AZ-104        4

Azure auth        4

Azure Admin Services        4

AAD - User        4

Intune - Device Management Service        4

AIP - Azure information protection - Data Creation        4

CAS - Cloud App Security        4

ATP - Advanced Threat Protection        5

EMS - Enterprise Mobility Security        5

ASR - Azure recovery site        5

AAD Connect        5

Exchange Online and O365        6

Governance and Compliance        6

Managing subscriptions        6

Management group        6

Azure Policy        6

Tags        7

Identity        7

Azure Active Directory        7

Managing Tenants        9

Creating and managing Users, Groups and Roles        9

Admin Tasks        11

Administrative units        11

SSPR - Self Service Password Reset        12

Azure AD Device Management        13

Hybrid Identity/Azure AD Connect        14

Callouts        16

Storage        16

Azure Storage Account        16

Sub-Service        16

Components of storage account        16

Redundancy        17

Callouts        18

Azure Blob Storage        18

Types        18

Access Control        18

Blob Object Replication        18

Blob Lifecycle Management        19

Azure Files        20

Azure File Sync        22

Storage Network Access        22

Securing Storage Accounts        23

SA Encryption        23

SA Authentication        23

Securing SA        23

Azure Jobs        23

Storage Utilities        25

Networking        25

Basic Understanding        25

TODO        25

Terminologies        25

Common Questions        26

Architect Components        26

Flow        27

Delivery        27

DNS        27

Azure Traffic Manager        29

Azure Front Door        29

Content Delivery Network        30

Security        31

Network Security Group - NSG        31

Application Security Group - ASG        31

Load Balancer        32

Application Gateway        32

Firewall        33

Connectivity        35

Routing        35

Service Endpoint        36

Private Endpoint        37

VNet peering        37

VPN & VPN Gateway        38

Types        39

2 types of Gateways        40

Architecture        42

Steps        43

Express Route        44

Virtual WAN        45

Hub And Spoke        46

VNet Strategy        46

VNet/Subnet Strategy        46

Security Strategy        47

Performance Strategy        48

CALLOUTS        48

Compute        49

VM        49

VM Availability and Scale Sets/Availability set        50

VMSS        51

Managing VM Updates        51

Azure Bastion        52

Load Balanacer        53

Application gateway        55

App Service Plan        56

Web App        56

ACI        57

Messaging        57

Event Grid        57

Notification Hub        59

Event Hub        59

Service Bus        60

Azure Relay        61

Monitoring        62

Azure Monitor        62

Setting up Alerts and Action Group        64

Configuring Azure Monitor Logs        65

Log Analytics        65

Monitor Insights        65

Application Insights        66

Network Watcher        67

Backup        67

Backup Concepts        67

Disaster recovery        67

Recovery Point Objective VS Recovery Time Objectives        68

Disaster recovery method        68

Azure Backup        68

Azure Site Recovery        71

Backup Reports        72


Azure auth

Access mode

  1.  Azure portal
  2.  Azure CLI
  3.  Powershell


  1.  Access mode —> Azure resource manager —> Azure resource providers —> Azure resources

Azure Admin Services

AAD - User

What: cloud or hybrid identity  

Intune - Device Management Service

What: security and compliance has to be check on user’s device in order to be access to enterprise resources

How: Define security and compliance policy and configuration policy of the user device  

AIP - Azure information protection - Data Creation

What: brings lot of services(O365, Apps, file service, directory sync, share point) into one place  

Why: add protection of data of above services  

How: create AIP, create policy(apply to user or groups), provide labels  

CAS - Cloud App Security

What: User can use different platform/software which are not approved by your enterprise


ATP - Advanced Threat Protection



Other Usage 

EMS - Enterprise Mobility Security

What: all the above services comes user one suite

How: plan based: E5, E3  

ASR - Azure recovery site

Backup: Azure VM, SQL server

What: recover VM from primary location to secondary location - one Az to another AZ/Region

How: VM has data stored in SA, ASR caches data in SA, replicate data to target location, create VM based on Data

AAD Connect




Exchange Online and O365

Governance and Compliance 

Managing subscriptions

Azure AD Tenant

Management group

What: Manage multiple subscriptions and management group


Azure Policy

What: enforce compliance and enable auditing


  1. Prohibit resources
  1. Control costs
  2. restrict service access(ex: only certain VM SKU can be created, restrict creation of certain resources)
  1.  Allowed locations


  1. policy definition: which defines the great area for compliance and defines the actions that take place
  2. policy assignment: This is the scope to which we will assign our policy. The scope could be a management group, subscription, resource group, or resource.
  3. Initiative definition: which is a collection of policies that are tailored to achieving a singular high-level goal together, for example, ensuring that VMs meet standards



What: to identify what resource belongs to whom


  1.  Can delete resources/RG based on the tags  
  2.  Shutting down resources baes in tags
  3.  Cost analysis

Callouts on Cloud Governance

  1.  Defining rules, policies, and compliance standards for the organization
  2.  Control over resources, enforce rules, policies, and standards  


  1.  Management groups and subscription: organize into hierarchy  
  2.  Azure RBAC: Provide access to resources at varying scopes
  3.  Policies and blueprint: to enforce standards for cloud environments
  4.  Locks and tagging: lock resources to prevent deletion  


Azure Active Directory





Managing Tenants

Designing tenants

  1.  Build a secure foundation
  1. set up best practices like MFA, SSPR, backup global admin, and privileged users for specific tasks
  1.  Populate identity resources
  1. add users, create groups, add devices, and setup hybrid identity
  1.  Manage apps
  1. identify apps to be used from AD Gallery, and register apps from on premise
  1.  Monitor and automate
  1. Monitor administrators, perform access reviews and automate user lifecycles


Creating and managing Users, Groups and Roles


What: Create users in org tenants

Types of user

  1.  Admin users: user with admin role assigned  
  2.  Member of AD: regular users that are native to AAD
  3.  Guest user: external users that are invited to the AAD tenant  


What: container for users


  1.  Owner and member of group

Types of group

  1.  Security: provision access to Azure resources
  2.  Microsoft 365: provides permission to Microsoft 365 suite

Membership type

  1. Assigned: Users are specifically selected to be members of group
  2. Dynamic user: membership rules are created, that automate group membership via user attributes
  1. Ex: add users into the group based on their properties. Write query
  2. If user type is guest then add into the guest group
  1. Dynamic device: membership rules are created that automate group membership via device attributes


Azure Roles - RBAC

Roles: a definition that defines what actions are allowed or denied for that specific role

Who: security principal (group or user)

What: roles are what users are able to do

Scope: where users are able to perform those actions(MG, Subscription, RG, resources)  

Security principal  —> Role assignment —> Roles

Security principal  —> Effective Permission —> scope


You have a user(security principal)

Provide user a Azure/RBAC role (Contributor)

At specific scope (MG, Subscription, RG, resources)

Type of role

  1.  Owner: Full access to resources and delegates access
  2.  Reader: can only view resources
  3.  Contributor: Can create and manage resource
  4.  User access administrator: ability to delegate access to resources to other users

Azure AD Roles

What: rather than assigning roles to cloud resources, such as virtual machine or subscriptions or resource groups, we are providing access to the identities resources like the user and groups inside of our azure AD tenant


Role Example:

  1. Global administrator: Provides the user assigned to this role, the ability to manage all the azure AD resources and provide access to other users for Azure AD roles
  2. Billing administrator: provides the user the ability to perform billing tasks
  3. User administrator: provides the ability for user to manage other users that are inside of our Azure AD tenant and groups level
  4. Helpdesk administrator: provides the ability to reset passwords for other users, and perform similar helpdesk tasks

Azure AD Roles

Azure Roles - RBAC

Controls access to Azure AD identity resources inside Azure AD Tenant(Users and Groups)

Controls access to Azure resources (MG, Subscription, RG, resources)

Manage access to Azure AD resources

Manage access to Azure resources

Scope is at tenant level

Scope can be at multiple levels

Supports custom roles

Supports custom roles  

Main roles (Global, User, Billing administrator)

