Azure-in-bullet-points

Deployment

• Deployment tools: Azure portal, Azure Cloud Shell, Azure PowerShell, Azure CLI v2.0, Azure SDKs, ARM templates
• You can create from
  • User images
    • Uses unmanaged disks
  • Marketplace images

Create VM Image

• As first step, generalize VM
  • Generalization resets server-specific data: Computer name
    • Security identifiers (SIDs)
    • Local administrator/root identity
    • Device driver cache
    • Event logs
  • How to generalize
    • On Windows use sysprep, “System Preparation Tool”
    • On Linux run sudo waagent -deprovision+user
    • Take a VM backup first, because generalization is destructive and permanent
  • Create VM image from Azure VM
    • Managed Disk Concepts
      • Disks
        • No storage account (management) required
        • Pay for pre-allocated storage (P10 =128 GB SSD VHD)
      • Snapshots
        • Read-only full copy of a managed disks
        • You can create new VM’s based on snapshots
      • Images
        • Generalized VM disk images
        • Snapshots can be converted into images
    • Flow
      1. Get an image:
         • Get a snapshot image
           1. Go to Disks -> Select OS disk -> Create snapshot
           2. In snaphot -> Click on Export -> You’ll get SAS url -> Download VHD
           3. Generalize the image
         • Or capture an image
           • VM -> Overview -> Capture
           • ❗ Not generalized
           • It appears in images
      2. Go to Images in portal, select the image, from there click on Deploy and it’ll navigate you

VM Connection

• You have different levels of security NSG, host firewall, options to have public IP or not
• Just-in-time VM Access
  • Recommended to enable
  • Requires Azure Security Center Standard tier
  • Locks down all administrator ports as default, when admin requests admin session then session is bounded by time limit and IP address restriction while granting access.
  • No need to have management port open all the time

Deploying Linux Server VM

• Around 40% of workloads in Azure runs on Linux
• Endorsed in Azure: CentOS, CoreOS, Debian, Oracle Linux, Red Hat Enterprise Linux, SUSE Enterprise Linux, openSUSE, Ubuntu
• Connection
  • Secure Shell (SSH)
    • A popular client is PuTTy for SSH or you can install subsystem for Linux or git tools on Windows 10 to get SSH.
  • Remote Desktop Protocol (RDP)
    • You can install RDP on Linux.
    • Some do not believe in graphical shell:
      • Presents security vulnerability possible
      • Needlessly consumes CPU
    • Windows team ported RDP into linux.
  • Serial Console
    • COM1 serial port connection to VM
    • Low-level access
    • Helpful when e.g. your VM doesn’t boot up
• Authentication
  1. SSH Public Key
     • You keep private key and share public key with Azure.
  2. Password
     • You can reset those after deployment in VM -> Reset password

Deploying Windows Server VM

• Windows Server 2019, 2016, 2012, 2008, Windows 10 Pro or Enterprise (for e.g. load testing, client-side testing, jump-box)
• Connect
  • Remote Dekstop Protocol (RDP)
    • Uses TCP 3389
    • You can connect directly from Overview -> Connect
  • WinRM (PowerShell) Remoting
    • TCP 5985, 5986
  • Serial Console
    • Text console into VM
    • Can get to VM’s that can’t boot

VM Monitoring

• Enable a single Azure VM or virtual machine scale set by selecting Insights directly from the VM or virtual machine scale set.
• Install Azure monitor extension through a policy
• You can monitor Azure VMs in any region. The VMs themselves aren’t limited to the regions supported by the Log Analytics workspace.

Prepare environment with Azure Policy

• RBAC vs Azure Policy
  • RBAC
    • Focuses on user actions at different scopes
    • VM Contributor can manage only VM
    • Built-in custom roles
  • Azure Policy
    • Focuses on resource properties during deployment for already existing resources
    • Uses default allow and explicit deny access system
  • Difference
    • You’re not going to be able to create VM unless you have read & write abilities by RBAC
    • Azure Policy in contrast constrains what that RBAC can do when she/he attempts to create VM
• Some built-in Azure Policy definitions are e.g. allowed locations, VM SKU, ensure MMS extension is deployed
• You can create also own policies, or initiatives which are collections of policies.
• Example:
  • Policy -> Assign Policy
  • Policy defination: E.g. allowed locations
  • Parameters: Select which regions are allowed

Deploy with ARM templates

• ARM templates are infrastructure as code foundation of automation and DevOps in Azure
• 💡 Visual Studio is a good ARM template editor
  • Visual Studio Code can also be used.
• Different ways to work with templates
  1. You can go to Portal -> Templates -> Usage existing usages or add a new template
  2. In Visual Studio -> Cloud -> Azure Resource Group -> You can select template location (e.g. github) -> Select a template
  3. Deploy a VM then in the last step click on “Download template and paremeters”
• You can deploy with PowerShell, Cloud Shell, Azure CLI, or directly from Visual Studio
• You can automate deployment actions such as VM access
• Files
  • azuredeploy.json
    • Deployment template.
    • Defines resources and property such as Allowedvalues, defaultvalues
    • You can refactor some values in variables and reuse in the file
    • copy element block in deployment script allows you to create e.g. 3 storages.
  • azuredeploy.parameters.json
    • Deployment parameters (required for deployment) to depoy azuredeploy.json

This site is open source. Improve this page.