V. Azure Virtual Machines


VM Monitoring

Introduced in Windows Server 2012 R2, it is used to monitor specific services within the VMs and reacts if there is a problem with a service.
Consists of:
a. Performance Counters
b. Logs
c. Insights

VM Storage

Just like any other computer, VMs in Azure use disks as a place to store an OS, applications, and data.
Azure VMs have at least 2 disks:
1. OS
2. Temporary
Can also have 1 OR more data disks.
All disks are stored as VHDs.

VM Performance Diagnostics

The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine. Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM performance or high usage of CPU, disk space, or memory.

URI/URL/URN

Uniform Resource Identifier - specifies how to access a resource on the Internet.
Uniform Resource Locator - a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.
Uniform Resource Name - URNs are globally unique persistent identifiers assigned within defined namespaces so they will be available for a long period of time, even after the resource which they identify ceases to exist or becomes unavailable. URNs cannot be used to directly locate an item and need not be resolvable, as they are simply templates that another parser may use to find an item.

VM Availability Sets & Zones

You must designate your availability options (sets & zones) initially when you create the VM. You cannot choose these options after you create the VM.

VMSS (Virtual Machine Scale Sets)

allow you to create and manage a group of identical, load balanced VMs.
* the number of VM instances can automatically be increased/decreased in response to demand or a defined schedule.
* the advantage of cloud computing & MS Azure specifically is the ability to grow/shrink your resource usage depending on your actual needs.

ARM VHD

applies to: VMs (Linux/Windows), Flexible/Uniform Scale Sets
- as an alternative to using an ARM CSE, you can use an existing VHD: you pass in the URI of an existing VHD, so you're creating a disk that is an import of the VHD and using the VHD as a startup drive.

Parameter File

are JSON (JavaScript Object Notation) files with a structure that is similar to your template. In the file, you provide the parameter values you want to pass in during deployment. Within the parameter file, you provide values for the parameters in your template.

An Azure instance

can be understood as a VM. When you use Azure VMs (also called Web Roles or Worker Roles), every instance equals a virtual machine whose specifications are determined by the instance size you selected when it was first created. *also known as cloud instances

ARM CSE

characteristics:
a. Blob Storage access
b. script location
c. command to be run
d. can store config (CSE) in the config file
e. specify on CLI or ARM template
f. store sensitive data in a protected configuration which is encrypted & only decrypted within the VM.
g. secrets - such as passwords/SAS file reference *which should be protected

Azure Bastion Service

fully managed service that provides more secure and seamless RDP & SSH access to VMs without any exposure through Public IP addresses.
**In order to use the Bastion Service, the bastion server itself must run on its own subnet.**
Features:
- RDP & SSH directly in the Azure Portal
- Remote sessions over TLS & firewall traversal for RDP & SSH
- No Public IP address required on the Azure VM
- No hassle of managing NSGs
- Protection against port scanning
- Protection against zero day exploits

ARM (Azure Resource Manager) Templates

is a block of code that defines the infrastructure and configuration for your project. These templates use a declarative syntax to let you define your deployment in the form of JSON (JavaScript Object Notation) files.
Consists of 2 items:
a. template file
b. parameters file
4 Methodologies of Deployment:
1. a PS file
2. Shell Script
3. template file
4. parameters file

Availability Sets

logical grouping of VMs that allows Azure to understand how your applications are built to provide for redundancy and availability.
*Azure recommends 2 or more VMs within an availability set to provide for a highly available app and meet the 99.95% SLA.
**2 or more VMs that are IDENTICAL

Availability Zone

physically & logically separated datacenters with their own power, network & cooling. Connected with a low latency network, they become a building block to deliver highly available applications

ARM Template Organization

the templates have properties.
1st property is the $schema property
2nd property is the content version
3rd property is the parameter
4th property is the variable
5th resources
6th output

Double encryption key

this method allows for a key pairing for encryption & decryption. -the customer and MS Azure both share encryption keys. Both are used to encrypt & decrypt the data or resource.

