Become a certified Azure Architect and learn to design effective solutions that span compute, security, networking, and development
From designing solutions on Azure to configuring and managing virtual networks, AZ-300 certification can help you achieve all this and more. Whether you want to get certified or gain hands-on experience in administering, developing, and architecting Azure solutions, this study guide will help you get started. The book features not only the different exam objectives, but also guides you through configuring, managing, securing, and architecting Azure resources.
Divided into five modules, this book will systematically take you through the different concepts and features as you advance through the sections. The first module demonstrates how to deploy and configure infrastructure. You will cover techniques related to implementing workloads and security, before learning how to create and deploy apps in the next module. To build on your knowledge, the final two modules will get you up to speed with implementing authentication, data security, and application and platform monitoring, along with covering Azure storage, alerting, and automation strategies. Finally, you’ll work through exam-based mock tests with answers to boost your confidence in passing the exam.
By the end of this book, you’ll have learned the concepts and techniques you need to know in order to prepare for the AZ-300 exam, along with the skills to design effective solutions on Microsoft Azure.
This book is for solution architects and experienced developers who advise stakeholders and translate business requirements into secure, scalable, and reliable solutions. Technical architects interested in learning more about designing cloud solutions will also find this book useful. Some experience and knowledge of various aspects of IT operations, including networking, security, business continuity, disaster recovery, budgeting, and governance are required to grasp the concepts covered in the book effectively.
Page count: 441
Year of publication: 2020
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Content Development Editor: Ronn Kurien
Senior Editor: Richard Brookes-Bland
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Anish Daniel
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Jyoti Chauhan
First published: January 2020
Production reference: 1160120
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-83855-353-1
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Sjoukje Zaal is a management consultant, Microsoft cloud architect, and Microsoft Azure MVP with over 15 years' experience of providing architecture, development, consultancy, and design expertise. She works at Capgemini, a global leader in consulting, technology services, and digital transformation.
She loves to share her knowledge and is active in the Microsoft community as a co-founder of the Dutch user groups SP&C NL, MixUG, and the Global Mixed Reality Bootcamp. She is also a board member of the Global Azure Bootcamp and Azure Thursdays. She is a public speaker and is involved in organizing events. She has written several books, writes blogs, and is active in the Microsoft Tech Community. She is also part of the Diversity and Inclusion Advisory Board.
Sander Rossel is a Microsoft-certified professional developer and author with experience and expertise in .NET and .NET Core, Azure, Azure DevOps, SQL Server, JavaScript, and other technologies. With his company, JUUN Software, he builds cloud-native applications and brings companies to the cloud. You can always reach Sander Rossel on LinkedIn (/in/sanderrossel/).
Stephane Eyskens is a cloud and cloud-native architect and digital transformation activist. He is a blogger, author, and speaker, and has a particular interest in hybrid architectures, modern authentication, and security in general, as well as artificial intelligence.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Microsoft Azure Architect Technologies: Exam Guide AZ-300
About Packt
Why subscribe?
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Deploying and Configuring Infrastructure
Analyzing Resource Utilization and Consumption
Understanding Azure Monitor
Creating and analyzing metrics and alerts
Metrics
Multi-dimensional metrics
Creating a metric
Alerts
Creating an alert and an action group
Creating a baseline for resources
Configuring diagnostic settings on resources
Enabling diagnostic settings
Viewing alerts in Log Analytics
Utilizing log search query functions
Querying logs in Azure Monitor
Summary
Questions
Further reading
Creating and Configuring Storage Accounts
Technical requirements
Understanding Azure Storage accounts
Storage account types
General-purpose v1 (GPv1)
Blob storage
General-purpose v2 (GPv2)
Storage replication types
Locally redundant storage
Zone-redundant storage
Geo-redundant storage
Geo-zone-redundant storage
Read-access geo-redundant storage
Azure Blob Storage
Access tiers
Hot access tier
Cool access tier
Archive
Azure file storage
Azure disk storage
Standard disk storage
Premium disk storage
Ultra disk storage
Unmanaged versus managed disks
Creating and configuring a storage account
Installing and using Azure Storage Explorer
Configuring network access to the storage account
SAS and access keys
Managing access keys
Generating an SAS
Implementing Azure Storage replication
Summary
Questions
Further reading
Implementing and Managing Virtual Machines
Technical requirements
Understanding VMs
VM series and sizes
Managed disks
Understanding Availability Sets
Fault domains and update domains
Understanding provisioning VMs
Deploying a Windows VM from the Azure portal
Deploying a Windows VM from PowerShell
Understanding VM scale sets
Deploying and configuring scale sets
Modifying and deploying ARM templates
Modifying an ARM template
Saving a deployment as an ARM template
Configuring Azure Disk Encryption for VMs
Creating an Azure Key Vault
Encrypting the disk
Summary
Questions
Further reading
Implementing and Managing Virtual Networking
Technical requirements
Understanding Azure VNet
Understanding IP addresses
Public IP address
Private IP addresses
Configuring virtual networks and subnets
Configuring private and public IP addresses
User-defined routes
Creating user-defined routes
Summary
Questions
Further reading
Creating Connectivity between Virtual Networks
Technical requirements
Understanding VNet peering
Creating and configuring VNet peering
Understanding VNet-to-VNet
Creating and configuring VNet-to-VNet
Planning IP ranges
Creating PacktVNet1
Creating PacktVNet2
Creating connections
Verifying virtual network connectivity
VNet peering versus VNet-to-VNet connections
Summary
Questions
Further reading
Managing Azure Active Directory (Azure AD)
Understanding Azure AD
Creating and managing users and groups
Creating users in Azure AD
Creating groups in Azure AD
Adding and managing guest accounts
Performing bulk user updates
Configuring a self-service password reset
Understanding conditional access policies
Working with Azure AD join
Managing device settings
Adding custom domains
Summary
Questions
Further reading
Implementing and Managing Hybrid Identities
Understanding Azure AD Connect
Azure AD password hash synchronization
Azure AD pass-through authentication
Installing Azure AD Connect
Managing Azure AD Connect
Password writeback
Managing password writeback
Enabling password writeback in Azure AD Connect
Enabling password writeback in the Azure portal
Password synchronization
Summary
Questions
Further reading
Section 2: Implementing Workloads and Security
Migrating Servers to Azure
Understanding Azure Migrate
Azure Migrate tools
Azure Migrate Server Assessment tool
Azure Migrate Server Migration tool
Database Migration Assistant
Database Migration Service
Web App Migration Assistant
Offline data migration
Migrating on-premises machines to Azure
Create an Azure Migrate project
Downloading and installing the appliance
Configuring the appliance and starting continuous discovery
Creating and viewing an assessment
Prepare Hyper-V host
Replicating the Hyper-V VMs
Replicating for the first time
Migrating Hyper-V VMs to Azure
Running a test migration
Migrating VMs to Azure
Summary
Questions
Further reading
Configuring Serverless Computing
Technical requirements
Creating and managing objects
Azure Functions
Creating an Azure Function
Azure Logic Apps
Deploying the Logic App ARM template
Managing a Logic App resource
Monitoring, logging, and alerts
Viewing runs and trigger history
Setting up alerts
Accessing on-premises data
Understanding Azure Event Grid
Event domains
Understanding Azure Service Bus
Azure Service Bus geo-disaster recovery
Setting up geo-disaster recovery
Summary
Questions
Further reading
Implementing Application Load Balancing
Technical requirements
Understanding Azure Application Gateway
Configuring an application gateway
Creating network resources
Creating the backend servers
Implementing frontend IP configurations
Creating the backend pool
Creating the application gateway
Testing the application gateway
Configuring load balancing rules
Managing application load balancing
Health probes
Monitoring
Turning on the web application firewall
Understanding Azure Front Door
Summary
Questions
Further reading
Integrating On-Premises Networks with Azure Virtual Network
Technical requirements
Understanding Azure VPN gateway
S2S VPNs
Multi-site VPNs
P2S VPNs
ExpressRoute
Creating and configuring an Azure VPN gateway
Creating and configuring the on-premises VPN device
Creating a virtual network
Creating an Azure VPN gateway
Creating and configuring the S2S VPN
Creating the local network gateway
Configuring the on-premises VPN device
Verifying on-premises connectivity
Summary
Questions
Further reading
Managing Role-Based Access Control (RBAC)
Technical requirements
Understanding RBAC
Built-in roles
Custom roles
Configuring access to Azure resources by assigning roles
Configuring management access to Azure
Creating a custom role
Azure Policy
Implementing and assigning Azure policies
Summary
Questions
Further reading
Implementing Multi-Factor Authentication (MFA)
Understanding Azure MFA
Enabling MFA for an Azure AD tenant
Configuring user accounts for MFA
Configuring verification methods
Configuring trusted IPs
Configuring fraud alerts
Configuring bypass options
Summary
Questions
Further reading
Section 3: Creating and Deploying Apps
Creating Web Apps by Using PaaS
Technical requirements
Understanding App Services
Understanding App Service plans
Creating an Azure App Service web app
Creating documentation for the API
Understanding Web App for Containers
Creating an App Service Web App for Containers
Understanding WebJobs
Creating an App Service background task using WebJobs
Deploying the WebJob to Azure App Services
Understanding diagnostic logging
Web server diagnostics
Application diagnostics
Enabling diagnostic logging
Summary
Questions
Further reading
Designing and Developing Apps That Run in Containers
Technical requirements
Understanding Azure Container Instances
Implementing an application that runs on an ACI
Creating a container image using a Dockerfile
Publishing an image to the Azure Container Registry
Pushing the Docker image from ACR to ACI
Understanding AKS
Creating an AKS
Connecting to the cluster
Deploying the application
Testing the application
Monitoring the health and logs of the application
Summary
Questions
Further reading
Section 4: Implementing Authentication and Secure Data
Implementing Authentication
Technical requirements
Understanding Azure App Service authentication
Implementing Windows-integrated authentication
Deploying the web app
Enabling authentication and authorization
Implementing authentication by using certificates
Understanding OAuth2 authentication in Azure AD
Implementing OAuth2 authentication
Registering the application in Azure AD
Implementing tokens
Refreshing tokens
Understanding managed identities
Implementing managed identities for Azure resources service principal authentication
Summary
Questions
Further reading
Implementing Secure Data Solutions
Technical requirements
Understanding data security in Azure
Protecting data
Azure encryption models
Client-side encryption
Server-side encryption
Encrypting and decrypting data at rest
Encrypting and decrypting data at rest
Azure Disk Encryption
Azure Storage
Azure SQL Database
Encrypting and decrypting blobs in Microsoft Azure Storage using Azure Key Vault
Creating a storage account with a blob container
Creating an Azure Key Vault
Creating a service principal
Creating a SymmetricKey
Creating an application to encrypt and decrypt files
Encrypting and decrypting data in transit
TLS/SSL encryption in Azure
Azure Storage transactions
SMB encryption over Azure virtual networks
In-transit encryption in VMs
Azure VPN encryption
Encrypting data with Always Encrypted
Understanding Azure confidential computing
Creating, reading, updating, and deleting keys, secrets, and certificates by using the Key Vault API
Summary
Questions
Further reading
Section 5: Developing for the Cloud and for Azure Storage
Developing Solutions That Use Cosmos DB Storage
Technical requirements
Understanding Cosmos DB
Create, read, update, and delete data by using appropriate APIs
Creating a Cosmos DB
Creating the sample application
Connecting to the Cosmos DB account
Creating a new database
Creating a container
Adding items to the container
Querying Azure Cosmos DB resources
Updating a JSON item
Deleting an item
Understanding partitioning schemes
Setting the appropriate consistency level for operations
Summary
Questions
Further reading
Developing Solutions That Use a Relational Database
Technical requirements
Understanding Azure SQL Database
SQL Server Stretch Database
High availability
Provisioning and configuring an Azure SQL database
Creating a server-level firewall rule
Creating a table in the database
Creating, reading, updating, and deleting data tables by using code
Connecting to the Azure SQL database
Adding items to the database
Querying Azure SQL Database items
Updating an Azure SQL Database row
Deleting an item
Configuring elastic pools for Azure SQL Database
Understanding Azure SQL Database managed instances
Summary
Questions
Further reading
Message-Based Integration Architecture and Autoscaling
Technical requirements
Understanding Azure Integration Services
Azure Relay service
Hybrid connections
WCF Relays
Azure Notification Hubs
Azure IoT Hub
Azure Event Hubs
Routing events using Event Grid
Designing an effective messaging architecture
Implementing autoscaling rules and patterns
Azure Monitor autoscaling
Application design considerations
Summary
Questions
Further reading
Mock Questions
Mock Answers
Assessments
Chapter 1: Analyzing Resource Utilization and Consumption
Chapter 2: Creating and Configuring Storage Accounts
Chapter 3: Implementing and Managing Virtual Machines
Chapter 4: Implementing and Managing Virtual Networking
Chapter 5: Creating Connectivity between Virtual Networks
Chapter 6: Managing Azure Active Directory (Azure AD)
Chapter 7: Implementing and Managing Hybrid Identities
Chapter 8: Migrating Servers to Azure
Chapter 9: Configuring Serverless Computing
Chapter 10: Implementing Application Load Balancing
Chapter 11: Integrating On-Premises Networks with Azure Virtual Networks
Chapter 12: Managing Role-Based Access Control (RBAC)
Chapter 13: Implementing Multi-Factor Authentication (MFA)
Chapter 14: Creating Web Apps by Using PaaS
Chapter 15: Designing and Developing Apps That Run in Containers
Chapter 16: Implementing Authentication
Chapter 17: Implementing Secure Data Solutions
Chapter 18: Developing Solutions That Use Cosmos DB Storage
Chapter 19: Developing Solutions That Use a Relational Database
Chapter 20: Message-Based Integration Architecture and Autoscaling
Another Book You May Enjoy
Leave a review - let other readers know what you think
This book is the successor of Architecting Microsoft Azure Solutions – Exam Guide 70-535, the book that I wrote only 2 years ago. I've noticed while writing this book that not only have most Azure resources gained more functionality, but many more features have also been added to the Azure platform. This indicates how fast Azure is changing and how extremely difficult it is for professionals to keep up to date with this ever-evolving platform.
This book will prepare you for the AZ-300 exam, which is the most practical exam of the Azure Architect Expert series. By reading it, you will be brought up to date with all of those new functionalities, features, and resources. This book covers all of the exam objectives, giving you a complete overview of what the exam tests.
This book will start with deploying and configuring an infrastructure in Azure. You will learn how to analyze resource utilization and consumption. You will learn about storage accounts, Azure Virtual Networks, and Azure Active Directory (AD). Next, you will learn about implementing workloads and security in Azure, and how to create and deploy apps. Then, the focus in this book will switch to implementing authentication and securing data, and finally, how to develop for the cloud and for Azure storage.
Each chapter concludes with a Further reading section, which is a very important part of the book, because it will give you extra and sometimes crucial information for passing the AZ-300 exam. As the questions of the exam will change slightly over time and this book will eventually become outdated, the Further reading sections will be the place that provides access to all the updates.
This book targets Azure solution architects who advise stakeholders and translate business requirements into secure, scalable, and reliable solutions. They should have advanced experience and knowledge of various aspects of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data management, budgeting, and governance. This role requires managing how decisions in each area affect an overall solution.
Chapter 1, Analyzing Resource Utilization and Consumption, covers how to use Azure Monitor, how to create and analyze metrics and alerts, how to create a baseline for resources, how to configure diagnostic settings on resources, how to view alerts in Log Analytics, and how to utilize Log Search Query functions.
Chapter 2, Creating and Configuring Storage Accounts, covers Azure storage accounts, creating and configuring a storage account, installing and using Azure Storage Explorer, configuring network access to the storage account, generating and managing SAS, and how to implement Azure storage replication.
Chapter 3, Implementing and Managing Virtual Machines, covers virtual machines, availability sets, provisioning VMs, VM scale sets, modifying and deploying ARM templates, and how to configure Azure Disk Encryption for VMs.
Chapter 4, Implementing and Managing Virtual Networking, covers Azure VNet, IP addresses, how to configure subnets and VNets, configuring private and public IP addresses, and user-defined routes.
Chapter 5, Creating Connectivity between Virtual Networks, covers VNet peering, how to create and configure VNet peering, VNet-to-VNet, how to create and configure VNet-to-VNet, verifying virtual network connectivity, and compares VNet peering with VNet-to-VNet.
Chapter 6, Managing Azure Active Directory (Azure AD), covers how to create and manage users and groups, adding and managing guest accounts, performing bulk user updates, configuring self-service password reset, working with Azure AD join, and how to add custom domains.
Chapter 7, Implementing and Managing Hybrid Identities, covers Azure AD Connect, how to install Azure AD Connect, managing Azure AD Connect, and how to manage password sync and password writeback.
Chapter 8, Migrating Servers to Azure, covers Azure Migrate, the different Azure Migrate tools, and migrating on-premises machines to Azure.
Chapter 9, Configuring Serverless Computing, covers how to create and manage objects, managing a logic app resource, Azure Event Grid, and Azure Service Bus.
Chapter 10, Implementing Application Load Balancing, covers Azure Application Gateway, how to configure an application gateway, implementing frontend IP configurations, configuring load balancing rules, managing application load balancing, and Azure Front Door.
Chapter 11, Integrating On-Premises Networks with Azure Virtual Network, covers Azure VPN gateway, how to create and configure an Azure VPN gateway, creating and configuring an S2S VPN, verifying on-premises connectivity, managing on-premises connectivity with Azure, and VNet-to-VNet.
Chapter 12, Managing Role-Based Access Control (RBAC), covers how to configure access to Azure resources by assigning roles, configuring management access to Azure, creating a custom role, Azure Policy, and how to implement and assign Azure policies.
Chapter 13, Implementing Multi-Factor Authentication (MFA), covers Azure MFA, how to configure user accounts for MFA, how to configure verification methods, how to configure fraud alerts, configuring bypass options, and how to configure trusted IPs.
Chapter 14, Creating Web Apps by Using PaaS, covers App Services, App Service plans, web apps for containers, WebJobs, and how to enable diagnostics logging.
Chapter 15, Designing and Developing Apps That Run in Containers, covers Azure Container Instances, how to implement an application that runs on an Azure Container Instance, creating a container image by using a Docker file, publishing an image to the Azure Container Registry, Azure Kubernetes Service, and how to create an Azure Kubernetes Service.
Chapter 16, Implementing Authentication, covers App Services authentication, how to implement Windows-integrated authentication, implementing authentication by using certificates, OAuth2 authentication in Azure AD, how to implement OAuth2 authentication, implementing tokens, managed identities, and how to implement managed identities for Azure resources' Service Principal authentication.
Chapter 17, Implementing Secure Data Solutions, covers data security in Azure, how to encrypt and decrypt data at rest, encrypting and decrypting data in transit, encrypting data with Always Encrypted, Azure Confidential Compute, and how to create, read, update, and delete keys, secrets, and certificates by using the Key Vault API.
Chapter 18, Developing Solutions that Use Cosmos DB Storage, covers how to create, read, update, and delete data by using the appropriate APIs, partitioning schemes, and how to set the appropriate consistency level for operations.
Chapter 19, Developing Solutions that Use a Relational Database, covers Azure SQL Database, how to provision and configure an Azure SQL Database, create, read, update, and delete data tables by using code, how to configure elastic pools for Azure SQL Database, and Azure SQL Database Managed Instances.
Chapter 20, Message-Based Integration Architecture and Autoscaling, covers different Azure integration services, how to route events with Azure Event Grid, designing an effective messaging architecture, implementing autoscaling rules and patterns, and how to implement code that addresses the transient state.
Chapter 21, Mock Questions, consists of mock questions for the readers to test their knowledge. It tries to cover all the topics under the scope of the exam and challenges the reader's understanding of the topics.
Chapter 22, Mock Answers, contains the answers to the questions in the previous chapter.
An Azure subscription is required to get through this book. Any other software and hardware requirements are mentioned in detail in the Technical requirements section of the respective chapters.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packt.com.
2. Select the Support tab.
3. Click on Code Downloads.
4. Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Microsoft-Azure-Architect-Technologies-Exam-Guide-AZ-300. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781838553531_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Create a new one and call it PacktVMGroup."
A block of code is set as follows:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
Any command-line input or output is written as follows:
Connect-AzAccount
Select-AzSubscription -SubscriptionId "********-****-****-****-***********"
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "In the Overview blade of Azure AD, in the left menu, select Groups | All groups. Select + New group from the top menu."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
The objective of this section is to teach you how to deploy and configure infrastructure in Azure.
This section will contain the following chapters:
Chapter 1, Analyzing Resource Utilization and Consumption
Chapter 2, Creating and Configuring Storage Accounts
Chapter 3, Implementing and Managing Virtual Machines
Chapter 4, Implementing and Managing Virtual Networking
Chapter 5, Creating Connectivity between Virtual Networks
Chapter 6, Managing Azure Active Directory (Azure AD)
Chapter 7, Implementing and Managing Hybrid Identities
This book will cover all of the exam objectives for the AZ-300 exam. When relevant, we will provide you with extra information and further reading guidance about the different topics of this book.
This chapter introduces the first exam objective, Deploy and Configure Infrastructure. It covers Azure Monitor and its various aspects. You will learn how to create and analyze metrics and alerts and how to create a baseline for resources. We are going to look at how to create action groups and how to configure diagnostic settings on resources. Finally, we are going to cover Azure Log Analytics and how to utilize log search query functions.
The following topics will be covered in this chapter:
Understanding Azure Monitor
Creating and analyzing metrics and alerts
Creating a baseline for resources
Configuring diagnostic settings on resources
Viewing alerts in Log Analytics
Utilizing log search query functions
Azure Monitor is a monitoring solution in the Azure portal that delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from the cloud and on-premises environments. It can be used to monitor various aspects (for instance, the performance of applications) and identify issues affecting those applications and other resources that depend on them.
The data that is collected by Azure Monitor fits into two fundamental types: metrics and logs. Metrics describe an aspect of a system at a particular point in time and are displayed in numerical values. They are capable of supporting near real-time scenarios. Logs are different from metrics. They contain data that is organized into records, with different sets of properties for each type. Data such as events, traces, and performance data are stored as logs. They can then be combined for analysis purposes.
Azure Monitor supports data collection from a variety of Azure resources, which are all displayed on the overview page in the Azure portal. Azure Monitor provides the following metrics and logs:
Application monitoring data: This will consist of data about the functionality and performance of the application and the code that is written, regardless of its platform.
Guest OS monitoring data: This will consist of data about the operating system on which your application is running. This could be running in any cloud or on-premises environment.
Azure resource monitoring data: This will consist of data about the operation of an Azure resource.
Azure subscription monitoring data: This will consist of data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
Azure tenant monitoring data: This will consist of data about the operation of tenant-level Azure services, such as Azure Active Directory.
The following diagram gives a high-level view of Azure Monitor. On the left, there are the sources of monitoring data, in the center are the data stores, and on the right are the different functions that Azure Monitor performs with this collected data, such as analysis, alerting, and streaming to external systems:
Now that we have some basic knowledge about Azure Monitor, we are going to look at how to analyze alerts and metrics across subscriptions.
To analyze alerts and metrics across Azure Monitor, we need to go to the monitoring resource inside the Azure portal. In the upcoming sections, we will set up metrics and alerts and show you how to analyze them.
Metrics describe an aspect of a system at a particular point in time and are displayed in numerical values. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. They are capable of supporting near real-time scenarios and are useful for alerting. Alerts can be fired quickly with relatively simple logic.
Metrics in Azure Monitor are stored in a time-series database that is optimized for analyzing timestamped data. This makes metrics suited for the fast detection of issues. They can help to detect how your service or system is performing, but to get the overall picture, they typically need to be combined with logs to identify the root cause of issues.
You can use metrics for the following scenarios:
Analyzing: Collected metrics can be analyzed using a chart in Metric Explorer. Metrics from various resources can be compared as well.
Visualizing: You can create an Azure Monitor workbook to combine multiple datasets into an interactive report. Azure Monitor workbooks can combine text, Azure metrics, analytics queries, and parameters into rich interactive reports.
Alerting: Metric alert rules can be configured to send out notifications to the user. They can also take automatic action when the metric value crosses a threshold.
Automating: To increase and decrease resources based on metric values that cross a threshold, autoscaling can be used.
Exporting: Metrics can be streamed to an Event Hub to route them to external systems. Metrics can also be routed to logs in the Log Analytics workspace, to be analyzed together with the Azure Monitor logs and to store the metric values for more than 93 days.
Retrieving: Metric values can be retrieved from a command line using PowerShell cmdlets and the CLI, and from custom applications using the Azure Monitoring REST API.
Archiving: Metric data can be archived in Azure Storage. It can store the performance or health history of your resource for compliance, auditing, or offline reporting purposes.
There are four main sources of metrics that are collected by Azure Monitor. Once they are collected and stored in the Azure Monitor Metric database, they can be evaluated together regardless of their source:
Platform metrics: These metrics give you visibility of the health and performance of your Azure resources. Without any configuration required, a distinct set of metrics is created for each type of Azure resource. By default, they are collected at a one-minute frequency. However, you can configure them to run on a different frequency as well.
Guest OS metrics: These metrics are collected from the guest operating system of a virtual machine. To enable guest OS metrics for Windows machines, the Windows Diagnostic Extension agent needs to be installed. For Linux machines, the InfluxData Telegraf Agent needs to be installed.
Application metrics: These metrics are created by Application Insights. They can help to detect performance issues for your custom applications and track trends in how the application is being used.
Custom metrics: These are metrics that you define manually. You can define them in your custom applications that are monitored by Application Insights or you can define custom metrics for an Azure service using the custom metrics API.
Metric data often has limited information to provide context for collected values. Azure Monitor addresses this challenge using multi-dimensional metrics. The dimensions of a metric are name-value pairs that store additional data describing the metric value. For example, a metric called available disk space could have a dimension called Drive with the values C: and D: stored inside. This dimension would allow you to view available disk space across all drives, or for each drive individually.
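The following PowerShell is an added example, not code from the book, showing the Retrieving scenario above with the Az.Monitor module: it pulls the Percentage CPU platform metric for a VM at the default one-minute grain and inspects the raw timestamp/value pairs. It assumes Connect-AzAccount has already been run; the resource group and VM names are placeholders.

```powershell
# Added example (not from the book): retrieve a platform metric with Az.Monitor
# and inspect the raw time series. Assumes Connect-AzAccount has been run;
# the resource group and VM names below are placeholders.
$vm = Get-AzVM -ResourceGroupName 'PacktVMResourceGroup' -Name 'PacktLinuxVM'

# Platform metrics are collected every minute without any agent, so a
# one-minute time grain is available for the last 24 hours
$end   = Get-Date
$start = $end.AddDays(-1)
$cpu = Get-AzMetric -ResourceId $vm.Id -MetricName 'Percentage CPU' `
         -StartTime $start -EndTime $end `
         -TimeGrain ([TimeSpan]::FromMinutes(1)) -AggregationType Average

# Every data point is a timestamp plus a numeric value for the chosen
# aggregation; minutes without a sample come back with an empty Average
$points = $cpu.Data | Where-Object { $null -ne $_.Average }
$points | Select-Object -Last 5 TimeStamp, Average | Format-Table

# A simple manual baseline from the same data: mean, peak, and how many
# one-minute samples crossed the 90% threshold used later in this chapter
$stats = $points | Measure-Object -Property Average -Average -Maximum
[pscustomobject]@{
    Samples     = $points.Count
    MeanCpu     = [math]::Round($stats.Average, 2)
    PeakCpu     = [math]::Round($stats.Maximum, 2)
    Over90Count = ($points | Where-Object { $_.Average -gt 90 }).Count
}
```

The summary object at the end is what a manual baseline looks like before Dynamic Thresholds (covered later in this chapter) automate the same idea: a rough sense of the normal range of the metric, from which a static alert threshold can be chosen.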
In the next section, we are going to create a metric in the Azure portal.
To display the metrics for the various Azure resources in Azure Monitor, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Monitor to open the Azure Monitor overview blade.
First, we're going to look at metrics. Therefore, in the left-hand menu, select Metrics or select the Explore Metrics button from the overview blade.
In the Metrics overview blade, click on the + Select a scope button. A new blade will open up where you can select the subscription, the resource group, and the resource type. Select the subscription that is used for the Linux VM, select the resource group, and then select the VM. You can filter by other resource types, as well:
Click on Apply.
Then, you can select the metric type. Select CPU Credits Consumed, for instance:
You can select a different type of aggregation as well, such as the count, average, and more, in the filter box. At the top-right of the blade, you can select a different time range for your metric as well:
You can also pin this metric to the overview dashboard in the Azure portal. Therefore, click on the Pin to dashboard button, and then choose to pin it to the current dashboard or create a new dashboard for it. For now, select Pin to current dashboard:
If you now select Dashboard from the left-hand menu, you'll see that this metric is added to it. This way, you can easily analyze this metric without the need to open Azure Monitor.
In the next section, we're going to look at how to set up and analyze alerts in Azure Monitor.
With alerts, Azure can proactively notify you when critical conditions occur in the Azure or on-premises environment. Alerts can also attempt to take corrective actions automatically. Alert rules that are based on metrics will provide near real-time alerting, based on the metric. Alerts that are created based on logs can merge data from different resources together.
The alerts in Azure Monitor use action groups, which are unique sets of recipients and actions that can be shared across multiple rules. These action groups can use Webhooks to start external actions, based on the requirements that are set up for this alert. These external actions can then be picked up by different Azure resources, such as Runbooks, Functions, or Logic Apps. Webhooks can also be used for adding these alerts to external IT Service Management (ITSM) tools.
You can also set alerts for all of the different Azure resources. In the following sections, we are going to create an alert.
To create an alert, perform the following steps:
From the Azure Monitor overview blade, in the left-hand menu, select Alerts. You can also go to the alerts settings by clicking on Create alert to create an alert directly.
In the Alerts blade, click on + New alert rule in the top menu:
The Create rule blade is displayed. Here, you can create the rule and action groups. To create a new rule, you need to first select the resource. Click on the Select button under the RESOURCE section:
In the next blade, you can filter by the subscription and resource type. Select Virtual machines:
Select the VM from the list and click Done.
Now that we have a resource selected, we're going to set up the condition. Click on Add condition.
The condition blade is open, and so we can filter by a certain signal. Select Percentage CPU and click Done:
Next, you can set the alert logic for this alert. You can choose multiple operators, set the aggregation type, and set the threshold value for this alert. Set the following:
Threshold: Static (in the next section, we are going to cover the difference between static and dynamic thresholds)
Operator: Greater than
Aggregation type: Average
Threshold Value: 90%
Leave Evaluated based on with its default settings.
This alert will notify you when the CPU of the virtual machine is greater than 90% over a 5-minute period. Azure Monitor will check this every minute:
Click on Done to create this condition.
Now, we have to create an action group to send the alert to. This is then responsible for handling the alert and taking further action on it. The action group that you create here can be reused across other alerts as well. So, in our case, we will create an email action group that will send out an email to a certain email address. After its creation, you can add this existing action group to other alerts. Under Action group, select the Create new button.
In the Action Group blade, add the following settings:
Action group name: Type Send email.
Short name: Type a short name for the action group.
Subscription: Select the subscription where the VM is created.
Resource group: Select Default-ActivityLogAlerts (to be created).
Then, we have to provide the actual action. Add the following values:
Action name: Type a name for the action.
Action type: Email/SMS/Push/Voice
Then, select Edit details and select the Email checkbox. Provide an email address and click on the OK button:
Click on OK again.
Finally, you have to specify an alert name, set the severity level of the alert, and click on Create alert rule:
We have now created an alert and an action group that will alert a user via email when the CPU goes over 90%. In the next section, we're going to create a baseline for resources.
To create a baseline for your resources, Azure offers Metric Alerts with Dynamic Thresholds. Using Dynamic Thresholds, you don't have to manually identify and set thresholds for alerts, which is an enhancement to Azure Monitor Metric Alerts. Advanced machine learning capabilities are used by the alert rule to learn the historical behavior of the metrics while identifying patterns and anomalies that indicate possible service issues. With Dynamic Thresholds, you can create an alert rule once and apply it automatically to different Azure resources during the creation of the resources.
In the following overview, you will find some scenarios in which Dynamic Thresholds for metric alerts are recommended:
Scalable alerting: Dynamic Thresholds are capable of creating tailored thresholds for hundreds of metric series at a time, while this remains as easy as creating an alert rule for one single metric. They can be created using the Azure portal or Azure Resource Manager (ARM) templates and the ARM API. This scalable approach is useful when applying an alert rule to multiple resources or when dealing with metric dimensions. This translates to a significant time-saving in the creation and management of alert rules.
Intuitive Configuration: You can set up metric alerts using high-level concepts with Dynamic Thresholds, so you don't need to have extensive domain knowledge about the metric.
Smart Metric Pattern Recognition: By using a unique machine learning technology, Azure can automatically detect metric patterns and adapt to metric changes over time. The algorithm used in Dynamic Thresholds is designed to prevent wide (low recall) or noisy (low precision) thresholds that don't follow an expected pattern.
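The PowerShell below is an added example, not code from the book, that recreates the alert from the step-by-step procedure above (average Percentage CPU greater than 90% over a 5-minute window, evaluated every minute, routed to an email action group) with Az.Monitor cmdlets, and then adds a second rule on the same signal that uses a Dynamic Threshold instead of the static 90%. It assumes Connect-AzAccount has been run; the VM, resource group names and email address are placeholders, and the cmdlet names are those of the Az.Monitor versions current when this book was written (later module versions replace Set-AzActionGroup and New-AzActionGroupReceiver with New-AzActionGroup and receiver object cmdlets).

```powershell
# Added example (not from the book): the chapter's alert rule and action group
# created with Az.Monitor, plus a Dynamic Thresholds variant of the same rule.
# Assumes Connect-AzAccount has been run; names and the address are placeholders.
$alertRg = 'Default-ActivityLogAlerts'   # resource group chosen in the steps above
$vm      = Get-AzVM -ResourceGroupName 'PacktVMResourceGroup' -Name 'PacktLinuxVM'

# 1. Action group with a single email receiver; reusable by any number of rules
$email = New-AzActionGroupReceiver -Name 'Email admin' `
           -EmailReceiver -EmailAddress 'admin@example.com'   # placeholder address
$ag = Set-AzActionGroup -ResourceGroupName $alertRg -Name 'Send email' `
        -ShortName 'SendEmail' -Receiver $email

# 2. Static condition: average Percentage CPU greater than 90
$static = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
            -MetricNamespace 'Microsoft.Compute/virtualMachines' `
            -TimeAggregation Average -Operator GreaterThan -Threshold 90

# 3. Rule: 5-minute aggregation window, checked every minute, severity 3
Add-AzMetricAlertRuleV2 -Name 'HighCpu' -ResourceGroupName $alertRg `
    -TargetResourceId $vm.Id -Condition $static `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -Frequency ([TimeSpan]::FromMinutes(1)) `
    -ActionGroupId $ag.Id -Severity 3 `
    -Description 'CPU above 90% averaged over 5 minutes'

# 4. Same signal with a Dynamic Threshold: the boundary is learned from the
#    metric's history; fire after 4 of the last 4 evaluated points violate it
$dynamic = New-AzMetricAlertRuleV2Criteria -MetricName 'Percentage CPU' `
             -MetricNamespace 'Microsoft.Compute/virtualMachines' `
             -TimeAggregation Average -Operator GreaterThan -DynamicThreshold `
             -ThresholdSensitivity Medium -ViolationCount 4 -ExaminedAggregatedPointCount 4

Add-AzMetricAlertRuleV2 -Name 'HighCpuDynamic' -ResourceGroupName $alertRg `
    -TargetResourceId $vm.Id -Condition $dynamic `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -Frequency ([TimeSpan]::FromMinutes(1)) `
    -ActionGroupId $ag.Id -Severity 3

# Verify both rules exist and are enabled
Get-AzMetricAlertRuleV2 -ResourceGroupName $alertRg | Select-Object Name, Enabled, Severity
```

The ViolationCount and ExaminedAggregatedPointCount pair is what keeps a Dynamic Threshold rule from firing on a single spike: the rule only alerts when the required number of the most recent evaluation points fall outside the learned band, which is the low-precision (noisy) failure mode the section above describes.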
In the next section, we're going to configure diagnostic settings on resources.
You can also configure diagnostic settings on different Azure resources. There are two types of diagnostic logs available in Azure Monitor:
Tenant logs: These logs consist of all of the tenant-level services that exist outside of an Azure subscription. An example of this is the Azure Active Directory logs.
Resource logs: These logs consist of all of the data from the resources that are deployed inside an Azure subscription, for example, virtual machines, storage accounts, and network security groups.
The contents of the resource logs are different for every Azure resource. These logs differ from guest OS-level diagnostic logs. To collect OS-level logs, an agent needs to be installed on the virtual machine. The diagnostic logs don't require an agent to be installed; they can be accessed directly from the Azure portal.
The logs that can be accessed are stored inside a storage account and can be used for auditing or manual inspection purposes. You can specify the retention time in days by using the resource diagnostic settings. You can also stream the logs to event hubs to analyze them in Power BI or insert them into a third-party service. These logs can also be analyzed with Azure Monitor. Then, there will be no need to store them in a storage account first.
To enable the diagnostic settings for resources, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
Go to the VM again. Make sure that the VM is running, and in the left-hand menu, under Monitoring, select Diagnostic settings.
The Diagnostic Settings blade will open up. You will need to select a storage account where the metrics can be stored.
Click on the Enable guest-level monitoring button to update the diagnostic settings for the virtual machine:
When the settings are updated, you can go to Metrics in the top menu to set the metrics that are collected. The syslog blade is used for setting the minimum log level.
New metrics will be available from the metrics blade after enabling diagnostic logging in Azure Monitor. You can analyze them in the same way that we did earlier in this chapter, in the Metrics section.
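As an added example (not from the book), the following PowerShell configures the resource diagnostic logs described at the start of this section for a network security group: it lists the log categories the resource type exposes, archives the logs to a storage account with a retention period, sends the same logs to a Log Analytics workspace, and then reads the setting back to verify the destinations. It assumes Connect-AzAccount has been run and that the NSG, storage account and workspace named below (placeholders) already exist.

```powershell
# Added example (not from the book): resource diagnostic settings on a network
# security group with Az.Monitor. Assumes Connect-AzAccount has been run;
# the resource names below are placeholders that must exist in your subscription.
$rgName  = 'PacktVMResourceGroup'
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'PacktLinuxVM-nsg'
$storage = Get-AzStorageAccount -ResourceGroupName $rgName -Name 'packtdiaglogs'
$ws      = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'PacktWorkspace' -Name 'PacktWorkspace'

# The log categories differ per resource type; ask the resource which ones it has
Get-AzDiagnosticSettingCategory -ResourceId $nsg.Id | Select-Object Name, CategoryType

# One diagnostic setting with two destinations: storage (with retention, for
# audit/manual inspection) and a Log Analytics workspace (for querying)
Set-AzDiagnosticSetting -ResourceId $nsg.Id -Name 'nsg-to-storage-and-logs' `
    -Category 'NetworkSecurityGroupEvent', 'NetworkSecurityGroupRuleCounter' `
    -Enabled $true `
    -StorageAccountId $storage.Id -RetentionEnabled $true -RetentionInDays 90 `
    -WorkspaceId $ws.ResourceId

# Verify: every diagnostic setting on the resource, its destinations and categories
Get-AzDiagnosticSetting -ResourceId $nsg.Id |
    Select-Object Name, StorageAccountId, WorkspaceId,
        @{ Name = 'Logs'; Expression = { $_.Logs.Category -join ',' } }
```

Note that this is the agentless resource-log path; the guest-level monitoring enabled in the portal steps above is a separate mechanism that installs the diagnostics extension inside the VM, as the section explains.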
In the next section, we're going to look at the Azure Log Analytics service, which is now a part of Azure Monitor as well.
Azure Log Analytics is a service that collects telemetry data from various Azure resources and on-premises resources. All of that data is stored inside a Log Analytics workspace, which is based on Azure Data Explorer. It uses the Kusto query language, which is also used by Azure Data Explorer to retrieve and analyze the data.
Analyzing this data can be done from Azure Monitor. All of the analysis functionalities are integrated there. The term Log Analytics now primarily applies to the blade in the Azure portal where you can analyze metric data.
Before we can display, monitor, and query the logs from Azure Monitor, we need to create a Log Analytics workspace. For that, we have to perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
Click on Create a resource.
Type Log Analytics in the search box and create a new workspace.
Add the following values:
Log Analytics workspace: Type PacktWorkspace (the name for this Log Analytics workspace needs to be unique; if the name is already taken, specify another name).
Subscription: Select a subscription.
Resource group: Create a new one and call it PacktWorkspace.
Location: Select West US.
Pricing tier: Keep the default one, which is per GB.
Click on the OK button to create the workspace.
Now that we have created a Log Analytics workspace, we can use it inside Azure Monitor to create some queries to retrieve data. We will do this in the next section.
Azure Monitor is now integrated with the features and capabilities that Log Analytics was offering. This also includes creating search queries across the different logs and metrics by using the Kusto query language.
To retrieve any type of data from Azure Monitor, a query is required. Whether you are configuring an alert rule, analyzing data in the Azure portal, retrieving data using the Azure Monitor Logs API, or being notified of a particular condition, a query is used.
The following list provides an overview of all of the different ways queries are used by Azure Monitor:
Portal: From the Azure portal, interactive analysis of log data can be performed. In there, you can create and edit queries and analyze the results in a variety of formats and visualizations.
Dashboards: The results of a query can be pinned to a dashboard. This way, results can be visualized and shared with other users.
Views: By using the View Designer in Azure Monitor, you can create custom views of your data. This data is provided by queries as well.
Alert rules: Alert rules are also made up of queries.
Export: Exports of data to Excel or Power BI are created with queries. The query defines the data to export.
Azure Monitor Logs API: The Azure Monitor Logs API allows any REST API client to retrieve log data from the workspace. The API request includes a query to retrieve the data.
PowerShell: You can run a PowerShell script from a command line or an Azure Automation runbook that uses Get-AzOperationalInsightsSearchResults to retrieve log data from Azure Monitor. You need to create a query for this cmdlet to retrieve the data.
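The PowerShell below is an added example, not code from the book, covering the workspace procedure above and the PowerShell query path from this list: it creates the PacktWorkspace workspace with the Az.OperationalInsights module and runs a Kusto query against it that reuses the chapter's 90% CPU threshold. It assumes Connect-AzAccount has been run and the workspace name is free, and it uses Invoke-AzOperationalInsightsQuery rather than the older Get-AzOperationalInsightsSearchResults cmdlet the list mentions.

```powershell
# Added example (not from the book): create the Log Analytics workspace from the
# steps above and run a Kusto query against it with Az.OperationalInsights.
# Assumes Connect-AzAccount has been run and the workspace name is not taken.
New-AzResourceGroup -Name 'PacktWorkspace' -Location 'West US' -Force | Out-Null
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName 'PacktWorkspace' `
        -Name 'PacktWorkspace' -Location 'West US' -Sku 'PerGB2018'   # per GB tier

# Kusto query: 5-minute average CPU per computer from the Perf table, keeping
# only the buckets above the 90% threshold used for the alert rule earlier.
# Perf is populated once a VM is connected to the workspace and the
# "% Processor Time" counter is enabled.
$kql = @'
Perf
| where TimeGenerated > ago(1d)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AvgCpu = avg(CounterValue) by bin(TimeGenerated, 5m), Computer
| where AvgCpu > 90
| order by TimeGenerated desc
'@

# The query API addresses the workspace by its customer ID (a GUID), not its name
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table TimeGenerated, Computer, AvgCpu
```

The same query text can be pasted into the Logs blade in the portal or used as the condition of a log alert rule, which is the point of the list above: one query language serves the portal, dashboards, alert rules, the API and PowerShell alike.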
In the following section, we are going to create some queries to retrieve data from the logs in Azure Monitor.
In this chapter, we covered the first objective of the Deploy and Configure Infrastructure objective. We covered the various aspects of