Main roles(owner, contributor, reader, and user access administrator

Admin Tasks
  1. Create/Delete AAD users, groups, roles
  1. User: revoke/block access, reset password
  2. Groups: add members to the group
  1. Create/Delete bulk AAD users, groups, roles using CSV files
  1. User: revoke/block access, reset password
  2. Groups:
  1. You can’t create bulk groups
  2. You can add bulk users into the group

Administrative units



Business Usecase 


  1. In AAD → Admin Units, add a new AU
  2. Assign role: User Admin (Why: Scope role to this AU )
  1. Add assignment: select user (user you want to be admin)
  1. Create
  2. Nutshell, you have set admin user who can perform actions on users to specific country

SSPR - Self Service Password Reset




Localization →  Verification → Authentication →  Password Reset → Notification

Auth Method

  1. Mobile app
  2. Mobile app code
  3. Email
  4. Mobile phone // less recommended
  5. Office phone // less recommended
  6. Security questions

SSPR Consideration

  1. Enable and manage SSPR via Azure AD groups.
  2. Required Methods: One or more, available authentication methods is required for SSPR.
  3. SSPR for Admins: security questions not available for admins By default, admins must register for MFA methods
  4. Required Licenses: Azure AD P1 or P2, Microsoft Apps for Business, or Microsoft 365 licensing is required for SSPR.


Task: Enable SSPR on AAD Tenant level

  1. In AAD → Password rest
  1. Self service password reset enables: select one of the following
  1. None
  2. Selected: select AAD groups
  3. All
  1. Auth method
  1. Number of methods
  2. Choose method
  1. Registration
  2. Notification

Azure AD Device Management

What: register all the user devices(laptop, phone - from which user access Azure) in AAD so that we have some sort of control in terms of what resources, assets and data these devices are accessing

How to register device

  1. Azure AD Register: bring your own device(BYOD) model
  1. Least restrictive option: allowing for bring your own device (BYOD) with a personal Microsoft or local account.
  2. How: SSO
  3. Supports Windows 10, iOS, iPad, Android, and macOS.
  1. Azure AD joined
  1. Device is owned by the organization and accesses Azure AD through a work account.
  2. These identities exist only in the cloud.
  3. How: Intune
  4. Supports Windows 10 and Server 2019.
  1. Hybrid Azure AD Joined
  1. Similar to Azure AD joined; however, these device identities exist both on-premises and in the cloud.
  2. Supports Windows 7, 8.1, 10, and Server 2008


Task: register your laptop/VM with Azure AD

  1. AAD → Devices → All Devices
  2. Device settings
  1. User may join devices to AAD(for windows user)
  1. All
  2. Select: group
  3. None
  1.  User may register their devices to AAD(for windows user) (BYOD - model)
  1. All
  2. None
  1. Require MFA
  1. Set: yes
  1. Manage additional local admin on all Azure AD joined devices
  1. Add assignments
  1. Add user  
  1. Click save

Hybrid Identity/Azure AD Connect  

What: Azure Active Directory (AD) Connect is the underlying Microsoft tool used to deploy, configure, manage, and monitor hybrid identity between on-premises AD and Azure AD.


  1. Provides the ability to configure and deploy the following hybrid identity solutions:
  1. Password hash synchronization (PHS)
  2. Pass-through authentication (PTA)
  3. Federation integration including AD Federation Services


  1. Synchronization of users, groups, and other objects between on-premises AD and Azure AD
  2. Health monitoring, providing monitoring data which is visible within the Azure Portal

Important information about the synchronization service:

  1. Staging mode allows for Disaster recovery of Azure AD Connect:
  1. Azure AD Connect is installed to a separate server ideally in a different location to the first.
  2. During the configuration of Azure AD Connect, staging mode is enabled.
  3. Staging mode must be disabled for synchronization and hybrid identity functionality to be enabled.
  1. The following is a summary of some key management operations:
  1. To check the status of the synchronization service with PowerShell: Get -ADSyncScheduler.
  2. The Synchronization Service Manager GUI tool supports configuration and monitoring of synchronization operations.
  3. Sync operations can be triggered with PowerShell: Start -ADSyncSyncCycle.
  1. Note that by default, sync operations will operate every 30 minutes


  1.  When you signing into Azure you’ll get the default global AAD with your selected domain.
  1.  There you can have your users and subscription
  1. You can create multiple AAD tenants from the default AAD.
  1.  Forex: create a tenant for AI or Big Data organization  
  2. There you can have your users and subscription for those tenants
  1.  Inside the org tenant, you can create, users, and groups  


Azure Storage Account


  1. Azure Queue: message-based storage for microservices
  2. Azure table: non-relational, semi-structured data storage service
  3. Azure Files: cloud-based file sharing service
  4. Azure Blob: store MP3, images, and VHD file


Components of storage account
  1. Account Type: determines feature and cost
  2. Performance Tier:  determines performance level
  3. Replication: determines infrastructure redundancy
  4. Access Tier: determines access level and data cost  
  1. Local Redundant Storage - LRS
  1. Store data inside of one availability zone within a single region
  1. Zone Redundant Storage - ZRS
  1. Store data inside of multiple availability zones within a single region
  2. Why: if one zone is down, then we have copy of our data in another AZ
  1. Geo Redundant Storage - GRS
  1. Store data in multiple regions
  2. How: store data in a single AZ in each region
  1. Geo Zonal Redundant Storage - GZRS
  1. Store data in multiple regions
  2. How: store data in multiple AZ in the home region, and store data in one AZ within the secondary region
  1. Read Access - Geo Zonal Redundant Storage: RA-GZRS
  1. Store data in multiple regions
  2. How: same as GZRS, except data stored in the secondary region, has read access



Azure Blob Storage



Access Control

Container Access Levels

What: 3 concepts, access container and access blob inside that container, access both

  1. Private: No anonymous access to container
  2. Blob: anonymous read access to blob within a container(can’t access container though, because access is only allowed to blob and not the container)
  3. Container: anonymous read access to container and blobs it contains

Practical Usage Example 

  1. Create SA
  2. Create Blob Container and upload files as blobs
  3. Review Access Level
Blob Object Replication

What: Object replication synchronously copies block blobs between storage accounts



  1. Minimized latency: for read request  
  2. Increased efficiency: processing block blog in different region  
  3. Data distribution: processing and analyzing data in one location that replicates to another region
  4. Cost optimization: moving replicated data into archive tier can reduce cost  


  1. Create 2 SA, each in different region(1 src and 1 destination)
  2. Under “data protection” field,
  1. enable versioning for blobs
  2. Enable change feed
  1. Repeat the same step for destination SA, except do not enable change feed for this SA
  2. Create containers on both SA
  3. On SRC container, data management → object replication = create replication rules
  1. Select DEST SA  
  2. Select SRC container
  3. Select DEST container
  4. Add prefix: prefix/   // this is a folder where you store data to be copied from src to dest.
  1. So in the src container you will have 2 replicas of your objects. One at the root level and second under the prefix folder
  2. And objects under the prefix folder gets copied in =to dest container  
  1.  Copy over → everything
  1. Upload files in the SRC container
  1. Upload at the root level
  2. Upload the same files but with prefix (prefix is the folder)
Blob Lifecycle Management


Task: configure lifecycle management on SA 


  1. Create SA
  2. Create container and upload files
  1. Upload regular files
  2. Upload files with prefix (folder)
  1. Under data management → lifecycle management
  1. Add a rule
  1. Name: move-to-cool
  2. Rule scope:
  1. Apply rule to all blobs in SA
  2. Limit blobs with filter // select this
  1. Blob type: block and append
  2. Blob subtype: base block
  1. Set condition
  1. If blob last modified 30 days ago
  2. Then move blob to cool
  1. Set filters
  1. Enter container/prefix/ // so anything inside this folder will go to move from hot to cool tier

Azure Files

What: sub-service of SA

Why: to replicate/mount files(which is on File Share) to local machine/VM with proper file structure/system. So that you can have file share in Azure which copies files from your local VM

