that and then there's files one important point to know about premium files premium files builds you based on the provisioned size not the amount of data you write ordinarily I pay for the date where I write to the service with files premium I pay for the size of the share I create because the performance goes up based on the size so maybe I'm creating a share of a certain size because I need the performance that Associates with that size so it doesn't matter if I write nothing to it I will pay for the provision size of the share because that's where the performance is being driven from so that's a really super important point to understand now when I I think about those services for a second let's just talk about that so the common services are blob and within blob I can think of block which is probably the most common like got multimedia files um page we don't typically interact with page anymore page is for Random Access we used to use it for discs but now we have managed discs so we won't play with this a lot um but also aend a pend is if we just want to keep adding like logging to the end of something but then we also have files this ismb or NFS file based protocols shares I could have table which is really key um value pairs of data table is a kind of an odd term for what it's really doing there's no schema to it it's just I want to add these key values to it then there's Q hey I'm writing some message first in first out leveraging it for that purpose so we have these different capabilities and if we saw a storage account let's just go and create one you'll notice it asks me for the region it asks me is it standard or premium if I select premium then I have to say well what type whereas standard it's not even giving me a choice it's just saying you should probably just use a general purpose V2 I can through a template or the command use a different type but yuck we generally just not going to do that and when I have this general purpose if I jump over for a second to storage Explorer so this actually one of the great tools that we can use to interact so I'm looking at a storage account and notice I can see all of my types I can see blob file shares cues and tables I can see I've got containers with files in them I can see maybe I've got a file share so I've got images file share can see it's content I've got folders I could have a queue which I can write items to I can delete items so I could add an item storage Explorer lets me do that so I do test so now it's written item to it and I could DQ it yep DQ now it's gone I could have tables which again there's no schema to this but I have a partition key a row key and then bits of data but I can write anything I want when I do add yes it shows me ones I've added in the past for properties but I can just add a property anything I want with some value I want so it's schema list it's really just all about key value pairs of data that I want to store and I see this that storage Explorer idea put it back to my account so I see the the same basic viewing here containers file shares cues Etc and notice it actually has a storage browser so it gives me a version of that experience in the portal as well so there are a number of different tools that I can use and leverage to interact with this so it's actually a pretty nice and we we'll come back and talk about this obviously I can use apis and other things as as well but it's it's a nice way to do that basic interaction but the other key thing is we do have this idea of redundancy that we set when we create the storage account and we can modify that post creation so I think about the redundancy of the data so the resiliency of my data we have a number of options on how that data is going to be stored so my next thing is the redundancy now remember what we talked about so if I think of a region so storage count lives in a region remember that region very commonly today is made up of availability zones so I could think of my a easy 1 2 3 and within there there are physical facilities let's just say there's just one data Senter or cluster whatever that might be so when I have the reliability the redundancy for my storage account I get to pick so the most basic is locally redundant storage where there's always three there's minimum three copies of my data so with locally redundant storage there's three there within the same storage cluster then I could pick Zone redundant storage only in regions that have availability zones well now my three copies are spread over the three availability zones fantastic so that's resilient at different levels within the region well what about if I want protection beyond that so I talked before about those pairs of regions so this is where this is used so let's say region two remember region two also has some storage clusters over here my next option that I can perform it's make big different colors um is GRS so with GRS there's three copies within a certain storage cluster and there's another three copies over here as well so there's six in total now this is a as synchronous it's always asynchronous between regions asynchronous means when I try and perform the operation as soon as it's durably stored to the primary it will acknowledge it to the client that's performing the action and then as quick as it can it will copy it over and replicate it because the latency is high between regions it would slow down my app too much to make this synchronous so that's GRS there's also the option of of G zrs so with gzrs the three copies are spread over the three availability zones and then there's three but it will be within the same storage cluster on the other end so again you got three and three always a minimum of three so now I get six I have that there is a modifier so my modifier is I can optionally say read access NOP okay that scared me for a second now okay so optionally we can also say read access and exactly as the name suggests what read access is saying is that I can also read from the replica they're not files but it does allow me to for example blob hey maybe I just want to be a to read from the replica in the other region so I can leverage that now there are other features I can turn on things like hierarchical namespace which then for the blob it's posic style akles and I can leverage those things once again we have firewall on the storage account so I could restrict it to service endpoints or private endpoints when I think of interacting with the storage so I guess I drew this idea of of obviously the portal so I can always use the portal to go and interact with my storage account but then really powerful is that storage Explorer it's a fantastic tool to go and interact so go and play around with that I can upload data I can manipulate there's also um a copy so a copy is a really powerful command line tool um let me just show you the documentation on this so easy copy I can upload I can download one of the other nice things it can do is something called a server side asynchronous copy and what that means is imagine I was doing a large scale copy between different storage accounts normally when I copy data I kind of download the data to my client and then copy it to the Target that's really inefficient if I'm trying to copy between store accounts in the cloud so an async server side copy it just copies it directly between them so it's a really efficient copy um there's also things like data box data dis this is a really useful way for large scale data migrations I can get entire units or individual discs send them to Azure data centers they import my data rather than sending over the network or send it back to me so that can be a large scale migration capability there's things like data Factory to create pipelines to bulk move uh I can do extract transform load type things there's a lot of different ways to interact blob fuse I can mount within a Linux file system my blob storage account and lots of capabilities there so um different ways to interact with my data but fundamentally lots of different services available I get to pick my ileny now one thing we always talk about