certification, again i made a simple link to get you to about this exam. we're not gonna spend as much time as we used to in the past. i used to spend 20 minutes talking about exam stuff. it's all on aka.ms/70-533. that second link i will probably update that. that is the last ignite. a lot of things have changed, that's why i said this has been updated. particularly, we're now more in the arm mode, right, versus asm. and hopefully you know what that is, if not, you will when i'm done.
and the shortcuts in the is op guys, we talked about. i think i can use this thing, right? q and a, quite honestly i don't see a mike and b, i don't have time for it. my idea here is to tell you what you need to know, if you have questions afterward please come up and i'll be glad to help you out. i like that better. so there is a road map to, i didn't put the short, i think put the shortcut in the other.
i made a shortcut for ak.ms/azure/mcsa is what this is. so if you have both good infrastructure skills, architecture, and developer and take all three of these exams, you actually will get an mcp, mcsa on azure. so that's pretty cool it came out last year. study resources. this deck is about, in my opinion, because i worked hard at it, is to give you pretty much everything you need. at the end of each section,
i've tried to highlight three to five things. again if i can get you three to five questions, that's usually about the point where most people miss exams. about three or five questions. you really wanna get your hands on. so this morning i even went in, i updated some things i hadn't dabbled with before. media services i don't do. actually i think i did it in the architecture one.
i don't do media services. but now that it's in the new portal, you click on it and you can see everything in there. look at all the options, click around. you don't have to be uber deep in these things but you need to know what the heck it is, why would i care about using it and what are the options that i can configure? if you get that much you're probably 90% there if not more. this exam is gonna dive into azure command line.
if you're like me i'm a big powershell person, my new customer, they hate powershell. they do everything azure command line, i guess that's what i'm doing now. azure command line. so install it, when you install the sdk is in everything else, get your hands in there. there is an exam reference guide wishing by that has a 20% discount here but here is my tips, i, this is a new slide i made this week,
actually this morning i've been wanting to do this for a long time. i always give this spiel about how to prepare and get ready for an exam. so do i buy a book or not? in my opinion, everything that you need is out there on azure.com. i've always said this back to nt 4.0, it's on technet. what are these books doing? they're taking it, they're just redigesting it, right. it's all out there.
so, if you want to buy a book on like the paper. i get that, i scribble and highlight all over the place, too. but it's all out there on the web. and of course now, if you got a nice surface tab and everything, you can put it in onenote and copy and paste that stuff. so, the caveat emptor about that, that i want to warn you about, caveat emptor, buyer beware about going to azure.com are these three things here. so let me highlight this.
anything that is not the exam objectives, you don't care about, so that link takes you there. that's the aka.ms/70-533. you don't wanna fall into that stuff. also anything that says preview. real good chance that's not gonna be on the exam, right? preview or just can what? ga. it's gonna take a few months to hit the exam.
or they're always evaluating updating. but anything's preview you wanna do that. or on asm so let me give you that overview really quick if you don't know. when azure first came out it was called azure service manager and that was based on xml. now when you go in the new portal and it says, you have resource manager or classic, classic means asm, resource manager means arm or azure resource manager which means
everything's based on a json template. anything and everything you make now, if you haven't seen this you can export that template out, reuse it, tweak it. whenever you say new something, there's always a template with that too. so that's when the directive they had made in the last six months and then they did the summer. where there's more stuff on it.
okay. here's another tip, when doing a prep exam, so they've got the exams across the street. across the street. rather you can take and walk through. here's my strategy, it may work for you and it may not, but here's what i do. i pick a category that i think i'm weak in, like maybe paas. and i pick the paas section.
i go, give me all the questions. i just jack up the number 120, it'll give me 50 questions. and i click end. i click end and then i go through and i read why the answers were right and why the wrong answers were wrong. and that's what i study. that is exactly what i study. now, here's a little bonus to you in this deck. so it's nothing that i'm stealing that's confidential to them but
i actually went through and grabbed their links in those practice exams and i have them here. so you can just hit those links on my deck, right. i'd say, most of those links are on the deck on my website, but i'll try to get this one uploaded at the end of today for you. i'll put it on my blog. >> okay. other things. so, to get you hands on.
if you don't have access, get a free trial account. super easy. guess what, aka.ms/azure/free, it's my shortcut for there. also you can do the hands on workshops. at the end of this deck, i listed out every azure hands on workshop you can do. there's a bunch. microsoft virtual academy. a lot of us have been to we've done recordings.
a whole bunch of architects went out there about a year ago and they did little sessions. and the other thing i'll warn you about that. they were done a year ago. we know what a year ago means in azure. it's probably old. so some of it's pretty good but you just gotta be careful. make sure you're in the arm world. next tip, when you take an exam, you cannot walk in with anything, but
they give you a blank piece of paper, and before you click that start button you can do a brain dump and put all your little stupid mnemonics and tricks. all people seem to know data processing. you all remember that one, right? osi model there's got an open network exam. binary charts, yes. i'm gonna quiz you on binary. i'll teach you how to do binary and five fingers.
okay, yeah, there's a chance you'll see some binary, believe it or not. so what you do is, when you're studying you make this little cheat sheet at home and you kind of learn it, memorize it. and then right before you click start, you jot down those little things that will help you remember, little stupid tricks, okay? all right, so let's go through it. watch my time here. so these are categorically the sections that we'll be looking at.
web apps, and everything's about one-fifth. virtual machines, cloud services, storage, azure active directory, virtual networks. and web apps if you didn't know, hadn't heard, used to be websites. that's the new name. a little bit of everything. our resource groups. and we talk about arm and azure resource manager. first thing you got to have is a resource group, all right?
this is how we organize things. i always use the example with my customers now when you have a resource group for those of you who are old school active directory like myself we have organizational units. what do i use organizational units for? delegation and group policy. well we don't have group policies in azure. what we can delegate. we have built in roles.
this is one thing i was thinking about and i don't know how change in new exam but i can see this is a type of question. if i'm a network admin and you want to give least amount of privileges for someone that control the resources. i'd think you'd want to use that built-in role for network resources. so little tip, when you're in the portal and you're looking at a thing, go to. now here's the, i got to talk to the resource people, i got to talk to the product group on this.
