Index

Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

A advanced rules for Azure AD groups, 138 authentication AAD Connect (Azure AD Connect), 112–120, Advanced Threat Analytics (ATA), 158 Azure AD, 110, 128 113, 116–118, 120–121, 131 Advanced Threat Protection (ATP), 158, 159, AD-joined machines, 136–137 abuse of cloud services, 403–404 350–352, 352 cloud, 129–130 accelerated networking, 177 agents configuration selection, 134 access panel in Azure AD, 143 backups, 309–310 hybrid, 130–134, 131–133 access reviews in Azure AD, 108 federations, 98 single sign-on, 134–136, 135–136 Access Token Lifetime property, 364 VMs, 258–260, 259 Azure Stack, 281–282 access tokens (ATs), 103, 103 Windows file server, 233 cloud, 101–103, 102–103 Account icon, 45 alerts multifactor. See multifactor authentication accountability in cost management, 91–92, action groups, 342–343, 342 (MFA) 92–93 action rules, 349, 349 Authentication Service, 110 accounts cost, 92 authorization, cloud, 101–103, 102–103 break glass, 119 creating, 344–348, 345–348 automation hijacking, 405–406 smart groups, 349–350, 350 alerts, 341 Run As, 377–378, 378 sources, 343, 344 Azure Automation, 376–380 storage targeting, 341–342 Automation Runbook action group, 92 Azure Monitor, 333, 333 altsecid attribute, 125 autonomous system (AS), 187, 187 Azure Storage, 215–216 antivirus function in VM Agent, 259 autonomous system numbers (ASNs), 187, 187 Azure Storage keys, 219–220, API apps application services, 278 availability. See high availability (HA)
219, 221 App Service Environment (ASE), availability sets acquisitions, workload migration for, 319 196, 278 high availability, 311 ACS (Azure Container Service), 275 App Service plans, 275–278, 277 managed disks, 240 action groups append blobs, 223 proximity placement groups, 262 alerts, 342–343, 342 Append effects in Azure Policy, 77 resiliency, 20–22, 21, 23, 239, 240 budgets, 92 Application Insights, 329, 339–341 availability zones (AZs) action rules for alerts, 349, 349 Application Map, 329, 340 high availability, 311 actions, custom, 370 Application Proxy, 140, 158–160, 159 managed disks, 239, 240 Active Directory (AD) Application Proxy Connectors, 159–160, 159 proximity placement groups, 262 AD-joined machines, 136–137 application security groups, 196–199, 197 resiliency, 22, 23 Azure. See Azure AD Application/Service pattern for AzCopy, 224 capabilities, 97–98 subscriptions, 54 Azure AD in cloud, 162–163 applications Application Proxy, 140, 158–160, 159 domain controller considerations, Azure AD, 140–142, 141–142 applications, 140–142, 141–142 165–167 conditional access, 151 authentication, 128 domain controller placement, 164–165 on-premises disaster recovery, 313 AD-joined machines, 136–137 Domain Services, 167–169 user experience, 142–144, 143–144 cloud, 129–130 site configuration, 163–164 archive tier for blob storage, 225 configuration selection, 134 Enterprise Admin accounts, 115 Archive to a storage account option, 154 hybrid, 130–134, 131–133 Active Directory Authentication Library ARM. See Azure Resource Manager (ARM) single sign-on, 134–136, 135–136 (ADAP), 160 AS (autonomous system), 187, 187 Azure Stack authentication, 281–282, 283 Active Directory Federation Services (AD FS), ASE (App Service Environment), 196, 278 B2B, 122–128, 123, 127–128 99, 104, 105 ASNs (autonomous system numbers), B2C security, 160–162, 161 activity logs, 328 187, 187 Cloud App Discovery, 403 AD. See Active Directory (AD)
ASR (Azure Site Recovery), 314–317 Connect Health, 119–120, 120–121 AD FS (Active Directory Federation Services), assertions in SAML, 100 Domain Services, 167–169 99, 104, 105 assessment phase in workload migration, entitlements, 138–139, 139 AD-joined machines, 136–137 321–322 fundamentals, 103–104, 105 ADAP (Active Directory Authentication ATA (Advanced Threat Analytics), 158 groups, 137–138, 138 Library), 160 ATP (Advanced Threat Protection), 158, 159, Identity Protection, 153–154 Add-AzAccount cmdlet, 362 350–352, 352 monitoring with, 327–328 Add-AzureRmAccount cmdlet, 377 ATs (access tokens), 103, 103 multifactor authentication, 145–149, admin consent in Azure AD, 142, 142 Audit effects in Azure Policy, 76 146–148 administrators, RODC rights, 167 audit logs, 154 obtaining, 109–110, 109–110 Advanced Data Security, 351 auditIfNotExists effects in Azure Policy, 76 populating, 108–110, 109–110

bindex.indd 1:58:34:PM/09/18/2019 Page 415 416 | AZURE AD CONNECT • BACKUPS

Privileged Identity Management, 156–158, Azure Functions role-based access control, 64 157 alerts, 343 templates. See JSON (JavaScript Object provisioning to, 121–122, 122 automating with, 376–377 Notation) replicating to, 111–119, 113–114, 116–118 cost management, 92 Azure Security Center (ASC), 79, 351, SKUs, 106–108 description, 279 353–355, 354 user experience, 142–144, 143–144 overview, 380–383, 381–382 Azure Sentinel, 155, 355–357, 356 user roles, 144 Azure Hybrid Benefit, 39–40, 39 Azure Service Manager (ASM) Azure AD Connect (AAD Connect), 112–120, Azure Identity Converter, 112 vs. ARM, 40 113, 116–118, 120–121, 131 Azure Import/Export, 242 replacement, 26 Azure AD Connect Health, 119–120, 120–121 Azure Key Vault, 357–358, 358, 378 Azure Site Recovery (ASR), 314–317 Azure AD Global Admin accounts, 115 Azure Kubernetes Service (AKS), 275 Azure SQL ATP, 351, 352 Azure AD Privileged Identity Management - Azure Load Balancer, 203–204 Azure SQL Database, 243–245 Azure Resources, 68 AZURE_LOADBALANCER tag, 198 Azure Stack Azure Advisor, 94 Azure Migrate, 321–322 Azure Stack HCI, 296, 296 Azure Application