mopdf.com

Use Azure Network Watcher302Troubleshoot external networking306Troubleshoot virtual network connectivity307Skill 4.5: Integrate an on-premises network with anAzure virtual network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310Create and configure Azure VPN Gateway311Create and configure Azure ExpressRoute315Configure Azure Virtual WAN320Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327Chapter 5Monitor and back up Azure resources333Skill 5.1: Monitor resources by using Azure Monitor. . . . . . . . . . . . . . . . . . . . 334Configure and interpret metrics336Configure Azure Monitor logs340Query and analyze logs347Set up alerts and actions352Configure Application Insights363Skill 5.2: Implement backup and recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365Create a Recovery Services Vault366Create and configure Backup Policy368Perform backup and restore operations by usingAzure Backup Service371Perform site-to-site recovery by using Azure Site Recovery384Configure and review backup reports390Thought experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393Chapter summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393Index 395Contents9780136805380 print.indb 9ix30/06/21 4:38 PM

This page intentionally left blank

AcknowledgmentsI would like to acknowledge the flawless support I have received throughout the journey ofbook by Loretta and Charvi from the Pearson team. They have been very supportive andflexible, knowing the fact that I was dealing with multiple things at my end. I would also liketo thank my wife, Divya, for her tremendous support in the making of this book. Despite herpregnancy, she played an instrumental role by encouraging and allowing me to complete thebook on time. And last but not the least, the cuddle and cute smile of my little bundle of joy,Rivan, was a real energy booster during breaks in the middle of the night.xi9780136805380 print.indb 1130/06/21 4:38 PM

This page intentionally left blank

About the AuthorHARSHUL PATE L is a technology enthusiast formerly from India who currently lives inCanada. He has been a cloud consultant with Microsoft Services for more than six year. Hedrives the adoption of Microsoft’s cloud platforms for enterprise customers. He is thoroughlyknowledgeable across various virtualization and cloud technologies. Harshul is an experiencedauthor and an early adopter of many Microsoft products. He is a frequent speaker at varioususer group gatherings and a co-founder of a few global user groups.Apart from work, Harshul is a happy-go-lucky guy. He loves to travel and spend time withhis family and friends. Harshul and his wife, Divya, had a baby boy during the production ofthis book; they call him Rivan.xiii9780136805380 print.indb 1330/06/21 4:38 PM

This page intentionally left blank

IntroductionThe AZ-104 exam focuses on common tasks and concepts that an administrator needs tounderstand to deploy and manage infrastructure in Microsoft Azure. Manage Azure identities and Azure subscriptions is a key topic on the exam, which includes managing Azure ADobjects (users, groups, and devices), use of Azure AD join and self-service password resets; italso covers role based access control, tagging, subscription level policies and resource organization using resource groups, subscription and management groups. Another topic coveredis implement and manage storage, which includes creating and configuring storage accountsas well as configuring Azure files and understanding the services for importing and exporting data to Azure. A significant portion of the exam is focused on deploying and managingAzure compute resources, which includes configuring high availability of Azure VMs, creatingand configuring virtual machine and their automated deployments as well as creating andconfiguring container solutions such as Azure Kubernetes Service (AKS) and Azure ContainerInstances (ACI); it also covers configuring web apps using app service and app service plans.This book also covers the creation and management of virtual networks, DNS, connectivitybetween virtual networks, configuring network security groups, Azure firewall and Azure bastion service; it also explains the load balancing solutions including configuration of applicationgateway. The final topic is monitor and backup Azure resources, which includes topics on howto monitor resources using Azure Monitor as well as how to implement back and recovery ofAzure VMs including site to site recovery using Azure site recovery.This book is geared toward Azure administrators who manage cloud services that span storage, security, networking and compute. It explains how to configure and deploy services acrossa broad range of related Azure services to help you prepare for the exam.This book covers every major topic area found on the exam, but it does not cover everyexam question. Only the Microsoft exam team has access to the exam questions, and Microsoftregularly adds new questions to the exam, making it impossible to cover specific questions.You should consider this book a supplement to your relevant real-world experience and otherstudy materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the reference links provided throughout this book and take the time to researchand study the topic. Great information is available on Microsoft Docs.Organization of this bookThis book is organized by the “Skills measured” list published for the exam. The “Skills measured”list is available for each exam on the Microsoft Learning website: https://aka.ms/examlist. Eachchapter in this book corresponds to a major topic area in the list, and the technical tasks inxv9780136805380 print.indb 1530/06/21 4:38 PM