have you noticed this, well, depending where you're at, the roles are different. some places it's called user, some it's called iam, some actually still have the little head icon if you go to subscriptions. they used to be there everywhere, and now it's not. they're not talking to each other. i'm gonna smack them over the head over there if you're listening. [laugh] but my point is, if you go to that thing like web apps, look and see if there is a web app role.
right, there probably is. you should also know that if that role doesn't work for you. for example, my current customer, they're doing devtest labs. really cool stuff. devtest labs there is no custom role. i take it back. there's a couple custom roles, but it only works if someone else already made the devtest lab. my customer wanted a role to make devtest lab from scratch.
so we went in with azure cli, or powershell, or rest api by the way everything ends up with rest api, and we are able to make a custom role. resource groups can span so if you've got stuff in there in the resource group, you put azure resources, it can span the regions. nesting is not supported. i've brought this up just a real world tip for those of you that are azure advisors.
there is a resource group section in there. and i posted a post in there just last week. i want to be able to nest resource groups, but you cannot do that right now, so you need to know that for the exam. cannot do that yet, but. i haven't got any word. [laugh] if you tell them, the more people we get to scream and shout. i went to a 5000 user group in microsoft and i go, let them know because large global companies want this to
distribute out their control of art knack. i think it's very profitable, so let them know. that's your job. they'll listen to you before they'll listen to me the more customers say. i'm always have this pushed out through arm templates, repeatable, consistent patterns. they're json. json is javascript object notation. it's pretty human readable. and, of course i have shortcut for everything you wanna know,
aka.ms/azure/farm. implementing web apps. so, these are kind of the things you need to know. and notice, i actually highlighted from the portal there the different types of support we have for .net, php, nodejs, python, java, and of course the marketplace app. and i got a website for that. that was, that was the beach. beach picture there.
so, the plain web apps. i actually added this because, i think it is something that you probably wanna take a look at. there are web apps, and then there's apps service. and i don't know if i have this picture in this one or the next session, but when you look at app services, there are different things you can do within it. they usually show this little box. you can do logic apps, web apps, api, functions, right?
all those things are part of the app services. but then there's web apps, but then you can't do that without the service. and then, there's a larger container which gives you kind of your own private instance called ase, applications service environment. so you should know about the differences, particularly when you go from app services to app service environment. it's a pretty big paradigm shift in the fact that, the big difference is if you do an app services, you are in a pure multi-tenant world, right?
you're in with everyone else sharing these resources. when you go app services, this is why it takes two to three hours. it puts it in your own vnet, which real world that's a good thing, right? it's probably what you wanna do. so take a look at that. they all run on managed vms. of course, most this stuff is all on managed vms. and this is really kind of a more architectural point, but
knowing the difference between app services versus service fabric, about how they run on managed vms, there's some differences there. we'll talk about in the next session. pricing tiers, you should know those. there's four tiers. and this is the first time i did azure. this kinda confused me because, if you're in a vm, you'll have two tiers. well, those are pricing tiers for the vms.
but if you're in web apps, you have different types of tiers. it's not based on a vm, it's based on this paas service. so free, shared, standard, basic. generally, all the goodness that you get with things, is standard. so generally, if they're saying what level do you need to be, standard's kind of a good guess cuz it gets you lots of things like availability sets that we'll talk about, load balancing, things like that. no slots. so, there are these things called deployment slots.
anyone dealt with deployment slots, seen those, know what they are? some really cool stuff. you could have a deployment slot for dev test, right? and then when it's ready, you actually swap the slot and make that dev environment go into production. so if i have a basic, i cannot do that. so, i gotta move up to, i think i actually did standard on that. okay? and that's actually showing.
so, and i did try to do pictures of the new portal, so you actually see when i go to basic, there's no slots. but standard, i get up to five, and premium, i get up to twenty. we get traffic manager, right? when we go from standard to premium. we get more scalability, so. i don't need to know the, i don't need to worry about dtl numbers on these things, but kinda categorically, where do i get traffic manager, where do i get slots, that sort of stuff.
okay, also when you are scaling, there's different methods that you can do by. so again, looking in the interface, so i can scale these vms by an instance count, by cpu percentage, or by schedule and performance rules. and i can change up the number of instances i want to use as well. different methods to deploy web apps. we have three different methods we're gonna look at. one is we use cloud sync.
so, my current customer is doing this, we're looking at kudu for deployment. it's a deployment engine, and then you can select different options like onedrive or dropbox as a deployment source. continuous deployment. this is really popular with web apps and app services using github, bitbucket, vsts. so it a continual process. and then,
the third option is you could actually do a local git deployment. so if i'm a developer, and i have my own workstation, i can actually do this here. on this particular one, i'm not going to read through all this, but this is a very typical exam type thing where they'll say, okay, we wanna do a local deployment. what are the steps? and put them in the right order. so, you have to drag and
drop these things in the exam, very typical type of question they do. so again, you can read through that later on. check the time. okay, so we saw that the deployment slots need standard or premium. you get staging. we talked about swapping. deployment source from the cloud folder or azure app service uses kudu. web jobs, you can upload with git or ftp.
if you do ftp, you actually put in the password in the portal to secure that. and i actually made this grid the last time. i did this internally. again, some things that are that you get, or don't get, with swapping the slots. so what i'd focus on, and that's why i kinda highlighted these things in red, so all the things that are swapped, that's nice. but what i really kinda
care about from an exam perspective are what things are not swapped. my custom domains, ssls and bindings, and scale settings. so those are some big ones to know about. configuring the general settings. we talked about the frameworks, we had that picture. that's actually an old picture, but and i had it in the first one. also, for web apps, free or shared, 32-bit basic or standard, you get 64-bits. you got diagnostics logs.
and again, all the logs and things, if you get in the interface and see it, you can see the options that you can configure in there, and how they're saved, and different types of trace logs. and there's a picture of it right there. just show you in the new portal what all you get. so another little tip. when you get this deck, and you go through it, make sure you go through in full screen. otherwise, the pictures will block a lot of the stuff that's there.
