Implement and Monitor Azure Infrastructure (AZ-303)
Whether you are aiming to take the AZ-303 exam, or simply wanting to develop your solution architecture and implementation skills, this course can help you.
Throughout this course, we cover several important and foundational Azure services. We provide experience implementing and architecting Azure infrastructure and monitoring.
This course provides:
- Understanding of important Azure services
- Hands-on implementation experience
- Important design and implementation tips
Once you've completed this course, you'll have experience in implementing a range of Azure technologies, including:
- Azure Active Directory
- Identity security and access control
- Virtual networking and compute
- Azure storage services
- Foundational security
- Monitoring and diagnostics
Please be aware that this course is part of a learning path. If you are interested in passing the AZ-303 exam, see the lesson on Learning Paths.
This course will help you learn more about implementing and monitoring Azure solutions and help you on your way to becoming an Azure Solution Architect. Through a range of video lessons, hands-on labs, and additional content, we cover:
- Selecting the right service for the right job.
- Implementing fundamental Azure services.
- Implementing advanced solutions, including integrated, highly-available, and automated deployments.
- Leveraging Azure AD identity.
- Monitoring Azure solutions.
This course can be consumed by itself or as part of the AZ-303 learning path.
Important Note
This course is structured to build from fundamentals up to more complex topics. However, this is a professional level course, and as such, it is expected that students are already familiar with Azure concepts, technologies, and tools.
About Learning Paths
This course is one of several that make up a learning path for the AZ-303 Microsoft Azure Architect Technologies exam. Students are welcome to take this course by itself, but for those interested in going on to take the AZ-303 exam, it's a good idea to follow the learning path below:
- Implement and Monitor Azure Infrastructure
- Implement Management and Security Solutions in Azure
- Implement Solutions for Apps in Azure (coming soon)
- Implement and Manage Data Platforms in Azure (coming soon)
- Preparing for the AZ-303 Microsoft Azure Architect Technologies Exam (coming soon)
Course Support and Feedback
We are very passionate about providing everything needed to be successful on this learning journey. In this lesson, we provide a quick overview of the many tools available to access support as well as provide feedback. If you experience any issues with the content, please contact me directly with the details.
Course Support:
- Linux Academy Support: firstname.lastname@example.org
- James Lee: email@example.com
Course Feedback:
- Are you enjoying the content? Please leave a thumbs-up!
- Have concerns or suggestions? Please contact me directly or leave comments with a thumbs-down, and I will reach out to address any issues!
About the Training Architect
Azure Active Directory
Azure Active Directory (AD)
Azure Active Directory (AD) provides us with a range of identity and access management (IAM) functionality, through a fully managed cloud service. Cloud-based identity management is increasingly important as our users now work from a variety of locations and personal devices, and access applications in the cloud. Traditionally, all access has been from organization-controlled devices, at fixed locations, to applications that we manage. In this new world, Azure AD helps us to centralize identity management, provides our users with simplified experiences (for example, single sign-on), and so on.
Implementing Azure AD
In this lesson, we'll walk through:
- The relationship between Azure AD and Azure Subscriptions
- Creating an Azure AD tenant
- Managing and changing Azure AD tenants
- Configuring a custom domain for Azure AD
Virtual networks (VNets) are a core part of many modern cloud solutions. They provide an isolated networking space for private connectivity. In this lesson, we will discuss:
- The purpose of a VNet
- Configuration of a VNet and subnets
- Important configuration and connectivity considerations
Configuring Virtual Networks
In this lesson, we'll use PowerShell to configure a new virtual network.
PowerShell Script

    $rgName = "vnet1-rg"
    $location = "Australia Southeast"

    # Create a resource group
    New-AzResourceGroup -Name $rgName -Location $location

    # Create the virtual network
    $vnet1 = New-AzVirtualNetwork -Name "vnet1" `
        -ResourceGroupName $rgName `
        -Location $location `
        -AddressPrefix "10.1.0.0/16"

