Azure

External links

docs.microsoft.com/en-us/learn/
docs.microsoft.com/en-us/azure/
docs.microsoft.com/en-us/azure/architecture/
azure.microsoft.com/en-us/solutions/architecture/
azureinteractives.azurewebsites.net/Azure101Cards
Migrating VMs from ASM to ARM
More info on preparation
azureinteractives.azurewebsites.net/CloudDesignPatterns/default.html
MS Channel 9 … video portal by Microsoft developers
Microsoft Virtual Academy
Price calculator between datacenters
Subscription limits and quotas in ARM Azure
CCO Dashboard … Power BI dashboard with an overview of resources across subscriptions
https://feedback.azure.com/ … User Voice - place to submit new ideas for Azure and vote on them
https://play.google.com/store/apps/details?id=com.microsoft.azure … Android app for monitoring Azure events
https://status.azure.com/en-us/status/history/ … history of Azure status, issues and outages
https://www.azurenotes.tech/ … Azure news
https://azurecharts.com/ … Azure Heat Map - analysis of the most frequently changing Azure features

https://github.com/Azure-Samples/aci-helloworld … PHP hello world application for App Service; the repository contains many demo code samples
https://github.com/MicrosoftLearning … Microsoft Learning exercises
https://github.com/godeploy/ … Exercises for godeploy

Additional tools

azcopy … tool for copying to/from Azure Blob, File and Table storage

Internal links

Components, agents

Web tools

Tools for the local computer

SSMS … SQL Server Management Studio - graphical browsing of MSSQL and Azure databases
Microsoft Azure Storage Explorer … graphical browsing of storage accounts, tables, files etc.
Portal … local application with the Azure Portal

Functionality

PIM - temporary assignment of elevated rights to a user
Update management including pre/post scripts for updating Windows/Linux OS

PowerShell Az

Install-Module Az … installs the Az module (Win, Lin, …); runs on all platforms
Login-AzAccount … connect to Azure
Get-AzSubscription … list subscriptions
Set-AzContext $(Get-AzSubscription -SubscriptionName AAA) … select a subscription
Enable-AzureRmAlias [-Module <string[]>] [-Scope Process | CurrentUser | LocalMachine] … enables AzureRm-to-Az compatibility through aliases (old AzureRm cmdlet names map to Az)
Disable-AzureRmAlias [-Module <string[]>] [-Scope Process | CurrentUser | LocalMachine] … disables the aliases

PowerShell AzureRm

Login-AzureRmAccount … connect to Azure
Add-AzureRmAccount
Get-AzureRmSubscription … list subscriptions
Set-AzureRmContext $(Get-AzureRmSubscription -SubscriptionName AAA) … select a subscription
Select-AzureRmSubscription -SubscriptionId "yoursubscriptionid" … select a subscription by ID

Resources and resource groups

Get-AzResourceGroup … list all resource groups
Get-AzResourceGroup | Export-AzResourceGroup -IncludeParameterDefaultValue … saves the resource groups as JSON templates
Get-AzResource -ResourceGroupName ExampleGroup -ResourceType Microsoft.ClassicCompute/virtualMachines … lists classic (ASM) VMs in resource group ExampleGroup

Virtual machines - Virtual Machine

Get-AzVm -ResourceGroupName RGtlipensky -Name VMtlipensky … information about a VM
Get-AzVMDiagnosticsExtension -ResourceGroupName RGtlipensky -VMName VMtlipensky … shows the diagnostics extension (script for enabling extended metrics)
Get-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $rgName … list public IP addresses
Invoke-AzVMRunCommand -ResourceGroupName RG -VMName VM -CommandId 'RunPowerShellScript' -ScriptPath 'C:\a.ps1' … runs a script on the server (through the Azure agent)
Set-AzVMCustomScriptExtension -ResourceGroupName az104-08-rg01 -VMName az104-08-vm0 -Location EastUS -ExtensionName "IIS" -FileUri 'https://raw.githubusercontent.com/godeploy/AZ104/master/Module08/az104-08-install_IIS.ps1' -Run 'az104-08-install_IIS.ps1' … adds the custom script extension and runs the given script through it

Audit - Activity log

Get-AzLog -StartTime 2018-10-10T10:30 | Where-Object { $_.HttpRequest.Method -eq "DELETE" } | Select-Object Caller,EventTimestamp,Authorization … list DELETE actions
Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Sql/servers/*'} … list the last week's operations on MSSQL servers
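The two Get-AzLog queries above generalize into a small review script. The following is an added example, not part of the original page: it pulls the last N days of the activity log, keeps deletions plus a short list of sensitive write operations (the list is this example's own choice), prints one row per event and a per-caller summary, and exports the rows as evidence. It assumes an existing Az session with Reader rights on the subscription.

```powershell
# Added example: activity-log review for high-impact operations.
param(
    [int]$Days = 7
)

$start = (Get-Date).AddDays(-$Days)

# Operations a reviewer usually wants to see first: role assignment changes and
# NSG rule writes. Assumed list; extend it with whatever matters in your tenant.
$watched = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleAssignments/delete',
    'Microsoft.Network/networkSecurityGroups/securityRules/write'
)

# -MaxRecord raises the default 1000-event cap; a busy subscription needs it.
$events = Get-AzLog -StartTime $start -MaxRecord 10000 |
    Where-Object {
        $_.HttpRequest.Method -eq 'DELETE' -or
        $watched -contains $_.Authorization.Action
    }

# One row per event, keeping only the fields useful for the audit trail.
$rows = $events | Select-Object `
    @{ n = 'Time';      e = { $_.EventTimestamp } },
    @{ n = 'Caller';    e = { $_.Caller } },
    @{ n = 'Operation'; e = { $_.OperationName } },
    @{ n = 'Action';    e = { $_.Authorization.Action } },
    @{ n = 'Scope';     e = { $_.Authorization.Scope } },
    @{ n = 'Status';    e = { $_.Status } }

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Which identities performed the most sensitive operations in the window.
$rows | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep a copy for the ticket or evidence folder.
$rows | Export-Csv -NoTypeInformation -Path ".\activity-audit-$(Get-Date -Format yyyyMMdd).csv"
```

Run it as `.\activity-audit.ps1 -Days 30` to widen the window; the activity log itself is retained for 90 days, so anything older must come from a diagnostic setting that forwards it to a Log Analytics workspace or storage account.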

Databases

Get-AzResource -ResourceType 'Microsoft.Sql/servers' … list SQL servers
(Get-AzResource).ResourceType | Sort-Object -Unique … list all resource types present in the subscription

Automation

Find-WhoAmI.ps1 … finds out which Automation account ran the runbook, and which runbook

Automation of Azure resources, scheduling. Creating a new connection to another account is described in the blog.

Get-AzAutomationAccount … list Automation accounts
Get-AzureRmAutomationConnection … list Automation connections (to another account in the subscription)
Get-AzureRmAutomationCertificate … list Automation certificates
Get-AzureAutomationCredential … managed credentials of the Automation account
Get-AzureRmAutomationVariable … list variables of the Automation account
Get-AzAutomationRunbook RG AutomationAccount … list runbooks
Get-AzAutomationSchedule RG AutomationAccount … list schedules
Get-AzAutomationJob RG AutomationAccount -StartTime ((Get-Date).AddHours(-1)) … jobs from the last hour
New-AzureRmAutomationCertificate … create a new certificate
Connect-AzAccount -ServicePrincipal -Credential $pscredential -TenantId $tenantid … connects as a Service Principal (the credential's user name is the application ID)
Register-AzAutomationScheduledRunbook -ResourceGroupName RG -AutomationAccountName AutomAccount -RunbookName cisteni_db -ScheduleName kazdou_hodinu … sets a schedule for a runbook in the Automation account
Unregister-AzAutomationScheduledRunbook -ResourceGroupName RG -AutomationAccountName AutomAccount -JobScheduleId 123143 … removes the schedule for a runbook
Get-AzAutomationScheduledRunbook -ResourceGroupName RG -AutomationAccountName AutomAccount … list runbook schedules (more on scheduling)
Get-AzAutomationJob … list jobs (runbook executions)

Certificates

Generate the root certificate:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Generate the client certificate (signed by the root certificate kept in $cert):
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Roles

Get-AzRoleDefinition | FT Name, Description … list roles
Get-AzRoleAssignment -ResourceGroupName pharma1 … list role assignments in resource group pharma1
Get-AzRoleAssignment -SignInName tomas@example.com … list roles assigned to a person
Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq "/"} … list global (root-scope) roles
New-AzRoleAssignment -SignInName tomas@a.b -RoleDefinitionName "Reader" -ResourceGroupName RG … assigns the Reader role to the user on resource group RG
Remove-AzRoleAssignment -SignInName tomas@aaa.bbb -RoleDefinitionName "User Access Administrator" -Scope "/" … removes a global role

Azure Active Directory

Get-AzADApplication … list AAD applications
Get-AzADServicePrincipal -SearchString "aad" … list AAD Service Principals with the substring "aad" in the name
Get-AzureADServicePrincipal -All $true … list all SPs
Get-AzADGroup -SearchString admins … list groups with the substring "admins"
Get-AzADUser -SearchString Tomas … list users with the substring Tomas in the name or ID
Get-AzADGroupMember -GroupObjectId 792dac6f-12bc-4f40-a9e0-ea58e795d0324 … list group members
New-AzRoleAssignment -ObjectId 7777 -RoleDefinitionName "Reader" -Scope /subscriptions/00000 … gives the application or group with object ID 7777 the Reader role on subscription 00000
New-AzRoleAssignment -SignInName tomas@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma1 -ResourceName TomasVM -ResourceType Microsoft.Compute/virtualMachines … grants the user rights on a single VM (-ResourceName requires -ResourceType)
Remove-AzRoleAssignment -SignInName tomas@example.com -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName pharma1 … removes the role

Setting up a new application and Service Principal account

Add-Type -Assembly System.Web … loads the assembly used to generate a password
$password = [System.Web.Security.Membership]::GeneratePassword(16,3) … generates a password
$securePassword = ConvertTo-SecureString -Force -AsPlainText -String $password … creates a secure string
$ap = New-AzADApplication -DisplayName "AAD:perf-monitoring-stgasia" -IdentifierUris "http://localhost/AADperf-minitoring-stgasia" -Password $securePassword … creates a new application
$sp = New-AzADServicePrincipal -ApplicationId $ap.ApplicationId -Password $securePassword … creates a new Service Principal (SP)
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -ResourceGroupName RG … assigns a role on the resource group to the SP
$s = Get-AzSubscription -SubscriptionId a-b-c-d … gets the tenant ID from the subscription
$mycreds = New-Object System.Management.Automation.PSCredential ($ap.ApplicationId, $securePassword) … creates a credential variable
Connect-AzAccount -ServicePrincipal -Credential $mycreds -TenantId $s.TenantId … connects as the service principal

Setting up a new role and permissions

Setting up a new role

$role = Get-AzRoleDefinition "Virtual Machine Operator"
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
Set-AzRoleDefinition -Role $role

$svcprincipal.AppRoles | FT ID, DisplayName … shows application permissions
$svcprincipal.Oauth2Permissions | FT ID, UserConsentDisplayName … shows delegated permissions
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess" … object representing access to Microsoft Graph
nice article on setting up permissions
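The three lines above extend an existing role in place. As an added example (not from the original page), here is the full life cycle of a least-privilege custom role: build the definition, restrict where it may be assigned, create or update it idempotently, then assign it at resource-group scope and verify. The role name, its action list and the operator account are this example's own choices; the subscription ID is a placeholder.

```powershell
# Added example: least-privilege custom role for VM operators.
$subscriptionId = '<SUBSCRIPTION-ID>'   # placeholder
$roleName = 'VM Operator (Custom)'

# Start from a built-in role so the object has every property the API expects,
# then replace its content. Reading a built-in role needs only Reader rights.
$role = Get-AzRoleDefinition 'Virtual Machine Contributor'
$role.Id = $null
$role.IsCustom = $true
$role.Name = $roleName
$role.Description = 'Start, restart and read diagnostics of VMs; no create, delete or reconfigure.'

# Only the operations the operators actually need; no wildcards.
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$role.Actions.Add('Microsoft.Insights/diagnosticSettings/read')
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()

# AssignableScopes limits where the role can be assigned at all.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$existing = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-AzRoleDefinition -Role $role | Out-Null
} else {
    # Updating keeps the existing role Id; reuse it so the assignments survive.
    $role.Id = $existing.Id
    Set-AzRoleDefinition -Role $role | Out-Null
}

# Assign at resource-group scope rather than subscription scope, then verify.
New-AzRoleAssignment -SignInName 'operator@example.com' -RoleDefinitionName $roleName -ResourceGroupName 'RG' | Out-Null
Get-AzRoleAssignment -ResourceGroupName 'RG' -RoleDefinitionName $roleName |
    Select-Object DisplayName, SignInName, Scope | Format-Table -AutoSize
```

Creating or changing role definitions needs Microsoft.Authorization/roleDefinitions/write (Owner or User Access Administrator) on every scope listed in AssignableScopes; the assignment afterwards shows up in the activity log as Microsoft.Authorization/roleAssignments/write, which is one of the operations worth watching in the audit section above.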

Storage account

$storageAccount = Get-AzStorageAccount -ResourceGroupName RG -Name SA … finds the storage account
Install-Module AzStorageTable … installs the module for Storage tables
Install-Module AzStorageTable.TravisEz13 … the same for Az; the other modules don't work
$storageTable = Get-AzureStorageTable -Name TABULKA -Context $storageAccount.Context … selects the table
Get-AzureStorageTableRowAll -table $storageTable … all rows of the table
Get-AzureStorageTableRowByColumnName -table $storageTable -columnName "jmeno" -value "Tomas" -operator Equal … rows where column "jmeno" has the value "Tomas"
Get-AzureStorageTableRowByCustomFilter -table $storageTable -customFilter "(roky eq 1)" … rows where column "roky" has the value 1
$ctx = New-AzureStorageContext -StorageAccountName STORAGEACCOUNT -StorageAccountKey 'KEY'
Set-AzureStorageBlobContent -Container BLOBKONTEJNER -Context $ctx -Blob CESTA_V_BLOBU -File SOUBOR … uploads a file to Blob storage

Metrics, VM statistics, logs and alerts

Get-AzActionGroup … list action groups
Get-AzActivityLogAlert … list activity log alert resources
Get-AzAlertHistory … alert history
Get-AzAlertRule … list alert rules
Get-AzAutoscaleHistory … autoscale history
Get-AzAutoscaleSetting … autoscale settings
Get-AzDiagnosticSetting … gets the log categories and their retention
Get-AzLog … show logs
Get-AzLogProfile … log profiles
Get-AzMetricDefinition -ResourceId (Get-AzVm RG VM).Id … list metrics for the given resource
Get-AzMetric -ResourceId (Get-AzVM RG VM).Id -DetailedOutput -StartTime (Get-Date).AddMinutes(-5) -MetricName "Network In" | Select-Object -Expand Data … shows the Network In metric for the last 5 minutes
Get-AzDiagnosticSetting … shows the diagnostics settings (boot diagnostics, logs …)
Set-AzDiagnosticSetting -ResourceId x/y/z … sets the diagnostics settings (boot diagnostics, …) for the x/y/z VM
$actionEmail = New-AzAlertRuleEmail -CustomEmail me@contoso.com … creates a new e-mail action for alert rules
Add-AzLogAlertRule -Name StartAlert -Location 'East Asia' -ResourceGroup myRG -OperationName Microsoft.Compute/virtualMachines/start/action -TargetResourceGroup myRG -Actions $actionEmail … sets an alert on VM start
Add-AzMetricAlertRule -Name "Cpu_pres_90" -Location westus -ResourceGroup RG -Description "CPU > 90" -SendToServiceOwners -RuleType Metric -Operator GreaterThan -Threshold 90 -WindowSize 00:05:00 -ResourceId '/sub/a/resGr/RG/prov/aaa/VM' -MetricName '\Processor(_Total)\% Processor Time' -TimeAggregationOperator Average … creates an alert for CPU above 90%

Tags

Get-AzVm | Where-Object { $_.Tags['tagkey'] -eq 'aaa' } … filter VMs by tag
Get-AzTag … list tag names and the number of resources using each
$VM = Get-AzVm -Name Server -ResourceGroupName RG
$VM.Tags.Add("jmeno", "hodnota")
$VM.Tags['jmeno'] = "jina hodnota"
Set-AzResource -Tag $VM.Tags -ResourceId $VM.Id -Force … save
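Tags are only useful for ownership and incident triage when every resource carries them. As an added example (not part of the original page), the script below walks all resources in the current subscription, reports those missing any of a required tag set, and optionally merges a placeholder value so the gap shows up in reports instead of silently staying empty. The required-tag list and the placeholder value are this example's own choices; Update-AzTag with -Operation Merge is used instead of Set-AzResource so existing tags are never overwritten.

```powershell
# Added example: report and remediate resources that lack required tags.
$requiredTags = @('owner', 'environment', 'dataclass')   # assumed policy

$missing = foreach ($r in Get-AzResource) {
    # Tags come back as a hashtable, or $null when a resource has none.
    $tags = $r.Tags
    if ($null -eq $tags) { $tags = @{} }
    $absent = $requiredTags | Where-Object { -not $tags.ContainsKey($_) }
    if ($absent) {
        [pscustomobject]@{
            Name          = $r.Name
            ResourceGroup = $r.ResourceGroupName
            Type          = $r.ResourceType
            Missing       = ($absent -join ',')
            Id            = $r.ResourceId
        }
    }
}

"$($missing.Count) resource(s) missing required tags"
$missing | Format-Table Name, ResourceGroup, Type, Missing -AutoSize

# Optional remediation: add placeholder values for the missing keys only.
# -Operation Merge keeps every tag already present on the resource.
foreach ($m in $missing) {
    $patch = @{}
    foreach ($k in ($m.Missing -split ',')) { $patch[$k] = 'UNSET-review' }
    Update-AzTag -ResourceId $m.Id -Tag $patch -Operation Merge | Out-Null
}
```

The remediation loop needs Microsoft.Resources/tags/write on each resource; run the report part alone first, since some resource types (classic resources, for instance) do not accept tags at all and will error on the update.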

Log Analytics workspace

Get-AzOperationalInsightsSavedSearch … lists/shows information about saved searches (log queries)
Set-AzOperationalInsightsSavedSearch … creates/updates saved queries - does not support the new Kusto queries; Kusto query support is in API version 2017-03-10-preview

Web services - App Service

scripts by Octavie van Haaften for working with web services
azverify.subdomena.domena.naddomena (i.e. azverify.<subdomain>.<domain>.<tld>) … DNS record that allows creating a custom domain for App Service without an outage

CDN services

cdnverify.subdomena.domena.naddomena (i.e. cdnverify.<subdomain>.<domain>.<tld>) … DNS record that allows creating a custom domain for a CDN endpoint

Managed Identity

Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Headers @{Metadata="true"} … obtains a token for the system-assigned identity
$content = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=aaaabbbb-cccc-dddd-eeee-111122223333&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Headers @{Metadata="true"} … obtains a token for a different identity - a user-assigned identity
$access_token = $content.access_token … extracts the bearer token
Invoke-WebRequest -Uri 'https://management.azure.com/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Compute/virtualMachines/<VM-NAME>?api-version=2017-12-01' -Method GET -ContentType "application/json" -Headers @{ Authorization = "Bearer $access_token" } … uses the bearer token

response=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s)
access_token=$(echo $response | python -c 'import sys, json; print(json.load(sys.stdin)["access_token"])') … curl example
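The one-liners above work, but a script that runs unattended should also bound the IMDS call with a timeout, retry transient failures, reuse the token until shortly before it expires (IMDS returns expires_on as Unix seconds), and keep the token out of transcripts. The function below is an added example, not from the original page; its name, the cache variable and the refresh margin are this example's own. It assumes it runs on an Azure VM with a managed identity.

```powershell
# Added example: managed-identity token retrieval with timeout, retry and reuse.
$script:ImdsTokenCache = @{}

function Get-ImdsToken {
    param(
        [string]$Resource = 'https://management.azure.com/',
        [string]$ClientId,               # set only for a user-assigned identity
        [int]$RefreshMarginSeconds = 300  # assumed margin before expiry
    )
    $cacheKey = "$Resource|$ClientId"
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $cached = $script:ImdsTokenCache[$cacheKey]
    if ($cached -and (([int64]$cached.expires_on - $now) -gt $RefreshMarginSeconds)) {
        return $cached.access_token
    }

    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           '&resource=' + [uri]::EscapeDataString($Resource)
    if ($ClientId) { $uri += '&client_id=' + $ClientId }

    $attempt = 0
    while ($true) {
        try {
            # The Metadata header is mandatory: IMDS rejects requests without it,
            # which is what stops header-less SSRF-style requests from reaching it.
            $resp = Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -TimeoutSec 5
            break
        } catch {
            $attempt++
            if ($attempt -ge 3) {
                throw "IMDS token request failed after $attempt attempts: $($_.Exception.Message)"
            }
            Start-Sleep -Seconds (2 * $attempt)
        }
    }
    $script:ImdsTokenCache[$cacheKey] = $resp
    return $resp.access_token
}

# Use the token without echoing it: only the response body is printed.
$token = Get-ImdsToken
$hdr = @{ Authorization = "Bearer $token" }
$vm = Invoke-RestMethod -Method GET -ContentType 'application/json' -Headers $hdr `
    -Uri 'https://management.azure.com/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Compute/virtualMachines/<VM-NAME>?api-version=2017-12-01'
$vm.name
```

Pass -Resource 'https://vault.azure.net' to get a Key Vault token instead; each resource gets its own cache entry. Anything that can run code on the VM can call IMDS the same way, so the identity should carry only the roles the workload needs, and its use is visible in the activity log under the identity's object ID.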

Vault

https://contoso-vault2.vault.azure.net/ … URL of the vault
$secretvalue = ConvertTo-SecureString 'hVFkk965BuUv' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'Contoso-Vault2' -Name 'ExamplePassword' -SecretValue $secretvalue
(Get-AzKeyVaultSecret -VaultName "Contoso-Vault2" -Name "ExamplePassword").SecretValueText

Roles

$scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)').Scope … finds the scope of the Support Request Contributor role assignment
Remove-AzRoleAssignment -ObjectId '[object_ID]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope … removes the role assignment
Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force … deletes the custom role definition

Scaling Sets

Virtual Network

P2S connection

apt-get install -y strongswan libcharon-extra-plugins libcharon-standard-plugins libstrongswan-standard-plugins libstrongswan-extra-plugins
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-linux