AZ-900


126 Terms

1

IaaS (Infrastructure as a Service):

Most flexible category of cloud service; provides the maximum amount of control over resources, but the provider is responsible for hardware, physical security, and network connectivity

2

On-Premises

The cloud provider manages nothing; you manage everything (infrastructure, platform, and software)

3

PaaS (Platform as a Service)

The provider maintains hardware, physical security, and network connectivity, as well as the OS, development, and databases.

4

SaaS (Software as a Service)

Renting / using a fully developed application. Most responsibility is on the provider; least flexible

5

Public Cloud

Everything is built on the cloud provider. Pay-as-you-go, low control over resources/security, no capital expenditure to scale up, applications can be quickly set up/removed

6

Private cloud

Everything is built on the company's data center. Complete control over resources/security, data not collocated with others' data, hardware cost, responsible for maintenance/upgrades

7

Hybrid

  • Mix of On-Premises, Private Cloud, and Third Party with public cloud services (combine provider and your own data center) 

  • Most flexibility, determine where to run their applications, control security, compliance or legal requirements 

8

Capital Expenditure (CAPEX)

Spending money upfront on physical infrastructure, then deducting that expense from your tax bill over time. Guess upfront

9

Operational Expenditure (OPEX)

Costs associated with an on-premises datacenter that have shifted to the service provider. The customer deals with non-physical costs

10

High Availability

Ability for your service to remain available by ensuring there is NO SINGLE POINT OF FAILURE

11

High Scalability

Ability to increase your capability based on the increasing demand of traffic, memory, and computing power (allocate and deallocate resources at any time)

12

High Elasticity

Ability to automatically increase or decrease your capacity based on current demand of traffic, memory, and computing power

13

Highly fault Tolerant

ability for your service to ensure there is no single point of failure. Preventing the chance of failure

14

Fail-overs

  • when you have a plan to shift traffic to a redundant system in case the primary system fails 

15

High Durability

 ability to recover from a disaster and prevent the loss of data

16

Disaster recovery (DR)

The process and design principle which allows a system to recover from natural or human-induced disasters

17

Agility

is the ability to react fast (scale quickly)

18

fault tolerance

is the ability to maintain system uptime while physical and service component failures happen

19

Vertical scaling up

Upgrade to bigger servers: bigger hard drives, more CPU/RAM, etc. Better hardware

20

Horizontal scaling out

Adding more servers, adding more hardware of similar capacity

21

Reliability

Ability of a system to recover from failure and continue to function

22

Predictability

focused on performance predictability or cost predictability

23

Cost

cost predictability is focused on predicting or forecasting the cost of the cloud spend

24

Governance

  • Designed to support governance and compliance

  • Deploying resources from set templates helps ensure that deployed resources meet corporate standards and government requirements

25

Security

Security: cloud solution that matches security needs

26

Manageability

Management of the cloud: managing cloud resources. Management in the cloud: managing your cloud environment and resources

27

Consumption-Based Models

Pricing model used in the cloud so that customers are only charged based on their resource usage (pay for what you use). Characteristics:

  1. No associated upfront cost

  2. No wasted resources

  3. Pay for what you need 

  4. Stop paying when you don’t 

  5. Better cost prediction

  6. Price monitoring and service are provided

28

Data Center

  • Physical infrastructure that hosts a group of networked servers

  • Has its own power, cooling, and networking infrastructure

29

Availability Zone:

  • Regional feature which contains a grouping of physically separated data center facilities.

  • Physically separate datacenters that are grouped within the same region

  • Made up of 1 or more datacenters equipped with independent power, cooling, and networking

  • Designed to protect from data center failures: if one zone goes down, the others keep working (High Availability). It does this with an isolation boundary

  • Three service categories:

30

Regions

  • Geographical area on the planet containing one, but usually more, data centers connected by a low-latency network (multiple datacenters)

The locations for your services

31

Sovereign Regions

Specialized cloud regions that are designed to meet the specific data residency and compliance requirements of certain countries or regions

32

Geography

Discrete market of two or more regions that preserves data residency and compliance boundaries

33

Region Pairs

  • Each region is paired with another region in the same geography in order to prevent a disaster from happening 

  • Pairs are static and based within the same geography

  • Each region is paired with another region 300 miles away (ensures one region is always up when one region goes down)

34

Azure Resources:

  • Basic building block of Azure; anything you create, provision, deploy, etc. is a resource

  • Objects used to manage services in Azure; when someone buys a service, they use a resource

35

Azure Resource Groups

  •  logical container for resources deployed on Azure. 

