Professional Documents
Culture Documents
Azure Fundamentals (AZ-900)
Azure Fundamentals (AZ-900)
Index
Appendix
Part 1 – Describe core Azure concepts
Module 1: Introduction to Azure Fundamentals
Cloud computing is the delivery of computing services over the internet by using a
pay-as-you-go pricing model.
You typically pay only for the cloud services you use, which helps you:
• Lower your operating costs;
• Run your infrastructure more efficiently;
• Scale as your business needs change.
To put it another way, cloud computing is a way to rent computer power and
storage from someone else’s datacenter.
Private cloud
Computing services are used exclusively by users from one business/organization.
Hybrid cloud
It combines a public cloud and a private cloud by allowing data and application to
be shared between them.
WHAT IS AZURE?
Azure is a continually expanding set of cloud services that help your organization
meet your current and future business challenges.
What happens behind the scenes:
Azure use a technology known as Virtualization, that separates the tight coupling
between a computer’s hardware and its operating system, using an abstraction
layer called a hypervisor.
Hypervisor emulates all the functions of a real computer and its CPU in a VM.
Each datacenter has mini racks filled with servers and each server includes a
hypervisor to run multiple VM and then they connect to the Internet by using a
switch.
In short words:
• CapEx requires significant up-front financial costs, as well as ongoing
maintenance and support expenditures;
• OpEx is a consumption-based model.
So, cloud services are categorized as on OpEx.
Important facts:
• 10.000 management groups can be supported in a single directory;
• A management group tree can support up to 6 levels of depth excluding the
root level or the subscription level;
• Each management group and subscription can support only 1 parent.
AZURE RESOURCES AND AZURE RESOURCE MANAGER
Resource groups are a fundamental element of the Azure platform because a
resource group is a logical container for resources deployed on Azure.
All resources must be in a resource group and a resource can only be a member of
a single resource group.
Resource groups can’t be nested.
Before any resource can be provisioned, you need a resource group for it to be
placed in.
If you delete a resource group, all resources contained within it are also deleted.
Azure Resource Manager is the deployment and management service for Azure.
It provides a management layer that enables you to create, update and delete
resources in your Azure account.
When a user sends a request from any of the Azure tools (Azure Portal, Azure
PowerShell, Azure CLI, REST clients), Resource Manager receives the request and
it authenticates and authorizes the request and, then, it sends the request to the
Azure service, which takes the requested action.
Azure can help make your app highly available through availability zones.
Availability zones are physically separate datacenters within an Azure region.
Each availability zone is made up of one or more datacenters equipped with
independent power, cooling and networking.
If one zone goes down, the others continues working.
Not every region has support for availability zone.
It’s possible that a large disaster could cause an outage big enough to affect even
two datacenters.
That’s why Azure also creates region pairs.
Each Azure region is always paired with another region within the same
geography at least 300 miles away.
Part 2 – Describe core Azure services
Module 2: Explore Azure database and analytics services
AZURE COSMOS DB
Azure Cosmos DB is a globally distributed, multi-model database service.
It provides comprehensive service level agreements for throughput, latency,
availability and consistency guarantees.
Azure Cosmos DB supports schema-less data.
At the lowest level, Azure Cosmos DB stores data in ARS (Atom-Record-Sequence)
format.
The data is then abstracted and projected as an API, which you specify when
you’re creating your database.
Your choices include SQL, MongoDB, Cassandra, Tables, and Gremlin.
You can migrate your existing SQL Server databases with minimal downtime by
using the Azure Database Migration Service.
Azure SQL Managed Instance provides several options that might not be available
to Azure SQL Database.
(Example: the Cyrillic characters for collation are available in SQL Managed
Instance and not in SQL Database)
AZURE DATABASE FOR MYSQL
Azure Database for MySQL is a relational database service in the cloud and it’s
based on the MySQL Community Edition database engine.
Azure Database for MySQL offers several service tiers, and each tier provides
different performance and capabilities to support lightweight to heavyweight
database workloads.
AZURE HDINSIGHT
Azure HDInsight is a fully managed, open-source analytics service for enterprises.
It’s a cloud service that makes it easier, faster and more cost-effective to process
massive amounts of data.
AZURE DATABRICKS
Azure Databricks helps you unlock insights from all your data and build AI
solutions.