so you can see these different options for diagnostics logs. ssl, again, basic or standard mode. you have to upload your certs. if you upload your certs, it has to be in a pfx format. prior to the private key. different monitoring options again, in basic or standard. and you have https endpoints, up to three geo distributed locations, okay? this is a new slide i put in last time.
just showing, because there's a lot of exam questions that will talk about powershell. so powershell, its new. it's just verb noun. so you don't need to learn all the things, but when i tell people if there's a noun or a verb that doesn't make sense, that's what i'd focus on. otherwise, a lot of powershell stuff is pretty self-explanatory, right? you have to do something.
okay, i look for the verb, i look for the matching nouns that goes with it. but i actually have a link at the bottom that also for all the azure website, or i should say web app cmdlets as well. here's some example. if you've never dealt with azure cli, so it works a little bit differently in that with azure cli you don't have the dashes. it's pretty much just space command space noun space noun. like that.
so you can actually list them out in the app. xplat is called a cross-platform cli. that's why they call it xplat. and you get azure site -h, and you can actually get a help file in there. and again, link down there so you can look at more of those. so you should be familiar with some command line options and how command line works if you haven't. play around with it.
it's actually pretty easy. so these are just some questions i put in here. and again, i don't wanna take the time because i will fill up the time. but you can kinda test yourself later on with these questions about things to know about web apps, how to run web jobs. the connection strings i didn't highlight. it was in my kind of hidden notes. but if you're doing connection strings, if you use .net,
it uses connectionstrings. everything else will use environment variable. and we talked about the scales and the hosting plans. free, shared, and basic and standard. there's something interesting, though. it just kind of hit me. so i think i may actually stand corrected on this because we had the picture, you notice on the host plan it didn't have four. i think this, the shared is out in arm.
the four was in asm, so i think i'm gonna go with that. it's just free, basic, and standard. so, shared was in asm. i need to update that. pretty duck picture. these are the categories for implementing virtual machines, aka.ms/azure/vm. get you all kind of stuff on there. that compare link is really good.
i actually have that picture in this or the next session, i forget which one, but they have a great chart that talks about doing web apps versus cloud services versus vms. where the pro's cons. and it's really the initial discussion i have when i walk in on new customers. do i do iaas or paas, right? how much do you wanna manage? how much do you want us to manage and control, right?
and how's that scale slide as we go from iaas to paas, and everything in between? all right, so different workloads that we can do when we push this stuff out. we wanna use arm templates, all right? i got links in there. i have some sample powershell. again, just to show what some of the options are. and, again, sample azure cli, sql, sharepoint.
and it really, a good way to find out to look at options about what the workloads are, just go to marketplace, right? so if you go to marketplace, or click the little plus, here's a little, here's two free tips i bet you didn't know. how many people have been to the new portal? keep you hands up, keep your hands up, how many of you pressed b or n while doing that? put your hands down, most people do it. b is browse will open up a menu like when you add new things to your
menu, n will take you to the marketplace directly. and it actually if you pressed the question mark then you get the help bar on the right hand side and see everything in the portal, like no one knows that. so yeah. so that's a quick way to find what kind of workloads we support. so just press n when you're in the new portal and then you'll see in there, you know the different types of stuff you can add in there. so this is a chart i've had, and
again this is a hard one to keep up to date, i've got the link for this. so what do you need to know? do i want to memorize all this stuff? i don't got that much brain space but what i would say are categorically. if there's one area that i kind of want to focus on it's kind of the odd exclusions. come on, click. like right here.
so the a8 and a9s, the compute intensive. and these in particular get you the infiniband networking, right so that's a requirement. they'll give you a little scenario, blah, blah, blah, blah. we need high network capabilities so a8, a9 is going to be an option. and i actually did update a picture in here. not that one. one more. there we go. so that's what it looks like in
the new portal. and actually, even since i've done this, i did this in july in turley. now they have the f-series, right? it just keeps on changing, growing. so i don't know how they pick their letters, but they're all over the place. but the key thing from a real world and both in this exam and the next one, this is the gotcha. is a couple of times i've thrown a vm out there and it was like we're
gonna build a sql server in azure and then we want to have five disks. and i had a disk, a vm size that only supported you know, two or four disks, right? so those are kind of real world things you have to be aware of when you're doing this. is it gonna support autoscale, is it gonna support premium disk support or not? those are kind of categories, but do i wanna know all the disk sizes? i don't know. i think from the exam point,
i'm gonna make a pretty good guess on this, they're probably looking at a-series, c-series, d, e. that's primarily it, i think. they might be talking about the ds series now, but. all right, this is a new slide i did since the last ignite. how to deploy and connect to linux vm. i did not bring this up at the beginning of the session. but, tomorrow, it's pretty new. i tell people to be kind.
it's very very new compared to this one. we actually are doing lfcs. linux foundation certified system administrator. hey, i got two fists up back there. so if you take and pass this exam and you take and pass the lfcs which is outside of the whole microsoft world, that tells you how much we're invested in linux. they're bringing that here for that training. you actually will get mcsa on azure for linux.
so you have to take both of those. so this stuff i don't think would be on the lfcs exam, but i'm sure they'll cover it in here for this very reason. so i go to the portal, i add a linux machine, if you've never done linux before. it's a little bit, you know a little more trick to getting it going right. do i have the right client to make the ssh connection? do i got putty?
do i got the public key? i have to click creator site, the resource group, which i gotta do that with anything. but this was just a great picture i found somewhere on the website that really kinda breaks down. and this picture's actually not just good for this, but it's kinda breaking down whether you're looking at windows or linux. the big box. we have our resource group.
then you have your virtual network and within that you have your virtual machine. then you have your disks, which we'll talk about how those work, what you get by default versus which you have to add. do we have a public ip address or are we gonna have a private ip address? are we gonna use azure dns or are gonna have to bring your own dns? what kind of storage you count with limitations? this box, conceptually, is a lot of good stuff related to this exam.
