Design Microsoft Azure Infrastructure and Networking

  • 6/23/2015

Answers

This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.

Objective 1.1: Thought experiment

  1. There’s no single best way to explain how data is secured in the cloud. However, a simple analogy is quite effective: Ask if one would deposit money in a bank or keep cash under a couch cushion. Sure, the cash is closer to the owner when stored under the cushion, but the owner won’t be able to provide the level of protection a bank can offer. When you save data to Azure, your data is replicated at least three times for high availability. And Azure makes sure your data is accessible only by you.
  2. Again, there’s no single correct answer. One possible approach is to talk about service recovery. Applications will fail, no matter where an application is deployed. The key to improving service availability is how quickly you can recover from errors. In traditional datacenters, MTTR is usually quite lengthy. Referring to previous service interruption cases is a good strategy to illustrate how reduced MTTR can help to dramatically increase service availability.

Objective 1.1: Review

  1. Correct answers: A, B, C, and D

    1. Correct: Sufficient training is the foundation of building up a high-quality team.
    2. Correct: Automation is one of the most effective means to reduce human errors.
    3. Correct: Just-in-time access ensures that there’s no standing access to Azure resources, reducing the risk of accidental operations being carried out on customer data.
    4. Correct: Operation policies must be reinforced to ensure established workflows and practices are precisely followed.
  2. Correct answers: A, B, C, and D

    1. Correct: Azure is committed to annual certification against ISO/IEC 27001/27002:2013.
    2. Correct: Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP).
    3. Correct: Microsoft currently offers a HIPAA Business Associate Agreement (BAA) to customers who have an Enterprise Agreement (EA).
    4. Correct: Microsoft offers customers European Union Standard Contractual Clauses.
  3. Correct answer: B

    1. Incorrect: Single-instance VMs don’t qualify for SLA.
    2. Correct: Azure SLA requires at least two multi-instance VMs be deployed in the same Availability Set.
    3. Incorrect: If an Availability Set only contains a single VM, the VM doesn’t qualify for SLA.
    4. Incorrect: Two VMs must be in the same Availability Set to qualify for SLA.

Objective 1.2: Thought experiment

  1. Although you can use both ACL and NSG to control network traffic to VMs, NSG is a better choice in this case because 1) you can define rules that apply to a subnet instead of a single VM, and 2) you gain greater control by defining inbound rules and outbound rules independently.
  2. One possible way to design the topology is to put Internet-facing resources, application servers, and database servers into different subnets. The Internet-facing resources can communicate only to application servers through specific ports. And only application servers can access database servers governed by another set of rules.

Objective 1.2: Review

  1. Correct answers: A, B, C, and D

    1. Correct: Each VM has an associated public virtual IP (VIP).
    2. Correct: Each VM has one or multiple private IP addresses, one per NIC.
    3. Correct: A static public IP can be associated with a VM.
    4. Correct: A private static IP address can be associated to a VM on a virtual network.
  2. Correct answers: A, B, and C

    1. Correct: VIRTUAL_NETWORK denotes all IP ranges in the same virtual network, including connected networks.
    2. Correct: AZURE_LOADBALANCER denotes the IP address of the Azure load balancer.
    3. Correct: INTERNET denotes all IP addresses outside the virtual network.
    4. Incorrect: VIRTUAL_MACHINE is not a default tag.
  3. Correct answers: A, B, C, and D

    1. Correct: An NSG rule defines traffic flow control from a source range to a destination range. The source range is defined by source IP and source port.
    2. Correct: An NSG rule defines traffic flow control from a source range to a destination range. The destination range is defined by target IP and source port.
    3. Correct: You can apply an NSG rule to TCP, UDP, or * for both protocols.
    4. Correct: Each NSG rule has an associated priority. Rules with lower priority can be overridden by rules with higher priorities.
  4. Correct answers: A, B, C, and D

    1. Correct: Each ACL rule has a rule number, which denotes the priority of the rule.
    2. Correct: The remote subnet defines the IP range that the rule will be applied to.
    3. Correct: An ACL rule is associated with a VM endpoint.
    4. Correct: An ACL rule can be either a permitting rule or denying rule.
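An added example, not from the book: the three-subnet design in the Objective 1.2 thought experiment expressed as inbound NSG rules and checked with the first-match-by-priority semantics and default tags (VIRTUAL_NETWORK, INTERNET) covered in review questions 2 and 3. Address ranges, ports and rule names are assumed sample values; the two default rules are Azure's built-in AllowVnetInBound (65000) and DenyAllInBound (65500).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumed, not from the book): one VNet, three subnets.
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB, APP, DB = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first and wins
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*", or the default tags VIRTUAL_NETWORK / INTERNET
    dest_port: str  # "443", "1433", or "*"
# Azure's built-in inbound default rules sit behind every custom rule.
DEFAULTS = [Rule("AllowVnetInBound", 65000, "Allow", "*", "VIRTUAL_NETWORK", "*"),
            Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]

def source_matches(spec, addr):
    addr = ipaddress.ip_address(addr)
    if spec in ("VIRTUAL_NETWORK", "INTERNET"):
        return (addr in VNET) == (spec == "VIRTUAL_NETWORK")
    return spec == "*" or addr in ipaddress.ip_network(spec)

def evaluate(rules, src, proto, port):
    """First match by ascending priority decides; destination is the NSG's own subnet."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if r.protocol in ("*", proto) and r.dest_port in ("*", str(port)) \
                and source_matches(r.source, src):
            return r.access
    return "Deny"

# Inbound NSGs for the three subnets described in the thought experiment.
NSG_WEB = [Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "INTERNET", "443")]
NSG_APP = [Rule("AllowWebToApp", 100, "Allow", "Tcp", WEB, "8080"),
           Rule("DenyOtherVnet", 200, "Deny", "*", "VIRTUAL_NETWORK", "*")]
NSG_DB = [Rule("AllowAppToSql", 100, "Allow", "Tcp", APP, "1433"),
          Rule("DenyOtherVnet", 200, "Deny", "*", "VIRTUAL_NETWORK", "*")]

def check_topology():
    return {
        "internet->web:443": evaluate(NSG_WEB, "203.0.113.7", "Tcp", 443),
        "internet->web:22": evaluate(NSG_WEB, "203.0.113.7", "Tcp", 22),
        "web->app:8080": evaluate(NSG_APP, "10.0.1.4", "Tcp", 8080),
        "web->db:1433": evaluate(NSG_DB, "10.0.1.4", "Tcp", 1433),
        "app->db:1433": evaluate(NSG_DB, "10.0.2.4", "Tcp", 1433),
        # Without the explicit deny, default AllowVnetInBound lets web reach db.
        "web->db:1433 without deny": evaluate(NSG_DB[:1], "10.0.1.4", "Tcp", 1433),
    }
```

The last entry is the point a reviewer should check: without the explicit deny at priority 200, the built-in AllowVnetInBound rule lets the Internet-facing tier reach the database tier directly.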

Objective 1.3: Thought experiment

  1. Reliability, availability, security, and performance are all valid concerns. In particular, because Azure provides SLAs only if there are at least two VMs in an Availability Set, to ensure availability you’ll need to deploy the application to at least two VMs and join them behind a load balancer. This might immediately cause some problems because not all applications are designed for such a deployment. For instance, some legacy systems are designed to have a single central server that handles all user transactions. When the transactions are distributed to multiple instances, you might have two centers of truth that can’t be reconciled. Data replication and customer partitioning are two effective approaches in some cases.
  2. To take full advantage of the cloud, you should explore the possibility of moving the application to PaaS. With VMs, you are still responsible for managing the virtualized infrastructure. With PaaS, you can focus almost entirely on implementing your business logic and leave the rest to Azure.

Objective 1.3: Review

  1. Correct answer: C

    1. Incorrect: A-series is designed for generic workloads, with A8 through A11 designed for HPC.
    2. Incorrect: D-series is designed for applications with high CPU and high temporary data IO.
    3. Correct: DS-series is designed for applications with high persisted data IO.
    4. Incorrect: G-series is for applications with high CPU and memory demands.
  2. Correct answer: D

    1. Incorrect: 8 is below the limit of any series.
    2. Incorrect: 16 is the limit of A-series.
    3. Incorrect: 32 is the limit of D-series and DS-series.
    4. Correct: G-series supports up to 64 data drives.
  3. Correct answer: A

    1. Correct: Azure Resource Template uses JSON format.
    2. Incorrect: Azure Resource Template doesn’t support XML format.
    3. Incorrect: Azure Resource Template doesn’t support YAML format.
    4. Incorrect: Azure PowerShell is a scripting language; it’s not used to describe an Azure Resource Template.
  4. Correct answers: A, B, C, and D

    1. Correct: Custom Script Extension downloads and runs configuration scripts such as DSC to designated VMs.
    2. Correct: Chef and Puppet are both integrated third-party solutions.
    3. Correct: Azure Automation can periodically check and fix your resource states so they don’t drift away from standard settings.
    4. Correct: Containerization is an effective way to pack applications as consistently deployable units.

Objective 1.4: Thought experiment

  1. Common techniques include introducing cache to reduce accesses to databases, using asynchronous IO operations, compressing data, sending deltas and only required data instead of complete data sets, and paging.
  2. You can use queues to decouple components to break hard dependencies among services so that they can run at different paces. You can also consider SOA and Microservices to decompose complex applications into smaller services that can evolve separately.

Objective 1.4: Review

  1. Correct answers: A, B, C, and D

    1. Correct: Use Point-to-Site connections to connect individual local computers to Azure Virtual Networks.
    2. Correct: Use Site-to-Site connections to connect an on-premises network to Azure Virtual Networks.
    3. Correct: Use vNet-to-vNet VPN to connect two Azure virtual networks.
    4. Correct: Use Multi-site VPN to connect multiple on-premises networks to the same Azure virtual network.
  2. Correct answer: D

    1. Incorrect: 80 Mbps is roughly the bandwidth a standard Azure Virtual Network gateway provides.
    2. Incorrect: 200 Mbps is roughly the bandwidth a high-performance Azure Virtual Network gateway provides.
    3. Incorrect: 1 Gbps is the maximum ExpressRoute bandwidth when a network service provider is used.
    4. Correct: 10 Gbps is the maximum ExpressRoute bandwidth when an exchange provider is used.

Objective 1.5: Thought experiment

  1. In this case, the Traffic Manager policy will use the failover method, with a primary endpoint pointing to the on-premises deployment and a secondary endpoint pointing to the cloud deployment.
  2. As the maintenance begins, the on-premises site is brought down. Some customers will still be redirected to the on-premises endpoint, leading to service interruption. As DNS records expire, new customer requests will be redirected to the cloud endpoint. You should note that this is not a zero-downtime solution.

Objective 1.5: Review

  1. Correct answers: A, B, and C

    1. Correct: Traffic Manager supports the round-robin method that distributes traffic evenly to endpoints.
    2. Correct: Traffic Manager supports the failover method that routes traffic to the primary endpoint and then to the secondary endpoint when the primary is unavailable.
    3. Correct: Traffic Manager supports performance-based routing that picks the endpoint with the least response time.
    4. Incorrect: Traffic Manager doesn’t support random routing.
  2. Correct answers: A and B

    1. Correct: CDN reduces response time by serving content directly from CDN locations.
    2. Correct: With static contents served from CDN locations, the traffic to the original service nodes can be greatly reduced.
    3. Incorrect: With CDNs serving cached contents, data could be out of sync with server versions and will eventually become consistent with the server when the local cache expires.
    4. Incorrect: CDN has nothing to do with your application server upgrades. On the other hand, because older static contents are served from CDNs, it will take time for the new static content to propagate to all CDN nodes.