Gateway Azure Monitor interacting with, 288–290 high availability, 311 alerts, 344 marketplace syndication, 290–292, 291 overview, 204–206, 205 cost management, 92 offers, 292–294 Azure Application Services Event Hub, 333 overview, 281–284, 283 App Service plans, 275–278, 277 fundamentals, 329–331, 330–332 plans, 292–294 environments, 278 Log Analytics, 333–334 privileged endpoint and support session functions, 279 storage accounts, 333, 333 tokens, 295 Logic Apps, 279 Azure Monitor Logs, 329 purchasing, 285–287 serverless, 278–279 alerts, 347–348 services, 284–285 Azure Automation, 376–380 Application Insights, 339–341 subscriptions, 292–294 Azure Backup, 232, 307–310, 308 Azure Network Watcher, 338–339 updating, 294, 295 Azure Backup Server (ABS), 310 description, 334 uses, 287–288 Azure Bastion host, 393–394, 395 monitoring solutions, 337, 338 Azure Stack Development Kit (ASDK), Azure blog, 413 workspaces 287, 289 Azure Blueprints, 76, 76 data, 334–335, 335 Azure Stack HCI, 296, 296 Azure Cloud Shell querying, 336–337, 336 Azure Storage ATP, 351 Azure portal, 44 Azure NetApp Files, 228 Azure Storage Explorer, 223 for management, 393, 393 Azure Network Watcher, 338–339 Azure Storage services, 213 working with, 371–376, 372–373 Azure Networking blog, 413 architecture, 213–215 Azure Compute Units (ACUs), 257 Azure overview Azure Files, 227–234, 231–234 Azure Container Instances (ACI), 274 access, 30 Azure Queues, 227 Azure Container Service (ACS), 275 enterprise enrollments, 33–37, 34, 36 Azure Tables, 226, 227 Azure Cosmos DB, 24, 246–247, 247, free trials and Pay-as-You-Go, 31 blob storage, 221–226 304, 305 Visual Studio subscriptions, 31–33 replication, 217–218 Azure Cost Management (ACM), Azure Hybrid Benefit, 39–40, 39 storage account keys, 219–220, 89–91 Azure portal, 41–46, 42–44, 46 219, 221 Azure Data Box, 242 Azure Resource Manager, 26–30, 27, 29 storage accounts, 215–216 Azure Data Box Disk, 242 datacenters, 15 Azure Tables, 226, 227 Azure Data Box Edge, 242–243, 296 limits, 40–41 Azure Traffic Manager, 23, 206–208, 206 Azure Data Box Gateway, 242–243 Microsoft network, 24–26, 26 Azure Virtual WAN, 193–194, 194 Azure Data Box Heavy, 242 money buckets, 31 Azure VM documentation, 413 Azure Disk Encryption, 259, 407 regions and clouds, 16–18 AzureStackStampInformation.json file, Azure DNS configuration options, reserved instances, 37–39, 38 289, 295 177–178 resiliency, 18–24, 19, 21, 23–24 Azure Drive, 374 servers, 14–15 Azure Event Hub, 333 Azure Policy, 75–80, 76–78, 80 B Azure Files, 227–228 Azure portal, 41 B2B. See business-to-business (B2B) in Azure
Azure File Sync, 232–234, 233–234, basics, 42–45, 42–44 AD 310 dashboards, 45–46, 46 B2C (Business to Consumer) security, backups, 310 description, 359 160–162, 161 permissions, 229 Azure Queues, 227 backups security, 229–232, 231 Azure Resource Graph, 76, 76, 86–88 Azure Backup, 307–310, 308 snapshots and backups, 232, 232 Azure Resource Manager (ARM) Azure Files, 232, 232 Azure Firewall, 199 vs. ASM, 40 considerations, 305–307 Azure Front Door, 23–24, 24 Azure Policy, 76, 76 importance, 406 multi-region application deployments, overview, 26–30, 27, 29 overview, 297–298 302–303, 304 Privileged Identity Management, 157, 157 VM Agent, 259 working with, 208–210, 209–210 resource groups, 62 Windows Admin Center, 397


barriers to Azure Cloud Drive, 374 ExpressRoute Global Reach, 193–194, 194 overview, 399–400 cloud endpoints, 233 gateways and coexistence, 191–192 risks. See risks cloud overview, 16–18 PaaS VNet integration, 194–196 trust building, 400 datacenter evolution, 1–2 user-defined routing and forced tunneling, Basic Load Balancer, 204 introduction, 2–4, 3 192–193 best effort vs. reliability, 21 private, 4–6, 4 virtual networks BGP in ExpressRoute, 186, 188–192 public, 6–10, 8 adding VMs to, 174 BitCoin, 403 service types, 10–13, 10 NICs, 174–176 Blackforest cloud, 18 Cloud Shell overview, 171–173, 173, 178–181, 180 blob storage Azure portal, 44 VM reserved IP addresses, 176, 177 append blobs, 223 for management, 393, 393 VPNs block blobs, 222 working with, 371–376, 372–373 point-to-site, 182–183 capabilities, 223–224 CloudAdmin accounts, 283 site-to-site, 181–182 description, 221–222 Cloudyn solution, 89 connector groups in Application Proxy, 160 page blobs, 222–223 clusters, 14–15 consent in Azure AD, 142, 142 storage accounts, 333 coexistence in connectivity, 191–192 consistency tiering and lifecycle management, 224–226, 225 command bar in Azure portal, 44, 44 Azure Stack, 284–285 block blobs, 222 Complete deployment for templates, 82 databases, 246–247, 247 blueprints, 83–86, 84–85 Complete Mode for JSON templates, 385 replication, 111 boot diagnostics for VMs, 260–261, 261 compliance session, 304 bounded staleness in databases, 247 Azure Security Center, 353 Container as a Service, 274 break glass accounts, 119 governance. See governance