is optimizing our spend if I think about blobs blobs could be huge I might have lots of image files and uh different media so I pay for the capacity I use but I also pay for the interactions with it so one of the things we can do with blob it's a different color so with my block blob I have the ability to tiar and there's four tiers that we have available so let's use all of our colors I have hot I have cool I have cold and then I have archive I can set this at a per blob level now why we have these is think about my different requirements I may have so there may be data I'm constantly interacting with and so there's two Dimensions to the money I pay I can think about I pay for the capacity natural amount I'm storing but then I also pay for the transactions actually interacting with it so with hot I pay the most money for the capacity but I pay the least for the transactions whereas with cold I pay a very small amount for the capacity but I pay a lot for the transactions so it's it's a tradeoff now archive it's super cheap but there is no interaction this is offline to actually read the data I have to bring it out of archive back into another tier so the way I would use this if it's data I'm constantly interacting with hot would make the most sense if it's data I interact with occasionally it may be cool if it's data I've never interact with but it has to be available instantly if I needed it I would use cold if it's data I have to keep for a long time and I could wait maybe 12 13 hours to be able to read it because it takes time to bring it back then archive so it's all about optimizing how I want to spend my money and the the pricing would show this so here if I look at the pricing and obviously there's that premium blob as well where I pay kind of the most but you notice the pricing goes down as I move from hot to cool to cold to Archive but if I then looked at the operations it gets more expensive Hots the cheapest then cool then cold and then archive that's about bringing it back out of archive but also realize there were minimum amounts of time so if I think about where' it Go the the time here we go there's early deletion so it has to sit in Co cool for at least 30 days it has to live in archive for 180 days and it has to live in cold for 90 days and if I was to delete it out of there before then it would still Bill me for the remaining days that it has to be in their minimum of so there are minimum times I have to keep it in those particular tiers for so it's important to understand that when I think about picking my tier and how long I'm actually expecting it to live in there and if I was to look while we're in here I can completely mix it up so in this one container I've got some files in hot which is my default I've got some in cool some in cold and one in archive and the key point is I could interact with any of them except the archive if I try and access the archive notice download is gray out I cannot download it because it's offline I would have to change its tier and bring it back into another tier to be able to read from it and that operation could take hours whereas with all of the others I've got a download button so even if it's in cold I can still go and download it it is available online so I use the tii to optimize that now I can manually set this taring but that gets kind of cumbersome to do and so what commonly we're going to have is life cycle workflows or life cycle management so what life cycle management this will let me create rules to say hey based on maybe filters based on its name based on last time it was accessed or modified or created I could move it between the tiers maybe I'll even delete it after a certain amount of time so I can completely automate all of the different aspects around that and I'd want to make sure I respect those minimum times remember but here if I jump back over if I look at life cycle management I've created different rules here but I've got move data for Access tiers and so I've got things that hey if I've not accessed it for 15 days move it to cool 45 days move it to cold 135 days move it to Archive so you can create rules I can create filters based on hey bits of the name I could use a blob index key there's different things I could use to control how I actually want to use those different things and I didn't show it but on that redundancy side just FYI I can trigger the failover and it will show me how up toate the replication is so last time in my time zone was 7:23 so right now it's about 2 minutes ago so there would be a chance if I did that there would be some data loss of stuff that was past that point so I can manually trigger those different failovers and then there's also features like uh versioning and sofly and change feed for a whole sets of those different things the other thing you can do is object replication so maybe I don't want to be stuck to the pair region what object replication does is it enables me at a container level so I could pick a different storage account anywhere and I can say look stuff from this container I want you to copy it to this in that container and I could add filters to what it's going to control so the whole point of this object level replication is that ordinarily as we talked about what it is doing is to the paired region so this is the key Point here this is all about the pair I I can't configure anything else beyond that but what I can do with this other capability is now if I think about I have my storage account and I have my different containers so container one container two well I could have a different storage account anywhere I want it this is storage account to and it has a container and another storage account this is storage account three and it has its container I can create my own rules to say well everything in here copy to there everything in here copy to here different regions I have complete flexibility so that gives me a lot more power to modify how I want that actual replication to go so that that's a nice thing uh that I can do from The Blob um moving mov on that was all about blob and again there's a ton of features about protecting the data and being able to restore it and monitoring change feeds realize another huge service that we think about all of the time is azure files and just like a bit of space so if I think about files go over here so we have the same capability of tiers so we we have transaction optimized we have hot call and once again the idea is we're trading off between the idea of capacity and the interactions with the data there's also that premium which is obviously a different type of storage count that we have to create and once again I can do things like soft delete on the file share so look so one of the nice things here for example is if I was to look at my files so if I just go and look at my images we can see for example here I've got different capabilities I've got the performance that I've got configured I can have backup snapshot so I can configure snapshots so I can go and see a certain point in time I've got soft delete so I can undelete things for up to 14 days and that could be between 1 and 365 days so I've got the soft delete so I can easily go and go back in time for those different capabilities I can use a backup Vault to orchestrate those snapshots that are being created I can integrate with entra ID so Azure ad for the data plane controls and access to that and I should have pointed that out with blob so all of these things now I can also do data plane permissioning on but one of the unique things you may have with file shares is great I've got my file share in Azure so I can think about okay here's Azure I created my Azure files SMB share fantastic but you may also have on premises on my windows file server I have a file share and maybe over here on a different location I have a Windows file share one of the things I can do is we have something called Azure file sync and what I can do is I can create a sync group and exactly as the name suggests these can now synchronize to the cloud endpoint now they're not replicating to each other