Exam Objectives
• Design Identity, Governance, and Monitoring Solutions
• Design Data Storage Solutions
• Design Business Continuity Solutions
• Design Infrastructure Solutions
The AZ-305 exam focuses on the ability to make recommendations, so this course will focus on the information you need to know to recommend the proper solutions when asked to do so.
Designing Infrastructure Solutions
Azure Batch: Allows you to run large-scale parallel and high-performance computing (HPC) batch jobs, while also providing the ability to scale to tens, hundreds, or even thousands of VMs.
Key Takeaway
While you may often be better off leveraging PaaS services where you can, there will be times when VMs and IaaS are a better choice:
• Testing and Development
• Running Applications in the Cloud
• Extending Datacenter to the Cloud
• Disaster Recovery
• Lift and Shift
• Availability and Scalability are Required
• Large-scale Parallel and High-Performance Batch Jobs
Recommending a Container-Based Compute Solution
When to use containers…
Containers are often used to create solutions via a microservice architecture. A microservice architecture allows you to break a single solution down into smaller, independent pieces, such as a front end, a storage layer, and a back end, each of which can be built, deployed, and scaled separately.
[Figure: a static web application split into a front end, storage, and back end; static content is served from static website hosting over HTTP GET, deployment runs through CI/CD, and authentication is handled by Azure AD.]
Serverless computing is billed for only the time that the code runs.
[Figure: one execution of a function that runs for five minutes.]
KEY DIFFERENCE: Functions execute code, while Logic Apps execute workflows.
[Figure: example Logic Apps workflow: Submit Ticket → Determine Intent → Add User to CRM.]

| | Azure (Durable) Functions | Logic Apps |
|---|---|---|
| Connectivity | About a dozen built-in binding types; write code for custom bindings | Large collection of connectors; Enterprise Integration Pack for B2B scenarios; build custom connectors |
| Actions | Each activity is an Azure function; write code for activity functions | Large collection of ready-made actions |
| Management | REST API, Visual Studio | Azure portal, REST API, PowerShell, Visual Studio |
| Execution context | Can run locally or in the cloud | Runs only in the cloud |
Exam Tip
Azure Cache for Redis tier options:

| Option | Details |
|---|---|
| Memory | Basic and Standard tiers offer 250 MB – 53 GB of memory. Premium tier offers 6 GB – 1.2 TB. Enterprise tiers offer 12 GB – 14 TB of memory. |
| Performance | Premium and Enterprise tiers are deployed on underlying hardware with faster processors, which provides a significant performance boost versus the Basic or Standard tiers. Premium tiers have higher throughput and lower latencies. |
| Network performance | Premium and Enterprise tiers are good for workloads that require high throughput. |
| Maximum number of client connections | Premium and Enterprise tiers support higher numbers of connections for larger sized caches than lower tiers. |
| High availability | The SLA for Standard, Premium, and Enterprise caches guarantees a monthly uptime of 99.9%. The SLA only covers connectivity to cache endpoints. It DOES NOT cover protection from data loss. |
| Data persistence | Premium tier allows you to persist cache data to an Azure Storage account. Enterprise tier allows you to persist cache data to a Managed Disk. |
| Network isolation | Azure Private Link and vNet deployments in Azure can be used to provide enhanced security and traffic isolation for Azure Cache for Redis. |

VNet injection is a Premium-tier feature; Private Link is available across tiers. When a private endpoint is in place, set the cache's public network access to Disabled so it is reachable only through the private endpoint.
Azure Cache for Redis can be scaled from the Basic tier all the way up to the Premium tier, even after it has been created. Moving to the Enterprise tiers is not a scale operation; it requires creating a new cache.
EXAM TIP: If you are presented with a scenario where you have to handle high-value messages that cannot be lost or duplicated, Azure Service Bus would be the solution to choose.
Common messaging scenarios where Service Bus would be a good fit include:
Azure Event Grid is an eventing backplane:
• Event-driven, reactive programming
• Leverages publish-subscribe model
[Figure: a series of events (Event 1 to Event 4) flows into an event broker (for example, Event Hub) and on to a consumer subscribed to file-creation events; an Event Grid topic fans each event out to multiple subscribers.]
Designing Microsoft Azure Infrastructure Solutions © Thomas Mitchell / labITout Learning
Azure Event Grid can be used to build applications with event-based architectures. Azure Event Grid supports events that come from many different Azure services, and also supports your own events, via custom topics.
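The push delivery shown in the figure, seen from the subscriber's side, as an added example that is not part of the course material: a webhook endpoint must answer Event Grid's subscription-validation handshake before it receives anything, and it should then accept only events that name the topic it subscribed to, since a public URL can be POSTed to by anyone. The function and handler names, the subscription ID, storage account, validation code and event bodies below are constructed for illustration.

```python
"""Webhook subscriber logic for an Event Grid subscription (added example).

The subscription validation handshake and per-event dispatch for a system
topic (here: blob creation on a storage account). Every identifier below is
a constructed sample value, not a real resource.
"""
import json

VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def handle_delivery(body, expected_topic, handlers):
    """Handle one HTTP POST from Event Grid (a JSON array of events).

    Returns {"status": <http status>, "body": <response payload>} so the
    caller can serialise it for whatever web framework hosts the webhook.
    """
    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return {"status": 400, "body": {"error": "malformed JSON"}}
    if not isinstance(events, list) or not events:
        return {"status": 400, "body": {"error": "expected a non-empty event array"}}

    # Subscription validation handshake: when the subscription is created,
    # Event Grid sends a single validation event and keeps the subscription
    # only if the endpoint echoes the validationCode back.
    if events[0].get("eventType") == VALIDATION_EVENT_TYPE:
        if len(events) != 1:
            return {"status": 400, "body": {"error": "validation event must arrive alone"}}
        code = events[0].get("data", {}).get("validationCode")
        if not code:
            return {"status": 400, "body": {"error": "missing validationCode"}}
        return {"status": 200, "body": {"validationResponse": code}}

    # A public webhook can be POSTed to by anyone, so only process events that
    # name the topic this endpoint subscribed to. In production this check
    # sits alongside Azure AD authentication or a secret in the endpoint URL.
    for ev in events:
        if ev.get("topic") != expected_topic:
            return {"status": 403, "body": {"error": "event from unexpected topic"}}

    # Dispatch by eventType. Unknown types are acknowledged (HTTP 200) but
    # ignored; answering with an error would make Event Grid retry them.
    processed = []
    for ev in events:
        handler = handlers.get(ev.get("eventType"))
        if handler is not None:
            processed.append(handler(ev))
    return {"status": 200, "body": {"processed": processed}}


# --- constructed sample data -------------------------------------------------
STORAGE_TOPIC = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    "/providers/Microsoft.Storage/storageAccounts/stdemo"
)
VALIDATION_CODE = "512AE7C7-4F6B-4AB9-88AF-46DEAE9A2B3C"  # constructed value


def on_blob_created(ev):
    """Handler for the 'file creation' subscription from the figure above."""
    return {"id": ev["id"], "url": ev["data"]["url"]}


HANDLERS = {"Microsoft.Storage.BlobCreated": on_blob_created}


def make_event(event_type, topic, data, event_id="evt-1"):
    """Build one event in the Event Grid schema as a JSON array body."""
    return json.dumps([{
        "id": event_id,
        "topic": topic,
        "subject": "/blobServices/default/containers/uploads/blobs/report.pdf",
        "eventType": event_type,
        "eventTime": "2022-01-01T00:00:00Z",
        "data": data,
        "dataVersion": "1",
        "metadataVersion": "1",
    }])


VALIDATION_REQUEST = make_event(VALIDATION_EVENT_TYPE, STORAGE_TOPIC,
                                {"validationCode": VALIDATION_CODE})
BLOB_REQUEST = make_event("Microsoft.Storage.BlobCreated", STORAGE_TOPIC,
                          {"api": "PutBlob",
                           "url": "https://stdemo.blob.core.windows.net/uploads/report.pdf"})
FORGED_REQUEST = make_event("Microsoft.Storage.BlobCreated",
                            STORAGE_TOPIC.replace("stdemo", "stattacker"),
                            {"api": "PutBlob",
                             "url": "https://stattacker.blob.core.windows.net/x/evil.exe"})

if __name__ == "__main__":
    for name, body in [("validation", VALIDATION_REQUEST),
                       ("blob created", BLOB_REQUEST),
                       ("forged topic", FORGED_REQUEST)]:
        print(name, "->", handle_delivery(body, STORAGE_TOPIC, HANDLERS))
```

The topic check is the part people leave out: without it, anyone who discovers the webhook URL can feed the handler events that look exactly like the storage account's own.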
Migration Iterations

| Assess Workloads | Deploy Workloads | Release Workloads |
|---|---|---|
| Assess each workload migration batch to evaluate cost, architecture, and deployment tooling. | Replicate functionality to the cloud, using IaaS, PaaS, and other modernization options. | Test, optimize, document, and review. Release by handing off for governance, management, and security. |
Assess Workloads
When you assess your workloads, you evaluate cost, modernization, and deployment tooling. Focus on validating or challenging assumptions that were made during discovery. Study user patterns and dependencies.

Deploy Workloads
Replicate the existing functionality of those workloads in the cloud. Lift-and-shift and rehost are common ways to deploy workloads. Modernize workloads by taking advantage of cloud services.
Examples:
• Replace app servers with App Services
• Replace SQL servers with Azure SQL
Release Workloads
Test, optimize, document, and review. Release by handing off for governance, management, and security.
Cloud Migration in the Cloud Adoption Framework
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/migrate
Recommending a Solution for Migrating Apps, VMs, Data, and Databases to Azure
Tools for moving data include built-in copy utilities (robocopy, xcopy, rsync), commercial software, and open-source solutions.
ExpressRoute
• Faster Speeds
• Consistent Latencies
• Higher Security
The security and latency benefits come from ExpressRoute being a private connection that does not traverse the public internet. It does not encrypt traffic by itself, so where encryption is required, run IPsec over ExpressRoute (a VPN over the private peering) or use MACsec on ExpressRoute Direct.
PLANNING TABLE

| | Point-to-Site VPN | Site-to-Site VPN | ExpressRoute |
|---|---|---|---|
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS, ...) |
| Typical use case | Secure access to Azure virtual networks for remote users | Dev / test / lab scenarios and small to medium scale production workloads for cloud services and virtual machines | Access to all Azure services, Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site |
| Technical Documentation | VPN Gateway Documentation | VPN Gateway Documentation | ExpressRoute Documentation |
Requires no application or resource changes.

Standard is optimized for content delivery. Premium is optimized for security. If content optimization is more important than extensive security capabilities, Azure Front Door Standard would be a good choice.
*Network Watcher can also be used to view metrics and to determine relative latencies between Azure regions and internet service providers.
Network Watcher would be the tool of choice if you need to optimize network performance for applications.
Azure Web Application Firewall
Web Application Firewall provides centralized protection of web apps from things like SQL injection attacks and cross-site scripting attacks. Because its rules are applied centrally at the edge (on Application Gateway or Front Door), Web Application Firewall can react to security threats by virtually patching known vulnerabilities in one place rather than changing each application. Treat it as a defense-in-depth layer, not a replacement for fixing the application itself (parameterized queries, output encoding).

Exam Tip
If you encounter a question that mentions protecting a web app against SQL injection or cross-site scripting attacks, Web Application Firewall should probably be involved in your proposed solution.
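What "centralized protection" looks like mechanically, as an added example that is not the course's or Azure WAF's code: a handful of signature rules in the style of a managed rule set, applied to every inspected part of a request after URL-decoding, including the repeated decode that defeats the most common encoding bypass. The rule names, request shape and sample requests are constructed; Azure WAF's actual managed rules are the OWASP Core Rule Set and use anomaly scoring rather than the first-match decision shown here.

```python
"""Simplified model of a web application firewall rule set (added example).

A few signature rules applied to every inspected part of a request after
normalisation. Real managed rule sets carry hundreds of rules and score
anomalies; the inspection mechanism is the same.
"""
import re
from urllib.parse import unquote_plus

# (rule id, compiled signature). Patterns are deliberately specific so that
# ordinary text such as "union station" does not trip them.
RULES = [
    ("sqli-union-select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-comment-terminator", re.compile(r"'\s*(?:--|/\*)")),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("xss-event-handler", re.compile(r"\bon(?:load|error|click|mouseover)\s*=")),
    ("xss-javascript-uri", re.compile(r"javascript\s*:")),
]


def normalise(value, rounds=2):
    """URL-decode repeatedly (until stable or `rounds` passes) and lower-case.

    Attackers double-encode payloads so that a single decode still looks
    benign; matching only the raw bytes is the classic WAF bypass.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def inspect_request(request, mode="Prevention"):
    """Return the WAF decision for one request.

    request: {"path": str, "query": {name: raw value}, "headers": {name: value}, "body": str}
    mode: "Prevention" blocks on a match; "Detection" only logs it and lets it through.
    """
    locations = [("path", request.get("path", ""))]
    locations += [(f"query:{k}", v) for k, v in request.get("query", {}).items()]
    locations += [(f"header:{k}", v) for k, v in request.get("headers", {}).items()]
    locations += [("body", request.get("body", ""))]
    for location, raw in locations:
        value = normalise(raw)
        for rule_id, pattern in RULES:
            if pattern.search(value):
                action = "block" if mode == "Prevention" else "log"
                return {"action": action, "rule": rule_id, "location": location}
    return {"action": "allow", "rule": None, "location": None}


# --- constructed sample requests ---------------------------------------------
BENIGN = {"path": "/search", "query": {"q": "union station parking"},
          "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""}
SQLI_PLAIN = {"path": "/item", "query": {"id": "1' OR '1'='1"}, "headers": {}, "body": ""}
SQLI_ENCODED = {"path": "/item", "query": {"id": "1%27%20OR%20%271%27%3D%271"},
                "headers": {}, "body": ""}
XSS_DOUBLE_ENCODED = {"path": "/comment", "query": {}, "headers": {},
                      "body": "text=%253Cscript%253Ealert(1)%253C%252Fscript%253E"}
XSS_HEADER = {"path": "/", "query": {},
              "headers": {"Referer": "javascript:alert(document.cookie)"}, "body": ""}

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("sqli", SQLI_PLAIN),
                      ("sqli encoded", SQLI_ENCODED),
                      ("xss double-encoded", XSS_DOUBLE_ENCODED),
                      ("xss header", XSS_HEADER)]:
        print(f"{name:20s} {inspect_request(req)}")
```

Note that the double-encoded payload only matches because `normalise` decodes twice; a single decode leaves `%3Cscript` in the body, which no rule sees. That is the kind of gap a central rule update closes for every application behind the WAF at once.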
That was a long lesson! If you can at least remember what each offering does, you'll have a better shot at answering correctly when you are asked to recommend a solution that optimizes network security in Microsoft Azure.
Knowledge Check
The Blue Widget corporation uses ExpressRoute to establish connectivity between its on-prem network and Azure. You've noticed network connectivity issues between the on-prem VMware VMs and the VMs in Azure. Which tool should you use to analyze the network traffic to determine if or where packets are being denied to your virtual machines?
A. Azure Monitor
B. Network Watcher
C. Network Analyzer
D. NetFlow Logging
Load Balancing and Routing Solutions

Azure Load Balancer
Azure Load Balancers are typically used to load balance VMs across availability zones.
[Figure: a load balancer distributing traffic to VMs in Subnet 1 and Subnet 2.]

Azure Front Door
… achieved by deploying to a single region. If a regional outage affects the primary region, you can use Front Door to fail over to your secondary region.
[Figure: Front Door routing users in New York, Los Angeles, Berlin, Tokyo, and Auckland to regional back ends.]

Application Gateway
A web traffic load balancer that can make its routing decisions based on the attributes of an HTTP request. For example, requests for domain.com/images/* can be routed to an ImagePool and requests for domain.com/video/* to a VideoPool.
Traffic Manager
• A DNS-based load balancer.
• Used to distribute traffic to a public facing application across different global Azure regions.
• Provides public endpoints with high availability and quicker response.
• Directs requests, via DNS, to the appropriate service endpoint, based on the traffic-routing method you select.
• Health monitoring for every endpoint.
| Routing method | When to use |
|---|---|
| Weighted | Used when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints. |
| Performance | Used when you have endpoints in different geographic locations, and you want end users to use the "closest" endpoint for the lowest network latency. |
| Geographic | Used to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate from geographically. This routing method allows you to be in compliance with scenarios such as data sovereignty mandates, localization of content & user experience and measuring traffic from different regions. |
| MultiValue | Select MultiValue for Traffic Manager profiles that can only have IPv4/IPv6 addresses as endpoints. When a query is received for this profile, all healthy endpoints are returned. |
| Subnet | Used to map sets of end-user IP address ranges to a specific endpoint. When a request is received, the endpoint returned will be the one mapped for that request's source IP address. |
Image Source: docs.microsoft.com

Traffic Manager also offers a Priority routing method (an ordered active/passive failover list), which this table omits.
Traffic Manager + Load Balancer
Combine Traffic Manager and Load Balancer to build a multi-region N-tier application where Traffic Manager routes incoming requests to a primary region.
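The routing table above run as code, as an added example that is not from the course or from Microsoft: each routing method reduced to the decision Traffic Manager makes per DNS query, after the health-probe filter that applies to all of them. The endpoint records, latency table, geography codes and client addresses (RFC 5737 documentation ranges) are constructed; the real service derives the client's location and latency from the resolver's source IP and its own Internet Latency Table, and the function names are this example's own.

```python
"""Model of the DNS answer Traffic Manager gives under each routing method.

Added example. Endpoint records, latencies and client locations are
constructed; health is modelled as a boolean from the endpoint probe.
"""
import ipaddress
import random


def healthy(endpoints):
    """Every routing method first drops endpoints whose health probe fails."""
    return [e for e in endpoints if e["healthy"]]


def route_weighted(endpoints, rng):
    """One endpoint, chosen with probability proportional to its weight."""
    pool = healthy(endpoints)
    if not pool:
        return []
    chosen = rng.choices(pool, weights=[e["weight"] for e in pool], k=1)[0]
    return [chosen["name"]]


def route_performance(endpoints, client_location, latency_ms):
    """The healthy endpoint with the lowest latency from the client's location."""
    pool = healthy(endpoints)
    if not pool:
        return []
    best = min(pool, key=lambda e: latency_ms[(client_location, e["region"])])
    return [best["name"]]


def route_geographic(endpoints, client_geo_path):
    """client_geo_path lists the client's geography from least to most specific,
    e.g. ["WORLD", "GEO-EU", "DE"]; the endpoint mapped to the most specific
    matching code wins. Deliberately no fallback: sending the user to another
    geography would defeat the data-sovereignty reason for choosing this
    method, so an unhealthy match yields no answer."""
    best, best_depth = None, -1
    for e in endpoints:
        for depth, code in enumerate(client_geo_path):
            if code in e["geo"] and depth > best_depth:
                best, best_depth = e, depth
    return [best["name"]] if best is not None and best["healthy"] else []


def route_subnet(endpoints, client_ip):
    """Map the query's source IP to an endpoint by CIDR; an endpoint with an
    empty subnet list is the fallback for unmapped addresses."""
    ip = ipaddress.ip_address(client_ip)
    fallback = None
    for e in healthy(endpoints):
        if not e["subnets"]:
            fallback = e
        elif any(ip in ipaddress.ip_network(s) for s in e["subnets"]):
            return [e["name"]]
    return [fallback["name"]] if fallback else []


def route_multivalue(endpoints, max_return=10):
    """All healthy endpoints (up to max_return); the client picks and retries."""
    return [e["name"] for e in healthy(endpoints)][:max_return]


# --- constructed profile -----------------------------------------------------
ENDPOINTS = [
    {"name": "eastus", "region": "eastus", "weight": 3, "healthy": True,
     "geo": ["GEO-NA"], "subnets": ["203.0.113.0/24"]},
    {"name": "westeu", "region": "westeurope", "weight": 1, "healthy": True,
     "geo": ["GEO-EU"], "subnets": []},
    {"name": "germany", "region": "germanywestcentral", "weight": 1, "healthy": False,
     "geo": ["DE"], "subnets": ["198.51.100.0/24"]},
]
LATENCY_MS = {  # constructed stand-in for the Internet Latency Table
    ("client-de", "eastus"): 95, ("client-de", "westeurope"): 20,
    ("client-de", "germanywestcentral"): 8,
    ("client-us", "eastus"): 12, ("client-us", "westeurope"): 90,
    ("client-us", "germanywestcentral"): 100,
}


def weighted_share(endpoints, name, queries=10000, seed=1):
    """Fraction of answers naming `name` over many queries (deterministic seed)."""
    rng = random.Random(seed)
    hits = sum(route_weighted(endpoints, rng) == [name] for _ in range(queries))
    return hits / queries


if __name__ == "__main__":
    print("performance, client in DE:", route_performance(ENDPOINTS, "client-de", LATENCY_MS))
    print("geographic, client in DE: ", route_geographic(ENDPOINTS, ["WORLD", "GEO-EU", "DE"]))
    print("subnet, 198.51.100.7:     ", route_subnet(ENDPOINTS, "198.51.100.7"))
    print("multivalue:               ", route_multivalue(ENDPOINTS))
    print("weighted share of eastus: ", weighted_share(ENDPOINTS, "eastus"))
```

The unhealthy `germany` endpoint is what makes the cases interesting: Performance skips it and answers `westeu` even though Germany is nearer, Subnet falls through to the endpoint with no mapping, and Geographic answers nothing at all rather than route a German user abroad.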
SERVICE TIER COMPARISON (vCore-based)

| Resource type | | General Purpose | Hyperscale | Business Critical |
|---|---|---|---|---|
| Use Case | | Budget oriented balanced compute and storage options. | Most business workloads. Auto-scaling storage size up to 100 TB, fluid vertical and horizontal compute scaling, fast database restore. | OLTP applications with high transaction rate and low IO latency. Offers highest resilience to failures and fast failovers using multiple synchronously updated replicas. |
| Available In | | SQL Database / SQL Managed Instance | Single Azure SQL Database | SQL Database / SQL Managed Instance |
| Compute Size | SQL Database | 1 to 80 vCores | 1 to 80 vCores | 1 to 128 vCores |
| | SQL Managed Instance | 4, 8, 16, 24, 32, 40, 64, 80 vCores | N/A | 4, 8, 16, 24, 32, 40, 64, 80 vCores |
| | SQL Managed Instance pools | 2, 4, 8, 16, 24, 32, 40, 64, 80 vCores | N/A | N/A |
| Storage Type | All | Remote storage | Tiered remote and local SSD storage | Local SSD storage |
| Database Size | SQL Database | 1 GB – 4 TB | 40 GB – 100 TB | 1 GB – 4 TB |
| | SQL Managed Instance | 32 GB – 8 TB (16 TB in preview, depending on number of cores, Gen5 only) | N/A | 32 GB – 4 TB |
| Availability | All | 99.99% | 99.95% with one secondary replica, 99.99% with more | 99.99%; 99.995% with zone redundancy |
Exam Tip
Familiarize yourself with these bits of information because this is the type of stuff you normally look at when it comes time to recommend a service tier. That being the case, you can expect to see some questions on the exam that revolve around this type of stuff.
DTU Service Tiers

COMPARE THE DTU-BASED SERVICE TIERS

| | Basic | Standard | Premium |
|---|---|---|---|
| Uptime SLA | 99.99% | 99.99% | 99.99% |
| CPU | Low | Low, Medium, High | Medium, High |
| IOPS (approximate)* | 1-4 IOPS per DTU | 1-4 IOPS per DTU | >25 IOPS per DTU |
| IO latency (approximate) | 5 ms (read), 10 ms (write) | 5 ms (read), 10 ms (write) | 2 ms (read/write) |
| Columnstore indexing | N/A | S3 and above | Supported |
| In-memory OLTP | N/A | N/A | Supported |
Exam Tip
Basic is typically used in lab and dev environments, while you'd see Standard in what you might consider typical environments, where workloads are moderate. The Premium tier is usually reserved for the most demanding workloads.
[Figure: storage-side encryption flow: an API request over HTTPS delivers unencrypted blob data, which is encrypted with an encryption key before it is stored and decrypted again before data is returned.]
[Figure: cell-level or column-level encryption: a master key protects per-column keys, and User A and User B hold keys for different columns.]
Cell-Level Encryption
Cell-level or column-level encryption is available with Azure SQL Database:
• Apply symmetric encryption to a column of data by using T-SQL.
• Encrypt specific columns or cells of data with different encryption keys.
• Provides more granularity than TDE, since TDE encrypts data in pages (the whole data and log files at rest), not individual values.
[Figure: a table in which User A and User B can each read only the columns encrypted with their own key.]

Column-Level Encryption
Recommended for:
• Application developments that require better control and customizations.
Keep in mind that the symmetric keys live inside the database, protected by the database master key and a certificate, so any login that can open the key can read the data. This protects the values on disk and in backups, not against a privileged database user, and an encrypted column cannot be searched or indexed on its plaintext.
Azure Database for PostgreSQL
A relational database service available in the Microsoft cloud that's based on the PostgreSQL Community Edition database engine.
Use Cases for Azure Table Storage
Example: A table that holds customer data might store a customer's first name, last name, one or more telephone numbers, and one or more addresses for each customer in the table. Depending on the number of telephone numbers and addresses for each customer, the number of fields in each row can vary for each customer.
Example: If you use table storage to host a product catalog, the partition key could be the product category, and the row key can identify a specific product in that category.
Table storage can also be a good solution when implementing an IoT system where IoT device sensors collect data.
Table storage can be used for solutions that collect event logging and performance monitoring data.
Example: Data is collected and structured based on the type of event identified or the performance measure being recorded.
Hot tier is the default tier, and it's designed for blobs that are accessed frequently. Blob data in the Hot tier is stored on high-performance media.
Cool tier has lower performance than the Hot tier, but it incurs lower storage charges than the Hot tier. The Cool tier is used to store data that's accessed infrequently.
Archive tier offers the lowest storage costs, but with the lower costs comes increased latency. This tier is designed to host historical data that CANNOT be lost, but that is also only required rarely. Blobs in the Archive tier are effectively stored in an offline state.
Read latency for the Hot and Cool tiers is generally a few milliseconds. In the Archive tier, it can sometimes take HOURS for data to become available. To retrieve a blob from the Archive tier, you have to first change the access tier for the data to Hot or Cool (rehydration). Cool and Archive also carry minimum retention periods (30 and 180 days respectively), so data deleted or moved out early incurs an early-deletion charge; choose the tier for the access pattern, not just the price.
Use Cases for Azure Blob Storage
Soft Delete: You should enable container soft-delete for all storage accounts with a minimum retention interval of 7 days. Container soft delete recovers deleted containers; enable blob soft delete as well so individually deleted or overwritten blobs can be recovered.
Point-in-Time Restore: Allows you to restore a set of block blobs back to a previous point in time. Operations performed on containers, page blobs, or append blobs are NOT reverted. It requires blob soft delete, change feed, and blob versioning to be enabled on the account.
Blob Snapshot: Blob Snapshots allow you to manually save the state of a blob at a given point in time. Microsoft recommends blob snapshots as an alternative to blob versioning, if blob versioning isn't appropriate for your scenario.
Exam Tip
When presented with a data protection question, filter out extra information when reading the question. Focus on buzz words to sort out whether you need to protect a storage account, a container, or a blob. Look to see if versioning is mentioned as well. By focusing on those buzz words, the answer should be easier to formulate.
Azure Site Recovery for Azure, Hybrid, and On-prem Workloads
[Figure: an on-prem datacenter whose VMs and physical servers replicate through a process server and configuration server to a master target in Azure; continuous replication runs from the primary datacenter to the secondary datacenter.]
[Figure: Azure Files backup flow: (1) configure backup in the Recovery Services vault; (2) backups run on a user-defined schedule; Azure file share snapshots are taken and the incremental backup is saved in the vault.]

File-system consistent snapshots
Applications will likely need to do their own cleanup during startup to become consistent.

Crash Consistent Snapshots
Crash consistent snapshots typically occur when the VM being backed up is shut down at the time of the backup. No I/O operations are captured during this type of backup, nor are memory contents captured. Doesn't guarantee data consistency for OS or app.
Backup Policies
Backup policies allow you to define the backup frequency and the retention duration for backups. You can trigger VM backups daily or weekly, and they can be stored for years.
Snapshot tier: When a snapshot happens, it's stored locally for up to 5 days. Microsoft recommends restoring from snapshots because it's faster.
Vault tier: Snapshots are additionally transferred to the vault. When restoring from the vault tier, the recovery point type changes to "snapshot and vault", rather than "Instant Restore".
[Figure: the Azure Backup extension on an Azure VM takes a snapshot, which is retained locally and transferred to the Recovery Services vault.]
Restore Types
There are several restore options:
• Create a New VM
• Restore a Disk
• Replace an Existing Disk
• Cross-region Restore

Create a New VM: Creates a new VM from your chosen restore point. The new VM must be created in the same region as the source VM.
Restore Disk: Restores a VM disk. The restored VM disk can be used to create a new VM, or you can attach the restored disk to an existing VM. Useful when customizing the VM or adding configuration settings.
Replace Existing: Restore a disk and use it to replace an existing disk on the existing VM. Azure Backup takes a snapshot of the existing VM before replacing the disk. Existing disks are replaced with the selected restore point. The current VM must exist.
Cross-Region Restore: Allows you to restore Azure VMs in a secondary, paired region. Available with the Create a New VM option, and with the Restore Disk option.
Differential Backup: Captures everything that's changed since the last full backup. SQL Database makes a differential backup every 12 hours.
Long-term retention (LTR) policy can be configured to perform automatic weekly full backups. Storage of LTR backups depends on frequency and …
More Azure AD Features
Authentication features
• Self-service password reset
• Multifactor authentication
• Banned password lists
• Smart lockout
Hybrid Identity Features
• Azure Active Directory Connect
• Azure Active Directory Connect Health
Reporting and Monitoring Features
• Provide insights into the security and usage patterns within your organization
Privileged Identity Management (PIM)
• Manage, control, and monitor access to resources (requires Azure AD Premium P2)
Azure AD vs Traditional AD
Usually require Active Directory leverages managed identities that are managed
Services service accounts to run; creates a by Azure AD and are tied to the resource
security hole provider; can’t be used to gain backdoor access
Usually require Active Directory leverages managed identities that are managed
Services service accounts to run; creates a by Azure AD and are tied to the resource
security hole provider; can’t be used to gain backdoor access
Usually require Active Directory leverages managed identities that are managed
Services service accounts to run; creates a by Azure AD and are tied to the resource
security hole provider; can’t be used to gain backdoor access
Usually require Active Directory leverages managed identities that are managed
Services service accounts to run; creates a by Azure AD and are tied to the resource
security hole provider; can’t be used to gain backdoor access
Usually require Active Directory leverages managed identities that are managed
Services service accounts to run; creates a by Azure AD and are tied to the resource
security hole provider; can’t be used to gain backdoor access
Mobile Devices does not natively support them provides integration with Microsoft InTune
Windows Desktops Can be joined to the domain and Can be joined to the domain and managed with
managed with group policy Microsoft InTune
Windows Servers Can be joined to the domain and cannot be joined to an Azure Active Directory
managed with group policy
Linux Workloads does not support Linux workloads Linux and UNIX virtual machines in Azure can
natively leverage managed identities to access resources
Authentication credentials based on passwords, uses intelligent password protection, MFA, and
certificates, smart cards, and are self-service password reset
managed with password policies
Azure Identity Protection
Risk Levels (diagram): HIGH (highest confidence), MEDIUM, LOW.
• Security Reader
• Security Operator
• Security Administrator
• Global Reader
• Global Administrator
Role / Can do / Can't do:
• Global administrator: Can do: Full access to Identity Protection. Can't do: (nothing listed).
• Security administrator: Can do: Full access to Identity Protection. Can't do: Reset password for a user.
parent-child relationship.
How Azure RBAC works
Role assignments: the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope.
Used to manage access to resources:
• Creating a role assignment grants access.
• Revoking a role assignment removes access.
Multiple role assignments (diagram): a user assigned Contributor on one resource group and Contributor on a second resource group holds both assignments at once.
Azure RBAC is an additive model.
To do this:
• Define a management group hierarchy
• Define a naming convention
• Apply resource tagging when necessary
4 Levels of Management
• Management Groups
• Subscriptions
• Resource Groups
• Resources
(Diagram: Management Group > Subscription > Resource Group > Resource.)
Management groups can be used to manage access, policy, and compliance for multiple subscriptions.
Managing a handful of subscriptions is easy. Managing a large number of subscriptions is hard.
(Diagram: project-specific management groups, each containing subscriptions, resource groups, and resources.)
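The two ideas above, inheritance down the four-level hierarchy and the additive model, can be seen in a small evaluator. This is an added, constructed example, not Microsoft's implementation or code from this course; the scope ids, role definitions (simplified) and assignments are sample data.

```python
"""Constructed model of Azure RBAC evaluation (added example, not Microsoft's
implementation): assignments are additive and are inherited by child scopes."""
from fnmatch import fnmatchcase

# Scope hierarchy: management group > subscription > resource group > resource.
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"  # constructed
SUB = "/subscriptions/sub-1"                                        # constructed
RG_APP = SUB + "/resourceGroups/rg-app"
SA_APP = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp"
# A subscription's resource ID does not encode its management group, so keep that link.
SUBSCRIPTION_PARENT = {SUB: MG_CORP}

# Role definitions as (Actions, NotActions), simplified from the built-in roles.
# Azure's "*" wildcard spans path segments, which fnmatch reproduces.
ROLES = {
    "Reader": (["*/read"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    "Storage Account Contributor": (["Microsoft.Storage/storageAccounts/*"], []),
}

# Role assignments: (principal, role, scope). Constructed sample data.
ASSIGNMENTS = [
    ("alice", "Reader", MG_CORP),       # inherited by everything under the MG
    ("alice", "Contributor", RG_APP),   # adds write access in one resource group
    ("bob", "Storage Account Contributor", SA_APP),  # scoped to a single resource
]


def parent_scope(scope):
    """Return the next scope up the hierarchy, or None at the root."""
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        return scope.split("/providers/")[0]        # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]   # resource group -> subscription
    return SUBSCRIPTION_PARENT.get(scope)           # subscription -> management group


def scope_chain(scope):
    """The scope itself plus every ancestor, innermost first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def role_permits(role, action):
    """Azure matches operations case-insensitively; NotActions subtract from Actions."""
    actions, not_actions = ROLES[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in actions)
    excluded = any(fnmatchcase(act, p.lower()) for p in not_actions)
    return allowed and not excluded


def effective_roles(principal, scope):
    """Union of roles assigned to the principal at the scope or at any ancestor."""
    chain = set(scope_chain(scope))
    return {role for who, role, at in ASSIGNMENTS if who == principal and at in chain}


def is_allowed(principal, action, scope):
    """Additive model: granted if any effective role permits the action.
    Deny assignments, which Azure evaluates before role assignments, are not modelled."""
    return any(role_permits(r, action) for r in effective_roles(principal, scope))
```

Note that bob's assignment at the storage account grants nothing at the resource group above it: inheritance only flows downward.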
Naming Standards
Naming standards are useful for identifying
resources in the Azure portal, in automation
scripts, and even in billing statements.
Naming standards should include both business
and operational details in resource names.
• For example, you might use a resource's short
name, along with the business owners who are
responsible for the resource costs.
• Operational details in resource names should
include information that IT teams need.
Example: organizations often specify an Environment: Production name/value pair to identify production resources.
Resource Tags
• Make it easier to retrieve all resources in a subscription.
• Can be used to break out billing for resources.
• Each resource supports a max of 50 tag name/value pairs.
Exam Tip
Familiarize yourself with the levels of
hierarchy in Azure. Remember that they
include management groups, subscriptions,
resource groups, and resources.
Don’t forget how settings and policies filter
down through the parent-child relationship
of these levels.
Enforcing and Auditing Compliance
in Azure with Azure Policy
Azure File Share Snapshot Management (diagram):
1. Backup Policy: configure backup for the Azure file share.
2. Scheduled snapshots of the Azure file share.
3. Manage snapshot retention with the backup policy.
Exam Tip
You have two different backup and recovery
options for unstructured data, like blobs and file
shares: operational backup for blobs and
Azure file share backup.
Operational backup for blobs protects block
blobs from things like corruption, deletions, and
even accidental storage account deletion.
Azure file share backup protects Azure file shares.
Azure Monitor (overview diagram)
Insights: Application Insights, Container Insights, VM Insights.
Sources: Applications, Operating Systems, Azure Resources, Azure Subscriptions, Azure Tenants.
Data platform: Metrics, Logs.
Visualize: Dashboards, Views, Power BI, Workbooks.
Analyze: Metrics, Logs.
Respond.
Integrate: Logic Apps, APIs.
Monitoring Data Platform
Metrics data consists of numerical values that describe some aspect of a system at a specific point in time.
Log data contains different kinds of data organized into records with different sets of properties for each type.
Autoscale (diagram): Minimum = 2, Current = 3, Maximum = 5.
Visualizing
Monitoring Data
Azure Monitor allows you to visualize
your monitoring data via dashboards,
workbooks, and Power BI.
Dashboards
Azure Dashboards combine
different kinds of data into a
single pane of glass.
Example:
You can create a dashboard that
provides a complete picture by
including tiles that show a
metrics graphs, an activity log
table, a usage chart from
Application Insights, and the
output of a log query.
Workbooks can be used to perform data analysis and to create visual reports right in the Azure portal.
Power BI provides interactive visualizations across all kinds of data sources and is often used to make data available to people inside and outside the organization.
Exam Tip
Be sure to know which monitoring tools are
available, what they can monitor, and when they
should be used. Remember what Azure Monitor
does, what Application Insights offers, what VM
Insights offers, and what Container Insights does.
Be sure to visit the URL below to familiarize
yourself with ALL Azure Monitor features:
https://docs.microsoft.com/azure/azure-monitor/monitor-reference
Recovery Solutions for Databases
(Diagram: database, transaction logs, and Blob Storage.)
How to do it…
Via the Azure portal, select your
database server and click “Create
database.” In the “Additional Settings”
section, select “Backup” in the “Data
Source” section, and then select the
backup to restore from.
Exam Tip
To be prepared for the exam, make sure you
remember the different restore types that are
available for databases.
Azure Service Health
Best place to look for info about stuff that affects you, because
Service Health knows which services and resources YOU are using.
Resource Health
• Helps you diagnose issues and obtain support when an Azure service issue affects your resources.
• Provides details about the current and past state of YOUR resources and provides technical support to help mitigate problems.
• Shows when, in the past, your resources were unavailable due to Azure service problems.
Combined with Azure Monitor
notifications, Azure Service Health allows
you to stay informed about the
availability of your resources on a
minute-by-minute basis.
Because Service Health notifications are
stored in the Azure activity log, you can
even set up activity log alerts for service
health notifications, using the Azure
portal or even ARM templates.
Blueprint artifacts (Artifact / Scope / Description):
• ARM template (Subscription, Resource Group): Templates, including nested and linked templates, are used to compose complex environments. Example environments: a SharePoint farm, Azure Automation State Configuration, or a Log Analytics workspace.
• Policy Assignment (Subscription, Resource Group): Allows assignment of a policy or initiative to the subscription the blueprint is assigned to. The policy or initiative must be within the scope of the blueprint definition location. If the policy or initiative has parameters, these parameters are assigned at creation of the blueprint or during blueprint assignment.
• Role Assignment (Subscription, Resource Group): Add an existing user or group to a built-in role to make sure the right people always have the right access to your resources. Role assignments can be defined for the entire subscription or nested to a specific resource group included in the blueprint.
Exam Tip
Azure Blueprints allow cloud architects to define a
repeatable set of Azure resources that
implements and adheres to an organization's
standards and requirements.
If you encounter a question about building a new
environment that involves defining role
assignments, policy assignments, and deploying
Azure resources, Azure Blueprints is the solution
you should be thinking about.
Identity Governance in Azure AD
• Certificate Management:
Provision, manage, and deploy
public and private TLS and SSL
certificates.
Service Tiers
Standard Tier
• Encrypts with a
software key.
Premium Tier
• Includes HSM-
protected keys.
Why use Azure Key Vault?
Azure Key Vault can be used to centralize storage of application secrets in order to control the distribution of those secrets.
It simplifies things for developers, because they don't need to store security information within the apps that they are developing.
(Diagram: the app's connection string, xxxxx-xxxxxx-xx-xxxx-xxxxxx, is stored in Key Vault rather than in the app.)
Azure Key Vault can be used with many other Azure services (diagram: Azure AD for authentication and authorization, RBAC, Storage Accounts, Event Hub, Azure Monitor).
Microsoft Sentinel (diagram): Collect, Detect, Respond; events are ingested into Sentinel and you respond to incidents.
Azure AD Domain
Services works with your
existing Azure AD tenant
• Fully compatible with cloud
only Azure AD tenants
• Compatible with Azure AD
tenants that are synced with
an on-prem AD
• Users synced into Azure AD
will show up in Azure AD
domain services
How does Azure ADDS Work?
Multi-Tenant Management with Azure Lighthouse
(Diagram: Azure Services, ARM Templates, Azure Identity, APIs.)
Redundancy in the Primary Region
Data in an Azure Storage account is always replicated three times in the primary region, using one of:
• Locally Redundant Storage (LRS)
• Zone-Redundant Storage (ZRS)
(Diagram: with LRS, copies 1, 2, and 3 of the storage account live in a single datacenter in the primary region.)
Redundancy in ZRS
(Diagram: Zone-Redundant Storage copies data synchronously across datacenters in Availability Zone 1 and Availability Zone 2 of the primary region.)
(Diagram: with (RA-)GRS, the LRS copies in the primary region are geo-replicated to an LRS copy in the secondary region.)
GRS uses LRS to copy data synchronously 3 times within a single physical location in
the primary region, and then copies your data asynchronously to a single physical
location in the secondary region.
Within the secondary region, data is copied synchronously 3 more times using LRS.
Redundancy in the Primary Region with GZRS
(Diagram: Availability Zone 1, Availability Zone 2, and Availability Zone 3, each with a datacenter holding one copy of the storage account: Copy 1, Copy 2, and Copy 3.)
Zone-Redundant Storage copies data synchronously across three different Azure availability zones within the primary region.
Zone Redundant Storage is recommended for applications that require high availability.
(RA-)GZRS then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously three more times using LRS.
GRS vs GZRS
The key difference between GRS and GZRS is how
your data is replicated in the primary region:
• GRS uses LRS to copy data synchronously
three times within a single physical location
in the primary region.
• GZRS uses ZRS to copy your data
synchronously across three different Azure
availability zones in the primary region.
When using GRS or GZRS, the data in the
secondary region IS NOT available for read or
write access until and unless there’s a failover to
the secondary region.
Enabling Read
Access to the
Secondary Region
To enable read access to the
secondary region, configure your
storage account to use RA-GRS
or RA-GZRS.
How Data is Replicated with GRS or RA-GRS
(Diagram: three LRS copies in a datacenter of the primary region are geo-replicated to the secondary region, where three more LRS copies are kept.)
Availability for read requests:
• LRS: At least 99.9% (99% for cool access tier)
• ZRS: At least 99.9% (99% for cool access tier)
• GRS/RA-GRS: At least 99.9% (99% for cool access tier) for GRS; at least 99.99% (99.9% for cool access tier) for RA-GRS
• GZRS/RA-GZRS: At least 99.9% (99% for cool access tier) for GZRS; at least 99.99% (99.9% for cool access tier) for RA-GZRS
Availability for write requests:
• LRS, ZRS, GRS/RA-GRS, GZRS/RA-GZRS: At least 99.9% (99% for cool access tier)
Number of copies of data maintained on separate nodes:
• LRS: 3 copies within a single region
• ZRS: 3 copies across separate availability zones within a single region
• GRS/RA-GRS: 6 copies total, including 3 in the primary region and 3 in the secondary region
• GZRS/RA-GZRS: 6 copies total, including 3 across separate availability zones in the primary region and 3 locally redundant copies in the secondary region
DURABILITY AND AVAILABILITY BY OUTAGE SCENARIO
Outage Scenario LRS ZRS GRS/RA-GRS GZRS/RA-GZRS
*1 Account failover is required to restore write availability if the primary region becomes unavailable.
SUPPORTED AZURE STORAGE SERVICES
• LRS: Blob storage, Queue storage, Table storage, Azure Files (*1, *2), Azure managed disks
• ZRS: Blob storage, Queue storage, Table storage, Azure Files (*1, *2)
• GRS/RA-GRS: Blob storage, Queue storage, Table storage, Azure Files (*1)
• GZRS/RA-GZRS: Blob storage, Queue storage, Table storage, Azure Files (*1)
*1 Standard file shares are supported on LRS and ZRS. Standard file shares are supported on GRS and GZRS as long as they are less than or equal to five TiB in size.
*2 Premium file shares are supported on LRS and ZRS.
SUPPORTED STORAGE ACCOUNT TYPES
• LRS: General-purpose v2, General-purpose v1, Premium block blobs, Premium file shares, Legacy blob
• ZRS: General-purpose v2, Premium block blobs, Premium file shares
• GRS/RA-GRS: General-purpose v2, General-purpose v1, Legacy blob
• GZRS/RA-GZRS: General-purpose v2
Important!
Azure Premium Disk Storage
currently supports only locally
redundant storage. Block blob
storage accounts support both
LRS and ZRS in certain regions.
Exam Tip
Take the summary tables that I’ve included from
Microsoft’s storage documentation, and maybe
not memorize them, but really familiarize
yourself with the information in them.
This information is critical to being able to
recommend a storage solution that meets
specific durability and availability requirements.
Integrating Applications into Azure AD
(Diagram: on-prem apps behind AD & ADFS, published through Azure AD Application Proxy.)
How Azure AD AppProxy Works
(Diagram: a user requests https://app.bluewidgetcorp.com; the App Proxy connector running on-prem forwards the request to the internal app at https://app.)
https://docs.microsoft.com/azure/active-directory/app-proxy/what-is-application-proxy
Developers can use Microsoft Identity Platform to implement authentication
and authorization.
The Microsoft Identity Platform offers integration of features like passwordless
authentication, step-up authentication, and Conditional Access.
Apps integrated with the Microsoft
Identity Platform will be registered
with Azure AD and managed just
like any other app in your portfolio.
Microsoft Authentication Libraries,
or MSAL, is a part of the platform
that developers can use to enable
things like MFA and the use of
security keys to access apps.
Apps that are integrated with the
Microsoft identity platform can
access Microsoft Graph.