each topic area determine a chapter’s organization. If an exam covers six major topic areas, forexample, the book will contain six chapters.Preparing for the examMicrosoft certification exams are a great way to build your resume and let the world knowabout your level of expertise. Certification exams validate your on-the-job experience andproduct knowledge. Although there is no substitute for on-the-job experience, preparationthrough study and hands-on practice can help you prepare for the exam. This book is notdesigned to teach you new skills.We recommend that you augment your exam preparation plan by using a combination ofavailable study materials and courses. For example, you might use the Exam Ref and anotherstudy guide for your ”at home” preparation and take a Microsoft Official Curriculum course forthe classroom experience. Choose the combination that you think works best for you. Learnmore about available classroom training and find free online courses and live events athttp://microsoft.com/learn. Microsoft Official Practice Tests are available for many exams athttp://aka.ms/practicetests.Note that this Exam Ref is based on publicly available information about the exam and theauthor’s experience. To safeguard the integrity of the exam, authors do not have access to thelive exam.Microsoft certificationsMicrosoft certifications distinguish you by proving your command of a broad set of skills andexperience with current Microsoft products and technologies. The exams and correspondingcertifications are developed to validate your mastery of critical competencies as you designand develop, or implement and support, solutions with Microsoft products and technologiesboth on-premises and in the cloud. Certification brings a variety of benefits to the individualand to employers and organizations.MORE INFOALL MICROSOFT CERTIFICATIONSFor information about Microsoft certifications, including a full list of available certifications,go to 136805380 print.indb 1630/06/21 4:38 PM

Quick access to online referencesThroughout this book are addresses to webpages that the author has recommended you visitfor more information. Some of these links can be very long and painstaking to type, so we’veshortened them for you to make them easier to visit. We’ve also compiled them into a singlelist that readers of the print edition can refer to while they read.Download the list at MicrosoftPressStore.com/ExamRefAZ104/downloadsThe URLs are organized by chapter and heading. Every time you come across a URL in thebook, find the hyperlink in the list to go directly to the webpage.Errata, updates, & book supportWe’ve made every effort to ensure the accuracy of this book and its companion content. Youcan access updates to this book—in the form of a list of submitted errata and their related 104/errataIf you discover an error that is not already listed, please submit it to us at the same page.For additional book support and information, please visit MicrosoftPressStore.com/Support.Please note that product support for Microsoft software and hardware is not offeredthrough the previous addresses. For help with Microsoft software or hardware, go tohttp://support.microsoft.com.Stay in touchLet’s keep the conversation going! We’re on Twitter: 136805380 print.indb 17xvii30/06/21 4:38 PM

This page intentionally left blank

CHAPTER 2Implement and managestorageImplementing and managing storage is one of the most important aspects of building ordeploying a new solution using Azure. There are several services and features available foruse, and each has its own place. Azure Storage is the underlying storage for most of the services in Azure. It provides service for the storage and retrieval of files, and it has services thatare available for storing large volumes of data through tables. Also, Azure Storage includesa fast and reliable messaging service for application developers with queues. In this chapter,we review how to implement and manage storage with an emphasis on Azure Storage.Also, we discuss related services such as Import/Export, Azure Files, and many of the toolsthat simplify the management of these services.Skills covered in this chapter: Skill 2.1: Secure Storage Skill 2.2: Manage Storage Skill 2.3: Configure Azure Files and Azure Blob StorageSkill 2.1: Secure StorageAn Azure Storage account is an entity you create that is used to store Azure Storage dataobjects such as blobs, files, queues, tables, and disks. Data in an Azure Storage account isdurable and highly available, secure, massively scalable, and accessible from anywhere in theworld over HTTP or HTTPS.This section covers how to: Configure network access to storage accounts Create and configure storage accounts Generate shared access signatures Manage access keys Configure Azure AD Authentication for a storage account639780136805380 print.indb 6330/06/21 4:39 PM

