https://www.microsoftazurepass.com/ Try Microsoft Azure Pass. We're offering an Azure Pass, so for a limited time period, you can try Azure for free. *No credit card required.*

Must read: [[https://stackify.com/top-azure-paas-services-developers/|top-azure-paas-services-developers]]

====== Cloud Models ======
{{:burim:azure:training:microsoft-azure-cloud-models-768x433.png?400|}}

====== 21 October - 25 October ======
  * Fastlane
  * email burimaz300@outlook.com
  * After completing this course, students will be able to:
    * Managing Azure Subscriptions and Resources
    * Implementing and Managing Storage
    * Deploying and Managing VMs
    * Configuring and Managing Virtual Networks
    * Managing Identities using Azure Active Directory
    * Evaluating and Performing Server Migration to Azure
    * Implementing and Managing Application Services
    * Implementing Advanced Virtual Networking
    * Securing Identities using Azure AD
    * Design and Connectivity Patterns
    * Hybrid Networking
    * Address Durability of Data and Caching
    * Measure Throughput and Structure of Data Access
    * Use shell commands to create an App Service Web App
    * Create Background Tasks
    * Use Swagger to document an API
    * Create a reliable service
    * Create a Reliable Actors app
    * Hands-on with Reliable Collections
    * Understand the Azure Container Registry
    * Use Azure Container Instances
    * How to configure a message-based integration architecture
    * Understand how to develop for asynchronous processing
    * Begin creating apps for autoscaling
    * Understand Azure Cognitive Services solutions

====== Day1 ======
  * slides {{:burim:azure:training:impro_slides.pdf|}}
  * Glauben statt wissen (believing instead of knowing) https://www.heise.de/select/ix/2018/9/1535787443285145

====== course notes ======
  * Azure Ramp-Up (ARM)
  * An MSDN subscription is the best option for testing
  * Resource groups and other elements cannot be renamed
  * A resource group represents an application
  * Do not use classic resource management anymore
  * resource group export as JSON template {{:burim:azure:training:resource-group-export.png?200|}} / use templates to deploy resource groups
  * no CAPEX, only OPEX
  * Without internet access use the Azure Storage Emulator and Azure Storage Explorer
  * Azure SDK https://azure.microsoft.com/de-de/downloads/
  * AzCopy: use it to copy disks from A to B
  * ''az login'' connects from the command line
  * documentation for the ''az'' commands https://docs.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest
  * PowerShell: old modules ''Get-AzureVM'', ''Get-AzureRmVM''; new Az module ''Get-AzVM''
  * use ''dir'' + ''cd'' to navigate Azure objects with PowerShell
  * example: ''new-azvm -location "westeurope"''
  * Azure can only use VHD and not VHDX
  * third party for deployment: Terraform, open source https://www.terraform.io/
    * HCL language
    * Terraform can also be executed in the Azure Cloud Shell
    * file format: ''file.tf''
    * ''terraform init'' / initialize the modules
    * ''terraform validate'' / verify that all is good
    * ''terraform graph'' / show the file in JSON format
    * ''terraform plan'' / dry run to verify that the rollout works
    * ''terraform apply'' / execute the deployment

====== Day1 DevOps ======
  * Visual Studio Code / SAS from Microsoft
  * Azure DevOps https://azure.microsoft.com/de-de/services/devops/
  * DevOps Projects: Windows WebApp (front end), Function App (back end)
  * CI/CD pipeline https://azure.microsoft.com/de-de/services/devops/pipelines/
  * DevOps project hosting domain: .azurewebsites.net

====== Day1 project test DevOps ======
  * burimaz300@outlook.com
  * Azure Cognitive Services / text analytics https://azure.microsoft.com/de-de/services/cognitive-services/text-analytics/ It can analyze text and find out which language it is.
  * Guide: Social Media Analyzer https://docs.microsoft.com/en-us/azure/azure-functions/functions-twitter-email
  * Function App / create
  * Orchestration / Azure Durable Functions / Logic App: if this then that (IFTTT)

====== Day2 Costs / Service different options ======
{{:burim:azure:training:kosten.pdf|}}
  * Contract type (pay as you go or business contracts)
  * EA subscription / not possible to set an upper cost limit
  * best to use an MSDN subscription
  * budget based / platform based
  * SQL (PaaS) is less costly than deploying a virtual machine
  * Azure Advisor for cost management / provides recommendations
  * TCO calculator
  * Traffic calculations: regional / ingress is not charged / egress traffic is charged
  * Different prices for internet traffic and regional traffic
  * DR: calculate the traffic costs as well
  * I can use my own licenses that I have on physical hardware in the cloud / per-core license
  * VM auto shutdown
  * Azure RIs / reservations should be cheaper
  * Subscription quotas / can be changed by opening a ticket with Microsoft
  * Create policies / what may be deployed / virtual NICs with public IPs etc.

====== Day2 task ======
Two-tier app: website uses a DB / create, read, update, delete / WWW ----CRUD---- SQLC
  * Option 1: 1) SQL Database 2) App Service instance
  * Option 2: schema-less database, use Table services / Azure Cosmos DB (NoSQL)
  * DB server name server-sql / password admin01/***
  * Web.config holds the connection string

Use SAS (Shared Access Signatures): the token can allow everything except delete, or only specific IPs will be allowed.
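The SAS note above, and the valet key pattern used later in the Day 3 picture-upload exercise, come down to the same thing: the backend signs a narrow, short-lived token and the client never sees the account key. The added example below (not from the course or from Microsoft) hand-builds such a token for one blob with create/write permission only, an IP restriction and an HTTPS-only flag; it assumes the Azure service SAS string-to-sign layout for api-version 2018-11-09, and the account name, key, container and client IP are constructed sample values (in production use ''azure.storage.blob.generate_blob_sas'').

```python
# Added example (not from the course notes): a "valet key" upload URL, i.e. a
# service SAS for ONE blob that can create/write but not read, list or delete,
# expires in minutes, and is bound to the caller's IP and to HTTPS.
# Assumes the Azure service SAS string-to-sign for api-version 2018-11-09;
# account, key, container and IP are constructed values, not real ones.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2018-11-09"
ISO = "%Y-%m-%dT%H:%M:%SZ"


def build_upload_sas(account, key_b64, container, blob, client_ip, now, minutes=15):
    """Return the SAS query parameters a client needs to PUT exactly one blob."""
    params = {
        "sp": "cw",                                              # create+write only: no 'r', 'l' or 'd'
        "st": (now - timedelta(minutes=5)).strftime(ISO),        # tolerate clock skew
        "se": (now + timedelta(minutes=minutes)).strftime(ISO),  # short lifetime
        "sip": client_ip,                                        # only this address/range may use it
        "spr": "https",                                          # never over plain HTTP
        "sv": SAS_VERSION,
        "sr": "b",                                               # scope: a single blob, not the container
    }
    canonical = f"/blob/{account}/{container}/{blob}"
    # Field order is fixed by the service; unused fields are empty lines.
    string_to_sign = "\n".join([
        params["sp"], params["st"], params["se"], canonical,
        "",                          # signedIdentifier (no stored access policy)
        params["sip"], params["spr"], params["sv"], params["sr"],
        "",                          # signedSnapshotTime
        "", "", "", "", "",          # rscc, rscd, rsce, rscl, rsct
    ])
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    params["sig"] = base64.b64encode(mac.digest()).decode("ascii")
    return params


def upload_url(account, container, blob, params):
    """Full URL handed to the client; the account key itself never leaves the backend."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?" + urlencode(params)


# Constructed demo input with a fixed clock so the output is reproducible.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode("ascii")
DEMO_NOW = datetime(2019, 10, 23, 12, 0, tzinfo=timezone.utc)


def demo_params():
    return build_upload_sas("storage001ba", DEMO_KEY, "uploads", "photo42.jpg", "203.0.113.10", DEMO_NOW)
```

Anything a client could do with this URL after the 15 minutes, from another address, or against another blob is rejected by the storage service, which is what makes the pattern safe to hand out per request.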
  * Deploy a website using Microsoft Visual Studio; templates are offered: [[https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-dotnet-sqldatabase|WebApp using Data Base]]

====== Day 2 Design patterns ======
  * use Key Vault for DB connectivity

====== Day2 Catalog of patterns ======
  * Configuration Store pattern
  * PowerShell script {{:burim:azure:training:rotate-servicebus-primary-key.7z|}}
  * Guide: Social Media Analyzer https://docs.microsoft.com/en-us/azure/azure-functions/functions-twitter-email
  * Movies DB (Azure Cosmos DB) https://github.com/mikepfeiffer/movieapp-documentdb
  * Key Rotation Application (External Config Store Pattern) https://github.com/kasunkv/AzureKeyVaultServiceBusKeyRotationExample

====== Day2 example to search the pictures for text ======
Yelp is based on Azure and uses a search service in Azure.
  * OCR: OCR (optical character recognition) is the recognition of printed or written text characters by a computer. This involves photoscanning of the text character by character, analysis of the scanned-in image, and then translation of the character image into character codes, such as ASCII, commonly used in data processing.
  * Deploy the Microsoft search service
  * Data source / create a storage account to store the pictures
  * after creating the storage account you can use Storage Explorer to upload the pictures
  * store the data; you need: the storage account,
    a container in the storage account, and a blob in the container
  * Search Demo Repo http://azjobsdemo.azurewebsites.net/

====== Day2 how to publish a git repository ======
https://www.youtube.com/watch?v=_gURf7CW1lg

====== Day2 monitoring ======
  * monitor dashboard
  * activity log: monitors all the activities that happen in Azure
  * alerts: if something happens a notification will be sent
  * traffic
  * set a metric
  * Log Analytics services / Azure Data Explorer cluster / query logs
  * use the ''take'' command to see 10 logs
  * kusto_kql
    * https://docs.microsoft.com/de-de/azure/azure-monitor/log-query/get-started-portal
    * https://portal.loganalytics.io/demo

<code>
//1. Take a sample
SecurityEvent | take 10

//2. Filter records
SecurityEvent | where Level == 8

//3. Use full-text search
search in (SecurityEvent) "A new process has been created" | take 10

//4. Grouped count
Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize count() by Source

//5. Extend and prepare data
SecurityEvent
| top 10 by TimeGenerated
| extend EventCode=substring(Activity, 0, 4)

//6. Show specific columns
SecurityEvent
| top 10 by TimeGenerated
| project TimeGenerated, Computer, Activity

//7. Remove duplicates
AzureActivity
| where ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites'
//| distinct CorrelationId
</code>

  * Application Insights
  * Network Watcher

====== Day3 application insights ======

====== Day3 Security ======
My questions: with PaaS, how does Microsoft apply patches? Are SLAs synced with the client?
  * SAS / user attacks / a user's identity can be stolen / two-factor authentication
  * PaaS / application code audited / QA checks bugs and issues / injections? / data retention
  * IaaS / most vulnerable
  * design patterns: Federated Identity pattern / AD not / conditional access rules
  * ADFS: ADFS is recommended to be used always. Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a component of Windows Server operating systems, it provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).
  * MIM: Microsoft Identity Manager
  * learn website https://www.troyhunt.com/hack-yourself-first-how-to-go-on/
  * Gatekeeper pattern https://docs.microsoft.com/en-us/azure/architecture/patterns/gatekeeper
  * OWASP Top 10 security attacks - 2019
  * Microsoft WAF cannot be customized
  * Valet Key pattern (PaaS) https://docs.microsoft.com/en-us/azure/architecture/patterns/valet-key

====== Day 3 Security cont. ======
  * debugging: Ctrl + Shift + J
  * enable MFA for users; different options depending on the AD setup
  * admin per change request, allowed only for a limited time / four-eyes principle / ticket-based admin role
  * Identity Protection - Risky users (users flagged for risk): it collects minus points for failed attempts, connecting from a different region, connecting from the TOR network, etc. (low - MFA request / medium - password change / high - user disabled)
  * Azure Information Protection / i.e. NTFS is not enough, apply encryption / applying automated security policies based on risk class
  * PaaS security: use https://www.sonarqube.org to check code quality and security
  * Advisor / security - redundancy - performance - costs etc.
  * Using management groups you can apply different classification policies for security

====== Day3 application setup ======
web tier + application tier + database
  * step 1: requirements
    1) upload pictures into the cloud
    2) consistency automated / thumbnails
    3) analyze the motifs of the picture, what it shows
    4) data grid that shows all the files that are in the cloud, i.e. a listing of the photos
    5) authenticate against Azure AD
  * step 2: create a frame of how the website should look
    1) If I hover over a picture the description text should show up
    2) Login button
  * a storage account is good enough for a website to be published; a function app is needed if I need to run a backend
  * the difficulty will be how to interconnect the microservices so they talk to each other
  * Needed files {{:burim:azure:training:pictureanalysis.zip|}}
  * how to set up: storage account name, e.g. storage001ba
  * enable static website
  * not documented / change the runtime version to 1 to support ASP.NET
  * each function has only one trigger
  * set trigger GetUploadUrl
  * Valet Key design pattern / the application asks the target resource for the key / the target resource responds with the key
  * CORS / establish trust between storage and function in both directions
  * next step: thumbnails
  * use Computer Vision from Microsoft https://azure.microsoft.com/en-us/services/cognitive-services/computer-vision/
  * caption text for the hover-over
  * smart crop
  * create the data grid of the images that will be written to the database
  * for performance use Event Grid / to solve the issue where one function has only one trigger https://azure.microsoft.com/en-us/services/event-grid/
  * training https://de.linkedin.com/learning/azure-functions-grundkurs

====== Day4 automation ======
  * Marketplace automation / works with checkpoints / it will run only at the required times
  * SAM inventory creation
  * change tracking / which file is changed etc.
  * desired state configuration / use a script to restore a state / time-activated + event-activated
  * Update Management / which update is missing, which update is to be installed etc.
  * runbooks / are scripts / they run job-based
  * scripts can be written or taken from a Microsoft library
  * watcher tasks: an event triggers the other runbook
  * credentials for scripts
  * topic modules / for different commands, different module versions
  * PowerShell Workflow supports checkpoints
  * Test pane / can be used for testing; it's a real run against the system / no undo possible
  * Tags can be used in resources and referenced in the cost analyses
  * automation also brings costs / charged based on process automation
  * [[https://gallery.technet.microsoft.com/scriptcenter/Delete-all-your-empty-1e045b74|Test script remove resource groups]]

====== Day4 RBAC ======
subscription ---- resource groups are organized flat and not hierarchically
  * IAM
    * Reader / can use the VM start/stop; not possible to add disks or delete VMs
    * Contributor / can do all / but cannot change permissions
  * Best practice / use one resource group per application; do not use the practice per service (like a resource group attached to a database) / this will not work with the Azure architecture
  * example for DBs: give the DB role at the top, on the subscription, and the user will get the roles for DB access in all the resource groups
  * [[https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles|Azure custom roles]]

====== Day4 Container/kubernetes ======
  * AKS (Kubernetes on Azure) https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough#run-the-application
  * {{:burim:azure:training:kubernetes_auf_azure.pdf|}}
  * costs / nodes, traffic + disks
  * pod: smallest deployable unit
  * load tests can be performed from DevOps

====== Day4 VM's ======
  * https://karrierebibel.de/eisenhower-prinzip/
  * not able to change the availability set afterwards / fault and update domains {{:burim:azure:training:68d4291a-b0fa-43d7-aa1d-83b9839e35aa.jpeg?50|}}
  * VM scale set {{:burim:azure:training:vm_scaleset.7z|}}
  * you can also create your own images for deployment
  * Packer: multi-cloud problem, disk images
  * peering: vnet peering to interconnect different instances

====== Day4 apps migrate to cloud ======
  * https://appmigration.microsoft.com/
  * https://azure.microsoft.com/en-us/services/site-recovery/
  * Traffic Manager: same as a load balancer but can switch from one site to another site
  * Recovery site tools

====== Day4 exercise ======
migrate a service

====== Day5 ======
  * https://www.flande.de/eval Password = 9c05b2ff
  * AMS Video Indexer

====== Day5 Certification ======
  * PowerShell: need to understand
  * Single-shot voucher
  * Second-shot voucher
  * Azure backup rule