  • Grouping of resources; when you create a resource, you need to put it inside a resource group

36

Azure Subscriptions

  • Units of management, billing, and scale. Allow you to logically organize resource groups and facilitate billing

  • Using Azure requires a subscription, which allows for authorized access to products/services

37

Azure Management Groups

  • Organize subscriptions into containers and apply governance conditions at a level above subscriptions

  • Manage access, policies, and compliance across multiple subscriptions

38

Hierarchy

  • Resources -> Resource Groups -> Subscriptions -> Management Groups (on top)

39

Azure Virtual desktop

  • A type of VM: desktop and application virtualization that runs on the cloud (creates a virtualization environment)

  • Enables users to use a cloud-hosted version of Windows from anywhere

40

Virtual Machines:

Virtualized servers that provide infrastructure as a service (IaaS) in the cloud (software emulation of physical computer) 

  • Infrastructure as a Service (IaaS) (you have to configure and maintain it)

  • Total control over OS, software, and hosting configurations  

  • Flexibility without having to buy/maintain hardware

41

Virtual Machine Scale Sets

  • Allows creation and management of a group of identical, load-balanced VMs.

  • Automates work such as configuring the VMs identically, setting network routing parameters, and monitoring utilization

  • Can run any application/scenario

    • web apps & web services,

    • databases,

    • desktop applications,

    • jumpboxes,

    • gateways, etc.

42

Virtual Machine Availability Set

  • Feature that enhances the resilience and high availability of your VMs by ensuring they are not all affected by a single point of failure

  • Ensures that VMs are protected by distributing them across different update and fault domains

43

Containers:

  • Lightweight virtualization environment that involves running multiple isolated applications on a single physical or virtual host and that does not require an OS

  • Major Difference: NO OS across different containers: 

  • Key character:

  • host's operating system

44

Azure Container Instance

  • Platform as a Service (PaaS) that allows you to upload your containers quickly without managing VMs (developer works on it for you)

  • Runs a container or pod of container in Azure 

  • Simplest and fastest way to run a container in Azure

45

Azure Container Apps

  • Builds on Container Instances with additional features like load balancing, scaling capabilities, and increased elasticity

  • Supports multiple programming languages and containers

46

Azure Kubernetes Services (AKS)

  • Container orchestration service for managing containerized applications at scale, such as distributed architectures and large volumes of containers

  • Highly scalable and customizable

  • Designed for high scale container deployments

47

Azure Functions (serverless):

  • An event-driven PaaS serverless compute option that doesn't require maintaining virtual machines or containers

  • Event-based code runs when called, without requiring server infrastructure during inactive periods

  • In 2 states: stateless or stateful

  • Stateless: behave as if they're restarted every time they respond

  • Stateful: a context is passed to the function to track prior activity

48

Serverless computing:

  • Server management issues and workload are taken care of by the provider

  • STILL USES SERVERS, responsibility is on the provider (abstracts away how you manage the servers underneath)

  • Benefits:

  • No Infrastructure Management: just run your application without server issues 

  • Scalability: application will run away due to scaling

49

Azure App Service

  • Fully managed platform that enables users to build, deploy, and scale APIs in any programming language without managing infrastructure

  • Automatic scaling and high availability

  • Robust hosting options

  • Works with .NET, .NET Core, Node.js, Java, or PHP


50

Azure Virtual Networking

  • Enables Azure resources (VMs, web apps, databases) to communicate with each other, with users on the internet, and with on-premises client computers

  • On-premises networking functionality; connects cloud and on-premises

  • Supports public and private endpoint communication between external or internal resources and other internal resources

  • Designed for isolation + segmentation, communication, filtering, and routing between resources.

51

VNet Peering:

  • Connects two virtual networks directly to each other, allowing resources in different VNets to communicate as if they were on the same network

52

SubNets

  • Subdivision/segmentation of an Azure VNet used for allocation of addresses and network filtering through creating multiple isolated virtual networks.

53

Public Endpoint:

  • public IP address and can be accessed from anywhere in the world

  • Accessible from anywhere on the internet

54

Private endpoint:

  • Exists within a virtual network and has a private IP address from within the address space of that virtual network

  • Accessible only from within your network

55

VPN gateways

  • Type of network gateway that is deployed to send encrypted traffic between an Azure VNet and an on-premises location over the public internet

  • Used to connect on-premises to Azure traffic over the public internet, or for cross-regional communication of Azure VNets

56

Azure ExpressRoute

  • extend your on-premises networks into Microsoft cloud over a private connection, with help of a provider. 