container runtime, 271 Bring Your Own IT (BYoIT), 402–403 monitoring, 326 containers in PaaS brownouts, 405 workload migration for, 319 Docker, 271–273, 272 budgets, 91–92 Compliance Manager tool, 50–51, 51 fundamentals, 267–271, 269, 271 bulk data storage, 242–243 composition files for containers, 269 Kubernetes, 273–274 bursting, 8, 8 compute capacity in cloud, 2 need for, 266–267 business-to-business (B2B) in Azure AD compute services, 249 services, 274–275 licensing, 128 PaaS, 266 contentVersion attribute, 386 one-time passcodes, 126, 127–128 Azure Application Services, 275–279, 277 contexts overview, 122–124, 123 containers, 266–275, 269, 271 CLI, 371 users, 124–126 VMs, 249 PowerShell, 363–367 Business to Consumer (B2C) security, agent and extensions, 258–260, 259 sessions, 362 160–162, 161 boot diagnostics, 260–261, 261 Contributor roles, 64–65 BYoIT (Bring Your Own IT), 402–403 dedicated hosts, 264–265 controllers in Microsoft network, 26 ephemeral OS disks, 261–262 controls in conditional access, 150 C IaaS, 249–252, 250–251 cool tier in blob storage, 225 caching VMs, 236 low-priority, 264 Core Store, 110, 110 CAP theorem, 246–247 processor provisioning, 254–257, 256 Cosmos DB, 24, 246–247, 247, 304, 305 capacity proximity placement groups, 262–263 Cost Management Contributor role, 91 Azure Files, 228–229 scale sets, 263 Cost Management Reader role, 91 Azure Stack, 286–287 series, 253–254 costs and cost management compute, 2, 7 variants and processor specifics, 257–258 accountability, 91–92, 92–93 low-priority VMs, 264 VMware, 265–266 enterprise enrollments, 35–37 managed disks, 237–238 Windows Virtual Desktop, 265 ExpressRoute, 183 monitoring, 326 conditional access (CA), 150–152 IaaS, 250–252, 251 performance considerations, 238–239 Conditional Access function for multifactor monitoring, 326 reserved instances, 37 authentication, 148–149 optimization, 93–94, 94 workload migration for, 319 configuration overview, 88–89, 88 certificates for Azure Stack, 282, 287–288 Azure AD authentication, 134 virtual machines, 6 China, regions in, 16–18 NICs, 174–175 visibility, 89–91, 90–91 circuits in ExpressRoute, 186, 188 VM Agent, 259 CPUs in VMs, 254–258, 256 Classless Interdomain Routing (CIDR), 172 Connect-AzAccount cmdlet, 362, 365 Create REST API, 92 CLI, 359 connections creation times, checking, 370 Azure Cloud Shell, 371–376, 372–373 Azure Network Watcher, 339 credentials working with, 370–371 ExpressRoute limits, 183 automation accounts, 378–379, 379 cloud PowerShell, 362–367, 363 Azure AD, 140 Active Directory in, 162–169 connectivity CSE (Custom Script Extension), 259–260, 259 authentication and authorization, 101–103, accelerated networking, 177 custom controls for conditional access, 150 102–103, 129–130 Azure Virtual WAN, 193–194, 194 custom roles, 66–68, 68 governance. See governance DNS, 177–178 Custom Script Extension (CSE), 259–260, 259 Cloud Critical bugs, 402 ExpressRoute, 183–191, 184, 190 customization in Azure Stack, 282


D on-premises exchange providers for ExpressRoute, 185 dashboards to Azure, 314–317, 315 exposed software, 402 Azure portal, 45–46, 46 Azure to Azure, 317–318, 318 ExpressRoute, 25 Azure Sentinel, 355–356 overview, 313–314, 313 ExpressRoute Direct, 191 Data Box Edge, 242–243 overview, 297–299, 312 fundamentals, 183–186, 184 data breaches, 407–408 workload migration, 318–323 gateways and coexistence, 191–192 data in Microsoft network, 26 disconnected scenarios, Azure Stack for, 287 Global Reach, 193–194, 194 data loss, 406 distributed denial-of-service (DDoS) multiple circuits, 186, 188 Data Protection Manager (DPM), 310 attacks, 202 overview, 183 data security in ExpressRoute, 183 DNS peering, 188–191, 190 Database Transaction Unit (DTU), 244 Active Directory, 163 ExpressRoute Direct FastPath capability, 191 databases, 243 configuration options, 177–178 ExpressRoute Local capability, 191 Azure Cosmos DB, 246–247 on-premises disaster recovery, 316 extensions in VMs, 258–260, 259 Azure SQL Database, 243–245 Do Not Delete option for blueprints, 84 extents in Azure Storage, 214–215 datacenters Docker containers, 269, 271–274, 272 external templates, 389–390 cloud infrastructure, 2–3 Docker Engine, 272, 272 evolution, 1–2 domain controllers (DCs) F considerations, 165–167 overview, 15 fabric elements, 2 placement, 164–165, 412 David Chappell and Associates, 400 fail fast strategy, 8–9 read-only, 167 DDoS Protection Basic, 202 Federal Information Processing Standard Domain Services in Active Directory, 167–169 DDoS Protection Standard, 202 (FIPS), 407 Don’t Lock option for blueprints, 84 declarative templates, 385 federations, 96 DoS (Denial of Service) attacks, 404–405 dedicated hosts for VMs, 264–265 applications, 140 DPM (Data Protection Manager), 310 Defender ATP, 158, 351 Azure AD authentication, 132–134, 132–133 DR. See disaster recovery (DR)
deleting blob storage, 223 overview, 98–101, 99 DSC (Desired State Configuration), 380 delivery in networking, 202–203 Feedback icon, 45 DSR (Direct Server Return), 203 inter-region load balancing, 206–210, 206, Field-Programmable Gate Arrays (FPGAs), 14 DTU (Database Transaction Unit), 244 209–210 filters due diligence, 402–403 intra-region load balancing, 203–206, 205 action rules, 349, 349 DVM (Deployment VM), 287 Denial of Service (DoS) attacks, 404–405 Azure AD, 117, 117 Dynamic Host Configuration Protocol Deny effects in Azure Policy, 77 ExpressRoute, 188–191, 190 (DHCP), 173 Department pattern for subscriptions, 54 RODC attributes, 167 dynamic IP addresses, 176 dependencies visibility, 89, 90 dynamic routing gateways, 181 containers, 267–270 find-module cmdlet, 362 dynamic rules for Azure AD groups, 138, 138 determining, 300 FIPS (Federal Information Processing migration, 318–319, 321 Standard), 407 monitoring, 326 E firewall virtual appliances, 199–201, 201–202 DeployIfNotExists effects in Azure EA portal in cost management, 89 floor space for datacenters, 3, 3 Policy, 77 elastic DTU (eDTU), 244 forced tunneling, 192–193 deployment slots in App Service plans, elastic pools, 244 Forced Unit Access (FUA), 166 276–277, 277 elastic workloads, 9 FPGAs (Field-Programmable Gate Arrays), 14 Deployment VM (DVM), 287 elasticity in private clouds, 6 frameworks, monitoring, 329 deprovisioning