Study set for Azure AZ-900 test
Key Characteristics of Cloud Computing
Resource pooling
Elasticity
Pay per use
Automation
CapEx vs. OpEx
CapEx (capital expenditure) refers to upfront investments in hardware and infrastructure that you own and depreciate over time
OpEx (operational expenditure) refers to ongoing costs associated with running workloads in the cloud, paid as you consume services
IaaS
Cloud computing model where virtualized computing resources, storage, and networking services are provided over the internet, allowing users to create and manage virtual machines without having to purchase and manage physical hardware
PaaS
Cloud computing model that provides a complete development and deployment environment for building and deploying apps, allowing users to focus on app development without worrying about the underlying infrastructure, operating systems, or networking infrastructure.
SaaS
Cloud computing model that provides software applications over the internet as a service, allowing users to access and use the applications without having to install or manage any hardware or software infrastructure.
Shared Responsibility Model
On premises: customer responsible for everything
IaaS: customer responsible for OS, patches, frameworks/runtime, apps and data; cloud provider responsible for physical space, power/cooling/internet, hardware and the virtualization layer
PaaS: customer responsible for apps and data; cloud provider responsible for everything in IaaS plus the OS, patches, frameworks and runtime
SaaS: customer responsible only for the data in the app; cloud provider responsible for everything in PaaS plus the application itself
In every model the customer keeps responsibility for its information and data, devices (endpoints), and accounts and identities; identity and directory infrastructure is a shared responsibility in PaaS and SaaS, as are network controls in PaaS
Public Cloud
Cloud deployment model well-suited for organizations that want to host their apps or services on a shared infrastructure that is accessible over the internet
Use cases: hosting web apps, running apps that require high availability and scalability, storing/processing data that doesn’t have strict compliance requirements
Private Cloud
Cloud deployment model best-suited for organizations that need to maintain control over their data and infrastructure
Use cases: hosting apps that have strict compliance requirements, storing/processing sensitive data, creating a dedicated environment for development and testing
Hybrid Cloud
Cloud deployment model suitable for organizations that want to leverage benefits of both public and private cloud deployment models
Use cases: hosting apps that need on-premises and cloud-based resources, supporting disaster recovery or business continuity, scaling up or down while maintaining control over sensitive data or apps
Consumption-based Model
Pricing model where users only pay for the amount of Azure resources that they use, with no upfront costs or long-term commitments. This allows users to scale up or down based on their needs, and provides a flexible and cost-effective way to use Azure services.
Benefits of high availability and scalability in the cloud
increased uptime and availability of apps and services
reduced risk of data loss or corruption
ability to handle sudden increases in demand without impacting performance
cost savings by only paying for resources used
Benefits of reliability and predictability in the cloud
improved uptime
faster disaster recovery
better performance
predictable costs
improved security
Benefits of security and governance in the cloud
greater visibility and control over data and system access
more efficient compliance
enhanced protection against cyber threats
reduced risk of data loss
Benefits of manageability in the cloud
simplified and centralized IT management
reduced admin burden
better resource utilization
enhanced automation
IaaS
provides virtualized computing resources over the internet
users have full control over the OS, apps, and configurations of their VMs
IaaS providers are responsible for the underlying physical infrastructure
users pay for IaaS on a pay-as-you-go or subscription basis
scalable and flexible
PaaS
provides a platform for building, deploying, and managing apps over the internet
offers preconfigured computing environments
providers handle underlying infrastructure, like servers, storage, and networking
users have control over the apps they develop
example: Azure App Service
SaaS
allows users to access software apps over the internet
benefits include lower costs, increased scalability, easier maintenance
examples include CRM software, email services, project management tools
Fixed Price Model
allows customers to pay a fixed, upfront cost for a specific amount of Azure service usage over a set period of time
best suited for customers with predictable, steady usage who want to avoid the unpredictability of Pay-as-you-go
Consumption Model
allows customers to pay only for the services they use, metered at fine granularity (VM compute, for example, is billed per second)
best suited for customers with fluctuating or unpredictable usage patterns who want to optimize costs
Azure Regions
physical locations around the world containing Microsoft data centers
each region is made up of one or more data centers connected by a low-latency network
a region is AZ-enabled when it has three or more availability zones
Azure Region Pairs
two Azure regions within the same geography that are set up for data replication and high availability
primary and secondary regions are at least 300 miles apart where possible, so one large-scale disaster is unlikely to affect both
secondary region is the failover target for the primary; Azure rolls out planned platform updates to only one region of a pair at a time
Azure Sovereign Regions
specialized, isolated instances of the Azure cloud designed for governments and regulated customers
physically and logically isolated from the global (public) Azure cloud, with their own endpoints and identity
currently 2: Azure Government (US federal, state and local government and their partners) and Azure China (operated by 21Vianet)
provide compliant cloud services to customers with specialized regulatory needs
Availability Zones
physically separate locations within an Azure region, each with independent power, cooling and networking
each zone is made up of one or more data centers
apps and services can be deployed across multiple availability zones (zonal or zone-redundant services)
protect against data center-level failure; an AZ-enabled region has a minimum of three zones
Azure Data Centers
physical locations where the cloud operates
Resources
building blocks of Azure services
represents a piece of infrastructure or a service
has its own properties, configuration settings and access control policies
billed based on usage
Resource Groups
logical containers that hold related Azure resources
Azure Subscriptions
logical container that holds the resources created by a user or organization in Azure
used to manage billing, access control, and resource limits
each subscription is associated with a billing account
Azure Management Groups
provide a way to manage access, policies, and compliance across multiple subscriptions
allow users to organize subscriptions into hierarchies
can be used to apply policies, monitor compliance, and control access at scale across multiple subscriptions
Hierarchy of resource groups, subscriptions and management groups
multiple resource groups can be in a subscription; each resource lives in exactly one resource group
multiple subscriptions can be in a management group, and management groups can be nested beneath the root management group
policies and role assignments applied at a higher scope are inherited by everything below it (management group > subscription > resource group > resource)
VM vs Containers vs Functions
VMs use hardware virtualization: a hypervisor runs an entire guest OS, with its own kernel, on virtualized hardware
VMs have their own set of virtualized hardware resources (vCPU, memory, disk, NIC)
VMs are strongly isolated from each other and can run different OSes and apps
Containers use OS-level virtualization: multiple isolated apps run on a single host OS
Unlike VMs, containers share the host OS kernel, but each has its own file system view and its own process and network namespaces
Containers are lightweight (small images, start in seconds), but the shared kernel is a weaker isolation boundary than a VM
functions are small pieces of code that run in response to an event or trigger
ideal for short-lived and event-driven apps
serverless and automatically scale to meet demand
VM Scale Sets
allow for deployment and management of a set of identical VMs
number of VMs can be automatically adjusted based on demand or custom metrics
provide high availability and can be used for load balancing and autoscaling
VM Availability Sets
logical grouping of VMs that help you ensure high availability of your apps
spreads VMs across multiple physical servers, racks, storage units and network switches
VMs in the same availability set are placed in different fault domains and update domains
fault domain: a set of hardware (rack, power source, network switch) that shares a single point of failure, so one hardware failure takes down only that domain's VMs
update domain: a group of VMs and underlying hardware that can be updated or rebooted at the same time during planned maintenance; only one update domain is rebooted at a time
an availability set supports up to 3 fault domains and up to 20 update domains (default 5)
Azure Virtual Desktop
cloud-based virtual desktop infrastructure that allows users to access remote desktops and apps from anywhere on any device
provides a virtualized environment for desktop management and deployment
Resources Required for VMs
Processor
Memory
Storage
Network
Azure App Service
PaaS offering that allows developers to build and deploy web and mobile apps easily
auto scaling and load balancing
support for multiple programming languages and frameworks
Azure Kubernetes Service (AKS)
managed service for running Kubernetes, the open-source container orchestration platform
PaaS-style: Azure operates the control plane (API server, etcd); you pay for and patch the worker nodes
highly scalable and customizable; designed for high-scale container deployments
Virtual Network
VNet is a foundational building block for networking
enables secure and isolated communications between Azure resources and on-premises networks
can be segmented into subnets
allows you to define IP address ranges and configure route tables and gateways
can connect VNets together, or to on-prem networks using VNet peering or VPN gateways
VPN Gateway
allows connecting VNets to on-prem networks using site-to-site VPN or point-to-site VPN connections
supports active-active and active-passive modes for high availability
supports both policy-based and route-based VPN configurations
Azure Load Balancer
distributes incoming traffic among healthy instances of services defined in a backend pool
for TCP, UDP or both
both inbound and outbound traffic
layer 4 (transport layer)
Application Gateway
web traffic load balancer that allows you to manage and optimize the delivery of web traffic to your web apps
TLS/SSL offloading, cookie-based session affinity, URL-based routing and end-to-end TLS encryption
can scale your apps and, with the optional Web Application Firewall (WAF) SKU, apply OWASP core-rule-set based application security rules
layer 7 (application layer)
Content Delivery Network
network of distributed servers that caches content closer to end users for faster delivery
can be used to deliver various types of content, including web pages, images, videos, and apps
can provide real-time analytics and monitoring to help optimize content delivery
Azure ExpressRoute
dedicated private connection between an on-premises data center and Azure data centers, provided through a connectivity partner
provides higher bandwidth, lower latency and a more consistent connection than a VPN over the internet
improves reliability and privacy; note that ExpressRoute traffic is private but not encrypted by default, so use MACsec (ExpressRoute Direct) or IPsec/VPN over ExpressRoute when encryption in transit is required
allows for hybrid cloud
traffic bypasses the public internet
Azure DNS
hosting service for DNS domains
provides name resolution
can be used to host domains and perform DNS resolution
provides high availability and low latency
Public vs Private Endpoints
public endpoints are used to access services over the internet and have a public IP address
private endpoints are network interfaces in your VNet with a private IP address, connected to a specific service instance through Azure Private Link
provide a more secure way to access services by keeping traffic on the Microsoft backbone and off the public internet
create a direct connection between the VNet and the desired service; the service's DNS name must resolve to the private IP (typically via an Azure private DNS zone) or clients will still use the public endpoint
useful where traffic must stay on your private network for security or compliance; the service's public endpoint remains reachable until you also disable public network access or restrict the service firewall
Azure Blob Storage
BLOB: binary large object
unstructured data files
3 access tiers
hot - frequently accessed data
cool - infrequently accessed data
archive - rarely accessed data
Azure Queue Storage
storage for small pieces of data (messages)
designed for decoupling and asynchronous processing of applications
Azure Table Storage
semi-structured data
NoSQL
designed for fast access
many programming interfaces and SDKs
Azure File Storage
similar to Blob
different in the way that you access the data
accessed via file-share protocols (SMB and NFS), so a share can be mounted like a network drive
designed to extend on-premises file shares or implement lift-and-shift scenarios
Azure Storage Account
group of services: blob, queue, table, and file storage
used to store files, messages and semi-structured data
highly scalable
highly durable
cheapest per GB storage
Azure Disk Storage
disk emulation in the cloud
persistent storage for VMs
different sizes, types (HDD, SSD), performance tiers
disks can be unmanaged or managed
unmanaged - VHD files stored as page blobs in a storage account that you create and manage yourself
managed - Azure manages the underlying storage account; managed disks are the default and recommended option
Storage Redundancy in the Primary region
Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region
Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region
Storage Redundancy in a secondary region
Geo-redundant storage (GRS) does LRS in the primary region, then copies data asynchronously to a single physical location in the secondary region, where it is again stored with LRS
Geo-zone-redundant storage (GZRS) does ZRS in the primary region, then copies data asynchronously to a single physical location in the secondary region (LRS there)
because geo-replication is asynchronous, the secondary can lag the primary, so the recovery point objective is not zero
data in the secondary region isn't available for read or write access unless there is a failover to the secondary region
can configure read access to the secondary with read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS)
AzCopy
command-line tool used for copying data to and from Azure Blob Storage and Azure Files, and for copying from Amazon S3 or Google Cloud Storage buckets into Azure
Azure Storage Explorer
free, cross-platform tool used for managing and working with Azure storage accounts
provides a GUI for managing storage accounts
allows for easy uploading and downloading of data to and from storage accounts
Azure File Sync
hybrid cloud storage solution that enables organizations to synchronize on-premises file servers with Azure Files
Azure Migrate
service used for assessing and migrating on-premises servers, databases, and apps to the cloud
centralized hub for assessing and discovering on-premises environments for migration to azure
Azure Data Box
a physical data transfer solution for moving large volumes of data to azure
Azure AD (renamed Microsoft Entra ID in 2023)
cloud-based identity and access management (IAM) service
provides SSO and MFA
enables user and group management
synchronizes with on-prem AD through Azure AD Connect (now Microsoft Entra Connect)
Azure AD DS
managed domain services solution built on Azure AD: domain join, group policy, LDAP and Kerberos/NTLM authentication without deploying your own domain controllers
simplifies hybrid identity management with a one-way sync from Azure AD into the managed domain
Azure AD B2B
facilitates collaboration with external organizations by inviting their users as guest accounts in your tenant
guests authenticate with their own identity provider; authorization to your tenant's resources is managed locally in your tenant
Azure AD B2C
support consumers using public-facing applications at scale
self-service for user account lifecycle management
Azure AD Conditional Access
analyzes signals, makes a decision, enforces the decision
signals include user and group membership, location (named locations/IP ranges), device state, the application being accessed, and real-time sign-in and user risk
result is allow access, grant access only after additional controls (e.g., MFA, compliant device), or block access
Azure Role-Based Access Control
authorization system for managing who can do what on Azure resources (management plane)
granular and fine-grained access control mechanism
built from a security principal (user, group, service principal or managed identity), a role definition (a set of allowed and disallowed actions) and a scope
role assignments attach role definitions to security principals at a scope; assignments are inherited by child scopes and permissions are additive across assignments
use built-in roles (Owner, Contributor, Reader, ...) or create your own custom roles
Zero Trust Approach
3 guiding principles
verify explicitly: always authenticate and authorize using all available signals
use least-privilege access: just-in-time and just-enough access, risk-based adaptive policies
assume breach: segment access, use end-to-end encryption, monitor and detect
Defence in Depth
a layered security strategy to protect data and resources in Azure
layers (outer to inner): physical security, identity and access, perimeter, network, compute, application, data
each layer slows an attacker and provides telemetry, so no single control is a single point of failure
complements the principle of least privilege and zero trust
Microsoft Defender for Cloud
unified security posture management and threat protection service for Azure, multi-cloud and on-premises resources
formerly known as Azure Security Center
provides continuous security assessments, a secure score, monitoring and recommendations
offers JIT VM access, adaptive application controls and file integrity monitoring
integrates with Microsoft Sentinel (formerly Azure Sentinel) for SIEM/SOAR
available as a free tier (foundational posture management) plus paid Defender plans per resource type
Factors Affecting Cost
resource type
service tiers
region
storage and data transfer
compute resources
reserved instances
azure cost management
Azure Pricing Calculator vs Total Cost of Ownership Calculator
Azure pricing calculator estimates the cost of azure services based on selected resources, tiers, and usage
allows customization of configurations
useful for comparing different azure services and configs
TCO calculator compares the cost of running workloads on-premises vs in Azure
considers factors like hardware, software, IT labor, and datacenter costs
helps identify potential cost savings with Azure adoption
Azure Cost Management and Billing Tool
suite of tools to monitor, allocate, and optimize cloud costs in Azure
provides cost analysis, budgets, alerts, and recommendations
granular tracking with resource tags and cost allocation
Azure Blueprints
service for automating the creation, deployment and updating of Azure environments
combines Azure Resource Manager (ARM) templates, RBAC role assignments and policy assignments into one artifact
enforces consistent architecture, compliance and security across subscriptions
allows versioning and tracking of blueprint changes
definitions are stored at the management group or subscription level and assigned to subscriptions
facilitates IaC practices; Microsoft has announced its retirement in favor of template specs and deployment stacks
Azure Policy
a service to enforce organizational standards and assess compliance at scale
uses policy definitions that describe a condition (the "if" rule over resource fields and aliases) and an effect
effects include audit, deny, modify, append, deployIfNotExists, auditIfNotExists and disabled; deny is enforced at create/update time, while existing resources are only reported as non-compliant
supports built-in and custom policy definitions, grouped into initiatives (policy sets)
integrates with Azure Blueprints for consistent infrastructure deployment
allows policy assignments at management group, subscription or resource group scope (with exclusions), inherited by child resources
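To make the "if" rule and effect mechanics concrete, here is an added example (my code, not Microsoft's policy engine and not part of the original notes) that evaluates two rules written in the real Azure Policy JSON shape against constructed sample resources. The storage alias Microsoft.Storage/storageAccounts/allowBlobPublicAccess and the effect names are real; the resource records, the assumption that sample resources store property aliases verbatim under "properties", and the evaluator itself are mine.

```python
"""Minimal evaluator for Azure Policy 'if' rules and their effect.

Added illustration, not Microsoft's policy engine.  Supports the field
conditions equals / notEquals / in / notIn / exists and the allOf / anyOf /
not combinators.  The policy JSON shape, the storage alias and the effect
names are the real Azure Policy ones; the resources are constructed
samples that (assumption) store property aliases verbatim under "properties".
"""
import json

# Deny storage accounts that allow anonymous (public) blob access.
DENY_PUBLIC_BLOB = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
      {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
       "notEquals": "false"}
    ]
  },
  "then": {"effect": "deny"}
}""")

# Flag (but do not block) any resource that is missing an 'owner' tag.
AUDIT_MISSING_OWNER_TAG = {
    "if": {"field": "tags['owner']", "exists": "false"},
    "then": {"effect": "audit"},
}


def _lookup(resource, field):
    """Resolve a policy 'field' reference against a resource dict."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get("properties", {}).get(field)  # alias lookup (see docstring)


def _norm(v):
    """Azure compares policy values case-insensitively; booleans are spelled as strings."""
    if isinstance(v, bool):
        return str(v).lower()
    return v.lower() if isinstance(v, str) else v


def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(_lookup(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:  # a missing field is 'not equal' to anything, as in Azure
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(x) for x in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect a matching resource receives, or None when the rule does not fire."""
    return policy["then"]["effect"].lower() if matches(policy["if"], resource) else None


def compliance_report(policies, resources):
    """Resource name -> list of effects that fire against it (empty list = compliant)."""
    return {r["name"]: [e for e in (evaluate(p, r) for p in policies) if e] for r in resources}


# Constructed sample resources, not real deployments.
RESOURCES = [
    {"name": "stpublic01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {"owner": "sec-team"},
     "properties": {"Microsoft.Storage/storageAccounts/allowBlobPublicAccess": True}},
    {"name": "stprivate01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {},
     "properties": {"Microsoft.Storage/storageAccounts/allowBlobPublicAccess": False}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"owner": "app-team"}, "properties": {}},
]

if __name__ == "__main__":
    for name, effects in compliance_report([DENY_PUBLIC_BLOB, AUDIT_MISSING_OWNER_TAG], RESOURCES).items():
        print(f"{name}: {effects or 'compliant'}")
```

Running it reports stpublic01 as deny, stprivate01 as audit (no owner tag) and vm01 as compliant. Note the asymmetry the notes describe: in real Azure a deny effect only stops new create/update requests that reach Resource Manager, so stpublic01 would be blocked at deployment time but an already-existing account is merely shown as non-compliant until someone fixes it.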
Resource Locks
a feature to prevent accidental modification or deletion of critical resources, regardless of the caller's role
two lock levels
ReadOnly: allows read actions but blocks write and delete actions (some operations that look like reads, such as listing storage account keys, are POST requests and are blocked too)
CanNotDelete: allows read and write actions but blocks delete actions
applies to a subscription, resource group or individual resource and is inherited by everything beneath it; the most restrictive lock wins
locks are not bypassed: the lock must be removed before the protected operation can succeed, and only principals with Microsoft.Authorization/locks/* permission (Owner or User Access Administrator) can create or delete locks
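Because role assignments and resource locks both inherit down the management group > subscription > resource group > resource hierarchy (see the hierarchy and RBAC sections above) and are checked in sequence, here is an added example (my code, not the Azure authorization service) that models both decisions. It walks a request's scope up that chain, checks whether any assignment grants the action using Azure's own wildcard action/notActions shape, then checks whether an inherited lock blocks it. The subscription ID, management group names, principals, the subset of built-in roles and the lock placement are all constructed; deny assignments and data-plane actions are deliberately left out.

```python
"""Toy model of Azure RBAC scope inheritance followed by resource-lock checks.

Added illustration, not the Azure authorization service.  A management-plane
request is checked in two steps: (1) does any role assignment at the request
scope or an ancestor scope grant the action (RBAC is additive and inherited),
then (2) does a CanNotDelete/ReadOnly lock at the scope or an ancestor block it.
Deny assignments and data-plane actions are omitted; all IDs are constructed.
"""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-test01"

# Above the subscription the hierarchy is not a path prefix, so declare it.
PARENT = {SUB: MG + "mg-landing-zones", MG + "mg-landing-zones": MG + "mg-tenant-root"}

# Subset of built-in roles in Azure's own shape: wildcard patterns over
# "Provider/resourceType/operation"; notActions are subtracted from actions.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": []},
}
ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Reader", MG + "mg-tenant-root"),         # inherited by every subscription
    ("alice", "Virtual Machine Contributor", RG_PROD),  # adds VM rights in one RG only
    ("bob", "Contributor", SUB),
]
LOCKS = [(RG_PROD, "CanNotDelete")]  # (scope, level); inherited by vm-web01


def parent_of(scope):
    if scope in PARENT:
        return PARENT[scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        return scope.split("/providers/", 1)[0]        # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/", 1)[0]   # resource group -> subscription
    return None                                        # tenant root management group


def ancestry(scope):
    """The scope itself, then each parent up to the tenant root management group."""
    chain = []
    while scope:
        chain.append(scope)
        scope = parent_of(scope)
    return chain


def _permits(role, action):
    a = action.lower()  # Azure action strings are case-insensitive
    r = ROLES[role]
    return (any(fnmatchcase(a, p.lower()) for p in r["actions"])
            and not any(fnmatchcase(a, p.lower()) for p in r["notActions"]))


def rbac_allows(principal, action, scope):
    chain = set(ancestry(scope))
    return any(p == principal and s in chain and _permits(role, action)
               for p, role, s in ASSIGNMENTS)


def effective_lock(scope):
    """Most restrictive inherited lock: ReadOnly > CanNotDelete > none."""
    levels = {lvl for s, lvl in LOCKS if s in ancestry(scope)}
    return "ReadOnly" if "ReadOnly" in levels else "CanNotDelete" if "CanNotDelete" in levels else None


def lock_blocks(action, scope):
    if action.lower().startswith("microsoft.authorization/locks/"):
        return False  # managing locks is itself never blocked by a lock
    lock, op = effective_lock(scope), action.rsplit("/", 1)[-1].lower()
    return (op != "read") if lock == "ReadOnly" else (op == "delete") if lock == "CanNotDelete" else False


def authorize(principal, action, scope):
    """Return 'allow', 'denied-rbac' (no matching assignment) or 'denied-lock'."""
    if not rbac_allows(principal, action, scope):
        return "denied-rbac"
    return "denied-lock" if lock_blocks(action, scope) else "allow"


if __name__ == "__main__":
    for who, act, at in [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM_DEV),     # Reader inherited from root MG
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_DEV),   # no VM rights in rg-dev
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_PROD),  # rights yes, lock says no
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM_DEV),     # Contributor, no lock
        ("bob", "Microsoft.Authorization/locks/delete", RG_PROD),        # Contributor cannot remove the lock
        ("bob", "Microsoft.Authorization/roleAssignments/write", SUB),   # ...nor grant roles
    ]:
        print(f"{who:6} {act:50} -> {authorize(who, act, at)}")
```

The last two cases are the practical point of the lock section: Contributor's notActions exclude Microsoft.Authorization/*, so bob can delete an unlocked VM but cannot remove the lock on rg-prod or hand out roles; only an Owner or User Access Administrator can remove the lock, and until then even a principal with full rights on the VM gets denied-lock.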
Azure Service Trust Portal
a one-stop resource for Azure security, privacy, and compliance information
provides access to reports, whitepapers, and assessments
offers information on:
compliance certifications and attestations
security best practices and resources
data protection and privacy policies
auditing and monitoring tools
helps customers understand and manage risk in the cloud
Azure Portal
a web-based, unified console for managing and monitoring Azure resources
provides a user-friendly, customizable interface with a dashboard and various blades
offers tools for creating, configuring, and deploying resources
supports RBAC for granular permissions management
includes features like Cloud Shell, Cost Management, and Azure Advisor
Azure Cloud Shell
a browser-based, interactive shell for managing Azure resources
provides a pre-configured environment with common tools
accessible directly from Azure Portal or standalone
supports both Bash and PowerShell environments
includes a persistent, per-user storage mounted as Azure Files share
enables scripting, automation, and IaC
Azure CLI
a cross-platform command-line tool for managing Azure resources
supports Windows, macOS, and Linux environments
simplifies complex tasks with concise, easy-to-read commands
organized in groups and subgroups based on resource types (e.g., az vm, az storage)
integrates with Azure Cloud Shell for browser-based access
can be used in scripts, automation, and IaC
Azure PowerShell
a set of PowerShell cmdlets for managing and automating Azure resources
supports Windows, macOS, and Linux environments
enables scripting, automation, and IaC with PowerShell syntax
organized in modules based on resource types (e.g., Az.Compute, Az.Storage)
integrates with Azure Cloud Shell for browser-based access
complements Azure CLI for users familiar with PowerShell scripting
Azure Arc
a service for extending Azure management and governance to multi-cloud, on-premises, and edge environments
simplifies hybrid and multi-cloud management with a single control plane
enables deployment of Azure data services and Kubernetes clusters on any infrastructure
offers Azure Policy and Microsoft Defender for Cloud (formerly Azure Security Center) integration for consistent policies and security
supports Azure Arc-enabled servers, Kubernetes, and data services
facilitates application modernization and cloud-native deployment outside of Azure
Azure Resource Manager
a service for deploying, managing, and monitoring resources in Azure
organizes resources into resource groups
provides ARM templates (and Bicep) for IaC
supports RBAC
enables tagging
Azure Advisor
a personalized guidance service for optimizing Azure resources
analyzes resource configs and usage to provide best practice recommendations
covers five areas: cost, security, reliability, operational excellence and performance
helps improve performance, reduce costs, and strengthen security posture
offers actionable, context-aware suggestions based on Azure usage patterns
integrated within Azure Portal for easy access
Azure Service Health
a monitoring service for the health and status of Azure resources
provides personalized alerts and guidance for issues impacting your resources
offers 3 types of health info
Azure Status: global view of service incidents
Service Health: personalized view of incidents and maintenance events
Resource Health: detailed status of individual resources
supports customizable alerts and integration with IT Service Management tools
accessible through Azure Portal, REST API, and PowerShell
Azure Monitor
a comprehensive monitoring service for Azure resources and apps
collects and analyzes performance and diagnostic data from various sources
application logs, platform logs, metrics, and activity logs
offers insights into app performance, infrastructure health, and user behavior
provides features like Log Analytics, Application Insights, and Alerts
supports integration with third-party tools and Microsoft Sentinel (formerly Azure Sentinel) for SIEM
enables proactive issue detection, troubleshooting, and resolution
Azure Log Analytics
feature of Azure monitor for collecting, storing, and analyzing log data
supports log data from Azure resources, on-prem systems, and other clouds
offers powerful querying and visualization capabilities with Kusto Query Language (KQL)
integrates with Azure Monitor Workbooks for custom dashboards and reports
provides pre-built solutions for specific services
enables long-term retention and advanced analytics for troubleshooting and trend analysis
Azure Monitor Alerts
feature of Azure Monitor for creating and managing alert rules based on metrics or logs
proactively notifies when specified conditions are met or thresholds are breached
supports various actions like sending emails, invoking Azure Functions, or creating incidents in ITSM tools
enables faster detection and resolution of performance, availability, or security issues
offers customizable severity levels, alert suppression, and auto-mitigation
Application Insights
feature of Azure Monitor for monitoring and diagnosing app performance and issues
supports web apps, services, and background components on various platforms
collects telemetry data, including custom events, exceptions, requests, and dependencies
offers powerful analytics, diagnostics, and visualization tools for app insights
integrates with Azure DevOps, Visual Studio, and GitHub