we'll dive more into those as well. if you're gonna do this, like my current customer that loves linux, they have a lot of cli stuff, you need to know how to get azure cli up and running. well, you've gotta have the latest, greatest version. if you go to the azure site, i think they have a downloads button up there and that's where you get all the latest powershell, the latest cli. there's a command to switch the arm mode and
you have a quick test in setup. also real world tip, how many people have used azure or quick start templates? wow not many, so just do a search for azure quick start templates. there's a million templates out there and half of them have been created by the product group. so for example, one that i was very excited about for my old world, i don't think they've done it yet but they're working on it. is they're working on a template for adfs and
web application proxy deployment through an arm template. boom, in the cloud. wouldn't that be nice? so, [laugh] if they don't do it, i will but i just don't have the time and energy. but they told me, they actually wrote a white paper on it that's out there. okay? create and upload custom vhds, i get in this discussion with a lot of customers.
should we do it, or should we not? you can do it. i had a previous customer, it wasn't you guys, it was someone else way before. and it kept breaking. they were trying to upload and they had so much security and network bandwidth issues that they just couldn't get it uploaded right. so they just kinda scratched it and i said, well here's what you do. if that doesn't work, you could always make a new vm.
kill the vm, save the disk, right? and then configure your disk there and reuse that disk. that's another option. but you can upload it. you need to know these key points though if you do it. it's a good little exercise to do and try. you can make your own little box. if i'm a developer and i want to have visual studio and all my favorite tools and everything on there, i could do that right?
and actually you could do this same sort of thing in dev test labs. so you have a box with all my goodies built right into it. but in order to do this for uploading the windows server i got to sysprep it, i got to do oobe out-of-box-experience, i have to select generalized, i have to select a storage account. storage accounts have containers, little real world tip, possibly exam tip also, containers is the only thing, you still can't script with an arm template, right? [laugh] you could script the storage account, but the only way you could
do it is through a rest api, to create a container. then you upload it, you give it the source file, you put it in blob storage cuz that's where you gonna put all your vms. and then you can add that to your custom list. same thing for linux. gotta have a resource group, gotta have a storage account, gotta have the access keys. upload the vhd to container. you can use either qemu or kvm and
you have to convert it is not, in either case, it is not vhdx support. they do not support that yet. it's vhd. so, another option i've done, i have a hyper-v on my laptop, you gotta save it as a vhd format or else you have to convert it. and the same thing with linux, i have to convert it. and we can do this all with arm templates or by azure cli. time check. okay, we talked about disks.
so by default, i make a new disk machine. i get an os disk and a temp disk by default. the temp disk is really, really temporary. so you don't want to put anything on there. when you build a sql server, finding a temp disk. i'm gonna make a separate physical disk and add it to it. and actually, for the real world folks. if you ever do a sql in is. there is very very specific guidance about how to do that, and
make it work properly. if i'd log into that vm and look into disk manager. it's gonna look like a real physical disk. it just shows itself like it would in a virtual machine. the next section, configuration management, so some of the things we can do again categorically i don't have to be an expert in these. i don't have to deep dive in dsc. which if you don't know dsc, dsc came out windows server 2012. it was kind of an updated modified enhanced.
i don't want say it's changed powershell, but it's kind of related to powershell. so its desired state configuration. if you haven't seen jeffrey snover speak here, he's amazing. he's the guy who created powershell. and here's here at the conference, and he does a lot of talks. but he always says, the desired state configuration is, it avoids configuration drift. right you have a build, you want to stay and
maintain that exact same way. dsc will go, that changed okay let's put it back. right, it's gotta go back. prevents configuration drift. we also have third party tools that have been out there probably longer, and there's a lot of reuse out there for chef and puppet. so again, don't need no details for this exam. just they exist, they do the same thing that i can do with dsc, just different tool.
chef uses recipes, a lot of recipes out there to do these various things. also, in the picture here, you notice, and this is an old picture but you actually can do this in the new portal as well, you probably want to have the vm agent. to make these things happen or you have to enable chef or puppet. you have to add these vm extensions. and yay, they finally put the vm extensions in the new portal. cuz just a few months ago, that wasn't there, you had to script it.
but you can actually see all the vm extensions now for the arm deployments in the new portal. and here's another load tip for doing the exam, you know when you go into any window and a lot of times there's a little blue eye thing? you know, highlight it, and it will tell you about that thing. that's how you study for it too. i passed, believe it or not, an is exam without ever reading a book, and i just installed it, and looked at every help file, and clicked every option and that's how i learned it, right,
just seeing how it is. that's what they wonder. have you been there, done that? and if you haven't, fake it. [laugh] all right, configuring vm networking. there are a lot of things, i think in the keynote, they talked about some of these things. great networking session. lots of great networking sessions, and
there's more coming up thursday and friday. yushun wang and [inaudible], some really good stuff coming, you wanna check those out. but we can do reserved ip addresses, of course the typical rfc 1918 address is 10.0, the 172.16, 192.168. each have multiple subnets, the smallest port subnet /29 which typically you use for an nva. network virtual clients, right? if you're gonna do it, that's, a lot of times, the recommendation or
a slash 28. all right, here's your subnetting lesson. i used to teach five days on [laugh] dns and ip addressing. believe it or not, in almost every windows and every azure exam, i've seen at least one question somewhere about this. here's how it works. you have a network. you need to support 27 hosts, what would be the cidr notation? so, if you know how an ip address works, part of this network address,
the rest of it is a host address, right? how many bits in an ip address? help me out. >> 32 >> 32 bits, yeah, 32 bits, right? it's four octets, eight bits each, right? okay, so here's the math. i taught my eight-year-old how to do this. so we need 27 networks, so each finger is a multiple of 2. 2 times 2 is 4, 8, 16, 32, yeah, 32 is bigger than 27, right?