virtual machines, 6 email action groups for budgets, 92 free trials, 31 Desired State Configuration (DSC), 380 email alerts, 342 frontends in multi-region application desktop mode in Windows Admin encryption deployments, 301–302, 302 Center, 395 Azure Disk Encryption, 259, 407 FUA (Forced Unit Access), 166 device code flow, 362 data breaches, 407 DevOps site-to-site VPNs, 182 templates, 392 SMB, 227–228 G workflows, 24 storage accounts, 218 gaming resource requirements, 2 DHCP (Dynamic Host Configuration endpoints Gartner quadrants, 408–410, 409–410 Protocol), 173 Azure Stack, 295 gateway mode installation in Windows Diagnostic settings for logs, 154–155, 155 Storage Sync Service, 233 Admin Center, 395 Direct Server Return (DSR), 203 enterprise enrollments, 33–37, 34, 36 Gateway Transit Routing, 180–181 Directory + Subscription filter icon, 44 Enterprise State Roaming feature, 137, 137 gateways in connectivity, 191–192 Disable-AzContextAutosave entitlements in Azure AD, 138–139, 139 GDPR tags, 72 cmdlet, 367 environment-based management groups, 56 generations of datacenters, 15 Disabled effects in Azure Policy, 77 ephemeral OS disks, 261–262 Generic Routing Encapsulation (GRE), 173 disaster recovery (DR) European Free Trade Association, 17 geo-redundant storage (GRS), 406 ASR, 314–317 Event Hub, 333 Azure Storage, 217–218 cloud for, 9 eventual convergence in databases, 247 for data loss, 406


geo-redundant zone-redundant storage connector, 160 ICMP latency, 207 (GZRS), 217–218 management, 55–61, 56, 58–59, 61–62 idempotent templates, 385 Geography option in Azure Traffic network security, 163, 196–199, 197, 353 identity, 95 Manager, 208 Privileged Identity Management, 157 Active Directory, 97–98 Germany, regions in, 16–18 proximity placement, 262–263 Azure AD. See Azure AD Get-ADSyncAutoUpgrade cmdlet, 117 resource, 62–63 cloud authentication and authorization, Get-AutomationPSCredential cmdlet, 378 security, 196–199, 197 101–103, 102–103 Get-AzContext cmdlet, 365–366 GRS (geo-redundant storage), 406 federations, 98–101, 99 Get-AzContextAutosaveSetting cmdlet, 367 Azure Storage, 217–218 importance, 95–96 Get-AzKeyVaultSecret cmdlet, 368 for data loss, 406 Identity Protection in Azure AD Get-AzManagementGroup cmdlet, 60 GZRS (geo-redundant zone-redundant multifactor authentication, 146, 148 Get-AzProviderOperation cmdlet, 66 storage), 217–218 overview, 153–154 Get-AzResourceGroup cmdlet, 74 Sign-in Risk, 128 Get-AzResourceProvider cmdlet, 17, 28 SKUs, 108 Get-AzRoleDefinition cmdlet, 66 H identity providers (IdPs) in federations, Get-AzStorageAccountKey cmdlet, 368 HA. See high availability (HA)
99–101 Get-AzSubscription cmdlet, 366 Halo game, 2 Image2Docker tool, 274 Get-AzureADGroup cmdlet, 123 hardware for virtualization, 5 images, managed, 241 get-azureaduser cmdlet, 124–126 Hardware Lifecycle Host (HLH), 287 ImmutableID attribute, 111–112, 112 Get-AzureRmEnvironment cmdlet, 17–18 hashes in Azure AD, 129–130, 168 Incremental deployment for templates, 83 Get-AzVMSize cmdlet, 258 HDDs in VMs, 237 Incremental Mode for JSON templates, 385 Get-CloudDrive cmdlet, 372 health monitoring, 326 Infrastructure as a Service (IaaS) Get Function URL, 382 heat dissipation in datacenters, 3, 3 fundamentals, 249–252, 250–251 Get-Module cmdlet, 362 Help icon, 45 Gartner quadrants, 408–410 get-psprovider cmdlet, 374 high availability (HA) overview, 10–12, 10 Get-SupportSessionToken cmdlet, 295 application structure and requirements, Infrastructure as Code (IaC) GitHub 299–301, 300 description, 391–392 ACS-Engine, 275 databases, 246–247 templates, 81 Azure Policy, 78–79, 334 multi-region application deployments, insecure interfaces, 405 Azure Stack, 289 301–303, 302–303 instance size flexibility, 37–38 B2B partners, 124 overview, 297–299, 311 instances Custom Script Extension, 260 virtualization for, 5 Azure AD, 109–110, 109–110 log views, 155 hijacking accounts, 405–406 reserved, 37–39, 38 secrets, 357 HLH (Hardware Lifecycle Host), 287 Integrated Scripting Environment (ISE), 360 templates, 389, 391 home tenants in Azure AD B2B, 123 inter-region load balancing, 206–210, 206, Global Reach in ExpressRoute, 193–194, 194 Honolulu project, 395 209–210 Global VNet peering, 180 hot tier in blob storage, 225 Inter-Site Topology Generator (ISTG), 163 governance HRM (Hyper-V Recovery Manager), 314 inter-stamp replication, 215 Azure Policy, 75–80, 76–78, 80 Human Resource Management (HRM) interfaces, insecure, 405 Azure Resource Graph, 86–88 system, 121 internal AD in Azure Stack, 282 blueprints, 83–86, 84–85 hybrid authentication, 130–134, 131–133
international DMZs, cloud for, 9 cost management, 88–94, 88, 90–91, 93–94 Hype Cycle tool, 409–410, 409 Internet Protocol Security (IPsec), 182, 407 description, 47–49 hyper-converged storage, 2 INTERNET tag, 198 management groups, 55–61, 56, 58–59, Hyper-V intra-region load balancing, 203–206, 205 61–62 containers, 270–271, 271 intra-stamp replication, 214 naming conventions, 69–70 VMs, 258 IOPS requirements, 49–51, 51–52 Hyper-V Recovery Manager (HRM), 314 storage accounts, 215, 218, 229 resource groups, 62–63 Hyper-V Replica feature, 313–316 VMs, 237–239 role-based access control, 63–69, 65, 68–69 hyperthreading, 255 IP addresses subscriptions, 52–55, 53 hypervisors Active Directory, 163–164, 166 tags, 70–75, 72 on-premises disaster recovery, 313 Azure Firewall, 199 templates, 80–83 in virtualization, 4–5 Azure Stack, 283–284 granular retention policies, 307, 308 BGP, 187 GRE (Generic Routing Encapsulation), 173 I ExpressRoute, 189–190 Group Policy, 135 Identity Protection, 153 IaaS (Infrastructure as a Service) groups intra-region load balancing, 203–205 fundamentals, 249–252, 250–251 alerts, 342–343, 342, 349–350, 350 named locations, 150 Gartner quadrants, 408–410 Azure AD, 137–138, 138 NICs, 174–176 overview, 10–12, 10 applications, 140 NSGs, 197–198 IaC (Infrastructure as Code) entitlements, 138–139, 139 NVAs, 200–201 description, 391–392 conditional access, 151 on-premises disaster recovery, 316 templates, 81