changes go to here and then they can be red from the others and I can have up to a 100 of these and it's always one Cloud endpoint in any syn group but the other nice thing I can do is imagine I have a lot of data and I've got a finite amount of space on my physical file servers or I can do tiering so I could say hey look when I'm down to x% free space the least used stuff just go and tear it up to here it'll still have a a thumbnail a link to the data and it can pull it down if someone tries to access it but it can offload it up into the cloud so that gives me obviously a really great capability for for infinite scale fundamentally and that's really what I would want to be able to do I can my great ler gives me a good Dr capability if this goes down well I can still go and get the DAT to enable access to there um the other thing um security so on this storage account what you actually have is the idea of you have two access Keys now the Reas you have two is I'm using one I want to regenerate so change the other one once it's changed I'll start using the one I've just regenerated now I could regenerate the first one so you have too so I don't have to have an interruption to my interaction with the services but these are all powerful um what's preferred these days is remember I talked about the data plane most Services now have a data plane role based access control so a blob data reader cues and you'll see this on the accounts so if I was to go and look let's just go back up to the storage account level ACC Access Control roles one of the things let's just type in the word data notice we can see all these here so I have blob data contributor blob data owner blob data reader file data QE data table data so all of these roles enable me to give entra identities be it users or service principles doesn't matter permission on the data plane so I don't have to use what are these all powerful access keys and that it gives me the option to rotate them I can block them now I can completely block them if I look at my configuration one of the options we have is allow storage account key access so I can disable it one thing to bear in mind another capability we have is we can generate something called a shared access signature now these can be at the account level or they can be at the service level but these are signed by the access key so if I disable the access key I can't use um service those signatures anymore so realize yes these are not ideal to have but if I disable them I can't use a shed access signature and so those Shar shed access signatures are about giving more granular access to a particular service so if I was creating that for example so if we looked at um the storage account level well then it's an account level signature so if I rightclick and say I want to get a shared access signature again I can do this from the portal as well but if I do this I can pick which Services I want to enable because it's at the account level all of the things I can pick which permissions which times which IP ranges for every granula or I could dive into a particular service and then I can create a service shared access signature so that's not asking me what type of service but I'm just setting well what properties what do I want to allow how long do I want this to be used for and this is signed by there so shed access just enable me to do a more granular set of configuration to that but if you disable the access key I can't use those anymore so just something to understand and make sure you're leveraging that the other thing is encryption so by default the encryption is using a platform managed Keys that's Microsoft managing it you can do a customer managed key customer managed key means you're going to have your Azure key volt and you're going to have a key and that's what you're going to use to encrypt you are responsible for the rotation of that now I can use Azure key auto rotation policies to do that I can use Azure policy to alert me when there's less than 30 days left there's things I can do but you would then be responsible for that um there are encryption Scopes encryption Scopes let me use a different key for maybe particular containers or even particular blobs if I don't change it at the container level so what that does is it says hey I'm on the storage account if I look at my encryption notice I can Define encryption Scopes so an encryption scope could use a different key key which is what I've got here and then on a particular either container I could pick so I've got special scope on this one if we look here properties we can see I'm using a different scope but also when I upload a blob if I haven't configured a special one on the container so if I just pick one that's the default as part of the upload I could pick a different encryption scope so at blob level I can also use a different key so this would be useful imagine I was an isv providing a service to my customers I might want to use a different encryption key for each customer but I don't want to have to use a different storage account so encryption Scopes enabled me to have a more granular set of encryption so I can config that at a more granular level okay so that's storage accounts when I'm using VMS or many other types of resource I talk about page blobs and how we we tend to not use those so much anymore the reason for that is what we use a lot today is the idea of a managed disk now what's happening behind the scenes is there is still a storage account there still a storage account there is still a page blob but it is completely abstracting it away from me all I see is my managed disc I don't care about the page blob I don't care about the storage count it's abstract Ed away completely now there are different types so we have the idea of standard part dis Drive based a standard SSD based then we have the idea of Premium SSD there's also now a premium SSD V2 and then we have the idea of ultra disk and exactly as you're going to expect the the it's getting better so this is the best this is the lowest latency half a millisecond latency what up 1 millisecond latency who knows the performance there's kind of a line to draw here I'm going to draw a line here so when I think about performance as the capacity goes up so too does the performance so the bigger the disc the better my performance will be now there are certain burst capabilities you need to be aware of if you go and look at the documentation it would talk about there's a certain amount of free burst you get as a certain paid that I can do for premium SSD premium SSD I can also pick a different performance tier because you can't shrink discs so the whole idea of being out to pick a performance tier would let me heighten my performance perance temporarily because then I can shrink the performance tier back down again whereas I I couldn't just make the disc bigger and then shrink it you can never shrink a disc you can only make them bigger if you wanted to shrink it you'd have to create a new one copy everything over would be super super painful so we would think about that so the performance is tied to the size of the capacity and we're see this in the pricing so if we go and look at pricing notice as the disc gets bigger so too does the performance and as I go from what is this and notice it talks about bursting so there's burst capabilities for some of these things premium SSD V2 I don't look at that yet standard SSD again bursting capabilities the bigger the disc the better performance now you'll notice SSD V2 doesn't have that it's separately talks about iops and throughput as does ultra disk a maximum but I pick the I Ops and throughput I want so what's very different here is under this line for premium SSD V2 and Ultra disk I pick the capacity and then I pick the iops and I pick the throughput now up to the Limit the capacity is still drives what the biggest it can be but I could go smaller and I pay for this what I'm actually using but these are Dynamic I can modify the iops and the through port at different times then there's a minimum time it has to be at a certain level maybe