Exam Ref 70-534: Architecting Microsoft Azure Solutions
Haishi Bai, Steve Maier, Dan Stolts

Prepare for Microsoft Exam 70-534—and help demonstrate your real-world mastery of Microsoft Azure solution design and architecture. Designed for experienced IT pros ready to advance their status, Exam Ref focuses on the critical-thinking and decision-making acumen needed for success at the Microsoft Specialist level.

Focus on the expertise measured by these objectives:
• Describe Microsoft Azure infrastructure and networking
• Help secure resources
• Design an application storage and data access strategy
• Design an advanced application
• Design websites
• Design a management, monitoring, and business continuity strategy

This Microsoft Exam Ref:
• Organizes its coverage by exam objectives
• Features strategic, what-if scenarios to challenge you
• Assumes you have experience designing Microsoft Azure cloud or hybrid solutions and supporting application life cycle management

About the Exam
Exam 70-534 focuses on the skills and knowledge needed to design effective Microsoft Azure public and hybrid cloud solutions.

About Microsoft Certification
Passing this exam earns you a Microsoft Specialist certification in Microsoft Azure, demonstrating your expertise with the Microsoft Azure enterprise-grade cloud platform. You can earn this certification by passing Exam 70-532, Developing Microsoft Azure Solutions; or Exam 70-533, Implementing Microsoft Azure Infrastructure Solutions; or Exam 70-534, Architecting Microsoft Azure Solutions.
See full details at: microsoft.com/learning

About the Authors
Haishi Bai, Senior Technical Evangelist at Microsoft, focuses on the Microsoft Azure compute platform, including IaaS, PaaS, networking, and scalable computing services.
Steve Maier, Senior Technical Evangelist at Microsoft, specializes in Microsoft Azure.
Dan Stolts, Senior Technical Evangelist at Microsoft, is a technology expert proficient in datacenter technologies.

microsoft.com/mspress
ISBN 978-0-7356-9744-7
U.S.A. $39.99, Canada $45.99
Certification/Microsoft Azure

PUBLISHED BY
Microsoft Press
A division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2015 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2014958516
ISBN: 978-0-7356-9744-7

Printed and bound in the United States of America.

First Printing

Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Support at [email protected]. Please tell us what you think of this book at http://aka.ms/tellpress.

This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and information expressed in this book, including URL and other Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Acquisitions Editor: Karen Szall
Developmental Editor: Karen Szall
Editorial Production: Dianne Russell, Octal Publishing, Inc.
Technical Reviewer: Roberto Freato; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Copyeditor: Bob Russell, Octal Publishing, Inc.
Indexer: Ellen Troutman, Octal Publishing, Inc.
Cover: Twist Creative • Seattle

Contents at a glance

Microsoft certifications
Preparing for the exam
CHAPTER 1 Design Microsoft Azure infrastructure and networking
CHAPTER 2 Secure resources
CHAPTER 3 Design an application storage and data access strategy
CHAPTER 4 Design an advanced application
CHAPTER 5 Design Web Apps
CHAPTER 6 Design a management, monitoring, and business continuity strategy
Index

Contents

Introduction
    Microsoft certifications
    Acknowledgments
    Free ebooks from Microsoft Press
    Microsoft Virtual Academy
    Errata, updates, & book support
    We want to hear from you
    Stay in touch
Preparing for the exam

Chapter 1 Design Microsoft Azure infrastructure and networking

Objective 1.1: Describe how Azure uses Global Foundation Services (GFS) datacenters
    Azure’s global footprints
    Designing cloud-scale datacenters
    Designing for the cloud
    Objective summary
    Objective review

Objective 1.2: Design Azure virtual networks, networking services, DNS, DHCP, and IP addressing configuration
    Creating a cloud-only virtual network
    Understanding Access Control Lists and Network Security Groups
    Objective summary
    Objective review

Objective 1.3: Design Azure Compute
    Selecting VM sizes
    Managing images
    Managing VM states
    Capturing infrastructure as code
    Scaling applications on VMs
    Objective summary
    Objective review