    # Create a subnet, and add it to the new virtual network
    Add-AzVirtualNetworkSubnetConfig -Name "subnet1" `
        -AddressPrefix "10.1.1.0/24" `
        -VirtualNetwork $vnet1

    # Write the updated in-memory configuration back to Azure
    Set-AzVirtualNetwork -VirtualNetwork $vnet1
Virtual Network Routing and Connectivity
An important part of working with virtual networks (VNets) is understanding and managing the pathways between networks. In this lesson, we'll discuss:
- Default routes
- Custom routes (user-defined routes)
- Important considerations
Virtual machines (VMs) are much more than just a replacement for traditional on-premises computing. They can be used in high-performance compute, scalable modern solutions, and much more. Within this lesson, we'll get started with VM fundamentals, and will create a VM within the Azure portal. We'll discuss:
- Purpose of a virtual machine
- Key properties and components
- Creation of a virtual machine
Virtual Machine Sizes
In this lesson, we'll discuss:
- Purpose of virtual machine sizes
- Less obvious considerations (such as NIC/storage performance)
- Virtual machine size families
Virtual Machine Storage
In this lesson, we'll discuss the different types of storage available to use with virtual machines. This lesson will cover:
- Operating System (OS) disks
- Temporary disks
- Data disks
- Ephemeral OS disks
We'll wrap things up by using Azure CLI to create and attach a disk for a virtual machine.
Azure CLI Script

    # Add a data disk to an existing VM using Azure CLI
    rgName="vm1-rg"
    vmName="vm1"
    diskName="vm1-data1-disk"

    # Create a new disk
    az disk create --name "vm1-data1-disk" --resource-group $rgName --location "Australia Southeast" --size-gb 10

    # Add disk to existing VM
    az vm disk attach --vm-name $vmName --name $diskName --resource-group $rgName
Virtual Machine Storage Performance
When implementing storage for virtual machines, it's important to understand the factors which can influence performance. In this lesson, we'll discuss:
- Disk caching
- Performance tiers
Azure Storage: Part 1
This is a two-part lesson on Azure storage, where we will gain an understanding of Storage Accounts, and the core Azure storage services. Within this first part, we'll discuss:
- Azure storage services (Files, Tables, Queues, Blobs)
- The hierarchy of Azure storage services
- Properties of a storage account
Azure Storage: Part 2
In this final part of our two-part lesson on Azure storage, we will discuss:
- How to create a storage account with PowerShell
- Storage account properties
PowerShell Script

    # Create an Azure Storage Account using PowerShell
    $rgName = "store1-rg"
    $storeName = "jlabstore01"
    $location = "Australia Southeast"

    # Create a resource group
    New-AzResourceGroup -Name $rgName -Location $location

    # Create a new Storage Account
    New-AzStorageAccount -Name $storeName `
        -ResourceGroupName $rgName `
        -Location $location `
        -Kind StorageV2 `
        -SkuName Standard_GRS `
        -AccessTier Hot
Storage Account Connectivity
Storage accounts are built for public accessibility by default, and so it is important to understand how that connectivity works, and how it can be changed. Within this lesson, we'll discuss:
- Public endpoints
- Storage account firewalls
- Network integration
Storage Account Security
Storage accounts can be secured at the network, management, and data layer. Within this lesson, we will focus on:
- Storage account access controls
- Using and managing access keys
- Configuring shared access signatures (SAS)
Azure Blob Storage: Part 1
Azure blob storage is an object storage solution built for scale. Within part 1 of this lesson, we'll discuss:
- The purpose of blob storage
- Blob storage architecture
- Blob types (block, append, page)
Azure Blob Storage: Part 2
In this second part of our two-part lesson on blob storage, we take a hands-on look at several important considerations, including:
- Folder hierarchy
- Container access levels
- Static websites
- Custom domains
- Access tier
Azure Files is a file-level sharing solution, fully managed by Microsoft. Within this lesson, we'll discuss:
- The purpose of Azure Files
- Azure Files hierarchy
- Azure Files connectivity (SMB and REST)
Virtual Network (VNet) Peering is a purpose-built service that supports connectivity between VNets. In this lesson, we'll discuss:
- How VNet Peering works
- Benefits and limitations of VNet Peering
- How to configure VNet Peering
When working with virtual network connectivity, it's important to understand that there are different methods for establishing interconnectivity, as well as more advanced configuration. Within this lesson, we will discuss:
- VNet Peering vs. VPN Gateways
- Advanced VNet Peering configuration:
  - Allow forwarded traffic
  - Allow gateway transit
  - Use remote gateway
Service Endpoints help provide secure connectivity between resources within a virtual network and Azure platform services. Within this lesson, we will discuss:
- Service endpoint connectivity
- Key considerations and limitations
- Service endpoint configuration using Azure CLI
Azure CLI Script

