Category Archives: Azure

Quick Tip- Azure SQL Server Connectivity

Symptoms

  1. An application server in Azure can’t connect to an IaaS SQL Server on Windows (also in Azure).
  2. The Connection Troubleshoot utility in the Azure Portal says network connectivity between the App server and SQL server on port 1433 is allowed:
    image
  3. PowerShell Test-NetConnection on the App server shows that communication with the SQL Server is blocked on port 1433
    image

Cause

Windows Firewall on the SQL Server is blocking communications from the App Server

Solution

Add a rule to the Windows Firewall on the SQL Server to allow SQL Traffic. See Microsoft Docs for details on how to do this.

AZ-104 Azure Administrator Associate

azure-administrator-associate BadgeLast week the Microsoft AZ104 exam went live and all those who took the test during the beta period (myself included) were issued with their results. The good news is I Passed!

This post will discuss the exam and some of the learning resources I used. Just in case your looking for a brain-dump, sorry- I’m not going to be giving out example questions I remembered from my test paper, or even “I had 7 questions on PowerShell, 4 on Application Gateways, and 3 on Custard Flavours”. That’s not allowed, and it’s not really helpful for anyone honestly trying to pass the exam.

Stepping up from Fundamentals

MS Certifications, Click for Full SizeUnsurprisingly the questions were definitely a natural step-up from the AZ900 Fundamentals exam I took last year– and the content here felt more focused on admin tasks- less of the general “Cloud Computing” viewpoint.

This is to be expected as the exam is for the next level up on the qualification ladder, but it also fit’s in with Microsoft’s role-based qualification mentality. In the past there were more product based exams – “Learn everything about Windows Server 2012” for example – but this has been replaced with a “Learn everything you need to be an Infrastructure Admin” or a “Security Engineer” or “Data Engineer” approach. Check out this chart for details of the current certification offerings and how they fit these roles.

Preparation Materials

Earlier in June I sat the official 4-day course (M-AZ104), hosted by Global Knowledge. The trainer, myself, and the 17 other students, were all connected online as the in-person classroom options are not available at the moment. This method works- and I took plenty of notes – but it’s not quite the same as all being together in-person. For starters, we had to provide our own biscuits!

In post-exam hindsight I think the course probably covered all the material, but perhaps not all of the topics were covered to the depths of the exam. So in addition to hands on experience, I supplemented my notes from the training with lab work and using other materials to reinforce areas I felt weaker on. I used some of the following:

The Questions

My exam had a couple of case study type questions, where you’re given a number of questions around a common environment/problem description. This was followed by a big “normal” multiple-choice section in the middle, and then an extra surprise case study bit at the end (I guess for about the last 10 questions or so). There’s plenty of time to do the test, but watch out and manage your time carefully as you can’t go back to the previous sections once you move on.

From memory, all of my questions were multiple choice, or “put these items in order” kind of questions. There is no lab environment in this exam.

Content wise, it was a real spread across everything on the syllabus. In particular make sure you know the proper Azure terms and where they apply- your Availability zones vs Availability sets for example. It would be easy to lose marks by picking the wrong one in a given situation, or even choosing an answer containing a term that doesn’t even exist.

AZ104 succeeded AZ103 as the exam for this qualification and the main points of new content on the syllabus I spotted were around Containers (Azure Container Instances and Kubernetes Service) and Web Apps (including App Services and App Service Plans). Most of the AZ103 learning material is therefore still valid, but make sure you check the updated list of skills required. I think a basic generic understanding of Kubernetes/Docker/Containers would also be worthwhile for that section.