Objective 1.4: Describe Azure virtual private network (VPN) and ExpressRoute architecture and design
    Designing hybrid solutions with Virtual Network and ExpressRoute
    ExpressRoute
    vNet-to-vNet VPN
    Multi-site VPN
    Understanding other hybrid solution options
    Objective summary
    Objective review

Objective 1.5: Describe Azure Services
    Using Azure Traffic Manager
    Using CDN
    Objective summary
    Objective review

Answers
    Objective 1.1: Thought experiment
    Objective 1.1: Review
    Objective 1.2: Thought experiment
    Objective 1.2: Review
    Objective 1.3: Thought experiment
    Objective 1.3: Review
    Objective 1.4: Thought experiment
    Objective 1.4: Review
    Objective 1.5: Thought experiment
    Objective 1.5: Review

Chapter 2 Secure resources

Objective 2.1: Secure resources by using managed identities
    Understanding claims-based architecture
    Understanding basic authentication and authorization workflow
    Working with native clients and multitiered applications
    Working with multitiered applications
    Additional scenarios
    Azure Active Directory
    A sample scenario with ADAL and Visual Studio
    Azure AD Graph API
    Objective summary
    Objective review

Objective 2.2: Secure resources by using hybrid identities
    Setting up directory synchronization with AD FS
    Configuring Azure AD Application Proxy
    Objective summary
    Objective review

Objective 2.3: Secure resources by using identity providers
    Understanding Azure ACS
    Using Azure ACS with AD FS
    Using Azure ACS with social networks
    Using identity providers with ASP.NET applications
    Using external identity providers with Azure Mobile Services
    Objective summary
    Objective review

Objective 2.4: Identify an appropriate data security solution
    Understanding data protection technologies
    Implementing effective access control policies
    Using data reliability and disaster recovery services
    Understanding Azure Rights Management Services
    Managing security keys with Azure Key Vault
    Objective summary
    Objective review

Objective 2.5: Design a role-based access control strategy
    Understanding access control challenges faced by large enterprises
    Implementing RBAC
    Using RBAC for Azure resources
    Empowering users with self-service
    Using Azure AD Access Panel
    Managing devices with Azure AD Device Registration Service
    Improving security policies over time
    Objective summary
    Objective review

Answers
    Objective 2.1: Thought experiment
    Objective 2.1: Review
    Objective 2.2: Thought experiment
    Objective 2.2: Review
    Objective 2.3: Thought experiment
    Objective 2.3: Review
    Objective 2.4: Thought experiment
    Objective 2.4: Review
    Objective 2.5: Thought experiment
    Objective 2.5: Review

Chapter 3 Design an application storage and data access strategy

Objective 3.1: Design data storage
    Designing storage options for data
    Designing security options for SQL Database or Storage
    Identifying the appropriate VM type and size for the solution
    Objective summary
    Objective review

Objective 3.2: Design applications that use Mobile Services
    Azure Mobile Services
    Consuming Mobile Services
    Offline Sync
    Implementing Mobile Services
    Secure Mobile Services
    Extending Mobile Services by using custom code
    Objective summary
    Objective review

Objective 3.3: Design applications that use notifications
    Implementing push notification services in Mobile Services
    Sending push notifications
    Objective summary
    Objective review

Objective 3.4: Design applications that use a web API
    Implementing a custom Web API
    Scaling by using Azure App Service Web Apps
    WebJobs
    Securing a Web API
    Objective summary
    Objective review

Objective 3.5: Design a data access strategy for hybrid applications
    Connect to on-premises data by using Azure Service Bus Relay
    Azure App Service BizTalk API Apps Hybrid Connections
    Web Apps virtual private network capability
    Identify constraints for connectivity with VPN
    Identify options for domain-joining Azure Virtual Machines and Cloud Services
    Objective summary
    Objective review

Objective 3.6: Design a media solution
    Azure Media Services overview
    Key components of Media Services
    Objective summary
    Objective review