if I had some big batch job I can boost the performance temporarily to meet whatever my current requirements are and then shrink it back down again and I can do sharing for the standard SSD and prob have multiple different things connecting to the same dis so that that's a great capability I guess the final thing to talk about um for the managed diss is the encryption so remember on a storage account we could just use custom manage key it's a little bit different for a manage dis so from a manage dis what happens is I create something called a disk encryption set that dis encryption set is using a certain key in my Azure key Vault and then what I do is my managed discs are placed in that disk encryption set and then it will use that encryption key so that's how I use my own encryption with manag disc I create dis encryption set first that uses my own key then I create the manag discs will put them into that set so that's at the disk level encryption at rest my other option obviously could be well okay I've got a virtual machine that virtual machine is running a certain operating system and I could do the encryption within the guest so for Windows that could be bit Locker for Linux that would be DM Crypt and this is what we call Azure dis encryption ad so it still go and talk to key Vol to store the keys it's using but the actual encryption in a lot of ways is transparent to the dis it's happening inside the guest that gives me maybe a little bit more flexibility in terms of the encryption and how I'm doing it but also there's more constraints on how I can move things and manage them in other ways I think a lot of times now people will use the dis encryption set instead I can pair this with encryption at Host what encryption at Host will do is the cache files on the host that's running this VM so there's obviously a physical host running this thing what encryption at Host does is any cache files it encrypts with the same key uh my temp disk it will encrypt with a platform managed key and it will also encrypt the data in transit so it would encrypt that data encryption um going from the disc to the host as well so encryption at Host adds kind of that encryption and that so the encryption over the wire so I could combine encryption a host with dis encryption set so now it it's always encrypted which is probably saying very useful we want to do and again I'm going to pay for the size of the disc I create that that's the key Point here okay so that's storage done okay let's get back to a place this board in very very full I noce the performance is starting to waver a little bit hopefully we'll we'll make it through to the end so next thing I want to talk about is on the compute side now I guess before I go into detail on the compute realize there's different ways that we can provision our resources so if I think about provisioning I don't want to use the portal um and you might say why not I like the portal is very intuitive but imagine at scale I'm trying to create 100 resource in the same way clicking those buttons even for a storage account there's 10 pages of stuff to fill in you're going to make mistakes so we do not want to use the portal even things like the Azure CLI um Powershell I don't really want to use that to create things either because because yes I can script it I can use Version Control to make sure it's consistent but what if I have to change the configuration I can't just recreate the resource it exists already or error I have to use a different command to modify so we don't really like that either the best way to do provisioning is we want to use we have the arm Json template or Azure bicep and Azure bicep actually transpiles into Json and there are third party ones like terraform as well there are there are other ones out there but these are what we want to use to provision resources because they are declarative we're telling it what we want not how to do it if I apply a template and then change something in the template and apply it again it will make it so these are really useful that I could put in my version control system that I could then push with a pipeline it will always make sure it matches what's in the template this is what we want to be using so if I was to jump over and you should know understand the basic format of these the quick starts are fantastic but if I go and look at compute and let's find it's normally simple Windows yeah VM simple Linux this is what an arm template looks like now I've got these parameters things I can pass in at the start and then what it's going to do is actually create the resources themselves so if we look at the resources well it's from the microsoft. network resource provider is creating a resource called network interface and then it's the properties that it wants to create it's also going to create network security group it's also creating a virtual Network it's going to create public IP then from the microsoft. compute resource provider it's creating a virtual machine and a nice thing actually here is it doesn't look very nice but if you have an existing resource most of the time you can look at export template and it will go and create this Json file this arm Json template for you so it's generating the template right now that I could maybe go and use for my own purposes I could modify it a bit I can understand exactly what's going on normally this will just show it'll give me parameter options as well to leverage that when I'm creating resources in the portal often it will give me the option to hey show the template so here's the Json version of that the challenge with this as you're probably seeing it's not very human friendly and so that's why today we like bicep more this is creating exactly the same resource but in a lot of ways it's a lot easier to read okay I'm going to create a VM there we go and I can take a Json file and decompile it to bicep there's commands that enable you to do that but this is far more friendly so you should understand the basics of Json and bicep as the ways to provision them why we like using them for our all up sets of capabilities in Azure and this Json is actually how the backend of azure is storing the metadata about all of our different Services okay but actual compute resources once we provision them and we can use this for VMS everything we should do from a template what are the types of service we actually have in Azure and we always talk about these different levels of responsibility this actually could apply to database and other types of service as well but I can think layers so I could think well there's storage there's Network there's compute I the actual server running something there's a hypervisor there's an operating system maybe there's a runtime there's my application and there's my data and we used to the idea that on premises this is all my responsibility I might have different teams doing it but it's all my responsibility in the cloud we have different types of service now I could think about infrastructure as a service a VM in the cloud so here the line of responsibility is here so now the vendor let's say Azure is responsible for managing the hypervisor the physical servers the storage the networking now I still have to pick the right size and skew which controls how much resource it gets but then I'm responsible for the stuff inside the OS that means I am responsible for patching it I am responsible for anti virus I am responsible for backup I am responsible for um Dr planning and replication I'm responsible for antimalware now there's things to help me in Azure there's agents there's extensions there's extensions that can run a command there's extensions that can run entire scripts there are things to help me but it is my responsibility to make sure I've got those things in place then we have pass now this could also include managed databases here the responsibility is up here so now I'm only really responsible for my app and my data whereas the platform is responsible for all of these things and when we think about the different Technologies right this is a VM this could be