Configure network access to the storage accountsStorage accounts are managed through Azure Resource Manager. Management operations areauthenticated and authorized using Azure Active Directory and RBAC. Each storage accountservice exposes its own endpoint used to manage the data in that storage service (blobs inBlob Storage, entities in tables, and so on). These service-specific endpoints are not exposedthrough Azure Resource Manager; instead, they are (by default) Internet-facing endpoints.Access to these Internet-facing storage endpoints must be secured, and Azure Storage provides several ways to do so. In this section, we will review the network-level access controls: thestorage firewall and service endpoints. We also discuss Blob Storage access levels. The following sections then describe the application-level controls: shared access signatures and accesskeys. In later sections, we also discuss Azure Storage replication and how to leverage Azure ADauthentication for a storage account.Storage firewallThe storage firewall allows you to limit access to specific IP addresses or an IP address range. Itapplies to all storage account services (blobs, tables, queues, and files). For example, by limitingaccess to the IP address range of your company, access from other locations will be blocked.Service endpoints are used to restrict access to specific subnets within an Azure VNet.To configure the storage firewall using the Azure portal, open the storage account bladeand click Firewalls And Virtual Networks. Under All Access From, click Selected Networksto reveal the Firewall and Virtual Network settings, as shown in Figure 2-1.FIGURE 2-1 Configuring a storage account firewall and virtual network service endpoint accessWhen accessing the storage account via the Internet, use the storage firewall to specify theInternet-facing source IP addresses (for example, 32.54.231.0/24, as shown in Figure 2-1) thatwill make the storage requests. All Internet traffic is denied, except the defined IP addresses64CHAPTER 2  Implement and manage storage9780136805380 print.indb 6430/06/21 4:39 PM

in the storage firewall. You can specify a list of either individual IPv4 addresses or IPv4 CIDRaddress ranges. (CIDR notation is explained in the chapter on Azure Networking.)The storage firewall includes an option to allow access from trusted Microsoft services.These services include Azure Backup, Azure Site Recovery, and Azure Networking. For example, it will allow access to storage for NSG flow logs if the Allow Trusted Microsoft ServicesTo Access This Account exceptions checkbox is selected (see Figure 2-1). It will also allowread-only access to storage metrics and logs.NOTEADDRESS SPACE FOR STORAGE FIREWALLWhen creating a storage firewall, you must use public Internet IP address space. You cannotuse IPs in the private IP address space.Virtual network service endpointsIn some scenarios, a storage account is only accessed from within an Azure virtual network.In this case, it is desirable from a security standpoint to block all Internet access. Configuringvirtual network service endpoints for your Azure Storage accounts allows you to remove accessfrom the public Internet and only allow traffic from a virtual network for improved security.Another benefit of using service endpoints is optimized routing. Service endpoints createa direct network route from the virtual network to the storage service. If forced tunneling isbeing used to force Internet traffic to your on-premises network or to another network appliance, requests to Azure Storage will follow that same route. By using service endpoints, youcan use direct route to the storage account instead of the on-premises route, so no additionallatency is incurred.Configuring service endpoints requires two steps. First, from the virtual network subnet,choose Microsoft.Storage from the Service Endpoints drop-down menu. This creates theroute from the subnet to the storage service but does not restrict which storage account thevirtual network can use. To update the subnet settings, you should choose virtualNetwork1from the Virtual Networks blade. Then go to Subnets in the left pane under Settings. ClickSubnet1 to access the subnet settings. Figure 2-2 shows the subnet settings, including theservice endpoint configuration.The second step is to configure which virtual networks can access a particular storageaccount. From the storage account blade, click Firewalls And Virtual Networks. Under AllAccess From, click Selected Networks to reveal the Firewall and Virtual Network settings,as shown previously in Figure 2-1. Under Virtual Networks, select the virtual networks andsubnets that should have access to this storage account.Skill 2.1: Secure Storage   CHAPTER 29780136805380 print.indb 656530/06/21 4:39 PM

