Microsoft Azure AZ-800 — Section 13: Manage Azure Virtual Machines that run Windows Server Part 2
104. Configure continuous delivery for Azure Virtual Machines
So another feature that Azure has in regards to our virtual machines is a feature known as continuous delivery and continuous integration, sometimes referred to as CI/CD. The goal here is: if you are dealing with developers that are developing, let's say, a web application for your virtual machine, you want to make it where these developers can essentially utilize Microsoft's DevOps system (Azure DevOps) to develop their code and then have that code injected into your virtual machine continuously. This makes it really easy on the developers: they can develop the software they need any time they need to, they can update the software, and it can be continuously delivered to the virtual machine. That way, you're not having to, you know, FTP it or download it somehow into the virtual machine separately. This can be a continuous process.
Now, in order to do this, the first step, of course, is to set up your virtual machine. And then you go to your virtual machine: I'm going to click on Virtual machines here and go to Azure DC one, which I've created in a previous lesson. And then from there, I can click right here on Continuous delivery. All right, so there's a blade on your virtual machine called Continuous delivery. We're going to click on that, and at that point you're going to click the Configure button. From there, you're going to notice that I don't have a DevOps component configured here, so I'm just going to create one by clicking here. It's going to bring me to a page that says, OK, you want to create a DevOps organization, and it asks whether I would like information, tips and offers. I'm going to turn that off and then hit Continue. And then from there, it's going to set me up: it asks for the name of your DevOps organization, and I'm just going to go with this default name here. And then, where do you want to host this project? So I've got Central US, East Asia, all that. I'm going to go with Central US, and then I'm going to fill in the CAPTCHA here.
So go ahead and put that in, hit Continue, and we'll go ahead and let that process through. And once that's done, I'm going to go to dev.azure.com. At that point, it should detect my account here and then I can create a project. I'm just going to call this CI Demo, a continuous integration / continuous delivery demo. All right. We'll make this private. From there, I'm going to click to create the project. This is not really a developer course, so you would be working with a developer here on this to create your code for you and all that. But this does get us started. And at that point, where we've now got a little demo project to work with, the next thing I'm going to do is click over here on Pipelines and then go to Deployment groups, and we're going to add a deployment group. As you can see, they tell you that a deployment group is a logical group of, basically, target machines that you're going to be deploying this code to.
So, I’m going to click add a deployment group. I’m just going to give it a name, I’m going to call it Demo Deployment Group and I’m going to click Create. And it’s officially created the deployment group.
OK, so now that you've got your deployment group, you can see it's set for Windows because I'm going to be deploying this to Windows machines. Of course, if you want to go with Linux, you could actually do this with Linux. But in my case, it's Windows.
So now that I’ve done that, my developers that I’m working with would be writing their code that they’re wanting to deploy out to the servers.
Now, as far as our side of things goes, what else would we need to do? We need to jump back over to portal.azure.com. We're going to click on the menu button here, go down to our virtual machines, and choose the virtual machine we're doing this on. Of course, I've got this set to Azure DC one, but you would probably want to have a web server, right, with the web server role installed. From there, I would go down to Continuous delivery and click Configure again. Now that I've got the stuff set up, you'll see that I've got an option here for my DevOps organization and the project; I've only got one project in my case. And then the deployment group, Demo Deployment Group. I don't have a build pipeline here; that's something the developers can work with, creating a pipeline, if you want. And then I have a deployment strategy, and there are three different deployment strategies here. The first is called rolling, and rolling is probably the common one that most everybody uses. Essentially, with rolling, it works very simply: you deploy your software code out to the server. At that point, if they need to update it, they can make an update in order to push the update out there. Very easy. You create a staged version of your deployment that the developers are working on, and when they're ready to go live with it, they deploy it; they roll it out to your virtual machines.
Now, the second one that you’ll see there is Canary. Canary is the concept of staging changes to a small group of people.
So what you might do is have a test group of users that are going to test out your web services. You use the canary deployment to deploy to that small group of users, and then you eventually deploy out and go live with the full system. The last is called blue-green.
