The journey to Azure Administrator - AZ 104: Monitor & Backup Azure resources

The AZ-104 study course and examination represent an advanced and comprehensive exploration of Azure, offering complex and broad content.

In this week's session, I will delve into the last module of this course, focusing on "Monitor and Backup Azure resources."

This module covers files and folders backup, VM backup, Azure Monitor, Azure alerts, Log Analytics, Network Watcher, improving incident response with Azure alerting, Azure infrastructure analysis with Azure Monitor Logs, and monitoring Azure VMs with Azure Monitor.

Our discussion will cover the initial details of these components, providing a solid foundation for mastering Monitor & Backup in the Azure environment.


1. Files & Folders backup

Azure Backup

Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. It offers multiple components that you download and deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on what you want to protect. All Azure Backup components (no matter whether you're protecting data on-premises or in the cloud) can be used to back up data to a Recovery Services vault in Azure.

Azure Backup benefits

Backup Center for Azure Backup

Azure Backup Center

Azure Recovery Services vault backup

Recovery Services vault: a storage entity in Azure that stores data. Recovery Services vaults make it easy to organize your backup data, while minimizing management overhead.

  • Backup Azure Files file share or on-prem files and folders
  • Various Azure services: VMs, Azure SQL, ...
  • Supports System Center Data Protection Manager, Windows Server, Azure Backup Server, ...

Azure Backup Storage replication

  • No configuration for Azure Files file shares (snapshot-based)
  • 3 storage replications: GRS, LRS and ZRS
  • Enable Cross Region Restore: restore data in secondary Azure paired region

Microsoft Azure Recovery Services (MARS) agent

MARS agent: used to back up files, folders, and system data from your on-premises machines and Azure virtual machines. The MARS agent is a full-featured agent that offers many benefits for both backing up and restoring your data.        

  • MARS agent needs to be installed on Windows Client/Server for backup of files and folders
  • Backup data where MARS agent is installed
  • Backup files and folders on Windows VMs or physical machines (on-prem or Azure)
  • No separate backup server needed for MARS agent
  • MARS agent restores files and folders from backups or volume-level restore. It is not application-aware

On-premises file and folder backups

  • Create Recovery Services vault
  • Download MARS agent and credentials file
  • Install and register MARS agent
  • Configure backups for your files and folders on-premises

2. Virtual Machines backup

Protect VM data

Backup options for VMs

Images versus snapshots

  • Images: managed custom image (OS + data disks), bulk create same VM's
  • Snapshots: Copy of disk at point in time of snapshot. Only 1 disk
  • Operating disk backups: snapshot or image of disk. Create VM from snapshot of disk

VM snapshots in Azure Backup

Azure backup job: creates a snapshot for your virtual machine in two phases.        

  • Take snapshot of VM data
  • Transfer snapshot to Azure Recovery Services vault

Snapshots and recovery points

  • Snapshots: retention of 2 days to reduce backup and restore times.
  • Default snapshot retention from 1 to max 5 days
  • Incremental snapshots stored as Azure page Blobs (Azure Disks)
  • Recovery point only available if backup job has executed both phases
  • Recovery points are labeled with recovery point type
  • 1st snapshot identifies with the snapshot recovery point type
  • Recovery point type changes after transfer to Azure Recovery Services vault

Azure Recovery Services vault

A storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines, workloads, servers, or workstations.

Organize backup data and minimize management overhead.        

Backup VM's

Restore VM's

  • Select recovery points for your VM snapshots
  • Azure creates backup jobs to track the restore operation
  • Temporarily displays notifications about restore operation
  • Track restore operation by monitoring job notifications

System Center DPM and Azure Backup Server

  • Local disk for short-term storage
  • Azure for online protection
  • On-prem? DPM or MABS instance must be located on-premises
  • Azure VM? MABS instance must run on an Azure VM
  • Protection agent installed on every machine you want to protect
  • Must be added to System Center DPM protection group

Advantages

  • Optimized app-aware backups
  • Simplified backups for on-prem machines
  • Flexibility and scheduling
  • Consolidated management

MARS agent versus Azure Backup Server

Soft deletion of VM's

Soft deletion: easily recover your data when it's modified or deleted. It protects backups of your virtual machines from unintended deletion and keeps the backups in soft delete state for 14 days.

  • Stop backup job
  • Apply soft-delete state
  • View soft-delete data in the vault
  • Undelete backup items
  • Restore items
  • Resume backups

Azure Site Recovery

A service that helps ensure business continuity by replicating workloads from a primary site to a secondary location. It enables failover from region A to region B.        

  • Azure VM replication from region A to region B
  • On-prem VMware VM replication, Hyper-V machines, physical servers (Windows and Linux) and Azure Stack VMs to Azure
  • AWS Windows instances replication to Azure
  • VM's managed by System Center VMM to secondary site

Azure Site Recovery features

3. Azure Monitor
Azure Monitor provides you with a comprehensive solution for collecting, analyzing, and responding to telemetry data from your on-premises and cloud environments.        

Features and capabilities in 3 areas

  • Monitor and visualize metrics
  • Query and analyze logs
  • Set up alerts and actions

Monitoring strategy

An effective monitoring strategy helps you understand the detailed operation of the components of your applications. Monitoring also helps you increase your uptime by proactively notifying you of critical issues.

Azure Monitoring

Monitoring is the act of collecting and analyzing data. The data can be used to determine the performance, health, and availability of your business applications and the resources they depend on.

Azure Monitor

  • Monitoring categories: Core, Application, Infrastructure and Shared Capabilities
  • Data stores: Azure Monitor Metrics & Azure Monitor Logs
  • Various monitoring sources: Azure subscription and tenant, Service instances, Azure resources, ...

Azure Monitor Insights

Performs different functions with the collected data, including analysis, alerting, and streaming to external systems.

  • Get insights
  • Visualize
  • Analyze
  • Respond
  • Integrate

Metric and logs

Metrics

Metrics are numerical values that describe some aspect of a system at a particular point in time. Metrics are lightweight and capable of supporting near real-time scenarios.

Metrics

  • Metrics are collected and displayed on the Overview page of Azure resources
  • View metrics on the metrics explorer in Azure Monitor
  • View and use Metric charts interactively

Logs

Logs contain different kinds of data organized into records with different sets of properties for each type. Data like events and traces are stored as logs along with performance data so all the data can be combined for analysis.

Logs

  • Log data stored in Log Analytics
  • Rich query language (KQL) for retrieving, consolidating and analyzing collected data
  • Create and test queries in Log Analytics, save queries, visualize data, create rule alerts
  • Data Explorer query language for simple or advanced queries

Monitoring data and tiers

Data Collection

  • Data collection starts when you create an Azure subscription and add resources
  • Events for creating or modifying resources are stored in Azure Monitor activity logs
  • Performance data and amount of resources consumed are stored in Azure Monitor metrics
  • Add Azure Monitor Agent to compute resources and extend data collection by enabling diagnostics
  • Azure Monitor Agent used for collecting logs and metrics of different data sources from Windows and Linux OS
  • Collect data from REST clients using Data Collector API (custom monitoring)

Monitoring data tiers

Activity log events

The Azure Monitor activity log is a subscription log that provides insight into subscription-level events that occur in Azure.        

  • Understand status of resource operations and other properties
  • What, who and when?
  • Activity logs kept for 90 days
  • Query any range of dates in activity log (max 90 days)
  • Retrieve events from activity logs via Azure Portal, CLI, PowerShell and Azure Monitor REST API

Query activity log

Activity log filters

  • Subscription
  • Timespan
  • Event severity
  • Resource group
  • Resource
  • Resource type
  • Operation name
  • Event initiated by
  • Text string in search box

Event Categories

Azure VM Monitoring

4. Azure Alerts

Azure Monitor Alerts

  • Azure Monitor: capture telemetry data
  • Create alerts
  • An alert is defined by alert rules consisting of settings for resources, signals or telemetry, and conditions to match
  • Action groups with responsive steps
  • Alert monitors telemetry and captures changes to resources
  • Alert rule captures signal and checks if condition criteria match
  • Alert triggers and triggers action groups after conditions are met
  • Conditions and alerts triggered are evaluated separately

Azure Alerts benefits

Azure Monitor alerts management

Alert types

  • Metric alerts
  • Log alerts
  • Activity log events
  • Smart detection alerts

Alert states

  • New
  • Acknowledged: review
  • Closed

Alert state and Azure Monitor condition

  • Initial state of a triggered alert is New; a local admin changes the alert state afterwards
  • Updates to Azure Monitor conditions are made by the system
  • Azure Monitor condition changes to fired when alert triggers
  • When the issue for the alert clears, condition changes to resolved

Stateless and stateful alerts

  • Stateless alerts: trigger each time your alert rule condition matches your data, even if the same alert already exists.
  • Stateful alerts: don't trigger any more actions until the current alert rule conditions clear.

Create alert rules

The alert rules consist of resources, action groups, and monitor conditions that represent the target and criteria for your alert operation.        

  • Several key attributes: target resource, alert signal, rule criteria, issue severity, name and description
  • Target resource defines scope and signals for your alert operation
  • Target resource alerts is signal based on selected resource type (Metric, Activity log, Application Insight or Log)
  • Criteria for alert rule and applied to target resource
  • Severity level for alert rule, from 0 to 4
  • System invokes actions for alert rule, responsive steps
  • New alert rule is enabled by default; manually set it to disabled if you don't want the alert rule to trigger
  • Alert can only be triggered when alert rule is in enabled state

Create action groups

An action group is a collection of notification preferences that you define as an Azure subscription owner.        

  • Multiple alerts can use same action group
  • Notifications say how to notify when action group triggers
  • Actions specify the defined action when the action group triggers

Notifications

  • Email Azure Resource Manager Role
  • Email/SMS message/Push/Voice

Actions

  • Automation runbook
  • Azure Functions
  • ITSM
  • Logic Apps
  • Webhook

5. Log Analytics
Log Analytics is a tool for Azure Monitor. Edit and run log queries for the data collected in Azure Monitor Logs.        

  • Query features and tools that help you answer virtually any question about your monitored configuration.
  • Supports Kusto Query Language (KQL)
  • Use Log Analytics to perform detailed analysis and problem solving.

Log Analytics Workspace

Azure stores the collected information in a Log Analytics workspace. It is the basic management environment for Azure Monitor Logs.        

  • Name
  • Subscription
  • Resource Group
  • Region
  • Pricing

Kusto (KQL) queries

KQL: The KQL syntax helps you quickly and easily create simple or complex queries to retrieve and consolidate your monitoring data in the repository.        

  • View table data in the Azure Monitor Logs repository
  • Create simple and complex queries
  • Filter and summarize search results
  • Add visualizations for search results

Structure Log Analytics queries

Each of your selected data sources and solution stores its data in dedicated tables in your Log Analytics workspace.

Documentation for each data source and solution includes the name of the data type that it creates and a description of each of its properties.

The basic structure of a query is a source table followed by a series of commands (referred to as operators).

A query can have a chain of multiple operators to refine your data and perform advanced functions.

Each operator in a query chain begins with a pipe character |.

Many queries require data from a single table only, but other queries can use various options and include data from multiple tables.
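
As an added example (not from the original article or the course material), here is a query built the way this section describes: a source table followed by piped operators. It applies the activity log's what/who/when filters to surface delete operations against Recovery Services resources, and it assumes the activity log is exported to the workspace so the AzureActivity table is populated; the 7-day window is a constructed sample value.

```kusto
// Assumption: a diagnostic setting sends the subscription's activity log to this
// Log Analytics workspace, so the AzureActivity table contains data.
// The 7-day lookback is a constructed sample value; adjust it to your review cycle.
AzureActivity                                                  // source table
| where TimeGenerated > ago(7d)                                // timespan filter (when)
| where CategoryValue == "Administrative"                      // event category
| where ResourceProviderValue =~ "Microsoft.RecoveryServices"  // resource type, case-insensitive match
| where OperationNameValue endswith "/delete"                  // operation name (what); endswith ignores case
| where ActivityStatusValue in ("Success", "Succeeded")        // only operations that completed
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup,
          OperationNameValue, _ResourceId
| summarize Deletions  = count(),                              // one row per caller (who)
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Operations = make_set(OperationNameValue, 10)
          by Caller, CallerIpAddress, ResourceGroup
| order by Deletions desc
```

Saved as a log alert rule, a query like this notifies an action group when backup data is deleted, which leaves time to undelete items still in the soft-delete state.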

6. Network Watcher
Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level. Azure Network Watcher is ideal for diagnosing network traffic filtering problems to or from a virtual machine.        

IP Flow verify diagnostics

Checks connectivity from or to the internet, and from or to your on-premises environment. This feature helps you identify if a security rule is blocking traffic to or from your virtual machine or the internet.        

IP Flow verify functionality

  • Configure with the following properties: VM and network interface, source port number, destination IP address and remote port number, TCP or UDP and traffic direction (inbound or outbound)
  • Communication with machine succeeds or fails
  • Returns the name of the security rule if the target machine denies the packet because of an NSG

Next hop diagnostics

Checks if traffic is being directed to the intended destination. Next hop tests the communication between the source and destination, and reports the type of next hop in the traffic route.        

Next hop configuration properties

  • Properties: subscription and resource group, VM and network interface, source IP address, destination IP address
  • Test next connection point in your network route configuration
  • Next hop test returns 3 items: next hop type, IP address of next hop and route table for next hop
  • Next hop examples: Internet, Virtual Network and Virtual Network Service Endpoint
  • If next hop is UDR, process returns UDR route, otherwise system route is returned
  • If next hop is type None, then no next hop exists to route the traffic to the target

Visualize network topology

Azure Network Watcher provides a network monitoring topology tool to help administrators visualize and understand infrastructure.

  • Visual diagram of resources in a VNet
  • Shows resources in network, interconnections and relationships with each other
  • View subnets, VMs, network interfaces, public IP addresses, NSGs, route tables, etc.
  • Need a Network Watcher in same region as VNet to generate topology


For a complete & comprehensive overview of the learning path and examination details for AZ-104 Azure Administrator - Monitor & Backup Azure resources, the Microsoft Learn platform offers an extensive resource. You can explore the specifics via the following link: AZ-104 Monitor & Backup Azure resources

