Azure IaaS Operations Guidance aka.ms/Azure/IaaSOpsGuide
BOOKMARK THIS! aka.ms/Azure/IaaSOpsGuide
This is a collection of Azure Infrastructure installation and operational guidance resources I provide to my customers. By keeping these links up to date with each engagement, all of my customers may benefit. Hopefully you can too! The latest Azure updates will always be at Azure service updates. Make it part of your operational procedure to review that monthly, if not weekly! In 2015, there were over 500 updates. Wow!
The goal of this guide is to highlight core installation and operational procedures for an Azure IaaS deployment, which will predominantly consist of Compute, Network and Storage resources. The article Azure Infrastructure Services Implementation Guidelines gives a pretty good rundown of what needs to be created and in what order. The resources I keep updated below pretty much follow the order in that article. But for now, there is a very important piece of that puzzle missing. For the newer Azure Resource Manager (ARM) model of deployment, we need to plan, design and create Azure Resource Groups. Once we have Resource Groups, we can delegate administration with Role Based Access Control (RBAC).
Besides all this, if you just need to ramp up and learn more on Azure, go to the Azure Learning Paths page. Check it out and learn something new! I also have my Azure Certification resources (Slides and Videos) from MS Ignite, to get you certified and ready to go!
- Azure Learning and Certification resources at aka.ms/Azure/Learn
Azure Active Directory
Overviews
AzureAD a leader in the 2016 Gartner IDaaS MQ!
- How Azure subscriptions are associated with Azure Active Directory
- This is an important link to read and understand. Microsoft Azure does not equal Azure Active Directory. If you create a brand new Azure subscription, you will have an Azure Active Directory tenant by default. But sometimes companies have Office 365 first, without an Azure subscription. With Office 365, you get an Azure Active Directory tenant for free. That is your cloud directory. It can be standalone, or, as many companies do, you can synchronize or federate it with your on-premises identities. But an Azure AD tenant for Office 365 is not necessarily tied to an Azure subscription. An Azure subscription is just another service, like Office 365. If your company is going to have both, then the KEY goal is that both of them connect to the same Azure Active Directory tenant. So if you started with Office 365 and made the primary domain name contoso.com, then when you log in to create an Azure subscription, make sure to do so with a Global Admin account in the contoso.com Azure AD tenant that you use to administer Office 365. See Manage the directory for your Office 365 subscription in Azure.
- Azure Active Directory editions
- Before you get too excited about everything you discover on the Azure website, make sure you know which edition you have. There are many flavors and enterprise agreements. Depending on the edition you have, you may have more or fewer services available to you. Azure Active Directory Premium will get you the whole kitchen sink, but there are different ways to get that as well, e.g. an Enterprise Mobility Suite license.
- You will need to read these!
Azure AD Connect user sign-in options:
- Password Hash Sync (PHS)
- Pass-through Authentication (PTA)
- Active Directory Federation Services (AD FS)
Choosing the right authentication method for your Azure Active Directory hybrid identity solution - excellent decision tree :)
- The Four Pillars of Identity - Identity Management in the Age of Hybrid IT
- Azure Active Directory Authentication Protocols
- Authentication Scenarios for Azure AD
- Supported Token and Claim Types
- Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on
- Azure AD terminology
- Getting started with Azure Multi-Factor Authentication in the cloud
- Azure AD Privileged Identity Management
Cloud Architecture
There is quite a bit of guidance out there to help architect your cloud identity strategy. Azure Active Directory provides the core Identity Management as a Service platform for all of the possible hybrid and cloud scenarios. Here are some great resources to read up on.
- Azure Reference Architectures
- Microsoft cloud identity for enterprise architects
- Azure Active Directory Hybrid Identity Design Considerations
- Architecting Hybrid Cloud Environments
- Microsoft's Enterprise Cloud Roadmap - Sway with links to many other resources
- Example Azure Infrastructure Walk through
- Microsoft Cloud IT architecture resources
Authentication & Authorization
- Authentication Scenarios for Azure AD
- Patterns and Practices: Identity management for multitenant applications in Microsoft Azure
- Authentication and authorization in Azure App Service
- SQL Database Authentication and Authorization: Granting Access
- Service Bus authentication and authorization
- Event Hubs authentication and security model overview
- Developer’s guide to auth with Azure Resource Manager API
- Azure AD Token Lifetime
- ADAL, Windows Azure AD and Multi-Resource Refresh Tokens
- Using a Service Principal for Azure PowerShell Authentication
- Refresh Tokens for Multiple Resources
- Authorize access to web applications using OAuth 2.0 and Azure Active Directory
Azure AD Operational Guidance
- Administer your Azure AD directory
- Assigning administrator roles in Azure Active Directory (Azure AD)
- Create or edit users in Azure Active Directory
- Azure AD Password Reset for Users and Admins
- Managing access to resources with Azure Active Directory groups
- Using AAD Credentials with Azure PowerShell Cmdlets
- View your access and usage reports which is part of
- Using Azure AD Connect Health with AD FS
- Using Azure AD Connect Health for Azure AD Sync
Azure AD Tenant
In the original Azure Portal, https://manage.windowsazure.com, the primary control of overall administration was at the subscription level. Now, in the new Azure Resource Manager (ARM) model, there are fewer justifications for multiple subscriptions than there were before in the Azure Service Management (ASM) model, e.g. administration only at the top level. In ARM, you can control administration at the subscription level, at Resource Groups, and at the Azure Resources contained within. For more on those differences, see Understanding Resource Manager deployment and classic deployment. You can only create Azure Resources that leverage ARM deployments and RBAC by using https://portal.azure.com. So stop using that old portal, unless you just have to. For more on that, read Azure portal availability chart.
Subscription
Before you can do anything, you not only need an Azure subscription, but you also need to know how many subscriptions you need, if more than one, and what the limits are. Simpler is always best. In the ARM deployment model, things like separation of billing and delegation of administration no longer require separate subscriptions. Billing can be broken down further with tagging, and RBAC gives even more flexibility to control administration across your portal.
- How many subscriptions is enough?
- How to sign up for, purchase, upgrade or activate an Azure subscription
- If you don't have an Azure subscription, this is where to start before anything else below.
- Subscription Service Limits
- How Azure subscriptions are associated with Azure Active Directory
- Move resources to new resource group or subscription
- Transferring an Azure subscription
- Transfer ownership of an Azure subscription to another account
- How to create a support ticket for Azure billing and subscription issues
- I am unable to log in to manage my Azure subscription
- What do I do if my Azure subscription becomes disabled?
Azure Resource Manager (ARM) and Role Based Access Control (RBAC)
This content can now be found at https://aka.ms/Azure/ARM.
Network
Creating your virtual networks and subnets is very high on the priority list of things to do after the subscription and resource groups are created. One quick tip to note: in traditional network addressing, we take away 2 addresses (n-2), the all-0s and all-1s addresses, when calculating usable hosts in a subnet. In Azure, it gets a little hungrier, using 3 additional addresses. So remember this safety tip: figure (n-5) when you do your host calculations. For example, if you needed 30 hosts on-premises, you would figure a /27 network would work, right? Don't believe me, just ask Cisco :) But in Azure you would fall short, as a /27 network actually results in only 27 usable hosts. So I warned you! Also, if you make your VNet subnets too small, it will haunt you, as it currently is not so easy to remove the VMs and recreate VNets, so plan them very, very carefully. Been there, done that. You don't want to go there.
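To make the (n-5) rule concrete, here is an added example (not from the original post) that applies it to a CIDR, finds the smallest Azure subnet that fits a host count, and carves a set of subnets out of a VNet address space before anything is deployed. The VNet range and the host requirements are constructed sample values.

```python
import ipaddress

# On-premises IPv4 math reserves 2 addresses per subnet (network, broadcast).
# Azure reserves 5: those two plus the default gateway and two addresses
# used for Azure-provided DNS, which is the (n-5) rule from the text above.
ONPREM_RESERVED = 2
AZURE_RESERVED = 5
AZURE_MIN_PREFIX = 29  # Azure does not allow subnets smaller than /29


def usable_hosts(cidr: str, reserved: int = AZURE_RESERVED) -> int:
    """Usable host addresses in `cidr` after the platform's reservations."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - reserved, 0)


def smallest_azure_prefix(required_hosts: int) -> int:
    """Longest prefix (smallest subnet) whose Azure-usable count fits the need."""
    for prefix in range(AZURE_MIN_PREFIX, 0, -1):
        if (2 ** (32 - prefix)) - AZURE_RESERVED >= required_hosts:
            return prefix
    raise ValueError("requirement exceeds IPv4 address space")


def plan_subnets(vnet_cidr: str, requirements: dict) -> dict:
    """Allocate one Azure-sized subnet per requirement inside vnet_cidr.

    Allocating largest-first keeps every block aligned to its own size,
    so sequential carving from the VNet start yields valid CIDRs.
    Raises ValueError if the VNet address space is too small.
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    end = int(vnet.broadcast_address) + 1
    cursor = int(vnet.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = smallest_azure_prefix(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"subnet '{name}' does not fit in {vnet_cidr}")
        plan[name] = f"{ipaddress.ip_address(cursor)}/{prefix}"
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed sample: the /27 from the text and a small three-tier VNet.
    print(usable_hosts("10.0.0.0/27", ONPREM_RESERVED), usable_hosts("10.0.0.0/27"))
    print(plan_subnets("10.0.0.0/24", {"web": 30, "db": 10, "mgmt": 3}))
```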
Overviews
- Azure Networking Series - a collection of topics
- Azure Network Security - nice list of all the Azure resources for Networking
- Azure Reference Architectures - Networking DMZ
- Microsoft Cloud Networking for Enterprise Architects - This is a great soup to nuts overview!
- Microsoft Cloud Services and Network Security - Read these top two docs, and you will see all the components to consider
- Microsoft Azure Network Security Whitepaper version 3 is now available This explains what Microsoft does to protect Azure
- Virtual Network Overview
- Network Resource Provider
- IP Addresses in Azure Virtual Network
- About secure cross-premises connectivity for virtual networks
- Site-to-Site VPN
- Point-to-Site VPN
- Currently not supported in Azure Resource Manager deployments... stay tuned!
- User Defined Routes and IP Forwarding
- What is Azure load balancer?
- What is a Network Security Group (NSG)?
- See more Details on Network Security in the Networking section of aka.ms/Azure/Security
Operational Guidance
- Get started configuring internal load balancer using Azure Resource Manager
- Get started configuring your Internet-facing load balancer
- How to set a static private IP address in the preview portal
- Configure a VNet-to-VNet connection for virtual networks in the same subscription by using Azure Resource Manager and PowerShell
- How to manage NSGs using the preview portal
- How to create NSGs in PowerShell
- Step-by-Step: Automate Building Outbound Network Security Groups Rules via Azure Resource Manager (ARM) and PowerShell
- SQL Server 2014 High-Availability and Multi-Datacenter Disaster Recovery with Multiple Azure ILBs
- Configuring the SQL Server AlwaysOn ILB for the Client Listener in Azure Resource Manager (ARM) deployment model
- Configure an ILB listener for AlwaysOn Availability Groups in Azure
- Line of Business Application Workload Phase 4: Configure web servers
Storage
Find ALL Storage Documentation, e.g. Get Started, Designing, etc.
Managing Storage
- SOSP Paper – Windows Azure Storage: A Highly Available Cloud Storage Service with Strong Consistency
- This explains how Microsoft Azure does storage
- Microsoft Azure Storage Performance and Scalability Checklist
- Azure Storage security guide
- Using Azure PowerShell with Azure Storage
- Azure Storage Explorer Graphical Tool
- Get Started with the AzCopy Command-line Utility
- Use Azure Automation with Storage
- Premium Storage: High-Performance Storage for Azure Virtual Machine Workloads
- Doing SQL Databases? High Performance workloads? Then look into premium storage.
Operational Guidance
- Create a Storage Account
- Monitor, diagnose, and troubleshoot Microsoft Azure Storage
- Monitor a storage account in the Azure portal
- Enable Storage metrics and viewing metrics data
- Troubleshooting Tutorial
- Configure a Custom domain for blob data in an Azure Storage Account
- Transfer blob data to Azure with Import/Export
- Upload a Windows VM image to Microsoft Azure for Resource Manager deployments
- Move Data to and from Azure Blob Storage using AzCopy
Compute
Overviews
- Technical articles for Windows VMs in Azure
- About Azure virtual machines
- Virtual Machines Documentation
- Learning Paths for Virtual Machines
- Manage the availability of virtual machines
- Planned maintenance for Azure virtual machines
- Understand planned vs. unplanned maintenance
Operational Guidance
- Azure Quickstart Templates
- Create a virtual machine running Windows in the Azure portal
- Different ways to create a Windows virtual machine with Resource Manager
- Create a Windows VM with Resource Manager and PowerShell
- Restore virtual machines in Azure
- How to Tag a Virtual Machine in Azure
- Azure Windows VM Extension Configuration Samples
- Authoring Azure Resource Manager Templates with VM Extensions
- Encrypting Azure Virtual Machines with CloudLink SecureVM
Below are some additional topics related to various deployments. These also provide other examples of deploying things like Windows Server Active Directory and SQL Always on clusters in an Azure Subscription. What will you put in your subscription?
Windows Active Directory Servers in IaaS
Many organizations now are moving their Domain Controllers into Azure as VMs in IaaS. Here are some links to help out!
- Extending Active Directory to Azure - Patterns and Practices
- Not in IaaS - but an honorable mention here! Use Azure Site Recovery to protect Active Directory and DNS
- Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
- The Ultimate Guide to Windows Server on Azure!
- Install a new Active Directory forest on an Azure virtual network
- Or WATCH the video: How to install a new Active Directory forest on an Azure virtual network
- Active Directory Domain Services (AD DS) Virtualization
- Understanding Active Directory Domain Services (AD DS) Functional Levels
If you want to have replica Domain Controllers in the cloud for on-premises domain controllers...
Comments
- Anonymous
October 07, 2016
Thanks so much for putting this page together - fantastic resource!
- Anonymous
February 17, 2017
This is a very nicely written blog, thanks for developing this, it is very helpful. I have noticed that there is a typo on the URLs aka.ma/Certification/70-533 and aka.ma/Certification/70-534 | Microsoft Azure Architecture Certification Prep; looks like it has to be aka.ms/Certification/70-533 and aka.ms/Certification/70-534