Practical Scenarios

  1. Life and shift application
  1. Ex: if you have an application running on web server and app has a drive that stores the data or logs
  2. You can create SA, File Share. Now you can mount this File Share to your local machine drive,
  3. So from that point all the file that your application saves to a local drive, will be saved to azure File Share through SMB
  1. Replace/Extend on-prem server as cache with Azure file sync
  1. Ex: you have file server on-prem, you expose them using SMB, FTP, NFS.
  2. Create SA, File Share 
  3. Install Azure file sync agent on your on-prem file server
  1. This agent is responsible for syncing the server’s local folders with Azure SA
  2. Use Storage Sync Service - Sync Group to create the above sync
  3. In Sync Group you’ll point to that file sync agent and tell him synchronize those folders with this specific share
  4. This way your local file server act as a cache and Azure File share performs actual syncing

  1. Persistent storage for Kubernetes  


  1. SMB/NFS Connectivity
  2. Supports windows/linux/mac
  3. Extended by azure file sync  

Connectivity Options

Task: Create Azure File Share and connect to it from local file system


  1. Create SA → File Share(Transaction Optimized type)
  1. Edit quota
  1. Upload file and folder in the File Share you created
  2. Connect to this File Share
  1. windows/linux/mac OS
  2. Auth method: SA Key/AD
  3. Show script
  1. Use this to moute this File Share to a client
  1. Paste it in your RDP session


  1. Create File Share to share files to local PC or VM
  2. So files you have inside your Azure File Share will be replicated to VM
Azure File Sync

What: extension of azure Files that allows you to extend the capabilities of on-prem file server



  1. Locally cache frequently accessed files
  2. Require windows 2012 R2 or later
  4. Require File Sync Agent


  1. Create SA, File Share
  2. Create VM
  1. Public inbound port: RDS, HTTP, HTTPS
  2. Attach new disk: where we map our file share for the file sync
  1. Create Azure File Sync
  2. Navigate to VM
  1. Connect with RDP
  2. Download RDP file


Your company needs to ensure that backups are in place for all Azure file shares. Because employees are often modifying files within the file share, file versioning is also important. To test functionality, you are tasked with taking a snapshot of a file share and restoring it to your Windows machine.

  1. Create SA, FS
  2. Connect FS to VM(RDP)
  3. Take a snapshot and recover data

Storage Network Access

What: to access storage account

Access options

  1. Public endpoint: All services are public by default using the service's public endpoint URL.
  1. Each storage sub services(table, queue, files, blob) has its own URL, through which user can access it over the internet
  2. You can protect/secure public access via adding a SA firewall so that only specific IP address spaces, VNets can access the service
  1. Restrict access: Storage account access can be restricted to virtual networks, IP address ranges via the storage account's firewall, and via specific resource instances.
  2. Private endpoint: Allow private IP access for resources in an associated virtual network.

Securing Storage Accounts

SA Encryption
  1. Storage Service Encryption: By default, all data stored (data at rest) in any Azure Storage service is secured using Storage Service Encryption (SSE).
  2. All data in transit can be secured using transport-level security (HTTPS).: This means request to our data happens at HTTPS, rather than HTTP
  3. Enable Infrastructure encryption as an added layer of encryption on the actual Infrastructure inside of data center
SA Authentication

2 layer of providing access/auth to SA services

  1. Management: this layer is at SA
  2. Data: this layer is at SA services

Ways to access SA

  1. Access keys: Azure-generated keys that provide unlimited access to both the management and data layer of an Azure Storage solution.
  2. Shared Access Signature (SAS): An access signature, generated from access keys, that provides limited access at either the account level or the service level.
  3. Azure AD Authentication: Uses Azure role-based access control (RBAC) and Azure Active Directory (AD) identities to provide authentication (instead of access keys).
  1. This service is for Queues and Blobs
Securing SA

Use Azure Defender for SA

Azure Jobs

What: Move large amounts of data between on-premises and Azure Storage(Blob & Files).

Supported drive types:

  1. SATA
  2. HDD
  3. SSD

Azure Import Job

What: Send large amounts of data to the Azure cloud when network bandwidth won't support data migration.

Task: import data from on prem to Azure

  1. Prepare disks (WAlmportExport): prepare disk and put the data on that disk
  2. Create job: provide carrier info and journal file
  3. Ship drives: ship drives to Azure
  4. Check job status: to see if we successfully uploaded data to Azure blob/files
  5. Receive disks
  6. Check data in Azure Storage

Azure Export Job

What: Receive large amounts of data on-premises from the Azure cloud when network bandwidth won't support data migration.

  1. Create job
  2. Ship drives (WAImportExport)
  3. Check job status
  4. Receive and unlock disks



Task: import/Export data from on-prem into Azure

  1. Azure → Import/Export jobs
  2. Create // to create a job
  1. Basics
  1. Name
  1. Job details
  1. Upload journal file: Download the latest WAlmportExport tool to generate the .jrn file
  2. Destination azure region: this is your import destination where you want to dump on-prem data
  3. SA
  1. Shipping
  1.  Carrier name
  2. Carrier account number

Storage Utilities

What: ways to work with SA outside of Azure account

Why: is it work with SA Activities like create blobs, snapshot, upload data

Ways to works with SA

  1. Storage Explorer: A Graphical User Interface (GUI) tool for working with storage accounts. Supported for Windows, Linux, and MacOS.
  1. Download Storage Explorer client to use all the capabilities
  2. Storage Explorer in Azure portal has limited capabilities
  1. AzCopy: A command-line utility for working with storage accounts. Supported for Windows, Linux, and MacOS.
  1. Download AzCopy tool


Basic Understanding

  1.  Determine IP CIDR
  2.  Subnetting requirements
  3.  Connectivity needs
  1.  What type of connectivity is needed: internet, resources to resources, resources to service
  1. VNet
  1. DHCP server
  1. Subnet
  2. Network interface card - NIC: IP configuration  
  1. What: Decide/set whether you want public or private connectivity with your resource that is attached to NIC
  2. Ex: if you want your VM to be accessible via the public internet, then you use NIC and associate Public IP in NIC, NIC is attached to VM. that’s how you can connect to your VM through public internet
  1. Caveat: you will need to attach NSG with NIC to allow inbound traffic  
  1. Network security group - NSG
  2. Peering
  3. Network gateway
  1. AZ spanned
Common Questions

What happens when you create a resource in VNet

  1.  Network interface Card(NIC) gets created/installed with your resources  
  1. What: where you can see all the resources VNet details:
  1. which subnet it belongs to, what’s it IP address
  2. Assign static IP - You can also assign a specific IP address to the resources
  1. By default intra network traffic (private: subnet to subnet inside Vnet) and outbound traffic(communication to the internet) are allowed
  2. Private IP: By default, resources created in this VNet/Subnet get private IP, and they can communicate with resources with the same Vnet
  3. Public IP: resources to talk to the internet
  1. Basic SKU type: accessible by default and require NSG to restrict traffic, no Zonal supper
  2. Standard SKU: dynamically assigned IP, not accessible by default. Require NSG to allow traffic

Architect Components  

What happens when you have VNet

  1. VNet
  1. Security
  1. Bastion host
  2. DDoS protection standard
  3. Firewall
  1. Subnetting 
  1. 5 IPs are reserved
  2. x.x.x.0-3 and x.x.x.255(last octate)
  1. Private networking: Resources you put inside VNet(ex: VM) gets a private IP address.
  1. How: served out from DHCP server, which is built in to VNet
  1. Public networking: VNet supports public IP addressing(IPV4 IPV6) so that resources can have public connectivity
  1.  Say explicitly whether you want to assign a Public IP to your resource
  1. Peering: the connection between VNet to VNet
  1. Peering in the same region and global region
  1. Network gateway(device): Azure VNet uses Network gateway(device) in gateway subnets to make VPN connection
  2. Monitoring: view logs of VNet to see where resources are in VNet
  3. Security: through firewall
  1.  NSG at Subnet and NIC level
  2. Firewall
  1. Web application firewall with application gateway(layer 7 LB)
  2. Azure front door
  1. Managed firewall  
  1. Create Vnet with multiple subnets (depending upon your application component)
  1. Ex: Web server subnet, App server subnet, DB server, backup server
  1. Each subnet has its own NSG - security settings
  2. Create/Place resources in a subnet.
  1. Each resource you put into the subnet will get private IP within that subnet CIDR range
  2. How: resources are added to the subnet through NIC(installed in them)
  1. Resources can have multiple NICs to connect multiple subnets at the same time
  1. NIC also supports NSG - acting as a firewall(same as subnet NSG) - so you get 2 layers of NSG (1 at subnet and 1 as NIC)
  2. 2 NSG at both of these layers is not recommended because of complexity and troubleshooting reasons
  1. NSG: the starting point of security. Use advanced features along with NSG
  1. When you create VNet with a subnet, NSG has 3 default inbound traffic rules
  1. AllowVnetInBound: traffic between computers running on the same network or connected networks is allowed: Vnet peering and VPN traffic
  2. AllowAzureLoadBalancerInBound: This is traffic from the load balancer. For example, from health probe is allowed
  3. DenyAllInBound: all other traffic is denied
  1. rules are evaluated in order. From the lowest priority number to the highest. The first rule to match the traffic is the rule that wins
  2. create custom rules with high priority to override the default rule effectively. because the default rule can’t be removed but rather overridden
  3. rule example: Port80, 443, 3389, 22




