Azure services
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a 04 Azure IAAS 101 (20)
04 Azure IAAS 101
- 1.
- 2. Azure Templates can: • Ensure Idempotency • Simplify Orchestration • Simplify Roll-back • Provide Cross-Resource Configuration and Update Support Azure Templates are: • Source file, checked-in • Specifies resources and dependencies (VMs, WebSites, DBs) and connections (config, LB sets) • Parametized input/output Instantiation of repeatable config. Configuration Resource Group SQL - A Website Virtual Machines SQL-A Website [SQL CONFIG] VM (2x) DEPENDS ON SQLDEPENDS ON SQL SQL CONFIG
- 3.
- 4. Upgrade • complexity made simple • master template can be used to rollout upgrades • imperative APIs, Client tools support to update the resources Manageability, Auditing • operations can be tracked upto 90 days • management Locks to lock down resources from deletion
- 5. Wide range of Quickstart Templates Github Repo Indexed on Azure.com Community & Microsoft contributed Integration of IaaS with Azure Services
- 6. https://github.com/Azure/azure-quickstart-templates
- 7. Get-AzureRmResourceProvider -ListAvailable
- 8. Subscription Location Resource group Storage account Virtual network Subnet Availability set Load balancer Network security group Virtual machine LOB1 LOB2
- 9. US DoD West US DoD East
- 10. Subscription Location Resource group Storage account Virtual network Subnet Availability set Load balancer Network security group Virtual machine LOB1 LOB2
- 11.
- 12.
- 13. When you download the usage CSV for services that support tags with billing, the tags will appear in the Tags column.
- 14. Question: Should these resources be in the same group or a different one? Hint: Do they have common lifecycle and management? Answer: Up to you.
- 15. https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/
- 16. New-AzureRmResourceGroup -Name Azure101 -Location "West Europe"
- 17. Adding tags to the collection New-AzureRmTag -Name "Demo" -Value "azureworkshop"
- 18. • • • • •
- 19. BUILT-IN ROLE ACTIONS NOT ACTIONS Owner (allow all actions) * Contributor (allow all actions except writing or deleting role assignments) * Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete Reader (allow all read actions) */Read
- 20. https://azure.microsoft.com/en-us/documentation/articles/role-based- access-control-manage-access-powershell/
- 21. Subscription Location Resource group Storage account Virtual network Subnet Availability set Load balancer Network security group Virtual machine LOB1 LOB2
- 22. Subscription Location Resource group Storage account Virtual network Subnet Availability set Load balancer Network security group Virtual machine LOB1 LOB2 OS Data
- 23.
- 24.
- 25.
- 26.
- 27. 1. 2. 3. 4. 5. 6. Web-based LOB application Intranet SharePoint 2013 farm
- 28.
- 29.
- 30. Name element Examples Environment or deployment role dev, stg, prd Azure location usw (West US), use (East US 2) Azure component, service, or product rg for resource group, vnet for virtual network, vm for virtual machine Role sql, ora, sp, iis Instance 01, 02, 03, etc.
- 31. Azure implementation guidelines
- 32.
- 33.
- 34. Secure site-to-site VPN connectivity • SMB, Enterprises • Connect to Azure compute Secure point-to-site connectivity • Developers • POC Efforts • Small scale deployments • Connect from anywhere ExpressRoute private connectivity • SMB & Enterprises • Mission critical workloads • Backup/DR, media, HPC • Connect to all Azure services Internet Connectivity • Consumers • Access over public IP • DNS resolution • Connect from anywhere
- 35. Microsoft Cloud Networking for Enterprise Architects
- 36. An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can also further segment your VNet into subnets and launch Azure IaaS virtual machines (VMs) and/or Cloud services (PaaS role instances). Additionally you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure
- 37. Virtual Network Benefits; Isolation. VNets are completely isolated from one another. That allows you to create disjoint networks for development, testing, and production that use the same CIDR address blocks. Access to the public Internet. All IaaS VMs and PaaS role instances in a VNet can access the public Internet by default. You can control access by using Network Security Groups (NSGs). Access to VMs within the VNet. PaaS role instances and IaaS VMs can be launched in the same virtual network and they can connect to each other using private IP addresses even if they are in different subnets without the need to configure a gateway or use public IP addresses. Name resolution. Azure provides internal name resolution for IaaS VMs and PaaS role instances deployed in your VNet. You can also deploy your own DNS servers and configure the VNet to use them. Security. Traffic entering and exiting the virtual machines and PaaS role instances in a VNet can be controlled using Network Security groups. Connectivity. VNets can be connected to each other, and even to your on-premises datacenter, by using a site-to-site VPN connection, or ExpressRoute connection.