AZURE DATA LAKE ANALYTICS
Azure Data Lake Analytics is an on-demand analytics job service that simplifies
big data.
You write queries to transform your data and extract valuable insights.
Summary
If you want:
• Limitless analytics service with unmatched time to insight, you should
choose Azure Synapse Analytics,
• A fully managed Hadoop and Spark service backed by 99,9% SLA for your
enterprise, you should choose Azure HDInsight,
• A fully managed, fast, easy and collaborative Apache Spark based analytics
platform optimized for Azure, you should choose Azure Databricks,
• A fully managed on-demand pay-per-job analytics service with enterprise-
grade security, auditing and support, you should choose Azure Data Lake
Analytics.
AZURE FUNCTIONS
Azure Functions are ideal when you’re concerned only about the code running
your service and not the underlying platform or infrastructure.
Functions are commonly used when you need to perform work in response to an
event, timer or message from another Azure service and when the work can be
completed quickly.
Functions scale automatically based on demand (so they’re a solid choice when
demand is variable).
Summary
If you want to:
• Provision Linux and Windows virtual machines in seconds with the
configurations of your choice, you should choose Azure Virtual Machines.
In addition, if you want to achieve high availability by autoscaling to create
thousands of VMs in minutes, you should choose Virtual Machine Scale Sets
and if you want to cloud-scale job scheduling and compute management
with the ability to scale to tens, hundreds or thousands of VMs, you should
choose Azure Batch,
• Containerize apps and easily run containers with a single command, you
should choose Azure Container Instances,
• Simplify the deployment, management and operations of Kubernetes, you
should Azure Kubernetes Service (AKS),
• Quickly create cloud apps for web and mobile with fully managed platform,
you should choose Azure App Service.
To begin using Azure Storage, you first create an Azure Storage account.
A storage account provides a unique namespace for your Azure Storage Data that
are highly available, durable and massively scalable.
AZURE FILES
Azure Files offers fully managed file shares in the cloud.
Use Azure Files for the following situations:
• Many on-premises applications use file shares;
• Store configuration files on a file share and access them from multiple VMs;
• Write data to a file share and process or analyze the data later.
One thing that distinguishes Azure Files is that you can access the file from
anywhere in the world by using a URL that points to the file.
You can also use a SAS (Shared Access Signature) tokens to allow access to a
private asset for a specific amount of time.
Summary
If you want to:
• Get scalable and secure storage for your VMs, you should choose Azure Disk
Storage,
• Find massively scalable and secure storage for your unstructured data, you
should choose Azure Blob Storage,
• Get secure cloud file shares, you should choose Azure Files.
AZURE EXPRESSROUTE
With ExpressRoute, you can establish connections to Microsoft cloud services,
such as Microsoft Azure and Microsoft 365.
ExpressRoute connections don’t go over the public internet and this allows
ExpressRoute connections to offer more reliability, faster speeds, consistent
latencies and higher security.
You can enable ExpressRoute Global Reach to exchange data across your on-
premises sites by connecting your ExpressRoute circuits.
There are 3 models that you can use to connect your on-premises network to the
Microsoft cloud:
Part 3 – Describe core solutions and management tools
on Azure
Module 2: Choose the best AI service for your needs
AZURE MACHINE LEARNING
Azure Machine Learning is a platform for making predictions.
It consists of tools and services that allow you to connect to data to train and test
models to find one that will most accurately predict a future result.
Choose Azure Machine Learning when your data scientists need complete control
over the design and training of an algorithm using your own data.
Do you need a service that can understand the content and meaning of images,
video or audio, or that can translate text into a different language?
Use Azure Cognitive Services.
Will your app predict future outcomes based on private historical data?
Use Azure Machine Learning.
Do you need to build a model by using your own data or perform a different task
than those listed above?
Use Azure Machine Learning.
GITHUB ACTIONS
GitHub is arguably the word’s most popular code repository for open-source
software and has lightweight project management features that allow you to
assign tasks to a user.
GitHub Actions enables workflow automation with triggers for many lifecycle
events.
One example could be automating a CI/CD toolchain.
A toolchain is a combination of software tools that aid in the delivery,
development and management of software applications throughout a system’s
development lifecycle.
The output of one tool is the input of the next tool in the toolchain.
Decision criteria:
Do you need to automate and manage test-lab creation?
Use Azure DevTest Labs.