so i'm gonna borrow 5 host bits. if i take 5 and 32, what do i got? 27, that's my cidr notation. that's what i need, a slash 27. sorry, that doesn't show in the video, but [laugh] that's the way it works. thing to know, i don't know that they'd catch you this on the exam, but definitely, in real world, you better know. so the old formula was 2 to the n minus two,
take away this network and all. how many do we take when we're in azure? five total. yeah, so whatever your number is, you take away five. so it's those two plus three more on the top end. yeah, so that could get you in the real world. it's like if you're doing a really tight network. network security groups. we used to have, in asm, it was predominantly first acls,
access control list. we all know what those are, hopefully. but now we have nsgs, network security groups. and we have udrs, which they actually called it what it is in the portal now. what's it called? >> route tables? >> route tables. [laugh]. that's all it is.
it's just in a route table addition, right? you're modifying that. know what these are, and when and why i'd use them. and there's some specific things about them. an nsg, can i go inbound? yes. outbound? yes. what about udrs, inbound? no, it's outbound only.
udr is outbound only. so, think about it. why would i do it, typical use case. i want to point to an nva and virtual appliance. i've got a barracuda some waf out there right. and i'm gonna tell my traffic, you're going to that waf, you've gotta go through that. you've gotta go to the f5 appliance. so you're forcing the traffic.
there's a built in table that basically says, within a vnet, guess what, anyone can talk to anyone they want unless you control it, right? so udrs is a route table so that's only controlling by ip and nsg controls port traffic, flow in and out. and there's some basic settings in there. it's only tcp and udp. now this is one i found again this summer. this was a new one i had never seen before. so probably, both exam-worthy and real world-worthy.
so there is a specific microsoft ip address that's owned, 168.63.129.16. i don't have that memorized yet. i think it's used, i forgot what it's used for, it's used for probes, i think. and also, a port 1688, which is reserved for key management services. so you have to make sure you don't block those out. could be problematic.
load balancing endpoints, again this has been an evolving story. so here's an interesting thing if you didn't know this or realize this. we have ilbs and actually, in the interface, i should update the picture, they changed it. so it used to be either internal load balancer or internet load balancer, but when you go in the interface now, you actually will see internal or public. so, the way they work and are configured are the same.
the only difference is, do i have a public ip address reserved for it or not. that's the primary difference. it distributes based on source address, protocols, source/destination port. if you go to the networking talks, you hear about five-tuple, that's your five. all right, that's how they do that. the endpoints are used for rdp, psremote, ssh.
yeah, and there's that special address that we talked about for the firewall policies. here's one, they have this and i, of course, i couldn't tell you if i saw it or not, but i'll admit it, i didn't see it. i don't know if you will, but it's on the exam objectives, this direct server return. and i was scratching my head for the longest time and i couldn't find it. and then i was going through a template and i found it. all i know is, when and why would i care about this and use this?
sql aoa. in sql aoa, there's actually a little box there that says, do you wanna use direct server return? and all i know and care about is that mitigates load balancer bottlenecks. but there's a powershell you can do that enable direct server return option also, but it's used for sql aoa. same thing that keep alive, so these are other options to keep the connection from your client to
your load balancer open during a long request. the availability set is a pretty important concept, so the idea here is. and actually, by the way, there's some really cool stuff in storage coming out related to this. so availability sets, imagine i've got a rack here and i got rack over here, look, physical racks, right? we don't want our vms to go down. we got a couple of web servers.
i don't want both web servers on one rack and the rack dies, and then i lose my whole web farm. so we create an availability set. what the availability set does is, we're going to distribute those vms across fault domains and update domains. so you need to know what those are and i got a actually a picture on the next one it'll steal the thunder. but a fault domain is the rack died. so if that rack died, my other vm is on the other rack, and
we're still good. the update domain is not inside the box, not inside windows operating system update, but azure updating. you ever get those emails, we're gonna update the services and you wanna make sure you have an availability set, and update. so in the event that we update, we update per update domain. so if you create an availability set and put a bunch of servers in there, you're pretty good. and that also buys you the most important thing is an sla.
so if you put your servers in an availability set, and you typically do this by tiers. web tier, middle tier, backend tier, make an availability set for that, you'll get a 99.9% sla with that or 99.95. sorry about that. and i got a link there that takes you right to it, about the stuff and then, of course, the picture, about the options. and they actually change this in asm. it used to be only be two fault domains, now, it's three.
you go up to 20 update domains as well. and this is the picture. it can kinda show an availability set spanning across the rack. that how that works. so, yeah and again that should be a minimum of 3 fault domains. anything else there. so it did it 4 to 5 and go up to 20, and only one of those is rebooted at a time. helps to preserve the integrity of your machines.
implementing storage, configuring disk caching, so just a couple of key concepts to note here. we'll highlight these, and blow it out for you. so we have host caching that you can set. host caching is off by default for read-write on data disk and it's on by default for os disks. and there's a couple powershell options to how to do that. if you didn't notice, i'm sure you probably heard this in some of the talks.
by disk by default, we get redundancy options you should know about. be familiar with things like lrs, grs, ragrs, and how those work. if we do lrs, which is non-geographic, we get three copies by default. if we do geographic, it goes across two geographic regions, and then we'd get six copies of those. then another site greater than 400 miles away. and those are three options.
it's interesting too and i've noticed this, so actually in this picture, i've been in some areas and i haven't figured out what the criteria. but sometimes you don't see zrs is not available. but generally, and actually, everything defaults now to our ragrs in the new portal. so make sure you be careful. and also, notice, once selected, you can't change. here's another exam tip to know about also.
if you're gonna do raid discs and span discs, it has to be lrs. it won't be supported or work across grs. so, and also, i just did a mapping for my current customer. they wanted a map of storage account planning. so one of the strategies that we had is, so when you think about your storage accounts for disks. so you can have non premium and then a premium, cuz your storage account is for the entire, so it's premium for the entire storage account. and then we also had a separate one for lrs,
cuz they're gonna have some machines that can have stripe discs. and then, there's a whole other topic, i don't think this'll be on the exam yet, but they're talking about cool storage, have you guys heard about that? so that's some pretty, so it's offline cheaper storage. and that would require a whole different type of thing. storage account. monitoring, endpoint monitoring. there's all kind of metrics you can gather every hour and minute and
you can see these in the portal. different types of alerts you can do, and i can highlight the help file you can take a look at. you pick the metric conditions thresholds. it's like perfmon, right? just like your old perfmon stuff you can do. you can also configure diagnostics, get in there, get in the portal, look at the monitoring, look at the diagnostics, and see what you can do there.