  • Provide a dedicated private connection to Azure cloud that doesn’t travel over internet (useful where you need greater bandwidth or high-level security)

  • DOESN’T TRAVEL OVER PUBLIC INTERNET

57

Azure DNS

  • Hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure

58

Azure Storage account

Provides a unique namespace for Storage data that is accessible from anywhere in the world. Data in this account is secure, highly available, durable, and massively scalable

59

Blob Storage:

  • Storage solution used to store very large files/unstructured files

  • Ex: text or binary data

  • Designed for storage of files of any kind (BLOB- Binary Large OBject file) 

  • Ideal for: serving images to browser, storing file, streaming, backup, disaster recovery, and archiving

60

Hot

Frequently accessed data

61

Cool:

Infrequently accessed data for last 30 days (lower availability, high durability)

62

Cold

Infrequently accessed data for last 90 days

63

Archive

Rarely (if ever) accessed data

64

Queue Storage

  • Service for storing large numbers of messages; once stored, messages can be accessed from anywhere in the world and used to create a backlog of work to process asynchronously.

  • Storage for small pieces of data (messages) 

65

Table Storage

  • storage for semi-structured data (NoSQL) 

  • No need for foreign join, foreign key, relationship, or strict schema

66

File Storage

  • Managed file shares in the cloud that are accessible via the industry-standard Server Message Block (SMB) or Network File System (NFS) protocols

  • Same as Blob, except we use SMB sharing, shares, and files

  • SMB or NFS to access

67

Azure Disk Storage

  • Block-level storage volumes managed by Azure for use with Azure VMs, applications, and their services.

  • Provision the disk, and Azure does the rest

68

Locally Redundant Storage (LRS):

  • Replicate data 3 times within a single data center in primary region 

  • 1 single datacenter in primary region 

  • Provides at least 11 nines of durability (99.999999999%)

  • Lowest cost/least durability; protects against drive failure, but if the data center gets destroyed, RIP data

69

Zone-redundant Storage (ZRS)

  • Replicates data synchronously across 3 Azure availability zones in the primary region

  • 3 availability zones in the primary region

  • Provides at least 12 nines of durability (99.9999999999%)

70

Geo-redundant storage (GRS)

  • replicate data synchronously 3 times within a single physical location in the primary region using LRS then use region pair to copy data to secondary region 

  • Single datacenter in primary and secondary region 

  • Provides at least 16 nines of durability 

71

GZRS

  • Combines ZRS with the protection from regional outage provided by GRS

  • 3 availability zones in the primary region and 1 single data center in the secondary region

  • Provides at least 16 nines of durability

  • Replicates data 3 times in the primary region + 3 availability zones + replicated to a secondary geographic region

  • Maximum consistency, durability, and availability, etc for disaster recovery

72

Azure Migrate:

  • A service that helps you migrate from an on-premises environment to the cloud

  • Provides: unified migration platform, range of tools, and assessment & migration

73

Azure Data Box:

  • Physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way

  • Stores up to 80 terabytes of data and does the physical moving

  • Various Cases: 

  • Move your disaster recovery backups to Azure (disaster recovery)

  • Protect data in rugged case during transit via a regional carrier (Security requirements) 

74

AzCopy:

  • Command-line utility used to copy blobs or files to or from your storage account

  • Upload files, download files, copy files between storage accounts

  • One-direction synchronization (designate the source and destination; sync goes in that single direction)

75

Azure Storage Explorer:

  • Standalone application that provides a graphical user interface to manage files and blobs in your Azure Storage account

  • Works on OSes such as Windows, macOS, and Linux

  • Uses AzCopy to handle file operations such as upload/download to Azure or moving between storage accounts

76

Azure File Sync

  • Tool that centralizes on-premises files with Azure Files in a bidirectional manner

  • Cloud tiering keeps frequently accessed files local while freeing up space

77

Microsoft Entra ID:

  • Directory service that enables users to sign in and access both Microsoft cloud applications and your own cloud applications (Microsoft Azure's cloud-based identity and access management service)

  • Use cloud-based identity to access services with full control

  • Helps maintain on-premises Active Directory deployment

78

Microsoft Entra Domain Services:

  • Service that provides managed domain services, such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication

  • Eliminates the need to deploy, manage, and patch domain controllers in the cloud 

79

Authentication

  • Process of establishing the identity of a person, service, or device

  • Requires the person, service, or device to provide some type of credential to prove who they are

80

Authorization

  • Determines an authenticated person's or service's level of access

  • Defines which data they can access and what they can do with it

81

Single sign-on (SSO):

  • Enables a user to sign in 1 time and use that credential to access multiple resources and applications from different providers.