  1. A web browser using a domain name wants to connect to a Web server
  1. Domain name has no clue on where this Web server is located, nor the path required to get there
  2. Task: find the domain name’s IP so that user can reach to it’s web server
  1. so the first step of connecting to the web server is to look up the domain name in the domain name system DNS
  1. The global domain name system DNS will return an IP address to the browser for that domain name
  1. from that point on the browser will use the IP address to connect to the server
  1. it will cache the address for a limited period of time so doesn’t have to look it up all the time
  1. Web brower → Domain name → DNS(will return IP of the server to web browser) → Web server

Azure DNS


What: Is a managed domain name hosting service inside Azure

Type of DNS zone

  1. Public:  accessible on your public internet
  2. Private: accessible on your private network 

Type of DNS Records

  1. A records: The IP address associated with the domain.
  1. This is the one that primarily translate a domain name into its IP address.
  2. Record set: you can assign same website map to different IPs. ex: Indian and US version of website
  3. Alias record: map Resource instead of IP. ex: Map domain name with dynamic Azure VM. so we don;t have to update IP regularly
  1. CNAME record: is used to indicate when one host or a subdomain is an alias for another
  2. MX record: The server that handles email


  1. Say you have domain name bought from AWS
  2. In Azure, create DNS zone
  1. Name:
  1. See the info on your name server(4 entries) and DNS zone with name server records and SOA record
  2. Take and add the name server(4 entries) to your AWS registrar for your domain
  3. Add record set to attach your domain to your Azure VM
  1. Name:
  2. Type: alias record
Azure Traffic Manager


  1. Avoid Region level failure
  1. If you have everything setup(LB, VMs) setup in one region, it can cause failure if the entire region is down
  1. ATM: Load balancing happens at global scale - global region
  1. Operates at DNS level
  2. Intelligent DNS server
  1. It’s not the true load balancer


  1. You have a solution running on multi-region with one domain name
  1. Have servers running in multi-region for the same website
  1. So users will be connected to servers close to them with the fastest response time
  2. This is done through reverse IP lookup. It knows you are requesting answers from Asia, US. so it will tell your browser to go to the solution that performs best for you


  1. Perform failover  
  1. If one region is down then another region will serve your traffic
Azure Front Door


  1. actual layer 7 load balancing between region
  1. Azure traffic manager is not load balancing solution at a global level, AFD is
  1. True load balancer:  provides a more robust load, balancing service at a global level
  2. AFD is a scalable and secure entry point for the fast delivery of your global applications.


  1. They provide performance benefits by having the service placed at edge locations closer to users.
  2. It provides global scale, layer 7 loads balancing similar to the application gateway. allowing you to distribute traffic to different regions intelligently based on the domain name and the path information
  1. Ex: /en traffic goes to certain region, /fr traffic goes to a certain region
  1. Also support caching just like CDN


  1. Provide WAF and DDoS protection

Practical Usage 

  1. Your solution is hosted in multiple regions. One acts as an active, the other is a standby
  2. If one fails, standby becomes active


Azure Traffic Manager

Azure Front Door

Avoid region failure

Avoid region failure

Requires your solution to run in multiple region at the same time

Requires your solution run in one region. If that region fails, it failover to another region

Operates at DNS level

Layer 7 LB

Content Delivery Network



  1. is a service that can reduce the number of files that your Web server needs to serve to any client and can also improve the performance perceived by your end user


  1. Akamai
  2. Verizon
  3. Microsoft CDN


  1. It has edge location servers all around the globe
  2. stores your static files on dozens of edge servers around the world
  3. when an end-user requests to file, the file is served from those servers and not the actual server
  4. The actual server will see drastically fewer requests overall

Azure Front Door

Content Delivery Network

Requires your solution run in one region. If that region fails, it failover to another region

It doesn’t require you to have solution deployed in multi-region

Layer 7 LB

Its a caching mechanism using edge servers


Network Security Group - NSG


  1. The starting point of security. Use advanced features along with NSG
  2. Controls traffic flowing through a VNet/Subnet, secure the routing pathways
  3. Create rules that’d define what is allowed/denied
  1. When you create VNet with a subnet, NSG has 3 default inbound traffic rules
  1. AllowVnetInBound: traffic between computers running on the same network or connected networks is allowed: Vnet peering and VPN traffic
  2. AllowAzureLoadBalancerInBound: This is traffic from the load balancer. For example, from health probe is allowed
  3. DenyAllInBound: all other traffic is denied
  1. Rules are evaluated in order. From the lowest priority number to the highest. The first rule to match the traffic is the rule that wins
  2. Create custom rules with high priority to override the default rule effectively. Because the default rule can’t be removed but rather overridden
  3. Rule example: Port80, 443, 3389, 22
  1. NSG is stateful, if you create an inbound rule for traffic, the outbound rule gets created automatically.

How: associate with a subnet or NIC


Application Security Group - ASG

What: Allows you to define certain ranges of IP addresses into certain categories in labels so you can group related resources together


Load Balancer

What: layer 4 LB(transport layer) - so it only understands IP, ports, and networking at the level. It doesn’t understand internet URL


Application Gateway

What: Layer 7 LB(application layer)


AG integrates with Azure monitor


What: create a firewall with routing rules.

Diagram: request comes to the firewall and then redirects to the respective server based on the routing rule you setup



Task: route traffic to VM using firewall  



  1.  Create VNet with default subnet
  2.  Create firewall subnet
  3.  Create firewall into its subnet: this will create firewall IP
  4.  Create a route table: to define route rules
  5.  Create a route: route all traffic to firewall IP
  1. Route name and address:, next hope type, hope add: firewall private IP
  1.  Associate route table with subnet
  2.  In firewall configure firewall rule
  1.  rules: NAT rules
  1. Configure it route traffic to VM
  2. Rule ex: allow RDP to firewall, which then translated to VM public IP // access RDP to VM via firewall



What: path for connectivity(for traffic)

  1. Traffic scenarios  
  1. Resources to Resources within same Vnet
  2. Resources to Resources with peer VNet
  3. Traffic with Internet
  4. Traffic with on-prem Network
  1.  Type of route
  1. System route: default route built in to VNet, can’t modify
  2. Custom route: override system route,  
  1. User defined route: firewall  
  2. Broader gateway protocol(BGP): hybrid and Vnet peering
  3. Flow of overriding: Custom > BGP > System


  1. You want to direct specific traffic to specific endpoints instead of default through route table


  1. Block outbound internet traffic
  1. Why: because by-default in NIC’s effective route for system routes allows public connectivity via outbound traffic to internet - so there’s a need to block outbound internet traffic via route table
  2. With system round you have outbound internet access via a route, but with custom route block ththe outbound traffic
  3. How: give outbound traffic, next hop to none // cancel out that route
  1. User define route - firewall example
  1. If we want to route outbound internet traffic through firewall only
  2. How: give outbound traffic, next hop to firewall
  1. BGP route for integrated network - peering, VPN
  1. In VNet peering or hybrid scenario(on-prem to vnet), set up route between these network, override system route we have in VNet