something like a virtual machine scale set this could be Azure kubernetes services this could be app Services the ultimate would be serverless offerings like Azure functions and logic apps so there are different capabilities but we want to try and get as far that way as we can now to finish the picture we also have software as a service this is not Azure this will be something like Microsoft 365 or Dynamics 365 5 which is all managed by those teams I'm still responsible for things like identities but I'm not patching SharePoint I'm not patching exchange now sometimes now there have are extra functions where I could add on backups of some of those things but primarily I'm not really responsible there might be a bit of sharing for any of those layers it's all just provided for me and that that's really the key point point about it these different types of service and I want to be responsible for as little as possible it's not me being lazy for me what differentiates my business from other companies is probably not the OS or the hypervisor or the runtime it's the business value I can write in my application so that's why I want to really focus my time but it's super important to understand virtual machines although it's that leftmost service lots of things are built on top of it now when I think about my virtual machine realize there's different dimensions to my virtual machine so if I think about a certain VM it has a skew and a size now it has Dimensions so if I was to draw it as a 3D box one dimension could be CPU one dimension could be its amount of memory one dimension could be its storage characteristics one dimension could be Network capabilities another dimension could be as special gpus I know I'm messing up the dimensions but I can't draw in four or five Dimensions but imagine there different aspects and a common one might be the ratio so it might be the number of CPU caus to the amount of memory so I've got these different skews and sizes available why do I run a VM I run a VM because I have a certain workload that I want to run my workload has its own shape if it's a database typically wants a lot of memory a lot of storage throughput if it's a batch processing well it's going to use a lot of CPU so I want to understand what is the shape of the workload to map to the correct skew of the virtual machine cuz I don't want to waste resource I want to pick the right skew and size based on the type of work it's going to do and remember I picked the size as well I want multiple instances so we can do scaling I can add and remove them as the amount of work changes so I don't just pick one really big one I would rather have many small smaller ones so based on the skew I'll make them smaller so I can have lots of them so as the amount of work I have to do changes I can add them and I can remove them to keep matching that and Azure has that exact concept so if I go and look at sizes of virtual machines there were ones that are general purpose so if I look at general purpose I can see well hey there's different sizes but it's a 1:4 ratio of virtual CPU to memory has a certain amount of throughput certain amount of temporary storage and it has temporary storage because it's the D variant it has temporary disc and it tells me all the features it supports now it doesn't support premium storage because it's not the S variant the S variant adds the ability to use premium storage but we can see it has all of these capabilities it has different network bandwidth and Nick and cached disc burst capabilities normal non-burst I could look at the non D verion and the non D verion doesn't have temporary storage there's compute optimized compute optimized the ratio is 1:2 I could look at memory optimized memory optimized it's 1 to8 CPU to memory and also the storage and the network things change as well there are ones with gpus there are ones that are optimized for storage they have local nvme drives there are special versions of even the E Series these EB and these B series have better remote storage capabilities they have really higher remote storage there are things like the B series which are burstable so the burstable instead of it having hey always this amount of C CPU that you're paying for you only get a certain percentage of the base CPU but if I use less than that it's like a mobile phone plan I can Bank credits and then when I need it for a shorter period of time I can burst up and use those credits I've banked so I have the ability to exceed this CPU for a shorter amount of time so it's really useful if I have some burstable workload if maybe I want to um in a Dev environment hey look I want to try and minimize my bill as much as possible then I can leverage that type of capability now as this showed I have also that that storage capability for that virtual machine so if I think about I pick a certain VM skew realize that virtual machine is running on a certain host so I think about there's a physical host it has a certain amount of local storage I create my virtual machine and that virtual machine well it connects to remember manage discs typically for its op its OS for sure unless it's has the ability to use ephemeral now if I have ephemeral and that was one of those properties on the VM the OS can actually run off of this local dis in the host providing the VM has it's either used for temp purposes or caching purposes so if it's one of those those little D the variant there's a certain amount of this is carved out and it's attached as the temp drive for the machine well if I don't care about the state of the OS I'm Mass creating and deleting them all the time I can save the money on the manage disc and use a femoral like a virtual machine scale set and AKs node pool very commonly we'll use a femoral disc if it can cuz I don't want to bother paying for the managed disc and it'll be super low latency very high performance I may also remember connect to other diss for data purposes and maybe I can figure different caching options on those this is obviously completely optional but I can leverage that and then I can add various extensions onto this virtual machine for other things that temp Drive is D normally on Windows and/ Dev sdb on Linux again only if it's that little uh D variant from that again I talked about different extensions and there's a lot of extensions available when I think of these capabilities so yes I can run a command I can integrate with Azure backup so as your backup has a recovery let's just see this quickly so if we look to the virtual machine we see there extensions so I've got a whole bunch of them actually installed but I can run different types of extension which adds capabilities to this so custom script extension that's really useful to run a script on that particular workload I can always run individual commands very easily as well with the Run command there's things like auto shutdown to help me we save money cuz I only pay for the per seconds it's running but notice I can hook into backup I can hook into Disaster Recovery as well as part of that I can have managed identities I pick the size I have inventory capabilities huge amounts of features but when I think of backup if I go to my backup center which is a a central place that I can use for all of my backup management now if I want to create a vault there are two types so I have I think it's more Legacy The Recovery Services Vault supports these types of workloads the new a backup Vault Azure discs blobs database for postgress postgress flexible and kubernetes services so that controls the type of service that can be supported in the various types of Vault but backup center makes it very easy to centrally manage centrally configure all of those different uh types of capabilities and remember when we create that virtual machine we're going to want to be able to talk to it but that's where we use things like Azure basan I don't just give it a public IP and talk directly it's a huge attack surface I want to think about giving it through a managed jumpbox environment so it's protected so that's where we use Azure Bastion Azure