However, you can automate the provisioning of new labs as part of a toolchain by
using Azure Pipelines or GitHub Actions.
Regarding source-code management and DevOps tools, how tightly do you need
to integrate with third-party tools?
It’s important for you to understand your organization’s existing investments in
tools and services.
Most third-party DevOps tools integrate with both Azure DevOps and GitHub.
AZURE MONITOR
Azure Monitor is a platform for collecting, analyzing, visualizing and potentially
taking action based on the metric and logging data from your entire Azure and on-
premises environment.
On the left is a list of sources of logging and metric data that can be collected at
every layer in your application infrastructure, from application to network;
In the center, you can see how the logging and metric data is stored in centrale
repositories (Metrics & Logs);
On the right, the data is used in a number of ways.
Additionally, you can use the data to help you react to critical events in real time,
through alerts, for example.
Do you need to set up alerts for outages or when autoscaling is about to deploy
new instances?
Use Azure Monitor.
Visual tools provide full, visually friendly access to all the functionality of Azure.
Code-based tools are the best choice when you’re attempting to quickly set up
and configure Azure resources.
AZURE PORTAL
Azure Portal provides a friendly, graphical UI to view all the services you’re using,
create new services, configure your services and view reports.
AZURE CLI
Azure CLI is an executable program with which a developer, DevOps or IT
professional can execute commands in Bash.
These commands call the Azure Rest API to perform every possible management
task in Azure.
The primary difference between Azure CLI and Azure PowerShell is the syntax.
ARM TEMPLATES
By using Azure Resource Manager templates (ARM templates) you can describe
the resources you want to use in a declarative JSON format.
The benefit is that the entire ARM template is verified before any code is executed
to ensure that the resources will be created and connected correctly.
They are the good option to deploy an entire cloud infrastructure.
Decision criteria:
Do you need to perform one-off management, administrative or reporting actions?
Use either Azure PowerShell or Azure CLI or Azure Portal, depends on your needs:
ARM templates aren’t intended for one-off scenarios, but it’s possible to use them
for this purpose, even you should prefer Azure PowerShell/CLI/Portal.
Do you need a way to repeatedly set up one or more resources and ensure that all
the dependencies are created in the proper order?
Use ARM templates, because they express your application’s infrastructure
requirements for a repeatable deployment.
When you’re scripting, do you come from a Windows administration or Linux
administration background?
Use Azure PowerShell (Windows administration) or Azure CLI (Linux
administration).
You can call Azure Functions from Azure Logic Apps and vice versa.
The primary difference between the two services is their intent:
• Azure Functions is a serverless compute service,
• Azure Logic Apps is a serverless orchestration service.
Another difference is pricing:
• Azure Functions is based on the number of executions and the running time
of each execution;
• Azure Logic Apps is based on the number of executions and the type of
connectors that it utilizes.
Decision criteria:
Do you need to perform an orchestration across well-known APIs?
Use Azure Logic Apps.
It’s possible to create the same workflow by using Azure Functions, but it might
take a considerable amount of time to research which APIs to call and how to call
them, while Azure Logic Apps has already componentized these API calls.
By using Azure IoT services, devices that are equipped with sensors and that can
connect to the internet cloud send their sensor readings to a specific endpoint in
Azure via a message.
The message’s data is then collected and aggregated and it can be converted into
reports and alerts.
AZURE SPHERE
Azure Sphere creates an end-to-end, highly secure IoT solution for customers.
Azure Sphere has built-in communication and security features for internet-
connected devices.
Decision criteria:
Is it critical to ensure that the device is not compromised?
Use Azure Sphere.
You can use Security Center to get a detailed analysis of different components in
your environment.
In the Resource security hygiene section, you can see the health of your resources
from a security perspective.
To help prioritize remediation actions, recommendations are categorized as low,
medium, high.
From Security Center, you can dismiss false alerts, investigate them further,
remediate alerts manually or use an automated response with a workflow
automation, that uses Azure Logic Apps and Security Center connectors.
AZURE SENTINEL
A SIEM (Security Information and Event Management) system aggregates security
data from many different sources and it also provides capabilities for threat
detection and response.
You can visualize defense in depth as a set of layers, with the data to be secured
at the center.
Each layer provides protection so that if one layer is breached, a subsequent layer
is already in place to prevent further exposure.
This approach removes reliance on any single layer of protection.
