Microsoft Azure Fundamentals AZ-900
• Cloud Concepts - Principles of cloud computing
• Create an Azure account
• Core Cloud Services - Introduction to Azure
• Core Cloud Services - Azure architecture and service guarantees
• Core Cloud Services - Manage services with the Azure portal
• Core Cloud Services - Azure compute options
• Core Cloud Services - Azure data storage options
• Core Cloud Services - Azure networking options
• Security, responsibility, and trust in Azure
• Apply and monitor infrastructure standards with Azure Policy
• Control and organize Azure resources with Azure Resource Manager
• Predict costs and optimize spending for Azure
Key concepts & Terms :
Economies of scale :
Economies of scale are apparent to end-users in several ways, one of which is the ability to acquire hardware at a lower cost than if a single user or smaller business were purchasing it. Storage costs, for example, have decreased significantly over the last decade due in part to cloud providers' ability to purchase larger amounts of storage at significant discounts.
CapEx VS OpEx :
Today, organizations can sign up for a service from a cloud provider to get up and running. This enables them to begin selling or providing services to their customers more quickly, without the need for significant upfront costs.
If your service is busy and you consume a lot of resources in a month, then you receive a large bill. If those services are minimal and don't use a lot of resources, then you will receive a smaller bill.
A business can still use a CapEx strategy if it wants to, but it is no longer a requirement that it does so.
Demand and growth can be unpredictable and can outpace expectations, which is a challenge for the CapEx model as shown in the following graph.
Public Cloud Models :
Public Cloud Models have the following characteristics:
- Multiple end users The cloud provider makes resources available to multiple organizations.
- Public cloud availability Public clouds are the most common cloud deployment model.
- Connectivity Users and organizations are typically connected to public clouds over the internet.
- Skills Public clouds do not require deep technical knowledge to set up and use.
Businesses can use multiple public cloud service providers. Microsoft Azure is an example of a public cloud provider.
Private Cloud Models :
Private Cloud Models have the following characteristics:
• Hardware The organization is entirely responsible for the purchase, maintenance, and management of the hardware.
• Users Private cloud computing resources are used exclusively by a single organization.
• Connectivity A connection is typically made over a highly secure, private network.
• Public access A private cloud does not provide access to the public.
• Skills Deep technical knowledge is required to set up, manage, and maintain the private cloud.
Hybrid Cloud Models :
Hybrid Cloud Models have the following characteristics :
- Resource location Specific resources are used in a public cloud, others are used in a private cloud.
- Cost and efficiency Hybrid cloud models allow an organization to leverage some of the benefits of cost, efficiency, and scale that are available with a public cloud model.
- Control Organizations retain management control in private clouds.
- Skills Technical skills are required to maintain the private cloud and ensure both cloud models can operate together.
Hybrid cloud scenarios can be useful when organizations have some information that cannot be put in a public cloud, possibly for legal reasons. For example, you may have medical data that cannot be exposed publicly.
Cloud Service Comparison :
There is a shared responsibility model for ensuring cloud workloads are run securely and in a well-managed way. Depending on the service you are using, the cloud provider is responsible for some aspects of the workload, leaving the customer responsible for the remaining aspects of the workload.
Azure Core Services :
• Understand core Azure architectural components
• Understand core Azure services and products
• Understand Azure solutions
• Understand Azure management tools
Azure is made up of data centers located around the globe. These datacenters are organized and made available to end-users by country/region. A region is a geographical area on the planet containing at least one, but potentially multiple, datacenters that are in proximity and networked together with a low-latency network. Each region is paired with another within the same geography (such as US, Europe, or Asia). This approach allows for the replication of resources and helps reduce the likelihood of interruptions due to events such as natural disasters, power outages, or physical network outages.
A geography is a discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries. Geographies allow customers with specific data residency and compliance needs to keep their data and applications close. Geographies are broken up into Americas, Europe, Asia Pacific, the Middle East, and Africa.
Availability Zones :
Availability zones are physically separate locations within an Azure region. Each availability zone is made up of one or more data centers equipped with independent power, cooling, and networking. Availability Zones are set up to be isolation boundaries: if one availability zone goes down, the others continue working.
Availability sets :
Availability sets comprise update and fault domains:
• Update domains. When a maintenance event occurs (such as a performance update or a critical security patch being applied), the update is sequenced through update domains.
• Fault domains. Fault domains provide for the physical separation of a workload across different hardware in the datacenter.
Availability sets help ensure applications remain online during the maintenance events, or hardware failure.
Resource Group :
A resource group is a unit of management, similar to a container, that allows you to aggregate and manage all resources required for an application to run within a single manageable unit. Resource groups allow you to control costs, set automation, and set policy against resources.
Resource Manager :
Azure Resource Manager is a management layer in which resource groups and all the resources within it are created, configured, managed, and deleted.
With Azure Resource Manager, you can:
- Deploy application resources
- Organize resources
- Control access and resources
Azure Resource Manager provides a consistent management layer that allows you to automate deployment and configuration of resources using different automation and scripting tools, such as Azure PowerShell, the Azure Command Line Interface, the Azure portal, the REST API, and client software development kits (SDKs).
Azure Marketplace :
Azure Marketplace is a service on Azure that helps connect end-users with Microsoft partners, independent software vendors (ISVs), and startups that are offering their solutions and services, which are optimized to run on Azure.
Azure Marketplace allows customers, mostly IT professionals and cloud developers, to find, try, purchase, and provision applications and services from hundreds of leading service providers, all certified to run on Azure.
Azure Compute :
Examples of Azure services for virtual machines include:
Examples of Azure services for containers include:
Azure Networking :
Networking on Azure allows you to connect cloud and on-premises infrastructure and services.
Azure Data Services :
Azure Storage is a service that you can use to store files, messages, tables, and other types of information.
Azure database services are fully managed PaaS database services that free up valuable time you'd otherwise spend managing your database.
Big Data & Analytics :
Big data refers to large volumes of data that become increasingly hard to make sense of or consequently make decisions about. Some big data and analytic services in Azure include:
Internet of Things :
The ability for devices to gather and then relay information for data analysis is referred to as the Internet of Things (IoT).
Artificial Intelligence :
Artificial Intelligence (AI), in the context of cloud computing, is based around a broad range of services, the core of which is machine learning. Machine learning is a data science technique that allows computers to use existing data to forecast future behaviors, outcomes, and trends. Using machine learning, computers learn without being explicitly programmed.
Some AI services in Azure include:
- Azure Machine Learning service. Provides a cloud based environment used to develop, train, test, deploy, manage, and track machine learning models.
- Azure Machine Learning Studio. A collaborative, drag-and-drop visual workspace where you can build, test, and deploy machine learning solutions without needing to write code.
Cognitive Services :
Cognitive services are a collection of domain-specific pre-trained AI models that can be customized with your data. They are categorized broadly into vision, speech, language, and search.
Serverless Computing :
Serverless computing is a cloud-hosted execution environment that runs your code but abstracts away the underlying hosting environment.
Some serverless services in Azure include:
Security, Privacy, Compliance, and Trust :
• Understand how to secure network connectivity.
• Understand core Azure identity services.
• Understand security tools and features.
• Understand Azure governance methodologies.
• Understand monitoring and reporting in Azure.
• Understand privacy, compliance, and data protection standards in Azure.
Azure Security Center :
Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.
Azure Security Center is available in two tiers:
• Free. Available as part of your Azure subscription, but limited to assessments and recommendations for Azure resources only.
• Standard. Provides a full suite of security-related services, including continuous monitoring, threat detection, and just-in-time access control.
Azure Active Directory :
Azure Active Directory is a cloud based identity and access management service that helps employees of an organization sign in and access resources, providing services such as:
• Single sign-on (SSO)
• Multi-Factor Authentication
• Application management
• Business to business (B2B) identity services
• Business to Customer (B2C) identity services
Advanced Protection services :
Microsoft Azure Information Protection helps organizations classify and protect intellectual property by applying labels. Labels can be applied:
• Automatically by administrators who define rules and conditions
• Manually by users
• A combination of the two, where users are given recommendations.
Azure Advanced Threat Protection identifies, detects, and helps you investigate threats, compromised identities, and malicious insider actions. It consists of the following components:
• Azure ATP portal. Monitor and respond to suspicious activity.
• Azure ATP sensors. Installed directly on your domain controllers.
Azure Key Vault is a centralized service that you use for storing application secrets. It helps control application secrets by keeping them in a single, central location and providing secure access, permissions control, and access logging.
Network Protection :
Network Security Groups filter network traffic to and from Azure resources in an Azure virtual network. They can contain multiple inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol.
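To make the rule-evaluation order concrete, here is an added Python simulation (written for these notes, not code from Microsoft or from the original page) of how an NSG decides an inbound flow: rules are evaluated from the lowest priority number upwards, the first match wins, and when no custom rule matches the default rules apply, ending in DenyAllInBound. The custom rules, the addresses, and the CIDR standing in for the VirtualNetwork service tag are constructed sample values; 168.63.129.16 is the documented Azure load balancer probe address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; the lowest number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # source address in CIDR form, or "*" for any
    dest_port: str  # single port "443", range "8000-8080", or "*"


# Azure's default inbound rules sit at priorities 65000-65500 and cannot be removed.
# The VirtualNetwork service tag is approximated here by a constructed private CIDR.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules: public HTTPS, RDP only from a corporate range.
SAMPLE_RULES = [
    Rule("AllowHttpsInBound", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowRdpFromCorp", 200, "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("DenyRdpFromInternet", 300, "Deny", "Tcp", "*", "3389"),
]

# Constructed misordered rule set: the broad allow has the lower priority number,
# so the deny placed after it can never be reached.
MISORDERED_RULES = [
    Rule("AllowAnyInBound", 100, "Allow", "*", "*", "*"),
    Rule("DenyRdpFromInternet", 110, "Deny", "Tcp", "*", "3389"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol):
    """Return (access, rule_name) for the first rule that matches the flow."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no matching rule>"  # unreachable while DenyAllInBound exists


def _covers(earlier: Rule, later: Rule) -> bool:
    """Conservative check: earlier decides every flow later could match."""
    return all(e == "*" or e == l for e, l in (
        (earlier.source, later.source),
        (earlier.dest_port, later.dest_port),
        (earlier.protocol, later.protocol),
    ))


def shadowed_rules(custom_rules):
    """Names of custom rules that can never fire because an earlier rule covers them."""
    ordered = sorted(custom_rules, key=lambda r: r.priority)
    return [later.name for i, later in enumerate(ordered)
            if any(_covers(earlier, later) for earlier in ordered[:i])]
```

Running `evaluate_inbound(MISORDERED_RULES, "198.51.100.7", 3389, "Tcp")` returns the broad allow, and `shadowed_rules` flags the unreachable deny, which is the review check worth running on any NSG whose rules were added over time.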
Azure DDoS Protection protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service's availability.
Azure Firewall is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Features include inbound and outbound filtering rules and Azure Monitor logging.
Azure Policies and initiatives :
Azure Policies enforce rules and effects over your resources, keeping them compliant with corporate standards and SLAs.
Azure Policy uses policies and initiatives to run evaluations of your resources, scanning for those that are not compliant.
Initiatives work alongside policies, simplifying the management of policy definitions by grouping them as a single item.
Azure Policy comes with several built in policy and initiative definitions under categories such as Storage, Networking, Compute, and Monitoring.
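The following Python is an added illustration (not the page's or Microsoft's code) of how a policy definition and an initiative are structured and evaluated: each definition is an if/then `policyRule` whose condition names a field (a property such as `location`, a tag, or a property alias), and an initiative is a list of such definitions. The three definitions, the evaluator, and the sample resources are constructed for this example; the alias `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` is a real Azure Policy alias, but the way resources expose aliases here is a simplification.

```python
# Constructed policy definitions in the if/then shape Azure Policy uses.
ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "policyRule": {
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
        "then": {"effect": "deny"},
    },
}

HTTPS_ONLY_STORAGE = {
    "displayName": "Storage accounts should use HTTPS only",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]},
        "then": {"effect": "deny"},
    },
}

REQUIRE_COST_CENTER_TAG = {
    "displayName": "Require costCenter tag",
    "policyRule": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

# An initiative groups definitions so they are assigned and tracked as one item.
SECURE_BASELINE = {
    "displayName": "Secure baseline",
    "policyDefinitions": [ALLOWED_LOCATIONS, HTTPS_ONLY_STORAGE, REQUIRE_COST_CENTER_TAG],
}

# Constructed sample resources; "aliases" stands in for the property aliases
# that Azure Policy resolves from the resource's ARM representation.
GOOD_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
    "tags": {"costCenter": "CC-1234"},
    "aliases": {"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True},
}
BAD_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
    "tags": {},
    "aliases": {"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False},
}
SAMPLE_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
             "tags": {"costCenter": "CC-1234"}, "aliases": {}}


def get_field(resource, field):
    """Resolve a policy 'field': top-level property, tags['name'], or a property alias."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    if field in ("type", "location", "name", "kind"):
        return resource.get(field)
    return resource.get("aliases", {}).get(field)


def _norm(value):
    # Azure Policy compares strings case-insensitively.
    return value.lower() if isinstance(value, str) else value


def condition_holds(cond, resource):
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = _norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource):
    """Return the policy's effect when its condition matches, otherwise 'compliant'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if condition_holds(rule["if"], resource) else "compliant"


def evaluate_initiative(initiative, resource):
    """Return (displayName, effect) for every member policy the resource violates."""
    return [(p["displayName"], effect) for p in initiative["policyDefinitions"]
            if (effect := evaluate_policy(p, resource)) != "compliant"]
```

Note that `deny` blocks the deployment while `audit` only records non-compliance, which is why a baseline initiative usually mixes both: hard requirements such as allowed locations and HTTPS-only storage are denied, while tagging gaps are audited and fixed later.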
Azure Blueprints :
Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements.
• Use Blueprint artifacts and tools to help with auditing, traceability, and compliance of deployments.
• Use with DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines, and require more rigorous tracking.
Role-Based Access Control :
Role-based access control (RBAC) provides fine-grained access management for Azure resources.
RBAC grants users the rights they need to perform their jobs and is provided at no additional cost to all Azure subscribers.
Examples of when you might use RBAC include when you want to:
• Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
• Allow a database administrator (DBA) group to manage Microsoft SQL Server databases in a subscription.
• Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
Locks help you prevent accidental deletion or modification of your Azure resources. You manage these locks from within the Azure portal.
You may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to:
• Delete. Authorized users can still read and modify a resource, but they can't delete the resource.
• ReadOnly. Authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
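The RBAC examples above and the two lock levels interact in a way that is easier to see in code. The Python below is an added simulation for these notes (not Azure's authorization engine or any Microsoft code): role assignments are inherited down the scope hierarchy (subscription, resource group, resource), a role grants an action when one of its Actions wildcards matches and no NotActions wildcard does, and locks are then applied regardless of what the role allowed. The role definitions are a constructed subset of the built-in roles, the subscription id, resource ids, principals and group membership are sample values, and the lock level is named "Delete" as in the notes (the ARM API calls it CanNotDelete).

```python
from fnmatch import fnmatchcase

# Constructed subset of built-in role definitions (Actions / NotActions wildcards).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Virtual Machine Contributor": {"actions": ["Microsoft.Compute/virtualMachines/*", "*/read"],
                                    "notActions": []},
    "Network Contributor": {"actions": ["Microsoft.Network/*", "*/read"], "notActions": []},
    "SQL DB Contributor": {"actions": ["Microsoft.Sql/servers/databases/*", "*/read"],
                           "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
}

# Constructed scope hierarchy (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_WEB, RG_DATA = SUB + "/resourceGroups/rg-web", SUB + "/resourceGroups/rg-data"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VNET = RG_WEB + "/providers/Microsoft.Network/virtualNetworks/vnet-prod"
SQL_DB = RG_DATA + "/providers/Microsoft.Sql/servers/sql01/databases/orders"

# (principal, role, scope): an assignment applies to the scope and every child scope.
ASSIGNMENTS = [
    ("alice", "Virtual Machine Contributor", SUB),
    ("bob", "Network Contributor", SUB),
    ("carol", "Contributor", RG_WEB),
    ("dba-group", "SQL DB Contributor", RG_DATA),
]
GROUP_MEMBERS = {"dba-group": {"dana"}}

# Resource locks: (scope, level) with level "Delete" or "ReadOnly", inherited by children.
LOCKS = [(RG_DATA, "Delete")]


def _within(scope, target):
    scope, target = scope.lower(), target.lower()
    return target == scope or target.startswith(scope + "/")


def _matches(patterns, action):
    # Azure action strings are case-insensitive; '*' spans path segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _identities(principal):
    return {principal} | {g for g, members in GROUP_MEMBERS.items() if principal in members}


def authorize(principal, action, target):
    """Return (allowed, reason): RBAC decides first, then locks can still block."""
    granted_by = None
    for who, role, scope in ASSIGNMENTS:
        if who in _identities(principal) and _within(scope, target):
            definition = ROLES[role]
            if _matches(definition["actions"], action) and \
                    not _matches(definition["notActions"], action):
                granted_by = f"{role} at {scope}"
                break
    if granted_by is None:
        return False, "no role assignment grants this action"
    is_read = action.lower().endswith("/read")
    is_delete = action.lower().endswith("/delete")
    for scope, level in LOCKS:
        if not _within(scope, target):
            continue
        if level == "ReadOnly" and not is_read:
            return False, f"blocked by ReadOnly lock at {scope}"
        if level == "Delete" and is_delete:
            return False, f"blocked by Delete lock at {scope}"
    return True, f"allowed by {granted_by}"
```

The last case in the test is the one to remember for the exam and for operations: `dana` holds a role that permits deleting the database, yet the Delete lock on the resource group still blocks the delete, while her write and read on the same database go through.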
Azure Monitor :
Azure Monitor maximizes the availability and performance of applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from the cloud and on-premises environments.
As soon as you create an Azure subscription and start adding resources, Azure Monitor starts collecting data.
Azure Monitor integrates with other Azure services to provide robust monitoring capabilities. These can be categorized as:
• Analyze: Use Azure Monitor for containers and virtual machines, and Application Insights for applications.
• Respond: Proactively respond to critical conditions identified using Azure Alerts, or autoscale using Azure Monitor metrics.
• Visualize: Present telemetry as charts, tables, or Power BI dashboards.
• Integrate: Integrate Azure Monitor with other systems and build custom solutions.
Azure Service Health :
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services arise. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved.
Azure Service Health is composed of:
• Azure Status. Provides a global view of the health state of Azure services.
• Service Health. A customizable dashboard that tracks the state of Azure services in the regions where you use them.
• Azure Resource Health. Diagnose and obtain support when an Azure service issue affects your resources.
Compliance and Privacy :
Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider.
You can view all the Microsoft compliance offerings at the Microsoft Compliance Center (Compliance Offerings). The Microsoft Privacy Statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
This applies to the interactions Microsoft has with users and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices.
It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services.
For more information, review the privacy statement at Microsoft Privacy Statement.
Microsoft runs on Trust :
Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all our cloud products and services.
The Service Trust Portal is the Microsoft public site for publishing audit reports and other compliance-related information about Microsoft's cloud services.
It also hosts the Compliance Manager service, and allows you to:
• Access audit reports across Microsoft cloud services.
• Access compliance guides to help understand how to manage compliance with various regulations.
• Access trust documents to help understand how Microsoft cloud services help protect your data.
Azure Pricing and Support
• Subscriptions and Management groups
• Plan and manage Azure costs
• Identify Azure support options
• Understand Azure Service Level Agreements
• Understand the service lifecycle in Azure
Azure subscriptions :
An Azure subscription provides you with authenticated and authorized access to Azure products and services. It is a logical unit that links to an Azure account.
Azure offers free and paid subscription options to suit different needs and requirements. An account can have one subscription or multiple subscriptions that have different billing models, and to which you apply different access management policies.
You can use Azure subscriptions to define boundaries around Azure products, services, and resources. This includes:
• Billing boundary, which determines how an Azure account is billed for using Azure.
• Access control boundary, which applies access management policies at the subscription level.
Management Groups :
Azure Management groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups allow you to order your Azure resources hierarchically into collections, which provides a further level of classification beyond subscriptions.
A zone is a geographical grouping of Azure Regions for billing purposes:
• Zone 1. Includes West US, East US, West Europe, and others.
• Zone 2. Includes Australia Central, Japan West, Central India, and others.
• Zone 3. Includes Brazil South.
• DE Zone 1. Includes Germany Central and Germany Northeast.
Enterprise customers commit to spending a negotiated amount on Azure services, which they typically pay annually.
Web direct customers sign up through the Azure website.
Cloud solution providers are Microsoft partner companies that a customer hires to build solutions on top of Azure. Payment and billing for Azure usage occurs through the customer's CSP.
Three factors affect costs:
• Resource Type: Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.
• Services: Azure usage rates and billing periods can differ between Enterprise, Web Direct, and CSP customers.
• Location: The Azure infrastructure is globally distributed, and usage costs might vary between locations that offer particular Azure products, services, and resources.
Azure Pricing Calculator :
• Helps you estimate your needs and configure them according to your specific requirements.
• Provides a detailed estimate of the costs associated with your selections and configurations.
Total Cost of Ownership (TCO) Calculator :
• Helps you estimate the cost savings realized by migrating to Azure.
• Compares the costs of on-premises infrastructure with the costs of using Azure products and services to host infrastructure in the cloud.
Azure Cost Management :
Azure Cost Management provides a set of tools for monitoring, allocating, and optimizing Azure costs.
Azure Cost Management includes:
• Improved accountability with resource tags
• Monitoring of resource demand trends, consumption rates, and cost patterns
• Alerting based on cost and usage budgets
• Recommendations to eliminate idle resources and to optimize provisioned Azure resources
Azure Support :
Every Azure subscription includes:
• Free access to billing and subscription support
• Azure products and services documentation
• Online self-help documentation
• Community support forums
Paid Azure support plans:
• Developer: for trial and nonproduction environments
• Standard: for production environments
• Professional Direct: for organizations with business-critical dependence on Azure
• Premier: for organizations with substantial dependence on Microsoft products, including Azure
Other support channels include:
• Azure community support
• Azure Feedback Forums
• Twitter: @AzureSupport
Service Level Agreements:
• SLAs define Microsoft's commitment to an Azure service or product
• Individual SLAs are available for each Azure product and service
• SLAs also define what happens if a service or product fails to meet the designated availability commitments
Three key characteristics of SLAs for Azure products and services:
• Performance targets, uptime, and connectivity guarantees
• Performance target range: Typical SLAs specify performance target commitments ranging from 99.9 percent to 99.99 percent.
• Service credits: Percentage of the applicable monthly service fees credited to you if a service fails to meet the uptime guarantee
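The percentages above are easier to reason about as minutes of downtime, and a workload rarely depends on a single SLA. The Python below is an added worked example for these notes (not Microsoft's own calculation): it converts an uptime commitment into allowed downtime per month, computes the composite SLA of a workload that needs several services at once, and the improved SLA of deploying redundant copies; the last two go beyond the notes' text but follow standard Azure SLA guidance. The 730-hour month and the tiered credit schedule are constructed conventions, not figures from any specific Azure SLA.

```python
# Constructed convention: an average month of 8760 / 12 = 730 hours.
HOURS_PER_MONTH = 730


def allowed_downtime_minutes(sla_percent, hours_per_month=HOURS_PER_MONTH):
    """Minutes of downtime per month that still meet an uptime commitment."""
    return (100.0 - sla_percent) / 100.0 * hours_per_month * 60


def composite_sla(*sla_percents):
    """Uptime of a workload that needs every listed service (a serial dependency chain).
    Availability multiplies, so each added dependency lowers the overall figure."""
    uptime = 1.0
    for sla in sla_percents:
        uptime *= sla / 100.0
    return uptime * 100.0


def redundant_sla(sla_percent, copies):
    """Uptime when any one of `copies` independent, identical deployments suffices.
    Both must fail at once for an outage, so the failure probabilities multiply."""
    failure = 1.0 - sla_percent / 100.0
    return (1.0 - failure ** copies) * 100.0


# Constructed credit schedule shaped like the tiered tables in Azure SLAs:
# (measured uptime below this percentage, credit as a percentage of the monthly fee).
CREDIT_SCHEDULE = [(95.0, 100), (99.0, 25), (99.9, 10)]


def service_credit(monthly_fee, measured_uptime_percent, committed_sla=99.9,
                   schedule=CREDIT_SCHEDULE):
    """Credit owed: nothing if the commitment was met, else the lowest tier the uptime falls under."""
    if measured_uptime_percent >= committed_sla:
        return 0.0
    for threshold, percent in sorted(schedule):
        if measured_uptime_percent < threshold:
            return round(monthly_fee * percent / 100.0, 2)
    return 0.0
```

For instance, a chain of a 99.95 percent VM, a 99.99 percent database and a 99.9 percent gateway gives a composite figure just above 99.84 percent, which is below every individual commitment; two independent copies of a 99.9 percent tier raise it to 99.9999 percent, which is the arithmetic behind deploying across availability zones or paired regions.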
Written by : Mohamed Abdalla Ibrahim
PMP | CISM | ITIL | CEH | Azure Architect | Azure Security Engineer | IBM Cybersecurity Analyst