Bastion is going to enable us to have that very um safe capability so virtual machines are great um but it's a single thing it's an instance running on a host now that host we drew there is sitting in a specific rack so I think about that rack is a certain fault domain now with in a particular data center what you'll often hear about is well I could have multiple racks and you might say fult domain Z fault domain one and fult domain 2 and we can use this with something called availability sets what that does is I add things into the availability set it kind of round Robbins through the different racks so it gives me resiliency from a rack level disaster and never mix workloads in the same availability set if I had a different type of workload I would create a second availability set to make sure they are also equally round Robbin if I put everything into one bad luck I may end up with all of One service in one rack all of another service and another R so I would always separate them out but my preferred approach these days if it supports it is remember in the region ideally we have these availabil zones and remember the whole point of availability zones is they isolate the power the cooling and the networking and also the control plane it has different fabric controllers so now if I use these instead and I separate my resource es over these so I've got kind of a VM here a VM in a different availability set a VM in a different one here that now the entire data center or a power substation could fail well the others are still okay so it's a much bigger blast radius I'm protected from compared to just running in different racks so I'll always use availability zones over availability sets if I can obviously if it doesn't support availab ility zones which some regions don't use availability sets whever possible this is the better option um to give me the the best possible protection okay so a virtual machine is a virtual machine it's one thing but I drew this idea of more things to give us um the ability to scale in scale out how do we do that without me manually creating and deleting virtual machines so what we leverage here is a virtual machine scale set now there's actually two types there's uniform which was our traditional type but now we also have this concept of flex but it both boils down to the idea of we're going to have this idea of a scaling profile and the SC accounting profile says a VM template to use the skew the the type the image the configuration I can set a minimum count a maximum count and then I can set scale actions so for example a good thing could be hey if CPU is greater than 70% add two instances if CPU is less than 30% remove an instance so what this is doing fundamentally is if I think about time and then if I think about the load the work I have to do changes it's got some seasonality well as those instances get buso and less busy well when it's quiet maybe there's just a couple of instances is running but then as it gets busier it has to add additional instances then when it gets quieter it can delete them so it can constantly add and remove now although I Dre it going up and down we always think about it horizontal so this is horizontal autoscaling it's adding and removing them as the amount of work applies that I hate drawing it that way it's just it matches the curve better vertical is normally would make it bigger or smaller we make the skew bigger and then make it smaller again but that's pretty impractical most of the time because to resize a skew we'd have to stop the workload change the size and then start it again so there' be downtime Associated so typically what we want to do got delete that cuz I hate it I do it to show it's aligning with how busy it is what really we'll be doing is adding so thens there at the quiet time it's only that many so we we are horizontally adding and removing Auto scaling based on those so with uniform we always have this with flexible what flexible does is I can optionally have a scaling profile I don't have to but I can also just add in regular virtual machines as part of a management profile I could mix different SKS I could use spot instances spot is the spare capacity Azure has the it lets you use at cheaper prices and so that again could think about hey I'm trying to optimize my spend for maybe some Dev workload or batch workload something that can be interrupted and then resumed again spot is really nice for that well I can mix them in VMS flex and still have that idea of that profile moving up the stack um we think about containers and if you think about a virtual machine is virtualizing the hardware containers is about virtualizing the operating system now what we typically will have in the container world is we have a container registry and a container registry is the images we're going to create our containers from now typically we'll have some kind of B image and then what we do is we write a Docker file so a Docker file explains what we want our particular image to look like we'll base it off of an existing image and then we'll say the things we want to do to change it add other layers add software run commands and then now we create our own custom image so now this is our application image and then we want to run the thing so to run the thing we have a container host so now we have a certain container host and the whole point of what this is doing is there's a kernel mode and a user mode and what containers are they're very thin a VM is a complete OS it's got its own OS image it's got all the processes it's a lot of overhead with a container host the kernel is shared and then what it does is at the user mode it uses different functions of the OS to create these sandboxes of where it actually runs a particular container image so this would execute in this sandbox so it's isolated at the user mode it couldn't see the processes it can't see the network of the other containers but they are sharing a particular con kernel instance so that would be me if I'm just manually running containers from an Azure perspective the most basic service we have is an Azure container instance so in Azure it has its own Azure container registry I can create an Azure container instance and hey this is where I can go and run my image and I pay for the time it's running I can group them into common groups they have some shared concept of networking Etc but typically that's where I've got some fairly individual use case I just need to run it uh basic maybe I'm bursting out for some level but very commonly I've got a bigger set of requirements I need richer orchestration I need more powerful scaling capabilities networking storage so how do I manage lots of containers and make it resilient so the solution is kubernetes so kubernetes is kind of the de facto orchestrator for containers oh that was wrong and the Azure solution is azure kubernetes service now what this splits into two so there is a management component layer the control plane this runs things like the API server that a component runs on each node Port that talks to this the Cub there's an etcd database for this the store there's a scheduler that says hey we need to create some pods that host the containers there are various um controllers in AKs this is all done for you you don't see this stuff what you have is node pools so you're going to create n number of node pools that as you would guess are running nodes so n number nodes again you have that cubeit this is all done for you that is communicating to the API server to find out what it's supposed to do it then creates pods which is a container to run your sorry it's a container it's the object that you runs the container instance inside of I can have the concept of persistent volume claims that can map to durable storage so I might hey I need some durable storage so that connects to persistent volume this could be Azure files it could be Azure net app files it could be an Azure dis um elastic sand Azure container storage so there's some specialist Services coming out for that but the whole point is um I have now these not these are actually