
AZ-900 Certification Prep 5 - Describe Azure compute and networking services

by Hongwoo 2025. 6. 17.

5.1 Describe Azure virtual machines

With Azure Virtual Machines (VMs), you can create and use VMs in the cloud. 

VMs provide IaaS in the form of a virtualized server and can be used like a physical computer, where you can customize all of the software running on it.

An Azure VM gives the flexibility of virtualization without having to buy and maintain the physical hardware that runs the VM.

However, as an IaaS offering, you still need to configure, update, and maintain the software that runs on the VM.

 

VMs are ideal when you need:

- total control over the operating system (OS)

- the ability to run custom software

- to use custom hosting configurations

 

Scale VMs in Azure

You can run single VMs for testing, development, or minor tasks, and you can group VMs together to provide high availability, scalability, and redundancy.

 

Virtual machine scale sets

Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs.

If you simply create many VMs, you need to do all the configuration and monitor them, but with virtual machine scale sets, the process is automated.

Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes.

The number of VM machines can automatically scale in response to demand or you can set it to scale based on a defined schedule.

Virtual machine scale sets also automatically deploy a load balancer to make sure that your resources are being used efficiently.

 

 

Virtual machine availability sets (availability sets are free)

Availability sets ensure a more resilient, highly available environment: they ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure.

Availability sets accomplish these objectives by grouping VMs in two ways: update domains and fault domains.

Update domain: The update domain groups VMs that can be rebooted at the same time. This setup allows you to apply updates while knowing that only one update domain grouping is offline at a time. All of the machines in one update domain update together. An update group going through the update process is given 30 minutes to recover before maintenance on the next update domain starts.

Fault domain: The fault domain groups your VMs by common power source and network switch. By default, an availability set splits your VMs across up to three fault domains, which helps protect against a physical power or networking failure by having VMs in different fault domains (connected to different power and networking resources).
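The two groupings above are easiest to see in a small simulation. The following is an added example, not code from the page or from Microsoft: it places VMs round-robin across update domains and fault domains (a constructed placement rule; the notes only state that an availability set uses up to three fault domains by default, and the default of five update domains is an assumption here), then shows what survives a single fault-domain failure and how much of the set is offline during each update wave, compared with VMs that share one power source and one maintenance group.

```python
"""Simulation of how an availability set spreads VMs across update domains (UDs) and fault domains (FDs)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Placement:
    vm: str
    update_domain: int
    fault_domain: int


def place_vms(vm_names: List[str], update_domains: int = 5, fault_domains: int = 3) -> List[Placement]:
    """Round-robin placement: VM i goes to UD (i mod update_domains) and FD (i mod fault_domains).
    The round-robin rule and the default of 5 UDs are constructed for this simulation; the notes
    above only state that an availability set uses up to three fault domains by default."""
    return [Placement(name, i % update_domains, i % fault_domains) for i, name in enumerate(vm_names)]


def place_without_availability_set(vm_names: List[str]) -> List[Placement]:
    """Worst case for comparison: every VM shares one rack (FD 0) and one maintenance group (UD 0)."""
    return [Placement(name, 0, 0) for name in vm_names]


def survivors_after_fault(placements: List[Placement], failed_fault_domain: int) -> List[str]:
    """VMs still running after the power/network behind one fault domain fails."""
    return [p.vm for p in placements if p.fault_domain != failed_fault_domain]


def rolling_update_waves(placements: List[Placement]) -> List[List[str]]:
    """One reboot wave per update domain: only the VMs in the current UD are offline at a time."""
    waves: Dict[int, List[str]] = {}
    for p in placements:
        waves.setdefault(p.update_domain, []).append(p.vm)
    return [waves[ud] for ud in sorted(waves)]


def max_fraction_offline_during_update(placements: List[Placement]) -> float:
    """Largest share of the set that is down in any single update wave."""
    return max(len(wave) for wave in rolling_update_waves(placements)) / len(placements)


if __name__ == "__main__":
    vms = [f"web-{i}" for i in range(6)]  # constructed VM names
    for label, ps in (("availability set", place_vms(vms)),
                      ("no availability set", place_without_availability_set(vms))):
        print(label, "| FD 0 fails ->", survivors_after_fault(ps, 0),
              "| max offline per update wave:", max_fraction_offline_during_update(ps))
```

With six VMs, losing fault domain 0 leaves four running and no update wave takes down more than a third of the set; without the availability set a single failure or update wave takes all of them.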

 

Examples of when to use VMs

During testing and development: VMs can create different OS and application configurations and can be deleted easily when they are no longer needed.

When running applications in the cloud: The ability to run certain applications in the public cloud as opposed to creating a traditional infrastructure to run them can provide substantial economic benefits (e.g. might need to handle fluctuations in demand).

When extending your datacenter in a cloud: 

During disaster recovery: running the recovery environment in the cloud can save money.

 

VM resources:

- Size (purpose, number of processor cores, amount of RAM)

- Storage disks (hard disk drives, solid state drives, etc)

- Networking (virtual network, public IP address, and port configurations)

 

 

 

Describe Azure virtual desktop

Azure Virtual Desktop is a desktop and application virtualization service that runs on the cloud.

It enables you to use a cloud-hosted version of Windows from any location.

Azure Virtual Desktop works across devices and operating systems, and works with apps that you can use to access remote desktops or most modern browsers.

 

 

Enhance security - Remote desktop infrastructure and remote users

Azure Virtual Desktop provides centralized security management for users' desktops with Microsoft ID.

You can enable multifactor authentication to secure user sign-ins and also secure access to data by assigning granular role-based access controls (RBACs) to users.

With Azure Virtual Desktop, the data and apps are separated from the local hardware.

The actual desktop and apps are running in the cloud, meaning the risk of confidential data being left on a personal device is reduced.

Additionally, user sessions are isolated in both single and multi-session environments.

 

 

 

Describe Azure containers

While VMs are a good way to reduce costs versus the investments that are necessary for physical hardware, they are limited to a single OS per virtual machine.

If you want to run multiple instances of an application on a single host machine, containers are a good choice.

 

What are containers?

Containers are a virtualization environment. Much like running multiple VMs on a single physical host, you can run multiple containers on a single physical or virtual host.

Unlike VMs, you don't manage the OS for a container; they appear to be an instance of an OS that you can connect to and manage.

Containers are lightweight and designed to be created, scaled out, and stopped dynamically.

It's possible to create and deploy VMs as application demand increases, but containers are a lighter weight, more agile method.

Containers are designed to allow you to respond to changes on demand.

With containers, you can quickly restart if there's a crash or hardware interruptions.

 

Azure Container Instances

Azure Container Instances offer the fastest and simplest way to run a container in Azure without having to manage any VMs or adopt any additional services.

Azure Container Instances are a platform as a service (PaaS) offering.

Azure Container Instances allow you to upload your containers and then the service runs the containers for you.

 

Azure Container Apps

Azure Container Apps are similar in many ways to a container instance: they allow you to get up and running right away, they remove the container management piece, and they are a PaaS offering.

Container Apps have extra benefits such as the ability to incorporate load balancing and scaling.

 

Azure Kubernetes Service

Azure Kubernetes Service (AKS) is a container orchestration service. 

An orchestration service manages the lifecycle of containers → makes management simpler and more efficient

 

Use containers in your solutions

Containers are often used to create solutions by using a microservice architecture (you break solutions into smaller, independent pieces).

E.g. Split website into a container hosting front end and another hosting back end and a third for storage.

With containers, you can scale the back-end separately to improve performance, and you can change one component without affecting other components.

 

 

Describe Azure functions

Azure Functions is an event-driven, serverless compute option that doesn't require maintaining VMs or containers. 

If you build an app using VMs or containers, those resources have to be running in order for your app to function, but with Azure Functions, an event wakes the function, alleviating the need to keep resources provisioned when there are no events.

Using Azure Functions is ideal when you are only concerned about the code running your service and not about the underlying platform or infrastructure.

Functions are commonly used when you need to perform work in response to an event (e.g. a REST request), a timer, or a message from another Azure service, and when that work can be completed quickly.

 

Serverless computing in Azure

Serverless computing: the responsibility of managing servers is handled for you, so infrastructure concerns are taken off your hands.

 

Benefits of Azure Functions

- Functions scale automatically based on demand

- Azure Functions runs your code when it triggers and automatically deallocates resources when the function is finished, so Azure only charges you for the CPU time used while your function runs

- Functions can be either stateless or stateful. When they are stateless (default), they behave as if they restart every time they respond to an event. When they are stateful (Durable Functions), a context is passed through the function to track prior activity.

- Functions are a key component of serverless computing. This flexibility allows you to manage scaling, run on virtual networks, and even completely isolate the functions.

 

 

Describe application hosting options

If you need to host your application on Azure, both VMs and containers provide excellent hosting solutions.

VMs give you maximum control of the hosting environment and allow you to configure it exactly how you want.

Containers provide the ability to isolate and individually manage different aspects of the hosting solution.

There are other hosting options that you can use with Azure, including Azure App Service.

 

Azure App Service

App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs without managing infrastructure.

It offers automatic scaling and high availability.

Azure App Service lets you focus on building and maintaining your app, and Azure focuses on keeping the environment up and running.

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. It supports many languages and both Windows and Linux environments.

 

Types of app services

With App Service, you can host the following:

Web apps: hosting web apps

API apps: REST-based web APIs

WebJobs: WebJobs feature to run a program, which can be scheduled or run by a trigger (often background tasks)

Mobile apps: iOS and Android apps

 

App Service handles most of the infrastructure matters:

- Deployment and management are integrated into the platform

- Endpoints can be secured

- Sites can be scaled quickly to handle high traffic loads

- The built-in load balancing and traffic manager provide high availability

 

 

 

Describe Azure virtual networking

Azure virtual networks and virtual subnets enable Azure resources, such as VMs, web apps, and DBs, to communicate with each other, with users on the internet, and with your on-premises client computers.

Azure virtual networks provide the following key networking capabilities:

- Isolation and segmentation

- Internet communications

- Communicate between Azure resources

- Communicate with on-premises resources

- Route network traffic

- Filter network traffic

- Connect virtual networks

 

Azure virtual networking supports both public and private endpoints to enable communication between external or internal resources with other internal resources.

- Public endpoints have a public IP address and can be accessed from anywhere in the world

- Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.

 

Isolation and segmentation

Azure virtual network allows you to create multiple isolated virtual networks.

When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges.

The IP range only exists within the virtual network and isn't internet routable.

You can divide that IP address space into subnets and allocate part of the defined address space to each named subnet.

You can also configure the virtual network to use either an internal or an external DNS server.
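Defining an address space and dividing it into named subnets is the part of this section that is worth doing by hand once. The code below is an added example, not from the page or from Azure's own tooling: it takes a VNet address space and a plan of subnet names with prefix lengths, allocates each subnet first-fit without overlap (a constructed allocation rule), flags whether the space is an RFC 1918 private range, and counts usable addresses per subnet. The five-address-per-subnet reservation is documented Azure behaviour that the notes above do not mention.

```python
"""Carve a virtual network address space into named, non-overlapping subnets."""
import ipaddress
from typing import Dict

IPv4Net = ipaddress.IPv4Network

# RFC 1918 private ranges. A VNet may also use public ranges; either way the range
# only exists inside the VNet and is not internet-routable, as the notes above say.
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def carve_subnets(address_space: str, plan: Dict[str, int]) -> Dict[str, IPv4Net]:
    """Allocate each named subnet at the requested prefix length, first-fit, without overlap.
    `plan` maps subnet name -> prefix length and is honoured in insertion order."""
    space = ipaddress.ip_network(address_space)
    allocated: Dict[str, IPv4Net] = {}
    for name, prefix in plan.items():
        if prefix < space.prefixlen:
            raise ValueError(f"/{prefix} is larger than the address space {space}")
        candidates = [space] if prefix == space.prefixlen else space.subnets(new_prefix=prefix)
        for candidate in candidates:
            if not any(candidate.overlaps(used) for used in allocated.values()):
                allocated[name] = candidate
                break
        else:
            raise ValueError(f"no room left in {space} for subnet {name} as /{prefix}")
    return allocated


def azure_usable_addresses(subnet: IPv4Net) -> int:
    """Azure reserves five addresses in every subnet (network address, three for platform
    use, broadcast). This is documented Azure behaviour, not something stated on the page."""
    return subnet.num_addresses - 5


if __name__ == "__main__":
    # Constructed plan: a front-end tier, a back-end tier and a small storage subnet.
    plan = {"frontend": 24, "backend": 24, "storage": 26}
    space = "10.0.0.0/16"
    print(space, "private:", is_rfc1918(space))
    for name, net in carve_subnets(space, plan).items():
        print(f"{name:9} {net}  usable addresses: {azure_usable_addresses(net)}")
```

Running it prints 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/26; asking for more /17 subnets than a /16 can hold raises a ValueError instead of silently overlapping.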

 

Internet communications

You can enable incoming connections from the internet by assigning a public IP address to an Azure resource, or putting the resource behind a public load balancer.

 

Communicate between Azure resources

Azure resources can communicate in one of two ways:

- Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.

- Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.

 

Communicate with on-premises resources

Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription: you can create a network that spans both your local and cloud environments.

Three mechanisms to achieve this:

- Point-to-site virtual private network connections are from a computer outside your organization back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.

- Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network → the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.

- Azure ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over the internet. ExpressRoute is useful when you need greater bandwidth and even higher levels of security.

 

Route network traffic

Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. 

 

Filter network traffic

 

Connect virtual networks

 

 

 

Describe Azure virtual private networks

A virtual private network (VPN) uses an encrypted tunnel within another network. VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (the public internet).

Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.

VPNs can enable networks to safely and securely share sensitive information.

 

VPN gateways

A VPN gateway is a type of virtual network gateway.

Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:

- Connect on-premises datacenters to virtual networks through a site-to-site connection

- Connect individual devices to virtual networks through a point-to-site connection

- Connect virtual networks to other virtual networks through a network-to-network connection

 

All data transfer is encrypted inside a private tunnel as it crosses the internet. 

You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect multiple locations, which includes other virtual networks or on-premises datacenters.

When setting up a VPN gateway, you must specify the type of VPN - either policy-based or route-based.

- Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted through each channel. The gateway evaluates every data packet against those sets of IP addresses to choose the tunnel that the packet is going to be sent through.

- Route-based gateways: IP routing decides which one of the tunnel interfaces to use when sending each packet. These are more resilient to topology changes such as the creation of new subnets.
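The difference between the two VPN types, and why route-based gateways cope better with a new subnet, can be shown with a small model of each selection rule. This is an added example, not code from the page or from Azure: the policy-based model holds static (local, remote) prefix pairs per tunnel, the route-based model holds a routing table with longest-prefix match, and the scenario (tunnel names, 192.168.1.0/24 on-premises, a 10.0.0.0/16 VNet, a subnet 10.0.2.0/24 created after the gateways were configured) is constructed.

```python
"""Model of how policy-based and route-based VPN gateways pick a tunnel for a packet."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


class PolicyBasedGateway:
    """Static traffic selectors: a packet goes through a tunnel only if its source and
    destination both fall inside a (local, remote) prefix pair configured for that tunnel."""

    def __init__(self) -> None:
        self.selectors: List[Tuple[Net, Net, str]] = []

    def add_selector(self, local: str, remote: str, tunnel: str) -> None:
        self.selectors.append((ipaddress.ip_network(local), ipaddress.ip_network(remote), tunnel))

    def select_tunnel(self, src: str, dst: str) -> Optional[str]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for local, remote, tunnel in self.selectors:
            if s in local and d in remote:
                return tunnel
        return None  # no selector matches: the packet is not carried by any tunnel


class RouteBasedGateway:
    """Tunnels are interfaces; a routing table with longest-prefix match decides which one."""

    def __init__(self) -> None:
        self.routes: List[Tuple[Net, str]] = []

    def add_route(self, destination: str, tunnel: str) -> None:
        self.routes.append((ipaddress.ip_network(destination), tunnel))

    def select_tunnel(self, src: str, dst: str) -> Optional[str]:
        d = ipaddress.ip_address(dst)
        matches = [(net, tunnel) for net, tunnel in self.routes if d in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # most specific route wins


def build_demo_gateways() -> Tuple[PolicyBasedGateway, RouteBasedGateway]:
    """Constructed scenario: on-premises 192.168.1.0/24 reaches the VNet 10.0.0.0/16 over
    tunnel-1, while the more specific 10.0.5.0/24 is carried by tunnel-2."""
    policy = PolicyBasedGateway()
    policy.add_selector("192.168.1.0/24", "10.0.1.0/24", "tunnel-1")
    policy.add_selector("192.168.1.0/24", "10.0.5.0/24", "tunnel-2")
    route = RouteBasedGateway()
    route.add_route("10.0.0.0/16", "tunnel-1")
    route.add_route("10.0.5.0/24", "tunnel-2")
    return policy, route


if __name__ == "__main__":
    policy, route = build_demo_gateways()
    # 10.0.2.4 sits in a subnet created after the gateways were configured: the policy-based
    # gateway has no selector for it, the route-based gateway still covers it via 10.0.0.0/16.
    for dst in ("10.0.1.4", "10.0.5.9", "10.0.2.4"):
        print(dst, "policy-based:", policy.select_tunnel("192.168.1.10", dst),
              "route-based:", route.select_tunnel("192.168.1.10", dst))
```

For the existing subnets both gateways agree; for the new subnet the policy-based gateway returns no tunnel until an operator adds a selector, while the route-based gateway already has a covering route.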

 

A route-based VPN gateway is preferred for the following types of connectivity:

- Connections between virtual networks

- Point-to-site connections

- Multisite connections

- Coexistence with an Azure ExpressRoute gateway

 

High-availability scenarios

To maximize the resiliency of your VPN gateway:

 

Active/standby

By default, VPN gateways are deployed as two instances in an active/standby configuration. 

When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention.

 

Active/active

You assign a unique public IP address to each instance and create separate tunnels from the on-premises device to each IP address. 

You can extend the high availability by deploying an additional VPN device on-premises.

 

ExpressRoute failover

Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. 

ExpressRoute circuits have resiliency built in, but they are not immune to physical problems that affect the cables or outages that affect the complete ExpressRoute location.

To cover the risk of an ExpressRoute circuit outage, you can also set up a VPN gateway that uses the internet as an alternative method of connectivity, so that there is always a connection to the virtual networks.

 

 

 

Describe Azure ExpressRoute

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection called an ExpressRoute circuit.

With ExpressRoute, you can establish connections to Microsoft cloud services.

This feature allows you to connect offices, datacenters, or other facilities to the Microsoft cloud.

Each location would have its own ExpressRoute circuit.

With ExpressRoute, your data doesn't travel over the public internet, reducing the risks associated with internet communications.

ExpressRoute is a private connection from your on-premises infrastructure to your Azure infrastructure.

 

Features and benefits of ExpressRoute:

 

1. Connectivity to Microsoft cloud services across all regions in the geopolitical region

ExpressRoute enables direct access to the following services in all regions:

- Microsoft Office 365

- Microsoft Dynamics 365

- Azure compute services, such as Azure VMs

- Azure cloud services, such as Azure Cosmos DB and Azure Storage

 

2. Global connectivity

You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits.

E.g. Office in Asia and datacenter in Europe. You can use ExpressRoute Global Reach to connect those two facilities, allowing them to communicate without transferring data over the public internet.

 

3. Dynamic routing

ExpressRoute uses BGP (Border Gateway Protocol), which enables dynamic routing between your on-premises network and services running in the Microsoft cloud.

 

4. Built-in redundancy

Each connectivity provider uses redundant devices to ensure that the connections are highly available.

 

 

 

Describe Azure DNS

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.

 

Benefits of Azure DNS

1. Reliability and performance

DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers, providing resiliency and high availability.

Azure DNS uses anycast networking, so the closest available DNS server answers each DNS query, providing fast performance and high availability.

 

2. Security

Azure DNS is based on Azure Resource Manager, which provides features such as:

- Azure role-based access control (Azure RBAC) to control who has access to specific actions for your organization.

- Activity logs to monitor

- Resource locking to lock a subscription, resource group, or resource to prevent users from accidentally deleting or modifying critical resources.

 

3. Ease of use

Integrated in the Azure portal → easy to use

 

4. Customizable virtual networks with private domains

Azure DNS also supports private DNS domains, which allows custom domain names.

 

5. Alias records

You can use an alias record set to refer to an Azure resource, which points to the service instance, and the service instance is associated with an IP address.

 

 

Module assignment

1. Which Azure Virtual Machine feature staggers updates across VMs based on their update domain and fault domain?

Availability sets

 

2. Which Azure service allows users to use a cloud hosted version of Windows from any location and connect from most modern browsers?

Azure Virtual Desktop

 

3. If you need connections between virtual networks, point-to-site connections, multisite connections, or coexistence with an Azure ExpressRoute gateway, which type of VPN gateway should you use?

Route-based VPN gateway