PaaS, 194–196 lifecycle management in blob storage, MFA. See multifactor authentication (MFA) user-defined routing, 192 224–226, 225 microservices, containers for, 270 virtual networks, 171–173, 173 Lifecycle pattern for subscriptions, 54 Microsoft Authentication Library (MSAL), 161 VMs, 176, 177 limits, increasing, 40–41 Microsoft Authenticator application, 146–147 IPsec (Internet Protocol Security), 182, 407 linearizability in databases, 246 Microsoft Azure Recovery Services (MARS) ISE (Integrated Scripting Environment), 360 load balancing agent, 310 ISTG (Inter-Site Topology Generator), 163 high availability, 311 Microsoft Enterprise Edge (MSEE) IT Service Management (ITSM) inter-region, 206–210, 206, 209–210 routers, 184 alerts, 343 intra-region, 203–206, 205 Microsoft Identity Management (MIM), cost management, 92 multi-region application deployments, 112, 119 301–302, 302 Microsoft Management Console (MMC), 395 J local DNS server (LDNS), 206 Microsoft Monitoring Agent (MMA) JavaScript Object Notation. See JSON
locally redundant storage (LRS), 217–218 Azure Monitor Logs, 334 (JavaScript Object Notation) lock options for blueprints, 84 Azure Security Center, 353 JEA (just-enough-administration) Log Analytics, 86 VM metrics, 329 Privileged Identity Management, 156, 157 application dependencies, 300 Microsoft network, 24–26, 26 role-based access control, 68 Application Insights, 329 Microsoft peering in ExpressRoute, 189–191, JIT (just-in-time) administration Azure AD logs, 155, 156 190 risk mitigation, 404 Azure Sentinel, 355–357, 356 migration, workload, 318–319 role-based access control, 68 overview, 333–334 approaches, 320 joiner/mover/leaver (JML) flow, 121 Logic Apps, 279 benefits, 319–320 JSON (JavaScript Object Notation) LogicApp phases, 320–323 Azure Policy, 78–79 alerts, 343 MIM (Microsoft Identity Management), blueprints, 83 cost management, 92 112, 119 role-based access control, 66 Login-AzureRmAccount cmdlet, 293 Minasi, Mark, 402 tags, 72 logs minions in containers, 274 templates, 80–82, 359 inspection, 154–156, 155–156 MMA (Microsoft Monitoring Agent) overview, 383–386, 384 monitoring, 328–329 Azure Monitor Logs, 334 sections, 386–389 loss, data, 406 Azure Security Center, 353 tips, 389–393, 390–391 low-priority VMs, 264 VM metrics, 329 JSON Web Tokens (JWTs), 102 LRS (locally redundant storage), 217–218 MMC (Microsoft Management Console), 395 just-enough-administration (JEA) mobile apps, 278 Privileged Identity Management, 156, 157 M Mobile Device Management (MDM), 136 monitoring role-based access control, 68 Magic Quadrant, 409–410, 409 alerts. See alerts
just-in-time (JIT) administration malicious insiders, 404 Azure Monitor, 329–334, 330–333 risk mitigation, 404 man-in-the-middle attacks, 407 Azure Monitor Logs, 334–341, 335–336, 338 role-based access control, 68 managed disks, 237 networking, 210–211 just-in-time-redemption, 124 availability set and availability zone purpose, 325–326 just-in-time tenants, 126 resiliency, 240 telemetry, 326–329, 327 just-in-time VM access, 353, 354 images, 241 VM Agent, 259 performance, 238–239 Windows Admin Center, 397 K SKUs, 237–238 Mooncake cloud, 18 Kerberos Constrained Delegation (KCD), 160 snapshots, 241 moving VMs, 174 Key Vault, 357–358, 358, 378 Write Accelerator, 240 MPLS (Multiprotocol Label Switching), 2 keys for Azure Storage accounts, 219–220, managed identities, 357–358, 358 mS-DS-ConsistencyGuid value, 111 219, 221 managed instances in Azure SQL Database, MSAL (Microsoft Authentication Library), 161 Kubernetes containers, 273–274 244 MSEE (Microsoft Enterprise Edge) routers, Kusto Query Language (KQL), 334 management groups, 55 184 basics, 55–57, 56, 58 Multi-Factor Refresh Token Max Age working with, 58–61, 59, 61–62 L property, 364 management in Microsoft network, 26 latencies multi-instance services, scaling, 20 MAREA cable, 25 ExpressRoute, 183 multi-region application deployments, market position, 408–410, 409–410 ICMP, 207 301–303, 302–303 marketplace images, 370 Latency option in Azure Front Door, 210 multifactor authentication (MFA) marketplace syndication in Azure Stack, LDNS (local DNS server), 206 Azure AD, 108, 133, 143, 145–149, 146–148 290–292, 291 licensing conditional access, 152 MARS (Microsoft Azure Recovery Services) Azure AD B2B, 128 identity, 96 agent, 310 compliance, 152 importance, 405–406 MDM (Mobile Device Management), 136 multifactor authentication, 147 role-based access control, 68 measured service in clouds, 6 Visual Studio subscriptions, 31 third-party integration, 149 metrics for resources, 328–329 virtualization, 5 Windows Hello for Business, 149


