AZ-104 Notes

Azure VNET

Creating VNET's

When creating VNET's, you need:

  • Subscription ID

  • Resource Group

  • Virtual Newtork name

  • Prefix Address

When creating Virtual Subnets, you need:

  • Subscription ID

  • Resource Group

  • Virtual Network name

  • Subnet name

  • Prefix Addresses

If creating your subnet in the same sequence as your vnet:

  • subscription id

  • resource group

  • name (of your vnet)

  • address-prefix (for your vnet)

  • subnet-name

  • subnet-prefix

  • location of your vnet

az network vnet create \
    --resource-group learn-87aef787-e166-4b23-8514-58f8467dd7d6 \
    --name ResearchVNet \
    --address-prefix \
    --subnet-name Data \
    --subnet-prefix \
    --location westeurope

VNet Peering

az network vnet peering create \
    --name ResearchVNet-To-MarketingVNet \
    --remote-vnet MarketingVNet \
    --resource-group learn-87aef787-e166-4b23-8514-58f8467dd7d6 \
    --vnet-name ResearchVNet \
az network vnet peering list \
    --resource-group learn-87aef787-e166-4b23-8514-58f8467dd7d6 \
    --vnet-name MarketingVNet \
    --output table

Discover IP's for items in a resource group:

az vm list \
    --resource-group $rg \
    --query "[*].{Name:name, PrivateIP:privateIps, PublicIP:publicIps}" \
    --show-details \
    --output table

Name PrivateIP PublicIP

AppServer DataServer

Control access to Azure Storage with shared access signatures

Authorization options for Azure Storage

Public access

Azure Blobs / Containers

There are two separate settings that affect public access:

The Storage Account. Configure the storage account to allow public access by setting the AllowBlobPublicAccess property. When set to true, Blob data is available for public access only if the container's public access setting is also set.

The Container. You can enable anonymous access only if anonymous access has been allowed for the storage account. A container has two possible settings public access: Public read access for blobs, or public read access for a container and its blobs. Anonymous access is controlled at the container level, not for individual blobs. This means that if you want to secure some of the files, you need to put them in a separate container that does not permit public read access.

Azure Active Directory

Use the Azure AD option to securely access Azure Storage without storing any credentials in your code. AD authorization takes a two-step approach. First, you authenticate a security principal that returns an OAuth 2.0 token if successful. This token is then passed to Azure Storage to enable authorization to the requested resource.

Use this form of authentication if you're running an app with managed identities or using security principals.

Configure Azure App Service

Secure an App Service

Logging and tracing If you enable application logging, you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didn’t expect, you can conveniently find all the details by looking in your existing application logs. If you enable failed request tracing, you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named EasyAuthModule_32/64.

Configure Azure Container Instances

Implement Container Groups

Common scenarios

Multi-container groups are useful in cases where you want to divide a single functional task into a small number of container images. These images can then be delivered by different teams and have separate resource requirements. Example usage could include:

  • A container serving a web application and a container pulling the latest content from source control.

  • An application container and a logging container. The logging container collects the logs and metrics output by the main application and writes them to long-term storage.

  • An application container and a monitoring container. The monitoring container periodically makes a request to the application to ensure that it's running and responding correctly, and raises an alert if it's not.

  • A front-end container and a back-end container. The front end might serve a web application, with the back end running a service to retrieve data.

Review the Docker Platform

Useful Docker terminology

You should be familiar with the following key terms before using Docker and Container Instances to create, build, and test containers:

  • Container. Container is an instance of a Docker image. It represents the execution of a single application, process, or service. It consists of the contents of a Docker image, an execution environment, and a standard set of instructions. When scaling a service, you create multiple instances of a container from the same image. Or a batch job can create multiple containers from the same image, passing different parameters to each instance.

  • Container image. Container image refers to a package with all the dependencies and information required to create a container. The dependencies include frameworks and the deployment and execution configuration that a container runtime uses. Usually, an image derives from multiple base images that are layers stacked on top of each other to form the container's file system. An image is immutable once it has been created.

  • Build. Build refers to the action of building a container image based on the information and context provided by the Dockerfile. The build also includes any other files that are needed. You build images by using the Docker docker build command.

  • Pull. Pull refers to the process of downloading a container image from a container registry.

  • Push. Push refers to the process of uploading a container image to a container registry.

  • Dockerfile. Dockerfile refers to a text file that contains instructions on how to build a Docker image. The Dockerfile is like a batch script. The first line identifies the base image. The rest of the file includes the build actions.

Manage Virtual Machines with the Azure CLI

Creating VM's

  • Resource Group

  • Name

  • Location

  • vnet-name

  • subnet

  • image

  • admin username

  • admin password

az vm create \
    --resource-group learn-87aef787-e166-4b23-8514-58f8467dd7d6 \
    --no-wait \
    --name ResearchVM \
    --location westeurope \
    --vnet-name ResearchVNet \
    --subnet Data \
    --image UbuntuLTS \
    --admin-username azureuser \
    --admin-password <password>