Dan~ Posted October 15, 2021

So I'm stuck in a horrible situation, almost 18 months searching for a job, yeah it's mental... I've got years and years of experience but it's all been on prem and everyone in the world seems to be cloud based (or so it seems).

BTW if anyone knows of some great free training material for Azure-900 that would be fantastic.

My main question, which I can't get my head around, is: say you have traditional servers hosted in Azure (File&Print, WSUS as an example), how does a corporate laptop connect to these resources? I'm assuming the laptop would have a VPN client which you connect to, which then goes to the Azure side, and then you can connect to the file server by UNC? And for Windows updates it would get pushed out as per normal once connected to the VPN?

Thanks

grunger106 Posted October 15, 2021

If you have on-prem experience that's the main thing, the cloud is no different, you're doing the same stuff just in a different place.

In your example, create a VNET or VNETs, put your VMs in them and then create a VPN endpoint into the VNets and everything will work as it would with on-prem kit in a co-lo. I've not attempted it for a road-warrior style VPN, only a site to site from the offices into Azure. It would potentially work with a laptop and an always on VPN, but I'd argue that isn't the way to handle it.

One thing to remember though is a 1:1 lift and shift from on-prem to Azure is rarely, if ever, cheaper. We tend to migrate users to SharePoint/OneDrive, Exchange Online, and Intune (meaning fewer fileservers, no WSUS etc) and have the road warriors as AzureAD only devices. Then we have a couple of DCs, a pair of DFS for a few LOB apps that need traditional file-shares and AzureVirtualDesktop replacing RDS for the LOB apps that require it.

The big bit to get your head around is OnPremAD, AzureAD, AzureAD Connect, and AzureActiveDirectoryDomainServices, and in which mode to config AzureADConnect (PassThrough, Password Hash, SSO, machine joins etc), as that's the magic that lets you hybrid your on-prem deployment into Azure.

I'd recommend spinning up a few VMs with a DC, and a file server at home, and then building a tunnel and standing up a DC in Azure and then replicating your on-prem DC up to that, then deploy AzureVirtualDesktops - not because you'll need it but because deploying it means you naturally have to learn about AzureAD Connect, Azure Files, and all the authentication mechs - it's a good chunk of stuff that will make sense if you've got the underlying on-prem knowledge (You'll be saying 'ah this is what we did on prem just in a different place' a lot). It's a good little project that takes you through all the major steps.

M365 is the other side of the coin, and it uses AzureAD (and by extension your AD if you have it set up to do so) so there are a good chunk of things to learn there too - ConditionalAccess and Intune would be the two that it would sound like you'd be interested in - Intune replaces WSUS and MDT/SCCM, C/A is how you set conditions on how users can access a resource - MFA must be used, or machine must be compliant or in a certain location or whatever.

AZ-900, there is an exam ref book, there are some free MS training sessions and if you do them you get a free exam credit too. (I *think* this is that - https://www.microsoft.com/en-us/trainingdays but not sure if the offer is still on for the credit)

AZ-900 is pretty basic and also pretty wide IIRC, so there is stuff in there about machine learning, data lakes etc which wasn't relevant to me in an infrastructure role. AZ-104 is probably the one to aim for as a 'proper' cert. If I had to pick a couple of Certs to go for in your position, I'd aim for MS-500 and AZ-104 for a good all-rounder set.

Edited October 15, 2021 by grunger106

Dan~ Posted October 15, 2021 Author

A few things there I don't understand, but generally very informative. I still much prefer on prem but impossible to find anyone these days.

I did recently find out about the Microsoft training days, but the main Azure-900 fundamentals doesn't run often and gets booked immediately. As soon as I get offered a job I'll do some training from my own money, but not something I can do now as, being out of work so long, paying the mortgage with the little money I have left is priority.

Covid certainly hasn't helped with finding jobs as no one is moving, so no positions available.

grunger106 Posted October 15, 2021

I'd try something like this:

Learn about AzureAD and integrating it with AD via AADC. Then deploy some stuff!

1. https://azurescene.com/2020/04/17/how-to-deploy-a-domain-controller-in-microsoft-azure/ (Set up a Site2Site VPN, and deploy some DCs in Azure and configure AzureAD Connect). Covers VNets and VPN Gateways in Azure and gets an on-prem and Azure DC working as you would with on-prem DCs. If you're running AD services on-prem and looking to migrate services that rely on AD into Azure you still need AD! Yes you don't see the boxes, but the principles are exactly the same.

2. Deploy AzureVirtualDesktop: https://www.rebeladmin.com/2020/07/step-step-guide-windows-virtual-desktop-spring-2020-release/ If you use RDS this is the replacement, and deploying it allows you to get your hands dirty with more VMs, and Storage needing to be set up. Then using it you can start to see how much is very much same stuff, different place.

You can get trial subs for Azure and M365 for free so assuming you have the ability to spin up a couple of VMs to be your on-prem lab you're good to go.

If you know AD and how the on-prem systems work you won't find it as much of a change as you think, the principles are the same, a DC is still a DC, a VNET basically a VLAN and VPN is a VPN - you just can't walk up and look at the boxes.

It's much worse when you meet people who only know 'cloud' as I often find that they know what to do to make things work, but they don't know WHY they make things work.

If you have specific questions fire away, M365, Azure IaaS and hybrid cloud deployments are pretty much all I do these days.....

Sulphy Posted October 15, 2021

If you are looking for free self paced training, this helped me hugely when I started down the Azure path!: Browse Certifications and Exams | Microsoft Docs