Datacenters
facilities with resources arranged in racks, with dedicated power, cooling, and networking infrastructure
Region
geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network
Availability zone
physically separate datacenters within an Azure region; they are made up of one or more datacenters and connected with fiber-optic networks
Zonal Services
services that pin the resource to a specific zone (VMs, managed disks, IP addresses)
Zone-redundant Services
services where the platform replicates automatically across zones (zone-redundant storage, SQL database)
Non-regional Services
where the services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages
Zonal services, zone-redundant services, and non-regional services
Azure services that support availability zones
Region Pairs
Azure region paired with another region within the same geography at least 300 miles away
Sovereign Regions
instances of Azure that are isolated from the main instance of Azure
Resource
anything you can create, provision, deploy, etc.
Resource group
grouping of resources
Azure subscription
unit of management, billing, and scale
Billing boundary and Access Control Boundary
Subscription Boundaries that you can use
Billing Boundary
subscription type that determines how an Azure account is billed for using Azure
Access Control Boundary
When Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures
Management Groups
containers into which subscriptions are organized; all subscriptions in a management group inherit the conditions applied to it
Virtual Machine
provide infrastructure as a service (IaaS) in the form of a virtualized server and are limited to a single operating system per
Image
template used to create a VM and may already include an OS and other software, like development tools or web hosting environments
Virtual Machine Scale Sets
lets you create and manage a group of identical, load-balanced VMs
Virtual Machine Availability Sets
ensure VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure
Update domain and Fault Domain
Availability Set Groupings
Update Domain
groups VMs that can be rebooted at the same time
Fault Domain
groups VMs by common power source and network switch
Azure Virtual Desktop
desktop and application virtualization service that runs on the cloud and enables you to use a cloud-hosted version of Windows from any location
Containers
virtualization environment; multiple containers can run on a single physical or virtual host, and they are meant to create and deploy virtual machines as application demand increases
Azure Container Instances
allow you to upload your containers and then the service runs the containers for you; are a (PaaS) offering
Azure Container Apps
remove the container management piece and allow you to get up and running right away; are a (PaaS) offering. They incorporate load balancing and scaling
Azure Kubernetes Service (AKS)
container orchestration service (manages the lifecycle of containers); good for deploying a fleet of containers
Azure Functions
event-driven, serverless compute option that doesn't require maintaining virtual machines or containers
stateless
when functions behave as if they restart every time they respond to an event
stateful (Durable Functions)
when a context is passed through the function to track prior activity
Azure virtual networks and virtual subnets
enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers
Public and Private Endpoints
what Azure virtual networking supports to enable communication between external or internal resources and other internal resources
Public Endpoints
have a public IP address and can be accessed from anywhere in the world
Private Endpoints
exist within a virtual network and have a private IP address from within the address space of that virtual network
Virtual Networks and Service Endpoints
how to communicate between Azure resources
Virtual networks
connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets
Service Endpoints
can connect to other Azure resource types, such as SQL database and storage accounts, enabling you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources
Point-to-site private network connections, site-to-site virtual private networks, and Azure ExpressRoute
mechanisms to achieve connectivity with a network that spans both your local and cloud environments
Point-to-site virtual private network connections
where the client computer initiates an encrypted VPN to connect to the Azure virtual network (computer outside organization back into your corporate network)
Site-to-site virtual private networks
link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network (devices in Azure can appear as being on the local network)
Azure ExpressRoute
provides dedicated private connectivity to Azure that doesn't travel over the internet
Route tables and Border Gateway Protocol (BGP)
control routing and override Azure's routing of traffic between subnets on any connected virtual networks, on-premises networks, and the internet
Route tables
allow you to define rules about how traffic should be directed
Border Gateway Protocol (BGP)
works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks
Network security groups and network virtual appliances
approaches to filter traffic between subnets
Network security groups
Azure resources that can contain multiple inbound and outbound security rules that could be defined to allow or block traffic, based on factors such as source and destination IP address, port, and protocol
Network virtual appliances
specialized VMs that carry out a particular network function, such as running a firewall or performing wide area network (WAN) optimization
Virtual Network Peering
allows two virtual networks to connect directly to each other where the network traffic is private, and travels on the Microsoft backbone network, never entering the public internet (resources in each virtual network can communicate with each other)
User-defined routes (UDR)
allow you to control the routing tables between subnets within a virtual network or between virtual networks
Virtual Private Network (VPN)
typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet); uses an encrypted tunnel within another network
VPN gateway
instances are deployed in a dedicated subnet of the virtual network and enable site-to-site connection, point-to-site connection, and network-to-network connection
types of VPN
Policy-based and route-based
Policy-based VPN gateways
statically specify the IP addresses of packets that should be encrypted through each tunnel; evaluate every data packet against those sets of IP addresses to choose the tunnel through which that packet is going to be sent
Route-based gateways
use IP routing (either static routes or dynamic routing protocols) to decide which of the tunnel interfaces to use when sending each packet; are resilient to topology changes
Deploy configurations for VPN gateway
two instances of active/standby configuration
Active/Standby Configuration
when planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes the responsibility for connections without any user intervention
Active/Active Configuration
assign a unique public IP address to each instance; you can then create separate tunnels from the on-premises device to each IP address
ExpressRoute Failover Path
when you provision a VPN gateway that uses the internet as an alternative method of connectivity; this is to ensure there's always a connection to the virtual networks
Zone-redundant gateways
VPN gateways and ExpressRoute gateways deployed in a zone-redundant configuration; this is to physically and logically separate gateways within a region while protecting your on-premises network connectivity to Azure from zone-level failures. The gateways require different gateway stock keeping units (SKUs) and use Standard public IP addresses instead of Basic public IP addresses
ExpressRoute Circuit
private connection to Microsoft cloud services, each service having its own. Connections can be any-to-any network, point-to-point, or a virtual cross-connection
ExpressRoute Global Reach
exchange data across your on-premises sites, connect facilities and allow them to communicate without transferring data over the public internet
Border Gateway Protocol BGP
used to exchange routes between on-premises networks and resources running in Azure
ExpressRoute connectivity models
CloudExchange colocation, Point-to-point Ethernet Connection, Any-to-any connection, directly from ExpressRoute sites
Colocation
datacenter, office, or other facility sharing a location at a cloud exchange, such as an ISP
Azure DNS
hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.