    # Configure service endpoints using Azure CLI
    rgName="vnet1-rg"
    vnetName="vnet1"
    subnetName="subnet1"

    # List services that support service endpoints
    az network vnet list-endpoint-services -o table --location "Australia Southeast"

    # Add a service endpoint for Microsoft.Storage
    az network vnet subnet update --name $subnetName --vnet-name $vnetName --resource-group $rgName --service-endpoints "Microsoft.Storage"

Private Link is a service which helps to provide secure connectivity between resources in a virtual network, and others on the Microsoft platform. In this lesson we'll discuss:
- The core features of Private Link
- Private Link architecture:
  - Private Endpoints
  - Connected Resources
  - Private Link Service
- Key features and capabilities
Virtual Machine High Availability
This lesson covers several concepts in the architecture of highly available solutions that leverage virtual machines. We'll discuss:
- Outage scenarios
- Microsoft global infrastructure
- Highly available virtual machines
Virtual Machine Availability Sets
Virtual machine Availability Sets help us to protect against outages within an Azure datacenter. Within this lesson, we'll discuss:
- How Availability Sets work
- Fault domains and update domains
- Configuration of an Availability Set with virtual machines
- Distribution of virtual machines within an Availability Set
Virtual Machine Scale Sets: Part 1
Virtual Machine Scale Sets (VMSS) provide us with the ability to automatically scale out a solution based on demand. Within this first lesson of this two-part series, we will discuss:
- Functionality of VMSS
- Key configuration items
Virtual Machine Scale Sets: Part 2
In this second part of our two-part series on VMSS, we will focus on the configuration of VMSS within the portal. We'll cover off:
- Configuration
- Autoscale profiles
- Autoscale scale-in policy
Virtual Machine Dedicated Hosts
Virtual machine (VM) dedicated hosts are a feature within Azure that enables greater control and isolation for virtual machines you deploy. Within this lesson, we'll discuss:
- VM dedicated host features and benefits
- Dedicated hosts, and host groups
- Configuration of dedicated hosts within the Azure Portal
Azure Disk Encryption
Azure Disk Encryption (ADE) provides boot and data volume-level encryption that helps protect your data from theft. In this lesson we will discuss:
- Benefits and features of ADE
- Architecture and key services
- Configuration of ADE and Key Vault using PowerShell

    # Configure Azure Disk Encryption using PowerShell
    $rgName = "vmencrypt1-rg"
    $kvName = "jlabkeyvault01"
    $location = "Australia Southeast"

    # Create and configure a Key Vault
    $keyVault = New-AzKeyVault -Name $kvName `
        -ResourceGroupName $rgName `
        -Location $location `
        -EnabledForDiskEncryption

