Microsoft Azure Fundamentals (AZ-900 Exam)
Service Catalogue
Pricing
SLAs
Cloud Deployment Models
Cloud Service Types
Architecture
Security
Monitoring
Policy and Compliance
Support
Benefits of Cloud Computing
Subscriptions
Management
Public cloud
Private cloud
Hybrid cloud
Availability Zone
Physically separate datacenter within a region. Protects against DC failure
Regions: Geographical area containing one or more data centers
Resource Management
Resource Groups
RBAC
Sovereign Clouds
Azure US Govt
Available to US government and US contractors
Azure Germany
Isolated instance to meet EU data residency, security and compliance needs.
Azure China
Operated by 21Vianet
Governance & Resource Management
Azure Blueprint - Orchestration: Packages ARM templates + policies + definitions + RBAC
Compute
Azure App Services
Containers
Virtual Machines
Serverless
Cognitive Services (AI)
Storage
Disk storage
Blob storage
Azure Files
Queue storage
Over 200 t-shirt sizes
Networking
Load balancer
Scale sets
Runs behind a load balancer
Unlimited horizontal scaling
Give your code to Azure, they will run it.
Promise of performance, no access to hardware
PaaS
Functions
Serverless code-based microservices
Container image
Azure Container Instance (ACI)
Azure Kubernetes Service (AKS)
Enterprise grade
Runs on cluster of servers
Single instance, quick
Benefits
Data backups, restore, disaster recovery and archiving
Data for analysis
Types
Constraints
Azure Free
Emulates an OS, lightweight, popular
Small bits of event triggered code to run in the cloud
Consumption
Fixed price models
Known as pay-as-you-go
Certification
Compliance
Azure Advisor
Provides recommendations on HA, Security, Performance and Cost
Azure Monitor
Collects and analyses data from your Azure services
Service Health
Azure Cost Management
Less access than PAAS
No need to worry about plan or servers
No worry about scaling
Costs as low as £0 for no activity
Azure Functions, Serverless Kubernetes, SQL, Cosmos DB
Region is a Pair of DCs
Every region has multiple DCs
Software rolled out to one of the pair
IAAS
PAAS
SAAS
Internet of Things (IoT)
Azure Sphere
Azure Bot Service
Physical hardware device designed to work with Azure
DevOps
GitHub
GitHub Actions
Automations
Continuous Integration
Push into Azure Web Apps
Mobile Apps to manage Azure
Cost effective
Capex vs Opex
Secure
Reliable
Scalable
Elastic
Less management overhead
Global
1 bill generated each month per subscription
Multiple subscriptions per account
Hard limits, e.g. 10 ExpressRoute circuits per subscription
Spending limits can be set
Azure Pay-As-You-Go
Azure Enterprise Agreement
Azure for Students
Firewalls
Azure Firewall
Azure Application Gateway
Network Virtual Appliance
DDOS Protection
Azure DevOps
Azure Dev Test Labs
Mobile
Notification Hub
Language
Speech
Vision
Web search
Big Data
Azure Databricks
Azure Machine Learning
Azure Data Share
Azure Data Factory
Azure Data Lake Storage
Power BI
Azure Synapse Analytics
Azure HDInsights
IoT Edge
IoT Hub
Basic tier
Standard tier
Azure Machine Learning
Azure Machine Learning Studio (SAAS)
Azure Machine Learning Service - Coding Required
Identity
Azure AD
Web
Azure Notification Hubs
Azure SignalR Service
Azure API Management
Azure Cognitive Search
Web Apps
Databases
Azure Database for MySQL
Azure SQL Data Warehouse
Azure Database Migration Service
Azure Database for PostgreSQL
Azure Cosmos DB
Azure SQL Database
Azure Database for MariaDB
Azure Cache for Redis
SQL Server on VMs
Azure Communication Services
Azure Spring Cloud (VMware)
Azure Maps
Content Delivery Network
Xamarin
Azure Cognitive Search
Azure Maps
Visual Studio App Centre
Mixed Reality
Azure Digital Twins
Kinect DK
Spatial Anchors
Remote Rendering
Table Storage (NoSQL)
Solution Accelerators
IoT Central
Azure RTOS
Azure Blockchain
Azure Blockchain Service
Azure Blockchain Tokens
Azure Blockchain Workbench
Azure Dedicated Host
Windows Virtual Desktop
Batch (Cloud scale scheduling)
Citrix VAD
VMware Horizon
Azure Information Protection
Azure AD External Identities
Azure Active Directory Domain Services
Performance Targets
Uptime and Connectivity Guarantees
Service Credits
APIs
Azure Cloud Shell
Azure Portal
Management & Governance
Application Insights
Security & Compliance
Cost Management
Azure Advisor
Azure Monitor
Billing
Azure Service Health
Savings
Factors
Purchasing Options
Enterprise
Commitment to spend a negotiated amount annually.