OK, blue-green is where you're setting up a separate environment altogether.
So, I might have a separate set of virtual machines altogether that are configured for blue-green, and I'm going to test out and go live with those servers first and then eventually deploy it out to my production virtual machine.
So to do blue-green, you're generally going to have a separate set of virtual machines for testing purposes, as opposed to always going live with production. Again, most commonly, most people are going to go with rolling. That's usually the default, right? And at that point, I'm going to go ahead now and click OK.
OK. So, it's going to now go ahead and process through, and I'll pause the video while that processes. All right, so as you can see, it did complete successfully. Just kind of a forewarning also: one thing I have seen is that the first time you try to do the continuous delivery,
sometimes it'll fail on you the first time; just try it again if you were to get an error. But ultimately, if the machine's been booted up for a while and there are no services or anything in the process of being updated, it should go through successfully the first time. But if not, you can try again. We've officially now set up the continuous delivery. Again, you would work with your developers on the code and stuff like that. That's not really something we cover here, nor is it something you need to worry about on the test, since you're not learning how to program here, but you would work with the developers on what code they want to be updated into the server. As long as the server's got web services and all that on it, you can have the website updated frequently, and that is what the continuous delivery and integration feature does for you.
105. Configure connections to VMs
Now, when working with Azure virtual machines, obviously one of the important concepts that we need to keep in mind is how we go about connecting into that virtual machine.
Now, depending upon the kind of virtual machine you're working with, whether it's Windows or whether it's Linux, there are a couple of different ways you're going to make that happen. Generally speaking, if you're using a Windows virtual machine, you're going to connect using RDP, Remote Desktop Protocol, which uses port 3389. Alternatively, you can install the SSH (Secure Shell) server on it, which uses port 22 and gives you a command line. With Linux, you generally will use a command line to interact with your Linux virtual machine with the help of SSH, which again is port 22.
So let’s take a look at how we can actually connect into our virtual machines.
Now I'm going to click on the menu button here, and I'm going to go to virtual machines and I have this Azure DC one. First thing I want to do is make sure that it's started, which it is. All right, the next question would be: does the Azure virtual machine have a public IP address? It does. If it did not have a public IP address, we could potentially still connect into the virtual machine with a private address, as long as our on-premises network was connected in, either (a) through a VPN gateway connection or (b) through what's called ExpressRoute. If we had a connection in there, we could get in without having to have that public IP address and connect directly. But in this case there is a public IP address right here, and if I actually go to the resource group where this is at, the VM Test resource group, I can click on that and see all of the ingredients that make up the virtual machine. You can see I have a public address associated with it. That public address is what's going to let me connect into it. So let's come back over to the virtual machine, click on the Connect blade, and you can see that RDP is already the default method here that Windows-based virtual machines are going to use. From there, I can click Download RDP file and make my connection that way.
So going right here, putting in the credentials. At that point, it's going to make the connection. All right, so the virtual machine is loading up. No problem, everything's good there. All right.
So that's me connecting into the virtual machine using RDP. They also kind of warn you, though, with a message that says: to improve security, enable just-in-time access on the VM.
So, if I click on that, we can do what's called just-in-time access on the VM. What this will basically do is allow me to limit how, when, where and who can get in. I can click on Enable just-in-time, and I can open the Azure Security Center. And as you can see, it's turned on right here for this machine.
So just-in-time allows me to control who, when, where and how somebody is going to get into this VM. Look right here, it even gives you a little bit of information about it. Basically it tells you that this is going to enable you to lock your virtual machine down at the network level. It's going to block inbound traffic to the specific ports that you've got, so somebody who tries to connect shouldn't get in. It also ties in with RBAC, which is role-based access control, and if your company is using something known as Microsoft Defender for Cloud, then you can restrict who can get in that way.
OK. The other thing to consider here is that if we go back over to the virtual machine Azure DC one and click on our resource group, we need to make sure there's an object called an NSG, a network security group, here. We need to make sure that the ports that we're allowing in to that virtual machine are open on it. In this resource group you can see the virtual machine has a virtual network adapter. The virtual network adapter is connected to a virtual subnet.