FIGURE 2-2 Configuring a subnet with a service endpoint for Azure StorageBlob Storage access levelsStorage accounts support an additional access control mechanism that is limited only to BlobStorage. By default, no public read access is enabled for anonymous users, and only users withrights granted through RBAC or with the storage account name and key will have access to thestored blobs. To enable anonymous user access, you must change the container access level(see Figure 2-3). The supported levels are as follows: 66Private. With this option, only the storage account owner can access the containerand its blobs. No one else would have access to them.CHAPTER 2  Implement and manage storage9780136805380 print.indb 6630/06/21 4:39 PM

Blob. With this option, only blobs within the container can be accessed anonymously. Container.With this option, blobs and their containers can be accessed anonymously.FIGURE 2-3 Blob Storage access levelsYou can change the access level through the Azure portal, Azure PowerShell, Azure CLI,programmatically using the REST API, or by using Azure Storage Explorer. The access level isconfigured separately on each blob container.A shared access signature token (SAS token) is a URI query string parameter that grantsaccess to specific containers, blobs, queues, and tables. Use an SAS token to grant access to aclient that should not have access to the entire contents of the storage account (and therefore,should not have access to the storage account keys) but still requires secure authentication. Bydistributing an SAS URI to these clients, you can grant them access to a specific resource, fora specified period of time, and with a specified set of permissions. Frequently, SAS tokens areused to read and write the data to users’ storage accounts. Also, SAS tokens are widely used tocopy blobs or files to another storage account.NOTESAS TOKENS USING HTTPSWhen dealing with SAS tokens, you must use only the HTTPS protocol. Because active SAStokens provide direct authentication to your storage account, you must use a secure connection, such as HTTPS, to distribute SAS token URIs.Create and configure storage accountsAzure Storage accounts provide a cloud-based storage service that is highly scalable, available,performant, and durable. Within each storage account, a number of separate storage servicesare provided: Blobs. Provides a highly scalable service for storing arbitrary data objects such as textor binary data.Skill 2.1: Secure Storage   CHAPTER 29780136805380 print.indb 676730/06/21 4:39 PM

Tables. Provides a NoSQL-style store for storing structured data. Unlike a relationaldatabase, tables in Azure storage do not require a fixed schema, so different entries inthe same table can have different fields.Queues.Provides reliable message queueing between application components.Files. Provides managed file shares that can be used by Azure VMs or on-premisesservers.Disks. Provides a persistent storage volume for Azure VM which can be attached as avirtual hard disk.There are three types of storage blobs: Block Blobs, Append Blobs, and Page Blobs. PageBlobs are generally used to store VHD files when deploying unmanaged disks. (Unmanageddisks are an older disk storage technology for Azure virtual machines. Managed disks are recommended for new deployments.)When creating a storage account, there are several options that must be set: PerformanceTier, Account Kind, Replication Option, and Access Tier. There are some interactions betweenthese settings. For example, only the Standard performance tier allows you to choose theaccess tier. The following sections describe each of these settings. We then describe how tocreate storage accounts using the Azure portal, PowerShell, and Azure CLI.Naming storage accountsWhile naming an Azure Storage Account, you need to remember these points: The storage account name must be unique across all existing storage account names inAzure.The name must be between 3 to 24 characters and can contain only lowercase lettersand numbers.Performance tiersWhen creating a storage account, you must choose between the Standard and Premium performance tiers. This setting cannot be changed later. Standard. This tier supports all storage services: blobs, tables, files, queues, andunmanaged Azure virtual machine disks. It uses magnetic disks to provide cost-efficientand reliable storage.Premium. This tie

Skill 5.2: Implement backup and recovery . 365 Create a Recovery Services Vault 366 Create and configure Backup Policy 368 Perform backup and restore operations by using Azure Backup Service 371 Perform site-to-site recovery by using Azure Site Recovery 384