Example Demo

  1. Block outbound internet connection
  1. Create route table
  2. Inside routes, add route
  1. Name
  2. Address prefix: destine traffic:
  3. Next hop type: None - kill the traffic
  1. Inside subnet, associate this route to your subnet  


  1. Rule: Any traffic destines to range of IP address(can use any IP address) send them to followings
  1. VNet gateway
  2. VNet
  3. Internet
  4. Virtual appliances // firewall
  5. None: kill the traffic  
  1. Associate rule to your NSG/subnet       

Example - block internet access

Service Endpoint




  1. When you want to access service privately. Ex: Storage account File Share


  1. Inside your subnet, create a service endpoint(can also create service endpoint policy - for specific storage account) specifically for this subnet -
  2. See the service endpoint blade under subnet setting.
  3. So any connected devices connected to subnet has a route that allows private connectivity from subnet to storage through microsoft backbone


  1. Secure storage account access from internet traffic
  2. Secure database access from application traffic (web → app → database)

Private Endpoint

What: using Azure private link, you can connect your services as connected resources in your network with a private IP known as a private and point


  1. NIC inside your VNet, act as the private IP that is going to provide the connection for private connectivity over an IP to that service so that we can access that service inside of a virtual network via that private IP


Task: Create private endpoint for Azure file inside VNet

  1. In Azure, create private link
  1. Resource type:
  2. Resource: your storage account
  3. Target sub resource: azure file on your storage account


  1.  if you have a NSG enabled for the subnet above it, it will be disabled for private and points on this subnet only. other resources on the subnet will still have NSG enforcement
VNet peering


  1. Say you have multiple VNets and resources inside these VNets need to be able to communicate.
  2. By-default these VNets are isolated and thus can’t communicate

What: Connection bw VNet to VNent in Azure


  1. Under Vnet1, settings → peering
  2. Add peering
  1. Link name: VNet1toVNet2
  2. Peering link name: VNet2toVnet1
  3. VNet: VNet2
  1. Repeat step 1,2 in the VNe3 (conneting to VNet2)

Design: Hub and Spoke Topology

How: This has 1 VNet in the middle and all of the satellite VNet connect to it

VPN & VPN Gateway

What: Connection bw Azure VNet to On-prem network over public internet

Practical Example: connect your home device/entire office network to Azure network so that you can have access to Azure resources  

How in Practical:

  1. It creates the encrypted channel between single machine/network and another network
  2. Access resources protected behind the firewall
  3. You have to install special software on your home computer or use reconfigured work laptop to connect to your office files from home. This happens over a VPN.


  1. Create Gateway subnet required in VNet // small subnet that only contains the gateway device
  2. Add VNet Gateway device(in Azure, in Gateway Subnet) for VPN gateway // VNet gateway establish VPN gateway
  1. VNet gateway is the device that connects to the network on the Azure side and also performs the encryption and decryption of the traffic between it and the device connected to it on the other side
  1.  Public IP per VNet gateway // because it’s internet connection
  2.  IPSec tunnel for encryption

How 2:

Local Network Gateway is the device outside of Azure, at your office (or remote site), typically a router or firewall capable of making a VPN connection to Azure. This device must have a Public IP Address.

Virtual Network Gateway is the device inside Azure in your Virtual Network. This appliance has a Public IP Address.

A VPN Connection is established over the Internet between a Local Network Gateway and a Virtual Network Gateway. They use their Public IP Addresses to 'connect' each other and establish the VPN tunnel.

A Real Example:

You have a Cisco Integrated Services Router (ISR) at your branch office in Brisbane and a Virtual Network Gateway in your Virtual Network in the Australia East region in Azure. Users in the Brisbane branch office can connect to the resources in the Virtual Network using a VPN connection established between the Brisbane Office and the Virtual Network in Australia East.

  1. Point-to-site VPN(computer to Azure network)

  1. Site-to-Site VPN(IT office network to Azure network)

2 types of Gateways
  1. Static routing - policy based
  1. old style of VPN routing: fixed routing table
  2. you have a router table that has hard-to-find IP addresses that tell traffic where to go.
  3. so for a particular range of IP addresses, send traffic over this VPN connection to the other side
  1. Dynamic routing - route based
  1. BGP: It allows 2 gateway devices to exchange information with each other
  2. each device tells the other what network ranges it supports. So device A tells device B that it wants traffic from this range so that device B Will send it that traffic.
  3. no table contains a static list of addresses.

VPN Availability

  1. Redundant connection: if the connection between your office network, and Azure network fails, this will act as a single point of failure. So networks can’t talk to each other
  1. Azure gives two connections between the two devices. So if one connection fails, you could have it fall over to the other. few seconds of downtime at the time of failover happens
  1. Multiple Device support: if the gateway device itself failed in your office network
  1. you can have multiple VPN gateway device at your office network connecting to the same VNet gateway in Azure

  1. Active-Active configuration: 

  1. Dual redundancy Active-Active

  1.  Setup VPN gateway

  1. Create a gateway subnet in Azure
  2. Create HQ local network gateway in Azure
  1. Create with the configuration details of the connection we have with on-prem network
  1. Setup VNet gateway in gateway subnet
  1. This will allows to communicate
  1. Create a connection from VNet gateway to HQ local network gateway 

  1. Create gateway subnet in on-prem
  2. Create azure side local network gateway in on-prem
  3. HQ side VNet gateway
  4. Create connection from VNet gateway to Azure local network gateway


Both the steps must be performed for both network

  1.  Create VNet gateway on Azure
  1. Gteway Type: VPN
  2. VPN Type: route-based // dynamic incase your VM increases
  1.  Create gateway subnet
  1.  Create public IP address
  1. Create local network gateway
  1. Need public IP of VNet gateway created in the above step
  2. Create local network gateway
  1. IP address: provide VNG IP
  2. Address space: Azure VNet IP CIDR
  1.  Create connection bw local network gateway and VNet gateway
  1.  In the VNet gateway, create connection
  2.  setting —> Connection
  3. Add connection
  1. type: site to site  
  2. Shared key: key has to be the same on both side

Test: ping VM from VNet 1 to VNet 2 as a part of VPN

Express Route

What: make direct physical connectoon into Azure resources



Virtual WAN

What: allows single operational interface to be able to manage hub and spoke style network



  1. Basic
  1. Transitive connection not allowed
  2. S2S VPN connection only
  1. Standard 
  1. Transitive connection allowed
  2. S2S,P2S, ExpressRoute, VNet to Vnet connection

Task: Create Virtual WAN, Virtual Hub to configure S2S,P2S, ExpressRoute, VNet to Vnet connection for that Virtual WAN through single operational interface

  1. Create virtual WAN // single operational interface to manage fully mash network(manage hubs that manages VNets inside region, for this region you can configure S2S,P2S, ExpressRoute)
  1. Type: standard
  1. Create hub // for specific region
  1. Basics
  1. Name
  2. Private address
  1. S2S
  2. P2S
  3. ExpressRoute
  4. Create hub