OK. And the virtual subnet, of course, is connected to something called a virtual network.
So, I can see the address that the machine is connected to right here. You can see it's using IPv4.
So ultimately, though, what happens is your network adapter has an NSG associated with it, which stands for Network Security Group, and that Network Security Group is almost, well, I don't want to call it a firewall because it's not technically a firewall. It does what's called packet filtering. Packet filtering means it's going to have inbound rules and outbound rules that decide who gets in and who doesn't.
So, if I go back over to the resource group, which is VM Test, and if I click on the NSG for Azure DC one, we can look at the inbound rules here, and you can see that we've got a couple of rules. We've got a Security Center just-in-time rule that was created just a minute ago. It basically says, hey, if we want to deny specific people we can, and we've got an RDP rule that's basically saying: on the RDP port, do not allow anybody in.
OK, so if I close out of my virtual machine right now, I'm going to jump back over and try to make a connection again.
OK, Connect. At that point, I want you to notice that something's changed here: it says Request access. So I can click Request Access, and you can see it's requesting just-in-time access, and it says access has been approved from the selected IPs. At that point, I can download the RDP file, open up the file and put my credentials back in, and it's now granted me access, which is a more secure way of allowing connections. Either way, though, you are still allowing RDP from the outside world, and there is a better way to do this. The better way is to use what's called a bastion. A bastion is going to essentially allow me to utilize HTTPS through my web browser to connect directly into the virtual machine, instead of connecting directly over RDP on port 3389. As you may know, hackers can do what's called a port scan. If a hacker does a port scan against my IP address, they would discover that port 3389 is open, and at that point they could start trying to attack and log onto that virtual machine.
So with a bastion, we can use port 443, and it basically does a translation between HTTPS and RDP, and I would actually be able to close RDP coming directly into that public IP address if I wanted to. So the next thing I'm going to do is go ahead and click on Use Bastion. All right, so there's a few steps here. Basically it tells you step one is to choose your virtual network. I only have one virtual network here that the virtual machine is connected to.
So there's nothing else I need to do there; then it's asking me about the bastion.
So now it's going to create a little subnet to allow this connection. And if I wanted to associate this with a specific security group, I could, but I'm just going to click to create the subnet.
So as you can see there, it's going to go ahead and create the subnet. And then from there, all right, what's the bastion going to be called? The default name here is going to be VM Test, which is the resource group, dash vnet dash bastion. And then I can choose between Basic and Standard. If you go out there, you can actually look at some of the information in regards to what you get here. You can read a little bit about the SKU, the stock keeping unit, and the cost and all that, but I'm not getting into cost or any of that right now.
So you can choose Standard or you can choose Basic. And as you can see, right out of the gate, if you look at Basic versus Standard, you get a couple of options here. Mostly, if I go with Standard, I'm going to support different instances of this; I can have multiple instances.
So, if something was to happen to, let's say, the equipment that the bastion is associated with in the data center, there's another instance of it available.
OK.
So then it says, all right, to work with the bastion you're going to need another public IP address, and you can go ahead and create another public IP address. Do you want to store it in this resource group? Yeah, that's fine. I'm going to say create the bastion here using those defaults, and it's going to go ahead and start processing that through.
So, we’ll go ahead and let that get created.
OK, so after just a couple of minutes, the bastion here should be created. And now what I'm going to do is put in the credentials to log in; these are the same credentials you would use to connect into the machine. Notice that I get a pop-up blocker; that's just my web browser doing that, so you can go ahead and allow that. It connects, and it should now open up a new tab and start a remote desktop session into that machine. And we're going to go ahead and, drum roll, here we go: we are now connected into the virtual machine using the bastion, which of course is just using HTTPS. All right.
So those are the different ways that you could get into this. Again, I'm not really demonstrating SSH, but you could install SSH on the server and connect in with SSH as well. If you have Linux, that would be the way you would connect in, with SSH. But ultimately, that is how we can connect into our virtual machines in Azure.