Resource Type
Azure Billing Zones
Web Direct
General public pricing
Cloud Solution Provider
Third party cloud seller
Location
Pricing Calculator
Export to Excel
Share Link
Infrastructure Costs
Licensing
Spending Limits
Reserved Instances
Low-cost Locations / Regions
VM Sizing
Shutdown VMs
Migrate to PAAS/SAAS
Constrained Instance size
Bring your own license (BYOL)
Choice of OS (Windows / Linux)
Azure Hybrid Benefit (Re-use existing Windows & SQL License)
SQL Server Developer edition
Feature Preview
Dashboards
Blades
Export JSON
Share Publish as Resource
1,000,000 executions free per month, $0.20 for the next 1M
Geography
Discrete market typically containing two or more regions that preserve data residency and compliance boundaries.
Availability Set
Grouping of VMs in a single data centre, protects against server or rack failure.
Fault Domain
Update Domain
Azure CLI
PowerShell
Different language to CLI
Single VM Std HDD Uptime 95%
Single VM Std SSD Uptime 99.5%
Single VM in availability set with Premium SSD 99.9%
Assigned an update domain and a fault domain by the underlying Azure platform
Fault domains define the group of virtual machines that share a common power source and network switch
Virtual machines configured within your availability set are separated across up to three fault domains
It does limit the impact of potential physical hardware failures, network outages, or power interruptions.
Managed Disks
Unmanaged disks
Managed disks provide better reliability for Availability Sets by ensuring that the disks of VMs in an Availability Set are sufficiently isolated from each other to avoid single points of failure.
Ideal for images, docs, videos, audio
Block blobs
Block blobs are optimized for uploading large amounts of data efficiently.
Append blobs
An append blob is comprised of blocks and is optimized for append operations.
Page blobs
Page blobs are a collection of 512-byte pages optimized for random read and write operations.
Managed disk provides enhanced manageability and high availability
Eliminates the need to manage storage accounts for IaaS VMs.
Secure by default – Role based access control, storage encryption by default and encryption using own keys.
Storage account limits do not apply – No throttling due to storage account IOPS limits
Big scale - 20,000 disks per region per subscription.
Better storage resiliency: prevents single points of failure due to storage. Supports both Standard and Premium storage disks
Less availability: unmanaged disks do not protect against a single storage scale unit outage
Upgrading process is complex
Owner needs to take care of encryption, data recovery plans etc.
Must create a storage account before you create any new disk.
Is not an ARM resource, but a file (.vhd) residing in an Azure Storage Account.
Is an ARM (Azure Resource Manager) object (resource)
A maximum of 40 disks per standard storage account is recommended, otherwise disks can be throttled
Simple and inexpensive
Azure Queue Storage is a service for storing large numbers of messages.
You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS
Queues are commonly used to create a backlog of work to process asynchronously
Accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol
Azure file shares can be mounted concurrently by cloud or on-premises deployments.
Can be used to completely replace or supplement traditional on-premises file servers or NAS devices.
Azure file shares can be used as persistent volumes for stateful containers
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
Microsoft Azure Information Protection
Shared Security Model
Azure Security Center
Azure Key Vault
Centralised store for secrets
Encryption
Identity Access Management
Network
Tags
Resource Locks
Read-Only
Delete
Inherited
Naming Conventions
Use common names, org wide
Applies to subscription, resource group, or resource
A read-only lock on a subscription prevents Azure Advisor from working correctly.
Some Azure services, such as Azure Databricks, use managed applications to implement the service.
Monitor and profile user behavior and activities
Leverages your on-premises Active Directory signals
Protect user identities and reduce the attack surface
Identify suspicious activities and advanced attacks across the cyber-attack kill-chain
Reconnaissance
Compromised credentials
Lateral movements
Domain dominance
Investigate alerts and user activities
Enables organizations to discover, classify, and protect documents and emails by applying labels to content.
AIP is part of the Microsoft Information Protection (MIP) solution,
On-premises scanner enables administrators to scan their on-premises file repositories for sensitive content that must be labeled, classified, and/or protected.
Division of responsibility
Retained by customer
Data
Endpoints
Account
Access management
Unified infrastructure security management system
Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure.