Hub And Spoke



VNet Strategy

VNet/Subnet Strategy
  1. Good naming policy
  1. Ex: ProjectName-Env-Component-Resource = tiffintouch-dev-root-vnet
  1. Tag your resources
  1. Useful for internal reports and billing
  1. In what region you’re going to deploy VNet
  1. Resources should be place inside Vnet region
  1. Design VNet and Subnet
  1. Don’t overlap VNet/subnet address with any other VNet/subnet in the same/diffrent subscription
  1. Separate layer of your application within subnet
  1. Web server can live on their own subnet
  2. Mid tier and Application tier has their won subnet
  3. Database tier has their own
  1. Leave room for IP address for the future
  1. Ex: VPN, virtual node, express route need their own subnet
  1. Which device need public address
  1. Ex: if the internet traffic to your azure resources(VMs) would only go for administrative purposes, Use Bastion or VPN to protect access
  1. Does this network need to directly communicate with any other network using peering
  1. They can’t communicate when you have overlapping IP addresses - this is non-issue if the both the VNet is under the same subscription - because azure deosn’t allow creating 2 VNet with overlapping IP address
  2. If the networks with a same IP address in separate subscriptions can’t talk to each other
Security Strategy
  1. Create small set of NSGs
  1. Reuse the same NSG instead of creating a new one for every network
  2. Use application security group - ASG to simplify your NSG
  1. Limit the people who can create VNet resources - principal of least privilege
  2. Use subnet to separate your application into logical security zones
  1. Subnet for web server and SQL kept separately along with their own NSGs
  1. Use Azure AD conditional access to add an additional layer of security
  2. Just in time access
  1. So that ports are closed, except when someone is actively using them for legit purposes
  2. Disable RDP and SSH access to resources, except for specific purposes
  1. Use a temporary permission tool instead of admin privilege when people need elevated privileges to perform authorized task
  1. Use Azure AD conditional access and PIM(privileged identity management) so that those permission are removed after a short time
  1. Use tool for the job
  1. Load balancer
  2. application gateway for WAF
  3. Azure firewall
  4. Third-party azure appliances
  1. Reduce the size of the attack surface
  1. Don’t leave ports open
  2. Disable programs and services from running that you don’t need
  3. Remove executable code from your web service like disabled WordPress plug-ins
  4. use a virtual network, service endpoints to cut off public access to App service, storage, and SQL databases
  5. use network routing to ensure traffic can only travel to, and from your corporate network, or a VPN and block direct access to the Internet
  1. consider DDoS protection if you are a potential target
  1. if your user can’t access your application because it’s too busy, that might not be a direct security threat but it’s a form of an attack - basic DDoS protection is provided free by Azure to protect against Denial of service attack
Performance Strategy
  1. Choose the VM with the right configuration you need
  1. Depending on the instance type you choose, more NIC cards generally correlate with an increase in the upper limits of performance speed.


  1.  VNet with private IP Address
  1. Span within region and RG
  1.  Subnet with segregation of VNet
  1. Span within region and RG
  1.  VM NIC - Network Interface card
  1. VM is connected to NIC —> NIC is then connected to subnet
  1. Place/connect NIC in the subnet —> subnet pass IP to NIC —> which is then attached to VM
  1. flow: Subnet —> NIC —> VM
  2. VM can have multiple NIC. These NIC’s can connect to different subnet // both subnet can be part of the same VNet

  1.  Private IP: gets from subnet private IP. Can assign static IP if you want, by default it’s dynamic.  
  1. why: Used to communicate bw resources privately over VNet
  1. Public IP: you don’t need Public IP for NIC. But you can get/create one and attach to
  1.  Why: used to communicate bw internet traffic to your Azure resources(VM)
  2. ow: modify IP config in NIC for VM so that it has public IP
  1. 2 types are public IP.
  1. Basic: insecure and accessible by default, and allow traffic. Require NSG to deny traffic
  2. Standard:  secure by default and not accessible by default. Require NSG to allow traffic
  1.  what: Provides public connectivity for resources. Can connect to resource via internet  
  2.  Example flow: create standard public IP —> Create NIC —> configure Public IP in NIC —> Create VM with NIC —> SSH to VM with public IP // can’t make connection  




  1.  CPU and Memory
  1.  Determine VM sizing, select based on VM Use case
  1.  Networking
  1. VNet and Subnet: for giving private IPs to VM
  2. NIC: configure IP. Private or public
  3. Public IP: for public connectivity
  4. Network security rule: secure the public connectivity using NSG using security rules to control inbound and outbound traffic to our VM, NIC or subnet level
  1.  Storage by Azure disk  

        What:  Virtual disk/Azure Disk

  1. What: Virtual Hard Disk
  2. Why: VM uses this hard disk to store data; SSD storage optimized for I/O intensive read/write operations. For use as high-performance Azure virtual machine storage.
  3. Where: Azure disk use Microsoft storage infrastructure and store this disks as page blob inside the blob service

  1.  OS disk: default with VM
  1.  Stores OS
  2.  Labels as the C: drive for Windows and mounted at “/” for unix system
  3.  Max capacity: 4095 GiB
  1.  Temporary disk: you get by default for non persistent data storage  
  2.  Data disk:
  1. you can additionally add to VM for persistent storage  
  2.  Use for persistent data storage like files or database
  3.  Max capacity: 32767 GiB
  1. Type
  1.  Managed

                1. Azure managed storage account

                2. Availability supported

                3. RBAC control

                4. Snapshot support

                5. Backup support

  1.  Unmanaged

                1. Manually managed

                2. Availability not supported

  1. Disk type

            1. Ultra disk(SSD)

            2. Premium(SSD)

            3. Standard(SSD)

            4. Standard(HDD)


1. Property

    1. Name

    2. Region

    3. Size: Standard_B1s

    4. Image: Linux/Windows

    5. Disk: consist of OS disk and temporary disk by default. Can add additional Data disk

    6. NIC: configure IP; private or public for this VM

2. Example

    1. Create Linux VM

    2. Configure Disk: add a data disk to VM

        1. OS Disk: Premium SSD disk

        2. Data disk:

            1. Create new or attach existing disk

                1. size: 1 GB

    3. Configure networking: VNet, Subnet, NIC, PIP, NSG

    4. Install web-server: install Nginx using custom data

    5. Open NSG for HTTP: manage security rules for VM

        1. Inbound rule: traffic will be allowed from public Internet on port 80

        2. SSH on port 22

More on Compute

VM Availability and Scale Sets/Availability set

VM Availability

What: provide high availability of VM by deploying VM in multi-AZ

How: by using availability zone. So when one AZ gets down you have your VM up and running in another AZ

Practical: Multi-AZ Deployment: place your web VM and DB VM in multiple AZ. So each AZ will have both of your hardware. I.e. web VM and DB VM  

Scale Sets/Availability set






What: scaling VM when traffic reaches to certain thresholds

Managing VM Updates

What: to update VM for patching, system updates(security)  


  1.  Automation account —> this will manage VM
  2.  Hybrid runbook worker
  3.  Log analytic workspace
  4.  Log analytics agent

Azure Bastion


What: provides a way to securely connects to our VMs inside our VNets directly from your Azure portal



What you don’t need

  1.  no public IP is required on the Azure VM
  2.  RDP and SSH directly in Azure portal over SSL/TLS - So secure
  3.  no hassle of managing NSGs
  4.  protection, against port scanning, and zero day exploits
  5.  hardening in one place only


1. Create VM

    1. Public inbound port: none

    2. Networking

        1. Public IP: none (no creation of public IP)

2. Create subnet for Bastion

3. Create Bastion

4. Navigate to VM

    1. Connect: Bastion

    2. Enter VM’s Username and Password


  1. Create VMs without public IPs
  2. Bastion need its own subnet

Load Balanacer

What: is a networking solution for distributing traffic between backend compute that serves same website



1. create 2 NIC and 2 VM without public IP(we’ll access with LB’s PIP)

2. create LB

    1. type: internal or public

    2. sku: standard(production) or basic

    3. tier: regional

    4. PIP name

3. in the LB

    1. backend pool: configure it

        1. name

        2. VNet

        3. backend pool config: NIC or IP

        4. VM or VMSS

    2. health probe: create it

        1. name

        2. protocol: TCP (all general traffic)

        3. port: 80

        4. interval: 5

        5. threshold: 2

        6. ex: every time it goes unhealthy for more than two times around the five seconds interval so 10 seconds total then our health Praby is going to let us know it is unhealthy

    3. LB rules: how we want to balance traffic on LB

        1. name

        2. frontend Ip: LB’s Frontend IP

        3. protocol: TCP

        4. Port: 80

        5. backend port: 80

        6. backend pool

        7. health prob

        8. session persistence

    4. Inbound NAT rules: to configure DNAT(inbound port forwarding) and SNAT(outbound traf.)

        1. ex: if you want to be able to SSH into the back and compute, we can use inbound and80 rules to create that rule to allow that network address translation for over SSH traffic from the front and IP of the Loadbalancer

    5. Outbound rules

Application gateway


Difference between APP Gateway and LB is


  1.  Frontend IP: Load balancer comes with IP address(private or public endpoint for accessing the LB solution)
  2.  Backend Pool:  VM, VMSS, APP service
  3.  Listener: listen how to route traffic to our backend pool based on path routing