multiple circuits in ExpressRoute, 186, 188 New-StorageSyncNetworkLimit cmdlet, 234 risks from, 405–406 Multiprotocol Label Switching (MPLS), 2 NICs (network interface cards) RODCs, 167 Multivalue option in Azure Traffic IP addresses, 174–176 self-service password reset, 147–148, 148 Manager, 208 VMs, 174 Pay-as-You-Go access, 31 My Apps Secure Sign-in extension, 144, 144 NIST (National Institute of Standards and peering MyApps portal, 143, 143 Technology) cloud description ExpressRoute, 183–184, 188–191, 190 account security, 108 site-to-site VPNs, 182 N cloud requirements, 5 virtual networks, 179–180, 180 cloud service definitions, 10–11 PEP (Privileged EndPoint), 295 named locations in conditional access, 150 No Caching option for VMs, 236 performance names notifications Application Insights, 340 Active Directory, 164 alerts, 341 managed disks, 238–239 naming conventions, 69–70 Azure portal icon, 45 monitoring, 326 resource groups, 62 Notorious Nine risks. See risks VMs, 255 National Institute of Standards and NSA (National Security Agency), 407 performance-based sizing, 321 Technology (NIST) cloud description NSGs. See network security groups (NSGs)
Performance option account security, 108 Azure Front Door, 210 cloud requirements, 5 Azure Traffic Manager, 207 cloud service definitions, 10–11 O permissions National Security Agency (NSA), 407 OATH tokens for multifactor authentication, Azure AD, 115, 142 nested templates, 389 146–147, 146 Azure Files, 229 network access in clouds, 5 OAUTH 2.0 protocol, 102, 141 role-based access control, 64–65, 65 network interface cards (NICs) objectGUID attribute, 111–112 PIM (Privileged Identity Management) IP addresses, 174–176 offers in Azure Stack, 292–294 overview, 156–158, 157 VMs, 174 Office 365 Advanced Threat Protection, 351 role-based access control, 68, 68–69 network security groups (NSGs) OIDC (OpenID Connect), 102–103 pizza and Super Bowl, 7–8 Active Directory, 163 on-demand self-service, 5 plans Azure Security Center, 353 on-premises disaster recovery, 313–314, 313 Azure Stack, 292–294 flow logs, 328–329, 339 to Azure, 315–317, 315 for services, 30 overview, 196–199, 197 Azure to Azure, 317–318, 318 Platform as a Service (PaaS), 10, 10 network service providers in one-time passcodes (OTPs) in Azure AD B2B, compute services, 266 ExpressRoute, 185 126, 127–128 Azure Application Services, 275–279, network virtual appliances (NVAs), 200–201, Open Compute Project, 14 277 201–202 OpenID Connect (OIDC), 102–103 containers, 266–275, 269, 271 Network Watcher, 338–339 operating systems Magic Quadrant, 409 networking, 171 on-premises disaster recovery, 313 overview, 10–12, 10 connectivity. See connectivity
virtual machines, 4 VNet integration, 194–196 delivery, 202–203 optimization in cost management, 93–94, 94 point-of-presence (POP) locations for Azure inter-region load balancing, 206–210, optimize phase in workload migration, Front Door, 209, 209 206, 209–210 322–323 point-to-site VPNs, 182–183 intra-region load balancing, 203–206, 205 organizational-based management groups, 56 policy-based VPNs, 181 monitoring, 210–211 OTPs (one-time passcodes) in Azure AD B2B, Policy management groups, 55 protection, 196 126, 127–128 pooling clouds, 5 distributed denial-of-service attacks, 202 Owner roles, 64–65 POP (point-of-presence) locations for Azure firewall virtual appliances, 199–201, Front Door, 209, 209 201–202 P Portal settings icon, 45 security groups, 196–199, 197 PA (Provisioning Agent), 258 Power BI Microsoft Azure Consumption networks PaaS. See Platform as a Service (PaaS) Insights application, 91 cloud, 2 page blobs, 222–223 power consumption in datacenters, 2–4, 3 virtual parameters section in JSON templates, power usage effectiveness (PUE), 3, 15 adding VMs to, 174 386–387 PowerShell, 359–360 connecting, 178–181, 180 partition layer replication, 215 connections, 362–367, 363 overview, 171–173, 173 partition tolerance in databases, 246 overview, 360–362, 360 New-AzManagementGroup cmdlet, 59 pass-through authentication (PTA), 131–132, working with, 367–370 New-AzPolicyAssignment cmdlet, 79 131 PowerShell Core, 360–361 New-AzPolicyDefinition cmdlet, 79 passcodes in Azure AD B2B, 126, 127–128 PPGs (proximity placement groups), New-AzRoleDefinition cmdlet, 231 Password Reset Registration function, 148, 262–263 New-AzureADMSInvitation cmdlet, 124–125 148 predictable bursting, 8, 8 New-AzureRmResourceGroupDeployment passwords premium block blobs, 222 cmdlet, 383 Azure AD, 108, 118, 129 premium SSDs, 237 New-AzureRmRoleAssignment challenges, 96, 145 prescriptive templates, 385 cmdlet, 61 policies, 149–150 Primary Refresh Tokens, 137

bindex.indd 1:58:34:PM/09/18/2019 Page 421 422 | PRIORITY OPTION • SAAS

Priority option refactoring, workload migration for, 320 retention Azure Front Door, 210 Refresh Token Max Inactive Time backups policies, 307, 308 Azure Traffic Manager, 208 property, 364 blob storage, 223 private clouds, virtualization in, 4–6, 4 regional network gateways (RNGs), 25 Revoke-AzureADUserAllRefreshToken private IP addresses for NICs, 175–176 regions cmdlet, 130 private peering in ExpressRoute, 183, 188 App Service plans, 275 RID (Relative ID) pool in Active Directory, 165 Privileged EndPoint (PEP), 295 Azure Stack, 282 right sizing, 321 Privileged Identity Management (PIM) datacenters, 15 RIs (Reserved Instances), 37–39, 38 overview, 156–158, 157 ExpressRoute, 186 risks, 400–401, 401 role-based access control, 68, 68–69 overview, 16–18 abuse, 403–404 privileged identity protection, 108 VMs, 174 data breaches, 407–408 processor provisioning, 254–257, 256 registration networks in Azure DNS, 178 data loss, 406 Project Natick website, 15 registration process for multifactor Denial of Service attacks, 404–405 Project Olympus, 14 authentication, 147–149, 147–148 due diligence, 402–403 protection in networking rehosting, workload migration for, 320 exposed software, 402 distributed denial-of-service attacks, 202 Relative ID (RID) pool in Active Directory, 165 interfaces, 405 firewall virtual appliances, 199–201, reliability vs.