106. Visualizing Azure networking
I'd like to take a moment now and explain a little bit about Azure networking, to kind of help you visualize how it works.
So Azure networking is really not too different from a real on-premises network. On-premises, we have TCP/IP based networks. We have equipment that allows us to handle IP addressing, such as routers, and with the help of switches we can connect our computers together, or wireless access points or whatever. But ultimately our routers are going to allow us to transmit information across the network and communicate with network adapter cards utilizing different subnets.
So, in TCP/IP, we have an address space, a certain set of IP addresses, and we can break those IP addresses up into different subnets. Well, the same kind of thing happens in Azure.
So, I want to talk a little bit about that with you right now.
So the first thing that you have in Azure is what is called a VNet, a virtual network. A VNet is a block of IP addresses.
So, for example, I might call this VNet1. All right. And the address space for VNet1 might be, we'll say, 10.1.0.0/16.
Now I'm not here to teach you TCP/IP subnetting. You're kind of expected to understand a little bit about subnets coming into this, but you know the idea of TCP/IP: at least if you do the math on that, you would get 65,536 possible combinations on that total address space right there.
OK. Because these two zeros in binary would be 16 bits, two to the power of sixteen, that's where you're getting the number. All right. But that would be the whole address space. And from there, I could break this into subnets.
OK. And so I might have a subnet here. I'll call it subnet one, and I would give it 10.1.1.0/24.
Now that would actually give us 254 combinations, although Azure does reserve a couple of IP addresses for itself. But that would be that subnet right there. And then I could create another subnet if I wanted. This could be subnet two: 10.1.2.0/24. That would give me roughly 254 addresses for this subnet. And then, same thing here, I could create another subnet. Just to go along with the same strategy, we'll say this is virtual subnet three, 10.1.3.0/24. And then, just to cap it off, I'll create one more, and that will be our fourth and final one listed here: virtual subnet four, 10.1.4.0/24.
OK. And so from there, I now have one VNet and I have virtual subnets that are part of it. And I could then create virtual machines and place them on those subnets. Remember that virtual machines have what are called virtual NICs, vNICs.
OK, I'm going to outline in green here: the vNICs would be connected to your virtual machines. Each virtual machine's vNIC would then be connected to the subnet. And at that point, you could have different virtual machines on each one of the subnets. If you wanted, you could have some virtual machines on the same subnet.
By default, routing in regards to VNets is automatic. That means that any subnet that is part of the same VNet is routed automatically; in other words, this subnet can communicate with that subnet and vice versa. They can all communicate with each other because they're part of the same VNet.
Now you can also police traffic on VNets as well, using something called an NSG. An NSG is a network security group. A network security group allows you to do what's called packet filtering, so I can block inbound or outbound traffic if I want. NSGs can either be placed directly on a subnet or directly on a vNIC. That's it. You can't attach it to the entire VNet. You can attach it to either the subnet or the vNIC,
sorry, the virtual network adapter on the machine.
So an NSG is going to let you police the traffic inbound and outbound for either the network adapter card, the vNIC, or the actual subnet itself.
OK, so that is the idea of what an NSG does, and you can pretty much create as many of those as you want. The good news is this doesn't really cost any money. As you're working with VNets and virtual subnets and all that, Microsoft isn't charging you for any of that.
OK. Obviously, virtual machines and all that are going to cost you money. But, you know, NSGs and vNICs and subnets and all that stuff don't really cost any money.
So you can also, with the help of that, you know, create one VNet, but you could create multiple VNets if you want to.
So, I could have more than one VNet here.
So let me just expand my drawing a little bit here, and let's go a little deeper with it. So I could go down here and I could have, we'll call this VNet1, and it's 10.1.0.0/16 as the whole entire thing, OK? And then maybe I've got, let's say, three other VNets, like so. This is another one; we could do 10.2.0.0/16 as the address space there. Let me move this up a little bit and move this down a little bit.