Online Exam

Thanks to the COVID-19 situation, I took this exam from home- not something I’ve done before as I’ve usually gone along to the local testing centre. Here’s a few tips if you’re planning on doing the same:

  1. Find a space at home that’s nice and free of clutter. You can’t have your “Azure for Dummies” poster on the wall and techie books lying around. Also, remember no-one can walk into, or be overheard in, your exam space during the test.
  2. Ensure you have a stable network connection- so you might want to kick the kids off Netflix. I also ran a long ethernet cable out from my broadband router to the room I was taking the test in to avoid wi-fi hiccups.
  3. Prior to the exam (with Pearson) you’re offered a chance to test your environment. It makes sense to do this on the day of your exam, but be aware that it takes some time as you’re not only testing the network/ webcam/ microphone but also going through the process of taking and uploading photos of your testing space – you’ll have to repeat that bit prior to the exam itself.

If you’re planning on taking AZ-104 soon I hope this all helps, and good luck!

Check Azure WebApps have Backup Configured

Azure WebApps (depending on tier) come with an optional native backup service. This quick PowerShell snippet looks at all the WebApps in the current subscription and reports back on whether Backup has been set up. This should be helpful for spotting where a configuration has been missed.

Use Set-AzContext to set the subscription in advance, and to restrict to an individual Resource Group use the –ResourceGroupName on the Get-WebApp cmdlet in the first line.

foreach($WebApp in Get-AzWebApp ){
  if (Get-AzWebAppBackupConfiguration `
      -ResourceGroupName $WebApp.ResourceGroup `
      -Name $WebApp.Name `
      -ErrorAction SilentlyContinue) {
  $WebApp.Name+" Backup Configured"
  } else {
  if( (Get-Error -Last 1).Exception.Response.Content `
      -like "*Backup configuration not found for site*")
    {$WebApp.Name+" Backup Not Configured"}
 }
}

Using New-AzureFirewallRule with multiple ports or IP ranges

When creating an Azure Firewall rule with multiple ports or IP ranges using the PowerShell “New-AzureFirewallRule” cmdlet, you may get an error like this:

Invalid IP address value or range or Service Tag 192.168.64.0/18,10.1.0.0/16.
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidIpAddressOrRangeFormat

or

Invalid port value or range. User ports must be in [1, 65535]
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallRuleInvalidPortOrRangeFormat

The incorrect code causing these messages refers to the Source Address or Destination Port as a comma-delimited string as you would use in the Azure Portal, as shown here:

#Incorrect Code
$netRule = New-AzFirewallNetworkRule `
     -Name "FirewallRule1" `
     -Description "Rule for HTTP,SMB traffic" `
     -Protocol "TCP" `
     -SourceAddress "192.168.64.0/18,10.1.0.0/16" `
     -DestinationAddress "172.20.1.1/28" `
     -DestinationPort "139,445,80"

However, the cmdlet wants an array of strings to be passed here rather than a comma-delimited string value, so (“192.168.64.0/18″,”10.1.0.0/16”) rather than “192.168.54.0/18,10.1.0.0/16”. The correct version of the above code snippet is as follows:

#Corrected Code
$netRule = New-AzFirewallNetworkRule `
     -Name "FirewallRule1" `
     -Description "Rule for HTTP,SMB traffic " `
     -Protocol "TCP" `
     -SourceAddress ("192.168.64.0/18","10.1.0.0/16") `
     -DestinationAddress "172.20.1.1/28" `
     -DestinationPort ("139","445","80")

Checking Hybrid Benefits in Azure with PowerShell

When using Windows-based Virtual Machines on Microsoft Azure, there’s an option to use “Azure Hybrid Benefit” to re-use existing Windows licenses you own on-premises for workloads now running in the public cloud.

image

If you don’t select this option then your Azure bill will include the cost of a new Windows license for that virtual machine, so it’s important to ensure it is used where you are entitled to do so. If you have a site license, or campus agreement, you may find that you are allowed Hybrid Benefit on all your workloads in Azure.

This PowerShell snippet will list all the Windows Virtual machines (in the current subscription- use Set-AzContext to change that) which are not making use of the Hybrid Benefits- giving you a quick list of VMs to check the settings on.

Get-AzVM | Where-Object {$_.OSProfile.WindowsConfiguration -and !($_.LicenseType)}