AZ-900 Study Guide
- Describe cloud concepts (25–30%)
- Describe Azure architecture and services (35–40%)
- Describe Azure management and governance (30–35%)
Describe cloud concepts (25–30%)
Describe cloud computing
Definition of Cloud Computing
Cloud computing is a modern technological paradigm that fundamentally transforms the way computing services are delivered and consumed. It involves the provision of various computing services, such as servers, storage, databases, networking, software, analytics, and intelligence, over the internet, which is often referred to as “the cloud.” This innovative approach enables flexible resources, rapid innovation, and economies of scale.
Key Characteristics of Cloud Computing:
- On-Demand Self-Service: Users can provision computing resources as needed automatically, without requiring human interaction with the service provider (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/3-what-cloud-compute).
- Broad Network Access: Services are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource Pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
- Rapid Elasticity: Capabilities can be elastically provisioned and released to scale rapidly outward and inward commensurate with demand. To the user, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Cloud Service Models:
- Infrastructure as a Service (IaaS): Offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-glossary).
- Platform as a Service (PaaS): Provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
- Software as a Service (SaaS): Delivers software applications over the internet, on-demand, and typically on a subscription basis.
Cloud Deployment Models:
- Public Cloud: Services are provided over the public internet and available to anyone who wants to purchase them (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/7-knowledge-check).
- Private Cloud: The services are maintained on a private network, and the hardware and software are dedicated solely to one organization (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/7-knowledge-check).
- Hybrid Cloud: Combines public and private clouds, bound together by technology that allows data and applications to be shared between them (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/7-knowledge-check).
Advantages of Cloud Computing:
- Cost Savings: Eliminates the capital expense of buying hardware and software and setting up and running on-site datacenters (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/3-what-cloud-compute).
- Speed: Vast amounts of computing resources can be provisioned in minutes, typically with just a few mouse clicks.
- Global Scale: The ability to scale elastically, delivering the right amount of IT resources—for example, more or less computing power, storage, bandwidth—right when they are needed, and from the right geographic location.
- Productivity: On-site datacenters typically require a lot of “racking and stacking”—hardware setup, software patching, and other time-consuming IT management chores. Cloud computing removes the need for many of these tasks (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/3-what-cloud-compute).
- Performance: The biggest cloud computing services run on a worldwide network of secure datacenters, which are regularly upgraded to the latest generation of fast and efficient computing hardware (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/3-what-cloud-compute).
- Reliability: Cloud computing makes data backup, disaster recovery, and business continuity easier and less expensive because data can be mirrored at multiple redundant sites on the cloud provider’s network (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/3-what-cloud-compute).
For additional information on cloud computing, you can refer to the following resource: What is IaaS? (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-glossary).
Shared Responsibility Model
The shared responsibility model is a framework that delineates the responsibilities of cloud service providers and cloud service consumers to ensure security and compliance in cloud computing environments. This model is essential to understand because it clarifies what the cloud provider is responsible for and what the consumer must manage.
Responsibilities of the Cloud Provider
The cloud provider is responsible for the security and maintenance of the cloud infrastructure. This includes:
- Physical Datacenter: Ensuring the physical security of the data centers where the cloud infrastructure is housed.
- Physical Network: Maintaining the physical network components and connectivity.
- Physical Hosts: Managing the physical servers and hardware that power the cloud services.
Responsibilities of the Cloud Consumer
The cloud consumer is responsible for managing the data, applications, and services operated in the cloud environment. This includes:
- Data and Information: Ensuring the security and integrity of the data stored in the cloud.
- Devices: Managing the devices that connect to the cloud services, such as cell phones and computers.
- Accounts and Identities: Controlling the access and identities of users, services, and devices within the organization.
Shared Responsibilities
Depending on the cloud service model being used (IaaS, PaaS, SaaS), certain responsibilities are shared between the provider and the consumer:
- Operating Systems: In IaaS, the consumer is responsible for the OS, while in PaaS and SaaS, it is typically managed by the provider.
- Network Controls: The consumer manages these in IaaS, but in PaaS and SaaS, the provider may take on more responsibility.
- Applications: In IaaS, the consumer is responsible for applications; in PaaS, the responsibility is shared; and in SaaS, the provider manages the applications.
Service Model Responsibilities
- Infrastructure as a Service (IaaS): The consumer has the most responsibility, including the OS, applications, and network controls.
- Platform as a Service (PaaS): Responsibilities are more evenly distributed between the provider and the consumer.
- Software as a Service (SaaS): The provider takes on most of the responsibilities, with the consumer managing only the data and access to the application.
For more detailed information on the shared responsibility model, you can refer to the following resource:
- Shared responsibility model (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/8-summary)
Understanding the shared responsibility model is crucial for effectively managing and securing cloud environments. It helps consumers know what aspects they need to focus on and ensures that both parties are clear on their security obligations (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/4-describe-shared-responsibility-model; https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/8-summary).
Cloud Models: Public, Private, and Hybrid
Public Cloud
- The public cloud is a type of computing where services are delivered over the public internet and shared across different customers.
- It offers scalability and high elasticity, allowing users to scale up or down their computing resources as needed.
- There are no capital expenditures required for scaling up, as the infrastructure is owned and managed by the cloud service provider.
- Services can be provisioned and deprovisioned quickly, offering agility in operations.
- Customers pay only for the resources they consume, adhering to a pay-as-you-go model.
- While the public cloud offers many conveniences, organizations do not have complete control over resources and security, as the infrastructure is shared (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/5-define-cloud-models).
Private Cloud
- A private cloud is dedicated to a single organization, providing complete control over resources and security.
- The infrastructure can be located on-premises or hosted by a third-party provider, but it is not shared with other organizations.
- Organizations have the responsibility for hardware maintenance, updates, and capital expenditures for startup and maintenance.
- Data and applications are managed within the private cloud, ensuring that sensitive information is not collocated with other organizations’ data (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/5-define-cloud-models).
Hybrid Cloud
- Hybrid cloud combines public and private cloud elements, allowing data and applications to be shared between them.
- This model provides the most flexibility, enabling organizations to leverage the scalability of the public cloud while maintaining sensitive workloads in a private cloud.
- Organizations can use the public cloud to handle spikes in demand, a concept known as “cloud bursting.”
- The hybrid cloud model allows organizations to determine where to run their applications based on security, compliance, or legal requirements.
- It offers a balance between having complete control over resources and security (as in a private cloud) and the cost-effectiveness and scalability of the public cloud (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/5-define-cloud-models).
For additional information on cloud models, you can refer to the following resources:
- Public Cloud
- Private Cloud
- Hybrid Cloud
Cloud Service Models and Their Use Cases
Infrastructure as a Service (IaaS)
IaaS provides virtualized computing resources over the internet. It offers the fundamental building blocks for cloud services and allows users to rent IT infrastructures—servers, virtual machines (VMs), storage, networks, and operating systems—from a cloud provider on a pay-as-you-go basis.
Use Cases for IaaS:
- Test and Development: Quickly setting up and dismantling test and development environments.
- Website Hosting: More scalable and cost-effective than traditional web hosting.
- Storage, Backup, and Recovery: Handling unpredictable demand and steadily growing storage needs.
- Web Apps: Supporting web applications’ infrastructure.
- High-Performance Computing: Complex tasks like financial modeling, climate and weather predictions.
- Big Data Analysis: Processing big data to identify patterns and make business predictions (https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/1-introduction; https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/6-summary).
Platform as a Service (PaaS)
PaaS provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
Use Cases for PaaS:
- Development Framework: PaaS provides a framework that developers can build upon to develop or customize applications.
- Analytics or Business Intelligence: Tools provided can help analyze and mine data, finding insights and patterns and predicting outcomes to improve forecasting, product design decisions, investment returns, and other business decisions.
- Additional Services: PaaS providers may offer other services that enhance applications, such as workflow, directory, security, and scheduling (https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/1-introduction; https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/6-summary).
Software as a Service (SaaS)
SaaS provides a way to deliver software applications over the internet, on-demand, and typically on a subscription basis. With SaaS, cloud providers host and manage the software application and underlying infrastructure and handle any maintenance, such as software upgrades and security patching.
Use Cases for SaaS:
- Hosted Applications: End-user applications, like email, customer relationship management (CRM), and enterprise resource planning (ERP), without the need for underlying infrastructure management.
- Streamlined Operations: Applications that require both web and mobile access.
- Collaboration and Communication: Tools that allow for communication and collaboration among business teams.
- Content Management: Solutions for managing and distributing content across different platforms and audiences (https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/1-introduction; https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/6-summary).
For additional information on cloud service models, you can refer to the following resources:
- Microsoft Azure IaaS
- Microsoft Azure PaaS
- Microsoft Azure SaaS
Detailed Explanation of the Consumption-Based Model
The consumption-based model is a fundamental aspect of cloud computing that allows users to pay only for the IT resources they use, rather than incurring the costs of owning and maintaining physical infrastructure. This model is characterized by several key benefits:
- No Upfront Costs: Users do not need to invest in hardware or infrastructure before they start using cloud services. This eliminates the capital expenditure (CapEx) that would typically be required for such investments (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/6-describe-consumption-based-model).
- Pay-as-you-go: Costs are operational expenditure (OpEx) and are based on actual usage. If a user does not utilize any IT resources in a given period, they incur no charges for that period (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/6-describe-consumption-based-model).
- Scalability: Users can easily scale their resource consumption up or down based on their current needs. This flexibility means that users can quickly adapt to changing demands without the need to predict future requirements accurately (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/6-describe-consumption-based-model).
- No Wasted Resources: Since users only pay for what they use, there is no waste on unused capacity. This contrasts with traditional datacenter models where users might over-provision to avoid potential performance issues, leading to unnecessary costs (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/6-describe-consumption-based-model).
- Rapid Elasticity: Cloud services can be rapidly provisioned and released, allowing users to respond swiftly to increases or decreases in demand. This agility is a significant advantage over traditional models, where expanding capacity can be time-consuming and expensive (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/6-describe-consumption-based-model).
For additional information on the consumption-based model and cloud pricing models, you can refer to the Azure SQL Database pricing page, which provides details on how costs are determined in a vCore-based purchasing model, an example of the consumption-based model in action (https://learn.microsoft.com/en-us/azure/azure-sql/database/service-tiers-sql-database-vcore).
When comparing cloud pricing models, it’s important to understand the various options available and how they can impact the cost of cloud services. Here’s a detailed explanation of the key cloud pricing models:
Consumption-Based Model
The consumption-based model, also known as the pay-as-you-go model, is one where customers pay only for the resources they use. This model offers flexibility and is cost-effective for workloads that are unpredictable or vary in scale. Users are billed based on the amount of resources consumed, such as compute time, storage space, or data transfer (https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/8-summary; https://learn.microsoft.com/en-us/training/modules/describe-cloud-compute/2-introduction-cloud-compute).
Provisioned Model
In the provisioned model, customers reserve resources for a specified period, typically at a discounted rate compared to the consumption-based model. This model is suitable for workloads with predictable resource needs. Azure Files, for example, offers a provisioned model for premium file shares, where users pay for a fixed amount of storage provisioned in advance (https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing).
Pay-As-You-Go Model
This model is similar to the consumption-based model but is specifically applied to standard file shares in Azure Files. Users are billed for the storage and operations they actually use without any upfront commitment. This model provides the most flexibility and is ideal for workloads with variable usage patterns (https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing).
Comparing Models
When comparing cloud pricing models, consider factors such as:
- Predictability of Workload: Choose provisioned models for predictable workloads to benefit from lower rates. For variable workloads, the consumption-based model may be more cost-effective.
- Scale: For large-scale deployments, reserved instances or provisioned models can offer significant savings.
- Flexibility: If your workload requires the ability to scale up or down frequently, the pay-as-you-go model offers the necessary flexibility.
- Budgeting: Consumption-based models can be challenging for budgeting as costs can vary month to month, whereas provisioned models offer more predictable billing.
For additional information on Azure Files pricing models, you can refer to the Azure Files pricing page (https://learn.microsoft.com/en-us/azure/storage/files/understanding-billing). For a broader understanding of Azure pricing, including examples and illustrations, the Azure Pricing page provides detailed information (https://learn.microsoft.com/en-us/azure/frontdoor/understanding-pricing).
Please note that prices and models are subject to change, and it’s important to review the latest information on the official Azure pricing pages for the most accurate and up-to-date details.
Describe Serverless
Serverless computing is an execution model in which the cloud provider dynamically manages the allocation and provisioning of servers. A serverless architecture lets developers write and deploy code without managing the underlying infrastructure: the provider runs the servers and allocates machine resources on demand.
Key Characteristics of Serverless Computing:
- Event-driven: Serverless architectures are often designed around the concept of events. These events can trigger functions, which are small, single-purpose pieces of code that respond to specific triggers such as HTTP requests, messages, or changes in data (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Micro-billing: With serverless, you pay only for the compute time you consume. This means billing is based on the actual amount of resources consumed by an application, rather than on pre-purchased units of capacity (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Auto-scaling: Serverless platforms automatically scale the number of function instances based on the number of incoming events. This means that applications can handle a large number of requests just as well as they handle a single request.
- Abstracted infrastructure: The infrastructure required to run and scale the code is entirely handled by the cloud provider. Developers can focus on writing the application code without having to manage, provision, or maintain servers (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Integrated with cloud services: Serverless functions can easily integrate with other cloud services and resources. Function bindings allow developers to declaratively connect functions to other services without writing detailed integration code (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
Azure Serverless Offerings:
- Azure Functions: Azure Functions is a serverless compute service that enables you to run event-triggered code without having to explicitly provision or manage infrastructure. It supports a variety of programming languages and integrates with Azure and third-party services (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Event-driven triggers: Functions can be triggered by a wide range of events, including HTTP requests, messages in Azure Storage queues, and changes in a database (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Bindings: Azure Functions provides bindings that offer a declarative way to connect with other services, making it easier to work with data and services without dealing with the underlying implementation (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
- Hosting options: Azure Functions can be hosted on Azure, Azure Stack, Kubernetes, and other environments, thanks to the open-source Functions runtime (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
Considerations for Using Serverless:
Serverless architectures are not suitable for every scenario. They work best for applications with variable or unpredictable workloads, and for operations that can be encapsulated into stateless, event-driven functions (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
Long-running functions may not be ideal for serverless architectures due to potential timeouts and higher costs associated with longer execution times (https://learn.microsoft.com/azure/architecture/serverless-quest/serverless-overview).
For more information on serverless computing and Azure Functions, you can visit the following resources:
- Azure Functions Documentation
- Azure Serverless Documentation
- Serverless Application Development
- Azure Functions Security
- Choose an Azure Compute Service for Your Application
Describe cloud concepts (25–30%)
Describe the benefits of using cloud services
High availability and scalability are two of the fundamental benefits offered by cloud services. Here’s a detailed explanation of each:
High Availability
High availability in the cloud refers to the ability of a system to remain operational and accessible for a very high percentage of time, minimizing the chances of downtime. This is achieved through redundant resources and failover mechanisms that ensure service continuity in case of hardware failures, network issues, or other disruptions.
Benefits:
- Redundancy: Cloud services often replicate data and applications across multiple geographically dispersed data centers, providing backups that can be used if one site goes down.
- Disaster Recovery: High availability features contribute to effective disaster recovery strategies, allowing for quick recovery of data and applications in the event of a disaster.
- Maintenance with Minimal Downtime: Cloud providers can perform maintenance tasks without significant service interruptions, as they can reroute traffic to other resources seamlessly.
Scalability
Scalability in the cloud refers to the ability to increase or decrease IT resources as needed to meet changing demand. This can be done without upfront investment in physical hardware, and it’s typically a quick and straightforward process.
Benefits:
- Elasticity: Cloud services can automatically scale resources up or down based on real-time demand, ensuring that applications can handle peak loads without manual intervention.
- Cost-Effectiveness: With scalability, you pay only for the resources you use. This eliminates the need for over-provisioning and reduces costs associated with underutilized resources.
- Performance Management: Scalable cloud services can adapt to performance demands, maintaining optimal user experiences even as the number of users or transactions increases.
For additional information on high availability and scalability in the cloud, you can refer to the following resources:
- Azure high availability
- Azure scalability
Benefits of Reliability and Predictability in the Cloud
Reliability in the cloud refers to the ability of a cloud service to operate consistently and to perform as expected over time. Cloud providers like Microsoft Azure offer a robust infrastructure that is designed to ensure that services are available and functional when needed. Here are some key benefits of cloud reliability:
- Minimized Downtime: Cloud services are designed to minimize outages and ensure that applications are available to users without significant disruption.
- Data Redundancy: Cloud providers often store multiple copies of data across different locations to protect against data loss.
- Disaster Recovery: Cloud environments have built-in disaster recovery capabilities, allowing for quick restoration of services in the event of a failure.
Predictability in the cloud encompasses both performance predictability and cost predictability. It allows users to plan and manage their cloud resources with confidence. Here are the benefits of predictability in the cloud:
- Performance Predictability: Ensures that cloud services perform consistently, meeting the expected performance levels. This is often guided by the Microsoft Azure Well-Architected Framework, which helps in deploying solutions with predictable performance (https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/3-reliability-predictability-cloud).
- Cost Predictability: Helps organizations budget and forecast their spending on cloud services. By understanding and controlling cloud costs, businesses can avoid unexpected expenses.
For additional information on monitoring and setting up alerts for web apps, which is crucial for maintaining reliability, you can refer to Application Insights availability tests (https://learn.microsoft.com/en-us/azure/app-service/../reliability/reliability-app-service).
To manage application resources effectively and ensure predictability in complex deployments, consider using an infrastructure-as-code (IaC) mechanism. Azure Resource Manager templates and Terraform are recommended tools for creating a predictable, testable, and repeatable process for managing resources. For more details, visit Azure Resource Manager templates and Terraform overview (https://learn.microsoft.com/en-us/azure/app-service/../reliability/reliability-app-service).
By leveraging the benefits of reliability and predictability in the cloud, organizations can achieve a more stable and controlled cloud environment, which is essential for maintaining service quality and managing costs effectively.
Benefits of Security and Governance in the Cloud
Cloud security and governance are critical components of cloud services that ensure the protection of data, applications, and infrastructure. Here are the detailed benefits of implementing robust security and governance measures in the cloud:
Enhanced Data Security
Cloud services provide advanced security measures that protect sensitive data from unauthorized access and cyber threats. With encryption, identity management, and access controls, data in the cloud can be more secure than in traditional on-premises environments (https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/1-introduction).
Compliance with Regulations
Cloud providers often comply with a wide range of industry standards and government regulations. This compliance ensures that organizations can meet their legal and regulatory obligations regarding data protection and privacy.
Risk Management
Effective governance in the cloud helps organizations manage risks by setting policies and monitoring compliance. This proactive approach to risk management can prevent security breaches and data loss, thereby maintaining the integrity and reputation of the organization.
Operational Efficiency
Cloud governance frameworks enable organizations to streamline operations by defining clear policies for resource usage, cost management, and service provisioning. This leads to more efficient use of cloud resources and can reduce overall operational costs.
Improved Security Posture
Governance features in cloud services, such as those provided by Defender for Cloud, help organizations improve their security posture. By creating governance rules and monitoring compliance, organizations can take action to enhance their secure score and overall security health https://learn.microsoft.com/en-us/azure/defender-for-cloud/episode-fifteen https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive .
Scalable Security Solutions
Cloud services offer scalable security solutions that can grow with the organization’s needs. As the demand for resources increases, security measures can be scaled up to ensure continuous protection without the need for significant capital investment.
Centralized Security Management
With cloud governance, security teams can define and apply governance rules at scale across various scopes, such as subscriptions and connectors. This centralized management approach simplifies the enforcement of security policies and ensures consistency across the organization’s cloud environments https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive .
For additional information on cloud governance and security, you can refer to the following resources:
- Governance Overview
- Defender for Cloud Governance Rules
Describe cloud concepts (25–30%)
Describe the benefits of using cloud services
Benefits of Manageability in the Cloud
Cloud computing offers a range of manageability benefits that can significantly enhance the way organizations deploy, manage, and scale their IT resources. Here are some of the key advantages:
Simplified Infrastructure Management: Cloud computing abstracts the underlying infrastructure, allowing IT teams to manage resources without worrying about the physical hardware. This simplification leads to more efficient resource utilization and easier management tasks https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/5-manageability-cloud .
Enhanced Security and Governance: The cloud provides advanced security features and governance tools that help organizations protect their data and comply with various regulations. Cloud providers invest heavily in security measures, which are continuously updated to respond to emerging threats https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/1-introduction .
Scalability and Flexibility: Cloud services can be easily scaled up or down based on the demand. This elasticity means that organizations can quickly adapt to changing workloads without the need for significant upfront investments in hardware.
Cost-Effectiveness: With cloud computing, organizations can shift from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model. This pay-as-you-go approach reduces the need for large investments in IT infrastructure and allows for better cost management https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/1-introduction .
Disaster Recovery and Backup: Cloud-based backup solutions, such as Azure Backup, provide robust and enterprise-class capabilities for data protection. All backups are stored and managed in a secure and centralized location, which simplifies disaster recovery processes https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/backup-restore .
High Availability: Cloud services are designed to provide high availability, ensuring that applications and data are accessible when needed. This is achieved through redundant systems and failover mechanisms that minimize downtime https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/7-summary https://learn.microsoft.com/en-us/training/modules/describe-benefits-use-cloud-services/1-introduction .
Predictability and Reliability: The cloud offers a reliable environment for hosting applications and services. Providers typically offer service level agreements (SLAs) that guarantee a certain level of uptime and performance.
For more detailed information on manageability in the cloud, you can refer to the following resources:
- Azure Backup for insights into cloud-based backup solutions and their advantages for enterprises.
By leveraging these manageability benefits, organizations can focus more on their core business activities and less on the complexities of IT infrastructure management.
Describe cloud concepts (25–30%)
Describe cloud service types
Infrastructure as a Service (IaaS) is one of the fundamental service models of cloud computing alongside Platform as a Service (PaaS) and Software as a Service (SaaS). IaaS provides virtualized computing resources over the internet. In an IaaS model, a cloud provider hosts the infrastructure components traditionally present in an on-premises data center, including servers, storage, and networking hardware, as well as the virtualization or hypervisor layer.
Key Characteristics of IaaS:
- Scalability and Flexibility: IaaS allows for on-demand scaling of resources, which means that users can increase or decrease resources as needed, making it highly flexible to changes in workload demands.
- Utility Pricing Model: Users typically pay on a per-use basis, often by the hour, week, or month, depending on their consumption of computing resources, such as CPU cycles, memory, and bandwidth.
- Access and Management: Customers access resources and services through a wide range of interfaces such as APIs, web portals, and command-line tools. They retain full control over the virtualized environment, with the ability to deploy and run their own operating systems and applications.
- Physical Security of Data Center Facilities: The underlying physical servers are located in the provider’s data centers, offering robust physical security measures.
- No Capital Expense: IaaS eliminates the upfront cost of setting up and managing an on-site data center, making it an economical option for businesses looking to reduce capital expenditures.
Use Cases for IaaS:
- Web Hosting: IaaS provides a quick and easy way to host websites without the need for physical hardware.
- Test and Development: Teams can quickly set up and dismantle test and development environments, bringing new applications to market faster.
- Storage, Backup, and Recovery: Organizations avoid the capital outlay for storage and complexity of storage management, which typically requires a skilled staff to manage data and meet legal and compliance requirements.
- High-Performance Computing: High-performance computing on supercomputers, computer grids, or computer clusters helps solve complex problems involving millions of variables or calculations.
- Big Data Analysis: IaaS provides the enormous processing power required for analyzing big data. This is a common use case for IaaS, as it allows for the analysis of data patterns, predictions, and human behavior.
For additional information on IaaS, you can refer to the following resources:
- What is IaaS?
- IaaS Documentation
Describe cloud concepts (25–30%)
Describe cloud service types
Platform as a Service (PaaS) is a cloud computing model that provides customers with a complete development and deployment environment in the cloud. This service model is a middle ground between Infrastructure as a Service (IaaS), where clients rent virtualized hardware, and Software as a Service (SaaS), where clients use provider’s applications running on a cloud infrastructure. PaaS is designed to support the complete web application lifecycle of building, testing, deploying, managing, and updating https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
In a PaaS environment, the cloud provider manages the infrastructure, including servers, storage, and networking, as well as the software platform, which includes operating systems, middleware, and development tools. This allows customers to focus on the development of their applications without the complexity of building and maintaining the underlying infrastructure https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
Key features of PaaS include:
- Managed Infrastructure: The cloud provider is responsible for the maintenance of physical hardware, network security, and internet connectivity https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
- Operating System and Middleware: PaaS providers maintain the operating systems and middleware components, ensuring they are up to date with the latest patches and updates https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
- Development Tools: PaaS offers a suite of development tools to create, test, and deploy applications quickly and efficiently https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
- Business Intelligence Services: These services are part of the PaaS offering, enabling businesses to analyze data and gain insights https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
- No Licensing Hassles: Users do not need to worry about software licensing or patch management for operating systems and databases, as these are handled by the provider https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
PaaS is particularly well-suited for developers who want to create applications without the expense and complexity of buying and managing the underlying hardware and software layers. It is also beneficial for scenarios where multiple developers are working on a project or where external parties need to collaborate on the development process https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/3-describe-platform-service .
For additional information on PaaS, you can refer to the following resources:
- Azure SQL Database Service Level Agreement (SLA) https://learn.microsoft.com/en-us/azure/azure-sql/database/high-availability-disaster-recovery-checklist .
Describe cloud concepts (25–30%)
Describe cloud service types
Software as a Service (SaaS) is a cloud computing offering that provides users with access to a vendor’s cloud-based software. Users do not install applications on their local devices. Instead, the applications reside on a remote cloud network accessed through the web or an API. Through the application, users can store and analyze data and collaborate on projects.
Here are the key points to understand about SaaS:
Accessibility: SaaS applications are available from any internet-enabled device, which makes them accessible from virtually anywhere at any time https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-glossary .
Subscription Model: Instead of purchasing software to install, or additional hardware to support it, customers subscribe to a SaaS offering. Typically, they pay for this service on a monthly or annual basis using a pay-as-you-go model https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-glossary .
No Hardware: The SaaS provider manages the infrastructure, middleware, app software, and app data. This means that the user is freed from having to install, manage, or upgrade software; SaaS providers manage all potential technical issues, such as data, middleware, servers, and storage.
Multi-Tenancy Model: A SaaS application is multi-tenant, meaning that any number of customers can use the same application. This is achieved by logically separating data for each tenant so that they only see their individual data https://learn.microsoft.com/en-us/azure/azure-sql/database/saas-tenancy-app-design-patterns .
Complete Software Solution: SaaS is often referred to as a turnkey solution, or software on demand. This is because the software is already installed and configured. In a SaaS model, the cloud service provider gives customers network-based access to a single copy of an application that the provider created specifically for SaaS distribution https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/4-describe-software-service .
Use Cases: SaaS is suitable for applications that demand web or mobile access, such as email, sales management, customer relationship management (CRM), financial management, human resources (HR), and billing https://learn.microsoft.com/en-us/training/modules/describe-cloud-service-types/6-summary .
Tenancy Models: SaaS can have different tenancy models, such as single-tenancy where each customer has their own independent database, and multi-tenancy where multiple customers share the same database with privacy mechanisms in place. Hybrid models are also available https://learn.microsoft.com/en-us/azure/azure-sql/database/saas-tenancy-app-design-patterns .
For additional information on SaaS, you can refer to the following URL: What is SaaS?
Describe cloud concepts (25–30%)
Describe cloud service types
Below is a detailed explanation of the appropriate use cases for each cloud service type: IaaS, PaaS, and SaaS.
Infrastructure as a Service (IaaS)
IaaS provides virtualized computing resources over the internet. It offers the fundamental infrastructure of virtual servers, networks, operating systems, and data storage drives.
Use Cases for IaaS:
- Testing and Development: Quickly setting up and dismantling test and development environments.
- Website Hosting: More scalable and cost-effective than traditional web hosting.
- Storage, Backup, and Recovery: Simplifies the web-scale challenges of storage, especially with large volumes of data.
- Web Apps: Hosting web applications on IaaS can be more flexible and cost-effective.
- High-Performance Computing: On-demand high-configured servers can perform complex calculations for scientific, engineering, and financial models.
Platform as a Service (PaaS)
PaaS provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
Use Cases for PaaS:
- Application Development: Streamlines the application development process with preconfigured features.
- Business Analytics/BI Tools: Tools provided can help analyze and mine business data.
- Additional Services: PaaS can provide services such as team collaboration, web service integration, and marshalling.
- Database Integration: Simplified and managed database integration services.
Software as a Service (SaaS)
SaaS provides software applications over the internet, on-demand and typically on a subscription basis. With SaaS, cloud providers host and manage the software application and underlying infrastructure and handle any maintenance, such as software upgrades and security patching.
Use Cases for SaaS:
- Email Services: Hosted email services that users can access online.
- Customer Relationship Management (CRM): Access to CRM software over the internet without the need for local installation.
- Healthcare Applications: Patients’ portals and scheduling systems that can be accessed by multiple users from various locations.
- Financial Management: Accounting and financial management applications that are accessible from anywhere.
- Human Resources: Online HR solutions to manage employee records, benefits, and recruitment processes.
For additional information, you can refer to the cloud service providers’ documentation and resources, which typically offer comprehensive guides and case studies on how to effectively utilize these services.
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Azure Regions, Region Pairs, and Sovereign Regions
Azure regions are geographical areas around the world where Microsoft’s datacenters are clustered. Each Azure region is made up of one or more datacenters that are connected through a dedicated low-latency network. This setup allows customers to run their applications closer to their users or customers, thus reducing latency and improving performance.
Region pairs are a unique Azure concept designed to provide a higher level of availability and disaster recovery. Each Azure region is paired with another region within the same geography, such as the US, Europe, or Asia. The two regions in a pair are always located at least 300 miles apart to ensure that natural disasters, civil unrest, power outages, or physical network outages affecting one region do not affect the other.
Sovereign regions are specialized Azure regions that are designed to meet the compliance needs of specific governmental or regulatory standards. These regions are physically and logically isolated from Microsoft’s global Azure network but offer the same Azure services and features. Sovereign regions are intended for use by government agencies, their partners, and other entities that handle data subject to certain government regulations and requirements.
For example, Azure sovereign regions in the United States include:
- US DoD Central
- US Gov Virginia
- US Gov Iowa
These regions are operated by screened US personnel and include additional compliance certifications to meet the needs of US government agencies.
In China, Azure operates through a unique partnership with 21Vianet, where Microsoft does not directly maintain the datacenters. This allows Azure to offer services in China while complying with Chinese regulations.
For more detailed information on Azure regions, region pairs, and sovereign regions, you can refer to the following URLs:
- Azure Regions
- Azure Region Pairs
- Azure Sovereign Regions - US Government
- Azure Sovereign Regions - China
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Describe Availability Zones
Availability zones are a high-availability offering that protects your applications and data from datacenter failures. These zones are unique physical locations within an Azure region, each consisting of one or more datacenters equipped with independent power, cooling, and networking to ensure isolation from failures https://learn.microsoft.com/azure/azure-sql/virtual-machines/index .
Each availability zone is an isolated zone within a region, and there are typically three zones to ensure redundancy and high availability. The physical separation of these zones within a region is designed to provide a robust solution by ensuring that at least one virtual machine will be available and operational, even in the event of a datacenter failure, thus meeting the Azure Service Level Agreement (SLA) of 99.99 percent https://learn.microsoft.com/azure/azure-sql/virtual-machines/index .
To configure high availability for your applications, it is recommended to distribute your SQL Server virtual machines across different availability zones within the region. This approach ensures that your applications can continue to run even if one zone goes down https://learn.microsoft.com/azure/azure-sql/virtual-machines/index .
For virtual machines (VMs), using availability zones during creation is a way to protect your applications and data against unlikely datacenter failure. There are specific steps and considerations for enabling availability zones when creating VMs, as well as for migrating existing VMs to support availability zones https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/../reliability/reliability-virtual-machines .
In the context of Azure SQL Database, enabling zone redundancy allows the database or elastic pool to use availability zones to be resilient to zonal failures. This setup enhances the high availability of the database service and can provide a higher availability SLA of 99.995% https://learn.microsoft.com/en-us/azure/azure-sql/database/business-continuity-high-availability-disaster-recover-hadr-overview .
For Azure Kubernetes Service (AKS), you can determine the availability zone of agent nodes in a scale set by using specific Azure CLI and Kubernetes commands. This helps in understanding how the nodes are distributed across the availability zones https://learn.microsoft.com/en-us/azure/aks/availability-zones .
Azure regions with availability zones are carefully selected based on rigorous vulnerability risk assessment criteria to minimize the risk of simultaneous outages. These zones are interconnected with a high-performance network, ensuring low-latency connections and the ability to maintain regional services and high availability even if one zone experiences an outage https://learn.microsoft.com/en-us/azure/virtual-machines/../availability-zones/az-overview .
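The zone-spreading recommendation above, as an added example that is not code from Microsoft or the study guide: VMs of each tier are placed round-robin across a region's three zones, and the loss of every single zone is simulated to confirm each tier keeps at least one VM running. Tier, VM and zone names are constructed for illustration.

```python
"""Added example (not Microsoft code): spread VMs across availability zones and
verify that every tier survives the loss of any single zone, which is the
situation the 99.99 percent VM SLA is designed around.  Names are constructed."""
from itertools import cycle

ZONES = ("zone-1", "zone-2", "zone-3")   # a typical region exposes three zones


def place_across_zones(tiers: dict, zones=ZONES) -> dict:
    """Round-robin each tier's VMs over the zones so consecutive VMs land in different zones.

    tiers:   {"web": ["web-01", "web-02"], ...}
    returns: {"web": {"web-01": "zone-1", "web-02": "zone-2"}, ...}
    """
    placement = {}
    for tier, vms in tiers.items():
        placement[tier] = dict(zip(vms, cycle(zones)))
    return placement


def zone_failure_impact(placement: dict, failed_zone: str) -> dict:
    """Number of VMs per tier that stay online when `failed_zone` goes down."""
    return {tier: sum(1 for z in vms.values() if z != failed_zone)
            for tier, vms in placement.items()}


def survives_any_single_zone_failure(placement: dict, zones=ZONES, min_per_tier: int = 1) -> bool:
    """True if, for every zone, each tier keeps at least `min_per_tier` VMs running."""
    for zone in zones:
        impact = zone_failure_impact(placement, zone)
        if any(n < min_per_tier for n in impact.values()):
            return False
    return True


def build_demo() -> dict:
    """Constructed deployment: SQL Server VMs plus a web tier, as in the recommendation above."""
    return {"sql": ["sql-01", "sql-02"], "web": ["web-01", "web-02", "web-03"]}


if __name__ == "__main__":
    good = place_across_zones(build_demo())
    # Both SQL VMs in one zone: a single datacenter failure takes the whole tier down.
    bad = {"sql": {"sql-01": "zone-1", "sql-02": "zone-1"}}
    print(survives_any_single_zone_failure(good), survives_any_single_zone_failure(bad))
```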
For more detailed information on availability zones and to see which Azure regions support them, you can refer to the following resources:
- Availability zones overview https://learn.microsoft.com/azure/azure-sql/virtual-machines/index
- Availability zone support for VMs https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/../reliability/reliability-virtual-machines
- Zone redundancy for Azure SQL Database https://learn.microsoft.com/en-us/azure/azure-sql/database/business-continuity-high-availability-disaster-recover-hadr-overview
- Azure regions with availability zone support https://learn.microsoft.com/en-us/azure/virtual-machines/../availability-zones/az-overview
Please note that there may be additional charges for network-to-network transfers between availability zones https://learn.microsoft.com/azure/azure-sql/virtual-machines/index .
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Azure datacenters are the foundational physical infrastructure of Microsoft Azure’s cloud services. They are large facilities that house a vast array of computer, networking, and storage resources. These resources are organized in racks and are supported by dedicated power, cooling, and networking infrastructure to ensure their continuous operation https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure .
Each datacenter is designed to host a multitude of services and applications, providing customers with the computing power and storage capacity needed to run their workloads in the cloud. The datacenters are strategically located around the world, allowing Azure to offer global coverage and local presence to its users. This global distribution of datacenters is categorized into Azure Regions and Azure Availability Zones https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure .
Azure Regions are geographical areas around the world, each containing one or more datacenters. These regions are the main location service for Azure, allowing customers to choose where their data and applications reside to meet their performance, compliance, and data residency requirements.
Azure Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking to ensure resilience. The separation of availability zones within a region provides protection against datacenter failures and is a key component in achieving high availability for applications and data. Azure guarantees a service-level agreement (SLA) of 99.99 percent uptime when virtual machines are spread across availability zones https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/doc-changes-updates-release-notes-whats-new-archive .
For more information on Azure datacenters and their global distribution, you can visit the Global infrastructure site, which offers an interactive exploration of Azure’s underlying infrastructure https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/5-describe-azure-physical-infrastructure .
For additional details on Azure Availability Zones, including their design and how to configure services for high availability, refer to the Availability zones overview https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/doc-changes-updates-release-notes-whats-new-archive .
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Azure Resources and Resource Groups
Azure organizes its services and capabilities through a hierarchy that includes management groups, subscriptions, resource groups, and resources. Understanding this hierarchy is crucial for efficient management and organization of Azure services.
Azure Resources
An Azure resource is an individual compute, networking, data, or app hosting service that you create and use in Azure. Each resource exists in only one resource group, and it’s the fundamental building block of Azure services. Examples of Azure resources include virtual machines, databases, and application gateways.
Azure Resource Groups
A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how to allocate resources to resource groups based on what makes the most sense for your organization.
Here are some key points about resource groups:
Scope of Management: Resource groups provide a way to manage and monitor resources collectively. Settings, permissions, and policies can be applied to the resource group and will be inherited by the resources within it https://learn.microsoft.com/en-us/azure/firewall/../azure-resource-manager/management/overview .
Lifecycle: Typically, resources in a resource group share the same lifecycle. You can deploy, update, or delete all the resources in a resource group in one coordinated operation https://learn.microsoft.com/en-us/azure/firewall/../azure-resource-manager/management/overview .
Location: Resources can exist in different regions than their resource group. However, it’s recommended to keep resources in the same region to minimize latency and costs https://learn.microsoft.com/en-us/azure/firewall/../azure-resource-manager/management/overview .
Policies and Access Control: Resource groups can be used to apply access control and policies. If a policy is applied at the resource group level, it will affect all resources within that group https://learn.microsoft.com/en-us/azure/firewall/../azure-resource-manager/management/overview .
Organizational Clarity: Resource groups can be used to structure Azure resources to reflect an organization’s structure, service, or billing model https://learn.microsoft.com/en-us/azure/firewall/../azure-resource-manager/management/overview .
For additional information on Azure resource groups, you can visit the following URL: Azure Resource Groups Overview.
Best Practices for Using Resource Groups
Consistent Naming Conventions: Use a consistent naming convention for resource groups and resources to make it easier to manage and locate them.
Granular Access Control: Assign access control at the resource group level to manage permissions efficiently and securely https://learn.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-permissions-powershell .
Resource Group Deletion: Be cautious when deleting a resource group, as it deletes all the resources contained within it. Always ensure that the resources within a resource group are no longer needed before deleting it https://learn.microsoft.com/en-us/azure/dns/tutorial-alias-tm .
Architectural Components: Understand the core architectural components of Azure, including regions, availability zones, datacenters, and the hierarchy of resource groups, subscriptions, and management groups.
By following these guidelines and understanding the structure of Azure resources and resource groups, you can create a well-organized and manageable cloud environment.
For a deeper dive into Azure’s core architectural components, you can explore the following resource: Core Azure Architectural Components.
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Describe Subscriptions
In Azure, a subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, and more. Subscriptions act as a boundary for billing and resource management. Each subscription is associated with an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
Key Points about Azure Subscriptions:
Billing: Subscriptions are the level at which billing takes place. Each subscription generates its own set of billing reports and invoices. This allows for clear cost management and resource usage tracking.
Access Control: Azure Role-Based Access Control (RBAC) is applied at the subscription level. This means you can define roles and permissions to determine who can manage resources within a subscription.
Resource Limits: Each subscription has limits on the number of resources that can be created within it. These limits are defined by Azure and vary by service.
Multiple Subscriptions: Organizations can have multiple subscriptions, and they can be used to separate environments, departments, or projects to maintain order and clarity in resource and cost management.
Subscription Types: There are various types of subscriptions available, such as Free, Pay-As-You-Go, Enterprise Agreement, and more, each with its own set of services and pricing structures.
Management Groups: Subscriptions can be organized into management groups to provide a level of scope above subscriptions. You can apply governance conditions to management groups, and those conditions are inherited by all subscriptions within the group.
For more detailed information on Azure subscriptions, you can refer to the Azure documentation: Azure Subscriptions.
Hierarchy of Management:
Azure provides a hierarchy that enables you to organize and manage multiple subscriptions. The hierarchy consists of the following levels:
Management Groups: These are containers that help you manage access, policy, and compliance across multiple subscriptions.
Subscriptions: As mentioned, subscriptions are billing and access boundaries that contain resources.
Resource Groups: Within subscriptions, resources are further organized into resource groups, which are containers that hold related resources for an Azure solution.
Resources: These are individual instances of services that you use, such as virtual machines, databases, etc.
Understanding the structure and purpose of Azure subscriptions is crucial for effective cloud resource management and cost optimization. It allows for better governance, accountability, and organizational flexibility within the Azure environment.
For additional information on managing Azure subscriptions, you can visit: Manage Azure Subscriptions.
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Management Groups in Azure
Management groups in Azure provide a level of scope above subscriptions. They are containers that help you manage access, policy, and compliance across multiple subscriptions. A management group allows you to efficiently manage governance controls such as Azure policies and Role-Based Access Control (RBAC) across various subscriptions.
When organizing resources and subscriptions, you can consider the following aspects of management groups:
Hierarchy: Management groups form a hierarchy that can be up to six levels deep, not including the Root level. This hierarchy allows for the structured organization of resources and subscriptions, enabling consistent governance and compliance across large sets of resources.
Access Control: By applying RBAC roles at the management group level, you can assign access permissions that are inherited by all subscriptions within the management group. This simplifies the process of managing access for users who need to work across multiple subscriptions.
Policy Assignment: Azure policies can be applied to a management group, automatically inheriting the policy settings to all subscriptions within the group. This ensures that all resources within those subscriptions comply with the organization’s standards and regulations.
Flexibility: Management groups can be arranged in a flexible way to reflect your organization’s needs, whether it’s based on geography, department, application, or any other criteria.
Cost Management: By organizing subscriptions into management groups, you can more easily report on and analyze costs across subscriptions, helping to optimize and control Azure spending.
For more detailed information on management groups, you can refer to the Azure documentation:
By utilizing management groups, organizations can achieve a higher level of governance and simplify the management of their Azure environment.
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
Hierarchy of Resource Groups, Subscriptions, and Management Groups
In Azure, resources are organized into a hierarchical structure that allows for efficient management and governance. This hierarchy consists of management groups, subscriptions, and resource groups, each serving a specific purpose in the organization of Azure resources.
Management Groups
Management groups are containers that help you manage access, policy, and compliance across multiple Azure subscriptions. They provide a level of scope above subscriptions, allowing you to organize subscriptions into containers and apply governance conditions to these containers. All subscriptions within a management group automatically inherit the conditions applied to the management group. This is useful for enterprises that require large-scale management of various subscriptions, potentially across different applications, development teams, and geographies (https://learn.microsoft.com/en-us/training/modules/describe-core-architectural-components-of-azure/6-describe-azure-management-infrastructure).
- Limitations: A Microsoft Entra tenant can have up to 10,000 management groups. Each management group has exactly one direct parent, and the hierarchy supports a root level plus 6 additional levels (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits).
- Deployment: Management group level deployments are limited to 800 per location, and you can deploy to a maximum of 10 locations (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits).
Subscriptions
Subscriptions act as a billing unit within Azure and are a way to group resources for billing purposes. Each subscription can have multiple resource groups, and resources within a subscription inherit the governance conditions applied to the subscription. Subscriptions are often aligned with organizational structures, such as departments or projects, and can have different payment methods and quotas.
Resource Groups
Resource groups are containers that hold related resources for an Azure solution. The resources in a resource group can include virtual machines, storage accounts, web apps, databases, and more. Resource groups are used to manage and organize resources within a subscription, and they can be used to control access and manage policies at a more granular level than subscriptions (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview).
Hierarchy Example
Here is an example of how these levels of management scope are structured:
- Management Group: At the top level, you might have a management group for your entire organization.
- Subscriptions: Within the management group, you could have multiple subscriptions, each for different departments like IT, HR, or Finance.
- Resource Groups: Within each subscription, you could have multiple resource groups, each containing resources related to specific projects or applications.
This hierarchy ensures that policies, access controls, and compliance settings can be applied at different levels and inherited accordingly, providing a flexible and scalable way to manage Azure resources across an organization.
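The inheritance described in this section and in the subscription hierarchy above, as an added Python model (example code written for this guide, not Azure's own implementation); the six-level nesting limit and the parent/child rules come from the text, and the names Contoso, Finance, Finance-Prod, payroll-rg, payroll-vm, alice and bob are constructed:

```python
"""Constructed model of the Azure management scope hierarchy described above:
management groups -> subscriptions -> resource groups -> resources.
Added illustration only, not Azure's implementation; all names are made up."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional

# Management-group levels allowed below the tenant root group (per the text).
MAX_MG_DEPTH = 6

# Which kind of scope may be created directly under which parent kind.
ALLOWED_CHILD = {
    "root": {"mgmt_group", "subscription"},
    "mgmt_group": {"mgmt_group", "subscription"},
    "subscription": {"resource_group"},
    "resource_group": {"resource"},
    "resource": set(),
}


@dataclass
class Scope:
    name: str
    kind: str
    parent: Optional["Scope"] = None
    children: list["Scope"] = field(default_factory=list)
    # RBAC assignments made directly at this scope: (principal, role)
    role_assignments: list[tuple[str, str]] = field(default_factory=list)
    # Azure Policy assignments made directly at this scope
    policies: list[str] = field(default_factory=list)

    def ancestors(self) -> Iterator["Scope"]:
        """Yield this scope, then each parent up to the tenant root."""
        node: Optional[Scope] = self
        while node is not None:
            yield node
            node = node.parent

    def mg_depth(self) -> int:
        """Number of management groups on the path, excluding the root."""
        return sum(1 for s in self.ancestors() if s.kind == "mgmt_group")


def add_child(parent: Scope, name: str, kind: str) -> Scope:
    """Attach a new scope, enforcing the parent/child kinds and the
    six-level management-group limit described in the text."""
    if kind not in ALLOWED_CHILD[parent.kind]:
        raise ValueError(f"a {kind} cannot be created under a {parent.kind}")
    child = Scope(name, kind, parent)
    if kind == "mgmt_group" and child.mg_depth() > MAX_MG_DEPTH:
        raise ValueError(f"management groups may only nest {MAX_MG_DEPTH} deep")
    parent.children.append(child)
    return child


def effective_roles(scope: Scope, principal: str) -> set[str]:
    """Roles a principal holds at `scope`: direct assignments plus everything
    inherited from management groups, the subscription and the resource group."""
    return {
        role
        for s in scope.ancestors()
        for who, role in s.role_assignments
        if who == principal
    }


def effective_policies(scope: Scope) -> list[str]:
    """Policies that apply at `scope`, ordered from the root downwards."""
    return [p for s in reversed(list(scope.ancestors())) for p in s.policies]


def build_demo() -> dict[str, Scope]:
    """Build the example hierarchy from the text: organization management
    group -> department subscription -> project resource group -> resource."""
    root = Scope("Tenant Root Group", "root")
    root.policies.append("allowed-locations")            # inherited by everything
    org = add_child(root, "Contoso", "mgmt_group")
    org.role_assignments.append(("alice", "Reader"))      # read access everywhere below
    finance = add_child(org, "Finance", "mgmt_group")
    finance.policies.append("require-cost-center-tag")
    sub = add_child(finance, "Finance-Prod", "subscription")
    rg = add_child(sub, "payroll-rg", "resource_group")
    rg.role_assignments.append(("bob", "Contributor"))    # scoped to one project only
    vm = add_child(rg, "payroll-vm", "resource")
    return {"root": root, "org": org, "finance": finance,
            "sub": sub, "rg": rg, "vm": vm}
```

Because a role granted at a management group reaches every resource below it, the model also makes the least-privilege point visible: bob's Contributor role on the resource group does not exist at subscription scope.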
For more information on management groups, visit the Azure Management Groups Overview (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits). For a deeper understanding of Azure’s core architectural components, including the hierarchy of resource groups, subscriptions, and management groups, refer to the Azure documentation (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview).
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Compute Types in Azure: Containers, Virtual Machines, and Functions
When considering compute options in Azure, it’s essential to understand the differences between containers, virtual machines (VMs), and functions, as each serves different purposes and offers unique benefits.
Containers
Containers are lightweight, provide a consistent software environment, and are designed to run applications in isolation from other processes. They are a great choice for microservices architectures and can be managed by orchestration services like Azure Kubernetes Service (AKS). Azure also offers Azure Container Instances (ACI) for scenarios where you need a container without orchestration (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Pros:
  - Fast startup times.
  - Efficient use of system resources.
  - Portability across environments.
- Cons:
  - Less isolation compared to VMs.
  - Requires container orchestration for complex applications.
- Use Cases:
  - Microservices.
  - Continuous integration and deployment (CI/CD) pipelines.
- Additional Information: Azure Container Instances
Virtual Machines (VMs)
Virtual Machines are emulations of physical computers. They provide the most control over the computing environment, including the operating system and the hardware it runs on. Azure offers various VM options, such as Azure Virtual Machine Scale Sets for auto-scaling and Azure Virtual Desktop for delivering a virtualized desktop experience (https://learn.microsoft.com/en-us/training/modules/describe-azure-compute-networking-services/1-introduction).
- Pros:
  - Full control over the OS and software.
  - Strong isolation and security.
  - Familiarity for those used to on-premises environments.
- Cons:
  - Higher overhead due to the need to manage the OS and hardware.
  - Slower to start compared to containers and functions.
- Use Cases:
  - Legacy applications.
  - Applications requiring strong isolation.
- Additional Information: Azure Virtual Machines
Functions (Serverless Computing)
Azure Functions is a serverless compute service that runs code in response to events. It abstracts away the underlying infrastructure, allowing developers to focus solely on the application logic. It’s event-driven and scales automatically, so you only pay for the compute time you use (https://learn.microsoft.com/en-us/training/modules/describe-azure-compute-networking-services/6-functions; https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Pros:
  - No need to manage servers or infrastructure.
  - Scales automatically with demand.
  - Pay only for what you use.
- Cons:
  - Limited control over the environment.
  - Potential for cold starts, which can introduce latency.
- Use Cases:
  - Event-driven applications.
  - Automation tasks.
- Additional Information: Azure Functions
In summary, containers offer a balance between efficiency and portability, VMs provide full control with higher overhead, and functions deliver a serverless experience with automatic scaling. The choice between these compute types will depend on the specific requirements of the application, such as scalability, control, and operational overhead.
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Virtual Machine Options in Azure
Azure offers a variety of virtual machine (VM) options to cater to different needs regarding scalability, management, and availability. Below is a detailed explanation of the primary virtual machine options available in Azure:
Azure Virtual Machines
Azure Virtual Machines (VMs) are on-demand, scalable computing resources offered by Microsoft Azure. They provide the flexibility of virtualization without having to buy and maintain the physical hardware that runs the VM. Users have control over the VMs, including the choice of operating systems, networking settings, and storage configurations. Azure VMs can be used for a wide range of computing solutions such as development and testing, running applications, and extending data centers.
- For more information on Azure Virtual Machines, visit: What is Azure Virtual Machine?
Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets (VMSS) allow you to create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule, ensuring your application remains available and performant. VMSS is an excellent solution for building large-scale services that are scalable, reliable, and manageable.
- For more information on Azure Virtual Machine Scale Sets, visit: What are Virtual Machine Scale Sets? (https://learn.microsoft.com/en-us/azure/load-balancer/configure-vm-scale-set-powershell; https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-mvss-custom-image; https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview).
Availability Sets
Availability Sets are another feature in Azure that helps to ensure high availability of your applications. They are logical groupings of VMs that allow Azure to understand how your application is built to provide for redundancy and availability. This is achieved by distributing VMs across multiple isolated hardware nodes in a cluster. If a hardware or software failure happens within Azure, only a subset of your VMs is impacted and your overall solution remains available and operational.
- For more information on Availability Sets, visit: Manage the availability of Windows virtual machines in Azure.
Azure Virtual Desktop
Azure Virtual Desktop is a desktop and app virtualization service that runs on the cloud. It enables users to access a virtual desktop environment that is hosted on Azure from any location. This service is ideal for remote or hybrid work scenarios, providing secure and scalable virtual desktops. With Azure Virtual Desktop, you can set up a multi-session Windows 10 deployment that delivers a full Windows 10 experience at scale.
- For more information on Azure Virtual Desktop, visit: What is Azure Virtual Desktop?.
Each of these options provides different capabilities and benefits that can be tailored to the specific needs of your applications and workloads. When designing your Azure infrastructure, it is essential to consider these options to optimize for cost, performance, and availability.
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Resources Required for Virtual Machines
When setting up a virtual machine (VM), it is essential to understand the various resources that are required to ensure optimal performance and functionality. Below is a detailed explanation of the resources needed for virtual machines:
Compute Resources: VMs require compute resources such as CPU and memory. The size of the VM determines the amount of CPU cores and memory allocated to it. Different VM sizes are available to cater to various workloads and performance requirements (https://learn.microsoft.com/en-us/training/modules/describe-azure-compute-networking-services/14-summary).
Storage: VMs need storage to hold the operating system, applications, and data. Azure offers several types of storage, including disk storage, which can be premium or standard, depending on the performance needs. The performance of an application running on premium storage can be influenced by factors such as disk size and number of disks (https://learn.microsoft.com/en-us/azure/virtual-machines/premium-storage-performance).
Networking: A virtual network is necessary for VMs to communicate with each other and with the internet. This includes Azure Virtual Networks, subnets, and the configuration of network interfaces (NICs). Additionally, specific inbound ports may be required, such as RDP (3389) for Windows VMs and SSH (22) for Linux VMs. Opening these management ports directly to the internet widens the VM’s attack surface; Azure Bastion, covered in the cited article, lets administrators reach them without exposing them publicly (https://learn.microsoft.com/en-us/azure/bastion/bastion-create-host-powershell; https://learn.microsoft.com/en-us/training/modules/describe-azure-compute-networking-services/14-summary).
Operating System: An operating system is required to manage the hardware and software resources on the VM. Azure supports various operating systems, including Windows and Linux distributions (https://learn.microsoft.com/en-us/azure/virtual-machines/nd-series).
GPU Drivers (for GPU-enabled VMs): If using Azure N-series VMs, which are GPU-enabled, it is necessary to install NVIDIA GPU drivers to take advantage of the GPU capabilities. These drivers can be installed manually or through the NVIDIA GPU Driver Extension (https://learn.microsoft.com/en-us/azure/virtual-machines/nd-series).
VM Extensions: Azure VM extensions can be used to add additional capabilities to the VM, such as monitoring, security, and automation features. Extensions are managed through the Azure portal or tools like Azure PowerShell (https://learn.microsoft.com/en-us/azure/virtual-machines/nd-series).
Time Synchronization: Accurate timekeeping is crucial for many applications. Azure VMs can synchronize their clocks with time servers to maintain accurate time. This is particularly important for security protocols and transaction tracking (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/time-sync).
For additional information and guidance on creating and configuring virtual machines in Azure, you can refer to the following resources:
- Quickstart: Create a VM using PowerShell
- Quickstart: Create a VM using the portal
- NVIDIA GPU Driver Extension documentation
- Azure virtual machine extensions and features
- N-series GPU driver setup for Windows
- N-series GPU driver setup for Linux
By understanding and provisioning these resources appropriately, you can ensure that your virtual machines run efficiently and meet the performance needs of your applications.
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Application Hosting Options in Azure
When considering application hosting in Azure, there are several options available, each with its own set of features and use cases. Below is a detailed explanation of the primary application hosting options: Web Apps, Containers, and Virtual Machines.
Azure Web Apps
Azure Web Apps is a part of the Azure App Service and provides a highly scalable, self-patching web hosting service. It supports multiple languages and frameworks, such as .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Users can quickly deploy and manage web applications without having to manage infrastructure.
- Local Debugging: Supported through tools like IIS Express and others (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Programming Model: Primarily designed for Web and API applications, with support for WebJobs to run background tasks (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Application Update: Offers deployment slots for staging and production environments, allowing for seamless swap operations (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
For more information on Azure Web Apps, you can visit the official documentation: Azure Web Apps Documentation.
Containers
Containers offer a lightweight, virtualized environment for applications, allowing them to run in isolation and ensuring consistent behavior across different environments. Azure provides several services to manage containers:
- Azure Kubernetes Service (AKS): An enterprise-grade service for deploying, managing, and scaling containerized applications using Kubernetes (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Azure Container Instances (ACI): A service that allows users to run containers directly on Azure without managing any underlying infrastructure (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Azure Container Apps: A service that enables users to deploy containerized applications without managing complex container orchestration (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Azure Red Hat OpenShift: A fully managed OpenShift service that provides a powerful environment for Kubernetes applications (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
Each container service offers different features for local debugging, programming models, and application updates, such as rolling updates and revision management (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
For additional information on Azure’s container services, refer to the following resources:
- Azure Kubernetes Service (AKS) Documentation
- Azure Container Instances Documentation
- Azure Container Apps Documentation
Virtual Machines
Azure Virtual Machines (VMs) provide full control over the operating system and the hosted application. This option is ideal for applications that require custom configurations or run on specific operating systems.
- Local Debugging: Agnostic to the development environment (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Programming Model: Agnostic, providing flexibility for any kind of application (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
- Application Update: No built-in support for application updates, requiring manual management or custom automation (https://learn.microsoft.com/azure/architecture/guide/technology-choices/compute-decision-tree).
Virtual Machines are suitable for scenarios where you need complete control over the computing environment, including the choice of the operating system, the ability to host any application, and the need for custom security configurations.
For more details on Azure Virtual Machines, you can explore the following link: Azure Virtual Machines Documentation.
By understanding the capabilities and features of each hosting option, you can make an informed decision on the best approach for your application’s requirements.
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Virtual Networking in Azure
Virtual networking is a foundational service in Azure that enables various resources to securely communicate with each other, the internet, and on-premises networks. Here’s a detailed explanation of the key components:
Azure Virtual Networks (VNets)
Azure Virtual Networks (VNets) provide the backbone of Azure networking. They allow Azure resources, like virtual machines (VMs) and databases, to securely communicate with each other, the internet, and on-premises networks. VNets are isolated from one another by default and can be segmented into subnets (https://learn.microsoft.com/javascript/azure#azure-sdk).
Azure Virtual Subnets
Subnets are segments within a VNet that can be used to organize and secure resources into groups with similar functions, requirements, or access policies. Each subnet has a specific IP address range, and resources within the same subnet can communicate directly with each other (https://learn.microsoft.com/javascript/azure#azure-sdk).
VNet Peering
VNet peering is a mechanism that connects two VNets, enabling resources in one VNet to communicate with resources in another VNet. This connection is seamless and uses the Azure backbone network, so it doesn’t require a VPN gateway. Peering is a low-latency, high-bandwidth connection that can be used for a variety of scenarios, such as data replication and database failover (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-ps).
Azure DNS
Azure DNS is a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. By hosting domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services (https://learn.microsoft.com/javascript/azure#azure-sdk).
Azure VPN Gateway
The Azure VPN Gateway is a type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet. It’s used for cross-premises connectivity and can also be used to connect VNets to each other (“VNet-to-VNet”). The VPN Gateway includes features like forced tunneling, custom routes, and additional DNS servers (https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client).
ExpressRoute
ExpressRoute is a service that provides a private connection between Azure datacenters and infrastructure on-premises or in a colocation environment. It doesn’t go over the public internet, which offers more reliability, faster speeds, lower latencies, and higher security than typical connections. It’s suitable for scenarios like periodic data migration, replication for business continuity, and disaster recovery (https://learn.microsoft.com/en-us/azure/expressroute/expressroute-troubleshooting-expressroute-overview).
For more information on these components, you can visit the following URLs:
- Azure Virtual Network overview
- VNet peering
- Azure DNS overview
- Azure VPN Gateway documentation
- ExpressRoute documentation
Please note that pricing for these services varies and can be found at the respective links:
- VNet peering pricing
- VNet-to-VNet VPN Gateway pricing
- App Service pricing
- Azure Cosmos DB pricing
- Azure Virtual Network pricing
- Azure DNS pricing
Describe Azure architecture and services (35–40%)
Describe Azure compute and networking services
Public and Private Endpoints in Azure
When working with Azure services, understanding the distinction between public and private endpoints is crucial for designing secure and efficient network architectures. Here’s a detailed explanation of both:
Public Endpoints
Public endpoints refer to the points of connection to Azure services that are accessible over the internet. They allow communication with Azure resources from anywhere, provided the request comes from allowed sources as configured in the Azure Storage firewall settings. By default, all incoming requests to a storage account through public endpoints are blocked unless explicitly allowed by the firewall. The firewall can be configured to permit access based on the source IP address, virtual network subnet, or specific Azure services or resources. Public endpoints are typically used when services need to be accessible from outside the Azure virtual network.
For more information on public endpoints and how to configure them, visit the Virtual Network service endpoints overview.
Private Endpoints
Private endpoints, on the other hand, provide secure and private connectivity to Azure services from within an Azure virtual network. They use a private IP address from the virtual network’s address space, ensuring that the traffic between the virtual network and the Azure service remains on the Microsoft backbone network, isolated from the public internet. This setup enhances security by allowing Azure resources to be accessed only from specific virtual networks, effectively reducing the risk of data exposure to the public internet.
Private endpoints are particularly useful for services that require secure and private access, such as Azure SQL Database, Azure Storage, and Azure Cosmos DB. They are also beneficial when connecting to Azure services from on-premises networks via VPN or ExpressRoute with private peering.
For a deeper dive into private endpoints and the services that support them, you can refer to the Private endpoints documentation and What is Private Link?.
Comparison
To decide when to use each type of endpoint, consider the security requirements, the need for internet accessibility, and the scale of the deployment. For a comprehensive comparison of private endpoints and service endpoints, see Compare Private Endpoints and Service Endpoints.
In summary, public endpoints are suitable for scenarios where resources need to be accessible over the internet with proper security controls, while private endpoints are ideal for scenarios that demand secure, private access within a virtual network, without exposure to the public internet.
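A simplified model of the access decision this section describes (public endpoint firewall with a default action, IP rules and virtual network rules, versus a private endpoint inside a VNet), as an added example written for this guide rather than Azure's own evaluation logic; all addresses, VNet and subnet names are constructed, and the open account beside the locked-down one shows the weak setting next to the corrected one:

```python
"""Constructed model of storage-account network access: public endpoint
firewall vs. private endpoint.  Added illustration, not Azure's evaluation
engine; every address, VNet and subnet name is made up."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 ranges: IP rules on the public endpoint cannot admit these.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetworkRules:
    """Network settings of one storage account."""
    default_action: str = "Deny"                        # public endpoint: "Allow" or "Deny"
    ip_rules: list[str] = field(default_factory=list)   # public IPs / CIDRs allowed in
    vnet_rules: list[str] = field(default_factory=list)  # "vnet/subnet" with a service endpoint
    private_endpoints: list[str] = field(default_factory=list)  # VNets holding a private endpoint


@dataclass
class Request:
    """One inbound request as seen by the storage service."""
    source_ip: str
    via: str = "public"             # "public" endpoint or "private" endpoint
    subnet: Optional[str] = None    # "vnet/subnet" of the caller, if it sits in a VNet


def is_rfc1918(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in PRIVATE_RANGES)


def evaluate(rules: NetworkRules, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request against the account's rules."""
    caller_vnet = req.subnet.split("/")[0] if req.subnet else None

    if req.via == "private":
        # Private endpoint traffic never touches the public endpoint or its
        # firewall; it only needs a private endpoint in the caller's VNet.
        if caller_vnet in rules.private_endpoints:
            return True, "private endpoint in caller's VNet (private IP, Microsoft backbone)"
        return False, "no private endpoint for this VNet"

    # Public endpoint: explicit allow rules first, then the default action.
    if req.subnet and req.subnet in rules.vnet_rules:
        return True, f"virtual network rule for {req.subnet}"
    ip = ipaddress.ip_address(req.source_ip)
    if not is_rfc1918(ip):  # IP rules match public addresses only
        for cidr in rules.ip_rules:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return True, f"IP rule {cidr}"
    if rules.default_action == "Allow":
        return True, "default action Allow (public endpoint open to all networks)"
    return False, "default action Deny"


def exposure_report(rules: NetworkRules) -> list[str]:
    """Flag settings a reviewer would question before approving the account."""
    findings = []
    if rules.default_action == "Allow":
        findings.append("public endpoint reachable from any internet address")
    for cidr in rules.ip_rules:
        if ipaddress.ip_network(cidr, strict=False).num_addresses > 256:
            findings.append(f"broad IP rule {cidr}")
    if not rules.private_endpoints and rules.default_action != "Deny":
        findings.append("no private endpoint; all access goes over the public endpoint")
    return findings


# Weak setting: public endpoint open to everything, no private access path.
OPEN_ACCOUNT = NetworkRules(default_action="Allow")

# Hardened setting: public endpoint denied by default, one office range and
# one service-endpoint subnet allowed, private endpoint in the spoke VNet.
LOCKED_ACCOUNT = NetworkRules(
    default_action="Deny",
    ip_rules=["203.0.113.0/24"],
    vnet_rules=["hub-vnet/app-subnet"],
    private_endpoints=["spoke-vnet"],
)
```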
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Compare Azure Storage Services
Azure Storage services offer a range of solutions to handle various data storage scenarios. Here’s a detailed comparison of the key Azure Storage services:
Azure Blob Storage
- Purpose: Designed for storing large amounts of unstructured data, such as text or binary data.
- Use Cases: Ideal for serving images or documents directly to a browser, storing files for distributed access, streaming video and audio, and storing data for backup, disaster recovery, and archiving.
- URL for More Information: Azure Blob Storage
Azure File Storage
- Purpose: Provides shared storage for applications using the standard SMB protocol.
- Use Cases: Suitable for migration of on-premises file shares to the cloud, storing configuration files, diagnostic logs, metrics, and crash dumps.
- URL for More Information: Azure File Storage
Azure Queue Storage
- Purpose: Offers a messaging store for reliable messaging between application components.
- Use Cases: Effective for communication between components of a distributed application, passing messages from an Azure web role to an Azure worker role.
- URL for More Information: Azure Queue Storage
Azure Table Storage
- Purpose: Provides a NoSQL key-attribute data store for semi-structured datasets.
- Use Cases: Ideal for storing structured, non-relational data, such as user data, address books, device information, and other metadata.
- URL for More Information: Azure Table Storage
Azure Disk Storage
- Purpose: Offers high-performance, durable block storage for Azure Virtual Machines.
- Use Cases: Suitable for applications that require persistent, secure disk storage, such as virtual desktops, and enterprise applications.
- URL for More Information: Azure Disk Storage
Each of these services is designed to meet specific needs and scenarios, and they can be used in combination to build scalable, secure, and cost-effective storage solutions in the cloud. When choosing between these services, consider factors such as the type of data you’re storing, access patterns, scalability requirements, and cost constraints.
For a more comprehensive understanding of Azure Storage services and to determine which service best fits your needs, refer to the official Azure documentation provided in the URLs above.
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Describe Storage Tiers
Azure Storage offers several access tiers that you can use to store blob object data based on the frequency of access needed. These tiers help you manage costs while keeping your data accessible and are categorized into the following:
Hot Access Tier
- The Hot access tier is optimized for storing data that is accessed frequently.
- It has higher storage costs compared to cool and archive tiers, but the access costs are lower.
- This tier is suitable for data that is in active use or expected to be accessed regularly.
Cool Access Tier
- The Cool access tier is optimized for data that is infrequently accessed and stored for at least 30 days.
- It provides lower storage costs compared to the hot tier, but with higher access costs.
- Ideal for short-term backup and disaster recovery solutions.
Archive Access Tier
- The Archive access tier is for data that is rarely accessed and stored for at least 180 days with flexible latency requirements (on the order of hours).
- It offers the lowest storage cost but has higher costs for retrieval and higher latency for access.
- Suitable for long-term storage, archival, and compliance data.
When you upload a blob to Azure Storage, you can specify the tier in which the blob will be created, or you can upload a blob without specifying a tier, in which case the blob will be created in the default access tier specified for the storage account (either hot or cool) (https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-online-manage).
For more information about blob tiers, you can refer to the following resources:
- Access tiers for blob data (https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy)
- Hot, cool, and archive storage tiers (https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-online-manage)
It’s important to choose the right access tier based on your data usage patterns to optimize costs and performance. Azure also allows you to change the access tier of your blob data after it has been uploaded, which provides flexibility as your data access patterns change over time.
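To make the cost trade-off concrete, here is an added example (not part of the study guide and not Microsoft tooling) that compares the monthly cost of the three tiers for a given workload while enforcing the minimum-retention and latency constraints described above. The per-GB prices in it are constructed placeholders that only preserve the ordering the guide describes (hot: higher storage cost, lower access cost; cool and archive: the reverse); they are not Azure list prices.

```python
"""Access-tier cost comparison for Azure Blob Storage (added example).

Prices are CONSTRUCTED placeholders chosen only to reproduce the trade-off
the study guide describes. They are not Azure list prices.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    storage_per_gb_month: float   # constructed: cost to keep 1 GB for one month
    read_per_gb: float            # constructed: cost to read 1 GB back
    min_retention_days: int       # minimum retention the guide states (0, 30, 180)
    retrieval_hours: float        # latency class; archive rehydration is "on the order of hours"


# Constructed tier table: the relative ordering matches the guide, the values are illustrative.
TIERS = {
    "hot": Tier("hot", 0.020, 0.000, 0, 0.0),
    "cool": Tier("cool", 0.010, 0.010, 30, 0.0),
    "archive": Tier("archive", 0.002, 0.020, 180, 15.0),
}


def monthly_cost(tier, gb_stored, gb_read_per_month):
    """Storage cost plus access cost for one month."""
    return gb_stored * tier.storage_per_gb_month + gb_read_per_month * tier.read_per_gb


def eligible_tiers(retention_days, max_latency_hours):
    """Tiers whose minimum-retention and latency constraints the workload satisfies."""
    return [t for t in TIERS.values()
            if retention_days >= t.min_retention_days and t.retrieval_hours <= max_latency_hours]


def cheapest_tier(gb_stored, gb_read_per_month, retention_days, max_latency_hours=0.0):
    """Name of the cheapest eligible tier for the workload."""
    candidates = eligible_tiers(retention_days, max_latency_hours)
    best = min(candidates, key=lambda t: monthly_cost(t, gb_stored, gb_read_per_month))
    return best.name


def read_fraction_breakeven(a, b):
    """Fraction f of the stored data read per month at which tiers a and b cost the same.

    Solves s*a.storage + s*f*a.read == s*b.storage + s*f*b.read for f (s cancels).
    Returns None when the two tiers have identical read prices (no crossover).
    """
    delta_read = a.read_per_gb - b.read_per_gb
    if delta_read == 0:
        return None
    return (b.storage_per_gb_month - a.storage_per_gb_month) / delta_read


if __name__ == "__main__":
    # 1 TB kept for a year, 50 GB read per month, willing to wait a day for retrieval
    print(cheapest_tier(1000, 50, 365, max_latency_hours=24))
    print("hot/cool break-even read fraction:", read_fraction_breakeven(TIERS["hot"], TIERS["cool"]))
```

With these constructed prices the hot and cool tiers cost the same when a workload reads its entire data set once a month; reading more than that makes hot cheaper, reading less makes cool cheaper. The archive tier only enters the comparison when the workload can tolerate hours of retrieval latency and a retention of at least 180 days.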
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Describe Redundancy Options
Redundancy in Azure Storage is a method to ensure that your data is replicated for protection against hardware failures, natural disasters, and other potential data loss scenarios. Azure provides several redundancy options to cater to different needs for availability, durability, and cost. Below are the redundancy options available in Azure Storage:
Locally Redundant Storage (LRS): This option replicates your data three times within a single physical location in the primary region. LRS is a cost-effective data redundancy option that protects your data from normal hardware failures.
Zone-Redundant Storage (ZRS): ZRS replicates your data across three Azure availability zones in the primary region. Each zone is a unique physical location with independent power, cooling, and networking. ZRS offers higher availability and resilience than LRS by protecting against zone-level failures.
Geo-Redundant Storage (GRS): GRS replicates your data to a secondary geographic location for protection against regional outages. It provides six copies of your data: three in the primary region and three in the secondary region.
Read-Access Geo-Redundant Storage (RA-GRS): RA-GRS builds on GRS by providing read access to the data in the secondary location. This means that if the primary region becomes unavailable, you can still read your data from the secondary region.
Geo-Zone-Redundant Storage (GZRS): GZRS combines the features of GRS and ZRS by replicating your data across availability zones in the primary region and also to a secondary region. This option provides the highest level of durability and availability.
Read-Access Geo-Zone-Redundant Storage (RA-GZRS): RA-GZRS is the most comprehensive redundancy option, offering all the benefits of GZRS with read access to the data in the secondary region.
For an overview of all the redundancy options, you can refer to the Azure Storage redundancy documentation here.
It’s important to note that you can change how your storage account is replicated from any redundancy configuration to any other, with some limitations. Before making any changes, review the limitations and downtime requirements to ensure you have a plan that will produce the best end result within a time frame that suits your needs and satisfies your uptime requirements https://learn.microsoft.com/en-us/azure/storage/queues/../common/redundancy-migration .
For additional information on setting storage redundancy for the Recovery Services vault, which extends these benefits to backup data, see the documentation here https://learn.microsoft.com/en-us/azure/backup/backup-release-notes-archived .
When preparing for Azure certifications, understanding these redundancy options is crucial as they play a significant role in designing resilient and available cloud solutions.
Please note that the URLs provided are for additional information and should be used to supplement the study material.
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Storage Account Options and Storage Types
Azure Storage provides a rich set of options and types to cater to different storage needs. Here’s a detailed explanation of the storage account options and storage types available in Azure:
Storage Account Options
Standard General-Purpose v2 Accounts: These are the most commonly used storage account types. They support a variety of services including Blob Storage (with Data Lake Storage), Queue Storage, Table Storage, and Azure Files. They offer a range of redundancy options such as Locally Redundant Storage (LRS), Geo-Redundant Storage (GRS), Read-Access Geo-Redundant Storage (RA-GRS), Zone-Redundant Storage (ZRS), Geo-Zone-Redundant Storage (GZRS), and Read-Access Geo-Zone-Redundant Storage (RA-GZRS). This type of account is recommended for most scenarios using Azure Storage https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Premium Block Blobs: This account type is optimized for block blobs and append blobs, which are ideal for scenarios with high transaction rates or that require consistently low storage latency. They support LRS and ZRS redundancy options and are recommended for scenarios using smaller objects https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Premium File Shares: Specifically designed for Azure Files, this account type is recommended for enterprise or high-performance scale applications. It supports both Server Message Block (SMB) and Network File System (NFS) file shares and offers LRS and ZRS redundancy options https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Premium Page Blobs: This is a specialized account type for page blobs only and supports LRS redundancy. It is typically used for scenarios that require premium performance characteristics https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Storage Types
Blob Storage: Used for storing large amounts of unstructured data, such as text or binary data. Blob storage is ideal for serving images or documents directly to a browser, storing files for distributed access, streaming video and audio, and storing data for backup and restore, disaster recovery, and archiving https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
File Storage: Offers shared storage for applications using the standard SMB or NFS protocols. Azure Files can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Queue Storage: Provides messaging for workflow processing and for communication between components of cloud services https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Table Storage: Stores large amounts of structured, non-relational data. Table storage is a NoSQL data store for semi-structured data https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
Disk Storage: Provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios.
Redundancy Options
- Locally Redundant Storage (LRS): Maintains three copies of your data. LRS is a low-cost option for protecting your data from local hardware failures https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
- Geo-Redundant Storage (GRS): Replicates your data to a secondary region (hundreds of miles away from the primary location) for protection against regional outages https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
- Read-Access Geo-Redundant Storage (RA-GRS): Provides read-only access to the data in the secondary location, in addition to geo-replication https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
- Zone-Redundant Storage (ZRS): Spreads your data across multiple availability zones in the same region for higher availability https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
- Geo-Zone-Redundant Storage (GZRS): Combines the high availability of ZRS with the protection of GRS https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
- Read-Access Geo-Zone-Redundant Storage (RA-GZRS): Provides read-only access to the data in the secondary location, in addition to GZRS https://learn.microsoft.com/en-us/training/modules/describe-azure-storage-services/2-accounts .
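The following added example (not from the study guide) encodes the redundancy options listed here and in "Describe Redundancy Options" above as rules rather than prose, so you can ask which options keep data readable or writable after a hardware, zone, or region failure. It is a simplification: the "read-only" and "unavailable" outcomes for a lost primary region assume no account failover has been performed, and the three option attributes are my summary of the guide's descriptions.

```python
"""Failure-domain evaluator for Azure Storage redundancy options (added example).

Encodes what the study guide says each option protects against: LRS keeps
copies in one physical location, ZRS spreads them across availability zones
in the primary region, GRS/GZRS add a secondary region, and the RA- variants
make the secondary readable while the primary is down (without a failover).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Redundancy:
    name: str
    zonal: bool               # copies spread across availability zones in the primary region
    secondary_region: bool    # copies also replicated to a secondary region
    secondary_readable: bool  # the secondary can be read without an account failover


OPTIONS = {
    "LRS": Redundancy("LRS", False, False, False),
    "ZRS": Redundancy("ZRS", True, False, False),
    "GRS": Redundancy("GRS", False, True, False),
    "RA-GRS": Redundancy("RA-GRS", False, True, True),
    "GZRS": Redundancy("GZRS", True, True, False),
    "RA-GZRS": Redundancy("RA-GZRS", True, True, True),
}


def copies(option):
    """Three copies in the primary region, plus three more when a secondary region is used."""
    return 3 + (3 if option.secondary_region else 0)


def status_after(option, failure):
    """Return 'read-write', 'read-only' or 'unavailable' for a failure scope.

    failure is one of 'hardware' (a disk or rack in one location), 'zone', or 'region'.
    """
    if failure == "hardware":
        return "read-write"        # every option keeps three copies, so a local fault is absorbed
    if failure == "zone":
        if option.zonal:
            return "read-write"    # the remaining zones in the primary region still serve the account
        # a single-location account inside the lost zone is offline; only a readable
        # secondary keeps the data reachable without a failover
        return "read-only" if option.secondary_readable else "unavailable"
    if failure == "region":
        if not option.secondary_region:
            return "unavailable"   # no copies exist outside the primary region
        return "read-only" if option.secondary_readable else "unavailable"
    raise ValueError(f"unknown failure scope: {failure}")


def options_surviving(failure, need_writes=False):
    """Names of the options that still serve reads (or reads and writes) after the failure."""
    ok = {"read-write"} if need_writes else {"read-write", "read-only"}
    return sorted(name for name, opt in OPTIONS.items() if status_after(opt, failure) in ok)


if __name__ == "__main__":
    for scope in ("hardware", "zone", "region"):
        print(scope, "-> readable:", options_surviving(scope),
              "writable:", options_surviving(scope, need_writes=True))
```

Two results worth noticing: after a regional outage no option keeps accepting writes without a failover, and only the RA- variants keep serving reads, which is exactly the distinction between GRS and RA-GRS that exam questions tend to probe.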
For more detailed information on Azure Storage account options and types, you can refer to the following resources:
- Introduction to Azure Storage
- Azure Storage account overview
- Redundancy options in Azure Storage
Please note that the URLs provided are for additional information and should be accessed for a more comprehensive understanding of Azure Storage options and types.
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Options for Moving Files in Azure
When working with Azure, there are several tools available for moving files efficiently. Below are the options with a brief explanation of each:
AzCopy
AzCopy is a command-line utility designed for copying data to and from Microsoft Azure Blob, File, and Table storage, using simple commands designed for optimal performance. You can copy data between a file system and a storage account, or between storage accounts. Here’s how you can create a container or file share with AzCopy:
azcopy make [resourceURL] [flags]
For more information on how to get started with AzCopy and transfer data, you can refer to the following resources:
- Get started with AzCopy
- Transfer data with AzCopy and Blob storage
- Transfer data with AzCopy and file storage https://learn.microsoft.com/en-us/azure/storage/blobs/../common/storage-ref-azcopy-make .
Azure Storage Explorer
Azure Storage Explorer is a graphical user interface tool that allows you to manage Azure storage data. It uses AzCopy for data transfer operations, providing the performance benefits of AzCopy with the convenience of a GUI. Storage Explorer can be used for uploading, downloading, and managing Azure blobs, files, queues, and tables. It uses your account key for operations, so no additional authorization credentials are needed after signing in.
For more details on Azure Storage Explorer, visit:
- Storage Explorer https://learn.microsoft.com/en-us/azure/storage/files/../common/storage-use-azcopy-v10 .
Azure File Sync
Azure File Sync enables centralizing your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. It allows for syncing the root of a volume to an Azure file share, and it’s recommended to keep the number of items per sync scope below 20 million to 30 million for optimal performance. Azure File Sync can help with faster initial scans, cloud-side restores, disaster recovery, and syncing changes made directly in an Azure file share.
For a deeper understanding of Azure File Sync, consider these points:
- Syncing the root of a volume isn’t always the best option due to item count considerations.
- Benefits of a lower number of items per sync scope include faster initial scans and restores, as well as quicker disaster recovery and change detection.
- For assessing the number of files and folders, the TreeSize tool is recommended.
For additional guidance on Azure File Sync, refer to:
- Azure File Sync https://learn.microsoft.com/en-us/azure/databox/../storage/files/storage-files-migration-server-hybrid-databox .
Please note that for tiered files in Azure File Sync, thumbnails and previews won’t be visible at your server endpoint due to the offline attribute set by the Cloud Tiering feature. For more information on managing tiered files, you can visit:
- How to manage tiered files https://learn.microsoft.com/en-us/azure/storage/files/storage-files-faq .
Each of these tools offers unique features that cater to different needs and scenarios. It’s important to choose the right tool based on the specific requirements of your file transfer task.
Describe Azure architecture and services (35–40%)
Describe Azure storage services
Azure Migration Options: Azure Migrate and Azure Data Box
When considering the migration of resources to Azure, two primary services can be utilized to facilitate the process: Azure Migrate and Azure Data Box. Each service offers unique features and is designed to address different migration scenarios.
Azure Migrate
Azure Migrate provides a centralized hub to assess on-premises servers, infrastructure, applications, and data and to migrate them to Azure. It offers a range of tools for assessment and migration, making it easier to move workloads to Azure.
Key Features:
- Assessment: Azure Migrate can assess on-premises workloads for migration to Azure, providing guidance on the readiness of the workloads and sizing recommendations.
- Migration: It supports the migration of servers, databases, web applications, virtual desktops, and data to Azure.
- Integration: Azure Migrate integrates with other Azure services, such as Azure Site Recovery and Azure Database Migration Service, to provide a comprehensive migration solution.
For more information on Azure Migrate, you can visit the following URL: Azure Migrate.
Azure Data Box
Azure Data Box is designed to transfer large amounts of data to Azure when network-based data transfer is not practical due to high data volumes or network constraints. It is a physical device that you can order from Microsoft, load with data, and then ship back to an Azure data center for upload.
Key Features:
- Data Box Disk: Suitable for data sizes less than 40 TB. It is a set of SSD disks that you can connect to your on-premises servers to copy data https://learn.microsoft.com/en-us/azure/databox/data-box-faq .
- Data Box: Ideal for data sizes ranging from 40 TB to 500 TB. It is a ruggedized, tamper-resistant, and secure appliance https://learn.microsoft.com/en-us/azure/databox/data-box-faq .
- Data Box Heavy: Best for data sizes larger than 500 TB. It is a large, rugged shipping container with up to 1 PB of capacity https://learn.microsoft.com/en-us/azure/databox/data-box-faq .
Azure Data Box is particularly useful in scenarios where the source does not have good connectivity to Azure, or when the data volume is so large that it would take an impractical amount of time to transfer over the network https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool .
For more information on Azure Data Box and its different SKUs, you can visit the following URLs:
- Data Box Disk Overview
- Data Box Overview
- Data Box Heavy Overview
By leveraging Azure Migrate and Azure Data Box, organizations can plan and execute a migration strategy that is tailored to their specific needs, ensuring a smooth transition to Azure cloud services.
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Directory Services in Azure: Microsoft Entra ID and Microsoft Entra Domain Services
Azure offers a range of directory services to manage identities and access within the cloud environment. Two key components of Azure’s directory services are Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) and Microsoft Entra Domain Services. Below is a detailed explanation of each service.
Microsoft Entra ID
Microsoft Entra ID is a cloud-based identity and access management service that helps employees sign in and access resources. It includes:
- Single Sign-On (SSO): Allows users to access multiple services with one set of credentials, simplifying the login process and improving security https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- Multifactor Authentication (MFA): Adds an additional layer of security by requiring two or more verification methods to access Azure resources https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- Passwordless Authentication: Enables users to access services without a password, using alternatives like biometrics or security keys, which enhances security and user convenience.
Microsoft Entra ID is the backbone of Azure’s identity services and provides a robust set of capabilities to manage users and groups, enforce security policies, and facilitate secure access to applications and data.
Microsoft Entra Domain Services
Microsoft Entra Domain Services offers a managed domain that provides domain join, group policy, LDAP, and Kerberos/NTLM authentication. It is designed to be compatible with Windows Server Active Directory and allows you to:
- Domain-Join Azure VMs: Easily integrate cloud-based virtual machines into a domain without the need for on-premises infrastructure https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview .
- Use Group Policies: Apply and enforce security settings and access policies across your Azure resources.
- Authenticate with LDAP and Kerberos/NTLM: Utilize standard protocols for authenticating users and services, ensuring compatibility with a wide range of applications and services.
Microsoft Entra Domain Services is ideal for organizations that want to lift-and-shift applications to Azure that rely on Windows Server Active Directory, without having to manage a full Active Directory environment in the cloud.
For additional information on these services, you can refer to the following resources:
- Microsoft Entra service limits and restrictions https://learn.microsoft.com/en-us/azure/traffic-manager/../azure-resource-manager/management/azure-subscription-service-limits#traffic-manager-limits .
- Authentication methods in Azure https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- External identities and guest access in Azure https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- Microsoft Entra Conditional Access https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- Azure Role Based Access Control (RBAC) https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
- Enable Microsoft Entra Domain Services authentication on Azure Files https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview .
By understanding Microsoft Entra ID and Microsoft Entra Domain Services, users can effectively manage identities and access within Azure, ensuring secure and efficient operations in the cloud.
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Authentication Methods in Azure
Azure provides a variety of authentication methods to ensure secure access to resources. Here are the key methods:
Single Sign-On (SSO)
Single Sign-On (SSO) allows users to authenticate once and gain access to multiple applications without the need to log in again for each app. Azure supports SSO through Active Directory Federation Services (AD FS), which can be configured for specific host pools in Azure Virtual Desktop environments https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new .
For more information on configuring AD FS SSO for Azure Virtual Desktop, visit: Configure AD FS single sign-on for Azure Virtual Desktop.
Additionally, Windows 11 22H2 Insider build introduces an Azure AD-based SSO experience, supporting passwordless authentication methods like Windows Hello and FIDO2 security keys https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new .
For further details, refer to: Insider Preview Single Sign-On and Passwordless Authentication.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) adds an extra layer of security by requiring two or more verification methods. This includes something you know (like a password), something you have (like a phone or hardware token), or something you are (like a fingerprint). Azure MFA can be used with SQL Database, SQL Managed Instance, and Azure Synapse for both cloud-only identity users and hybrid identities https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure .
For a comprehensive guide on using MFA with SQL Database and Azure Synapse, visit: Using multi-factor Microsoft Entra authentication with SQL Database and Azure Synapse (SSMS support for MFA).
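As an added example of the "something you have" factor (not part of the study guide and not Azure MFA's implementation), the block below implements time-based one-time passwords as specified in RFC 6238, which is the mechanism authenticator apps and hardware tokens use to derive a short-lived code from a secret shared with the service. The shared secret used here is the RFC test vector, not a real credential, and the acceptance window of one adjacent time step on each side is an assumption of this example.

```python
"""TOTP one-time code generation and verification (added example).

Models the "something you have" MFA factor: the token and the service share a
secret and both derive a short-lived code from it (RFC 6238 on top of HOTP,
RFC 4226). Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, now, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` adjacent steps (clock skew).

    The comparison is constant-time so response timing does not reveal which
    digits matched. Replay protection (rejecting a code already used in this
    step) is left out for brevity and should be added in a real verifier.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(now) // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, counter + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps are provisioned with the shared secret as Base32 text."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_TEST_SECRET, code, now))
```

The defender-side points the code makes explicit: the service never stores or transmits the code itself, only the shared secret; a code is only valid for a few time steps, so an intercepted one has a short shelf life; and the comparison must be constant-time. Checking the block against the published RFC vectors (counter 1 gives 287082; time 59 gives 94287082 with 8 digits) is a good way to confirm a TOTP implementation before deploying it.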
Passwordless Authentication
Passwordless Authentication in Azure allows users to access resources without a password, using alternative methods such as biometrics, PINs, or security keys. This method is supported in the Windows Insider build of Windows 11 22H2, which enables a preview version of Azure AD-based SSO and integrates with Windows Hello and FIDO2 keys for a passwordless experience https://learn.microsoft.com/en-us/azure/virtual-desktop/whats-new .
For additional insights into passwordless authentication, refer to: Insider Preview Single Sign-On and Passwordless Authentication.
By implementing these authentication methods, Azure ensures that access to resources is secure and manageable, providing flexibility and convenience for users while maintaining a high level of security.
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
External Identities in Azure
Azure provides a comprehensive identity management solution that allows organizations to manage and secure access for users outside of their corporate directory. This includes both business-to-business (B2B) and business-to-customer (B2C) scenarios.
Azure B2B (Business-to-Business)
Azure B2B collaboration allows organizations to securely share their applications and services with guest users from any other organization while maintaining control over their own corporate data. Users can sign in using their own credentials, and organizations can apply their own policies to these external accounts.
Key features of Azure B2B include:
- Invitation and redemption process: External users are invited via email and can redeem these invitations to access resources.
- Cross-organization sharing: Share applications across different Azure AD tenants.
- Conditional Access policies: Apply Conditional Access policies such as Multi-Factor Authentication (MFA) to enhance security.
- Custom branding: Customize the sign-in experience with your organization’s branding.
For more information on Azure B2B, you can visit the Azure AD B2B documentation.
Azure B2C (Business-to-Customer)
Azure B2C is a customer identity access management (CIAM) solution that provides business-to-customer services. It allows organizations to provide secure access to their applications for customers using their preferred social, enterprise, or local account identities.
Key features of Azure B2C include:
- Customizable user journeys: Define how customers sign up, sign in, and manage their profiles.
- Social identity providers: Integration with social accounts like Facebook, Google, and more.
- Scalability: Azure B2C is designed to handle millions of users and billions of authentications.
- Security: Protect customer accounts with strong authentication options, including MFA.
For additional details on Azure B2C, refer to the Azure AD B2C documentation.
Microsoft Entra
It’s important to note that Azure AD External Identities B2B and B2C have been converged into a modern identity solution known as Microsoft Entra. This platform secures access to applications and services for customers, citizens, and partners, replacing the previous Azure Active Directory External Identities https://learn.microsoft.com/answers/topics/azure-functions.html .
For further exploration of Microsoft Entra and its capabilities, you can visit the Microsoft Entra documentation.
By utilizing Azure’s external identity solutions, organizations can enhance collaboration, improve customer engagement, and maintain a high level of security and compliance.
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Microsoft Entra Conditional Access
Microsoft Entra Conditional Access is a security feature that enhances the control over access to applications and services within an organization’s environment. It is part of the Microsoft Entra product family, which includes various identity and access management capabilities. Conditional Access policies enable organizations to apply the right access controls when needed to keep their organization secure and ensure productivity.
Key Features of Microsoft Entra Conditional Access:
- User and Group Assignments: Policies can be targeted at specific users or groups within the organization to enforce different access requirements https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Cloud App Selection: Conditional Access policies can be applied to cloud apps, such as Azure SQL Database, and other Microsoft services https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Access Control Conditions: Policies can require conditions to be met before access is granted, such as requiring multifactor authentication (MFA) or device compliance https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-linux .
- Integration with Azure Services: Microsoft Entra Conditional Access can be integrated with services like Azure Kubernetes Service (AKS) to control access to clusters using Conditional Access or Privileged Identity Management (PIM) https://learn.microsoft.com/en-us/azure/aks/access-control-managed-azure-ad .
- Support for Multiple Devices: Conditional Access policies can be enforced on various devices, including compliance checks for devices running SSH clients on Windows and macOS https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-linux .
- Flexible Authentication Prompts: Organizations can configure MFA to prompt users for a second factor of authentication, either on a per-user basis or through Conditional Access policies for more granular control https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa .
Steps to Configure Conditional Access:
- Sign in to the Azure portal and select Microsoft Entra ID, then select Conditional Access https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Create a new policy by clicking New policy, provide a name, and configure rules https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Under Assignments, select Users and groups, and choose the specific users or groups for the policy https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Select Cloud apps and specify the applications to which the policy will apply https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
- Under Access controls, select Grant, and choose the desired access control, such as Require multifactor authentication https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-landing .
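To show how the assignments, cloud apps, and grant controls from the steps above combine when a sign-in is evaluated, here is an added example that is a simplified model of my own, not Microsoft's policy engine: it evaluates a set of policies against a sign-in and returns grant, block, or the list of controls still required. All policy names, users, groups, and app names in it are constructed.

```python
"""Simplified Conditional Access evaluation (added example, not Microsoft's engine).

Mirrors the structure the guide lists: assignments (users/groups and cloud
apps) decide whether a policy applies; grant controls such as "Require
multifactor authentication" or a compliant device decide the outcome.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset = frozenset()           # user principal names in scope; "All" means everyone
    groups: frozenset = frozenset()          # group names in scope
    cloud_apps: frozenset = frozenset()      # app names in scope; "All" means every app
    grant_controls: frozenset = frozenset()  # subset of {"mfa", "compliant_device"}
    block: bool = False                      # a block policy denies regardless of controls
    enabled: bool = True


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    mfa_satisfied: bool
    device_compliant: bool


def policy_applies(policy, signin):
    """Assignments: the policy applies only if both the user and the app are in scope."""
    if not policy.enabled:
        return False
    user_in_scope = ("All" in policy.users or signin.user in policy.users
                     or bool(policy.groups & signin.groups))
    app_in_scope = "All" in policy.cloud_apps or signin.app in policy.cloud_apps
    return user_in_scope and app_in_scope


def unmet_controls(policy, signin):
    """Grant controls the sign-in has not yet satisfied."""
    satisfied = {"mfa": signin.mfa_satisfied, "compliant_device": signin.device_compliant}
    return sorted(c for c in policy.grant_controls if not satisfied.get(c, False))


def evaluate(policies, signin):
    """Return ('block', [policy names]), ('require', [controls]) or ('grant', []).

    A block policy wins over every grant policy; otherwise the controls of all
    applicable policies must be satisfied, so the missing set is their union.
    """
    applicable = [p for p in policies if policy_applies(p, signin)]
    blockers = [p.name for p in applicable if p.block]
    if blockers:
        return "block", blockers
    missing = sorted({c for p in applicable for c in unmet_controls(p, signin)})
    if missing:
        return "require", missing
    return "grant", []


# Constructed policies for illustration
POLICIES = [
    Policy("Require MFA for SQL admins", groups=frozenset({"sql-admins"}),
           cloud_apps=frozenset({"Azure SQL Database"}), grant_controls=frozenset({"mfa"})),
    Policy("Require compliant device for all apps", users=frozenset({"All"}),
           cloud_apps=frozenset({"All"}), grant_controls=frozenset({"compliant_device"})),
    Policy("Block legacy contractors", groups=frozenset({"contractors-legacy"}),
           cloud_apps=frozenset({"All"}), block=True),
]


if __name__ == "__main__":
    admin = SignIn("alice@example.test", frozenset({"sql-admins"}), "Azure SQL Database",
                   mfa_satisfied=False, device_compliant=True)
    print(evaluate(POLICIES, admin))   # the SQL admin still owes MFA
```

The model makes two properties of real Conditional Access visible: a policy that does not name the user or the app simply does not participate, and when several policies apply the user must satisfy all of their grant controls, which is why a broad "all users, all apps" device-compliance policy is a common baseline beneath narrower MFA policies.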
Considerations:
- Microsoft Entra Conditional Access is available as part of Microsoft Entra ID P1 or P2 capabilities, which require a Premium P2 SKU https://learn.microsoft.com/en-us/azure/aks/access-control-managed-azure-ad .
- The enforcement of certain Conditional Access policies, like device compliance, is limited to specific operating systems and may not be supported on all platforms https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-linux .
For more detailed information and technical reference, you can visit the Microsoft Entra Conditional Access documentation:
- Microsoft Entra Conditional Access technical reference
Please note that the URLs provided are for additional information and should be accessed for further details on configuring and understanding Microsoft Entra Conditional Access.
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Describe the Concept of Zero Trust
Zero Trust is a security model that operates on the principle of “never trust, always verify.” It is designed to address the security challenges of the modern digital environment by assuming that a breach has already occurred or is inevitable. This model requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are within or outside of the network perimeter https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/7-describe-zero-trust-model .
Principles of Zero Trust
The Zero Trust model is built upon three core principles:
Verify Explicitly: Every access request must be authenticated, authorized, and continuously validated for security configuration and posture before granting or keeping access https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
Use Least Privileged Access: Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
Assume Breach: Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
Application of Zero Trust
In practice, applying Zero Trust involves a series of steps to secure various components of an IT environment:
- Identities: Secure your identities with Zero Trust by ensuring that they are verified explicitly https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Endpoints: Secure your endpoints with Zero Trust, which includes devices that access your network https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Storage Resources: Apply Zero Trust principles to storage resources to protect data https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Virtual Networks: Implement Zero Trust principles to virtual networks, both hub and spoke, to manage network traffic securely https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Session Hosts: Apply Zero Trust principles to session hosts, such as those used in Azure Virtual Desktop https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Security and Compliance: Deploy security, governance, and compliance measures to ensure ongoing adherence to Zero Trust principles https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
- Management and Monitoring: Secure management and monitoring practices are essential to maintain the integrity of the Zero Trust model https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
Additional Resources
For further reading and detailed configurations of the separate components of Zero Trust for Azure IaaS, the following resources are available:
- Apply Zero Trust principles to Azure IaaS overview
- Azure Storage services
- Spoke VNets
- Hub VNets
- Azure Virtual Desktop
- Azure Virtual WAN
- Microsoft Sentinel and Microsoft Defender XDR
These resources provide a comprehensive view of how to apply Zero Trust principles across various Azure services and infrastructure components https://learn.microsoft.com/security/zero-trust/azure-infrastructure-virtual-machines https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd .
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Defense-in-Depth Model
The defense-in-depth model is a comprehensive approach to cybersecurity that involves implementing a series of defensive mechanisms to protect information from unauthorized access and theft. The core objective of this model is to create a multilayered defense system that can slow down or thwart an attack aimed at gaining unauthorized access to data https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/8-describe-defense-depth .
Key Principles of Defense-in-Depth:
Layered Security: By using multiple layers of defense, each layer provides a backup in case one fails or is bypassed. This redundancy is crucial in protecting against a variety of attack vectors.
Deterrence: The presence of multiple security measures can deter potential attackers by increasing the perceived difficulty of breaching the system.
Detection: With various security controls in place, it becomes easier to detect malicious activities at different points within the system.
Delay: Even if an attacker manages to penetrate one layer, additional layers can slow their progress, providing more time to detect and respond to the attack.
Response: A well-designed defense-in-depth strategy includes provisions for responding to breaches, including isolating affected systems and conducting forensic analysis.
Components of Defense-in-Depth:
The AZ-900 learning module draws the layers as physical security, identity and access, perimeter, network, compute, application, and data, with an attacker having to get through each in turn. The list below is a broader, discipline-oriented view of the same idea:
Physical Security: Protecting the physical components of a network, such as servers and network infrastructure, from unauthorized physical access.
Network Security: Implementing security measures like firewalls, intrusion detection systems, and network segmentation to protect the network perimeter and internal network traffic.
Endpoint Security: Securing individual devices (e.g., computers, mobile devices) that connect to the network with antivirus software, device management, and patch management.
Application Security: Ensuring that applications are designed with security in mind, including the use of secure coding practices and regular security testing.
Data Security: Protecting data at rest and in transit through encryption, access controls, and data loss prevention techniques.
Identity and Access Management (IAM): Controlling who has access to what resources within an organization through authentication, authorization, and auditing.
User Education and Awareness: Training users to recognize potential security threats and to follow best practices in cybersecurity.
The defense-in-depth model is not just about technology; it also encompasses policies, procedures, and awareness to create a culture of security within an organization. By understanding and implementing this model, organizations can significantly enhance their security posture and resilience against cyber threats.
For additional information on the defense-in-depth model and related security concepts, you can refer to the following resources:
- Microsoft Defender for Cloud
- Azure Role-Based Access Control (RBAC)
- Microsoft Entra Conditional Access
Describe Azure architecture and services (35–40%)
Describe Azure identity, access, and security
Microsoft Defender for Cloud: Purpose and Overview
Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that combines two jobs: cloud security posture management (CSPM), which continuously finds misconfigurations and weak settings and recommends fixes, and cloud workload protection (CWP), which detects and alerts on attacks against running workloads. It covers workloads in Azure, on-premises, and in other clouds such as AWS and GCP from a single view.
Key Features and Benefits:
Unified Security Management: Defender for Cloud provides a central hub for monitoring the security status of resources in Azure, on-premises, and other clouds. It offers a unified view and control over the security of these resources https://learn.microsoft.com/en-us/training/modules/describe-azure-identity-access-security/1-introduction .
Advanced Threat Protection: The service uses advanced analytics and global threat intelligence to detect threats and provide alerts. This helps in identifying and responding to attacks and anomalies quickly.
Secure Score: Defender for Cloud offers a Secure Score to help understand your security posture. It assesses the security of your Azure environment and provides recommendations for improvement https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track .
Compliance Assessment: It evaluates your environment against regulatory compliance standards and provides insights into the compliance status of your resources.
Integrated Security Solutions: Defender for Cloud integrates with various Azure services and partner solutions, offering a comprehensive set of security tools and capabilities.
Additional Resources:
For a more in-depth understanding of Microsoft Defender for Cloud and its capabilities, the following resources can be explored:
A detailed explanation of how Secure Score is calculated can be found here: Calculations - understanding your score https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track .
To learn about the features and benefits of Defender for Storage, visit: Defender for Storage - Introduction https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-classic-enable .
For a step-by-step walkthrough of Defender for Cloud, check out: Protect your multi-cloud environment with Microsoft Defender for Cloud https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction .
To hear from experts in cybersecurity about their experiences with Defender for Cloud, you can watch the interview series: Lessons Learned from the Field https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction .
For use cases of Microsoft Defender for Cloud, refer to: Microsoft Defender for Cloud - Use cases https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction .
To understand how Microsoft Defender for Containers can be leveraged, explore the PoC Series: Microsoft Defender for Cloud PoC Series - Microsoft Defender for Containers https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction .
By utilizing Microsoft Defender for Cloud, organizations can enhance their security measures, protect against threats, and ensure a robust defense for their cloud and hybrid environments.
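The Secure Score mentioned above is arithmetic, not magic, and knowing the arithmetic tells you which recommendation to fix first. The following is an added example, not Microsoft code: it applies the documented per-control formula (current score = max score × healthy resources / total resources, summed over controls and expressed as a percentage of the maximum) to a constructed set of controls. The control names, point values, resource IDs, the "not applicable" handling for a control with no resources, and the rule that a resource failing any recommendation in a control counts as unhealthy for that control are assumptions made for the example.

```python
"""Secure Score arithmetic as documented for Microsoft Defender for Cloud.

Added illustration, not Microsoft code. The per-control formula
(current = max_score * healthy / total) is the documented one; the sample
controls, resource IDs and the "not applicable" handling for controls with
no resources are constructed assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Recommendation:
    name: str
    unhealthy: set            # resource IDs that fail this recommendation


@dataclass
class SecurityControl:
    name: str
    max_score: int
    resources: set            # resources the control's recommendations apply to
    recommendations: list = field(default_factory=list)

    def unhealthy_resources(self):
        # Assumption: a resource failing any recommendation in the control is
        # unhealthy for the whole control, so partial fixes earn no points.
        bad = set()
        for rec in self.recommendations:
            bad |= rec.unhealthy & self.resources
        return bad

    def applicable(self):
        # Assumption: a control with no in-scope resources is "not applicable"
        # and contributes neither to the current nor to the maximum score.
        return bool(self.resources)

    def current_score(self):
        if not self.applicable():
            return 0.0
        healthy = len(self.resources) - len(self.unhealthy_resources())
        return self.max_score * healthy / len(self.resources)


def secure_score_percent(controls):
    """Overall score: sum of current scores over sum of max scores, in percent."""
    applicable = [c for c in controls if c.applicable()]
    maximum = sum(c.max_score for c in applicable)
    current = sum(c.current_score() for c in applicable)
    return 100.0 * current / maximum if maximum else 100.0


def potential_gain(controls, rec_name):
    """Points gained if every resource failing `rec_name` were remediated.

    Useful for prioritising: fixing a recommendation only raises the score for
    resources that then pass every other recommendation in the same control.
    """
    before = sum(c.current_score() for c in controls)
    after = 0.0
    for c in controls:
        fixed = [Recommendation(r.name, set()) if r.name == rec_name else r
                 for r in c.recommendations]
        after += SecurityControl(c.name, c.max_score, c.resources, fixed).current_score()
    return after - before


# Constructed sample: four controls; resource IDs are placeholders.
SAMPLE_CONTROLS = [
    SecurityControl("Enable MFA", 10, {"user1", "user2", "user3", "user4"},
                    [Recommendation("MFA should be enabled on accounts with owner permissions", {"user1"})]),
    SecurityControl("Remediate vulnerabilities", 6, {"vm1", "vm2", "vm3"},
                    [Recommendation("Machines should have vulnerability findings resolved", {"vm1"}),
                     Recommendation("Container images should have vulnerability findings resolved", {"vm3"})]),
    SecurityControl("Encrypt data in transit", 4, {"storage1", "storage2"},
                    [Recommendation("Secure transfer to storage accounts should be enabled", set())]),
    SecurityControl("Apply system updates", 6, set(), []),   # no resources: not applicable
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.name:28s} {c.current_score():4.1f} / {c.max_score}")
    print(f"Secure Score: {secure_score_percent(SAMPLE_CONTROLS):.1f}%")
    for rec in ("MFA should be enabled on accounts with owner permissions",
                "Machines should have vulnerability findings resolved"):
        print(f"+{potential_gain(SAMPLE_CONTROLS, rec):.1f} points if fixed: {rec}")
```

Run as a script it prints each control's score, the overall 67.5%, and the gain per fix. Note the second control: fixing the VM vulnerability recommendation only moves one of two unhealthy resources to healthy, so it is worth 2.0 points, less than the 2.5 points from the single MFA finding, which is the kind of comparison the portal's "potential score increase" column makes for you.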
Describe Azure management and governance (30–35%)
Describe cost management in Azure
Factors Affecting Costs in Azure
When considering the costs associated with Azure, it is important to understand the various factors that can influence the overall expenses. Here are the key factors that can affect costs in Azure:
Resource Type: The specific Azure services and resources you choose will have different pricing models. For example, virtual machines, storage accounts, and databases each have their own set of costs based on the resources they consume https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure .
Consumption: The amount of resources you consume, such as compute hours, storage space, and data transfer, directly impacts your costs. More consumption generally leads to higher costs.
Maintenance: Costs can be affected by the level of maintenance required for the services you use. Managed services might cost more upfront but can potentially reduce long-term maintenance expenses.
Geography: The location of Azure datacenters where your resources are hosted can influence costs due to regional price variations and data transfer costs.
Network Traffic: Inbound and outbound data transfer is billed separately from compute and storage. Traffic leaving an Azure region (egress to the internet or to another region) is typically charged, so designs that move large volumes across regions cost more https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure .
Subscription Type: The subscription or agreement you buy through (free trial, pay-as-you-go, Enterprise Agreement, Cloud Solution Provider) determines base pricing and any discounts, and purchase options such as reservations and savings plans lower the rate for usage you commit to in advance. Choosing the right subscription type and commitment model can affect the overall cost https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure .
Azure Marketplace: Third-party services and applications available through the Azure Marketplace come with their own pricing and can add to the total cost of your Azure solution https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/2-describe-factors-affect-costs-azure .
For a more comprehensive understanding of Azure pricing, you can refer to the following resources:
- Azure Pricing Calculator: A tool to estimate your expected monthly Azure bill by configuring and pricing your Azure services https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/1-introduction .
- Total Cost of Ownership (TCO) Calculator: A tool that helps you estimate the cost savings of migrating to Azure compared to on-premises infrastructure https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/1-introduction .
- Microsoft Cost Management Tool: A suite of tools that provides reporting, data analysis, and budgeting to help manage Azure costs https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/1-introduction .
- Understanding Pricing: For detailed information on specific Azure service pricing, visit Understanding pricing https://learn.microsoft.com/en-us/azure/application-gateway/overview-v2 .
Additionally, the use of tags in Azure can help in organizing resources and managing costs by grouping similar resources for more efficient cost tracking and reporting.
By considering these factors and utilizing the available tools, you can better manage and optimize your Azure costs.
Describe Azure management and governance (30–35%)
Describe cost management in Azure
Comparison of the Azure Pricing Calculator and the Total Cost of Ownership (TCO) Calculator
When planning and managing costs in Azure, it is essential to understand the tools available to estimate expenses. Two key calculators provided by Azure for this purpose are the Pricing Calculator and the Total Cost of Ownership (TCO) Calculator. Below is a detailed comparison of both:
Azure Pricing Calculator
- Purpose: The Azure Pricing Calculator is designed to provide an estimate of the costs for Azure services based on your specific requirements. It allows you to select and configure services and features to match your planned usage and see an approximation of the monthly costs https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators .
- Functionality: Users can add services to their estimate and adjust the configurations such as region, tier, and support options to match their needs. The calculator updates the cost estimate in real-time as changes are made.
- Use Cases: It is particularly useful for budgeting and planning for new deployments on Azure or estimating the costs of scaling existing services.
Total Cost of Ownership (TCO) Calculator
- Purpose: The TCO Calculator is aimed at providing a cost comparison between on-premises infrastructure and Azure services. It helps organizations estimate the savings they could realize by migrating their workloads to Azure https://azure.microsoft.com/pricing/details/storage/container-storage .
- Functionality: The calculator takes into account various factors such as hardware, software, space, and labor costs associated with on-premises infrastructure and compares them with the equivalent Azure services. It provides a detailed report including cost breakdowns and potential savings over time https://azure.microsoft.com/pricing/details/storage/container-storage .
- Use Cases: This tool is valuable for organizations considering a migration to the cloud and wanting to understand the financial implications and benefits of moving to Azure.
Additional Information
- Accessibility: Both calculators are accessible from the internet, allowing users to explore different scenarios and configurations without any commitment https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators .
- Comparison: While both calculators allow you to build out a configuration, they serve different purposes. The Pricing Calculator is for estimating the cost of Azure services, while the TCO Calculator is for comparing the costs of on-premises infrastructure with Azure https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/3-compare-pricing-total-cost-of-ownership-calculators .
For further details and to use the calculators, you can visit the following resources:
- Azure Pricing Calculator
- Azure Total Cost of Ownership (TCO) Calculator
These tools are part of the cost management capabilities in Azure, which also include Microsoft Cost Management for monitoring and controlling Azure spending, and the use of tags for organizing resources and attributing costs https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/9-summary https://learn.microsoft.com/en-us/training/modules/describe-cost-management-azure/1-introduction .
Describe Azure management and governance (30–35%)
Describe cost management in Azure
Azure provides a suite of cost management capabilities that enable users to monitor, control, and optimize their cloud spending. Here is a detailed explanation of these capabilities:
Cost Monitoring and Analysis
Azure allows continuous monitoring of cloud consumption and cost trends. This enables users to understand their spending patterns and identify areas where costs can be optimized. Users can allocate cloud costs to specific business units and projects, improving organizational accountability https://azure.microsoft.com/pricing/details/#Linux .
Budgeting and Cost Allocation
With Microsoft Cost Management (formerly Azure Cost Management + Billing), users can set budgets for a subscription, resource group, or management group and monitor actual and forecasted costs against them, with alerts that fire when spend crosses a chosen threshold. This helps in ensuring that spending does not exceed the planned amount. Cost allocation is simplified by using tags, which categorize resources for cost tracking and reporting.
Cost Optimization
Azure offers tools to optimize and save costs by identifying and eliminating idle resources. Virtual machine rightsizing is one such tool that suggests changes to resource allocation based on usage patterns, potentially leading to cost savings https://azure.microsoft.com/pricing/details/#Linux .
Pricing and Total Cost of Ownership (TCO) Calculators
Azure provides a pricing calculator and a Total Cost of Ownership (TCO) Calculator. The pricing calculator helps estimate the costs for Azure services before deployment. The TCO Calculator compares the cost of running workloads on-premises with the cost of the equivalent Azure services, helping to make informed decisions about cloud investments.
Cost Management for Multiple Clouds
Microsoft Cost Management also supports managing spending for services not only in Azure but also in other clouds such as AWS through a connector. This provides a unified view of costs and insights based on data from both Azure and AWS environments https://azure.microsoft.com/pricing/details/#Linux .
Azure ExpressRoute Cost Management
For services like Azure ExpressRoute, users can plan for costs using the Azure pricing calculator and manage them using the Cost Management features. This includes setting budgets, monitoring costs, reviewing forecasted costs, and identifying spending trends https://learn.microsoft.com/en-us/azure/expressroute/plan-manage-cost .
For additional information on Microsoft Cost Management, you can explore the following resources:
- Microsoft Cost Management
- Azure Pricing Calculator
- Azure Total Cost of Ownership (TCO) Calculator
Describe Azure management and governance (30–35%)
Describe cost management in Azure
Purpose of Tags in Azure
Tags in Azure serve as a method to annotate resources with metadata consisting of name-value pairs. This metadata allows for the organization, management, and categorization of resources within Azure. Here are the key purposes of using tags:
Categorization: Tags help categorize resources by assigning key-value pairs that can be used to reflect the environment, department, project, or any other classification relevant to the organization https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-tags-typescript .
Cost Management: By utilizing tags, it’s possible to track costs at a more granular level. Tags can be used to report usage and cost data, which aids in understanding and managing Azure expenses https://learn.microsoft.com/en-us/azure/virtual-desktop/tag-virtual-desktop-resources .
Automation and Management: Tags drive automation. Scripts can select resources by tag (for example, deallocating every VM tagged env=dev outside business hours), and Azure Policy can require specific tags on new resources, inherit tag values from the resource group, or deny deployments that lack them, so that the tagging scheme stays consistent without manual effort.
Resource Grouping: Although tags do not create a physical grouping of resources, they can be used to logically group resources for easier management and reporting.
Searchability: The Azure portal, Azure Resource Graph, Azure CLI, and Azure PowerShell can all filter resources by tag name and value, which makes it quick to find every resource belonging to a project, owner, or environment.
Operational Clarity: Tags can provide additional context about the purpose or nature of a resource, which can be particularly useful in complex environments with many similar resources.
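The cost attribution described above comes down to joining the usage data with the tags on each resource. The following is an added example, not Microsoft code: it parses constructed rows in the shape of a Cost Management usage-detail export (assumed columns ResourceId, ResourceGroup, CostInBillingCurrency, and a Tags column holding a JSON fragment of "name": "value" pairs, which real exports write without the outer braces), rolls cost up by one tag, and lists the resources that are missing the tag. Tag names are folded to lower case because Azure treats them as case-insensitive while values stay case-sensitive; costs use Decimal so that money is not rounded in binary floating point.

```python
"""Roll up Cost Management usage-detail rows by tag (added example, not Microsoft code).

The CSV below is constructed to mimic an export. The Tags column format is an
assumption: a JSON fragment of "name": "value" pairs, with or without braces.
"""
import csv
import io
import json
from collections import defaultdict
from decimal import Decimal

SAMPLE_EXPORT = '''Date,ResourceId,ResourceGroup,CostInBillingCurrency,Tags
2024-03-01,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-1,rg-prod,12.50,"""env"": ""prod"",""costcenter"": ""CC100"""
2024-03-01,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01,rg-prod,3.25,"""Env"": ""prod"",""CostCenter"": ""CC100"""
2024-03-01,/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev-1,rg-dev,8.00,"""env"": ""dev"",""costcenter"": ""CC200"""
2024-03-01,/subscriptions/0000/resourceGroups/rg-sandbox/providers/Microsoft.Sql/servers/sql-sbx,rg-sandbox,20.00,
2024-03-02,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-1,rg-prod,12.50,"""env"": ""prod"",""costcenter"": ""CC100"""
'''

UNTAGGED = "(untagged)"


def parse_tags(raw):
    """Parse the Tags column into a dict keyed by lower-cased tag name.

    Azure tag names are case-insensitive while values are case-sensitive,
    so "Env" and "env" must roll up together but "Prod" and "prod" must not.
    """
    raw = (raw or "").strip()
    if not raw:
        return {}
    if not raw.startswith("{"):          # exports omit the outer braces
        raw = "{" + raw + "}"
    return {name.lower(): value for name, value in json.loads(raw).items()}


def load_rows(csv_text):
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "resource_id": rec["ResourceId"],
            "resource_group": rec["ResourceGroup"],
            "cost": Decimal(rec["CostInBillingCurrency"]),   # exact money arithmetic
            "tags": parse_tags(rec["Tags"]),
        })
    return rows


def cost_by_tag(rows, tag_name):
    """Total cost per value of `tag_name`; rows lacking the tag go to UNTAGGED."""
    totals = defaultdict(Decimal)
    key = tag_name.lower()
    for row in rows:
        totals[row["tags"].get(key, UNTAGGED)] += row["cost"]
    return dict(totals)


def untagged_resources(rows, tag_name):
    """Resource IDs missing `tag_name`: the remediation list for a tagging policy."""
    key = tag_name.lower()
    return sorted({row["resource_id"] for row in rows if key not in row["tags"]})


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    for value, cost in sorted(cost_by_tag(rows, "CostCenter").items()):
        print(f"{value:12s} {cost:>8}")
    print("missing costcenter tag:", *untagged_resources(rows, "costcenter"), sep="\n  ")
```

The untagged bucket is the number to watch: in a real export it is the spend nobody is accountable for, and the list of resource IDs behind it is exactly what a "require a tag" policy or a remediation task would act on.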
Blob index tags are a separate feature and are easy to confuse with resource tags: they are attached to individual blobs inside a storage account and are used to find data, whereas the resource tags described above are attached to Azure Resource Manager resources and are what cost reporting uses. For more information on blob index tags, you can refer to the following resource: Manage and find Azure Blob data with blob index tags.
To understand how tags are used in Microsoft Cost Management and to learn about known limitations, the following resources may be helpful:
- How tags are used in cost and usage data
- Use tags to organize your Azure resources and management hierarchy
Tags are powerful for categorization and management, but they have limits that shape how you design a scheme: each resource, resource group, or subscription can carry at most 50 tag name-value pairs; tag names are limited to 512 characters and values to 256 characters (storage account tag names are limited to 128); tag names are case-insensitive while values are case-sensitive; not every resource type supports tags; and tags applied to a resource group or subscription are not inherited by the resources inside it unless an Azure Policy assignment copies them down.
Describe Azure management and governance (30–35%)
Describe features and tools in Azure for governance and compliance
Purpose of Microsoft Purview in Azure
Microsoft Purview serves as a comprehensive data governance service that enables organizations to manage and govern their on-premises, multicloud, and SaaS data. The primary purpose of Microsoft Purview in Azure is to provide a unified data governance solution that helps organizations understand their data landscape and manage the risks associated with data compliance and governance.
Key functionalities of Microsoft Purview include:
Automated Data Discovery: Microsoft Purview automates the process of discovering data across various sources, helping organizations to maintain an up-to-date inventory of their data assets https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/2-describe-purpose-microsoft-purview .
Sensitive Data Classification: It classifies sensitive data to ensure that organizations can identify and protect critical information, adhering to compliance requirements https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/2-describe-purpose-microsoft-purview .
End-to-End Data Lineage: Microsoft Purview provides visibility into data lineage, offering insights into the lifecycle of data, including its origin, movement, and transformation https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/2-describe-purpose-microsoft-purview .
Risk and Compliance Management: As part of its risk and compliance solution area, Microsoft Purview helps organizations to comply with various regulations by providing tools for data protection and compliance monitoring https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/2-describe-purpose-microsoft-purview .
Unified Data Governance: The unified data governance solution area of Microsoft Purview brings together insights about data from different environments, enabling a single view of data governance across an organization https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/2-describe-purpose-microsoft-purview .
For additional information on Microsoft Purview, you can refer to the following resources:
- What is Microsoft Purview? https://learn.microsoft.com/en-us/azure/defender-for-cloud/information-protection
- Microsoft Purview’s supported data sources and file types https://learn.microsoft.com/en-us/azure/defender-for-cloud/information-protection
- Microsoft Purview deployment best practices https://learn.microsoft.com/en-us/azure/defender-for-cloud/information-protection
- How to label your data in Microsoft Purview https://learn.microsoft.com/en-us/azure/defender-for-cloud/information-protection
By leveraging Microsoft Purview, organizations can enhance their data governance practices, improve data compliance, and reduce risks associated with data management.
Describe Azure management and governance (30–35%)
Describe features and tools in Azure for governance and compliance
Azure Policy is a service within Microsoft Azure that allows users to create, assign, and manage policies. These policies enforce different rules and effects over the resources in your Azure environment, helping you to maintain control over the resources and ensure compliance with your company standards and service level agreements (SLA).
The purpose of Azure Policy is to:
Enforce Standards and Compliance: Azure Policy helps ensure your resource configurations comply with both internal policies and external regulations. By defining conventions for resources, you can ensure that resources stay compliant with those conventions.
Audit Resource Configurations: It can audit existing resources for compliance with the policies you create. This is useful for getting visibility into how well your organization is aligning with your compliance goals.
Automate Remediation: Policies with the DeployIfNotExists or Modify effects can bring resources into compliance, for example by deploying a missing diagnostic setting or adding a required tag. New and updated resources are remediated at deployment time; existing non-compliant resources are only fixed when you create a remediation task for the assignment, and the assignment needs a managed identity with enough rights to make the change.
Apply Policy Definitions at Scale: Policies can be applied to multiple resources across different subscriptions, enabling governance at scale. This is particularly useful for larger organizations with complex resource hierarchies.
Group Policies for Specific Goals: Azure Policy allows grouping of related policies into an initiative, which simplifies the management and assignment of policies that are intended to work together towards a specific goal or compliance need.
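A policy definition is a JSON rule ("if" a condition matches a resource, "then" apply an effect), and an initiative is a list of such definitions. The following is an added example, not the Azure Policy engine and not Microsoft code: a deliberately small evaluator for the rule language, covering only the allOf/anyOf/not, equals/notEquals/in and exists operators, with a hand-written stand-in for Azure's alias catalogue. The two definitions follow the shape of the built-in "Secure transfer to storage accounts should be enabled" and "Require a tag on resources" policies, and the sample resources are constructed. It shows the semantics practitioners trip over: string comparisons are case-insensitive, a missing property is caught by exists: false rather than by equals, and a policy whose type condition does not match simply does not apply.

```python
"""Minimal evaluator for the Azure Policy rule language (added illustration).

Not the Azure Policy engine and not Microsoft code. Supports only the
operators used below and a hand-written alias table; the sample resources
are constructed.
"""

# Assumed stand-in for Azure's alias catalogue: alias -> path inside the resource JSON.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly":
        ("properties", "supportsHttpsTrafficOnly"),
}

MISSING = object()   # sentinel: the field is absent from the resource


def resolve_field(resource, field):
    """Look up a policy `field`: type/name/location, tags['x'], or an alias."""
    if field.startswith("tags[") and field.endswith("]"):
        wanted = field[5:-1].strip("'\"").lower()        # tag names are case-insensitive
        for name, value in (resource.get("tags") or {}).items():
            if name.lower() == wanted:
                return value
        return MISSING
    if field in ALIASES:
        node = resource
        for part in ALIASES[field]:
            if not isinstance(node, dict) or part not in node:
                return MISSING
            node = node[part]
        return node
    return resource.get(field, MISSING)


def _norm(value):
    # Azure Policy string comparisons are case-insensitive; JSON booleans are
    # compared against the strings "true"/"false" that definitions use.
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def matches(condition, resource):
    """Evaluate a policyRule `if` block; True means the rule fires."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        return (value is not MISSING) == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        return value is not MISSING and _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:   # assumption: an absent field is "not equal"
        return value is MISSING or _norm(value) != _norm(condition["notEquals"])
    if "in" in condition:
        return value is not MISSING and _norm(value) in [_norm(v) for v in condition["in"]]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Return the effect ("deny", "audit", ...) if the rule fires, else "compliant"."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if matches(rule["if"], resource) else "compliant"


def evaluate_initiative(initiative, resources):
    """An initiative is a group of policies; report the outcome of each per resource."""
    return {r["name"]: {p["displayName"]: evaluate(p, r) for p in initiative}
            for r in resources}


SECURE_TRANSFER = {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
            ]},
        ]},
        "then": {"effect": "Deny"},
    },
}

REQUIRE_COSTCENTER_TAG = {
    "displayName": "Require a costcenter tag on resources",
    "policyRule": {
        "if": {"field": "tags['costcenter']", "exists": "false"},
        "then": {"effect": "Audit"},
    },
}

GOVERNANCE_INITIATIVE = [SECURE_TRANSFER, REQUIRE_COSTCENTER_TAG]

# Constructed sample resources (shape follows an ARM resource JSON).
SAMPLE_RESOURCES = [
    {"name": "stgood", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"CostCenter": "CC100"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stbad", "type": "microsoft.storage/storageaccounts",
     "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"costcenter": "CC200"}, "properties": {}},
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "tags": {}, "properties": {}},
]

if __name__ == "__main__":
    for name, results in evaluate_initiative(GOVERNANCE_INITIATIVE, SAMPLE_RESOURCES).items():
        print(name, results)
```

In the real service a Deny outcome rejects the deployment request before the resource is created, while Audit records the resource as non-compliant in the compliance view; the evaluator above returns the effect so that you can see which of the two would happen for each constructed resource.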
For more information on Azure Policy, you can refer to the following resources:
- What is Azure Policy?
- Built-in policy definitions for Kubernetes
- What are security policies, initiatives, and recommendations?
Azure Policy is a key component of the Azure governance ecosystem and plays a critical role in the management and compliance of Azure resources https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-glossary https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription .
Describe Azure management and governance (30–35%)
Describe features and tools in Azure for governance and compliance
Purpose of Resource Locks
Resource locks in Azure are a safeguard against accidental deletion or modification of resources. A lock applies regardless of the user's role-based access control (RBAC) permissions, so even an Owner cannot delete a locked resource until the lock is removed. A lock is not a security boundary, however: anyone holding the Microsoft.Authorization/locks/* permission (Owner or User Access Administrator) can remove it, so it protects against mistakes rather than against a privileged attacker. Locks can be applied to an individual resource, a resource group, or an entire subscription, and a lock on a parent scope is inherited by every resource within it https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/4-describe-purpose-of-resource-locks .
There are two types of resource locks:
- CanNotDelete (shown as Delete in the portal): Users can still read and modify the resource, but nobody can delete it until the lock is removed https://learn.microsoft.com/en-us/azure/dns/dns-protect-private-zones-recordsets .
- ReadOnly: Users can read the resource but cannot modify or delete it; for a DNS zone that means no record sets can be added, changed, or removed https://learn.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets . ReadOnly has side effects worth testing first: because it only permits read operations, it also blocks actions that the resource provider implements as POST requests, such as listing storage account keys.
Resource locks are particularly useful in environments where multiple users have varying levels of access and there is a risk that someone could inadvertently delete or alter an important resource, such as a production DNS zone or a storage account holding backups. By applying a resource lock, organizations can ensure that such resources survive a mistaken command or script; for deliberate abuse, locks must be paired with least-privilege RBAC and Azure Policy https://learn.microsoft.com/en-us/training/modules/describe-features-tools-azure-for-governance-compliance/4-describe-purpose-of-resource-locks .
To apply a resource lock, administrators can use the Azure portal, Azure PowerShell, or the Azure CLI. For example, to lock a DNS zone using Azure PowerShell, the following commands can be used (fill in the placeholders; the valid lock levels are CanNotDelete and ReadOnly):
# Lock a DNS zone
$lvl = "<lock level>"                 # CanNotDelete or ReadOnly
$lnm = "<lock name>"
$rsc = "<zone name>"
$rty = "Microsoft.Network/DNSZones"    # resource type the lock is scoped to
$rsg = "<resource group name>"
New-AzResourceLock -LockLevel $lvl -LockName $lnm -ResourceName $rsc -ResourceType $rty -ResourceGroupName $rsg
Similarly, the Azure CLI command to create a lock would be:
# Lock a DNS zone
az lock create \
--lock-type "<lock level>" \
--name "<lock name>" \
--resource-name "<zone name>" \
--namespace "Microsoft.Network" \
--resource-type "DnsZones" \
--resource-group "<resource group name>"
For additional information on resource locks and how to apply them, please refer to the following resources:
- Lock resources with Azure Resource Manager
- Apply an Azure Resource Manager lock to a storage account
- Azure PowerShell - New-AzResourceLock
- Azure CLI - az lock create
By understanding and utilizing resource locks, administrators can enhance the security and stability of their Azure environments, ensuring that essential resources remain intact and operational.
Describe Azure management and governance (30–35%)
Describe features and tools for managing and deploying Azure resources
Describe the Azure Portal
The Azure portal is an online user interface that you can use to manage your Azure services and resources. It provides a centralized place for you to access and manage all of your applications, services, and resources in the cloud. Here are some key features and aspects of the Azure portal:
User-Friendly Interface: The Azure portal has a dashboard that can be customized with tiles to display information about your services. It allows you to quickly view the health and status of your resources and navigate to the specific service you need to manage.
Resource Management: Through the Azure portal, you can create, configure, and delete Azure resources such as virtual machines, storage accounts, and databases. It provides detailed configuration options for each service, allowing for granular control over your cloud environment.
Cloud Shell Integration: The portal integrates Azure Cloud Shell, which is a browser-based command-line experience that enables you to manage Azure resources using either Azure PowerShell or Azure CLI directly within the portal.
Monitoring and Diagnostics: The portal offers built-in monitoring and diagnostics tools that help you track the performance and health of your resources. You can set up alerts, view metrics, and access logs to ensure your services are running smoothly.
Marketplace Access: Azure Marketplace is accessible from the portal, where you can find and deploy a wide range of third-party applications and services that are certified to run on Azure.
Security and Compliance: The portal provides access to security features and compliance information. You can manage role-based access control (RBAC), monitor security recommendations, and check compliance with industry standards.
Cost Management: Azure Cost Management tools are available in the portal to help you analyze and manage your cloud spending. You can set budgets, view billing reports, and get recommendations for optimizing your costs.
The Azure portal is continually updated to provide the latest features and enhancements, making it a powerful tool for managing Azure resources effectively.
Describe Azure management and governance (30–35%)
Describe features and tools for managing and deploying Azure resources
Azure Cloud Shell
Azure Cloud Shell is an interactive, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. It opens from the toolbar of the Azure portal or directly at https://shell.azure.com and runs on Microsoft-managed compute, so nothing has to be installed on your own machine.
Features of Azure Cloud Shell:
Browser-based Access: Azure Cloud Shell can be accessed through a web browser, making it convenient to manage Azure resources without the need for local installations.
Choice of Shells: Users can choose between Bash or PowerShell according to their preference or requirement for the task at hand.
Preinstalled Tools: The Cloud Shell image includes Azure CLI, Azure PowerShell, and common tooling such as git, kubectl, Terraform, and text editors, so users can run commands and scripts against Azure services without installing anything locally. A mounted Azure file share (clouddrive) persists your files between sessions.
Integrated Authentication: Automatically authenticated with your Azure credentials when using Cloud Shell in the Azure portal.
Using Azure Cloud Shell:
To initiate Azure Cloud Shell, you can select “Try It” in the upper-right corner of a code block within Azure documentation, go to Azure Cloud Shell, or select the Cloud Shell button on the menu bar in the Azure portal.
Once Cloud Shell is started, you can copy the code or command from the documentation by selecting the Copy button on a code block.
Paste the copied code or command into the Cloud Shell session using Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.
Press Enter to execute the code or command.
Azure Command-Line Interface (CLI):
Azure CLI is a set of commands used to manage Azure resources. The CLI is designed to make scripting easy, flexibly query data, support long-running operations as non-blocking processes, and more.
Cross-Platform: Azure CLI can be used on Windows, macOS, and Linux.
Scriptable Commands: Allows for the creation of complex scripts that can automate tasks and manage resources.
Query Data: Supports querying Azure resources data in a format that’s convenient for the user.
Azure PowerShell:
Azure PowerShell is the Az module, a set of cmdlets for managing Azure from PowerShell 7 on Windows, macOS, or Linux (Windows PowerShell 5.1 is also supported). It is built on the Azure Resource Manager model and allows for managing Azure resources directly from the PowerShell command line.
Powerful Scripting: Leverages the power of PowerShell scripting to automate Azure resource management.
Resource Manager Model: Uses the Azure Resource Manager model, which provides a consistent management layer.
Local Installation: Can be installed on a local machine and used in any PowerShell session.
For more information on Azure Cloud Shell, Azure CLI, and Azure PowerShell, you can visit the following URLs:
- Azure Cloud Shell: Azure Cloud Shell Documentation
- Azure CLI: Install Azure CLI
- Azure PowerShell: Install Azure PowerShell https://learn.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-manage-data-disk https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tutorial-geo-filtering https://learn.microsoft.com/en-us/training/modules/describe-features-tools-manage-deploy-azure-resources/6-summary .
Describe Azure management and governance (30–35%)
Describe features and tools for managing and deploying Azure resources
Purpose of Azure Arc
Azure Arc is a set of technologies that brings Azure services and management to any infrastructure. It extends Azure’s management capabilities to hybrid environments, allowing you to manage resources such as virtual machines, Kubernetes clusters, and databases as if they were running in Azure, regardless of their actual location. Here are the key purposes of Azure Arc:
Unified Management: Azure Arc enables you to project your on-premises and multi-cloud resources into Azure Resource Manager, providing a consistent management layer. This means you can manage your resources with the same Azure-based tools and interfaces you use for Azure services (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/monitor-virtual-machine-agent).
Policy Enforcement: With Azure Arc, you can use Azure Policy to enforce organizational standards and assess compliance across your environments. This helps ensure that your hybrid and multi-cloud resources comply with the same governance and security standards as your Azure resources (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/monitor-virtual-machine-agent).
Deployment at Scale: Azure Arc simplifies the deployment of configurations and applications across your hybrid environment. You can use ARM templates, Bicep, or other deployment tools to automate the deployment of resources and ensure consistency across your infrastructure (https://learn.microsoft.com/en-us/training/modules/describe-features-tools-manage-deploy-azure-resources/6-summary).
Access to Azure Services: By enabling Azure Arc on your hybrid machines, you can access Azure services like Azure Monitor, Azure Security Center (now Microsoft Defender for Cloud), and Azure Sentinel (now Microsoft Sentinel), providing insights and advanced threat protection for your non-Azure resources (https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines).
Cost Management: Azure Arc allows you to manage and optimize costs across your hybrid environment. You can apply Azure cost management tools to your Arc-enabled resources, gaining visibility into your spending and usage patterns (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/monitor-virtual-machine-agent).
For additional information on Azure Arc, you can refer to the following resources:
- Overview of Azure Arc-enabled servers: Azure Arc-enabled servers overview
- Planning and deploying Azure Arc at scale: Plan and deploy Azure Arc-enabled servers
- Azure Arc pricing details: Azure Arc pricing
- Quickstart guide for connecting hybrid machines: Quickstart: Connect hybrid machines with Azure Arc-enabled servers
- Connecting multiple machines at scale: Connect hybrid machines to Azure at scale
By integrating Azure Arc into your infrastructure, you can enjoy the flexibility of hybrid and multi-cloud environments while leveraging the robust management and security features of Azure.
Describe Azure management and governance (30–35%)
Describe features and tools for managing and deploying Azure resources
Infrastructure as Code (IaC) is a key practice within the field of DevOps that involves managing and provisioning computing infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. IaC enables developers and operations teams to automatically manage, monitor, and provision resources through code, rather than using a manual process. Here’s a detailed explanation of IaC:
Infrastructure as Code (IaC)
Definition and Purpose:
- IaC is a method to provision and manage IT infrastructure through the use of source code, rather than through manual processes.
- It allows for consistent and repeatable routines for provisioning infrastructure, ensuring that the environments are provisioned in the same way every time, reducing errors and discrepancies.
Benefits:
- Automation: IaC automates the deployment of infrastructure, which means that the setup of servers, databases, networks, and other infrastructure components can be done quickly and with less human intervention (https://learn.microsoft.com/en-us/azure/availability-zones/migrate-vm).
- Version Control: Just like application source code, IaC can be version-controlled, allowing teams to track changes, roll back to previous versions, and understand the evolution of their infrastructure over time (https://learn.microsoft.com/en-us/azure/defender-for-cloud/iac-template-mapping).
- Consistency and Standardization: By codifying infrastructure, organizations can ensure that their environments are consistent, which is crucial for testing and reliability.
- Speed and Efficiency: IaC can significantly reduce the time it takes to provision resources, enabling faster development cycles and the ability to scale infrastructure resources on demand.
- Cost Savings: Automating infrastructure provisioning can lead to cost savings by reducing the need for manual labor and by allowing for more precise allocation of resources, thus avoiding over-provisioning.
Practices:
- Idempotency: An important principle in IaC is idempotency, which means that no matter how many times you apply your configuration, the result should be the same, ensuring reliability and predictability.
- Immutable Infrastructure: This is a model where infrastructure components are replaced rather than changed. Once a component is deployed, it is never modified; if changes are needed, a new component is provisioned through code.
Tools and Technologies:
- Configuration Management Tools: These tools, such as Ansible, Chef, and Puppet, are used to automate the configuration of servers.
- Provisioning Software: Tools like Terraform and CloudFormation allow for the creation and management of a collection of resources through templating.
- Azure Resource Manager (ARM) Templates: ARM templates are JSON files that define the resources you need to deploy for your solution. They are used to provision and manage Azure resources in a consistent and repeatable manner.
Security Considerations:
- IaC can also be used to enforce security best practices by defining the desired state of infrastructure configurations that comply with security policies.
- Microsoft Defender for Cloud provides recommendations to ensure that IaC templates are secure and that any code scanning findings are resolved, which helps minimize cloud misconfigurations reaching production environments (https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive).
For additional information on Infrastructure as Code and its implementation in Azure, you can refer to the following resources:
- Introduction to Azure Resource Manager
- Defender for DevOps in Microsoft Defender for Cloud (https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive)
By incorporating IaC into your workflow, you can achieve more efficient, reliable, and secure management of your IT infrastructure.
Describe Azure management and governance (30–35%)
Describe features and tools for managing and deploying Azure resources
Azure Resource Manager (ARM) and ARM Templates
Azure Resource Manager (ARM)
Azure Resource Manager is the service provided by Azure for deployment and management of resources. It acts as a management layer that allows users to create, update, and delete resources within their Azure account. ARM offers management features such as access control, locks, and tags, which help secure and organize resources post-deployment (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview).
ARM Templates
ARM templates are JSON files that define the resources you need to deploy for your project. These templates allow you to declaratively set the desired state of your Azure environment. An ARM template describes the structure and details of all the resources for your solution, including their dependencies, so they can be deployed as a group (https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax, https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview).
Structure of ARM Templates
An ARM template is structured into sections that specify the resources to be deployed and their properties. The main sections include:
- Parameters: Values that are provided when deployment is executed to customize resource deployment.
- Variables: Values that are used for simplifying template language expressions.
- Resources: The Azure resources that will be deployed or updated.
- Outputs: Values that are returned after deployment (https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax).
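As an added illustration (not code from the study guide or from Microsoft), the Python below embeds a constructed ARM template that carries the four sections just listed and checks its storage account against a small desired-state baseline, the kind of check the IaC "Security Considerations" passage describes for catching misconfigurations before deployment. The template, the baseline and the function names are assumptions for this example; the three property keys are real Microsoft.Storage/storageAccounts properties.

```python
import copy
import json

# Constructed example template (not from the study guide or Microsoft docs).
# It has the four main sections (parameters, variables, resources, outputs)
# and deploys one storage account whose "properties" block omits the
# transport-security settings a reviewer would expect.
WEAK_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {"type": "string", "minLength": 3, "maxLength": 24},
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"}
  },
  "variables": {"storageSku": "Standard_LRS"},
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {"name": "[variables('storageSku')]"},
      "kind": "StorageV2",
      "properties": {}
    }
  ],
  "outputs": {
    "storageAccountId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    }
  }
}
""")

# Assumed desired state for every storage account in a template; the keys
# are real Microsoft.Storage/storageAccounts properties.
STORAGE_BASELINE = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
}
REQUIRED_SECTIONS = ("$schema", "contentVersion", "resources")

def check_template(template: dict) -> list:
    """Return a list of findings; an empty list means the template passes."""
    findings = [f"missing top-level section: {s}"
                for s in REQUIRED_SECTIONS if s not in template]
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties") or {}
        for key, wanted in STORAGE_BASELINE.items():
            actual = props.get(key)
            # Compare type as well, so 1 is not accepted in place of true.
            if type(actual) is not type(wanted) or actual != wanted:
                findings.append(f"{res.get('name')}: {key} should be "
                                f"{json.dumps(wanted)}, got {json.dumps(actual)}")
    return findings

def harden_template(template: dict) -> dict:
    """Return a copy with the baseline merged into every storage account."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type") == "Microsoft.Storage/storageAccounts":
            res["properties"] = {**(res.get("properties") or {}), **STORAGE_BASELINE}
    return fixed
```

Running check_template(WEAK_TEMPLATE) yields three findings, one per missing baseline property, and check_template(harden_template(WEAK_TEMPLATE)) yields none.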
Advantages of Using ARM Templates
- Declarative Syntax: You define what you intend to deploy without having to write the sequence of programming commands to create it.
- Idempotency: The same template can be deployed multiple times to create identical environments.
- Modular and Reusable: Templates can be linked together, so you can reuse common elements.
- Orchestration: All resources are deployed in a single, coordinated operation.
Learning Resources
- For a step-by-step guide on creating an ARM template, refer to Tutorial: Create and deploy your first ARM template.
- To understand the structure of ARM templates in detail, see ARM template overview.
- For a guided set of modules on deploying and managing resources with ARM templates, visit Deploy and manage resources in Azure by using ARM templates.
Bicep as an Alternative
Bicep is a new domain-specific language for deploying Azure resources that greatly simplifies the authoring experience. It provides the same capabilities as ARM templates but with a cleaner syntax and better support for code reuse (https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax).
- To learn about Bicep, see Bicep overview.
- For understanding the structure and syntax of Bicep files, refer to Understand the structure and syntax of Bicep files.
By utilizing ARM and ARM templates, you can efficiently manage and automate your Azure resource deployments, ensuring consistency and repeatability across your environments.
Describe Azure management and governance (30–35%)
Describe monitoring tools in Azure
Azure Advisor Overview
Azure Advisor is a personalized cloud consultancy service that offers best practice recommendations for optimizing Azure deployments. Its primary purpose is to assist users in enhancing their Azure resources across various domains, including reliability, security, cost-effectiveness, performance, and operational excellence.
Key Features of Azure Advisor:
Personalized Recommendations: Azure Advisor provides tailored suggestions based on the user’s resource configuration and usage telemetry.
Optimization Across Multiple Domains:
- Reliability: It helps ensure that Azure deployments are reliable and resilient to failures.
- Security: Azure Advisor evaluates security configurations and suggests improvements to protect Azure resources.
- Cost-Effectiveness: It identifies opportunities to reduce costs by highlighting underutilized resources.
- Performance: The service recommends actions to improve the speed and responsiveness of applications.
- Operational Excellence: Azure Advisor offers advice on best practices and design patterns to enhance the manageability and monitoring of resources.
Actionable Insights: The recommendations provided by Azure Advisor are actionable, allowing users to implement them directly through the Azure portal.
Continuous Monitoring: Azure Advisor continuously analyzes resource configurations and usage to provide up-to-date advice.
Scope of Evaluation: The service can evaluate resources at the virtual machine, resource group, or subscription level.
Additional Resources:
For more information on Azure Advisor and its recommendations, you can visit the official documentation here: Azure Advisor.
To understand how to create Azure Service Health alerts based on Azure Advisor recommendations, refer to this guide: Create Azure Service Health alerts.
To learn about enabling Traffic Analytics for insights into Azure resource traffic patterns, see: Enable Traffic Analytics.
For guidance on following the least privilege principle in Azure, check out: Follow just enough administration.
To protect network resources with Microsoft Defender for Cloud, you can visit: Protect your network resources with Microsoft Defender for Cloud.
Azure Advisor is an essential tool for maintaining and optimizing Azure deployments, ensuring that users can make the most of their cloud resources while adhering to best practices across various critical domains https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-firewall https://learn.microsoft.com/azure/azure-sql/virtual-machines/index .
Describe Azure management and governance (30–35%)
Describe monitoring tools in Azure
Describe Azure Service Health
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues in Azure services affect you. It is a feature within the Azure Portal designed to help you track the health of your Azure services and resources. Azure Service Health offers a comprehensive view of the health of Azure services, regions, and resources, and it combines three different services to provide this information:
Azure Status: This provides a global view of the health of all Azure services across all Azure regions. It is useful for identifying service outages with widespread impact. The Azure Status page is publicly accessible and offers a broad picture of the status of Azure globally https://learn.microsoft.com/en-us/training/modules/describe-monitoring-tools-azure/3-describe-azure-service-health .
Service Health: This offers a more focused view, tailored to the Azure services and regions you are using. Service Health is the best place to look for communications about outages, planned maintenance activities, and health advisories that may impact the services you rely on. It provides personalized alerts and guidance when Azure service issues affect you. You can set up Service Health alerts to be notified about service issues and planned maintenance https://learn.microsoft.com/en-us/training/modules/describe-monitoring-tools-azure/3-describe-azure-service-health .
Resource Health: This provides a customized view of the health of your individual Azure resources, such as a specific virtual machine instance. Resource Health helps you diagnose and get support for service problems that affect your resources. It is integrated with Azure Monitor, allowing you to configure alerts for changes in the availability of your resources https://learn.microsoft.com/en-us/training/modules/describe-monitoring-tools-azure/3-describe-azure-service-health .
Azure Service Health also stores historical alerts, which can be accessed for later review. This feature is particularly useful for investigating trends or recurring issues that may have initially appeared as anomalies https://learn.microsoft.com/en-us/training/modules/describe-monitoring-tools-azure/3-describe-azure-service-health .
For additional information on Azure Service Health, you can visit the following URLs:
- Azure Service Health Overview: Azure Service Health (https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-notifications-portal)
- Track Service Health: Track service health (https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-http-502-http-503)
- Create Activity Log Alerts on Service Notifications: Create activity log alerts on service notifications (https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-notifications-portal)
By utilizing Azure Service Health, you can stay informed about the status of your services and resources, plan for maintenance events, and respond proactively to issues as they arise.
Describe Azure management and governance (30–35%)
Describe monitoring tools in Azure
Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. Here’s a detailed explanation of the key components within Azure Monitor:
Azure Monitor Log Analytics
Log Analytics is a tool in the Azure portal used to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can collect data from managed or unmanaged resources, whether they are in Azure or another cloud, or on-premises.
- Data Collection: Data from various sources such as Azure resources, the Azure subscription, and the Azure Active Directory can be collected.
- Analysis: The collected data can be analyzed using the powerful query language of Azure Monitor Logs, which allows for complex analysis across all collected data.
- Integration: Log Analytics can be integrated with other Azure services and can also be used to create workbooks and dashboards for visualizing data.
For more information on Log Analytics, visit the Azure Monitor logs documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-query-overview
Azure Monitor Alerts
Alerts in Azure Monitor proactively notify you of critical conditions and potentially take corrective automated actions based on triggers from metrics or logs. Alerts can trigger actions such as sending an email, calling a webhook, or starting an automated runbook.
- Alert Rules: You can configure different settings for alert rules, such as the resource group, severity, and the specific metrics or logs to monitor.
- Severity Levels: Alerts can be classified by severity, allowing you to prioritize issues based on their importance.
- Automated Actions: In response to an alert, automated actions can be configured to resolve or mitigate the issue.
For more information on Azure Monitor alerts, refer to the Azure Monitor alerts documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview
Application Insights
Application Insights is an extensible Application Performance Management (APM) service for developers and DevOps professionals. It monitors the performance and usage of your live applications and automatically detects performance anomalies.
- Performance Monitoring: Track the performance of your app and identify bottlenecks that may affect user experience.
- Telemetry Data: Collect detailed information about your application’s operations, including response times, failure rates, and dependencies.
- Live Metrics: View real-time performance metrics to understand the current state of your application.
- Analytics Tools: Use powerful analytics tools to diagnose issues and to understand what users actually do with your app.
For more information on Application Insights, you can visit the Application Insights documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview
By utilizing Azure Monitor, including Log Analytics, Azure Monitor alerts, and Application Insights, you can gain a comprehensive understanding of your applications and infrastructure, ensuring they are performing optimally and efficiently.
Describe Azure management and governance (30–35%)
Describe monitoring tools in Azure
Azure Monitor is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. Here’s a detailed explanation of the components of Azure Monitor:
Azure Monitor
Azure Monitor collects and stores metric and log data from monitored resources. The data collected includes a variety of metrics that describe the performance and operation of the resources and log data that provide insight into their operation. Azure Monitor allows you to:
- Collect data: From applications, operating system, and platform metrics.
- Analyze data: With queries to quickly retrieve, consolidate, and analyze collected data.
- Respond to critical situations: With alerts and automated actions.
- Visualize data: With dashboards and views to track the performance and health of your resources.
Log Analytics
Log Analytics is a tool within Azure Monitor that allows you to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can:
- Collect and consolidate log data: From Azure resources, on-premises resources, and other monitoring tools.
- Analyze log data: Using a powerful query language to derive insights from the data.
- Create complex queries: To pinpoint trends and patterns that help in proactive decision-making.
For more information on Log Analytics, you can visit the Log Analytics workspaces overview (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable).
Azure Monitor Alerts
Alerts in Azure Monitor proactively notify you of critical conditions and potentially take corrective actions. Alerts can be based on metrics or logs, and they can trigger actions such as sending an email, calling a webhook, or starting an automated runbook. Key features include:
- Log Alerts: Run queries at predefined intervals and create alerts based on the results, such as the count of certain records or calculations based on numeric columns https://learn.microsoft.com/en-us/azure/aks/monitor-aks .
- Metric Alerts: Notify you when a metric crosses a threshold.
- Action Groups: Define a group of actions to execute when an alert is triggered.
For guidance on creating log alerts, see How to create log alerts from Container Insights https://learn.microsoft.com/en-us/azure/aks/monitor-aks .
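To make the log-alert mechanics described in both Azure Monitor sections above concrete, here is an added Python example (not code from the study guide or from Azure Monitor) that replays a constructed set of Heartbeat rows through the logic a VM availability log alert expresses as a query: take each computer's latest heartbeat inside the lookback window and fire when it is older than the stale threshold. The rows, the thresholds and the severity tiers are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed Heartbeat-style rows (TimeGenerated, Computer); not real Azure
# Monitor data. Each connected agent sends one Heartbeat row roughly every
# minute; "vm-web-02" stops reporting after 12:05.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
HEARTBEATS = (
    [(T0 + timedelta(minutes=m), "vm-web-01") for m in range(31)]
    + [(T0 + timedelta(minutes=m), "vm-web-02") for m in range(6)]
)
NOW = T0 + timedelta(minutes=30)  # the moment the rule's evaluation interval fires

def evaluate_missing_heartbeat(rows, now, lookback_minutes=60, stale_minutes=10):
    """Emulate a scheduled log alert rule: within the lookback window, take
    each computer's latest heartbeat and fire when it is older than
    stale_minutes. Returns one alert dict per breaching computer, by name."""
    # Caveat mirrored from real log alerts: a computer with no rows inside
    # the lookback window is invisible to the query, so lookback must be
    # comfortably longer than the stale threshold or silent machines are missed.
    since = now - timedelta(minutes=lookback_minutes)
    last_seen = {}
    for ts, computer in rows:
        if since <= ts <= now:
            last_seen[computer] = max(last_seen.get(computer, ts), ts)
    alerts = []
    for computer in sorted(last_seen):
        silent = int((now - last_seen[computer]).total_seconds() // 60)
        if silent > stale_minutes:
            alerts.append({
                "computer": computer,
                "minutesSilent": silent,
                # Severity tiers are an assumption for this example.
                "severity": "Sev1" if silent >= 30 else "Sev2",
            })
    return alerts
```

With the defaults, evaluate_missing_heartbeat(HEARTBEATS, NOW) reports only vm-web-02, silent for 25 minutes; shrinking the lookback to 10 minutes makes the same machine disappear from the result, which is the caveat the comment describes.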
Application Insights
Application Insights is an extensible Application Performance Management (APM) service for developers and DevOps professionals. It allows you to:
- Monitor live applications: Automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and understand what users actually do with your app.
- Track through the Azure portal: It is designed to help you continuously improve performance and usability.
- Integrate with your DevOps processes: It works with your DevOps tools, whether you’re developing in .NET, Java, Node.js, or other languages.
For more information on Application Insights, you can refer to the Application Insights documentation.
By utilizing Azure Monitor, Log Analytics, Azure Monitor Alerts, and Application Insights, you can gain a comprehensive understanding of your applications and infrastructure, ensuring they are performing optimally and efficiently.