    # Enable Azure Disk Encryption
    Set-AzVMDiskEncryptionExtension -VMName "vm01" `
        -ResourceGroupName $rgName `
        -DiskEncryptionKeyVaultUrl $keyVault.VaultUri `
        -DiskEncryptionKeyVaultId $keyVault.ResourceId
Storage Account Replication
This lesson builds upon previous discussions by taking a more detailed look at storage account replication. We'll cover important details such as:
- Replication considerations (synchronous/asynchronous and read-access)
- Failure scenarios for storage
- Storage account failover
We'll also perform a manual storage account failover within the Azure Portal.
Azure AD Authentication for Storage Accounts
Using Azure AD authentication for storage, we're able to provide better security for our solutions. Within this lesson we'll discuss:
- How Azure AD authentication is used
- Registration of applications within Azure AD
- OAuth 2.0 token exchange
- User Delegation SAS
Azure Resource Manager (ARM) Templates
Working with ARM Templates
In this lesson, we're going to discuss how to use ARM Templates. We'll cover topics such as:
- Deploying with Azure CLI
- Deployment modes
- ARM Templates and Parameters files
- Managing deployments
- Exporting templates
- Template management within the Azure Portal
Azure CLI Commands

    # Standalone deployment
    az deployment group create --name "deployvm" --resource-group "prod-vm1-rg" --template-file "vmdeploy.json"

