
Tasks

Cloud APIs are equivalent to Azure resource providers. Unlike Azure, which automatically registers resource providers on use, Cloud APIs must be enabled per project.

GCP

gcloud services enable container.googleapis.com

Azure

az provider register -n Microsoft.ContainerService

Display all available regions

GCP

gcloud compute regions list

Install CLI utility

GCP

apt install apt-transport-https ca-certificates gnupg

Azure

apt install apt-transport-https ca-certificates curl  lsb-release gnupg

GCP

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | 
sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -

Azure

curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor |
sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null

GCP

echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | 
sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list

Azure

echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" |
sudo tee /etc/apt/sources.list.d/azure-cli.list

GCP

sudo apt-get update && sudo apt-get install google-cloud-sdk

Azure

sudo apt-get update && sudo apt-get install azure-cli

Kubernetes

Clusters

GCP

gcloud container clusters create $name --num-nodes=1    # Standard mode
gcloud container clusters create-auto $name             # Autopilot mode

Azure

az aks create -g $group -n $name --node-count 1 --enable-addons monitoring --generate-ssh-keys

GCP

gcloud container clusters describe $name

Azure


GCP

gcloud container clusters list

Azure

az aks list

GCP


Azure


GCP

gcloud container clusters delete $name

Azure

az aks delete -g $group -n $name

Add context to kubeconfig

GCP

gcloud container clusters get-credentials $name

Azure

az aks get-credentials -g $group -n $name
Import-AzAksCredential -ResourceGroupName $group -Name $name

Storage

Create a 10GB disk

GCP

gcloud compute disks create my-disk --size=10GB --zone=us-east1-a

Azure



AWS


🛠️ Administration

Display subscription ID

Get-AzSubscription
az account show

🖥️ CLI

Initialize CLI utility

gcloud init

IAM

Add guest user

New-AzureADMSInvitation `
    -InvitedUserEmailAddress $EMAIL `
    -SendInvitationMessage $True `
    -InviteRedirectUrl "http://myapps.onmicrosoft.com"

Assign a role

# At the organization level
gcloud organizations add-iam-policy-binding \
    $ORG_ID \
    --member="user:$EMAIL" \
    --role="roles/compute.xpnAdmin"
# At the folder level
gcloud beta resource-manager folders add-iam-policy-binding \
    $FOLDER_ID \
    --member="user:$EMAIL" \
    --role="roles/compute.xpnAdmin"

💰 Cost management

To view resource quotas for a subscription, go to the subscription in Azure Portal and open the Usage + quotas blade. From there you can select resources and then click the Request Increase button.

View current usage of vCPU quotas

Get-AzVMUsage

View current usage of storage service

Get-AzStorageUsage

Create a budget

To create a budget, open Cost Management + Billing, then Subscriptions, select a subscription, then click Budgets. Then click + Add, which produces a Create budget blade. The created budget can be seen in the Budgets blade. PowerShell commands used with budgets:

  • Get-AzResourceGroup retrieve Resource Group object
  • Set-AzResourceGroup apply a tag to a resource group with no preexisting tags
  • .Tags method that retrieves Tag collection from a resource group
  • .Add() method used to add tags to a resource group that already has tags.

Monitoring

VM extension

Set-AzVMExtension -ResourceGroupName ExamRefRG -Location "West Europe" -VMName VM1 -Name networkWatcherAgent -Publisher Microsoft.Azure.NetworkWatcher -Type NetworkWatcherAgentWindows -TypeHandlerVersion 1.4
az vm extension set --vm-name VM1 --resource-group ExamRefRG --publisher Microsoft.Azure.NetworkWatcher --version 1.4 --name NetworkWatcherAgentWindows --extension-instance-name NetworkWatcherAgent

Start packet capture

$nw = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "WestEurope" }
$networkWatcher = Get-AzNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName
$storageAccount = Get-AzStorageAccount -Name examref-storage -ResourceGroupName ExamRefRG

$filter1 = New-AzPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress "1.1.1.1-255.255.255.255" -LocalIPAddress "10.0.0.3" -LocalPort "1-65535" -RemotePort "20;80;443"
$filter2 = New-AzPacketCaptureFilterConfig -Protocol UDP
$vm = Get-AzVM -Name VM1 -ResourceGroupName ExamRefRG

New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $vm.Id -PacketCaptureName "PacketCaptureTest" -StorageAccountId $storageAccount.id -TimeLimitInSeconds 60 -Filter $filter1, $filter2
filter='[ { "protocol": "TCP", "remoteIPAddress": "1.1.1.1-255.255.255.255", "localIPAddress":"10.0.0.3", "remotePort":"20" } ]'
az network watcher packet-capture create --name PacketCaptureTest2 --resource-group ExamRefRG --vm VM1 --time-limit 300 --storage-account examref-storage --filters "$filter"

Check status of packet capture

Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"
az network watcher packet-capture show-status --name PacketCaptureTest --location WestEurope

Stop packet capture

Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName "PacketCaptureTest"
az network watcher packet-capture stop --name PacketCaptureTest --location WestEurope

Use IP Flow Verify to test outbound connectivity from source VM and port to destination. If any configured filtering rules block traffic between the endpoints, it will return the name of the offending NSG.

Test-AzNetworkWatcherIPFlow
az network watcher test-ip-flow

Next Hop

Get-AzNetworkWatcherNextHop
az network watcher show-next-hop

Use Network Topology

Get-AzNetworkWatcherTopology
az network watcher show-topology

Capture SFTP traffic

$r = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "EastUS" }
$nw = Get-AzNetworkWatcher -Name $r.Name -ResourceGroupName $r.ResourceGroupName
$s = Get-AzStorageAccount -ResourceGroupName "Diagnostics-RG" -Name "Diagnostics-Storage"
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress "1.1.1.1-255.255.255.255" -LocalIPAddress "10.0.0.4" -LocalPort "1-65535" -RemotePort "22"

New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.ID -PacketCaptureName "Capture SFTP traffic" -StorageAccountId $s.Id -TimeLimitInSeconds 60 -Filter $filter

Resources

Create resource group

New-AzResourceGroup -Location $location -Name $rgName
az group create -l $location -n $rgName 

Register resource provider in subscription

az provider register --namespace 'Microsoft.PolicyInsights'

Move resources

$webapp = Get-AzResource -ResourceGroupName OldRG -ResourceName ExampleSite
$plan = Get-AzResource -ResourceGroupName OldRG -ResourceName ExamplePlan

Move-AzResource -DestinationResourceGroupName NewRG -ResourceId $webapp.ResourceId, $plan.ResourceId
webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/serverfarms" --query id --output tsv)

az resource move --destination-group newgroup --ids $webapp $plan

Create lock on a resource

New-AzResourceLock `
    -LockName LockSite `
    -LockLevel CanNotDelete `
    -ResourceGroupName $rg `
    -ResourceName $r `
    -ResourceType Microsoft.Web/sites

az lock create \
    --name LockSite \
    --lock-type CanNotDelete \
    --resource-group $rg \
    --resource-name $r \
    --resource-type Microsoft.Web/sites

Create lock on a resource group

New-AzResourceLock `
    -LockName LockGroup `
    -LockLevel CanNotDelete `
    -ResourceGroupName $rg

az lock create \
    --name LockGroup \
    --lock-type CanNotDelete \
    --resource-group $rg

Display resource lock

Get-AzResourceLock -ResourceName $r -ResourceType Microsoft.Web/sites -ResourceGroupName $rg
az lock list --resource-group $rg --resource-name $r --namespace Microsoft.Web --resource-type sites --parent ""

Delete resource lock

$lockId = (Get-AzResourceLock -ResourceGroupName $rg -ResourceName $r -ResourceType Microsoft.Web/sites).LockId

Remove-AzResourceLock -LockId $lockId
lockid=$(az lock show --name LockSite --resource-group $rg --resource-type Microsoft.Web/sites --resource-name $r --output tsv --query id)
az lock delete --ids $lockid

Sources

Tags

List all resources by tag

(Get-AzResource -Tag @{ CostCode="1001"}).Name
# List all resources by tag name, with no value
(Get-AzResource -TagName CostCode).Name
az resource list --tag Dept=Finance

List resource groups by tag

(Get-AzResourceGroup -Tag @{ CostCode="1001" }).ResourceGroupName
az group list --tag CostCode=1001

Enumerate a resource's tags

$r = Get-AzResource -Name $resourceName -ResourceGroup rg
Get-AzTag -ResourceId $r.id

# Resource group
$rg = Get-AzResourceGroup -Name $rgName
Get-AzTag -ResourceId $rg.ResourceId

# Subscription
$s = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
Get-AzTag -ResourceId "/subscriptions/$s"
az resource show -n $resourceName -g $rgName --query tags

# Resource group
az group show -n $rgName --query tags

Tag resource

$r = Get-AzResource -ResourceName hrvm1 -ResourceGroupName rg
$r.Tags.Add("Owner", "user@contoso.com")
Set-AzResource -Tag $r.Tags -ResourceId $r.ResourceId -Force

Resource group

$tags = @{"Dept"="Finance"; "Status"="Normal"}
$rg = Get-AzResourceGroup -Name demoGroup
New-AzTag -ResourceId $rg.ResourceId -tag $tags
$tags = (Get-AzResourceGroup -Name rg).Tags
$tags.Add("Owner", "user@contoso.com")
Set-AzResourceGroup -Tag $tags -Name rg
jsonrtag=$(az group show -n rg --query tags)
rt=$(echo $jsonrtag | tr -d '"{},' | sed 's/: /=/g')
az group update -n rg --tags $rt Owner=user@contoso.com

Remove specific tags

$tags = @{"Project"="ECommerce"; "Team"="Web"}
Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Delete

Remove all tags

$s = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
Remove-AzTag -ResourceId "/subscriptions/$s"

# Alternatively
Set-AzResourceGroup -Tag @{} -Name rg

Apply tags to resource, overwriting

$tags = @{"Dept"="Finance"; "Status"="Normal"}
New-AzTag -ResourceId $resource.id -Tag $tags
Set-AzResource -ResourceId $r.ResourceId -Tag @{ CostCode="1001"; Environment="Production" } -Force

az resource tag --tags 'Dept=IT' 'Environment=Test' -g $rgName -n examplevnet --resource-type "Microsoft.Network/virtualNetworks"

Apply tags to resource group

Set-AzResourceGroup -Name rg -Tag @{CostCode="1001"; Environment="Production"}
az group update -n $rgName --tags 'Environment=Test' 'Dept=IT'

# Alternatively
az group update -n $rgName --set tags.Environment=Production tags.CostCode=1001

Compute

⚓ Kubernetes

Create Kubernetes cluster

New-AzAKS -ResourceGroupName $g -Name $n `
    -NodeCount 2 `
    -NetworkPlugin azure `
    -NodeVmSetType VirtualMachineScaleSets `
    -WindowsProfileAdminUserName azureuser `
    -WindowsProfileAdminUserPassword $Password `
    -KubernetesVersion 1.16.7
# PowerShell does not offer an option to generate SSH keys for access to the cluster; `ssh-keygen` must be used.
- Create a Windows Server container on an AKS cluster

az aks create -g $g -n $n \
    --node-count 2 \
    --network-plugin azure \
    --vm-set-type VirtualMachineScaleSets \
    --windows-admin-username azureuser \
    --windows-admin-password $PASSWORD \
    --generate-ssh-keys \
    --enable-addons monitoring
- Create a Windows Server container on an AKS cluster

Add a pool of nodes

New-AzAksNodePool -ResourceGroupName $rgName -Name npwin -ClusterName $clusterName `
    -OsType Windows `
    -KubernetesVersion 1.16.7

az aks nodepool add -g $g -n $n --cluster-name $clusterName \
    --os-type Windows \
    --node-count 1

Persistent volume claim

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
    name: azure-managed-disk
spec:
    accessModes:
    - ReadWriteOnce
    storageClassName: managed-premium
    resources:
        requests:
            storage: 5Gi
- Source

Provision Azure Disk

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
    name: managed-disk-forapp
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
parameters:
    storageaccounttype: default
    kind: Managed
---
# Alternatively, with Premium_LRS storage
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
    name: managed-disk-forapp
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
parameters:
    storageaccounttype: Premium_LRS
    kind: Managed

Functions

Deploy

gcloud functions deploy hello_get --runtime python37 --trigger-http

Test

gcloud functions describe hello_get

Storage

Create storage account

Click Create a resource, then Storage, then Storage account. Choose a globally unique name for the account, containing lower-case characters and digits only.

New-AzStorageAccount -ResourceGroupName ExamRefRG -Name mystorage112300 -SkuName Standard_LRS -Location WestUS -Kind StorageV2 -AccessTier Hot
az storage account create --name $accountName --resource-group $resourceGroup --location $location --sku $sku

Change access tier of storage account

Set-AzStorageAccount -ResourceGroupName RG -Name $accountName -AccessTier Cool -Force

Change replication mode of storage account

Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName -SkuName $type

Renew storage account keys

New-AzStorageAccountKey
az storage account keys renew

Create Azure Key Vault

New-AzKeyVault -VaultName $vaultName -ResourceGroupName $g -Location $location 
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination 'Software' 
$storageKey = Get-AzStorageAccountKey -ResourceGroupName $g -Name $storageAccount 
$secretvalue = ConvertTo-SecureString $storageKey[0].Value -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue  $secretvalue
az keyvault create --name $vaultName --resource-group $g --location $location
az keyvault key create --vault-name "$vaultName" --name $keyName --protection "software"
az keyvault secret set --vault-name "$vaultName" --name "$secretName" --value "$secretValue"

Create key in Azure Key Vault

$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination 'Software'
$storageKey = Get-AzStorageAccountKey -ResourceGroupName $g -Name $storageAccount 
$secretvalue = ConvertTo-SecureString $storageKey[0].Value -AsPlainText -Force

$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretvalue
az keyvault key create --vault-name $vaultName --name $keyName --protection "software"
az keyvault secret set --vault-name $vaultName --name $secretName --value $secretValue

Create Azure sync group

Specify name of sync group in dialog after creating an Azure File Sync

Change storage class

$STORAGE_CLASS can be multi_regional, regional, nearline, or coldline

gsutil rewrite -s $STORAGE_CLASS gs://$PATH_TO_OBJECT

File shares

Deploy Azure File Sync

# Create Storage Sync Service
$storageSync = New-AzStorageSyncService -ResourceGroupName $g -Name $storageSyncName -Location $l

# Create Azure File Share
$storageKey = Get-AzStorageAccountKey -ResourceGroupName $g -Name $storageAccount 
$context = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey.Value[0]

New-AzStorageShare -Name $shareName -Context $context
# Creating a Storage Sync Service resource is only possible in PowerShell or Portal
constring=$(az storage account show-connection-string -n $storageAccountName --query connectionString -o tsv)
az storage share create --name $shareName --quota 2048 --connection-string "$constring"

Create sync group

$syncgroup = New-AzStorageSyncGroup -Name $syncgroupname -ParentObject $storageSync

Create cloud endpoint

New-AzStorageSyncCloudEndpoint -Name $shareName -ParentObject $syncgroup -StorageAccountResourceId $storageAccount.Id -AzureFileShareName $shareName

Network access

Display the status of the default NetworkRule for a storage account

Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rgName -AccountName $n | Select-Object DefaultAction
az storage account show -g $rgName -n $n --query networkRuleSet.defaultAction

Set default rule

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $g -Name $n -DefaultAction Deny
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $g -Name $n -DefaultAction Allow
az storage account update -g $g -n $n --default-action Deny
az storage account update -g $g -n $n --default-action Allow

Networking

Create virtual network with a specific prefix and subnet

$subnet = New-AzVirtualNetworkSubnetConfig `
    -Name $subnetName `
    -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Name $name -ResourceGroupName $rgName -Location $l `
    -AddressPrefix "10.0.0.0/16" `
    -Subnet $subnet

az network vnet create -g $rgName -n $name \
    --address-prefix "10.0.0.0/16" \
    --subnet-name $subnetName \
    --subnet-prefix "10.0.0.0/24"

gcloud compute networks create $name --subnet-mode=custom
gcloud beta compute networks subnets create $subnetName \
    --network=$name \
    --region=$l \
    --range="10.0.0.0/16" \
    --enable-private-ip-google-access \
    --enable-flow-logs

Create peering

Add-AzVirtualNetworkPeering `
    -Name 'peering1' `
    -VirtualNetwork $net1 `
    -RemoteVirtualNetworkId $net2.Id

Add-AzVirtualNetworkPeering `
    -Name 'peering2' `
    -VirtualNetwork $net2 `
    -RemoteVirtualNetworkId $net1.Id

az network vnet peering create \
    -n 'peering1' \
    -g $g \
    --vnet-name net1 \
    --allow-vnet-access \
    --remote-vnet net2

az network vnet peering create \
    -n 'peering2' \
    -g $g \
    --vnet-name net2 \
    --allow-vnet-access \
    --remote-vnet net1

gcloud compute networks peerings create "peering1" \
    --network net1 \
    --peer-project $p \
    --peer-network net2 \
    --auto-create-routes

gcloud compute networks peerings create "peering2" \
    --network net2 \
    --peer-project $p \
    --peer-network net1 \
    --auto-create-routes

Check peering

Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $vnetName
az network vnet peering list --resource-group $rg --vnet-name VNet1
az network vnet peering list --resource-group $rg --vnet-name VNet2

User-defined routes

# Create the route table resource
$routeTable = New-AzRouteTable -Name $routeTableName -ResourceGroupName ExamRefRG

# Add a route to route table object
Add-AzRouteConfig `
    -RouteTable $routeTable `
    -Name $routeName `
    -AddressPrefix 10.3.0.0/16 `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress 10.2.20.4
Set-AzRouteTable -RouteTable $routeTable

# Associate route table with subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Default -AddressPrefix $subnet.AddressPrefix `
    -RouteTable $routeTable

# Commit changes
Set-AzVirtualNetwork -VirtualNetwork $vnet

# Get effective routes for a NIC
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rgName
# Create route table resource
az network route-table create --name $routeTableName --resource-group $rgName 

# Add route to route table
az network route-table route create \
    --resource-group $rgName \
    --route-table-name $routeTableName \
    --name $routeName \
    --address-prefix 10.3.0.0/16 \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 10.2.20.4

# Associate route table with subnet
az network vnet subnet update --name default --vnet-name Vnet1 --resource-group $rgName \
    --route-table $routeTableName

# Get effective routes for NIC
az network nic show-effective-route-table --name $nicName --resource-group $rgName

Create NSG

$nsgRules = @()
$nsgRules += New-AzNetworkSecurityRuleConfig -Name "AllowingWinRMHTTP" -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5985
$nsgRules += New-AzNetworkSecurityRuleConfig -Name "AllowingWinRMHTTPS" -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 104 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986
$nsg = New-AzNetworkSecurityGroup -Name "wscore-nsg" -ResourceGroupName "RG" -Location "East US" -SecurityRules $nsgRules
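
The two rules above allow WinRM (5985 and 5986) inbound from the Internet service tag. As an added example (not part of the original page), this Python check reads NSG definitions in the shape returned by `az network nsg list -o json` and reports inbound Allow rules that expose management ports to any source. The sample JSON, the extra rule names, and the port list are constructed assumptions.

```python
import json

# Remote-management ports to check. 5985/5986 are the WinRM ports opened by
# the rules on this page; including SSH and RDP is an assumption of this example.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
# Source prefixes that admit traffic from anywhere on the Internet.
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}

# Constructed sample in the shape of `az network nsg list -o json` output.
SAMPLE_NSG_JSON = """
[
  {"name": "wscore-nsg", "securityRules": [
    {"name": "AllowingWinRMHTTP", "access": "Allow", "direction": "Inbound",
     "protocol": "Tcp", "priority": 103, "sourceAddressPrefix": "Internet",
     "destinationPortRange": "5985"},
    {"name": "AllowingWinRMHTTPS", "access": "Allow", "direction": "Inbound",
     "protocol": "Tcp", "priority": 104, "sourceAddressPrefix": "Internet",
     "destinationPortRange": "5986"},
    {"name": "AllowSshFromMgmtSubnet", "access": "Allow", "direction": "Inbound",
     "protocol": "Tcp", "priority": 110, "sourceAddressPrefix": "10.0.0.0/24",
     "destinationPortRange": "22"}]},
  {"name": "app-nsg", "securityRules": [
    {"name": "AllowHighPorts", "access": "Allow", "direction": "Inbound",
     "protocol": "*", "priority": 200, "sourceAddressPrefixes": ["*"],
     "destinationPortRanges": ["443", "3000-4000"]},
    {"name": "DenyRdp", "access": "Deny", "direction": "Inbound",
     "protocol": "Tcp", "priority": 300, "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"}]}
]
"""


def rule_values(rule, single, plural):
    """Collect both the singular and plural form of an NSG rule property."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def port_in_spec(port_spec, port):
    """True if an NSG port spec ('*', '5985', '5000-6000') includes port."""
    spec = port_spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        return int(low) <= port <= int(high or low)
    except ValueError:
        return False  # unparsable spec: do not guess


def exposed_mgmt_rules(nsgs):
    """Return sorted (nsg, rule, priority, service) tuples for inbound Allow
    rules that open a management port to an open source prefix.
    Rule precedence is not evaluated: a Deny with a lower priority number
    in the same NSG can shadow a finding, so review each hit in context."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("access", "").lower() != "allow":
                continue
            if rule.get("direction", "").lower() != "inbound":
                continue
            if rule.get("protocol", "").lower() not in ("tcp", "*"):
                continue
            sources = rule_values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            if not any(s.lower() in OPEN_SOURCES for s in sources):
                continue
            ports = rule_values(rule, "destinationPortRange", "destinationPortRanges")
            for port, service in MGMT_PORTS.items():
                if any(port_in_spec(p, port) for p in ports):
                    findings.append((nsg["name"], rule["name"], rule["priority"], service))
    return sorted(findings, key=lambda f: (f[0], f[2], f[3]))


if __name__ == "__main__":
    for nsg, rule, priority, service in exposed_mgmt_rules(json.loads(SAMPLE_NSG_JSON)):
        print(f"{nsg}: rule {rule} (priority {priority}) exposes {service} to the Internet")
```

In the sample, `AllowHighPorts` is reported because its `3000-4000` range covers 3389 and it is evaluated before the `DenyRdp` rule at priority 300.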

View rules

Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rgName
az network nic list-effective-nsg --name $nicName --resource-group $rgName

Create Bastion

Connecting to a VM requires at least Reader role privileges on the VM, its NIC, and on the Bastion itself.

New-AzBastion -ResourceGroupName $rgName -Name $n -PublicIpAddress $pip -VirtualNetwork $vnet
az network bastion create -g $rgName -n $n -l $l --public-ip-address $pip  --vnet-name $vnetName

Create virtual appliance

IP forwarding must be enabled on the VM's NIC, then applications installed on the VM can begin accepting packets destined for other IP addresses.

CDN

Create new profile

  1. Click Create a resource
  2. Click Web
  3. Click CDN, opening the CDN profile blade
  4. Specify name for the profile, name of the resource group, region, and pricing tier.
  5. Click Create

AZ-103: p. 140

Create endpoint

Add an endpoint to a CDN profile (Portal)

  1. Open the CDN Profile
  2. Click + Endpoint button
  3. Specify unique name, configuration for origin settings such as type, host header, and origin port for HTTP and HTTPS.
  4. Click Add button

AZ-103: p. 141

Publish content in a CDN endpoint

  1. Create a new CDN profile
  2. Add an endpoint to the profile

DNS

Create DNS zone

New-AzDnsZone `
    -Name examref.com `
    -ResourceGroupName ExamRefRG

az network dns zone create \
    --name examref.com \
    --resource-group ExamRefRG

Create empty A record

New-AzDnsRecordSet -Name www -RecordType A -ZoneName examref.com -ResourceGroupName ExamRefRG -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address "1.2.3.4")
az network dns record-set a create --name www --zone-name examref.com --resource-group ExamRefRG --ttl 3600

Create multiple records

$records = @()
$records += New-AzDnsRecordConfig -IPv4Address "1.2.3.4"
$records += New-AzDnsRecordConfig -IPv4Address "5.6.7.8"
New-AzDnsRecordSet -Name "@" -RecordType A -ZoneName examref.com -ResourceGroupName ExamRefRG -Ttl 3600 -DnsRecords $records
az network dns record-set a add-record --record-set-name www --zone-name examref.com --resource-group ExamRefRG --ipv4-address 1.2.3.4
az network dns record-set a add-record --record-set-name www --zone-name examref.com --resource-group ExamRefRG --ipv4-address 5.6.7.8

Remove record

$recordset = Get-AzDnsRecordSet -Name www -RecordType A -ZoneName examref.com -ResourceGroupName ExamRefRG
Add-AzdnsRecordConfig -RecordSet $recordset -IPv4Address "5.6.7.8"
Remove-AzDnsRecordConfig -RecordSet $recordset -IPv4Address "1.2.3.4"
Set-AzDnsRecordSet -RecordSet $recordset
az network dns record-set a remove-record --record-set-name www --zone-name examref.com --resource-group ExamRefRG --ipv4-address 1.2.3.4

Read records

Get-AzDnsRecordSet -ZoneName examref.com -ResourceGroupName ExamRefRG
az network dns record-set list --zone-name examref.com --resource-group ExamRefRG -o table 

Create a virtual network with custom DNS settings

New-AzVirtualNetwork -Name VNet1 -ResourceGroupName $rgName -Location $location `
    -AddressPrefix 10.1.0.0/16 -Subnet (New-AzVirtualNetworkSubnetConfig -Name Default -AddressPrefix 10.1.0.0/24) `
    -DNSServer 10.0.0.4,10.0.0.5

az network vnet create --name VNet1 --resource-group $rgName \
    --address-prefixes 10.0.0.0/16 \
    --dns-servers 10.0.0.4 10.0.0.5

Modify the DNS server configuration of an existing VNET

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$vnet.DhcpOptions.DnsServers.Clear()
$vnet.DhcpOptions.DnsServers.Add("10.10.200.1")
$vnet.DhcpOptions.DnsServers.Add("10.10.200.2")
Set-AzVirtualNetwork -VirtualNetwork $vnet
az network vnet update --name $vnetName --resource-group $rgName \
    --dns-servers 10.10.200.1 10.10.200.2

Restart the VMs in the VNet to pick up the DNS change

$vm = Get-AzVM -Name VNet1-VM -ResourceGroupName ExamRefRG
Restart-AzVM -ID $vm.Id

Update the DNS settings on a NIC

$nic = Get-AzNetworkInterface -Name VM1-NIC -ResourceGroupName ExamRefRG
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add("8.8.8.8")
$nic.DnsSettings.DnsServers.Add("8.8.4.4")

Commit the DNS change, causing the VM to restart

Set-AzNetworkInterface -NetworkInterface $nic

Remove custom DNS servers from a VNET

az network vnet update --name VNet1 --resource-group ExamRefRG --remove DHCPOptions.DNSServers

Set custom DNS servers on a NIC

az network nic update --name VM1-NIC --resource-group ExamRefRG --dns-servers 8.8.8.8 8.8.4.4

Load balancing

Create public load balancer

Creating a load balancer in PowerShell requires defining objects which are all passed to New-AzLoadBalancer as objects:

  • Frontend IP
      • Public IP address resource (if public)
      • Private IP address specified as a string (if internal)
  • Backend address pool
  • Health probe
  • Load balancing rule

By contrast, in Azure CLI, the load balancer can be defined first with az network lb create before adding a probe and rule, passing the name of the load balancer to --lb-name.

$publicIP = New-AzPublicIpAddress -Name ExamRefLB-IP -ResourceGroupName $g -Location $location -AllocationMethod Static 
$frontendIP = New-AzLoadBalancerFrontendIpConfig -Name frontend -PublicIpAddress $publicIP
$beAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name backend
$healthProbe = New-AzLoadBalancerProbeConfig -Name HealthProbe -RequestPath '/' -Protocol http -Port 80

$lbrule = New-AzLoadBalancerRuleConfig -Name ExamRefRule -FrontendIpConfiguration $frontendIP -BackendAddressPool $beAddressPool -Probe $healthProbe -Protocol Tcp -FrontendPort 80 -BackendPort 80
$lb = New-AzLoadBalancer -ResourceGroupName $g -Name ExamRefLB -Location $location -FrontendIpConfiguration $frontendIP -LoadBalancingRule $lbrule -BackendAddressPool $beAddressPool -Probe $healthProbe

az network public-ip create --name ExamRefLB-IP --resource-group ExamRefRG --location $location --allocation-method Static
az network lb create --name ExamRefLB --resource-group ExamRefRG --location $location --backend-pool-name backend --frontend-ip-name frontend --public-ip-address ExamRefLB-IP
az network lb probe create --resource-group ExamRefRG --name HealthProbe --lb-name ExamRefLB --protocol http --port 80 --path / --interval 5 --threshold 

az network lb rule create --name ExamRefRule --lb-name ExamRefLB --resource-group ExamRefRG --protocol Tcp --frontend-port 80 --backend-port 80 --frontend-ip-name frontend --backend-pool-name backend --probe-name HealthProbe