Automated backups of a standalone Cisco ASA

In 2019, I’m still staggered that the archive feature available in Cisco IOS isn’t available in Cisco ASA code.

That being said, it’s possible to craft a little configuration that takes the edge off for Cisco ASA devices which may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup written to an SCP (SSH) server on a regular basis. I would prefer a weekly backup, but the EEM absolute timer only takes a time of day in hh:mm:ss format and fires every day at that time, so daily it is.

 
PBUKFW01(config)# event manager applet daily-backup-sftp01
PBUKFW01(config-applet)# event timer absolute time 23:50:00
PBUKFW01(config-applet)# action 0 cli command "copy /noconfirm running-config scp://username:password@1.1.1.1/PBUKFW01/PBUKFW01_Daily.cfg;int=inside"
PBUKFW01(config-applet)# output none

The "/noconfirm" keyword suppresses the interactive prompts so the applet doesn’t stall, and ";int=inside" selects the interface the ASA sources the SCP session from. The file on the remote server is overwritten each time, so you only ever hold the most recent running configuration off the ASA, but that is enough to rebuild the box if it goes bad. Two caveats: the SCP username and password sit in the running configuration in clear text (the action string is stored exactly as typed and shows up in "show running-config"), so use a dedicated account on the SCP server that can do nothing but write to that one directory; and the backup file contains everything in the running configuration, credentials and pre-shared keys included, so lock down the directory it lands in.
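As an added example (not part of the original post), here is a script for the receiving side that gives back the history the nightly overwrite throws away: it keeps a dated copy of each backup, diffs it against the previous one, prunes old copies and flags lines that still carry credentials in the clear. It runs under PowerShell 7 on Linux or Windows PowerShell on an OpenSSH host; the paths and retention count are assumptions.

```powershell
# Added example (not from the original post). Runs on the host that receives
# PBUKFW01_Daily.cfg over SCP. Paths and the retention count are assumptions.
param(
    [string]$BackupFile = '/srv/asa-backups/PBUKFW01/PBUKFW01_Daily.cfg',
    [string]$ArchiveDir = '/srv/asa-backups/PBUKFW01/archive',
    [int]$Keep = 90
)

function Invoke-AsaBackupRotate {
    param([string]$BackupFile, [string]$ArchiveDir, [int]$Keep)

    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup file not found: $BackupFile (did the EEM applet fire?)"
    }
    $current = Get-Item -LiteralPath $BackupFile
    # A stale file means the ASA did not write today; treat that as a failure
    # rather than quietly archiving yesterday's copy again.
    $age = (Get-Date) - $current.LastWriteTime
    if ($age.TotalHours -gt 36) {
        Write-Warning ("Backup is {0:N0} hours old; check the applet on the ASA" -f $age.TotalHours)
    }

    # Keep a dated copy, since the applet overwrites the same file every night.
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $dated = Join-Path $ArchiveDir ('PBUKFW01_{0}.cfg' -f $current.LastWriteTime.ToString('yyyyMMdd-HHmm'))
    Copy-Item -LiteralPath $BackupFile -Destination $dated -Force

    # Diff against the previous archived copy, ignoring the ASA's ':' and '!'
    # comment lines so the timestamp header does not register as a change.
    $previous = Get-ChildItem -Path $ArchiveDir -Filter 'PBUKFW01_*.cfg' |
        Where-Object { $_.FullName -ne $dated } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    $changes = @()
    if ($previous) {
        $old = @(Get-Content -LiteralPath $previous.FullName | Where-Object { $_ -notmatch '^[:!]' })
        $new = @(Get-Content -LiteralPath $dated | Where-Object { $_ -notmatch '^[:!]' })
        if ($old.Count -and $new.Count) {
            $changes = @(Compare-Object -ReferenceObject $old -DifferenceObject $new)
        }
    }

    # Lines carrying secrets in the clear. The applet's own action line is one:
    # 'copy ... scp://user:password@host/...' is stored exactly as typed.
    $secrets = @(Select-String -LiteralPath $dated -Pattern 'scp://[^/@:]+:[^@]+@', 'pre-shared-key')

    # Retention: keep only the newest $Keep archived copies.
    Get-ChildItem -Path $ArchiveDir -Filter 'PBUKFW01_*.cfg' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -Force

    [pscustomobject]@{
        Archived      = $dated
        ComparedWith  = if ($previous) { $previous.FullName } else { $null }
        ChangedLines  = $changes
        ClearTextHits = $secrets
    }
}

$result = Invoke-AsaBackupRotate -BackupFile $BackupFile -ArchiveDir $ArchiveDir -Keep $Keep
"Archived: $($result.Archived)"
$result.ChangedLines | Format-Table SideIndicator, InputObject -AutoSize
if ($result.ClearTextHits.Count) {
    Write-Warning ("{0} line(s) with clear-text credentials; restrict access to {1}" -f $result.ClearTextHits.Count, $ArchiveDir)
}
```

Schedule it shortly after the applet’s 23:50 run (cron or a scheduled task) and feed the "ChangedLines" output into whatever you use for change review; an unexpected diff on a firewall that "nobody touches" is worth a look.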

Hope this helps.
Take care.
Paul


Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

On 21st December 2018, MS published a minor change to the AZ-101 exam which removed “Enable MFA for an Azure Tenant” and replaced it with “Enable MFA by using bulk update”.

Implement Multi-Factor Authentication (MFA)

May include but not limited to:
Configure user accounts for MFA;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Enable MFA by using bulk update

https://docs.microsoft.com/en-gb/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide#bulk-update-users-in-mfa

Using the MFA portal for your tenant, choose the “Update in bulk” dialogue on the main screen. The portal then requests you upload a CSV file with the following format;

[Screenshot "bulkupdate": the CSV template expected by the Update in bulk dialogue]

Or you could iterate through a list of users using PoSh (this needs the MSOnline module and a sign-in first):

# Requires the MSOnline module (Install-Module MSOnline); sign in once per session.
Connect-MsolService

$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"
foreach ($user in $users)
{
    # State "Enabled" prompts the user to register MFA at next sign-in;
    # "Enforced" requires MFA on every sign-in once registration is complete.
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

Configure fraud alerts;

MS Docs state that Fraud Alerts are only specific to the on-premises MFA Server at the time of writing. I’m not 100% clear on this though, so treat with caution.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#fraud-alert

Configure bypass options;

One-time-bypass is specific to the on-premises MFA server at the time of writing.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass

Configure trusted IPs;

The feature is available with the full version of Azure Multi-Factor Authentication (Azure AD P1/P2 SKUs), and not the free version for Global Administrators. This feature only works with IPv4 addressing as of January 2019.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

Configure verification methods;

This isn’t specific to Microsoft’s MFA service; it applies to every service. The tech community at large no longer considers text messaging an acceptable verification method: interception via the carriers’ SS7 signalling network and SIM-swap fraud against the carrier are both well documented. Hardware tokens or smartphone authenticator apps such as Microsoft Authenticator, Google Authenticator, LastPass Authenticator or Duo are the more appropriate choices. Bear in mind that a code typed from an app can still be phished; where a service supports FIDO security keys, those are the option that resists phishing.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#selectable-verification-methods

Manage role-based access control (RBAC);

Duplication! See below.

Implement RBAC policies;

Duplication! See below.

Assign RBAC Roles;

Duplication! See below.

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure;

Duplication! See below.

Manage role-based access control (RBAC)

Owner is a powerful role in Azure RBAC. The key thing is that Owner includes Microsoft.Authorization/*, so an Owner can create further role assignments on anything they own and grant access onwards. That probably isn’t what you want as the person administering the tenant: every extra Owner is another account whose compromise hands out access.
As a Global Administrator, it’s much more likely you’ll be choosing the Contributor role for granting access to resources. Contributor is "*" with Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete in its NotActions, so it lets you manage everything about the resource except who can access it.

https://docs.microsoft.com/en-us/azure/role-based-access-control/

May include but not limited to:
Create a custom role;

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Configure access to Azure resources by assigning roles;

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
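Pulling the Owner/Contributor point, the custom role and the assignment together, here is an added example (not from the original post) using the AzureRM module that was current for the exam. The resource group, role name, actions and user principal name are placeholders; it assumes an interactive sign-in.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and an
# interactive sign-in; resource group, role name and UPN are placeholders.
Connect-AzureRmAccount | Out-Null
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$rg = 'rg-webtier-prod'

# 1. Who can hand out access? Owner (and User Access Administrator) carry
#    Microsoft.Authorization/*/Write, so every Owner can create further role
#    assignments. Review this list regularly.
Get-AzureRmRoleAssignment -RoleDefinitionName 'Owner' |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# 2. Contributor is usually the right grant for people who run resources:
#    '*' minus the authorization writes, so they cannot widen access.
(Get-AzureRmRoleDefinition -Name 'Contributor').NotActions

# 3. A custom role for operators who may restart VMs but not create, delete
#    or reconfigure them, assignable only within this subscription.
$roleJson = @"
{
  "Name": "Virtual Machine Restarter (custom)",
  "IsCustom": true,
  "Description": "Read VMs and restart them; nothing else.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-restarter.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
$customRole = New-AzureRmRoleDefinition -InputFile $roleFile

# 4. Assign at resource-group scope, not subscription scope (least privilege).
New-AzureRmRoleAssignment -SignInName 'jsmith@contoso.com' `
    -RoleDefinitionName $customRole.Name `
    -ResourceGroupName $rg | Out-Null

# 5. Verify what the user now holds in that resource group; if Owner shows
#    up here as well, the custom role bought nothing.
Get-AzureRmRoleAssignment -SignInName 'jsmith@contoso.com' -ResourceGroupName $rg |
    Select-Object RoleDefinitionName, Scope
```

Custom roles created this way show up in the portal with the orange icon mentioned above; keep AssignableScopes as narrow as you can, because a role that is assignable at the tenant root is one more thing an Owner can hand out.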

Configure management access to Azure;

https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

It’s difficult to see a great deal of value in this objective. I think it’s still here because the policy forcing all Azure Administrators through MFA is not yet default and until that time it’s useful to know how to configure management access to Azure.

Something that’s not part of the exam objective, but is pertinent, is the “break glass” accounts you should have setup for your Azure tenant.

Troubleshoot RBAC;

https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting

Implement RBAC policies;

I can’t find anything about RBAC policies, but Azure Policy does supplement RBAC, so I can only assume this is the intention of the objective.

https://docs.microsoft.com/en-us/azure/governance/policy/overview

Here’s the 2018 Ignite session BRK3085 – Deep dive into Implementing governance at scale through Azure Policy

Assign RBAC roles

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

Ammar Hasayen has a course on Pluralsight all about PIM

https://app.pluralsight.com/library/courses/microsoft-azure-privileged-identity-management-implementing/table-of-contents

May include but not limited to:
Enable PIM;

PIM requires you to purchase Azure AD P2 or EMS E5 (a bundle which includes AAD P2) licences for all the users who need to use PIM.
When you enable PIM, the Global Administrator who enabled it is the only user in the tenant with PIM configuration access. It’s therefore critical that immediately after enabling PIM you at least make all other Global Administrators eligible for the Privileged Role Administrator role, or assign it to them permanently. Again, though not an exam objective, keep your two "break glass" accounts permanently assigned and outside PIM’s activation workflow to ensure you don’t lock yourself out of your tenant.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

Activate a PIM role;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim

Create a Delegated Approver account;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

Process pending approval requests;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Before approaching the following two load balancing objectives, I recommend giving this a read.

Implement application load balancing

Regarding the Application Gateway and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can get involved in TCP and HTTP flows. The HTTP mode draws parallels to the Azure Application Gateway. The TCP mode to the Azure Load Balancer. There’s not feature parity, but for sake of discussion, these are my analogies from HAProxy to Azure services.

May include but not limited to:
Configure Application Gateway and load balancing rules;

The application gateway pricing can be found here. It has a per-hour charge depending on the type (size), nominal data processing and outbound data charges.

The Application Gateway relies on being deployed in a subnet in a VNet. The VNet doesn’t have to be one of your existing VNets: you can create a VNet for the sole purpose of hosting the Application Gateway. But if you intend to serve data from Virtual Machines or Scale Sets in an existing VNet, the Application Gateway needs to reach those resources, which in practice means the same VNet (or one peered to it). New VNet or existing, the subnet used for the Application Gateway should be empty, or contain no resource types other than Application Gateways.
Each V1 Application Gateway (V2 scales slightly higher, but is in preview in Jan 2019), Standard or WAF (Web Application Firewall), can run between one and seventy-five instances. Your subnet should be big enough for every Application Gateway in it plus any private frontend IP addresses you might choose to deploy.

https://azure.microsoft.com/en-gb/services/application-gateway/

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ilb-arm

Implement front end IP configurations;

https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-manage-web-traffic-powershell#create-an-application-gateway

Manage application load balancing;

https://docs.microsoft.com/en-gb/azure/application-gateway/quick-create-portal

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer, load balancing rules, and public load balancer;

Azure Load Balancer pricing only applies to the Standard SKU; the Basic SKU is free. But the features on Basic are a little disappointing.

Internal Load Balancer;

To make use of the Internal Load Balancer, you first need to understand which constructs it can use as a backend pool. The Basic SKU can only point at the VMs in a single availability set or a single VM scale set (or a lone VM); the Standard SKU can point at any VM or scale set in the VNet, which is more what you’d expect.

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-basic-internal-portal

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-arm-ps

Public Load Balancer;

For me, a key thing to mention is that you must explicitly allow the traffic in any NSGs on the VNet subnets and/or the VM network interfaces in the path, on the port the load balancer is forwarding to. The backend VMs see the flow with the original client source address (Internet traffic arrives as "Internet", not as the load balancer’s frontend IP), so the rule is "allow port X from Internet", not "allow from the LB IP". Health probes arrive from the AzureLoadBalancer service tag (168.63.129.16) and are already permitted by the default AllowAzureLoadBalancerInBound rule at priority 65001, so don’t add a broad deny above it. Note the SKU difference too: a Standard load balancer is closed by default and passes nothing to a backend until an NSG allows it, while Basic is open by default.

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-create-basic-load-balancer-portal

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal
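Here is an added example (not from the original post) of the NSG a public load balancer’s backend subnet needs, using the AzureRM module: an explicit allow for the load-balanced port from Internet, an explicit allow for the probes, and a deny beneath both. Resource names, region and the port are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module,
# placeholder resource names, and backend VMs listening on TCP/80.
Connect-AzureRmAccount | Out-Null
$rg = 'rg-webtier-prod'; $location = 'uksouth'
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'

# Allow the load-balanced port in from the Internet. The NIC sees the real
# client address as the source, not the load balancer's frontend IP.
$allowWeb = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-LB-Web-In' `
    -Description 'Client traffic arriving via the public load balancer' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80

# Health probes come from the AzureLoadBalancer service tag (168.63.129.16).
# The default rule AllowAzureLoadBalancerInBound (priority 65001) already
# permits them; this explicit rule keeps them working if someone later adds
# a broad deny above 65001.
$allowProbe = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-LB-Probe-In' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80

# Nothing else from the Internet reaches the subnet (RDP/SSH included).
$denyInet = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-Internet-In' `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-webtier' -SecurityRules $allowWeb, $allowProbe, $denyInet

# Attach to the backend subnet. A NIC-level NSG works the same way; when both
# exist, a flow has to be allowed by both.
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

The explicit probe rule is belt and braces: if the probes are ever blocked, every backend goes unhealthy and the load balancer stops forwarding, which looks like an outage rather than a firewall problem.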

Manage Azure load balancing;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal#remove-or-add-vms-from-the-backend-pool

Monitor and manage networking

Azure Network Watcher pricing is dependent on your log volumes.

Tim Warner’s course on Pluralsight helps plenty with this subject

https://app.pluralsight.com/library/courses/azure-network-watcher-troubleshooting/table-of-contents

May include but not limited to:
Monitor on-premises connectivity;

Network Watcher only really works if you’re using the native Azure VPN Gateway. Any Network Virtual Appliances (NVAs) won’t be diagnosed by the VPN Troubleshoot tool within Network Watcher.

You’ll need a storage account and container to drop the logs for the VPN Troubleshoot tool to start monitoring the connection of the gateway.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

You could also stand up a connection monitor from an IaaS VM to an on-premises VM endpoint. This is dependent on the Azure Network Watcher Extension being installed and available on the source IaaS VM.

Use network resource monitoring and Network Watcher;

Network resources? I guess this could count as using a connection monitor instance to monitor to/from a couple IaaS VMs Network Interfaces? Strictly speaking an Azure Network Interface is a resource, and subsequently a network resource. Sorry I can’t bring more clarity on this one.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

IP Flow verify can give you a bottom-up view on whether NSGs are getting in the way of a flow you’re troubleshooting.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Effective Security Rules gives you a top-down view on what rules are in effect on any given IaaS VMs Network Interfaces.
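As an added example (not from the original post), here is the bottom-up and top-down view in one go with the AzureRM module: IP Flow Verify for a few specific flows against a VM, then the effective rule set on its NIC. It assumes Network Watcher is already enabled in the VM’s region under the default NetworkWatcherRG naming; VM and resource group names and the test addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module, a
# Network Watcher enabled in the VM's region (default naming), and
# placeholder resource names and addresses.
Connect-AzureRmAccount | Out-Null
$rg = 'rg-webtier-prod'
$vm = Get-AzureRmVM -ResourceGroupName $rg -Name 'vm-web-01'
$nic = Get-AzureRmNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$localIp = $nic.IpConfigurations[0].PrivateIpAddress
$nw = Get-AzureRmNetworkWatcher -ResourceGroupName 'NetworkWatcherRG' `
    -Name ('NetworkWatcher_' + $vm.Location)

# Bottom-up: is this exact 5-tuple allowed at the VM, and by which NSG rule?
function Test-Flow([string]$Remote, [int]$LocalPort, [string]$Direction = 'Inbound') {
    $r = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $nw `
        -TargetVirtualMachineId $vm.Id -Direction $Direction -Protocol TCP `
        -LocalIPAddress $localIp -LocalPort $LocalPort `
        -RemoteIPAddress $Remote -RemotePort 50000
    [pscustomobject]@{ Direction = $Direction; Remote = $Remote; Port = $LocalPort
                       Access = $r.Access; Rule = $r.RuleName }
}
Test-Flow -Remote '203.0.113.10' -LocalPort 80     # client via the LB: expect Allow
Test-Flow -Remote '203.0.113.10' -LocalPort 3389   # RDP from the Internet: expect Deny
Test-Flow -Remote '168.63.129.16' -LocalPort 80    # LB health probe: expect Allow

# Top-down: the merged subnet + NIC rules actually in force on this NIC,
# sorted the way the platform evaluates them.
$eff = Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg
$eff.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, Protocol, DestinationPortRange, SourceAddressPrefix |
    Format-Table -AutoSize
```

If IP Flow Verify says Allow and the connection still fails, the NSGs are not your problem: look at the guest firewall, the service listening on the port, or a user-defined route sending the return traffic elsewhere.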

Manage external networking and virtual network connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/view-relative-latencies

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

From a real world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant in that we lost VPN connectivity a few times and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable with our on-premises ASAs causing us more trouble than the ASAv in Azure, now.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#VNetGateway

Create and configure site to site VPN;

The exam requires you to understand Azure’s own Virtual Network Gateway (VNG) offering. It doesn’t cover any of the Network Virtual Appliances (NVAs) in the Virtual Machine marketplace that can be used instead of the VNG, such as Cisco ASAv/CSRv (BYOL) and the Palo Alto VM-Series Next Generation Firewall (BYOL).
The Azure VNG is a pair of VMs for high availability that are spun up invisibly, abstracted away into the VNG resource. Whilst it’s possible to use a /29 "GatewaySubnet", choose a /28 or /27 to support the possibility that you choose Azure ExpressRoute at a later date.
Do not apply any Network Security Groups to the "GatewaySubnet"; Microsoft doesn’t support it and it will break the gateway.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
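Here is the site-to-site build end to end as an added example (not from the original post), using the AzureRM module: the GatewaySubnet, a VpnGw1 gateway, the local network gateway describing the on-premises ASA, and the connection with a generated pre-shared key rather than a typed one. Names, address ranges and the ASA’s public address are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module,
# placeholder names/address ranges, and an on-premises ASA whose public
# address is 198.51.100.1. Gateway creation takes 30-45 minutes.
Connect-AzureRmAccount | Out-Null
$rg = 'rg-network-prod'; $location = 'uksouth'

# The subnet must be named exactly GatewaySubnet; /27 leaves room for an
# ExpressRoute gateway alongside later. Never attach an NSG to it.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'
Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
    -AddressPrefix '10.10.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Public IP for the gateway (VpnGw SKUs use a dynamic Basic-SKU address).
$pip = New-AzureRmPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconf' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# RouteBased is what the Azure docs use. A policy-based ASA (no VTI) needs
# IKEv2 plus -UsePolicyBasedTrafficSelectors on the connection below.
$vng = New-AzureRmVirtualNetworkGateway -Name 'vpngw-prod' -ResourceGroupName $rg `
    -Location $location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1

# The on-premises side: the ASA's outside address and the prefixes behind it.
$lng = New-AzureRmLocalNetworkGateway -Name 'lng-hq-asa' -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress '198.51.100.1' `
    -AddressPrefix @('192.168.0.0/16')

# Pre-shared key: generate it, don't type one. 32 random bytes as base64 is
# printable ASCII, which both Azure (1-128 chars) and the ASA accept.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

New-AzureRmVirtualNetworkGatewayConnection -Name 'cxn-hq-asa' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# Hand $psk to whoever configures the ASA (out of band, not by email), then:
(Get-AzureRmVirtualNetworkGatewayConnection -Name 'cxn-hq-asa' -ResourceGroupName $rg).ConnectionStatus
```

The status reads "Connected" only once the ASA side is configured with the same key and matching proposals; until then "Unknown" or "NotConnected" is expected and not a fault.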

Configure Express Route;

ExpressRoute exists because, in comparison to site-to-site VPNs, it offers:

  • Consistent latency
  • Predictable performance
  • An SLA
  • Redundancy
  • Higher throughput options (9Gbps maximum)

It doesn’t use the public Internet to carry your internal traffic to the Azure Virtual Networks, so there’s no IPsec involved in the flow. The flip side is that nothing else encrypts that traffic by default either: private peering runs over the provider’s circuit in the clear, so if the data needs encryption in transit you still need IPsec (a VPN running over ExpressRoute) or TLS at the application layer.

Whilst I understand that there are organisations that might choose ExpressRoute because of scale (attaching ExpressRoute to your existing MPLS cloud has benefits) or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use site-to-site VPN constructs using either the Azure VPN Gateway or Network Virtual Appliances (NVAs) wherever possible.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager

Verify on premises connectivity;

My belief is that both these exam objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

If you are to use Network Performance Monitor for your ExpressRoute circuits, a prerequisite is to have the Azure Log Analytics agent installed both at the on-premises site and in the Azure tenant in which the ExpressRoute circuit terminates, to generate data for OMS to report on.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

https://docs.microsoft.com/en-us/azure/network-watcher/diagnose-communication-problem-between-networks

Manage on-premises connectivity with Azure

This could mean either the Azure VPN Gateway or ExpressRoute. ExpressRoute is basically impossible to replicate in your own Azure tenant unless you have your organisation running ExpressRoute into your Managed WAN or on-premises environment.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 2 – Implement and manage application services

Implement and manage application services (20-25%)

My background as an IT professional is infrastructure. With that in mind, the intention in this post is to help others with a similar background evolve their understanding of the PaaS or Serverless computing services in Azure.

I’ll start with a comparison of Azure Functions and Logic Apps from codit.eu

“A popular comparison states that Azure Functions is code being triggered by an event, whereas Logic Apps is a workflow triggered by an event. This is reflected in the developer experience. Azure Functions are completely written in code, which currently supports JavaScript, C#, F#, Node.js, Python, PHP, batch, bash and PowerShell. In Logic Apps, workflows are created with an easy-to-use visual designer, combined with a simple workflow definition language in the code view. Each developer has of course his/her personal preference. Logic Apps is much simpler to use, but this can sometimes cause limitations in complex scenarios. Azure Functions gives a lot more flexibility and responsibility to the developer.”

Azure Logic Apps took its inspiration from the on-premises tool “BizTalk Server”. Up until this point of my career, I’ve never known what BizTalk Server was intended for. Logic Apps operates in a similar iPaaS (Integration Platform as a Service) market space as Dell Boomi and Mulesoft. How well the Microsoft serverless applications perform compared to others, I can’t judge. All said, Logic Apps is Microsoft’s offering in the iPaaS market. If you listen to Steef-Jan Wiggers, he reckons it’s doing alright.

If Logic Apps, as described above by codit.eu, abstract the code away from Function Apps by using a visual designer, Microsoft Flow takes that one step further and provides Software as a Service on top of Logic Apps. Flow operates in a similar product space to IFTTT, but with the ability to leverage Microsoft’s On-Premises Data Gateway.

Bringing it back to the exam subject matter, to allow your Azure Serverless applications to communicate with each other and pass data around, you can make use of the Azure messaging services; Azure Event Grid, Service Bus, and Event Hubs.  

Another comprehensive article about when to use Azure Functions or Logic Apps is available on DZone.

Here’s Sahil Malik’s Pluralsight course on Serverless Computing in Azure;

https://app.pluralsight.com/library/courses/microsoft-azure-serverless-computing-configuring/table-of-contents

Before we dive into the exam objectives, I’ve switched round the order that I approach them because it made more sense. Creating Azure Functions before the App Service Plan doesn’t feel like the right way round.
In the exam the learning matter is listed;

  • Configure serverless computing
  • Manage App Service Plan
  • Manage App Services.

To facilitate a more natural progression, I’ve listed the objectives;

  • Manage App Service Plan
  • Configure serverless computing
  • Manage App services

Manage App Service Plan

Here’s Neil Morrisey’s great course on Managing Azure App Service plans;

https://app.pluralsight.com/library/courses/microsoft-azure-app-service-plan-managing/table-of-contents

Azure Functions run inside/on top of App Service Plans (as do many other App Services).
App Service Plans are collections of Virtual Machines which are abstracted away from you creating a Platform as a Service (PaaS).
The plan tier determines the resources available and billing constructs associated with those resources, so you can get on and drop your app or code into Azure.
Azure Logic Apps do not run in App Service Plans and are billed on a consumption model which is based on connectors and integration accounts.

A guiding factor in these App Service Plans is the ACU, or Azure Compute Unit. Choose the plan with sufficient compute units and features to achieve your outcome. For the exam objectives, S1 is the cheapest tier that works, because features covered later under "Manage App Services", such as deployment slots and scheduled backups, need the Standard tier or above.

May include but not limited to:

Configure application for scaling;

Scaling up (larger VM) versus scaling out (more of the same VMs) is the choice you need to make for scaling, for your scenario.

https://docs.microsoft.com/en-us/azure/app-service/web-sites-scale

Enable monitoring and diagnostics;

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/app-monitoring

https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log

Configure App Service plans;

https://docs.microsoft.com/en-us/azure/app-service/azure-web-sites-web-hosting-plans-in-depth-overview

Configure serverless computing

May include but not limited to:

Manage a Logic App resource;

Stephen Thomas’ courses on Logic Apps could be really helpful

https://app.pluralsight.com/library/courses/azure-logic-apps-getting-started/table-of-contents

https://app.pluralsight.com/library/courses/azure-logic-apps-fundamentals/description

Logic Apps are defined in JSON using the Workflow definition language.

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-workflow-definition-language

Maybe use this Logic App as a demo to get you warmed up on what the hell a Logic App is!

https://docs.microsoft.com/en-us/azure/logic-apps/tutorial-build-schedule-recurring-logic-app-workflow

Then you have both a VS Code and Visual Studio guide for managing the Logic App. This seems like a poor choice to me as Logic Apps lends itself less towards the “developer experience” and more towards a graphical workflow.

https://docs.microsoft.com/en-us/azure/logic-apps/quickstart-create-logic-apps-visual-studio-code

https://docs.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-visual-studio

Manage Azure Function App settings;

https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings

There’s only one mention of Function Apps in these objectives, but do not underestimate the requirement for understanding them. Here’s an old but great use case of Function Apps by Troy Hunt.

Function Apps are created from the Azure Portal, by choosing either “Create a Resource” or “App Services” and choosing “Serverless Function App”. You can’t visit the Function App blade and add a Function App from the blade, strangely

To move data in and out of your Function App using FTP or FTPS, within your Function App, from the Function App blade, navigate through;

Platform Features | Deployment Center | FTP | Dashboard

You are then presented with your FTPS endpoint, app credentials and user credentials for moving content to/from the Function App using FTPS with a client like WinSCP.

Manage Event Grid;

An overview of Azure messaging services; Event Grid, Service Bus and Event Hub here; https://docs.microsoft.com/en-us/azure/event-grid/overview

Event Grid pricing, like Logic App pricing, is based on a consumption model.
For Event Grid, the first 100,000 operations per month are free.

There are five concepts in Event Grid that get you going; of these, topics and event subscriptions are the ones that exist as Event Grid resources you configure in Azure.

Events – What happened.
Event sources – Where the event took place.
Event Topics – The endpoint where publishers send events.
Event subscriptions – The endpoint or built-in mechanism to route events, sometimes to more than one handler. Subscriptions are also used by handlers to intelligently filter incoming events.
Event handlers – The app or service reacting to the event.

Manage Service Bus;

Azure Service Bus is another consumption based pricing model. There are certain volumes of use which are included in the base price, and then tiers of charges thereafter.

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

Manage App services

Again, Neil Morrisey has a great course, this time on Managing App Services

https://app.pluralsight.com/library/courses/microsoft-azure-app-services-managing/table-of-contents

May include but not limited to:

Assign SSL certificates;

SSL Certs are charged per year, per domain. For four times the cost, you can choose a wildcard certificate.

For me, assigning an SSL cert makes the most sense if you’ve configured a custom domain. Please Microsoft, can you develop your services to take advantage of Let’s Encrypt? It feels like rent extraction of a captive audience that certificates cost money in the Azure portal. Delivering HTTPS everywhere is a solved problem. Please?!

https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site

Configure application settings;

There’s absolutely no guidance about which settings are pertinent to the exam, but knowing things like Java being mutually exclusive with the other frameworks, 64-bit only being available in the paid tiers, and how to configure the default document settings, seems important.

https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure

Configure deployment slots;

Deployment slots are about to change (January 2019) but for now, continue to use whatever is not preview for the context of the exam.

https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing

Configure Azure content delivery network (CDN) integration;

Azure CDN is a consumption or usage pricing model.

Azure CDN feels not entirely dissimilar operationally to how DNS works with its TTL, caching and clearing of cache/purging.

A CDN profile is a collection of endpoints within the same pricing tier.
An endpoint is a name within <endpointname>.azureedge.net that caches your resources.

https://docs.microsoft.com/en-us/azure/cdn/cdn-add-to-web-app

https://azure.microsoft.com/en-gb/blog/enabling-azure-cdn-from-azure-web-app-and-storage-portal-extension/

Manage App Service protection;

Benjamin Culbertson’s course on protecting your Azure App service here;

https://www.pluralsight.com/courses/microsoft-azure-app-service-protection-managing

You can protect access to your Web Apps very easily by choosing Azure Active Directory as your identity source. Google, Facebook etc. don’t look tough either, as they are all choices in the turnkey Authentication/Authorisation blade (App Service Authentication, often called "Easy Auth"), which handles the sign-in in front of your code.

https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication

https://docs.microsoft.com/en-us/azure/security/security-paas-applications-using-app-services

Backing up your app requires you to choose where and when. The where is which storage account to backup to and the when is either manually at your leisure or via a schedule.

https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

Manage roles for an App service;

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

Create and manage App Service Environment

It’s weird this objective comes under “Manage App Services”. I can’t think why it isn’t under the first subject in this post “Manage App Service Plan”.
Anyway. App Service Environments (ASEs) are for when things get serious. You could be subject to governance that determines that you must run your workload in an isolated environment with worker VMs that are in no way shared with other Azure customers. ASEs can have Virtual IPs that are Internal or External. The language is that “Isolated” App Service Plans and ASEs are the same thing. Currently if I choose an App Service Plan and select Isolated as the pricing tier, I’m told that’s not supported. I’ve tried multiple regions and OSs but can’t select Isolated.
My take is that you get the outcome intended for the Isolated App Service Plan tier from going through the ASE blade and choosing the External Virtual IP.

ASEs, like VPN Gateways and Application Gateways require their own subnet. Having spent the time authoring these AZ-10x posts, it now seems critical that one understands upfront that there’s quite a few scenarios where single use subnets are required for Azure services. Don’t make your Azure VNet a /24 address space!

https://docs.microsoft.com/en-us/azure/app-service/environment/intro

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 1 – Evaluate and perform server migration to Azure

After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horse’s mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

From an Azure service perspective, this module is three services:
Evaluate = Azure Migrate
Perform = Azure Site Recovery, into an Azure Recovery Services Vault

Azure Migrate does the cost and technical analysis: what the invoice for the workload will be once it’s in Azure, and whether the chosen workloads are compatible with Azure.
Azure Site Recovery is installed at the source to protect the workload and drive the migration, which is a failover operation executed from the Recovery Services Vault (the destination) blade; for a migration, you never fail back to the source site.

Evaluate migration scenarios by using Azure Migrate

Azure migrate is focused on analyzing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

As I write this, I cannot see any PowerShell that drives Azure Migrate using the AzureRM module. The new Az module may include commands, but for the exam in the early part of 2019 I don’t believe the Az command set will be in scope yet. See the AzureRM to Az announcement here.

https://app.pluralsight.com/library/courses/microsoft-azure-migration-assessing-planning/table-of-contents

May include but not limited to:

Discover and assess environment;

Azure Migrate projects are now available in Europe and Asia, rather than just the US. The Azure Migrate project isn’t “where your VMs go”, it’s just where the analysis of your assessment is done.

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware

Identify workloads that can and cannot be deployed;

Recent changes to Azure Site Recovery allow Windows 2012R2 and later VMs that are using a UEFI boot type to be converted to BIOS as part of the migration. Sadly though, everything else is still unsupported if the VM boot type is UEFI, for now.

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware#create-and-view-an-assessment

https://docs.microsoft.com/en-us/azure/migrate/concepts-assessment-calculation

https://docs.microsoft.com/en-gb/azure/migrate/troubleshooting-general#troubleshoot-azure-readiness-issues

Identify ports to open;

This is very simple in that TCP/443 is your friend, unless you’ve configured custom ports on your on-premises vSphere vCenter server.

https://docs.microsoft.com/en-us/azure/migrate/migrate-overview#what-are-the-port-requirements

Identify changes to network;

This is tough to interpret and the only text that works for me is the work that you might do in the migration stage around changes to the VMs’ network interfaces or Windows Firewall. Can you imagine doing all the work and the Windows Firewall is blocking RDP requests from the Internet on the “Public” profile? It’ll all be there; it’s just that there’s some local config rejecting your connection attempts. In addition, the previous link about opening ports should suffice.
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure#select-the-target-interface-type

Identify if target environment is supported;

This is really difficult to interpret, but my assumption is that this page best fits.
https://docs.microsoft.com/en-us/azure/migrate/how-to-modify-assessment

Setup domain accounts and credentials;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial-prepare-on-premises#prepare-an-account-for-mobility-service-installation

Migrate servers to Azure

Recovery Services Vaults provide data services for protection and recovery. Azure Site Recovery, which gets deployed in the environment where the workload resides, includes technology that was part of an acquisition by Microsoft in 2014.

May include but not limited to:

Migrate by using Azure Site Recovery (ASR);

There are many PowerShell commands for the Azure Site Recovery service. The current module in AzureRM seems to be AzureRM.SiteRecovery.

https://docs.microsoft.com/en-us/azure/site-recovery/

Migrate using P2V;

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Configure storage;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-storage-account

Create a backup vault;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-recovery-services-vault

Prepare source and target environments;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-source

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-target

Backup and restore data;

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-restore-files-windows-server

Deploy Azure Site Recovery (ASR) agent;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-install-mobility-service

Prepare virtual network;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#set-up-an-azure-network

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 5 – Manage Identities

Part 5 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

SafariBooksOnline.com content that matches the objectives

https://www.safaribooksonline.com/videos/azure-active/0422018AZURE1F

Manage identities (15-20%)

Manage Azure Active Directory (AD)

May include but not limited to:
Add custom domains;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-enable

configure self-service password reset;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

implement conditional access policies;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-untrusted-networks

manage multiple directories;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-administer#how-can-i-add-and-manage-multiple-directories

perform an access review

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview

Manage Azure AD objects (users, groups, and devices)

May include but not limited to:
Create users and groups;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

manage user and group properties;

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

# Dump the user object, including any extension attributes, as JSON
(Get-AzureADUser -ObjectId $UserId).ToJson()
# Set a custom (schema extension) attribute on the user; the extension name is the one registered on the application
Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue"

manage device settings;

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings

perform bulk user updates

https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
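The two objectives above (managing user properties, including extension attributes, and bulk user updates) come together in one script. This is an added example, not code from the original post or from Microsoft’s documentation. It assumes Connect-AzureAD has already been run, the CSV content is a constructed sample written to a temp file so the script runs end to end, and the extension name is a hypothetical placeholder that must match an extension registered on an application in your tenant.

```powershell
# Added example: CSV-driven bulk update of Azure AD user properties with the
# AzureAD v2 module, plus a custom extension attribute per user.
# Assumptions: Connect-AzureAD has already been run; the CSV below is a
# constructed sample; $extensionName is a hypothetical placeholder.

# Constructed sample input (not real users), written to disk so Import-Csv
# is exercised exactly as it would be with an admin-supplied file.
$csvPath = Join-Path $env:TEMP 'bulk-users-sample.csv'
@'
UserPrincipalName,Department,JobTitle,UsageLocation
alice@contoso.example,Finance,Analyst,GB
bob@contoso.example,Engineering,Engineer,GB
'@ | Set-Content -Path $csvPath

# Hypothetical extension name; replace with one registered in your tenant.
$extensionName = 'extension_00000000000000000000000000000000_CostCentre'

$results = foreach ($row in Import-Csv -Path $csvPath) {
    try {
        # -ObjectId accepts either the object id (GUID) or the UPN.
        $user = Get-AzureADUser -ObjectId $row.UserPrincipalName

        # Standard directory properties are written with Set-AzureADUser.
        Set-AzureADUser -ObjectId $user.ObjectId `
            -Department $row.Department `
            -JobTitle $row.JobTitle `
            -UsageLocation $row.UsageLocation

        # Custom (schema extension) properties are written separately.
        Set-AzureADUserExtension -ObjectId $user.ObjectId `
            -ExtensionName $extensionName `
            -ExtensionValue $row.Department

        # Read the object back so the log reflects what the directory holds,
        # not what the CSV asked for.
        $after = Get-AzureADUser -ObjectId $user.ObjectId
        $ext   = Get-AzureADUserExtension -ObjectId $user.ObjectId

        [pscustomobject]@{
            User       = $row.UserPrincipalName
            Department = $after.Department
            JobTitle   = $after.JobTitle
            Extension  = $ext[$extensionName]
            Status     = 'Updated'
        }
    }
    catch {
        # One bad row (typo in the UPN, missing permission) should not abort
        # the whole batch; record it and carry on.
        [pscustomobject]@{
            User       = $row.UserPrincipalName
            Department = $null
            JobTitle   = $null
            Extension  = $null
            Status     = "Failed: $($_.Exception.Message)"
        }
    }
}

# A per-row status table is what you want to keep as the change record.
$results | Format-Table -AutoSize
```

Reading each object back after the write is deliberate: for an audited bulk change you want the record to show the directory’s state, not the input file, and the per-row Status column gives you the list of users that still need attention without re-running the whole batch.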

Implement and manage hybrid identities

May include but not limited to:
Install and configure Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express

configure federation and single sign-on;

Federation

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs

Single Sign On

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

manage Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-whats-next

manage password sync and writeback

Password Sync

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization#enable-password-hash-synchronization

Password Writeback

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 4 – Configure and Manage Virtual Networks

Part 4 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

There’s an addition I’d like to make for this objective and that is service endpoints.

https://docs.microsoft.com/en-gb/azure/virtual-network/virtual-network-service-endpoints-overview

It seems important to grasp this concept if your posture is one of using Azure services without exposing them to the Public Internet.

The new Azure Firewall, which deserves a post in its own right, is also in preview as of August 2018.

https://docs.microsoft.com/en-gb/azure/firewall/overview

As does Azure Virtual WAN, or SD-WAN to everyone else in the world.

https://azure.microsoft.com/en-us/services/virtual-wan/

Configure and manage virtual networks (20-25%)

SafariBooksOnline.com content which matches the objectives for virtual networks.

https://www.safaribooksonline.com/videos/azure-networking/0422018AZURE1H

Create connectivity between virtual networks

May include but not limited to:
Create and configure VNET peering;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

create and configure VNET to VNET;

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

verify virtual network connectivity;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#troubleshoot

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal?toc=%2fazure%2fvirtual-network%2ftoc.json

create virtual network gateway

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Implement and manage virtual networking

May include but not limited to:
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network

https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal

Configure name resolution

May include but not limited to:
Configure Azure DNS;

https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal

configure custom DNS settings;

https://docs.microsoft.com/en-us/azure/dns/dns-custom-domain

configure DNS zones

https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal

Create and configure a Network Security Group (NSG)

May include but not limited to:
Create security rules;

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules

associate NSG to a subnet or network interface;

Subnet

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet#change-subnet-settings

Interface

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#associate-or-dissociate-a-network-security-group

identify required ports;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

evaluate effective security rules

https://docs.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem
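Evaluating effective rules is more than listing them: the rule that wins for a given flow is the lowest-priority-number rule that matches, and subnet and NIC NSGs are both in play. The script below is an added example, not code from the original post or from Microsoft’s documentation. It uses the AzureRM cmdlet Get-AzureRmEffectiveNetworkSecurityGroup (the page keeps AzureRM in scope), assumes Connect-AzureRmAccount has been run, uses placeholder resource group and NIC names, and assumes the effective-rule objects expose Name, Priority, Direction, Access, SourceAddressPrefix and DestinationPortRange as in the AzureRM.Network module.

```powershell
# Added example: work out which effective inbound rule wins for management
# ports reached from the Internet on one NIC, and report anything that
# resolves to Allow. Assumptions: Connect-AzureRmAccount has been run;
# $rg and $nic are placeholders; property names follow AzureRM.Network.

$rg  = 'rg-placeholder'
$nic = 'nic-placeholder'

# Ports worth checking from a defender's point of view.
$mgmtPorts = @{ 22 = 'SSH'; 3389 = 'RDP'; 5985 = 'WinRM'; 5986 = 'WinRM-TLS' }

# Source tokens that cover every Internet address. A narrower source
# (a single CIDR) cannot decide the "from anywhere" question, so it is skipped.
$anySource = @('*', 'Internet', '0.0.0.0/0')

# Port tokens in NSG rules can be '*', a single port, or a range 'a-b'.
function Test-PortCovered {
    param([string]$Token, [int]$Port)
    if ($Token -eq '*') { return $true }
    if ($Token -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Token -eq $Port)
}

# Flatten the inbound rules from every NSG applied to the NIC (NIC-level and
# subnet-level both appear in the effective view), ordered by priority.
$effective = @(Get-AzureRmEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $nic)
$inbound = foreach ($nsg in $effective) {
    foreach ($r in $nsg.EffectiveSecurityRules) {
        if ($r.Direction -eq 'Inbound') { $r }
    }
}
$inbound = $inbound | Sort-Object Priority

$report = foreach ($port in $mgmtPorts.Keys) {
    # First matching rule in priority order is the one Azure applies.
    $winner = $inbound | Where-Object {
        $src   = @($_.SourceAddressPrefix)
        $ports = @($_.DestinationPortRange)
        ($src | Where-Object { $anySource -contains $_ }) -and
        ($ports | Where-Object { Test-PortCovered -Token $_ -Port $port })
    } | Select-Object -First 1

    [pscustomobject]@{
        Port     = $port
        Service  = $mgmtPorts[$port]
        Verdict  = if ($winner) { $winner.Access } else { 'No matching rule' }
        Rule     = if ($winner) { $winner.Name } else { $null }
        Priority = if ($winner) { $winner.Priority } else { $null }
    }
}

$report | Format-Table -AutoSize

# Anything that resolves to Allow from the whole Internet on these ports is
# the finding to raise; the rule name and priority tell you where to fix it.
$report | Where-Object Verdict -eq 'Allow'
```

Note that the default DenyAllInBound rule (priority 65500) normally sits at the bottom of the list, so a port with no explicit rule should resolve to Deny rather than “No matching rule”; if you see the latter, the effective view did not return the default rules and the result should not be trusted.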