    # With parameters file
    az deployment group create --name "deployvm" --resource-group "dev-vm1-rg" --template-file "vmdeploy.json" --parameters "@devparams.json"
Managed VM Images
Creating your own custom virtual machine image can be a powerful tool in various solutions you build, whether for simple standardization and governance or advanced autoscaling solutions. Within this lesson we'll discuss:
- The purpose of managed virtual machine images
- How to create a custom image
- Configuring a custom Windows image within the Azure Portal
Azure Automation Runbooks
Part of the powerful Azure Automation service, Automation Runbooks provide the ability to automate scripts and workflows. Within this lesson we'll discuss:
- Process orchestration and automation with Runbooks
- Key components of the Azure Automation service
- Configuration of a sample workbook within the Azure Portal
Azure Active Directory Services
Azure AD Self-Service Password Reset
Azure AD Self-Service Password Reset (SSPR) is a powerful tool to help improve identity security and minimize administrative overheads of user password management. In this lesson we'll discuss:
- The purpose of Azure AD SSPR
- Key configuration requirements
- Configuration within the Azure Portal
- Considerations for hybrid environments
Azure Multi-Factor Authentication
Azure has advertised that multi-factor authentication (MFA) can prevent 99.9 percent of attacks on accounts. So it is safe to consider this an important service. In this lesson we'll discuss:
- How Azure MFA works
- Configuration of Azure MFA, including:
  - Enabling MFA
  - Enrollment for end-users
  - Verification methods
  - Trusted IPs
  - Fraud alerts
  - Bypass options
Helpful Links:
- Features and Licenses for Azure MFA
Azure AD Identity Protection
There can be many threats against the security of identities we manage, including leaked credentials, remote hackers, etc. Within this lesson, we'll discuss how Azure AD Identity Protection is a great tool to protect against these various threats. We will cover:
- Azure AD Identity Protection overview
- Licensing requirements
- Protected risk events
- Sign-in risk policies
- User risk policies
We'll take a look at the configuration of risk policies within the Azure Portal.
Azure AD Conditional Access
When architecting solutions that protect identity security, we know that there is always a balance to strike. To help get the balance right, we can use Azure AD Conditional Access. This provides us the ability to configure different security policies for different scenarios. Within this lesson, we'll discuss:
- What Azure AD Conditional Access is used for
- The key components, including signals, decisions, and enforcement
- Configuration of a Conditional Access Policy
Hybrid Identities with Azure AD Connect
In this lesson, we will discuss Azure AD Connect and the three core authentication methods:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Active Directory Federation Services (AD FS)
Helpful links:
- Microsoft: Choose the right authentication method
Implementing Azure AD Connect
As we discussed in the previous lesson, Azure AD Connect is a Microsoft solution that allows us to configure hybrid identities.
In this lesson, we'll walk through a demonstration installation of Azure AD Connect using password hash sync (PHS).
In this lesson, we will cover:
- Requirements for using Azure AD Connect
- Configuring Azure AD Connect with PHS
- How staging mode is configured
Important tools and tips:
- Failing to use a routable domain for the user principal name (UPN) can result in login issues.
- Synchronization Service Manager allows management of the connectors and synchronization profiles.
- Synchronization can be triggered using:
  - PolicyType Initial option is for the initial sync
  - PolicyType Delta is for differential sync
In staging mode, synchronization will run (either automatically or if you use the command) but will not do an actual export to Azure AD.
Monitoring in Azure: Part 1
As solution architects, we need to understand that monitoring within Azure is possible through a variety of services. Within this lesson, we'll discuss:
- Azure Monitor capabilities
- Monitoring data (metrics and logs)
- Using monitoring data
- Diagnostic settings
- Differences in monitoring different sources
This is a two-part lesson. In the second part, we'll focus more on configuration and features within the Azure Portal.
Helpful Links:
- Sources of monitoring data in Azure Monitor
- Overview of the Azure Monitor agents
Monitoring in Azure: Part 2
In this final lesson of our two-part series on monitoring in Azure, we'll cover:
- Metrics explorer within Azure Monitor
- Diagnostic settings
  - Archiving to storage
  - Routing to Log Analytics
  - Streaming to event hubs
- Configuring monitoring for virtual machines
  - Diagnostic settings
  - Log Analytics agent
Activity Log is a platform log that provides us with the ability to review different operations and activities occurring across our subscription. Azure AD audit logs are also platform logs; however, these are focused on AD tenant operations, such as service principal events and sign-ins. Within this lesson, we'll discuss:
- Activity Log
- Azure AD audit logs
- Diagnostic settings
Alerts and Action Groups
Azure Monitor provides a very versatile set of monitoring and alerting capabilities. Within this lesson, we will learn about:
- Action groups
- Alert management
We'll walk through a demonstration alert rule that triggers an automation runbook.
Monitoring Service Health
Microsoft provides a range of detailed information to help you monitor and plan for Azure service issues. Within this lesson, we'll discuss:
- Azure status
- Azure service health
- Azure resource health
- Planned maintenance
- Alerts and monitoring
Log Analytics Workspace
As a core part of the Azure Monitor solution, Log Analytics (also known as Azure Monitor Logs) provides a way to centralize log information from various sources to help provide deep diagnostics. Within this lesson, we will discuss:
- The key capabilities of Log Analytics
- How to create a Log Analytics Workspace
- How to connect data sources
- Log Analytics workbooks and queries
- Log Analytics query alerts
Helpful Links:
- Sources of data in Azure Monitor
- Overview of Azure Monitor agents
Expanding upon previous lessons, we're now going to take a look at monitoring solutions. These are pre-packaged solutions that include service-specific monitoring and diagnostics information. Within this lesson, we'll discuss:
- Azure Monitor for virtual machines
- Azure Monitor for networks
- Azure Monitor for containers
- Application Insights
We'll also take a look within the portal at several of these, plus the Network Watcher service for network monitoring.
When architecting monitoring solutions for infrastructure, it's important to be aware of two key security monitoring services as well. Within this lesson, we'll walk through a high-level overview of the key features and implementation requirements for:
- Azure Security Center
- Azure Sentinel
Helpful Links:
- AZ-500: Microsoft Azure Security Technologies
Azure AD Connect Health
With hybrid identities often a critical service within many enterprises, it's important we understand how to monitor Azure AD Connect. Within this lesson, we'll discuss:
- Licensing requirements
- Synchronization monitoring
- AD FS monitoring
- AD DS monitoring
Helpful Links:
- Monitoring AD FS with Azure AD Connect Health
- Monitoring AD DS with Azure AD Connect Health
The Next Course
Congratulations! Please pat yourself on the back, and have some celebratory cake (or your treat of choice). You've earned it.
What's Next?
If you're looking to take the remaining AZ-303 learning path courses, you can find them below:
- Implement Management and Security Solutions in Azure (coming soon)
- Implement Solutions for Apps in Azure (coming soon)
- Implement and Manage Data Platforms in Azure (coming soon)
- Preparing for the AZ-303 Microsoft Azure Architect Technologies Exam (coming soon)
Some other courses you may find helpful:
- Azure CLI Essentials
- Azure PowerShell Essentials