best effort, 21 malicious insiders, 404 201–202 Remote Desktop Gateway, 160 Skynet, 408 security groups, 196–199, 197 Remote Spending Limit dialog box, 32 unauthorized access, 405–406 provisioning Rename-AzContext cmdlet, 365–366 RNGs (regional network gateways), 25 to Azure AD, 121–122, 122 replication RODCs (read-only domain controllers), virtualization, 4–5 to Azure AD, 111–119, 113–114, 116–118 166–167 VM processors, 254–257, 256 Azure Files, 233, 234 role-based access control (RBAC) Provisioning Agent (PA), 258 Azure Storage, 214–215, 217–218 Azure Resource Manager, 27 proximity placement groups (PPGs), 262–263 multi-region application deployments, management groups, 55–57 PTA (pass-through authentication), 131–132, 303–304, 303–304 overview, 63–69, 65, 68–69 131 on-premises disaster recovery, 316 resource groups, 62–63 public cloud, 6–10, 8 Windows Admin Center, 397 roles public IP addresses in NICs, 175 Reserved Instances (RIs), 37–39, 38 Azure AD, 144 PUE (power usage effectiveness), 3, 15 reserved IP addresses for VMs, 176, 177 conditional access, 151 Push action group for budgets, 92 resiliency creating, 367–370 push alerts, 342 availability. See high availability (HA) Root Management Group, 57–58 Azure AD Connect, 119 route-based VPNs, 181 Q Azure SQL Database, 245 route filters in ExpressRoute, 188–191, 190 datacenters, 15–16 routers, 184 querying workspaces, 336–337, 336 disaster recovery. See disaster recovery (DR) routing gateways, 181 ExpressRoute, 186 RPO (Recovery Point Objective) R infrastructure, 3 description, 297 RA-GRS (read-access geo-redundant storage), managed disks, 239, 240 in disaster recovery, 299 217–218 networking, 184, 200 on-premises disaster recovery, 316 RACI matrix for alerts, 341 overview, 18–24, 19, 21, 23–24 RTO (Recovery Time Objective) rapid elasticity in private clouds, 6 power, 4 description, 297 RBAC.
See role-based access control (RBAC) regions, 25–26, 245 in disaster recovery, 299 read & write caching, 236 replication, 214–215, 217 on-premises disaster recovery, 316 read-access geo-redundant storage (RA-GRS), resolution networks, 178 rules 217–218 resource diagnostic logs, 328–329 alerts, 346–349, 347–349 read caching, 236 Resource Explorer, 29, 29 Azure AD groups, 138, 138 read-only databases, 167 resource groups Azure Firewall, 199 read-only domain controllers (RODCs), 166–167 overview, 62–63 Azure Security Center, 353 Read Only option for blueprints, 84 tags, 74 Azure Sentinel, 355 read-write domain controllers (RWDCs), 167 resource owners in cloud, 101 network security groups, 196–198 Reader roles, 64 resource panes in Azure portal, 42 Network Watcher, 339 rearchitecting, workload migration for, 320 resource servers in cloud, 101 Run As accounts, 377–378, 378 rebuilding, workload migration for, 320 resource tenants in Azure AD B2B, 123 runbooks, 343, 377–380, 378 Recovery Point Objective (RPO) resources Russinovich, Mark, 400, 408 description, 297 Azure, 413 RWDCs (read-write domain controllers), 167 in disaster recovery, 299 metrics, 328–329 on-premises disaster recovery, 316 pooling, 5 S Recovery Time Objective (RTO) virtualization, 4 S2D (Storage Spaces Direct), 296, 396, 396 description, 297 resources section in JSON templates, 388 S2S (site-to-site) VPNs, 181–182 in disaster recovery, 299 Retain Instance Recovery Snapshot(s) For SaaS (Software as a Service), 10–12, 10 on-premises disaster recovery, 316 setting, 308


SAML (Security Assertion Markup Service Map tool, 300 SPs (service providers) in federations, 98–101 Language), 98–100, 99 service providers (SPs) in federations, 98–101 SQL Database ATP, 351 sandboxes, 268 service traffic, hijacking, 405–406 SQL Server, 243–245 SANs (storage area networks), 2, 213–214 Service Trust Portal, 50 SQL (Structured Query Language), 243–245 SAS (shared access signatures), 220, 221 service types for cloud, 10–13, 10, 12–13 SSDs, 237 scale sets for VMs, 263 services, monitoring, 329 SSPR (self-service password reset), scaling and scalability Session Affinity option, 210 147–148, 148 App Service plans, 276–277, 277 session tokens in Azure Stack, 295 stamps in storage, 14 managed disks, 238–239 sessions standard HDDs, 237 resiliency, 18–20, 19 consistency, 304 Standard Load Balancer, 204 scale units, 14 contexts, 362 standard SSDs, 237 SCIM (System for Cross-Domain Identity databases, 247 Start-ADSyncSyncCycle cmdlet, 118 Management), 140 Set-AzContext cmdlet, 366 Start-AzStorageBlobCopy cmdlet, 224 SDN (software-defined networking), 26 Shadow IT, 402–403 startups, cloud for, 8–9 seamless sign-on, 134–136, 135–136 shared access signatures (SAS), 220, 221 static IP addresses for VMs, 176 Search-AzGraph cmdlet, 87–88 SHiPS (Simple Hierarchy in PowerShell), 374 static routing gateways, 181 secrets, Azure Key Vault for, 357–358 SIEM (Security Information and Event storage, 213 Secure Token Service (STS), 131 Management), 333–334, 355 Azure Storage.
See Azure Storage services security, 145 sign-in logs, 154 bulk data, 242–243 Active Directory in cloud, 162–169 Simple Hierarchy in PowerShell (SHiPS), 374 cloud, 2 Advanced Threat Protection, 158, 159, simple rules for Azure AD groups, 138, 138 databases, 243–247, 247 350–352, 352 single databases in Azure SQL Database, 244 geo-redundant, 217–218, 406 Application Proxy, 158–160, 159 Single-Factor Refresh Token Max Age on-premises disaster recovery, 313 Azure AD B2C, 160–162, 161 property, 364 VMs, 235–241, 235, 240 Azure Files, 229–232, 231 single sign-on, 134–136, 135–136, 140 storage account keys in Azure Storage, Azure Key Vault, 357–358, 358 site configuration in Active Directory, 219–220, 219, 221 Azure Security Center, 353–355, 354 163–164 storage accounts Azure Sentinel, 355–357, 356 site-to-site (S2S) VPNs, 181–182 Azure Monitor, 333, 333 balancing, 402 size in App Service plans, 276 Azure Storage, 215–216 conditional access, 150–152 SKUs storage area networks (SANs), 2, 213–214 encryption. See encryption Azure AD, 106–108 Storage Spaces Direct (S2D), 296, 396, 396 Identity Protection, 153–154 managed disks, 237–238 Storage Sync Service, 233 log inspection, 154–156, 155–156 Skynet, 408 stream layer replication, 214 monitoring, 326 SLAs (service-level agreements) Stream to an event hub option, 155 multifactor authentication, 145–149, resiliency, 22 Structured Query Language (SQL), 146–148 virtual machines, 19 243–245 password policies, 149–150 smart groups for alerts, 349–350, 350 STS (Secure Token Service), 131 Privileged Identity Management, 156–158, SMB shares, 227–228 subnets 157 SMS action group for budgets, 92 Azure Traffic Manager, 208 risks.