    1. port, protocol, certificate config(SSL termination)

  1.  Rules: LB rules, HTTP setting, health prob


    1.  Basic

        1. Name

        2. Tier: standard V2

        3. Vnet

        4. Subnet: create a subnet for App Gateway  

    2. Frontend

        1. IP type: Public, private, or both

        2. PIP: create new

    3. Backend

        1. Add 2 backend pool

        2. name:

        3. Target: add VM, App service

    4.  Configuration

        1. Rule name: multipath

        2. Listener

            1. Listener name: listener1

            2. Frontend IP: public

            3. port: 443

            4. Choose certificate: upload cert

        3.   Backend target

App Service Plan



  1. Shared: run the app on the same VM as another app, this App may run other customer’s app on the same VM
  2. Dedicated: run only apps using the same App service plan on a dedicated VM
  3. Isolated: run apps within dedicated VM and VNets


3 Categories

  1. Web Apps: website/online app hosted on azure’s managed platform
  1. Web apps for container:
  1. API apps: expose and connect your data backend


  1.  Create “App Service Plan”
Web App

What: this is a resource that run on app service plan to host web application(linux or windows).


1. Create “App Service(Web App)”

    1. Select app service plan

2. Deploy zip application on app service

Custom domain


  1.  To provide a custom domain for web application rather than using web app default URL
  1.  Add custom domain and validate
  2.  Create A record and TXT record; put them in DNS zone
  1.  A record: point domain name to our public IP address of our web application
  2.  TXT Record: validate our domain ownership
  1.  TLS/SSL setting: secure web application so app can accessible with https
  1.  Upload certificate to SSL binding  
  1.  Scaling: scale up/out
  1.  Scale up by upgrading app service plan
  1.  deployment: deployment slot
  1.  Stage a new version of the application by swapping (no cost associated)
  1.  Network configuration using a hyper connection or CDN
  2.  Backup
  1.  Store backup to blob storage
  2.  Backup type
  1.  Full: store app configuration, file content, database connection settings, restore app using blob
  2.  Snapshot: point in time recovery


What: to host container images or run contained application


  1.  Create docker file, create an image out of it
  2.  Push image to ACR
  3.  Based on the image, run the container on ACI

Difference between ACI and Web apps for container/Container Apps



Event Grid

What: is a publish subscribe, managed service for the distribution of event information.


  1. Let's say that you had some code that you wanted to run every time someone deployed a virtual machine. You had an app that was running, it needed to check some things, maybe it needed to configure some settings and so on.
  1. What you would do is your application sitting there, constantly polling and monitoring the environment for changes. Now, that's not really an effective use of your resources, your CPU, and so on


  1. Rather than have our application constantly polling a Azure subscription for any changes, we could have it associated with an Event Grid, that is monitoring that on our behalf.
  2. And then if anything does happen, Event Grid will notify our application, perhaps on this example via a webhook.
  3. In this way our application doesn't have to be constantly polling the Azure subscription for changes. Instead, it is actually just subscribed to Event Grid itself. // This how Event Grid is a publish subscribe solution.


  1. What we have is a range of different thing that can publish events to Event Grid. Event Grid will then send that information onwards, based on whether anyone has a subscription to that information.
  2. Source → Events → Topics → Subscriptions → Handlers
  1. Sources: can submit info; This can be Blob Storage, resource group, subscription
  2. Events: small info submitted about something has happened  
  3. Topics: The endpoint where publishers sends event; this contain all the event information;
  4. Subscription: the endpoint to route event, sometimes to more than one handler
  5. Handler: will be responding in some way, to the event occurring; App or service reacting to event; ex: serverless code, logic apps, other apps like webhook
  1. So, handler don’t directly talking to and monitoring these different sources. They subscribe to a topic which will contain all of the event information they want.
  2. In this way, when the sources emit event information, it goes to a topic. Depending on the subscriptions, Event Grid will then transfer that information on to anyone, any of the handlers who are subscribed to that topic.

  1. So there is Azure service that creates events. Ex: when you upload files to Blob container, you create Topic to receive the Blob Events, now you have application like Logic App which subscribed to Topic and receive these events
  2. Events can be custom

When to use

  1. When you want to transfer of events and not the data


  1. Consuming built-in events: use logic app to consume built-in event in Azure to react to blob changes
  2. Sending custom event: use logic app to send custom events to our event grid topic
  3. Subscribe to custom event: use custom event topic and create subscription

Notification Hub

What: Notification Hubs is a fully managed, scalable solution for managing push notifications to various platforms (iOS, Android, Google, Windows, Kindle, Baidu, etc.).

An overview of the typical setup of push notifications using Notification Hubs is as follows:

A summary of Notification Hub configuration is as follows:

  1. A namespace must first be configured, which includes:
  1. Name: Unique name of the namespace,
  2. Pricing tier, which currently includes Free, Basic and Standard:
  1. Pricing determines notification limits, monthly cost, features, and more.
  2. For more information on the different limits and features, refer to this Microsoft pricing link.
  1. Within a namespace, a hub can be configured, as follows:
  1. Typically a single hub is created for an individual application.
  2. Configuration is required for each vendor you wish to provide push notifications for, including:
  1. Some sort of registration (dependent on the vendor) typically including key and authentication
  1. Authentication is configured using Shared Access Signature Security (SAS):
  1. Two rules are automatically created with the Notification Hub:
  1. SAS rule with listen rights (for client app registration)
  2. SAS rule with all rights (for the application backend)

Event Hub

What: Azure Event Hubs provides a massively scalable solution capable of processing millions of events each second.

Important elements of an Event Hubs solution:

  1. Events: Small pieces of information about something that has happened:
  1. Often referred to as a datagram
  2. Can be published individually or in batches
  3. A single publication of events) cannot exceed 256 KB
  1. Publishers: An application, service, or device which emits an event:
  1. Publishers send event data using HTTPS or Advanced Message Queuing Protocol (AMQP) 1.0.
  1. Subscribers: Applications which receive data from an Event Hub using one of two methods:
  1. Event Processor Host: Simplified higher-level method receiver (depends on Event Hub Receiver)
  2. Event Hub Receiver: Lower-level method with greater complexity

Service Bus

What: Service Bus is a messaging broker designed to deliver messages between decoupled applications in a highly-available, highly-reliable way. Service Bus supports the "competing consumer" pattern

Important information about the Service Bus Namespace is as follows:

  1. A namespace is the parent container of any Service Bus Queues or Topics you wish to create
  2. Several important properties are configured at the Namespace level, including:
  1. The name, which also creates the DNS entry
  2. The pricing tier which currently includes Basic, Standard and Premium:
  1. Only Standard or Premium currently support Topics and Subscriptions.
  2. For more information on the different limits and features, refer to this Microsoft pricing link.
  1. Whether any zone redundancy is required (currently only supported with Premium pricing tier)
  1. Authentication and authorization through shared access signatures (SAS) applies at this level.

Azure Relay

What: Azure Relay service provides a secure method for exposing on-premises applications over the public Internet, by allowing communication to be relaved via Azure to on-oremises enttes

An overview of the flow of data when using Azure Relay is as follows:

  1.  An on-premises service establishes an outbound connection to the Azure Relay service
  1. Note: This is why onlv outbound connections are reauired although we are providing public access)
  1.  The outbound connection establishes a bi-directional socket
  2.  Clients can communicate with the on-premises service publicly, by communicating with the publicly accessible Azure Relay namespace address
  3.  The Azure Relay service then utilizes the bi-directional socket to allow communication.

