Azure Geography
A discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries
Azure Regions
A set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network
Azure sovereign regions
Special regions that you might need to use for compliance or legal purposes: Government (Fed govt., DOD), China
Region Pairs
A relationship between 2 Azure Regions within the same geographic region for disaster recovery purposes.
Management Groups
Management groups provide a level of scope above subscriptions. Each directory is given a single top-level management group called the root.
Subscriptions
Subscription is a logical container used to provision resources in Azure. Logical use cases: when subscription limits are reached, to use different payment methods, to isolate resources between departments, projects, etc
Resource Groups
A container that holds related resources for an Azure solution. Used to group resources that share a common resource lifecycle.
Resources
An entity managed by Azure, like a virtual machine, virtual network, or storage account
Availability Zones
Unique physical locations within a region with independent power, network, and cooling. Comprised of one or more datacenters. Tolerant to datacenter failures via redundancy and isolation
Azure Datacenters
Datacenters are located all over the world and are organized into regions. Designed to be secure, reliable, and efficient, leveraging economies of scale, multi-tenant.
Azure VMs
Server virtualization (compute) on-demand without need for hardware purchase
Virtual machine scale sets
Allow you to create and manage a group of identical, load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or based on a schedule.
Virtual machine availability sets
Help build a more resilient, highly available environment by staggering VM updates and ensuring varied power and network connectivity
Update domains
Allows you to apply updates while only one update domain grouping will be offline at a time.
Fault domains
Groups your VMs by common power source and network switch. By default an availability set will split your VMs across up to three fault domains
Azure Virtual Desktop
A desktop and app virtualization service that runs in Microsoft Azure
Azure Container Instance (ACI)
Runs Docker containers on-demand in a serverless Azure environment. A solution for any scenario that can operate in isolated containers, without orchestration
Azure Kubernetes Services (AKS)
A hosted Kubernetes service, where Azure handles critical tasks like health monitoring and maintenance for you. You pay only for the agent nodes within your clusters, not for the masters (free tier). For a financially backed SLA, you pay a few cents per hour for cluster management
VM Resource Requirements
Virtual Disk, Virtual Network (VNET), Network Interface (Virtual NIC), Network Security Group, Public IP Address
App Service
An HTTP-based service for hosting web applications, REST APIs, and mobile back ends.
Virtual Network (VNET)
A logical representation of your network in Azure. VNETs provide logical isolation in Azure dedicated to your subscription. Securely extend your data center (Site-to-Site VPN) and hybrid cloud scenarios
Virtual Subnet
Segment address space of VNET to create sub-networks, allows Azure resource deployment into a specific subnet
VPN Gateway
A virtual network gateway that sends encrypted traffic between an Azure VNET and an on-premises location over the Internet
VNET Peering
Enables seamless connection of two or more Virtual Networks in Azure. The two networks function as one in terms of connectivity
ExpressRoute
Extends your on-premises networks into Azure over a private connection with the help of a connectivity provider, traffic does not traverse the public internet
Azure DNS
A hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. Can provide internal and external DNS
Service Endpoint
Provides a way to lock down access to all instances of a PaaS service to a VNET (accessible from public internet)
Private Endpoint
Grants access to a specific instance (resource) of a PaaS service in your VNET on a private IP address (Enables access from on prem without public endpoint)
Defense in Depth
A layered (defense in depth) approach that does not rely on one method to completely protect an environment
Network Security Group
Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination port and protocol. Can be applied to a subnet or network adapter
Azure Firewall
A managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Blob Storage
Storage optimized for storing massive amounts of unstructured data
Unstructured data
Cannot be in a row-column database and does not have an associated data model
Structured data
Data contained in rows and columns such as an Excel spreadsheet or relational database
File Storage
Fully managed file shares in Azure accessible via SMB (Server message block) or NFS (Network file system)
Disk Storage
Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure VMs
Table Storage
A service that stores structured NoSQL data in Azure, including a schemaless key/attribute store
Queue Storage
A service for storing large numbers of messages, accessible from anywhere via authenticated HTTP or HTTPS calls
Storage tiers
Hot, cool, cold and archive
LRS (Locally redundant storage)
Copies your data synchronously three times within a single physical location in the primary region
ZRS (Zone redundant storage)
Copies your data synchronously across three Azure availability zones in the primary region
GRS (Geo-redundant storage)
Copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies it asynchronously to a single physical LRS location in the secondary region
GZRS (Geo-zone redundant storage)
Copies your data synchronously three times within the primary region using ZRS. It then copies it asynchronously to a single physical location in the secondary region
AzCopy
A command line utility that you can use to copy blobs or files to or from a storage account
Azure Storage Explorer
A standalone app that provides a graphical interface to manage files and blobs in your Azure account
Azure File Sync
A tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance and compatibility of a Windows file server. Once installed on a local Windows server, it will automatically stay bi-directionally synced with your files in Azure.
Azure Migrate
A service that provides a simplified migration, modernization, and optimization for Azure. Includes all pre-migration steps such as discovery, assessments, and right-sizing
Azure Data Box
A cloud solution that lets you send terabytes of data into and out of Azure in a quick, inexpensive, and reliable fashion. Customers are shipped a proprietary Data Box storage device
Authentication (AuthN)
Is the process of proving that you are who you say you are. (Identity)
Authorization (AuthZ)
Is the act of granting an authenticated party permission to do something. (Access)
Entra ID
Entra is Microsoft's cloud-based identity and access management service
Single Sign-on (SSO)
Single sign-on means a user doesn't have to sign into every application they use (Modern authentication)
MFA (Multi-factor authentication)
MFA in Entra ID works by requiring two or more of the following authentication methods: Something you know (pin or password), Something you have (trusted device), Something you are (biometric)
Conditional Access
Used by Entra ID to bring signals together, to make decisions, and enforce organizational policies
Azure RBAC
Who has access to Azure resources, what they can do with those resources, and which resources/areas they have access to
Defender for Cloud
A unified infrastructure security management system that strengthens the security posture of your cloud and on-premises data centers