Layers of defense-in-depth:
• Physical security layer : it’s a the first line of defense to protect computing
hardware in the datacenter;
• Identity and access layer : it controls access to infrastructure and change
control;
• Perimeter layer : it uses DDoS protection to filter large-scale attacks before
they can cause a denial of service for users and perimeter firewalls to
identify and alert on malicious attacks against your network;
• Network layer : it limits communications between resources (through
segmentation and access controls);
• Compute layer : it secures access to VMs;
• Application layer : it helps ensure that applications are secure and free of
security vulnerabilities;
• Data layer : it controls access to business and customer data that you need
to protect.
Azure provides security tools and features at every layer o the defense-in-depth
concept.
Your security posture is your organization’s ability to protect from and respond to
security threats.
The common principles used to define a security posture are confidentiality,
integrity and availability, known collectively as CIA.
AZURE FIREWALL
A firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based on a
defined set of security rules.
Azure DDoS protection help protect your Azure resources from DDoS attacks.
Azure DDoS Protection identifies the attacker’s attempt to overwhelm the network
and blocks further traffic from them.
DDoS Protection can also help you manage your cloud consumption.
DDoS Protection can help prevent volumetric attacks, protocol attacks and
resource layer attacks.
NETWORK SECURITY GROUPS (NSGs)
A network security group (NSG) enables you to filter traffic to and from Azure
resources within an Azure virtual network.
You can think of NSGs like an internal firewall.
When you create a NSG, Azure creates a series of default rules to provide a
baseline level of security.
These default rules can’t be removed, but you can override them by creating new
rules with higher priorities.
Properties of a NSG rule:
• Name (must be unique),
• Priority : a number between 100 and 4096.
Rules are processed in priority order, with lower numbers processed before
higher numbers,
• Source / Destination (a single IP address or IP address range),
• Protocol,
• Direction (to inbound or outbound traffic),
• Port range,
• Action (Allow / Deny).
Part 5 – Describe identity, governance, privacy and
compliance features
Module 2: Secure access to your applications by using Azure
identity services
Authentication is the process of establishing the identity of a person or service
that wants to access a resource.
Authorization is the process of establishing what level of access an authenticated
person or service has.
Azure AD is for:
• IT administrators,
• App developers,
• Users,
• Online service subscribers.
Azure AD provides the following services:
• Authentication,
• Single Sign-On (SSO) (enable you to remember only one username and one
password to access multiple applications),
• Application management,
• Device management.
Azure AD helps users access both external and internal resources, that include
Microsoft Office 365, Azure Portal and thousands of other SaaS applications.
CONDITIONAL ACCESS
Conditional Access is a tool that Azure AD uses to allow or to deny access to
resources based on identity signals.
These signals include who the user is, where the user is and what device the user
is requesting access from.
Conditional Access provides a more granular multifactor authentication
experience for users.
During sign-in, Conditional Access collects signals from the user, makes decisions
based on those signals and then enforces the decision by allowing or denying the
access request.
1 – Define strategy
Here, you answer why you’re moving to the cloud and what you want to get of
cloud migration.
2 – Make a plan
Here, you build a plan that maps your aspirational goals to specific actions.
5 – Govern
Here, you begin to form your cloud governance and cloud management strategies.
You need to create resilient solutions that are constantly optimized.
6 – Manage
Here, you manage your applications in the cloud.
At the beginning of any cloud governance implementation, you identify a cloud
organization structure that meets your business needs.
This step often involves forming a cloud center of excellence team also called
cloud enablement team or cloud custodian team.
This team is empowered to implement governance practices from a centralized
location for the entire organization.
There are three main aspects to consider when you create and manage
subscriptions:
1. Billing
You can create one billing report per subscription.
But, if you have multiple departments and need to do a “chargeback” of
cloud costs, one possible solution is to organize subscriptions by
department or by project.
Resource tags can also help.
2. Access control
Every subscription is associated with an Azure Active Directory tenant.
Each tenant provides administrators the ability to set granular access
though defined roles by using Azure role-based access control.
3. Subscription limits
Subscriptions also have some resource limitations.
For example, the maximum number of network Azure ExpressRoute circuits
per subscription is 10.
Those limits should be considered during the design phase.
If you need to exceed those limits, you might need to add more
subscriptions.
Azure enables you to control access through Azure RBAC (Azure Role-Based
Access Control).