VM Size

when changing the size of a VM that is in production realize that it is a disruptive operation so you will incur some server down-time if the server/VM is currently running. - you will also incur changes in cost to your subscription

SLA for VMs

*When creating High Availability (sets & zones) you need to know MS SLAs for VMs. *The ONLY guarantee MS gives you to use the SLA option is for the Premium SSD agreement.

Managed Disks

- are managed by Microsoft Azure and you don't need any storage account while creating a new disk. Since the storage account is managed by Azure you do not have full control of the disks that are being created.
- Generally referred to as the disks associated with VMs.

VM Storage Options

- delivers high-performance, low-latency disk support for VMs - Premium Storage store data on SSDs - can migrate existing VM disks to Premium Storage - can attach several premium storage disks to a VM - multiple disks gives your applications up to 256 TB of storage per VM - can achieve 80k IOPs & disk throughput of 2k MBs/VM

OS disks

- every VM has an attached OS disk - OS pre-installed when VM created - registered as a SATA drive and labeled as drive C:\ by default

Un-managed Disks

- is something which requires you to create a storage account before you create any new disk. Since the storage account is created and owned by you, you have full control over all the data that is present on your storage account.
- Additionally, you also need to take care of encryption, data recovery plans etc.

Data Disks

- managed disk attached to a VM to store application data, or other data you need to keep - registered as SCSI drives and are labeled with a letter that you choose - size of VM determines how many data disks you can attach and the type of storage you can use to host the disks

Managed Disks

- managed disks are stored as page blobs, which are a random IO storage object in Azure *We call a managed disk 'managed' because it is an abstraction over page blobs, blob containers, and Azure storage accounts.

Temporary Disks

- may be lost during a maintenance event or when you redeploy a VM - data should persist during a standard reboot - data on the temp drive should not be data that is critical to the system

Unmanaged Disk

- you manage the storage accounts that you use to store the (VHD) files that correspond to your VM disks. - VHD files are stored as page blobs in Azure storage accounts.

BitLocker

A Windows feature that encrypts an entire drive

Azure Disk Encryption

A capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. *The solution requires the Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).

Load Balancer

An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM.

VM SSE (Server-Side Encryption)

Azure disk encryption available as an option when creating a VM.

Availability Sets Domains

1. Fault Domains - 3 domains, the default is 2 - resources are assigned in physically different servers and racks.
2. Update Domains - 20 domains, default is 5 - used to logically group resources to make sure a group of resources is updated (security patches or other updates) together instead of updating resources randomly.

Premium Storage Disks for VMs

1. Unmanaged 2. Managed

Customer managed key

MS Azure allows customers to manage their own encryption keys.

Platform managed key

MS Azure manages the encryption keys.

ARM Template resource property

NIC consists of:
a.) tags
b.) location
c.) IP address
d.) NSG ID
e.) depends-on
*the NIC relies/depends-on other resources created first, such as:
1. vNET
2. Public IP address
3. NSG

VM Disk Encryption

Options:
a. (Default) encrypt @ rest w/ platform managed key.
b. encrypt @ rest w/ customer managed key.
c. Double-encrypt w/ both a platform & customer managed keys.

VM CSE (Custom Script Extensions)

The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time. The Custom Script Extension integrates with Azure Resource Manager templates, and can be run using the Azure CLI, PowerShell, Azure portal, or the Azure Virtual Machine REST API.

VM Redeployment

VMs can be redeployed.
- Use Case: If a VM isn't cooperating, such as:
a. Won't start up correctly
b. RDP won't respond
c. Start/Stopping doesn't help

VM Nic Interfaces

VMs can have multiple NICs & they can be connected to multiple vNETs & vSUBs
- before making changes to a VM's NIC the VM must be stopped
- you can't have your additional NIC on a separate vNET when adding/creating a new NIC, but you can change the subnet to the new vSUB you just created.
*This allows you to have/access your VM both Publicly/Privately.

