```
├── README.md
├── compute
│   ├── availsets.md
│   ├── extensions.md
│   ├── lis-waagent.md
│   └── vms.md
├── concepts
│   ├── auth.md
│   ├── cli.md
│   ├── debugging.md
│   ├── environments.md
│   ├── regions.md
│   ├── resources.md
│   ├── subscriptions.md
│   └── templates.md
├── iaas.md
├── network
│   ├── dns.md
│   ├── gateways.md
│   ├── ips.md
│   ├── lbs.md
│   ├── nics.md
│   ├── nsgs.md
│   └── vnets.md
├── storage
│   ├── accessibility.md
│   ├── accounts.md
│   ├── local.md
│   ├── types.md
│   └── vhds.md
└── wrapup.md
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
An Introduction to Microsoft Azure
==================================
Gaining technical proficiency with Azure, starting from scratch, can be a
daunting challenge. Azure has been growing at a fast pace, in both breadth
and depth, since its inception, with documentation growing at the same scale.
Not only do new features arrive frequently, but existing ones have changed and
continue to do so. Finding your way through the very detailed online
documentation can feel like working on a jigsaw puzzle without knowing in
advance what the picture on the box is.

This introduction is designed to hit the Goldilocks point: fine-grained enough
to give you the technical grounding you need, but not so detailed that you get
lost in the weeds. The major concepts are presented in a logical order,
covering all the prerequisites for working with Linux virtual machines, with
short hands-on examples that demonstrate the material and callouts to the
detailed docs if you want a deeper dive on a topic.

# Bootstrap
Azure is a remote, distributed collection of virtualized
[resources](concepts/resources.md), and the interfaces and tools that
allow you to securely manage and interact with them.

Fundamentally, these interfaces are REST APIs: HTTP requests are made to
initiate an operation, and the results are communicated back from Azure in
the consequent HTTP response. While the REST APIs are great, they're not great
for most humans to use directly, so various other abstractions have been built
on top of them. There are SDKs and tools for various languages, such as
[Java](https://azure.microsoft.com/en-us/develop/java/),
[Node.js](https://azure.microsoft.com/en-us/develop/nodejs/), and
[Python](https://azure.microsoft.com/en-us/develop/python/),
and, more importantly for our purposes here, two command-line interfaces: one
in PowerShell (now
[open source and available on Linux](https://azure.microsoft.com/en-us/blog/powershell-is-open-sourced-and-is-available-on-linux/)),
and a cross-platform (xplat) CLI written in Node.js. All of these ultimately
communicate with Azure via REST, though, so whichever tool you use, the same
[authentication and authorization](concepts/auth.md) rules apply.

Throughout this introduction, we will use the xplat CLI for the examples,
so you'll want to have that
[installed](https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/)
before proceeding. We assume you have already been set up with a subscription
(by your organization, or a
[free personal one](https://azure.microsoft.com/en-us/free/)) as well.

# Flow

The example code in the sections that follow builds on what came before and
is meant to be executed in the sequence below. If you skip around, you may
run into errors from unmet dependencies. If that's your style, don't let
that stop you! Figuring out why some example code doesn't work, and how
to fix it, is a great way to learn. If you get stuck, though, you should
be able to start over from the beginning with a clean slate and make it
all work.

# Table of Contents

## Concepts
* [xPlat CLI](concepts/cli.md)
* [Environments](concepts/environments.md)
* [Authentication & Authorization](concepts/auth.md)
* [Subscriptions](concepts/subscriptions.md)
* [Regions](concepts/regions.md)
* [Resources, Resource Providers, and Resource Groups](concepts/resources.md)
* [ARM Templates](concepts/templates.md)
* [Idiosyncrasies, Gotchas, and Debugging Tips](concepts/debugging.md)

## Infrastructure as a Service
* [The IaaS "Big Three": Network, Storage, and Compute](iaas.md)

## Network
* [Virtual Networks & Subnets](network/vnets.md)
* [Gateways](network/gateways.md)
* [IP Addresses](network/ips.md)
* [NICs](network/nics.md)
* [Network Security Groups](network/nsgs.md)
* [Load Balancers](network/lbs.md)
* [DNS](network/dns.md)

## Storage
* [Types](storage/types.md)
* [Accounts](storage/accounts.md)
* [Accessibility](storage/accessibility.md)
* [VHDs](storage/vhds.md)
* [Temporary/Local](storage/local.md)

## Compute
* [Availability Sets](compute/availsets.md)
* [Virtual Machines](compute/vms.md)
* [Linux Integration Services & the Azure Linux Agent](compute/lis-waagent.md)
* [Extensions](compute/extensions.md)

## Wrap-up
* [Install Apache httpd, and Test](wrapup.md)

--------------------------------------------------------------------------------
/compute/availsets.md:
--------------------------------------------------------------------------------
Availability Sets
=================

Outside of a VM itself, there are two kinds of events that might cause a VM
to go down: planned events, such as maintenance, and unplanned events, such
as a hardware failure. In order to ensure that your services remain highly
available despite such events, Azure allows grouping VMs into
[availability sets](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-manage-availability).

An availability set comprises two different kinds of domains: update domains
and fault domains. Scheduled maintenance is rolled out in waves, across update
domains: VMs in two different update domains will not be taken down and
rebooted at the same time. Similarly, fault domains encapsulate single points
of hardware failure for a VM's host: power, network, etc. VMs in two different
fault domains will not both be affected by the failure of hardware within a
given rack.

When you create an availability set, you specify the number of update
domains (default 5) and fault domains (default 3) that it should span. New
VMs are added round-robin to these domains, so the first three VMs you add
land in three distinct fault domains and the fourth shares one with the
first. The set is tied to a location, and every VM in it must be created in
that location.

```bash
# azure availset create -g -n -l -a -b

$ azure availset create -g intro-rg -n intro-availset -l westus
info:    Executing command availset create
+ Looking up the availability set "intro-availset"
+ Creating availability set "intro-availset"
info:    availset create command OK
```

```bash
$ azure availset show -g intro-rg -n intro-availset
info:    Executing command availset show
+ Looking up the availability set "intro-availset"
data:    id                        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/intro-rg/providers/Microsoft.Compute/availabilitySets/intro-availset"
data:    name                      "intro-availset"
data:    type                      "Microsoft.Compute/availabilitySets"
data:    location                  "westus"
data:    platformUpdateDomainCount 5
data:    platformFaultDomainCount  3
data:    virtualMachines 0 id      "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/INTRO-RG/providers/Microsoft.Compute/virtualMachines/INTRO-VM-BE1"
info:    availset show command OK
```

Note that there is a difference between having a single VM in an availability
set, and not having that VM in one at all. If the VM is not in an availability
set, then Azure will attempt to notify (e.g. via email) the owner before
maintenance. If it is in an availability set, then Azure assumes that such
notification is not necessary.

Also: fault domains represent single points of failure in the racks where
the VM host hardware operates, including networking hardware. VMs require
access to their [VHDs](../storage/vhds.md) as well, though, and these are not
mapped to fault domains. Make sure VHDs for the VMs in an availability set are
on different [storage accounts](../storage/accounts.md) for the highest
availability; otherwise an outage of the one storage account takes every VM in
the set down together, however the fault domains were arranged.

--------------------------------------------------------------------------------
/compute/extensions.md:
--------------------------------------------------------------------------------
VM Extensions
=============

[VM extensions](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-extensions-features)
are small applications that run inside the VM after it has been provisioned
and provide services such as configuration management, or features related
to other Azure services such as monitoring or security. They are installed
and driven by the Azure Linux Agent, which runs as root, so every extension
you set on a VM executes with full privileges in the guest. Management of
extensions is provided through the agent and a variety of clients, such as
the CLI.

```bash
# azure vm extension set -g -m -n -p -o version --public-config-file
# azure vm extension set -g -m -n -p -o version --public-config
```

Extensions are removed with the -u or --uninstall option:

```bash
# azure vm extension set -g -m -n -p -o version -u
```

The [VMAccess extension](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-using-vmaccess-extension)
is installed by default. You can use this to reset access to a VM from which
you've been inadvertently locked out, for example by updating an SSH key.

```bash
# azure vm extension set -g -m -n VMAccessForLinux -p Microsoft.OSTCExtensions -o * --public-config '{"username":, "ssh_key":}'
```

These functions are so useful, in fact, that they've been baked right into
the CLI. The above is exactly equivalent to:

```bash
azure vm reset-access -g -n -u -M
```

Note what this implies: anyone who is allowed to set extensions on the VM
(Contributor or Owner on the VM, its resource group, or the subscription) can
give themselves a login on it, whatever is configured inside the guest. When
you assign [roles](../concepts/auth.md), treat write access to a VM resource
as equivalent to root on that VM.

Another very useful extension is
[CustomScript](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-extensions-customscript).
Within the configuration, you specify a command to run and, optionally, one
or more URIs (fileUris) from which files are downloaded into the VM at
deployment time.

```bash
# azure vm extension set -g intro-rg -m intro-vm -n CustomScript -p Microsoft.Azure.Extensions -o 2.0 --public-config '{"fileUris": ["https://www.example.com/example.sh"],"commandToExecute": "./example.sh"}'
```

The downloaded script is executed as root inside the VM, so serve it over
HTTPS from a location you control, such as a private blob container accessed
with a SAS token, rather than from a public web host whose content could be
altered. Everything in --public-config, including commandToExecute and any
arguments you pass it, is stored in plain text in the VM's resource definition
and is readable by anyone with Reader access on the VM; put secrets in the
protected settings instead (--private-config or --private-config-file), which
are encrypted and only decrypted inside the VM.

--------------------------------------------------------------------------------
/compute/lis-waagent.md:
--------------------------------------------------------------------------------
Linux Integration Services (LIS)
================================

Azure VMs run on Microsoft's Hyper-V hypervisor. In order to operate smoothly
and provide the best performance, these VMs need Hyper-V-specific code in the
Linux kernel. This codebase is open source, and is largely developed and
contributed by Microsoft; it is called Linux Integration Services.

LIS goes through the regular process of being submitted to the upstream Linux
kernel maintainers, and newer kernels will thus contain newer versions of LIS.
Microsoft also works with the major distros to backport LIS to the kernel
versions that they are shipping. Thus, depending on the source and age of the
boot image and its kernel,
[different versions of LIS](https://blogs.technet.microsoft.com/virtualization/2016/07/12/which-linux-integration-services-should-i-use-in-my-linux-vms/)
may be in play in different VMs.

As later versions of LIS enable new features, improve existing ones, and
correct defects, it's important to keep LIS in mind when troubleshooting a
Linux VM in Azure.

Azure Linux Agent (waagent)
===========================

The [Azure Linux Agent](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-agent-user-guide)
is another important part of the integration of Linux VMs into Azure. It
has several important roles at provisioning-time, boot-time, and run-time,
including setting up the initial user account and SSH access, mounting
[local storage](../storage/local.md), configuring swap, redirecting the
serial port for diagnostics, and setting up [VM extensions](extensions.md).
Because it is the component that installs the initial credentials and runs
extensions, it operates as root and communicates with the platform over a
link-local endpoint inside the VM.

It is configured in /etc/waagent.conf. Note that Ubuntu images use
[cloud-init](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-using-cloud-init)
for many provisioning-time tasks, and this requires particular settings in
waagent.conf.

--------------------------------------------------------------------------------
/compute/vms.md:
--------------------------------------------------------------------------------
Virtual Machines
================

Azure VMs come in several different
[series](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-sizes?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json),
and a variety of configurations within each.

_A-series_

The A-series actually comprises two distinct classes of VM.
A0-A7 are value-priced, entry-level, general purpose VMs, offering from 1-8
CPU cores, 0.75-56 GiB of RAM, 20-605 GiB of local storage, 1-16 data disks,
and 1-4 NICs.

A0-A4 correspond to special keywords in the CLI; they are ExtraSmall, Small,
Medium, Large, and ExtraLarge respectively.

A8-A11, however, are optimized for
[compute intensive](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-a8-a9-a10-a11-specs?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)
workloads. There are basically two kinds:

* 8 cores, 56 GiB RAM, 2 NICs
* 16 cores, 112 GiB RAM, 4 NICs

Each has 382 GiB local storage, and can take 16 data disks. This splits into
4 SKUs because A8 and A9 are RDMA-capable; A10 and A11 mirror those but
without RDMA.

_Av2-series_

A later version of the A-series, with more performant hardware but otherwise
similar to the A-series A0-A7. Local disk on the Av2 is SSD. This series
uses the new size nomenclature based on CPU cores, so sizes are named A1_v2,
A2_v2, A4_v2, A8_v2, etc.

_D/DS-series_

The D-series is for more demanding workloads, with more performant CPUs and
more RAM per core than the A-series. A DS designation is the same as its
corresponding D SKU, but with access to Premium storage.

D-series VMs are available in 1-16 core SKUs, with 3.5-112 GiB RAM, 50-800
GiB of local SSD storage, 2-32 data disks, and 1-8 NICs. There are two
lines, D1-4 and D11-14. The latter mirrors the former, but with 4 times the
RAM.

_Dv2/DSv2-series_

A later version of the D-series, with more performant CPUs, and an extra SKU
(D5_v2 & D15_v2) offering even more of everything.

_F/Fs-series_

This series uses the same higher-performing CPU as the Dv2-series, but
at RAM ratios more similar to the A-series. This is the best value for
pure CPU performance. They offer 1-16 cores and 2-32 GiB of RAM.

_G/GS-series_

The G-series has the highest RAM ratios: 2-32 cores, with 28-448 GiB
of RAM.

_H-series_

This series is designed to take over from the A8-A11 as the next generation
of high-performance computing VMs.

_N-series_

The N-series is GPU-enabled, with two lines based on the NVIDIA M60 and K80.

**Note** Because hardware varies from region to region, not all series/sizes
are available everywhere. To see the list of VM sizes that are nominally
available in a given region, use

```bash
# azure vm sizes -l
```

Also, be aware that even if a size is nominally available, capacity may be
limited and fully subscribed, making it possible that an attempt to provision
a VM of certain sizes may fail. Coordinate with the Azure Capacity team in
advance if you anticipate provisioning large numbers of cores, would like
to use sizes not publicly available in your target region, or your desired
VM size is consistently failing to provision due to oversubscription.

## CLI

Our first VM is the "jumpbox", a utility VM that allows us to service the
rest of the environment. It doesn't need to be particularly performant.

```bash
$ azure vm create -g intro-rg -n intro-vm -f intro-nic -l westus -y Linux -Q UbuntuLTS -u intro -M ~/.ssh/id_rsa.pub -z Standard_A1 -o intro20161122strg -d intro.vhd
info:    Executing command vm create
+ Looking up the VM "intro-vm"
info:    Verifying the public key SSH file: ~/.ssh/id_rsa.pub
info:    Using the VM Size "Standard_A1"
info:    The [OS, Data] Disk or image configuration requires storage account
+ Looking up the storage account intro20161122strg
+ Looking up the NIC "intro-nic"
info:    Found an existing NIC "intro-nic"
info:    Found an IP configuration with virtual network subnet id "/subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-0" in the NIC "intro-nic"
info:    This NIC IP configuration has a public ip already configured "/subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourcegroups/intro-rg/providers/microsoft.network/publicipaddresses/intro-pip", any public ip parameters if provided, will be ignored.
info:    The storage URI 'https://intro20161122strg.blob.core.windows.net/' will be used for boot diagnostics settings, and it can be overwritten by the parameter input of '--boot-diagnostics-storage-uri'.
+ Creating VM "intro-vm"
info:    vm create command OK
```

Note what the CLI reports about the NIC: intro-nic already carries the public
IP intro-pip, so this is the one VM reachable from the internet, and it
accepts only the SSH public key supplied with -M (no password was set with
-p). Keep it that way; the jumpbox is the only door into the environment, so
its [network security group](../network/nsgs.md) and its SSH configuration
deserve more care than anything behind it.

Now we'll create the two VMs that will be behind the load balancer. Note that
we're setting the boot diagnostics to be stored in the original storage
account, and that, as the CLI output confirms, these NICs have no public IP:
the backends are reachable only through the load balancer and from inside the
VNet, e.g. via the jumpbox.

```bash
$ azure vm create -g intro-rg -n intro-vm-be1 -f intro-nic-be1 -l westus -y Linux -Q UbuntuLTS -u intro -M ~/.ssh/id_rsa.pub -z Standard_DS1 -o intro20161122strgprm -d intro-be1.vhd -r intro-availset --boot-diagnostics-storage-uri https://intro20161122strg.blob.core.windows.net/
info:    Executing command vm create
+ Looking up the VM "intro-vm-be1"
info:    Verifying the public key SSH file: /Users/jastev/.ssh/id_rsa.pub
info:    Using the VM Size "Standard_DS1"
info:    The [OS, Data] Disk or image configuration requires storage account
+ Looking up the storage account intro20161122strgprm
+ Looking up the availability set "intro-availset"
info:    Found an Availability set "intro-availset"
+ Looking up the NIC "intro-nic-be1"
info:    Found an existing NIC "intro-nic-be1"
info:    Found an IP configuration with virtual network subnet id "/subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1" in the NIC "intro-nic-be1"
info:    This is an NIC without publicIP configured
+ Creating VM "intro-vm-be1"
info:    vm create command OK
```

```bash
$ azure vm create -g intro-rg -n intro-vm-be2 -f intro-nic-be2 -l westus -y Linux -Q UbuntuLTS -u intro -M ~/.ssh/id_rsa.pub -z Standard_DS1 -o intro20161122strgprm -d intro-be2.vhd -r intro-availset --boot-diagnostics-storage-uri https://intro20161122strg.blob.core.windows.net/
info:    Executing command vm create
+ Looking up the VM "intro-vm-be2"
info:    Verifying the public key SSH file: /Users/jastev/.ssh/id_rsa.pub
info:    Using the VM Size "Standard_DS1"
info:    The [OS, Data] Disk or image configuration requires storage account
+ Looking up the storage account intro20161122strgprm
+ Looking up the availability set "intro-availset"
info:    Found an Availability set "intro-availset"
+ Looking up the NIC "intro-nic-be2"
info:    Found an existing NIC "intro-nic-be2"
info:    Found an IP configuration with virtual network subnet id "/subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1" in the NIC "intro-nic-be2"
info:    This is an NIC without publicIP configured
+ Creating VM "intro-vm-be2"
info:    vm create command OK
```

--------------------------------------------------------------------------------
/concepts/auth.md:
--------------------------------------------------------------------------------
Tenants, Authentication, and Authorization
==========================================
In order to interact with Azure, through whatever interface, you must first
authenticate. With the xplat CLI,
[logging in](https://docs.microsoft.com/en-us/azure/xplat-cli-connect) looks
like this:

```bash
# AzureCloud is the default, but you can log in to another environment with -e
# azure login -e

$ azure login
info:    Executing command login
info:    To sign in, use a web browser to open the page https://aka.ms/devicelogin. Enter the code XXXXXXXX to authenticate.
info:    Added subscription Microsoft Azure Internal Consumption
info:    Added subscription Microsoft Azure Internal Consumption
info:    login command OK
```

But what is happening behind the scenes? This is the device-code flow. When
you open the web page indicated, you are prompted to enter the code, which
ties your browser session to the pending request the CLI made, so that the
resulting tokens are issued to that CLI instance and not to anyone else who
might be polling. You are then redirected to a login page.

## Tenants

On this page, your login (e.g. username@domain) is parsed into a username
and domain. The domain is then used to look up the appropriate Azure Active
Directory (AAD) *tenant*. An AAD tenant is similar in some ways, but very
different in others, from an on-premises instance of Active Directory. Most
importantly for our purposes, it holds the identities (users, groups, and
applications) that Azure authenticates for an organization, and it is these
identities that Azure authorization refers to.

There are occasions (such as creating a Service Principal, see below)
when you will need to know your TenantId, a unique internal designator
attached to every AAD tenant. You can find it via

```bash
$ azure account show
info:    Executing command account show
data:    Name                        : Microsoft Azure Internal Consumption
data:    ID                          :
data:    State                       : Enabled
data:    Tenant ID                   :
data:    Is Default                  : true
data:    Environment                 : AzureCloud
data:    Has Certificate             : No
data:    Has Access Token            : Yes
data:    User name                   : jastev@microsoft.com
data:
info:    account show command OK
```

Note that AAD tenants are specific to an [environment](environments.md). You
will not be able to log in to AzureChinaCloud, for example, using credentials
from a tenant in AzureCloud.

## Authentication

There are other ways to authenticate. Using the --tenant, -u, and -p
switches, you can name a specific AAD tenant and supply a username and
password non-interactively. Be aware that a password given on the command
line ends up in your shell history and is visible in the process list while
the command runs, and that this username/password flow does not work for
accounts that require multi-factor authentication; the device-code flow above
handles both concerns. Service principals log in with --service-principal and
either a secret (-p) or a private key via --certificate-file.

## Authorization

Azure supports
[role-based access control (RBAC)](https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-what-is/)
for resources, with AAD users, groups, and service principals as the subjects
and three basic roles: Owner (full access, including granting rights to
others), Contributor (as Owner, but can't grant rights to others) and Reader
(read-only access). As we shall see later, resources are structured in a
hierarchy (subscription, resource group, resource), and a role can be assigned
at any level of that tree. An assignment applies to everything beneath the
scope at which it was made, and assignments are additive: a role granted at
the subscription or resource group cannot be taken away at a lower level, only
supplemented with further roles. So to work out what someone can do to a given
resource, you must collect every assignment from the resource up to the
subscription, not just the ones on the resource itself.
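The inheritance rule just described is easy to get wrong when auditing who holds what, so here is a small resolver, written for this page as an added example rather than code from the project or from Azure itself. Given a list of role assignments (constructed data, using the resource-id layout the CLI output on this page shows), it reports the roles a principal holds at a resource and whether a given management action is allowed there. The `ROLE_ACTIONS` and `ROLE_NOT_ACTIONS` tables are a deliberate simplification of the three built-in roles, not the full definitions Azure publishes; the matching shape (Actions minus NotActions, unioned across roles) is the real one.

```python
"""Resolve effective RBAC roles at a scope. Added example for this page, not
project code; assignment data and role tables are constructed/simplified."""

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified built-in roles. Real definitions are longer, same structure.
ROLE_ACTIONS = {
    "Owner": {"*"},
    "Contributor": {"*"},
    "Reader": {"*/read"},
}
ROLE_NOT_ACTIONS = {
    "Owner": set(),
    # Contributor can do everything except manage access.
    "Contributor": {"Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/*/Delete"},
    "Reader": set(),
}


@dataclass(frozen=True)
class Assignment:
    principal: str   # user or service principal
    role: str        # one of the keys above
    scope: str       # resource id at which the role was granted


def scope_covers(granted: str, target: str) -> bool:
    """A scope covers itself and every id beneath it in the resource tree.
    The trailing '/' stops 'intro-rg' from covering 'intro-rg2'. ARM ids are
    case-insensitive (note INTRO-RG vs intro-rg in the availset output)."""
    g = granted.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == g or t.startswith(g + "/")


def effective_roles(assignments, principal, target):
    """Assignments are additive: every one at the target scope or above
    applies, and nothing at a lower scope can remove a parent grant."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_covers(a.scope, target)})


def _role_permits(role, action):
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in ROLE_ACTIONS[role])
    denied = any(fnmatchcase(act, p.lower()) for p in ROLE_NOT_ACTIONS[role])
    return allowed and not denied


def is_allowed(assignments, principal, target, action):
    """True if any effective role permits the action (union across roles)."""
    return any(_role_permits(r, action)
               for r in effective_roles(assignments, principal, target))


def who_can(assignments, target, action):
    """Audit helper: every principal able to perform `action` at `target`."""
    principals = {a.principal for a in assignments}
    return sorted(p for p in principals
                  if is_allowed(assignments, p, target, action))


# Constructed data, following the id layout in this page's CLI output.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/intro-rg"
VM_BE1 = RG + "/providers/Microsoft.Compute/virtualMachines/intro-vm-be1"
VM_BE2 = RG + "/providers/Microsoft.Compute/virtualMachines/intro-vm-be2"
ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB),        # inherited by every resource
    Assignment("alice", "Contributor", RG),    # adds to, never replaces, Reader
    Assignment("bob", "Owner", VM_BE1),        # scoped to one VM only
]

if __name__ == "__main__":
    print(effective_roles(ASSIGNMENTS, "alice", VM_BE1))
    print(who_can(ASSIGNMENTS, VM_BE1,
                  "Microsoft.Authorization/roleAssignments/write"))
```

Running it shows alice holding both Reader and Contributor on intro-vm-be1 (the subscription-level Reader is not "overridden" by the group-level Contributor; both apply), and that only bob, as Owner of that one VM, can grant roles on it. The same `who_can` query is the one to run against a real export of role assignments before handing out Contributor on a VM, given what the VMAccess extension lets a Contributor do.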

## Service Principals

Users are not the only objects managed by AAD. An application can be
registered in AAD, and then a
[service principal](https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal-cli/)
can be set up to act on that application's behalf. Service principals are
authenticated and are granted authorizations within AAD exactly as are users.
In fact, it is possible to log in with the CLI as a service principal, rather
than as a user. You can use this to verify that a service principal has been
set up correctly, and in particular that it holds only the role and scope it
needs, since a service principal's secret or key usually ends up in automation
that is easier to steal from than a person.

Note that the permission to register applications and create service
principals is granted on a per-user basis within your Azure AD tenant.

## CLI

After successfully authenticating, the CLI obtains time-limited tokens that
allow it to act in Azure as you. These tokens are cached in
~/.azure/accessTokens.json. Anyone who can read this file can act as you in
Azure from any machine, for as long as the cached access token is valid, and
longer if the cache also holds a refresh token, since that can be exchanged
for new access tokens without your password.

The OS protects the file with permissions, but you may want to take further
precautions as well, such as encrypting your disk or home directory, and you
should treat the file as you would a private key: never copy it into a
container image, a shared drive, or a repository. A best practice is to get in
the habit of logging out of the CLI when you're finished with a session, as
this deletes the cached tokens.

```bash
# azure logout
```

You can also simply delete the file.

--------------------------------------------------------------------------------
/concepts/cli.md:
--------------------------------------------------------------------------------
Cross-Platform (xPlat) CLI
==========================

## Logging In

Before you can begin interacting with Azure through the CLI, you will have to
[login](auth.md).
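The token cache that a login populates (described on the authentication page) deserves an explicit check. The following is an added example written for this page, not part of the original or of the CLI. It parses a cache file in the shape the xplat CLI's ADAL-based cache uses (an array of records with `userId`, `resource`, `expiresOn`, `accessToken` and, where available, `refreshToken`; that layout is assumed from the cache format, and the sample content is constructed), reports which entries would still be usable by someone who copied the file, and verifies that the file is not readable by other local users. `FIXED_NOW` stands in for the clock so the result is reproducible.

```python
"""Audit an xplat-CLI token cache for exposure. Added example for this page;
the record layout is assumed (ADAL file cache) and the sample is constructed."""

import json
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample in the assumed layout. Token values are placeholders.
SAMPLE_CACHE = json.dumps([
    {   # access token expired, but the refresh token still works
        "tokenType": "Bearer", "userId": "intro@example.com",
        "resource": "https://management.core.windows.net/",
        "expiresOn": "2016-11-22T20:15:00.000Z",
        "accessToken": "eyJ0eXAi...", "refreshToken": "0.AAAA..."},
    {   # access token still live, no refresh token
        "tokenType": "Bearer", "userId": "intro@example.com",
        "resource": "https://management.core.windows.net/",
        "expiresOn": "2016-11-22T22:00:00.000Z",
        "accessToken": "eyJ0eXAi..."},
    {   # fully expired, nothing left to replay
        "tokenType": "Bearer", "userId": "intro@example.com",
        "resource": "https://management.core.windows.net/",
        "expiresOn": "2016-11-21T09:00:00.000Z",
        "accessToken": "eyJ0eXAi..."},
])

FIXED_NOW = datetime(2016, 11, 22, 21, 0, tzinfo=timezone.utc)


def parse_cache(text):
    """The cache is a JSON array of token records."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("token cache should be a JSON array")
    return entries


def parse_expiry(value):
    """expiresOn is an ISO-8601 UTC timestamp with milliseconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def audit_entries(entries, now):
    """Per record: is the access token live, is a refresh token present, and
    so could a copy of the file still be used against Azure?"""
    findings = []
    for e in entries:
        live = parse_expiry(e["expiresOn"]) > now
        has_refresh = bool(e.get("refreshToken"))
        findings.append({
            "userId": e.get("userId"),
            "resource": e.get("resource"),
            "access_token_live": live,
            "refresh_token_present": has_refresh,
            # a refresh token outlives expiresOn and keeps the copy usable
            "usable_if_copied": live or has_refresh,
        })
    return findings


def cache_is_private(mode):
    """True if no group/other permission bits are set (0600 or tighter)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def audit_file(path, now):
    with open(path) as fh:
        findings = audit_entries(parse_cache(fh.read()), now)
    return {"private": cache_is_private(os.stat(path).st_mode),
            "usable_entries": sum(1 for f in findings if f["usable_if_copied"]),
            "findings": findings}


def demo_audit():
    """Write the sample to a temp file, audit it world-readable and then
    owner-only, and delete it (what `azure logout` does for the real one)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accessTokens.json")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CACHE)
        os.chmod(path, 0o644)
        before = audit_file(path, FIXED_NOW)
        os.chmod(path, 0o600)
        after = audit_file(path, FIXED_NOW)
        os.remove(path)
        return {"private_before": before["private"],
                "private_after": after["private"],
                "usable_entries": after["usable_entries"],
                "file_removed": not os.path.exists(path)}


if __name__ == "__main__":
    print(demo_audit())
```

To check your real cache, call `audit_file(os.path.expanduser("~/.azure/accessTokens.json"), datetime.now(timezone.utc))`; two of the three sample entries count as usable even though only one access token is still live, which is why the refresh token, not `expiresOn`, determines how long a stolen copy matters.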

```bash
$ azure login
info:    Executing command login
info:    To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code XXXXXXXX to authenticate.
```

For now, we just need to be logged in. More details will be presented a
little later, when we talk about [authentication](auth.md).

## Setting ARM Mode

Azure was originally designed around the concept of services, managed through
what is now called Azure Service Management (ASM, or "classic"). This is now
deprecated, and new usage should be through Azure Resource Manager (ARM).
However, legacy deployments require using service mode, so the CLI supports
both. The two modes expose different commands and different authorization
models (ARM is where the [RBAC](auth.md) roles apply), so make sure you know
which one you are in.

We will only cover ARM mode here, so set the CLI appropriately:

```bash
$ azure config mode arm
info:    Executing command config mode
info:    New mode is arm
info:    config mode command OK
```

CLI configuration is preserved in ~/.azure/config.json.

## Syntax

The CLI syntax is generally of the form

```bash
$ azure <noun-phrase> <verb> <arguments>
```

The noun-phrase is one or more ordered words that uniquely describe the
particular Azure feature to be used.

Most features support the following standard verbs:
* list
* create
* show
* set
* delete

Some features, though, introduce their own verbs that are feature-specific.

The arguments list can usually be supplied in two different styles. In
the positionally-dependent style, the optional arguments appear first in
the list, followed by the mandatory arguments in a prescribed order.
I prefer the explicit-argument style, where all of the arguments are preceded
by switches telling the CLI what parameters they apply to. In this case,
order is not important.

## Context-Sensitive Help

You can add the "-h" or "--help" switch to get context-sensitive help. Added
to the noun phrase, it will give you additional options for extending it.
Added after the verb, it will give full usage information, including listing
all of the parameters.

## Version 2.0 Preview

[Version 2.0](https://github.com/Azure/azure-cli) of the CLI is in preview.
It is a complete rewrite (in Python rather than Node.js) and is not
syntax-compatible with the current Azure xPlat CLI.

--------------------------------------------------------------------------------
/concepts/debugging.md:
--------------------------------------------------------------------------------
Idiosyncrasies, Gotchas, and Debugging Tips
===========================================
## Versions
Each of the REST APIs for the resource providers is
[independently versioned](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services),
and applications (including the azure CLI) typically are hard-coded to use
a particular version of each. It is likely the case with at least some of
these APIs, therefore, that you are not using the latest version, the
version described in the online documentation. It also happens that two
different versions of an application (again, including the azure CLI) can
be using two different versions of the REST API for a given resource provider,
with accordingly different behavior.

## Quotas
By default, an Azure subscription has limits on the provisioning of certain
kinds of resources. These
[quotas](https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/)
can be raised by
[contacting Microsoft Support](https://ms.portal.azure.com/#create/Microsoft.Support).

## CLI
There are several general switches to the Azure CLI which can be helpful:

* _-h_ gives context-sensitive help, including many rarely-used but helpful
  options
* _-v_ generates verbose output (also try -vv for even more verbosity)
* _--json_ returns the results of the action as JSON, which often contains
  information which would not be included in the more conventional response
  text

Be careful where verbose output ends up: at higher verbosity the CLI logs the
REST requests it makes, headers included, so do not paste it into a ticket or
chat without checking it for bearer tokens and keys first.

## Local Logs
The ~/.azure/ directory contains various log files related to the CLI,
including most notably azure.details.log and azure.err, with additional
information on successful and failed requests, respectively.

## ARM Activity Logs
```bash
azure group log show -n
```
will give the history of the ARM operations on a given resource group. There
are various other additional options for this command that give more or less
detail. The activity log records who performed each operation and from where,
so it is also the first place to look when investigating an unexpected change
to a resource.

## Resource Explorer
https://resources.azure.com is an extremely powerful way to interact with
your subscriptions and resources via REST and JSON.

--------------------------------------------------------------------------------
/concepts/environments.md:
--------------------------------------------------------------------------------
Environments
============
"Azure" is not one cloud, but many. Most people will be using the Azure
Public Cloud, which is generally available around the world.
However, because of issues such as data sovereignty and national security,
"Azure" also comprises several sovereign clouds, each operating solely
within its respective national boundaries.

Microsoft is also introducing
[Azure Stack](https://azure.microsoft.com/en-us/overview/azure-stack/), in
which the underlying cloud software fabric can be run on private hardware
within enterprise data centers. This makes possible the creation of arbitrary
commercial Azure clouds.

Each of these clouds must support being wholly self-contained. Everything
from REST endpoints for [resource providers](resources.md) to
[AAD tenants](auth.md) must be provided within the cloud. Each of these
clouds is referred to generically as an "environment".

Note that because each environment is under local control, not all [resource
providers](resources.md) may be available, API versions may vary, the
[Marketplace](https://azure.microsoft.com/en-us/marketplace/) may contain
different offerings, etc.

The list of environments can be seen like this:

```bash
$ azure account env list
info:    Executing command account env list
data:    Name
data:    -----------------
data:    AzureCloud
data:    AzureChinaCloud
data:    AzureUSGovernment
data:    AzureGermanCloud
info:    account env list command OK
```

You can obtain the technical details for a given environment, for example
whether or not it is public, and its REST endpoints, as follows:

```bash
# azure account env show
# azure account env show --environment

$ azure account env show AzureCloud
info:    Executing command account env show
data:    Name:                                               AzureCloud
...
data:    isPublicEnvironment:                                true
...
data:    managementEndpointUrl:                              https://management.core.windows.net
...
```

Because each environment has its own login and management endpoints, it pays
to confirm which environment a CLI session is pointed at (azure account show
reports it) before running anything destructive: the same resource names can
exist in two clouds.

--------------------------------------------------------------------------------
/concepts/regions.md:
--------------------------------------------------------------------------------
Regions
=======
Azure datacenters are distributed around the world in what are called
["regions"](https://azure.microsoft.com/en-us/regions/). Even when there
are two datacenters in the same proximal geographic area (e.g. East US
and East US 2, both in Virginia), they are considered separate regions.

Some Azure resources are hardware-dependent, and this specialized hardware
might not be available in all regions at any given time. In addition, new
resource providers and changes to existing ones do not roll out to
all regions in the [Azure Public Cloud](environments.md) simultaneously.
Similarly, [sovereign clouds](environments.md) might choose to delay adoption
of an update, or an [enterprise cloud](environments.md)
might incorporate a third-party [resource provider](resources.md) not generally
available publicly. For all or any of these reasons, the [availability of
Azure resources](https://azure.microsoft.com/en-us/regions/services/)
varies across regions.

The Azure xplat CLI uses the label "location" instead of "region".
You can find all of the regions/locations available for the environment
of the currently active subscription with:

```bash
$ azure location list
info:    Getting locations...
data:
...
data:    Location     : westus
data:    DisplayName  : West US
data:    Providers    : Microsoft.Batch, Microsoft.Compute, Microsoft.DocumentDB, Microsoft.Logic...
...
```

Note that regional names are formed by concatenating the country name,
a geographic modifier, and a disambiguating numeric suffix (if required).
However, the older the region, the more likely it is that the geographic
modifier will precede the country name, rather than the reverse. Hence,
we have regions like westus and westus2, but japaneast and japanwest.

It makes sense that there would be an 'azure location show' command, but
there isn't.

--------------------------------------------------------------------------------
/concepts/resources.md:
--------------------------------------------------------------------------------
Resources, Resource Providers, and Resource Groups
==================================================

## Resources

An [Azure resource](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview) is a discrete element of functionality that can
be independently provisioned, managed, and released; it generates costs
according to its own usage metric, independently of other
resources. In short, whatever you're building in Azure, resources are
what you're building it with, and they determine how much you'll pay for it.

Every resource in Azure is provisioned as part of a [subscription](subscriptions.md)
within a specific [region/location](regions.md).

## Resource Providers

The entire lifecycle of a resource, and all interactions with it,
is governed by its resource provider (RP) and resource type. A single
RP can expose multiple resource types, but a given resource can only be
of a single type. The provider, version, and type exclusively determine the
legal means and meaning for interactions with the resource.

RPs are implemented as [REST APIs](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-rest-api). When a request to provision a new
resource is received, the RP returns the resource's unique id on success.
Subsequent manipulation of the resource goes through the RP's REST API,
with the id as a parameter. Additional information associated with the
request is typically passed in through JSON in the request body. Data
in the response is also returned as JSON.

The REST APIs for all RPs are versioned - the desired version is explicitly
specified in the call. RP versions have their own lifecycle, arriving in
a preview state, rolled out over time to various regions, being promoted
to GA, then chosen as the default version by various interfaces, before
being overtaken by newer versions, deprecated, and finally obsoleted. It is
the normal case that [multiple versions](debugging.md) of a given RP are
concurrently available.

Each RP is registered in Azure with a namespace, which also uniquely
identifies it. Because RPs can also be provided by third parties, these
namespaces are hierarchical and begin with the vendor of origin. Thus,
the first-party RPs provided by Microsoft have namespaces such as
Microsoft.Network, Microsoft.Storage, and Microsoft.Compute.

```bash
$ azure provider list
data:
...
data:    ProviderNamespace : Microsoft.Compute
data:    RegistrationState : Registered
data:    ResourceTypes     : availabilitySets, virtualMachines, virtualMachines/extensions, virtualMachineScaleSets...
data:    Locations         : East US, East US 2, West US, Central US...
...
info:    provider list command OK
```

For a specific provider, you can get the list of the resource types that
it supports, and the regions where each is available.

```bash
# azure provider show <namespace>
# azure provider show -n <namespace>

$ azure provider show -n Microsoft.Compute
data:
...
data:    ProviderNamespace : Microsoft.Compute
data:    RegistrationState : Registered
data:    ResourceTypes     : virtualMachines
data:    Locations         : East US, East US 2, West US, Central US, North Central US, South Central US, North Europe, West Europe, East Asia, Southeast Asia, Japan East, Japan West, Australia East, Australia Southeast, Brazil South, South India, Central India, West India, Canada Central, Canada East, West US 2, West Central US, UK South, UK West
data:    Aliases           :
data:                        Microsoft.Compute/virtualMachines/sku.name
data:                        Microsoft.Compute/virtualMachines/imagePublisher
data:                        Microsoft.Compute/virtualMachines/imageOffer
data:                        Microsoft.Compute/virtualMachines/imageSku
data:                        Microsoft.Compute/virtualMachines/imageVersion
...
data:
info:    provider show command OK
```

It would be helpful to be able to list all of the resource providers
available within a given location, but the CLI doesn't support that currently.

## Resource Groups

Resources are often so fine-grained that their value comes from
being combined with other resources, and it is helpful to organize them
accordingly. Because these resources are conceptually
part of a single solution, they typically have the same lifecycle as well.
For these reasons, Azure allows bundling arbitrary resources into a
resource group.
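
Every id an RP hands back (the resource group id in the `azure group create` output below, the NIC, public ip and backend pool ids later on) has the shape `/subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>`, optionally followed by `<childType>/<childName>` pairs. The shell functions below are an added example, not part of this introduction or of the xplat CLI: they split such an id into its fields and refuse any id that lies outside an expected subscription and resource group, a check worth making before handing an id copied from elsewhere to a command like `azure network nic ip-config set -d`.

```bash
#!/bin/sh
# Added example, not part of the original introduction or the xplat CLI.
# arm_id_field ID FIELD prints one field of an ARM resource id
# (subscription, group, namespace, type, name, leaf) and fails, printing
# nothing, on a malformed id. It runs in a subshell so IFS and 'set -f'
# do not leak into the caller.
arm_id_field() (
    set -f                           # ids can contain '*'; never glob them
    want=$2
    case $1 in
        /*) id=${1#/} ;;             # every id starts with /subscriptions/
        *)  return 1 ;;
    esac
    IFS=/
    set -- $id                       # split the id on '/'
    [ "$1" = subscriptions ] && [ "$3" = resourceGroups ] || return 1
    sub=$2 rg=$4
    if [ "$#" -eq 4 ]; then
        # A resource group is itself a resource; ARM types it as
        # Microsoft.Resources/resourceGroups.
        ns=Microsoft.Resources type=resourceGroups name=$4 leaf=$4
    else
        [ "$#" -ge 8 ] && [ "$5" = providers ] || return 1
        ns=$6 type=$7 name=$8 leaf=$8
        shift 8
        # Child resources (a backend address pool under a load balancer, an
        # ip configuration under a NIC) append <childType>/<childName> pairs,
        # so an odd number of trailing segments is malformed.
        [ $(( $# % 2 )) -eq 0 ] || return 1
        while [ "$#" -gt 0 ]; do
            type=$type/$1 leaf=$2
            shift 2
        done
    fi
    case $want in
        subscription) printf '%s\n' "$sub" ;;
        group)        printf '%s\n' "$rg" ;;
        namespace)    printf '%s\n' "$ns" ;;
        type)         printf '%s\n' "$ns/$type" ;;
        name)         printf '%s\n' "$name" ;;
        leaf)         printf '%s\n' "$leaf" ;;
        *)            return 1 ;;
    esac
)

# arm_id_in_scope ID SUBSCRIPTION GROUP succeeds only when ID lives in the
# given subscription and resource group. A malformed id never matches.
arm_id_in_scope() {
    [ "$(arm_id_field "$1" subscription)" = "$2" ] &&
    [ "$(arm_id_field "$1" group)" = "$3" ]
}

# Usage, with the backend pool id that the load balancer section of this
# introduction passes to 'azure network nic ip-config set -d':
POOL_ID=/subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb/backendAddressPools/intro-lb-back
if arm_id_in_scope "$POOL_ID" 25b347b0-e6dd-45c1-bb11-529e36438d8f intro-rg; then
    echo "ok: $(arm_id_field "$POOL_ID" type) $(arm_id_field "$POOL_ID" name)/$(arm_id_field "$POOL_ID" leaf)"
else
    echo "refusing to use an id outside intro-rg: $POOL_ID" >&2
fi
```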

A resource group is itself a resource, and like all resources, it has to
be created in a given location:

```bash
# azure group create <name> <location>
# azure group create -n <name> -l <location>

$ azure group create -n intro-rg -l westus
info:    Created resource group intro-rg
data:    Id:                  /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/intro-rg
data:    Name:                intro-rg
data:    Location:            westus
data:    Provisioning State:  Succeeded
data:    Tags:                null
data:
info:    group create command OK
```

However, the resource group can contain resources that are **not** in the
same region as the group itself.

You can see all of the resource groups for the current subscription with

```bash
$ azure group list
info:    Executing command group list
+ Listing resource groups
data:    Name      Location  Provisioning State  Tags:
data:    --------  --------  ------------------  -----
data:    intro-rg  westus    Succeeded           null
info:    group list command OK
```

and all of the resources within a group in the current subscription with

```bash
# azure group show <name>
# azure group show -n <name>

$ azure group show -n intro-rg
info:    Executing command group show
+ Listing resource groups
+ Listing resources for the group
data:    Id:                  /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/intro-rg
data:    Name:                intro-rg
data:    Location:            westus
data:    Provisioning State:  Succeeded
data:    Tags:                null
data:    Resources:           []
data:    Permissions:
data:      Actions:    *
data:      NotActions:
data:
info:    group show command OK
```

or

```bash
# azure resource list -g <name>

$ azure resource list -g intro-rg
info:    Executing command resource list
+ Listing resources
info:    No matched resources were found.
info:    resource list command OK
```

Finally, when you're done with all of the resources in a group, you can
delete them together by deleting the group that contains them.

```bash
# azure group delete <name>
# azure group delete -n <name>
```

These commands also take the "--subscription <id>" switch
to specify an alternate subscription.

--------------------------------------------------------------------------------
/concepts/subscriptions.md:
--------------------------------------------------------------------------------
Subscriptions
=============
A subscription is the root node of a [resource](resources.md) tree. It is also the single
point of billing information for usage associated with all resources in the
tree. Each subscription is associated with only one [AAD tenant](auth.md)
(which represents the owning organization), but an organization
may have any number of subscriptions. More on the relationship between
AAD and subscriptions is available [here](https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/).

Because subscriptions form the root of resource trees, they are the highest
level at which authorization can be granted to users. It is not uncommon
for an organization to have users who are not granted authorization to all
of its subscriptions - each user may see only a subset of all the subscriptions
associated with their AAD tenant.

You can see all of the subscriptions to which your currently-authenticated
account has access as follows:

```bash
$ azure account list
info:    Executing command account list
data:    Name                                  Id                                    Current  State
data:    ------------------------------------  ------------------------------------  -------  -------
data:    Microsoft Azure Internal Consumption  11111111-1111-1111-1111-111111111111  true     Enabled
data:    Microsoft Azure Internal Consumption  22222222-2222-2222-2222-222222222222  false    Enabled
info:    account list command OK
```

Note that because subscriptions are tied to single AAD tenants, which are
in turn tied to specific [environments](environments.md), you will only
see the subscriptions available to you within a specific environment.

When you log in, your CLI session will be associated automatically with
your default subscription. To change the default, use:

```bash
# azure account set <id>

$ azure account set 22222222-2222-2222-2222-222222222222
info:    Executing command account set
info:    Setting subscription to "Microsoft Azure Internal Consumption" with id "22222222-2222-2222-2222-222222222222".
info:    Changes saved
info:    account set command OK
```

--------------------------------------------------------------------------------
/concepts/templates.md:
--------------------------------------------------------------------------------
ARM Templates
=============
A set of [Azure resources](resources.md) and their configured state can be
represented in the form of a JSON file called a template. Templates are
declarative rather than imperative - in other words, they describe *what*
the resources should look like, rather than *how* to make them so.

To retrieve a template that models the current state of an existing resource
group, we use the azure CLI as follows:

```bash
# azure group export <name>
# azure group export -n <name>

$ azure group export -n intro-rg
info:    Executing command group export
+ Exporting resource group as template intro-rg
info:    Template downloaded to ./intro-rg.json
info:    group export command OK
```

While this template has hard-coded values that correspond to the current
state of its resources, the template can then be parameterized to model
these as variables. The template and associated parameter file can then
be used to [deploy](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-deploy-cli) similar systems of resources elsewhere.

The resource group that the template is being deployed into must already
exist.

```bash
# azure group deployment create -g <resource-group> -f <template-file>

$ azure group deployment create -g intro-rg-2 -f intro-rg.json
info:    Executing command group deployment create
info:    Supply values for the following parameters
+ Initializing template configurations and parameters
+ Creating a deployment
info:    Created template deployment "intro-rg"
+ Waiting for deployment to complete
+
+
data:    DeploymentName     : intro-rg
data:    ResourceGroupName  : intro-rg-2
data:    ProvisioningState  : Succeeded
data:    Timestamp          : Mon Nov 21 2016 13:47:26 GMT-0800 (PST)
data:    Mode               : Incremental
data:    CorrelationId      : 5582ca2a-8b2c-442e-83a6-1ca2beb2dbff
info:    group deployment create command OK
```

Note the Mode line. Deployments can be made in two different ways, incremental
and complete. The major difference between the two modes is that a complete
deployment will ensure that the resulting state of the resource group matches
the template completely, including deleting any previously existing resources
in the group that are not specified in the template.

The deployment will be given a default name unless it is specified with
the -n switch.

It is also possible to retrieve the template that was originally used to
populate a resource group, even though the current state of the resources
in the group may no longer match the original template.

```bash
# azure group deployment template download -g <resource-group> -n <deployment-name>

$ azure group deployment template download -g intro-rg-2 -n intro-rg
info:    Executing command group deployment template download
+ Getting resource group deployment template intro-rg
info:    Deployment template downloaded to ./intro-rg.json
info:    group deployment template download command OK
```

--------------------------------------------------------------------------------
/iaas.md:
--------------------------------------------------------------------------------
The IaaS "Big Three": Network, Storage, and Compute
===================================================
Infrastructure as a Service (IaaS) deployments in Azure mirror
their physical counterparts: computers to do the work, disks to boot them
and hold their data, and networks to let them talk to you and each other.

Azure IaaS implements these three general services as [Resource Providers](concepts/resources.md),
each offering a variety of [Resource Types](concepts/resources.md)
at a more granular abstraction layer.
Instances of these [resources](concepts/resources.md) are provisioned and
assembled together into whole solutions.

Here are some great jumping-off points for documentation on each of these
core services.

* [Network](https://docs.microsoft.com/en-us/azure/#pivot=services&panel=network)
* [Storage](https://docs.microsoft.com/en-us/azure/#pivot=services&panel=storage)
* [Compute](https://docs.microsoft.com/en-us/azure/#pivot=services&panel=compute)

--------------------------------------------------------------------------------
/network/dns.md:
--------------------------------------------------------------------------------
Azure DNS Zones
===============
Azure DNS lets you manage [zones and records](https://docs.microsoft.com/en-us/azure/dns/dns-zones-records).

First, we need to [create a zone](https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-create-dnszone-cli). Note that because DNS is a global service,
unlike most other resources, you do not need to specify a location for the zone.

```bash
$ azure network dns zone create -g intro-rg -n intro.on-azure.info
info:    Executing command network dns zone create
+ Creating dns zone "intro.on-azure.info"
data:    Id                        : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/dnszones/intro.on-azure.info
data:    Name                      : intro.on-azure.info
data:    Type                      : Microsoft.Network/dnszones
data:    Location                  : global
data:    Number of record sets     : 2
data:    Max number of record sets : 5000
data:    Name servers:
data:      ns1-01.azure-dns.com.
data:      ns2-01.azure-dns.net.
data:      ns3-01.azure-dns.org.
data:      ns4-01.azure-dns.info.
data:    Metadata                  :
info:    network dns zone create command OK
```

Once the zone has been created, you can see that the NS and SOA record sets
are created by default:

```bash
# azure network dns record-set list -g <resource-group> -z <zone>

$ azure network dns record-set list -g intro-rg -z intro.on-azure.info
info:    Executing command network dns record-set list
+ Looking up the DNS Record Sets
data:    Name            : @
data:    Type            : NS
data:    TTL             : 172800
data:    Records:
data:      ns1-01.azure-dns.com.
data:      ns2-01.azure-dns.net.
data:      ns3-01.azure-dns.org.
data:      ns4-01.azure-dns.info.
data:
data:    Name            : @
data:    Type            : SOA
data:    TTL             : 3600
data:    Email           : azuredns-hostmaster.microsoft.com
data:    Host            : ns1-01.azure-dns.com.
data:    Serial Number   : 1
data:    Refresh Time    : 3600
data:    Retry Time      : 300
data:    Expire Time     : 2419200
data:    Minimum TTL     : 300
data:
info:    network dns record-set list command OK
```

To add DNS records to our zone, we must first [create a new record set](https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-create-recordset-cli):

```bash
# azure network dns record-set create -g <resource-group> -z <zone> -n <name> -y <type>

$ azure network dns record-set create -g intro-rg -z intro.on-azure.info -n www -y A
info:    Executing command network dns record-set create
warn:    using default TTL of 3600 seconds
+ Creating DNS record set "www" of type "A"
data:    Id       : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/dnszones/intro.on-azure.info/A/www
data:    Name     : www
data:    Type     : Microsoft.Network/dnszones/A
data:    TTL      : 3600
data:    Metadata :
info:    network dns record-set create command OK
```

We can then add a record to this set. In this case, we'll use the PIP of
the load balancer that we created earlier.

```bash
$ azure network dns record-set add-record -g intro-rg -z intro.on-azure.info -n www -y A -a 104.45.233.180
info:    Executing command network dns record-set add-record
+ Looking up the dns zone "intro.on-azure.info"
+ Looking up the DNS Record Set "www" of type "A"
+ Updating record set "www" of type "A"
data:    Id       : /subscriptions/1111111-1111-1111-1111-111111111111/resourceGroups/intro-rg/providers/Microsoft.Network/dnszones/intro.on-azure.info/A/*
data:    Name     : www
data:    Type     : Microsoft.Network/dnszones/A
data:    TTL      : 3600
data:    Metadata :
data:    A records:
data:      IPv4 address : 104.45.233.180
data:
data:
info:    network dns record-set add-record command OK
```

Of course, the parent zone (in this case, on-azure.info) will have to be updated to delegate to the new subdomain, as well.

Other DNS Notes
===============
When you create (or later, set) a public-ip, you can use the -d switch to
specify the domain-label. The IP will then be reachable through the FQDN
domain-label.location.cloudapp.azure.com.

Within their vnet, VMs are resolvable by their resource name.

--------------------------------------------------------------------------------
/network/gateways.md:
--------------------------------------------------------------------------------
Gateways
========
A virtual network always has an implicit default gateway that connects
it to the public Internet and provides NAT ([VIPs](ips_nics.md)). Similarly,
subnets within a single vnet know how to route to each other as well. No
additional resources need be provisioned or configured to use these features.

Vnets within the same region can be connected using a [VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) or
(in some cases) [vnet peering](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview).
However, to connect a vnet to an on-premises network, or to a vnet in a different region, you must go through a VPN Gateway.

Azure supports these scenarios with system-defined routes. Some scenarios
require [user-defined routes](https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/).

When a gateway is needed, it must be provisioned into a subnet with the
special name "GatewaySubnet". Connections to other VPN Gateways or other
IPSEC endpoints are then made. Note that these connections are one-way, so
typically two connections are established between each pair of endpoints.

--------------------------------------------------------------------------------
/network/ips.md:
--------------------------------------------------------------------------------
IP Addresses
============

## [Private vs. Public IPs](https://azure.microsoft.com/en-us/documentation/articles/virtual-network-ip-addresses-overview-arm/)

Because Azure virtual networks are logically isolated, their apparent
address space is not directly publicly routable, even if it is not one of the
RFC1918 spaces (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For this reason
addresses on these networks are referred to as _private_ IP addresses. When
a private IP address is required, almost any address that is within the
network/subnet space may be specified. (Azure reserves the first and last,
plus three more. Virtual networks do not support multicast or broadcast
addressing.) These are assigned dynamically via DHCP, so they are called
Dynamic IPs or _DIPs_.
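
The reservation just described can be worked out for any subnet, which matters when sizing one: a /24 leaves 251 DIPs, not 254, and a /29 (the smallest subnet Azure allows) leaves only 3. The shell functions below are an added example, not part of the original introduction; they compute the five addresses Azure holds back (network address, default gateway, two addresses that map the Azure DNS servers into the vnet, and the broadcast address) and the DIP range left over. The 10.1.0.0/24 range in the usage lines is an assumption made for the example, chosen to match the 10.1.0.4 and 10.1.0.5 DIPs that the load balancer section shows being handed out on intro-subnet-10-1.

```bash
#!/bin/sh
# Added example, not part of the original introduction. Azure reserves the
# first four and the last address of every subnet:
#   .0 network address, .1 default gateway, .2 and .3 map the Azure DNS
#   servers into the vnet, and the last address is the broadcast address.
# These functions compute the reserved set and the DIP range that is left.

# ip4_to_int A.B.C.D -> the address as an integer; fails on bad input.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> dotted-quad form of the integer N.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# azure_subnet_dips CIDR FIELD prints, for an Azure subnet given as
# network/prefix, one of: first_usable, last_usable, usable_count, or
# reserved (the five held-back addresses, space separated). It fails when
# the network is not on a prefix boundary or the prefix is longer than /29,
# the smallest subnet Azure allows.
azure_subnet_dips() {
    cidr=$1 want=$2
    prefix=${cidr#*/}
    base=${cidr%/*}
    [ "$prefix" != "$cidr" ] || return 1                 # no "/len" given
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 29 ] || return 1
    net=$(ip4_to_int "$base") || return 1
    size=$(( 1 << (32 - prefix) ))
    [ $(( net % size )) -eq 0 ] || return 1               # not a network address
    case $want in
        first_usable) int_to_ip4 $(( net + 4 )) ;;        # .0 to .3 are reserved
        last_usable)  int_to_ip4 $(( net + size - 2 )) ;; # size-1 is broadcast
        usable_count) echo $(( size - 5 )) ;;
        reserved)
            r=
            for i in 0 1 2 3 $(( size - 1 )); do
                r="$r${r:+ }$(int_to_ip4 $(( net + i )))"
            done
            echo "$r" ;;
        *) return 1 ;;
    esac
}

# Constructed usage: intro-subnet-10-1, used later in this introduction, is
# assumed here to be 10.1.0.0/24; the first DIP Azure hands out on it is 10.1.0.4.
echo "reserved in 10.1.0.0/24: $(azure_subnet_dips 10.1.0.0/24 reserved)"
echo "DIPs available: $(azure_subnet_dips 10.1.0.0/24 first_usable) to $(azure_subnet_dips 10.1.0.0/24 last_usable) ($(azure_subnet_dips 10.1.0.0/24 usable_count) addresses)"
```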

If the DIPs are not externally routable, how can they [communicate with the
public Internet](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections)? Via a _public_ IP address, of course. These
addresses are not part of a virtual network, even if the public IP address
were to fall within an address space assigned to a vnet. Public IPs are
allocated from a pool maintained within Azure - you cannot specify a
particular address.

When a DIP initiates a connection to an external address, it
undergoes source network address translation (SNAT) within Azure. If it
is not behind a [load balancer](lbs.md), it is mapped
to a temporary public IP address - a virtual IP address, or _VIP_,
borrowed from its host. A DIP that is behind an Internet-facing load
balancer is SNATted to the PIP of the load balancer.

Another option is to request a more lasting assignment of a public IP address
from the Azure pool. These instance-level public IPs (_ILPIP_ or just _PIP_),
unlike DIPs or VIPs, are represented as resources that you must
allocate and manage.

## Dynamic vs. Static IPs

By default, both private and public IP addresses are allocated dynamically
and can change periodically (they are allocated when a resource is started,
and released when a resource is stopped or deleted). To specify that an
address is static, use the -a switch. For private IP addresses, the
argument to -a is the address itself. For public IP addresses, the argument
to -a is the allocation method: "Dynamic" (the default) or "Static".

```bash
# azure network public-ip create <resource-group> <name> <location> -a Static|Dynamic
# azure network public-ip create -g <resource-group> -n <name> -l <location> -a Static|Dynamic

$ azure network public-ip create -g intro-rg -n intro-pip -l westus -a Static
info:    Executing command network public-ip create
warn:    Using default --idle-timeout 4
warn:    Using default --ip-version IPv4
+ Looking up the public ip "intro-pip"
+ Creating public ip address "intro-pip"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip
data:    Name                            : intro-pip
data:    Type                            : Microsoft.Network/publicIPAddresses
data:    Location                        : westus
data:    Provisioning state              : Succeeded
data:    Allocation method               : Static
data:    IP version                      : IPv4
data:    Idle timeout in minutes         : 4
data:    IP Address                      : 13.91.100.127
info:    network public-ip create command OK
```

We'll need another PIP later for our load balancer, so we'll create that now
as well.

```bash
$ azure network public-ip create -g intro-rg -n intro-pip-lb -l westus -a Static
info:    Executing command network public-ip create
warn:    Using default --idle-timeout 4
warn:    Using default --ip-version IPv4
+ Looking up the public ip "intro-pip-lb"
+ Creating public ip address "intro-pip-lb"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip-lb
data:    Name                            : intro-pip-lb
data:    Type                            : Microsoft.Network/publicIPAddresses
data:    Location                        : westus
data:    Provisioning state              : Succeeded
data:    Allocation method               : Static
data:    IP version                      : IPv4
data:    Idle timeout in minutes         : 4
data:    IP Address                      : 104.45.233.180
info:    network public-ip create command OK
```

```bash
# azure network public-ip list -g <resource-group>

$ azure network public-ip list -g intro-rg
info:    Executing command network public-ip list
+ Getting the public ip addresses
data:    Name          Location  Resource group  Provisioning state  Allocation method  IP version  IP Address      Idle timeout, minutes  FQDN
data:    ------------  --------  --------------  ------------------  -----------------  ----------  --------------  ---------------------  ----
data:    intro-pip     westus    intro-rg        Succeeded           Static             IPv4        13.91.100.127   4
data:    intro-pip-lb  westus    intro-rg        Succeeded           Static             IPv4        104.45.233.180  4
info:    network public-ip list command OK
```

```bash
# azure network public-ip show -g <resource-group> -n <name>

$ azure network public-ip show -g intro-rg -n intro-pip
info:    Executing command network public-ip show
+ Looking up the public ip "intro-pip"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip
data:    Name                            : intro-pip
data:    Type                            : Microsoft.Network/publicIPAddresses
data:    Location                        : westus
data:    Provisioning state              : Succeeded
data:    Allocation method               : Static
data:    IP version                      : IPv4
data:    Idle timeout in minutes         : 4
data:    IP Address                      : 13.91.100.127
data:    IP configuration id             : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic/ipConfigurations/default-ip-config
info:    network public-ip show command OK
```

--------------------------------------------------------------------------------
/network/lbs.md:
--------------------------------------------------------------------------------
Load Balancers
==============

An Azure [load balancer](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#load-balancer-features)
maps incoming network connections from its front end to a back end pool of
VMs. Typically the traffic is mapped so as to distribute the load
equally, enabling scale out. The load balancer monitors the health of
its back-end pool, and will manage the pool accordingly, ceasing to
distribute new connections to VMs that no longer respond suitably to health
probes.

```bash
# azure network lb create -g <resource-group> -n <name> -l <location>

$ azure network lb create -g intro-rg -n intro-lb -l westus
info:    Executing command network lb create
+ Looking up the load balancer "intro-lb"
+ Creating load balancer "intro-lb"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb
data:    Name                            : intro-lb
data:    Type                            : Microsoft.Network/loadBalancers
data:    Location                        : westus
data:    Provisioning state              : Succeeded
info:    network lb create command OK
```

A load balancer can either be internet-facing, in which case it needs a PIP
for its front end, or internal, in which case it is attached to a vnet
and subnet and acquires a DIP normally.

Here we'll use the second PIP we created earlier to create the load
balancer's front end.

```bash
$ azure network lb frontend-ip create -g intro-rg -l intro-lb -n intro-lb-front -i intro-pip-lb
info:    Executing command network lb frontend-ip create
+ Looking up the load balancer "intro-lb"
+ Looking up the public ip "intro-pip-lb"
+ Updating load balancer "intro-lb"
data:    Name                            : intro-lb-front
data:    Provisioning state              : Succeeded
data:    Private IP allocation method    : Dynamic
data:    Public IP address id            : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip-lb
info:    network lb frontend-ip create command OK
```

Now, we create the backend pool...

```bash
$ azure network lb address-pool create -g intro-rg -l intro-lb -n intro-lb-back
info:    Executing command network lb address-pool create
+ Looking up the load balancer "intro-lb"
+ Updating load balancer "intro-lb"
data:    Name                            : intro-lb-back
data:    Provisioning state              : Succeeded
info:    network lb address-pool create command OK
```

And add the two NICs we created previously to it.

```bash
$ azure network nic ip-config set -g intro-rg -c intro-nic-be1 -n default-ip-config -d /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadbalancers/intro-lb/backendAddressPools/intro-lb-back
info:    Executing command network nic ip-config set
+ Looking up the network interface "intro-nic-be1"
+ Updating network interface "intro-nic-be1"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic-be1
data:    Name                            : intro-nic-be1
data:    Type                            : Microsoft.Network/networkInterfaces
data:    Location                        : westus
data:    Provisioning state              : Succeeded
data:    MAC address                     : 00-0D-3A-35-0F-E1
data:    Internal domain name suffix     : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data:    Enable IP forwarding            : false
data:    Virtual machine                 : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Compute/virtualMachines/intro-vm-be1
data:    IP configurations:
data:      Name                          : default-ip-config
data:      Primary                       : true
data:      Provisioning state            : Succeeded
data:      Private IP address            : 10.1.0.4
data:      Private IP version            : IPv4
data:      Private IP allocation method  : Dynamic
data:      Subnet                        : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1
data:      Load balancer backend address pools:
data:        Id                          : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb/backendAddressPools/intro-lb-back
data:
info:    network nic ip-config set command OK
```

```bash
$ azure network nic ip-config set -g intro-rg -c intro-nic-be2 -n default-ip-config -d /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadbalancers/intro-lb/backendAddressPools/intro-lb-back
info:    Executing command network nic ip-config set
+ Looking up the network interface "intro-nic-be2"
+ Updating network interface "intro-nic-be2"
data:    Id                              : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic-be2
data:    Name                            : intro-nic-be2
data:    Type                            : Microsoft.Network/networkInterfaces
data:    Location                        : westus
data:    Provisioning state              : Succeeded
data:    MAC address                     : 00-0D-3A-33-B4-77
data:    Internal domain name suffix     : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data:    Enable IP forwarding            : false
data:    IP configurations:
data:      Name                          : default-ip-config
data:      Primary                       : true
data:      Provisioning state            : Succeeded
data:      Private IP address            : 10.1.0.5
data:      Private IP version            : IPv4
data:      Private IP allocation method  : Dynamic
data:      Subnet                        : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1
data:      Load balancer backend address pools:
data:        Id                          : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb/backendAddressPools/intro-lb-back
data:
info:    network nic ip-config set command OK
```

Now, we tell the load balancer to distribute incoming HTTP traffic on port 80
across the back end pool.

```bash
$ azure network lb rule create -g intro-rg -l intro-lb -n intro-lb-rule-http -p tcp -f 80 -b 80 -t intro-lb-front -o intro-lb-back
info:    Executing command network lb rule create
+ Looking up the load balancer "intro-lb"
warn:    Using default --idle-timeout 4
warn:    Using default --enable-floating-ip false
warn:    Using default --load-distribution Default
+ Updating load balancer "intro-lb"
data:    Name                            : intro-lb-rule-http
data:    Provisioning state              : Succeeded
data:    Protocol                        : Tcp
data:    Frontend port                   : 80
data:    Backend port                    : 80
data:    Enable floating IP              : false
data:    Load distribution               : Default
data:    Idle timeout in minutes         : 4
data:    Frontend IP configuration id    : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb/frontendIPConfigurations/intro-lb-front
data:    Backend address pool id         : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb/backendAddressPools/intro-lb-back
info:    network lb rule create command OK
```

And we add a [health probe](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview) that will ensure that VMs not responding
to HTTP requests are removed from the pool:

```bash
$ azure network lb probe create -g intro-rg -l intro-lb -n intro-lb-probe-http -p tcp -o 80 -f /
info:    Executing command network lb probe create
warn:    --path will be ignored when probe protocol is TCP
+ Looking up the load balancer "intro-lb"
+ Updating load balancer "intro-lb"
data:    Name                            : intro-lb-probe-http
data:    Provisioning state              : Succeeded
data:    Protocol                        : Tcp
data:    Port                            : 80
data:    Interval in seconds             : 15
data:    Number of
probes : 2 155 | info: network lb probe create command OK 156 | ``` 157 | 158 | Finally, let's review the load balancer as we've set it up so far: 159 | 160 | ```bash 161 | $ azure network lb show -g intro-rg -n intro-lb 162 | info: Executing command network lb show 163 | + Looking up the load balancer "intro-lb" 164 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/loadBalancers/intro-lb 165 | data: Name : intro-lb 166 | data: Type : Microsoft.Network/loadBalancers 167 | data: Location : westus 168 | data: Provisioning state : Succeeded 169 | data: 170 | data: Frontend IP configurations: 171 | data: Name Provisioning state Private IP allocation Private IP Subnet Public IP 172 | data: -------------- ------------------ --------------------- ----------- ------ ------------ 173 | data: intro-lb-front Succeeded Dynamic intro-pip-lb 174 | data: 175 | data: Probes: 176 | data: Name Provisioning state Protocol Port Path Interval Count 177 | data: ------------------- ------------------ -------- ---- ---- -------- ----- 178 | data: intro-lb-probe-http Succeeded Tcp 80 15 2 179 | data: 180 | data: Backend Address Pools: 181 | data: Name Provisioning state 182 | data: ------------- ------------------ 183 | data: intro-lb-back Succeeded 184 | data: 185 | data: Load Balancing Rules: 186 | data: Name Provisioning state Load distribution Protocol Frontend port Backend port Enable floating IP Idle timeout in minutes 187 | data: ------------------ ------------------ ----------------- -------- ------------- ------------ ------------------ ----------------------- 188 | data: intro-lb-rule-http Succeeded Default Tcp 80 80 false 4 189 | info: network lb show command OK 190 | ``` 191 | -------------------------------------------------------------------------------- /network/nics.md: -------------------------------------------------------------------------------- 1 | NICs & IP Address Binding 2 | ========================= 

IP addresses can be assigned to some Azure resources directly (e.g. load
balancers). Virtual machines, however, require that the address be assigned
to a virtual [Network Interface Card (NIC)](https://azure.microsoft.com/en-us/documentation/articles/virtual-network-network-interface-overview/),
which is then assigned to the VM. *This takes place at the time of NIC
creation and cannot be changed later via the xplat CLI.* While the CLI does
include an `azure network nic set` command, it does not support changing the
associated IP address.

```bash
# azure network nic create -g -n -l -m -k -a
# azure network nic create -g -n -l -p

$ azure network nic create -g intro-rg -n intro-nic -l westus -m intro-vnet -k intro-subnet-10-0 -p intro-pip
info: Executing command network nic create
+ Looking up the network interface "intro-nic"
+ Looking up the subnet "intro-subnet-10-0"
+ Looking up the public ip "intro-pip"
+ Creating network interface "intro-nic"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic
data: Name : intro-nic
data: Type : Microsoft.Network/networkInterfaces
data: Location : westus
data: Provisioning state : Succeeded
data: Internal domain name suffix : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data: Enable IP forwarding : false
data: IP configurations:
data:   Name : default-ip-config
data:   Primary : true
data:   Provisioning state : Succeeded
data:   Private IP address : 10.0.0.4
data:   Private IP version : IPv4
data:   Private IP allocation method : Dynamic
data:   Public IP address : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip
data:   Subnet : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-0
data:
info: network nic create command OK
```

Note that while at present each NIC can have only one IP address assigned to
it, some types of VMs can have multiple NICs. However, to enable this
feature, the VM must be assigned at least two NICs at creation. A VM that is
created with a single NIC will not support adding a second one later, even if
its type allows this in general.

You can set various properties of a NIC, including its [Network Security
Group](nsgs.md), its [DNS](dns.md) name, and IP forwarding, with

```bash
# azure network nic set
```

Other properties of the NIC are stored within an IP configuration. A NIC can
have more than one IP configuration. These are not top-level resources; they
exist only within their parent NIC. The IP configuration includes not only
the information shown above, but also which [load balancer](lbs.md) pool the
NIC is part of. An IP configuration is created for you if you don't create
one yourself. You can set properties on the IP configuration with

```bash
# azure network nic ip-config set -g -c -n
```

Let's create two more NICs, with DIPs rather than PIPs. We'll use these
later. Note that these are in the other subnet.

```bash
$ azure network nic create -g intro-rg -n intro-nic-be1 -l westus -m intro-vnet -k intro-subnet-10-1
info: Executing command network nic create
+ Looking up the network interface "intro-nic-be1"
+ Looking up the subnet "intro-subnet-10-1"
+ Creating network interface "intro-nic-be1"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic-be1
data: Name : intro-nic-be1
data: Type : Microsoft.Network/networkInterfaces
data: Location : westus
data: Provisioning state : Succeeded
data: Internal domain name suffix : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data: Enable IP forwarding : false
data: IP configurations:
data:   Name : default-ip-config
data:   Primary : true
data:   Provisioning state : Succeeded
data:   Private IP address : 10.1.0.4
data:   Private IP version : IPv4
data:   Private IP allocation method : Dynamic
data:   Subnet : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1
data:
info: network nic create command OK
```

```bash
$ azure network nic create -g intro-rg -n intro-nic-be2 -l westus -m intro-vnet -k intro-subnet-10-1
info: Executing command network nic create
+ Looking up the network interface "intro-nic-be2"
+ Looking up the subnet "intro-subnet-10-1"
+ Creating network interface "intro-nic-be2"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic-be2
data: Name : intro-nic-be2
data: Type : Microsoft.Network/networkInterfaces
data: Location : westus
data: Provisioning state : Succeeded
data: Internal domain name suffix : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data: Enable IP forwarding : false
data: IP configurations:
data:   Name : default-ip-config
data:   Primary : true
data:   Provisioning state : Succeeded
data:   Private IP address : 10.1.0.5
data:   Private IP version : IPv4
data:   Private IP allocation method : Dynamic
data:   Subnet : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1
data:
info: network nic create command OK
```

```bash
$ azure network nic list -g intro-rg
info: Executing command network nic list
+ Getting the network interfaces
data: Name           Location  Resource group  Provisioning state  MAC Address        IP forwarding  Internal DNS name  Internal FQDN  Internal domain name suffix
data: -------------  --------  --------------  ------------------  -----------------  -------------  -----------------  -------------  ---------------------------------------------------
data: intro-nic      westus    intro-rg        Succeeded           00-0D-3A-32-37-1C  false                                            oo1wlrzw0jmelof2yc4p53kbnf.dx.internal.cloudapp.net
data: intro-nic-be1  westus    intro-rg        Succeeded           00-0D-3A-34-FE-26  false                                            oo1wlrzw0jmelof2yc4p53kbnf.dx.internal.cloudapp.net
data: intro-nic-be2  westus    intro-rg        Succeeded           00-0D-3A-33-70-5B  false                                            oo1wlrzw0jmelof2yc4p53kbnf.dx.internal.cloudapp.net
info: network nic list command OK
```

--------------------------------------------------------------------------------
/network/nsgs.md:
--------------------------------------------------------------------------------
Network Security Groups
=======================
Security in a virtual network is managed at the subnet and NIC level through
[Network Security Groups](https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/), or nsgs.
An nsg works like a firewall: it comprises a collection of ACL rules, each of
which matches traffic against a pattern and allows or denies it. Inbound
traffic passes through the nsg bound to the subnet first, then through the
nsg bound to the receiving NIC. The reverse is true for outbound traffic.

While a single nsg can be bound to any number of subnets and/or nics, each
subnet or nic can be bound to only a single nsg. This ability to reuse nsgs
is important in large deployments, because the default quota for them is 100
per subscription per region.

```bash
# azure network nsg create [options]
# azure network nsg create -g -n -l

$ azure network nsg create -g intro-rg -n intro-nsg -l westus
info: Executing command network nsg create
+ Looking up the network security group "intro-nsg"
+ Creating a network security group "intro-nsg"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkSecurityGroups/intro-nsg
data: Name : intro-nsg
data: Type : Microsoft.Network/networkSecurityGroups
data: Location : westus
data: Provisioning state : Succeeded
data: Security rules:
data: Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data: -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data: AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data: AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data: DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data: AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data: AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data: DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info: network nsg create command OK
```
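As an added example (not code from the original page), here is a small Python model of the evaluation an nsg performs, run against the six default rules listed above: rules are tried in ascending priority order and the first match decides, and inbound traffic must be allowed by the subnet nsg and then by the NIC nsg. The service-tag matching, the use of the intro-vnet prefixes to stand for `VirtualNetwork`, and all function names are simplifying assumptions made here.

```python
"""Added example: simulate Azure NSG rule evaluation (first match by priority).

Not the page's own code. Service tags are approximated: "VirtualNetwork" is
taken to mean the intro-vnet prefixes created elsewhere on this page, and
"AzureLoadBalancer" the published Azure health-probe source address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure's health-probe source


@dataclass(frozen=True)
class Rule:
    """One row of the 'Security rules' table printed by the CLI."""
    name: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    protocol: str    # "Tcp", "Udp" or "*"
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    priority: int    # lower number wins


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str
    src_port: int = 0   # ephemeral; every rule on this page uses "*" here


# The six default rules, exactly as listed by `azure network nsg create`.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Inbound", "Allow", 65000),
    Rule("AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "*", "*", "Inbound", "Allow", 65001),
    Rule("DenyAllInBound", "*", "*", "*", "*", "*", "Inbound", "Deny", 65500),
    Rule("AllowVnetOutBound", "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Outbound", "Allow", 65000),
    Rule("AllowInternetOutBound", "*", "*", "Internet", "*", "*", "Outbound", "Allow", 65001),
    Rule("DenyAllOutBound", "*", "*", "*", "*", "*", "Outbound", "Deny", 65500),
]


def _addr_matches(pattern: str, ip: str) -> bool:
    """Match an address against '*', a service tag, or a CIDR/single address."""
    addr = ipaddress.ip_address(ip)
    if pattern == "*":
        return True
    if pattern == "VirtualNetwork":
        return any(addr in net for net in VNET_PREFIXES)
    if pattern == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    if pattern == "Internet":   # simplification: any publicly routable address
        return addr.is_global
    return addr in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    """Match a port against '*', a single port, or a 'lo-hi' range."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule matching the flow, in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != flow.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
            continue
        if not (_addr_matches(r.src, flow.src_ip) and _addr_matches(r.dst, flow.dst_ip)
                and _port_matches(r.src_port, flow.src_port)
                and _port_matches(r.dst_port, flow.dst_port)):
            continue
        return r.access, r.name
    return "Deny", "(no match)"   # unreachable while the DenyAll* defaults are present


def allowed_through(subnet_rules: List[Rule], nic_rules: List[Rule], flow: Flow) -> bool:
    """Inbound traffic passes the subnet nsg first, then the NIC nsg; both must allow it."""
    return all(evaluate(rs, flow)[0] == "Allow" for rs in (subnet_rules, nic_rules))


if __name__ == "__main__":
    ssh_from_internet = Flow("8.8.8.8", "10.0.0.4", 22, "Tcp", "Inbound")   # constructed flow
    print(evaluate(DEFAULT_RULES, ssh_from_internet))                         # defaults deny it
    probe = Flow("168.63.129.16", "10.0.0.4", 80, "Tcp", "Inbound")
    print(evaluate(DEFAULT_RULES, probe))                                     # LB probe is allowed
```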

The default rules shown above allow inbound traffic from within the vnet
or from an attached [load balancer](lbs.md), but deny it from all other
sources. Rules are checked in order of priority, and evaluation terminates
with the first matching rule.

We can extend the rules, for example allowing ssh (tcp port 22) like this:

```bash
# azure network nsg rule create -g -a -n -c Allow/Deny -r Inbound/Outbound -p Tcp/Udp/* -u -y

$ azure network nsg rule create -g intro-rg -a intro-nsg -n allow-ssh-in -c Allow -r Inbound -p Tcp -u 22 -y 1000
info: Executing command network nsg rule create
warn: Using default --source-port-range *
warn: Using default --source-address-prefix *
warn: Using default --destination-address-prefix *
+ Looking up the network security group "intro-nsg"
+ Looking up the network security rule "allow-ssh-in"
+ Creating a network security rule "allow-ssh-in"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkSecurityGroups/intro-nsg/securityRules/allow-ssh-in
data: Name : allow-ssh-in
data: Type : Microsoft.Network/networkSecurityGroups/securityRules
data: Provisioning state : Succeeded
data: Source IP : *
data: Source Port : *
data: Destination IP : *
data: Destination Port : 22
data: Protocol : Tcp
data: Direction : Inbound
data: Access : Allow
data: Priority : 1000
info: network nsg rule create command OK
```

Note the warnings: `--source-address-prefix` defaulted to `*`, so this rule
admits ssh from any source, including the public Internet. Narrowing that
prefix to the addresses that actually need ssh access is the usual hardening.

Showing the NSG or listing the rules will verify that the rule has been added:

```bash
$ azure network nsg show -g intro-rg -n intro-nsg
info: Executing command network nsg show
+ Looking up the network security group "intro-nsg"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkSecurityGroups/intro-nsg
data: Name : intro-nsg
data: Type : Microsoft.Network/networkSecurityGroups
data: Location : westus
data: Provisioning state : Succeeded
data: Security rules:
data: Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data: -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data: allow-ssh-in                   *                  *            *               22                Tcp       Inbound    Allow   1000
data: AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data: AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data: DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data: AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data: AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data: DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info: network nsg show command OK
```

```bash
$ azure network nsg rule list -g intro-rg -a intro-nsg
info: Executing command network nsg rule list
+ Looking up the network security group "intro-nsg"
data: Security rules:
data: Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data: -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data: allow-ssh-in                   *                  *            *               22                Tcp       Inbound    Allow   1000
data: AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data: AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data: DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data: AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data: AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data: DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info: network nsg rule list command OK
```

Once the NSG has been created, it can be applied to a subnet or NIC.

```bash
$ azure network nic set -g intro-rg -n intro-nic -o intro-nsg
info: Executing command network nic set
+ Looking up the network interface "intro-nic"
+ Looking up the network security group "intro-nsg"
+ Updating network interface "intro-nic"
data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkInterfaces/intro-nic
data: Name : intro-nic
data: Type : Microsoft.Network/networkInterfaces
data: Location : westus
data: Provisioning state : Succeeded
data: Internal domain name suffix : heksuhpgkrnefhty1fwul5dpla.dx.internal.cloudapp.net
data: Enable IP forwarding : false
data: Network security group : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/networkSecurityGroups/intro-nsg
data: IP configurations:
data:   Name : default-ip-config
data:   Primary : true
data:   Provisioning state : Succeeded
data:   Private IP address : 10.0.0.4
data:   Private IP version : IPv4
data:   Private IP allocation method : Dynamic
data:   Public IP address : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/publicIPAddresses/intro-pip
data:   Subnet : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-0
data:
info: network nic set command OK
```

--------------------------------------------------------------------------------
/network/vnets.md:
--------------------------------------------------------------------------------
Virtual Networks & Subnets
==========================
An Azure [virtual network](https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/)
(or
"vnet") is a resource that provides a logical IP communication space for 5 | other resources. It comprises one or more IPv4 address spaces. 6 | 7 | By default, vnets are independent of each other and the public Internet - you 8 | can have the same or overlapping address space in two different vnets, or in 9 | a vnet and the public Internet. Even if the address space in a vnet is 10 | nominally in routable IP space, by default it will not be reachable from the 11 | public Internet. 12 | 13 | If vnets are interconnected, or to on-premises networks, however, 14 | the address spaces cannot intersect each other, because of routing constraints. 15 | 16 | Note that like any other resource, vnets must be created in a region, 17 | and cannot span regions. 18 | 19 | ```bash 20 | # azure network vnet create -g -n -l -a 21 | 22 | $ azure network vnet create -g intro-rg -n intro-vnet -l westus -a 10.0.0.0/8,192.168.0.0/16 23 | info: Executing command network vnet create 24 | + Looking up the virtual network "intro-vnet" 25 | + Creating virtual network "intro-vnet" 26 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet 27 | data: Name : intro-vnet 28 | data: Type : Microsoft.Network/virtualNetworks 29 | data: Location : westus 30 | data: Provisioning state : Succeeded 31 | data: Address prefixes: 32 | data: 10.0.0.0/8 33 | data: 192.168.0.0/16 34 | info: network vnet create command OK 35 | ``` 36 | 37 | ```bash 38 | # azure network vnet list -g 39 | 40 | $ azure network vnet list -g intro-rg 41 | info: Executing command network vnet list 42 | + Looking up virtual networks 43 | data: Name Location Resource group Provisioning state Address prefixes DNS servers Subnets number 44 | data: ---------- -------- -------------- ------------------ ------------------------- ----------- -------------- 45 | data: intro-vnet westus intro-rg Succeeded 10.0.0.0/8,192.168.0.0/16 46 | info: network vnet 
list command OK 47 | ``` 48 | 49 | ```bash 50 | # azure network vnet show -g -n 51 | 52 | $ azure network vnet show -g intro-rg -n intro-vnet 53 | info: Executing command network vnet show 54 | + Looking up the virtual network "intro-vnet" 55 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet 56 | data: Name : intro-vnet 57 | data: Type : Microsoft.Network/virtualNetworks 58 | data: Location : westus 59 | data: Provisioning state : Succeeded 60 | data: Address prefixes: 61 | data: 10.0.0.0/8 62 | data: 192.168.0.0/16 63 | info: network vnet show command OK 64 | ``` 65 | 66 | ## Subnets 67 | 68 | Virtual networks are themselved composed of subnets, which each have a single 69 | address space expressable in CIDR notation that must be within that defined 70 | by its parent vnet. Network resources always exist within a subnet, rather 71 | than the parent vnet itself. 72 | 73 | ```bash 74 | # azure network vnet subnet create 75 | # azure network vnet subnet create -g -e -n -a 76 | 77 | $ azure network vnet subnet create -g intro-rg -e intro-vnet -n intro-subnet-10-0 -a 10.0.0.0/16 78 | info: Executing command network vnet subnet create 79 | + Looking up the virtual network "intro-vnet" 80 | + Looking up the subnet "intro-subnet-10-0" 81 | + Creating subnet "intro-subnet-10-0" 82 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-0 83 | data: Name : intro-subnet-10-0 84 | data: Provisioning state : Succeeded 85 | data: Address prefix : 10.0.0.0/16 86 | info: network vnet subnet create command OK 87 | ``` 88 | 89 | ```bash 90 | $ azure network vnet subnet create -g intro-rg -e intro-vnet -n intro-subnet-10-1 -a 10.1.0.0/16 91 | info: Executing command network vnet subnet create 92 | + Looking up the virtual network "intro-vnet" 93 | + Looking up the subnet 
"intro-subnet-10-1" 94 | + Creating subnet "intro-subnet-10-1" 95 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-1 96 | data: Name : intro-subnet-10-1 97 | data: Provisioning state : Succeeded 98 | data: Address prefix : 10.1.0.0/16 99 | info: network vnet subnet create command OK 100 | ``` 101 | 102 | ```bash 103 | # azure network vnet subnet list 104 | # azure network vnet subnet list -g -e 105 | 106 | $ azure network vnet subnet list -g intro-rg -e intro-vnet 107 | info: Executing command network vnet subnet list 108 | + Looking up the virtual network "intro-vnet" 109 | + Getting virtual network subnets 110 | data: Name Provisioning state Address prefix 111 | data: ----------------- ------------------ -------------- 112 | data: intro-subnet-10-0 Succeeded 10.0.0.0/16 113 | data: intro-subnet-10-1 Succeeded 10.1.0.0/16 114 | info: network vnet subnet list command OK 115 | ``` 116 | 117 | ```bash 118 | # azure network vnet subnet show 119 | # azure network vnet subnet show -g -e -n 120 | 121 | $ azure network vnet subnet show -g intro-rg -e intro-vnet -n intro-subnet-10-0 122 | info: Executing command network vnet subnet show 123 | + Looking up the virtual network "intro-vnet" 124 | + Looking up the subnet "intro-subnet-10-0" 125 | data: Id : /subscriptions/25b347b0-e6dd-45c1-bb11-529e36438d8f/resourceGroups/intro-rg/providers/Microsoft.Network/virtualNetworks/intro-vnet/subnets/intro-subnet-10-0 126 | data: Name : intro-subnet-10-0 127 | data: Provisioning state : Succeeded 128 | data: Address prefix : 10.0.0.0/16 129 | info: network vnet subnet show command OK 130 | ``` 131 | 132 | There is a special subnet that does not exist by default, called 133 | "GatewaySubnet", that holds a vnet's [VPN Gateways](gateways.md). 
--------------------------------------------------------------------------------
/storage/accessibility.md:
--------------------------------------------------------------------------------
Accessibility
=============

In order to manipulate a storage account (as opposed to data contained
within it), you must have its [connection string](https://docs.microsoft.com/en-us/azure/storage/storage-configure-connection-string).

```bash
# azure storage account connectionstring show -g

$ azure storage account connectionstring show -g intro-rg intro20161122strg
info: Executing command storage account connectionstring show
+ Getting storage account keys
data: connectionstring: DefaultEndpointsProtocol=https;AccountName=intro20161122strg;AccountKey=7l1tnfBNXsSv9jmdAsdvC1x0PMz9/jQNaAiyDTUuT94unQcdB/lOeksNYwDTOj9iKWErYA4WISbh0gV74qPu9w==
info: storage account connectionstring show command OK
```

The connection string includes an account key; this is similar to a root
password. The storage account has both a primary and a secondary account
key. Anyone who has one of these keys has full access to the account. If
either key is exposed, it should be replaced immediately:

```bash
# azure storage account keys renew -g --primary|--secondary

$ azure storage account keys renew -g intro-rg --primary intro20161122strg
info: Executing command storage account keys renew
+ Renewing storage account key
data: Name  Key                                                                                       Permissions
data: ----  ----------------------------------------------------------------------------------------  -----------
data: key1  FNZLj/RyQkMB9aqnJn1iZf0HvBxj194TzyI4XlzG+5K2wG+7vbXwKlqGKQpB+vdXjTF72HFJ6yGR5E/6Xww2Ew==  Full
data: key2  Ecj0Kvh1e2JIvvkalJD1sKlwOIQAObA0kNa0xL6MIZzeaFIiLp0c0di1sNCcqYS4U8y6ybF+8QJpF52Ly2hhtQ==  Full
info: storage account keys renew command OK
```

Instead of specifying the storage account details on the command line, they
can also be put into environment variables. This is convenient if you'll be
using the same storage account repeatedly. You can either use the pair
AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_ACCESS_KEY, or you can use
AZURE_STORAGE_CONNECTION_STRING.

Instead of keys, access can also be managed using
[shared access signatures](https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1).
These are more fine-grained, and provide access to one or more service
endpoints within the account, rather than to the account as a whole.

It is also possible to set public accessibility at the container or the blob
level:

```bash
# azure storage container set -c -p Container|Blob
```

The "Container" setting allows access to the container metadata, including the
list of blobs contained within. To allow access to a blob only if the URL is
known, use "Blob".

At present, however, blob containers in premium storage accounts do not support
public accessibility.
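As an added example (not from the original page), here is a Python parser for the `Key=Value;Key=Value` connection string format shown above that derives the `AZURE_STORAGE_ACCOUNT`/`AZURE_STORAGE_ACCESS_KEY` pair the text mentions and redacts the key before the string is logged; the sample key is constructed, not a real one, and the function names are mine.

```python
"""Added example: parse an Azure storage connection string and handle the key safely.

Not the page's own code. The sample key below is constructed (64 arbitrary
bytes, base64-encoded), which has the same shape as a real account key:
512 bits, 88 base64 characters.
"""
import base64
from typing import Dict

SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONNECTION_STRING = (
    "DefaultEndpointsProtocol=https;AccountName=intro20161122strg;"
    f"AccountKey={SAMPLE_KEY}"
)


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict and validate the parts we rely on.

    Only the first '=' in each segment separates key from value: the base64
    AccountKey itself ends in '=' padding, so splitting on every '=' would
    corrupt it.
    """
    fields: Dict[str, str] = {}
    for part in cs.strip().strip(";").split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed segment: {part!r}")
        k, v = part.split("=", 1)
        fields[k] = v
    for required in ("AccountName", "AccountKey"):
        if required not in fields or not fields[required]:
            raise ValueError(f"missing {required}")
    # A real account key is 512 bits; anything else is a copy/paste error or
    # not a key at all. binascii.Error (a ValueError) is raised on bad base64.
    if len(base64.b64decode(fields["AccountKey"], validate=True)) != 64:
        raise ValueError("AccountKey is not a 512-bit key")
    return fields


def to_env(cs: str) -> Dict[str, str]:
    """The environment-variable pair the page describes; the caller can
    os.environ.update() the result instead of passing the key on the command line."""
    f = parse_connection_string(cs)
    return {"AZURE_STORAGE_ACCOUNT": f["AccountName"],
            "AZURE_STORAGE_ACCESS_KEY": f["AccountKey"]}


def redact(cs: str) -> str:
    """Connection string with the key reduced to a 4-character prefix, safe to log.
    Treat the key like a root password: it should never reach a log file."""
    f = parse_connection_string(cs)
    f["AccountKey"] = f["AccountKey"][:4] + "..."
    return ";".join(f"{k}={v}" for k, v in f.items())


def looks_valid(cs: str) -> bool:
    """True if the string parses and carries a well-formed account key."""
    try:
        parse_connection_string(cs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(redact(SAMPLE_CONNECTION_STRING))
    print(sorted(to_env(SAMPLE_CONNECTION_STRING)))
```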
59 | 60 | -------------------------------------------------------------------------------- /storage/accounts.md: -------------------------------------------------------------------------------- 1 | Storage Accounts 2 | ================ 3 | 4 | To use the service, you must first create one or more storage accounts 5 | within your subscription. There are different [kind of accounts](https://azure.microsoft.com/en-us/documentation/articles/storage-introduction/), and 6 | each has various subtypes and configuration options. Many of these are 7 | mutually incompatible, and cannot be changed after the account has been 8 | created, so it is important to be aware of the design impact of your choices 9 | from the beginning. 10 | 11 | ## General-Purpose Accounts 12 | 13 | By default, a storage account is general purpose and can be used to store 14 | any of the four kinds of data. This kind of storage account has two 15 | performance tiers, standard and premium. 16 | 17 | Standard accounts are backed by mechanical disks, and support fewer (20k) "I/O 18 | Operations Per Second" ([IOPS](https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets)). The specs for standard accounts are not 19 | guaranteed; as they are approached the storage service will begin returning 20 | HTTP status codes of 503 (Server Busy) or 500 (Operation Timeout). 21 | 22 | At creation time, you can choose the kind of data replication you need for 23 | the standard account: locally redundant storage (LRS) makes multiple copies 24 | within the same data center; zone redundant storage (ZRS) makes copies in 25 | two paired datacenters that are usually geographically "close"; globally 26 | redundant storage (GRS) makes copies in datacenters around the world. 27 | Note that ingress/egress bandwidth is always greatest for LRS, and greater 28 | in the US than in Europe/Asia. 

[Premium](https://azure.microsoft.com/en-us/documentation/articles/storage-premium-storage/) accounts, on the other hand, are
backed by SSDs and have a higher IOPS limit. However, currently, premium
accounts are not truly "general purpose" - they *only support Azure VHDs
(page blobs) for VMs*. Additionally, not every [size of Azure VM](../compute/vms.md) can
use a premium image - only DS, DSv2, GS, or Fs. Premium accounts also only
support LRS, and do not support [public accessibility](accessibility.md).

Unlike standard accounts, which have the same stats regardless of the data they contain,
premium accounts come in three sizes: P10 (128GiB),
P20 (512GiB), and P30 (1024GiB). The size you actually use is rounded up to
the nearest Premium level (there's no need to explicitly provision a certain
level, or move from one to another). Each comes with fully committed
performance specs, graduated with those levels.

## Blob Accounts

Instead of a general purpose account, you can choose to create
a blob storage account. As the name implies, these accounts can only store
blobs - however, they can *only store block and append blobs, not page
blobs*. As a result, they are *not able to store disk images*.

Similar to the performance tier of a general purpose storage account, blob
storage accounts expose two [access tiers](https://azure.microsoft.com/en-us/documentation/articles/storage-blob-storage-tiers/): hot and cool. Hot is the
default, and is optimized for frequently accessed data. Cool is optimized
for infrequent accesses - storage costs themselves are cheaper, but access
costs are more expensive.

## CLI

```bash
# azure storage account create -g <resource-group> --kind <kind> --sku-name <sku> --access-tier <tier> -l <location> <name>
$ azure storage account create -g intro-rg --kind Storage --sku-name LRS -l westus intro20161122strg
info:    Executing command storage account create
+ Checking availability of the storage account name
+ Creating storage account
info:    storage account create command OK
```

A few tips to note... First, be aware that unlike other resource names,
storage account names must be globally unique, contain only lower case letters
and digits, and be between 3 and 24 characters long. One good way to help
satisfy this is to use a datestring of the form YYYYMMDD within the name.
Second, note that unlike many CLI commands, the -n switch to specify the name
of the account is not supported.

Premium accounts are created using the 'PLRS' sku:

```bash
$ azure storage account create -g intro-rg --kind Storage --sku-name PLRS -l westus intro20161122strgprm
info:    Executing command storage account create
+ Checking availability of the storage account name
+ Creating storage account
info:    storage account create command OK
```
--------------------------------------------------------------------------------
/storage/local.md:
--------------------------------------------------------------------------------
Local (Temporary) Storage
=========================
Azure VMs are provisioned with access to local disk. This is available
for linux VMs under /dev/sdb1 and mounted by default to /mnt/resources.
The size of the temporary storage begins at 20 GB for the smallest VMs and
increases with VM size. Local storage is high-throughput, low-latency,
and free.

Unlike the Azure Storage service, the local disk has no guarantee of
persistence across VM reboots (where it might move to a different host).
It is well-suited to high-throughput, low-latency needs that are transient.
One common use is for swap (in fact, the [Azure Linux Agent](../compute/lis-waagent.md) does this by default); another is for intermediate state on restartable
tasks (e.g. locally caching source code and compiling it).
--------------------------------------------------------------------------------
/storage/types.md:
--------------------------------------------------------------------------------
Blobs, Tables, Queues, and Files
================================
Storage comes in four basic types: Blobs, Tables, Queues, and Files.
Roughly speaking, these correspond to unstructured data, key/value data,
ordered messages, and SMB filestores.

It's helpful to have an overview of these types before designing your
storage solution, because many high-level design decisions will impact
low-level functionality in ways that are difficult to describe otherwise.

## Blobs
Blobs are simply unstructured binary data. They come in three different
subtypes: block blobs, append blobs, and page blobs. Block and append
blobs are similar, in that they are composed of blocks of up to 4 MB in size,
and are ideal for storing files. Block blobs are optimized for sequential
reads, and append blobs are optimized for trailing writes.

Page blobs are composed of 512-byte pages, and are optimized for
random read/write operations. All virtual hard disks (vhds) in Azure are
constructed with page blobs.

Blobs are stored within structures called containers. A container can
hold blobs of any type.

## Tables
Tables are collections of entities stored by unique key, where each entity
is a collection of up to 252 name/value pairs (properties) totalling up to
1 MB in size.
Like other NoSQL data stores, tables do not enforce a schema
on their entities, are not relational, and are optimized for retrieving entities
by key.

Note that Storage Tables are similar to, but more limited than, Azure
DocumentDb.

## Queues
Queues are FIFO sequences of messages, which can be up to 64 KB each. A
queue can have any number of readers and writers, but each message is
intended to be processed by a single reader.

Note that Storage Queues are similar to, but more limited than, Azure
ServiceBus.

## Files
Fileshares are SMB-accessible filesystems. Within a share you can create
arbitrary directory structures, and read and write files within them.
--------------------------------------------------------------------------------
/storage/vhds.md:
--------------------------------------------------------------------------------
Virtual Hard Disks
==================

[Virtual hard disks](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-about-disks-vhds)
in Azure are in a fixed-size VHD format, but the sparsity
of the original image is preserved - therefore, the actual size of the disk
file (e.g. during a copy) may be significantly less than the formatted capacity
of the VHD. The VHDX format is not supported.

Every VM needs an operating system disk, at a minimum. Before the VM is run
(before or during vm creation) a source image for this disk must be copied
into a local storage account blob container. This page blob must have the
.vhd suffix.

If using a standard Azure image, it's most convenient to do this during VM
creation, when Azure will take care of this copy for you. It's also possible
to use a custom image, though, in which case the source image will need to be
prepared in advance and copied into the storage account.

The default container for VHDs is, not surprisingly, called "vhds". Azure
will create it for you automatically if it's missing, if you're using a
standard OS image, but we'll create it ourselves here:

```bash
$ azure storage container create -c 'DefaultEndpointsProtocol=https;AccountName=intro20161122strgprm;AccountKey=7sKhyLqDk8J5pSsloNrfU4MVohK7uu3qFwKJBX3ZT37UsI8WsH/FnRE7JmPskqXb2yBkHdalXJV5EqBKx17o3Q==' --container vhds
info:    Executing command storage container create
+ Creating storage container vhds
+ Getting storage container information
data:    {
data:        name: 'vhds',
data:        metadata: {},
data:        etag: '"0x8D417379EAB3A69"',
data:        lastModified: 'Mon, 28 Nov 2016 02:38:21 GMT',
data:        lease: { status: 'unlocked', state: 'available' },
data:        requestId: 'd7c02823-001c-000d-3220-49dfa4000000',
data:        publicAccessLevel: 'Off'
data:    }
info:    storage container create command OK
```

Note that when a VM is using a VHD, it places a lease on the VHD so that
it cannot be deleted. The reverse is not true, however: when you delete
a stopped VM, the resources it has been using, including VHDs, are not
deleted (because they might be re-used subsequently by a new VM). As a
result, be careful to check whether or not VHDs from deleted VMs need to
be kept, and delete them manually if need be.

VMs can also have data disks, of course. The number of data disks that
can be mounted is a function of VM size.

## VHDs, Storage Accounts, IOPS, and Ingress/Egress Bandwidth

Generally, VHDs in Standard storage accounts have an [IOPS limit](https://docs.microsoft.com/en-us/azure/storage/storage-scalability-targets) of 500.
These accounts have a total limit of 20k IOPS, and dividing the latter by
the former gives the standard guidance of no more than 40 VHDs per account.
It's also true, however, that the 500 IOPS is not guaranteed - performance
degrades as this limit is approached. Another wrinkle is that most disks
are not taxed at close to 500 IOPS most of the time. So... the actual
number of VHDs that you can successfully put in a standard account has as
much to do with your usage patterns as it does with technology. If you're
booting a lot of VMs simultaneously, you'll want fewer VHDs in those accounts.

When VMs are I/O bound against a VHD, they may block and become unresponsive.
If that VM is providing network services, these connections may correspondingly
lag or fail. Keep in mind that when debugging what looks like a network
issue, you may actually be looking at a storage issue.

One way to mitigate an IOPS limit is to use a technique such as logical
volume management, to map a logical disk across several VHDs. This is
recommended only for data disks, though, not boot disks.

VHDs in Premium storage are a different story. They have IOPS and storage
bandwidth (ingress+egress) [limits](https://docs.microsoft.com/en-us/azure/storage/storage-premium-storage) that change by the size of the disk. As a
result, it's not possible to give useful general guidance on the number of
VHDs that can be put into a Premium account.
Because there is also a total IOPS and storage bandwidth limit based on the
[type/size of the VM](https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-sizes),
it is very possible with Premium storage for the VM to be the I/O bottleneck,
rather than the storage account.

## Fault-Tolerance and VHDs

A storage account is mapped to a single storage "stamp". Even if your VMs
are in an availability set and mapped across fault domains, if their VHDs
are all in a single storage account, its stamp is a single point of failure.
For maximum fault tolerance, make sure VMs in availability sets have their
VHDs in separate storage accounts.
--------------------------------------------------------------------------------
/wrapup.md:
--------------------------------------------------------------------------------
Wrap Up
=======

While SSH is allowed between subnets in the vnet, our jumpbox will need
our private key in order to establish a connection to the VMs serving HTTP.

```bash
$ scp ~/.ssh/id_rsa intro@13.91.100.127:.ssh/id_rsa
```

Now, ssh to the jumpbox, and then to the first HTTP server:

```bash
$ ssh intro@13.91.100.127
The authenticity of host '13.91.100.127 (13.91.100.127)' can't be established.
ECDSA key fingerprint is SHA256:MTE9DjK2YvxCvwFURsqjcjHQv29/YRaAV9NoNGpJOjs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '13.91.100.127' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-65-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Dec  1 22:07:25 UTC 2016

  System load:  0.3              Memory usage: 2%   Processes:       80
  Usage of /:   39.6% of 1.94GB  Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
```

```bash
$ ssh intro@10.1.0.4
Enter passphrase for key '/home/intro/.ssh/id_rsa':
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.19.0-65-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Dec  1 22:20:50 UTC 2016

  System load:  0.23             Memory usage: 2%   Processes:       80
  Usage of /:   39.6% of 1.94GB  Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
```

For each of the two servers (at 10.1.0.4 and 10.1.0.5) use apt-get to bring
the VM up to date, and install the Apache httpd server.

```bash
$ sudo apt-get update && sudo apt-get upgrade
```

```bash
$ sudo apt-get install apache2 apache2-doc apache2-utils
```

You should now be able to point a web browser from anywhere at the PIP
of the load balancer (104.45.233.180 in our example) and see the standard
Apache splash page.
--------------------------------------------------------------------------------
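An added alternative to the key copy in the wrap-up above, not part of the original walkthrough: with OpenSSH's ProxyJump (OpenSSH 7.3 or later on the workstation) the private key stays on the workstation and the jumpbox only relays the TCP connection, so no key material is stored on the hop. The host aliases (jumpbox, web1, web2) and the config path are assumptions; the addresses and the intro user are the ones used in the walkthrough.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough: generate an ssh_config
# that reaches the HTTP servers through the jumpbox with ProxyJump, so the
# private key never has to be copied to the jumpbox. Host aliases and the
# output path are assumptions; addresses and the "intro" user come from above.
set -u

# $1 = jumpbox public IP, $2 = login user, $3 = private key on the workstation,
# $4 = config file to write; remaining arguments are "alias=private-ip" pairs.
write_jump_config() {
    local jump_ip="$1" user="$2" key="$3" out="$4" pair
    shift 4
    {
        printf 'Host jumpbox\n'
        printf '    HostName %s\n' "$jump_ip"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'    # offer only this key, not every loaded one
        printf '    ForwardAgent no\n'       # no agent socket is exposed on the hop
        for pair in "$@"; do
            printf '\nHost %s\n' "${pair%%=*}"
            printf '    HostName %s\n' "${pair#*=}"
            printf '    User %s\n' "$user"
            printf '    IdentityFile %s\n' "$key"
            printf '    IdentitiesOnly yes\n'
            printf '    ProxyJump jumpbox\n' # the hop forwards TCP; auth is end to end
        done
    } > "$out"
    chmod 600 "$out"
}

# Number of Host stanzas in a config file that are routed via the jumpbox.
count_jumped_hosts() {
    grep -c '^    ProxyJump jumpbox$' "$1"
}

# Usage; afterwards "ssh -F ~/.ssh/azure_intro web1" lands on 10.1.0.4:
#   write_jump_config 13.91.100.127 intro ~/.ssh/id_rsa ~/.ssh/azure_intro \
#       web1=10.1.0.4 web2=10.1.0.5
```

With this config the `scp` of `id_rsa` to the jumpbox is unnecessary, and the passphrase prompt seen on the second hop above is answered on the workstation instead.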