BOOKMARK THIS! aka.ms/Azure/IaaSOpsGuide
This is a collection of Azure Infrastructure installation and operational guidance resources I provide to my customers. By keeping these links up to date with each engagement, all of my customers may benefit. Hopefully you can too! The latest Azure updates will always be at Azure service updates. Make it part of your operational procedure to review that monthly, if not weekly! In 2015, there were over 500 updates. Wow!
The goal of this guide is to highlight core installation and operational procedures for an Azure IaaS deployment, which will predominantly consist of Compute, Network and Storage resources. The article Azure Infrastructure Services Implementation Guidelines gives a pretty good rundown of what needs to be created and in what order. The resources I keep updated below largely follow the order in that article. But there is a very important piece of that puzzle missing from it: for the newer Azure Resource Manager (ARM) model of deployment, we need to plan, design and create Azure Resource Groups. Once we have Resource Groups, we can delegate administration with Role Based Access Control (RBAC).
Besides all this, if you just need to ramp up and learn more on Azure, go to the Azure Learning Paths page. Check it out and learn something new! I also have my Azure Certification resources (Slides and Videos) from MS Ignite 2015, to get you certified and ready to go!
- aka.ma/Certification/70-533 | Microsoft Azure Infrastructure Certification Prep
- aka.ma/Certification/70-534 | Microsoft Azure Architecture Certification Prep
Azure Active Directory
- How Azure subscriptions are associated with Azure Active Directory
- This is an important link to read and understand. Microsoft Azure does not equal Azure Active Directory. If you create a brand new Azure subscription, you will have an Azure Active Directory tenant by default. But sometimes companies have Office 365 first, without an Azure subscription. With Office 365, you get an Azure Active Directory tenant for free. That is your cloud directory. It can be standalone, or, as many companies do, it can synchronize or federate with their on-premises identities. But an Azure AD tenant for Office 365 is not necessarily tied to an Azure subscription. An Azure subscription is just another service like Office 365. If your company is going to have both, then the KEY goal is that both of those connect to the same Azure Active Directory tenant. So if you started with Office 365 and made the primary domain name contoso.com, then when you log in to create an Azure subscription, make sure to do so with a Global Admin account in the contoso.com Azure AD tenant that you use to administer Office 365. See Manage the directory for your Office 365 subscription in Azure.
- Azure Active Directory editions
- Before you get too excited about everything you discover on the Azure website, make sure you know which edition you have. There are many flavors and enterprise agreements, and depending on the edition you have, more or fewer services will be available to you. Azure Active Directory Premium gets you the whole kitchen sink, but there are different ways to get that as well, e.g. an Enterprise Mobility Suite license.
- The Four Pillars of Identity – Identity Management in the Age of Hybrid IT
- Azure Active Directory Authentication Protocols
- Authentication Scenarios for Azure AD
- Supported Token and Claim Types
- Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on
- Azure AD terminology
- Getting started with Azure Multi-Factor Authentication in the cloud
- Azure AD Privileged Identity Management
There is quite a bit of guidance out there to help architect your cloud identity strategy. Azure Active Directory provides the core Identity Management as a Service platform for all of the possible hybrid and cloud scenarios. Here are some great resources to read up on.
- Azure Reference Architectures
- Microsoft cloud identity for enterprise architects
- Azure Active Directory Hybrid Identity Design Considerations
- Architecting Hybrid Cloud Environments
- Microsoft’s Enterprise Cloud Roadmap – Sway with links to many other resources
- Example Azure Infrastructure Walk through
- Microsoft Cloud IT architecture resources
Authentication & Authorization
- Authentication Scenarios for Azure AD
- Patterns and Practices: Identity management for multitenant applications in Microsoft Azure
- Authentication and authorization in Azure App Service
- SQL Database Authentication and Authorization: Granting Access
- Service Bus authentication and authorization
- Event Hubs authentication and security model overview
- Developer’s guide to auth with Azure Resource Manager API
- Azure AD Token Lifetime
- ADAL, Windows Azure AD and Multi-Resource Refresh Tokens
- Using a Service Principal for Azure PowerShell Authentication
- Refresh Tokens for Multiple Resources
- Authorize access to web applications using OAuth 2.0 and Azure Active Directory
Azure AD Operational Guidance
- Administer your Azure AD directory
- Assigning administrator roles in Azure Active Directory (Azure AD)
- Create or edit users in Azure Active Directory
- Azure AD Password Reset for Users and Admins
- Managing access to resources with Azure Active Directory groups
- Using AAD Credentials with Azure PowerShell Cmdlets
- View your access and usage reports which is part of
- Using Azure AD Connect Health with AD FS
- Using Azure AD Connect Health for Azure AD Sync
In the original Azure Portal, http://manage.windowsazure.com, the primary control of overall administration was at the subscription level. Now, in the new Azure Resource Manager (ARM) model, there are fewer justifications for multiple subscriptions than there were in the Azure Service Management (ASM) model, where administration was only possible at the top level. In ARM, you can control administration at the subscription level, at Resource Groups, and at the Azure Resources contained within them. For more on those differences, see Understanding Resource Manager deployment and classic deployment. You can only create Azure Resources that leverage ARM deployments and RBAC by using http://portal.azure.com, so stop using the old portal unless you just have to. For more on that, read Azure portal availability chart.
Before you can do anything, you not only need an Azure subscription, but you also need to know how many (if more than one) and what the limits are. Simpler is always best. In the ARM deployment model, things like separation of billing and delegation of administration no longer require separate subscriptions: billing can be broken down further with tagging, and RBAC gives you even more flexibility to control administration across your portal.
- How to sign up for, purchase, upgrade or activate an Azure subscription
- If you don’t have an Azure subscription, this is where to start before anything else below.
- Subscription Service Limits
- How Azure subscriptions are associated with Azure Active Directory
- Move resources to new resource group or subscription
- Transferring an Azure subscription
- How to create a support ticket for Azure billing and subscription issues
- I am unable to log in to manage my Azure subscription
- What do I do if my Azure subscription becomes disabled?
Azure Resource Manager (ARM) and Role Based Access Control (RBAC)
Once you have your Azure Subscription, planning and implementing Resource Groups should be first on your list. If this is not done, then when you go to deploy anything in the new Azure portal in ARM mode, a default Resource Group will be created for you. If you pre-make a few to start with, then once you create storage, network and compute resources, you can assign those resources to Azure Resource Groups, per Azure Region, as you see fit. There are many ways to do this, e.g. by dev/test environments or by resource types such as domain controllers or web servers. At a high level, most Azure pages will say to create these according to the managed lifecycles of Azure Resources. By default the subscription administrators will have access to all of these, so if you make a bunch, you can later create groups and assign RBAC roles to delegate administration.
- Azure Resource Manager Overview
- Lock Down Your Azure Resources
- Authenticating a service principal with Azure Resource Manager
- Azure Resource Manager for DevOps and mere mortals
- World Class ARM Templates Considerations and Proven Practices | Download THE Whitepaper!
- Azure Resource Manager JSON Templates overview -understand them better!
- Azure Resource Manager DevOps Jump Start Microsoft Virtual Academy online class!
- Deploying, Organizing and Securing Applications with the Azure Resource Manager | Microsoft Ignite 2015
- Azure Resource Manager Templates | On Channel 9
- Azure Quick Start Templates! | As mentioned on Channel 9 above | Use the same template repeatedly
- ARM Template Visualizer
Task Name | Task Link
- Determine Naming Convention | http://aka.ms/azure/naming
- Deploy a Resource Group through command line or the Azure Portal | http://aka.ms/Azure/RG
- Identify all existing RBAC roles available | http://aka.ms/Azure/Roles
- Manage access using the Azure portal | http://aka.ms/Azure/RBAC/Manage
- Manage Role-Based Access Control with Azure PowerShell | http://aka.ms/azure/rbac/ps
- Manage Role-Based Access Control with the Azure Command Line Interface | http://aka.ms/azure/rbac/cli
- Managing Role-Based Access Control with the REST API | http://aka.ms/Azure/RBAC/RestAPI
- Identify Role-based access control in Azure Automation | http://aka.ms/Azure/RBACA/Automation
- Using tags to organize your Azure resources | http://aka.ms/Azure/tags
- Use Policy to manage resources and control access | http://aka.ms/azure/policy
- Lock resources with Azure Resource Manager | http://aka.ms/Azure/Lock
Creating your virtual networks and subnets is very high on the priority list of things to do after the subscription and resource groups are created. One quick tip to note is that in traditional network addressing, we take away 2 addresses (n-2) for all 1’s and all 0’s when calculating hosts from networks. In Azure, it gets a little hungrier, using 3 additional addresses. So remember this safety tip….figure (n-5) when you do your host calculations. For example, if you needed 30 hosts on-premises, you would figure a /27 network would work, right? Don’t believe me, just ask Cisco 🙂 But in Azure, you would fall short, as a /27 network would actually result in only 27 usable hosts per subnet. So I warned you! Also, if you make your VNet networks too small, it will haunt you, as it currently is not so easy to remove the VMs and recreate VNets, so plan them very, very carefully. Been there, done that. You don’t want to go there.
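The n-5 rule above, worked through in code. This is an added example, not part of the original post; it assumes nothing beyond the Python standard library and the five reserved addresses per Azure subnet described in the text (network, the first three host addresses, broadcast).

```python
"""Azure subnet sizing check (added example, not code from the original post).

Classic subnetting reserves 2 addresses per subnet (network and broadcast).
Azure reserves 5: network, broadcast, and the first three host addresses
(x.1 is the default gateway, x.2 and x.3 are held by Azure for DNS), so size
subnets with n-5 usable hosts instead of n-2.
"""
import ipaddress
import math

CLASSIC_RESERVED = 2   # network + broadcast
AZURE_RESERVED = 5     # network + first three host addresses + broadcast


def usable_hosts(cidr: str, reserved: int = AZURE_RESERVED) -> int:
    """Usable host addresses in an IPv4 subnet after the platform's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - reserved, 0)


def smallest_prefix_for(hosts: int, reserved: int = AZURE_RESERVED) -> int:
    """Longest prefix length whose subnet still fits `hosts` usable addresses."""
    needed = hosts + reserved
    return 32 - math.ceil(math.log2(needed))


def azure_reserved_addresses(cidr: str) -> list[str]:
    """The five addresses Azure takes out of a subnet, i.e. the ones you cannot assign."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]


def sizing_report(hosts: int) -> dict:
    """Compare the on-premises answer with the Azure answer for one host requirement."""
    classic = smallest_prefix_for(hosts, CLASSIC_RESERVED)
    azure = smallest_prefix_for(hosts, AZURE_RESERVED)
    azure_usable = usable_hosts(f"10.0.0.0/{classic}")   # constructed sample base address
    return {
        "hosts": hosts,
        "classic_prefix": classic,
        "azure_usable_at_classic_prefix": azure_usable,
        "azure_prefix": azure,
        "fits_in_azure": azure_usable >= hosts,
    }


if __name__ == "__main__":
    # The /27 trap from the text: 30 hosts fit on-premises, only 27 fit in Azure.
    for n in (10, 27, 30, 100):
        print(sizing_report(n))
    print(azure_reserved_addresses("10.0.1.0/27"))
```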
- Microsoft Cloud Networking for Enterprise Architects – This is a great soup to nuts overview!
- Microsoft Cloud Services and Network Security – Read these top two docs, and you will see all the components to consider
- Microsoft Azure Network Security Whitepaper version 3 is now available This explains what Microsoft does to protect Azure
- Virtual Network Overview
- Network Resource Provider
- IP Addresses in Azure Virtual Network
- About secure cross-premises connectivity for virtual networks
- Site-to-Site VPN
- Point-to-Site VPN
- Currently not supported in Azure Resource Manager deployments….stay tuned!
- User Defined Routes and IP Forwarding
- What is Azure load balancer?
- What is a Network Security Group (NSG)?
- Get started configuring internal load balancer using Azure Resource Manager
- Get started configuring your Internet-facing load balancer
- How to set a static private IP address in the preview portal
- Configure a VNet-to-VNet connection for virtual networks in the same subscription by using Azure Resource Manager and PowerShell
- How to manage NSGs using the preview portal
- How to create NSGs in PowerShell
- Step-by-Step: Automate Building Outbound Network Security Groups Rules via Azure Resource Manager (ARM) and PowerShell
- SQL Server 2014 High-Availability and Multi-Datacenter Disaster Recovery with Multiple Azure ILBs
- Configuring the SQL Server AlwaysOn ILB for the Client Listener in Azure Resource Manager (ARM) deployment model
- Configure an ILB listener for AlwaysOn Availability Groups in Azure
- Line of Business Application Workload Phase 4: Configure web servers
Find ALL Storage Documentation, e.g. Get Started, Designing, etc.
- SOSP Paper – Windows Azure Storage: A Highly Available Cloud Storage Service with Strong Consistency
- This explains how Microsoft Azure does storage
- Microsoft Azure Storage Performance and Scalability Checklist
- Azure Storage security guide
- Using Azure PowerShell with Azure Storage
- Azure Storage Explorer Graphical Tool
- Get Started with the AzCopy Command-line Utility
- Use Azure Automation with Storage
- Premium Storage: High-Performance Storage for Azure Virtual Machine Workloads
- Doing SQL Databases? High Performance workloads? Then look into premium storage.
- Create a Storage Account
- Monitor, diagnose, and troubleshoot Microsoft Azure Storage
- Monitor a storage account in the Azure portal
- Enable Storage metrics and viewing metrics data
- Troubleshooting Tutorial
- Configure a Custom domain for blob data in an Azure Storage Account
- Transfer blob data to Azure with Import/Export
- Upload a Windows VM image to Microsoft Azure for Resource Manager deployments
- Move Data to and from Azure Blob Storage using AzCopy
- Technical articles for Windows VMs in Azure
- About Azure virtual machines
- Virtual Machines Documentation
- Learning Paths for Virtual Machines
- Manage the availability of virtual machines
- Planned maintenance for Azure virtual machines
- Understand planned vs. unplanned maintenance
- Azure Quickstart Templates
- Create a virtual machine running Windows in the Azure portal
- Different ways to create a Windows virtual machine with Resource Manager
- Create a Windows VM with Resource Manager and PowerShell
- Restore virtual machines in Azure
- How to Tag a Virtual Machine in Azure
- Azure Windows VM Extension Configuration Samples
- Authoring Azure Resource Manager Templates with VM Extensions
- Encrypting Azure Virtual Machines with CloudLink SecureVM
Below are some additional topics related to various deployments. These also provide other examples of deploying things like Windows Server Active Directory and SQL Server AlwaysOn clusters in an Azure subscription. What will you put in your subscription?
Windows Active Directory Servers in IaaS
Many organizations now are moving their Domain Controllers into Azure as VMs in IaaS. Here are some links to help out!
- Extending Active Directory to Azure – Patterns and Practices
- Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
- Install a new Active Directory forest on an Azure virtual network
- Or WATCH the video: How to install a new Active Directory forest on an Azure virtual network
- Active Directory Domain Services (AD DS) Virtualization
- Understanding Active Directory Domain Services (AD DS) Functional Levels
If you want to have replica Domain Controllers in the cloud for on-premises domain controllers…
- Microsoft Trust Center and Compliance
- Azure Security – What we’ve done and where we are going
- Get started with threat detection
- Security considerations for Azure Resource Manager
- Microsoft Azure Network Security
- Azure App Service Security
- Securing your SQL Database
- Audit operations with Resource Manager
- Azure Active Directory audit report events
- Audit Logs in Azure Preview Portal
- Getting started with Operations Management Suite Security and Audit Solution
- View and analyze Azure Audit Logs in Power BI and more
- Use audit logs to send email and webhook alert notifications in Azure Insights
- Azure API Management service covered by Azure Service Organization Controls audits
- New features for Azure diagnostics and Azure Audit logs
- How to use the audit log in Azure AD Privileged Identity Management