A summary of important information about Azure Relay:

  1. Using Azure Relay to provide public accessibility to on-premises applications:
  1. Does not require inbound firewall rules on-premises
  2. Only requires an outbound connection between on-premises and Azure Relay
  3. Supports bi-directional communication
  4. Does not require on-premises hardware
  5. Can be scoped to individual applications/services
  1. Authentication and authorization is supported using:
  1. shared Access signature authentication, for managing rights

Azure Relay supports both Hybrid Connections and WCF Relays, as summarized below:

  1. Hvbrid Connections: Supports open standard web socket communication
  2. WCF Relays: Only supports Windows Communication Foundation (WCE) communication using remote procedure calls (RPC)


Azure Monitor


What to monitor


How to Monitor


  1. Monitor VM
  1. Metrics
  1. Inside your VM → Monitoring → Metrics
  2. Explor Metrics
  1. Logs

Enable diagnostic settings for SA

  1. Inside your SA → monitoring → diagnostic settings
  2. Choose SA
  3. Add diagnostic settings
  4. Select metric // translation
  1. Send this metric to LAW, stream them to event hub, Archive to SA


Setting up Alerts and Action Group



Alert Example

Create alert against VM if it’s  

  1. Inside monitor  → alert
  2. Select resource → VM
  3. Add condition
  1. Signal type: activity log
  2. Signal name: deallocate VM
  1. whenever the activity log has an event with category= administrative, Signal name = deallocate virtual machine
  1. add action group
  1. create AG
  2. Notification Type: Email
  1. Action Type
  1. Automation Runbook
  2. Azure Functions
  3. ITSM
  4. Logic App
  5. Secure Webhook
  6. Webhook
  1. Create alert with Name

Configuring Azure Monitor Logs

Log Analytics

What: A service for aggregating log data in a single pen, where it can be analyzed, visualized and queried

How: capture this data from Metrics and Logs by enabling diagnostic settings to send the data to specifically log analytics workspace, which then act as a repository for our data

Data Source:

  Task: Configuring LAW


  1. Create Log Analytic Workspace
  2. Under workspace data sources → VM
  1. Connect your VM
  2. So this VM act as a data source into this LAW so that we can capture data from this VM and be able to query using Kusto Query
  1. Under LAW → logs
  1. Run Kusto Query

Monitor Insights

What: Service Monitoring

  1. VM Insights: Monitoring service specific to virtual machines and virtual machine scale sets (VMSS).

• Requires Log Analytics workspace

• Requires Log Analytics agent (installed when connected)

• Also known as Azure Monitor for VMs

  1. Network Insights: Monitoring service specific to virtual network resources.

• No agent installation required

• Works in tandem with Network Watcher if enabled

• Also known as Azure Monitor for Networks

  1. Container Insights: Monitoring service specific to containers or AKS clusters.

• Requires Log Analytics workspace

• Requires Log Analytics agent

  1. Application Insights: Monitoring service specific to application code.

• App Insights resource

• Instrumentation of app code

Application Insights


• Supports any application instrumented with Application Insights

• Repository for events and metrics data

• Telemetry data is streamed into an Application Insight resource


2 approaches

  1. Runtime instrumentation: codeless approach with Application Insights,
  1. where we don't have to use any specific packages inside of our application code to implement the Application Insights resource.
  2. provides us with not quite as much data that we're gathering as far as telemetry.
  1. Build-time instrumentation:  is a coded approach with Application Insights,
  1. where we're going to implement the SDK for Application Insights into our application's code
  2. then we're going to pass the instrumentation key as an environment variable in our applications, so that we can use the application to gather as much data as possible,
  3. and this gives us access to other features that we don't otherwise get with a runtime instrumentation.


  1. Metrics: Live Metrics Stream for near-real-time metrics data and Metrics Explorer for viewing how metrics vary over time.
  2. Alerts: Alerting on metrics or event data to notify application administrators of issues. 
  3. Profiler: Determine how requests are delivered, such as page elements and their performance.
  4. Application Map: A topological view of applications and dependencies used to identify dependency issues such as bottlenecks.
  5. Usage Analytics: Analyze user metrics from client-side events like user interaction.

Architectural component 

Network Watcher

What: Azure Network Watcher is a service comprised of networking tools for

monitoring and diagnostics.

• Overview of topologies

• Monitor connectivity in Azure

• Monitor connectivity in hybrid networks

• Troubleshoot connectivity issues

• Troubleshoot hybrid network solutions

• Enable per region in a subscription


Backup Concepts

Disaster recovery

What: The process of recovering from a disaster, such as a data center Power outage

What to do

  1. Assess risks
  2. Determine critical workloads
  3. Determine back up technique
  4. Test disaster recovery
Recovery Point Objective VS Recovery Time Objectives



What can we stand to lose in terms of data

How long does it take for us to recover

Represents the hours from the last successful backup to the point of disaster in time

Represents the number of hours in time in representation between the disaster and full point of recovery

Disaster recovery method
  1. Backup: copy of business-critical data
  2. Cold sites: A copy of critical infrastructure that needs preparation before a disaster recovery is complete.
  3. Hot site:  A copy of critical infrastructure in data that is ready to be swapped in as the production workloads

Azure Backup

What: is a managed service for backing up and recovering workloads



Supported workload

  1. Azure VM
  2. On-premises machines
  3. SQL Server workloads
  4. SAP HANA workloads


  1. You have your workload(VM, SQL)
  2. Create Recovery Services Vault(RSV)
  3. Create Azure Backup policy inside the RSV
  4. Backup Job: Run schedule backups (on VM, SQL)
  5. RSV receives backup data: providing us with data to recover from our workloads.


  1. Backup and restore Azure VM
  2. Backup File Share to another SA
  1. Lets say you have files in this File Share(within 1 SA) that needed to be backup and restore to the new SA

Task 1: Backup and Recover Azure VM workload.


  1. In the VM → Operation → Backup
  1. Create new RSV
  1. Name
  2. Choose backup policy: set backup time, and frequency
  1. Enable backup
  1. This will create RSV and Backup Policy
  1. Inside the RSV, see the details
  2. Click on VM → Operation → Backup
  1. Select Backup Now
  2. Snapshot: file system consistent
  1. Restore VM
  1. Stop VM
  2. Create Storage Account: this will act as a staging location whenever we’re restoring our VM
  3. Restore VM under the VM → Operations → backup
  1. Select restore point from snapshot
  1. Choose restore configuration
  1. Create new VM
  2. Staging location: SA

Task 2: Backup and Recover Azure File Share to another SA

  1. You have RSV and SA with File Share containing files
  2. Under RSV enable backup
  1. Workload: Azure → File Share
  2. Choose SA you want to backup
  3. Add records inside the File Share
  4. Backup policy: daily
  5. Enable backup
  1. Create backup
  1. Click on RSV
  2. Under Backup Items → select Type of your backup
  3. Select your item
  4. Select backup now
  5. Retain backup till: default date
  1. Restore backup
  1. On the backup item
  2. Click on restore backup
  3. Select restore point you created in the 3rd point
  4. Select alternate location
  1. SA: secondary backup
  2. Select restore



Azure Site Recovery

What: This is a disaster recovery solution that allows us to automate the process of recovering from a primary location into a secondary location.


  1. Requires an azure recovery services vault(RSV)
  2. Using RSV, we can make this recovery solution
  1. cross-zone
  2. cross-region


Task: Enable site to site recovery for VM


  1. Go to RSV → site recovery
  2. Enable replication for VM
  1. Select source location (East US)
  2. Select source VM
  3. Choose target location
  1. Select another region (WEST US)
  2. This will create new RG in that region with new VNet, SA(to cache the data), managed disk // so we can move that into the new region
  1.  Replication policy: time frequency
  2. Enable replication
  1. Go to RSV
  1. Replicated items - see the replicated VM
  2. From there, you can failover, test failover

Recovery plan

Backup Reports

What: Provides insight on backups from Azure backup, and those insights can be used to inform items such as



  1. Enable Azure backup
  1. this captures the data, generates reports from the backup
  1. Create Log Analytics Workspace
  1. to store logging data
  1. Configure diagnostics settings on RSV,
  1. to send all the backup data to LAW


  1. Create VM with Azure backup enabled
  2. Create RSV
  1. Backup item: to see which service is backup enabled
  2. Backup jobs: to see the data about backup, restore // when it happened
  1. Create Log Analytics
  2. On RSV → Monitoring → diagnostics settings
  1. Add diagnostics settings
  2. Enter name
  3. Select log data you want to capture
  1. Save
  1. On RSV, configure backup reports