OK. And this will be, we'll say, VNet3, 10.3.0.0/16. And this will be VNet4. So with these VNets, if you wanted, you could have different virtual machines that have different jobs involved, and in fact this is actually a pretty common scenario. This is known as hub and spoke: this being like a hub type of scenario and these being spoke VNets. And then the other thing that a lot of companies will do is they'll have the internet connection; this little cloud here is going to represent my internet connection. Let me just kind of clean that up a little bit. All right. For the internet connection, you're going to have what's known as a public IP address that connects everything out, right? So, if I want, I could set up what is known as a virtual firewall. Azure supports virtual firewalls, and I can set up a virtual firewall here. And then, of course, we've got a public IP address, also known as a PIP, that gets us out to the internet there. And you could connect the VNets all together. Now, we'll see the subnets like here are all connected together if they're part of the same VNet, but VNets themselves are not connected together. You actually have to do what's called VNet peering, so we can peer these VNets together if we want, by using what's called peering.
OK. But that doesn’t happen by default, you have to enable that in Azure.
So, we might do peering here and peering here, and that way we can control traffic. Let's just add some virtual machines here, and some virtual machines here. All right. And I didn't specify subnets, but we could say that this is going to represent a subnet, this is a subnet, this is a subnet, this is a subnet. And from there, we can make it where, to get out to the internet, these virtual machines have to go through the firewall and out, and things coming in have to go through the firewall in. We could even set up a load balancer and all that. The other thing is we could have, you know, an on-premises network here.
OK. Actually, I need to move that over there, because that’s where the internet is, isn’t it? Let’s break this down a little bit.
OK, so you have an on-premises network. The on-premises network is connected to the internet, and then what you could do is also set up what is called a VPN gateway. Let me just make that orange here. The VPN gateway is a way in which you can establish a connection through the internet into your on-premises network, so your on-premises network can have a direct connection into Azure and communicate. That's one way you can do it. Another way you can do it is what's called ExpressRoute, where your company works with a service provider that provides a very high speed connection directly into Azure itself.
So, a VPN gateway and ExpressRoute, which we don't really get deep into in this course at all, but you can research them a little bit; those are options that you could use for connecting in. But ultimately, hopefully that gives you now a good visualization as to what VNets are, subnets, the concept of peering, and the fact that we can control the flow of traffic with NSGs, as well as connecting our VNets together, allowing them to go through a hub and spoke type scenario, this being the hub and these being spokes, and I would say that's a pretty common strategy that people use. You can even utilize a load balancer if you want, so you could implement what is called a virtual load balancer if you had a bunch of web servers or something set up. So let me just show you what I'm talking about here. Let's copy this. All right. Let's say that this is going to represent three web servers.
OK. You could actually have a load balancer where when people connect in, they first have to connect through the firewall.
OK, and then the firewall passes them on when you use this. Hold on.
So, they first connect into the firewall. The firewall passes them to the virtual load balancer. The load balancer would then load balance the traffic going between the different virtual machines.
So this is also very common in dealing with things like web servers. But hopefully that now gives you a good understanding of at least the visualization side of understanding Azure networking.
107. Manage Azure Virtual Machines network configuration
And I will go ahead and finish that up, or click on Go to resource now. And you can see that it hasn't shown up yet, the subnet hasn't. Oh, actually, I'm sorry, I'm not looking at it; here it is, the subnet. Sometimes, though, I do want to warn you that when you go into things, sometimes they haven't shown up yet and you do have to refresh.
So sometimes if you go to your resource group and you click on VNet Demo, you may not see it show up here immediately, and you have to refresh.
So there is VNet1, which has been created successfully, and there is the subnet that's been created. If I wanted to add another one, I could. You'll notice that there are 231 addresses instead of 254. That's because Azure reserves a few for its internal data center routing. But I could go right there, click New Subnet if I want to create another one, and we'll say, you know, subnet two, 10.10.2.0/24, and click Save. And we're just creating our second subnet. So that's pretty easy: create a VNet, create a subnet. If I wanted to create another VNet, I'll just go back over to my VNet Demo resource group, click Create, search for Virtual network again, click Create, and I'll just call this VNet2. Then I will click Next on to addresses, and we're going to call this, let's call it, 10.20.0.0/16.