- 38.
- 39.
- 40. Azure implementation guidelines
- 41. Blob storage stores file data. A blob can be any type of text or binary data, such as a document, media file, or application installer. Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid development and fast access to large quantities of data. Queue storage provides reliable messaging for workflow processing and for communication between components of cloud services. File storage offers shared storage for legacy applications using the standard SMB 2.1 protocol. Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premise applications can access file data in a share via the File service REST AP
- 42. ZRS LRS
- 43. Azure Virtual Machine Storage
- 44. Standard Storage Capacity Planning IOPS Per Disk 300 for Basic Tier 500 for Standard Tier (60 Mbps) IOPS Per Storage Account: 20,000 Supports up to 40 data disks using maximum IOPS per disk Group disks into striped sets to for more IOPS • Example: 4-disk X 500 IOPS = 2000 IOPS
- 45. Azure Premium Storage Consistent low latency SSD based with predictable IO throughput Suitable for high-performance IO-intensive database workloads Single digit milliseconds latencies Supports up to 1 TB blob/disk size Stripe up to 32 disks for a total of 32TB and more than 80,000 IOPS Premium Storage Disks work in with DS and GS sizes Disk Types P10 P20 P30 Disk Size 128 GB 512 GB 1024 GB IOPS per Disk 500 2300 5000 Throughput per Disk 100 MB/sec 150 MB/sec 200 MB/sec
- 46. Azure Storage Capacity Planning Standard Storage 300 IOPs per Disk with Basic Tier and Standard Storage 500 IOPs per Disk with Standard Tier and Standard Storage Up to 20,000 IOPs per Azure Storage Account (Standard) ~40 disks Premium Storage Up to 5000 IOPs per disk with Standard Tier and Premium Storage Up to 32 disks per Premium Storage Account Note: On DS and GS instances you can mix standard and premium storage disks
- 47. #storageaccount $stName = “workshopbin123" $locName = "West Europe" $rgName = “Azureworkshop“ $storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName Note: Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Your storage account name must be unique within Azure. The Azure Portal will indicate if the storage account name you select is already in use
- 48. Storage account endpoints Every object that you store in Azure Storage has a unique URL address. The storage account name forms the subdomain of that address. The combination of subdomain and domain name, which is specific to each service, forms an endpoint for your storage account. For example, if your storage account is named mystorageaccount, then the default endpoints for your storage account are: Blob service: http://mystorageaccount.blob.core.windows.net Table service: http://mystorageaccount.table.core.windows.net Queue service: http://mystorageaccount.queue.core.windows.net File service: http://mystorageaccount.file.core.windows.net
- 49. New-AzureStorageContainer -Context $StorageContext -Permission Container -Name media -- Off, which restricts access to only the storage account owner. -- Blob, which provides read access to blob data within a container through anonymous request, but does not provide access to container data. Clients cannot enumerate blobs within the container via anonymous request. -- Container, which provides full read access to a container and its blobs. Clients can enumerate blobs within the container through anonymous request, but cannot enumerate containers within the storage account.
- 50.
- 51.
