Microsoft Azure ® Infrastructure Services for Architects Designing Cloud Solutions John Savill


Page 1: Microsoft Azure Infrastructure Services for Architects · Acknowledgments I could not have written this book without the help and support of many people. First, I need to thank my

Microsoft Azure® Infrastructure Services for Architects: Designing Cloud Solutions

John Savill


Copyright © 2020 John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-59657-8
ISBN: 978-1-119-59653-0 (ebk.)
ISBN: 978-1-119-59660-8 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2019947400

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Azure are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.


For my wife, Julie, and my children, Abby, Ben, and Kevin


Acknowledgments

I could not have written this book without the help and support of many people. First, I need to thank my wife, Julie, for putting up with me for the last 6 months being busier than usual and for picking up the slack and for always supporting the crazy things I want to do! My children, Abby, Ben, and Kevin always make all the work worthwhile and can always make me see what is truly important with a smile.

Of course, the book wouldn’t be possible at all without the Wiley team: Kenyon Brown, the acquisitions editor; Janet Wehner, the project editor; Christine O’Connor, the production editor; John Sleeva, the copyeditor; and Nancy Carrasco, the proofreader.

Many people have helped me over the years with encouragement and technical knowledge, and this book is the sum of that. The following people helped with specific aspects of this book, and I want to call them out for helping make this book as good as possible: Alex Shteynberg, Alexander Frankel, Ali Mazaheri, Anavi Nahar, Andrew Mason, Anuj Chaudhary, Ashish Jain, Bala Natarajan, Brian Tirch, Charles Joy, Christina Compy, Cosmos Darwin, Daniel Savage, David Berg, David Browne, David Powell, Derek Martin, Doug Lora, Elisabeth Olson, Gunjan Jain, Jason Hendrickson, Jeff Cohen, Jeff Peterson, Jim Benton, Jose Rojas, Kiran Madnani, Klaas Langhout, Larry Claman, Marc Kean, Maria Lai, Markus Hain, Mark Russinovich, Mike Stephens, Mutlu Kurtoglu, Rajat Luthra, Ramiro Calderon, Randy Haagens, Raphael Chacko, Reed Rector, Rena Shah, Rich Thorn, Rimma Nehme, Rochak Mittal, Sadie Henry, Satya Vel, Simon Gurevich, Sibonay Koo, Steve Espinosa, Steve Linehan, Sujay Talasila, Thomas Weiss, Trinadh Kotturu, Tyler Fox, Varun Shandilya, Yugang Wang, Yunus Emre Alpozen, Yves Pitsch, and Zif Rafalovich. If I’ve missed anyone, I’m truly sorry.


About the Author

John Savill is a technical specialist who focuses on Microsoft core infrastructure technologies, including Microsoft Azure, Windows, Hyper-V, and anything that does something cool. He has been working with Microsoft technologies for over 20 years and was the creator of the highly popular NT FAQ website. He has written eight previous books, covering Azure, Hyper-V, Windows, and advanced Active Directory architecture. When he is not writing books, he regularly writes magazine articles and whitepapers, creates a large number of technology videos, which are available on his YouTube channel, https://www.youtube.com/ntfaqguy, and regularly presents online and at industry-leading events. John has a large library of technical learning materials available via Pluralsight (https://www.pluralsight.com/authors/john-savill), including entire tracks focused on identity, infrastructure, data, and more in the Microsoft cloud.

Outside of technology, John enjoys fitness training, including weightlifting and cardio to help prepare for his full IRONMAN triathlon events. John has completed 12 full IRONMAN events and while writing this book is busy training for IRONMAN Texas, Canada, and Maryland, for which he has signed up to complete in 2019 (hopefully).

John tries to update his blog at https://savilltech.com/ with the latest news of what he is working on and tweets at https://twitter.com/NTFAQGuy.


Contents at a Glance

Introduction . . . xix
Chapter 1 • The Cloud and Microsoft Azure Fundamentals . . . 1
Chapter 2 • Governance . . . 47
Chapter 3 • Identity . . . 95
Chapter 4 • Identity Security and Extended Identity Services . . . 145
Chapter 5 • Networking . . . 171
Chapter 6 • Storage . . . 213
Chapter 7 • Azure Compute . . . 249
Chapter 8 • Azure Stack . . . 281
Chapter 9 • Backup, High Availability, Disaster Recovery, and Migration . . . 297
Chapter 10 • Monitoring and Security . . . 325
Chapter 11 • Managing Azure . . . 359
Chapter 12 • What to Do Next . . . 399
Index . . . 415


Contents

Introduction . . . xix

Chapter 1 • The Cloud and Microsoft Azure Fundamentals . . . 1
The Evolution of the Datacenter . . . 1
  Introducing the Cloud . . . 2
  The Private Cloud and Virtualization . . . 4
  Types of Service in the Cloud . . . 10
Microsoft Azure 101 . . . 13
  Microsoft Datacenters and Regions . . . 14
  Microsoft Network . . . 24
  Azure Resource Providers . . . 26
Getting Access to Microsoft Azure . . . 30
  Free Azure Trials and Pay-as-You-Go . . . 31
  Azure Benefits from Visual Studio Subscriptions . . . 31
  Enterprise Enrollments for Azure . . . 33
Reserved Instances and Azure Hybrid Benefit . . . 37
  Reserved Instances . . . 37
  Azure Hybrid Benefit . . . 39
Increasing Azure Limits . . . 40
The Azure Portal . . . 41
  Portal Basics . . . 42
  Azure Portal Dashboards . . . 45

Chapter 2 • Governance . . . 47
What Is Governance? . . . 47
Understanding Governance Requirements in Your Organization . . . 49
Azure Subscriptions and Management Groups . . . 52
  Subscriptions . . . 52
  Management Groups . . . 55
Resource Groups . . . 62
Role-Based Access Control . . . 63
Naming Conventions . . . 69
Using Tags . . . 70
Azure Policy . . . 75
Azure Templates . . . 80
Azure Blueprints . . . 83
Azure Resource Graph . . . 86
Cost Management . . . 88
  Visibility . . . 89
  Accountability . . . 91
  Optimization . . . 93


Chapter 3 • Identity . . . 95
The Importance of Identity . . . 95
A Brief Refresher on Active Directory . . . 97
Using Cloud Services, Federation and Cloud Authentication . . . 98
  Federation . . . 98
  Cloud Authentication and Authorization . . . 101
Azure Active Directory Fundamentals . . . 103
  Azure AD SKUs . . . 106
  Populating Azure AD . . . 108
  Azure AD B2B . . . 122
  Azure AD Authentication Options . . . 128
  Azure AD Groups . . . 137
  Azure AD Entitlements and Application Publishing . . . 138

Chapter 4 • Identity Security and Extended Identity Services . . . 145
Azure AD Security . . . 145
  Multi-Factor Authentication . . . 145
  Password Policies . . . 149
  Azure AD Conditional Access . . . 150
  Azure AD Identity Protection . . . 153
  Azure AD Log Inspection . . . 154
  Azure AD Privileged Identity Management . . . 156
  Azure Advanced Threat Protection . . . 158
  Azure AD Application Proxy . . . 158
Azure AD B2C . . . 160
Active Directory in the Cloud . . . 162
  Active Directory Site Configuration . . . 163
  Placing a Domain Controller in Azure . . . 164
  Azure AD Domain Services . . . 167

Chapter 5 • Networking . . . 171
Connectivity . . . 171
  Virtual Networks . . . 171
  Adding a VM to a Virtual Network . . . 174
  NIC IP Configurations . . . 174
  Reserved IPs for VM . . . 176
  Accelerated Networking . . . 177
  Azure DNS Services and Configuration Options . . . 177
  Connecting Virtual Networks . . . 178
  Connectivity to Azure . . . 181
  Azure Virtual WANs and ExpressRoute Global Reach . . . 193
  PaaS VNet Integration . . . 194
Protection . . . 196
  Network Security Groups and Application Security Groups . . . 196
  Firewall Virtual Appliances . . . 199
  Distributed Denial-of-Service Protection . . . 202


Delivery . . . 202
  Intra-Region Load Balancing . . . 203
  Inter-Region Load Balancing . . . 206
Monitoring . . . 210

Chapter 6 • Storage . . . 213
Azure Storage Services . . . 213
  Azure Storage Architecture . . . 213
  Using Storage Accounts and Types of Replication . . . 215
  Storage Account Keys . . . 219
  Azure Storage Services . . . 221
Storage with Azure VMs . . . 235
  VM Storage Basics . . . 235
  Temporary Storage . . . 236
  Managed Disks . . . 237
Bulk Data Options . . . 242
  Azure Import/Export and Azure Data Box Disk . . . 242
  Azure Data Box . . . 242
  Azure Data Box Gateway and Data Box Edge . . . 242
Azure Database Offerings . . . 243
  Azure SQL Database . . . 243
  Azure Cosmos DB . . . 246

Chapter 7 • Azure Compute . . . 249
Virtual Machines . . . 249
  Fundamentals of IaaS . . . 249
  Types of Virtual Machines . . . 252
  Azure VM Agent and Extensions . . . 258
  Boot Diagnostics . . . 260
  Ephemeral OS Disks . . . 261
  Proximity Placement Groups . . . 262
  Virtual Machine Scale Sets . . . 263
  Low-Priority VMs . . . 264
  Azure Dedicated Host . . . 264
  Windows Virtual Desktop . . . 265
  VMware in Azure? . . . 265
Platform as a Service Offerings . . . 266
  Containers . . . 266
  Azure Application Services . . . 275
  Azure Serverless Compute Services . . . 278

Chapter 8 • Azure Stack . . . 281
Azure Stack Foundation . . . 281
  Azure Stack 101 . . . 281
  Services Available on Azure Stack . . . 284
  How to Buy Azure Stack . . . 285
  When to Use Azure Stack . . . 287


Managing Azure Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288How to Interact with Azure Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288Marketplace Syndication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290Plans, Offers, and Subscriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292Updating Azure Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294Privileged Endpoint and Support Session Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Understanding Azure Stack HCI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Chapter 9 • Backup, High Availability, Disaster Recovery, and Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297Availability 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Distinguishing High Availability vs. Disaster Recovery vs. Backup. . . . . . . . . . . . 297Understanding Application Structure and Requirements. . . . . . . . . . . . . . . . . . . . . 299Architecting for Multi-Region Application Deployments . . . . . . . . . . . . . . . . . . . . . 301

Backups in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305Thinking About Backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305Using Azure Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

High Availability in Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311Disaster Recovery in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

On-Premises Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313On Premises to Azure Disaster Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314Azure to Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Migrating Workloads to Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318Migration Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319Migration Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320Migration Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Chapter 10 • Monitoring and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325Azure Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Why Monitor? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325Types of Telemetry in Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326Azure Monitor Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329Azure Monitor Logs Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

  Security in Azure . . . . . 350
    Advanced Threat Protection (ATP) . . . . . 350
    Azure Security Center (ASC) . . . . . 353
    Azure Sentinel . . . . . 355
    Keeping Secrets with Azure Key Vault and Managed Identities . . . . . 357

Chapter 11 • Managing Azure . . . . . 359
  Command Line, Scripting, and Automation with Azure . . . . . 359

    Using PowerShell with Azure . . . . . 360
    Using the CLI with Azure . . . . . 370
    Leveraging Azure Cloud Shell . . . . . 371
    Automating with Azure Automation and Azure Functions . . . . . 376


  Deploying Resources with ARM JSON Templates . . . . . 383
    Everything Is JSON . . . . . 383
    Anatomy of an ARM JSON Template . . . . . 386
    Template Tips . . . . . 389

  Additional Useful Technologies for Azure Management . . . . . 393
    Azure Bastion Host . . . . . 393
    Windows Admin Center . . . . . 395

Chapter 12 • What to Do Next . . . . . 399
  Understanding and Addressing Azure Barriers . . . . . 399

    Building Trust . . . . . 400
    Understanding Risks for Azure . . . . . 400

  Why You Should Use Azure and Getting Started . . . . . 408
    Understanding Azure’s Place in the Market . . . . . 408
    First Steps with Azure IaaS . . . . . 411

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415


Introduction

The book you are holding is the result of my 25 years of experience in the IT world, including 20 years of virtualization experience, which started with VMware and Virtual PC and continues today with Hyper-V, and many years focusing on public cloud solutions, especially Microsoft Azure. My goal for this book is simple: to make you knowledgeable and effective at architecting an Azure-based infrastructure. If you look at the scope of Microsoft Azure functionality, a single book would have to be the size of the Encyclopaedia Britannica to cover it, so my focus for this book is the infrastructure-related services, including VMs in Azure, storage, networking, and some complementary technologies. Additionally, the focus is on architecting a solution. I will also show how to automate processes using technologies such as templates and PowerShell/CLI, how to integrate Azure with your on-premises infrastructure to create a hybrid solution, and even how to use Azure as a disaster recovery solution.

There is a huge amount of documentation for each feature of Azure. The documentation walks through each feature’s basic functionality and provides step-by-step instructions for the basic deployment. When performed through the GUI, these steps often change, as interfaces continue to evolve. Additionally, as this book will show, while the portal is great for learning about the options, you won’t be using it for production deployments, preferring instead to use prescriptive technologies like templates. Therefore, the goal of this book is to help you understand the options, to understand how to use them as part of a solution to meet requirements, to enable architectures to be created using the right components, with best practices developed over years of working with many Fortune 500 organizations. Yes, this book will expose you to all the important Azure infrastructure services, but it will focus on providing real value to enable the most complete and optimal utilization of Azure. It will focus on walkthroughs only for more involved or complex scenarios where they really provide value. But don’t worry—the basic step-by-steps will still be referenced so that you can easily find them.

Microsoft is one of only three vendors positioned as a leader in the Gartner Magic Quadrant for public cloud IaaS, and Azure is used by many of the largest companies in the world; I cover this in more detail in Chapter 12.

I am a strong believer that doing an action is the best way to learn something, so I encourage you to try out all the technologies and principles I cover in this book. Because Azure is a public cloud solution, you don’t need any local resources except for a machine to connect to Azure. You can even run command-line interfaces (CLIs) directly within the Azure portal environment. Ideally, you will also have an on-premises lab environment to test the networking to Azure and hybrid scenarios. However, you don’t need a huge lab environment; for most of the items, you could use a single machine with Windows Server installed on it and with 8 GB of memory to enable a few virtual machines to run concurrently. As previously mentioned, sometimes I provide step-by-step instructions to guide you through a process; sometimes I link to an external source that already has a good step-by-step guide; and sometimes I link to videos I have posted to ensure maximum understanding.

This book was one of the most challenging I’ve written. Because Azure is updated so frequently, it was necessary to update the book while writing, as capabilities would change. The Microsoft product group teams helped greatly, giving me early access to information and even environments to enable the book to be as current as possible. To keep the content relevant, I will be releasing a digital supplement and updating it as required. This will be available, along with any sample code, video links, and other assets, on the book’s GitHub page at:

https://github.com/johnthebrit/MasterIaaS2019

As you read each chapter, look at the GitHub repository for videos and other information that will help your understanding, as I do not specifically call these references out in the text of the book. The main page shows how to get a local copy of the repository, which has the benefit of making it easy to get updates as they occur.


Who Should Read This Book

I am making certain assumptions regarding the reader:

◆ You have basic knowledge about and can install Windows Server.

◆ You have basic knowledge of what PowerShell is.

◆ You have access to the Internet and can sign up for a trial Azure subscription.

This book is intended for anyone who wants to learn Azure Infrastructure services, but it is really focused on exposing the options and offering guidance on architecting solutions. If you have basic knowledge of Azure, that will help, but it is not a requirement. I start off with a foundational understanding of each technology and then build on that to cover more advanced topics and configurations. If you are an architect, a consultant, an administrator, or really anyone who just wants a better knowledge of Azure Infrastructure, this book is for you.

There are many times I go into advanced topics that may seem over your head, in which case don’t worry. Focus on the preceding elements you understand, implement and test them, and solidify your understanding. Then, when you feel comfortable, come back to the more advanced topics, which will seem far simpler.

There are various Azure exams. The most relevant to this book are AZ-100 and AZ-101 (replacing the old 70-533 exam), which, when passed, give the participant the Azure Administrator Associate certification:

https://www.microsoft.com/en-us/learning/azure-administrator.aspx

Additionally, exams AZ-300 and AZ-301 (replacing the old 70-534 exam), when passed, give the Azure Solutions Architect Expert certification:

https://www.microsoft.com/en-us/learning/azure-solutions-architect.aspx

Will this book help you pass the exams? Yes, it will help. I took the exams for both certifications cold, without knowing what was in the exams and without any study, and I passed. Since most of my Azure brain is in this book, it will help. However, I advise you to look at the areas covered in the exams and use this book as one resource to help, but also use other resources that Microsoft references on the exam site. This is especially true of the architect certification, which includes a significant amount of content on application and database concepts, which I cover in this book only at a very high level.

What’s Inside

Here is a glance at what’s in each chapter.

Chapter 1, “The Cloud and Microsoft Azure Fundamentals,” provides an introduction to all types of cloud services and then dives into specifics about Microsoft’s Azure-based offerings. After an overview of how Azure is acquired and used, the Infrastructure as a Service (IaaS) will be introduced, with a focus on what is really the difference between a best-effort and a reliable service and why best-effort may be better!


Chapter 2, “Governance,” focuses on the first item companies must consider and address before using any service, including the public cloud and Azure. This chapter focuses on key concepts around Azure Resource Manager, understanding core governance around structure, role-based access control, naming, policy, cost and more.

Chapter 3, “Identity,” addresses the next consideration for service usage, understanding identity. This chapter walks through the importance of identity in the public cloud and how it becomes the key security perimeter for many services. Azure AD will be introduced, along with its population and authentication options.

Chapter 4, “Identity Security and Extended Identity Services,” builds on the previous chapter by looking at key security capabilities with Azure AD and how AD can be extended into the public cloud in a secure manner. Other identity services for custom applications will be explored.

Chapter 5, “Networking,” explores offering services running in Azure out to Internet-based consumers. It looks at key concepts such as endpoints to offer services and also providing load balanced services for greater service availability. Virtual Networks provide a construct to enable customizable IP space configurations that are used by many services in Azure. This chapter dives into architecting, configuring, and managing virtual networks. Finally, various types of connectivity between virtual networks and on premises are explored.

Chapter 6, “Storage,” examines the core capabilities of storage accounts in Azure and then walks through the storage capabilities used by infrastructure services in Azure, including managed disks. Services for large-scale data import and export are introduced.

Chapter 7, “Azure Compute,” starts by introducing virtual machines, the building block of nearly every Azure service, including their key capabilities, before moving on to more advanced concepts around availability and placement. An introduction to some of the Platform as a Service offerings is provided so that architects have a complete picture of the key available options.

Chapter 8, “Azure Stack,” explores the on-premises Azure capability through partner appliances, including key scenarios and architecture considerations. Key concepts such as plans and offers will be covered, including how to manage the marketplace.

Chapter 9, “Backup, High Availability, Disaster Recovery, and Migration,” starts by looking at key requirements for disaster recovery and some of the key considerations in architecting a successful disaster recovery plan. A number of technologies commonly used for disaster recovery will be explored, including types of replication and service provisioning. The orchestration of a failover is explored using recovery plans. The chapter then examines how the same replication technologies can be used in combination with other capabilities for migration purposes. Finally, the chapter introduces backup capabilities and discusses best practices for their usage.

Chapter 10, “Monitoring and Security,” dives into Azure services related to monitoring, enabling complete insight into the entire Azure-based solution. Key security services that are not covered elsewhere in the book are also covered.


Chapter 11, “Managing Azure,” looks at the right way to manage Azure. This includes command-line interfaces, scripting and automation, and using templates for resource provisioning. A number of management services to enhance the overall solution are covered, including some seamless options to connect to Azure-based virtual machines.

Chapter 12, “What to Do Next,” brings everything together and looks at how to get started with Azure, how to plan next steps, how to stay up-to-date in the rapidly changing world of Azure, and the importance of overall integration.

How to Contact the Author

I welcome your feedback about this book or about books you’d like to see from me in the future. You can reach me by writing to [email protected]. For more information about my work, visit my website at https://savilltech.com.

Sybex strives to keep you supplied with the latest tools and information you need for your work. Please check their website at www.wiley.com/go/sybextestprep, where we’ll post additional content and updates that supplement this book, should the need arise.


Chapter 1

The Cloud and Microsoft Azure Fundamentals

This chapter focuses on changes that are impacting every organization’s thinking regarding infrastructure, datacenters, and ways to offer services. “As a Service” offerings (both on premises and hosted by partners, and accessed over the Internet in the form of the public cloud) present new opportunities for organizations.

Microsoft’s solution for many public cloud services is its Azure service, which offers hundreds of capabilities that are constantly being updated. This chapter will provide an overview of the Microsoft Azure solution stack before examining various types of Infrastructure as a Service (IaaS) and how Azure services can be procured.

In this chapter, you will learn to:

◆ Articulate the different types of “as a Service.”

◆ Identify key scenarios where the public cloud provides the most optimal service.

◆ Understand how to get started consuming Microsoft Azure services.

The Evolution of the Datacenter

When I talk to people about Azure, or even the public cloud in general, where possible I start the conversation by talking about their on-premises deployments and the requirements that drove the existing architecture. For most companies, needs have changed radically over recent years to meet both customer and employee requirements. Employees expect to be able to work anywhere, from anything, using a large number of cloud-based services. Customers are similar, wanting engaging digital experiences across devices that use existing social identities where practical. Organizations are looking to digitally transform and to focus on creating only what differentiates them in the market through accelerated innovation. For organizations, this means more agility and the capability to scale elastically, potentially globally. Additionally, these drivers often mean getting out of the datacenter business in favor of cloud service utilization, which enables a greater focus on the application and optimized IT spend, all while dealing with new security implications. As organizations embrace cloud services, a complete rethinking is required: the network can no longer be the trusted boundary, since many services will live outside the corporate network. Instead of treating the corporate network as a completely trusted area that is impenetrable at the network edge, the focus shifts to identity as the new security perimeter, while a zero-trust model, in which no request is trusted merely because of where on the network it originates, is increasingly common for the network.


But I am getting ahead of myself, and I like to start off with an interesting use case of the cloud that pre-cloud would have been very difficult.

Video gaming is a hugely popular industry. Many games today host massive, multiplayer environments that need additional resources, such as storage and compute, to deliver the best experience. These resources see huge spikes in demand that vary around the world, and to enhance rather than degrade the user experience, they need to be close to the player to reduce latency. A great example of this is Halo, which I’ve been playing since its first version on the original Xbox. Gaming resource requirements are the opposite of many other industries. Most services start out small and grow over time, requiring more resources (which the cloud is great for); games, however, are the opposite. When a game releases, it tends to require huge amounts of resources for the first few weeks and then sees a significant ramp down. Before the cloud, game services would have to build huge datacenters with a lot of resources that would sit largely idle after the first few weeks. With the cloud, thousands of cores can be used for services and then scaled down to hundreds. Halo game services use Azure for several services, including statistics, a huge part of gaming: every activity the player performs is tracked to provide end-of-game summaries and overall player history. The elasticity of the cloud enables Halo to access the resources as required to provide an amazing player and community experience while optimizing costs to pay only for what is needed, when it is needed.

Introducing the Cloud

Every organization has some kind of IT infrastructure. It could be a server sitting under someone’s desk, geographically distributed datacenters the size of multiple football fields, or something in between. Within that infrastructure are a number of key fabric (physical infrastructure) elements:

Compute Capacity Compute capacity can be thought of in terms of the various servers in the datacenter, which consist of processors, memory, storage controllers, network adapters, and other hardware (such as the motherboard, power supply, and so on). These resources provide a server with a finite amount of resources, which includes computation, memory capacity, network bandwidth, and storage throughput (in addition to other characteristics). I will use the term compute throughout this book when referring to server capacity.

Storage A persistent method of storage for data—from the operating system (OS) and applications to pure data, such as files and databases—must be provided. Storage can exist within a server or in external devices, such as a storage area network (SAN). SANs provide enterprise-level performance and capabilities, although newer storage architectures that leverage local storage, known as hyper-converged, which in turn replicate data, are becoming more prevalent in datacenters. Additionally, non-persistent, aka ephemeral, storage is available for most resources.

Network These components connect the various elements of the datacenter and enable client devices to communicate with hosted services. Connectivity to other datacenters may also be part of the network design. Options such as dedicated fiber connections, Multiprotocol Label Switching (MPLS), and Internet connectivity via a DMZ are typical. Other types of resources, such as firewalls, load balancers, and gateways, are likely used in addition to technologies to segment and isolate parts of the network—for example, VLANs.

Datacenter Infrastructure An often overlooked but critical component of datacenters is the supporting infrastructure. Items such as uninterruptible power supplies (UPSs), air conditioning, the physical building, and even generators all have to be considered. Each consumes energy and impacts the efficiency of the datacenter as well as its power usage effectiveness (PUE), the ratio of the total energy the facility consumes to the energy actually delivered to the computing equipment. The lower the PUE (1.0 being the theoretical ideal), the more efficient the datacenter, or at least the more of its power is going to the actual computing, reducing overall power consumption. An interesting point is that although power efficiency is important, other metrics are starting to be discussed, such as water efficiency, which become more important when considering all the types of resources impacted by datacenters.

Once you have the physical infrastructure in place, you then add the actual software elements (the OS, applications, and services), and finally the management infrastructure, which enables deployment, patching, backup, automation, and monitoring. The IT team for an organization is responsible for all of these datacenter elements. The rise in the size and complexity of IT infrastructure is a huge challenge for nearly every organization. Despite the fact that most IT departments see budget cuts year after year, they are expected to deliver more and more as IT becomes increasingly critical. With digital transformation, the business expects more agility for IT resources, enabling new offerings to be created and deployed quickly with potentially highly elastic compute needs throughout the world.

Not only is the amount of IT infrastructure increasing, but that infrastructure needs to be resilient. This typically means implementing disaster recovery (DR) solutions to provide protection from a complete site failure, such as one caused by a large-scale natural disaster. If you ignore the public cloud, your organization will need to lease space from a co-location facility or set up a new datacenter. When I talk to CIOs, one of the things at the top of the don’t-want-to-do list is writing more checks for datacenters; in fact, writing any checks for datacenters is on that list.

In the face of increased cost pressure and the desire to be more energy and water responsible (green), datacenter design becomes ever more complex, especially in a world with virtualization. If the three critical axes of a datacenter (shown in Figure 1.1) are not properly thought out, your organization’s datacenters will never be efficient. You must consider the square footage of the actual datacenter, the kilowatts that can be consumed per square foot, and the amount of heat that can be dissipated, expressed in BTU per hour.

Figure 1.1 The three axes of datacenter planning: floor space (sq. ft.), power used (kW/sq. ft.), and heat dissipation (BTU/sq. ft.)


If you get any of these calculations wrong, you end up with a datacenter you cannot fully use because you can’t get enough power to it, can’t keep it cool enough, or simply can’t fit enough equipment in it. As compute resources become denser and consume more power, it’s critical that datacenters supply enough power and have enough cooling to keep servers operating within their environmental limits. I know of a number of datacenters that are only 50 percent full because they cannot provide enough power to fully utilize the available space. It’s also critical to plan for power resiliency: if you want redundant power, that may double the overall power requirement of the facility, and if that is neglected, once again you can only half fill the datacenter while still meeting the power redundancy requirement. Not a good day!
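To make the three-axes argument (and the PUE definition above) concrete, here is an added worked example that is not from the book: it computes how many racks a facility can actually hold once floor space, the utility power feed (scaled by PUE, and halved when 2N power redundancy is required) and cooling capacity are each applied, and reports which axis is the binding one. Every figure in it is constructed for illustration, the class and function names are the example’s own, and the only physical constant it relies on is that 1 kW of IT load is dissipated as roughly 3,412 BTU/h of heat.

```python
"""Datacenter capacity check across the three planning axes: floor space,
power and cooling, with PUE and power redundancy folded into the power axis.

Added example, not from the book; every input figure below is constructed.
"""

from dataclasses import dataclass, replace

# Physical conversion: 1 kW of electrical load ends up as ~3412 BTU/h of heat.
BTU_PER_HOUR_PER_KW = 3412.14


@dataclass(frozen=True)
class Facility:
    floor_sq_ft: float            # raised-floor area usable for racks
    sq_ft_per_rack: float         # footprint per rack including aisles/clearance
    kw_per_rack: float            # design IT load per rack
    utility_feed_kw: float        # total power the utility can deliver to the building
    cooling_btu_per_hour: float   # total heat the cooling plant can remove
    pue: float = 1.0              # facility power / IT power (1.0 is the ideal)
    redundant_power: bool = False # 2N power: half the feed is held in reserve


def rack_capacity(f: Facility) -> dict:
    """Return the rack count each axis permits, the binding axis, and the
    resulting rack count and floor utilization."""
    by_floor = int(f.floor_sq_ft // f.sq_ft_per_rack)

    # Power axis: each kW of IT load costs `pue` kW at the meter, and with 2N
    # redundancy only half of the feed may be committed to load.
    usable_feed_kw = f.utility_feed_kw / 2 if f.redundant_power else f.utility_feed_kw
    by_power = int(usable_feed_kw // (f.kw_per_rack * f.pue))

    # Cooling axis: practically all IT power becomes heat that must be removed.
    heat_per_rack = f.kw_per_rack * BTU_PER_HOUR_PER_KW
    by_cooling = int(f.cooling_btu_per_hour // heat_per_rack)

    limits = {"floor": by_floor, "power": by_power, "cooling": by_cooling}
    binding = min(limits, key=limits.get)
    racks = limits[binding]
    return {
        **limits,
        "binding": binding,
        "racks": racks,
        "floor_utilization": racks / by_floor if by_floor else 0.0,
    }


# Constructed facility: 10,000 sq ft, 8 kW racks, PUE 1.5, 4.5 MW feed,
# 12 MBTU/h of cooling. None of these numbers come from the book.
EXAMPLE_FACILITY = Facility(
    floor_sq_ft=10_000,
    sq_ft_per_rack=25,
    kw_per_rack=8,
    utility_feed_kw=4_500,
    cooling_btu_per_hour=12_000_000,
    pue=1.5,
)


def compare_redundancy(f: Facility = EXAMPLE_FACILITY) -> dict:
    """Show the same building with and without a 2N power requirement."""
    return {
        "single_feed": rack_capacity(f),
        "redundant_2n": rack_capacity(replace(f, redundant_power=True)),
    }


if __name__ == "__main__":
    for label, result in compare_redundancy().items():
        print(f"{label}: {result['racks']} racks, bound by {result['binding']}, "
              f"floor {result['floor_utilization']:.0%} used")
```

Run as written, the single-feed facility is power-bound at 375 of its 400 rack positions; demanding 2N power without growing the feed halves that to 187 racks, the half-empty datacenter the text describes, even though the floor and cooling plant were sized correctly.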

The Private Cloud and Virtualization

In the early 2000s, as organizations looked to better use their available servers and enjoy other benefits, such as faster provisioning, virtualization became a key technology in every datacenter. When I look back to my early days as a consultant, I remember going through sizing exercises for a new Microsoft Exchange server deployment. Because sizing the servers required that I consider the busiest possible time and also the expected increase in utilization over the lifetime of the server (for example, five years), the server was heavily overprovisioned, which meant it was also highly underutilized. Underutilization was a common situation for most servers in a datacenter, and it was typical to see servers running at 5 percent. It was also common to see provisioning times of up to 6 weeks for a new server, which made it hard for IT to react dynamically to changes in business requirements.

Virtualization enables a single physical server to be divided into one or more virtual machines through the use of a hypervisor. The virtual machines are completely abstracted from the physical hardware; each virtual machine is allocated resources such as memory and processor in addition to virtualized storage and networking. Each of the virtual machines then can have an operating system installed, which enables multiple operating systems to run on a single piece of hardware. The operating systems may be completely unaware of the virtual nature of the environment they are running on. However, most modern operating systems are enlightened; they are aware of the virtual environment and actually optimize operations based on the presence of a hypervisor. Figure 1.2 shows a Hyper-V example leveraging the VHDX virtual hard disk format.

Figure 1.2 A high-level view of a virtualization host and resources assigned to virtual machines: VM1 and VM2, each running an OS from a VHDX virtual hard disk and attached to the host’s virtual switch