So that will be the address space. Keep in mind, and I forgot to say this a minute ago, that when you work with address spaces, you always use unique address spaces. This should even be unique from what it is on-premises. You never want to use the same IP subnet that you're using anywhere else. That's very important.
OK.
So, we'll go right here and we'll say, add a subnet, and I'm going to call this subnet three, for lack of a better name, virtual subnet three. And we'll say 10.20.1.0/16, sorry, /24, because I have to have unique address spaces. All right, that names my address spaces, so we'll click Review + create, and then we will click Create. All right.
So, it doesn't take very long, just like before, to create that VNet. As you can see, it's processed through. Now I can go to the resource and to subnets; there it is, the subnet. All right. And right now VNet1 and VNet2 are not peered, but you can create a peering right here; you can add one, and you can actually add a connection between the two. The other thing I could do, if I wanted to add an NSG, I could do that. I can go over here to resource groups, VNet Demo, and there are my two VNets. I could click Create and I'll type Network Security Group. If I could type, that would be helpful. Network Security Group, there it is. We'll click to create a network security group. I'll just call this NSG Demo 1, then Review + create. It's validating and we're now creating the NSG. So don't forget, the NSG is like a packet filtering concept; it is not a full-blown firewall or any of that. I'm not getting deep into it right now, but it's going to allow you to control inbound and outbound traffic to either (a) a virtual NIC or (b) the virtual subnet.
So, I'll click on Go to resource, and it's got some default rules. I can click on Inbound security rules. The first rule is a rule that basically says AllowVnetInBound, on any port, any protocol: basically any virtual network can talk to any other virtual network, you're saying allow. And then it says AllowAzureLoadBalancerInBound, which is allowing load balancers. And then you have the default rule at the bottom called DenyAllInBound. That basically means if there's not an allow rule, then you're not going to let anything in. Right now, if somebody tried to connect from the outside world into one of your subnets using a public IP address, you would need to allow that, because right now everything is denied as far as coming in from the internet.
So, I could click Add and I could say, well, source: Any; source port range: Any; destination: Any. The destination port is what matters, and that would be 3389 if I was going to allow RDP, for example. Destination could be Any, or it could be a specific IP address if I wanted. And then as far as service goes, I'm going with RDP, Remote Desktop Protocol, so I'll just leave that set to Custom. RDP uses TCP. I'm going to allow it. Now, priority: the lower the number, the higher the priority.
So you'll notice these rules over here are 65000-something, right? So this rule is going to be at the top. And I was going to call it "allow RDP". You'll notice that it doesn't allow spaces.
So, we'll just take away that space and then we're going to click Add. And we've now created an allow rule at the top. And the rules do get processed in order.
So, if you had another rule that denies RDP and it was above the allow RDP rule, then the deny would take effect.
OK.
So at that point, you could then associate this NSG either to a network interface or to a subnet. Let's associate it to our VNet1 subnet.
So there is VNet1, and I'll associate subnet one.
OK. And just like that, we've now officially got our NSG associated to our subnet. All right.
So all that works very well, and that allows me to have better control over the traffic flowing in and out of my virtual networks. As you can see here, there's the NSG that has officially been created, and I'm able to control the traffic flowing in and out based on that. I don't have any virtual machines, but I could now, if I wanted to, add a virtual machine to that. I could also create a public IP address: I could click Add, and if I wanted to add a public IP, I could do that right here, and I could attach the public IP address to a virtual machine if I wanted to. Granted, when you create a virtual machine, it'll ask you if you want to do that. But all in all, I think you'll find that working with Azure's networking is actually pretty straightforward. Of course, the interface changes constantly, so don't be surprised if your interface looks a little different than mine. But other than that, it's actually pretty easy to use.