Becoming a Cloud Expert - Microsoft Azure IaaS - Level 1 | Idan Gabrieli | Skillshare

Becoming a Cloud Expert - Microsoft Azure IaaS - Level 1

Idan Gabrieli, Pre-sales Manager | Cloud and AI Expert

46 Lessons (5h 44m)
  • 1. Course Promo v2 (2:04)
  • 2. Welcome! (2:19)
  • 3. Course Objectives and Structure (3:17)
  • 4. Section Overview - Introduction to Microsoft Azure (1:39)
  • 5. Cloud Computing Definition (11:28)
  • 6. Microsoft Azure (7:00)
  • 7. Global Footprint (11:13)
  • 8. Global Footprint_old (11:17)
  • 9. Demo - Azure Portal Review (15:48)
  • 10. Azure Resource Manager (ARM) (13:03)
  • 11. Demo Azure ARM (12:22)
  • 12. Azure RBAC (5:53)
  • 13. Azure RBAC_old (6:05)
  • 14. Demo Azure RBAC (9:14)
  • 15. Demo - Azure RBAC_old (9:44)
  • 16. Section Overview - Azure IaaS Networking (2:22)
  • 17. Virtual Networks (7:12)
  • 18. Virtual Network Setting (8:03)
  • 19. Demo Creating a Virtual Network (4:48)
  • 20. IP Address Types (6:36)
  • 21. VM, NICs and IP Configuration (1:51)
  • 22. Demo Network Interfaces and IP Configuration (9:49)
  • 23. Network Security Group (NSG) (7:11)
  • 24. Application Security Group (ASG) (4:21)
  • 25. Demo - Configuring NSG and ASG (16:40)
  • 26. Section Overview - Azure IaaS Storage (1:54)
  • 27. The Power of a Cloud Storage (6:17)
  • 28. Types of Cloud Storage (11:36)
  • 29. Azure Storage Services (4:23)
  • 30. Storage Accounts (6:47)
  • 31. Storage Replication Options (7:42)
  • 32. Demo - Creating a Storage Account (12:49)
  • 33. Azure VMs Disks (8:52)
  • 34. Demo - Creating and Attaching Data Disks (14:23)
  • 35. Encryption Data at Rest (9:48)
  • 36. Section Overview - Azure IaaS Compute (2:48)
  • 37. Virtualization (5:22)
  • 38. Virtual Machines (6:19)
  • 39. VM Types and Sizes (4:16)
  • 40. Demo Creating VMs (12:38)
  • 41. Demo VMs Setting (7:28)
  • 42. Demo VMs Operations (14:40)
  • 43. Demo VMs Monitoring (6:56)
  • 44. Quick Mission Briefing v2 (0:56)
  • 45. Let's Summarize (5:30)
  • 46. What Next? (0:56)

About This Class


Are You Looking to Become a Cloud Expert?

Cloud computing is one of the biggest technology revolutions in the IT industry, spreading at the speed of light all over the world. More and more companies are looking for ways to migrate their applications into the cloud or to build new web-scale applications from scratch atop a cloud infrastructure.

The demand for skilled people in the area of cloud computing is increasing every day across multiple industries, from IT experts, DevOps engineers and developers to consultants, security experts and more.

This course is part of a larger training program called "Becoming a Cloud Expert", and it is the first important cornerstone for learning how to migrate applications into the cloud while using the Infrastructure as a Service model inside Microsoft Azure. We will learn how to create, set up and manage virtual networks, private/public IPs, storage accounts, virtual machines, virtual disks, security rules, access control and much more.

Join us and start to pave your way as a Cloud Expert!

Transcripts

1. Course Promo v2: Cloud computing is one of the biggest technology revolutions around us, spreading at the speed of light across multiple industries, and the demand for more skilled people in that area is increasing every day. Companies are looking for cloud experts. This course is part of a larger training program called Becoming a Cloud Expert, and it's the first cornerstone for learning how to migrate applications into the cloud while using the Infrastructure as a Service model inside Microsoft Azure. We will learn the three main building blocks of a cloud solution, meaning compute, storage and networking. The training is based on a step-by-step approach with many demonstrations, including an end-to-end student project to practice and get some experience. My name is Idan, teaching online courses for several years now. I really believe that cloud computing is a very important subject and also an interesting subject. If you're planning to become an expert in cloud computing, I would like to help you with that interesting journey. So see you inside, and let's get started with your first cloud computing deployment.

2. Welcome!: Hi and welcome. Thanks for joining this course. I'm sure you're excited to start planning and building your knowledge and skills around cloud computing. It is an amazing and very interesting piece of technology. But even more important, it can help you with your existing job or maybe the next interesting position around the corner. I'm sure you know that a growing number of companies are exploring the business options of using cloud computing, and this industry trend is actually getting stronger every year. Cloud skills are becoming a very valuable asset, and it is a smart move to invest in developing your skills in that direction. A little bit about myself. My name is Idan Gabrieli, teaching online courses for several years now. I really enjoy building courses while trying to explain complex subjects in a more simple and organized way. I'm mainly focused on technical topics, and in my opinion, cloud computing is a great, interesting topic. Just to let you know, my first course about cloud computing, called Getting Started with Cloud Computing Level 1, is mainly focused on the theoretical fundamentals of cloud computing, and it is a great place to start if you don't have any knowledge about cloud computing. Now, this course is mainly focused on the practical side: how to start building solutions using cloud computing. There are multiple cloud providers out there, like Amazon AWS, Google Cloud and Microsoft Azure. In this training program, I decided to focus on Microsoft Azure as a framework to present cloud computing. Before presenting the content and learning objectives of this course, I would like to wish you the best learning experience, and feel free to ask me questions before and after joining my course.

3. Course Objectives and Structure: This course has several objectives, and let's review them quickly: starting with a quick refresh about cloud computing; understanding, at a high level, the building blocks and cloud services provided by Microsoft as a public cloud provider; and then specifically focusing on the Infrastructure as a Service model, meaning how to create and manage virtual machines, what kinds of virtual machine types are available and how to select between them, creating virtual networks, setting up and configuring security rules, allocating storage capacity for virtual machines as needed, utilizing encryption features, resizing a VM (vertical scaling), VM extensions and more. We'll do all of that while using the web portal. Just to set the expectation: becoming an expert in cloud computing is not going to happen overnight, or in a single course. It is a journey, and you just started. There are many topics to cover, and I'm planning to do that in the future levels, while raising the complexity in every level and covering more advanced topics. Let's see how we are going to do all of that in a smart and organized way. Our first learning section will be an introduction to Microsoft Azure as a public cloud platform, getting to know the capabilities at a high level. Now, because this level, Level 1, is focused on Infrastructure as a Service, we will follow the same building blocks, meaning network, storage and compute. The network section will help us to plan, set up and secure the underlying virtual network communication layer in a cloud environment. Next, I will present the cloud storage services, but with the focus on allocating storage capacity for virtual machines. The last building block, compute, will be used to plan, create and manage virtual machines in a variety of design patterns, to be used as the infrastructure for application workloads. Finally, it will be your turn. As knowledge is only achieved by practicing things by yourself, I added a small project to help you exercise and apply the things that we will learn during this course. Don't worry, it's not so complicated, and I will provide you with detailed guidelines anyway. Just remember that with a few mouse clicks you can send me a question. I think we are ready to start, and it's a great time to pause for a minute, bring some coffee or tea, whatever you like, and see you in the next section.

4. Section Overview - Introduction to Microsoft Azure: Hi, and welcome to the first learning section. We are almost ready to start our journey. Before jumping ahead and starting to configure things in Microsoft Azure, we need to have some high-level overview of Microsoft Azure as a cloud platform, and as a starting point, let's review the topics for this introduction section.
Our first topic will be a quick refresh about the basic definition of cloud computing: what is cloud computing, as well as what are the main characteristics, service models and deployment models. Next, we will start zooming in on Microsoft Azure as a public cloud solution and specifically talk about Azure Infrastructure as a Service, as this is the main topic for this level; understand the global footprint of Azure worldwide, how data centers and regions are divided into additional logical groups. Then I will perform a high-level demonstration of the Azure portal, just to get the feeling of it. We will learn two important concepts in Azure, Azure Resource Manager (ARM) and Azure role-based access control, and finally I will perform a demonstration of those two last topics.

5. Cloud Computing Definition: Let's start by defining the concept of cloud computing, and I like the following very simplified explanation. Cloud computing is the transformation of computer hardware, software and networks into a utility service, just like our electric, water or gas services. Our electric power is produced by a utility provider. We, as customers, consume electric power and pay for what we actually used or consumed in some time period. We can, of course, try to produce electrical power by ourselves, and there are always disadvantages and advantages for each approach. Probably it is much more effective when a centralized company produces electrical power and distributes it to many customers; it is the simple principle of economy of scale. Now, going back to cloud computing. Cloud computing is basically a more modern alternative to the traditional on-premise data center. Instead of buying and operating IT resources for running applications, we can rent those resources and services from a public cloud provider like Amazon AWS, Microsoft Azure, Google Cloud and many others. The public cloud provider is responsible for hardware purchasing and ongoing maintenance, and basically provides a wide variety of cloud services that we can consume. Some of them are very simple, like renting storage capacity or maybe computing power, and some of them are more sophisticated, like using APIs that utilize advanced machine learning capabilities. The spectrum of service types is quite large, and it keeps growing all the time. And this is actually what makes cloud computing so interesting: the variety of services that can be provided.

Now let's use a more detailed, official definition of cloud computing coming from the National Institute of Standards and Technology: cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. I think this official definition encapsulates in a very nice way the essence of cloud computing. There is a shared pool of resources managed by a cloud provider, and those resources can be allocated or deallocated dynamically, on demand, by users with minimum support from the provider. Another important dimension by which we can categorize and define cloud computing is by saying that the cloud model is composed of five essential characteristics, three types of service models and four deployment models. Let's explore those options, starting with the five characteristics of cloud computing. Let's assume this is a public cloud provider here in the middle, where the resources are divided into small units. Every second, new customers are accessing this huge global public cloud service and allocating resources inside, on demand, using a self-service portal or maybe using some APIs. At any given time, multiple users are already using all kinds of cloud services. They allocated them one minute ago or two weeks ago, and they can access their allocated resources inside the cloud using multiple operating systems and multiple platforms; the cloud supports broad network access options, and this is the second characteristic. In case a specific user would like to allocate more resources to scale out, or maybe release some unneeded resources, it can be done quickly. This is rapid elasticity: we can allocate resources according to the needed workload right now, without over-provisioning capacity. In addition, every second there are users that are leaving the cloud, terminating resources they allocated for a specific usage. Those resources will be available again as part of the pool of resources. Any allocated resource is measured from the moment it was created until it was released back to the pool of resources. All those calculations are being done automatically by the cloud system. And now we got the two last characteristics: measured service and resource pooling.

There are several flavors of cloud deployment models. We have public, private, hybrid and community. A public cloud is a cloud infrastructure offered to anyone worldwide that is willing to pay with a credit card. I guess you have heard more about the public cloud deployment model, as this is what is proposed today by the main providers like Amazon, Google, Microsoft and others. Our main focus in this training program is about public cloud deployment. A private cloud is basically the desire to imitate some of the public cloud characteristics at a smaller scale, meaning inside a regular on-premise data center operated and used by a specific organization. In other words, a cloud that belongs to the organization. However, it is not operated by the traditional on-premise model; it must support the characteristics of a cloud computing solution and provide a similar experience to what is already provided by public cloud providers. Private clouds, by their nature, are very limited. For example, you can't get the same level of scaling and data availability that are part of a global public cloud infrastructure. Now, not every application can be easily moved to the cloud, or it doesn't make sense commercially; on the business level, there is no clear business case. This is why many organizations are selecting the hybrid cloud option: use their existing private data centers and connect them to a public cloud solution, enabling them to leverage the advanced capabilities and flexibility coming with the public cloud, enjoying both worlds. And the last one, community cloud, is a cloud solution that was built for a specific community. For example, Microsoft Azure operates several data centers in the U.S. just for the government, taking the government as a community. Now, there is no single winning deployment that is perfect for everything. Each one of the deployment models has advantages and disadvantages. Eventually, each company or organization will choose the most relevant deployment option based on the business requirements, business needs, internal policy, regulation constraints, the overall budget, etc.

Moving to the last definition of cloud computing: the service models, also called "as a service". All cloud services can be grouped into three types: Infrastructure as a Service, Platform as a Service and Software as a Service. Infrastructure as a Service is the topic of this course, and it can be described in a single word: host. We can host our application inside the cloud by allocating and renting IT resources. This is the easiest and fastest migration strategy while moving applications to the cloud, and it offers many benefits. However, it still means that we are responsible for managing the servers, like we're managing in a regular private data center. For many organizations, that will be the starting point, or the preferred way for specific use cases when they need more control on the underlying resources. Platform as a Service is the next group of services. In that service model, we can focus on building applications without handling the underlying infrastructure; the cloud provider will be responsible for many ongoing IT operations, like upgrading the operating system, installing patches, handling scaling and availability, and many other tasks. It is basically a question of responsibility breakdown. A simple example will be a developer that would like to use an SQL database, and he or she can start to use an SQL database as a service without actually allocating virtual machine resources for the database or performing any software installation and tuning the database for best performance. All those activities will be done by the cloud provider. In our example, the developer is using the database as a platform to develop and build an application without spending time on any IT activities. And the last one is Software as a Service. This is a widely used model for many applications running on the Internet today. We basically rent or consume application features, like our Gmail account, Dropbox file sharing, Microsoft Office 365 and many others. We basically consume software features. I think that's enough to summarize, at a high level, the definition of cloud computing.

6. Microsoft Azure: Microsoft Azure is probably the biggest transformation on a business level that happened to Microsoft as a vendor in the last decade. Microsoft, as a company, was used to selling many software products as licenses and was dominating the PC market with the popular Windows operating system. As a huge strategic move, they released Microsoft Azure back in 2010 and started to compete with Amazon AWS, that was already dominating the market, and also with other new players at that time, like Google Cloud, that was officially released in 2011. Now, those giants know what they are doing. The cloud as a market is growing very fast, and more companies are looking for ways to exploit the benefits while moving their applications to the cloud. Microsoft Azure provides the services to build, manage and deploy applications on a global scale, while using multiple data centers connected with a superfast network. The whole hardware and software orchestration of the cloud infrastructure is done using a specialized cloud operating system called Microsoft Azure, developed by Microsoft. As a side note, this software is also offered by Microsoft as a cloud platform to manage private clouds. Now, if we review the list of Azure products or services, we will find hundreds of options to select, something that can be a little bit confusing and overwhelming. You can easily get lost with the vast amount of options. The products are divided into categories. As you can see here, there are categories: compute, web, database, Internet of Things, storage, etc. Those categories are useful to help us navigate to the specific needed products, and some products will actually be presented in more than one category. If I zoom in on one category like Compute, then I will find multiple options to select, and the list is growing all the time. Some of the products are related to Infrastructure as a Service, and some of them are related to Platform as a Service. Virtual machines are related to Infrastructure as a Service, but web applications are related to Platform as a Service. Actually, most of the products here are related to Platform as a Service. Now, if you open another category like Storage, again some products will be related to Infrastructure as a Service, and some of them will be related to Platform as a Service.

In the context of Azure Infrastructure as a Service, the topic of this course, I will present and use some products from those three main categories: compute, storage and networking. Compute is the place where we will select, configure and manage virtual machines and servers for our application, very similar to the way we deploy servers, or virtual servers, in our private data centers. There are multiple types in a variety of sizes that are available for selection, enabling us to deploy virtual machines with the more granular parameters that are needed for our specific application, like processing power and amount of memory. And this is, of course, enabling users to better optimize cost and performance. Even though the cloud infrastructure is managed by the public cloud provider, we have great flexibility to design the required overall architecture. This is being done by grouping virtual machines under something that is called availability sets, for increasing the overall system availability, like deploying two virtual machines for the same functionality in different physical locations and preventing a single point of failure, or maybe setting some automatic rules that will be used to scale out virtual machines when the load on a virtual machine is reaching some threshold. Another important capability is the Azure Marketplace. Microsoft Azure provides us with a variety of pre-configured images to quickly deploy new virtual machines. For example, we can select the specific distribution of Linux server that will be used as the virtual machine operating system, or maybe a complete bundle of operating system and application, like an Apache web server or a MySQL database. The next building block, storage, is used to support the deployment of virtual machines. VMs must use some storage area for the operating system, stored applications and actual data. That's the place where we can attach virtual disks to a virtual machine, or use a shared files location that will be used for multiple virtual machines. The last building block is networking. We need a secure communication layer to connect between the virtual machines that we created, and the first step will be to create a virtual network. Virtual networks are used for defining our own private IP address space and to connect between resources under the same virtual network. We have the ability to configure security rules on different levels, being used to filter traffic as needed. Lastly, Azure provides additional networking services like a domain name service, load balancer, firewalls, and creating a VPN for connecting a virtual network inside the cloud to a remote network in a private data center. So those three building blocks are creating the main topics for this course: compute, storage and networking. We will start with networking, then move to storage, and lastly will be compute.

7. Global Footprint: The cloud services are supposed to be available on a global scale, and this is one of the most impressive things about a public cloud provider like Microsoft, Amazon AWS or Google Cloud. Those players are building and running a huge global infrastructure, and every year they announce additional regions that are being covered by their solution. Now, going back to Microsoft Azure: Azure is a global cloud platform that is available in multiple regions around the world. This number, 45 regions, is related to Q4 2018, and it will probably go up. You should always check that online, because things are always changing. When we provision a service, an application or a single resource like a virtual machine, we can select a specific region. The selected region represents a specific group of data centers where we can run our application. Now, this is important, because the location where we deploy our application will affect the performance for the end users that are using our application. It will be more optimal to choose and select the region that is closer to most of our end users, reducing things like network latency and, by doing that, enhancing the overall user experience. In addition, the global infrastructure provides a lot of flexibility in the context of availability: data can be replicated into multiple locations. We can create a group of resources for the same functionality and deploy them in separated data centers to prevent a single point of failure.

There is a specific breakdown about regions and data centers that is important to understand. As we saw in the previous slide, Azure is based on multiple data centers located in multiple places around the world. Those data centers are connected using a superfast private network; it's part of the Azure network backbone. At the lowest level we have the data centers: data center 1, 2, 3, etc. Those data centers are grouped under something that is called availability zones. Availability zones are a group of physically separated locations within an Azure region. Each availability zone is made up of one, a single one, or multiple data centers equipped with independent power, cooling and networking. Availability zones are a solution for protection from a data center failure. So in this example, data center 1 and 2 are under the same availability zone, number 1; they are running on the same power, cooling or maybe networking infrastructure. If I would like my application to run on separated, independent data centers, then I will create a resource in availability zone number 1 and another similar resource in a different availability zone, in that case in availability zone number 2. If zone number 1 fails, the application will continue running on the resource in the different zone. The next level is regions. A region is a group of availability zones, or a group of data centers, that are located in a single geographical area. All data centers under the same region are connected with a super-fast, dedicated regional network for providing a low-latency network connection. So in that example, in region 1 we have those two availability zones that are composed from those data centers, and the performance between them will be great, because they are connected with this low-latency regional network. And the last level is geography. Azure regions are organized into high-level geographies like United States, Europe, United Kingdom, Asia Pacific, Africa, etc. The idea behind that is that a single geography is like a discrete market, typically containing two or more regions, that preserves something that is called data residency and compliance boundaries. This is useful when some customers would like their sensitive data and resources to be limited to specific physical boundaries due to some regulatory requirement imposed on the data. So imagine that you are a customer sitting in the US, and you're creating resources and data using your application, but you would like that the resources will be limited only to data centers, or regions, that are sitting in the United States. So this is the way to use those constraints. We saw that data centers are grouped together into regions based on physical proximity. When we create a resource, for many types of resources the selection is on a regional level and not on specific data centers.

Now, there are a few things to keep in mind while selecting the best region. Performance: the performance of an application or specific resource is correlated directly to the network route that was taken by request and response for end users. If the selected region is near the end users of the application, then usually we get better performance. Now, in some cases there are users that are spread around in multiple regions, and in that case we need to make a smart selection by deploying the application in the region with the majority of users, or maybe deploy the application in multiple regions, but that will be a more costly solution. Availability: well, it may surprise you, but not all the resources are available in every Azure region, and this is true also for other cloud providers, not just for Microsoft Azure. They usually focus their investment in specific locations and then grow according to market demands. You should always check online which resources, or products or services, you need, and make sure they are available in the selected region that you would like to use. Security and compliance: in each country there are usually specific legal requirements about the data: where are we storing the data, what kind of encryption method is being used, and other stuff that should be taken into account when we are selecting a specific region. Cost: this may also surprise you, or maybe not. The cost of services varies from region to region, so while looking at some system TCO (total cost of ownership) for a long period, this is definitely an important parameter to consider. We would like to reduce cost while balancing other parameters like performance. We can use the online pricing calculator to compare prices of the same products between different regions. High availability is a huge concept to take into account while designing a system solution. We learned about regions and how to overcome a complete data center disaster while using availability zones. However, most of the failures or problems will happen due to some hardware failure inside the data center or some planned maintenance activity.
So another aspect off availabilities related toe things that can happen inside a specific data centers. A data center is basically collection off Rex Mountain toe the flow in some big room each rack as a power unit used to distribute power supply. And it's which, as a network for little connection. Multiple nodes will be installed in each wreck, one on top of feed off each other, and it wreck is conceded, separated full domain. Okay, this is a concept in Asia full domain If, for example, the power unit on wreck number one will fail. Then all cell vers under that specific wreck will go down. It's the same full domain. In the next level, we will learn the concept off building availability sets Toby ableto deploy resource is in multiple and four domains. Another concept in Asia is update domains. Sometimes we need toe update our obligation or Microsoft needs toe update the host on which our virtual machines are running. Update Domains are similar concept off four domains. But here it is used toe overcome planned maintenance activities. Okay, don't worry. This is just an introduction. We will talk about full domains and after domains in much more details in the next level that will cover such advanced topics. 8. Global Footprint_old: the cloud services are supposed Toby available on a global scale, and this is one off the most impressive thing about a public cloud provider like Microsoft , Asia, Amazon, AWS or Google Cloud. Those players are building and running a huge a global infrastructure, and every year they announce on additional regions that are being covered by their solution . Now going back to Asia Asia is a global cloud platform that is available in multiple regions around the world. This number 45 regions is a belated two. Q fall 2000 and 18 and it will probably go up. You should always check that online because things are always changing. 
When we provision a service, an application or a single resource like a virtual machine, we can select a specific region. Okay, the selected region represents a specific group of data centers where we can run our application. Now, this is important because the location where we deploy our application will affect the performance for the end users that are using our application. It will be more optimal to choose the region that is closer to most of our end users, reducing things like network latency and by doing that enhancing the overall user experience. In addition, the global infrastructure provides a lot of flexibility in the context of availability: data can be replicated into multiple locations. We can create a group of resources for the same functionality and deploy them in separate data centers to prevent a single point of failure. There is a specific breakdown of Azure regions and data centers that is important to understand. As we saw in the previous slide, Azure is based on multiple data centers located in multiple places around the world. Those data centers are connected using a super-fast private network that is part of the Azure network backbone. At the lowest level, we have the data centers: data center 1, 2, 3, etc. Those data centers are grouped under something that is called availability zones. Availability zones are physically separate locations within an Azure region. Okay, each availability zone is made up of one, okay, one single, or multiple data centers equipped with independent power, cooling and networking. Availability zones are a solution for protection from a data center failure. So, in this example, data centers one and two under the same availability zone number one are running on the same power, cooling or maybe networking infrastructure.
If I would like my application to run on separate, independent data centers, then I will create a resource in availability zone number one and another similar resource in a different availability zone, in that case in availability zone number two. If zone number one fails, the application will continue running on the resource in the other zone. The next level is regions. Okay, a region is a group of availability zones, or a group of data centers, that are located in a single geographical area. Okay, all data centers under the same region are connected with a super-fast dedicated regional network for providing a low-latency network connection. So in that example, in region one we have those two availability zones that are composed of those data centers, and the performance between them will be great because they are connected with this low-latency regional network. And the last level is geography. Okay, Azure regions are organized into high-level geographies like Americas, United States, Europe, United Kingdom, Asia Pacific, Africa, etc. OK, the idea behind that is that a single geography is like a discrete market, typically containing two or more regions, that preserves something that is called data residency and compliance boundaries. Okay, this is useful when some customers would like their sensitive data and resources to be limited to specific physical boundaries due to some regulatory requirement imposed on the data. So imagine that you are a customer sitting in the US and you're creating resources and data using your application, but you would like the resources to be limited only to data centers in regions that are sitting in the United States. So this is the way to use those constraints. We saw that data centers are grouped together into regions based on physical proximity. When we create a resource in Azure, okay, for many types of resources, the selection is at the regional level and not a specific data center.
Now there are a few things to keep in mind while selecting the best region. Performance. The performance of an application or a specific resource is correlated directly to the network route that is taken by the requests and responses of the end users. Okay, if the selected region is near the end users of the application, then usually we get better performance. Now, in some cases there are users that are spread around multiple regions. In that case, we need to make a smart selection: deploy the application in the region with the majority of the users, or maybe deploy the application in multiple regions, which will be a more costly solution. Availability. Well, it may surprise you, but not all resources are available in every Azure region. And this is true also for other cloud providers, not just for Microsoft Azure. They usually focus their investment in specific locations and then grow according to market demand. Okay, you should always check online which resources, products or services you need, and make sure they are available in the region that you would like to use. Security and compliance. In each country there are usually specific legal requirements about the data: where are we storing the data, what kind of encryption method is being used, and other things that should be taken into account when we are selecting a specific region. Cost. This may also surprise you, or maybe not: the cost of services varies from region to region. So while looking at a system's TCO (total cost of ownership) over a long period, this is definitely an important parameter to consider. We would like to reduce cost while balancing other parameters like performance. We can use the online pricing calculator to compare prices of the same products between different regions. High availability is a huge concept to take into account while designing a system solution.
We learned about regions and how to overcome a complete data center disaster by using availability zones. However, most of the failures or problems will happen due to some failure inside the data center, or some planned maintenance activity. So another aspect of availability is related to things that can happen inside a specific data center. A data center is basically a collection of racks mounted to the floor in some big room. Each rack has a power unit used to distribute the power supply, and a switch for the network connection. Multiple nodes will be installed in each rack, one on top of the other, and each rack is considered a separate fault domain. Okay, this is a concept in Azure: fault domain. If, for example, the power unit on rack number one fails, then all servers under that specific rack will go down. It's the same fault domain. In the next level, we will learn the concept of building availability sets to be able to deploy resources in multiple fault domains. Another concept in Azure is update domains. Sometimes we need to update our application, or Microsoft needs to update the host on which our virtual machines are running. Update domains are a similar concept to fault domains, but here it is used to overcome planned maintenance activities. Okay, don't worry. This is just an introduction. We will talk about fault domains and update domains in much more detail in the next level, which will cover such advanced topics.

9. Demo - Azure Portal Review: Hi, and welcome to our first demo session. I'm planning to present the Microsoft Azure web portal at a high level, so we get some understanding of the UI building blocks and some of the capabilities that this powerful tool provides to its users. As a first step, you need to create an account, user name and password, and use that to log into Azure. Okay, we are inside. And what we can see is that the UI is actually divided into three main areas. On the left side,
we have the navigator with all kinds of options to quickly access what you would like to do. In the middle is the dashboard; we can create all kinds of dashboards presenting some useful information. And on the upper side, there is a menu to access all kinds of options. Let's start with the navigator on the left side, and I will click on this option, All services. I'm actually getting all the available services in Azure, and this is a very long list, and we can see it is divided into categories. There is a General category, Compute, Networking, Storage and so on. I mean, there's a very long list of options. Each one will provide us some capability, maybe to create something or to view some useful information. I can, of course, go into the search and filter something like: I would like anything starting with "virtual", and we get the options to create virtual machines, virtual networks and other stuff. Let's remove that. In addition, some of the services are marked with this star, okay, and that actually brings me to the list over here. These are the favorites, my selection, and you can choose what kind of options will be visible over here. OK, I mean, the list is very long, so it doesn't make sense to put everything in the favorites. But essentially, I can go into an option that is, for example, called Subscriptions, click here, and it will be available as an option in my favorites. And of course, I can change the location of that and put it wherever I would like. Let's go. I go into this option, All services, and go to the category Compute, and under that to Virtual machines. I can access that, as I said, from here, or if I have that option, Virtual machines, under my favorites, clicking on that will bring me into the Virtual machines option. You can always see where you are located right now. Okay, we started from Home and went to the option Virtual machines. And over here I will get the list of virtual machines that I created as the user in my account.
For example, this specific VM is called Win10VM. We can see the type, virtual machine. Of course, it's running right now, and it has all kinds of additional properties that we will cover later during the course, so we'll understand each one of these options. Basically, I can click Add and start to create a new virtual machine. There is a wizard that we will learn how to use to create a new virtual machine. Now, the next thing that I can do here is to click on that particular virtual machine, an instance. Clicking on that will provide me all kinds of properties and setting options related to that specific virtual machine. During the section about virtual machines, we will review all the parameters and setting options and all kinds of actions we can do on a virtual machine level, but just so you understand, right now we are under a specific instance. So again we can see that we started from Home, we went to Virtual machines, which is the list of virtual machines, then we clicked on a specific instance, and this is the name of the instance, and this is the screen that we see right now. Again, the look and feel is the same: on the left side there is some navigator, okay, divided into all kinds of categories like monitoring, performing operations and so on. There are, of course, many services that we can create by starting from this option, All services. This is just one single option to create a new virtual machine. But essentially, if you would like to create a resource, you have this option, Create a resource. Clicking on that will provide us again some categories, like coming from the Azure Marketplace. If I click, for example, on Compute, I will get all kinds of operating systems that I can immediately start to use. As an example, let's click on Ubuntu; it is a Linux operating system. Clicking on that, I will get the wizard to create a new virtual machine, and my selection,
for example this specific operating system, will be selected automatically as the image: this Ubuntu Linux server. And there is a complete process, divided into steps, to create a new virtual machine. And we are doing that from this option, Create a resource. Now, a resource can be a virtual machine, a resource can be a virtual network, a network interface, a public IP and many more. Let's close it, going back to the home page. Now, another useful option is called All resources. Okay, clicking on that will show us the list of resources we provisioned under our account, okay, and there are many different types of resources. For example, I created two disks, and that's the type you see over here. I created something that is called a key vault for storing keys, a storage account for managing my storage entities, a virtual network, the particular virtual machine that we just saw, a network interface, a public IP address and something that is called a network security group. Those options we will cover during our course. From this list, we can access a particular instance that we allocated; it could be a disk, it can be a virtual machine. As an example, let's click on a virtual network. And again I will get on the left side all kinds of options to see all kinds of properties related to that particular virtual network, or change the settings and perform all kinds of operations on that particular instance. Okay, let's close it, close all those options and go back to the home page, and go into the upper layer, the menu. The first one is a simple search for resources, services and all kinds of useful documentation. For example, I can search for the name "Don" because some of the resources that I created have this string. So it's very easy to find a kind of resource or maybe specific services. If I search "virtual", I will get all kinds of
results: it may be a specific instance, like a resource, and services with the word "virtual" inside, something from the marketplace or maybe useful documentation. Okay, you can click on that and it will give you some useful information about that option. Moving forward in this menu, okay, going into the next useful option, it's called Notifications. Anything that you're doing in Azure, you will get some feedback about the actions that you try to do. It is the place to see all kinds of push notifications to remind you about something. For example, here I'm getting some information about the amount of credit that I still have under my free trial. As an example, let's go to the virtual machines for a second and click on that Win10VM instance, and I will do something. For example, I will stop that virtual machine, clicking on that. Okay, and approve that operation. Okay, immediately I can see something pushed into the notifications. Okay, there is a process going on: stopping the virtual machine. Basically, it takes one or two minutes, and I skipped that phase. But at the end, I will get some notification, and here it is: successfully stopped the virtual machine. Okay, so that's the place to see that important feedback from the system. Let's close that option and go back to the home page. Now, the next option is called Settings, where you can play a little bit with the look and feel of the portal, like the colors, the themes that you would like to use, and all kinds of options, and you can also restore the default settings if you would like. There's a little trick: you can do it also on the dashboard itself, by just double-clicking on a free area. Okay, I will restore the default settings. Help and support: accessing all kinds of useful documentation, opening a ticket, and maybe looking at the keyboard shortcuts, which is also useful.
Okay, so you can access some of the options directly from the keyboard. As an example, pressing G+A will bring you to the whole list of resources, meaning this option, okay, All resources. And the last two options over here: the first one is Feedback. It really is a nice option to send feedback directly to Microsoft about some feature, and the last one is the account menu, for things like changing your password, viewing your permissions, submitting an idea about something, or viewing your billing. Let's talk about the middle of the screen, the dashboard area, where you can overlay all kinds of widgets that will present some useful information. For example, in this widget I can see all my resources over here and directly click on some of the resources, or maybe look at some KPI like the CPU utilization of a particular virtual machine; that's the name of the virtual machine. A cost-by-resource breakdown, accessing specific services in Azure and so on. We can easily edit an existing widget, clicking on that and changing the size of that widget, and I will actually enter a customization mode where I can play and change the location of the widget. As soon as I finish customizing, I click Done customizing and this is updated. I can create a new dashboard that will display something useful for me. For example, I would like to present something related to costs, and click Done. Now it's empty. Now what I can do is go and add all kinds of graphs directly to that dashboard, clicking on Subscriptions as an example. Okay, we will learn what a subscription is later, but what I would like to show you is, if I'm looking at some entity like a graph, I have this option over here that is called Pin, and it will just add that directly to the dashboard. Let's add another graph as an example. Okay, and go back to the home page, and here you go.
I have those two graphs on that specific dashboard that is called Costs, and I can switch and go back to the first dashboard. And, of course, a dashboard is a managed entity, so I can go back to this one and click Delete, confirm that, and it will be removed from the options. The last thing I would like to talk about in this overview is the free trial when you open a new account. Let me go out of full screen and go to this link. Okay, this is a web page that provides you some explanation about the free account. When you open a new account in Azure, you're getting something for free, and let's understand what exactly you're getting. First of all, you get one year, 12 months, of creating some popular free services without any cost. Secondly, you're getting $200 credit to create any type of service for 30 days. Okay, after those 30 days, whether you spent that $200 or didn't spend that $200 doesn't matter, you're getting into the 12-month period where you can create only the free services. And there are also some 25-plus services that are always free; it doesn't matter if you exceeded these 12 months. What I would like to recommend to you is to wait a little bit with creating your account, because as soon as you create it and you enable that free trial, okay, it will start to count 30 days for using that $200. So my suggestion is to wait until almost the last section, where you will create a project end to end, and this will be the place where you will start to practice in the system. But anyway, remember that when the 30 days are finished, okay, you're getting into the 12-month period of popular free services. So where are those free services? If we go back to the dashboard and search "free services", here you go. I'm getting this option that is called Free services, and now everything that I create here, I can be sure that I will not be charged for, you know, after the first 30 days. Okay. So you should actually use that option.

10. Azure Resource Manager (ARM): Now we're starting to get a little bit deeper into the cloud, the Azure cloud. As part of the management layer of Azure, there is a central component that is called Azure Resource Manager, or in short ARM. Okay, the Azure Resource Manager is used to allocate and deploy resources, organize resources into groups, control access to resources and much more. It's the brain of the whole Azure system. It actually provides the same deployment and management experience whether we're using the web portal or any other option, like a command-line interface or maybe the REST API. Let's try to break it into smaller pieces and then build the whole picture as soon as we understand the building blocks. The first thing that we need to know is the concept of a resource. Okay, in Azure, almost anything is a resource. It is a manageable item that is available through Azure. For example, a resource can be a virtual machine, a database, a virtual network, a network interface, a public IP address, a storage account and much more. We need to separate between a resource type and a resource. Okay, a resource type is like a template, and a resource is the allocated instance of that template. Resources are created from resource types that are available in Azure. For example, we can create 10 virtual machine resources from the virtual machine resource type. The next level is a resource group. A resource group is like a container that groups related resources for particular management reasons. Users are responsible to create resource groups and decide how they want to group the actual resources, okay, into groups. When we create a resource, it must be allocated under a single resource group. A resource group is a managed entity, okay, meaning it can be configured with all kinds of useful metadata attributes. For example, we can add tags to better categorize the groups for searching.
Resources can be provisioned in different Azure regions and still be part of the same resource group. And the last thing is that the resource group is also a scope for access control. So a role assigned on the resource group applies to every resource inside that specific group. Okay, a resource inherits the security and access configuration from its parent resource group. Now, Azure RBAC is additive: an inherited role assignment can't be removed on a single resource, but additional role assignments can be made on a specific resource if needed, and that's something that we will learn to do. Moving to the next concept, okay, the next building block of ARM, is resource providers. Resource types, OK, not the resource instances that we are grouping by ourselves into resource groups; I'm talking about resource types. They are grouped into resource providers. Okay, resource providers are internal components inside Azure and they are responsible for deploying and managing the resources. So basically ARM is actually working with multiple resource providers. Each resource provider offers operations for working with the resources of that specific type. Okay, as an example, the Microsoft.Compute resource provider supplies anything that is relevant to virtual machine resources, and Microsoft.Storage supplies the storage account resources. And another example: Microsoft.KeyVault, which is used to store and handle encryption keys and certificates. How can we access and configure services or resources in a public cloud like the Azure cloud? Well, Azure provides multiple ways to connect, automate and interact, okay, with the platform. Those options are almost like a standard today; of course, in the industry almost all cloud providers provide the same access capabilities. The first option is a nice, user-friendly web portal. The Azure portal is a great place to get started, and in this level, level one, we will only use this option.
Using the portal, a user can log in and start creating and managing resources manually, and then monitor the performance per resource and the costs associated with using those resources, set up security options, remove resources that are not needed and much more. The next option is PowerShell. PowerShell is an object-based command-line shell and scripting language used for administration, configuration and management of infrastructure environments. It's a quite popular option, used by many IT administrators and automation developers. For each resource provider there are hundreds of commands that can be used inside scripts to automate the interaction with Azure. Azure command-line interface, CLI: the Azure CLI is Microsoft's cross-platform command-line experience for managing Azure resources. We can run it in the browser through Azure Cloud Shell, or install it on Windows, Linux or macOS and run it from the command line. It's the same concept as PowerShell; we can use it to create automation scripts. And the last option is the Azure REST API. All Azure resources are exposed to users and applications through REST endpoints, meaning APIs that implement the HTTP operation methods, providing create, retrieve, update and delete access to the services and resources. Basically, users can use these APIs to create and manage resources. The next building block is the concept of deployment templates. Okay, it is strongly related to the concept of automation. We can create and allocate our resources manually; okay, that's useful for many cases. However, in some scenarios, it makes more sense to automate that process to some level. Let's say that every few months I need to allocate a specific predefined system in Azure for performing some testing,
okay, for one week. Instead of performing all the steps of creating this system manually every time I need it, I can create a deployment template of my system and quickly deploy a new system using that template. Okay, the template is actually based on the JSON format; it describes, in JSON syntax, the building blocks of the system deployment. Let's see an example. Here we have an example of a template in JSON format. We can see that it's actually defining a storage account resource type called my storage account. This storage account has all kinds of additional properties, like a unique name, location, data replication options, etc. Now, this is where the magic happens: the resource manager will process this template, parse the template and convert its syntax into a group of REST API operations for the appropriate resource providers. In this example, the resource provider will be Microsoft.Storage. Okay, this is what you see in blue. Now, how to use deployment templates is not covered in this level, level one; it will be covered in future levels. Still, I wanted to show you that this option is available and how it is part of the same concept. The last two building blocks in ARM are the Azure account and the subscription. The first step before using the Azure platform is to create an Azure account. This is like a globally unique entity enabling access to Azure services. It's the same concept as creating an account in many other systems. Inside an Azure account, we can create a single or multiple Azure subscriptions. Okay, an Azure subscription is the connection between the allocated resources and the billing side: who is paying for those allocated resources. So basically, inside a specific subscription we can allocate and manage resources like a database, virtual network, virtual machine, etc., and we saw that those resources will be managed under resource groups.
This is useful when we want to separate the billing and management of different projects, okay, of different departments, different environments. As an example, let's say we have a production system and also a testing system, like two separate environments. We can create a separate subscription for each environment, each system, and then we will be able to monitor billing and usage for each of these environments separately. Okay, this is just one example of how we can use a subscription. Let's see the big picture now and how all those components or building blocks are related to each other. So this is our Azure Resource Manager layer. We can access Azure resources through the ARM layer using different options like the Azure portal, CLI, PowerShell and the REST API. Any operation that will be done by ARM on a specific resource type is translated into a request to a specific resource provider using internal APIs, and there are multiple resource providers in Azure, as we learned. So resources are created and grouped under resource groups, and we can create multiple resource groups as needed. Let's quickly summarize the key features that are coming with Azure Resource Manager. First of all, it is a management orchestration layer that reduces the complexity of interacting with multiple internal components inside Azure. So we are getting the same management experience whether we're using the portal, PowerShell, the command-line interface or the REST API. Secondly, we can organize resources under groups and control many things on the group level instead of doing that on each resource. So, for example, resources that are planned to have the same life cycle should be handled in the same group. If I'm creating a testing system for two months, this is the life cycle of the system; it makes sense to group all resources needed for that testing system in a single unit, a single resource group. We can manage our infrastructure through declarative templates,
okay, rather than using scripts. This is very useful for automation, supporting DevOps, and the development is faster, more consistent and more predictable, with fewer mistakes.

11. Demo Azure ARM: We learned that ARM is like a management overlay, and actually the Microsoft web portal is just one way to access ARM. Let's see the building blocks that we're getting as users while using the system. First of all, if I go again to All resources, okay, under the navigator, I'm getting the list of instances that I provisioned as a user inside my account. Now, what we can see here is that each line represents a resource, a single instance, and there are all kinds of resource types. It can be a disk, it could be a key vault for storing keys, it can be a storage account for managing storage entities, a virtual network, a network interface and other entities. Now, when we create a new instance from a particular type, for example, I'm creating a new virtual network, okay, the new virtual network is an instance. First of all, at the first level, this resource must be provisioned with specific parameters related to that specific type, virtual network. Secondly, ARM, as the management layer, will translate that into all kinds of requests to the specific relevant resource provider, OK, that's another component inside Azure. Okay, so there is a resource provider for handling requests related to virtual networks, the whole set of networking entities. Actually, it's transparent from the user's perspective, but for our understanding, it's important to see how those components are combined. So we have a resource instance. Okay, each line here represents a resource instance that you provision and create as a user. Next is, of course, that each resource instance is related to a specific type. This is the resource type. It could be a disk, it could be a virtual network, it could be a virtual machine. The next one is something that is called a resource group.
Okay, you see that the resources that were created are actually sitting under some name, okay, called MyRG, my group. And let's talk about it. Going to the navigator on the left side, I have an option that is called Resource groups. Let's click on that, and I'm getting the resource groups that I created as a user. For example, I created the resource group that is called MyRG. I will click on that, and I'm getting all kinds of properties here related to that resource group, for example all the resource instances that are associated with that resource group. Okay, the idea behind that is that you can group resources of different types under some container, under some group, and manage all kinds of things on the group level, and we can use it for many use cases. For example, I have a production system, and I can create a resource group for that production system. And all the resources under that production system will be managed under the same resource group, and I will be able to provision access control, something that we will discuss in the next lectures. I can control costs associated with that group via all kinds of metrics, set up all kinds of alerts for monitoring and so on. Let's see what the process is to create a new resource group and then use that for allocating resource instances inside that resource group. Clicking here on Add, I will get a simple wizard. First of all, fill in the resource group name. Let's call it Testing_System_RG. Now you need to select the subscription; we'll talk about it in a few minutes, and let's keep it like that. And the resource group location: again, let's keep the default, and click on Create. It will take a while. Okay, the resource group is created. Let's refresh. And there you go: I have a new resource group right now. If we click on that, we'll see that it's empty; there are no resources that I allocated to that specific new resource group. Now let's see an example.
How can I associate a resource instance with a resource group? Okay, this is the new resource group dedicated to testing, testing_system_RG. For the demonstration I will create a new virtual network, clicking over here and clicking Add. Now, all the parameters are not important right now, because we will cover them in much more detail in the networking section. But just as an example, let's create vnet_01. And here is the important part that I would like to show you: here you select the resource group, an existing one, testing_system_RG, the new resource group that we just created. We keep all the other settings and click Create. Deployment in progress; I can see the notification. Okay, I got the new virtual network. Let's click on Refresh, and I have vnet_01 in this list. I can quickly see that this new instance vnet_01 belongs to that particular resource group, testing_system_RG. Now, of course, under a resource group there can be many instances of many types. So again, what we'll do is go to Resource groups, click on the group testing_system_RG, and under the overview I will see the list of resources associated with that resource group. Right now I have only the one resource that I just added to that resource group. You remember that I also mentioned that ARM provides us other ways to create resources, not just the web portal. As an example, if I click on one of the resources and go to this option below called Automation script, over here I get the ARM template that was used to create that particular virtual network. Now, this is not in the scope of this course, and we'll talk about it in much more detail in a future course.
But just for your understanding, the idea of the automation script is that instead of creating instances using a wizard and typing in all the needed parameters and so on, you can create the template one time and then reuse it many times using all kinds of automation capabilities like the CLI, PowerShell and all kinds of development frameworks. This is the place where you can download this template and redeploy it with all kinds of options. The last thing I would like to talk about in the context of ARM is subscriptions. I can reach it here from my favorites or using All services and searching over here. Clicking on Subscriptions, I get the list of subscriptions on my account. Right now I have only one subscription, which is actually the free 30-day trial. A subscription is again an entity that enables us as users to manage costs. Each resource that we create is metered for the particular time that we used it, and that is managed and aggregated up to the subscription level. As an example, in my free trial subscription I used this amount of money allocating different types of resources. This subscription is active right now. Let's click on that line, on the Free Trial subscription. Again, I get all kinds of information at the subscription level: the subscription name, what the billing period will be, all kinds of cost breakdowns. I'm also getting a notification that this free trial is going to finish in one day and that I need to upgrade to another type of subscription, called Pay-As-You-Go. I have all kinds of useful information below: the spending rate, a forecast of what the spending will be, and how usage is divided among the instances that I'm using. Okay, that's very useful. But in addition to that, you can control all kinds of things.
For example, again, access control at the subscription level, cost analysis, and all kinds of settings related to that subscription. Now, when we create a resource, it doesn't matter what kind of resource; let's go to Virtual networks again and click on Add. We need to create the resource associated with a specific subscription. We can't create a resource without a specific subscription. Even if it's a free resource, it will still be managed in some container, and the container related to cost is the subscription. Now, as users, subscriptions are also very useful to monitor and track ongoing cost. So we click again on Subscriptions, click on the only subscription that I have right now, this Free Trial, go into the overview and click here on Cost analysis. Under Cost analysis I can apply all kinds of additional filtering criteria. With the defaults, if I scroll below, I will see the total cost spending for that subscription and the breakdown, where each instance, like this Windows 10 VM, cost me this amount of money from the moment that I created that specific resource. Another nice option to see, as an example, is this one: Resource providers. Clicking on that, I will see (you remember that there are internal components inside Azure that are responsible for allocating the resources) that the subscription is registered with Microsoft.Compute, so I can create virtual machines on that subscription. If I unregister that option, then from that subscription I will not be able to create compute resources from that resource provider. 12. Azure RBAC: We learned that ARM is basically the focal point for any configuration. It is the management orchestration layer; anything we do, using the portal or any other access method, will be done through ARM.
But how does ARM decide if a specific user, group of users or maybe an application has the right access to a particular resource? That's the job of role-based access control. Access management for resources is a critical function for any group of users or organization that is using the cloud; as administrators, we will use role-based access control (RBAC) to manage who has access to resources and what they can do with those resources. Let's define role-based access control in more detail. Role-based access control is an authorization system built on Resource Manager. It is used to provide or prevent access to resources. It defines the following attributes for each resource: who has access to that resource, what they can do with the resource, and what areas they have access to. The best practice in the context of providing access to multiple users is very simple. Instead of giving everybody unrestricted permissions in an Azure subscription, in resource groups or maybe on specific resources, we should allow only certain actions at a particular scope. Okay, the concept is to always grant users the least privilege they need to get the job done. Using role-based access control, we can segregate duties within a team and grant users only the amount of access that they need to perform their job. Now, moving to the practical side, how is it actually done? The way we control access to resources is by creating something called role assignments. That is how permissions are enforced. Any role assignment consists of three elements: security principal, role definition and scope.
Let's quickly define each one of them. A role assignment is the process of binding, or attaching, a role definition to a user, a group of users or something called a service principal, at a particular scope, for the purpose of granting access. We have those three elements that are needed to define a role assignment: security principal, role definition and scope. Access is granted by creating role assignments and, if needed, revoked by removing a role assignment. Okay, so how do we define a role assignment? Let's see the three building blocks here. The first one is the security principal. This is the object that represents a user, group or service principal that is requesting access to resources. A user is an individual who has a profile in Azure Active Directory, and a group is a set of users. When we assign a role to a group, all the users within that group get that role. A service principal is a security identity used by applications or services that would like to access specific resources; it's like a user name and password or a certificate for an application. The next element that is part of the role assignment is the role definition. A role definition is a collection of permissions to perform specific actions like read, write or delete. We can create our own custom roles, but Azure already includes several off-the-shelf roles that we can quickly start to use. For example, the following are some of the four fundamental built-in roles. The first one is Owner, meaning full access to all resources, including the right to delegate access to others. Contributor can allocate and manage all types of Azure resources but cannot grant access to others. Reader can only view existing Azure resources. And there are many more off-the-shelf roles that we can use. The last element of any role assignment is the scope.
Scope is the boundary that the access applies to, and we have multiple scope levels: starting from the highest level, the management group, under that the subscription, then the resource group, and down to a specific resource. The scopes are structured in a parent-child relationship, meaning that if I configure a permission at a specific resource group level, then all the underlying resources will inherit this permission; or, if I configure a permission at the management group level, then all the underlying subscriptions will inherit the same permission. 13. Azure RBAC_old: We learned that Azure ARM is basically the focal point for any configuration in Azure. It is the management orchestration layer; anything we do, using the Azure portal or any other access method, will be done through Azure ARM. But how does Azure ARM decide if a specific user, group of users or maybe an application has the right access to a particular resource? That's the job of Azure role-based access control. Access management for resources is a critical function for any group of users or organization that is using the Azure cloud; as administrators, we will use role-based access control (RBAC) to manage who has access to Azure resources and what they can do with those resources. Let's define Azure role-based access control in more detail. Role-based access control is an authorization system built on Azure Resource Manager. It is used to provide or prevent access to resources in Azure. It defines the following attributes for each resource: who has access to that resource, what they can do with the resource, and what areas they have access to. The best practice in the context of providing access to multiple users is very simple. Instead of giving everybody unrestricted permissions in an Azure subscription, in resource groups or maybe on specific resources, we should allow only certain actions at the particular scope.
Okay, the concept is to always grant users the least privilege they need to get the job done. Using role-based access control, we can segregate duties within a team and grant users only the amount of access that they need to perform their job. Now, moving to the practical side, how is it actually done? The way we control access to resources is by creating something called role assignments. That is how permissions are enforced in Azure. Any role assignment consists of three elements: security principal, role definition and scope. Let's quickly define each one of them. A role assignment is the process of binding, or attaching, a role definition to a user, a group of users or something called a service principal, at a particular scope, for the purpose of granting access. We have those three elements that are needed to define a role assignment: security principal, role definition and scope. Access is granted by creating role assignments and, if needed, revoked by removing a role assignment. Okay, so how do we define a role assignment? Let's see the three building blocks here. The first one is the security principal. This is the object that represents a user, group or service principal that is requesting access to Azure resources. A user is an individual who has a profile in Azure Active Directory, and a group is a set of users, also created in Azure Active Directory. When we assign a role to a group, all the users within that group get that role. A service principal is a security identity used by applications or services that would like to access specific Azure resources; it's like a user name and password or a certificate for an application. The next element that is part of the role assignment is the role definition. A role definition is a collection of permissions to perform specific actions like read, write or delete. We can create our own custom roles, but Azure already includes several off-the-shelf roles that we can quickly start to use. For example, the following are some of the four fundamental built-in roles. The first one is Owner, meaning full access to all resources, including the right to delegate access to others. Contributor can allocate and manage all types of Azure resources but cannot grant access to others. Reader can only view existing Azure resources. And there are many more off-the-shelf roles that we can use. The last element of any role assignment is the scope. Scope is the boundary that the access applies to, and we have multiple scope levels. For example, starting from the highest level, the management group, under that the subscription, then the resource group, and down to a specific resource. The scopes are structured in a parent-child relationship, meaning that if I configure a permission at a specific resource group level, then all the underlying resources will inherit the same permission; or, if I configure a permission at the management group level, then all the underlying subscriptions will inherit the same permission. 14. Demo Azure RBAC: Role-based access control. So how exactly do we perform something called a role assignment? We learned that a role assignment is based on three building blocks: a security principal, meaning a user or group; the role itself, which can be Owner, Reader or Contributor (most of them are built-in roles that we can use off the shelf); and the last one is scope. With those three building blocks we can create something called a role assignment. Starting with the first one, where I'm actually creating users and groups: the place where I do that is something called Active Directory. Clicking on that, I have options to manage users and groups. I can click on Users and see what kind of users are currently provisioned in my directory. Okay, in my default directory right now I can see my name, my user name,
and also some demonstration users that I created. If I go back to the default directory and go to Groups, over here I can also create groups, and I created a group called Team One. Let's go back again to the default directory. Now let's say I would like to create a new user. First of all, I will copy my domain name. Then I click here on User, and let's call this new user John Green; the user name will be just john with my domain. I can configure all kinds of profile information and properties. I can decide that this user will belong to a specific group; since I created such a group, let's add this user to the group Team One, like that. And of course I can generate some password and create that new user. There will be a process to create that new user. Let's go to the list of users, and here you go: I have a new user called John Green. So that's the first step, creating the users or groups of users that would like to get access to particular resources in the cloud environment. The next building block that is part of a role assignment is the role, meaning a list of actions or permissions that are allowed. For that, let's go to the available built-in roles: we go to Subscriptions, click on my subscription, go to the option called Access control and click here on Roles. I get a list of built-in roles; for example, Owner can do anything, and I'm the owner of the account; Contributor lets you manage everything except access to the resources; Reader lets you view everything but not make any changes; and so on. Okay, many, many different types of roles, and probably that will be good enough for most of your activities. If not, you can also create custom roles. Let's talk about the last building block of a role assignment, meaning the scope.
Right now I'm looking at the scope of the subscription, so any role assignment I create here will be at the subscription level. If I go to Resource groups and click on one of my resource groups, for example this one, again I have an option called Access control. It is the same look and feel, and over here anything that I create will be at the scope of a resource group, no longer the subscription level. I can do that also on a specific resource. So let's go to All resources and click on one of the resources, for example this one, again go to Access control, and create a role assignment that will be on a single resource. Now the next step will be to actually create a role assignment. For that, let's go back to the resource group. I can do that at the resource level, at the resource group level or at the subscription level; let's do it at the resource group level. We go to Resource groups, click on one of my resource groups, go to Access control over here, and I click Add. Now, this is the place where I'm performing the actual assignment. I'm selecting a role, and that will be, for example, only Reader, and I would like to assign the access to a particular user or group of users that we created, an application or some other type of entity; in our case I would like to do that for a specific user, and that's my user, the user I would like to give the role assignment to. Clicking Save, and here you go: we got a new role assignment for the user John Green. The role is Reader and the scope is this level, this resource, meaning the resource group level. If I go to the resources under that specific resource group, let's open for example this one, and again go to Access control, where I can create or delete role assignments.
Now, immediately you see that there is a Reader role assignment for John Green, and the reason is that it is actually inherited from the resource group level. Of course I can delete or change that, but the idea is that anything you create on a parent entity will be inherited by the children, the underlying building blocks. This is actually a great example of why to use resource groups: if I would like to grant access for a particular user or group of users to a group of resources, instead of doing that per resource instance, which would be more work, I can do and manage that at the resource group level. This is the scope at which I'm creating the role assignment. Now let's do another role assignment, quite similar. We go to Resource groups and now to another resource group and do the same: go to Access control, click Add, and again select a role, Contributor this time, a different role; I would like to assign it again to the same user, and click Save. Now let's say that you would like to check, for a particular entity like a user or group of users, what kind of access they have. For performing this action I will go to Active Directory and click on the entity; in that case I would like to see what kind of permissions John Green has. I go to the list of users, click on John Green, and over there go to the option called Azure resources, and here I can see that John Green has a role assignment for two groups, the resource groups testing_system_RG and my_RG. 15. Demo - Azure RBAC_old: Azure role-based access control. So how exactly do we perform something called a role assignment? We learned that a role assignment is based on three building blocks: a security principal, meaning a user or group; the role itself, which can be Owner, Reader or Contributor (most of them are built-in roles that we can use off the shelf); and the last one is scope.
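The role assignments we just clicked together can be modelled in a few lines to make the inheritance behaviour explicit. The Python below is an added example written for this page; it is not code from the course and not an Azure SDK. It keeps the three building blocks, security principal, role definition and scope, resolves group membership, walks the scope chain resource > resource group > subscription (management groups are left out), and answers whether an action is allowed. The role names and the Actions/NotActions patterns follow Azure's built-in Owner, Contributor and Reader definitions; the subscription id, principal names and resource names are constructed to mirror the demo (John Green, testing_system_RG, my_RG, vnet_01), and Team One's Reader assignment at subscription scope is an extra constructed case that shows inheritance through a group.

```python
"""Model of Azure RBAC role assignments and scope inheritance (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample scopes; the GUID is a placeholder, not a real subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_TEST = f"{SUB}/resourceGroups/testing_system_RG"
RG_MY = f"{SUB}/resourceGroups/my_RG"
VNET_TEST = f"{RG_TEST}/providers/Microsoft.Network/virtualNetworks/vnet_01"
VNET_MY = f"{RG_MY}/providers/Microsoft.Network/virtualNetworks/vnet_02"


@dataclass(frozen=True)
class RoleDefinition:
    """Permitted action patterns minus excluded ones (Azure: Actions / NotActions)."""
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action):
        act = action.lower()  # Azure action strings are case-insensitive
        allowed = any(fnmatchcase(act, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return allowed and not excluded


# The three fundamental built-in roles discussed in the lecture.
BUILT_IN = {r.name: r for r in (
    RoleDefinition("Owner", ("*",)),
    # Contributor: everything except managing access for others
    RoleDefinition("Contributor", ("*",), (
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action")),
    RoleDefinition("Reader", ("*/read",)),
)}


@dataclass(frozen=True)
class RoleAssignment:
    """Binds a principal (user, group or service principal) to a role at a scope."""
    principal_id: str
    role_name: str
    scope: str


def principals_for(user_id, groups):
    """The user plus every group that contains the user (group roles apply to members)."""
    return {user_id} | {g for g, members in groups.items() if user_id in members}


def scope_chain(scope):
    """The scope itself and each ancestor up to the subscription, nearest first."""
    chain = [scope]
    if "/providers/" in scope:              # resource -> its resource group
        scope = scope.split("/providers/", 1)[0]
        chain.append(scope)
    if "/resourceGroups/" in scope:         # resource group -> its subscription
        scope = scope.split("/resourceGroups/", 1)[0]
        chain.append(scope)
    return chain


def effective_assignments(assignments, principal_ids, resource_scope):
    """Assignments that apply at this scope, including ones inherited from parents."""
    chain = scope_chain(resource_scope)
    return [a for a in assignments
            if a.principal_id in principal_ids and a.scope in chain]


def is_allowed(assignments, roles, principal_ids, action, resource_scope):
    """Access is granted when any effective role permits the action."""
    return any(roles[a.role_name].permits(action)
               for a in effective_assignments(assignments, principal_ids, resource_scope))


def list_scopes_for(assignments, principal_id):
    """What the portal's 'Azure resources' view showed: direct assignments of one principal."""
    return sorted(a.scope for a in assignments if a.principal_id == principal_id)


# Constructed directory and assignments mirroring the demo.
JOHN, TEAM_ONE, ADMIN = "john.green", "team_one", "account.owner"
GROUPS = {TEAM_ONE: {JOHN}}
ASSIGNMENTS = [
    RoleAssignment(ADMIN, "Owner", SUB),            # the account owner
    RoleAssignment(JOHN, "Reader", RG_TEST),         # first assignment in the demo
    RoleAssignment(JOHN, "Contributor", RG_MY),      # second assignment in the demo
    RoleAssignment(TEAM_ONE, "Reader", SUB),         # extra: group role at subscription
]

if __name__ == "__main__":
    ids = principals_for(JOHN, GROUPS)
    for action, scope in (("Microsoft.Network/virtualNetworks/read", VNET_TEST),
                          ("Microsoft.Network/virtualNetworks/write", VNET_TEST),
                          ("Microsoft.Network/virtualNetworks/write", VNET_MY),
                          ("Microsoft.Authorization/roleAssignments/write", RG_MY)):
        print(f"{action} on {scope.rsplit('/', 1)[-1]}: "
              f"{is_allowed(ASSIGNMENTS, BUILT_IN, ids, action, scope)}")
```

Reading the output shows the point of the demo: the Reader assignment on testing_system_RG is inherited by vnet_01, Contributor on my_RG lets John change vnet_02 but not hand out access (the Authorization NotActions), and the group's subscription-level Reader role reaches every resource below it.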
With those three building blocks we can create something called a role assignment. Starting with the first one, where I'm actually creating users and groups: the place where I do that is something called Azure Active Directory. Clicking on that, I have options to manage users and groups. I can click on Users and see what kind of users are currently provisioned in my directory. Okay, in my default directory right now I can see my name, my user name, and also some demonstration users that I created. If I go back to the default directory and go to Groups, over here I can also create groups, and I created a group called Team One. Let's go back again to the default directory. Now, let's say I would like to create a new user. First of all, I will copy my domain name. Then I click here on User, and let's call this new user John Green; the user name will be just john with my domain. I can configure all kinds of profile information and properties. I can decide that this user will belong to a specific group; since I created such a group, let's add this user to the group Team One, like that. And of course I can generate some password and create that new user. There will be a process to create that new user. Let's go to the list of users, and here you go: I have a new user called John Green. So that's the first step, creating the users or groups of users that would like to get access to particular resources in the cloud environment. The next building block that is part of a role assignment is the role, meaning a list of actions or permissions that are allowed. For that, let's go to the available built-in roles in Azure: we go to Subscriptions, click on my subscription, go to the option called Access control and click here on Roles. I get a list of built-in roles; for example, Owner can do anything.
I'm the owner of the account. Contributor lets you manage everything except access to the resources; Reader lets you view everything but not make any changes; and so on. Okay, many, many different types of roles, and probably that will be good enough for most of your activities. If not, you can also create custom roles. Let's talk about the last building block of a role assignment, meaning the scope. Okay, right now I'm looking at the scope of the subscription, so any role assignment I create here will be at the subscription level. If I go to Resource groups and click on one of my resource groups, for example this one, again I have an option called Access control. It is the same look and feel, and over here anything that I create will be at the scope of a resource group, no longer the subscription level. I can do that also on a specific resource. So let's go to All resources and click on one of the resources, for example this one, again go to Access control, and create a role assignment that will be on a single resource. Now the next step will be to actually create a role assignment. For that, let's go back to the resource group. I can do that at the resource level, at the resource group level or at the subscription level; let's do it at the resource group level. We go to Resource groups, click on one of my resource groups, go to Access control over here, and I click Add. Now, this is the place where I'm performing the actual assignment. I'm selecting a role, and that will be, for example, only Reader, and I would like to assign the access to a particular user or group of users that we created, an application or some other type of entity; in our case I would like to do that for a specific user, and that's my user.
That's the user I would like to give the role assignment to. Clicking Save, and here you go: we got a new role assignment for the user John Green. The role is Reader and the scope is this level, this resource, meaning the resource group level. If I go to the resources under that specific resource group, let's open for example this one, and again go to Access control, where I can create or delete role assignments. Now, immediately you see that there is a Reader role assignment for John Green, and the reason is that it is actually inherited from the resource group level. Of course I can delete or change that, but the idea is that anything you create on a parent entity will be inherited by the children, the underlying building blocks. This is actually a great example of why to use resource groups: if I would like to grant access for a particular user or group of users to a group of resources, instead of doing that per resource instance, which would be more work, I can do and manage that at the resource group level. This is the scope at which I'm creating the role assignment. Now let's do another role assignment, quite similar. We go to Resource groups and now to another resource group and do the same: go to Access control, click Add, and again select a role, Contributor this time, a different role; I would like to assign it again to the same user, and click Save. Now let's say that you would like to check, for a particular entity like a user or group of users, what kind of access they have. For performing this action I will go to Azure Active Directory and click on the entity; in that case I would like to see what kind of permissions John Green has. I go to the list of users, click on John Green, and over here we go to the option called Azure resources, and here
I can see that John Green has a role assignment for two groups, the resource groups testing_system_RG and my_RG. 16. Section Overview - Azure IaaS Networking: Hi, and welcome to the first building block of Azure infrastructure as a service: the cloud networking. This cloud network is a virtual network. It is virtual because the configuration is done on a physical network infrastructure managed by the cloud provider; we as end users get a logical virtual overlay according to our specific needs. As part of any Azure infrastructure-as-a-service solution, we must first of all set up, configure and manage virtual networks. Virtual machines and many other resources in Azure must be created inside a virtual network, so this is the first step. The cloud network is also used to connect resources inside the cloud to resources outside the cloud, located over the Internet or in some private data center. In this section we will cover the following topics, starting with a simple definition of what a virtual network is and how to define a virtual network as an entity that we can manage. Then we go into what kind of settings are needed to create a virtual network: configuring private and public IP addresses, and using subnets to divide our virtual network into smaller segments. Then we'll talk about the relation between resources like a virtual machine, network interfaces and IP configuration profiles. And the last topic will be about security. Okay, networking is also about security, so in that context we will learn how to use security rules for controlling the inbound and outbound traffic flow. Now, just to set expectations: this section is not going to cover all the networking options and capabilities that are available in Azure. We will cover the most important parts to get you started, and in the next level I will cover more advanced topics, like using a load balancer, a VPN gateway and other things. 17.
Virtual Networks: Our first topic is a virtual network. In Azure it is called a VNet; in AWS and in Google Cloud it is called a Virtual Private Cloud, VPC. You can imagine that the cloud data centers and the network infrastructure provided by a public cloud provider are serving multiple customers, multiple organizations, multiple applications and multiple users. Traffic that is generated by the resources related to one specific customer must be separated from another customer's; that's the whole idea of cloud computing. I don't care how many customers are running on the cloud right now. I would like to know that my traffic is separated and secure. I would like to be billed according to my personal traffic usage. And secondly, I would like to have the flexibility to separate my own resources as needed, connect them to the Internet or maybe to my private data center, and control traffic flows. The basic building block for that separation is the virtual network. Let's define the concept of a virtual network. A virtual network is basically a private, isolated connectivity layer used to connect a group of cloud resources. That's the simple definition. For example, a group of virtual machines that are the building blocks of some application; I mean, most real-life implementations of applications are based on multiple components, like a front-end web server connected to the Internet or a back-end server connected to some database. Now, those resources can be located on the same physical server, or maybe on two separate servers located on the same rack, or on multiple servers located in different regions. The virtual networks created by end users will enable those resources to communicate with each other like a group of devices sitting on the same local network. We can build a variety of network topologies with additional virtual network functions, like a firewall, load balancing, etc.
In addition, a virtual network is a software-based administrative entity, meaning that we as users can create, update or delete virtual networks as needed. If you're familiar with the concept of SDN, software-defined networking, then this is a great use case: all the complex network configuration is done quite easily using a software abstraction layer. That's the cloud software; in Microsoft the cloud software is of course Azure, in Amazon it is AWS. Basically, we can configure virtual networks inside a public cloud network without any knowledge of the underlying network infrastructure, which is probably very complex. During the introduction, the previous section, we learned that Microsoft Azure is a huge collection of data centers located worldwide. Now, to be able to connect resources inside a data center, and resources between data centers, Microsoft operates a global super-fast wide area network. The traffic running between resources located in different data centers in different regions is actually running internally inside the Azure cloud backbone. That's very important, because traffic performance, capacity and availability are critical factors for many applications running inside the cloud. So when we create a virtual network inside the Azure cloud, we can basically harness and enjoy the capabilities of a global fast network. Assuming this gray area is the Azure global network, with data centers located worldwide in multiple locations, regions, then multiple customers are creating virtual networks in that global network: VNet 1, VNet 2, VNet 3 and so on. Now, under a specific virtual network there are multiple virtual machines. Each virtual machine is connected to the virtual network via a virtual network interface. The network interface includes additional properties like IP addresses, a private IP and a public IP. Let's take a look at this simple example of a virtual network.
The green area on the top side represents the global Internet, and the public cloud infrastructure, in that case the whole Microsoft Azure in blue color, is connected to the Internet. Now let's say that my application is a website that is using three components: a front-end server, a back-end server, and a database. As the first step, I need to create a virtual network and place those three virtual machines in my virtual network. Another, even more advanced option will be to create multiple virtual networks and divide the virtual machines as needed. This can be used to reduce traffic load on a single virtual network, and also for security reasons, because the virtual network is considered a security boundary. Okay, we'll touch on that later. Here in this example, I have virtual network number one with those two virtual machines, the database and the back-end server, and another virtual network number two, with the VM running the front-end web application. I can decide to connect between those two virtual networks if needed, and control the traffic flow from the Internet to each of those virtual networks. In this example, I will enable inbound traffic from the Internet only to virtual network two, where the front-end server is actually located. Then the front-end server will send requests to the back-end server, located in the second virtual network.
18. Virtual Network Setting:
In Microsoft Azure, a virtual network is a managed entity that users are creating with a group of settings that are configured during the creation process or added later. When the virtual network entity is created, some settings can be changed, some settings cannot be changed. So what is needed to create a new virtual network? Starting with the name, the name of our new virtual network. The name should describe the purpose or main function of the virtual network. The name must be unique in the resource group that we selected to create the virtual network in, and we can't change the name after the virtual network is created.
Address space. When creating a virtual network, we need to decide the amount of available private IP addresses. This is the address space. The address space for a virtual network is composed of one or more non-overlapping address ranges that are specified in CIDR notation. Okay, it can be any IP address range defined by the famous RFC 1918. Okay, Azure is using five addresses in each allocated address space. Okay, this is also something to remember. Subscription. It's basically trying to answer the simple question: who is paying? Okay, resource usage is measured by the cloud management software, and each resource should be associated to some subscription account. Any Azure resource that we connect to the virtual network must be in the same subscription as the virtual network. Resource group. We talked about resource groups; here, this is the place that we decide that the specific virtual network belongs to a specific resource group. Now in Azure, resources that we connect to the virtual network can be in the same resource group as the virtual network, or maybe in a different resource group. Okay, so there is no connection between resources that are sitting inside a virtual network in the context of resource groups; they can be separated if needed. Location. A virtual network can be in a single location, also called region. If we need to, for some reason, allocate resources in multiple different regions and connect between them, then we create separate virtual networks per region, and then create a connection between them. Subnets. Okay, subnets are used to split the virtual network into smaller segments, and we'll speak about it in the next slides. When moving applications to the cloud, one of the biggest security concerns is related to distributed denial of service attacks. Okay, maybe you're familiar with that concept. Those attacks can be targeted at any endpoint that is reachable through the Internet.
And the idea is quite simple: to generate a massive amount of requests and, by doing that, prevent legitimate users from accessing the application. The good news is that Azure provides some layer of protection that can be divided into two levels: basic and standard. Basic level is automatically enabled as part of the Azure platform. So this protection will monitor the traffic and in real time mitigate network-level attacks. The next level is standard, meaning a higher level of protection; it provides additional mitigation capabilities over the basic service that are tuned specifically to Azure virtual network resources. For example, the protection policies will be tuned through dedicated traffic monitoring and some sophisticated machine learning algorithms. Okay, real-time telemetry will be collected and available through the Azure Monitor UI during the attack, or also for historical analysis. In any case, using this protection option is simple to enable on the network level; it's part of the virtual network settings. Service endpoints and firewall are some more advanced features that we'll cover in future levels. In this course, we're not planning to use those specific options, so at this point we leave them empty. Splitting a network into small pieces is a common practice in networking to improve performance and security; it is called subnetting. We basically take a larger address space and break it into smaller spaces. The address space of a virtual network is represented here by the green color. This is the host identifier, where it is the group of bits that are used to define a unique private address for a specific host. Now this address space can be segmented into one or more subnets. A subnet is a small segment of the address space we allocated to the virtual network; for example, a subnet can be represented by this orange color here. Okay, each subnet must have a unique address space.
A range specified in classless inter-domain routing notation format within the address space of the virtual network. The address range cannot overlap with other subnets, of course, in the same virtual network. Another thing to know is that by default Azure will route network traffic between all subnets in the virtual network, and this is something that can be changed if needed. Let's take a look at a simple example. Assuming we use for our virtual network the address space, the CIDR space, with a 23-bit network mask. Okay, this is in CIDR notation. In that case, the address range will be 512 IPs. Actually, when we type the CIDR number, it will show us automatically the address space size. In this example, we can have two subnets, okay, one and two, and in each one of them I allocated half of the virtual network address space using a 24-bit network mask. As I mentioned, Azure reserves five addresses in each subnet for internal use, so the usable range is always five less IP addresses, so we will get a total of 251 addresses per subnet. One important thing to remember is that by default there is no security boundary between subnets, so traffic between subnets can pass. Now we can set up something that is called network security groups, which allow us to control the traffic flow to and from subnets and related virtual machines, and we will cover this concept later in the section.
19. Demo Creating a Virtual Network:
The first step while creating some system in Azure, and also in other platforms, is about virtual networks. A virtual network is basically some logical entity that we need to create in order to connect between the resources that we would like to implement for that specific system.
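The address-space and subnet rules from the lecture above, worked through in code. This is an added example, not code from the course or from Azure: it validates a VNet address space and its subnets (RFC 1918 range, CIDR inside the space, no overlap) and applies the five reserved addresses per subnet; the /23 and /24 values are constructed to match the lecture's example.

```python
"""Subnet planning for an Azure virtual network address space (added example)."""
from itertools import combinations
import ipaddress

# Azure reserves five addresses in each subnet: the network address, the default
# gateway, two addresses for the Azure DNS service, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5

RFC1918_RANGES = [
    ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(network):
    """True if the whole block lies inside one of the RFC 1918 private ranges."""
    return any(network.subnet_of(r) for r in RFC1918_RANGES)


def address_space_size(cidr):
    """Total addresses in a CIDR block, e.g. 512 for a /23 (what the portal shows)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_addresses(cidr):
    """Hosts you can actually place in a subnet after Azure's five reserved addresses."""
    return address_space_size(cidr) - AZURE_RESERVED_PER_SUBNET


def plan_subnets(address_space, subnet_cidrs):
    """Validate a VNet address space and its subnets; return usable hosts per subnet.

    Raises ValueError for a non-RFC 1918 space, a subnet outside the space,
    overlapping subnets, or a CIDR with host bits set (strict=True).
    """
    vnet = ipaddress.ip_network(address_space, strict=True)
    if not is_rfc1918(vnet):
        raise ValueError(f"{vnet} is not an RFC 1918 private range")
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vnet):
            raise ValueError(f"subnet {s} is outside address space {vnet}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            raise ValueError(f"subnets {a} and {b} overlap")
    return {str(s): usable_addresses(str(s)) for s in subnets}


def free_space(address_space, subnet_cidrs):
    """CIDR blocks of the address space not yet allocated to any subnet."""
    remaining = [ipaddress.ip_network(address_space, strict=True)]
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr, strict=True)
        updated = []
        for block in remaining:
            if subnet.subnet_of(block):
                # address_exclude yields the leftover blocks (nothing if equal)
                updated.extend(block.address_exclude(subnet))
            else:
                updated.append(block)
        remaining = updated
    return [str(b) for b in sorted(remaining)]


if __name__ == "__main__":
    # Constructed values matching the lecture: a /23 split into two /24 subnets.
    space = "10.0.0.0/23"
    print(address_space_size(space))                             # 512
    print(plan_subnets(space, ["10.0.0.0/24", "10.0.1.0/24"]))   # 251 usable in each
    print(free_space(space, ["10.0.0.0/24"]))                    # ['10.0.1.0/24']
```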
So assuming I would like to see the list of virtual networks already provisioned, or create a new network, or do some operation on a virtual network, the option that I'm looking for is Virtual networks over here. I will get the list of virtual networks already provisioned in my account. Let's create a new virtual network from scratch. We click on Add and I will get the wizard. I need to fill in all kinds of parameters related to that virtual network, starting with the name. Let's give it vnet_02. The address space that I would like is, as we see, in the notation of /23, and I will get immediately the amount of available addresses for that address space. Of course, under subscription, I'm still using the free trial. What kind of resource group? Let's put it under my resource group. Location: keep it in the US. And I can create a subnet. Let's create subnet number one and let's give it, okay, the half of the address space from the virtual network address space. Then, as we saw in the presentation, there are all kinds of options that you can select, like the DDoS protection. There is the basic and the standard option. And we didn't cover service endpoints and firewalls; that's something that we'll talk about in future courses. But this is enough for creating the virtual network. Clicking on Create. Here you go, I get the new virtual network. Clicking Refresh, that's my new virtual network, vnet_02. I can click on that new virtual network and review all kinds of properties like: what is the resource group for that virtual network, location, subscription, address space, what kind of DNS (Azure provides some default DNS service). I can go also to the subnets and edit, meaning, for example, I would like to add another subnet. Let's call it subnet number two and give it the second half of the address space. Okay, with the new subnet, I get another subnet.
If you remember, I said that from the available addresses, the system is using five reserved addresses per each subnet in the virtual network. So if I managed to allocate 256, then five will go to Azure as reserved addresses. And there are all kinds of additional properties and options related to a virtual network. Some of them are more advanced capabilities that we will hopefully cover in future courses. But for our scope, this is more than enough for creating a virtual network. Let's open another virtual network, meaning this one. Now under that specific virtual network, if I go to Overview, there are devices under the virtual network. Now the connected devices are always network interfaces, and a network interface is associated to a virtual machine, for example. So I have a virtual machine with the Windows 10 operating system, and that's actually the name of the network interface and the IP address that is being used by that network interface.
20. IP Address Types:
As soon as we have a new virtual network, we can create virtual machines as resources inside that virtual network, or inside a specific subnet. Each resource must be assigned at least one private IP address from the virtual network address range we allocated to the virtual network or to that specific subnet. In addition, if we want a resource inside the virtual network to access the outside Internet, then we need to use another type of IP address called a public IP address. Let's quickly verify that we fully understand the concept of IP addresses. I'm sure you already know those things, but I would like you to understand them in the context of a cloud environment. Let's start with private IP addresses. Okay, a private IP is used for communication between resources within a virtual network. As an example, those two virtual machines are sending data between each other while using their private IP addresses now.
There are two methods in which private IP addresses are allocated: dynamic and static. Dynamic is the default allocation method. The cloud network will assign the next available unassigned or unreserved IP address in the subnet's address range, using the DHCP service. This IP address can change when we stop and start a virtual machine. So the second option is to use static, and I guess many users will prefer this option: we as users can select and assign an available IP address in the subnet address range. Keep in mind that an IP configuration is always associated with a specific network interface, and likewise the interface is associated with a specific virtual machine. We'll talk about it in more detail in the next lecture. In addition, for each virtual machine, we can configure a host name that is much easier to use compared to an IP address. In that case, an internal cloud DNS host name resolution service will be used. Actually, virtual machines are configured with a default managed DNS server unless we explicitly configure a custom DNS server. So this is the service that provides the name resolution between the host name and the private IP address. The second type of IP address is a public IP. A public IP can be used for two communication options. Okay, so the first one is outbound communication of internal resources with the outside Internet. So if this virtual machine would like to initiate the communication to any server located outside over the Internet, then it must be based on a public IP. Now for outbound communication, we basically don't need to configure anything; we don't need to configure a public IP on the network interface level. When a virtual machine initiates an outbound flow to a destination in the public IP address space, Azure will dynamically map the private IP address to a public IP address. Azure is using source network address translation (SNAT) to perform this function. This is the blue building block.
Okay, so this is for outbound communication. What about inbound communication? So this is the second type of communication, meaning resources located outside on the Internet will be able to access resources inside the cloud. In that case, we must create a public IP entity as a resource and associate it to the network interface. In Azure, a public IP is a resource, an entity with its own properties, and this public IP can be assigned dynamically or statically. Let's try to distinguish between dynamic and static allocation of a public IP. Okay, let's start from dynamic. So dynamic addresses are assigned only after a public IP address is associated to a specific resource, and the resource is started for the first time. Now, this dynamic address can change if a virtual machine is stopped and deallocated and then restarted, but it will remain the same if a virtual machine is only rebooted or stopped, but not deallocated. Another situation in which the dynamic public IP address will be released is when we disassociate the connection between the public IP as a resource and the associated element, in that case the network interface. Let's talk about static addresses. A public static address is assigned when a public IP address as a resource is created. It's not released until the resource is deleted. Now, one thing to keep in mind is that even if we set the allocation method to static, we can't really specify the actual public IP address assigned to the resource, okay, like we are doing with a private IP. Instead, the system will assign the IP address from the pool of available public IP addresses in the specific location where the resource is created. In that location, this allocated public IP will be reserved for our resource until we release it. So take into account that allocation of a static public IP will be with additional cost compared to dynamic allocation.
21. VM, NICs and IP Configuration:
We have an IP address that can be public or private, created dynamically or with static configuration. In Azure we have virtual machines, network interfaces, and IP configuration profiles, and let's see how those different building blocks are connected and what kind of combinations we can create while using them. The first building block at the top is the virtual machine resource, and a virtual machine must be attached to at least one network interface. Here we have two network interfaces attached to the same virtual machine. Usually we use a single network interface per virtual machine, but in some cases it is needed to configure more than one. Going next, each network interface can be configured with a private IP address and also an optional public IP address. This configuration is encapsulated under something that is called an IP configuration profile. This is what we see in the green color. Each network interface is assigned one primary IP configuration and may have zero or more secondary IP configurations assigned to it. Here under network interface one, we have a primary and a secondary IP configuration, and under network interface number two only a primary configuration. In each IP configuration we can assign one single private IP address and also an optional one public IP address if needed.
22. Demo Network Interfaces and IP Configuration:
In the last demonstration, we learned to create virtual networks. If you remember, clicking on Virtual networks over here, we created a new virtual network called vnet_02; it's actually just an address space. From that point of time, we can create resources like virtual machines, and so on. Now a virtual machine must be associated to a network interface to be able to communicate with other entities inside the network. So our next building block is all about network interfaces.
Looking at the navigator on the left side, I allocated a favorite that is called Network interfaces, but you can easily find that under All services; just search "network interfaces", and there you go: Network interfaces. Clicking on that, we will get again a list of existing network interfaces located in my demo system. For example, this interface belongs to that virtual network. It's allocated with a primary private IP; that IP address can be dynamic or static. We can click on the network interface and get more information, and what's important is that it's attached to a specific virtual machine, a specific instance, and there are all kinds of the usual parameters: resource group, location, subscription, and so on. When we learn how to create a virtual machine using this option called Virtual machines, let's click on that for just a second, and I will click Add without really covering the details of creating a new virtual machine. I would like to show you just one single tab that is called Networking. Over here, it's saying that when creating a virtual machine, a network interface will be created for you. So when you create a virtual machine, actually Azure will automatically create some network interface. But still, I would like to show you this flexibility of creating a network interface by yourself and, more importantly, to configure properties related to the network interface, like the IP configuration. Okay, let's add a new interface from scratch. Clicking on Add. Let's give it the name: network interface, okay, number two. And let's keep it on the new virtual network that we created, vnet_02. Immediately we get the available subnets under the virtual network. If you remember, we had two subnets, so I need to select the relevant subnet. Let's keep it on subnet number one. From here, I can decide if I would like to use dynamic IP addresses for the private IP or a static IP
address, and then type the IP by myself. Let's keep it dynamic. We'll talk about network security groups in future lectures, but this is the place where you can associate that network interface with a particular network security group. Let's keep it empty right now. Again, you need to create such an entity under a subscription and resource group. Let's select some available resource group, keep it, and the location, let's keep the default. Click Create. We have the new network interface called network_interface_02. First of all, we can see that Azure automatically allocated the primary private IP, okay, because we selected dynamic allocation. If I click on that resource, okay, this is a resource right now, it's a network interface resource, clicking on that will bring me all kinds of settings and parameters, like the relevant resource group, location, subscription, private IP address, and the virtual network and the subnet that this network interface is actually sitting inside. Now, right now, this network interface is actually not attached to any network device, like a virtual machine. If I select another network interface, okay, this network interface, we can see that this network interface is attached to that virtual machine. Going back to that interface, I would like to review the setting related to IP configuration. Okay, so under IP configuration, we have some flexibility. First of all, we can configure profiles, IP configuration profiles. The profile that was created automatically is called ipconfig1, using IP version 4; it's the primary IP configuration, and there is a private IP address allocated dynamically, but there is no allocated public IP address. I have the option to add another IP config. Okay, let's call it ipconfig2. As we discussed, we have a primary and secondary.
We have a primary, so it's gonna be only secondary, and I can select again if the private IP setting will be dynamic or static, and also about the public IP address. In that case, let's enable that and add a public IP address. I can click on that and select an existing public IP address resource. Okay, that's a big difference between private IP and public IP: a public IP is a managed resource, okay, and usually there is some cost associated with allocating a public IP. So let's click on Create new, and let's keep the name of the interface, and let's use dynamic assignment for the public IP. Clicking OK, and click OK here. Now what is happening is that the system is creating a new IP config, and I have the new one, ipconfig2, version 4. It's the secondary configuration. Because I used the dynamic allocation, I'm getting the next available address, number five, and I have also an option to use a public IP. Now it's in unassigned mode right now because this specific network interface is not really associated right now to any other device, like a virtual machine. When I perform an association between the virtual machine and the network interface, in that case Azure will do that allocation and there will be an available public IP address to see right over here. Actually, I have an example of a public IP on this interface, because this interface is associated with a real virtual machine, and I configured an IP address over there. So in this network interface, I have one single IP config, and that's the primary. Of course there is a private IP address, and there is a public IP address allocated. Now this IP is reachable through the public Internet. So we created a new network interface, and inside that network interface we created also a public IP as a resource; we can see all of that under the All resources option.
Okay, all the resources that we created so far under our system. And here you go, I can see the new interface that I created, and also the public IP address. As I explained, the public IP address is a managed entity, okay, that we need to create to be able to use it. And the last thing I would like to show you is that, okay, you created a new network interface that is right now not attached to any virtual machine. How to perform this attachment is actually something that you're doing on the virtual machine level. So if I go to the virtual machines and click on some existing virtual machine, I have an option that is called Networking. Over here, I have the option that is called attach network interface or detach network interface. Right now, the only network interface that is attached to that virtual machine is this one, the Windows 10 VM's interface, with the specific private IP address and specific public IP address.
23. Network Security Group (NSG):
The next important issue that we should learn is related to network security and specifically to traffic filtering. All public cloud providers provide an ability to filter traffic, and I'm planning to present how it's being done while using the platform. In Microsoft Azure, we can filter network traffic to and from resources in a virtual network with an entity that is called a network security group. If you ever configured a firewall, also some words being used by a firewall, this will be familiar. In Microsoft Azure, we can filter network traffic inbound to and outbound from a virtual network or a virtual network subnet using a configuration that is called network security group, and a network security group contains a group of security rules that filter network traffic. It is a layer of security that acts as a virtual firewall for controlling traffic in and out. The network security group can be enforced at different levels.
We can configure a network security group on a virtual network and subnet, and also on a specific network interface. These are the three options you see here below. Still, it is more recommended to associate a network security group at the subnet level instead of on an individual network interface. All security rules inside a network security group will be applied to all resources under a specific subnet or specific virtual network. A network security group as an entity can be associated to multiple network interfaces, subnets and virtual networks. But each network interface, or particular subnet, or specific virtual network can be associated to only one network security group. In addition, when we create a new network security group, the system will create a few default security rules within each network security group. We'll see that later during the demo. As a simple example, one default rule allows all traffic to flow between all resources in the virtual network. We can't remove the default rules, but we can override them by creating rules with higher priorities. Moving to the practical side on how to create and edit security rules. Security rules are divided into two main categories: inbound security rules and outbound security rules. Now the following parameters are used to define a single security rule: it will be priority, name, source, destination, service and action. Let's start from priority. Security rules are evaluated in priority order, meaning starting with the lowest number rule, to determine whether traffic is allowed or not allowed. This is a number between 100 and 4,096. Once traffic matches a rule, processing stops. Name is a unique name for the security rule within the network security group. Then source and destination. It can be the word any, okay, we can write any inside, or we can put an individual IP address, or maybe a classless inter-domain routing block, or something that is called a service tag,
or an application security group. Okay, application security groups is something that we'll discuss later, and how we can use those groups within a network security group. Just a small remark about that: if we specify a specific address, okay, then we must specify the private IP addresses assigned to that resource, because network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and also the other way, meaning before Azure translates a private IP address to a public IP address for outbound traffic. Okay, so just remember that you should always use private addresses here. Service is a port range. Okay, we can specify an individual port or a range of ports. It can be TCP, UDP, or again the word any, which includes TCP, UDP and also ICMP. Specifying a range enables us to create, of course, fewer security rules. And the last one, action, is simple, two options: allow or deny, allow the traffic to flow in or out, or deny. Okay, those are the settings for security rules. Let's review a simple example of using network security groups. Here in green color, we have the public Internet; then below we created a virtual network for our resources that is divided into two subnets, subnet number one and subnet number two. Under each subnet, we have several virtual machines running a specific application, okay, front-end server, back-end server and the database. Now, as I said, we can create a network security group for a specific virtual machine on the network interface level, but this is less recommended. It is better, if possible, to create it on the subnet level.
Okay, so here we have NSG 1 and NSG 2. Now, people from the Internet would like to access our website, so we will create a security rule inside network security group 2 for allowing inbound traffic like HTTP or HTTPS into the front-end server, and in network security group 1 we can configure that only a specific type of traffic that is requested by subnet 2 will be allowed as inbound traffic, so we will not allow traffic going into the back-end server and database server.
24. Application Security Group (ASG):
If we create a network security group on a subnet, okay, as we saw in the previous chapter, then all traffic related to the virtual machines running inside that specific subnet will be evaluated using that network security group. Okay, that's clear; that is what we saw until now. A network security group can be enforced at the network level, and then all resources inside that network will be affected by the security rules defined for that network security group. Now another useful option in Azure related to traffic filtering is using application security groups. The focus is moving to the function of the application. We can group virtual machines based on their functionality. To be clear, application security groups are not replacing network security groups; they actually simplify the rules we can create inside a network security group. Let's see how we can use them. Let's say that inside this subnet, subnet one, we have multiple workloads. Okay, three web servers and two databases and a single back-end server. We created a network security group on the subnet level called NSG 1. In many cases, we will want to apply more granular rules for each type of workload, each type of application, instead of looking at the subnet. That is very useful. In some cases, we want to apply security rules on a group of workloads that share a common function. This is the concept of application security groups.
An application security group enables us to group together virtual machines with a similar function, such as web server. And it makes sense; it's probable that similar web servers require a different set of rules than a group of similar databases. So here in this example, I have NSG 1 on the subnet level. Then we have two application security groups: one is for grouping the databases and one for grouping the web servers. Before jumping to the demonstration, let's quickly review the steps that are needed to create a network security group together with application security groups. First step would be to create the needed application security groups. In our case, it will be the DB server application security group and the web server application security group. Then create a network security group and associate this new network security group to the network subnet. Okay, in our case, this is NSG 1. Now we can create security rules inside the network security group while using the application security groups that we created. That's what is new here. Okay, using those application security groups inside the rules, either as a source or destination of the rule. Next will be to create the virtual machines and associate those virtual machines' network interfaces to the relevant application security groups. Okay, so you have the database server, and with the specific interface you need to associate that network interface to the database server application security group. Now all network interfaces used in an application security group must be within the same virtual network. If application security groups are used in the source and destination, they must be within the same virtual network. The last step will be to bring some coffee and hope that everything is working while performing some testing.
25. Demo - Configuring NSG and ASG:
We reached a little bit more complex subject in the context of this section, networking, and I'm talking about security rules.
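The NSG rule evaluation from lesson 23 (priority order, first match wins, default rules that a custom rule can override) combined with the ASG-based rules from lesson 24, as an added example that is not the course's or Azure's own code. The VNet address space, the ASG membership lists and the three custom rules are constructed for the demo, and the "Internet" tag is simplified to "any address outside the RFC 1918 ranges".

```python
"""Simplified model of how an Azure NSG evaluates one inbound flow (added example)."""
from dataclasses import dataclass
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/23")          # constructed VNet address space
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE_IP = "168.63.129.16"                 # source behind the AzureLoadBalancer tag

# ASG membership: private IPs of the NICs associated with each group (constructed).
ASG_MEMBERS = {
    "asg-web": {"10.0.0.4", "10.0.0.5", "10.0.0.6"},
    "asg-db": {"10.0.1.4", "10.0.1.5"},
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str        # "*", "VirtualNetwork", "Internet", "AzureLoadBalancer", CIDR or ASG name
    destination: str   # same vocabulary as source
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    dest_ports: str    # "*", "443" or a range like "1000-2000"
    action: str        # "Allow" or "Deny"


# The three default inbound rules Azure puts in every NSG; they cannot be
# removed, but any custom rule (priority 100-4096) is evaluated before them.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]


def check_custom_rule(rule):
    """Custom rule priorities must be 100..4096, the range the portal accepts."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"{rule.name}: priority {rule.priority} outside 100-4096")
    return rule


def _endpoint_matches(spec, ip):
    """Does a source/destination field match this (private) address?"""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":   # simplification: anything outside the private ranges
        return not any(addr in r for r in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if spec in ASG_MEMBERS:  # ASG as endpoint: match by NIC membership
        return ip in ASG_MEMBERS[spec]
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def evaluate_inbound(custom_rules, src_ip, dst_ip, protocol, dst_port):
    """Return (action, rule name) of the first rule, by priority, matching the flow."""
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if (rule.protocol in ("*", protocol)
                and _port_matches(rule.dest_ports, dst_port)
                and _endpoint_matches(rule.source, src_ip)
                and _endpoint_matches(rule.destination, dst_ip)):
            return rule.action, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# NSG on the subnet, using the ASGs as source/destination (constructed demo rules).
NSG_RULES = [check_custom_rule(r) for r in (
    Rule(100, "AllowHttpsToWeb", "Internet", "asg-web", "Tcp", "443", "Allow"),
    Rule(110, "AllowWebToDb", "asg-web", "asg-db", "Tcp", "1433", "Allow"),
    Rule(120, "DenyOthersToDb", "VirtualNetwork", "asg-db", "*", "*", "Deny"),  # overrides 65000
)]

if __name__ == "__main__":
    print(evaluate_inbound(NSG_RULES, "203.0.113.7", "10.0.0.4", "Tcp", 443))   # Allow
    print(evaluate_inbound(NSG_RULES, "203.0.113.7", "10.0.0.4", "Tcp", 3389))  # Deny
    print(evaluate_inbound(NSG_RULES, "10.0.0.9", "10.0.1.4", "Tcp", 1433))     # Deny
```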
Let's see what kind off options do we have? What are the building blocks to great security holes? Under all services, we can search for application security groups and network security groups. I put them on my favorites and let's start form network security groups. Network security groups are managed entities. Okay? Meaning you can ki eight. It's such entity and a configured the setting off that entity and then associate that network security groups toe different levels. It's going be on an interface level on a sub net. Oh, virtual network. Now here in this least I have three and network security groups. Actually, those network security groups were created automatically when I created three virtual machines. Now you can, of course, create a new virtual networks from here, and we'll do that. Let's see some of the existing network security. So under that specific network security group, I can see basic information like this those group location, subscription and I could see the this specific security group is associate ID to only one network interface. Okay, a security group at the end is a template. It can be associate ID toe, multiple a network entities, multiple sub nets or multiple network interfaces. Right now it is associate to a single network interface. If you would like to see more details about the associate ID, a network interfaces, I can goto this option that Kato faces. And I will get the list off network interfaces that are associate ID toe that network security group and I can create more association or maybe delete some existing association . Let's go back to the overview, and the same concept is going. If you would like to see if this network security groups is associated to submit. So clicking here, we'll see which submit being associate ID toe that network security echo. Now let's go to the most interesting part. The actual security It was, we concedes divided too involved security wars and outbound security. 
Let's start from inbound security rules. Inbound security rules are all about incoming traffic, and we can see the already configured security rules over here. Some of them were created by us as users, some of them are default rules. If I click here, I can hide the default rules; let's bring them back. Now, each security rule has several fields, starting with the priority, where a lower number is a higher priority; the name of the security rule; the port, meaning some number or a range of numbers; the protocol, which is TCP, UDP or Any, meaning both of them; the source and the destination, where the source can be a specific IP range, a subnet, a virtual network or an application security group, and the same goes for the destination; and the action itself, allowing the traffic or denying the traffic. As an example, let's analyze the first one, the first default rule. Basically, that's the name, AllowVnetInBound: from any port, for any type of protocol. The source is the virtual network itself, meaning anything that is sitting in that virtual network, and the destination is the same, anything inside the virtual network, and it allows this traffic. The idea behind that is to allow inbound traffic between network elements that are sitting on the same virtual network. Now, as an example, let's create a security rule. I know that this network security group is associated with a network interface, and that network interface belongs to a virtual machine. I would like to access this virtual machine remotely using the global Internet, so I will go to inbound security rules and click Add. The source will be Any, the source port range will also be Any (there is an option to put an asterisk to allow traffic on any port), the destination will be Any, and the destination port range will be 3389. This is the port used for RDP, if you would like to access a machine using the Remote Desktop Protocol. So the protocol will be TCP, the action will be Allow, and I will keep this priority number, which is actually the lowest number right now in this list. Let's call it RDP, and like that, let's test this new security rule that we just created for a remote desktop connection. So I will go to my virtual machines and click on that specific virtual machine. I copied the public IP address and tried to connect. Okay, I'm getting a response now; I need to type in my credentials. Let's cancel that and go back to the network security groups again. So, that specific network security group, inbound security rules, and now I will click on that and remove that specific RDP rule. Let's try to connect again, typing the public IP, connect. Now of course I'm not getting any response, because this traffic, as inbound traffic, is not allowed at the network security group level, specifically inside the inbound security rules. And the same process is true for outbound security rules: I get the list of security rules and can add additional security rules as needed. Let's move on. I will close that and go back to the list of network security groups. So we can of course create new, additional network security groups, and we will do that in a few minutes. Now it really depends how you would like to build your specific solution and where you would like to apply those entities: on the interface level, on a subnet level or on the network level. If I click on a specific network security group, then I can of course associate it with a specific network interface (right now it is associated with a single network interface) or with subnets. As an example, let's associate it with a subnet. Clicking on Associate, I get a window where first of all I need to select the virtual network.
Let's select VNet number two and then subnet number one, click OK, and it will be added as an entity over here. Of course, you can associate the same network security group with additional subnets. So let's do it a second time: clicking on Virtual networks and then selecting the next subnet. So this is the relationship between network security groups and the entities we associate them with. In some cases you will create a network security group that is only for a specific subnet or only for a specific virtual network, but in some cases maybe two subnets, or maybe more, will share the same type of security rules, so you can associate the same network security group with multiple subnets or multiple network interfaces. Let's talk about a more complex situation and how application security groups can work together with network security groups to make our life a little bit easier in such complex situations. For that, I will open the existing virtual machines that I have here. I have three virtual machines: the first one is database server number one, and the second and third are web server number one and web server number two. Now, imagine that I tell you that I need security rules that are relevant for a specific application. For example, I don't want to allow an inbound HTTP connection from the outside Internet into the database, but for my web servers I would like to allow such a rule. One option to overcome such a situation is to create several network security groups, one relevant for each server. This is option number one. Option number two is to use application security groups, and let's see how exactly we can use them. I have here application security groups; again, you can access that using All services or, in my case, my favorites. Clicking on that, right now it's empty, and I will add a new application security group.

Clicking Add, and the process is quite simple. I will select a subscription and a resource group; let's keep it on this one. What will be the name? Let's call it the web servers application security group. All the web servers will be under that group; it could be two servers, it could be 100 servers. Click on Create. Great, I have a new group called web server application security group, and let's learn how to use it. The next step will be to use that new application security group inside a network security group. So I will click on Network security groups, ignore all the existing security groups, and create a new one. Let's call it network security group number one, NSG1; subscription: free trial; resource group: my RG; keep the location in the US; click Create. Okay, great, we have a new network security group called NSG1. The next step will be to edit that network security group. Immediately you can see, as I said, that there are default rules created automatically for inbound and also for outbound. What we would like to do is go to inbound security rules and allow HTTP traffic for our web servers. So we click on Add. The source will be Any, anything from the Internet, and also Any for the source port. The destination will be Application security group, and we will choose the web server application security group that we just created. And let's say we would like to allow HTTP, port 80; the protocol will be TCP, and the action will be Allow. Let's call it http-web-server and click Add. Now we get it: this is the first rule, because it has a higher priority with a low number, and that's the name, http-web-server. The interesting part is the destination: the destination is actually an application security group, and this is the way to use an application security group inside a network security group. But we haven't finished the whole setting process yet.

Let's continue. Next, we will associate NSG1 at the subnet level, with the relevant subnet where those web servers and the database are all sitting. So I will click on Associate, select VNet number two, select the subnet, click OK, and now this network security group is associated with that particular subnet. The last thing I need to do is to associate the web servers with the application security group that we just created. The way we do that is by going to Virtual machines and clicking on the relevant virtual machine; I will click on web server number one, go to Networking, and click on the option Configure the application security groups. Clicking on that, I will select that this virtual machine will be under the application security group WebServer_ASG, and click Save. I need to do that also for the second one, the same process: Networking, clicking over here, selecting that, clicking Save. And that's all. Now we have the whole process end to end. On the application security group side, we created an entity called web server application security group, and there are several virtual machines that we associated with that application security group. Next, on the network security group side, in NSG1 we are using that web server application security group inside the security rules that we created inside the network security group. That's the process, end to end.

26. Section Overview - Azure IaaS Storage:

Hi and welcome back. Thanks for watching so far. I hope everything is clear by now. In any case, don't forget that you can ask me questions or recommend something using the course dashboard. In the previous section we covered the cloud network: how to connect virtual machines using virtual networks and how to control and limit traffic flow.
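Before moving on to storage, here is an added example (not code from the course, and not an Azure SDK) that models the rule evaluation explained in the NSG and ASG lectures above: the lowest priority number wins, the first match decides, the default rules sit at the bottom, and an ASG is used as the rule destination. All names, addresses and rules in it are constructed for the example.

```python
"""Added example, not from the course: a small model of how Azure evaluates
inbound NSG rules that reference application security groups (ASGs).
Names, addresses and rules below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Nic:
    """A VM network interface and the ASGs it has been placed in."""
    name: str
    ip: str
    asgs: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    """One NSG security rule. source/dest are 'Any', 'VirtualNetwork',
    'AzureLoadBalancer', a CIDR, or 'asg:<name>' to reference an ASG."""
    priority: int
    name: str
    protocol: str     # "TCP", "UDP" or "Any"
    source: str
    dest: str
    dest_ports: str   # "*", "80", "1000-2000" or a comma-separated list
    action: str       # "Allow" or "Deny"


VNET = ip_network("10.0.0.0/16")     # constructed VNet address space
AZURE_LB_PROBE = "168.63.129.16"    # source of Azure load-balancer health probes

# The three default inbound rules every NSG is created with.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Any", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Any", "AzureLoadBalancer", "Any", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "Any", "Any", "Any", "*", "Deny"),
]

# Constructed VMs as in the demo: two web servers in the ASG, one DB server outside it.
WEB_ASG = "WebServer_ASG"
WEB1 = Nic("web1-nic", "10.0.1.10", {WEB_ASG})
WEB2 = Nic("web2-nic", "10.0.1.11", {WEB_ASG})
DB1 = Nic("db1-nic", "10.0.1.20")

# NSG1 as built in the demo: allow HTTP from anywhere, but only to members of the web ASG.
NSG1_RULES = [
    Rule(100, "http-web-server", "TCP", "Any", f"asg:{WEB_ASG}", "80", "Allow"),
]


def port_matches(spec: str, port: int) -> bool:
    """Does a destination port fall inside a rule's port specification?"""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def endpoint_matches(spec: str, ip: str, nic: Optional[Nic]) -> bool:
    """Match a rule's source or destination field against one endpoint.
    ASG membership is a property of the NIC, exactly as in the portal."""
    if spec == "Any":
        return True
    if spec == "VirtualNetwork":
        return ip_address(ip) in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec.startswith("asg:"):
        return nic is not None and spec[4:] in nic.asgs
    return ip_address(ip) in ip_network(spec, strict=False)


def evaluate_inbound(rules: List[Rule], src_ip: str, dst_nic: Nic, protocol: str,
                     dst_port: int, src_nic: Optional[Nic] = None) -> Tuple[str, str]:
    """Return (action, rule name) for one inbound flow arriving at dst_nic.
    Rules are tried from the lowest priority number up; the first match wins."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if r.protocol not in ("Any", protocol):
            continue
        if not port_matches(r.dest_ports, dst_port):
            continue
        if not endpoint_matches(r.source, src_ip, src_nic):
            continue
        if not endpoint_matches(r.dest, dst_nic.ip, dst_nic):
            continue
        return r.action, r.name
    return "Deny", "DenyAllInBound"   # unreachable: DenyAllInBound matches every flow
```

Evaluating an Internet client against WEB1 on port 80 returns the http-web-server allow, the same flow to DB1 falls through to DenyAllInBound, and a Deny rule with a lower priority number overrides the allow even for an ASG member.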
Our next building block in the context of Azure infrastructure as a service is all about storage and, in our specific case, virtual machine storage. Let's review the topics we are planning to cover in this section. We will start by presenting the key advantages of a public cloud storage service and then review the cloud storage types we usually find in almost all public cloud providers. It will help us to see the big picture in the context of cloud storage. From that point we will zoom in on the solutions provided by Microsoft Azure: what kind of Azure storage services are available; the storage replication options we can select, which are very useful for data availability; the concept of managing storage resources inside an entity called a storage account; creating and managing data disks for virtual machines; and using features to encrypt data at rest. Okay, let's start.

27. The Power of a Cloud Storage:

The power of a cloud storage. Okay, that's a nice title. Data storage is one of the core building blocks of any cloud service. We all know that applications are collecting, processing and generating data in a variety of ways. Now, cloud storage is basically the option to store data on the Internet through a cloud computing provider who manages and operates data storage as a service. Let's take, for example, a website like Facebook that enables users to upload images. Those images should be stored somewhere and managed in a smart way for fast and easy access. When we update our Facebook profile, it will be stored in some database. Now imagine how many people are connected every second to Facebook, accessing their data from multiple places worldwide. It may sound straightforward, and I understand that from a user perspective, and that's perfectly okay. But you can be sure that tremendous efforts are invested by Facebook to achieve such a level of availability and flexibility.

Any application running inside a public cloud environment like Microsoft Azure, and also other providers, can basically harness and utilize the power of the cloud and achieve the same level of storage flexibility that a giant like Facebook is achieving. We talked about it in the introduction course about cloud computing, but this is the power of the cloud: it's a public infrastructure enabling companies, small, very small or very big, to build applications that can scale on a global level without the limitations of a single private data center. Let's see the key capabilities that come with storing data inside a cloud service. The first one is that public cloud providers like Microsoft Azure, Google Cloud or Amazon AWS are using a global infrastructure distributed across multiple data centers worldwide. This global infrastructure provides storage services that can be massively scaled as needed, and also helps to locate the data much closer to the end users that are accessing it. An application can store a small amount of data serving a small number of users and scale up to a huge data volume serving millions of users. Any IT expert is well aware that data backup, load balancing and disaster recovery are an important part of many IT systems for keeping the system running and available. A second major benefit is high availability. The same data can be replicated and stored on multiple servers, in multiple data centers, and even in multiple regions.

All of that to prevent a situation of data loss or system downtime because of a hardware failure, a scheduled maintenance process or some site-level disaster; we can choose to replicate our data to multiple locations across the globe. Cloud providers typically provide multiple storage services for different data types and the ability to fulfill a variety of application needs: we can store unstructured data like text files or binary files, or structured data like tables in a database; create virtual disks for virtual machines, something we will touch on later in this section; and create file shares to be used by multiple applications or users. The variety of services helps us to combine them while building the most optimized storage solution for our specific application. Highly accessible: users and also applications expect to access data from anywhere using a simple Internet connection, and from multiple platforms like a desktop computer, a tablet or a mobile phone. Cloud storage providers provide a standard way to access the data, for example by exposing a REST API as an endpoint, so multiple application types running on multiple platforms are able to access the data over the standard HTTP or HTTPS protocols. And the last one is about money: pay as you go. With cloud storage there is no hardware to purchase or storage to provision. We can allocate a very small storage space and adjust the capacity on demand as needed, so we're basically paying for what is being used without allocating spare resources for future usage. The capability to scale up and down, in and out, provides an appealing payment option for companies that would like to move from upfront capital investment to ongoing operational expenses. Now, there are of course a few more advantages, but I think this is enough to understand at a high level what kind of horsepower, or advantages, we can have with a cloud storage solution.

28. Types of Cloud Storage:

Okay, so we reviewed the key advantages of a cloud storage service, and this is true for all the big giants like Amazon AWS, Google Cloud and Microsoft Azure. Now let's understand what kind of storage types are provided by those cloud providers. There are three main storage types: block storage, file storage and object storage. Each storage type has advantages and disadvantages compared to the other types and will be more suitable for specific use cases. If you evaluate any storage service provided by a public cloud provider, it will fall into one of those storage categories or storage types. The most common enterprise data storage model is block storage, and I'm talking about private data centers operated by many organizations. Block storage is basically a method to provide a virtual storage space, or volume, over the network. I'm sure you're familiar with the concept of SAN, Storage Area Network. The main idea is that instead of using directly attached storage devices like hard drives, a server can share a centralized large storage. This is why it is called block storage: you can allocate a block of the needed size and attach it to a specific server. The same concept is used by public cloud providers as part of the infrastructure as a service model. We can allocate the needed block size, or volume, and attach it to our virtual machine. From that point we can treat it like a normal disk: we can format the disk with a specific file system and store files in it, or configure a database to write directly to the virtual block device while avoiding any file system overhead.
One of the key advantages of block storage is low latency, so it is very suitable for heavy-duty workloads. Some market examples of block storage products are Amazon Elastic Block Store (EBS), Microsoft Azure Disks, which we will learn how to use, and Google Cloud Persistent Disk. The next type of storage service is file storage. File storage is simply a way to provide a standard file system interface over the cloud. Because it is running in the cloud, it can be an elastic and highly accessible service. This compatibility makes cloud file storage ideal for workloads that rely on a shared file system, and it provides simple integration without, you know, changing the code of those applications. Users can create, delete, modify, read and write files and can organize them logically in a directory hierarchy, and so on. There are many use cases for cloud file storage. First of all, it can be used as shared file storage between multiple virtual machines, so an application that scales beyond a single instance can access a file system. It can be used for application migration: many existing on-premises applications require a standard file system interface to data. Some industry examples are Amazon Elastic File System, Azure File Storage and Google Cloud Filestore. Okay, now we get to the interesting part. Object storage is a relatively new storage type designed for handling unstructured data and to fulfill the requirement for storing a growing amount of data in the context of scalability. As a big surprise, in object storage data is organized as flexible entities called objects. Each object has the data itself, a variable amount of metadata and a globally unique identifier. Let's understand that in more detail. I would like to use a simple example: imagine a picture uploaded to a website by users. The picture itself is the data.

The website can process the image and create tags about the image content, like a list of people whose faces are recognized in that image. This contextual information will be stored as dynamic metadata under the same object and will be used by multiple use cases. This capability to combine data and dynamic metadata is a key advantage of object storage. If we compare it with the regular file system, you know, on your computer over there, the metadata describing the data is fixed, like the file name, creation date, owner, etcetera. It is much more limited compared to object storage. In addition to the metadata that we just saw, each object has a unique global identifier used to identify where the object is stored, and this is an extremely useful method in distributed storage. Using this global ID we can access the data using a simple URL and standard REST APIs. As a result of using this global ID, placing data items in object storage is very simple, like putting an item in a bucket; that's the picture you see on the left. This is why you will find the term bucket as a generic term for describing a volume of object storage. Instead of organizing files in a directory hierarchy like a file system does, an object store stores files in a flat organization of containers. Those containers are called buckets in Amazon S3 and also in Google Cloud; in Microsoft Azure they are called containers. We can place multiple objects inside a single container or bucket; it's the same thing, basically. We store an object inside a bucket, it gets a global ID, and from then on we can access the object from many locations using the public Internet. This is an example of Azure object storage, called Blob storage. All data access in Azure Storage happens through an entity called a storage account. This is in blue below, and we will talk about it in more detail in later lectures.

Now, inside a storage account we can create containers or, as I said, what are also called buckets. A container is used to organize a set of objects, or so-called blobs, similar to the way we use folders in a file system. So in this example I have a storage account called myaccount and inside it two containers, one for storing images and the second one for storing video files. And lastly, the image and video files are all objects, or blobs. Today there are many use cases for object storage, like serving images, videos and documents directly to a web browser when using a web application, acting as a content delivery network, storing log files, streaming video and audio, and so on. Some well-known industry examples are Amazon S3, Google Cloud Storage and Azure Blob Storage. This is an example of object storage. As always, nothing is perfect, and there are a few disadvantages we need to take into account before using object storage. The first one is that throughput will be much slower compared to a traditional file system, as well as compared to block storage or file storage; reading and writing data will be slower, and for specific use cases it's not going to be an optimal solution. Running a heavy database workload on object storage will not be a smart decision. Secondly, and this is a major problem, in object storage data consistency is achieved only eventually. Let me explain what this means. When we store data in object storage, the data will be replicated according to our definition to increase the overall data availability, replicating the data to multiple servers and multiple locations, and this is indeed very useful. The problem is what happens if we need to update an object in object storage. In that case, we will need to wait until the change has been propagated to all the replicas before a request will return the latest version.

Okay, so if you have several replicas of the same data, it will take some time until everything is aligned to the same version. This makes object storage unsuitable for data that changes frequently, but it's a great fit for all the data that doesn't change so much, like backups, archives, video and audio files, and also virtual machine images.

29. Azure Storage Services:

There are many types of applications, or workloads, that can run in a cloud environment. One application may require a relational database to store transactions or profile information about users, like Facebook. Another web application may need to store and process images and video clips, or maybe some analytics application is supposed to store a massive amount of logs for a long retention time. This is why the storage services provided by public cloud providers are basically a mix of multiple options to fulfill the storage needs of a variety of applications. Let's review the storage services provided by Microsoft Azure. Assuming that you reviewed my introduction course about cloud computing, you know that there are two types of service models provided by a public cloud provider: infrastructure as a service and platform as a service. This level is about infrastructure as a service, but let's understand the big picture in the context of storage services. Under infrastructure as a service we have two types of storage service: disk storage and file storage. Disk storage is basically a service to create virtual disks used by virtual machines for storing the operating system, applications and data, as we saw before. This is a block storage type, and we have multiple options to select, like standard hard drives, premium SSD disks, managed or unmanaged disks, and more. We will put most of our focus on this option, as it is part of the solution for virtual machine storage. The next option is file storage.
This is fully managed file shares that can be used for Cloud Lee deployment, where application running in Asia can easily share file between virtual machines or even resource is and sparked off an on premise deployment. Okay, virtual machines that are sitting on on premise and are using the file share a service inside the cloud. The next service category is platform is the service. You will find three types off storage. It services blobs, tables in queues, blob, Stanfel, binary, large objects. I don't know why it's called large, because you can stole whatever object size that you would like. But anyway, it is used to provide a highly scalable object storage for unstructured Later. If you would like to store a combination off text file images, video files that are not changed frequently than this will be the best option. Next one is tables big, useful, storing, structured, none relational data meaning data without a pre defying schema, as we have in a relational database. It is useful for storing terabytes off structure data capable of serving Web scale application, and the last one is accused. This is a cloud messaging solution being used to exchange a large number off messages between application or between different components off the same application. Okay, this is a little bit mind shift in how developers can build application and based on the couple ing component. This is useful because each component can be scaled independently, and in that scenario, the Q storage provides a mechanism and a scheme corners message queuing for their communication between the company in future levels are planning to explain blob storage table storage in Q storage in much more details. 30. 
Storage Accounts: before we can start creating or using storage services, we need to understand the concept off storage accounts, any type off storage service like Bloods, files, disc tables and queues that would like to use must be allocated inside a logical entity called a storage account, a storage account and that he can be created and managed by us. Or in some cases, it will be created and managed by Microsoft. A zoo starting with the simple question What is a storage account and why do we need a story to come? OK, storage account provides a unique name space. Okay, this is the key word. A unique name. Space in the cloud to store and access our data objects get the key words Here are unique name space. All storage resource is our accessed, violate and using your l. So each storage account name must be unique among all customers worldwide, not war. It's very easy to select something unique. Now. All resource is entities below that storage account group. I'll actually local to that storage account s so they don't have to be unique across all a zoo club. You can imagine that it's much easier to look for one single unique name instead of looking for multiple you nicknames for each storage resource is okay Now, the second advantage off a storage account will be Toe Group. Several allocated storage resource is with similar properties or attributes. It can be the data application strategy would like to use. Something will discuss in the next lecture the location off the resource is the type off required performance, etcetera. In addition, we will be able tow access monitor track a cost in troubleshoot issues on the storage account level, So this is also a single entity toe manage. Let's review quickly the properties we need to define while gating a new storage account festival. Any resource must be allocated on their specific subscription. Who is paying for that resource? 
So instead of setting it paid each story, Genesis will be able to do it at the storage account a level. Secondly, we will create a new storage account on a specific resource group as a logical container toe. Better manage related resource is so If we created 10 virtual machines and then a storage account to hold the storage for that group of virtual machine, then it makes sense to manage all off them under the same resource group as we already discussed. We need to define a name, a unique name that should be globally unique and make contains only numbers and lower case letters. Next one will be location. Define where the stowed data will be a located Performance steals okay. That that can be stored in irregular how Dr or Solid State drives that provide better speed and performance. Next, a setting will be account kind. Just keep the default setting to storage fee to all others are just all the compatibility version that are not relevant anymore. And in the next lecture, we will talk about the four different options for data application. But this is the place to define the required strategy. Okay, when you would like to a defining strategy application strategy, This is the place that we're doing. That all the storage account level access to Okay, this is a nice option to optimize the cost off our storage by organizing our data based on frequency off access on also a planned retention period. Let me explain that in many cases, the data stored can be quite different in terms off how it is generated, processed and access over. It's a lifetime. Let's take a few examples. Some data is actively accessed and modified frequently. For example, a system that collect and process flights tickets reservation tickets as original change frequently, and this is example that it would better to choose an access still hot. Another example would be that some data is accessed frequently any early in its lifetime, with access dropping drastically as the data ages. 
For example, when you upload a picture to Facebook and share the link, for the first few hours many people will access that image, but after a few days or weeks the image will be accessed much less by your friends. And some data even remains idle, with nobody accessing it later, for example a collection of raw logs from a web server; the chance that someone will analyze it is low. This is why we can define two main categories, each optimized for a particular access pattern and with a separate pricing model. Hot storage is optimized for storing data that is accessed frequently. Cool storage is optimized for storing data that is infrequently accessed and stored for at least 30 days. The last option is about security. We can enforce that any access to resources inside the storage account must use a secure connection; for example, when using the REST API to access the data, we will need to use HTTPS and not HTTP. So this is the place where you can disable or enable such a constraint.

31. Storage Replication Options
One of the most valuable features in a public cloud is high data durability. We know that data can be damaged because of many things, like hardware failure, networking or power outages, or maybe some massive site disaster. I hope you never encounter such a situation, but a few years ago I lost some important personal data because of a hard drive failure, and I was beating myself up for a while for not creating backups. I learned my lesson the hard way, so here is a great tip for you: back up your personal data. Now imagine business companies that rely heavily on data to do ongoing business. Can you imagine the Amazon website being down for 24 hours because of some database problem, or the Google search engine not answering requests for a few hours? We can't even imagine such a situation. System availability is a critical factor, and data is a critical component in almost all systems.
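As an added example (not part of the course), here is a small Python check that applies the storage account settings discussed in lesson 30 above, the name rules, replication SKU, access tier and secure transfer, to an ARM-style resource definition of the kind you get when exporting the account. The sample resource is constructed; the 3-24 character name limit and the minimumTlsVersion property come from Azure's documentation rather than from the lesson.

```python
"""Lint a storage-account definition for the settings covered in lesson 30.

Added example, not course material. Input follows the shape of the ARM resource
Microsoft.Storage/storageAccounts; SAMPLE_ACCOUNT below is constructed.
"""
import copy
import re

# The four replication SKUs covered in the lessons and the failure each survives
REPLICATION_SCOPE = {
    "Standard_LRS": "rack/update-domain failures inside one datacenter",
    "Standard_ZRS": "loss of one availability zone within the region",
    "Standard_GRS": "loss of the whole region (secondary readable only after failover)",
    "Standard_RAGRS": "loss of the whole region, secondary always readable",
}

# Constructed sample: what an unreviewed definition might look like
SAMPLE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "Idan_Storage",            # uppercase and underscore are not allowed
    "location": "westeurope",
    "kind": "Storage",                 # legacy general-purpose v1 kind
    "sku": {"name": "Standard_LRS"},
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "accessTier": "Hot",
        "networkAcls": {"defaultAction": "Allow"},
    },
}

NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")  # Azure naming rule (from the docs, not the lesson)


def lint_storage_account(resource):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    props = resource.get("properties", {})

    name = resource.get("name", "")
    if not NAME_RE.match(name):
        findings.append(("HIGH", f"name {name!r} must be 3-24 lowercase letters/digits"))

    if resource.get("kind") != "StorageV2":
        findings.append(("LOW", f"kind {resource.get('kind')!r}: use StorageV2 (general purpose v2)"))

    sku = resource.get("sku", {}).get("name")
    if sku not in REPLICATION_SCOPE:
        findings.append(("MEDIUM", f"replication SKU {sku!r} is not one of {sorted(REPLICATION_SCOPE)}"))
    elif sku == "Standard_LRS":
        findings.append(("INFO", "Standard_LRS only survives " + REPLICATION_SCOPE[sku]))

    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append(("HIGH", "supportsHttpsTrafficOnly is not enabled: plain-HTTP REST access allowed"))

    # minimumTlsVersion is an ARM property not covered in the lesson; missing means not pinned
    if props.get("minimumTlsVersion", "TLS1_0") != "TLS1_2":
        findings.append(("MEDIUM", "minimumTlsVersion is not pinned to TLS1_2"))

    if props.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append(("MEDIUM", "networkAcls.defaultAction is not Deny: reachable from any network"))

    if props.get("accessTier") not in ("Hot", "Cool"):
        findings.append(("LOW", "accessTier should be Hot or Cool"))
    return findings


def harden(resource):
    """Return a copy with the secure settings applied; replication SKU is left untouched."""
    fixed = copy.deepcopy(resource)
    fixed["name"] = re.sub(r"[^a-z0-9]", "", resource.get("name", "").lower())[:24]
    fixed["kind"] = "StorageV2"
    p = fixed.setdefault("properties", {})
    p["supportsHttpsTrafficOnly"] = True
    p["minimumTlsVersion"] = "TLS1_2"
    p.setdefault("networkAcls", {})["defaultAction"] = "Deny"
    p.setdefault("accessTier", "Hot")
    return fixed


if __name__ == "__main__":
    for sev, msg in lint_storage_account(SAMPLE_ACCOUNT):
        print(f"[{sev}] {msg}")
    print("after hardening:", lint_storage_account(harden(SAMPLE_ACCOUNT)))
```

Running the file prints the findings for the sample and, after harden(), only the INFO note about Standard_LRS remains: replication is a durability decision the next lesson covers, so the lint reports it rather than silently changing it.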
This is why Microsoft, and also other cloud providers, replicate our data and enable us to configure the best replication option for our application. We covered that in the introduction, but let's have a quick reminder about regions and data centers, as this is directly related to the storage replication options. Microsoft Azure is based on multiple data centers located in multiple places in the world. Those data centers are connected using a private network, part of the Azure backbone. At the lowest level we have many data centers: data center 1, 2, 3 and so on. Those data centers can be grouped under something called availability zones. Availability zones are groups of physically separated locations within a specific region. Each availability zone is made up of one or more data centers equipped with independent power, cooling and networking; it is a protection from a data center failure. So in this example, data center one and two are actually under the same availability zone; they are running on the same power, cooling and maybe network infrastructure. The next level is regions. An Azure region is a group of availability zones, or a group of data centers, located in a single geographical area. All data centers under the same region are connected with a superfast dedicated regional network providing low-latency connectivity. When we select a location for a resource, we basically select a region. The last and highest level is geography. Regions are organized into geographies like the United States, Europe, the United Kingdom and so on. Moving next to the data center: a data center is basically a collection of racks mounted on the floor of some giant room, and multiple nodes will be installed in each rack. A node can be a server, a storage device or a networking device. Each rack is considered a separate fault domain.
So if, for example, the power unit of rack number one fails, then all servers in that specific rack will go down. Going back to the storage service: at the basic level, Azure replicates our data to three separate fault domains and update domains, and that is actually a great solution to mitigate problems inside the data center. In addition to that basic level, we have other options to consider. Let's review them. Microsoft Azure provides us with four storage replication options, selected at the storage account level. You remember the storage account level: when we create a new storage account, we have the flexibility to define the needed data replication, and all storage resources under that storage account will be protected according to that selection. The first option is LRS, locally redundant storage. The data will be replicated three times in separate fault domains and separate update domains, but all of them in the same data center. It ensures that our data will be available if a hardware failure impacts a single rack, or when Azure infrastructure nodes are upgraded during a rollout. In case of a complete data center disaster like a fire or flooding, the data will not be available, and there is a risk of losing it. To mitigate such a risk, we have more options to consider. The next one is ZRS, zone-redundant storage. Data will be replicated three times like LRS, but now across three storage clusters in a single region. Each storage cluster is physically separated from the others and resides in its own availability zone. So in case a complete data center is down, we will have at least one replica of the data in a nearby data center located in the same region. But what if a complete region is down? What will happen in that scenario? For mitigating such a risk, we can use GRS, geo-redundant storage.
The data will be replicated to a second region that is maybe hundreds of miles away from the primary region. The data in the second region will be available to read only if Microsoft initiates a failover from the primary region to the secondary region. In case we would like to be able to access the data in the second region regardless of whether Microsoft initiates a failover, we can do it by selecting the last option, which is called RA-GRS, read-access geo-redundant storage. This option provides read-only access to the data in the secondary location, in addition to geo-replication across two regions.

32. Demo - Creating a Storage Account
At this point we have covered enough theoretical information about storage accounts, and now I would like to show you the practical side: how to create a storage account and what kinds of settings, properties and things we can do at the storage account level. To create a new storage account we use this option, Storage accounts. You can access this option, like any other option, using All services. Clicking on Storage accounts shows me the list of all existing storage accounts. Right now it's empty, and what I would like to do is create a new storage account from scratch. Let's create the new storage account by clicking Add, and I have all kinds of information that I need to select or type. First of all, at the project level, I need to select a subscription. In my case I have already finished my free trial, so I'm using a subscription that is called Pay-As-You-Go. Then the resource group: you can associate the storage account with a particular resource group, and let's select the one I dedicated, my resource group. Next we go to the specific instance details, starting with the storage account name. As you recall from the presentation, it must be unique across all existing storage account names in Azure.
So to make my life easier I'll use my name followed by "storage account". Then the location of the storage account; let's keep the default for now. Performance is related to disk performance; let's keep it Standard. Account kind is the kind of information we're going to store, and you will probably use StorageV2, because this is a general-purpose account. Replication is very important; we have the four options, LRS, ZRS, GRS and RA-GRS. Let's keep the simplest one, locally redundant storage. The last thing is related to cost optimization: if the data in that storage account will be accessed infrequently, we can use the Cool option; if it is going to be accessed frequently, then we need to use the Hot option. Moving next to Advanced, I can enforce that access to this information will go only via secure transfer; it can be disabled or enabled, and I can allow access from any network or maybe only from specific networks. Let's create that new storage account. Okay, the deployment is finished. Let's go to the storage account, and now I have a new storage account that I can start to use. Clicking on the new storage account brings me an overview, like the resource group, location, subscription, performance and access tier: performance is Standard, the access tier is Hot, and the replication is locally redundant storage. Now, under a storage account we can manage all kinds of services like blobs, files, tables, queues and also data disks, which we will talk about later in this section. If I look on the left side, there are all kinds of options that I can manage at the account level. For example, I can click on Access control (IAM) and perform role assignments at the storage account level. Imagine that you have several storage entities; I can apply some security roles at the storage account level. Let's go to this option called Storage Explorer. It's divided into the categories blob containers, file shares, queues and tables.
Right now it's empty. What I would like to do is scroll down to the blob service, click on Blobs, and from here I can start to create containers, which are like buckets, and place all kinds of objects inside those containers. As an example, let's create two containers: the first container will be images, click OK, and then another one, videos. Now I have two containers, and they are like a logical group. If I click on one of the containers, I have an option to upload blobs that can be any type of file, any type of binary file. Let's upload a few files by clicking on Upload here, and I will select something from my computer: image one, upload; and let's select another image, image two, and upload that. Great, now those two files are objects inside the images container. Each one is an object, and as you recall, if I zoom in on one of the objects, I have an option to add dynamic metadata. So let's add some metadata; for example, let's say the key is sky and the value is blue. Blue sky. That's new metadata that will be added to that specific object, image one, and the idea is that an application will be able to easily search thousands of objects using this useful metadata. We have done this process manually, meaning adding the objects and adding the metadata; of course, in a real-life scenario, an application will actually manage those containers, uploading objects and updating all kinds of information like metadata. Let's go back to the storage account level and go again into Storage Explorer; now, under blob containers, I will see those two containers I dedicated, images and videos, and of course I can click on a container and get more detailed information about that container. Under the Settings category we have some flexibility to change the configuration of that storage account.
I mean, the options that we selected during the storage account creation can be changed, for example the secure transfer option (disabled or enabled), the access tier and the replication strategy we would like to use. Looking at the Monitoring option and Metrics, we can create all kinds of charts, for example at the storage account level or for a specific service like blobs, files, queues, tables and so on. Basically, we add a metric like used capacity, or maybe select something else like the transactions on that storage account, and like any graph I can pin it to the dashboard and see it in real time. Some more advanced capabilities are related to alerts, and before using that, let me show you a KPI that is called availability. Availability measures, at the end, that the services are available for users and applications, and right now I can see that it is always at 100% from the moment I created that storage account. Now, going into alerts, let's say I would like to get a notification if something is happening at the storage account level, like the availability being less than 100%. So I go into Alerts and create a new alert rule. Clicking on that, I have something like a wizard with three steps. The first one is to define the alert condition. I would like to do something at the storage account level; I could select another target if I wanted. Then the criteria: I would like to do something on the availability KPI, so let's create a criterion with the availability KPI as the metric, and I would like a simple condition: if the KPI, the key performance indicator, is less than 100%, anything below 100% availability, and please check that over the last one hour, every hour. Click Done, and I have a new alert criterion. Please note that it costs some money; nothing is free. Then go to define the alert details: let's call it my alert and give it some description.
I can select what the severity of that alert will be, and click on Define action group, the last step: what to do with this information? Let's say I would like to send an email, so I need to create something that is called a new action group. Let's call it Group one, like a group of people that will get some notification; the action name will be email and the action type will be send email, and then it will ask me to type some email address. This is not really my email, just for this example. Let's click OK, choose another name, okay, and I have a new group. That's all; I can create this new alert rule. Here you go, this is my new alert. This option is very powerful, and we can apply the capability to create alerts on different entities in Azure and to trigger all kinds of simple stuff like sending an email or an SMS, and also some more sophisticated options like scaling a VM size or running some automation; that's some automation capability that we can add into the system.

33. Azure VMs Disks
Back to our virtual machines, as they are part of infrastructure as a service. In addition to allocating compute power, which we will learn how to do in the next section, and setting network connectivity, as we learned in the previous section, we also want the capability to allocate storage capacity as virtual disks. So first of all, let's review the types of disks we have in a virtual machine and how to create and attach data disks. Just like any other computer or server, virtual machines use disks as a place to store data. All disks are stored as something that is called VHD files, virtual hard drive files. There are three types of virtual machine disks. The first one is the operating system disk. Every virtual machine has one attached operating system disk, created automatically from an image file when the VM is created.
For example, in a Windows virtual machine it will be labeled as the C drive, with a maximum capacity of two terabytes. Another type of disk that will be allocated automatically for the virtual machine is the temporary disk. It is used for short-term storage for applications and processes, and the purpose is to store only data such as page or swap files. In Windows virtual machines the temporary disk is labeled as the D drive by default, and the size of the temporary disk will vary based on the size of the allocated virtual machine. We are not supposed to store data on a temporary disk unless we don't care that the data will be erased, for example when we are using it for storing and running installation files. The last type of disk is the data disk, and this is actually the most relevant disk type for end users. A data disk is a VHD file attached to a virtual machine to store application data. Multiple data disks can be attached to a single virtual machine, and the maximum number will vary by the selected virtual machine size. So after creating a virtual machine, the next step will be to create and attach data disks. As I said, Azure provides two options to handle a data disk: unmanaged disks and managed disks. Unmanaged disks are the traditional type of disk: we create the storage account and then specify that storage account when creating the disk. The disks are handled manually by us at the storage account level; in case of scaling up, like adding more disks to a storage account, we are responsible for monitoring thresholds at the storage account level. For example, when scaling up by adding more data disks, we need to make sure that the storage account is not exceeding its maximum IOPS limit. Basically, with unmanaged disks we have to figure out how to maximize the use of one or more storage accounts to get the best performance for our virtual machines. The second option is managed disks.
A managed disk handles the storage account creation and ongoing management automatically, so we don't have to worry about the scalability limits of the storage account. We simply specify the disk size and the needed performance tier, which we will talk about in a few slides, and Azure creates the managed disk for us. In addition, this option will automatically handle something called availability sets, meaning making sure that the data disks of multiple virtual machines that are working in high availability will be separated. So for most use cases it will be better to use the managed disk option. Microsoft Azure offers four performance tiers for the data disks we are creating: standard HDD, standard SSD, premium SSD and ultra SSD. Those performance tiers come with different storage performance capabilities and, of course, a cost associated with each option. Storage performance is usually described by three terms: throughput, IOPS and latency. Let's start with IOPS. IOPS is input/output operations per second; this is the number of read and write operations that can be done in one second. Higher IOPS is higher performance. The size of an operation is measured in kilobytes, and the underlying technology determines the maximum amount of data that the volume counts as a single I/O operation. Throughput measures the data size successfully transferred per second, so it is this simple equation: the average I/O size (determined by the technology) multiplied by the IOPS gives us the throughput in megabytes per second. The last one is latency. Latency is the time to complete an I/O request, measured in milliseconds; a lower latency number is better performance. Now that we have a common language about storage performance, let's review the types of disks. The first option is standard HDD disks. Standard HDD disks use regular hard disk drive storage media.
This is the cheapest option of all the options we will see, a low-cost solution to be used for workloads or applications that are less sensitive to latency and performance variability; for example, it is a great option for development and testing environments, not for production. The next performance tier is standard SSD. The data will be stored on solid state drives, meaning much better performance and reliability compared to standard HDD disks. It is a cost-effective solution for applications like web servers, which do not really need high IOPS on disk, and probably any entry-level production workload should start with this performance tier, moving to more expensive options with higher performance. Premium SSD disks are high-performance solid state drives designed to support I/O-intensive workloads with high throughput and low latency. Ultra SSD is currently the fastest performance option, designed for data-intensive workloads, top-tier databases and transaction-heavy workloads. It provides a dynamic performance configuration, a quite new capability that allows you to change the performance, meaning the IOPS and throughput of the disk, along with the workload's new requirements, without having to restart the virtual machine. One thing I'm really trying to avoid is presenting actual numbers here, like the maximum IOPS for a particular performance tier, because those things are constantly changing and you should always check them online.

34. Demo - Creating and Attaching Data Disks
Getting a little bit more practical in the context of storage: we saw blobs, queues, tables and so on, but at the end, the scope of this level is about virtual machines, and virtual machines are using virtual disks to store information. We learned that there are actually three types of disks: the operating system disk, created from an image, and of course
we'll see in the next section how to create a virtual machine, and then the operating system disk will be allocated automatically. The second type of disk is the temporary disk; we don't need to do anything in the context of the temporary disk. The last one, and the most relevant one, is data disks. We can create a virtual machine without data disks and then attach as many data disks as are allowed for the particular virtual machine size we selected. As preparation for presenting the concept of data disks I created virtual machines, and just to show you the concept of disks in a virtual machine, let's click on Add for a second on Virtual machines and focus on one tab here that is called Disks. Here you can select what the performance of the operating system disk type will be, with a few options that we already talked about: premium SSD, standard SSD, standard HDD. Assuming you selected something, you can then create a data disk here, leave it empty, or maybe attach an existing disk. One important configuration is actually under Advanced, and as you remember there are two options to manage a disk, unmanaged disk or managed disk; by default managed disks are enabled, and most chances are that for most use cases managed disks are the way to go, but we will see both options. Going back to the list of virtual machines, the first one, vm01, I created with the managed disk setting, and the second one, vm02, I created with the unmanaged disk option, and we will see the difference between them. At the first level, if I would like to see what kind of disks are available for a particular virtual machine, I can click on it and go to the category called Disks, and I will see information about the operating system disk; this is the instance that was created automatically by Azure
when I created the virtual machine. I can see the size and the storage account type, and I can add additional data disks. Right now there are no data disks for that specific virtual machine. I can click here on Add data disk; if I have an existing data disk I would like to attach, I can do it from the selection here (right now it's empty), or I can click on Create disk over here, which brings me to a wizard to create a data disk. I can also do that from a service called Disks; you can find it of course under All services, and I put it in my favorites. Clicking on that option shows me all available managed disks in my system right now. Let's create a new data disk by clicking Add. Let's call it disk01, with the subscription Pay-As-You-Go, the resource group I dedicated, the location, and the account type; again, I need to select something based on the performance I would like to get. Let's keep it the simple one, standard HDD. What will be the source? I can take a snapshot or some existing storage blob, or keep it empty; let's keep it empty right now and decide on the size. Let's keep it at 10 gigabytes. We can see some estimated performance for that virtual disk, input/output operations per second and throughput, and click Create. The disk was created successfully. Let's do a refresh, and I have a new instance called disk01. As I said, anything we create here in the Disks category is actually a managed disk; it's not the unmanaged disk option, meaning I don't deal with the storage account issue. Remember from my previous demonstration about storage accounts: when I'm using managed disks, the whole storage account creation and management is done as a transparent layer by Microsoft Azure. I don't do anything related to the storage account level.
Now if I click on that instance, disk01, I will see the name and the disk state; right now it is unattached. I also have an option to change the account type and get a different performance if I would like. What I would like to do now is attach that disk to some virtual machine. Let's do that: go to Virtual machines and click on an instance, vm01, because this is a VM that I created with the option to handle managed disks. Go to the Disks option, click Add, and choose the disk that I just created, disk01. Clicking on that I can see some information about it, and I can click Save, and it will attach the virtual disk to that virtual machine. A virtual disk is, at the end, a blob file sitting in a container that belongs to a specific storage account handled by Microsoft, because this is a managed disk. The virtual machine was updated successfully, and if we do a refresh we can see that the data disk is attached. If I go again to Disks and click on that instance, I can see that the disk state changed to attached. Now I have created the connection between a virtual disk and a virtual machine, and of course I can create multiple data disks and attach them to a single virtual machine. I can also detach that data disk from the virtual machine and remove the disk. Let's do that quickly: going to the virtual machine, click Edit over here, and I have this option, Detach; click on that and Save. Now I have separated the data disk from the virtual machine, and of course I can attach it again to another virtual machine if needed. The last step will be to remove this new data disk: clicking on the list of disks, I have an option called Delete. That's all; the process is very simple, and this is for managed disks.
Now let's go to the more complex option, unmanaged disks. The second option, virtual machine number two: I created that virtual machine with the unmanaged disk setting, so if I click on it and go to Disks, anything I create here is an unmanaged disk. Let's click on Add data disk. First step, let's give a name for the new disk, vm02disk01. Now I can create an empty disk or one from an existing blob, because at the end an unmanaged disk is a blob file that is sitting in a storage account that we are managing, unlike a managed disk, which is also a blob file, but where we are not managing the storage account. The next thing is to select an account type, and it influences the storage account that you can use, because if you would like to create a data disk on premium SSD, then the storage account should also be at the same level, premium SSD. The storage account I created in this demo is actually standard HDD, so let's choose this option, then the size, and then select a storage container. Those are the storage accounts I dedicated; let's choose this one, my storage account, and the container will be this one, vhds. I can create new containers, but I already have a container called vhds, and this will be the name of the blob file, a virtual hard drive type of file. Click OK and click Save. Finished; we created an unmanaged data disk for that virtual machine. Let's see this data disk as a VHD file inside the storage account. I go to the storage account (I put it over here), go to Storage Explorer, and under blob containers I have the container called vhds, and now we can see the name of that VHD. This is actually an object, a file in that container, that is being used.
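The VHD file shown in the vhds container above is just a blob ending in a 512-byte footer. As an added example that is not part of the course, the Python below parses that footer, verifies its checksum and applies the checks a VHD must pass before Azure will attach it as an unmanaged disk (fixed format, virtual size a whole number of MiB, blob length equal to the size plus the footer). The layout follows Microsoft's VHD specification and the upload requirements come from Azure's documentation, not from the lesson; the footer is constructed inside the block so it runs offline.

```python
"""Parse and check the 512-byte footer of a VHD blob.

Added example, not course material. Layout per Microsoft's VHD specification
(fixed-size format). The Azure requirements in validate_for_azure come from the
Azure docs, not the lesson. The sample footer is constructed by build_fixed_footer.
"""
import struct
import time
import uuid
from datetime import datetime, timedelta, timezone

# cookie, features, version, data_offset, timestamp, creator_app, creator_ver,
# creator_os, original_size, current_size, cylinders, heads, sectors/track,
# disk_type, checksum, unique_id, saved_state, reserved  (big-endian, 512 bytes)
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"
FOOTER_SIZE = 512
CHECKSUM_OFFSET = 64
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # timestamps count from here
MIB = 1024 * 1024


def vhd_checksum(footer):
    """One's complement of the byte sum, with the checksum field itself zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\0\0\0\0" + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def chs_geometry(size_bytes):
    """Cylinders/heads/sectors derived from the size, using the spec's algorithm."""
    total = min(size_bytes // 512, 65535 * 16 * 255)
    if total >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total // spt
    else:
        spt = 17
        cth = total // spt
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total // spt
    return cth // heads, heads, spt


def build_fixed_footer(size_bytes, creator=b"pyvh"):
    """Construct a valid fixed-disk footer (a sample, not taken from a real blob)."""
    cyl, heads, spt = chs_geometry(size_bytes)
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF,  # 0x2: reserved bit, always set
              int(time.time() - VHD_EPOCH.timestamp()), creator, 0x00010000, b"Wi2k",
              size_bytes, size_bytes, cyl, heads, spt, 2, 0, uuid.uuid4().bytes, 0, b"\0" * 427]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


def parse_vhd_footer(blob_tail):
    """Decode the last 512 bytes of a VHD blob; raise ValueError if it is not a valid footer."""
    if len(blob_tail) < FOOTER_SIZE:
        raise ValueError("need at least 512 bytes")
    footer = blob_tail[-FOOTER_SIZE:]
    f = struct.unpack(FOOTER_FMT, footer)
    if f[0] != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    if f[14] != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch (truncated or tampered file)")
    return {
        "format_version": f[2] >> 16,
        "data_offset": f[3],
        "created": VHD_EPOCH + timedelta(seconds=f[4]),
        "creator_app": f[5].decode("ascii", "replace").strip("\0"),
        "original_size": f[8],
        "current_size": f[9],
        "geometry": (f[10], f[11], f[12]),
        "disk_type": DISK_TYPES.get(f[13], f"unknown({f[13]})"),
        "uuid": str(uuid.UUID(bytes=f[15])),
        "saved_state": bool(f[16]),
    }


def validate_for_azure(info, blob_length):
    """Return the reasons Azure would reject this blob as an unmanaged disk (empty = OK)."""
    problems = []
    if info["disk_type"] != "fixed":
        problems.append("Azure accepts only fixed-format VHDs")
    if info["current_size"] % MIB:
        problems.append("virtual size must be a whole number of MiB")
    if blob_length != info["current_size"] + FOOTER_SIZE:
        problems.append("blob length must equal virtual size plus the 512-byte footer")
    if info["saved_state"]:
        problems.append("VHD is in saved state")
    return problems


if __name__ == "__main__":
    size = 10 * 1024 * MIB  # the 10 GiB disk from the demo
    info = parse_vhd_footer(build_fixed_footer(size))
    print(info["disk_type"], info["current_size"], info["geometry"], info["uuid"])
    print("problems:", validate_for_azure(info, size + FOOTER_SIZE))
```

In practice you would fetch only the last 512 bytes of the page blob with a ranged read and pass them to parse_vhd_footer; the checksum check is what catches a truncated upload or a footer someone edited by hand.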
That VHD file is the virtual storage capacity for that virtual machine. The process to detach and remove such an unmanaged disk is the following. First of all, go to the virtual machine, vm02, Disks, click Edit, detach that virtual disk and click Save; it's the same as we do for a managed disk. Now for removing the unmanaged disk: we can't really find it under the Disks category, because this list only represents managed disks, so the only place that you can remove that file is actually from the storage account level: go into the storage account and into Storage Explorer, select this file, and click Delete. Great. Now the file that I'm still seeing right now is also a VHD file at the storage account level, but this one is being used by the same virtual machine, vm02, as its OS disk. Another thing I would like to emphasize when comparing unmanaged disks and managed disks is that when you are using managed disks, the disk is an entity in this list, so you can apply all kinds of configuration to that entity. As an example, if I click on some additional disk that is called disk02 and go to Access control (IAM), as with any other entity in Azure, you can provision role assignments for that particular disk, so the granularity is at the disk level, unlike unmanaged disks, where the granularity will be at the storage account level. So this is also something to keep in mind while choosing between these two options.

35. Encryption Data at Rest
Security is a critical part of any solution, including the storage. During the section about networking we talked about encrypting data in transit, meaning what kinds of options we have to protect the information when it is traveling between servers, and today the most accepted protocol is TLS/SSL. But what about storage?
Customers are storing sensitive data, and the question is how we can make sure that our valuable data will not fall into the wrong hands. So our next topic is encrypting data at rest, meaning data that is stored in Microsoft storage services. Encryption at rest is a very common security requirement for many organizations following industry and government regulations. Let's see what kinds of options we have when it comes to encrypting data at rest, and then we'll talk about specific features in Azure. The first option is called server-side encryption. Look at this diagram: on the left side we have some application running on a virtual machine inside the cloud, or maybe remotely in an on-premises deployment. This application is using some storage service to store, handle and read data. In server-side encryption, the whole process of encryption and decryption is performed internally inside the cloud service; it is not handled by the application, and it is done using encryption keys. Let's talk about keys for two minutes. As you know, encryption is all about keys. They are the shared secret used to encrypt and decrypt the data. Encryption of data at rest is based on symmetric encryption, meaning the same key is used to encrypt and decrypt the data, unlike the well-known TLS protocol, which also uses asymmetric encryption, where there is a public and a private key. Those keys should be created, stored and replaced in some rotation using a centralized key management system. Keys must be stored in a secure location with an access control policy and also logging of access. In some cases, the symmetric encryption keys are encrypted again with asymmetric encryption to further limit access. What I would like to say here is that key management is usually some serious overhead to handle, and Microsoft provides us a few options to consider when it comes to key management. The first option is called service-managed keys.
Azure performs the encryption and decryption operations, as this is server-side encryption, as we mentioned, but more importantly, it will also manage the keys. All key management aspects will be done automatically. This option is very useful for customers that would like to use encryption without the overhead associated with handling keys. In case some customers would like to manage the keys by themselves, they can use the second option, customer-managed keys. Azure will still perform the encryption and decryption operations; however, the customer will control the keys. It can be done using Azure Key Vault as a service, or using some customer-controlled hardware solution located even outside the cloud. Let's define another component that is related to security. This is Azure Key Vault, and it is used for several purposes. The first one is as a secure secret management: it can be used to securely store and tightly control access to things like tokens, passwords, certificates, API keys and other secrets. In the context of this lecture, Azure Key Vault can be used for key management, meaning it can also be used to create and control the encryption keys used to encrypt our data. And the last thing is that it can be used also as a certificate management solution, letting us provision, manage and deploy certificates to be used for different purposes. If I summarize the concept of Key Vault: at the end, we are going to use encryption at rest for different resources, such as storage services, and this is the place where all the keys will be managed. Okay, using this Key Vault, it can be managed automatically, meaning service-managed keys; in that scenario, we're not really handling the Key Vault. And the second option is that we will manage the keys by ourselves, and then we can use that component to be able to perform the whole
key management in a centralized location and grant the access as needed to applications, to users and so on. Until now, we talked about the first option, server-side encryption. Now let's talk about the second option for performing encryption of data at rest: this is client-side encryption. In this model, the encryption is performed outside of the Azure service, by the service or the calling application. When using this encryption model, the resource provider receives encrypted data without the ability to decrypt it in any way or to have access to the encryption keys. This option, of course, reduces some of the cloud functionality, and probably fewer customers will actually use this option; maybe some government organizations or companies with highly sensitive data that would like to have full control over the whole encryption life cycle. Now let's see how those options are reflected in Azure. The first one is called Storage Service Encryption, SSE. By using this option, SSE is encrypting anything we store in Azure Storage, and it actually can't be disabled. This is the default encryption. This is server-side encryption based on service-managed keys, so the whole process is completely transparent to users. It's actually using 256-bit AES (Advanced Encryption Standard), and all data within the storage account, whether they are blobs, queues, tables or files, are encrypted, and it is managed at the storage account level. It's a great service without additional cost to secure our data, but it has some limitation. Let's say we have 10 virtual machines on the same storage account. All of them will be accessed using the same key, the storage account key. So if someone has access to that storage account, he or she can access any data on those 10 virtual machines. Okay, they are like one group. Now, in some cases, we may want to limit that on the virtual machine level.
The solution for that will be to provide more granular control related to the encryption, something on the virtual machine level. Okay. In that case, we can use the Azure Disk Encryption option. It is used to encrypt the Windows or Linux virtual machine disks used by an infrastructure-as-a-service virtual machine. Okay, there are all kinds of standards related to Linux and also to Windows. Each virtual machine will have separate keys used to encrypt the data stored in the virtual machine disks. If you remember, a disk is basically a VHD file located on the storage, and the disk encryption process is basically working on that file. This feature is, of course, only relevant for the infrastructure-as-a-service option, when we handle the virtual machines. We can protect Windows and Linux virtual machines by using Azure Disk Encryption, which uses the BitLocker technology for Windows and the dm-crypt feature of Linux to protect both the operating system disk and also data disks with full volume encryption.

36. Section Overview - Azure IaaS Compute:

Hi and welcome back. Thanks for watching so far. We're planning to start the third and last building block of an Azure infrastructure-as-a-service solution, meaning compute. Compute is basically all about virtual machines. That's the computing power to run our workloads. As I mentioned in the course introduction section, when using the infrastructure-as-a-service option, we have full control over the allocated resources that will be needed to run our applications. In this section, we will cover the following topics, starting with a quick review of the concept of virtualization and how it is used in a cloud environment.
Understanding the concept of virtual machines and virtual machine types and sizes, which are like templates to create virtual machines, and how to create Windows or Linux based virtual machines with all the needed settings that are available to us, and then connect to those virtual machines remotely. We will also review a few additional settings available when a VM is already created, like the options to attach additional network interfaces and data disks, scale up or down the size of the virtual machine to save cost or to overcome performance issues, review the different security recommendations from Azure, enable extensions on a VM to add additional functionalities, and lastly, under this topic, we will see how to configure access control on a VM level. The next and last topic will be about operation and monitoring activities on the virtual machine level, like how to configure and use the auto-shutdown option and scheduling backups for the data. In the context of monitoring, we'll see how to analyze activity logs, view metrics or KPIs (key performance indicators) on the virtual machine, configure alerts and configure the diagnostics settings that we have, and lastly, review the Microsoft Azure Advisor recommendations. As you can see, we have quite a comprehensive list of topics to cover in this section, and we will do it by putting more focus on practical demonstrations.

37. Virtualization:

The main topic in this section is about virtual machines, so I would like to present at a high level the concept of virtualization. Even before anyone started to offer public cloud services, virtualization as a technology was used in many private data centers worldwide. Creating a virtual machine is not something new. It will probably be hard to find today any IT environment that is not using virtualization as a core technology. The value of virtualization: we can say that virtualization is a great way to divide and optimize physical IT resources into
logical entities, also called virtual resources. It is an abstraction management layer of physical objects into logical objects. Now going back to the cloud. A public cloud environment is all about virtualization, but of course at a much larger scale than a single private data center. As a quick reminder, let's see how the layers are forming the logical entity of a virtual machine. The first layer is the physical machine, a server. To be able to run an application inside that server, we need an operating system like Windows or Linux. This is called the host operating system. It is the OS running on the host physical machine. Next, we can install multiple applications on that host OS, like you are doing today on your desktop or laptop computer. But this is not really virtualization. To be able to create separated virtual environments on that physical server, we need another layer called a hypervisor. This hypervisor application will be installed on top of the host operating system as a single application. By the way, there are actually two types of hypervisors, type 1 and type 2. Type 2 is what we see right now, meaning a hypervisor running inside a host operating system. Type 1 is called a bare-metal hypervisor, meaning it is running directly on the physical machine without using a host operating system. So now we have a hypervisor, and we can use it to create multiple virtual machines. In each virtual machine, we can install a separate and dedicated operating system. This is called the guest OS. Using the hypervisor, we can divide the server resources, the physical resources like memory, CPU and storage, between the virtual machines, and finally, on each guest OS related to a specific virtual machine, we can run single or multiple applications. The guest OS also contains whatever is needed to run the application, meaning all kinds of system binaries and libraries.
That's the building blocks of the virtualization technology in a regular private data center. Now the same concept is similar, to some level, for a public cloud provider. Imagine visiting one of the Microsoft, Google or Amazon data centers. Over there, we will see thousands of servers sitting on top of each other in giant rooms. Each physical server is part of a very large computing fabric managed by the cloud provider. And of course, the scale is much bigger. So in a public cloud environment, a special management layer is used to abstract the complex infrastructure and provide the ability to create and manage virtual resources that can span across multiple geographic locations. That's the cloud management software. We can create virtual networks, virtual storage space as well as virtual machines. Taking again the previous diagram with the layers: the cloud infrastructure is a complex combination of compute, storage and network resources located in multiple data centers worldwide. On top, we will find a cloud management software solution, the operating system of the cloud. This is like the cloud operating system. Now this layer is, of course, much more than a hypervisor in a private data center. By the way, the software can be an open-source tool like OpenStack, if you would like to build a cloud solution. In our case, it is the Microsoft Azure software. And again, it is the same concept. We can create and manage virtual machines with a guest OS and applications running inside each VM, as we are doing in a regular private data center with a hypervisor.

38. Virtual Machines:

Now, after reviewing the layers in the context of virtualization, we can focus on virtual machines as resources in a cloud environment, and specifically in this lecture on the multiple settings options we can select while creating a new virtual machine.
If this is our virtual machine, then it will be an allocated virtual resource inside the public cloud pool of resources, like this small blue box in this grid. This virtual machine as a resource can be allocated on demand, while using the flexibility that comes with a cloud environment. We can define the required virtual machine from a variety of virtual machine types and sizes, to be used for different application workloads. In the next lecture we'll talk about the available virtual machine types. As we already covered in the previous section, to each virtual machine we can attach the needed storage capacity using data disks, and it must be part of an underlying virtual network, where we can apply all kinds of additional security rules to allow or limit traffic flow. Moving to the practical side: when we would like to create a new virtual machine, there are a few settings to fill in or to select. Let's review them quickly. Project details: subscription, who is paying for that new virtual machine, and which resource group this virtual machine should be associated with. Instance details: okay, we have the virtual machine name; try to use something useful, like maybe the function of that virtual machine, like web server number one. Region is the location of that resource. Availability options: we can keep it empty or select the option called availability zones or availability sets. In this course, we will keep it empty; okay, we're not using the availability option. Image is basically the base operating system or application. It's part of the Azure Marketplace. There are a variety of operating systems and applications; we'll see it during the demo. We can also use our own customized image. VM size: what will be the computing power, like CPU and memory. Microsoft Azure offers a wide variety of sizes to support many types
of workloads; we'll see that in the next lecture. Admin account, meaning user name and password. And inbound ports, which is actually related to the network settings, but this is a quick way to allow specific ports like RDP, SSH, HTTP, HTTPS for remote connection. Those security settings will be translated into the network security group being used by the subnet. Administrator account: selecting the authentication type, using a password or an SSH public key; this is more related to Linux virtual machines. Disks: the type of OS disk. Okay, premium SSD, standard SSD, standard HDD. Okay, it's not about data disks, it's about the OS disk. And also here we can create a new data disk or attach an existing data disk. And lastly, networking: selecting the virtual network and subnet, whether a public IP will be created or an existing public IP resource used, and attaching a network security group to the subnet or network. There are all kinds of optional features we can enable if needed. For example, monitoring: boot diagnostics, OS guest diagnostics for collecting metrics, KPIs. Using auto-shutdown is actually a very useful feature to save cost: a schedule for when the VM will automatically shut down. We'll see how to use it in the demo. And the backup service for the data. And lastly, using extensions: a virtual machine extension gives us additional capabilities for post-deployment configuration and automated tasks. We are basically performing an agent installation, this is the extension, on the VM, and there are all kinds of off-the-shelf extensions we can install and use. This is a table with a short summary. Basically, when creating a VM, we need a few resources as building blocks. The first one is a resource group. The virtual machine must be contained in a resource group, like any other resource. Okay, we covered that in the introduction section, how to create a resource group. Next is the storage account.
The virtual machine needs a storage account to store its virtual hard drive. Okay, again, we covered that during the storage section. Now, here, if we use the managed disk option, enabled by default, we don't need to specify a storage account, because Microsoft performs all the management automatically. Virtual networks: that's straightforward; the virtual machine must be a member of a virtual network. Public IP address: this is optional. If you are planning to access this virtual machine from the Internet, then you need such a public IP, or for any other purpose. Network interface: again, the virtual machine needs the network interface to communicate inside the network, and it will be created automatically when we are creating the virtual machine. Of course, you can also create additional network interfaces manually and attach them to that new virtual machine. And lastly, data disks. This is optional. The VM can include data disks to expand storage capabilities.

39. VM Types and Sizes:

One of the key features in a public cloud environment is all about virtual machine types and sizes. Every application, or better call it workload, will have a different resource consumption profile. Some applications require more CPU power and less memory capacity, and in other cases it will be the other way around, meaning more memory and less CPU power. So Microsoft provides us with a variety of virtual machine types and sizes that will be more optimized to the resource consumption profile of our application. Anyway, just remember: the bigger the size, the more cost, and the system will charge at hourly prices based on the virtual machine size and the type of the operating system being used. Azure has a variety of different choices when it comes to the size of the VM we will select and deploy. This is an example of the different virtual machine types available for Linux virtual machines.
We can see that they are grouped on the left side into categories under the first column, like general purpose, compute optimized, memory optimized, etc. A specific group type is supposed to handle a specific application much more effectively. For example, the memory optimized group can be used for relational database servers, as memory is a great factor for such applications. For a relational database, we want a VM with much more memory capacity than CPU capacity, so it has a higher memory-to-CPU ratio. Secondly, each group type contains a variety of virtual machine sizes. Okay, this is the connection between types and sizes. So under the memory optimized group, as a type, we can select a virtual machine size according to our specific requirement. Let's take another example, storage optimized. Storage optimized virtual machine sizes offer high disk throughput and input/output, and are a great selection for applications like big data, SQL and NoSQL databases. Such applications require a high memory-to-CPU ratio, okay, and more storage capacity. The last thing that is important to remember is that this list of types and sizes is updated from time to time. So my best advice is to check it online, using the website of the public cloud provider you're planning to use. If we zoom into a specific virtual machine size from the table that we just saw, then we'll see several factors that are used to define it. It can be the processing power, okay, called virtual CPUs; the memory size measured in gigabytes; the size of the local temporary storage; the maximum number of data disks that can be attached to the virtual machine; the maximum disk throughput, which is actually measured in IOPS, input/output operations per second; the maximum number of network interfaces that can be attached to the virtual machine; and the expected network bandwidth in megabytes.
Actually, the expected network bandwidth is the maximum aggregated bandwidth allocated per virtual machine type, across all network interfaces, for all destinations. It is called expected network bandwidth, as this number is not some guaranteed upper limit, and it should be used only as a guideline for selecting the right virtual machine type and size when we are taking into account also the network traffic that is going into that virtual machine.

40. Demo Creating VMs:

Until now, we covered how to create a virtual network and subnet, IP configuration, network interfaces, a storage account and data disks that can be managed or unmanaged, security rules and so on. Finally, in this section, we will learn how to create virtual machines that actually use all those building blocks. To create a new virtual machine, we will use this option, Virtual machines, that we can find also under All services. Clicking on that, I'm getting the list of virtual machines that I have right now in my system. Now it's empty because I removed all virtual machines and I would like to start from scratch. I will click on Add, and I will get the wizard where I can set up all the settings that are needed to create a virtual machine. In the first tab, Basics, I need to provide the project details, as always: what will be my subscription? I'm using the pay-as-you-go subscription because I don't have the free trial anymore. A resource group: I created a resource group in advance (you can also create one from here). And the next will be to provide the instance details. Let me put some name, VM01. Okay, next will be the region, okay, the location where the virtual machine will be located. In the presentation, we talked about the things that we need to take into account while selecting the region, like performance, cost and all kinds of stuff. Let's keep it right now in the US and move on to the availability options.
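The sizing factors from the VM types and sizes lecture above (vCPUs, memory, temporary storage, maximum data disks, IOPS, NICs, premium disk support and hourly price) can be turned into a selector. This is an added example, not part of the course: the catalogue is constructed sample data, where only the vCPU, memory and (for B1s) data-disk counts are the figures the demo quotes and every other column, including all prices, is made up.

```python
"""Choose the cheapest VM size that fits a workload profile.

Added example for the VM types and sizes lecture; it is not part of the
course. CATALOGUE is constructed sample data: the vCPU, memory and (for
B1s) data-disk counts are the ones the demo quotes, every other column,
including all prices, is made up. Published size lists change, so check
the provider's website before relying on any figure.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VmSize:
    name: str
    family: str           # general purpose, compute/memory/storage optimized
    vcpus: int
    memory_gib: float
    temp_storage_gib: int
    max_data_disks: int
    max_iops: int
    max_nics: int
    premium_disks: bool   # can premium (SSD) disks be attached?
    hourly_usd: float     # constructed placeholder price

    @property
    def memory_per_vcpu(self) -> float:
        """The memory-to-CPU ratio that distinguishes the families."""
        return self.memory_gib / self.vcpus


@dataclass(frozen=True)
class Workload:
    min_vcpus: int = 1
    min_memory_gib: float = 0.5
    data_disks: int = 0
    min_iops: int = 0
    needs_premium: bool = False
    min_memory_per_vcpu: float = 0.0   # e.g. 8 for a memory-hungry database


CATALOGUE: List[VmSize] = [
    #      name         family              vCPU GiB temp  disks  IOPS  NIC prem   $/h
    VmSize("B1s",       "general purpose",    1,   1,    4,   2,   320, 2, True,  0.0104),
    VmSize("B2s",       "general purpose",    2,   4,    8,   4,  1280, 3, True,  0.0416),
    VmSize("sample-F4", "compute optimized",  4,   8,   32,   8,  6400, 4, True,  0.17),
    VmSize("sample-E4", "memory optimized",   4,  32,   64,   8,  6400, 2, True,  0.25),
    VmSize("sample-L8", "storage optimized",  8,  64, 1800,  16, 40000, 4, False, 0.62),
]


def rejection_reasons(size: VmSize, w: Workload) -> List[str]:
    """Every sizing factor the size fails for this workload (empty = it fits)."""
    checks = [
        (size.vcpus < w.min_vcpus,
         f"needs {w.min_vcpus} vCPU, has {size.vcpus}"),
        (size.memory_gib < w.min_memory_gib,
         f"needs {w.min_memory_gib} GiB, has {size.memory_gib}"),
        (size.max_data_disks < w.data_disks,
         f"needs {w.data_disks} data disks, max is {size.max_data_disks}"),
        (size.max_iops < w.min_iops,
         f"needs {w.min_iops} IOPS, max is {size.max_iops}"),
        (w.needs_premium and not size.premium_disks,
         "premium disks not supported"),
        (size.memory_per_vcpu < w.min_memory_per_vcpu,
         f"memory/vCPU ratio {size.memory_per_vcpu:g} below {w.min_memory_per_vcpu:g}"),
    ]
    return [reason for failed, reason in checks if failed]


def fits(size: VmSize, w: Workload) -> bool:
    return not rejection_reasons(size, w)


def cheapest_fit(w: Workload, catalogue: List[VmSize] = CATALOGUE) -> Optional[VmSize]:
    """Lowest hourly price among the sizes that satisfy every factor."""
    candidates = [s for s in catalogue if fits(s, w)]
    return min(candidates, key=lambda s: s.hourly_usd, default=None)


def monthly_cost(size: VmSize, hours: int = 730) -> float:
    """Hourly billing projected over an assumed 730-hour month, like the
    monthly estimate the demo looks at."""
    return round(size.hourly_usd * hours, 2)


if __name__ == "__main__":
    demo = Workload(min_vcpus=1, min_memory_gib=1, data_disks=2)
    database = Workload(min_vcpus=4, min_memory_gib=16, data_disks=4,
                        min_memory_per_vcpu=8)
    for label, w in (("demo", demo), ("database", database)):
        pick = cheapest_fit(w)
        print(label, "->", pick.name, pick.family, monthly_cost(pick), "USD/month")
```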
Now, I'm not using any availability option, so I'm choosing "No infrastructure redundancy required". Just for your knowledge, there is an advanced capability that is called an availability set that I'm planning to cover in a future course, how to use such a more advanced capability. The next selection is the operating system. Okay? There are all kinds of images that we can use directly from the Azure Marketplace. Click on that, and you can see all kinds of available operating systems. But you can also click on "Browse all images and disks", and you will get the marketplace, where you can search for a specific type of operating system and even applications. So, as an example, I can go to Databases, and then it will be a bundle of SQL Server together with the operating system. Or, if I go to Web, I can directly install a LAMP stack for web development, all together. So that's the marketplace. In my case, I would like to select just a Windows 10 client for our example. I will click on that selection. Next will be the size, okay, the size of the virtual machine. Let's click on "Change size", and there are actually a few parameters to select a template, okay, the VM size. So first of all, you can filter. I mean, there are many, many types of virtual machines that you can select. So let's use a filter. For example, I would like the family of memory optimized. Okay, let's cancel the general purpose in the filter, and I will get virtual machines that are related to this family, okay, meaning a high ratio of memory compared to CPU. So let's take an example: I have a virtual machine size that has a low number of virtual CPUs but a high amount of memory. Now, let's go to another type of family. Let's remove that and add another family filter. Now I would like the other way around, I mean compute optimized, and filter there. And then I will get templates, VM sizes, with a better ratio of CPU to memory. So we have many options to select.
But it is not just the number of virtual CPUs and the amount of memory. You need also to take into account the maximum data disks that we can attach to such a VM type, the maximum, I mean, what kind of performance parameters, like the maximum IOPS, and the size of the temporary storage, which is actually coming together with the type of the VM size. Can it support premium disks? Is it supported or not? And of course, the cost: how much such a VM size will cost for a month. This gives you some estimation that will help you to optimize cost. As this is just a simple demo, I will go to the default filters and select this one, B1s. It's a pretty small virtual machine: 1 virtual CPU, 1 GB of memory, and I can attach a maximum of two data disks, and it's more than enough to present the disk capabilities. Let's select that and continue. User name and password, okay, great, I have also the credentials for that administrator account. We'll use it to log in to the system, to the virtual machine. And from here I can quickly set up inbound port rules, and, for example, I can allow a specific port, okay, like RDP, HTTPS and so on. For example, here I will click on RDP because I would like to log in to that virtual machine remotely. There is also an option related to licensing, and then we can continue to the next tab, Disks. Okay, we talked about that during the storage section, but this is the place where, first of all, you need to select what type of performance you would like to get for the OS disk, okay, that will be generated automatically together with the virtual machine: premium SSD, standard SSD, standard HDD. Let's use the standard HDD. And I can create and attach a data disk; we'll do that later, we'll cover that also. Under Advanced, we can select if I would like to use managed disks, yes or no. My recommendation is that you should probably use managed disks, and it will make your life much easier. Moving on to Networking. So here I can edit
a virtual network called VNet01. Of course, it's a one-time process to create a virtual network and subnet for a group of virtual machines. I would like to create also a public IP resource to be able to remotely log in to the virtual machine. And here I can actually select if I would like to quickly get some rules related to inbound ports, and I selected that in Basics, I mean getting an RDP connection. That's all. Under Management, we can enable those monitoring capabilities; we'll show you how they are being used. There are also additional capabilities, like adding extensions, that we'll talk about later. But this is enough. We can go to Review + create. There will be some validation process, and now I can click on Create. Now, this is something that will take two to three minutes, and I will skip ahead to save you time. After a few seconds, you will see that under the virtual machines there is a new instance that is called VM01, but it's still under the status of Creating, and we'll wait a couple of minutes until it finishes, and then the status will change to Running. Okay, so the virtual machine is ready. I mean, the status is Running. Let me show you a few things that happened in the background while we waited until the virtual machine was ready. For that, I will go to All resources. What we can see here is that in addition to the virtual machine, okay, the VM01 virtual machine, the Azure cloud created all kinds of additional building blocks automatically: for example, a disk for the operating system, of course; a network interface that is automatically attached to that virtual machine; a public IP address resource; and finally a network security group. Now, all those building blocks are being used as default resources for the virtual machine, and we can add additional ones or change some of the settings of those resources. Let's go back to the virtual machine.
Click on that virtual machine and just take a look at the overview. So here we can see all the settings that we used, like the resource group, location, subscription, computer name, operating system. The size of that virtual machine is quite small: a virtual machine with one vCPU, one gigabyte of memory, the public IP address, and all kinds of metrics that monitor the health of that virtual machine, like CPU average, network consumption, disk usage, disk traffic and so on. Now there are many options. We can change all kinds of settings, operation and monitoring capabilities that we have on a virtual machine, and we'll cover that in the coming demonstration sessions, just after this session. The last thing that I would like to show you is how to connect to a virtual machine. This is a Windows-based virtual machine, so I'm clicking on Connect, and I have the option to download an RDP file. Let's download that. Clicking on that file, it will open the Remote Desktop Connection. Click Connect, put in my credentials and connect. Okay, this is the public IP address of that virtual machine, and I'm getting the Windows 10 interface of the virtual machine. And that's it; this is the way to connect to a virtual machine. Now there are some small changes when you're creating a Linux-based server, nothing dramatic, but the whole process is the same.

41. Demo VMs Setting:

Okay, let's see what kind of settings are available on the virtual machine level. Clicking on the specific virtual machine, on a specific instance, on the left side I have all kinds of options, some of which we already saw in the previous sections. Let's start from Networking. So basically, over here, I can see that this virtual machine is associated with a particular network interface. This is the name of the interface that was created automatically by Azure when I created the virtual machine. And this network interface is under a specific virtual network.
This is the name of the virtual network, in a specific subnet. It has a private IP address, and there is also a public IP. From here, I can attach additional network interfaces and detach existing network interfaces. I guess this is more the situation where you would like to create another network interface in addition to the network interface that was created by Azure for the virtual machine. You can associate the virtual machine with an application security group; we saw that again under the networking section. Now, over here, this network interface is associated with a specific network security group. You can customize that, meaning add additional inbound port rules, or also add additional outbound port rules. Okay, this is being done directly from here, or you can edit the network security group by clicking over here. Moving to Disks. Again, here I can see the operating system disk that was created automatically with all kinds of properties, and I can add additional data disks from here, okay, as we saw in the context of handling storage. The next important setting is Size. This is a great capability, a kind of flexibility, that I can scale up or scale down the virtual machine size that I provisioned when I created the virtual machine. Now, as an example, let's change the size to this one, okay, B2s, meaning two virtual CPUs and additional memory, and click Select. Okay, resizing the virtual machine. Okay, finished. Now I have a new size, okay, Standard B2s, and these are the new properties: two virtual CPUs and four gigabytes of memory. Of course, the process takes a little bit of time, and I skipped that process. But this is the way to scale up or scale down, and this is a great option to optimize cost and performance all together. The next option under Settings is Security. Over here, we will get a list of recommendations generated automatically on all kinds of security issues on the VM level.
As an example, there is a recommendation to apply disk encryption on the VM. If I click on that, I can take action to resolve that issue. Or, for example, there is a recommendation to install the monitoring agent on the VM. Before we click on that, I have the option to enable something that is called automatic provisioning, meaning Azure will automatically take action to resolve some of the security issues. The next option under Settings is Extensions, okay, extensions are all kinds of agents that we can install on a virtual machine for different use cases. For example, when I created that specific virtual machine, there was an option to mark that I would like to get diagnostics data, so as part of the process the platform installed such an agent on the virtual machine to be able to collect such diagnostics data. For adding a new extension, we click Add and we'll get, from the marketplace, all kinds of options to add an extension. Each one of them will come with different settings, so they are not the same. As an example, if I click on Network Watcher Agent for Windows, okay, this will help me to better monitor and diagnose all kinds of network performance problems. So let's click on Create. Okay, a new extension was added, Azure Network Watcher Extension. It's still in a transitioning status; it will take a few minutes until this extension is installed. But essentially, I will get more options under the monitoring capabilities by using this extension; it will enrich those options. Okay, the last thing I would like to show you in the context of settings is actually this option, right over here, Access control. As you remember, we discussed that in the introduction section, the whole capability of role-based access control. Over here you can add role assignments on the virtual machine level for different use cases, to limit the access to that virtual machine to specific users or specific groups. Here's a simple example.
Let's add a new role assignment by clicking on Add. The role that I would like to use is Contributor, and I would like to assign it to a specific user, and this one is John Green. Clicking Save, and it will add a new role assignment as a new line over here: John Green, and that is a user, the role itself is Contributor, and the scope is related only to this virtual machine. As a reminder, there are higher scope definitions. For example, my name, Idan Gabrieli, is an owner, and my scope is actually inherited from the subscription level. On the subscription level I have an Owner role assignment, and because this virtual machine is sitting under that subscription, it is inherited on each resource that will be created under that subscription.

42. Demo VMs Operations:
Let's see what kind of operations we can perform on a virtual machine. So here in the list of virtual machines, I'm selecting some instance of a virtual machine, and I have all kinds of options over here. Right now the status is Running. I can, for example, click on Stop. Of course, it will take a while; let's jump to the final result. There are different power states related to a virtual machine. The first one is Starting: the VM is starting up, meaning this location in the whole lifecycle. After finishing starting, it will be in Running mode. This is the normal working state of a virtual machine, and from that point in time this resource will be billed; there will be cost associated with that resource. Next, we have two branches. One option is to stop the virtual machine, but the hardware is still allocated to the virtual machine. When I'm saying stopping, there is some transition point that is called Stopping, and then the VM will be Stopped. During the Stopping transition state there is still cost associated with that phase, and only when the virtual machine is Stopped.
I mean, the VM is in shut-down mode. Now, from the Stopped state we can go into two states. We can start the VM, or we can deallocate the hardware resources for that virtual machine. This is the Deallocating transition mode, until it is completely Deallocated. This is the situation where the virtual machine is, of course, stopped, and there is no hardware allocated to that virtual machine anymore. We pressed Stop, and the final result is that this virtual machine is, of course, stopped, but it is also deallocated from the underlying infrastructure; it is not using the resources anymore. Just to be clear on that issue, and this is important: we stopped the virtual machine, and the virtual machine is computing power, CPU and memory, but there are other resources that are still allocated for that virtual machine, like the OS disk, data disks, or maybe a public IP address resource. All those resources are still allocated for that virtual machine and may be associated with additional cost, even though we stopped that virtual machine. Let's bring it back to life by clicking on Start, and this will take a while, but the final result is going into the Starting status, part of the lifecycle of a virtual machine, and after a while this virtual machine is now in Running mode. That's the normal operating status of a virtual machine. Now, you can do that manually, I mean stop a virtual machine to save cost. At the end, we need to optimize cost as much as possible; I mean, that's the whole flexibility of a cloud computing system. Now, a nice feature that you have inside the Operations category is called Auto-shutdown. So, for example, you created some virtual machine for testing, whatever, and you're working on that virtual machine during your regular hours, and you can set up that this VM will automatically shut down at 6 p.m.
You need to select, of course, your time zone, and you can also get a notification before the auto-shutdown, so maybe some email address. That's all; save it, and it will be a scheduled job that will automatically shut down your virtual machine. A very useful feature. Another nice feature is Backup at the virtual machine level. We can create a policy that will use the Recovery Services service. The information will be stored in some Recovery Services vault, and it will be stored in a specific resource group. I can choose some default backup policy, or maybe manually set up the policy, so it will happen on a daily basis at a specific time, in a specific time zone, and with exactly the retention I would like to keep. This is a very easy way to create some backup policy for our data. After enabling the backup service, this is the screen that we will get. First of all, under Backup status, we will see the last backup status, and we can see there was some successful backup job that happened today, and I can see the restore point over here. Of course, I can use that to restore my VM using this backup data. Now, most probably, if we just enabled that backup service, let's say to happen every day or every week, there is a high chance that the first initial backup didn't happen yet, and you will see that as a pending job over here. Now you can click on Backup now to create the first initial backup, or at any point in time click Backup now to create some restore point without any relation to the backup policy. Now, if I would like to view a summary of the backup jobs that were done in the system, or any running backup job right now, I can click on View all jobs, and it will provide me a summary of all kinds of jobs that were run or are running right now, and the status of each one of those jobs. Now, just to understand the big picture, we can create those backup policies per virtual machine.
I can have multiple virtual machines, each one with a different backup policy and different backup data. Everything at the end must be stored in this entity, the Recovery Services vault. It is a resource like any other resource, an entity that is actually being used to store the backup data from each virtual machine and also the backup policy configuration. The next option I would like to show you in the context of Operations is this one, Update management. This is a service that you can enable on the virtual machine, and it will provide you better control of all kinds of operating system updates, on a Windows operating system or a Linux operating system. We just need to enable that service, and from that point in time we will be able to manage the updates on the virtual machine. So, after enabling Update management on that specific virtual machine, I'm getting a nice summary of all missing updates right now. We can see all kinds of updates for the Windows 10 operating system that is installed on that virtual machine, some updates related to the antivirus definitions, and all kinds of additional updates over there. On the upper side, I will get a nice dashboard with some useful information: first of all, whether this virtual machine is compliant, whether there are any missing critical and security updates, and also some breakdown of the missing updates, and whether there was some failed update deployment for that virtual machine. In addition, I can also schedule update deployments. Let's do that for a second. I'll click on Schedule update deployment, and let's say I would like to perform automatic updates for security updates. Let's call it Security, and I will select the classification for updates, only security updates, and I would like it to happen every day, a recurrence interval of every one day. Click OK, and there will be some maintenance window, and reboot the virtual machine only if it is required.
Click Create. Now, if we go to the Scheduled update deployments tab, I can see the scheduled policy that I just created for security; the scope is that particular virtual machine, the recurrence is every day, and so on. Still under the Operations menu, we have also another nice, useful service that is called Inventory. The first thing that we need to do is to enable such a service on that virtual machine, and then there are some prerequisites, like choosing the location. I will keep it at the default; all my resources are located in this location. Then you need to create, only for the first time, something that is called a Log Analytics workspace, and select also the Automation account. This is also a one-time process, to create an Automation account, so if you created something like that for one VM, you will be able to use that for all the other VMs in your system. Let's click Enable. This is going to take a while; it can take maybe one hour or even more. After a while, you will get the current situation at an inventory level, in the context of that particular virtual machine. Every line here represents a software component installed on that virtual machine. We can see the version of that item, what is the publisher, and when was the last time this information was refreshed. So it is acting like an inventory list for a specific virtual machine. Now, in the context of inventory management, we can also click on Change tracking. This is coming together: when you enable the Inventory service, you will get also the option to click on Change tracking, and again it will be like a summary of different change types. So I can select, as an example, to see all the software changes over the last 24 hours, or whatever time range I would like to select, and I will see those changes. I can click on a particular change and get much more detailed information.
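The software change list that Change tracking shows in the lesson above is, underneath, a diff between successive inventory snapshots filtered to a time window. The following is an added example, not code from the course or from Azure: it diffs a constructed series of inventory snapshots (product names, versions, publishers and timestamps are all made up) and reports the changes observed in the last 24 hours, attributing each change to the snapshot in which it first appeared. It goes slightly beyond the single-pair comparison the lesson shows by walking a whole series of snapshots.

```python
"""Software inventory change tracking over a series of snapshots.

Added example, not code from the course. The inventory rows, product names,
versions and timestamps below are constructed sample data."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def diff_inventory(before, after):
    """Compare two inventory snapshots.

    Each snapshot is a dict mapping a software name to its details
    ({"version": ..., "publisher": ...}). Returns a list of changes of type
    Added, Removed or Modified (version or publisher differs), sorted by name.
    """
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes.append({"type": "Added", "name": name,
                            "before": None, "after": after[name]})
        elif name not in after:
            changes.append({"type": "Removed", "name": name,
                            "before": before[name], "after": None})
        elif before[name] != after[name]:
            changes.append({"type": "Modified", "name": name,
                            "before": before[name], "after": after[name]})
    return changes


def changes_since(snapshots, since):
    """Collect changes introduced by every snapshot taken at or after `since`.

    `snapshots` is a list of (timestamp, inventory) pairs in chronological
    order; each snapshot is diffed against the one before it, so a change is
    attributed to the time it was first observed.
    """
    found = []
    for (_, prev_inv), (t_cur, cur_inv) in zip(snapshots, snapshots[1:]):
        if t_cur < since:
            continue
        for change in diff_inventory(prev_inv, cur_inv):
            change["time"] = t_cur
            found.append(change)
    return found


def summarize(changes):
    """Count changes per type, e.g. {"Added": 2, "Modified": 1}."""
    return dict(Counter(c["type"] for c in changes))


# Constructed snapshots, oldest first. NOW is fixed so the example is repeatable.
NOW = datetime(2020, 1, 10, 12, 0, tzinfo=timezone.utc)
SNAPSHOTS = [
    (NOW - timedelta(hours=72), {
        "Google Chrome": {"version": "79.0", "publisher": "Google LLC"},
        "7-Zip": {"version": "19.00", "publisher": "Igor Pavlov"},
        "Notepad++": {"version": "7.8", "publisher": "Notepad++ Team"},
    }),
    (NOW - timedelta(hours=48), {   # Notepad++ removed (outside the 24h window)
        "Google Chrome": {"version": "79.0", "publisher": "Google LLC"},
        "7-Zip": {"version": "19.00", "publisher": "Igor Pavlov"},
    }),
    (NOW - timedelta(hours=20), {   # Network Watcher agent installed
        "Google Chrome": {"version": "79.0", "publisher": "Google LLC"},
        "7-Zip": {"version": "19.00", "publisher": "Igor Pavlov"},
        "Azure Network Watcher Agent": {"version": "1.4", "publisher": "Microsoft"},
    }),
    (NOW - timedelta(hours=2), {    # Chrome upgraded, an unknown tool appeared
        "Google Chrome": {"version": "80.0", "publisher": "Google LLC"},
        "7-Zip": {"version": "19.00", "publisher": "Igor Pavlov"},
        "Azure Network Watcher Agent": {"version": "1.4", "publisher": "Microsoft"},
        "Unknown Tool": {"version": "0.1", "publisher": "Unknown"},
    }),
]


def last_24h_changes():
    """The view the lesson selects: software changes over the last 24 hours."""
    return changes_since(SNAPSHOTS, NOW - timedelta(hours=24))


if __name__ == "__main__":
    for change in last_24h_changes():
        print(change["time"].isoformat(), change["type"], change["name"],
              change["before"], "->", change["after"])
    print(summarize(last_24h_changes()))
```

The Notepad++ removal is dropped because its snapshot predates the window, while the unknown-publisher tool and the Chrome version change surface in the last two snapshots; in practice the "Unknown" publisher entry is the kind of line an operator would open for the detailed view.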
I can also select different types of change. For example, I would click on Registry to see any change related to the registry. Right now, there is no change in the last 24 hours for the registry. So this is Change tracking, and at the end, the updated status related to the list of software is actually reflected in the Inventory option. The last option I would like to show you under Operations is Run command. This is more related to troubleshooting. Basically, we have off-the-shelf scripts that we can run directly inside the virtual machine. So, as an example, let's click on ipconfig. It will bring me this option to see the script. It's a simple command, ipconfig, to see all this information. I can click Run and get that information. This can take some time, depending on the script that you're running, but basically we just ran ipconfig to get information about all the relevant IP configuration on that virtual machine. Very simple to use. Some scripts are for getting information and some scripts are for changing settings, so we need to be a little bit careful while running those scripts.

43. Demo VMs Monitoring:
In the last two demonstrations, we covered all kinds of settings options at the virtual machine level, and in the last one, all kinds of options related to operations. Now I would like to talk about monitoring, and the first option is actually not sitting here; it is sitting over here, and I would like to talk about the Activity log. The list that we see here is basically records, logs. Each line here represents some activity log. For example, in the last section, we ran some command on the virtual machine; we can see that. And I changed some role assignment and deleted a role assignment. All those actions are recorded, and we can see the person, the user, that initiated that particular event.
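The Activity log entries described above (the Run command execution, the role assignment that was added and the one that was deleted) are exactly the records a security engineer would want to triage rather than read by hand. The following is an added example, not code from the course or from Azure: it assumes the Activity Log export schema (operationName.value, caller, resourceId, status.value, eventTimestamp) and runs over a constructed sample export in which the subscription ID, resource names, callers and timestamps are invented. It flags successful role assignment changes, Run command executions and extension installs, and escalates a role assignment written at resource group or subscription scope, since such an assignment is inherited by every resource underneath it.

```python
"""Triage of Azure Activity Log records for privileged virtual machine operations.

Added example, not code from the course. It assumes the Activity Log export
schema (operationName.value, caller, resourceId, status.value, eventTimestamp);
the subscription ID, names, callers and timestamps below are constructed."""
from collections import Counter

# Operations that change who can act on a VM or that run code inside it.
SENSITIVE_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "high",
    "microsoft.authorization/roleassignments/delete": "medium",
    "microsoft.compute/virtualmachines/runcommand/action": "high",
    "microsoft.compute/virtualmachines/extensions/write": "high",
}
ROLE_ASSIGNMENT_MARKER = "/providers/microsoft.authorization/roleassignments/"


def scope_level(resource_id):
    """Classify an ARM resource ID as 'subscription', 'resourceGroup' or 'resource'.

    For a role assignment ID, the part before the roleAssignments segment is
    the scope the assignment applies to, so that prefix is what gets classified.
    """
    rid = resource_id.lower()
    marker = rid.find(ROLE_ASSIGNMENT_MARKER)
    if marker != -1:
        rid = rid[:marker]
    segments = [s for s in rid.split("/") if s]
    # /subscriptions/<id> has 2 segments; /subscriptions/<id>/resourceGroups/<rg> has 4
    if len(segments) <= 2:
        return "subscription"
    if len(segments) <= 4:
        return "resourceGroup"
    return "resource"


def triage(records):
    """Return findings for successful sensitive operations, oldest first.

    A role assignment written above the resource level is escalated to
    critical because it is inherited by every resource under that scope.
    """
    findings = []
    for rec in records:
        if rec.get("status", {}).get("value") != "Succeeded":
            continue  # failed or in-progress events are not a completed change
        operation = rec["operationName"]["value"]
        severity = SENSITIVE_OPERATIONS.get(operation.lower())
        if severity is None:
            continue
        level = scope_level(rec["resourceId"])
        if operation.lower().startswith("microsoft.authorization/roleassignments/") and level != "resource":
            severity = "critical"
        findings.append({
            "time": rec["eventTimestamp"],
            "caller": rec["caller"],
            "operation": operation,
            "scope": level,
            "severity": severity,
            "resourceId": rec["resourceId"],
        })
    return sorted(findings, key=lambda f: f["time"])


def findings_per_caller(findings):
    """Count findings per caller, the first question in any follow-up."""
    return dict(Counter(f["caller"] for f in findings))


# Constructed identifiers for the sample export.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
VM = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm01"
ROLE_ASSIGNMENT = "/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222"


def _event(ts, caller, operation, resource_id, status="Succeeded"):
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": operation},
            "resourceId": resource_id, "status": {"value": status}}


SAMPLE_LOG = [
    _event("2020-01-10T10:00:00Z", "idan@example.com", "Microsoft.Authorization/roleAssignments/write", VM + ROLE_ASSIGNMENT),
    _event("2020-01-10T10:05:00Z", "idan@example.com", "Microsoft.Authorization/roleAssignments/delete", VM + ROLE_ASSIGNMENT),
    _event("2020-01-10T10:20:00Z", "idan@example.com", "Microsoft.Compute/virtualMachines/runCommand/action", VM),
    _event("2020-01-10T10:30:00Z", "idan@example.com", "Microsoft.Compute/virtualMachines/extensions/write", VM + "/extensions/AzureNetworkWatcherExtension"),
    _event("2020-01-10T10:40:00Z", "idan@example.com", "Microsoft.Compute/virtualMachines/deallocate/action", VM),
    _event("2020-01-10T11:00:00Z", "svc-automation@example.com", "Microsoft.Authorization/roleAssignments/write", SUB + ROLE_ASSIGNMENT),
    _event("2020-01-10T11:10:00Z", "john.green@example.com", "Microsoft.Compute/virtualMachines/runCommand/action", VM, status="Failed"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["severity"].upper(), f["caller"], f["operation"], f["scope"])
    print(findings_per_caller(triage(SAMPLE_LOG)))
```

The deallocate event and the failed Run command are ignored as noise; the subscription-scope role assignment by the automation account is the one line that should be investigated first, because it grants the role on every VM in the subscription, not just the one shown in the lesson.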
In addition, we can quickly change the filter criteria, like the time span we would like to see; right now it is showing the last six hours; the type of events we would like to see; and the particular resource group. I'm looking right now at vmc one, but you can also apply and create all kinds of filters. This is a useful way to track what's going on, the different activity on that particular resource. Moving on to the Monitoring section over here. First of all, in the Overview, we are getting all kinds of metrics. This is information that is being collected as metrics, as counters, from the virtual machine, indicating all kinds of performance indicators, like CPU, network, disk operations per second, all kinds of metrics. I can easily change the scale: I'm looking right now at one hour; I can change that to 12 hours, and all the graphs will be updated according to my selection. If you would like additional metrics, or to play a little bit with a more customized graph, I can go under Monitoring to this option, Metrics. Over there I have full flexibility to select a resource. I'm selecting right now the virtual machine, and based on my selection, we get all kinds of available metrics for that virtual machine. Let's select as an example the CPU utilization. I'm looking at the last 24 hours, and the aggregation is on average. I mean, those counters are being collected per each interval and summarized by the system. I can analyze and investigate if there is a CPU performance issue on that virtual machine. Of course, there is some spike at a particular time interval, because I initiated that virtual machine and then performed some installation, but on average the CPU utilization is, of course, quite low, because I haven't installed any application on that virtual machine yet. In addition, I can change the look and feel and choose another option, like a bar chart, to see that in a different way.
I can pin that to my dashboard or create some alerts, additional alerts based on KPIs. Moving next to this option, called Diagnostic settings: over here you can set up what kind of performance counters will be collected. You see that the performance counter CPU is being collected every 60 seconds, one minute, and also, in the context of logs, the different types of logs that we can select to collect or not to collect, and look at that in the Overview: what kind of information will be collected. The next option under Monitoring is called Advisor recommendations. It is actually a nice service or feature in Azure. It's like an aggregation of all kinds of recommendations; after analyzing the situation right now, it will provide you some feedback. It is divided into categories, like High availability, two recommendations; Security, six recommendations; under Performance, zero recommendations; and also Cost, zero recommendations. If I go to this tab, High availability, we get more details about what I should do in the context of high availability. For example, I didn't enable an availability set, something that we will learn in a future level, and I didn't use some backup to protect the data. Under Security, there are all kinds of recommendations, and we saw that under the Security Center recommendations, and so on. Now, the last thing I would like to say in the context of monitoring: monitoring performance metrics and analyzing logs is a little bit more complex subject. I presented that at a very high level in the context of a virtual machine, but we can look at that also in the big picture, on the whole system, and so on, and I'm planning to cover that in a dedicated section in a future level, so we get a much deeper understanding about those options. That's all I have for this section. Thank you for watching so far. I mean, we covered many topics, many features and options in the context of a virtual machine.
First of all, how to create a virtual machine and use the building blocks of virtual networks, network interfaces and IP configurations, data disks, and so on. Then, after the virtual machine is ready and deployed, we can perform all kinds of additional settings on top of that, like adding extensions, performing all kinds of operations on the virtual machine, running and stopping a virtual machine, and also monitoring the health of the virtual machine using metrics, setting alerts, and analyzing logs of all kinds of activities performed at the virtual machine level. It's time to let you practice a little bit. So the next section is all about you. I created some project with detailed documentation on how to create some system, to help you practice all the features and functionality we learned during the last sections.

44. Quick Mission Briefing v2:

45. Let's Summarize:
Hi and welcome back. Thanks for watching so far. I hope you managed to locate the project and play a little bit with the Microsoft Azure platform. At this point, I would like to have a quick summary of the things we learned during this course. We started with a simple definition of cloud computing, saying in simple words that cloud computing is basically a utility service for IT resources. Now, cloud computing is defined by five essential characteristics, three service models and four deployment models. Then I started to introduce the Microsoft Azure cloud solution, what kind of products and services are available, and focused specifically on Azure infrastructure as a service, the topic for this course: the global footprint of a public cloud provider, how the data centers are divided into availability zones and regions, and what kind of things we need to take into account while selecting a region for a resource
we would like to create; the concept of Resource Manager for managing the variety of entities; and using Azure role-based access control for limiting the access to resources as needed. As a first step to create any virtual machine, we learned to create the underlying communication layer using virtual networks, and what kind of settings are needed to create a virtual network, how to divide the virtual network into subnets, allocating private and public IP addresses at the network interface level, creating different IP configurations. And then we moved also to security, creating network security groups and combining them with application security groups to limit and control traffic flows. Moving to the storage part, I started with a more high-level introduction about public cloud storage services, presenting the main benefits like scalability, availability, pay as you go, and so on. Still looking at the big picture, I introduced the three types of cloud storage services, meaning block, file and object storage, and I put a little bit more focus on object storage. Next, we saw how the storage services in Azure are actually divided into infrastructure as a service and platform as a service, and, for example, creating disks for virtual machines is actually part of the first category, infrastructure as a service. Still on the virtual machine storage, moving to the practical side, we covered the concept of storage accounts, as they are used to group storage resources under the same roof, using a single unique namespace, helping to set up similar properties for multiple resources, and used as a single entity to manage. We covered in great detail the storage replication options, helping to make sure we don't lose important data. And the last very important topic was about virtual disks:
how to create and manage more storage capacity per each virtual machine, using managed or unmanaged disks, and also selecting the types of disks with different storage performance. We also talked about encryption of data at rest, as any data stored in Azure is actually encrypted at the storage account level. The last learning section was about virtual machines, and we started with a quick overview about virtualization in the regular private data center. Then we moved on to a public cloud, where virtualization is the key technology to build a complex computing fabric while using cloud management software. Focusing on the practical side, we learned everything that is needed to create virtual machines while combining the other building blocks like virtual networks, security rules, data disks and more, and extending some functionalities by adding virtual machine extensions, monitoring metrics of a virtual machine, scaling a VM size, and utilizing other features like auto-shutdown and scheduled backup. That's all the main topics we covered in this level. And now let's talk about your next step moving forward.

46. What Next?:
The Becoming a Cloud Expert training program is planned to be a collection of a few courses divided into levels, enabling students to understand and digest the possibilities related to cloud computing step by step. We covered the first level in this program, and I will release new levels going forward. You can also send me a message if you would like to get more information about the next available level. A small request from my side: please spend two to three minutes and share your feedback and experience inside the course dashboard. It's super important for me. Thanks again for watching, good luck, and I hope to see you again.