- 52. Azure implementation guidelines
- 53. Azure availability set Fault Domains Represent groups of resources anticipated to fail together i.e. Same rack, same server Fabric spreads instances across min 2 fault domains Update Domains Groups of resources that will be updated together Host OS updates honour service update domains Specified in service definition Default of 5 (up to 20) Availability Sets VMs in separate Fault Domains SLA 99.95 | HW SW | Windows & Linux
- 54. Virtual Machine C: OS Disk E:, F:, etc. Data Disks D: Temporary Disk Dynamic VHDLocal Disk Cache Azure Blobs On shared local disk • Performance can be variable • Contents can be lost Azure Blobs
- 55. https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/ The VM size determines the number of NICS that you can create for a VM!
- 56.
- 57.
- 58.
- 59. Azure identity management
- 60.
- 61.
- 62. Virtual Machines-Security
- 63. Network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. NSGs can be associated with either subnets or individual VM instances within that subnet. When a NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet. In addition, traffic to an individual VM can be restricted further by associating a NSG directly to that VM Note: Endpoint-based ACLs and network security groups are not supported on the same VM instance. If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For information about how to do this, see Managing Access Control Lists (ACLs) for Endpoints by using PowerShell
- 64. VIRTUAL_NETWORK AZURE_LOADBALANCER INTERNET
- 65.
- 66.
- 67. subscription Resourcegroup: HKTestRG Storageaccount: hk193testcsp Virtual Network virtualnet;: Subnet:10.0.0.0/24
- 68. #create the vm $stName = "hk193testcsp" $locName = "West Europe" $rgName = "HKTestRG“ New-AzureRmResourceGroup -Name $rgName -Location $locName $storageAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $stName -Type "Standard_GRS" -Location $locName $singleSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name singleSubnet -AddressPrefix 10.0.0.0/24 $vnet = New-AzureRmVirtualNetwork -Name TestNet -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/16 -Subnet $singleSubnet $pip = New-AzureRmPublicIpAddress -Name TestPIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic $nic = New-AzureRmNetworkInterface -Name TestNIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id $cred = Get-Credential -Message "Type the name and password of the local administrator account." $vm = New-AzureRmVMConfig -VMName WindowsVM -VMSize "Standard_A1" $vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName MyWindowsVM -Credential $cred - ProvisionVMAgent -EnableAutoUpdate $vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2012-R2- Datacenter -Version "latest" $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id $osDiskUri = $storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/WindowsVMosDisk.vhd" $vm = Set-AzureRmVMOSDisk -VM $vm -Name "windowsvmosdisk" -VhdUri $osDiskUri -CreateOption fromImage New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm
- 69. New-AzureRmResourceGroupDeployment -Name testDeployment -ResourceGroupName $rgname - TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm- simple-windows/azuredeploy.json -Mode Incremental
- 70. Cloud principles • Freedom of choice • Marketplaces • Cloud Inspired Infrastructure • Multi Vendor • Hybrid • Hyper scale • Self-service • Build in and on top of Security • Build in Compliancy • Automation Continuous Change Shared Software defined Scalable Pay per Use Build to fail Multi Vendor Lock in Reduction Open- and closed source Build in Security
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81. Get-AzureRmVMImageSku – get the SKUs for a publisher and offer Get-AzureRmVMImagePublisher – get the available publishers Get-AzureRmVMImageOffer – get the avalailable offers from a publisher Get-AzureRmVMImage – get the image for a specific SKU The following ARM cmdlet get the details for a specific Windows Server source image: Get-AzureRmVMImage -Location “westus” ` -PublisherName “MicrosoftWindowsServer” ` -Offer “WindowsServer” -Skus “2012-R2-Datacenter” -Version “4.0.20150916”
- 82. -Verbose
- 83. Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/checkpoint-single-nic/azuredeploy.json#L11
- 84. Example template at https://github.com/Azure/azure-quickstart-templates/blob/master/mysql-replication/azuredeploy.json#L68
- 85. https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway- howto-site-to-site-resource-manager-portal/ https://technet.microsoft.com/en-us/library/dn641937(v=ws.11).aspx
- 86. Visualizing the security layers