RBAC is applied to a scope, which can be:
• A management group,
• A single subscriptions or a collection of multiple subscriptions,
• A resource group,
• A single resource.
The kinds of users or accounts that would typically be assigned each of the
various roles are Observers, Users managing resources, Admins, Automated
process.
When you grant access to a parent scope, those permissions are inherited by all
child scopes.
For example:
• When you assign the Owner role to a user at the management group scope,
that user can manage everything in all subscriptions within the
management group;
• When you assign the Reader role to a group at the subscription scope, the
members of that group can view every resource group and resource within
the subscription;
• When you assign the Contributor role to an application at the resource
group scope, the application can manage resources of all types within that
resource group, but not other resource groups within the subscriptions.
Azure RBAC is applied on any action that’s initiated against an Azure resource
that passes through Azure Resource Manager.
Azure RBAC uses an allow model : when you’re assigned a role, RBAC allows you
to perform certain actions, such as read, write or delete.
If one role assignment grants you read permissions to a resource group and a
different role assignment grants you write permissions to the same resource
group, you have both read and write permissions on that resource group.
You manage access permissions on the Access Control (IAM) pane for a resource
group.
A resource lock prevents resources from being accidentally deleted or changed.
Think of a resource lock as a warning system that reminds you that a resource
should not be deleted or changed.
You can apply locks to a subscription, a resource group or an individual resource.
You can set the lock level to:
• CanNotDelete
• ReadOnly
To modify a locked resource, you must first remove the lock and after, you can
apply any action you have permissions to perform.
One way to organize related resources is to place them in their own subscriptions.
You can also use resource groups to manage related resources.
Another way is to use Resource tags.
Tags provide extra information, or metadata, about your resources. This metadata
is useful for:
• Resource management,
• Cost management and optimization,
• Operations management,
• Security (tags enable you to classify data by its security level, such as public
or confidential ),
• Governance and regulatory compliance,
• Workload optimization and automation.
TRUST CENTER
Trust Center showcases Microsoft’s principles for maintaining data integrity in the
cloud and how Microsoft implements and support security, privacy, compliance
and transparency in all Microsoft cloud products and services.
AZURE GOVERNMENT
Azure Government is a separate instance of the Microsoft Azure service.
It addresses the security and compliance needs of US federal agencies, state and
local governments and their solution providers.
Azure Pricing Calculator helps you to accurate cost estimates takes all of the
preceding factors into account.
There are some steps to estimate workload cost by using the Pricing calculator:
• Define your requirements,
• Explore the Pricing calculator,
• Estimate your solution,
• Add services to the estimate,
• Configure services to match your requirements,
• Review, share and save your estimate.
A service credit is the percentage of the fees you paid that are credited back to
you according to the claim approval process.
A SLA describes how Microsoft responds when an Azure service fails to perform to
its specification.
AZURE STATUS
Azure Status provides a global view of the health of Azure services and regions.
If you suspect there’s an outage, this is often a good place to start your
investigation.
From the Azure Status page, you can also access Azure Service Health.
Example:
The service lifecycle defines how every Azure service is released for public use.
Every Azure service starts in the development phase and in this phase, the Azure
team collects and defines its requirements and begins to build the service.
Next, the service is released to the public preview phase. During this phase, the
public can access and experiment with it so that it can provide feedback and your
feedback helps Microsoft improve services.
After a new Azure service is validated and tested, it’s released to all customers.
This is known as general availability (GA).
Appendix
Support plans
Azure offers several support plans:
• Basic
Available to all Microsoft Azure accounts, this is the only free plan and does
not have any active support from Azure: the user has access to community
forums, self-help documentation etc… ;
• Developer
Best suggested for trial and non-production environments, this plan has
active support from Azure in the form of access to support engineers via
email during standard business hours.
The response time from Microsoft is within 8 hours;
• Standard
Best suggested for production workload environments, this plan is an
upgrade of the Developer support plan and provides support in the form of
24×7 access to support engineers via email and phone.
The response time from Microsoft is within 1 hour;
• Professional Direct
Absolutely necessary for business-critical environments, this plan also
offers 24/7 technical support with one-hour response time but also includes
operational support, training and proactive guidance from a ProDirect
delivery manager.
If you have an enterprise agreement with Microsoft, you can purchase any of
these plans except the Developer plan and the bill will be incorporated in the
enterprise agreement.