Azure Interview Questions Part #9


Questions


Q #1  Where does Site Recovery replicate data to?

Q #2 Can I change the vault in which the configuration server is registered?

Q #3 Can I keep the IP address on fail-over?

Q #4  How far back can I recover?

Q #5 Is the fail-over automatic?

Q #6 How do you check if the process server is actually pushing data?

Q #7 Can I change the target VM size or VM type before fail-over?

Q #8 How to refresh the configuration server from the Azure portal?

Q #9 How to check the process server connection to Azure blob storage?

Q #10 If there is no connectivity from the process server to Azure, which services do we need to check?

Q #11 How to add credentials on an OVF template machine if you forgot to add them?

Q #12 How to generate the passphrase?





***************************** Answers ****************************************




Q #1  Where does Site Recovery replicate data to?


Site Recovery replicates on-premises VMware VMs and physical servers to managed disks in Azure.

  • The Site Recovery process server writes replication logs to a cache storage account in the target region.
  • These logs are used to create recovery points on Azure managed disks that have the prefix asrseeddisk.

When failover occurs, the recovery point you select is used to create a new target managed disk. This managed disk is attached to the VM in Azure.


Q #2 Can I change the vault in which the configuration server is registered?


No. After a vault is associated with the configuration server, it can't be changed. You can, however, de-register the configuration server first and then follow the registration steps as for a new configuration server. During this process, protection of all virtual machines under that configuration server is stopped.



Q #3 Can I keep the IP address on fail-over?


Yes, you can keep the IP address on failover. Ensure that you specify the target IP address in the Compute and Network settings for the VM before failover.



Q #4  How far back can I recover?


For VMware to Azure, the oldest recovery point you can use is 72 hours.



Q #5 Is the fail-over automatic?


No, it isn't. You start the fail-over from the portal or via PowerShell.


Q #6 How do you check if the process server is actually pushing data?


On the process server: Task Manager >> Performance tab >> Resource Monitor >> Network tab >> Processes with Network Activity.

Check that cbengine.exe is actively sending a large volume of data.


Q #7 Can I change the target VM size or VM type before fail-over?


Yes, you can change the type or size of the VM at any time before failover. In the portal, use the Compute and Network settings for the replicated VM.



Q #8 How to refresh the configuration server from the Azure portal?

Navigate to the Recovery Services vault >> under Manage >> Site Recovery infrastructure >> click Configuration servers under VMware & physical machines >> select the configuration server and choose the option to refresh the configuration server.


Q #9 How to check the process server connection to Azure blob storage?


On the process server: Task Manager >> Performance tab >> Resource Monitor >> Overview >> select cbengine.exe.

Under TCP Connections, check whether there is connectivity from the process server to Azure Storage.


Q #10 If there is no connectivity from the process server to Azure, which services do we need to check?


1. Verify that the following services are running:
  • cxprocessserver
  • InMage Scout VX Agent – Sentinel/Outpost
  • Microsoft Azure Recovery Services Agent
  • Microsoft Azure Site Recovery Service
  • tmansvc
2. Start or restart any service that isn't running.

3. Verify that the process server is connected and reachable.
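As an added example (not from the original post), the manual checks in Q #6, Q #9 and Q #10 can be scripted in PowerShell on the process server itself. It assumes an elevated session on Windows Server 2012 R2 or later (Get-NetTCPConnection and Test-NetConnection come from the NetTCPIP module), that cbengine.exe is the replication process as the answers above state, and that the service names are the ones listed in Q #10 (matched against both Name and DisplayName, since the post lists display names); the cache storage account name is a placeholder.

```powershell
# Added example, not the post's own code: ASR process server health check.
# Assumes an elevated PowerShell session on the process server (Server 2012 R2+).

# Services listed in Q #10; matched against Name or DisplayName.
$RequiredServices = @(
    'cxprocessserver',
    'InMage Scout VX Agent - Sentinel/Outpost',
    'Microsoft Azure Recovery Services Agent',
    'Microsoft Azure Site Recovery Service',
    'tmansvc'
)

function Test-AsrProcessServerServices {
    # Reports each required service; with -Restart, starts the ones that are not running (Q #10, step 2).
    param([switch]$Restart)
    foreach ($name in $RequiredServices) {
        $svc = Get-Service |
            Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } |
            Select-Object -First 1
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Status = 'NotInstalled'; Action = 'Investigate' }
            continue
        }
        $action = 'None'
        if ($svc.Status -ne 'Running') {
            if ($Restart) {
                Start-Service -Name $svc.Name -ErrorAction Continue
                $action = 'Started'
            } else {
                $action = 'Needs start (re-run with -Restart)'
            }
        }
        [pscustomobject]@{ Service = $svc.DisplayName; Status = $svc.Status; Action = $action }
    }
}

function Get-AsrReplicationConnections {
    # Q #6 / Q #9: established TCP connections owned by cbengine.exe towards port 443 (Azure Storage).
    $procs = Get-Process -Name cbengine -ErrorAction SilentlyContinue
    if (-not $procs) { return @() }
    Get-NetTCPConnection -OwningProcess ($procs.Id) -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq 443 } |
        Select-Object LocalAddress, RemoteAddress, RemotePort, State
}

function Test-AsrStorageReachability {
    # Q #10, step 3: can the process server reach the cache storage account's blob endpoint on 443?
    param([string]$CacheStorageAccount)   # placeholder; use your own cache storage account name
    $endpoint = "$CacheStorageAccount.blob.core.windows.net"
    $r = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint         = $endpoint
        TcpTestSucceeded = $r.TcpTestSucceeded
        RemoteAddress    = $r.RemoteAddress
    }
}

# Report-only run; add -Restart to Test-AsrProcessServerServices to start stopped services.
Test-AsrProcessServerServices | Format-Table -AutoSize
Get-AsrReplicationConnections | Format-Table -AutoSize
Test-AsrStorageReachability -CacheStorageAccount 'asrcacheexample' | Format-List
```

An empty result from Get-AsrReplicationConnections while the services are all running usually points at outbound filtering (proxy or firewall) between the process server and Azure Storage rather than at the agent itself, which is what the TCP test in the last function isolates.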


Q #11 How to add credentials on an OVF template machine if you forgot to add them?

You can add the credentials from the configuration server: log in to the configuration server, launch CSPSConfigtool.exe, and click Add.


Q #12 How to generate the passphrase?

  1. Sign in to your configuration server, and then open a command prompt window as an administrator.
  2. To change the directory to the bin folder, execute the command cd %ProgramData%\ASR\home\svsystems\bin
  3. To generate the passphrase file, execute genpassphrase.exe -v > MobSvc.passphrase.
  4. Your passphrase will be stored in the file located at %ProgramData%\ASR\home\svsystems\bin\MobSvc.passphrase.




Azure Firewall - Features (Brief)


Azure Firewall
The Azure Marketplace has many images for NVAs (network virtual appliances) that people usually use to control, filter, or manage their network traffic. But these are third-party products, and a firewall on a VM is IaaS, so you need to worry about everything that comes with managing IaaS infrastructure. Now we have Azure Firewall, which recently became GA and offers a lot of benefits along with a native firewall solution.

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

With Azure Firewall, you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.

The service is fully integrated with Azure Monitor for logging and analytics.


Quick View




Let's check all the features that Azure Firewall offers:


#1 Built-in HA: no additional load balancer or instances are required, and there is nothing you need to configure. Azure Firewall can be configured across multiple Availability Zones for increased availability; with two or more Availability Zones selected, you get a 99.99% uptime SLA.

You can also associate Azure Firewall with a specific zone, just for proximity reasons, using the service's standard 99.95% SLA.

There's no additional cost for a firewall deployed in an Availability Zone. However, there are additional costs for inbound and outbound data transfers associated with Availability Zones.


#2 Unrestricted Cloud Scalability  Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

#3 Application FQDN Filtering Rules  You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require SSL termination. For example, allow outbound access to www.Google.com.





#4 Network Traffic Filtering Rules  You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
E.g. allow DNS from spoke VNet resources to the DNS server in the hub VNet, along with the other shared services, or allow web traffic on port 80.

#5 FQDN TAGS   FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.

#6 Service Tags  A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in the destination field of network rules.

#7 Threat Intelligence  Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

#8 Outbound SNAT Support  All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). This lets you identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is in a private IP range; if your VNet uses a public IP address range, Azure Firewall does SNAT that traffic.

#9 Inbound DNAT Support  Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
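As an added example (not from the original post), here is how the rule types in features #3 to #9 look when configured on an existing Azure Firewall with the Az.Network PowerShell module (classic rule collections rather than Firewall Policy). The resource group, firewall and public IP names, the spoke and hub address ranges, the web server address and the admin source range are all assumptions; the www.Google.com FQDN, the DNS and port 80 rules and the Windows Update tag are the post's own examples.

```powershell
# Added example, not the post's own code: rule collections for an existing Azure Firewall.
# Assumes Connect-AzAccount has been run and the names below exist in your subscription.
$rg         = 'rg-hub-example'      # assumed resource group
$fwName     = 'fw-hub-example'      # assumed firewall name
$pipName    = 'pip-fw-hub-example'  # assumed firewall public IP resource
$spokeRange = '10.1.0.0/16'         # assumed spoke VNet address space
$hubDns     = '10.0.0.4'            # assumed DNS server in the hub VNet
$webServer  = '10.1.1.10'           # assumed backend web server
$adminRange = '203.0.113.0/24'      # assumed admin source range (documentation prefix)

$fw  = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg

# #3 Application FQDN filtering: outbound HTTPS only to www.Google.com, no TLS termination needed.
$appGoogle = New-AzFirewallApplicationRule -Name 'Allow-Google' -SourceAddress $spokeRange `
    -TargetFqdn 'www.Google.com' -Protocol 'https:443'
# #5 FQDN tag: Windows Update by tag instead of maintaining the FQDN list yourself.
$appWu = New-AzFirewallApplicationRule -Name 'Allow-WindowsUpdate' -SourceAddress $spokeRange `
    -FqdnTag 'WindowsUpdate'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'App-Allow' -Priority 200 `
    -ActionType Allow -Rule $appGoogle, $appWu

# #4 Network rules: DNS from spokes to the hub DNS server, and web traffic on port 80.
$netDns = New-AzFirewallNetworkRule -Name 'Allow-DNS' -Protocol UDP -SourceAddress $spokeRange `
    -DestinationAddress $hubDns -DestinationPort 53
$netWeb = New-AzFirewallNetworkRule -Name 'Allow-Web80' -Protocol TCP -SourceAddress $spokeRange `
    -DestinationAddress '*' -DestinationPort 80
# #6 Service tag in the destination field: reach Azure Monitor without listing its prefixes.
$netMon = New-AzFirewallNetworkRule -Name 'Allow-AzureMonitor' -Protocol TCP -SourceAddress $spokeRange `
    -DestinationAddress 'AzureMonitor' -DestinationPort 443
$netColl = New-AzFirewallNetworkRuleCollection -Name 'Net-Allow' -Priority 200 `
    -ActionType Allow -Rule $netDns, $netWeb, $netMon

# #9 Inbound DNAT: publish the web server on the firewall public IP, limited to the admin range
# rather than '*' so the translated port is not reachable from the whole Internet.
$natWeb = New-AzFirewallNatRule -Name 'DNAT-Web' -Protocol TCP -SourceAddress $adminRange `
    -DestinationAddress $pip.IpAddress -DestinationPort 443 `
    -TranslatedAddress $webServer -TranslatedPort 443
$natColl = New-AzFirewallNatRuleCollection -Name 'Nat-Inbound' -Priority 100 -Rule $natWeb

# #7 Threat intelligence: default is Alert; Deny also blocks traffic to/from known bad IPs and domains.
$fw.ThreatIntelMode = 'Deny'

# Attach the collections and push the change. #8 outbound SNAT to the firewall public IP
# happens automatically for Internet destinations; there is nothing to configure for it.
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
$fw.NatRuleCollections.Add($natColl)
Set-AzFirewall -AzureFirewall $fw
```

Set-AzFirewall replaces the whole firewall configuration with the object you pass, so run it from a fresh Get-AzFirewall and keep rule collection priorities unique within each type; the collections above are added to whatever already exists on the firewall, which is assumed here to be empty.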


Multiple public IP addresses

You can associate multiple public IP addresses (up to 100) with your firewall.
This enables the following scenarios:
  • DNAT - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
  • SNAT - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall.


Azure Monitor logging
All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.

Azure Cost Saving Tips

TIPS 


Before we start talking about saving money or cost optimization, we should first know in depth where the money is actually going. First figure out the daily and monthly cost, and perhaps the cost per resource and per resource group, and do some analysis to find out what is needed and where deeper analysis is needed to save cost. Once you have your resources handy, you can use the tips below to save money and put it back into the business to expand or move more resources to Azure.

Let's get started with the tips for getting the best output from the money we are spending on the cloud.


1 # Power-Off VMs - 

This applies to the VMs that we don't need to run 24x7. We all have different environments like DEV, QA, TEST, or PROD. We may need the prod VMs running 24x7, but not all the VMs in the lab, test, or dev environments. So you can save a lot of money by powering off those VMs: use Auto-shutdown to stop a VM when your dev or QA team leaves the office, or put runbooks in place to power VMs off and on on a schedule.

The essence of the story: don't leave a VM running if you don't need it.



2 # VM Right Sizing 


You pay according to the compute power, i.e. the VM size. People usually come with the on-prem mindset of keeping it high, but in the cloud you don't need to; rather, you need to select the correct size for the requirement, e.g. B2ms, D2s_v3, or DS2_v2. Choose wisely and get the maximum output from the resources. As you can see in the VMs highlighted below, there isn't much difference in compute power, but there is in cost and IOPS, so select wisely.




3 # Region 

Region matters when you spin up resources: you may have different prices for the same resource in different regions, and you can use the Azure pricing calculator to check that rather than going through the portal. You may or may not have region restrictions, but as I said earlier, we may have multiple environments, so for dev, QA, or test you can build in a region where you pay less. Let me tell you, you may find only a minute difference like $0.108/hour versus $0.099/hour, but remember that is for a single machine for one hour; you may have multiple machines running 24x7, and trust me, it makes a huge difference in the bill in the end.


4 # Reservation

Just like Azure reserved instances for VMs, other services like databases and storage let you reserve capacity for one or three years and save up to 70%. You can pay upfront or monthly, whichever is convenient, and the discount is applied accordingly.




5 # Azure Hybrid Benefits 

If you have Software Assurance along with your licensing, you can use it on Azure and get the benefit. You can apply it during the creation of the VM or afterwards from Configuration under Settings. Remember, this is one of the best tips to save money for people migrating with existing licences; you need to apply it yourself, as it isn't applied automatically, and you can save up to 40% with Hybrid Benefit.


6 # Azure Spot Instance

You can say this is in-the-moment pricing, and mostly a lot lower than the usual pricing. Azure lets you take advantage of its unused capacity at a significant cost saving; the only caveat is that at any point in time, when Azure needs the capacity back, the Azure infrastructure will evict spot VMs. Therefore, spot VMs are great for workloads that can handle interruptions, like batch processing jobs, dev/test environments, large compute workloads, and more.



7 # Azure Advisor 

Azure Advisor is a built-in Azure tool that provides recommendations for cost, security, performance, HA, and operational excellence. Since we are talking about cost, Azure Advisor provides a lot of recommendations to save money, like:


  • Optimize virtual machine spend by resizing or shutting down underutilized instances
  • Reduce costs by eliminating unprovisioned ExpressRoute circuits
  • Reduce costs by deleting or reconfiguring idle virtual network gateways
  • Buy reserved virtual machine instances to save money over pay-as-you-go costs
  • Delete unassociated public IP addresses to save money
  • Delete Azure Data Factory pipelines that are failing
  • Use Standard Snapshots for Managed Disks
  • Utilize Lifecycle Management




8 # Delete VM along with resources

This is specifically for test and dev environments, where we spin up a VM and keep it there, either running or off. If we don't need the VM frequently, delete it; or, if you need the configuration, take a snapshot of the VM and then delete it along with all its resources, and whenever you need it again, maybe next week or next month, use the snapshot to spin up a VM with the same configuration. Whenever you delete a VM, don't forget to delete resources like the public IP and disks, which also cost you.
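As an added example (not from the original post), tips #1, #5 and #8 can be turned into a single audit script with the Az.Compute and Az.Network PowerShell modules: it finds the orphaned disks and public IPs that tip #8 warns about, lists running VMs tagged for shutdown, and lists Windows VMs without Hybrid Benefit. It only reports unless -Apply is passed. The AutoShutdown tag convention is an assumption; the eligibility for Hybrid Benefit (Software Assurance) is something you have to confirm yourself before applying it.

```powershell
# Added example, not the post's own code: cost audit for tips #1, #5 and #8.
# Assumes Connect-AzAccount has been run and the Az.Compute / Az.Network modules are installed.

$ShutdownTag = @{ Name = 'AutoShutdown'; Value = 'true' }   # assumed tag convention for dev/test VMs

function Get-OrphanedResources {
    # Tip #8: unattached managed disks and public IPs with no IP configuration still cost money.
    $disks = Get-AzDisk | Where-Object { $_.DiskState -eq 'Unattached' } | ForEach-Object {
        [pscustomobject]@{ Type = 'Disk'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName
                           Detail = "$($_.DiskSizeGB) GB $($_.Sku.Name)" }
    }
    $pips = Get-AzPublicIpAddress | Where-Object { -not $_.IpConfiguration } | ForEach-Object {
        [pscustomobject]@{ Type = 'PublicIP'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName
                           Detail = $_.PublicIpAllocationMethod }
    }
    @($disks) + @($pips)
}

function Stop-TaggedVMs {
    # Tip #1: deallocate running VMs carrying the shutdown tag (suitable for a scheduled runbook).
    param([switch]$Apply)
    $vms = Get-AzVM -Status | Where-Object {
        $_.Tags[$ShutdownTag.Name] -eq $ShutdownTag.Value -and $_.PowerState -eq 'VM running'
    }
    foreach ($vm in $vms) {
        $action = 'WouldDeallocate'
        if ($Apply) {
            # Stop-AzVM deallocates by default, so compute billing stops; -NoWait returns at once.
            Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force -NoWait | Out-Null
            $action = 'Deallocating'
        }
        [pscustomobject]@{ VM = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Action = $action }
    }
}

function Enable-HybridBenefit {
    # Tip #5: Windows VMs without LicenseType = Windows_Server are not using Hybrid Benefit.
    param([switch]$Apply)
    $vms = Get-AzVM | Where-Object {
        $_.StorageProfile.OsDisk.OsType -eq 'Windows' -and $_.LicenseType -ne 'Windows_Server'
    }
    foreach ($vm in $vms) {
        $action = 'EligibleIfCoveredBySoftwareAssurance'
        if ($Apply) {
            $vm.LicenseType = 'Windows_Server'
            Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null
            $action = 'HybridBenefitApplied'
        }
        [pscustomobject]@{ VM = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Action = $action }
    }
}

# Report-only run; add -Apply to Stop-TaggedVMs or Enable-HybridBenefit to make changes.
Get-OrphanedResources | Format-Table -AutoSize
Stop-TaggedVMs        | Format-Table -AutoSize
Enable-HybridBenefit  | Format-Table -AutoSize
```

The report stage is deliberately separate from the change stage: the orphaned-resource list is something to review before deleting anything, since an unattached disk may be the snapshot source you kept on purpose under tip #8.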


9 # Dev Test Lab

Azure DevTest Labs enables developers on teams to efficiently self-manage virtual machines (VMs) and PaaS resources without waiting for approvals.
DevTest Labs creates labs consisting of pre-configured bases or Azure Resource Manager templates. These have all the necessary tools and software that you can use to create environments. You can create environments in a few minutes, as opposed to hours or days.



10 # Free Services

Azure provides free services for 12 months with a Free Account; use them and keep learning.



Azure Interview Questions Part #8

Questions :

Q #1  My version of the Mobility services agent or configuration server is old, and my upgrade failed. What do I do?

Q #2 What does the configuration server do?

Q #3 What does the process server do?

Q #4 What are a few prerequisites of the configuration server?

Q #5 Can a configuration server replicate to more than one region?

Q #6 Where can I download the passphrase for the configuration server?

Q #7 Where can I download vault registration keys?

Q #8 What access to VMware VMs does Site Recovery need?

Q #9 Is replication data sent to Site Recovery?

Q #10  Where can I find the Mobility service installers?

Q #11 Where do I set up the configuration server?

Q #12 Can I use the configuration server VM for anything else?




*********************** *****ANSWERS ************************************


Q #1  My version of the Mobility services agent or configuration server is old, and my upgrade failed. What do I do?

Updates can be seen in the portal and applied from there. A reboot is not needed but is recommended.


Q #2 What does the configuration server do?


The server coordinates communications between on-premises components and Azure, and manages data replication.


Q #3 What does the process server do?


The process server acts as a replication gateway:
1. Receives replication data.
2. Optimizes the data with caching, compression, and encryption.
3. Sends the data to Azure Storage.

The process server also does a push install of the Mobility service on VMs and performs automatic discovery of on-premises VMware VMs.


Q #4 What are a few prerequisites of the configuration server?


  • CPU: 8 cores
  • RAM: 16 GB
  • Free disk space: 600 GB for the process server cache and an additional 600 GB for the retention disk (fail-back)
  • OS: Windows Server 2012 R2 or 2016
  • Static IP address
  • Ports 443 and 9443
  • Internet access, or access to the required list of URLs
  • MySQL gets installed


Q #5 Can a configuration server replicate to more than one region?

No. To replicate to more than one region, you need a separate configuration server in each region.


Q #6 Where can I download the passphrase for the configuration server?


In the Recovery Services vault, select Configuration Servers in Site Recovery Infrastructure > Manage. Then, in Servers, select Download registration key to download the vault credentials file.


Q #7 Where can I download vault registration keys?


In the Recovery Services vault, select Configuration Servers in Site Recovery Infrastructure > Manage. Then, in Servers, select Download registration key to download the vault credentials file.


Q #8 What access to VMware VMs does Site Recovery need?


  • To replicate, a VMware VM must have the Site Recovery Mobility service installed and running.
  • VMs communicate with the configuration server on HTTPS port 443 for replication management.
  • VMs send replication data to the process server on HTTPS port 9443 (can be modified).
  • If you enable multi-VM consistency, VMs communicate with each other over port 2004.

Q #9 Is replication data sent to Site Recovery?

No, Site Recovery doesn't intercept replicated data and doesn't have any information about what's running on your VMs. Replication data is exchanged between VMware hypervisors and Azure Storage. Site Recovery has no ability to intercept that data. Only the metadata needed to orchestrate replication and failover is sent to the Site Recovery service.


Q #10  Where can I find the Mobility service installers?

The installers are in the %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository folder on the configuration server.


Q #11 Where do I set up the configuration server?


You need a single, highly available, on-premises VMware VM for the configuration server. For physical server disaster recovery, install the configuration server on a physical machine.


 

Q #12 Can I use the configuration server VM for anything else?


No. Use the VM only for the configuration server.



Azure Interview Questions Part #7


Questions : 


Q #1 Which RBAC roles does ASR provide for management?

Q #2 Can I use a guest OS server license on Azure?

Q #3 What are the prerequisites of ASR on Azure?

Q #4 What access to VMware VMs does Site Recovery need?

Q #5 What are the components of ASR?

Q #6 Is replication data sent to Site Recovery?

Q #7 What is the Mobility agent or service?

Q #8 Where can I find the Mobility service installers?

Q #9 An ASR replicated machine says it is unable to take an app-consistent snapshot, hence its health is critical. How do I fix it?

Q #10 What happens when you hit Enable replication in Recovery Services?

Q #11 How do I install the Mobility service?

Q #12 What is asrseeddisk?




************************Answers************************ 



Q #1 Which RBAC roles does ASR provide for management?

ASR provides three basic roles to perform the various ASR-related tasks, and these are:

Site Recovery Contributor -  This role has all permissions required to manage Azure Site Recovery operations in a Recovery Services vault. A user with this role, however, can't create or delete a Recovery Services vault or assign access rights to other users.
Site Recovery Operator - This role has permissions to execute and manage Failover and Failback operations. A user with this role can't enable or disable replication, create or delete vaults, register new infrastructure or assign access rights to other users.
Site Recovery Reader - This role has permissions to view all Site Recovery management operations. 
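As an added example (not from the original post), the three built-in roles above can be assigned at the scope of a single Recovery Services vault with the Az.Resources and Az.RecoveryServices PowerShell modules, so that operators who only run failovers never receive rights to change replication or RBAC. The vault, resource group and Azure AD group names are assumptions; the role names are the ones listed above.

```powershell
# Added example, not the post's own code: least-privilege ASR role assignments on one vault.
# Assumes Connect-AzAccount has been run and the groups below already exist in Azure AD.
$rg        = 'rg-dr-example'    # assumed resource group
$vaultName = 'rsv-dr-example'   # assumed Recovery Services vault
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName

# Each team gets the narrowest of the three ASR roles that covers its job.
$Assignments = @(
    @{ Group = 'sg-dr-admins';    Role = 'Site Recovery Contributor' }  # manage replication; no vault create/delete, no RBAC
    @{ Group = 'sg-dr-operators'; Role = 'Site Recovery Operator' }     # failover / failback only
    @{ Group = 'sg-dr-auditors';  Role = 'Site Recovery Reader' }       # view only
)

function Set-AsrRoleAssignments {
    # Creates each assignment scoped to the vault resource ID, skipping ones that already exist.
    foreach ($a in $Assignments) {
        $group = Get-AzADGroup -DisplayName $a.Group
        if (-not $group) { Write-Warning "Group $($a.Group) not found"; continue }
        $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $vault.ID
        $action = 'AlreadyAssigned'
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $vault.ID | Out-Null
            $action = 'Assigned'
        }
        [pscustomobject]@{ Group = $a.Group; Role = $a.Role; Scope = $vault.Name; Action = $action }
    }
}

function Get-AsrBroadAssignments {
    # Review helper: Owner/Contributor at (or inherited into) the vault scope exceeds what ASR needs.
    Get-AzRoleAssignment -Scope $vault.ID |
        Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

Set-AsrRoleAssignments   | Format-Table -AutoSize
Get-AsrBroadAssignments  | Format-Table -AutoSize
```

Get-AzRoleAssignment with -Scope also returns assignments inherited from the resource group, subscription and management group, which is why the second function is useful: a subscription-level Contributor can do everything the Site Recovery Contributor can and more, regardless of how carefully the vault-scoped roles are set.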




Q #2 Can I use a guest OS server license on Azure?

Yes, Microsoft Software Assurance customers can use Azure Hybrid Benefit to save on licensing costs for Windows Server machines that are migrated to Azure, or to use Azure for disaster recovery.


Q #3 What are the prerequisites of ASR on Azure?

Recovery Services vault - A vault holds metadata and configuration information for VMs and other replication components.
Azure virtual network - When Azure VMs are created after failover, they're joined to this network.
Storage account - Holds the replication logs.


Q #4 What access to VMware VMs does Site Recovery need?



  • To replicate, a VMware VM must have the Site Recovery Mobility service installed and running.
  • VMs communicate with the configuration server on HTTPS port 443 for replication management.
  • VMs send replication data to the process server on HTTPS port 9443 (can be modified).
  • If you enable multi-VM consistency, VMs communicate with each other over port 2004.


Q #5 What are the components of ASR?

Configuration server
Process server
Mobility service 
Master Target Server


https://youtu.be/v3oGAgclojw


Q #6 Is replication data sent to Site Recovery?


No, Site Recovery doesn't intercept replicated data and doesn't have any information about what's running on your VMs. Replication data is exchanged between VMware hypervisors and Azure Storage. Site Recovery has no ability to intercept that data. Only the metadata needed to orchestrate replication and failover is sent to the Site Recovery service.



Q #7 What is the Mobility agent or service?


The Mobility agent is responsible for data replication and needs to be installed on all the VMs that you are protecting. Replication is block-level and near-continuous using the Mobility service.
The Mobility agent is pushed by the process server to the VMs you want to replicate.

The Mobility agent coordinates communications between your protected machine and the configuration server or scale-out process server, and manages data replication.


Q #8 Where can I find the Mobility service installers?


The installers are in the %ProgramData%\ASR\home\svsystems\pushinstallsvc\repository folder on the configuration server.

You can also download it from the internet and install it, but to register it you need the configuration server's IP address and passphrase.


Q #9 An ASR replicated machine says it is unable to take an app-consistent snapshot, hence its health is critical. How do I fix it?


The Azure Site Recovery VSS provider is required on the source machine to generate application-consistent recovery points. If installation of the provider didn't succeed through push installation, follow the guidelines below to install it manually.
1. Open an admin command prompt window.
2. Navigate to the Mobility service installation location (e.g. C:\Program Files (x86)\Microsoft Azure Site Recovery\agent).
3. Run the script InMageVSSProvider_Uninstall.cmd. This uninstalls the provider if it already exists.
4. Run the script InMageVSSProvider_Install.cmd to install the VSS provider manually.


Q #10 What happens when you hit Enable replication in Recovery Services?


Site Recovery installs the Mobility service when replication is enabled, and initial replication to Azure Storage begins.

Q #11 How do I install the Mobility service?

  • Push installation by the process server.
  • Manual installation using the installer from the configuration server; registration is required, where you provide the configuration server IP address and passphrase.
  • Deployment by a tool like SCCM.


Q #12 What is asrseeddisk?


It is the prefix of the Azure managed disk where recovery points are created.
For every source disk, data is replicated to a managed disk in Azure. This disk has the prefix asrseeddisk. It stores the copy of the source disk and all the recovery point snapshots.