and some pictures there, i need to update those. there we go, there's the new one. so when i show you these pictures, these are default settings also, which is always good to try to do. so i didn't configure or change anything, that's what you're getting out of the box. okay, and we'll save those for you for things you need to know which we just talked about. that's your personal quiz.
there's mount hollilocku. they blow the conch shell to welcome you in the morning. we got there, we rode the bus takes you up like at two in the morning. and the sun came, and you couldn't even see, the clouds were everywhere, you couldn't even see your face. and that there broke through at the last minute. so things about cloud services, configure, deploy, manage, monitoring. and this part's getting kind of smaller, i mean when you think of
cloud service, you kind of think of traditional in the old asm model. like when we used to deploy vm, and it would be in a cloud service, and it's kind of in its own container. but once we got to arm, we've separated out all those bits and pieces, the network card, the public ip address, everything is entirely separated. so now when we talk about cloud services, we're really kind of talking more in the old world. but as we get in the conversation and the architecture design exam,
it's more about paas, which kind of spans, it's kind of like replace the cloud service, but i don't really call that cloud service. i call it more paas. cuz in this section of the exam, when they're talking about cloud services, they're really talking more like asm type stuff. just for fyi. all right, so again, that's an old picture in there. so we can select instance count and size, your os version or
family, different types of roles. you should know the difference. i would highlight this one and mark it for your memory banks. the difference between a web role and a worker role. so when you think web role, gee, it sounds like an iis server, yeah? so it's instances of those spun up, worker roles can spin up processes. now, the interesting thing, you go into portal and try to find this, you're not gonna see it. you'd have to go in visual studio and create a worker role, right?
and then it will surface itself, okay? other things we can do. and again, this is kind of bleeding over in the newer world. we can configure multiple web apps within an app service. we can have multiple app services within an app service environment. so again, this is getting familiar with those different worlds and environments. almost everything, whether it's a blob, it's a vm, it's a cloud service, it's a paas service, you can make custom dns names.
if you've never done that, i'd recommend to try it. get a trial subscription, buy a cheap domain name when they're on sale for a couple bucks and do it. it's not that hard. so you should know about the process kind of step by step, that's kind of a category type thing to know. if you do, it's like an autoscale for this cloud services. you gonna have manual or automatic. can we do it by cpu, disk or network load and
other types of metrics like queues or cpu or whatever. lots of different ways you can configure that. before we do cloud services, to make this work, you need to have the azure sdk. you got to download that. and we talked about the certificate requires a pfx file. and we used to talk about diamond slides back in the old mct days when we deliver and this would be a diamond slide. the diamond slide means this is really important stuff that's
probably going to buy you a buck or two. things you need to know. so if i was gonna do this in cloud services, you should be familiar with these terms, just kind of take a look like what they are and when i would use them. so you have a service definition file and a service configuration file. and the file extensions kind of matches, so it's .csdef for definition and .cscfg for the configuration.
so, each of them contain different parts and then they're all bundled up in a service package, .cspkg, which you can use a cspack utility which come with the azure sdk to deploy that. monitoring cloud services, so in order to do that you can create a storage account. enable diagnostics on there, get telemetry information, and i got a good link on that for you, too. that's an old picture, so i would look at it in the new portal. in the new portal,
you can actually collect, you can actually add in the old stuff, too. so you can add in vms in the classic mode and see those metrics that you can do there as well. okay, all right, so that's review for you later on. five things that we can do at the web role. deploying, worker role, diagnostics and service bus. where's that? that's waikiki, waikiki beach. implementing storage. so these are the topics in here, blobs and azure files, managing
access, diagnostics, implementing sql databases and recovery services. check here. okay, 60 minutes. all right so, blobs. you should be familiar with blobs, what they are. they a rest based interface. we have block blobs and page blobs, so know and understand the difference between those. so, if we have discs, we're talking about page blobs.
be familiar with this utility if you've never seen it or used it before. it's pretty nifty. so we talked about uploading custom vhds. this is one of the ways you can do it, all right? there's also another one, windows storage explorer, which is pretty cool. it's kind of a nice little utility to upload images that you can do. azure files.
so this one's pretty straightforward when you think about it. think about like a network share. i got a bunch of vms and i want to share some stuff between them. i can make an azure file. and the one thing that it does that the other constructs within storage accounts don't do is it supports smb. and just recently, they upped it because it used to only support smb 2.0 and now it supports, whatever the latest version is, 3 or 3.1. i forget the number is.
there was a talk on this. this is one of those things i was mentioning earlier that i wanted to tell you about. this stuff, i'm gonna tell you right now, is not in the exam. this is just good real world stuff. there's gonna be a talk on thursday about discs and files you wanna see. and they're gonna talk about managed disks, so it's gonna be a new premium sku. i'm not sure if it's gonna preview, public preview, what the status is.
but essentially, no more storage accounts. storage accounts will still be there but you can get this premium option and now you actually will see a disk object. so it's a one to one mapping, so it's really, really cool. so from an azure design exam and real world, here's the thing to know about because it's happened on very few occasions. but this is why they went this direction, is that when we talk about availability sets where you have a vm going from one to another.
well, imagine if they are both sharing the same storage account, the storage account fails, you just lost both nodes, right? so this is why they're going to the managed discs. and i saw that some the preliminary pricing, it looked really cheap. but if you got thousands of chains, i'm sure it adds up. but it was really pretty cost effective. so files and discs section coming on thursday or friday. okay, so i did have it, right? smb 3.0, we talked about that support.
lots of os apis and libraries tools create, read, write, .net support for it. this is a new slide i made last summer. so i thought this is what i really care about, for like, why use one thing versus the other. azure files versus blobs versus data disks. so if there's mention about smb, about sharing, azure files is my answer, all right? if we're talking about disks, definitely blobs.