built on virtual machine scale sets and these run in my subscription I can see them they're running those instances of the pods there's different networking models for this obviously it needs communication the most basic one is cubet it has a separate IP space the Pod C but it has to knat everything there's lots of weird things I have to do with rules to make that function so it's becoming a lot less popular then we have Azure cni so Azure cni the pods use the same IP space as the nodes but that can get problematic from an IP space perspective so then they added this Dynamic capability to Azure cni where the pods now use a different subnet from the nodes and it will grab them in Bates I think it's of 16 or something but it doesn't have to to pre-allocate all of them up front but now the preferred one is overlay so overlay uses a separate side range for the pods but it doesn't have the the issues you had in the past of cubet it uses its own native Plumbing for the communication and this is where people are trying to move to from that networking perspective of that realize scaling is still critical so there's two dimensions of scaling here the pods well the pods have to scale so from a pod perspective we have things like the horizontal pod autoscala so that's adding and removing pod instances as the work on the Pod changes or newer than that we have Kea the kues event driven autoscala it's more powerful it has more functions it can run on to decide to do the scaling and if you think at a certain point well there's too many pods we need more nodes at the node level then we have the cluster Auto scalar that if the scheduler says hey look I've got pods I need to add and I can't because there's no capacity on nodes it can come along and add new cluster nodes so they're scaling up both of those levels to facilitate that um one of the nice things you can do imagine it's shortterm burst I need more capacity well you can actually burst to Azure container instances there's a virtual cubet that represents ACI that would let me go and create my containers using Azure container instances so those things uh can interact as well uh and then if we go into more of the PAAD space I'm going to go into less detail on this CU there's there's so many of these um but maybe app service is the most basic one we'll ever see this is one of the first Services existed so with app service you create an app service plan and then in that app service plan I can run a certain number of apps app one app two and the key point is these basically are sharing the worker nodes that I create within my app service plan I can have deployment slots so I can have a staging and production but again they're using the same sets of capacity um Within These I'm going to create this all of these kind of live within a region I piig is it windows or Linux I pick the runtime stack I want to use there's the idea of an app service environment which deploys direct into your v-net that has no shared components at all if we actually go and look so if I quickly look for app service this is my app service plans so an app service plan if I create one I pick the OS I pick the pricing plan and again the pricing plan is going to dictate well there's different Hardware but then it dictates what features so can I have a custom domain and know it says free and basic there's shared um for some of these depending on what I'm looking at is it Zone redundant does it integrate with the virtual Network so I get different capabilities depending on what I'm doing like standard plans there's different types of scaling so rules is the traditional one where I conf figure how it's going to scale but what elastic does is this actually just just looks at what is the HTTP load and it decides how to add nodes it can have a pre-warmed instance so this is the automatic scaling I don't have to manually Define the rules it's just going to do this for me for some of them I can have things like custom domains I can publish data to this in a number of different ways I could use a devops pipeline with have get actions I could point it to URL I could upload it with fdp I could upload a zip or W file there's a huge number of different ways I can do this but hey I need to go and get my code into there to make all of this available to me and I know this video was super long um I want to kind of finish off now the next thing we have is monitoring um monitoring is so important because we have to have observability we have to know what's going going on to be able to make sure we are healthy in the different things we're doing and there's different layers of what we need to look at so if I think of monitoring think of the subscription level so that first level is our subscription changes we make at the subscription at the control role playe well they're going to show up in something called the activity log and that activity log is available it's free I can see the things in there if I could look at an individual resource or Resource Group it will show me just the logs for that particular resource but that's how I can see control planed things that are happening then we have the resources well the resource has metrics time based signals and these just get written to Azure monitor metrics and again they're free I can go and see these about my particular workload but then there's also logs logs do not exist by default if I want the logs what I have to do is configure something called diagnostic settings and then I pick which logs and I could take the B as well I want and where do I want to send them to now I could send them to Azure storage this would be an attractive option if I just want to keep it as quickly as sorry as cheaply as possible so this is really cheap but it's not particularly useful to interact with I could send it to an event hub this is a published subscribe mechanism and this would be useful if I had some external Sim that is going to go and subscribe and take the events or or and or I can do any combination of these I might send it to a log analytics workspace so this is really powerful for the storage but it has really powerful analytics capabilities as well so on this this I can do great analytics using kql so I can get great insight into the data now there's other things there's like guest metrics it was a VM there's guest capabilities there's the Azure monitor agent so once again I can get then metrics from within the guest OS I can get logs from within the guest OS there are data collection rules I've got a whole set of videos about this but if I was to just quickly look at a resource and a virtual machine it shows me basic monitors so it's telling me how you want to enable some alert rules I can see availability and CPU and dis bites I could go and look directly at my metrics so I could pick oh is it the host is it the guest what metric do I care about if it was a B series I could see CPU credit information there are ones that can split so notice this is an aggregation average use but I could apply splitting and then I would see it based on the particular lung that I'm using so it would show me if it's splitable or not but great levels of insight into that but if I want to get additional data I have to turn on diagnostic settings now because it's VM I can go and grab different performance counters and logs and lots more things but if I was to just pick something let's say o Cosmos DB and I go to its diagnostic settings here I add my diagnostic settings what do I want to capture so different category groups different categories metrics as well and then where do I want to send it to and I can create combinations of these so I can get that data and send it to different places so I have control of how much and I could also send things like the um activity log I could send that to a central location as well but it's critical you have observability there's layers I can go beyond this so like app insights will then go and look at the application running in the workload and then do synthetic transactions to test is the application all up functioning correctly as well so there's lots