82

Multi-Factor authentication

  •  process of prompting a user for an extra form of identification during the sign-in process

  • 3 Categories for providing additional identification for Multi-factor

  1. Something the user knows (challenge question)

  2. Something the user has (code sent to phone)

  3. Something the user is (fingerprint or face) 

83

Passwordless authentication

  • When a password is removed and replaced with something you have, something you are, or something you know

84

External identity

  • Person, device, or service that is outside your organization

85

Business to Business (B2B) collaboration

  • Collaborate with external users by letting them use their preferred identity to sign in to your app.

  • Business to other business

86

B2B Direct Connect

  • External users have access to your resources from within their home instance.

  • Establish mutual two-way trust with another Microsoft Entra organization with team shared channels

87

Microsoft Azure Active Directory Business to Customer (B2C):

  • Publish modern SaaS apps or custom-developed apps to consumers and customers, while using Azure AD B2C for identity and access management

88

Conditional Access:

  • Tool that Microsoft Entra ID uses to allow/deny access to resources based on identity signals

  • Used by Azure Active Directory to bring signals together, make decisions, and enforce organization policies

  • Deny, challenge, or access

89

Azure Role-based access Control (RBAC):

  • Service that provides built-in roles that describe common access rules for cloud resources.

  • Fine-grained access management (give users the least amount of access, just enough for their roles)

  • Segregate duties within the team and grant users only the amount of access that they need to perform their jobs

  • Authorization system built on Azure Resource Manager (ARM)

90

Zero Trust Model

  • Security model that assumes the worst-case scenario and protects resources with that expectation

  • Assumes breach and verifies each request/every user as if it originated from outside

  • Based on: verify explicitly, use least privilege access, and assume breach

91

Defense-in-depth-Model

  • Strategy that uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data

  • Layered approach to securing computer systems / protecting central data

  • Each layer provides protection, so if 1 is breached, another will be ready, since each layer is isolated

  • The layers: physical security (protect hardware), identity & access (protect control/infrastructure), perimeter (DDoS protection/firewalls), network (limit communication between resources), compute (secure access to VMs), application (apps are secure), data (protect business/customer data)

92

Microsoft Defender for Cloud:

  • Monitoring service that provides threat protection across both Azure and on-premises datacenters.

  • Monitors cloud, on-premises, hybrid, etc. environments with native protection

  • Detects and blocks malware

  • Protects Azure and non-Azure servers.

93

Azure Marketplace:

Allows customers to find, try, purchase, and provision applications and services from hundreds of leading service providers, which are all certified to run on Azure

  • Open-source container platforms

  • Application build/deployment software

  • VM’s, database, and developer tools 

94

Pricing Calculator:

  • Tool that helps you estimate the cost of Azure products. The options that you can configure in the Pricing calculator vary by product, but basic configuration options include:

  • Region

  • Tier

  • Billing options 

  • Support options

  • Program/offers

  • Azure dev/test pricing

  • Estimate the cost of any provisioned resource and account for different storage options 

95

Total Cost of Ownership Calculator:

  • A tool that estimates the cost savings you can realize by migrating to Azure, by comparing the cost of on-premises infrastructure with that of an Azure cloud infrastructure

96

Microsoft Cost Management:

  • Provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets used to automate management of resources

97

Tags:

  • provide metadata for your Azure resources

  • Applicable for resources, resource groups and subscriptions

  • Logically organize resources into a taxonomy 

  • Consist of a name-value pair 

  • Very useful for rolling up billing information 

  • Used for management, security, optimization, and compliance 

98

Microsoft Purview

  • Family of data governance, risk, and compliance solutions that helps users get a single unified view into their data. Brings insights about your on-premises, multi-cloud, and software-as-a-service data together

99

Microsoft Policy:

  • Service in Azure that helps enforce organizational standards and assess compliance at scale. Provides governance and resource consistency with regulatory compliance, security, cost, and management

100

Resource Lock

  • Prevents resources from being accidentally deleted or changed

  • Can be applied to individual resources, resource groups, or even an entire subscription