diagnostics, probably a blob. azure data disks, so if we want to use lift and shift applications, store data that is not required to be accessed from outside the virtual machine to which the disk is attached. so the only difference is the data disk is actually stored on a blob and a data disk would be a disk that you add after you create the vm. so i created a vm, run get the os disk and the temp disk. and then i can add an azure data disk, again, which we stored as a page blob.
when we have access to storage, we have these things called storage keys. you get two keys by default. for a good reason, because if you have to change the key, you don't want to change the one key and you're locked out, so you change one key at a time. but also if i want to share information with mike down there. so if i wanted to give him temporary storage, i could actually give him a shared access storage key.
it's a uri string which is time-bound and limited and then he could get access to that stuff i wanna share with them. we can also group these things together and make policies out of them. and to provide additional restrictions, we've got five policies per container, queue or table. why do we regenerate keys, why do we regenerate passwords? same answer. security, really good deep dive articles.
i don't know if you want to get too deep, but for real world, pretty much this right here, if you know and understand these, what they're for, you're probably good on this exam. but, those links, there's two parts. there's so much information on there. diagnostics. we can put retentive policies, one to 365. zero means no policy. logging levels.
minimal, verbose, and off. when you do analyzing logs, they're saved in a $logs blob container in your storage account. and we can access them through a service api sql databases. so here's the operative word, the phrase that pays, the thing you want to make sure you know is right here. a dac package versus a bacpac package. so these are different scenarios. and here's my stupid little trick to remember it.
bacpac is longer than dac so it contains more stuff, right? bacpac is longer than dac, it contains more stuff. so bacpac contains both the schema and data. the dac package just contains only the schema on there. okay, so just know those terms, know that they are tied to sql databases, know that they are used for importing and exporting the schema. create a backup vault. so we do that for backup files for any windows server to azure, you can use azure backup.
pretty cool, think like ntbackup but for the cloud. it's a nice little service you can do. backup and restore data, you can do server 2012 or 2008 r2. anything else in here? there's actually command line utility, which most people if you don't do this would never see this, but start-obrecovery. that's the thing that's gotten me on exams, for these little erroneous utilities that i've just never seen or
used, and just to know that that's real. so sometimes that's the way that you can rule out questions, is they'll give you something like that and you'll it's not used for that, i know that. and, that's really about all you need to know. and here's another one of those examples, this is the one that was in the back of my mind, i couldn't remember, this wabinstaller, the first time i saw it like, who would call it wabinstaller?
that's what it is, so it requires wif, windows identity framework and powershell and the executable is wab installer. it's used to do that. and again you can go all the way back 2012, not even r2, and 64-bit windows 7 on up. so really good stuff to know. if you're gonna tie it together with data protection manager you have to have update roll up two for scdpm, system center data protection manager with service pack one.
and you have to select the age and type between azure backup agent, windows server and system center data protection manager or windows server essentials, even. you've got 9 minutes and 20 slides. all right. [laugh] a slide every 30 minutes, so, we'll again leave these for you to review. i'll upload these tonight. so, ak.ms/mcgrans, you will be able to get these.
a pretty flower. my favorite topic. i'm an identity guy. azure active directory. so some things to know about here, again shortcut directory to it, aka.ms/azure/ad. this you've probably seen if you've been into any identity sessions. it's kind of classic and true and tried. the main thing here is to know,
so how many people use dir sync right now, use dir sync? okay, that's old, you need to update. [laugh] it's been around, no but that's okay. so dir sync was replaced by azure ad sync. which has been updated by azure ad connect, right and azure ad connect, if you didn't know this here's a cool thing i was talking to some other people here about, is that you can actually have two synchronization servers kind of working in tandem or
as a failover, it's a new option. yeah, yeah, yeah, very cool options with that you might check out. also, when you get azure ad connect, you get azure ad health, which gives you diagnostics about your adfs servers. right, so a lot of good reasons, and there's a clear migration path to go to azure ad connect. but here's the point about this, so in the top part, we're looking at azure synchronization with azure ad connect. it's a sync engine, it syncs a hash of the hash of the password.
people freak out, i'm not syncing no password out there. well you're not! you're not even syncing the hash, it's the hash of the hash of the password. all right, so it's very, very secure. and this is what most of our clients are doing. it's what they're recommending unless you have specific scenarios. i've got a bunch of federated apps on premise. i love and use adfs, okay. we can go with that.
but if you don't let's go the simpler solution is gonna be that. down here i'm doing adfs which we now can deploy with azure ad connect, which will deploy both your adfs and your web application proxy farms, all right? down here, so the key point is where do i authenticate to? they're both called sso but sso means two different things. the top is same sign on, the bottom federation is single sign on which means you go back to the source of the which is your on-premises active directory.
or now in server 2016 it could be an ldap server, woo hoo! that's cool. i'm very excited about that one. but that won't be on the exam. so, and azure ad connect will support ldap as well. so that's the key point here. when and why would i choose one versus the other? if i got nothing else, i want a quick easy set up, don't require a complex federation scenario, let's do sync.
otherwise, let's do federation. configure the application access panel, if you haven't been in there, done that, my gosh. well, if you azure setup you can actually go to www.myapps.microsoft.com and there will be something in there. whether they configure for it or not. if you have your own trial account, do it. www.myapps.microsoft.com and you can see what kind of things you can configure.
now they have yay, azure active directory preview in the new portal finally. if you haven't seen that so i don't have to go to the old portal anymore for azure active directory. that probably won't be an exam but that just recently happen. so that's where you can figure all these things. so we have saas applications. we can leverage azure active directory as the idp which stands for identity provider,
as opposed to the sp which is the service provider. right, we're good. so azure active directory determined how to authenticate with federated or standard, mfa, if you have mfa installed. i don't think they'll get into details on this in the exam, because that's a whole different console. i'm hoping they integrate that together, would be nice. know the protocols, know thy protocols that we use and what are supported.
saml-p, security assertion markup language, openid connect. what kind of token did we typically use? it's called a jwt. jwt, json web token, right? so like people see that and don't know what that is. in application panel we can configure and allow to add users groups. there's the link to it. users once they have they can change password,
reset mfa preferences account details, launch apps. they just changed it, too. so they made a cool new groovy interface. you have all your custom corporate apps in there. you can use marketplace apps. you can use your own apps. you can add them in there. and then they see the little buttons and icons to launch those applications from that one place.
