6-infrastructure.md

Design an infrastructure strategy (15-20%)

Design a storage strategy

• Choose managed storage over unmanaged storage

• Know differences between Premium and Standard storage (disks)

• Different storage access tiers: premium, hot (standard), cool, archive

• design a storage provisioning strategy

  • Go through Azure portal, create storage account and see what options are available during the account creation

  • Storage (as most resources in Azure) can be alos provisioned via ARM templates, calling directly RESTful API or using 3rd party tools like Terraform or Pulumi

• design storage access strategy

  • Plularsight - Storage tiers

  • Azure Blob storage: hot, cool, and archive access tiers

• identify storage requirements

  • Capacity

    • US & EU: 2 PB
    • UK & other: 500 TB

  • Thruput: 20k RW/s (read and writes per second)

  • Networking speed (inbound)

    • US: 20 Gbps local storage, 10 Gbps global storage
    • Other: 10 Gbps local storage, 5 Gbps global storage

  • Networking speed (outbound) V1

    • US: 30 Gbps local storage, 20 Gbps global storage
    • Other: 15 Gbps local storage, 10 Gbps global storage

  • Networking speed (outbound) V2

    • all: global and local 50 Gbps

  • Limits

    • 250 storage accounts per subscription per region

• recommend a storage solution

  • Storage account

    • Standard: Uses HDD, cheapest, charge by usage, supports cool and hot tiers
    • Premium: SSD, low latency, supports only hot tier

  • Unmanaged disks

  • Managed disks

    • High availabiliy: 99.999%
    • Disk types: Ultra SSD, Premium SSD, Standard SSD, Standard HDD

  • High Durability mechanism

    • Local Redundant Storage or Zone Redundant Storage: 3 copies of a file
    • Globally Redundant Storage: 6 copies of a file

• recommend storage management tools

  • Azure portal

  • PowerShell via Cloud Shell or installed as Powershell Module on Windows or Linux (requires PowerShell Core)

  • Use Azure CLI with bash/zsh. Use az intractive command to get autocompletion and command line help. Azure CLI can be installed on Windows (including WSL) and of course Linux

Design a compute strategy

Plularsight - Design a Compute Strategy for Microsoft Azure

• design a compute provisioning strategy

  • Automate provisioning and de-provisioning of compute resources by using Infrastructure as Code (Terraform or ARM templates)

  • VMs can also have extensions installed as well as using Azre Blueprints and init scripts to install components at startup

• design a secure compute strategy

  • There are several tools available for securing compute resources and managing access to them in Azure such as
    • RBAC to manage access and rights
    • Azure Policies
    • Tagging resources for better organization
    • Azure Blueprints
    • Resources locking

• determine appropriate compute technologies

  

  • Overview of Azure compute options

• design an Azure HPC environment

  • High Performance Computing (HPC) on Azure

• identify compute requirements

• recommend management tools for compute

  • Azure portal

  • PowerShell via Cloud Shell or installed as Powershell Module on Windows or Linux (requires PowerShell Core)

  • Use Azure CLI with bash/zsh. Use az intractive command to get autocompletion and command line help. Azure CLI can be installed on Windows (including WSL) and of course Linux

Design a networking strategy

If you have previously passed AZ-300 exam, you should be able to easily pass any networking related questions as most of the AZ-300 conntent is about VNEts and VMs. Separate repo with learning notes preparing for AZ-300 exam here

• design a network provisioning strategy

  • Go through Azure portal, create VNET, Virtual GateWay or other virtual network components and see what options are available during the creation

  • Virtual networking components (as most resources in Azure) can be alos provisioned via ARM templates, calling directly RESTful API or using 3rd party tools like Terraform or Pulumi

• design a network security strategy

  • Use Network Security Groups and create Inbound and Outbound traffic rules to govern traffic from and into your VNET

  • Use Appication Security Group to create and manage network security on an application level

  • Limit access to resources by placing them on VNEt and useing Virtual Network service endpoints to allow access only from predefined Azure services

  • Change Azure default routing rules by creating Route Table

• determine appropriate network connectivity technologies

Iterating throught options, details are in the AZ-300 repo.

• Virtual network peering

• VPN (site-to-site, point-to-site)

• Application Gateway

• ExpressRoute

• identify networking requirements

• recommend network management tools

  • Azure portal

    • Use Network Watcher to visualize VNets and connectivity between them. Network Watcher can also be used to troubleshoot networking issues

  • PowerShell via Cloud Shell or installed as Powershell Module on Windows or Linux (requires PowerShell Core)

  • Use Azure CLI with bash/zsh. Use az intractive command to get autocompletion and command line help. Azure CLI can be installed on Windows (including WSL) and of course Linux

• recommend network security solutions

  • Reuse network security groups

  • Follow Principle of least priviledge

  • Use Application Gateway with WAF

  • Follow Zero Trust Network Security Architecture Guidelines

  • Take adventage of Just-in-Time VM Access to open SSH and RDP ports only when needed

Design a monitoring strategy for infrastructure

• design for alert notifications
• design an alert and metrics strategy