Designing Microsoft Azure Infrastructure Solutions

Designing Microsoft Azure Infrastructure Solutions © Thomas Mitchell / labITout Learning


Thomas Mitchell
• 25-year veteran of the IT industry
• Significant cloud experience
• Numerous Microsoft certifications
• Senior Systems Engineer and Architect
https://www.linkedin.com/in/thomas-j-mitchell
This course has been designed to help pass the AZ-305 exam.
Video Lectures

Hands-On Labs
Exam Objectives
Design Identity, Governance, and Monitoring Solutions
Design Data Storage Solutions
Design Business Continuity Solutions
Design Infrastructure Solutions
The AZ-305 exam focuses on the ability to make recommendations, so this course will focus on the information you need to know to recommend the proper solutions when asked to do so.
Designing Infrastructure Solutions
• Designing a compute solution
• Designing an application architecture
• Designing migrations
• Designing network solutions
Designing Identity, Governance, and Monitoring Solutions
• Design logging and monitoring solutions
• Design authentication and authorization solutions
• Design governance solutions
• Design identities and access for apps
• Design data storage solutions
Designing Data Storage Solutions
• Design data storage solutions for relational data
• Recommend data storage solutions
• Design data storage solutions for non-relational data
Designing Business Continuity Solutions
• Designing backup and disaster recovery solutions
• Designing for high availability
Section quizzes will test your grasp of the topics we cover.
Download Over 500 Slides!
Let’s Get Started!
Recommending a Virtual Machine-Based Compute Solution
Azure Virtual Machines
Azure VMs are an IaaS offering:
• You can completely customize the software that runs on a VM.
• Often recommended when you run
custom software.
• Azure VMs are the solution of choice
when you need total control.
• You are responsible for configuration,
updates, and maintenance of software
that runs on the VM.
There are several scenarios where you might want to use virtual machines.
Testing and Development
Because virtual machines are easy to deploy and
configure, they allow you to quickly spin up
different OS and application configurations that
developers can use for testing.
Run Applications in the Cloud
Cloud-based VMs can offer significant cost savings. This often comes up when an organization deploys an application that might need to handle fluctuations in demand.
• Shut down VMs when demand drops.
• Start VMs up to meet a sudden increase in demand.
• Pay only for the resources you use.
Extend Datacenter to the Cloud
Virtual machines and virtual networks can be used to extend the on-prem datacenter to the cloud.
This allows organizations to run apps like SharePoint on Azure VMs instead of running them on physical servers.
It makes it easier, and sometimes even less expensive, to deploy apps.
Disaster Recovery
Extending an on-prem datacenter to the cloud allows you to run apps in the cloud on VMs.
If the primary datacenter fails, you can create VMs in Azure to run the critical apps.
Once the primary datacenter comes back up, those VMs can be shut down.
Lift and Shift
Virtual machines are a good choice when you want to move from a physical on-prem server to the cloud: create an image of your physical server and create a VM from it.
Availability and Scalability
Use VM Scale Sets when you need high availability, scalability, and redundancy.
The number of instances in a scale set can automatically increase or decrease, based on demand or on a defined schedule.
Large-scale Parallel and High-Performance Batch Jobs
VMs are a good choice when you need to run large-scale parallel and high-performance computing batch jobs.
Azure Batch: Allows you to run large jobs, while also providing the ability to scale to tens, hundreds, or even thousands of VMs.
Key Takeaway
While you may often be better off leveraging PaaS
services where you can, there will be times when VMs
and IaaS are a better choice:
• Testing and Development
• Running Applications in the Cloud
• Extending Datacenter to the Cloud
• Disaster Recovery
• Lift and Shift
• Availability and Scalability are Required
• Large-scale Parallel and High-Performance Batch Jobs
Recommending a Container-Based Compute Solution
Virtual machines allow you to reduce costs when compared to on-prem hardware, but VMs only run a single OS.
Containers are often more useful if you need to run multiple instances of an app on a single host machine.
A container is a virtualization environment. You can run multiple containers on a single physical host, or even on a VIRTUAL host.
Containers are managed through a container orchestrator. There are two ways to manage Docker and Microsoft-based containers in Azure:
• Azure Kubernetes Service
• Azure Container Instances
Azure Container Instances (ACI)
The fastest and easiest way to run a container in Azure without the need to manage any virtual machines.
A PaaS offering that allows you to upload your containers, which it then runs for you.
Azure Kubernetes Service (AKS)
Azure Kubernetes Service is a complete
orchestration service for container solutions
with distributed architectures and large
volumes of containers.
When to use containers…
Containers are often used to create solutions via a microservice architecture.
A microservice architecture allows you to break a single solution down into smaller, independent pieces.
(Figure: a solution split into Front End, Storage, and Back End pieces.)
Exam Tip
Keep containers in mind when dealing with questions that revolve around solutions that might benefit from a microservice architecture.
Recommending an App Service Solution
Azure App Service is an Azure offering that allows you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice.
• Automatic scaling and high availability
• Supports both Windows and Linux
• Enables automated deployments from repositories like GitHub, Azure DevOps, and any Git repo.
Azure App Service is a PaaS offering that allows you to focus on your website and API logic.
Azure handles the infrastructure to run and scale the web applications that you deploy using the service.
Azure App Service hosts
common app services:
• Web apps
• API apps
• WebJobs
• Mobile apps
Hosting Web Apps with App Service:
• App Service provides full support for hosting web apps by using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python.
• You can choose either Windows or Linux as the host operating system.
Hosting API Apps with App Service:
• You can build REST-based web APIs with your choice of language and framework.
• You can package and publish your API in the Azure Marketplace.
WebJobs in App Service:
• Run programs or scripts in the same context as a web app, API app, or mobile app.
• Used to run background tasks as part of application logic.
Mobile Apps in App Service:
• Allows you to build a back end for both iOS and Android apps.
• Store mobile app data in a cloud-based SQL database, and authenticate customers against common social providers, like Facebook, Twitter, and Google.
• Send push notifications and execute custom back-end logic.
Exam Tip
App Service is a good solution when you need to host web-oriented applications.
If asked about hosting web-oriented apps, App Service should be your default choice, especially if the term “micro-architecture” is mentioned.
Recommending a Serverless Compute Solution
Serverless Computing is the abstraction of servers, infrastructure, and operating systems.
• Azure handles the management of the underlying server infrastructure AND allocation of resources.
• Scaling and performance are both handled automatically by Azure.
• You are only billed for the resources that you use.
Event-Driven Scale
Serverless is good for workloads that respond to incoming events.
(Figure: a serverless web application: static website hosting on a Storage Blob behind a CDN, an API published through API Management and implemented as a Function App backed by Cosmos DB, sign-in via Azure AD authentication, CI/CD with Azure Pipelines, and Azure Monitor for telemetry.)
Serverless computing is billed for only the time that the code runs.
(Figure: one execution that runs for five minutes.)
Two serverless compute options are available in Azure: Azure Functions and Logic Apps.
Azure Functions can execute code in just about all modern languages.
Azure Logic Apps are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.
Azure Functions
Azure Functions is a good choice if you are only concerned about the code running your service, and not the underlying infrastructure.
Often used when you need to perform work in response to some event, timer, or message from another Azure service.
NOTE: The work that needs to be completed has to be completed quickly, often within seconds or less.
Functions can scale automatically, based on demand, making them a good choice when demand is variable.
When using Azure Functions, you are only charged for the CPU time that’s used while your function runs.
Azure Logic Apps
Azure Logic Apps are similar to functions, insomuch as they both allow you to trigger logic based on an event.
KEY DIFFERENCE: Functions execute code, while Logic Apps execute workflows.
*Workflows are designed to automate business scenarios, and they’re built from predefined logic blocks.
(Figure: an example workflow: Submit Ticket, Determine Intent, then Generate Email Confirmation, Add Item to SharePoint, or Add User to CRM.)
Functions vs Logic Apps
Logic Apps and Functions can both create complex orchestrations.
Using Functions: you write code to complete each step.
Using Logic Apps: you use a GUI to define the actions and how they relate to one another.

Development
  Azure Functions: Code-first (imperative)
  Azure Logic Apps: Designer-first (declarative)
Connectivity
  Azure Functions: About a dozen built-in binding types; write code for custom bindings
  Azure Logic Apps: Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors
Actions
  Azure Functions: Each activity is an Azure function; write code for activity functions
  Azure Logic Apps: Large collection of ready-made actions
Monitoring
  Azure Functions: Azure Application Insights
  Azure Logic Apps: Azure portal, Azure Monitor logs
Management
  Azure Functions: REST API, Visual Studio
  Azure Logic Apps: Azure portal, REST API, PowerShell, Visual Studio
Execution context
  Azure Functions: Can run locally or in the cloud
  Azure Logic Apps: Runs only in the cloud
Exam Tip
If you encounter a question that requires you to recommend a compute solution in a particular scenario, I’d lean toward serverless if there is any mention of not wanting to deal with servers, infrastructure, or operating systems.
Familiarize yourself with the comparisons made in the Functions vs Logic Apps table.
Recommend a Caching Solution for Applications
Azure Cache for Redis is used to improve the performance of applications that use backend data stores heavily, and the scalability of those applications.
Azure Cache for Redis keeps frequently accessed data in server memory.
Azure Cache for Redis provides a low-latency, high-throughput data storage solution for modern applications.
(Figure: Azure Cache for Redis, offered as OSS Redis and Redis Enterprise.)
Azure Cache for Redis can be used as a distributed data or content cache, as a session store, or as a message broker.
KEY SCENARIOS
Data cache: Databases are often too large to load directly into a cache. It's common to use the cache-aside pattern to load data into the cache only as needed. When the system makes changes to the data, the system can also update the cache, which is then distributed to other clients.
Content cache: Using an in-memory cache provides quick access to static content such as website headers, footers, and banners that don’t change often, compared to backend datastores. This reduces processing time and server load, allowing web servers to be more responsive, and can even allow you to reduce the number of servers needed to handle loads.
Session store: Commonly used with shopping carts and other user history data that a web application might associate with user cookies. A typical solution uses a cookie as a key to query the data in a database. Using Azure Cache for Redis to associate information with a user is much faster than interacting with a full relational database.
Job and message queuing: Applications often add tasks to a queue when the operations associated with the request take time to execute. Longer-running operations are queued to be processed in sequence, often by another server. This method of deferring work is called task queuing.
Distributed transactions: Applications sometimes require a series of commands against a backend data store to execute as a single atomic operation. Azure Cache for Redis supports executing a batch of commands as a single transaction.
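The cache-aside pattern from the Data cache scenario, walked through as an added example that is not from the course or from any Azure SDK. FakeRedis, FakeDatabase, UserRepository and the user row are constructed stand-ins so it runs offline; a real deployment would make the same get/set calls through the redis client against the cache endpoint. The cache-loss step illustrates why the database, not the cache, stays the source of truth (the tier SLA covers endpoint connectivity, not data loss).

```python
import json
import time
from typing import Callable, Optional


class FakeRedis:
    """In-memory stand-in for a Redis client (constructed, not the real library)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._store: dict[str, tuple[str, Optional[float]]] = {}
        self._clock = clock  # injectable so TTL expiry can be driven deterministically

    def get(self, key: str) -> Optional[str]:
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]  # lazy expiry, like Redis
            return None
        return value

    def set(self, key: str, value: str, ex: Optional[int] = None) -> None:
        expires_at = self._clock() + ex if ex is not None else None
        self._store[key] = (value, expires_at)

    def flushall(self) -> None:
        """Stands in for any loss of cached data (eviction, failover, restart)."""
        self._store.clear()


class FakeDatabase:
    """Backend data store (constructed); counts reads to show what the cache absorbed."""

    def __init__(self, rows: dict[int, dict]) -> None:
        self.rows = {k: dict(v) for k, v in rows.items()}
        self.reads = 0

    def select(self, user_id: int) -> Optional[dict]:
        self.reads += 1
        row = self.rows.get(user_id)
        return dict(row) if row is not None else None

    def update(self, user_id: int, **fields) -> Optional[dict]:
        row = self.rows.get(user_id)
        if row is None:
            return None
        row.update(fields)
        return dict(row)


class UserRepository:
    """Cache-aside: read the cache first; on a miss, load from the database and
    populate the cache with a TTL. On a write, update the database and then refresh
    the cache entry so other clients of the shared cache see the new value."""

    def __init__(self, cache: FakeRedis, db: FakeDatabase, ttl_seconds: int = 300) -> None:
        self.cache, self.db, self.ttl = cache, db, ttl_seconds

    @staticmethod
    def _key(user_id: int) -> str:
        return f"user:{user_id}"

    def get_user(self, user_id: int) -> Optional[dict]:
        cached = self.cache.get(self._key(user_id))
        if cached is not None:
            return json.loads(cached)  # cache hit: no database round trip
        row = self.db.select(user_id)  # cache miss: the database is the source of truth
        if row is not None:
            self.cache.set(self._key(user_id), json.dumps(row), ex=self.ttl)
        return row

    def update_user(self, user_id: int, **fields) -> Optional[dict]:
        row = self.db.update(user_id, **fields)
        if row is not None:
            self.cache.set(self._key(user_id), json.dumps(row), ex=self.ttl)
        return row


def run_demo() -> dict:
    """Walk the pattern with a fake clock; returns what each step observed."""
    now = [0.0]
    cache = FakeRedis(clock=lambda: now[0])
    db = FakeDatabase({7: {"id": 7, "name": "alice", "tier": "standard"}})  # constructed row
    repo = UserRepository(cache, db, ttl_seconds=60)
    repo.get_user(7)                            # miss: loads from the database
    reads_after_first = db.reads                # 1
    repo.get_user(7)                            # hit: served from the cache
    reads_after_second = db.reads               # still 1
    repo.update_user(7, tier="premium")         # write, then refresh the cache entry
    tier_after_update = repo.get_user(7)["tier"]
    cache.flushall()                            # cached data lost; not covered by the SLA
    tier_after_loss = repo.get_user(7)["tier"]  # repopulated from the database
    now[0] = 61.0                               # TTL elapsed
    repo.get_user(7)                            # expired: reloaded from the database
    reads_final = db.reads                      # 3
    return {
        "reads_after_first": reads_after_first,
        "reads_after_second": reads_after_second,
        "tier_after_update": tier_after_update,
        "tier_after_loss": tier_after_loss,
        "reads_final": reads_final,
        "missing_user": repo.get_user(99),
    }


if __name__ == "__main__":
    print(run_demo())
```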
SERVICE TIERS
Tier Description
Basic An OSS Redis cache running on a single VM. This tier has no service-level agreement
(SLA) and is ideal for development/test and non-critical workloads.
Standard An OSS Redis cache running on two VMs in a replicated configuration.
Premium High-performance OSS Redis caches. This tier offers higher throughput, lower
latency, better availability, and more features. Premium caches are deployed on
more powerful VMs compared to the VMs for Basic or Standard caches.
Enterprise High-performance caches powered by Redis Labs' Redis Enterprise software. This tier
supports Redis modules including RediSearch, RedisBloom, and RedisTimeSeries.
Also, it offers even higher availability than the Premium tier.
Enterprise Flash Cost-effective large caches powered by Redis Labs' Redis Enterprise software. This
tier extends Redis data storage to non-volatile memory, which is cheaper than
DRAM, on a VM. It reduces the overall per-GB memory cost.
Choosing the Right Tier
Considerations when deciding on a tier:
• Memory
• Cache Performance
• Network Performance
• Max number of client
connections
• High Availability
• Data Persistence
• Network Isolation
Option Details
Memory: Basic and Standard tiers offer 250 MB – 53 GB of memory. Premium tier offers 6 GB – 1.2 TB. Enterprise tiers offer 12 GB – 14 TB of memory.
Performance: Premium and Enterprise tiers are deployed on underlying hardware with faster processors, providing a significant performance boost versus the Basic or Standard tiers. Premium tiers have higher throughput and lower latencies.
Network performance: Premium and Enterprise tiers are good for workloads that require high throughput.
Maximum number of client connections: Premium and Enterprise tiers support higher numbers of connections for larger-sized caches than lower tiers.
High availability: The SLA for Standard, Premium, and Enterprise caches guarantees a monthly uptime of 99.9%. The SLA only covers connectivity to cache endpoints. It DOES NOT cover protection from data loss.
Data persistence: Premium tier allows you to persist cache data to an Azure Storage account. Enterprise tier allows you to persist cache data to a Managed Disk.
Network isolation: Azure Private Link and vNet deployments in Azure can be used to provide enhanced security and traffic isolation for Azure Cache for Redis.
Azure Cache for Redis can be scaled from the Basic tier all the way up to the Premium tier, even after it has been created.
Scaling down to a lower tier IS NOT supported.
Exam Tip
You would be wise to remember the key scenarios, the service tiers that are available, and the different options.
Recommending a Messaging Architecture
Service Bus can be used to decouple applications and services from each other.
Service Bus is a message broker with message queues and publish-subscribe topics that can be used with enterprise-level applications that require transactions, ordering, duplicate detection, and instantaneous consistency.
EXAM TIP:
If you are presented with a scenario where you have to handle high-value messages that cannot be lost or duplicated, Azure Service Bus would be the solution to choose.
Common messaging scenarios where Service Bus would be a good fit include:
• Those where an app messaging solution is needed
• Those where you want to decouple apps and services
• Load balancing scenarios
• Scenarios where topics and subscriptions are required
App Messaging
Scenarios where business data is transferred.
Some examples include sales or purchase orders,
journals, and inventory movements.
Application Decoupling
Improves reliability and scalability of apps and
services. When the producer and the consumer of
the data do not have to be available at the same
time, load is leveled.
Load Balancing
Service Bus can be used to allow multiple
consumers to simultaneously read from the same
queue.
Topics and Subscriptions
Allows for 1:n relationships between publishers
and subscribers.
Exam Tip
If you see a question that mentions app
decoupling, and Service Bus is listed as
a possible answer, connect the dots and
answer correctly.
Recommending an Event-Driven Architecture
What is an Event?
An event is a notification of a condition or a change of state. The consumer of an event decides what to do with the event. Events can be discrete units or part of a series of events.
Discrete Events
Discrete events report state change and are actionable.
Event data contains information about WHAT happened, but not the data that actually triggered the event.
(Figure: a producer raises a File Creation event to an event broker (i.e. Event Hub), which delivers it to a consumer subscribed to File Creation.)
Series Events
Series events are events that report a condition.
Series events are analyzable, time-ordered, and interrelated.
(Figure: an event series, Event 1 through Event 4, flowing through an event broker (i.e. Event Hub) to a subscribed consumer.)
Azure Event Grid
Azure Event Grid is an eventing backplane:
• Event-driven, reactive programming
• Leverages publish-subscribe model
(Figure: one topic delivering events to multiple subscribers.)
Azure Event Grid can be used to build applications with event-based architectures.
Azure Event Grid supports events that come from many different Azure services, and also supports your own events, via custom topics.
Common use cases for Event Grid:
• Serverless application architectures
• Ops automation
• Application integration
Exam Tip
If you are asked how you can trigger a serverless function that does something like analyze images that are uploaded to a website, you might think about choosing Event Grid as the solution.
If you’re asked how you can notify Azure Automation whenever a VM gets created in your Azure subscription, again, see if Event Grid is a possible answer.
Azure Event Hubs
Azure Event Hubs is a big data streaming platform that functions as an event ingestion service that can receive and handle millions of events per second.
(Figure: event publishers, topics, event subscriptions, and event handlers.)
Common use cases for Event Hubs:
• Anomaly detection (fraud/outliers)
• Application logging
• Analytics pipelines, such as
clickstreams
• Live dashboarding
• Archiving data
• Transaction processing
• User telemetry processing
• Device telemetry streaming
Exam Tip
If you remember the common use cases for Event Grid and for Event Hubs, you should be able to answer most questions that ask you about recommending an event-driven architecture.
Recommending an Application Configuration Management Solution
Azure App Configuration
The key benefit of Azure App Configuration is that it allows you to centrally manage application settings and feature flags.
Use Cases
Scenario 1: You have microservices
that are based on Azure
Kubernetes Service, Azure Service
Fabric, or other some
containerized apps that are
deployed in multiple geographies.

Scenario 2: You are using


serverless apps, which include
Azure Functions or other event-
driven stateless compute apps.

Scenario 3: You are leveraging a


continuous deployment pipeline.
Important!
Remember that Azure App Configuration provides the following benefits:
• Simplifies centralized management and distribution of hierarchical configuration data for different environments / geographies
• Allows you to dynamically change application settings without the need to redeploy or restart an application
• Helps control feature availability in real-time
Exam Tip
If you encounter a question that sets up an example where you need to deploy a solution that can centrally manage application settings for a particular app with distributed settings, it’s probably a good bet that Azure App Configuration will be part of that solution, so you’d want to scan the available answers for Azure App Configuration.
Evaluating a Migration Solution that Leverages the Cloud Adoption Framework
When you migrate workloads to Azure in line with the Cloud Adoption Framework, your activities will typically fall into three phases: Assess Workloads, Deploy Workloads, and Release Workloads.
The Cloud Adoption Framework's Migrate Methodology is an iterative process of migrating one workload per release.
Migration Waves
The Plan, Ready, and Adopt strategy establishes a repeatable process for change management. Using this process establishes waves of workload migrations.
(Figure: Plan, Ready, Adopt.)
Migration Iterations
Assess Workloads: Assess each workload migration batch to evaluate cost, architecture, and deployment tooling.
Deploy Workloads: Replicate functionality to the cloud, using IaaS, PaaS, and other modernization options.
Release Workloads: Test, optimize, document, and review. Release by handing off for governance, management, and security.
Assess Workloads
When you assess your workloads, you evaluate cost, modernization, and deployment tooling.
Focus on validating or challenging assumptions that were made during discovery.
Study user patterns and dependencies.
Deploy Workloads
Replicate the existing functionality of those workloads in the cloud.
Lift-and-shift and rehost are common ways to deploy workloads.
Modernize workloads by taking advantage of cloud services.
Examples:
• Replace app servers with App Services
• Replace SQL servers with Azure SQL
Release Workloads
Test, optimize, document, and release cloud workloads for ongoing operations.
Review migrated workloads and hand them off to governance, operations management, and security teams for ongoing support.
Cloud Migration in the Cloud Adoption Framework

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/migrate
Recommending a Solution for Migrating Apps, VMs, Data, and Databases to Azure
Azure Migrate can be used to assess and migrate on-prem servers, infrastructure, applications, and data, using a single, centralized hub.
Provides several tools:
• Azure Migrate: Discovery and Assessment
• Azure Migrate: Server Migration
• Data Migration Assistant
• Azure Database Migration Service
• Azure App Service Migration Assistant
• Azure Data Box
Azure Migrate Discovery and Assessment: Assess and migrate servers, databases, and web apps. Can be used to discover and assess on-prem servers running on VMware, Hyper-V, and physical servers.
Azure Migrate Server Migration: Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
Data Migration Assistant: Stand-alone tool used to assess SQL Servers and to help identify potential problems that would block a migration.
Azure Database Migration Service: Migrate on-prem databases to Azure VMs running SQL Server, to Azure SQL Database, or to SQL Managed Instances.
Azure App Service Migration Assistant: A standalone tool that is used to migrate on-prem websites and web apps to Azure.
Azure Data Box: Move offline data to Azure.
Exam Tip
If you can remember all of the different integrated Azure Migrate tools, and what each one does, you shouldn’t have too much trouble answering questions about which tool to use to migrate a specific workload to Azure.
Recommending a Solution for Migrating Unstructured Data
An unstructured data migration is necessary when you have to migrate files from something like a NAS to an Azure file offering.
An object migration from an object storage solution to an Azure object storage platform, like Azure Blob Storage or Azure Data Lake Storage, is also considered an unstructured data migration.
(Figure: migration tooling options: AzCopy, robocopy, xcopy, rsync, commercial software, and open-source solutions.)
SUPPORTED AZURE SERVICES
Microsoft: Azure File Sync
  Azure Files support (all tiers): Yes
  Azure NetApp Files support: No
  Azure Blob Hot / Cool support: No
  Azure Blob Archive tier support: No
  Azure Data Lake Storage support: No
  Supported sources: Windows Server 2012 R2 and up
Datadobi: DobiMigrate
  Azure Files support (all tiers): Yes
  Azure NetApp Files support: Yes
  Azure Blob Hot / Cool support: Yes (via NFS preview)
  Azure Blob Archive tier support: No
  Azure Data Lake Storage support: No
  Supported sources: NAS & cloud file systems
Data Dynamics: Data Mobility and Migration
  Azure Files support (all tiers): Yes
  Azure NetApp Files support: Yes
  Azure Blob Hot / Cool support: Yes
  Azure Blob Archive tier support: No
  Azure Data Lake Storage support: No
  Supported sources: Any NAS and S3
Komprise: Intelligent Data Management
  Azure Files support (all tiers): Yes
  Azure NetApp Files support: Yes
  Azure Blob Hot / Cool support: Yes
  Azure Blob Archive tier support: Yes (as migration destination)
  Azure Data Lake Storage support: No
  Supported sources: NAS, Blob, S3
Recommending Connectivity Solutions that Connect Azure Resources to the Internet
All Azure resources that are connected to a vNet can communicate outbound to the internet, by default.
You can allow inbound communication to a resource FROM the internet by assigning a public IP address or by putting those resources behind a public Load Balancer – and those are the two options we are going to look at here.
Public IP Addresses
When you assign a public IP address to an Azure
resource that supports public IP addresses, you
can allow inbound communication from the
Internet to that resource.
xxx.xxx.xxx.xxx
Resources that support public IPs include Azure
Virtual Machines, Azure Application
Gateways, Azure Load Balancers, and Azure
VPN Gateways.

Assigning a public IP to an Azure resource also


enables outbound connectivity to the internet
using a predictable IP address.
Public Load Balancer
You can use a public Load Balancer to manage
outbound connections to the internet from Azure
resources. xxx.xxx.xxx.xxx

A public load balancer can be used to provide


outbound connections for VMs on your vNets.
Connection is created by translating the internal
private IP of resources to a public IP addresses. xxx.xxx.xxx.xxx

Ensures that traffic always appears to come from


the same address.
xxx.xxx.xxx.xxx
Key Takeaway

There are two ways to connect Azure


resources to the Internet.
• Assign public IP to your Azure resource.
• Put resource behind a public load balancer.
Exam Tip
When asked how to provide
inbound AND outbound internet
access for a VM without adding a
public IP to the VM, the answer is
usually the public load balancer.
Recommending Connectivity Solutions that Connect Azure Resources to On-Prem Networks

There are two ways to connect Azure resources to an on-prem network: VPN Gateway and ExpressRoute.

VPN Gateway: one VPN Gateway per vNet.
ExpressRoute: one VPN Gateway per vNet, connected through a 3rd-party connectivity partner.

ExpressRoute connectivity can be from any of the following:
• an any-to-any network
• a point-to-point Ethernet network
• virtual cross-connection through a connectivity provider

ExpressRoute connections DO NOT go over the public Internet.

ExpressRoute connections offer:
• Better Reliability
• Faster Speeds
• Consistent Latencies
• Higher Security
PLANNING TABLE

                         | Point-to-Site                                                 | Site-to-Site                                                                                            | ExpressRoute
Azure Supported Services | Cloud Services and Virtual Machines                           | Cloud Services and Virtual Machines                                                                     | Services list
Typical Bandwidths       | Based on the gateway SKU                                      | Typically < 1 Gbps aggregate                                                                            | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps
Protocols Supported      | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec   | IPsec                                                                                                   | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS, ...)
Routing                  | RouteBased (dynamic)                                          | We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)                            | BGP
Connection resiliency    | active-passive                                                | active-passive or active-active                                                                         | active-active
Typical use case         | Secure access to Azure virtual networks for remote users      | Dev / test / lab scenarios and small to medium scale production workloads for cloud services and virtual machines | Access to all Azure services, Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site
SLA                      | SLA                                                           | SLA                                                                                                     | SLA
Pricing                  | Pricing                                                       | Pricing                                                                                                 | Pricing
Technical Documentation  | VPN Gateway Documentation                                     | VPN Gateway Documentation                                                                               | ExpressRoute Documentation
FAQ                      | VPN Gateway FAQ                                               | VPN Gateway FAQ                                                                                         | ExpressRoute FAQ

Recommending a Solution to Optimize Network Security

There are 7 different Azure
products and services that
address network security:
• Azure Bastion
• Azure DDoS Protection
• Azure Firewall
• Azure Firewall Manager
• Azure Front Door
• Azure Network Watcher
• Azure Web Application Firewall
Azure Bastion
Azure Bastion is a service that allows you to connect to VMs via a web browser and the Azure portal (RDP / SSH over TLS).
Connecting to VMs with Bastion requires no public IP, agent, or client on your VMs.
Bastion helps optimize network security by eliminating the need to expose RDP and SSH ports on your VMs to the outside world.
Azure DDoS Protection
DDoS attacks rank among the largest availability and security concerns facing organizations that are moving to the cloud.

Azure DDoS Protection Basic
Azure DDoS Protection Basic automatically protects all resources in Azure for FREE.
Azure DDoS Protection Basic offers always-on traffic monitoring and real-time mitigation.

Azure DDoS Protection Standard
Azure DDoS Protection Standard is a paid offering.
Provides enhanced DDoS mitigation features.
Requires no application or resource changes.
Provides additional benefits over the Basic offering, like logging, alerting, and telemetry.
Exam Tip
Azure resources are automatically
protected by Azure DDoS Protection
Basic. Advanced protection and features
are enabled in the Standard plan.
If you encounter a question about DDoS
protection, understand that it’s already
provided at no cost. If you see
something about enhanced DDoS
protection, you should be thinking about
the DDoS Protection Standard option.
Azure Firewall
Azure Firewall is Microsoft’s managed, cloud-based network security service that protects Azure Virtual Network resources.
Azure Firewall can be used to create, enforce, and log application and network connectivity policies across multiple subscriptions and across multiple virtual networks.
Azure Firewall uses a static public IP address to represent your virtual network resources to the outside.
Azure Firewall allows you to set up inbound traffic filtering and outbound filtering.
Azure Firewall is normally used to filter inbound traffic that is non-HTTP/S, like RDP, SSH, and FTP.
If you need to filter inbound HTTP/S traffic, use Azure Web Application Firewall.
Exam Tip
If you are asked to recommend a
network security solution for a
scenario that requires you to filter
HTTP/S traffic, Azure Firewall would
be the wrong answer if Web
Application Firewall is also an option.
Azure Firewall Manager
Azure Firewall Manager is a security management service that offers centralized security policy and route management for cloud-based security perimeters.
Firewall Manager supports two network architecture types:
• Secured Virtual Hub
• Hub Virtual Network

Secured Virtual Hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that you can use to create hub and spoke architectures. When you associate security and routing policies with it, it is referred to as a secured virtual hub.

Hub Virtual Network
A hub virtual network is the standard Azure virtual network that you create and manage yourself when working in Azure. When you associate security policies with it, it’s referred to as a hub virtual network.

Exam Tip
Azure Firewall Manager makes it easier to centrally define network and application-level rules for traffic filtering across multiple Azure Firewall instances.
If you encounter questions about recommending a solution that allows central management of security policies and routes, you should be thinking about Azure Firewall Manager.
Azure Front Door
Azure Front Door is an application delivery network service.
Offers Layer 7 load-balancing capabilities for applications.
Provides dynamic site acceleration and global load balancing with near real-time failover.
Azure Front Door allows you to build, operate, and scale out dynamic web applications and static content.
Azure Front Door allows you to define, manage, and monitor global routing for web traffic.

Azure Front Door is available in two flavors:
• Standard
• Premium
Standard is optimized for content delivery. Premium is optimized for security.
If content optimization is more important than extensive security capabilities, Azure Front Door Standard would be a good choice.
If you have enhanced security requirements that must be met, it’s likely that Azure Front Door Premium would be the best option.

Azure Network Watcher
Azure Network Watcher is a suite of tools used for monitoring Azure virtual networks, diagnosing them, viewing metrics, and enabling or disabling logs for resources in them.
You can monitor and repair the network health of IaaS products:
• Virtual Machines
• Virtual Networks
• Application Gateways
• Load balancers
*You CANNOT use it for PaaS monitoring or Web analytics.
Exam Tip
If you encounter a question where you
need to recommend a network security
solution that allows you to do any of the
things in the list that I’m about to show
you, Azure Network Watcher is probably
your best bet.
Use Cases & Tools in Azure Network Watcher
Connection Monitor: Monitor communication between a VM and an endpoint
IP Flow Verify: Diagnose network traffic filtering problems to/from a VM
Next Hop: Diagnose network routing problems from a VM
Connection Troubleshoot: Diagnose outbound connections from a VM
Packet Capture: Capture packets to and from a VM
VPN Diagnostics: Diagnose problems with Azure Virtual network gateway & connections
Security Group View: View security rules for a network interface
NSG Flow Log: Analyze traffic to or from a network security group
Diagnostic Logs: View diagnostic logs for network resources

*Network Watcher can also be used to view metrics and to determine relative latencies between Azure regions
and internet service providers
Network Watcher would
be the tool of choice if you
need to optimize network
performance for applications.
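As an added example (not part of the course slides), here is a small Python parser for the records that Network Watcher's NSG Flow Log tool produces; it answers the "where are packets being denied" question by counting denied flows per NSG rule, destination and port. The sample record is constructed, and the version 2 flow-tuple layout (timestamp, source, destination, ports, protocol, direction, decision, flow state, packet and byte counts) is assumed from the flow log schema rather than taken from this page.

```python
"""Summarise denied traffic from an NSG flow log (version 2 schema).

Added example for this page; the sample record below is constructed and
the tuple field order follows the NSG flow log v2 schema as assumed here.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Field order of one v2 flow tuple (comma-separated string).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s")

# Constructed sample: one NSG record where the default deny rule drops
# RDP/SSH connection attempts and a custom rule allows HTTPS (private IPs only).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-15T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG-APP/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-APP",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound",
         "flows": [{"mac": "000D3A000001", "flowTuples": [
             "1705312800,192.168.10.5,10.1.0.4,51000,3389,T,I,D,B,,,,",
             "1705312805,192.168.10.5,10.1.0.4,51001,3389,T,I,D,B,,,,",
             "1705312810,192.168.10.7,10.1.0.4,51002,22,T,I,D,B,,,,",
         ]}]},
        {"rule": "AllowHttpsInBound",
         "flows": [{"mac": "000D3A000001", "flowTuples": [
             "1705312812,192.168.20.9,10.1.0.4,40000,443,T,I,A,B,,,,",
             "1705312820,192.168.20.9,10.1.0.4,40000,443,T,I,A,E,12,4096,10,8192",
         ]}]},
    ]},
}]})


def parse_tuple(rule, raw):
    """Turn one flow tuple string into a dict with typed fields."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected tuple layout: {raw!r}")
    rec = dict(zip(FIELDS, parts))
    rec["rule"] = rule
    rec["ts"] = datetime.fromtimestamp(int(rec["ts"]), tz=timezone.utc)
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    # Byte/packet counters are empty for flow state B (begin) and C (continue).
    for key in ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        rec[key] = int(rec[key]) if rec[key] else 0
    rec["protocol"] = {"T": "TCP", "U": "UDP"}.get(rec["protocol"], rec["protocol"])
    rec["direction"] = {"I": "inbound", "O": "outbound"}[rec["direction"]]
    rec["decision"] = {"A": "allow", "D": "deny"}[rec["decision"]]
    return rec


def parse_flow_log(text):
    """Flatten every flow tuple in a flow log document into a list of dicts."""
    flows = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"only v2 flow logs are handled, got {props.get('Version')}")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(rule_block["rule"], raw))
    return flows


def denied_summary(flows):
    """Count denied flows per (rule, destination IP, destination port, protocol).

    The rule name tells you *where* the packet was dropped: a DefaultRule_*
    name means no custom NSG rule matched the traffic at all.
    """
    counts = Counter()
    for f in flows:
        if f["decision"] == "deny":
            counts[(f["rule"], f["dst_ip"], f["dst_port"], f["protocol"])] += 1
    return counts


def bytes_allowed(flows):
    """Total bytes (both directions) reported on allowed flows."""
    return sum(f["bytes_s2d"] + f["bytes_d2s"]
               for f in flows if f["decision"] == "allow")


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_LOG)
    for (rule, dst, port, proto), n in denied_summary(parsed).most_common():
        print(f"{n:3d} denied  {proto}/{port} -> {dst}  by rule {rule}")
    print(f"{bytes_allowed(parsed)} bytes on allowed flows")
```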
Azure Web Application Firewall
Web Application Firewall provides centralized protection of web
apps from things like SQL injection attacks and cross-site scripting attacks.
Web Application
Firewall can react
to security threats by
centrally patching
known vulnerabilities.
Exam Tip
If you encounter a question that mentions
protecting a web app against SQL
injection or cross-site scripting attacks,
Web Application Firewall should probably
be involved in your proposed solution.
That was a
long lesson!
If you can at least remember
what each offering does,
you’ll have a better shot at
answering correctly when
you are asked to
recommend a solution that
optimizes network security
in Microsoft Azure.
Knowledge Check
The Blue Widget corporation uses ExpressRoute to establish connectivity between its on-prem network and Azure. You've noticed network connectivity issues between the on-prem VMWare VMs and the VMs in Azure.
Which tool should you use to analyze the network traffic to determine if or where packets are being denied to your virtual machines?

A. Azure Monitor
B. Network Watcher
C. Network Analyzer
D. NetFlow Logging
Load Balancing and Routing Solutions

Load balancing is used to optimize resource use, maximize throughput, and minimize response time, while avoiding overloading any single resource.
• Application Gateway
• Azure Front Door
• Load Balancer
• Traffic Manager

Azure Load Balancer
[Diagram: Zone-Redundant Load Balancer (Standard) in front of VMs in Zone 1 / Subnet 1 and Zone 2 / Subnet 2]
Azure Load Balancers are typically used to load balance VMs across availability zones.
They help protect apps and data from a failure or loss of an entire datacenter.

Azure Front Door
[Diagram: users in New York, Los Angeles and Berlin routed to Central US, East Asia and UK South, with Tokyo and Auckland as further regions]
Often used to provide higher availability for applications than can be achieved by deploying to a single region.
If a regional outage affects the primary region, you can use Front Door to fail over to your secondary region.

Application Gateway
[Diagram: requests for domain.com routed by path, /images/* to ImagePool and /video/* to VideoPool]
A web traffic load balancer that can make its routing decisions based on the attributes of an HTTP request.

Traffic Manager
A DNS-based load balancer.
Used to distribute traffic to a public-facing application across different global Azure regions.
Provides public endpoints with high availability and quicker response.
Directs requests, via DNS, to the appropriate service endpoint, based on the traffic-routing method you select.
Health monitoring for every endpoint.

Image Source: docs.microsoft.com


Traffic Manager
Used to deploy multi-tier applications that require HA and DR.
If the primary region becomes unavailable, Traffic Manager fails over to the secondary region.
The traffic-routing method you choose determines which endpoint is returned in the DNS response.

Image Source: docs.microsoft.com

Priority: Used when you want to have a primary service endpoint for all traffic. You can provide multiple backup endpoints in case the primary or one of the backup endpoints is unavailable.

Weighted: Used when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints.

Performance: Used when you have endpoints in different geographic locations, and you want end users to use the "closest" endpoint for the lowest network latency.

Geographic: Used to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate from geographically. This routing method allows you to be in compliance with scenarios such as data sovereignty mandates, localization of content & user experience and measuring traffic from different regions.

Multivalue: Select MultiValue for Traffic Manager profiles that can only have IPv4/IPv6 addresses as endpoints. When a query is received for this profile, all healthy endpoints are returned.

Subnet: Used to map sets of end-user IP address ranges to a specific endpoint. When a request is received, the endpoint returned will be the one mapped for that request’s source IP address.
Image Source: docs.microsoft.com
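An added example (not the course's or Microsoft's code) that models how each traffic-routing method above picks the endpoint returned in the DNS answer, so the difference between Priority, Weighted, Performance, Geographic, Subnet and MultiValue can be seen on one constructed profile. The endpoints, latencies and client ranges are made up, and the handling of unhealthy or unmatched clients in the Geographic and Subnet methods is an assumption stated in the comments.

```python
"""Model of how each Traffic Manager traffic-routing method selects the
endpoint returned in a DNS answer. Added example for this page, not
Microsoft's implementation; endpoints, latencies and ranges are constructed.
"""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    target: str                      # IP or DNS name returned to the client
    healthy: bool = True             # outcome of the endpoint health probe
    priority: int = 1                # Priority method: lowest value wins
    weight: int = 1                  # Weighted method: share of answers
    latency_ms: dict = field(default_factory=dict)  # Performance: client region -> ms
    geo: tuple = ()                  # Geographic: region codes, "WORLD" = catch-all
    subnets: tuple = ()              # Subnet: client CIDR ranges mapped here


def healthy(endpoints):
    return [e for e in endpoints if e.healthy]

def route_priority(endpoints):
    """All traffic goes to the live endpoint with the lowest priority value."""
    live = healthy(endpoints)
    return min(live, key=lambda e: e.priority).target if live else None

def route_weighted(endpoints, rng=random):
    """One live endpoint, chosen in proportion to the configured weights."""
    live = healthy(endpoints)
    if not live:
        return None
    return rng.choices(live, weights=[e.weight for e in live], k=1)[0].target

def weighted_share(endpoints, queries=2000, seed=1):
    """Fraction of answers each target receives over many queries (fixed seed)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(queries):
        target = route_weighted(endpoints, rng)
        counts[target] = counts.get(target, 0) + 1
    return {t: n / queries for t, n in counts.items()}

def route_performance(endpoints, client_region):
    """The live endpoint with the lowest latency from the client's region."""
    live = [e for e in healthy(endpoints) if client_region in e.latency_ms]
    return min(live, key=lambda e: e.latency_ms[client_region]).target if live else None

def route_geographic(endpoints, client_geo):
    """Most specific geographic mapping wins, then the WORLD catch-all.
    Assumption modelled here: a matched but unhealthy endpoint gives no answer."""
    for code in (client_geo, "WORLD"):
        for e in endpoints:
            if code in e.geo:
                return e.target if e.healthy else None
    return None

def route_subnet(endpoints, client_ip):
    """The endpoint whose client range covers the source IP; an endpoint with
    no ranges acts as the fallback (assumption modelled here)."""
    ip = ipaddress.ip_address(client_ip)
    fallback = None
    for e in healthy(endpoints):
        if not e.subnets:
            fallback = fallback or e
        elif any(ip in ipaddress.ip_network(s) for s in e.subnets):
            return e.target
    return fallback.target if fallback else None

def route_multivalue(endpoints, max_answers=10):
    """Every healthy IP-address endpoint (up to max_answers) in one answer."""
    answers = []
    for e in healthy(endpoints):
        try:
            ipaddress.ip_address(e.target)   # MultiValue endpoints must be IPs
        except ValueError:
            continue
        answers.append(e.target)
    return answers[:max_answers]


# Constructed profile: primary US region, EU region, and a catch-all endpoint.
ENDPOINTS = [
    Endpoint("eastus", "203.0.113.10", priority=1, weight=3,
             latency_ms={"US": 20, "EU": 95}, geo=("US",),
             subnets=("198.51.100.0/24",)),
    Endpoint("westeurope", "203.0.113.20", priority=2, weight=1,
             latency_ms={"US": 90, "EU": 15}, geo=("DE", "FR"),
             subnets=("192.0.2.0/24",)),
    Endpoint("fallback", "203.0.113.30", priority=3, weight=1,
             latency_ms={"US": 120, "EU": 120}, geo=("WORLD",)),
]
```

Mark the eastus endpoint unhealthy and re-run the functions to see which methods fail over (Priority, Performance, Weighted, MultiValue) and which do not (Geographic).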
Traffic Manager + Load Balancer
Combine Traffic Manager and Load Balancer to build a multi-region N-tier application where Traffic Manager routes incoming requests to a primary region.
Load Balancer in each region load balances across multiple backends.
If the primary region becomes unavailable, Traffic Manager fails over to the secondary region. I’ve personally built several solutions in almost this exact fashion.
Image Source: docs.microsoft.com
Exam Tip
Remember what each load balancing and
traffic routing solution does.
If presented with a question that mentions
directing people in different countries to
endpoints of an app in their own geography,
Traffic Manager is probably the go-to solution.
Spreading an app across multiple VMs in a
location will probably require Load Balancer.
Anything about layer 4 load balancing will
probably involve the Load Balancer option.
Recommending Database Service Tier Sizing

There are two different purchasing models available when purchasing Azure SQL Database or Azure SQL Managed Instance: the vCore-based model and the DTU-based model.
Available service tiers will differ, depending on the deployment model you choose AND on the purchasing model you select.

vCore-Based Purchasing Model
Available for both Azure SQL Database and Azure SQL
Managed Instance.
Provides flexibility, control, and transparency
Two tiers available:
• Provisioned Compute tier allows you to choose
the exact amount of compute resources that are
always provisioned for your particular workload.
• Serverless Compute tier allows you to specify the
autoscaling of the compute resources over a
configurable compute range, and to automatically
pause and resume the database, based on
workload activity.
DTU-Based Purchasing Model
Available only for Azure SQL Database.
Simple, preconfigured resource options.
Bundled compute and storage packages that are balanced for common workloads.

vCore Service Tiers
Two vCore service tiers available in both Azure SQL Database and Azure SQL Managed Instance:
• General purpose tier: budget tier that’s designed for most workloads with common performance and availability requirements.
• Business critical tier: designed more for performance-sensitive workloads with strict availability requirements.
Azure SQL Database also provides a third tier:
• Hyperscale tier is designed for most business workloads
• Highly scalable storage, read scale-out, fast scaling, and fast database restore capabilities
SERVICE TIER COMPARISON

Resource type                             | General Purpose                                       | Hyperscale                                                                                                                   | Business Critical
Use Case                                  | budget oriented balanced compute and storage options. | Most business workloads. Auto-scaling storage size up to 100 TB, fluid vertical and horizontal compute scaling, fast database restore. | OLTP applications with high transaction rate and low IO latency. Offers highest resilience to failures and fast failovers using multiple synchronously updated replicas.
Available In                              | SQL Database / SQL Managed Instance                   | Single Azure SQL Database                                                                                                    | SQL Database / SQL Managed Instance
Compute Size (SQL Database)               | 1 to 80 vCores                                        | 1 to 80 vCores                                                                                                               | 1 to 128 vCores
Compute Size (SQL Managed Instance)       | 4, 8, 16, 24, 32, 40, 64, 80 vCores                   | N/A                                                                                                                          | 4, 8, 16, 24, 32, 40, 64, 80 vCores
Compute Size (SQL Managed Instance pools) | 2, 4, 8, 16, 24, 32, 40, 64, 80 vCores                | N/A                                                                                                                          | N/A
Storage Type (All)                        | Remote storage                                        | Tiered remote and local SSD storage                                                                                          | Local SSD storage
Database Size (SQL Database)              | 1 GB – 4 TB                                           | 40 GB - 100 TB                                                                                                               | 1 GB – 4 TB
Database Size (SQL Managed Instance)      | 32 GB – 8 TB, 16 TB (Preview) depending on number of cores, Gen5 only | N/A                                                                                                          | 32 GB – 4 TB
Availability (All)                        | 99.99%                                                | 99.95% with one secondary replica, 99.99% with more                                                                          | 99.99%, 99.995% with zone
Exam Tip
Familiarize yourself with these bits of
information because this is the type of
stuff you normally look at when it
comes time to recommend a service
tier. That being the case, you can expect
to see some questions on the exam
that revolve around this type of stuff.
DTU Service Tiers
Service tiers in the DTU-based purchase model are broken out by compute sizes with a fixed amount of included storage, fixed retention period for backups, and fixed price.
Single databases and elastic pools are billed hourly based on service tier and compute size.
Azure SQL Managed Instance DOES NOT support the DTU-based purchasing model. It only supports the vCore model.
DTU service tiers only apply to Azure SQL Database.

DTU Service Tiers
Three DTU-based service tiers available:
• Basic
• Standard
• Premium
The service tier that you recommend will largely depend on business continuity requirements, storage requirements, and performance requirements.
COMPARE THE DTU-BASED SERVICE TIERS

                         | Basic                      | Standard                   | Premium
Target workload          | Development and production | Development and production | Development and production
Uptime SLA               | 99.99%                     | 99.99%                     | 99.99%
Maximum backup retention | 7 days                     | 35 days                    | 35 days
CPU                      | Low                        | Low, Medium, High          | Medium, High
IOPS (approximate)*      | 1-4 IOPS per DTU           | 1-4 IOPS per DTU           | >25 IOPS per DTU
IO latency (approximate) | 5 ms (read), 10 ms (write) | 5 ms (read), 10 ms (write) | 2 ms (read/write)
Columnstore indexing     | N/A                        | S3 and above               | Supported
In-memory OLTP           | N/A                        | N/A                        | Supported
Exam Tip
Basic is typically used in lab and dev environments, while you’d see Standard in what you might consider typical environments, where workloads are moderate. The Premium tier is usually reserved for the most demanding workloads.
Use this rule of thumb when answering questions about Azure SQL Database service tier recommendations and use cases.
Recommending a Solution
for Database Scalability

Designing Microsoft Azure Infrastructure Solutions © Thomas Mitchell / labITout Learning


Azure SQL Database and SQL Managed Instance both allow you to
dynamically add resources to a database with very little downtime.
Scaling can produce a brief “switchover period” where connectivity to the
database is lost for a short period of time.
When using Azure SQL Database, you
can modify resources that are allocated
to the databases hosted on it.

You can scale down resources


in Azure SQL Database when
they are no longer needed.
SQL costs can be reduced by
starting out with a small,
single database in the Basic,
Standard, or General-Purpose
service tiers and then
changing to Premium or
Business Critical as needed

Designing Microsoft Azure Infrastructure Solutions © Thomas Mitchell / labITout Learning


Dynamic Scalability
Dynamic scalability allows a database to
transparently respond to quickly-
changing resource requirements.
Dynamic scalability is separate and
distinct from autoscale.

*Autoscale allows a service to scale automatically,


based on defined criteria, dynamic scalability allows
you to manually scale with a minimal downtime.
Important Notes
Single databases in Azure SQL Database support manual dynamic scalability, but they DO NOT support autoscale.

If you are presented with a business need that requires a more automated solution, you might want to think about recommending elastic pools, since they allow databases to share resources in a pool, based on individual database needs. (The serverless compute tier, which scales compute for a single database automatically within a range you configure, is the other automated option.)

You can change DTU service tiers or vCore characteristics to meet demand as necessary.

Azure SQL Managed Instance uses only the vCore model. You can define the maximum CPU cores and the maximum amount of storage that can be allocated to your instance. All databases within the managed instance will then share the resources that have been allocated to the instance.

Launching a scale up or scale down action will restart the database engine process as it is moved to a different virtual machine.

Don't scale a managed instance during a long-running transaction, like a data import or an index rebuild.
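The scale operations described above, as an added PowerShell example that is not part of the course material. It assumes the Az.Sql and SqlServer modules, a session signed in with Connect-AzAccount, and placeholder names for the resource group, logical server, database, managed instance, and the instance's FQDN, all of which you would replace with your own.

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg     = 'rg-sql-demo'
$srv    = 'sql-demo-server'          # logical server, reached at $srv.database.windows.net
$db     = 'OrdersDb'
$mi     = 'sqlmi-demo'
$miFqdn = 'sqlmi-demo.abcdef123456.database.windows.net'   # placeholder MI host name

# --- Single database: dynamic scalability -----------------------------------
# Move from the DTU model (Standard) to the vCore model (General Purpose, Gen5, 4 vCores).
# The change ends with a brief switchover: open connections are dropped, so the
# application needs retry logic around transient errors.
Set-AzSqlDatabase -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -Edition 'GeneralPurpose' -ComputeGeneration 'Gen5' -VCore 4

# Scale back down when the peak is over to stop paying for idle capacity.
Set-AzSqlDatabase -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -Edition 'Standard' -RequestedServiceObjectiveName 'S1'

# --- Managed Instance: vCore model only ---------------------------------------
# Scaling restarts the engine process, so first check for long-running requests
# (an import or index rebuild would be rolled back). The token is an Azure AD token
# for the SQL resource; on Az 14+ .Token is a SecureString and needs converting.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString -SecureString $token -AsPlainText }

$busy = Invoke-Sqlcmd -ServerInstance $miFqdn -Database 'master' -AccessToken $token -Query @"
SELECT session_id, command, total_elapsed_time
FROM sys.dm_exec_requests
WHERE session_id > 50 AND total_elapsed_time > 300000;   -- user requests running > 5 minutes
"@
if ($busy) {
    $busy | Format-Table -AutoSize
    throw 'Long-running requests found; postpone the scale operation.'
}

# Raise the instance to 8 vCores and 512 GB. Every database on the instance shares this.
Set-AzSqlInstance -ResourceGroupName $rg -Name $mi -VCore 8 -StorageSizeInGB 512 -Force
```

The pre-check is the part worth keeping: the cmdlets themselves will happily restart the engine under a running bulk load, and the rollback of that load is what turns a short switchover into a long outage.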
Alternative Scaling Methods
Alternative scaling methods include Read Scale-Out and Database Sharding.
• Read scale-out provides one read-only replica of your data that you can execute demanding read-only queries against. Clients reach it by adding ApplicationIntent=ReadOnly to the connection string; it is available in the Premium, Business Critical, and Hyperscale tiers.
• Database sharding allows you to split your data into several databases and scale them independently.

Exam Tip
If asked to recommend a scalable SQL database solution, you have dynamic scaling at your disposal, you have autoscale (through elastic pools), and you have the alternative methods of read scale-out and database sharding.

It's important to remember which flavors of SQL support which scaling options, and what downtime ramifications there are to scaling.
Recommending a Solution for Encrypting Data at Rest

Data at rest refers to data in persistent storage on physical media, in a digital format.

Azure offers several ways to encrypt data across the SaaS platform, the PaaS platform, and the IaaS platform. It also offers ways to encrypt data that's stored in Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.
Azure Encryption Models for Data at Rest
There are several encryption models or strategies available in Azure for data at rest:
• Server-Side Encryption
• Client-Side Encryption
• Azure Disk Encryption
• Azure Storage Service Encryption
• Client-Side Encryption of Azure Blobs

SQL offers Transparent Data Encryption, the Always Encrypted feature, and cell-level or column-level encryption.

Other encryption models for data at rest include Cosmos DB database encryption and at-rest encryption in Data Lake.
Client-Side Encryption
Client-side encryption happens outside of Azure. It includes data that's been encrypted by an application running in your datacenter or by a service application.

[Diagram: the application holds the encryption key and encrypts the data itself; only encrypted blob data travels in the HTTPS API request to Azure Storage, so the service never sees the key or the plaintext.]
Server-Side Encryption
Available in three flavors:
• Service-managed keys offer a
combination of control and
convenience with low overhead.
• Customer-managed keys provide you
with control over the keys.
• Service-managed keys in customer-
controlled hardware allow you to
manage keys in your own proprietary
repository, which is outside of
Microsoft’s control. Most Azure services
do not support this model.
Azure Disk Encryption
• Protects both Windows and Linux VMs.
• Uses Windows BitLocker on Windows VMs, and Linux dm-crypt on Linux VMs.
• Protects OS disks and data disks with full volume encryption.
• Keys are secured in an Azure Key Vault, which must be in the same region and subscription as the VM; an optional key encryption key (KEK) in the vault can wrap the volume keys.
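Enabling Azure Disk Encryption on an existing VM, as an added PowerShell example that is not part of the course material. It assumes the Az.Compute and Az.KeyVault modules, a Key Vault already deployed in the VM's region and subscription, and placeholder resource names.

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg     = 'rg-ade-demo'
$vmName = 'vm-app-01'
$kvName = 'kv-ade-demo-001'   # Key Vault names are globally unique

# Key Vault must be in the same region and subscription as the VM and must allow
# the Azure Disk Encryption service to store volume keys in it.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
}

# Optional but recommended: a key encryption key (KEK) in the vault that wraps the
# BitLocker/dm-crypt volume keys, so the secrets ADE stores are themselves encrypted.
# Use -Destination 'HardwareProtected' on a Premium vault if you need an HSM-backed KEK.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination 'Software'
}

# Enable ADE on OS and data disks. The VM reboots during encryption; snapshot the disks first.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# Check: OsVolumeEncrypted and DataVolumesEncrypted should both read 'Encrypted'.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    Write-Warning 'OS disk not yet encrypted; encryption is still in progress or failed.'
}
```

Note the distinction from Storage Service Encryption: ADE encrypts inside the guest, so the key never leaves your vault's control and a copied VHD is unreadable without it, but it also means losing the vault (or the KEK) loses the VM.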
Azure Storage Service Encryption
Azure Storage Service Encryption automatically encrypts data before it is stored in Azure Storage and automatically decrypts it when it's retrieved. It cannot be disabled.
Storage Service Encryption uses 256-bit AES encryption.
Key management is handled transparently by the service with Microsoft-managed keys; if you need control over key rotation and revocation, you can instead supply customer-managed keys from Azure Key Vault.
Client-Side Encryption of Azure Blobs
Azure Storage Client Library for .NET NuGet package: encrypt data within client applications prior to uploading to Azure Storage.

Client-side encryption with Key Vault: data is encrypted using a one-time symmetric Content Encryption Key, which is encrypted with a Key Encryption Key, which can be managed locally or stored in Key Vault. Once encrypted, data is uploaded to Azure Storage.

Azure Storage Client Library for Java: performs client-side encryption on data before it's uploaded to Azure Storage. Can also be used to decrypt data when downloading it.
Encryption of data at rest with Azure SQL Database

Transparent Data Encryption    server-side encryption
Always Encrypted               client-side encryption

Transparent Data Encryption
TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption. In Azure SQL Database the service-managed TDE protector is an AES-256 key; you can bring your own key from Azure Key Vault if you need to control rotation and revocation.
The database file is encrypted at the page level. The pages in an encrypted database are encrypted before they get written to disk and decrypted when they are read into memory, so TDE does nothing to protect data from a principal who can already query the database.

Transparent Data Encryption is enabled by default on all newly created Azure SQL databases.
Always Encrypted
Encrypt data in the client app before it gets stored in the Azure SQL Database.
Protect sensitive data in Azure SQL Database or in a SQL Server database.
Encrypt data inside the client app, without revealing the encryption key to SQL.

[Diagram: the app sends an encrypted query to SQL Server and receives encrypted data back; the column encryption key is used by the client driver and is protected by a column master key that lives outside the database (for example in Azure Key Vault or a certificate store), so the database engine and its administrators never see plaintext.]
Cell-Level or Column-Level Encryption
Cell-level or column-level encryption is available with Azure SQL Database:
• Apply symmetric encryption to a column of data by using T-SQL.
• Encrypt specific columns or cells of data with different encryption keys, so that, for example, User A can open one key and User B another.
• Provides more granularity than TDE, since TDE encrypts data in pages.

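The two server-side SQL options above, as an added PowerShell example that is not part of the course material: it confirms TDE on a database and then adds column-level encryption with T-SQL. It assumes the Az.Sql and SqlServer modules, an Azure AD identity with rights on the database, and a placeholder table dbo.Payments(PaymentId INT, CardNumber NVARCHAR(19)).

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg  = 'rg-sql-demo'
$srv = 'sql-demo-server'
$db  = 'OrdersDb'

# 1) TDE is on by default for new databases. Confirm rather than assume, because a
#    database restored or migrated from an older source may have it disabled.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv -DatabaseName $db
if ($tde.State -ne 'Enabled') {
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -State 'Enabled'
}

# 2) Column-level encryption. The key hierarchy (master key -> certificate -> symmetric key)
#    lives inside the database, so the engine sees plaintext while the key is open; that is the
#    difference from Always Encrypted. Single quotes in the password are doubled to keep the
#    literal valid.
$dmkPassword = Read-Host -Prompt 'Database master key password' -AsSecureString
$pw = (ConvertFrom-SecureString -SecureString $dmkPassword -AsPlainText).Replace("'", "''")

$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString -SecureString $token -AsPlainText }
$conn = @{ ServerInstance = "$srv.database.windows.net"; Database = $db; AccessToken = $token }

# Batch 1: keys and the new column. Kept separate because a batch that adds a column
# and then references it fails to compile.
Invoke-Sqlcmd @conn -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$pw';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'CardCert')
    CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the CardNumber column';
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = 'CardKey')
    CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;
IF COL_LENGTH('dbo.Payments', 'CardNumberEnc') IS NULL
    ALTER TABLE dbo.Payments ADD CardNumberEnc VARBINARY(256);
-- Per-user access: only principals that can open the key can read the column.
-- GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO UserA;
-- GRANT CONTROL ON CERTIFICATE::CardCert TO UserA;
"@

# Batch 2: encrypt the existing plaintext and read it back.
Invoke-Sqlcmd @conn -Query @"
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
UPDATE dbo.Payments
   SET CardNumberEnc = EncryptByKey(Key_GUID('CardKey'), CardNumber)
 WHERE CardNumberEnc IS NULL AND CardNumber IS NOT NULL;
-- DecryptByKey returns NULL in any session that has not opened the key.
SELECT TOP (5) PaymentId, CONVERT(NVARCHAR(19), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardKey;
-- Once the application reads CardNumberEnc, drop the plaintext column:
-- ALTER TABLE dbo.Payments DROP COLUMN CardNumber;
"@ | Format-Table -AutoSize
```

The grants in the first batch are where the "User A / User B" granularity from the slide comes from: TDE gives every authenticated user the same view, whereas here a user who cannot open CardKey sees only NULLs.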


Cosmos DB Database Encryption
User data stored in Cosmos DB on solid-state drives is encrypted by default.
Cosmos DB database encryption cannot be turned off or disabled.
Encryption keys for Cosmos DB database encryption are managed by Microsoft by default; customer-managed keys in Azure Key Vault can be configured when the account is created.

At-rest Encryption in Data Lake
Data Lake Store supports "on by default" encryption of data at rest. Transparent encryption is enabled during the creation of the account.

Exam Tip
As far as the exam goes, be sure to understand, at least at a high level, what each of these types of encryption options offers for data at rest.

Recommending a Solution for Encrypting Data in Transit

Encrypting Data in Transit
• Data-link Layer Encryption
• TLS Encryption
• Encrypted Azure Storage Transactions
• SMB Encryption over Azure vNets
• In-transit Encryption in VMs:
• RDP and SSH
• VPN Encryption Options:
• Encrypted VPN Gateways
• Point-to-Site VPNs
• Site-to-Site VPNs
• In-transit Encryption in Data Lake
Data-link Layer Encryption
When traffic moves beyond physical boundaries that are controlled by Microsoft, it's protected via MACsec (IEEE 802.1AE). MACsec protection is enabled by default for all Azure traffic traveling within a region or between regions.
This protects the links between Microsoft facilities; traffic between your clients and Azure, and between your own resources inside a datacenter, still needs application-layer protection such as TLS.

TLS Encryption in Azure
To protect data when in transit between the Azure cloud services and customers, Microsoft provides customers with the ability to use TLS. Many services let you set a minimum TLS version (TLS 1.2 is the recommended floor) so older clients cannot negotiate down.

Azure Storage Transactions
Azure Storage transactions are encrypted. All transactions occur over HTTPS.
The Storage REST API can also be used over HTTPS to interact with Azure Storage.
To enforce HTTPS when you call the REST APIs to access objects in storage accounts, you can enable secure transfer for the storage account. Secure transfer also rejects unencrypted SMB connections to Azure Files.
Shared Access Signatures include the option to specify that only the HTTPS protocol can be used with the signature.
SMB 3.0 is used to access Azure Files shares.
Client-side encryption encrypts data before it gets sent to an Azure Storage instance.
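The transport controls above applied to one storage account, as an added PowerShell example that is not part of the course material. It assumes the Az.Storage module, a signed-in session, and placeholder names for the resource group, account, container and blob.

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg   = 'rg-storage-demo'
$acct = 'stdemoprivate001'   # storage account names are globally unique

# Secure transfer required rejects plain-HTTP REST calls and unencrypted SMB;
# the TLS floor stops clients negotiating TLS 1.0/1.1.
Set-AzStorageAccount -ResourceGroupName $rg -Name $acct -EnableHttpsTrafficOnly $true -MinimumTlsVersion 'TLS1_2'

# Check: both settings should read back as set.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $acct
if (-not $sa.EnableHttpsTrafficOnly -or $sa.MinimumTlsVersion -ne 'TLS1_2') {
    throw 'Transport hardening not applied'
}

# A read-only, short-lived, HTTPS-only SAS for one blob, signed with the account key.
# A SAS is a bearer credential: anyone holding the URL has the access it grants until
# it expires, so keep the lifetime short and the permission set minimal.
$sas = New-AzStorageBlobSASToken -Container 'reports' -Blob 'q3.pdf' -Permission 'r' `
    -Protocol 'HttpsOnly' -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) `
    -Context $sa.Context

# Preferred when the issuer can authenticate to Azure AD: a user-delegation SAS. It is
# signed with Azure AD credentials instead of the account key and becomes invalid if the
# delegation key is revoked or the issuer loses its RBAC role.
$aadCtx = New-AzStorageContext -StorageAccountName $acct -UseConnectedAccount
$udSas = New-AzStorageBlobSASToken -Container 'reports' -Blob 'q3.pdf' -Permission 'r' `
    -Protocol 'HttpsOnly' -ExpiryTime (Get-Date).AddHours(1) -Context $aadCtx

"https://$acct.blob.core.windows.net/reports/q3.pdf$udSas"   # the token already starts with '?'
```

An http:// request with either token now fails twice over: the account rejects insecure transport and the SAS itself is scoped to HTTPS, so a SAS leaked into a log or proxy cannot be replayed over plaintext.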
SMB Encryption over Azure Virtual Networks
SMB encryption is available over Azure virtual networks.
You can use SMB 3.0 on VMs running Windows Server 2012 or later to make data transfers more secure (SMB 3.0 encrypts with AES-CCM; SMB 3.1.1 negotiates AES-GCM).
SMB encryption can be enabled for an entire server, or just for specific shares on the server.

NOTE: Once you enable SMB encryption for a share or server, only SMB 3.0 (or later) clients will be allowed to access the encrypted shares; older clients are rejected unless unencrypted access is explicitly allowed on the server.
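Server-wide and per-share SMB encryption on a Windows Server VM, as an added PowerShell example that is not part of the course material. It runs inside the VM (Windows Server 2012 or later) with the built-in SmbShare module; the share name is a placeholder.

```powershell
# Added example, not from the course. Run on the file server VM as an administrator.

# Option A: encrypt every share on the server.
Set-SmbServerConfiguration -EncryptData $true -Force

# Option B: encrypt only the share that holds sensitive data.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# Keep the default of rejecting clients that cannot encrypt, rather than letting
# pre-SMB3 clients fall back to plaintext, and turn off SMB1 so it cannot be negotiated at all.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify the server settings and which shares are encrypted.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, EncryptData

# Dialect 3.x is required for encryption; anything lower here is a client that will be
# refused once the settings above are in place.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
```

Option B is usually the right recommendation when only one share is sensitive: encryption costs CPU on both ends and, with RejectUnencryptedAccess left on, a server-wide setting locks out every legacy client at once.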
In-transit Encryption in Virtual Machines
Data that's in transit to, from, and between virtual machines, whether they run Windows or Linux, can be encrypted in a few different ways. Both RDP and SSH are available.

RDP Sessions
You can connect to a VM by using RDP from a Windows machine, or from a Mac with an RDP client installed. Data that's in transit over the network in an RDP session can be protected by TLS.

Secure Access to Linux VMs with SSH
Remote management of Linux VMs can be performed over SSH. SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections.
SSH keys remove the need for passwords to sign in; once key-based login works, disable password authentication on the VM so brute-force attempts against the exposed port have nothing to guess.
Azure VPN Gateways
Used to send encrypted traffic over the internet between an Azure virtual network and an on-prem location. Can also send encrypted traffic between virtual networks. Site-to-site VPNs use IPsec for transport encryption.

[Diagram: an IPsec/IKE site-to-site VPN tunnel between the VPN gateway's public IP in an Azure vNet and the public IP of the on-prem datacenter's VPN device.]

Point-to-Site VPNs in Azure
Point-to-site VPNs allow access from an individual client computer to an Azure vNet via SSTP (Windows only), IKEv2, or OpenVPN.
Point-to-site VPNs can traverse firewalls, because SSTP and OpenVPN run over TCP port 443.

[Diagram: VPN clients connecting over the internet to the gateway subnet of an Azure vNet that also contains a resource subnet.]

Site-to-site VPNs in Azure
Site-to-site VPNs can be used to connect an on-prem network to an Azure virtual network through an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
A site-to-site VPN requires an on-prem VPN device with an external-facing public IP assigned to it.

[Diagram: the on-prem datacenter's VPN device and the Azure vNet's gateway subnet joined by an IPsec/IKE S2S tunnel, with the vNet's resource subnet behind the gateway.]
In-transit Encryption in Data Lake
Data in motion is always encrypted in Data Lake Store. It's encrypted just prior to being stored in persistent media and is also always secured in transit by using HTTPS.

Key Management with Key Vault
Azure Key Vault is used for managing and controlling access to encryption keys that are used by cloud services.
You can configure permissions to access keys that can be assigned to services and users through Azure Active Directory identities, either with vault access policies or, preferably, with Azure RBAC data-plane roles such as Key Vault Crypto User.
It allows you to maintain control of encryption keys: you decide who can use, rotate, or revoke a key, and keys in a Premium vault or Managed HSM never leave the HSM boundary in plaintext.
Recommending a Solution for Storing Relational Data

Relational Data
Relational data adheres to a strict schema because all the data contains the same fields or properties.
Relational data can be easily searched using query languages like Structured Query Language.
Relational data is a good fit for things like CRM systems, reservations, and inventory management.

Relational data is stored in database tables that consist of rows and columns. Key columns are used to indicate how one row in a table relates to the data in another row of another table.

There are several Azure services that are available for storing relational data.

Azure SQL Database
Azure SQL is a family of managed, secure, and intelligent solutions that use the SQL Server database engine in the Azure cloud.
Azure SQL Database is Microsoft's managed database service, which includes serverless compute.
Azure SQL Managed Instance is a fully managed SQL instance as a service that's helpful when you want to migrate and store relational data in the cloud.
SQL Server on Azure VMs is a SQL offering in Azure that you can use to lift-and-shift on-prem SQL Server workloads to Azure.
Azure Database for MySQL
Azure Database for MySQL is another relational database service available in the Microsoft cloud.
Two deployment modes:
• Single Server
• Flexible Server

Azure Database for MySQL (Single Server)
A fully managed relational database service that has minimal requirements for customization of the database.
Designed to handle most database management functions, like patching, backups, HA, and security, with minimal user configuration and control.
99.99% availability within a single availability zone.
The Single Server deployment option of Azure Database for MySQL comes in three pricing tiers:
• Basic
• General Purpose
• Memory Optimized
Supports dynamic scalability.

Azure Database for MySQL (Flexible Server)
A fully managed relational database service.
Provides more granular control and more flexibility.
Allows you to opt for high availability within a single availability zone AND across multiple availability zones.
Provides better cost optimization controls with the ability to stop and start the server.
Gets you the burstable compute tier.

Recommended for:
• Application development that requires better control and customization.
• Solutions where zone-redundant high availability is required.

Azure Database for PostgreSQL
A relational database service available in the Microsoft cloud that's based on the PostgreSQL Community Edition database engine.
Available in three deployment modes:
• Single Server
• Flexible Server
• Hyperscale (Citus)

Azure Database for PostgreSQL (Single Server)
Fully managed relational database service with minimal requirements for customization of the database.
Designed to handle most of the database management functions, such as patching, backups, high availability, and security, with minimal user configuration and control.
Optimized for built-in high availability with 99.99% availability within a single availability zone.
Offers three pricing tiers:
• Basic
• General Purpose
• Memory Optimized
Start off with a small database and then scale up when you need to. Supports dynamic scalability.
Recommended for cloud-native applications that are designed to handle automated patching, without a need for granular control of the patching schedule or custom PostgreSQL configuration settings.

Azure Database for PostgreSQL (Flexible Server)
Fully managed relational database service designed to provide more granular control and more flexibility.
Allows you to opt for high availability within a single availability zone AND across multiple availability zones.
Offers better cost optimization controls with the ability to stop and start the server.
Offers a burstable compute tier, which is great for workloads that don't need full compute capacity all the time.
You would typically recommend an Azure Database for PostgreSQL Flexible Server for:
• Application development that requires better control and customization
• When you need cost optimization controls with the ability to stop and start the server
• Solutions requiring zone-redundant HA

Azure Database for PostgreSQL (Hyperscale)
The Hyperscale option of Azure Database for PostgreSQL is a relational database that allows you to horizontally scale queries across multiple machines using sharding.
Parallelizes incoming SQL queries across multiple servers to produce faster responses on large datasets.
Serves applications requiring greater scale. It's generally for workloads that exceed 100 GB of data.

Azure Database for MariaDB
Based on the MariaDB community edition database engine and offers several service tiers, including Basic, General Purpose, and Memory Optimized.
Each tier provides different performance and capabilities.
Start small, and then scale up as needed.
Supports dynamic scalability, which allows your database to transparently respond to rapidly changing resource requirements.

Typical Relational Data Workloads
Relational data is often found in workloads where records are frequently created and updated, and in scenarios where multiple operations have to be completed in a single transaction.
Business requirements that require data relationships to be enforced using database constraints will usually require relational data, as will requirements where indexes are used to optimize query performance.

Examples of Relational Data
Real-world scenarios where you would recommend a solution for storing relational data:
• Inventory Management Systems
• Order Management Systems
• Reporting Databases
• Accounting Packages
You'd recommend a solution like Azure SQL because these types of business requirements often rely on relational data like customer lists, inventory lists, and the like.

Exam Tip
When dealing with a question that asks you to recommend a storage solution for relational data, there really are only four families of managed services to choose from:
• Azure SQL (SQL Database, SQL Managed Instance, SQL Server on Azure VMs)
• Azure Database for MySQL
• Azure Database for PostgreSQL
• Azure Database for MariaDB
As long as you remember the key features of each offering, you shouldn't have too much trouble answering correctly.
Recommending a Solution for Storing Non-Relational Data

Relational data isn’t always the kind of data that needs to be
stored, because its structure may not fit into relational tables.
There are multiple ways to
store non-relational data:
• Azure Table Storage
• Azure Blob Storage
• Azure File Storage
• Azure Cosmos DB
Azure Table Storage
Azure Table Storage is a key-value
store that leverages the NoSQL key-
value model.
Allows you to create tables in an Azure
storage account.
Data for an item is stored as a set of
fields. Item is identified by a unique key.
Azure Table
Storage
Each item in a table is referred
to as a row.
Fields are called columns.
Azure Table Storage table is
NOT anything like a table in a
relational database.
Azure tables allow you to
store semi-structured data.
Every row in a table must
have a key
Columns in each row can vary.
Azure Table Storage tables have no concept of
relationships, stored procedures, secondary
indexes, or foreign keys.
Each row typically holds the entire data for a
logical entity.

Example:
A table that holds customer data might store a
customer’s first name, last name, one or more
telephone numbers, and one or more
addresses for each customer in the table.
Depending on the number of telephone
numbers and addresses for each customer, the
number of fields in each row can vary for each
customer.
Use Cases for Azure Table Storage
Azure Table Storage tables are schema-less. You can store flexible datasets in tables.
Use Cases for Azure
Table Storage
Azure Table Storage is a good
solution for hosting product
catalogs for online stores.

Example:
If you use table storage to host a
product catalog, the partition key
could be the product category,
and the row key can identify a
specific product in that category.
Table storage can also be a good solution when implementing an IoT system where IoT device sensors collect data.
Table storage can be used for solutions that collect event logging and performance monitoring data.

Example:
Data is collected and structured based on the type of event identified or the performance measure being recorded. Data can be ordered by the date and time it was recorded.

Azure Table Storage can support large volumes of data. Azure Table Storage automatically manages partitions and allocates storage.
https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-overview
Azure Blob Storage
Some applications have to store
large, binary data objects, like
images and video streams.
Azure VMs use blob storage for
holding virtual machine disk images.
Azure Blob storage allows you to
store huge amounts of unstructured
data, or blobs, in Azure.
Block blobs are used to store
large, binary objects that change
infrequently.
Page blobs are optimized to
support random read and write
operations, and they can hold
up to 8 TB of data.
Append blob is a block blob
that’s optimized to support only
append operations. The
maximum size of an append
blob is just over 195 GB.
Hot Tier, Cool Tier, Archive Tier
Hot tier is the default tier, and it's designed for blobs that are accessed frequently. Blob data in the Hot tier is stored on high-performance media.

Cool tier has lower performance than the Hot tier, but it incurs lower storage charges than the Hot tier. The Cool tier is used to store data that's accessed infrequently.

Archive tier offers the lowest storage costs, but with the lower costs comes increased latency. This tier is designed to host historical data that CANNOT be lost, but that is also only required rarely. Blobs in the Archive tier are effectively stored in an offline state.

Read latency for the Hot and Cool tiers is generally a few milliseconds. In the Archive tier, it can take HOURS for data to become available. To retrieve a blob from the Archive tier, you have to first rehydrate it by changing the access tier for the blob to Hot or Cool (or by copying it to a new blob in an online tier); an archived blob cannot be read in place.
Use Cases for Azure Blob Storage
• When you need to serve images or documents directly to a browser, or when you need to store files for distributed access.
• When you want to stream audio or video.
• Storing backup and restore data, disaster recovery data, and archive data.
• Storing data that you plan on analyzing with either an on-prem service or an Azure-hosted service.

Azure File Storage
Azure File Storage allows you to create file shares in Azure.
Shares can be accessed from anywhere with an internet connection via the SMB protocol (SMB 3.x with encryption, over TCP port 445, which many ISPs and corporate firewalls block) or via the REST API.
Access to shares in Azure File Storage can be controlled via Azure Active Directory Domain Services (or via on-prem Active Directory Domain Services synced to Azure AD).
Azure File Storage comes in two performance tiers:
• The Standard tier uses hard disk-based hardware in a datacenter.
• The Premium tier uses solid-state disks and offers greater throughput.

Use Cases for Azure File Storage
Azure File Storage is helpful when migrating existing applications to the cloud.
Azure File Storage can be used to share server data on-prem and in the cloud in order to take advantage of cloud reliability and scalability.
All data in Azure File Storage is encrypted at rest. You can also enable encryption for data that's in transit between Azure File Storage and your applications.
Azure Cosmos DB
When the relational structure is too rigid for your requirements, you can leverage NoSQL databases. NoSQL stores data in structures like documents, graphs, key-value stores, and column family stores.
Azure Cosmos DB is a multi-model NoSQL database management system. It manages data as a partitioned set of documents. A document consists of a collection of fields, identified by a key. Fields can vary.
https://docs.microsoft.com/en-us/azure/cosmos-db/introduction

Azure Cosmos DB is a good non-relational data storage
option for many IoT and telematics solutions.
Retail and marketing
solutions like cataloging
solutions and order
processing solutions can also
benefit from Cosmos DB.
Gaming apps can also benefit
from Azure Cosmos DB because
it can handle the speed
requirements of most games.
Azure Cosmos DB is often used within
web and mobile applications.
Exam Tip
Make a list of all the use cases for each
type of non-relational data storage service
– and remember them.
When you are presented with a particular
scenario and asked for a non-relational
storage solution, align the requirements
with the use cases we covered here.
Recommending Access Control Solutions for Data Storage

All data in an Azure Storage
account is secured.
Every request for data must
be authorized to ensure
that the person or device or
app accessing the data has
the necessary permissions
to access that data.
Controlling Access to Data in Azure Storage
• Azure AD Integration
• Azure AD DS Authentication
• On-prem AD Authentication
• Shared Key Authorization
• Shared Access Signatures
• Anonymous Public Read Access

Azure AD Integration: can be used to control access to blob, queue, and table resources.

Azure AD Domain Services: can be used to control access to Azure Files, because Azure Files supports identity-based authorization over SMB through Azure AD DS.

On-Prem AD: can be used to control access to Azure Files because Azure Files supports identity-based authorization over SMB. SMB access to Azure Files is supported using AD credentials from domain-joined machines, whether on-prem or in Azure. Using Azure RBAC for share-level access control, and NTFS DACLs for directory- and file-level permissions, creates a complete solution for controlling access to Azure Files.
Shared Key Authorization
Can be used to control access to blobs, files, queues, and tables.
When using shared key authorization to access data, the client passes a header with every request that is signed using the storage account access key. The two account keys grant full control over every object in the account, so treat them like root credentials: rotate them, never embed them in client code, and prefer Azure AD or a user-delegation SAS where you can.

IMPORTANT!
If you disallow Shared Key authorization for a storage account, clients must use Azure AD to authorize requests for data in that storage account. Any SAS signed with an account key also stops working; only user-delegation SAS tokens (signed with Azure AD credentials) remain valid.

Shared Access Signatures
Can be used to provide limited delegated access to blobs, files, queues, and tables in a storage account.
Allows you to specify WHEN the signature is valid, and what permissions are granted to the data.

Anonymous Public Read Access
Can be used with containers and blobs. Enabling anonymous public read access allows clients to access blob data without any authorization.
If you disallow anonymous public read access for a storage account, users cannot configure containers for anonymous access.
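Moving an account to Azure AD-only data-plane authorization, as an added PowerShell example that is not part of the course material. It assumes the Az.Storage, Az.Resources and Az.OperationalInsights modules, that the account's blob diagnostic logs are already sent to a Log Analytics workspace, and placeholder names for the resource group, account, container, workspace and the managed identity's object ID.

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg   = 'rg-storage-demo'
$acct = 'stdemoprivate001'
$sa   = Get-AzStorageAccount -ResourceGroupName $rg -Name $acct

# 1) Give the identity that needs the data a data-plane role, scoped to one container
#    rather than the whole account. Object ID is a placeholder for an app's managed identity.
$principalId = '00000000-0000-0000-0000-000000000000'
$scope = "$($sa.Id)/blobServices/default/containers/reports"
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope

# 2) Before disabling Shared Key, find out who still depends on it. Assumes the account's
#    StorageBlobLogs diagnostic setting streams to the workspace named below.
$kql = @"
StorageBlobLogs
| where TimeGenerated > ago(30d)
| where AuthenticationType in ("AccountKey", "SAS", "Anonymous")
| summarize Requests = count() by AuthenticationType, CallerIpAddress, UserAgentHeader
| order by Requests desc
"@
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-demo'
$callers = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results
if ($callers) {
    $callers | Format-Table -AutoSize
    Write-Warning 'Callers still use account keys, SAS, or anonymous access; migrate them first.'
}

# 3) Turn off account-key (and account-key SAS) authorization and anonymous container access.
#    Every request without an Azure AD token now gets 403 on the data plane.
Set-AzStorageAccount -ResourceGroupName $rg -Name $acct -AllowSharedKeyAccess $false -AllowBlobPublicAccess $false

# 4) Rotate both keys anyway, in case one was ever copied somewhere you cannot see.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $acct -KeyName 'key1' | Out-Null
New-AzStorageAccountKey -ResourceGroupName $rg -Name $acct -KeyName 'key2' | Out-Null

# Check: control-plane status of the two switches.
Get-AzStorageAccount -ResourceGroupName $rg -Name $acct | Select-Object AllowSharedKeyAccess, AllowBlobPublicAccess
```

Step 2 is the practitioner's safeguard: the platform switch in step 3 is instant and account-wide, and the 30-day log query is the only way to know in advance which SAS-based batch job or account-key-based legacy client it will break.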
AUTHORIZE ACCESS TO DATA IN AZURE STORAGE

Storage type         Shared Key (account key)   Shared access signature (SAS)   Azure AD                                   On-prem AD                                          Anonymous public read access
Azure Blobs          Supported                  Supported                       Supported                                  Not supported                                       Supported
Azure Files (SMB)    Supported                  Not supported                   Supported, only with AAD Domain Services   Supported, credentials must be synced to Azure AD   Not supported
Azure Files (REST)   Supported                  Supported                       Not supported                              Not supported                                       Not supported
Azure Queues         Supported                  Supported                       Supported                                  Not supported                                       Not supported
Azure Tables         Supported                  Supported                       Supported (preview)                        Not supported                                       Not supported
Exam Tip
When presented with a question about controlling access to storage or data, pay close attention to the KIND of storage that you need to recommend a solution for.

Narrowing down the KIND of storage you are protecting vastly reduces your solution choices. Of course, you'll want to really familiarize yourself with the table I just showed you.
Design a Data Solution for Data Protection

Data Protection
It's critical that you think about how to protect your data BEFORE an incident occurs.

Data protection refers to strategies that you can use to protect your storage account and the data contained in it.
Features and
Strategies
Azure Resource Manager Locks
Immutability Policies on a Blob Version
Immutability Policies on a Container
Container Soft Delete
Blob Versioning
Blob Soft Delete
Point-in-Time Restores
Blob Snapshots
Recommendations for Basic Data Protection
Microsoft recommends configuring an Azure Resource Manager lock on your storage account.
Once you've secured the storage account with a lock, you should enable container soft-delete for the storage account.
Save the state of your blobs at regular intervals.
When working with Azure Data Lake Storage workloads, take manual snapshots.
Azure Resource
Manager Lock
Implementing resource manager
locks allows you to prevent
storage accounts from being
deleted or modified.
Locking a storage account DOES
NOT protect the containers and
blobs inside the account from
being deleted or overwritten.
Immutability Policy
on a Blob Version
Setting an immutability policy
on a blob version protects it
from being deleted. It also
prevents its metadata from
being overwritten.
Enabling version-level
immutability on at least one
container in the storage
account protects the entire
storage account from deletion.
Immutability Policy on a Container
Setting immutability policies on containers within a storage account ensures that you are preventing containers and their blobs from being deleted or modified for an interval that you control.
Setting an immutability policy on a container allows you to protect data by protecting the container and its blobs from all deletes and overwrites.
If a legal hold or a locked time-based retention policy is in effect, the storage account itself is also protected from deletion.

Blob Versioning
Allows you to automatically save the state of a blob in a previous version when it is overwritten.
You can store blob data that does NOT require versioning in a separate storage account.

Blob Soft Delete
Allows you to restore a deleted blob or blob version within a specified interval.
If you have blobs with different retention periods, you can just store them in separate storage accounts.

Container Soft Delete
Allows you to restore a deleted container within a specified interval, or retention period.
You should enable container soft-delete for all storage accounts with a minimum retention interval of 7 days.

Point-in-Time Restore
Allows you to restore a set of block blobs back to a previous point in time.
Only operations performed on block blobs are reverted. Operations performed on containers, page blobs, or append blobs are NOT reverted.
Point-in-time restore requires blob soft delete, blob versioning, and change feed to be enabled, and it is not available for accounts with a hierarchical namespace (Data Lake Storage Gen2).

Blob Snapshot
Blob snapshots allow you to manually save the state of a blob at a given point in time.
Microsoft recommends blob snapshots as an alternative to blob versioning if blob versioning isn't appropriate for your scenario.
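The baseline protection set from this section applied to one account, as an added PowerShell example that is not part of the course material. It assumes the Az.Storage and Az.Resources modules and placeholder names for the resource group and account.

```powershell
# Added example, not from the course. Placeholder names; replace with your own.
$rg   = 'rg-storage-demo'
$acct = 'stdemoprivate001'
$sa   = Get-AzStorageAccount -ResourceGroupName $rg -Name $acct

# 1) Resource lock: blocks deletion of the account itself (not of the blobs inside it).
New-AzResourceLock -LockName 'no-delete' -LockLevel 'CanNotDelete' -ResourceGroupName $rg `
    -ResourceName $acct -ResourceType 'Microsoft.Storage/storageAccounts' -Force

# 2) Container soft delete, 7 days minimum as the slide recommends.
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $acct -RetentionDays 7

if ($sa.EnableHierarchicalNamespace) {
    # Data Lake Storage Gen2 accounts do not support versioning or point-in-time restore:
    # schedule manual snapshots of critical blobs instead (the slide's Data Lake guidance).
    Write-Warning 'Hierarchical namespace enabled; skipping versioning/PITR, use snapshots.'
} else {
    # 3) Blob soft delete and versioning. Versioning keeps the prior state on every overwrite;
    #    change feed is required by point-in-time restore.
    Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $acct -RetentionDays 14
    Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $acct `
        -IsVersioningEnabled $true -EnableChangeFeed $true

    # 4) Point-in-time restore for block blobs. The restore window must be shorter than the
    #    blob soft-delete retention set above.
    Enable-AzStorageBlobRestorePolicy -ResourceGroupName $rg -StorageAccountName $acct -RestoreDays 7
}

# 5) Check: each property below should be enabled / non-zero (PITR and versioning absent on ADLS Gen2).
$props = Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $acct
$props | Select-Object IsVersioningEnabled,
    @{ n = 'BlobSoftDeleteDays';      e = { $_.DeleteRetentionPolicy.Days } },
    @{ n = 'ContainerSoftDeleteDays'; e = { $_.ContainerDeleteRetentionPolicy.Days } },
    @{ n = 'RestoreDays';             e = { $_.RestorePolicy.Days } },
    @{ n = 'ChangeFeed';              e = { $_.ChangeFeed.Enabled } }
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $acct -ResourceType 'Microsoft.Storage/storageAccounts' |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }
```

The ordering matters for the exam-style question as much as in practice: the lock protects the account, soft delete protects containers and blobs, versioning protects against overwrite, and point-in-time restore only becomes possible once the other three (plus change feed) are in place.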
Exam Tip
When presented with a data protection question, filter out extra information when reading the question. Focus on buzz words to sort out whether you need to protect a storage account, a container, or a blob. Look to see if versioning is mentioned as well. By focusing on those buzz words, the answer should be easier to formulate.
Azure Site Recovery for Azure, Hybrid, and On-prem Workloads

Recovery Services
Part of most BCDR strategies.
Includes the Site Recovery service and the Backup service.

Site Recovery Service
Replicates workloads from a primary site to a secondary location.
Can replicate workloads running on physical machines and VMs.

Azure Site Recovery: Azure to Azure
[Diagram: Azure VMs in the West US region replicating to Azure VMs in the East US region]

Azure Site Recovery: On-Prem to Azure
[Diagram: VMs and physical servers in the on-prem datacenter replicating through a process/config server to Azure Site Recovery]

Azure Site Recovery: On-Prem to On-Prem
[Diagram: VMs and physical servers, a config server, and a process server in the primary datacenter replicating to a master target in the secondary datacenter]

When you replicate to Azure, data is stored in Azure storage. When failover happens, Azure VMs get created.

RTO and RPO
Site Recovery offers continuous replication for Azure and VMware VMs.
Provides replication frequency as low as 30 seconds for Hyper-V.
[Diagram: running VMs at the primary site, continuous replication, offline replicated VMs at the secondary site]

[Diagram: BlueWidgetCoASR, BlueWidgetBackup]
You can use Site Recovery to keep applications consistent, even after a failover, because you can replicate using recovery points with application-consistent snapshots.

Customized Recovery Plans
Allow you to customize failovers and even sequence the failover and recovery of multi-tier applications that run on multiple VMs.
Backup and Recovery Solutions for Compute

Azure Backup
Workloads protected by Azure Backup:
• Azure Virtual Machines
• On-prem Servers
• Azure File Shares
• SQL Server on Azure VMs
• SAP HANA on Azure VMs
• Other Workloads

Why use Azure Backup?
Cloud Integration: Azure Backup offers better integration with cloud services since it's a cloud-based service itself.
Zero-infrastructure Backup: Back up compute resources without deploying and managing backup infrastructure or storage. Requires no backup server maintenance, nor storage scaling.
Long-term Retention: Azure Backup allows you to retain backups for years, helping to meet compliance and audit needs.
Security: Backup data in transit and at rest is secured. RBAC is used to segregate duties. Backup data is automatically encrypted using Microsoft-managed or customer-managed keys. Also offers soft delete.
High Availability: Offers high availability of data via four different types of replication: LRS, GRS, ZRS, and GZRS.
• Locally redundant storage (LRS): lowest-cost option. Basic protection against server rack and drive failures. Recommended for non-critical scenarios.
• Geo-redundant storage (GRS): an intermediate option. Offers failover capabilities in a secondary region. Recommended for most scenarios.
• Zone-redundant storage (ZRS): an intermediate option. Provides protection against datacenter-level failures. Recommended for HA scenarios.
• Geo-zone-redundant storage (GZRS): the optimal data protection solution. Includes both GRS and ZRS options. Recommended for critical data scenarios.
Monitoring: Offers built-in monitoring and alerting capabilities.

Azure Backup Supported Scenarios
Azure VMs: Azure Backup provides independent and isolated backups of each VM, which are stored in a Recovery Services vault with built-in management of recovery points.
On-premises: On-prem files, folders, and system state are backed up via the Microsoft Azure Recovery Services (MARS) agent. Microsoft Azure Backup Server (MABS) or a Data Protection Manager (DPM) server can be used to protect on-prem Hyper-V and VMware VMs.
Azure Files: Azure Backup can be used to manage Azure Files snapshots.
[Diagram: 1. Configure backup in the Recovery Services vault; 2. backups run on a user-defined schedule and create Azure File snapshots; retention is managed via the backup policy]
SQL Server and SAP HANA in Azure VMs: Azure Backup can take workload-aware backups that support different backup types, including:
• Full
• Differential and Log
• 15-minute RPO
• Point-in-Time Recovery
[Diagram: SQL in a VM; the SQL plugin streams full/differential/log backups over VDI along the data path to the Recovery Services vault (SSE), while the coordinator in the Azure Backup service handles the control path]

Exam Tip
Remember the reasons to use Azure Backup, remember the four different types of replication that are available, and remember the scenarios supported by Azure Backup.
Backing up Azure VMs with Azure Backup
[Diagram: the Azure Backup extension on the Azure VM snapshots the OS disk and data disk; the snapshot data is then transferred to the vault]

Recovery Services Vault
The Recovery Services vault is used to manage and store backup data.
The Recovery Services vault also acts as an RBAC boundary to allow secure access to the data.

Snapshots
Snapshots, in the context of backup, are point-in-time backups of all disks on a VM.
Azure Backup uses extensions for each supported operating system:
• Windows VMs: Uses the VMSnapshot extension with the Volume Shadow Copy Service to snapshot the disks.
• Linux VMs: Uses the VMSnapshotLinux extension to snapshot the disks.

When you take a snapshot, you can achieve different levels of consistency:
• Application Consistent
• File System Consistent
• Crash Consistent

Application Consistent Snapshots
An Application Consistent snapshot captures a VM as a whole:
• VSS writers on a Windows VM capture the content of the machine memory and any pending I/O operations.
• On Linux machines, you need to write custom pre- or post-scripts per app to capture the application state.
Application Consistent snapshots get you complete consistency for the VM and all running applications.
[Diagram: 1. Configure backup; 2. Launch backup; 3. pre-script; 4. VM snapshot; 5. post-script; 6. incremental backup saved in vault]

File System Consistent Snapshots
If the Volume Shadow Copy Service on a Windows VM fails, or if the pre and post scripts fail on Linux, Azure Backup will create a file-system-consistent snapshot.
Applications will likely need to do their own cleanup during startup to become consistent.

Crash Consistent Snapshots
Crash consistent snapshots are achieved only when the VM being backed up is shut down at the time of the backup.
No I/O operations are captured during this type of backup, nor are memory contents captured.
Doesn't guarantee data consistency for the OS or the app.

Backup Policies
Backup policies allow you to define the backup frequency and the retention duration for backups.
You can trigger VM backups daily or weekly, and they can be stored for years.
Snapshot tier: When a snapshot happens, it's stored locally for up to 5 days. Microsoft recommends restoring from snapshots because it's faster.
Vault tier: Snapshots are additionally transferred to the vault. When restoring from the vault tier, the recovery point type changes to "snapshot and vault", rather than "Instant Restore".

Restore Types
There are several restore options:
• Create a New VM
• Restore a Disk
• Replace an Existing Disk
• Cross-region Restore

Create a New VM
Creates a new VM from your chosen restore point. The new VM must be created in the same region as the source VM.

Restore Disk
Restores a VM disk. The restored VM disk can be used to create a new VM, or you can attach the restored disk to an existing VM. Useful when customizing the VM or adding configuration settings.

Replace Existing
Restore a disk and use it to replace an existing disk on the existing VM. Azure Backup takes a snapshot of the existing VM before replacing the disk. Existing disks are replaced with the selected restore point. The current VM must exist.

Cross-Region Restore
Allows you to restore Azure VMs in a secondary, paired region. Available with the Create a New VM option and with the Restore Disk option.

Recover Files from a Backup
Recover individual files from a recovery point. Mount the snapshot on the target machine using the iSCSI initiator in the machine, get the files you need, then dismount the snapshot.

Restore Encrypted Virtual Machine
Azure Backup supports the backup and restore of machines that are encrypted via Azure Disk Encryption.
Limitations:
• Supports only standalone key encryption.
• File-level and folder-level restores are not supported.
• The Replace Existing VM option isn't available.

Exam Tip
Remember the levels of consistency that you can achieve when you take a snapshot, and the different restore types. Remembering these will go a long way toward being able to recommend the proper backup solution when asked.
Backup Solutions for Databases

Storage for Azure SQL DB Backups
SQL Database automatically creates its own DB backups.
• Retention: 7-35 days.
• Stored as a blob in a read-access geo-redundant storage account.
• Offers protection against a regional outage.

Backup Types
Azure SQL Database creates three types of backups:
• Full Backups
• Differential Backups
• Transactional Backups
[Diagram: backup timeline - full backup, transaction log backups, differential backup, transaction log backups, full backup]

Full Backup: Captures everything in a database AND the transaction logs. SQL Database creates a full backup once a week.
Differential Backup: Captures everything that's changed since the last full backup. SQL Database makes a differential backup every 12 hours.
Transactional Backup: Captures the contents of the transaction logs. Allows you to restore up to a specific time.

Recovery Options
Several recovery options are available:
• Restore an existing database.
• Restore a deleted database up to the time when it was deleted.
• Restore the database to an alternative location or region.
• Restore a database from a long-term backup by using long-term retention.
If live transaction logs are available, you can restore a SQL database right up to the moment that the failure occurred.
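To make the weekly-full / 12-hourly-differential / transaction-log cadence concrete, here is an added example (not code from the course or from Microsoft) that models that schedule and works out which backups a point-in-time restore has to replay: the latest full at or before the target, the latest differential after that full, and the log backups from there up to the one covering the target. The schedule and timestamps are constructed, and the hourly log-backup interval is an assumption for illustration; the service manages the real cadence for you.

```python
"""Work out the backup chain for an Azure SQL Database point-in-time restore.

Added example, not code from the course or from Microsoft: it models the cadence
the slides describe (a full backup weekly, a differential every 12 hours, and
transaction-log backups in between) and selects the backups a restore to a
requested point in time must replay. The schedule is constructed; the hourly
log-backup interval and the timestamps are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    kind: str         # "full", "differential" or "log"
    start: datetime   # full/differential: time taken; log: start of the covered range
    end: datetime     # full/differential: same as start; log: end of the covered range


def build_schedule(first_full: datetime, days: int, log_minutes: int = 60) -> List[Backup]:
    """Constructed cadence: full weekly, differential every 12 h, log every log_minutes."""
    horizon = first_full + timedelta(days=days)
    backups: List[Backup] = []
    t = first_full
    while t < horizon:                                  # weekly full backups
        backups.append(Backup("full", t, t))
        t += timedelta(days=7)
    t = first_full + timedelta(hours=12)
    while t < horizon:                                  # differentials, skipping full-backup slots
        if (t - first_full) % timedelta(days=7) != timedelta(0):
            backups.append(Backup("differential", t, t))
        t += timedelta(hours=12)
    t = first_full
    while t < horizon:                                  # contiguous transaction-log backups
        backups.append(Backup("log", t, t + timedelta(minutes=log_minutes)))
        t += timedelta(minutes=log_minutes)
    return sorted(backups, key=lambda b: (b.start, b.kind))


def restore_chain(backups: List[Backup], target: datetime) -> List[Backup]:
    """Return, in replay order, the backups needed to restore to `target`.

    Latest full at or before the target, then the latest differential after that
    full (if any), then every log backup from the base point up to the one whose
    range covers the target. Raises ValueError when the target is not restorable.
    """
    fulls = [b for b in backups if b.kind == "full" and b.start <= target]
    if not fulls:
        raise ValueError("no full backup exists at or before the requested point in time")
    full = max(fulls, key=lambda b: b.start)

    diffs = [b for b in backups if b.kind == "differential" and full.start < b.start <= target]
    diff = max(diffs, key=lambda b: b.start) if diffs else None
    base = diff or full

    logs = sorted((b for b in backups
                   if b.kind == "log" and b.end > base.start and b.start < target),
                  key=lambda b: b.start)
    if target > base.start and (not logs or logs[-1].end < target):
        latest = logs[-1].end if logs else base.start
        raise ValueError(f"log backups only reach {latest:%Y-%m-%d %H:%M}; "
                         "the requested point in time is not yet restorable")
    return [full] + ([diff] if diff else []) + logs


if __name__ == "__main__":
    schedule = build_schedule(datetime(2024, 1, 1), days=10)
    for b in restore_chain(schedule, datetime(2024, 1, 9, 15, 30)):
        print(f"{b.kind:12} {b.start:%Y-%m-%d %H:%M} -> {b.end:%Y-%m-%d %H:%M}")
```

The error path is the part worth noticing: a target later than the newest log backup cannot be reached, which is exactly why the slide stresses that restoring "right up to the moment" of a failure depends on the live transaction logs still being available.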
Backups and Service Tiers
The default retention period for a database based on the DTU model will depend on the service tier selected:
• Basic Service Tier: 1 week
• Standard Service Tier: 5 weeks
• Premium Service Tier: 5 weeks

How Often Do Backups Happen?
Backups are useful for point-in-time restores and for long-term retention.
The first full backup for point-in-time restores is scheduled when the database is created.
Future backups are automatically scheduled and silently managed.
Full backups for LTR can be kept up to 10 years in a blob storage account.
An LTR policy can be configured to perform automatic weekly full backups.
Storage of LTR backups depends on frequency and the chosen retention period.
[Diagram: primary datacenter in the West US region, alternate datacenter in the East US region]

Using Long-Term Retention Policies
35 Days: Azure SQL Database automatic backups are available for up to 35 days by default.
10 Years: The LTR feature allows you to store Azure SQL Database backups in RA-GRS storage blobs for up to 10 years.

How SQL Database LTR Works
LTR takes the automatic point-in-time recovery backups and copies them to blobs in the background.
LTR backups DO NOT run by default.
LTR backups are set up and managed with long-term retention policies.

Creating a Long-Term Retention Policy
Letters are used to specify how frequently automatic backups should be copied for long-term retention:
• W: Used to specify that one full backup each week gets copied to long-term retention.
• M: Used to specify that one full backup from the first week of each month should be copied to long-term retention.
• Y: Used to specify that one full backup each year gets copied to long-term retention.
You can also specify the week of the year when a yearly backup is copied by using the WeekOfYear parameter.

Example of a Long-Term Retention Policy
W=4, M=12, Y=7, WeekOfYear=1
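The following is an added example, not code from the course or from Microsoft, that turns the policy notation above into something you can check and apply. It validates W, M, Y and WeekOfYear, renders them as the ISO 8601 durations (P4W, P12M, P7Y) that the `az sql db ltr-policy set` command takes, and computes how long the LTR copy of a given weekly full backup survives under the policy. Assumptions: the maxima (520 weeks, 120 months, 10 years, week 1-52) and PT0S meaning "not copied" follow the LTR documentation as I recall it; "first week of the month" is interpreted as a full backup dated the 1st to the 7th, and "week of year" as the ISO week number; the resource names in the usage block are placeholders.

```python
"""Model an Azure SQL Database long-term retention (LTR) policy.

Added example, not code from the course or from Microsoft. It validates the
W/M/Y/WeekOfYear values from the slide's example policy (W=4, M=12, Y=7,
WeekOfYear=1), renders them as the ISO 8601 durations that `az sql db
ltr-policy set` takes, and works out how long the LTR copy of a given weekly
full backup is kept. Assumptions: the maxima (520 weeks, 120 months, 10 years,
week 1-52) and PT0S meaning "not copied" follow the LTR docs as I recall them;
"first week of the month" is taken as a backup dated the 1st-7th, and "week of
year" as the ISO week number.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MAXIMA = {"weekly": 520, "monthly": 120, "yearly": 10}   # assumed documented limits


@dataclass(frozen=True)
class LtrPolicy:
    weekly: int = 0        # W: weeks every weekly full is kept (0 = not copied)
    monthly: int = 0       # M: months the first full of each month is kept
    yearly: int = 0        # Y: years the full from week_of_year is kept
    week_of_year: int = 1  # which week's full becomes the yearly copy

    def __post_init__(self):
        for name, maximum in MAXIMA.items():
            value = getattr(self, name)
            if not 0 <= value <= maximum:
                raise ValueError(f"{name} retention must be 0..{maximum}, got {value}")
        if not 1 <= self.week_of_year <= 52:
            raise ValueError(f"week_of_year must be 1..52, got {self.week_of_year}")


def to_iso(policy: LtrPolicy) -> Dict[str, object]:
    """Render the policy as ISO 8601 durations; PT0S disables a tier (assumption)."""
    return {
        "weekly_retention": f"P{policy.weekly}W" if policy.weekly else "PT0S",
        "monthly_retention": f"P{policy.monthly}M" if policy.monthly else "PT0S",
        "yearly_retention": f"P{policy.yearly}Y" if policy.yearly else "PT0S",
        "week_of_year": policy.week_of_year,
    }


def az_command(policy: LtrPolicy, resource_group: str, server: str, database: str) -> str:
    """Build the `az sql db ltr-policy set` invocation for the policy."""
    iso = to_iso(policy)
    return (f"az sql db ltr-policy set --resource-group {resource_group} "
            f"--server {server} --name {database} "
            f"--weekly-retention {iso['weekly_retention']} "
            f"--monthly-retention {iso['monthly_retention']} "
            f"--yearly-retention {iso['yearly_retention']} "
            f"--week-of-year {iso['week_of_year']}")


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (clamps to the last day of the target month)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def ltr_expiry(policy: LtrPolicy, backup_date: date) -> Tuple[Optional[date], List[str]]:
    """Return (expiry date, tiers that retain it) for the weekly full taken on backup_date.

    A backup kept by several tiers survives until the longest one expires.
    (None, []) means the policy does not copy that backup at all.
    """
    candidates: List[Tuple[date, str]] = []
    if policy.weekly:
        candidates.append((backup_date + timedelta(weeks=policy.weekly), "W"))
    if policy.monthly and backup_date.day <= 7:                       # first full of the month
        candidates.append((add_months(backup_date, policy.monthly), "M"))
    if policy.yearly and backup_date.isocalendar()[1] == policy.week_of_year:
        candidates.append((add_months(backup_date, 12 * policy.yearly), "Y"))
    if not candidates:
        return None, []
    return max(expiry for expiry, _ in candidates), [tier for _, tier in candidates]


if __name__ == "__main__":
    policy = LtrPolicy(weekly=4, monthly=12, yearly=7, week_of_year=1)   # the slide's example
    print(az_command(policy, "rg-example", "sql-example", "db-example"))  # placeholder names
    for day in (date(2024, 1, 1), date(2024, 1, 15), date(2024, 3, 4)):
        print(day, *ltr_expiry(policy, day))
```

With the slide's policy, the full backup taken on 2024-01-01 is retained by all three tiers and survives for seven years, the one from 2024-01-15 is retained only by the weekly tier and expires after four weeks, and the first full of March 2024 is kept for twelve months. Thinking through the expiry per backup this way is how you confirm a policy actually meets a stated retention requirement before applying it.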


Identity Management via Azure AD

Azure AD
Azure AD is a cloud-based identity and access management service.
Allows users to sign in and access resources:
• Provides access to internal resources
• Provides access to external resources

Who Uses Azure AD?
IT Administrators
• Use Azure AD to control access to apps and resources
• Enforce multifactor authentication
• Automate user provisioning
Application Developers
• Add single sign-on to applications
• Allow applications to work with the existing credentials for users
Subscribers
• Microsoft 365 and Office 365 subscriptions are already automatically Azure AD tenants, because user access to these apps is controlled by Azure AD

Azure AD Licenses
Azure AD is offered in a free version and paid versions.
Paid Azure AD licenses provide additional benefits:
• Self-service
• Enhanced monitoring
• Security
• Reporting
• Secure access for mobile users
Editions: Azure Active Directory Free, Office 365 Apps, Azure Active Directory Premium P1, Azure Active Directory Premium P2

Azure AD Free Edition
• Offers user and group management
• Offers on-prem directory synchronization
• Offers some basic reporting functionality
• Self-service password change (cloud-only)
• SSO for Azure, Office 365, and other SaaS apps

Azure Active Directory Premium P1
Offers everything the free version offers, plus advanced administration capabilities:
• Dynamic groups
• Self-service group management
• SSPR for on-prem users
• Microsoft Identity Manager

Azure AD Premium P2
Builds on the Free and P1 editions.
Offers Azure AD Identity Protection:
• Used to leverage risk-based conditional access to applications and data
Offers Privileged Identity Management:
• Restrict and monitor the access and activities of administrators
• Just-in-time access

https://azure.microsoft.com/en-us/pricing/details/active-directory

Key Terms
Identity: A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
Azure AD Account: An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. Sometimes called a work or school account.
Azure AD Directory: Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.
Azure AD Global Administrator: This administrator role is automatically assigned to whoever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators can assign administrator roles.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis#terminology

Azure AD Features
Application management features
• Application proxy
• Single sign-on
• My Apps portal
Authentication features
• Self-service password reset
• Multifactor authentication
• Banned password lists
• Smart lockout

More Azure AD Features
Hybrid identity features
• Azure Active Directory Connect
• Azure Active Directory Connect Health
Reporting and monitoring features
• Provide insights into the security and usage patterns within your organization
Privileged Identity Management (PIM)
• Manage, control, and monitor access to resources

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis#which-features-work-in-azure-ad

Azure Active Directory B2B

What is Azure Active Directory B2B?
Used to share applications and services with guest users.
The external org doesn't need to have Azure Active Directory.
B2B uses an invitation and redemption process.
No need to manage external accounts or external passwords.

Azure AD B2B
You can add guest users through the Azure AD portal.
The process is similar to that of adding an internal user.
App owners and group owners can manage their own guest users.

Azure AD B2B Licensing
Guest users can use free Azure AD features without any additional licensing requirements.
You can invite up to five guest users for each paid Azure AD edition license that you own.

Azure AD vs Traditional AD

Azure AD vs Traditional AD
Azure Active Directory is essentially Microsoft's next iteration of identity and access management for the cloud.
• Identity-as-a-Service solution
• Key differences between traditional AD and Azure Active Directory

User Management: Azure AD vs Traditional AD
Provision Users
  Traditional AD: manually or through automated provisioning systems that are hosted in-house
  Azure AD: synchronize on-prem user identities into Azure AD, OR automatically created in Azure AD through the use of cloud HR systems and through SCIM-enabled software
External Users
  Traditional AD: created manually in a dedicated external Active Directory forest
  Azure AD: Azure AD B2B used to manage links to external user identities
Resource Access
  Traditional AD: create groups which are granted permissions to resources and then add users to groups
  Azure AD: access to resources granted through Azure AD groups OR via the entitlement management feature OR via time-based criteria
Admin Management
  Traditional AD: domains, OUs, and groups used to delegate admin privileges
  Azure AD: built-in roles, RBAC, and custom roles used to delegate admin privileges. PIM can also be used.
Authentication
  Traditional AD: credentials based on passwords, certificates, and smart cards, and are managed with password policies
  Azure AD: uses intelligent password protection, MFA, and self-service password reset

Applications: Azure AD vs Traditional AD

SaaS authentication
• Traditional AD: not supported natively; requires ADFS federation, with more administrative overhead and additional hardware costs
• Azure AD: allows SaaS applications to be integrated, provided they support OAuth2, SAML, or WS-*

Services
• Traditional AD: usually require Active Directory service accounts to run; creates a security hole
• Azure AD: leverages managed identities that are managed by Azure AD and are tied to the resource provider; can't be used to gain backdoor access

Devices: Azure AD vs Traditional AD

Mobile Devices
• Traditional AD: does not natively support them
• Azure AD: provides integration with Microsoft Intune

Windows Desktops
• Traditional AD: can be joined to the domain and managed with group policy
• Azure AD: can be joined to the domain and managed with Microsoft Intune

Windows Servers
• Traditional AD: can be joined to the domain and managed with group policy
• Azure AD: cannot be joined to an Azure Active Directory

Linux Workloads
• Traditional AD: does not support Linux workloads natively
• Azure AD: Linux and UNIX virtual machines in Azure can leverage managed identities to access resources

Authentication
• Traditional AD: credentials based on passwords, certificates, and smart cards, and are managed with password policies
• Azure AD: uses intelligent password protection, MFA, and self-service password reset

Azure AD vs Azure ADDS

Azure AD vs Azure ADDS
Azure Active Directory and Azure AD Domain Services share common names and technologies but are really two different offerings that are designed to provide different services.
Azure Active Directory
Azure Active Directory is a cloud-based identity and mobile device management solution.
• Provides user account and authentication services.
• Synchronize traditional on-prem AD to Azure AD to provide a single identity solution.
Azure AD Domain Services
Azure AD Domain Services is a fully-managed domain services offering.
Includes a fully-compatible subset of features found in a traditional AD:
• Domain Join
• Group Policy
• LDAP
• Kerberos & NTLM Authentication
Integrates with Azure AD
Can be synchronized with Azure AD
Azure AD vs Azure AD DS
When you deploy Azure Active
Directory, it allows you to manage the
identity of the devices that are used by
the organization and to control access
to resources from such devices.
Azure AD vs Azure AD DS
Azure Active Directory allows users to register
their personal devices with the directory.
• Creates identities for devices that can be
authenticated by Azure AD
• Device management is performed via MDM software like Microsoft Intune
Computers & laptops can be joined to Azure AD.
• Provides the same benefits as registering personal
devices with Azure AD
• Secure applications with single sign-on
• Leverage enterprise policy compliant roaming of user
settings across different devices
Azure AD vs Azure AD DS
When a user with an Azure AD joined or Azure AD registered device authenticates, that authentication is performed via modern OAuth or OpenID Connect based protocols.

HOWEVER…

When a user authenticates from an Azure AD Domain Services joined device, applications can use Kerberos and NTLM protocols for authentication instead.
Aspect: Device controlled by
• Azure AD-joined: Azure AD
• Azure AD DS-joined: Azure AD DS managed domain
Aspect: Representation in the directory
• Azure AD-joined: Device objects in the Azure AD directory
• Azure AD DS-joined: Computer objects in the Azure AD DS managed domain
Aspect: Authentication
• Azure AD-joined: OAuth / OpenID Connect based protocols
• Azure AD DS-joined: Kerberos and NTLM protocols
Aspect: Management
• Azure AD-joined: Mobile Device Management (MDM) software like Intune
• Azure AD DS-joined: Group Policy
Aspect: Networking
• Azure AD-joined: Works over the internet
• Azure AD DS-joined: Must be connected to, or peered with, the virtual network where the managed domain is deployed
Azure Identity Protection



Azure Identity Protection
Azure Identity Protection is a tool that allows
organizations to accomplish several tasks:
• Automate detection & remediation of
identity-based risks
• Investigate risks using data in the portal
• Export risk detection data to third-party tools
Azure Identity Protection
identifies several types of risks:
• Anonymous IP address
• Atypical travel
• Malware linked IP address
• Unfamiliar sign-in properties
• Leaked Credentials
• Password spray
• New country
• Activity from anonymous IP address
• Suspicious inbox forwarding
Risk signals picked up by
Identity Protection can
trigger remediation efforts:
• Perform Azure AD MFA
• SSPR
• Account Blocking
Azure Identity Protection
There are 3 key reports that administrators can use for investigations in Identity Protection:
• Risky users
• Risky sign-ins
• Risk detections
Risk Levels
• HIGH: Highest Confidence
• MEDIUM
• LOW
Azure Identity Protection roles:
• Security Reader
• Security Operator
• Security Administrator
• Global Reader
• Global Administrator

Role: Global administrator
• Can do: Full access to Identity Protection

Role: Security administrator
• Can do: Full access to Identity Protection
• Can't do: Reset password for a user

Role: Security operator
• Can do: View all Identity Protection reports and Overview blade; dismiss user risk, confirm safe sign-in, confirm compromise
• Can't do: Configure or change policies; reset password for a user; configure alerts

Role: Security reader
• Can do: View all Identity Protection reports and Overview blade
• Can't do: Configure or change policies; reset password for a user; configure alerts; give feedback on detections

Azure Identity Protection
Identity Protection requires an Azure AD Premium P2 license.

Capability (Details): Azure AD Free / 365 Apps | Azure AD Premium P1 | Azure AD Premium P2
• Risk policies (User risk policy, via Identity Protection): No | No | Yes
• Risk policies (Sign-in risk policy, via Identity Protection or Conditional Access): No | No | Yes
• Security reports (Overview): No | No | Yes
• Security reports (Risky users): Limited information, only users with medium and high risk are shown, no details drawer or risk history | Limited information, only users with medium and high risk are shown, no details drawer or risk history | Full access
• Security reports (Risky sign-ins): Limited information, no risk detail or risk level is shown | Limited information, no risk detail or risk level is shown | Full access
• Security reports (Risk detections): No | Limited information, no details drawer | Full access
• Notifications (Users at risk detected alerts): No | No | Yes
• Notifications (Weekly digest): No | No | Yes
• MFA registration policy: No | No | Yes
Identity Protection Policies

Identity Protection Policies
Azure Active Directory Identity Protection includes 3 default policies that administrators can enable:
• Azure AD MFA registration policy
• User risk policy
• Sign-in risk policy
Azure AD MFA Registration Policy
The Azure AD MFA Registration Policy
ensures new users have registered for
MFA on their first day.
MFA is a self-remediation method for risk
events within Identity Protection that
allows users to take action on their own
to reduce helpdesk call volume.
User Risk Policy
Used to calculate what Identity Protection believes is
normal behavior for a user.
Calculates probability that an identity has been
compromised.
Administrator can make a decision based on this risk
score signal:
• Block access
• Allow access
• Allow access / require password change via SSPR
Users can perform self-service password reset to self-remediate.
Sign-In Risk Policy
Identity Protection analyzes signals from each
sign-in, both real-time and offline.
Calculates a risk score based on the probability
that a specific sign-in wasn't performed by the
actual user.
Administrators can:
• Block access
• Allow access
• Allow access but require MFA
Custom Conditional Access Policies
Administrators can create custom Conditional Access policies that include sign-in risk as an assignment condition.
Protecting Identities with PIM

Privileged Identity Management
Privileged Identity Management is an Azure AD service that is used
to manage, control, and monitor access to critical resources.
PIM Use Cases
PIM is useful to organizations that want to
minimize the number of people who have
access to critical information or resources.
• Reduces the chance of a malicious
actor getting that access
• Reduces chances of an authorized
user impacting a sensitive resource
• Allows just-in-time privileged access
to Azure resources and Azure AD
• Provides oversight for what users are
doing with admin privileges
Key Features of PIM:
• Provide just-in-time privileged access to Azure
AD and Azure resources
• Assign time-bound access to resources
• Require approval to activate privileged roles
• Enforce MFA to activate any role
• Use justification to understand activations
• Notifications when privileged roles activated
• Conduct access reviews
• Download audit history
Privileged Identity Management
As an administrator, you can choose to manage Azure AD roles, Azure resource roles, or privileged access groups.
Privileged Identity Management
Privileged Role Administrator Permissions:
• Enable approval for specific roles
• Specify approver users or groups
• View request and approval history
Privileged Identity Management
• View pending approvals
• Approve or reject requests for role elevation
• Provide justification for my approval or rejection
Privileged Identity Management
• Request activation of a role that requires approval
• View the status of your request to activate
• Complete task in Azure AD if activation approved
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/subscription-requirements



Securing Resources with
Role-Based Access Control



Azure RBAC
An authorization system used to secure Azure resources by controlling what resources people can access, and what they can do with those resources.
How Azure RBAC works
Azure RBAC controls access
to resources via Azure roles.
Three elements:
• Security Principal
• Role Definition
• Scope
How Azure RBAC works
Security Principal
Represents a user, group, service principal, or a managed identity.
Roles can be assigned to any of these security principals.
(Diagram: User, Group, Service Principal, Managed Identity)

How Azure RBAC works
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions
How Azure RBAC works
Scope
A set of resources that access applies to.
Further limit the actions allowed by a role:
• Use a scope when you want to make someone a Virtual Machine Contributor, but only for one specific resource group.
• Can be defined at four levels:
• Management Group
• Subscription
• Resource Group
• Individual Resource
How Azure RBAC works
Scopes are structured in a parent-child relationship: Management Group > Subscription > Resource Group > Resource.
How Azure RBAC works
Role assignments
The process of attaching a role definition
to a user, group, service principal, or
managed identity at a particular scope.
Used to manage access to resources:
• Creating a role assignment grants access.
• Revoking a role assignment removes access.
(Diagram: a User in the Sales Group, which is a member of the Marketing Group, which holds the Contributor role on the Widget Sales Resource Group; the User therefore has Contributor on that Resource Group.)
Role assignments are transitive for groups.
How Azure RBAC Works
If a user is a member of a group that's a member of another group that has a role assignment, the user will have the permissions in that role assignment.
How Azure RBAC works
Multiple role assignments
(Diagram: a User with a Contributor role assignment and a Reader role assignment over a Resource Group within a Subscription; the effective permissions on the Resources are the two combined.)
Azure RBAC is an additive model.
Effective permissions to a resource will be the sum of the role assignments assigned.
How Azure RBAC works
A Deny Assignment attaches a set of deny actions to a security principal at a particular scope to deny access.
Deny assignments take precedence over role assignments.
Azure RBAC is a free feature that’s included
in all Azure subscriptions.
Exam Tip
Remember that there are built in roles
and custom roles available.
Familiarize yourself with the 3 elements of
a role assignment and be sure to
remember that overlapping role
assignments are summed.
Remember that deny assignments take
precedence over role assignments.
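The RBAC rules covered in this section (scope inheritance down the hierarchy, transitive group membership, additive role assignments, deny assignments winning) as a small evaluator in Python. This is an added example, not Azure's implementation or the course's own material; the hierarchy, group membership, assignments and the cut-down Reader/Contributor definitions are constructed.

```python
"""Model of the Azure RBAC evaluation rules described above (added illustration,
not Microsoft's implementation): scope inheritance down the management group ->
subscription -> resource group -> resource chain, transitive group membership,
additive role assignments, and deny assignments taking precedence."""
from fnmatch import fnmatchcase

# Constructed sample hierarchy; the subscription id is a placeholder.
MG = "/providers/Microsoft.Management/managementGroups/contoso-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/widget-sales"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/sales-vm01"
SCOPE_PARENT = {SUB: MG, RG: SUB, VM: RG}  # the management group has no parent

# Simplified built-in role definitions (subset of the real Actions/NotActions lists).
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
}

# Constructed directory: group -> direct members (users or nested groups),
# mirroring the slide's Sales Group nested inside Marketing Group.
GROUP_MEMBERS = {
    "Marketing Group": ["Sales Group"],
    "Sales Group": ["alice@contoso.example"],
}

# Role assignments: (security principal, role definition, scope).
ROLE_ASSIGNMENTS = [
    ("Marketing Group", "Contributor", RG),
    ("alice@contoso.example", "Reader", SUB),   # overlapping assignment at a parent scope
]

# Deny assignments: (security principal, denied action patterns, scope).
DENY_ASSIGNMENTS = [
    ("Sales Group", ["Microsoft.Compute/virtualMachines/delete"], VM),
]


def ancestors(scope):
    """The scope itself plus every parent up the hierarchy."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT.get(scope)
    return chain


def principals_for(user):
    """The user plus every group containing the user, directly or transitively."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in found and any(m in found for m in members):
                found.add(group)
                changed = True
    return found


def matches(action, patterns):
    """Action strings match '*' wildcard patterns (e.g. '*/read'), case-insensitively."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_roles(user, scope):
    """Additive model: every role assigned to the user or to one of the user's
    groups, at this scope or at any ancestor scope."""
    principals = principals_for(user)
    applicable = ancestors(scope)
    return sorted({role for principal, role, assigned_at in ROLE_ASSIGNMENTS
                   if principal in principals and assigned_at in applicable})


def is_allowed(user, action, scope):
    """True if an effective role grants the action and no deny assignment blocks it."""
    principals = principals_for(user)
    applicable = ancestors(scope)
    # Deny assignments take precedence over role assignments.
    for principal, denied, deny_scope in DENY_ASSIGNMENTS:
        if principal in principals and deny_scope in applicable and matches(action, denied):
            return False
    for role in effective_roles(user, scope):
        definition = ROLE_DEFINITIONS[role]
        if matches(action, definition["actions"]) and not matches(action, definition["not_actions"]):
            return True
    return False


if __name__ == "__main__":
    user = "alice@contoso.example"
    print(effective_roles(user, VM))   # ['Contributor', 'Reader']
    print(is_allowed(user, "Microsoft.Compute/virtualMachines/start/action", VM))  # True
    print(is_allowed(user, "Microsoft.Compute/virtualMachines/delete", VM))        # False
```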
Azure Organization and Hierarchy



Organizing Azure resources allows you to better secure, manage, and track costs that are associated with those resources.
To do this:
• Define a management group hierarchy
• Define a naming convention
• Apply resource tagging when necessary
(Diagram: Management Group > Subscription > Resource Group > Resource)

4 Levels of Management
• Management Groups
• Subscriptions
• Resource Groups
• Resources
Management groups can be used to manage access, policy, and compliance for multiple subscriptions.
Subscriptions are used to logically associate user accounts with the resources they create. Used to manage costs and resources.
Resource groups are logical containers that you can deploy Azure resources into.
Resources are instances of services that you can create, like VMs, storage accounts, vNets, and such.
Management Settings Scope
Can be applied at any of the 4 management levels.
Determines how widely a particular setting is applied.
A policy applied to a subscription will also apply to all resource groups and resources within that subscription.
(Diagram: the hierarchy from Management Group down to Resource, labelled Critical Settings and Project-Specific)

Managing a handful of subscriptions is easy.
Managing a large number of subscriptions is hard.
Leverage a management group hierarchy to simplify subscription and resource management.
Naming Standards
Naming standards are useful for identifying
resources in the Azure portal, in automation
scripts, and even in billing statements.
Naming standards should include both business
and operational details in resource names.
• For example, you might use a resource's short
name, along with the business owners who are
responsible for the resource costs.
• Operational details in resource names should
include information that IT teams need.

There’s no hard and fast rule.


Resource Tags
Can be used to quickly identify resources / resource groups.
Apply tags to logically organize Azure resources by category.
Use tags that include context about a resource's associated workload or application or ownership information.

Example:
Organizations often specify an Environment: Production name/value pair to identify production resources.
More easily retrieve all resources in a subscription.
Resource Tags
Can be used to break out billing for resources.
Each resource supports a max of 50 tag name/value pairs.
Exam Tip
Familiarize yourself with the levels of
hierarchy in Azure. Remember that they
include management groups, subscriptions,
resource groups, and resources.
Don’t forget how settings and policies filter
down through the parent-child relationship
of these levels.
Enforcing and Auditing Compliance
in Azure with Azure Policy



Azure Policy
Used to enforce organizational standards
and to assess compliance.
The compliance dashboard allows you to
evaluate the overall state of your
environment and to drill down with per-
resource, per-policy granularity.
Helps bring resources into compliance
via bulk remediation for existing
resources and through automatic
remediation for new resources.
Azure Policy is often used to implement governance for resource
consistency, regulatory compliance, security, cost, and management.
How Does Azure Policy Work?
Azure Policy evaluates Azure resources by comparing their properties to business rules (policy definitions) that you create.
Several policy definitions can be grouped together to form a policy initiative.
An assignment is used to assign the policy definition or initiative to a scope of resources.

Azure Policy uses the JSON format to form
the logic the evaluation uses to determine
whether a resource is compliant or not.
Definitions include metadata & a policy rule.
Policy rules can use functions, parameters,
logical operators, conditions, and property
aliases to match your desired scenario.
Evaluation Outcomes
Resources are evaluated at multiple times during the
resource lifecycle and policy assignment lifecycle:
• Resources are evaluated when they are created,
updated, or deleted in a scope with a policy
assignment.
• Resources are evaluated when a policy or
initiative is newly assigned to a scope.
• Resources are evaluated whenever a policy or
initiative already assigned to a scope is updated.
• Resources are evaluated simply as part of the
standard compliance evaluation cycle, which
occurs once every 24 hours.
Effects typically only affect a resource when that resource is
created or updated; however, Azure Policy also supports the
handling of existing resources that are non-compliant as well.
Azure Policy can be used to evaluate all Azure resources at or
below the subscription-level, including Arc enabled resources.
• Start with an audit effect.
• Consider organizational hierarchies.
• Create definitions at management group or subscription levels and create assignments at child levels.
• Scope down assignments to subscriptions or resource groups.
Microsoft recommends creating
and assigning initiative definitions
even if you only have a single
policy definition.
If a specific policy needs to be
evaluated individually, it's better
to not include it in an initiative.
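As an added example (not part of the course material), the following PowerShell builds the pieces described above: a policy definition whose rule uses a property alias, an effect parameter that defaults to Audit, an initiative wrapping that single definition, and an assignment scoped down to a resource group. The resource group, subscription context, and all names are assumed.

```powershell
# Added example: create, group, and assign an Azure Policy with an audit-first effect.
# Assumes the Az.Resources and Az.PolicyInsights modules and a prior Connect-AzAccount.
# The resource group and all names below are placeholders.
$rgName = 'rg-governance-demo'
$subId  = (Get-AzContext).Subscription.Id
$scope  = "/subscriptions/$subId/resourceGroups/$rgName"

# Policy rule: the "if" block matches resources via a property alias, the "then"
# block applies the effect. The effect is a parameter so the same definition can
# start as Audit and later be switched to Deny without rewriting the rule.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$policyParams = @'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Audit first; move to Deny once compliant." },
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

# 1. Policy definition, created at the subscription level.
$definitionName = 'audit-storage-https-only'
New-AzPolicyDefinition -Name $definitionName `
    -DisplayName 'Storage accounts should require secure transfer' `
    -Policy $policyRule -Parameter $policyParams -Mode 'All' | Out-Null
$definitionId = "/subscriptions/$subId/providers/Microsoft.Authorization/policyDefinitions/$definitionName"

# 2. Initiative (policy set) wrapping the single definition, as the course notes
#    Microsoft recommends. The initiative's effect parameter is passed through.
$setDefinition = @"
[
  {
    "policyDefinitionId": "$definitionId",
    "parameters": { "effect": { "value": "[parameters('effect')]" } }
  }
]
"@
$setParams = @'
{ "effect": { "type": "String", "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } }
'@
$initiative = New-AzPolicySetDefinition -Name 'storage-baseline' `
    -DisplayName 'Storage baseline' -PolicyDefinition $setDefinition -Parameter $setParams

# 3. Assignment scoped down to a resource group. Audit reports existing
#    non-compliant resources without blocking anyone; promote to Deny later.
New-AzPolicyAssignment -Name 'storage-baseline-rg' -Scope $scope `
    -PolicySetDefinition $initiative -PolicyParameterObject @{ effect = 'Audit' } | Out-Null

# Trigger an evaluation instead of waiting for the 24-hour cycle, then list
# the resources the assignment flagged.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName | Out-Null
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName 'storage-baseline-rg' |
    Where-Object ComplianceState -eq 'NonCompliant' |
    Select-Object ResourceId, PolicyDefinitionName
```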
Exam Tip
Azure Policy is used to enforce and audit
compliance in an Azure environment.
Start with the policy definition to define
conditions that will trigger policy enforcement.
Several policy definitions can be grouped
together to form a policy initiative.
Once a policy definition or initiative has been
created, an assignment is used to assign the
policy definition or initiative to a scope of
resources that Azure supports.
Backup and Recovery Solutions
for Unstructured Data

Operational
Backup for
Azure Blobs
Operational Backup for Blobs
is a managed solution that you
can use to protect block blobs.
Backup data is stored locally
within the source storage
account and can be recovered to
a selected point in time.
Integrates with Backup Center.
How Operational Backup Works
Operational backup of blobs is a solution that’s local to the storage account that contains the blobs.
The Backup vault is used only to manage the backups, which are continuous.
Operational backup of blobs offers point-in-time restore, which allows you to restore blob data to an earlier state.
Operational Backup
Configured and managed at the storage account level.
The Data protection tab of the blob service in a storage account allows you to configure point-in-time restore, soft delete, versioning for blobs, blob change feed, and Delete Lock.
The Backup vault must be granted the Storage Account Backup Contributor role on storage accounts to be backed up.
Operational backup only supports operations on block blobs.
Once backup has been enabled on a storage account, a Backup Instance is created.
The Backup Instance corresponds to the storage account in the Backup vault.
When using operational backup,
you can restore data from any
point in time for which a
recovery point exists.
You can restore all block blobs
in the storage account, specific
containers, or a subset of blobs.
Restores can be performed only
to the source storage account.
Azure File
Share Backup
Azure file share backup is a
cloud-based backup solution
in Azure that protects data in
the cloud.
Integrates with Azure File
Sync and allows you to
centralize your file share data
as well as your backups.
Key Benefits
Requires no infrastructure.
Configure backups with
daily, weekly, monthly, and
yearly retention.
More Benefits
Select just the files you
want to restore instantly.
Provides alerting and
reporting features.
Enables the soft delete
feature on a storage
account level.
[Diagram: Azure file share backup. On-prem and Azure file servers (Windows, Linux, macOS) reach the Azure file share in a storage account either through the Storage Sync Service or by mounting the share directly. 1. Configure Backup with a backup policy in a Recovery Services vault. 2. Scheduled snapshots of the Azure file share are taken. 3. Snapshot retention is managed with the backup policy.]
Exam Tip
You have two different backup and recovery
options for unstructured data, like blobs and file
shares: operational backup for blobs and
Azure file share backup.
Operational backup for blobs protects block
blobs from things like corruption, deletions, and
even accidental storage account deletion.
Azure file share backup protects Azure file shares.
Azure Monitor

Azure Monitor collects, analyzes, and acts on telemetry
from cloud and on-prem environments.
Azure Monitor features:
• Smart alerts and automated actions
• Azure Monitor Metrics
• Application Insights
• Container Insights
• VM Insights
• Azure Dashboards and Workbooks
[Diagram: Azure Monitor overview. Data sources (applications, operating systems, Azure resources, Azure subscriptions, Azure tenants, and other sources) feed Metrics and Logs. From those, Azure Monitor provides Insights (Application, Container, VM, Monitoring), Visualize (Dashboards, Views, Power BI, Workbooks), Analyze (Metrics, Logs), Respond (Alerts, Autoscale), and Integrate (Logic Apps, APIs).]
Monitoring Data Platform
Metrics data consists of numerical values that describe some aspect of a system at a specific point in time.
Log data contains different kinds of data organized into records with different sets of properties for each type.
Log data is analyzed via queries, which retrieve,
consolidate, and analyze collected data.
You can use Log Analytics to create and run
queries against log data.

Azure Monitor collects data from applications, operating systems, Azure resources, subscriptions, and tenants:
• Application monitoring data reflects the performance and functionality of the code you have written.
• Guest OS monitoring data is data about
the OS on which an application is running.
• Azure resource monitoring data tells you
about the operation of an Azure resource.
• Azure subscription monitoring data is
data about the operation and management of
an Azure subscription and about the health
and operation of Azure itself.
• Azure tenant monitoring data tells you
about the operation of tenant-level Azure
services, like Azure Active Directory.
Application Insights
Application Insights monitors availability, performance, and usage of web applications in the cloud and on-prem.
Container Insights
Container Insights is used to monitor the performance of container workloads that are deployed to managed Kubernetes clusters hosted on AKS.
VM Insights
Monitors Azure virtual machines at scale and analyzes the performance and health of both Windows and Linux VMs.
Provides support for monitoring performance and application dependencies for VMs hosted on-prem and even hosted with another cloud provider.
Azure Monitor allows you to proactively respond to critical conditions that are identified in the data that gets collected.
The tools for responding include alerts and autoscale integration.
Alerts
Alerts can proactively notify you of critical
conditions and sometimes even try to take
corrective action.
• Alert rules that are based on metrics can
provide almost real time alerting that’s based on
numeric values.
• Alert rules that are based on logs allow for
complex logic across data from multiple sources.

Alert rules leverage action groups that can use webhooks to have alerts start external actions or to integrate with ITSM tools.
Autoscale ensures you have the right amount of
resources to handle the load on your application.
Create rules that use metrics that are collected by
Azure Monitor to determine when to automatically
add resources when load increases.

[Diagram: autoscale example. Rule: CPU utilization > 70%; instance count minimum = 2, current = 3, maximum = 5.]
Visualizing
Monitoring Data
Azure Monitor allows you to visualize
your monitoring data via dashboards,
workbooks, and Power BI.
Dashboards
Azure Dashboards combine
different kinds of data into a
single pane of glass.

Example: you can create a dashboard that provides a complete picture by including tiles that show metrics graphs, an activity log table, a usage chart from Application Insights, and the output of a log query.
Workbooks can be used to perform data analysis and to
create visual reports right in the Azure portal.
Power BI
Power BI provides interactive visualizations across all kinds of data sources and is often used to make data available to people inside and outside the organization.
Exam Tip
Be sure to know which monitoring tools are
available, what they can monitor, and when they
should be used. Remember what Azure Monitor
does, what Application Insights offers, what VM
Insights offers, and what Container Insights does.
Be sure to visit the URL below to familiarize
yourself with ALL Azure Monitor features:

https://docs.microsoft.com/azure/azure-monitor/monitor-reference
Recovery Solutions for Databases

When automated backups occur in
Azure SQL Database, copies of the
databases are made in Azure blobs
in Azure storage.
To restore one of these backups, you
have to create a new database that
will contain the restored data.

Restore Options
Create a new database on the same SQL
Database server recovered to a specified point in
time within the retention period.
Create a database on the same SQL Database
server recovered to the deletion time for a
deleted database.
Create a new database on any SQL Database
server in the same region recovered to the point
of the most recent backups.
Create a new database on any SQL Database
server in any other region recovered to the point
of the most recent replicated backups.
How Restore Works
During a restore, Azure copies the database from the storage
account to the Azure SQL Database server.
During a point-in-time restore, after the database copy finishes, SQL
Database applies the transaction logs to the restored database.

[Diagram: a database backup in blob storage is copied to the SQL Database server, then the transaction logs are applied to produce the restored database.]
Point-in-Time Restore
Database replacement. Specify the
same compute size and service tier
as the original database, rename the
original database, and give the
restored database the original name.

Data recovery. No need to rename the original or restored databases.
Use T-SQL commands to extract the
data that you need from the restored
database and then insert that data
into the original database.
Ways to Restore
• Azure Portal: Select the Restore button on the database overview page, and then specify the time to restore to.
• PowerShell: Use the Restore-AzSqlDatabase cmdlet.
• Azure CLI: Use the az sql db restore command.
Restore a Deleted Database
You can use the Azure portal or PowerShell to restore a deleted database from backup, right up to the time it was deleted.
How to do it…
Browse to the database server in the portal and go into its Overview page. Browse to Deleted databases, select a deleted database, and then specify a point in time up to the deletion to restore to.
Perform a Geo-Restore
Because Azure SQL Database
automatically replicates backed-up
databases to datacenters in other
regions, you can perform geo-
restores of Azure SQL databases.

How to do it…
Via the Azure portal, select your
database server and click “Create
database.” In the “Additional Settings”
section, select “Backup” in the “Data
Source” section, and then select the
backup to restore from.
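The restore options above, worked through with the Restore-AzSqlDatabase cmdlet, as an added example that is not part of the course: a point-in-time restore (used for data recovery or, with a rename, for database replacement), a restore of a deleted database, and a geo-restore onto a server in another region. Resource group, server, and database names are placeholders.

```powershell
# Added example: the restore paths described above, using Restore-AzSqlDatabase.
# Assumes the Az.Sql module, a prior Connect-AzAccount, and the placeholder names below.
$rg     = 'rg-sql-demo'
$server = 'sql-demo-server'
$dbName = 'orders'

# --- 1. Point-in-time restore on the same server ---
# A restore always creates a NEW database, so the target name must not exist yet.
# The point in time must fall inside the backup retention period.
$db = Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server -DatabaseName $dbName
$pointInTime = (Get-Date).ToUniversalTime().AddHours(-2)
$restored = Restore-AzSqlDatabase -FromPointInTimeBackup `
    -PointInTime $pointInTime `
    -ResourceGroupName $rg -ServerName $server `
    -ResourceId $db.ResourceId `
    -TargetDatabaseName "$dbName-pitr" `
    -Edition $db.Edition -ServiceObjectiveName $db.CurrentServiceObjectiveName
# Data recovery: stop here and copy the rows you need back into the original
# database with T-SQL; no renaming is required.

# --- 1b. Database replacement: keep the same compute size and service tier
#         (passed above), rename the original, and give the restored copy the
#         original name so applications keep their existing connection string.
Set-AzSqlDatabase -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $dbName -NewName "$dbName-old" | Out-Null
Set-AzSqlDatabase -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $restored.DatabaseName -NewName $dbName | Out-Null

# --- 2. Restore a deleted database, up to the time it was deleted ---
# If the same name was deleted more than once, take the most recent deletion.
$deleted = Get-AzSqlDeletedDatabaseBackup -ResourceGroupName $rg -ServerName $server -DatabaseName $dbName |
    Sort-Object DeletionDate -Descending | Select-Object -First 1
Restore-AzSqlDatabase -FromDeletedDatabaseBackup `
    -DeletionDate $deleted.DeletionDate `
    -ResourceGroupName $rg -ServerName $server `
    -ResourceId $deleted.ResourceId `
    -TargetDatabaseName $dbName | Out-Null

# --- 3. Geo-restore from the most recent replicated backup ---
# The target server lives in another region (placeholder names); the restored
# database is only as current as the last backup that was geo-replicated.
$geo = Get-AzSqlDatabaseGeoBackup -ResourceGroupName $rg -ServerName $server -DatabaseName $dbName
Restore-AzSqlDatabase -FromGeoBackup `
    -ResourceGroupName 'rg-sql-demo-dr' -ServerName 'sql-demo-server-dr' `
    -ResourceId $geo.ResourceId `
    -TargetDatabaseName $dbName | Out-Null
```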
Exam Tip
To be prepared for the exam, make sure you
remember the different restore types that are
available for databases.
Azure Service Health

Azure Service Health
Provides notification of, and information on, issues with Azure services that may affect your environment.
Combines Azure Status, Service Health, and Resource Health.
Azure Status
Provides a global view of the
health of Azure services that
includes information on
service availability.
Accessed via:
https://status.azure.com

Everyone has access to the Azure Status page, and everyone can view all services that report their health state.
Service Health
Customizable dashboard that tracks the state of your Azure services in whatever regions you use them in.
Allows you to track ongoing service issues, upcoming planned maintenance, relevant health advisories, and security advisories.
Best place to look for information about issues that affect you, because Service Health knows which services and resources YOU are using.
Resource Health
Helps you diagnose issues and obtain
support when an Azure service issue
affects your resources.
Provides details about current and
past state of YOUR resources and
provides technical support to help
mitigate problems.
Shows when, in the past, your resources were unavailable due to Azure service problems.
Combined with Azure Monitor
notifications, Azure Service Health allows
you to stay informed about the
availability of your resources on a
minute-by-minute basis.
Because Service Health notifications are
stored in the Azure activity log, you can
even set up activity log alerts for service
health notifications, using the Azure
portal or even ARM templates.

Exam Tip
Be sure to familiarize yourself with the three
services that make up Azure Service Health. You
want to also remember that Azure Status is
available to all users, whether they are
authenticated or not.
Remembering these things will help you answer
monitoring questions that may involve Azure
Service Health.
Azure Blueprints

Azure
Blueprints
Allows you to define
repeatable sets of Azure
resources that adhere to
organizational standards
and requirements.
Used to quickly deploy
new environments that
adhere to organizational
compliance.
Blueprints vs ARM Templates
ARM templates allow you to create virtual machines, network infrastructure, and storage systems declaratively.
Blueprints are designed to help with environment setup. When you create a blueprint, what you are doing is pulling together all these artifact types to build an entire environment.
Once resources defined in an ARM template are deployed, there's no longer an active connection between the resources and the ARM template itself.
Azure Blueprints can be used to
upgrade multiple subscriptions at
the same time.

Blueprints vs Azure Policy
An Azure Policy focuses on resource properties during deployment and for already existing resources.
Azure Blueprints are used to build environments that adhere to requirements and standards.
A blueprint is composed of artifacts.
Azure Blueprints supports resource groups, ARM templates, policy
assignments, and role assignments.
BLUEPRINT DEFINITION
Resource: Resource Groups
Hierarchy options: Subscription
Description: Create a new resource group for use by other artifacts within the blueprint. These placeholder resource groups enable you to organize resources exactly the way you want them structured and provide a scope limiter for included policy and role assignment artifacts and ARM templates.

Resource: ARM template
Hierarchy options: Subscription, Resource Group
Description: Templates, including nested and linked templates, are used to compose complex environments. Example environments: a SharePoint farm, Azure Automation State Configuration, or a Log Analytics workspace.

Resource: Policy Assignment
Hierarchy options: Subscription, Resource Group
Description: Allows assignment of a policy or initiative to the subscription the blueprint is assigned to. The policy or initiative must be within the scope of the blueprint definition location. If the policy or initiative has parameters, these parameters are assigned at creation of the blueprint or during blueprint assignment.

Resource: Role Assignment
Hierarchy options: Subscription, Resource Group
Description: Add an existing user or group to a built-in role to make sure the right people always have the right access to your resources. Role assignments can be defined for the entire subscription or nested to a specific resource group included in the blueprint.
Exam Tip
Azure Blueprints allow cloud architects to define a
repeatable set of Azure resources that
implements and adheres to an organization's
standards and requirements.
If you encounter a question about building a new
environment that involves defining role
assignments, policy assignments, and deploying
Azure resources, Azure Blueprints is the solution
you should be thinking about.
Identity Governance in Azure AD

Azure AD Identity Governance is used to ensure that the
right users have the access they need to the right resources.

Azure Identity Governance is used to govern the identity lifecycle,
the access lifecycle, and to secure privileged access for administration.

Identity Governance can be used to control external user lifecycles
by configuring onboarding approval flows, setting up regular access
reviews, and removing external users when they’re done collaborating.

Identity Governance
can also be used to
manage group
memberships.
Identity Governance allows
you to protect resources
with role assignments.

Audit Reports
You can also use Identity Governance to audit and create reports on activity within Azure AD.
Azure AD Identity Governance is
broken down into a few pieces:
• Entitlement Management
• Access Reviews
• Privileged Identity Management
• Terms of Use
• Activity
Entitlement
Management
Used to manage the
identity and access lifecycle
by automating access
request workflows, access
assignments, reviews, and
expiration.

Typically used to delegate the ability to create what are called “access packages” to non-administrators.
Azure AD Access Reviews allow you
to manage group memberships, access
to enterprise applications, and role
assignments in Azure.

Example Use Cases:
• You might use access reviews to check on
how many users have administrative
access, like Global Admin access, or if
there are any guest accounts that haven’t
been removed.
• You’re going to sync a group to Azure
AD for a specific app or task. It might be
useful to ask the group owner to review
the group membership prior to the
group being used.
Privileged
Identity
Management
Privileged Identity
Management allows you
to manage, control, and
monitor access to resources
within your organization.
Terms of Use
Azure AD Terms of Use policies
are used to present information like
disclaimers for legal or compliance
requirements to end users.
Under Activity, you can view audit logs.

Azure AD Identity Governance
allows you to balance the need for
security and employee productivity
with the right processes and visibility.
Exam Tip
Remember the roles that Entitlement
Management, Access Reviews, and
Privileged Identity Management play.
To use all the Identity Governance features that
are available, you need to have either an EMS
E5 license OR an Azure AD Premium P2
subscription.
Securely Storing Passwords
and Secrets in Azure

Azure Key Vault provides secrets, key, and certificate management capabilities:
• Secrets Management: Stores and controls access to tokens, passwords, certs, API keys, and other secrets.
• Key Management: Create and control encryption keys that you use to encrypt your data.
• Certificate Management: Provision, manage, and deploy public and private TLS and SSL certificates.
Service Tiers

Standard Tier
• Encrypts with a
software key.
Premium Tier
• Includes HSM-
protected keys.
Why use Azure Key Vault?
Azure Key Vault can be used to centralize storage of application secrets in order to control the distribution of those secrets.
It simplifies things for developers, because they don’t need to store security information within the apps that they are developing.
[Diagram: an application retrieves its backend SQL connection string from Key Vault instead of storing it in the app.]
Azure Key Vault requires authentication and authorization before a
user or app can access the vault, or the secrets and keys in it.

Authentication is handled via Azure Active Directory.
Authorization is handled by RBAC or by a Key Vault access policy.
RBAC can be used to manage the vault itself and access to the data stored in it, while access policies apply only to accessing the data stored in a vault.
Azure Key Vault is designed so that Microsoft
cannot see, nor extract, your data.
Key Vault access and use can be monitored by enabling logging to storage accounts, Event Hubs, or Azure Monitor.
Azure Key Vault can be used with many other Azure services, such as VM Disk Encryption, Always Encrypted, App Service, and TDE.
Key Vault can also integrate with other services, such as Storage Accounts, Event Hubs, and Log Analytics.
Exam Tip
Key Vault is the preferred Azure solution for
storing keys, certs, and secrets.
If you encounter any kind of question on the exam that asks about storing keys, certs, or secrets to be used with encryption or with an app, Azure Key Vault is probably involved somewhere in the solution.
Security Analytics and Threat
Intelligence with Azure Sentinel

Azure Sentinel
Azure Sentinel is a SIEM and a SOAR.

It’s used to collect and view security analytics data and threat intelligence data in your environment.
Azure Sentinel
Azure Sentinel uses Microsoft’s
analytics and threat intelligence to
detect previously undetected threats,
allowing you to investigate incidents
using artificial intelligence.
[Diagram: the Sentinel cycle. Collect: collects data across the entire enterprise. Detect: detects previously uncovered threats. Investigate: investigates threats with artificial intelligence. Respond: responds to incidents.]
Onboarding Sentinel
Azure Sentinel is built on Azure Logic Apps
and offers over 200 connectors.
[Diagram: example Logic Apps automation. An event occurs and is ingested into Sentinel; Logic Apps creates a ticket in Zendesk; customer support handles the ticket.]
Azure Sentinel’s hunting tools allow you to proactively hunt
for security threats before an actual alert is triggered.
Sentinel Community
The Azure Sentinel community is a place where Microsoft security analysts frequently upload new workbooks, playbooks, and hunting queries.
Exam Tip
When sitting the exam, remember what Azure
Sentinel does.
Azure Sentinel collects data across the entire
enterprise, it detects previously uncovered
threats and allows you to investigate threats
with artificial intelligence, and it allows you to
respond to incidents.
Azure AD Domain Services

What is Azure AD Domain Services?
Azure AD Domain Services is essentially a managed version of a traditional on-prem Active Directory.
• Offers Domain Join, Group Policy, LDAP, Kerberos, and NTLM authentication
• Does not require deployment or management of DCs
Azure AD Domain
Services works with your
existing Azure AD tenant
• Fully compatible with cloud
only Azure AD tenants
• Compatible with Azure AD
tenants that are synced with
an on-prem AD
• Users synced into Azure AD
will show up in Azure AD
domain services
How Does Azure ADDS Work?
When Azure ADDS is deployed, a managed domain is created on the virtual network that you specify.
• Azure spins up two Windows Server domain controllers that run on VMs
• You cannot manage, or even access, the domain controllers
• Azure performs all management of the domain controllers
• The managed domain that is spun up is configured for one-way synchronization from Azure AD
Azure ADDS
Best Practices
CLOUD-ONLY BEST PRACTICE:
• Create resources in Azure Active
Directory and let them sync over to
the managed domain service.

HYBRID BEST PRACTICE:
• Create users in the on-prem AD so they synchronize over to Azure Active Directory with Azure AD Connect.
• After syncing to Azure AD, they will sync to Azure AD Domain Services.
How Does Azure ADDS Work?
Azure AD Domain Services is tightly integrated
with Azure Active Directory.
• Accounts in external directories that are linked to your
Azure AD will not be available in Azure Active Directory
domain services
• Because users and their credentials are synchronized
from Azure Active Directory into Azure Active Directory
domain services, users only have to remember one set
of credentials to sign in and to authenticate against
Azure Active Directory domain services.
Azure ADDS Authentication
Azure ADDS supports Kerberos & NTLM authentication.
• Allows you to deploy applications that rely on Windows integrated authentication
• Simplifies lift and shift of applications to Azure
Azure ADDS Availability
Because Azure Active Directory Domain Services includes multiple domain controllers, the managed domain is always available.
Exam Tip
An Azure Active Directory domain services
managed domain is a standalone domain. It IS
NOT an extension of an on-prem Active
Directory domain.
Azure AD DS offers Domain Join, Group Policy, LDAP, Kerberos, and NTLM authentication.
Multi-Tenant Management
with Azure Lighthouse

Azure Lighthouse
Provides a more scalable multi-tenant management solution.
Manage resources for multiple customers from within your own Azure AD tenant, via Azure delegated resource management.
Azure Lighthouse is
most helpful for service
providers like MSPs.
Customer retains
control over who has
access to their tenant,
which resources they
can access, and what
actions can be taken.
[Diagram: Azure Lighthouse building blocks. Foundation: Azure Resource Manager, Azure services, Azure identity. Control plane: delegated resource management and the cross-tenant experience. Options and scenarios: ARM templates, APIs, and Marketplace offers.]
Azure Lighthouse allows existing APIs, management tools, and workflows to be used with delegated resources.
Lighthouse makes it easier to manage Azure resources for customers
without having to switch back and forth between tenants.

[Diagram: customers A through F, each in a separate tenant, all managed from a single managing tenant.]
You can delegate
access to customer
subscriptions and
resource groups to
specified users and
roles in the
managing tenant.
ARM Templates
Azure Resource Manager templates can even be used to onboard delegated customer resources and to perform cross-tenant management tasks.
Azure Lighthouse is free for all Azure customers & partners.

Important Notes
Azure Lighthouse is a non-regional service.
Lighthouse does not support delegation of
subscriptions across a national cloud and the
Azure public cloud, nor does it support
delegation across two separate national clouds.
Exam Tip
When sitting the exam, it’s important to
remember that Azure Lighthouse is used to
streamline the management of multiple
tenants. It’s designed to allow you to manage
resources for multiple customers from within
your own Azure AD tenant, via Azure
delegated resource management.
Designing a Data Solution
for Data Durability

Azure Storage always stores multiple copies
of your data to protect it from transient
hardware failures, network outages, power
outages, and natural disasters.

When considering a redundancy option:
• How is your data replicated in the primary region?
• Is your data replicated to a 2nd region?
• Does your app need read access to the data in the secondary region?
Redundancy in Primary Region
Data in an Azure Storage account is always replicated three times in the primary region:
• Locally Redundant Storage (LRS)
• Zone-Redundant Storage (ZRS)
[Diagram: primary region, one datacenter, storage account with copies 1, 2, and 3 (LRS).]
Redundancy in Primary Region
[Diagram: LRS storage account in a single primary-region datacenter,
holding copies 1, 2, and 3]
Locally Redundant Storage copies data synchronously three times within
a single physical location within the primary region.
Locally Redundant Storage is the cheapest replication option.
Locally Redundant Storage shouldn’t be used for applications that
require high availability or durability.

Redundancy in Primary Region
[Diagram: ZRS storage account spanning Availability Zones 1, 2, and 3
in the primary region, with one datacenter and one copy per zone]
Zone-Redundant Storage copies data synchronously across three
different Azure availability zones within the primary region.
Zone Redundant Storage is recommended for applications that require
high availability.
Locally Redundant Storage (LRS)
LRS provides 11 nines of durability of
objects over a given year.
LRS protects data against server, rack,
and drive failures.
If an entire datacenter is lost, all replicas
of a storage account that use LRS may
be lost or unrecoverable.
Microsoft recommends using ZRS, GRS,
or GZRS instead of LRS.
Locally Redundant Storage (LRS)
[Diagram: LRS storage account in a primary-region datacenter, holding
copies 1, 2, and 3]
A write request to a storage account that is using LRS happens
synchronously.
The write operation returns successfully only after the data is
written to all three replicas.

Exam Tip
Remember which scenarios are good use
cases for locally redundant storage.
Remember that LRS is only a good choice if
you have an app that stores data that can be
easily reconstructed if data loss occurs, OR if
data for your app must remain within a
certain country or region due to data
governance requirements.
Zone-Redundant Storage (ZRS)
ZRS replicates Azure Storage data synchronously
across three different Azure availability zones
within the primary region.
Each availability zone is a separate physical location
that has its own power, cooling, and networking.
ZRS offers 12 nines of durability over a given year.
ZRS-replicated data is accessible for both read and
write operations even if a zone becomes
unavailable.
Zone-Redundant Storage (ZRS)
ZRS in the primary region is the recommended solution for scenarios
that require high availability and for situations where you need to
restrict replication of data to within a specific country or region
to meet data governance requirements.

Zone-Redundant Storage (ZRS)
ZRS, alone, may not protect data against a regional disaster where
multiple zones are permanently affected.
Microsoft recommends using geo-zone-redundant storage to protect your
data against these types of disasters.
GZRS uses ZRS in the primary region, but also geo-replicates your data
to a secondary region.

Redundancy in a Secondary Region
Azure Storage offers two ways to copy your data to a secondary region:
• Geo-redundant storage (GRS)
• Geo-zone-redundant storage (GZRS)

[Diagram: (RA-)GRS. An LRS storage account in the primary-region
datacenter (copies 1, 2, and 3) is geo-replicated to an LRS storage
account in the secondary-region datacenter (copies 1, 2, and 3).]
GRS uses LRS to copy data synchronously 3 times within a single
physical location in the primary region, and then copies your data
asynchronously to a single physical location in the secondary region.
Within the secondary region, data is copied synchronously 3 more times
using LRS.

Redundancy in a Secondary Region
[Diagram: (RA-)GZRS. A ZRS storage account spanning Availability Zones
1, 2, and 3 in the primary region (one copy per zone) is geo-replicated
to an LRS storage account in the secondary-region datacenter
(copies 1, 2, and 3).]
Geo-Zone-Redundant Storage (GZRS) uses ZRS to copy data synchronously
across three different Azure availability zones in the primary region.
It then copies your data asynchronously to a single physical location
in the secondary region.
Within the secondary region, your data is copied synchronously three
more times using LRS.
GRS vs GZRS
The key difference between GRS and GZRS is how
your data is replicated in the primary region:
• GRS uses LRS to copy data synchronously
three times within a single physical location
in the primary region.
• GZRS uses ZRS to copy your data
synchronously across three different Azure
availability zones in the primary region.
When using GRS or GZRS, the data in the
secondary region IS NOT available for read or
write access until and unless there’s a failover to
the secondary region.
Enabling Read Access to the Secondary Region
To enable read access to the secondary region, configure your storage
account to use RA-GRS or RA-GZRS.
How Data is Replicated with GRS or RA-GRS
[Diagram: (RA-)GRS. An LRS storage account in the primary-region
datacenter (copies 1, 2, and 3) is geo-replicated to an LRS storage
account in the secondary-region datacenter (copies 1, 2, and 3).]

How Data is Replicated with GZRS or RA-GZRS
[Diagram: (RA-)GZRS. A ZRS storage account spanning Availability Zones
1, 2, and 3 in the primary region (one copy per zone) is geo-replicated
to an LRS storage account in the secondary-region datacenter
(copies 1, 2, and 3).]

Only General-Purpose v2
Storage accounts support
GZRS and RA-GZRS.

A word about Azure Files…
Azure Files DOES NOT support read-access geo-redundant storage
(RA-GRS), nor read-access geo-zone-redundant storage (RA-GZRS).

DURABILITY AND AVAILABILITY PARAMETERS

Percent durability of objects over a given year
• LRS: Eleven 9’s
• ZRS: Twelve 9’s
• GRS/RA-GRS: Sixteen 9’s
• GZRS/RA-GZRS: Sixteen 9’s

Availability for read requests
• LRS: At least 99.9% (99% for cool access tier)
• ZRS: At least 99.9% (99% for cool access tier)
• GRS/RA-GRS: At least 99.9% (99% for cool access tier) for GRS;
  at least 99.99% (99.9% for cool access tier) for RA-GRS
• GZRS/RA-GZRS: At least 99.9% (99% for cool access tier) for GZRS;
  at least 99.99% (99.9% for cool access tier) for RA-GZRS

Availability for write requests
• LRS: At least 99.9% (99% for cool access tier)
• ZRS: At least 99.9% (99% for cool access tier)
• GRS/RA-GRS: At least 99.9% (99% for cool access tier)
• GZRS/RA-GZRS: At least 99.9% (99% for cool access tier)

Number of copies of data maintained on separate nodes
• LRS: 3 copies within a single region
• ZRS: 3 copies across separate availability zones within a single
  region
• GRS/RA-GRS: 6 copies total, including 3 in the primary region and 3
  in the secondary region
• GZRS/RA-GZRS: 6 copies total, including 3 across separate
  availability zones in the primary region and 3 locally redundant
  copies in the secondary region
DURABILITY AND AVAILABILITY BY OUTAGE SCENARIO

A node within a data center becomes unavailable
• LRS: Yes
• ZRS: Yes
• GRS/RA-GRS: Yes
• GZRS/RA-GZRS: Yes

An entire data center (zonal or non-zonal) becomes unavailable
• LRS: No
• ZRS: Yes
• GRS/RA-GRS: Yes (1)
• GZRS/RA-GZRS: Yes

A region-wide outage occurs in the primary region
• LRS: No
• ZRS: No
• GRS/RA-GRS: Yes (1)
• GZRS/RA-GZRS: Yes (1)

Read access to the secondary region is available if the primary region
becomes unavailable
• LRS: No
• ZRS: No
• GRS/RA-GRS: Yes (with RA-GRS)
• GZRS/RA-GZRS: Yes (with RA-GZRS)

(1) Account failover is required to restore write availability if the
primary region becomes unavailable.
SUPPORTED AZURE STORAGE SERVICES

• LRS: Blob storage, Queue storage, Table storage, Azure Files (1, 2),
  Azure managed disks
• ZRS: Blob storage, Queue storage, Table storage, Azure Files (1, 2)
• GRS: Blob storage, Queue storage, Table storage, Azure Files (1)
• RA-GRS: Blob storage, Queue storage, Table storage
• GZRS: Blob storage, Queue storage, Table storage, Azure Files (1)
• RA-GZRS: Blob storage, Queue storage, Table storage

(1) Standard file shares are supported on LRS and ZRS. Standard file
shares are supported on GRS and GZRS as long as they are less than or
equal to five TiB in size.
(2) Premium file shares are supported on LRS and ZRS.
SUPPORTED STORAGE ACCOUNT TYPES

• LRS: General-purpose v2, General-purpose v1, Premium block blob,
  Legacy blob, Premium file shares
• ZRS: General-purpose v2, Premium block blobs, Premium file shares
• GRS/RA-GRS: General-purpose v2, General-purpose v1, Legacy blob
• GZRS/RA-GZRS: General-purpose v2
Important!
Azure Premium Disk Storage
currently supports only locally
redundant storage. Block blob
storage accounts support both
LRS and ZRS in certain regions.
Exam Tip
Take the summary tables that I’ve included from
Microsoft’s storage documentation, and maybe
not memorize them, but really familiarize
yourself with the information in them.
This information is critical to being able to
recommend a storage solution that meets
specific durability and availability requirements.
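The redundancy rules and summary tables in this section, written out as a small checker so a proposed design can be tested against them. This is an added example, not code from the course; the Requirements fields, recommend(), survives() and the account-kind labels (GPv2, GPv1, PremiumBlockBlob, LegacyBlob, PremiumFiles) are my own naming, not Azure API identifiers.

```python
# Added example, not from the course slides: the redundancy rules and summary
# tables of this section, encoded so a proposed design can be checked against them.
from dataclasses import dataclass
DURABILITY_NINES = {"LRS": 11, "ZRS": 12, "GRS": 16, "RA-GRS": 16,
                    "GZRS": 16, "RA-GZRS": 16}
ALL = set(DURABILITY_NINES)
SURVIVES = {"node": ALL, "datacenter": ALL - {"LRS"},      # outage-scenario table
            "region": {"GRS", "RA-GRS", "GZRS", "RA-GZRS"}}
ACCOUNT_KINDS = {                                          # account-type table
    "LRS": {"GPv2", "GPv1", "PremiumBlockBlob", "LegacyBlob", "PremiumFiles"},
    "ZRS": {"GPv2", "PremiumBlockBlob", "PremiumFiles"},
    "GRS": {"GPv2", "GPv1", "LegacyBlob"}, "RA-GRS": {"GPv2", "GPv1", "LegacyBlob"},
    "GZRS": {"GPv2"}, "RA-GZRS": {"GPv2"},
}

@dataclass
class Requirements:  # field names and account-kind labels are my own, not Azure's
    high_availability: bool = False        # must survive loss of a datacenter/zone
    regional_disaster: bool = False        # must survive loss of the primary region
    single_region_residency: bool = False  # data may not leave the country/region
    read_secondary: bool = False           # app reads the secondary without failover
    reconstructible: bool = False          # data is cheap to rebuild if lost
    service: str = "blob"                  # blob | queue | table | files | premium-disk
    account_kind: str = "GPv2"

def recommend(req: Requirements) -> str:
    """Return the least expensive option on the slides that satisfies req."""
    if req.service == "premium-disk":
        if req.high_availability or req.regional_disaster:
            raise ValueError("Azure Premium Disk Storage supports only LRS")
        return "LRS"
    if req.single_region_residency:
        if req.regional_disaster:
            raise ValueError("geo-replication conflicts with single-region residency")
        option = "ZRS" if req.high_availability else "LRS"
    elif req.regional_disaster:
        if req.service == "files" and req.read_secondary:
            raise ValueError("Azure Files does not support RA-GRS or RA-GZRS")
        option = "GZRS" if req.high_availability else "GRS"
        option = "RA-" + option if req.read_secondary else option
    elif req.reconstructible and not req.high_availability:
        option = "LRS"  # acceptable only because lost data can be rebuilt
    else:
        option = "ZRS"  # Microsoft recommends ZRS/GRS/GZRS over LRS
    if req.account_kind not in ACCOUNT_KINDS[option]:
        raise ValueError(f"{option} is not supported on {req.account_kind} accounts")
    return option

def survives(option: str, scenario: str) -> bool:
    return option in SURVIVES[scenario]
```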
Integrating Applications into Azure AD

Azure AD provides authentication and authorization functionality.
It can be used to centralize app management.
Integrating Azure AD and New Apps
New apps should be added to your tenant immediately.
Use Enterprise Applications in the Azure AD portal to add new apps and
to manage existing apps.
Publish an App
You can integrate apps that are NOT already in
the gallery by publishing your app in the gallery.
Once an app is published, it shows in the gallery.
You can also integrate apps that have been
developed in-house.
Existing Application Use
Identify apps that are used most frequently by end-
users, so they can be integrated with Azure AD.
Use Microsoft Defender for Cloud Apps cloud
discovery tools to discover apps not currently
managed by the IT department.
The AD FS application activity report in the
Azure portal can be used to track down the AD FS
apps that are in use.
You’ll often identify applications that are untracked by the IT
department, or that are relying on alternative identity solutions,
like Active Directory Federation Services and other 3rd party identity
providers.
Integrate them with Azure AD to reduce the number of identity
solutions that you have to use and support.
[Diagram: before, on-prem apps, LOB apps, and SaaS apps are split
between Azure AD and AD & AD FS; after, all of them use Azure AD.]
Integrating On-Prem Apps
Organizations often need to make on-prem apps available to people who
are NOT on the corporate LAN.
Use Azure AD Application Proxy to connect existing on-prem apps to
Azure AD in order to make them accessible.
Publish on-prem web applications externally.
How Azure AD AppProxy Works
[Diagram: an external user reaches
https://app-bluewidgetcorp.msappproxy.net (AppProxy), which forwards
the request through the on-prem Connector to the internal app at
https://app.bluewidgetcorp.com]
https://docs.microsoft.com/azure/active-directory/app-proxy/what-is-application-proxy
Developers can use the Microsoft Identity Platform to implement
authentication and authorization.
The Microsoft Identity Platform offers integration of features like
passwordless authentication, step-up authentication, and Conditional
Access.
Apps integrated with the Microsoft Identity Platform will be
registered with Azure AD and managed just like any other app in your
portfolio.
The Microsoft Authentication Libraries (MSAL) are a part of the
platform that developers can use to enable things like MFA and the use
of security keys to access apps.
Apps that are integrated with the Microsoft identity platform can
access Microsoft Graph.
