Wednesday, August 16, 2017

Microsoft Azure

Usually we have a three tier application. Generally it is drawn as:

UI   <=>     Service    <=>    Database

Azure (classic Cloud Services) names the same tiers like this:

web role  <=>  worker role  <=>  DB
- all UI is called a web role
- all service / background processing is called a worker role
- the DB is just called the DB

Admins / DevOps tend to call the same tiers:

Application tier (AT)  <=>  Job Agent (JA)  <=>  DB
- all UI is the application tier
- all service is the job agent
- the DB is the DB


Azure resources

All the resources are divided into four basic categories:

Compute
Data services
App services
Network services



The portal is the place where we manage all our Azure resources.

Compute: when you click on Compute you can create virtual machines and cloud services. Virtual machines and cloud services both come under Compute.

App services: "web app" is an umbrella term. Web app + Logic app + Mobile app + API app are together called App Service. Whenever we have an application we can host it on a cloud service, a VM, Service Fabric, or an App Service. Service Bus, CDN and Active Directory are also listed under App Services in the portal (we will learn those later).

Azure DevOps  >>  Visual Studio Team Services.

Data services: SQL Database and Storage.

Network services: Virtual Network.

Let us create some of the resources.

Target: I need to deploy a three tier architecture in Azure such that it is available to all my users.

Microsoft's own description of Cloud Services: "Develop, package, and deploy powerful applications and services to the cloud with Azure Cloud Services, and the click of a button. Scale from 1 to 1000 in minutes. Once your application is deployed, that's it—from provisioning and load balancing, to health monitoring, Azure handles the rest."

A cloud service is a kind of tag, or umbrella: inside a cloud service we host our web roles and worker roles.

How to create a virtual machine?

We pick the region (datacenter) the machine should live in from the listed datacenters.

Whenever we create a (classic) virtual machine it is created inside a cloud service; if no cloud service exists yet, creating the VM creates the cloud service as well. The VM is not addressed individually from the internet: traffic reaches it through the cloud service's public IP and the endpoints opened on it. A virtual machine is a single component under the cloud service umbrella.



Core is the measuring unit (the quota) of our Azure compute resources. All VM sizes are measured in terms of cores.

Whenever we create a subscription we get a fixed number of cores. A free subscription comes with 20 cores.

Don't confuse this core with the cores in your own machine: the quota counts the virtual CPUs of the VM sizes you deploy in Azure, and every VM size comes with a certain configuration (cores, RAM, disks). It has nothing to do with the cores of the machine you are sitting at.

VM sizes are divided into a few families, like A, D, Ds, F, G. We are planning to create the VM with the D family.

Note: the free subscription always comes with 20 cores. On a paid subscription you can request more; these notes give 10,000 cores as the maximum that is granted.

How can we see the core information? You need to deploy something first; after that the subscription's usage view shows how many cores we have and how many cores we have used.

The cost depends on how many cores you actually run, not on the quota. For example: if you requested 100 cores and you are using only 20 cores, you are charged for 20 cores.

Next we can request a storage account. In the storage account you can see all the files, and each file is stored in a different category. These categories are a kind of buckets.

In my storage account I have three kinds of buckets: tables, blobs and queues.

Tables are for structured (key/value) data.
Queues are for message queues.
Any other files we store as blobs.



When creating the storage account you choose a replication option, for example Geo-redundant.

For example, I create the storage account somewhere in Mumbai. Imagine a catastrophe in that region, say an earthquake: the entire datacenter collapses, or there is a power failure, and I cannot access my data. How can I access my data at that point?

This is the purpose of replication: it is better to have a copy of the same data elsewhere.

Locally redundant (LRS) means keeping copies of your data within the same datacenter.

Geo-redundant (GRS) means keeping a copy of the entire data in a second, distant datacenter (the paired region).

Locally redundant is the cheapest option, but it does not survive the scenario above; for data that must outlive a regional outage choose geo-redundant. Either way Azure promises your data is not lost to hardware or datacenter failure. Replication does not protect against accidental deletion or a leaked access key, because those changes are replicated too.




Whenever you deal with Azure resources, at least one storage account gets created; we call it the default storage account. It is created automatically the first time we create a virtual machine.

Initially the VM gets around 120 GB for the OS disk (C:) plus temporary storage (around 50 GB, D:). The temporary disk is local to the host and is wiped whenever the VM is redeployed or resized, so never keep data or secrets on it.

We will be using the public IP and the internal IP when we get to the networking part.

We got one machine created in the cloud service: one virtual machine created in the Azure subscription.




If we want to integrate any other service with this VM we need to open an endpoint (port) for it in order to set up the connection.

On a Windows image RDP (Remote Desktop Protocol, port 3389) and PowerShell remoting (WinRM over HTTPS, port 5986) are opened by default; on a Linux image SSH (port 22) is. HTTP is port 80 and HTTPS is port 443, but those are not opened until you add the endpoint.

Every endpoint on the cloud service is reachable from the whole internet, and an exposed RDP or SSH endpoint starts receiving password-guessing attempts almost immediately, so open only what you need and restrict the source addresses with endpoint ACLs.


Click on the tick mark and it will create the VM for you.

While this is being created, we will create one SQL database also.

Why are we creating a SQL database? Because the three tier architecture needs a database tier.

For example, suppose I wrote a mail application and I want to host it in Azure. How can I host it? I create one cloud service; inside it I have my worker role and web role. My database goes under SQL Databases.

When creating a SQL database:

1) Going to SQL Database basically creates a server; inside that server it creates the database.

2) Choose "New SQL database server" as the server (because previously we did not have a server).

Goal: three tier architecture = worker role + web role + SQL database.

To connect to the SQL Database service from our local machine we need a client tool (not a local SQL Server), for example:

>  SQL Server 2014 Management Studio (desktop app).

When connecting from Management Studio:

Server type : Database Engine
Server name  :  6letterword.database.windows.net
Authentication : SQL Server Authentication
   Login : user@xxxxxx
   Password : xxxxxxxxx

 CONNECT

Note: we do not open a port on the server. SQL Database already listens on TCP 1433, but it rejects every client IP until that IP is added to the server's firewall rules (and your own network must allow outbound 1433). SQL Database only accepts encrypted connections; set Encrypt=True and TrustServerCertificate=False in connection strings so the client also validates the server certificate.
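The firewall step and the encrypted connection test, as an added example that is not part of the original notes. It assumes the classic Azure PowerShell module (Add-AzureAccount already done and the subscription selected); the server name follows the notes, while the database name, login and the client IP are placeholders you supply.

```powershell
# Added example (not from the original notes): whitelist one client IP on a classic Azure SQL
# server, then open an encrypted connection and confirm the session really is encrypted.
# Assumes the classic Azure module; $ClientIp must be the public (NAT) address the SQL
# firewall sees, not your LAN address.
param(
    [Parameter(Mandatory)][string]$ClientIp,            # e.g. your office NAT address
    [string]$ServerName   = "6letterword",              # server name from the notes
    [string]$DatabaseName = "mydb",                     # placeholder
    [string]$Login        = "user"                      # placeholder
)

# 1) Add a single-address firewall rule (Start = End). Rules are additive; delete stale ones
#    with Remove-AzureSqlDatabaseServerFirewallRule when people leave or addresses change.
New-AzureSqlDatabaseServerFirewallRule -ServerName $ServerName `
    -RuleName "workstation-$env:COMPUTERNAME" `
    -StartIpAddress $ClientIp -EndIpAddress $ClientIp | Out-Null

# 2) Build the connection string with encryption and certificate validation on.
$secure = Read-Host -Prompt "Password for $Login" -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb["Server"]   = "tcp:$ServerName.database.windows.net,1433"
$csb["Database"] = $DatabaseName
$csb["User ID"]  = "$Login@$ServerName"      # classic user@server login format from the notes
$csb["Password"] = $plain
$csb["Encrypt"]  = $true                     # SQL Database refuses clear-text logins anyway
$csb["TrustServerCertificate"] = $false      # validate the server certificate (no MITM)
$csb["Connection Timeout"] = 30

# 3) Connect and ask the server whether this session is encrypted.
$conn = New-Object System.Data.SqlClient.SqlConnection($csb.ConnectionString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SUSER_SNAME(), encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { "Connected as {0}, encrypt_option={1}" -f $reader[0], $reader[1] }
} finally {
    $conn.Dispose()
    $plain = $null          # do not leave the clear-text password in the session
}
```

If the connection fails with a firewall error, the IP in the message is the one you must whitelist; if it succeeds but encrypt_option is not TRUE, the client library is ignoring the Encrypt setting and should be fixed before any credential is typed into it again.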


--------------------------------------------------------------------------------------------------------------------------
IIS (Internet Information Services) is one tool we will use later to generate a self-signed certificate.


In order to connect Azure Storage Explorer to your storage account you require two things:

Storage account name
An access key

In Storage Explorer we have to add an account with these two.

Where do we get them? Go to the storage account > click on Manage Access Keys.

Every storage account has two access keys: a primary access key and a secondary access key. Either key grants full control over everything in the account (every container, table and queue), so treat them like a root password.

Note: the two keys are equivalent; Storage Explorer does not work any better with one than with the other. The reason there are two is rotation: point your tools at one key, regenerate the other, then swap, so a key can be changed without downtime.

From here we have the storage account name and the access key.
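The rotation pattern the two keys exist for, as an added example that is not from the original notes. It uses the classic Azure PowerShell module (Add-AzureAccount done, subscription selected); the account name is a placeholder, and Update-AppConfig stands in for however your application picks up a new key (config file, cloud service setting, vault).

```powershell
# Added example (not from the original notes): rotate both storage account keys without
# downtime. Assumes the classic Azure module; Update-AppConfig is a placeholder hook.
function Update-AppConfig {
    param([Parameter(Mandatory)][string]$Key)
    # Placeholder: push $Key to wherever the application reads its storage key from.
    # Only the last characters are echoed so the key never lands in a console log.
    Write-Host "  (application reconfigured with key ending ...$($Key.Substring($Key.Length - 6)))"
}

function Invoke-StorageKeyRotation {
    param([Parameter(Mandatory)][string]$AccountName)

    $keys = Get-AzureStorageKey -StorageAccountName $AccountName

    # Step 1: move the application onto the secondary key so the primary is unused.
    Update-AppConfig -Key $keys.Secondary

    # Step 2: regenerate the primary. Anything still using the old primary breaks here,
    #         which is exactly what you want for a leaked key.
    $keys = New-AzureStorageKey -KeyType Primary -StorageAccountName $AccountName

    # Step 3: move the application onto the fresh primary.
    Update-AppConfig -Key $keys.Primary

    # Step 4: regenerate the secondary, so an old copy of it is dead as well.
    $keys = New-AzureStorageKey -KeyType Secondary -StorageAccountName $AccountName

    # Hand the new pair back to the caller to store in a vault; never write them to a log.
    return $keys
}

# Usage:
# $newKeys = Invoke-StorageKeyRotation -AccountName "mystorage"
```

Run it whenever a key has been handed to someone who no longer needs it (a developer who had "the key" for debugging, a laptop that went missing), not only on a calendar schedule.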


Test Access

Once test access is successful, save it.

We can see three categories here:

Blob containers (0)
Queues (0)
Tables (0)

Since it has nothing in it, it is an empty storage account.

We can create a container in Blob: under the storage account in Azure Storage Explorer (on the local machine, after it is connected to the storage account).

While creating a container (New Blob container) there are three security options, i.e. the container's public access level:

Public container: anonymous clients can read blob and container content/metadata (anyone on the internet can list the container and read every blob in it).
Public blob: anonymous clients can read blob content/metadata but not the container (anyone who knows a blob's URL can read it, but cannot list the container).
Off: no anonymous access. Only callers who present the account key can access resources in this container.

Create

We created one container with the Public container option. That is fine for a demo but the wrong default for anything holding real data: choose Off unless the content is meant to be public.

Under the storage account in the portal we can now see that container.

We can also create a container from the portal GUI, if you want.

Once the container is created from the portal, we see 2 containers in Azure Storage Explorer.
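A check for the public-access setting across a whole account, as an added example that is not from the original notes. It uses the Azure.Storage cmdlets that ship with the classic Azure PowerShell module; the account name and key are read from environment variables (assumed names) so they never sit in the script.

```powershell
# Added example (not from the original notes): list every container in a storage account
# and flag the ones that allow anonymous access; -Fix sets them back to Off.
function Get-PublicContainer {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$AccountKey,
        [switch]$Fix
    )

    $ctx = New-AzureStorageContext -StorageAccountName $AccountName -StorageAccountKey $AccountKey

    foreach ($c in Get-AzureStorageContainer -Context $ctx) {
        # PublicAccess is Off, Blob or Container: the same three choices the portal offers.
        if ($c.PublicAccess -ne "Off") {
            [pscustomobject]@{
                Container    = $c.Name
                PublicAccess = $c.PublicAccess
                Url          = $c.CloudBlobContainer.Uri.AbsoluteUri   # reachable without any key
            }
            if ($Fix) {
                Set-AzureStorageContainerAcl -Name $c.Name -Permission Off -Context $ctx
            }
        }
    }
}

# Usage (report only; add -Fix to lock the containers down):
Get-PublicContainer -AccountName $env:AZURE_STORAGE_ACCOUNT -AccountKey $env:AZURE_STORAGE_KEY |
    Format-Table -AutoSize
```

Anything the report lists is readable by the whole internet at the URL shown, with no key at all; review each one before running with -Fix, because a container that serves public website assets is supposed to be there.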

How can I upload or download a file? Use the Upload option; here I am uploading an image.

What is the main advantage of connecting to the storage account externally?

Imagine you have your production deployment. Let us understand some of the environments: whenever an application is running in Azure, sometimes the application creates tables and sometimes the Azure framework creates them (the diagnostics tables). These tables hold debugging information.

If a developer wants to look at that data, instead of giving them access to the portal, the team gives them the storage account name and an access key. Remember what that key is: full control over every container, table and queue in the account, including the ability to delete them. Hand it out only for non-production accounts, or keep the diagnostics in a storage account of their own so the key does not also unlock production data.

We will be learning about authentication: how we get authenticated with particular services.

Authentication:
     - Username & password
     - Certificates (you can get authenticated by using certificates).
       (In Azure, if you want to use PowerShell scripts to handle Azure resources, we make use of certificates.)
     - Service identity: used for service to service communication. It is a key, some string like "abcd", issued to a client.

A REST endpoint is an endpoint for a service. Whenever you request the URL of the REST endpoint with a PNR number it returns the status.

Will it answer everybody? No: for IRCTC we need to purchase the service.

If I create a client named abc, I need to call this URL: https://irctc.com/GetPnr/pnrid=xxxxxxx

Before calling IRCTC with a PNR id I need to pay them and get provisioned to use that REST endpoint. Once I pay and get provisioned, my client software gets registered with a service identity, some string like "abcd".

Whenever we call the IRCTC service from our client we must embed that service identity in the call. When IRCTC receives the request it checks whether this caller is provisioned or not, and it does that check through the service identity.

For that, IRCTC maintains a table of customers in its database (customer name, customer id, service identity and a validity period). When we call IRCTC from our client it looks up the service identity, verifies the customer id, checks the validity period, and only then serves the request:

https://irctc.com/GetPnr/pnrid=xxxxxxx/xxxxx   (the last part carries the service identity)

The identity is a secret shared between client and service, which is why it should travel in a header over HTTPS rather than in the URL, where it ends up in proxy and web server logs.

This is basically what a service identity is.
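The provisioning check a service like the IRCTC example performs on each request, as an added example that is not from the original notes. The customer table is constructed in memory for the example (a real service reads it from its database); it is assumed that the identity arrives in an Authorization header over HTTPS and that the table stores only a SHA-256 hash of each identity, so a copy of the table does not leak the keys.

```powershell
# Added example (not from the original notes): validate a service identity against a
# customer table with a validity period. Table contents are constructed sample data.
function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function Test-FixedTimeEqual {
    # Compare two hex strings without leaking, through timing, where the first difference is.
    param([string]$A, [string]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) {
        $diff = $diff -bor ([int][char]$A[$i] -bxor [int][char]$B[$i])
    }
    return ($diff -eq 0)
}

# Constructed customer table: customer id, name, hash of the service identity, validity period.
$CustomerTable = @(
    @{ CustId = 101; Name = "abc"; IdentityHash = (Get-Sha256Hex "abcd");        ValidUntil = (Get-Date).AddDays(30) }
    @{ CustId = 102; Name = "xyz"; IdentityHash = (Get-Sha256Hex "expired-key"); ValidUntil = (Get-Date).AddDays(-1) }
)

function Test-ServiceIdentity {
    param(
        [Parameter(Mandatory)][int]$CustId,
        [Parameter(Mandatory)][string]$ServiceIdentity,
        [datetime]$Now = (Get-Date)
    )
    $presented = Get-Sha256Hex $ServiceIdentity
    foreach ($row in $CustomerTable) {
        # Customer id and identity must both match, and the subscription must still be valid.
        if ($row.CustId -eq $CustId -and (Test-FixedTimeEqual $row.IdentityHash $presented)) {
            return ($Now -le $row.ValidUntil)
        }
    }
    return $false
}

# How the service applies the check to an incoming request. Header form (assumed):
#   Authorization: ServiceIdentity <custid>:<identity>
function Invoke-GetPnr {
    param([hashtable]$Headers, [string]$PnrId)
    $authz = $Headers["Authorization"]
    if (-not $authz -or -not $authz.StartsWith("ServiceIdentity ")) { return @{ Status = 401 } }
    $custId, $identity = $authz.Substring(16) -split ":", 2
    if (-not (Test-ServiceIdentity -CustId ([int]$custId) -ServiceIdentity $identity)) { return @{ Status = 403 } }
    return @{ Status = 200; Pnr = $PnrId; Result = "CONFIRMED" }     # constructed answer
}

Invoke-GetPnr -Headers @{ Authorization = "ServiceIdentity 101:abcd" }        -PnrId "1234567890"
Invoke-GetPnr -Headers @{ Authorization = "ServiceIdentity 102:expired-key" } -PnrId "1234567890"
Invoke-GetPnr -Headers @{ Authorization = "ServiceIdentity 101:wrong" }       -PnrId "1234567890"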

Creating certificates, and how to maintain them, is an important task.

We have different environments: Dev, QA, Production.

Even if everyone knows the username and password, they still cannot do the deployment. Only those who hold the certificate (its private key) can deploy to production.


There are different ways to create a certificate. One of them is through IIS (Internet Information Services).

If you have IIS on your box you can directly open inetmgr; run it as administrator.

If not: go to Control Panel > Turn Windows features on or off, search for Internet Information Services, tick it and click OK. Since I already have it installed on my box, I tick it and click OK. By this we enable IIS on the box.

In IIS Manager click on the server node > Server Certificates > Create Self-Signed Certificate.
Let us understand where this certificate gets stored.

Every machine has two kinds of certificate stores (in terms of certificates, every machine has different accounts):

User account (Current User)
Machine account (Local Computer)

The machine account is specific to the machine; a user account belongs to one user, and since I can have more than one user, every user account maintains its own store.

When IIS creates the self-signed certificate it places it, together with its private key, in the Local Computer (machine account) Personal store, because IIS runs as a service and not as a user. That is why it shows up under "Local Computer" and not under "Current User" when we look in mmc.

I want to make use of this certificate elsewhere, and I cannot use it directly from that store. What do I need to do? I need to extract it from the store as a file, and that file can have two formats: .cer and .pfx. We will need both.

To export or import certificates we go to "mmc", the Microsoft Management Console.

Windows+R > mmc > File > Add/Remove Snap-in.

Select Certificates and click Add; it prompts whether to manage certificates for My user account, a Service account or the Computer account. Pick Computer account, because that is where IIS placed the certificate.

We can then see clearly that the certificate is stored under Local Computer > Personal > Certificates. In case the certificate is not in the account you expected, check the other account.

Right-click the certificate > All Tasks > Export.

There are two ways to export it, and that is how we get the two file formats:

"Yes, export the private key" gives a .pfx file (certificate plus private key, protected by a password you set).
"No, do not export the private key" gives a .cer file (the public certificate only).

We need both. First we select "do not export the private key" and give the path where the .cer file should be stored; then we export again as a .pfx, where we must give a password.

Remember: we want both files and we cannot use them interchangeably. In some places we need the .cer and in others the .pfx. The .pfx contains the private key, so anyone who gets the file and its password can act as you; keep it off shared drives and out of source control.

Now we have the certificate in two formats, .cer and .pfx.

To have the certificate in the user account as well, we install one of these files into the Current User store. When installing the .pfx file it asks for the password. Tick "Mark this key as exportable" only if you really need to back up or transport the key again later, because it lets anyone with access to that profile copy the private key out again.

We are installing the .pfx file into the user account. In mmc, under Certificates - Current User > Personal > Certificates, we can then see the certificate.

Every certificate is uniquely identified by its thumbprint: the certificate hash (SHA-1 of the encoded certificate) shown in the certificate details is the thumbprint. Whenever we want to make use of the certificate, we provide the thumbprint.

Remember: the thumbprint is the same for the .cer file and the .pfx file, because both contain the same certificate; the .pfx only adds the private key.

Remember the statement: in the Azure subscription we have a Settings tab > Management Certificates. Whenever I want to talk to the Azure subscription from my machine (for example with PowerShell), the certificate must be installed in both places: on my local computer and on the Azure subscription. I have installed it on my local computer; now I need to install it on my Azure subscription.

Note: whenever you upload the certificate to the Azure subscription you always use the .cer file. At subscription level always install your .cer file: Azure only needs the public part to verify that the caller holds the matching private key.

What is the other place we use it? The cloud service. In the cloud service we always install the .pfx file, because the roles need the private key (for example to serve HTTPS). Installing a .pfx means you must give its password.

Steps:
1) Create the certificate using IIS (Internet Information Services): IIS > Server Certificates > Create Self-Signed Certificate.
2) The certificate lands in the Local Computer Personal store; export it as a .cer file and as a .pfx file.
3) At subscription level always install the .cer file.
4) At cloud service level always install the .pfx file.
5) Whoever holds the .pfx and its password can deploy to production, so restrict who receives it.
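The same create / export / import / thumbprint procedure done with PowerShell instead of IIS and mmc, as an added example that is not from the original notes. It assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (New-SelfSignedCertificate from the PKI module), an elevated prompt for the Local Computer store, and the classic Azure module for the two cmdlets quoted at the end; the subject name, paths, subscription and cloud service names are placeholders.

```powershell
# Added example (not from the original notes): create a self-signed certificate, export .cer and
# .pfx, import the .pfx for the current user, and prove both files share one thumbprint.
$outDir = Join-Path $env:USERPROFILE "azure-certs"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1) Create the certificate in the Local Computer Personal store, the same store IIS uses.
$cert = New-SelfSignedCertificate -DnsName "azure-mgmt.example.local" `
                                  -CertStoreLocation "Cert:\LocalMachine\My"

# 2) Export the public certificate (.cer): this is what goes to the subscription.
$cerPath = Join-Path $outDir "azure-mgmt.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3) Export certificate + private key (.pfx), password protected: this goes to the cloud service.
$pfxPath = Join-Path $outDir "azure-mgmt.pfx"
$pfxPwd  = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# 4) Install the .pfx into the Current User store so scripts running as this user can use it.
#    -Exportable is deliberately omitted: once imported, the key should not be copyable out again.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation "Cert:\CurrentUser\My" -Password $pfxPwd | Out-Null

# 5) Both files carry the same certificate, so the thumbprints must match; only the .pfx has the key.
$fromCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$fromPfx = Get-PfxCertificate -FilePath $pfxPath        # prompts for the password again
if ($fromCer.Thumbprint -ne $fromPfx.Thumbprint) { throw "thumbprint mismatch" }
"Thumbprint: $($fromCer.Thumbprint)  cer has private key: $($fromCer.HasPrivateKey)  pfx has private key: $($fromPfx.HasPrivateKey)"

# 6) Azure side (classic module). The .cer is uploaded in the portal under Settings > Management
#    Certificates; then the local client is told which certificate to present for this subscription:
# Set-AzureSubscription -SubscriptionName "MySub" -SubscriptionId "<subscription guid>" -Certificate $cert
#    The .pfx goes to the cloud service so the roles get the private key:
# Add-AzureCertificate -ServiceName "mycloudservice" -CertToDeploy $pfxPath -Password "<pfx password>"
```

Step 5 is the check worth keeping around: when a deployment fails with "certificate not found", compare the thumbprint Azure shows against the one the .pfx reports, since a regenerated certificate with the same subject name has a different thumbprint and the old .cer on the subscription will no longer match.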