of different things I can do with this but I can capture I I can run analytics I can observe across all of these things but maybe I don't want to just observe maybe I want it to bring awareness to me so one of the things I can also configure is alerting so I can create alerts now alerts can be based off of the activity log alerts can be based off of these monitor metrics they could be based off of queries I run against my log analytics workspace they could hook into' got Azure Sentinel then that's running its own workspace there's many different places I can use these but I can create alerts and it recommends alerts to have or I can have my own based on the metrics based on do I find a result if I run this kql if I find an activity log that exists there are basic ones there are machine learning ones that looks at what's a common value and then if I'm outside of a certain threshold low medium high sensitivity then generate the alert and then once I have the alert well there's actually two things I can do here ideally I create something called alert processing rules so alert processing rules look to say hey look an alert has been generated yes it's showing up in a dashboard but now I want to do something now what I want to do is either I could go ahead and call an action group now an action group could be SMS it could be um email it could be call a function it could be called a web hook there's a a ton of different things I can do here but I could call an action group group or maybe what I actually want to do is suppress maybe it's Christmas maybe it's the weekend maybe if it's a lower priority and it's out of hours I don't page people maybe only if it's a certain critical so these alert processing walls let me both call Action groups and also I could suppress the alert being raised now I can also directly call an action group from an alert it's just neater to do it via the alert processing rule because then rather than having every alert I might have hundreds of these configured I have to manually say which action group instead I can just raise the alert and now create an alert processing rule that says hey any alert Rays that's of this type or for this group of objects call this Action Group call this Action Group it it's a need to way to organize them and if we go and look if we look at my monitor look at my alerts so we create the alert rules so there's many different ones I've got some based off app insights some based off of my subscription in the service Health if something unhealthy the activity log um some based off metrics we can Define the action groups which are things we want to do and there's huge numbers of options here so sure I could if we look at edit this we can email SMS call an arm roll we can also call a run book a function hook into an itsm to raise a service ticket a logic app a secure web hook all of these different combinations of things and then I can create an alert processing rule that can either say hey based on a particular scope I Define do I want to apply an action group or do I want to suppress I can set schedules around them so it's a way to BAS based on those things hey actually go and perform some action so I'm separating those things from each other uh a final thing just to understand super quick when I think of a log analytics workspace there's actually different types of workspace we have available now so there's the common workspace we think about which are the Analytics logs now this gives me the full kql capabilities included as part of the cost what I pay for in all of these is the data ingestion and I pay for the storage once it's pass the included amount of time but this could get really expensive so the other type we now have is basic logs now now basic logs have a subset of the kql I have to pay when I run them and I have to pay for the storage and obviously I still pay for the ingestion but it's 8 days that's all I can store and then both of them can now write to Archive now archive can be up to 12 years years I pay for the amount of time I keep it so these can go if I want to store it longer than 8 days or longer than my retention here it will go and write it to Archive I just pay for the storage but I can't do anything against this data if I want to act on it I have to either Run a search job or a restore job and I have to pay for those they cost money then it will bring the data back into here so I can perform operations this subset of the kql I can't do cross table queries but one of the nice things is things like container insights now lets me pick a V2 schema that everything is in the same table so I can use basic logs for that so it's a way to control um my cost for these we can see if you look at the pricing that basic logs are cheaper but yeah it's only 8 days where it says 12 years that's because it's going to put it in archive past the 8 days but I have to pay for the queries whereas analytics it's 30 or 90 days 90 if I have Sentinel up to two years interactive but up to 12 years the archive I can do alerting based on it there's the archive fee but then I also have to pay for search jobs or restore jobs then I also have to pay for basic if I run a query against it so we can see these different types of fees apply depending on how I use that and if I was actually going to look so let's have a look analytics workspace and let's just pick uh one look at my tables when we look at a table so I don't know if I have a container V2 so the nice thing about the container V2 let me just scroll there we go if I've run these three dots I can manage the table so currently it's analytics but I could change it to basic notice it's got this interactive versus archive because it's set to 30 days remember basic is only eight days so if I change it to basic well it will now put 22 of it in archive because I set my total retention to 30 if I change that time to furba it's more of it will go to Archive if I change it to analytics well now 30 will be an interactive 60 would go to Archive so I I can control how I want to use um that actual storage and finally I guess why I'm in this screen the other big thing we're typically going to do from a networking is we're trying to troubleshoot we have something called Network Watcher and network Watcher gives us a lot lot of capabilities around the overall health of our Network so I'm looking at my insights for just some basic information but now if I actually dive over let's look at Network Watcher we have these different sets of capabilities so I conf few the topology is one of the things we have within here got this topology view but I can do things like IP uh flow verify so that says does a security Ro exist that would block this communication I can do next hop show me what the next hop would be VPN troubleshooting the heal of the Gateway connection statistics NSG Diagnostics it uses flow logs uh to map the various IP traffic I can capture packets for troubleshooting purposes there's a connection troubleshoot which uses an extension into the resource to actually try and do a synthetic packet to see if it would work for it or not so it's just really useful ways to troubleshoot the all up environment and that's it so that's everything I wanted to cover now obviously we covered a ridiculous amount of stuff in what is a very long video again as I've mentioned my recommendation would be make sure you go through the learn modules and you've got as much Hands-On as possible when you take the exam don't panic if there's something you don't know try and eliminate the obvious things and then just make an intelligent guess Microsoft don't create functionalities to confuse you they're going to try and make it as logical as possible so think logical but make sure you've actually done these things it might have a series of steps put them in an order you need to do but just think what makes the most sense how would I want to do this and don't panic if you don't pass the first time look at the score report see where you're weakest and go and redouble your efforts there and you'll get it the next time so I hope that was useful uh good luck