Deployment

Deployment tools: Azure portal, Azure Cloud Shell, Azure PowerShell, Azure CLI v2.0, Azure SDKs, ARM templates
You can create from
- User images
  - Uses unmanaged disks
- Marketplace images

Create VM Image

You have different levels of security NSG, host firewall, options to have public IP or not
Just-in-time VM Access
- Recommended to enable
- Requires Azure Security Center Standard tier
- Locks down all administrator ports as default, when admin requests admin session then session is bounded by time limit and IP address restriction while granting access.
- No need to have management port open all the time

Around 40% of workloads in Azure runs on Linux
Endorsed in Azure: CentOS, CoreOS, Debian, Oracle Linux, Red Hat Enterprise Linux, SUSE Enterprise Linux, openSUSE, Ubuntu
Connection
- Secure Shell (SSH)
  - A popular client is PuTTy for SSH or you can install subsystem for Linux or git tools on Windows 10 to get SSH.
- Remote Desktop Protocol (RDP)
  - You can install RDP on Linux.
  - Some do not believe in graphical shell:
    - Presents security vulnerability possible
    - Needlessly consumes CPU
  - Windows team ported RDP into linux.
- Serial Console
  - COM1 serial port connection to VM
  - Low-level access
  - Helpful when e.g. your VM doesn't boot up
Authentication
1. SSH Public Key
  - You keep private key and share public key with Azure.
2. Password
- You can reset those after deployment in VM -> Reset password

Windows Server 2019, 2016, 2012, 2008, Windows 10 Pro or Enterprise (for e.g. load testing, client-side testing, jump-box)
Connect
- Remote Dekstop Protocol (RDP)
  - Uses TCP 3389
  - You can connect directly from Overview -> Connect
- WinRM (PowerShell) Remoting
  - TCP 5985, 5986
- Serial Console
  - Text console into VM
  - Can get to VM's that can't boot

RBAC vs Azure Policy
- RBAC
  - Focuses on user actions at different scopes
  - VM Contributor can manage only VM
  - Built-in custom roles
- Azure Policy
  - Focuses on resource properties during deployment for already existing resources
  - Uses default allow and explicit deny access system
- Difference
  - You're not going to be able to create VM unless you have read & write abilities by RBAC
  - Azure Policy in contrast constrains what that RBAC can do when she/he attempts to create VM
Some built-in Azure Policy definitions are e.g. allowed locations, VM SKU, ensure MMS extension is deployed
You can create also own policies, or initiatives which are collections of policies.
Example:
- Policy -> Assign Policy
- Policy defination: E.g. allowed locations
- Parameters: Select which regions are allowed

ARM templates are infrastructure as code foundation of automation and DevOps in Azure
💡 Visual Studio is a good ARM template editor
- Visual Studio Code can also be used.
Different ways to work with templates
1. You can go to Portal -> Templates -> Usage existing usages or add a new template
2. In Visual Studio -> Cloud -> Azure Resource Group -> You can select template location (e.g. github) -> Select a template
3. Deploy a VM then in the last step click on "Download template and paremeters"
You can deploy with PowerShell, Cloud Shell, Azure CLI, or directly from Visual Studio
You can automate deployment actions such as VM access
Files
- azuredeploy.json
  - Deployment template.
  - Defines resources and property such as Allowedvalues, defaultvalues
  - You can refactor some values in variables and reuse in the file
  - copy element block in deployment script allows you to create e.g. 3 storages.
- azuredeploy.parameters.json
  - Deployment parameters (required for deployment) to depoy azuredeploy.json