Azure Administrator Associate (AZ-104)

 

 

 

Welcome to the Azure Administrator Associate (AZ-104) Certification Course!

 

I am excited to have you embark on this journey to mastering Microsoft Azure administration.
This course is designed to help you build real-world skills while preparing you to successfully pass the AZ-104 certification exam.

Throughout the modules, you will:

  • Learn how to manage Azure identities and governance
  • Implement and manage storage solutions
  • Deploy and manage Azure compute resources
  • Configure and manage virtual networking
  • Monitor and back up Azure resources effectively

 

Whether you’re aiming to kickstart your career in cloud computing or advance your existing skills, this course will give you the hands-on experience, best practices, and confidence you need to excel as an Azure Administrator.

 

So, get ready to dive deep into the Azure portal, CLI, and automation tools, practice with real-life scenarios, and move one step closer to becoming a certified Azure professional.

 

Let’s begin your cloud journey — Welcome aboard!

 

 

 

Contents

Chapter 1:

Setting up Azure free account

Create a budget in Azure account

Azure Core Services

Programming and Scripting in Azure

 

Chapter 2:

Manage Azure Active Directory

Role Based Access Control (RBAC)

 

Chapter 3:

Manage Subscriptions and Governance

Create and Configure Storage Accounts

Import and export data to Azure

AZCopy : Upload and Download files from or to Azure Storage account using AZcopy

Implement Azure Backup and Recovery

Azure Virtual Machines

 

Chapter 4:

Monitoring CPU and Memory Utilization in Azure

Autoscale Azure Virtual Machine Scale Set

Auto-Stop Virtual Machines based on CPU utilization

 

Chapter 5:

Virtual Network Peering and VNet-to-VNet VPN gateway connection:

Azure App Services

Create a Web App

Scaling Web apps

Backup Web apps

Azure Kubernetes Services (AKS)

Create Azure Firewall

Implement and Manage Virtual Networking 

Configure Load Balancing

 

Chapter 6:

Monitor and Troubleshoot Virtual Networking

Monitor Resources by using Azure Monitor

 

Chapter 7:

Azure Update Manager

 

Chapter 8 :

Configure and Trigger Backup for SAP HANA

 

Chapter 9 :

SLES 12 SP5 to SLES 15 SP5 Upgrade of Azure Systems

De-Register and Register in SUSE Manager

Changing the swap space for Cloud-init Virtual machines

 

 

 

 

 

 

 

Chapter 1 : Setting up Azure free account:

 

An Azure Free Account is Microsoft’s way of letting you try its cloud services without paying upfront, giving you credits, free services, and a safe environment to learn or test projects.

Creating the free Azure account:

  1. Go to https://azure.microsoft.com/free.
  2. Click on the “Start for free” button.
  3. You will be redirected to a sign-in form. You need a Microsoft account.
  4. After successful authorization, you will be redirected to the identity verification by card form.
  5. Click “Sign up” and your Azure account is created.

On first Azure registration, Microsoft provides free credits and services:

  1. Microsoft will give you €170 or $200 free credit for the duration of 30 days. When your first month ends (30 days), the credit expires and you will be asked to choose one of the available subscriptions.
  2. It provides 12 months of popular services for free.
  3. It gives 25 services independently for free. The offer might differ in different regions.
  4. Each Microsoft account or Microsoft service is associated with Azure Active Directory (AAD). AAD is Microsoft’s cloud-based identity and access management service; its directory name ends with the onmicrosoft.com suffix. You can see the name of your AAD by clicking your name at the top right corner and then clicking the switch directory link. AAD will create a directory (tenant) for your ID.

 

Create a budget in Azure account:

In an Azure account, a budget is a cost management tool that lets you set a spending limit or target so you can track and control your Azure expenses.

Go to subscription > Go to budget > Enter unique name

Give the threshold value as 100%

Provide the recipient's email ID to get notified once spending reaches 100% of the budget amount

 

Azure Core Services:

  1. Virtual Machines
  2. Virtual Networking
  3. Storage

Virtual Machines: Linux or Windows:

You can deploy Linux or Windows virtual machines and connect to them using RDP/SSH.

Windows: RDP, Linux: SSH

You can install third-party software, patches, updates, load balancers, etc.

VMs can be deployed through Azure Batch, VM scale sets, Azure Kubernetes Services, Service Fabric

App Services: .NET, .NET Core, Java, Ruby, etc.

Azure Virtual Networking :

  1. Virtual Network
  2. ExpressRoute: WAN, a faster way of encrypted transmission (high cost)
  3. VPN Gateway – VPN encrypted Gateway
  4. Azure DNS: Public/ Private Domain Name 
  5. Peering: Network Connection between one region to other region
  6. Bastion: Allows RDP without RDP port/ software

Network Security :

  1. Network Security Group (NSG) – Access control
  2. Azure Private Link
  3. Distributed Denial of Service (DDoS)
  4. Azure Firewall
  5. Web App Firewall (WAF)
  6. Virtual End Points
  7. Network Delivery
  8. Content Delivery Network (CDN)

Azure Storage:

Managed disks are managed by Microsoft Azure, and you don't need a storage account when creating a new disk.

For unmanaged disks, you must create a storage account in your resources to hold the disks (VHD files) for your virtual machines.

You can create Azure storage up to 5 PB. Blobs, queues, tables and files each replicate from local to global (2 copies of files).

There are 3 types of storage tiers: Hot, Cool, Archive

  1. Hot: Most recently used files
  2. Cool: Rarely used files
  3. Archive: Files that can be archived

Databases used: MongoDB, MariaDB, SQL DB…

Microservices: Microservices are built-in Azure applications that can be used as a template.

Monitoring Services :

  1. Network Watcher 
  2. Expressroute Monitoring
  3. Azure Monitoring

Programming and Scripting in Azure: 

There are 2 types of scripting used in Azure:

  1. PowerShell
  2. Bash/CLI

PowerShell example:

Get-AzVm

New-AzVm

Get-AzVirtualNetwork

New-AzVirtualNetwork

Remove-AzVirtualNetwork

Bash/CLI commands example:

  • az vm list
  • az vm create
  • az vm delete
  • az keyvault create
  • az keyvault delete
  • az network vnet list
  • az network vnet create
  • az network vnet delete
  • az network vnet subnet list
  • az network vnet subnet create 
  • az network vnet subnet delete



You can use Azure Cloud Shell at:

https://portal.azure.com/#cloudshell/

(or) Go to the Azure portal and select Cloud Shell.

Select Bash or PowerShell.

Use the drop-down to switch between Bash and PowerShell.

 

Chapter 2 :

Manage Azure Active Directory:

AD Licensing:

Azure AD licensing refers to the different subscription tiers of Microsoft Entra ID (formerly Azure Active Directory) that determine what identity and access management features you get in Azure and Microsoft 365.

  1. Free Licensing
  2. Office 365 apps
  3. Premium P1
  4. Premium P2

https://docs.microsoft.com/en-in/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication.

Every Azure AD has a unique tenant. When you create an Azure account, it automatically creates a tenant for you. Tenant refers to your organisation name or public domain, e.g. xyz.example.com. If no domain is specified, it will be assigned as example.onmicrosoft.com.

  • More than one account can be owner in tenant 
  • More than one subscription can be used for a tenant

AD Accounts/ Users:

An AD account user can be an individual's mail ID / MFA

Application Managed identity: It can be a program or service

Creating an AD in Azure:

Azure AD is a sign-in directory for on-premises AD



Diagram: User computer → Azure AD → On-Premises Active Directory



Go to Home > Click on Azure Active Directory from the left menu items > Manage Tenants > Click on Create > Azure Active Directory > On the configuration tab, provide Organisation Name, Domain Name, Region > Create

Switch between Azure AD tenants:

Go to Azure AD > Manage Tenants>Select the AD account you wish to switch and click on switch tenants.

Add Custom Domain:

If you have a custom domain, you can make it your primary domain in place of the Azure default domain.

Go to Azure AD > Click on Custom Domain Names from the left menu items > Add Custom Domain (e.g. xyz.com)

Once you create a custom domain you will get TXT and MX DNS records. You will need to register the TXT or MX record with a domain registrar such as namecheap.com or godaddy.com. Once it is successfully registered, the custom domain name status will show as verified.

Go to the verified custom domain and click on Make Primary. To validate the custom domain you created, go to AD and create a user. You should now see your new custom domain along with the AD default directory.

Azure AD Administrative Units:

Administrative units provide specified permissions to a selected set of people in your organisation and restrict access for others.

Go to Azure AD > Click Administrative Units from the left menu items > Click on Add

In the Properties tab > Provide the administrative unit name and description

In the Assign roles tab you can see the default roles assigned to administrative tasks

 

Click on Create. You are done!!

Manage Azure AD Objects:

Creating Groups in AD : Go to Azure AD>Click on groups>New Group>select type Security>

Provide group name and description> Membership type: Assigned>Select owners and Members to the group and create. 

  • Owners: AD users can be the owners to the groups
  • Members: Program / Service and the users can be the members to the groups



You can also select Dynamic as the membership type.

A dynamic group is a rule-based group, for example one based on the display name:

Example: If the rule matches the display name prefix “Muthu”, all user accounts whose display name starts with “Muthu” are automatically added to the group.

Creating New User in AD:

Go to Azure AD> Click on users> New user> Fill up the details 

Provide the user role and groups you want to add the user to. Click on create

Inviting external user to AD tenant account:

Go to Azure AD > Users > New Guest User. You will land on the invitation page.

Send an invite to the new user: provide the user's mail ID and add a message. Once the user accepts the invite, they are added to the AD tenant.

Self-Service password reset:

The self-service password reset requires a premium account subscription.

  • Enable self-service password reset for a group of Azure AD users
  • Set up authentication methods and registration options
  • Test the SSPR process as a user

Self-Service password reset for groups:

Self-Service authentication methods for users:

Once you have enabled the self-service password reset option, users can access the Azure portal through a web browser and easily reset their Azure AD password.

Manage Devices to AD:

You can connect your personal device to Azure AD. Here is an example:

How to connect your Windows 10 PC to Azure AD.

In Windows 10, open the “Access Work or School” option > Click on Connect (+) > Add your Microsoft tenant user account and password.

Once your account is successfully verified, the device will be added to your Azure tenant.

Go to Azure AD > Devices > All Devices > Verify that your device has been added to AD.

You can enable or disable the device at any time from AD, until you disconnect or remove the added AD account from your device.

Bulk Upload/ Download in Azure AD:

Azure provides an option to bulk upload/download users to/from AD.

Go to AD> Users> Click on Bulk operations

Here you can download the given template and do the required operations. 

ROLE BASED ACCESS CONTROL (RBAC):

RBAC provides access to computers or resources based on the roles of users in the organisation.

Go to Resource groups > Select the resource group > Click on Access control (IAM) > In the right corner, select Add role assignment > Select the role > Add members > Review and assign.

Assigning roles to the users: 

Go to Azure AD> Roles and Administrators> Select the role you want to grant to the user from the list>Go to role description and end …>Click on assignments> Add Assignments>Select the user and add

To verify Go to Azure AD> Select the user and check the Assigned roles

Creating Custom Role:

Go to Resource groups > Select the resource group > Click on Access control (IAM) > At the bottom right, click on Create custom role

To create a custom role you can clone any existing role or start from scratch.

Once you have created a custom role, go to Resource groups > Select the resource group > Click on Access control (IAM) > Roles. Your new custom role is listed here.

Select the custom role > View > Select Assignments (3rd tab) > Click on Add Assignments

Add members/groups and assign
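A custom role cloned from an existing role often keeps wildcard actions it does not need, so it is worth reviewing the definition before assigning it. The following is an added example, not part of the original course material: it audits a role definition in Azure's JSON shape, applying the Actions minus NotActions rule. The sample role, the placeholder subscription ID, the list of sensitive operations and the severity labels are assumptions made for the illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the JSON shape Azure uses for custom role definitions.
# The subscription ID is a placeholder and the role itself is hypothetical.
SAMPLE_ROLE = json.loads("""
{
  "Name": "VM Operator (custom)",
  "IsCustom": true,
  "Description": "Start, restart and read virtual machines.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
""")

# Operations chosen for this example as worth an explicit review (assumption).
SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "can grant any role to any principal",
    "Microsoft.Authorization/roleDefinitions/write": "can create or widen role definitions",
    "Microsoft.Authorization/locks/delete": "can remove resource locks",
    "Microsoft.Storage/storageAccounts/listKeys/action": "can read storage account access keys",
}


def is_granted(operation, actions, not_actions):
    """Effective permission: matches an Actions pattern and no NotActions pattern.

    '*' is the wildcard; both sides are lower-cased so the comparison
    is case-insensitive.
    """
    op = operation.lower()
    allowed = any(fnmatchcase(op, p.lower()) for p in actions)
    excluded = any(fnmatchcase(op, p.lower()) for p in not_actions)
    return allowed and not excluded


def audit_role(role):
    """Return (severity, subject, reason) tuples for a role definition dict."""
    findings = []
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])

    for operation, reason in SENSITIVE_OPERATIONS.items():
        if is_granted(operation, actions, not_actions):
            findings.append(("HIGH", operation, reason))

    if any(p.strip() == "*" for p in actions):
        findings.append(("MEDIUM", "*", "every management operation is allowed; list the ones needed"))

    for scope in role.get("AssignableScopes", []):
        segments = [s for s in scope.split("/") if s]
        if not segments:
            findings.append(("HIGH", scope, "assignable at the root scope"))
        elif len(segments) == 2 and segments[0].lower() == "subscriptions":
            findings.append(("INFO", scope, "assignable across the whole subscription; a resource group scope is narrower"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in audit_role(SAMPLE_ROLE):
        print(f"{severity:6} {subject}: {reason}")
```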

Chapter 3 :

Manage Subscriptions and Governance :

  1. Accounts 
  2. Subscriptions
  3. Resource Groups

Accounts: An Azure AD account is an individual account / MFA

Subscriptions: Free, Pay-As-You-Go, Enterprise agreements

Resource Groups: Resource groups are collections of resources

Expected resources: VM, Web app, storage, ...

Unexpected (auto-created) resources: Public IP address, Network interface card, NSG



Subscription Dashboard: 

In Azure, the Subscription Dashboard is essentially your control panel for managing the subscription you’re using — whether it’s a Free Trial, Pay-As-You-Go, or an Enterprise Agreement subscription.

Go to Subscriptions > Select Subscription > Cost Analysis

On this page you can see which resources account for more or less of the cost in your subscription.

Assign Administrator to Subscription:

Go to Subscriptions > Select Subscription > Access Control (IAM) > Add Role assignment

Here you can assign a role to users or groups in AD.

Cost center and tagging:

Go to Cost Management + Billing > Cost Management > Cost Analysis

Resource Groups and Locks:

Resource locks let administrators prevent deletion or modification of resources. A lock also restricts access to resources for all users.

Go to Resource groups>Locks>Click on add to create a lock for resources 

 

Azure Policy:

Azure Policy is a service in Microsoft Azure that lets you create, assign, and enforce rules (called policies) to make sure your Azure resources follow your organization’s standards and compliance requirements. You can assign an Azure policy according to your company standard. Example: if your company requires VMs to be created with limited parameters because of cost constraints, you can set a policy that restricts users to creating VMs with a limited parameter set (VM size).

Go to Policy > Click on Assignments > Assign Policy > Fill in the details and create one.

 

One of the examples below:

 

Move Resources between regions:

Go to Resource group > Select resource > Click on Move to another resource group

Once it has successfully moved to the other resource group, go to the resource > Properties > Validate the resource ID.

Subscriptions and Management:

Change the name of the subscription

Go to Subscriptions > Select the subscription > Click on Rename > Enter the new name and save.

Create and Configure Storage Accounts:

In Azure, a Storage Account is the container that holds all your storage data objects — like blobs (files), queues, tables, and disks — in the Azure cloud

To create a storage account:

Go to Storage accounts > Create

Fill in Subscription, Resource group, Storage name, Region

Performance: Standard (General Purpose v2)

Redundancy:

  1. Geo (will have secondary storage / copy of storage)
  2. LRS: Will have 2 additional copies (locally) in the same region
  3. GRS: Will have 6 copies of your files
  4. ZRS: Will have a copy in a separate data centre
  5. GZone: Combination of GRS and ZRS

  1. Require secure transfer for REST API operations: HTTPS-enabled secure transfer
  2. Enable infrastructure encryption: Double encryption
  3. Enable blob public access: Provides public access to storage
  4. Enable storage account key access: Key-based access

Select the latest TLS version

Select tier Hot or Cool

Networking tab > Public endpoint for all networks

Network Routing > Microsoft network routing

Microsoft network routing: Microsoft global network (region to region), paid service

Internet routing: Internet routing from router to router (free service), not recommended

Provide the retention policies in Data protection. Add tags if required and click on “Review + create”
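The security options chosen during creation (secure transfer, TLS version, blob public access, key access, infrastructure encryption, network exposure) can be verified afterwards from the account's properties. The following is an added example, not part of the original course material: it checks a dictionary shaped like the JSON printed by `az storage account show` against a hardened baseline. The sample values and the choice of what counts as hardened are assumptions; an account that still relies on access keys or key-signed SAS has to keep key access enabled.

```python
import json
import re

# Constructed sample shaped like the JSON printed by `az storage account show`.
# The account name reuses the page's example; all values are made up.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "mystorageaccount",
  "kind": "StorageV2",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null,
  "encryption": {"requireInfrastructureEncryption": null},
  "networkRuleSet": {"defaultAction": "Allow"}
}
""")


def dig(obj, *keys):
    """Walk nested dicts, returning None if any level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def tls_at_least_1_2(value):
    """True for values such as 'TLS1_2'; False for older versions or None."""
    match = re.fullmatch(r"TLS(\d+)_(\d+)", value or "")
    return bool(match) and (int(match[1]), int(match[2])) >= (1, 2)


# (portal setting, JSON path, predicate that means "hardened", what a failure means)
CHECKS = [
    ("Require secure transfer", ("enableHttpsTrafficOnly",),
     lambda v: v is True, "plain HTTP requests are accepted"),
    ("Minimum TLS version", ("minimumTlsVersion",),
     tls_at_least_1_2, "clients may negotiate TLS older than 1.2"),
    ("Enable blob public access", ("allowBlobPublicAccess",),
     lambda v: v is False, "not explicitly disabled; containers may allow anonymous reads"),
    ("Enable storage account key access", ("allowSharedKeyAccess",),
     lambda v: v is False, "account keys and key-signed SAS are accepted"),
    ("Enable infrastructure encryption", ("encryption", "requireInfrastructureEncryption"),
     lambda v: v is True, "single encryption layer; this can only be chosen at creation"),
    ("Public endpoint for all networks", ("networkRuleSet", "defaultAction"),
     lambda v: v == "Deny", "the public endpoint accepts traffic from any network"),
]


def audit_storage_account(account):
    """Return one finding dict per setting that is not in its hardened state."""
    findings = []
    for setting, path, hardened, note in CHECKS:
        value = dig(account, *path)
        if not hardened(value):
            findings.append({
                "setting": setting,
                "property": ".".join(path),
                "value": value,
                "note": note,
            })
    return findings


if __name__ == "__main__":
    for f in audit_storage_account(SAMPLE_ACCOUNT):
        print(f"{f['setting']} ({f['property']}={f['value']!r}): {f['note']}")
```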

 

Access Keys and SAS:

In Azure Storage, Access Keys and SAS (Shared Access Signatures) are two different ways to authenticate and authorize access to your storage account resources — but they work at different levels and with different levels of control.

Go to Storage Account > Access Keys > Click on Show keys.

You will have 2 keys. You can share the keys with a vendor who wants to access your storage account, since you have a public endpoint. You can regenerate the keys whenever needed.

Shared access signature:

Go to Storage Account > Shared access signature

Configure the settings and click on Generate SAS and connection string. You can share the SAS URL to access your storage account instead of sharing your keys.
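An account key gives full access to the storage account, while a SAS carries its own permissions, lifetime, protocol and IP limits in the URL, so those limits can be checked before the URL is shared. The following is an added example, not part of the original course material: it parses a SAS URL's query parameters and flags broad grants. The sample URLs, the placeholder signature, the finding names and the 7-day lifetime limit are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed SAS URL: account and path reuse the page's example names, the
# dates are arbitrary and the signature is a placeholder, not a real value.
SAMPLE_SAS_URL = (
    "https://mystorageaccount.blob.core.windows.net/path/reports.txt"
    "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
    "&st=2025-01-01T00:00:00Z&se=2030-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER"
)

READ_ONLY = set("rl")  # read and list; any other letter is treated as beyond read access


def parse_sas_time(value):
    """Parse the UTC time layouts accepted in the st/se parameters."""
    for layout in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, layout).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def audit_sas(url, now, max_lifetime=timedelta(days=7)):
    """Return a list of finding codes for a SAS URL (empty list: nothing flagged)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        raise ValueError("no sig parameter: not a SAS URL")

    findings = []
    # ss (services) and srt (resource types) appear on an account SAS,
    # which spans whole services rather than one container or blob.
    if "ss" in params and "srt" in params:
        findings.append("account-level")
    if set(params.get("sp", "")) - READ_ONLY:
        findings.append("more-than-read")
    # When spr is omitted, both HTTPS and HTTP are permitted.
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("http-allowed")
    if "sip" not in params:
        findings.append("no-ip-restriction")

    if "se" not in params:
        # Expiry is then defined by a stored access policy, not by the token.
        findings.append("no-expiry-in-token")
    else:
        expiry = parse_sas_time(params["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append("long-lived")
    return findings


if __name__ == "__main__":
    print(audit_sas(SAMPLE_SAS_URL, datetime.now(timezone.utc)))
```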

AzCopy: Upload and download files to or from an Azure Storage account using AzCopy:

AzCopy is a command-line utility used to upload and download files to or from a storage account.

Create a storage account and create a container.

Select the Storage account > IAM > Grant “Storage Blob Data Contributor” and “Storage Blob Data Owner” access.

Download the AzCopy executable for your operating system (Windows/Linux) from the Microsoft site. Upload the AzCopy executable to an Azure Storage file share.

      

To access the AzCopy file, go to the file share path you have mounted on the system.

Open the Bash shell and access the file:

Windows: Extract azcopy_windows_amd64_10.13.0.zip

Linux: To extract the file, use tar -xvzf azcopy_linux_amd64_10.13.0.tar.gz

 

Upload a file to Storage account:

Log in to AzCopy:

azcopy login

Use azcopy copy to upload a file:

Command: azcopy copy 'file path' 'container URL'

Example: azcopy copy 'C:\path\reports.txt' 'https://mystorageaccount.blob.core.windows.net/path/reports.txt'

Upload multiple files by using a wildcard symbol (*) in the file path or file name.

For example: 'C:\path\*.txt', or 'C:\path*\*.txt'

Upload a Directory:

azcopy copy 'C:\path' 'https://mystorageaccount.blob.core.windows.net/path' --recursive

Upload Directory Contents:

azcopy copy 'C:\path\*' 'https://mystorageaccount.dfs.core.windows.net/path/newblob'

Download a file using AzCopy:

azcopy copy 'https://mystorageaccount.dfs.core.windows.net/mycontainer/myTextFile.txt' 'C:\path\reports.txt'

Download a Directory:

azcopy copy 'https://mystorageaccount.dfs.core.windows.net/path/newblob' 'C:\path' --recursive

Download Directory Contents:

azcopy copy 'https://mystorageaccount.blob.core.windows.net/path/newblob/*' 'C:\path'

Upload files using a SAS token:

AzCopy using a shared access signature:

Go to Storage account > SAS > Generate SAS & Connection String > Copy the SAS token

Log out from the AzCopy login: azcopy logout

azcopy copy 'C:\path\reports.txt' 'https://mystorageaccount.blob.core.windows.net/path/reports.txt?<SAS-token>'

Download files using a SAS token:

azcopy copy 'https://mystorageaccount.dfs.core.windows.net/mycontainer/myTextFile.txt?<SAS-token>' 'C:\path\reports.txt'

 

Storage Explorer:

Azure Storage Explorer is a free, standalone, cross-platform tool from Microsoft that lets you manage and interact with your Azure Storage resources (like blobs, files, queues, and tables) from a graphical desktop application instead of using only the Azure Portal or command-line tools.

 

Go to Storage Account > Containers > + Container > Select Blob (anonymous read access for blobs only) > Create

Once you have created a container, go to it and upload a file from your local machine > Select the uploaded file and click on Generate SAS from the (…) menu at the right corner.

Share the blob SAS URL to access the file from the public network.

The Storage Explorer agent can be downloaded and used to view and access storage. A web-based storage explorer is also available in the Azure portal. You can create directories/files inside the containers.

Azure Log Analytics:

Azure Log Analytics is a cloud-based service in Azure that lets you collect, search, and analyse log and telemetry data from your Azure resources, on-premises servers, and other environments.

Go to storage account> Monitoring>

  1. Insights
  2. Alerts
  3. Metrics
  4. Workbooks
  5. Diagnostic Settings
  6. Logs Preview

Insights: An application performance monitoring tool. It monitors your application availability, performance, failures, and usage by combining data from Application Insights SDKs with Azure Diagnostics data from your cloud services.

Alerts: You can set up an alert rule to notify you once the storage account reaches the maximum size or a threshold level.

Metrics: View the storage performance as graphs.

Workbooks: View storage account logs.

Diagnostic Settings: Add a diagnostic setting to list the categories of platform logs and/or metrics that you want to collect from a resource.

Logs Preview: Azure-managed predefined scripts or queries to get the storage logs.

 

Redundant Storage: 

In Azure, redundant storage means your data is stored in multiple copies (in one or more locations) to protect it from hardware failures, network issues, or even entire datacenter outages.

Go to Storage account > Settings > Configuration > Change the replication to the option you want

Lifecycle Management:

In Azure Storage, Lifecycle Management is a feature that lets you automatically move, archive, or delete data in your storage account based on rules you define — helping you save costs and manage data efficiently over time.

Go to Storage account> Lifecycle management>Add a rule>add a condition based on modified time to move/ delete/ archive.

 

Object Replication:

In Azure Storage, Object Replication is a feature that automatically copies (replicates) block blobs from one storage account to another — usually in a different region — to improve data availability, disaster recovery, and performance.

Go to Storage account > Object replication > Set up replication rules > Provide source and destination > Add filter and object parameters > Save and apply

Import and export data to Azure:

Import and Export data to Azure refers to Azure’s service that helps you transfer large amounts of data between your on-premises environment and Azure Storage — either by shipping physical drives or by using network-based transfer tools.

Azure calls the physical transfer method Azure Import/Export Service.

Moving Large Files:

Go to Home> Import/Export jobs>Create a job and provide the shipping courier name.

The Courier company will provide the empty Azure Data box to collect the data and courier to your Azure data center.

Blob Storage account:

A Blob storage account holds media, images, other multimedia files, binary executable code and text.

Go to Storage account > Create a storage account with performance type Standard

Content Delivery Network (CDN):

The Azure Content Delivery Network is designed to send audio, video, apps, photos and other files to your customers faster and more reliably, using the servers closest to each user. It can be hosted in Azure or any other location.

Go to Home> CDN Profile> Create

It requires Standard or Premium tier pricing. It will create a public URL to access the contents

Configure Azure Files:

Azure file Share:

Azure File Share is a cloud-based, fully managed file storage service in Azure that uses the Server Message Block (SMB) protocol (and optionally NFS) to let you store files in the cloud and access them just like a regular network drive.

Go to Home > Storage Accounts > Create a new storage account

Go to Storage account > File Share > Select type Hot or Cool

Click on File Share > Connect > Map the drive letter and run the PowerShell script

Azure File Sync:

Azure File Sync is a Microsoft cloud service that lets you centralize your file shares in Azure Files while keeping the flexibility and performance of local file servers.

Go to Create Resource>Azure File Sync>Create

Go to newly created file sync group >Click on Sync Groups> Create Sync Group

Download and install Azure file sync agent on your local machine and register the server you want to sync. Synchronise with same sync group.

Troubleshooting Azure Sync:

https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-troubleshoot?tabs=portal1%2Cazure-portal

 

Create an Azure file share and mount it on Windows and Linux VMs:

 


Two types of File Share Protocol:

  1. SMB Protocol File Share (Server Message Block)
  2. NFS Protocol File Share (Network File share)

SMB File Share:

Performance requirements:

Standard file shares: hard disk-based (HDD-based) hardware

Premium file shares: solid-state disk-based (SSD-based) hardware

Redundancy requirements:

Standard file shares offer locally redundant (LRS), zone-redundant (ZRS), geo-redundant (GRS), or geo-zone-redundant (GZRS) storage; however, the large file share feature is only supported on locally redundant and zone-redundant file shares. Premium file shares do not support any form of geo-redundancy. Premium file shares are available with local redundancy and zone redundancy in a subset of regions.

File share type:

Standard file shares (GPv2), LRS/ZRS

Standard file shares (GPv2), GRS/GZRS

Premium file shares (FileStorage), LRS/ZRS

We need a storage account to create a file share. Please refer to the Azure Administration Document for storage account creation.

While creating the storage account, enable the file share option.

Screenshot: the large file share setting in the storage account's advanced blade.

Create brand new Windows and Linux virtual machines:

Ensure port 445 is open: SMB communicates over TCP port 445. Check that your firewall is not blocking TCP port 445 from the client machine.

Create a file share:

Go to Storage account >File share>+ File Share>Create 

 

 

 

Click on the file share you created > Upload any file from your local machine

Once you have uploaded a file, click on Connect to map a drive letter > Windows > Authentication method is Storage account key (since it is a workgroup server)

Copy the generated script into Notepad. In the Windows VM, open PowerShell and paste in the contents of the Notepad, then press Enter to run the command. It should map the drive.

 Method 1:

 

You have now mounted your Azure file share.

 

Method 2: 

Go to VM>This PC>Computer>Map Network Drive> Finish

Create a share snapshot

Go to Fileshare created>Snapshots>+Add Snapshot>Provide Name>ok

Go to VM> Modify the file you created with any text

Browse a share snapshot to test the files

On your file share, select Snapshots. On the Snapshots blade, select the first snapshot in the list.

Open that snapshot, and select Azure Fileshare.txt

Restore from a snapshot:

From the file share snapshot blade, right-click the Azure Fileshare.txt, and select the Restore button.

 

Select Overwrite original file.

Delete a share snapshot:

On your file share, select Snapshots. On the Snapshots blade, select the last snapshot in the list and select Delete.

Use a share snapshot in Windows:

In File Explorer, locate the mounted share.

Select Azure Fileshare.txt, right-click, and select Properties from the menu.

Select Previous Versions to see the list of share snapshots for this directory. Select Restore. This action copies the contents of the entire directory recursively to the original location at the time the share snapshot was created.

Steps to mount File share on Linux VM :

Ensure the cifs-utils package is installed.

On Ubuntu and Debian, use the apt package manager:

sudo apt update

sudo apt install cifs-utils

On Red Hat Enterprise Linux 8+ use the dnf package manager:

sudo dnf install cifs-utils

On older versions of Red Hat Enterprise Linux use the yum package manager:

sudo yum install cifs-utils 

On SUSE Linux Enterprise Server, use the zypper package manager:

sudo zypper install cifs-utils

 

Log in to the Linux server from PuTTY:

Run df -h to display the amount of available disk space for file systems

Copy the generated script into Notepad. In the Linux VM, paste in the contents of the Notepad, then press Enter to run the command. It should map the drive.

Follow the same steps used for the Windows file share for the recovery process.

Implement Azure Backup and Recovery

Azure Backup:

Azure Backup is a cloud-based backup service from Microsoft that helps you protect and restore your data from the Microsoft Azure cloud.
It’s designed for reliable, secure, and cost-effective backup of files, folders, applications, and entire virtual machines (VMs).

Manage VM Backups: 

Enable backup for VM:

Go to VM > Backup > Create New > Fill in the details as default > Enable backup

Go to VM resource group > Backup Policies > Edit backup policy and update

VM Backup Jobs and restore:

Go to VM > Backup > View all jobs > Select the backup you want to restore > Click on the 3 dots (…) at the rightmost corner of the selected backup > Restore VM

To restore a VM, you need to create a new VM to restore the backup to. You may also use the restore or replace existing disk options to restore the backup.

 

Go to Home> Create resource >Backup and Site recovery > Create

(Or) Go to Home > Recovery Services vault > Create

Go to Recovery Services vault > Backup > Azure > File Share > Select Storage account > Select the file share to back up > Enable backup

Now go to Backup Items and check the backup item count in Azure file share

Now go to Backup infrastructure > Storage account > Check the backed-up items

File Recovery from VM Backup:

File Recovery from VM Backup in Azure is a feature that lets you restore individual files or folders from an existing Azure Virtual Machine backup — without having to restore the entire VM.

Go to VM > Backup > Enable backup with default settings

Once you have enabled backup, click on Backup to back up your VM

Go to Backup Center to check whether the backup is in progress

Once the backup is completed, go to Backup > Select site recovery > Select recovery point > Download the executable file > Mount the disk to recover the file > Unmount the disks.

On-Premises Backup:

On-Premises Backup in Azure refers to using Azure Backup to protect and store data from your local (on-premises) servers, workstations, or VMs in the cloud — without having to first move those workloads to Azure.

Go to recovery services vault> select the vault>Backup>On premises >Select what you want to backup> Prepare infrastructure

Follow the instructions as mentioned below:

 

Backup Reports: 

Backup Reports in Azure are a built-in monitoring and analytics feature that give you detailed insights into your Azure Backup jobs, storage usage, and trends — all in one place.

They are designed to help you track, analyze, and optimize your backup environment across Azure and on-premises workloads

 

To enable backup reports, go to Recovery Services Vault > Select Vault > Diagnostic Settings > Add diagnostic setting. Configure a setting for log analysis.

Soft Delete for VM Backups:

You can enable soft delete, which keeps 14 days of logs in Azure. On the 15th day they are deleted automatically. You can resume or recover a VM from the backup within 14 days from the day of deletion.

For a virtual machine: Go to VM > Backup > Stop backup

Now go to Backup and select Undelete

You can also select Restore VM to recover the backup by specifying the date range.

Chapter 4 :

Monitoring CPU and Memory Utilization in Azure:

To monitor CPU and memory utilization in Azure, use the Azure portal to access metrics for virtual machines and other resources, such as Virtual Machines, Container Apps, and App Services. The primary tool for this is Azure Monitor, where you can select resource types, choose specific metrics like "Percentage CPU" and "Memory Usage," and adjust the time range to view data.

Login to Azure portal > Go to Virtual Machines and select your azure VM.

Under Monitoring >Metrics

Select a resource: Choose your VM or other resource type

Select the Percentage CPU.

Select the metric: Choose metrics like Percentage CPU and Memory Usage

Set the time range: Adjust the time period to see data for different durations

View graphs: The charts will show average CPU and memory usage for the selected period.

 

Select the aggregation type you want to check. (Avg,Min,Max,Sum)

By default, you can fetch only the last 90 days of data in Azure.

Select the time range to monitor the CPU utilization

 

 

Memory Utilization:

Home > Host Name > Monitoring >Metrics

Select Metric > Available Memory Bytes.

As above, select the aggregation type (Avg, Min, Max, Sum).

Select the time range to monitor the Memory utilization.

Alert Creation in Azure:

Azure Monitor alerts are automated notifications that provide insights into the status of your Azure resources.

To begin, log into the Azure Portal and navigate to "Azure Monitor"

Click "+ New alert rule"

Select a scope as resource group and apply.

Select the condition and select the custom log search for the query

Specify the details of the condition, such as Aggregation type, Operator, Threshold sensitivity and other parameters

 

In the Action Group tab, click on “+ Select action groups” to enable notifications sent to users via email/SMS.

Specify the alert rule in the Details tab

Apply tags, if any

Select the "Review + create" tab to validate the details are correct. Click on create button to create an alert rule.

Autoscale Azure Virtual Machine Scale Set:

The autoscaling feature enables you to dynamically allocate or remove resources based on the load on the services/application. You can specify the number of instances to run and add or remove VMs based on a set of scaling rules.

There could be many reasons to increase or decrease the instances. Here are a few examples:

Case 1: You have an application running with heavy load every day from 3PM to 5PM, so you would like to increase the instances during that time. Outside this window your application usage is low and you want to reduce the instance count to save cost.

Case 2: Your customer is releasing a new product on your application next week (date specific). So during the heavy peak season, you want to increase the CPU count for those 2 days.

Case 3: You want to increase the instance count when there are unpredictable performance fluctuations in the environment of your application.

Virtual machine scale set scaling options:

In Azure, there are 3 options for scaling VM instances up and down. 

  • Manually through the Azure portal
  • Auto scale based on metrics
  • Auto scale based on a defined schedule

You can configure scaling options either at the time of creating the virtual machine scale set or on existing VMs. You can configure the policy in the Scaling tab during VM creation. See below

 

Manual Scale set through Azure Portal:

Go to >Virtual machine scale set>Scaling>Increase the Instance count to scale manually in the box>Save

Auto scale based on metrics:

The below auto-scale condition will increase the VM instance count by 1, when the average CPU utilization is greater than 70%. The instance count is decreased by 1, when the average CPU utilization falls below 25%.

Auto scale based on a defined schedule:

Scale set to increase the instance count on specific day / time schedule

 

You will get the error below if you have not registered 'Microsoft.insights' in your Azure subscription.

Failed to update configuration for 'vmss-demo'. {"error":{"code":"MissingSubscriptionRegistration","message":"The subscription is not registered to use namespace 'microsoft.insights'. See https://aka.ms/rps-not-found for how to register subscriptions.","details":[{"code":"MissingSubscriptionRegistration","target":"microsoft.insights","message":"The subscription is not registered to use namespace 'microsoft.insights'. See https://aka.ms/rps-not-found for how to register subscriptions."}]}}.

Go to Home> Subscription >Resource Providers>Search "Microsoft.Insights">Register
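The same registration can be checked and performed from PowerShell. This is an added example, not part of the original course material; it assumes the Az PowerShell module is installed and you are already signed in with Connect-AzAccount against the affected subscription.

```powershell
# Added example: check and register the resource provider named in the
# MissingSubscriptionRegistration error, then wait for registration to finish.
$Namespace = 'Microsoft.Insights'

function Get-ProviderState {
    param([Parameter(Mandatory)][string]$ProviderNamespace)
    # Get-AzResourceProvider can return several objects for one namespace;
    # read the registration state from the first one.
    Get-AzResourceProvider -ProviderNamespace $ProviderNamespace |
        Select-Object -First 1 -ExpandProperty RegistrationState
}

$state = Get-ProviderState -ProviderNamespace $Namespace
Write-Output "Current state of ${Namespace}: $state"

if ($state -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace $Namespace | Out-Null

    # Registration is asynchronous, so poll until it completes or we give up.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $state = Get-ProviderState -ProviderNamespace $Namespace
        Write-Output "  state: $state"
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)
}

if ($state -ne 'Registered') {
    throw "$Namespace is still '$state'. Retry the autoscale change only after it shows 'Registered'."
}
Write-Output "$Namespace is registered. Save the autoscale configuration again."
```

Registering a provider is a subscription-level action, so the signed-in account needs a role that allows it, such as Contributor or Owner on the subscription.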

 

 

Auto-Stop Virtual Machines based on CPU utilization:

Microsoft Azure provides a service to Start or stop virtual machines (VMs) whenever there is more/less load of CPU utilization.

  Prerequisites to test the Auto shutdown based on CPU utilization:

  • A resource group containing the VMs
  • An Automation account with an Azure Run As account
  • An azure monitor log analytics workspace

Go to Home> "Start/Stop VMs during off hours" > Create

Click on Add Solution> Create New Workspace > Fill-up the details > Create.

Click on Automation Account> Create an Automation Account> Ok

Click on Configuration> Parameters >Fill-up the  required details.

You can enter * as the target resource group to include all resource groups, and none to include all VMs.

In this case we mentioned a resource group. To exclude any VMs, mention the VM names as comma-separated values.

Mention the Start and Stop schedule of the VMs and configure the mail ID for notification >Ok

 

Go to Automation Account > Schedules> Disable the Scheduled-StopVM so that the machine won’t stop as per the schedule

Go to Automation Account > Variables> Search “External_AutoStop”

External_AutoStop_Condition: This is the conditional operator required for configuring the condition before triggering an alert. Possible values are [GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual]

External_AutoStop_Threshold: Threshold for the Azure Alert rule. Possible percentage values ranging from 1 to 100

External_AutoStop_TimeAggregationOperator: The time aggregation operator which will be applied to the selected window size to evaluate the condition. Possible values are [Average, Minimum, Maximum, Total, Last]

External_AutoStop_TimeWindow: The window size over which Azure will analyze selected metric for triggering an alert. This parameter accepts input in timespan format. Possible values are from 5 mins to 6 hours.

For Testing: In this case, I configured the VMs to stop automatically if the average CPU usage is less than or equal to 50% for a period of 15 secs.

Go to Automation Account > Schedules, enable and modify the schedule for Schedule_AutoStop_CreateAlert_Parent.

To Review the schedule /running  Jobs :Go to Automation account >Jobs

To Review the VM logs : Go to VM>Activity logs

 

Restore VM disks and VM from the Azure Snapshot:

Restoring from an Azure snapshot involves creating new managed disks from the snapshot data and then using these disks to build a new Azure Virtual Machine (VM) or to replace the existing disks of a running VM. You can restore individual disks to rebuild a VM with a restored file system, or restore all relevant disks from a VM restore point to recreate the entire VM.

From the Azure Portal, select your Azure VM and click on Backup and select restore VM.

Select the recovery point and type (Snapshot and Vault or Vault) to proceed.

Here you have 2 options to select either create new /Replace existing.

1. “Create new” will create a new machine from the backup restore point.
2. “Replace existing” will replace the virtual hard disk on the server from the backup restore point.

Azure offers a simple feature called “Snapshot”. You can create a snapshot from an existing disk, even while it is up and running on a VM.

It is useful to restore the system from a snapshot if something goes wrong. In Azure, we can't revert an Azure VM to a snapshot directly; we have to create a disk or VM from that snapshot.

If you need to create a snapshot, just go to the disk and click on “Create snapshot”     

Home>Snapshot>Create>

 

Select the resource group of the VM>Select the Source disk of the VM>Create

Creating a new managed disk from a snapshot:

Home>Disks>+ Create>Source snapshot - Select the previously created snapshot>Create

Go to VM>Stop VM (deallocate) it. Click on the Disks option on the VM page. And Click on Swap OS disk.

Select the newly created OS disk from the drop-down menu and click on OK. Confirm the VM name down for which VM you are swapping OS Disk

Once the OS disk is swapped, click on the “X” at the end of the data disks to detach them, as per the requirement. Once it is saved, you can power on the VM and validate.
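The snapshot, new-disk and swap-OS-disk steps above can be scripted end to end. This is an added example, not part of the original course material; the resource group, VM, snapshot and disk names are placeholders, and it assumes the Az PowerShell module with a signed-in session.

```powershell
# Added example: snapshot the OS disk, build a new managed disk from the
# snapshot, then swap it in as the VM's OS disk.
# All names below are placeholders (assumptions), not values from the course.
$ResourceGroup = 'rg-demo'
$VmName        = 'vm-demo'
$SnapshotName  = 'vm-demo-os-snap'
$NewDiskName   = 'vm-demo-os-restored'

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. Snapshot the current OS disk (this works while the VM is running).
$snapConfig = New-AzSnapshotConfig `
    -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
    -Location $vm.Location `
    -CreateOption Copy
$snapshot = New-AzSnapshot -ResourceGroupName $ResourceGroup `
    -SnapshotName $SnapshotName -Snapshot $snapConfig

# 2. Create a new managed disk from the snapshot.
$diskParams = @{
    Location         = $snapshot.Location
    SourceResourceId = $snapshot.Id
    CreateOption     = 'Copy'
}
# A VM pinned to an availability zone needs its disks in the same zone.
if ($vm.Zones) { $diskParams.Zone = $vm.Zones }
$diskConfig = New-AzDiskConfig @diskParams
$disk = New-AzDisk -ResourceGroupName $ResourceGroup `
    -DiskName $NewDiskName -Disk $diskConfig

# 3. Stop (deallocate) the VM, swap the OS disk, and start it again.
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
Set-AzVMOSDisk -VM $vm -ManagedDiskId $disk.Id -Name $disk.Name | Out-Null
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm | Out-Null
Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null

# 4. Confirm which disk the VM now boots from.
$after = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if ($after.StorageProfile.OsDisk.Name -ne $disk.Name) {
    throw "OS disk swap did not take effect; VM still uses $($after.StorageProfile.OsDisk.Name)."
}
Write-Output "VM $VmName now boots from $($disk.Name)."
# The previous OS disk is not deleted by the swap. It stays in the resource
# group as an unattached disk until you remove it.
```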

Creating a virtual machine from a managed disk:

Home>Disks>Click on newly created disk>+ Create VM

Create a New VM with the managed disk with default settings to restore VM. 

 

Azure Site Recovery: 

Azure Site Recovery (ASR) is Microsoft’s Disaster Recovery as a Service (DRaaS) solution.
It keeps your applications and workloads running during outages by replicating your servers (physical, virtual, or Azure VMs) to another location so they can be quickly failed over when the primary site goes down.

It provides 99.95 SLA and High availability to the VM

Go to VM> Disaster Recovery >Target region>Advanced settings>Start Replication.

To check the progress of replication, Go to Recovery Services Vault>Select the service>Under protected Items>Replicated items> Check the VM Status.

 

ASR Test Failover:

ASR Test Failover in Azure Site Recovery is a feature that lets you simulate a disaster recovery scenario without impacting your production workloads.

Go to VM>Go to Disaster Recovery> Replicated items>Test Failover

Cleanup the test Failover once done.

Azure Virtual Machines: 

Create a VM:

Go to Create a Resource>Compute>Virtual Machine Create>

Azure spot Instance is based on pricing tag assigned to your VM. It is recommended for Low priority tasks.

Once the VM deployed successfully, Click on download the template.

Connect to a VM:

Go to VM> Select connect> RDP/SSH 

You need to download PuTTY for Linux and the RDP file for Windows.

Note: You can stop the VM to deallocate the public IP address to save cost.

VM Monitoring:

Goto VM>Overview tab> Monitoring> Pin CPU>Go to Dashboard>Select CPU>Edit Custom settings

Go to VM>Diagnostic setting>Enable guest-level monitoring

Go to Performance counter tab>Enable CPU, Memory, Disk monitoring

Go to Logs Tab> Enable Critical, Error, Warning

Go to Crash Dump> Enable

Go to Sinks> Diagnostic logs for application data on VM

Agent> The agent can be removed/deleted

Insight Monitoring:

Go to VM>Insights> Enable

VM Custom Script Extension:

Go to VM> Extension> Add the custom extension you wish> Create

Bastion Service:

Bastion service provides secure and seamless RDP or SSH connections to VM’s in your virtual network.

Go to VM> Bastion> Create Azure Bastion using Defaults

Virtual Machine Scale Sets:

A scale set is an Azure feature that load balances and assigns resources based on VM load.

Goto Create a resource> Search Virtual machine Scaleset>Create

Proceed with Default Settings. Enable application Health in Health tab.

Automatic Repair policy will delete the corrupted VM and recreate a new one

Enabling a VM scale set is free of cost; you can enable it for all running VMs.

Create a VM using PowerShell:


Start and Stop VM in PowerShell:


Creating Windows and Linux VMs:

Modifying Existing ARM Template:

Azure Resource Management Module is used for Automatic VM Deployment

Go to Resource group> select VM> select Resource group>Deployment>View Template>Download.

You can modify the JSON template parameters to create a new VM based on your requirement. Ex: change VM name, public IP address, network interface. Once you make changes, you can add the template by using the Add to Library option.

Deploy Linux VM using ARM template:

az vm image list --output table

Go to Resource group> select VM> select Resource group>Deployment>View Template>

Change the imageReference : Publisher  “Redhat” & Offer “RHEL”

ARM Custom Script Extension:

It is a post-deployment action on your VM. If any script or application needs to be installed on a brand-new VM after deployment, that action can be done automatically using the Custom Script Extension.

Go to VM> Extensions> Add> Search “Custom Script Extension”>Next>Browse to the file (.sh) where it is located>Review + Create

You can also install software with the custom script extension

Go to VM> Extensions> Add> Select the software>Review + Create

Manage Azure VM :

Add Data disk to VM:

Azure provides a default encrypted OS disk of 127GB. You cannot save application files on it. You need to create a data disk to store app files.

Go to VM> Disks> Under Data Disks> Create and Attach a new disk

Provide the necessary details: LUN – Default, Disk Name, Storage type, Size, Host Caching>Create

To Resize the Disk

Stop the VM> Go to Data Disk> Select the Disk> Under Settings>Size + Performance>Select the Size and Performance tier >Resize

Add NIC Interface to VM:

Go to VM> Networking>Check the ip configuration

Go to VM resource group>Go to Vnet>Subnet>Add Subnet> Save

Now stop the VM and go to Networking>Attach Network Interface>Select the secondary interface>OK

Change VM Size:   Go to VM>Size> Select the VM size >Resize 

Redeploy a VM: In some cases, based on a client request, you may have to redeploy a VM. Ex: if RDP or SSH to the VM is not connecting/working.

Go to cloud shell > PowerShell

Set-AzVM -ResourceGroupName "ResourceGroup" -Name "VMName" -Redeploy

Redeploy a VM with PowerShell

Go to VM >Check the VM status in overview

Ensure the VM is running >Click on Redeploy +Reapply

Select Redeploy>OK. The Redeploy will take VM offline and start the deployment process. It takes only few mins to complete. Once finished, the VM is running on a new host.  The Activity Logs will show that the Redeploy ran and if it was successful.

Reapply : Reapplying your virtual machine’s state. This operation will rerun VM provisioning and help solve the VM failed state, in case when VM provisioning failed while executing a previous VM action.

Azure Disk Encryption: 

Go to VM> Disks> Additional Settings>Disks to encrypt> Select the disk> Create a Key vault>Key >Version

Enable Access “Azure Disk Encryption for volume encryption” in access policy and create 

Enabling Azure Disk Encryption requires a VM reboot.
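The portal steps above (Key Vault, key, access policy, then encrypt) look like this in PowerShell. This is an added example, not part of the original course material; the resource group, VM, vault and key names are placeholders, and it assumes the Az PowerShell module, a signed-in session and a vault that uses access policies.

```powershell
# Added example: enable Azure Disk Encryption on a VM with a key encryption key.
# All names below are placeholders (assumptions), not values from the course.
$VmResourceGroup    = 'rg-demo'
$VmName             = 'vm-demo'
$VaultResourceGroup = 'rg-demo'
$VaultName          = 'kv-demo-ade'
$KekName            = 'ade-kek'

$vm    = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
if (-not $vault) { throw "Key vault '$VaultName' was not found." }

# Azure Disk Encryption needs the vault in the same region as the VM.
# Normalise both values so 'East US' and 'eastus' compare equal.
$normalise = { param($location) ($location -replace '\s', '').ToLower() }
if ((& $normalise $vault.Location) -ne (& $normalise $vm.Location)) {
    throw "Vault region '$($vault.Location)' differs from VM region '$($vm.Location)'."
}

# Portal equivalent: the "Azure Disk Encryption for volume encryption"
# check box in the vault's access policy.
if (-not $vault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
        -ResourceGroupName $VaultResourceGroup -EnabledForDiskEncryption
}

# Portal equivalent: Key > Version. Create the key only if it is missing.
$kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KekName
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $VaultName -Name $KekName -Destination 'Software'
}

# Enable encryption. The VM reboots as part of this operation.
Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $VmResourceGroup -VMName $VmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid `
    -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted report the result.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $VmResourceGroup -VMName $VmName
```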

Chapter 5:

Virtual Network Peering and VNet-to-VNet VPN gateway connection 

Virtual Network Peering:

Virtual network peering is used to connect two or more Virtual Networks in Azure. Once the Virtual networks are connected using peering it will appear as one network. The traffic between VM is routed through Microsoft infrastructure through private IP addresses only.

Types of Virtual network peering:

  • Virtual network peering: Connect virtual networks within the same Azure region.
  • Global virtual network peering: Connecting virtual networks across Azure regions. 

Step by Step procedure to create a Virtual network peering:

Create two Virtual Networks:

Go to Home >Virtual networks>Create>

Fill up the required fields > Review and Create

 

Create two Virtual Machines:

Go to Home >Virtual Machine >Create

Fill up the required fields as mentioned below> Ensure you select the appropriate VNets for VM1 and VM2

>Review and create 

Connect the VM’s using RDP Downloaded File

 

Create a Peering between Vnet1 and Vnet2:

Go to VNet1 you created >Peering> + Add

Specify the Peering Link Names >Add

Now you successfully created a peering between VNet1 and Vnet2 

 

Disable Firewall on both VM1 and VM2 (disabling a firewall permits all data packets to enter and exit the network unrestricted) to allow the private IPs of the VMs

Go to VM> Control Panel>System Security> Windows Firewall>

Turn Off Windows Firewall

 

To Verify the Peering connection:

Copy the private ip of the VM2 and Ping the IP from the VM1 Machine

 

 

You should be able to ping the Private IP of VM2 from VM1 .

Vice versa:

 

Ping from VM2 machine:

VNet-to-VNet VPN gateway connection:

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. A local gateway (on-prem) refers to the on-premises router within Azure. Azure fetches the required information from the on-prem router and configures a virtual device (local gateway) within Azure.

Create two Virtual Networks for 2 regions:

Go to Home >Virtual networks>Create>

From the Azure portal, click on Virtual Networks> Add >Provide IP address (10.0.0.0/16)> Create
Select Subnet>Gateway subnet>Verify your network requirements and assign the address range to the gateway subnet accordingly. We use the 10.0.1.0/24 address range.

 

Fill up the required fields > Review and Create

 Create two Virtual network gateways:

Go to Home >Virtual Network Gateway> Add button> Fill up the details>Gateway type as VPN >VPN type as Route-based

Create a public IP address or select the existing one>Select the location >create 

  

   Creating connection between two regions:

V-Net1 to V-Net2 
Go to Virtual Network Gateway >Add Connection>

                                         

 Fill up the details> Connection type V-Net-to-V-Net> The Virtual Network gateway field will get filled automatically.
 Select the Second Virtual Gateway>Create Shared key (PSK) secret for both gateway to share >Ok

Create another connection for  V-Net2 to V-Net1.

Once the connection is established, you can see the status of the two virtual network gateways as connected. Double-click each connection to view the amount of data transferred between the two virtual networks.

Verify VPN Gateway connection using Azure portal 

 

Azure App Services:

Azure web apps are built-in applications in Azure. In order to run the web app resources you need to create an App Service plan.

Go to Create a resource> App Service plan>Create

Create a Web App: Go to Create a resource> Web app Service> Create>Fill in the tabs> Create>

Go to Webapp service >Click on the URL in the overview portal to check if it is working. You should be able to access the page with “Your web app is running and waiting for your content”.

Go to Webapp service> Deployment Center>You can authorize a source such as GitHub or Bitbucket to build and deploy code.

Go to Webapp service>Configuration>General settings> You can change the product versions>

Go to Webapp service>Custom Domain> Enable /Disable HTTPS connection

Go to Webapp service>Networking > Access restrictions>  Whitelist Vendor IP to access the webapp service. 

Scaling Web apps:

There are two types of scaling: Scaling up and scaling down

You can scale up or scale down based on the response time of the App service plan.

Go to Webapp service>Scale up> Based on the Environment (Dev/ Prod) select the pricing tier and apply

Go to Webapp service>Scale Out >Configure>Manual scaling > Increase the instance count up to 3>

Standard and Premium plans support the autoscaling feature up to 10 instances. You can set autoscaling in Standard and Premium plans.

Go to Webapp service>Scale up>Autoscaling> Set the value of CPU threshold

Ex: If the CPU percentage is more than 80 % for 10 mins increase the no of instances 

Go to Webapp service>Scale out>Autoscaling> Set the value of CPU threshold

Ex: If the CPU percentage is less than 15% for 10 mins decrease the no of instance being used.

Backup Web apps:

Go to Webapp service>Backups > Configure> Apply

Under backup click on “Backup is not configured. Click here to configure backup for your app.”

Under Backup storage> Click on Storage not configured>Create a Storage account with Standard Performance>OK

Click on storage account you created>+ Container>Private access>Create

Now you can run a manual or scheduled backup

Go to Webapp service>Backups >Backup >it will initiate a backup

Schedule backup: Go to Webapp service>Backups >Configure>Schedule >Schedule backup on>Apply the schedule

App Service Networking:

Go to Webapp service>Networking > Access restrictions>  Add rule>Add ip address to allow /Deny access

Go to Webapp service>Networking> Outbound traffic>VNet Integration> Add VNet to allow private internal Microsoft communication.

Note: VNet Integration only allows private connection to the app service

Go to Webapp service>Networking>Inbound Traffic>App Assigned address>Enable Secure connection Protocol.

Azure Kubernetes Services (AKS):

Containers: 

Containers are bundles of software packages with the related configuration files, libraries and dependencies required for the app to run. You can create a container on a local machine and deploy the container image to the cloud (AWS, Azure).

To Create Docker Container:

Go to Create a resource >Create Web App>Instance Details>Publish*>Docker Container>Create

To Create Container Instance:

Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to provision any virtual machines and without having to adopt a higher-level service.

 

Go to Create a resource >Container Instance > Create

There are other containers available under >Create a resource>Containers.

Create an AKS Cluster:

Go to Create a resource >Kubernetes Service> Create>Select Default Kubernetes version

Node Pools> Virtual node>Disable (No downtime)>Leave rest all tabs as default settings>Create

To install AKS:

Go to Azure Bash > az aks install-cli

>az aks get-credentials --resource-group "Name" --name "Name"

Deploy a container to AKS:

Copy Azure-vote.yaml from the portal

Go to bash>kubectl apply -f azure-vote.yaml

>kubectl get nodes

>kubectl get service

Scaling Kubernetes:

Go to bash > kubectl get nodes

>kubectl get pods

>kubectl get pods -o wide

Autoscale:  kubectl autoscale

Azure Container Instance (ACI):

ACI is used to run containers directly on the Azure public cloud without requiring the use of VMs. ACI is good for dev, test or small applications. It is not recommended for production environments.

Go to Create a resource> Create a Container Instance>Fill up the necessary details>Create.

Manage Virtual Networking: 

Create Virtual Network:

Go to Create a resource> Create a virtual network>Provide the private IP

Note: Anything that starts with 10 is a private IP address. Ex: 10.0.0.0/16

Add front-end and back-end IP addresses along with the default subnet

Ex: Front end: 10.0.0.0/24, Backend: 10.0.1.0/24

Click on Review + Create

Create Public IP address:

Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to Internet and public-facing Azure services.

Go to Create a resource>Public IP address > Create with Default settings

Network Routing:

Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change any of Azure's default routing, you do so by creating a route table.

Go to Create a resource>Route table> Create with Default settings

Goto Created route table>Routes>Add route>Provide backend ip

Subnets>Associate>Select virtual network>Subnet >backend

Create Azure Firewall: 

Azure Firewall is a controlled security utility that defends your Azure Virtual Network resources. It comes with high availability and unlimited cloud scalability, which means that you don’t have to deploy additional infrastructure for high availability, like two or three firewalls, and there is no need for a load balancer. An important point to note here is that by default Azure Firewall blocks all the traffic.

Go to Create a resource>Firewall>Create>Availability zone> None>

IP address Ex: 10.0.5.0/24 ,subnet:10.0.5.0/25

Public ip address>Add new >with any name> Create

Configure firewall: Go to Create a resource >Route table> Create>

Goto Route table > Routes>Add with Ip address prefix>Next hop type Virtual appliance >Ok

Goto Route table >Subnets>Associate>Select Virtual network and Subnet>

Go to Create a resource>Firewall>Rules> Add rule> 

  1. NAT Rule 
  2. Network Rule
  3. Application Rule

Network Rule: Firewall>Public Ip configuration>Copy the Ip address

Go to VM and copy Private Ip. Now Go to Firewall>Rules> NAT Rules>Set RDP rule

Source *, Destination public IP address, Translated address VM private IP.

NAT Rule: You can allow/deny DNS, Protocol-UDP, provide source and destination IP, port number.

Application Rule: Firewall>Rules>Application rule>add rule to allow Microsoft network.

Source IP Address >VM IP range, Protocol: HTTP, HTTPS

Target FQDN:www.microsoft.com

Implement and Manage Virtual Networking:

A VM in one VNet cannot communicate with a VM in another VNet. A storage account or SQL DB can be accessed from another region, but a VNet is a private endpoint which cannot be accessed.

VNet Peering:

VNet Peering connects two virtual networks for resource sharing in one region or across regions in Microsoft Azure. The cost may differ based on zone selection.

Go to VNet>Peering>add>Peering link name 

Ex :Peering link names :Peering1to2 ,Peering2to1

Proceed with default settings> Add



 

 

Azure to Azure Virtual Network Gateway:

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

 

Goto VNet>Subnet>Gateway Subnet>Create with default settings

 

Go to create a resource>Virtual Network Gateway> Create with default settings> Create

 

Adding Network Gateway Connection:

Go to Virtual Network Gateway>Connections> Add>Create

Go to Virtual Network Gateway>Enable connection between Network gateways.

 

Configure Name Resolution:

There are 2 types of DNS in Azure:

  1. Azure Default DNS
  2. Azure Private DNS

Azure Default DNS: Azure Default DNS does not require configuration. You can use the hostname to connect to a VM on the same VNet.

Azure Private DNS: Create your own custom domain names such as dev.local, staging.local, prod.local etc.

 

Create Private DNS Zone: 

Private Zone: Setting up your Own Custom Domain.

Go to Home>Search DNS>

Click on Private DNS Zones > Create>Name(ex :dev.local)> Create

Go to Private DNS Created>Virtual Network  Links>Enable Auto Registration

Go to Create a resource > Create VM1 > Select Private DNS Vnet> Create

Go to Create a resource > Create VM2 > Select Private DNS Vnet> Create

Go to Private DNS >Record Set>Custom name>VM1 IP>Ok

Go to Private DNS >Record Set>Custom name>VM2 IP>Ok

Enable Firewall between two servers, PowerShell command:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4
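Both this command and the earlier peering test, where Windows Firewall is turned off before pinging, exist only to let ICMP echo through between the two VMs. The added example below (not part of the original course material) keeps the firewall on and allows echo requests only from the other VNet; the address prefix and peer IP are assumed values that you replace with your own.

```powershell
# Added example: allow ping between two peered VMs without turning the
# Windows Firewall off. Run in an elevated PowerShell session on each VM.
# Assumed values (not from the course): on VM1 use VNet2's address space and
# VM2's private IP, and the reverse on VM2.
$PeerVNetPrefix  = '10.1.0.0/16'
$PeerVmPrivateIp = '10.1.0.4'
$RuleName        = 'Allow ICMPv4-In from peered VNet'

# If the firewall was switched off for an earlier test, switch it back on.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Create the rule once: inbound ICMPv4 echo request (type 8) only, and only
# from the peered VNet's address range.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $PeerVNetPrefix `
        -Profile Any | Out-Null
}

# Check 1: every firewall profile is still enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Check 2: the rule is limited to the expected remote range.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Check 3: ping the other VM. This succeeds only after the same rule
# (with the opposite prefix) has been created on that VM as well.
if (Test-Connection -ComputerName $PeerVmPrivateIp -Count 2 -Quiet) {
    Write-Output "Peering verified: $PeerVmPrivateIp answers ping."
} else {
    Write-Output "No reply from $PeerVmPrivateIp. Check the peering status, the NSG rules and the rule on the other VM."
}

# When the test is finished, remove the rule again:
# Remove-NetFirewallRule -DisplayName $RuleName
```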

Create Public DNS :

Go to Home>Search DNS>DNS Zones> Create

Ensure the domain name is registered with the domain registrar. Ex: contoso.com

The DNS zone you created will have 4 name servers. Register all 4 servers as custom DNS at the domain registrar.

Go to VM1> add IIS role and go to NSG of the VM1 >add inbound port rule >http

Go to VM resource group > Click on DNS zone created>Record Set>www> A type>Provide public IP of the web server>Ok

Secure Access to Virtual Network:

Network Security Group (NSG) :

The VM Will have the default NSG configured. To change the NSG

Go to VM> Virtual network/subnet>Under Connected device> Network Interface>Network Security Group>Change NSG from the drop down>Save

To Verify : Go to > Network Interface>Under support and troubleshooting>Effective Security rules

Go to VM > Select the unassigned NSG> Network interface (Check if any entries)>Subnets(Check if any Entries) > Check Connected Devices.

Delete NSG if no connected devices 
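The check for unassigned NSGs can be run across the whole subscription instead of one NSG at a time. This is an added example, not part of the original course material; it assumes the Az PowerShell module and a signed-in session, and it only previews the deletion.

```powershell
# Added example: list NSGs with no network interface and no subnet attached,
# then preview their removal.
$allNsgs = Get-AzNetworkSecurityGroup

# Same test as the portal steps: no entries under "Network interfaces"
# and no entries under "Subnets".
$unattached = $allNsgs | Where-Object {
    $_.NetworkInterfaces.Count -eq 0 -and $_.Subnets.Count -eq 0
}

Write-Output "NSGs in subscription: $(@($allNsgs).Count), unattached: $(@($unattached).Count)"

# Show the custom rules each unattached NSG still carries, so that nothing
# worth keeping is lost with it.
foreach ($nsg in $unattached) {
    Write-Output "$($nsg.ResourceGroupName)/$($nsg.Name) has $($nsg.SecurityRules.Count) custom rule(s)"
    $nsg.SecurityRules |
        Sort-Object Priority |
        Select-Object Priority, Name, Direction, Access |
        Format-Table -AutoSize
}

# Preview only: -WhatIf reports what would be deleted without deleting it.
# Remove -WhatIf after reviewing the list.
foreach ($nsg in $unattached) {
    Remove-AzNetworkSecurityGroup -Name $nsg.Name `
        -ResourceGroupName $nsg.ResourceGroupName -WhatIf
}
```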

Configure Load Balancing:

Load Balancing in Azure is Microsoft’s way of distributing incoming traffic or workloads across multiple resources (like Virtual Machines, App Services, or regions) to ensure high availability, performance, and fault tolerance.

There are two types of load balancing in Azure:

  1. Load Balancer (Level 4)
  2. Application Gateway (Level 7)

Load Balancer (Level 4): Distributes traffic/load from a single source (app/service) to multiple destination servers. It is a rule-based load balancer; it assigns the traffic based on 5 rules: source IP/port, destination IP/port and protocol. If one load balancer has failed or timed out, it will send the load to another server automatically.

Frontend IP configuration: You can assign another public IP to the same load balancer if your VM has more than one application running.

Setup Load Balancer:

Before we create a Load balancer, Create three virtual machines in same availability set.

 

Go to Create a resource >Load Balancer>Create>Basic SKU>Public >Create a dynamic for frontend>Backend pools> add a backend pool>Virtual network>Virtual machines>IPv4>

Virtual machine> add> Select VM1 and Select the network Interface card>Add

Virtual machine> add> Select VM2 and Select the network Interface card>Add

Virtual machine> add> Select VM3 and Select the network Interface card>Add

Proceed with Default setting and create

Fill up the health probe with the values below for a TCP connection

Open the Load Balancer> Health probe>Add>IPv4>TCP>80>5 sec>2>ok

Fill up the health probe with the values below for an HTTP connection

Open the Load Balancer> Health probe>Add>IPv4>HTTP>/health.html>30 sec>2>ok

Troubleshooting a Load Balancer:

  1. Goto Load Balancer>Frontend IP configuration >Copy the IP and check it in the URL.
  2. Goto Load Balancer>Backendpools>Check VM status
  3. Goto Load Balancer>Health Probe>Check Protocol
  4. Goto Load Balancer>Load Balancing rules>Front end address
  5. Goto Load Balancer>Inbound NAT Rules
  6. Goto Load Balancer>Outbound Rules
  7. Goto Load Balancer>Check the Graph in health probe

 

Creating Application Gateway:

Go to Create a resource >Application Gateway>Create>Standard tier

Enable Autoscaling: Yes ( To enable scaleup application Gateway)

Proceed with Default settings>Frontend>Public ip address

Backend>Add Backend Pool>Backend pool without configuration

Configurations>Routing Rules>Rule name> Listener Name> Frontend Ip>

Backend Targets> Type>Backend pool>Backend Target name>HTTP>>80>

Additional Settings>Disable> Cookie-based affinity and Connection draining> Create

Chapter 6 :

Monitor and Troubleshoot Virtual Networking:

Azure Monitor:

Azure monitor collects data from various sources such as applications, operating systems, Azure resources, etc. in the form of metrics and logs.

Go to All Services> Monitor>Networks>Check the network health status> Connectivity>Create a Connection monitor>Fill Basics tab>Testgroup>

Note: To add Source Azure end point ,Network Watcher must be installed on VM’s

>Create Alert>Review+Create

Network Watcher:

Network Watcher provides you the ability to diagnose your most common VPN Gateway and Connections issues and help further investigate.

Go to All Services>Network Watcher>Enable

 >IP Flow Verify>Fill VM details> Give any IP and port as Remote IP address. You will get access allowed as the VM configured with NSG AllowAllInbound.

>Packet Capture>Add>Provide VM Details and Create with Default settings.

 

Monitor Resources using Azure Monitor:

Overview of Azure Monitor:

Azure Monitor is a cloud-based service from Microsoft that collects, analyzes, and acts on telemetry data from your Azure resources, on-premises environments, and applications.
It helps you monitor performance, track availability, detect issues, and optimize resources using metrics, logs, alerts, and visualization tools — all from a single unified platform in Azure.

Azure Monitor can monitor Azure services such as App Services, Virtual Machines, Storage accounts, etc.



Enabling Diagnostic for resources:

Go to Monitor>Diagnostic settings>Enable monitoring for the resource you want to monitor.

Note: To enable monitoring on a VM, you need to install the Azure monitoring agent on the guest OS.

Go to Monitor>Virtual Machines>Not Monitored>Enable. This installs or upgrades the monitoring agent on the VM from Azure.

Running Basic Kusto Queries on Logs:

Go to Monitor>Logs>Select scope> Select azure built-in query and run the query.

Chapter 7 :

Azure Update Manager: 

Step by step procedure to install updates on Azure Windows/Linux servers with Azure Update Manager:

Azure Update Manager is an automation tool/service used to install patches on Azure and on-premises Windows/Linux computers. Below are the four steps to follow to install the missing patches on computers using the Azure Update Management component.

  • Create a Log Analytics workspace.
  • Create an Automation account.
  • Link the Automation account with the Log Analytics workspace.
  • Enable Update Management for Azure VMs.

Create a Log Analytics workspace:

In the Azure portal, select create a resource> Log Analytics workspaces>create

 

Fill in the details such as Resource group, Name, and Region in the Basics tab>Review and create with default settings

Create an Automation account:

In the Azure portal, select create a resource>Automation accounts>create

 

Fill in the details such as Resource group, Name, and Region in the Basics tab>Review and create with default settings

Link the Automation account with the Log Analytics workspace:

Go to Automation Account pane>Update Management>Select existing Log Analytics workspace>Enable

 

Click on Add Azure VMs>Select the VM and enable Update Management for Azure VMs

It takes approx. 15 minutes for your virtual machine to appear in the Update Management pane

 

Deploy the Log Analytics agent and connect it to a Log Analytics workspace. Before you deploy the agent, copy the Workspace ID and primary key from Log Analytics>Agents Management

Install Log analytics agent on windows:

Download the agent file from Microsoft and install it on the on-premises computer

I Agree>Next>Connect the agent to Azure log Analytics (OMS)

>Next>Azure Commercial> Fill up the Workspace ID and Key you copied from Agent Management

>Next >Install

Install OMS Agent on Linux Server

You can use the command below to install the OMS agent on a Linux server. Substitute your Workspace ID and primary key in the command and run it as root or with sudo

wget  https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY>

 

Example: wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sudo sh onboard_agent.sh -w d442485a-6cb6-47e5-be9d-39f6584d8198 -s LTfuzoXtrDxamiCl7CeNbeDgK8XDE+p4s6WgRClvlaxpd2OomayUJZXI9au44Tc5qfTzezGWTvjL5qh+rQxs/w==

 

Schedule and update Deployment:
Go to Automation account>Update management >Schedule update deployment

Under New update deployment>Provide name>Operating System

Select Groups to update > Fill Up subscription, resource groups, locations  of Azure VMs for your deployment >add >ok

Select Machines>Select the VMs you want to deploy patches to

Select the update classification as mentioned below based on the requirement.

Select Include/exclude to select specific updates for deployment


Select Schedule setting to configure the schedule for deployment of patches>ok

Once the deployment is completed, Go to Update Management >History > to View the results of completed update deployment

You have now successfully deployed the missing patches using Azure Update Manager.

 

Use Dynamic groups with Update Management:

If you have more than 1000 machines, Microsoft recommends that you split up the updates among multiple update schedules.

Dynamic Groups can be created based on 

  1. Subscription
  2. Resource groups
  3. Locations
  4. Tags

Creating Dynamic Group for Patch Deployment:

Go to Azure monitor>Logs>

Example : Heartbeat | where Computer contains "Red" | distinct Computer 

>Run > Save as function 

Provide the group name >Save

Now you should be able to view the dynamic group while scheduling the Windows update deployment.

Chapter 8:

Configure and Trigger Backup for SAP HANA:

Configuring and triggering backups for SAP HANA in Azure involves several steps, primarily utilizing Azure Backup services.

Prerequisites for SAP HANA Backup:

Pre-registration script: Download and run the pre-registration script as the root user on each SAP HANA VM you intend to back up. This script prepares the HANA system for Azure Backup integration. If using HSR, run it on the primary node. If using private endpoints, include the -sn or --skip-network-checks parameter. 

2. Configure Backup in Azure:

  • Recovery Services Vault:

Create or select an existing Recovery Services vault in the Azure portal. This vault will store your SAP HANA backups. In Recovery services vault click on +Backup

 

  • Discover Databases:

In the Recovery Services vault, navigate to "Backup items" and select "SAP HANA in Azure VM." Select "Discover DBs" to initiate the discovery of unprotected SAP HANA databases on your registered VMs.

Select the VMs running the SAP HANA workloads and click on Discover DBs.

Configure DB via Backint:

  • Create Backup Policy:

Create a new backup policy specifically for "SAP HANA in Azure VM (DB Instance via snapshot)" or use an existing one. Define the backup schedule (e.g., daily full backups) and retention settings within this policy.

 

  • Enable Backup:

Associate the discovered SAP HANA databases with the created backup policy and enable backup for them. Azure will validate permissions and prompt for assignment of missing roles/identity if necessary.

Click on Add to add the system and tenant DBs, then click on Enable Backup

 

Once the backup is enabled, the backup status will show a warning, as the initial backup is pending, until the first full backup is completed.

To verify the backup registration status, go to Recovery Services vault>Backup Infrastructure>Workload in Azure VM and ensure the status is Registered

 

In Recovery Services vault>Backup items>SAP HANA in Azure VM, ensure the status is Healthy.

To check the status of backup jobs, go to the Recovery Services vault and click on Backup Jobs for both the system and tenant DB primary nodes.

Changing the nodes for SAP HANA DB in Azure Backup:

If your SAP HANA database is configured with HANA System Replication (HSR) and you want to maintain continuous backup after a failover to a new primary node, you need to run the preregistration script and create the same hdbuserstore keys on the new primary node.

Steps to manually register the master node and enable backup:

Go to Business Continuity center >SAP HANA in Azure VM > Protection Status

Search for the SAP SID and click on View details

Stop the backup for the slave nodes and enable backup for the master nodes

The system DB backup should be stopped first; verify that the slave node backups are in the Protection stopped state. Once you stop the backup of the slave node, click on View protected item to resume backup of the master node.

The system DB backup should be resumed first, then the tenant backup

Run the on-demand backup by clicking “Backup Now” for the master node (system DB and tenant backup)

Verify the progress and status in Business Continuity center > Jobs

Chapter 9:           

SLES 12 SP5 to SLES 15 SP5 Upgrade of Azure Systems:

To upgrade an SLES 12 SP5 Azure VM to SLES 15 SP4, perform an offline upgrade using the SLES 15 SP5 installation media, or an online migration if a direct patch path is available, though an offline upgrade is the standard method from SLES 12 to 15. Before starting, take a complete backup or snapshot of the Azure VM and ensure the system is fully updated and has sufficient disk space. Install the suse-migration-sle15-activation package or use the run_migration utility to begin the process, followed by a reboot to initiate the automatic migration sequence. You can also use tools like SUSE Manager or perform an online or offline migration by following specific commands in the zypper tool.

Pre-Checks:

  • Verify the serial console is accessible

  • Ensure enough disk space is available

  • Request the application team to stop APP/DB services

  • Take OS and data disk backups

 

Step-by-step procedure to upgrade to SLES 15 SP4:

Perform a sanity reboot of the VM to ensure there are no outstanding boot issues

Unregister the VM from SUSE Manager

Refresh the zypper repositories and register VM to external SUSE and validate SUSEConnect Status.

1.      zypper ref

2.      registercloudguest --force-new

3.      SUSEConnect --status

Clear zypper cache and refresh zypper repository

4.      zypper clean --all

5.      zypper ref

Update the system to the latest patch of SLES12 SP5 and reboot the system

6.      zypper up

Once the server is up install migration activation package

7. zypper install suse-migration-sle15-activation

8. Run the migration pre-checks

   /usr/bin/suse-migration-pre-checks

 

9. Take a backup of the zypper configuration file, fix the issues reported in it, and run the pre-check again to verify

   cp /etc/zypp/zypp.conf /etc/zypp/zypp.conf-bkp

10. Run the pre-check command

   /usr/bin/suse-migration-pre-checks

11. Initiate the migration to SLES15 SP1 using the command run_migration and monitor the progress via the serial console in the Azure portal, as SSH will not work at this point

12. After the migration completes, the system restarts automatically. Validate the OS version to ensure it is SLES15 SP1.

   cat /etc/os-release

13. Next, take a new snapshot of the OS disk of the VM

14. Reboot the system once and run “zypper migration” to upgrade to SLES15 SP3. It will ask for the SP version to update the system to. Select the appropriate version and accept the license agreement to proceed.

15. Reboot the system after completion and validate the OS version of SLES15 SP3.

16. Now take a new snapshot of the OS disk of the VM

17. Reboot the VM again and run “zypper migration” to upgrade to SLES15 SP4. It will ask for the SP version to update the system to

 

18. Once the system is up, validate the OS version (cat /etc/os-release); it should be SLES15 SP4. Also verify the kernel version

19. Update the /etc/motd file with the new version details, which are displayed at login.

20. Reboot the system and run “zypper migration” to upgrade to SLES15 SP5

21. Cross-verify the version in the Azure portal.

22. Finally, unregister the VM from the SUSE external servers and register it in SUSE Manager.
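An added example (not part of the original course notes): a shell helper that reads VERSION_ID from os-release and reports the next hop on the path followed above (12.5, 15.1, 15.3, 15.4, 15.5), so each "validate the OS version" step can be scripted. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate each migration hop on the version in os-release.
# HOPS is the upgrade path used in the procedure above (VERSION_ID values).
HOPS="12.5 15.1 15.3 15.4 15.5"

# Read one KEY=value field from an os-release style file without sourcing it.
os_field() {  # usage: os_field FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# Print the next hop after the version found in FILE. Returns 2 if the system
# is not SLES, 1 if the version is off the path or already at the last hop.
next_hop() {  # usage: next_hop [FILE]
    file=${1:-/etc/os-release}
    [ "$(os_field "$file" ID)" = "sles" ] || return 2
    cur=$(os_field "$file" VERSION_ID)
    found=0
    for v in $HOPS; do
        if [ "$found" -eq 1 ]; then
            printf '%s\n' "$v"
            return 0
        fi
        if [ "$v" = "$cur" ]; then found=1; fi
    done
    return 1
}

# Succeed only if FILE reports exactly the expected VERSION_ID.
verify_hop() {  # usage: verify_hop EXPECTED [FILE]
    [ "$(os_field "${2:-/etc/os-release}" VERSION_ID)" = "$1" ]
}

# Constructed sample of /etc/os-release after the first migration (step 12).
make_sample() {  # usage: make_sample FILE
    cat > "$1" <<'EOF'
NAME="SLES"
VERSION="15-SP1"
VERSION_ID="15.1"
ID="sles"
ID_LIKE="suse"
EOF
}
```

Run next_hop before each “zypper migration” and verify_hop after the reboot that follows it; a non-zero exit means the VM is not on the expected step of the path.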

 

De-Register and Register in SUSE Manager:

De-registering and then re-registering a SUSE Manager client system is a common administrative task that serves several important purposes:

1. Troubleshooting and resolving registration conflicts

  • Duplicate client entries: If a client system, especially a cloned one, gets registered multiple times or incorrectly with the same machine ID, it can create duplicate entries in SUSE Manager. De-registering the duplicated client (and deleting associated files like the system ID and machine ID) and then re-registering it with a unique ID helps resolve these conflicts.

  • Failed registration attempts: If initial registration attempts are unsuccessful, de-registering can be a useful troubleshooting step to restart the process and ensure a clean slate, particularly when dealing with issues like incorrect repositories or configuration issues.

  • Corruption of client data: In rare cases, the client's registration or configuration files might become corrupted. De-registering and then re-registering can help clear out the corrupted data and re-establish a healthy connection with the SUSE Manager server.

2. Server or subscription migrations

  • Moving clients to a new SUSE Manager server: If you need to move a client system to a different SUSE Manager server, you must first de-register it from the old server and then re-register it with the new server.

  • Changing organizations or subscriptions: De-registering and re-registering is necessary if you need to associate the client with a different organization within SUSE Manager or if there are changes to the subscriptions associated with the client.

  • Migrating from other registration services: If the client was previously registered with another service like SUSE Customer Center (SCC), SUSE Manager Traditional (SMT), or Retail Management Tool (RMT), you must de-register from those services before migrating the client to SUSE Manager, and potentially remove associated modules or clean up old registration information.

3. Configuration cleanup and fresh start

  • Removing unnecessary configurations: De-registering can be part of a cleanup process, particularly for Salt clients, where SUSE Manager can attempt to remove associated configuration files.

  • Applying new configurations or policies: Re-registering after de-registering ensures that the client starts with a fresh configuration and applies any new configurations or policies defined in SUSE Manager.

4. Other scenarios

  • System re-imaging or rebuilds: If a client system needs to be re-imaged or rebuilt from scratch, it will need to be de-registered from SUSE Manager and then re-registered after the re-image or rebuild is complete.

  • Network or DNS changes: Changes in network configuration or DNS settings might necessitate de-registration and re-registration to ensure proper communication between the client and the SUSE Manager server.

In essence, de-registering and re-registering provides a clean way to manage SUSE Manager clients and address various issues or administrative tasks, ensuring accurate registration, proper communication, and consistent configuration management.

Log in to SUSE Manager:

https://suse_register.example.com/

Navigate to System > System List > then search for that server name and open it.

 

 

On this page, you will find the options “Remove SSM” and “Delete System”

Note: Always remove SSM first and then delete the system.

Once the system is deleted from SUSE Manager, go back to the system, log in with sudo, and run the following commands

mv /etc/SUSEConnect /tmp

mv /etc/zypp/credentials.d/SCCcredentials /tmp

mv /etc/zypp/credentials.d/* /tmp/

rm -rf /etc/machine-id

rm -rf /var/lib/dbus/machine-id

rm -rf /etc/salt/minion_id

dbus-uuidgen --ensure

systemd-machine-id-setup

Go back to SUSE Manager again to approve the system.

Navigate to Overview and wait for the tasks to load, then click on “Manage Pending Minions”.

Now search for the system name; you will find the option to approve it.

Log in to the server with sudo and run the zypper ref and zypper up commands again; you should now be able to retrieve the repositories.
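An added check (not part of the original notes) for the identity reset above: it confirms that /etc/machine-id is well-formed, matches the D-Bus copy, and differs from the ID recorded before the cleanup, which is the condition that avoids the duplicate-entry problem described earlier. The function names, the ROOT argument and the fixture helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the client has a fresh, consistent machine identity
# after the cleanup commands. ROOT lets the check run against a test tree.

# A machine ID is exactly 32 lowercase hexadecimal characters.
valid_id() {  # usage: valid_id STRING
    case $1 in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Exit codes: 0 ok, 1 ID missing or malformed, 2 systemd and D-Bus IDs differ,
# 3 ID was not regenerated (still equals OLD_ID, e.g. the ID of a cloned image).
check_identity() {  # usage: check_identity OLD_ID [ROOT]
    root=${2:-}
    sys=$(cat "$root/etc/machine-id" 2>/dev/null) || return 1
    bus=$(cat "$root/var/lib/dbus/machine-id" 2>/dev/null) || return 1
    valid_id "$sys" || return 1
    [ "$sys" = "$bus" ] || return 2
    [ "$sys" != "$1" ] || return 3
    return 0
}

# Build a constructed directory tree holding the two ID files (for testing).
make_fixture() {  # usage: make_fixture ROOT SYS_ID BUS_ID
    mkdir -p "$1/etc" "$1/var/lib/dbus"
    printf '%s\n' "$2" > "$1/etc/machine-id"
    printf '%s\n' "$3" > "$1/var/lib/dbus/machine-id"
}
```

Record the old ID with cat /etc/machine-id before running the cleanup commands, then call check_identity with that value before approving the minion in SUSE Manager.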

 

Changing the Swap Space for Cloud-init Virtual Machines:

In Linux, swap memory acts as an extension of your computer's physical RAM (Random Access Memory) by using a dedicated portion of your hard drive or SSD. When the system runs out of available RAM, it moves less frequently used data (inactive pages) from RAM to the swap space, freeing up RAM for active processes.

Steps to change the swap file size for cloud-init Linux VMs:

Set the parameters as follows:

1. Open the file /etc/waagent.conf and comment out (prefix with #) the entries below

ResourceDisk.Format=y

ResourceDisk.MountPoint=/mnt/resource

ResourceDisk.EnableSwap=y

ResourceDisk.SwapSizeMB=256000

2. Restart the waagent service

# systemctl restart waagent

3. Copy the following script into /var/lib/cloud/scripts/per-boot/swap.sh and save.

Ex: The 128 GB used below may vary depending on the VM's /mnt disk space. If the disk is 512 GB, we can give 256 GB as swap. If the disk space is 256 GB, we can give 128 GB as swap space.

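#!/bin/sh
# Create the swap file on the resource disk if it does not exist yet.
if [ ! -f '/mnt/swapfile' ]; then
fallocate --length 128GiB /mnt/swapfile
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile
swapon -a
else
# The file is still present; just activate it.
swapon /mnt/swapfile
fi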

4. Provide execute permission to the new script file

# chmod +x /var/lib/cloud/scripts/per-boot/swap.sh

Stop and start the VM from the Azure portal for the change to take effect.

 

Ref Doc : https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/linux/swap-file-not-recreated-linux-vm-restart

 

                                                                         

Thank you !!

 

 

 

 

 

 

 

 

 

 

 