Protect against threats: Security Center assesses your workloads and raises threat prevention recommendations and security alerts.
Manage organization security policy and compliance
Continuous assessments
Optimize and improve security by configuring recommended controls
Protect against threats
Integration with Microsoft Defender for Endpoint
Protect PaaS, block brute force attacks, protect data services
Automatically discover and onboard Azure resources
At rest
Transport
Azure Active Directory
Pricing
RBAC
MFA
SSO
B2B / B2C
Identities
Identity - Thing to protect
Principal - Identity acting in a certain role
e.g. standard user vs admin user
Service Principal - Identity used by a service
Firewalls
DDOS Protection
Basic
Standard
Network Security Groups (NSG)
Firewall
ExpressRoute
Virtual Private Network (VPN)
Azure Firewall
Managed, cloud based network security service. No packet filtering
Azure Application Gateway
Load balancing including Web Application Firewall (WAF). Packet filtering
Network Virtual Appliances (NVAs)
Suited to custom configurations. Similar to hardware firewalls
Azure Resource Health
Provides details about the current and past state of your resources
Azure Status
Global view of health of Azure services
Azure Service Health
Budget alerts
Budgeting
Alerts
Targets and resources (scope and signals)
Alerts into action groups
Finds critical conditions
Collects logs and alerts
Data to be analysed with queries (Log Analytics)
Regions such as UK South, EU West, CH North
Data transfer out of region: charged
Data transfer within region: free
Deployed within a latency-defined perimeter
Every component must reside in a resource group container.
Centralised RGs contain core networks, subnets and storage accounts.
Individual RGs for VMs, network interfaces, and load balancers
Cannot be nested
Container for resources
Organisation billing, security and logical management.
Can contain resources from any region
UK Govt G Cloud
Service Organization Control (SOC) 1, 2 and 3
Cloud Security Alliance (CSA) STAR
GDPR
EU Model Clauses
HIPAA
ISO
ISO/IEC 27018
Multi-Tier Cloud Security (MTCS) Singapore
National Institute of Standards and Technology (NIST) CyberSec Framework (CSF)
JSON Configuration files
Azure Policy - Create and manage standards for resources in Azure
Azure Initiative - Group of policy definitions
Management Groups - Define policies across multiple subscriptions
Azure Stream Analytics
Stream Analytics ingests data from Azure Event Hubs (including Azure Event Hubs for Apache Kafka), Azure IoT Hub, or Azure Blob Storage.
Query based on the SQL query language
Each job has one or several outputs for the transformed data
Send data to services such as Azure Functions, Service Bus Topics or Queues to trigger communications or custom workflows downstream.
Runs on IoT Edge or Azure Stack.
Azure Stream Analytics is a fully managed (PaaS) offering on Azure
Azure Logic Apps
Workflow without coding
Connects apps together with logic
Used in cloud and on-prem
Pay per what you use
Compliance Manager
Dashboard showing your level of compliance, and recommendations for improvements.
Microsoft Online Services Privacy Statement
Explains what, why and how data is processed
Trust Center
Contains resources regarding Microsoft Security, Privacy, Compliance and transparency practices.
Service Trust Portal
Central portal for compliance management
Maintenance status of VMs visible from Azure VMs page
Not all regions have availability zones.
Provides a personalized view of the health of the Azure services and regions you're using
Customisable dashboard to track the state of your Azure services
Azure Feedback Forum
Azure Knowledge Center
Paid
Uses sensors
Developer
Standard
Professional Direct
Premier
15 min response
< 1 hour response
< 1 hour response
< 8 hour response
Request support for:
Quota limit increase
Claim on SLA drops
Resources can only exist in 1 RG at a time
General purpose v2, you pay for storage & disk I/O
Reservations for 1 to 3 years
80% savings for a VM
80% savings for SQL
Azure Sentinel
Security log analysis
Collect, detect, investigate, respond
Cloud-native SIEM
Uses AI to analyse large volumes of data across an enterprise
Users, applications, servers and devices running on-premises or in any cloud
Separates out services to allow updates without loss of service
All services available
200 USD limit, can't be changed
Limit can be removed
12 month, then expires
Can be upgraded to pay-as-you-go
Multiple locks at multiple levels
CapEx
Storage Options
Hot
Cool
Archive
Lowest cost
High data retrieval costs
Data takes several hours to retrieve
Blob must be rehydrated to an online tier to be read
Replication
LRS (local redundant, same region)
ZRS (zone redundant, multi DC)
GRS (Global, two regions)
GZRS (Global zone redundant, 6 copies)