Building systems on Azure [study notes for the Azure cloud certification]
1. Implementing and monitoring infrastructure
2. Implementing and managing a data platform
3. Management and security solutions
4. App solutions
1. Implementing and monitoring infrastructure
Site-to-Site Connection
- ExpressRoute
- BGP (private AS on the customer side of private peering)
- Microsoft peering (public AS; formerly "public peering")
- ExpressRoute failover → a site-to-site VPN over the internet acts as the backup path for the MPLS-based ExpressRoute circuit [failover pair]
- BGP: routes are originated locally through the network or aggregate commands in the BGP configuration
- VPN Gateway
(requires a dedicated gateway subnet named GatewaySubnet)
- VPN Gateway (Basic SKU …)
- Local network gateway: represents the on-premises site (public IP of the VPN device and its address prefixes)
- Create a Connection
- Virtual Network Gateway [Azure resource] / Local Network Gateway [represents the on-premises VPN appliance]
VNet-to-VNet [Peering]
- The address spaces of the two VNets must not overlap → then create the peering
- Private endpoint
- Verify routing from a VM (effective routes) → Allow gateway transit on the hub side, Use remote gateways on the spoke side
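The two pre-checks the peering bullets above describe (disjoint address spaces, and a consistent gateway-transit / remote-gateway pair) as an added example; this is not code from the notes. The VNet names and address spaces are constructed, and the flag names in the dicts are hypothetical stand-ins for the portal checkboxes.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample VNets (hypothetical names and address spaces, not a real deployment).
VNETS: Dict[str, List[str]] = {
    "hub-vnet": ["10.0.0.0/16"],
    "spoke1-vnet": ["10.1.0.0/16", "192.168.10.0/24"],
    "spoke2-vnet": ["10.1.128.0/17"],  # overlaps spoke1-vnet's 10.1.0.0/16
}


def overlapping_prefixes(space_a: List[str], space_b: List[str]) -> List[Tuple[str, str]]:
    """Return every (prefix_a, prefix_b) pair whose IP ranges overlap.

    Azure refuses to create a peering while any prefix of one VNet overlaps a
    prefix of the other, and the address space cannot be edited while the
    peering exists, so the check covers the whole address space rather than
    only the subnets currently in use.
    """
    hits = []
    for pa in space_a:
        na = ipaddress.ip_network(pa, strict=True)
        for pb in space_b:
            nb = ipaddress.ip_network(pb, strict=True)
            if na.version == nb.version and na.overlaps(nb):
                hits.append((pa, pb))
    return hits


def can_peer(vnets: Dict[str, List[str]], name_a: str, name_b: str) -> bool:
    """True when the two VNets' address spaces are disjoint."""
    return not overlapping_prefixes(vnets[name_a], vnets[name_b])


def validate_gateway_transit(hub: Dict[str, object], spoke: Dict[str, object]) -> List[str]:
    """Check the gateway settings on a hub/spoke peering pair.

    Each side is a dict with hypothetical keys mirroring the portal checkboxes:
      has_gateway            - a VPN/ExpressRoute gateway exists in this VNet
      allow_gateway_transit  - "Allow gateway transit" on this VNet's peering
      use_remote_gateways    - "Use remote gateways" on this VNet's peering
    Returns the list of problems; an empty list means the pair is valid.
    """
    problems = []
    if spoke["use_remote_gateways"]:
        if not hub["allow_gateway_transit"]:
            problems.append("spoke uses remote gateways but hub does not allow gateway transit")
        if not hub["has_gateway"]:
            problems.append("spoke uses remote gateways but hub has no gateway")
        if spoke["has_gateway"]:
            problems.append("a VNet with its own gateway cannot use remote gateways")
    return problems


if __name__ == "__main__":
    for a, b in [("hub-vnet", "spoke1-vnet"), ("spoke1-vnet", "spoke2-vnet")]:
        verdict = "peerable" if can_peer(VNETS, a, b) else overlapping_prefixes(VNETS[a], VNETS[b])
        print(a, "<->", b, verdict)
    hub = {"has_gateway": True, "allow_gateway_transit": True, "use_remote_gateways": False}
    spoke = {"has_gateway": False, "allow_gateway_transit": False, "use_remote_gateways": True}
    print(validate_gateway_transit(hub, spoke) or "gateway transit OK")
```

Run the check against the full address space of both VNets before creating the peering; a later overlap surfaces only as a failed peering or an un-routable prefix.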
Point-to-Site Connection
- Route-based virtual network gateway
→ a route-based (formerly "dynamic") gateway is required, not a policy-based one
- Virtual Network
- Download and (re)install the VPN client configuration package on the client
- Route-based VPN gateway → upload the public key of a root certificate to the gateway → issue a client certificate from that root → download the VPN client configuration package
- Install the on-premises data gateway on a local machine → create the on-premises data gateway resource in Azure → use it from the app's connector
- Cases that cannot be migrated (Site Recovery limits at the time of these notes)
- BitLocker is enabled on the VM
- The OS disk is larger than 2 TB
- A data disk is larger than 4 TB
- Use a Site Recovery vault so the service is not interrupted during migration (replicate first, then fail over)
- On-premises → Azure: prepare the virtual hard disk → Azure requires a fixed-size VHD, so convert dynamically expanding disks (and VHDX files) to fixed-size VHD
Application Gateway [layer-7 proxy based on HTTP/HTTPS]
- WAF (Web Application Firewall, OWASP core rule set: protection against injection such as SQL injection and XSS)
- SSL/TLS offloading (TLS terminates at the gateway)
- SLA 99.95% (with two or more medium or larger instances)
Azure Front Door [layer-7 proxy based on HTTP/HTTPS]
- A global, scalable entry point that uses the Microsoft global edge network to create fast, secure and widely scalable web applications. (Internet-facing; it is not an internal load balancer)
- Front Door provides a range of traffic-routing methods and backend health monitoring options to suit different application needs and automatic failover scenarios.
- Lock the backends down to Front Door: refer to the AzureFrontDoor.Backend section in Azure IP Ranges and Service Tags for Front Door's IPv4 backend IP address range, or use the service tag AzureFrontDoor.Backend in your network security groups. In the app, also check the X-Azure-FDID header so traffic relayed through someone else's Front Door instance is rejected.
- Network virtual appliance: typically runs a network application; traffic is steered to it with a route table (UDR next hop type "Virtual appliance")
Virtual Network Gateway
Virtual network configuration → use VPN
Route table next hop type → Virtual network gateway
Traffic Manager [DNS-based routing; not a proxy, the client connects to the endpoint directly]
- This service allows you to distribute traffic to your public-facing applications across the global Azure regions.
- Traffic Manager also gives your public endpoints high availability and quick responsiveness (automatic failover).
- Traffic Manager uses DNS to direct client requests to the appropriate service endpoint based on a traffic-routing method.
- Traffic Manager also provides health monitoring for every endpoint.
Load Balancer [layer-4 proxy based on IP address and TCP/UDP port]
- Health probe: monitors the attached backend nodes
- Basic: TCP, HTTP probes
- Standard: TCP, HTTP, HTTPS probes
- Multi-site listeners that route different hostnames/URLs are an Application Gateway feature, not a Load Balancer feature
- With session persistence (client IP affinity), a client keeps being sent to the same VM
- ILB (internal, private frontend IP): enable Floating IP on the rule for SQL Server AlwaysOn availability group listeners
- ELB: public IP
- Rules: one load-balancing rule per frontend port (one for HTTP 80, one for HTTPS 443)
- NSG: one NSG can be associated with several NICs or subnets, but only within its own region; VMs in another region need their own NSG
- 1) To allow the Load Balancer to monitor the status of your app, you use a health probe. The health probe dynamically adds or removes VMs from the Load Balancer rotation based on their response to health checks.
2) Add the network interfaces: to distribute traffic to the VMs, a backend address pool contains the IP addresses of the virtual network interfaces (NICs) connected to the Load Balancer.
3) Add a load-balancing rule: the rule defines how inbound traffic is distributed to the VMs. Outbound rules are separate and define SNAT for outbound connections; a load-balancing rule does not mean only outbound traffic is allowed.
- Logs [queryable]: NSG flow logs (Network Watcher / Traffic Analytics)
- Performance diagnostics: capture a network trace (Network Watcher packet capture)
Azure Automation Runbook
- Alert rule [Azure Monitor] → action group [webhook / Automation runbook]
- Allows you to automatically perform standard remediations in response to VM alerts.
- Action group rate limits: email no more than 100 per hour, SMS and voice no more than one per 5 minutes
- cf. Logic App playbook; Sentinel notifications → Logic Apps Designer
Service Bus
- FIFO ordering → enable sessions
- If not read: the message is retained until it is deleted manually
- If read: deleted after 1 hour
- Consumed by a single consumer: Service Bus queue
Consumed by multiple consumers: Service Bus topic (with subscriptions)
- Authenticate and authorize access to Azure Service Bus resources:
1. Azure Active Directory (Azure AD)
2. Shared Access Signatures (SAS)
(Each Service Bus namespace and each Service Bus entity has a shared access authorization policy made up of rules)
- Enable dead lettering on message expiration: expired messages can optionally be moved to a dead-letter queue by setting the EnableDeadLetteringOnMessageExpiration property.
- Enable sessions: a receiver accepts one specific session (session-specific receive operation)
- If duplicate detection is enabled and the sender resends the same message (same MessageId within the detection window), the queue or topic discards the duplicate.
- Fully managed enterprise integration message broker. Service Bus is most commonly used to decouple applications and services from each other, and is a reliable and secure platform for asynchronous data and state transfer.
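The SAS mechanism listed under "authenticate and authorize access" above, as an added example that is not code from the notes: it builds a Service Bus SAS token the documented way (HMAC-SHA256 over the URL-encoded resource URI and the expiry) and, more usefully for a practitioner, verifies one the way a receiving service must: policy name known, not expired, issued for this resource, signature compared in constant time. The namespace, entity, policy key and expiry values are constructed; the canonicalisation of `sr` on the verifier side is an assumption of this example.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse
from typing import Dict, Optional

# Constructed demo values (hypothetical namespace, entity and key; not real credentials).
RESOURCE_URI = "https://contoso.servicebus.windows.net/orders"
POLICY_KEYS: Dict[str, str] = {"RootManageSharedAccessKey": "constructed-demo-key-not-a-real-secret"}


def generate_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Build a Service Bus SAS token.

    string-to-sign = "<url-encoded resource uri>\n<expiry unix time>"; it is
    signed with HMAC-SHA256 under the UTF-8 bytes of the policy key, and the
    signature is base64-encoded and then URL-encoded into the token.
    """
    sr = urllib.parse.quote_plus(resource_uri)
    string_to_sign = f"{sr}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(digest))
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"


def parse_sas_token(token: str) -> Dict[str, str]:
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SharedAccessSignature token")
    # parse_qsl undoes the URL encoding: sr becomes the plain URI, sig plain base64
    return dict(urllib.parse.parse_qsl(params, keep_blank_values=True))


def verify_sas_token(token: str, policy_keys: Dict[str, str], expected_resource_uri: str,
                     now: Optional[int] = None) -> bool:
    """Verify a token against the known policy keys for one entity.

    Every failure returns False rather than raising, so a malformed token
    cannot be distinguished from a bad signature by the caller's error path.
    """
    now = int(time.time()) if now is None else now
    try:
        fields = parse_sas_token(token)
        sr, sig, se, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
    except (KeyError, ValueError):
        return False
    if skn not in policy_keys:                          # unknown policy name
        return False
    if now >= se:                                       # expired ('se' is the first invalid second)
        return False
    if sr.lower() != expected_resource_uri.lower():     # token issued for a different entity
        return False
    # Assumption: the verifier re-encodes sr with quote_plus, matching the issuer above.
    string_to_sign = f"{urllib.parse.quote_plus(sr)}\n{se}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(policy_keys[skn].encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


if __name__ == "__main__":
    issued = int(time.time())
    token = generate_sas_token(RESOURCE_URI, "RootManageSharedAccessKey",
                               POLICY_KEYS["RootManageSharedAccessKey"], issued + 3600)
    print(token)
    print("valid now:", verify_sas_token(token, POLICY_KEYS, RESOURCE_URI))
    print("valid in 2h:", verify_sas_token(token, POLICY_KEYS, RESOURCE_URI, now=issued + 7200))
```

Issue tokens for the narrowest entity and the shortest lifetime the client needs; a token scoped to the namespace root with a distant `se` is effectively the policy key itself.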
Event Grid
- Event backplane that enables event-driven, reactive programming
- Publish/subscribe model
→ SAS key or token: authenticates publishers posting to a custom topic
→ Validation-code handshake: required when registering a webhook endpoint for event delivery (the endpoint must echo validationCode back as validationResponse)
Event Hubs
- Big data streaming pipeline
- Rapid data retrieval for real-time processing
- Azure Event Hubs enables you to automatically capture the streaming data in Event Hubs in an Azure Blob storage or Azure Data Lake Storage Gen1 or Gen2 account of your choice.
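The validation-code handshake from the Event Grid bullets above, as an added example rather than code from the notes: a framework-neutral webhook handler that answers the SubscriptionValidation request with the echoed code and accepts Notification batches, while rejecting anything that does not carry the shared secret in the endpoint URL. The request payloads are constructed to match Event Grid's schema; the `code` query parameter and its value are a hypothetical choice of this example (Event Grid only requires that the secret be part of the registered endpoint URL).

```python
import hmac
import json
from typing import Dict, List, Tuple

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"
# Hypothetical shared secret carried as ?code=... in the registered webhook URL.
ENDPOINT_SECRET = "constructed-endpoint-secret"

# Constructed request bodies shaped like Event Grid's, not captured from a real subscription.
VALIDATION_REQUEST = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
             "/providers/Microsoft.EventGrid/topics/orders",
    "subject": "",
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
             "validationUrl": "https://rp-eastus2.eventgrid.azure.net:553/eventsubscriptions/sub1/validate?id=constructed"},
    "eventType": VALIDATION_EVENT_TYPE,
    "eventTime": "2024-01-25T22:12:19.4556811Z",
    "metadataVersion": "1", "dataVersion": "1",
}])
NOTIFICATION_REQUEST = json.dumps([{
    "id": "9b1f0b9e-3d0c-4c2a-9e1c-6d5f8a2b7c11",
    "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
             "/providers/Microsoft.EventGrid/topics/orders",
    "subject": "orders/1001",
    "data": {"orderId": 1001, "amount": 42.0},
    "eventType": "Contoso.Orders.Created",
    "eventTime": "2024-01-25T22:15:00.0000000Z",
    "metadataVersion": "1", "dataVersion": "1",
}])


def handle_event_grid_request(method: str, query: Dict[str, str], headers: Dict[str, str],
                              body: str, sink: List[dict]) -> Tuple[int, dict]:
    """Return (HTTP status, JSON response) for one inbound Event Grid request.

    Accepted Notification events are appended to `sink` (stand-in for real processing).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    # The URL secret is the only thing proving the caller knows the registered endpoint.
    if not hmac.compare_digest(query.get("code", "").encode(), ENDPOINT_SECRET.encode()):
        return 401, {"error": "unauthorized"}
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(events, list) or not all(isinstance(e, dict) for e in events):
        return 400, {"error": "body must be a JSON array of events"}

    kind = hdrs.get("aeg-event-type")
    if kind == "SubscriptionValidation":
        for ev in events:
            if ev.get("eventType") == VALIDATION_EVENT_TYPE:
                code = ev.get("data", {}).get("validationCode")
                if isinstance(code, str) and code:
                    # Echo the code; Event Grid completes the subscription only on this reply.
                    return 200, {"validationResponse": code}
        return 400, {"error": "validation request without validationCode"}
    if kind == "Notification":
        sink.extend(events)
        return 200, {"accepted": len(events)}
    return 400, {"error": f"unexpected aeg-event-type {kind!r}"}


if __name__ == "__main__":
    received: List[dict] = []
    print(handle_event_grid_request("POST", {"code": ENDPOINT_SECRET},
                                    {"aeg-event-type": "SubscriptionValidation"}, VALIDATION_REQUEST, received))
    print(handle_event_grid_request("POST", {"code": ENDPOINT_SECRET},
                                    {"aeg-event-type": "Notification"}, NOTIFICATION_REQUEST, received))
    print(handle_event_grid_request("POST", {"code": "guess"},
                                    {"aeg-event-type": "Notification"}, NOTIFICATION_REQUEST, received))
    print("processed events:", len(received))
```

The handler must respond within Event Grid's validation timeout (30 seconds), so do not put slow work ahead of the validation branch; for endpoints that cannot answer synchronously, Event Grid also offers a manual handshake through a GET on the validationUrl it supplies.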
Virtual Machine Scale Sets
- Scale out when one or more autoscale conditions are met
- Consistent machine performance across identical VMs
- Modify the extensionProfile section of the Azure Resource Manager template → create a new VM scale set in the Azure portal.
Run sysprep.exe on the VM → from the Azure CLI, deallocate and generalize the VM and capture an image → create the VM scale set from that image
- Create the VM scale set → deploy the application with automatic horizontal scaling → custom autoscale implementation
- With Azure Monitor, you can autoscale by custom metric for Virtual Machine Scale Sets.
- When an Azure data center fails
- Managed disks
- Availability Set (within a single data center / availability zone): 99.95%
→ at least 2 VMs in the set (the SLA requires two or more instances)
→ same region, same resource group
- Availability Zone: 99.99% (two or more VMs spread across two or more zones)
- Across different VMs.
- Maintain application performance across different VMs
Recovery Services Vault
- Same region as the protected VMs
- On-premises Site Recovery: download the ASR Provider installation file → vault registration key
- Disaster Recovery → Replication settings → select the RSV as the Recovery Services vault
- Recovery Services vault, replication policy, Hyper-V site
- Same region
- Single Azure VM: enable backup from the VM's settings
- Multiple Azure VMs: from the Recovery Services vault, configure Backup
- Backup pre-check status
→ if warning: the VM does not have the latest version of the VM agent (WaAppAgent.exe) installed
- Backup policy management
→ customers can manage backup policies and model them to meet their changing requirements, including deletion.
Azure Functions / WebJobs
- .NET Core
- Automatically invoke a function whenever new data arrives in the queue (queue trigger).
- Process a queue item
- Manage all components from the same DevOps environment
- No code (Logic Apps)
- e.g. timer-based (time elapsed) trigger → runs at least once
e.g. settings configured in the Azure portal
- WebJob types
→ Continuous: runs on all instances the web app runs on; optionally restrict the WebJob to a single instance
→ Triggered: runs on a single instance
→ Debugging: remote debugging is supported only for continuous WebJobs
- Triggered WebJob
: trigger / CRON expression
: e.g. Event Grid trigger: a condition → action
- WebJobs vs. Functions
Code deployed as a WebJob can be developed and maintained together with the code of the associated web site. A web site that includes WebJobs can easily be packaged, deployed and managed together as a single solution. Azure Functions, on the other hand, is separate from App Service and must be managed separately.
- Container image
App Service plan: Linux (Docker) plan
- app name ~
- az webapp create
- az webapp config hostname add
- az webapp config container set
- FROM ~
- WORKDIR
- kubectl apply -f app1.yaml
Virtual Network Service Endpoint
- Secure, direct connectivity to an Azure service over an optimized route on the Azure backbone network [traffic from the VNet to the service stays on the Azure backbone]
- Web traffic arrives at the appropriate server: path-based routing and WebSockets (Application Gateway)
- Replicate [additional objects]: Hyper-V site, Azure Recovery Services vault, replication policy
- Collect errors: Monitoring & data collection settings for the Log Analytics workspace
- Endpoint status enabled: Always
- A new version of the application is updated → deployed without causing application downtime: managed disks, autoscale [VM Scale Set, rolling upgrade]
- Public access to all VMs → standalone VMs that have a public IP address.
- Number of subnets → download the usage report.
- Convert a generation 1 VM → from VHDX to VHD → from a dynamically expanding disk to fixed size [upload with Add-AzVhd]
- Appropriately sized VM (assessment)
1) From the Azure portal, create an Azure Migrate project
2) Download the OVA file
3) From VM1, deploy the OVF template
4) Connect to the collector VM and run the Azure Migrate collector
5) From the Azure portal, create an Azure Migrate assessment
- On-premises VM to Azure
1) ASR V1 blade in the Azure portal, select a protection goal
2) From VM1, download the OVF file
3) From VM1, deploy a VM
4) From VM1, register the configuration server
- Generation 1 VM → convert the disk to (fixed-size) VHD with Convert-VHD → upload it with Add-AzureRmVhd
- IoT solution using Azure Time Series Insights → all data for the current year must be available → reference data set / optimize query performance: use reference data
- DNS port: 53
SMB port: 445
- Connect synchronization: Domain Users
- Default sign-in tenant → from the Azure portal, switch the directory
- Azure Confidential Computing: protects data while it is in use (while code processes it), using hardware-based trusted execution environments
2. Implementing and managing a data platform
- General purpose v2 (GPv2): file shares
→ You cannot create Azure file shares from Blob storage accounts or premium general purpose (GPv1 or GPv2) storage accounts. Standard Azure file shares must be created in standard general purpose accounts only, and premium Azure file shares must be created in FileStorage storage accounts only. Premium general purpose (GPv1 and GPv2) storage accounts are for premium page blobs only.
- LRS: 3 copies within one data center [protects against hardware failure]
- GRS: 6 copies → Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region.
→ Geo-redundant storage (GRS) adds redundancy over LRS or ZRS. Along with the three copies of your data stored within a single region, a further three copies are stored in the paired Azure region. So with GRS you get all the features of LRS within your primary region plus a second LRS copy in the paired Azure region.
- LRS, ZRS, GRS: redundancy is a property of the storage account; LRS/ZRS replicate within the primary region, GRS additionally to the paired region
- Migrate (Site Recovery for Hyper-V): generation 1 VM OS disk up to 2048 GB, generation 2 VM OS disk up to 300 GB
- Blob storage: Azure Blob Storage is designed for specific needs → backups, Blueprint artifacts, Key Vault-protected data
cf. Page blobs are optimized for random writes within the blob → they back unmanaged disks.
→ video, random read/write, data accessible from anywhere
Protection: Advanced Threat Protection for Storage → generates ATP alerts
- File storage: Azure Files can be used with standard file types such as *.docx, *.png and *.bak (SMB share).
Azure SQL Database
- A fully managed platform as a service (PaaS) database engine that handles most of the database management functions such as upgrading, patching, backups and monitoring without user involvement.
- Azure SQL Database always runs on the latest stable version of the SQL Server database engine and a patched OS, with 99.99% availability.
- Transparent Data Encryption (TDE): encrypts data at rest only. Data in transit is protected by TLS and data in use by Always Encrypted; when a requirement says at rest, in transit and in use must all be encrypted, TDE alone does not satisfy it.
Azure Storage Account
- Backup of the storage account [automate the backup of the databases: SQL Server on an Azure VM, Automated Backup]
→ Meet a recovery point objective (RPO) of 15 minutes.
→ Retain the backups for 30 days.
→ Encrypt the backups at rest.
An Azure storage account is used for storing Automated Backup files in blob storage. A container is created at this location to store all backup files. The backup file naming convention includes the date, time and database GUID.
Azure Cosmos DB APIs
- SQL (Core) API: JSON documents; server-side stored procedures run as ACID transactions, isolated from other executing code
- Gremlin (graph): JSON
- MongoDB API: BSON (up to three throughput-provisioned collections per subscription)
- Cassandra API: CQL
- Allow traffic to the private endpoints of a storage account.
- The database management system and the client are under the same ownership.
- Transactions are available and the lock duration can be controlled.
- e.g. the app must guarantee transactional consistency for changes across several different sharding key values: elastic database transactions with horizontal partitioning.
Azure File Sync
Centralize your organization's file shares in Azure Files
→ while keeping the flexibility, performance and compatibility of an on-premises file server
- Install the Azure File Sync agent on the server → register the server → create a server endpoint
- Same region: the storage account must be in the same region as the Storage Sync Service
- The databases in an elastic pool are on a single Azure SQL Database server [one logical server] → same region; note that this is not a resource-group requirement!
- e.g. an on-premises file server named Server1 that runs Windows Server 2019.
→ manage Server1 by using Windows Admin Center.
→ if Server1 fails, you can recover the data from Azure.
→→ create an Azure Storage Sync Service and configure Azure File Sync.
Azure Import/Export
- Targets: Azure Blob storage, Azure Files
- Attach an external disk to Server1 and run WAImportExport.exe
- In the Azure portal, create an import job
- Detach the external disk / ship the disks to an Azure data center
- From the Azure portal, update the import job with the shipping details
Azure Disk Encryption
- Virtual machine generation
- Recovery Services vault (same region as the VM)
- Premium and Standard VM tiers support Azure Disk Encryption, Basic does not. → Disk Encryption requires managed disks.
Azure SQL Managed Instance
- Azure SQL Database vs. Azure SQL Managed Instance (closest to an on-premises SQL Server instance)
- Higher compute, memory, I/O and storage limits
- Control over the hardware generation
- Pricing discounts: Azure Hybrid Benefit (AHB), reserved instances (RI)
- Unmanaged standard storage for the hard disks of the VMs.
- SQL Server Data Files in Microsoft Azure: native support for SQL Server database files stored as Azure blobs.
- Storage threat detection is available for Blob storage.
- Send all backup data to Azure Blob storage for long-term archival (30 TB)
→ All backup data must be sent within seven days
→ Back up the data to local disks and use the Azure Import/Export service [for large amounts of data] to send the backups to Azure Blob storage.
- Query editor: configure the firewall and virtual network settings of the SQL server first (the client IP must be allowed).
3. Management and security solutions
Privileged Identity Management (PIM)
- manage, control and monitor privileged access; access reviews
- Provision certificates automatically from an external CA.
- Obtain the root CA certificate → generate certificate signing requests (CSRs)
SSPR (Self-Service Password Reset)
- phone call
- SMS (short message service)
- security questions
- Authenticator app
- Conditional Access policy that requires all users to use MFA when they access the Azure portal → Assignments: users and groups, cloud apps; Access controls: Grant (require multi-factor authentication)
MFA
- App passwords
- SMS
- Authenticator app
- Trusted IPs → available for a managed or federated tenant.
- e.g. another company (usage model set to Per Authentication) → create a new MFA provider with a backup from the current MFA provider data (reactivate the existing server with activation credentials from the new provider).
- RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. RBAC can be used to assign duties within a team and grant only the amount of access needed (least privilege). Scopes form a hierarchy: management group → subscription → resource group → resource, and an assignment is inherited downward.
- Azure Policy focuses on resource properties during deployment and for already existing resources.
Resource Manager Template
- Custom role definition properties: Name, Id, IsCustom, Description, Actions, NotActions, AssignableScopes
- A VM depends on the storage account and the network interface
- A network interface depends on the public IP address and the virtual network
- Move existing resources to another resource group
→ Move-AzureRmResource cmdlet
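How the custom role definition fields listed above combine at evaluation time, as an added example that is not from the notes: a small evaluator that applies Azure's rule (effective permissions of a role = Actions minus NotActions, unioned across every assignment whose scope covers the resource, with a deny assignment overriding everything). The point it makes for a reviewer of custom roles is that NotActions is an exclusion from that role only, not a deny: a second, broader assignment brings the excluded action back. The subscription ID, role names and assignments are constructed; `deny_actions` is a simplification (real deny assignments also carry a principal and a scope) and `check_assignment` is a helper of this example, not an Azure API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)
    assignable_scopes: List[str] = field(default_factory=lambda: ["/"])


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard: '*' matches any run of characters, '/' included; case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(parent: str, child: str) -> bool:
    """True when `parent` is `child` or one of its ancestors in the
    management group / subscription / resource group / resource hierarchy."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return p == "" or c == p or c.startswith(p + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Effective permissions of a single role: Actions minus NotActions."""
    allowed = any(action_matches(a, action) for a in role.actions)
    excluded = any(action_matches(n, action) for n in role.not_actions)
    return allowed and not excluded


def is_allowed(principal: str, action: str, resource_id: str,
               roles: Dict[str, RoleDefinition], assignments: Iterable[RoleAssignment],
               deny_actions: Iterable[str] = ()) -> bool:
    """Union over all matching assignments; a deny assignment wins over any allow.
    (Simplified: real deny assignments are also scoped to a principal and a scope.)"""
    if any(action_matches(d, action) for d in deny_actions):
        return False
    return any(
        a.principal == principal
        and scope_covers(a.scope, resource_id)
        and role_permits(roles[a.role], action)
        for a in assignments
    )


def check_assignment(assignment: RoleAssignment, roles: Dict[str, RoleDefinition]) -> bool:
    """A custom role may only be assigned at a scope inside its AssignableScopes."""
    return any(scope_covers(s, assignment.scope) for s in roles[assignment.role].assignable_scopes)


# Constructed sample tenant (hypothetical subscription ID, roles and principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB + "/resourceGroups/rg1"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB + "/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2"

ROLES: Dict[str, RoleDefinition] = {
    # Built-in Contributor: everything except managing access.
    "Contributor": RoleDefinition("Contributor", ["*"], [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action"]),
    # Custom role: operate VMs but never delete them.
    "VM Operator": RoleDefinition("VM Operator", ["Microsoft.Compute/virtualMachines/*"],
                                  ["Microsoft.Compute/virtualMachines/delete"], [SUB]),
}
ASSIGNMENTS = [RoleAssignment("alice", "VM Operator", RG1)]

if __name__ == "__main__":
    print("start vm1:", is_allowed("alice", "Microsoft.Compute/virtualMachines/start/action", VM1, ROLES, ASSIGNMENTS))
    print("delete vm1:", is_allowed("alice", "Microsoft.Compute/virtualMachines/delete", VM1, ROLES, ASSIGNMENTS))
    broader = ASSIGNMENTS + [RoleAssignment("alice", "Contributor", SUB)]
    print("delete vm1 with Contributor at subscription:",
          is_allowed("alice", "Microsoft.Compute/virtualMachines/delete", VM1, ROLES, broader))
```

When reviewing a custom role, read NotActions as "what this role does not grant", then list every other assignment the same principal holds at the subscription or management-group level before concluding an action is blocked.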
Azure Blueprints
- The service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments and ARM template deployments.
- To mount an Azure file share (for example to copy blueprint files), use the storage account (primary) key; SAS tokens are not currently supported for mounting.
Enterprise State Roaming
- Enabled for users in the same group
- Azure AD Premium or Enterprise Mobility + Security license
- Unified experience across Windows devices and Azure AD.
- Reduces the time needed to configure a new device.
Integration solution [on-premises AD / Azure AD]
Azure AD Seamless SSO automatically signs users in when they are on their corporate devices connected to your corporate network. This feature gives your users easy access to your cloud-based applications without needing any additional on-premises components. [Does not apply to federation (AD FS)]
- Staging mode: import yes / export no
→ the active server performs import, synchronization and export (including password writeback)
- Without password writeback, users cannot reset their on-premises password through self-service reset
Seamless SSO works with either method of cloud authentication, Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure AD Connect.
- Pass-through authentication: the on-premises passwords are never stored in the cloud in any form.
Gradual rollout of Seamless SSO → add the Azure AD URL https://autologon.microsoftazuread-sso.com to all or selected users' intranet zone settings by using Group Policy in AD.
- Synchronization rules
Azure AD Connect
- Setup needs AD (Enterprise Admins) and Azure AD (Global Administrator) credentials
- Needs a domain controller reachable from the sync server
Azure AD Domain Services
- Managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP) and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage and patch domain controllers (DCs) in the cloud.
- Add a custom domain → add the verification record (TXT or MX) to the public contoso.com DNS zone → verify the domain
Implementing AD in Azure
- Extend AD: run AD DS (Active Directory Domain Services) on an Azure VM as a domain controller [requires a site-to-site connection]
- VPN connectivity
Azure AD joined devices
- Deploy a YAML app manifest file for a container
- Users resetting their password receive an email notifying them that their password was reset
- Primary Refresh Token (not issued automatically)
- It is not possible to change the partition key of a Cosmos DB container → create a new container (or account) with the desired key and migrate the data.
Secure the data used by VMs
- Boot and data volumes → Azure Disk Encryption
- Data written to Azure Storage → Azure Storage Service Encryption
- Encryption keys and secrets → Azure Key Vault
- Database (TDE protector, Always Encrypted keys) → Azure Key Vault
- Development (application secrets) → Azure Key Vault
- Security (access to Key Vault and other services without stored credentials) → Azure Managed Identity
- Inbound and outbound security rules (NSG)
- Cost analysis blade → filter by tag
- Download the usage report.
- You can opt in and configure additional recipients to receive your Azure invoice by email
- Bastion: RDP (3389) / SSH (22) through the portal over TLS, no public IP on the VM
- contoso.local → contoso.com (Azure AD Connect): sync account [synchronization rule, UPN suffix]
- Verification code → only from the on-premises network
- Get-AzureRmRoleDefinition -Name "Reader" | ConvertTo-Json
4. App solutions
App Service plan tiers (instance scale-out)
- Basic: up to 3 instances
- S1 [Standard]: scalable up to 10 instances
- P1v2 [Premium v2]: scalable up to 20 instances
TLS (Transport Layer Security) [Web App]
- Client certificate: forwarded to the app in the X-ARR-ClientCert HTTP request header
- Encoding: Base64 (DER certificate)
App Service Plan
- In App Service (Web Apps, API Apps or Mobile Apps), an app always runs in an App Service plan. e.g. back up the Function App
- App Service endpoint
- App Service API
→ the service extracts the data: modify the API to use a queue.
→ scale and handle requests: move the extraction logic into an Azure Function (queue-triggered function)
- Back up App Service: plan → the Backup and Restore feature requires the App Service plan to be in the Standard, Premium or Isolated tier.
→ enable the Always On feature
- Standard App Service: enable autoscaling → add a scale rule → configure a scale condition
Service Fabric
- Simplify microservices development and application lifecycle management
- Reliably scale and orchestrate containers and microservices
→ Create a Service Fabric cluster with a stateless Reliable Service for the routing service
→ Create stateful Reliable Services for all other components
- App package
1) AppPackage.zip
2) Upload the app package to an external store
3) Register the app package in the Azure subscription
4) Repackage the application in a file named App.sfpkg
Deployment slots
- Exposed via the available slot
- Different environments
- Easy fallback (swap back)
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region.
You cannot change an App Service plan's region.
Cognitive Services / Bot Framework
- Automatically detect and flag potentially offensive content → Computer Vision API
- Bot Framework REST API → conversation operations to send the user's voice
- Speech API → to recognize intent
- Create intents in the LUIS (Language Understanding Intelligent Service) app that correspond to the knowledge bases → train the LUIS application → publish the LUIS application → configure the bot app to link LUIS intents to the knowledge bases.
=> improvement: web chat channel and speech priming using a Bing Speech service and the LUIS app.
- Using Visual Studio: Durable Functions
Use a collection of ready-made actions: Logic Apps
Deploy the component by using Visual Studio Team Services: Durable Functions
- QnA Maker: management service (add, update and train) → runtime (Application Insights resource for analytics)
- API errors → implement exponential backoff by using the EnableRetryOnFailure feature of Entity Framework (retry only transient failures, with a capped delay and a bounded number of attempts)
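The exponential-backoff behaviour the last bullet asks for, written out as an added example rather than code from the notes or from Entity Framework: capped "full jitter" delays, a bounded attempt count, and retries only for exception types declared transient, so a bug or an authorization failure surfaces on the first call instead of being retried five times. `TransientError` and `flaky` are constructed stand-ins for a real transient failure (SQL error 40613, HTTP 429/503) and a real operation; the injectable `sleep` and `rng` exist so the schedule can be checked without waiting.

```python
import random
import time
from typing import Callable, Tuple, Type, TypeVar

T = TypeVar("T")


class TransientError(Exception):
    """Constructed stand-in for a transient failure (throttling, failover, timeout)."""


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """'Full jitter' exponential backoff: uniform(0, min(cap, base * 2**attempt)).

    The cap bounds the worst-case wait; the jitter spreads retries from many
    clients so they do not hit the recovering service in lock-step.
    """
    return rng() * min(cap, base * (2 ** attempt))


def retry(operation: Callable[[], T], *,
          retry_on: Tuple[Type[BaseException], ...] = (TransientError,),
          attempts: int = 5, base: float = 0.5, cap: float = 30.0,
          sleep: Callable[[float], None] = time.sleep,
          rng: Callable[[], float] = random.random) -> T:
    """Run `operation`, retrying only the exception types in `retry_on`.

    Any other exception propagates immediately (retrying it would only hide a
    bug or a permanent denial); after `attempts` transient failures the last
    one is re-raised so the caller sees the real cause.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    for attempt in range(attempts):
        try:
            return operation()
        except retry_on:
            if attempt == attempts - 1:
                raise
            sleep(backoff_delay(attempt, base, cap, rng))
    raise AssertionError("unreachable")


def flaky(fail_times: int) -> Callable[[], str]:
    """Constructed operation: raises TransientError `fail_times` times, then succeeds."""
    calls = {"n": 0}

    def op() -> str:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TransientError(f"attempt {calls['n']} failed")
        return f"ok after {calls['n']} calls"

    return op


if __name__ == "__main__":
    waited = []
    print(retry(flaky(2), sleep=waited.append))      # succeeds on the third call
    print("slept for:", [round(w, 3) for w in waited])
    try:
        retry(lambda: (_ for _ in ()).throw(PermissionError("forbidden")))
    except PermissionError as exc:
        print("not retried:", exc)                   # non-transient errors fail fast
```

Only make an operation retryable if it is idempotent or carries an idempotency key; a retried non-idempotent write (a second order, a second payment) is the failure mode this pattern introduces when applied blindly.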