See risks SMS alerts, 342 creating, 370 workload migration for, 319 snapshots VMs, 174 Security Assertion Markup Language Azure Files, 232, 232 subscriptions (SAML), 98–100, 99 backups, 306, 308–309, 308 availability zones, 22, 23 security function in VM Agent, 259 blob storage, 223 Azure portal, 43 security groups, 196–199, 197 managed disks, 241 Azure Stack, 282, 292–294 Security Information and Event Management SNAT (source NAT) services enterprise enrollments, 34–35 (SIEM), 333–334, 355 Azure Firewall, 199 management groups, 55–57, 56 Security Orchestration, Automation and virtual networks, 175–176 overview, 52–54, 53 Response (SOAR), 355 Snowden, Edward, 407 patterns, 54–55 segmentation in virtual networks, 178–179 SOAR (Security Orchestration, Automation tenants, 44–45 self-service password reset (SSPR), 147–148, and Response), 355 Video Studio, 31–33, 33 148 soft deletes in blob storage, 223 subsea cable, 25 Send to Log Analytics option, 155 software, exposed, 402 Super Bowl and pizza, 7–8 server endpoints in Storage Sync Service, 233 Software as a Service (SaaS), 10–12, 10 support session tokens in Azure Stack, 295 Server Manager, 395 software-defined networking (SDN), 26 suppressing alerts, 349 serverless Azure Application Services, source NAT (SNAT) services Switch-AzContext cmdlet, 365 278–279 Azure Firewall, 199 switches in Microsoft network, 26 servers overview, 14–15 virtual networks, 175–176 synchronization. See replication Service Health information, 330–331, 331 sources for alerts, 343, 344 System Assigned option for blueprints, 85 service-level agreements (SLAs) sparse storage for page blobs, 222 System Center Data Protection Manager, 310 resiliency, 22 special projects, 9 System for Cross-Domain Identity virtual machines, 19 split TCP, 209, 210 Management (SCIM), 140


T ultra SSDs, 237 virtualization, 4–6, 4 tags unauthorized access, 405–406 visibility in cost management, 89–91, 90–91 overview, 70–75, 72 Unlock-SupportSession cmdlet, 295 Visual Studio subscriptions, 31–33 resource groups, 62 unmanaged tenants, 126 Visual Studio (VS) Code, 360–361 telemetry, monitoring, 326–329, 327 unpredictable bursting, 8, 8 VM Agent, 258–260, 259 templates, 80–83, 359 update domains (UDs) for availability sets, 22 VM-GenerationID attribute, 165–166 overview, 383–386, 384 updating VM per Series Cores per Subscription sections, 386–389 Azure Stack, 294, 295 setting, 41 tips, 389–393, 390–391 Windows Admin Center, 397 VM scale sets (VMSS), 199, 311 temporary storage for VMs, 236–237 User Access Administrator role, 58–59 VM Total Cores per Subscription setting, 40 Tenant Root Group, 57 User Access Control (UAC), 156–157 VMs. See virtual machines (VMs) tenants user agents in federations, 98 VMSS (virtual machine scale set) technology, applications, 140–141, 141 user consent in Azure AD, 142, 142 199, 311 Azure AD, 109–110 user-defined routing (UDR), 192–193 VMware, 265–266 Azure AD B2B, 123, 126 user experience in Azure AD, 142–144, VNet integration, 194–196 and subscriptions, 44–45, 53, 53, 55–57, 143–144 VNet peering, 180 58–59 user roles in Azure AD, 144 Voice action group for budgets, 92 terms of use for conditional access, 150 users voice alerts, 342 Terraform technology, 385 Azure AD B2B, 124–126 Volume Shadow Copy Service (VSS), 309 test and development, cloud for, 9 conditional access, 151 VPNs (virtual private networks) Test-AzResourceGroupDeployment cmdlet, 389 point-to-site, 182–183 site-to-site, 181–182 Test-AzureStack cmdlet, 294 V Test-NetConnection cmdlet, 229 VS Code, 392 vanity domains, 207 thin provisioning for page blobs, 222 VS (Visual Studio) Code, 360–361 variables third parties VSS (Volume Shadow Copy Service), 309 Azure Automation, 379 multifactor authentication, 149 JSON templates, 387–388 provisioning to Azure AD,
121–122, 122 VCPP partner program, 266 W threats. See risks vCPUs in VMs, 254–257, 256 Web apps, 278 ticket generation for alerts, 341 VHDs (virtual hard disks), 174 Webhook action group, 92 tiers VHDX format, 4, 4 webhooks, 343, 377–380 applications, 300 video gaming, 2 Weighted option blob storage, 224–226, 225 Video Studio subscriptions, 33 Azure Front Door, 210 time-to-live (TTL) value viral tenants, 126 Azure Traffic Manager, 207 Azure Traffic Manager, 208 virtual hard disks (VHDs), 174 Windows Admin Center, 395–397, 396 disaster recovery, 316 virtual machine scale set (VMSS) technology, Windows file server, 233 TLS (Transport Layer Security), 407 199, 311 Windows Guest Agent (WinGA), 258 tokens in Azure Stack sessions, 295 virtual machines (VMs) Windows Hello for Business, 149 topology viewer, 338 adding to virtual networks, 174 Windows Management Framework, 396 Traffic Analytics, 339 backups, 305–306 Windows Remote Desktop services, 265 Traffic Manager, 23, 206–208, 206 compute services. See compute services Windows Server Storage-Defined program, transmission speed in ExpressRoute, 183 deploying, 370 296 Transport Layer Security (TLS), 407 IP addresses, 176, 177 Windows Virtual Desktop, 265 Trust Center, 404 managed disks, 237–241, 240 WinGA (Windows Guest Agent), 258 trust in Azure, 400 metrics, 329 workload migration, 318–319 TTL (time-to-live) value NICs, 174–176 approaches, 320 Azure Traffic Manager, 208 reliability vs.
best effort, 21 benefits, 319–320 disaster recovery, 316 reserved instances, 37–39, 38 phases, 320–323 types scaling, 18–20, 19 workplace joins, 136 App Service plans, 275 storage, 235–241, 235, 240 Write Accelerator, 240 application services, 278 turning off, 6 WS-Fed (WS-Federation), 98 types, 252–258, 256 U VIRTUAL_NETWORK tag, 198 Z UAC (User Access Control), 156–157 virtual private networks (VPNs) Zone Redundant Storage (ZRS) UDR (user-defined routing), 192–193 point-to-site, 182–183 Azure Storage, 217–218 UDs (update domains) for availability sets, 22 site-to-site, 181–182 for data loss, 406