single sign on right there. lots of good stuff in there. we talked about authentication. more links for you. and there was a picture just kind of showing through an example of that other company out there that where you can add that in. you enable single sign-on. you enable automatic user provisioning to google apps and then you assign users or groups to that application.
that's exactly how it walks through. integrating with azure ad we can do web apps, we can do ws-fed, soap clients, ws-trust specification desktop apps. we use oauth for restful http methods. we like stateless, it's the preferred approach. graph api, you should be familiar with that. so that's how we programmatically access azure active directory, then create operations. create read, update, delete.
stuff like that. or back, i think to the image. that was the back of the resource script, but i think it taught a little about resource based access control. right. that's the rules that we can assign to things. and we can use graph api to also do that. there's some quick questions. save those for the slide.
get you to the end here. we're getting close folks. virtual networks, ho-ho, big topic. you'll wanna check out the network. there was a session yesterday onnetworks and they showed this slide. so we think about virtual networks. this is really the big picture. how do we get in the front door,that's the left side. we have virtual networks.
once you create your network inside of azure, we have multi-tier topology. i don't think this'll be on the exam, but you should know about peering, if you've haven't heard about that. cool new feature, right? so typically in vnets like we said before, everything can talk to everything, unless you do what? what are the two things i do to control traffic in a vnet? nsgs, and?
udrs, he's ready to go. [laugh] but now we take a virtual network, virtual network. before we had to make a vnet to vnet gateway. which was not too difficult but not too easy to make it happen. but now you can do peering which is really simple because you do it in the portal. but peering probably won't be in the exam. then you have hybrid connectivity. so that's the third option.
and you should know what the options are there. and i'm gonna show you that in a slide coming up here. real quick. should be familiar with if you've never used traffic manager, think global dns load balancing. so, also note at the bottom here, actually i got a better picture i uploaded these pictures here, i'll show you some stuff here. so, when i do this we have the endpoints, we have three different types of endpoints.
an azure endpoint, an external endpoint, a nested. no, you need to go back cuz i didn't get that point i wanted to highlight to you. this is a thing you need to know. so in the load balancing policies make sure you know these are three ways i can do it. performance based, round robin, or failover, we can configure. very important point. and this was in.
i just did this the other day. because i hadn't been in the new and done this. so three types of endpoints. azure and external nested. nested's really cool. so i can have traffic manager route to europe. route to the united states, or let's say. no. the americas. and then, within the americas,
i could have a profile for north america and south america. right. so it can say, you know, i can have a base on traffic or whatever. i can route it sort of kind of messy. i think you can do multiple levels on that, as well. and then also, if you choose add your endpoint. this was something i noticed that i thought was worthy. there's four different target resource types. cloud service, app service, app service, slot or public ip address.
so that's a new update for you there. public ip address now it's an object. where it didn't used to be in cloud services. it was integrated and baked in and built in. you can use your own ip address. or, you can let azure dns do the work for you. you can assign to the vm, ilb, internet load balancers, vpn gateways, application gateways. dynamic or static windows or linux, private ip address.
of course, the key rule of thumb is don't overlap your address scheme. write what you have on premise into the cloud. and again, then comply that to vm's gateways, or application gateways, or ilb's or. bring your own network. we talked about the ten one 168 and 172/16 addresses. we talked about nsgs. we're good there. internal load balancing.
actually, we talked about internal load balancing. you can do multi-tier applications with internal facing. so typically from a design standpoint, we have a public ilb on the outside. then, as we go down our tiers, then we have ilbs with internal private ip address. so, why would i do that virtual appliance? typical reason and answer. the mac ip address persist through the vm life cycle.
and now we actually know it is really persistent. they just announced that at the kick off there. we can separate from and back end traffic and the data planes by the ip addressing and multiple nics. static ips, we talked about that. again, tried to throw in some sample powershell commands to get familiar with seeing those. because again, you'll probably see something, somewhere, on some topic. i can't tell you what they are.
but that's just an example of how it would work to do that. and i got some powershell examples in there. i'm going there making an ilb. right, just fire one up. got one on, okay. we're almost there. that's my name there. okay, we're almost there folks, hang on. modify the subnet.
so once i make a vnet, i'm going to have subnets within it. then i click the add subnet button. or i could do a powershell azure cli rest api. and add additional subnets in there. import a network configuration, that's actually an old picture, but i just updated it. also i forgot to take away the old picture. this is what i was talking about before. with anything you create now, you get this automation as script.
there's the rm template. i can take that, i can modify it. here's another one, another freebie you probably don't know about. remember when i did the n and the b? right, when you click b, type template deployment. anyone use that? no one. template deployment, yeah very good. you grab this, paste it in there, boom.
you can test it out. it's the coolest little thing. try that out. do three things. b, n, and ten. and the template deployment button it's really cool. but this is where you see it. i can then take that out and i can import it in into that template deployment and
re-modify the whole network. much much easier than the xml files before. appliances bring appliances. this is just in the marketplace. lots of appliances you can select from. gateway enhancements. so high performance gateways for site to site tunnels. i will talk more about that in the next session. so these are the questions for review.
and i just want to get to a couple of real quick review things to let you know about. and i'll be done. so the objectives were i gave you, i basically built the slide deck folks, if you don't know, by the exam objectives. each one i broke down sections to give you some tips and tricks. so hopefully, that helps. i'll get this deck uploaded at the end of the day. there's a lot of breakout sessions on cert.
so i put the ones that i thought were most relevant down here at the bottom. these are the hands on workshops that are all. says azure, just jump in there, you can do whatever you want. clickety click. you don't have to follow the script. you've never done traffic manager, fire one up. take a look at all the options you can configure in it. and folks, there we go.
so hopefully, you learned a couple trips. i've got you three to five questions, i did my job. you got some tips about taking the exam. you got a deck i will provide to you. if it's not on their site, it will be on my site at the end of today. and i wish you a lot of great luck. and have a great ignite this year, thank you. >> [applause]