Here you'll find a summary and bullet points about exactly what you need to know to take Microsoft Certified: Azure Fundamentals (AZ-900).
💡 To make studying easier, every category is split into topics so you can read them and try to memorize the key words.
⚠️ This article isn't small! The purpose is to elevate your study to a high level. It's a study guide for you. ⚠️
I hope you enjoy it. Have a good journey!😊
1. Cloud Computing
1.1.Cloud Models
- Public Cloud:
- It belongs to a Hosting Provider (Azure, AWS, Oracle...);
- CapEx.
- Private Cloud:
- On Premises/Local Data Center;
- The organization is responsible for hardware management and maintenance.
- Hybrid Cloud:
- A mix of Public and Private.
1.2. Benefits of Cloud Computing
- High Availability;
- Scalability (Vertical and Horizontal);
- Governance;
- Elasticity;
- Reliability;
- Security;
- Manageability.
1.3. Services Types
- IaaS (Infrastructure as a Service):
- You don't need to worry about hardware;
- This service type is the most flexible of the three;
- Ex.: VNet, VMs, Storage, Servers...
- PaaS (Platform as a Service):
- It focuses on application development;
- Platform management is the provider's responsibility;
- Ex.: Azure App Service, Managed Store, Azure SQL, Front Door...
- SaaS (Software as a Service):
- Pay as you go;
- You use it over the internet; you just need to configure the environment for your usage;
- Ex.: Microsoft 365, E-mail, Windows Desktop...
1.4. Investment Options
- CAPEX (Capital Expenditure):
- A one-time expense to buy or secure resources, such as constructing a Data Center.
- OPEX (Operating Expenditure):
- Spending on services and products that are consumed over time.
- Consumption Based Model:
- Pay as you go.
2. Azure Architectural Components
2.1.Regions
- It's made up of one or more Data Centers located close together;
- Each Data Center is called an "Availability Zone", a.k.a. "AZ";
- Each Region is made up of one or more AZs;
- They provide flexibility and scalability to reduce latency for the client;
- Azure has 60+ regions around the world;
- Each Region has its own Region Pair;
- There is automatic replication from a Region to its Region Pair.
- Sovereign Region:
- Regions dedicated only to government services;
- They aren't accessible;
- USA, China (21Vianet).
2.2.Availability Zone
- There's a minimum of 3 AZs in each region.
3. Resources
3.1.Resource Group
- It's a logical grouping;
- As a best practice, allocate a project's resources to the same resource group;
- Resources can be moved to different resource groups.
3.2.Subscriptions
- Provides authenticated and authorized access to Azure accounts and resources;
- It's important to have Cost Alerts and Budget Alerts in each Subscription;
- It inherits the conditions applied to its Management Group.
3.3.Management Group
- Manage Azure Account directly.
(source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/media/organize-resources/scope-levels.png)
4. Compute Services
4.1.Virtual Machine (VM - IaaS)
- It's analogous to a Server. A single physical machine is divided into slices and you can rent a single slice of it;
- Even if the VM is turned off, billing will still be charged. Billing stops only if you delete the machine;
- If you have a public IP assigned to your VM, don't forget to delete the public IP too when you delete the VM. Otherwise, you'll continue being charged;
- Must belong to at least 1 subnet via a Network Interface Card (NIC); some VMs have more than one NIC and can connect to more than one subnet;
- Can be assigned a public IP, which can be accessed from outside Azure;
- Standalone Server: you don't share any resources/services;
- Virtualization: some resources/services are shared with other VMs.
Microsoft provides over 700 images (CPU, RAM, IOPS...) and OS types to choose from.
4.1.2.VM Scaling Sets (VMSS)
- Scale Up: increase the size of a VM;
- Scale Out: add more VMs and have them working together (the most common scenario);
- Scale Sets: a group of VMs that can grow and shrink based on a predefined rule (based on monitored demand, time/schedule...);
- A Scale Set fulfils the elasticity requirement of cloud compute;
- Usually handles up to 100 VMs per Single Set, but you can configure it to increase that to 1000 VMs per Single Set;
- To deploy a VMSS you have to provision at least 2 VMs running the exact same code;
- Can manage groups of VMs as one unit;
- With a Load Balancer in front of it to direct traffic randomly to one of the VMs.
- Availability Set: Availability Sets allow you to tell Azure which virtual machines are identical, so that Azure keeps them physically apart inside the datacenter. This helps when there is expected or unexpected downtime, by increasing the chances that one issue does not affect all VMs in a single Availability Set.
4.2.App Services (Web Apps - PaaS)
- Upload your code and configure it into Azure;
- You can download the software that you want, but only what is supported by Microsoft;
- You can access servers through FTP to get your files;
- You can do A/B tests using deployment slots.
4.3.Azure Container Instance (ACI)
- Quickest way to create and to deploy a container on Azure;
- Isn't easily scalable;
- Single Instance.
4.4.Azure Container Apps
- It's easy to use like a web service;
- Has advanced features.
4.5.Azure Kubernetes Service (AKS)
- It runs on VMSS and has auto-scaling;
- Enterprise grade.
4.6.Azure Virtual Desktop
- A Windows desktop version that runs in the cloud;
- Log in with ID/password on the console and have your installed software available anywhere;
- Works on iOS, Android and any browser.
4.7.Azure Functions (Serverless)
- Small pieces of code that run entirely in the cloud;
- Does something specific in a finite time;
- Is triggered by something happening (HTTP call, timer, message queue...);
- Cheap;
- Has a free tier (1 million executions/month);
- Can support more complicated designs like durable functions and long-running functions;
- Has premium or dedicated hosting options.
5. Network Services
5.1.Virtual Networking (VNets - IaaS)
- Are assigned an address space of either IPv4 or IPv6 (or both);
- Private Address: cannot be accessed from outside Azure or from other networks inside Azure;
- A single VNet is usually assigned a large address space to support future growth;
- Allows VMs to talk to each other and to the Internet, as long as they follow the rules that were defined previously;
- If you want 2 VNets to see each other, you have to set up Peering between their subnets.
5.2.Subnets
- All VNets are subdivided into one or more subnets, and each subnet is assigned a range of IP addresses which must lie within the address space of the VNet;
- There is a security layer between subnets.
5.3.Network Security Group (NSG)
- An access control list (ACL) that blocks inbound/outbound traffic to/from a subnet unless it matches a rule;
- Rules can be based on source IP, source port, destination IP/port, protocol (5-tuple match)...
5.4.Application Security Group (ASG)
- Groups related resources together to make it easier to create NSG rules.
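To make the 5-tuple matching and rule priority concrete, here is a small Python model of how an NSG decides an inbound flow, with an ASG standing in for a set of VM addresses. This is an example written for this guide, not Azure's own implementation: the rule names, ASG names and addresses (10.0.1.x, 10.0.2.x, 203.0.113.0/24) are constructed for the demonstration, and only the final DenyAllInBound default rule is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of NSG rule evaluation (not Azure's implementation).
# Rules have a priority (100-4096); for each packet the rules are checked
# from the lowest priority number upwards and the first rule whose 5-tuple
# (source IP, source port, destination IP, destination port, protocol)
# matches decides Allow or Deny. Azure also adds AllowVNetInBound and
# AllowAzureLoadBalancerInBound defaults; here only DenyAllInBound is kept.

# Application Security Groups (constructed): a name standing for a set of
# NIC addresses, so rules can say "web-servers" instead of listing IPs.
ASGS = {
    "web-servers": {"10.0.1.4", "10.0.1.5"},
    "db-servers": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR, "*" or an ASG name
    source_port: str       # single port, "low-high" range or "*"
    destination: str       # CIDR, "*" or an ASG name
    destination_port: str


def _ip_matches(pattern: str, ip: str) -> bool:
    if pattern == "*":
        return True
    if pattern in ASGS:
        return ip in ASGS[pattern]
    return ip_address(ip) in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= port <= high
    return int(pattern) == port


def _proto_matches(pattern: str, proto: str) -> bool:
    return pattern == "*" or pattern.lower() == proto.lower()


def evaluate(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """Return (access, rule_name) for one inbound flow: first match by priority wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_proto_matches(rule.protocol, proto)
                and _ip_matches(rule.source, src_ip)
                and _port_matches(rule.source_port, src_port)
                and _ip_matches(rule.destination, dst_ip)
                and _port_matches(rule.destination_port, dst_port)):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"  # platform default rule, priority 65500


# Constructed inbound rule set for a web tier and a database tier.
RULES = [
    Rule("allow-https-to-web", 100, "Allow", "Tcp", "*", "*", "web-servers", "443"),
    Rule("deny-rdp-from-anywhere", 110, "Deny", "Tcp", "*", "*", "*", "3389"),
    # Shadowed: never reached for RDP, because priority 110 already denied it.
    Rule("allow-rdp-from-office", 120, "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    Rule("allow-sql-from-web", 200, "Allow", "Tcp", "web-servers", "*", "db-servers", "1433"),
]

if __name__ == "__main__":
    flows = [
        ("198.51.100.7", 51515, "10.0.1.4", 443, "Tcp"),   # internet -> web, HTTPS
        ("198.51.100.7", 51515, "10.0.2.4", 1433, "Tcp"),  # internet -> db, SQL
        ("10.0.1.5", 40000, "10.0.2.4", 1433, "Tcp"),      # web -> db, SQL
        ("203.0.113.10", 40000, "10.0.1.4", 3389, "Tcp"),  # office -> web, RDP
    ]
    for flow in flows:
        print(flow, "->", evaluate(RULES, *flow))
```

The office RDP flow is the point to notice: the allow rule at priority 120 is never consulted because the deny at 110 already matched, so it is the priority number, not the order in which rules were created, that decides the outcome.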
5.5.VNet Peering
- Connects 2 Subnets together;
- Allows communication between a VM on one VNet and another VM on a different VNet;
- The VNets cannot have conflicting IP addresses.
5.6.Azure DNS (Domain Name System)
- Only applies internally to Azure;
- Hosts domain name resolution in Azure.
5.7.Azure VPN Gateway (Virtual Private Network - IaaS)
- Allows communication between a workstation and a network; or between 2 networks;
- Encrypts traffic between those two points;
- Work from home: Point to Site (P2S).
- It works through the public internet;
- Less Expensive than Express Route.
5.8.VPN Peering
- Connect 2 distant networks using "Site to Site VPN" (S2S);
- Those networks are private.
5.9.Express Route
- Communicates with Azure at high speeds;
- Private connection from an Internet Service Provider (ISP) to an Azure endpoint;
- Private connection from Azure to On Prem;
- Traffic never travels over the public internet;
- Traffic can be encrypted;
- More expensive than Azure VPN Gateway;
- In unusual places around the globe, like Amazônia, Express Route isn't used as there isn't cabling there. Instead, "Azure VPN Gateway" is used.
6. Storage Services - IaaS
- First, you have to create a storage account, then you can create the specific type within it, like Blob, disk, queue, file...
- Storage account names must be unique globally (across Azure).
6.1.Redundancy Options
- Locally Redundant Storage (LRS):
- 3 copies, one zone.
- Zone-Redundant Storage (ZRS):
- 3 copies, 3 zones, 3 DCs (one copy in each zone/DC).
- Geo-Redundant Storage (GRS):
- LRS + LRS (in another region). Six copies, 2 DCs, 2 regions.
- Geo-Zone-Redundant Storage (GZRS):
- ZRS + LRS (in another region). Six copies, 3 DCs, 3 AZs, 2 regions.
6.2.Azure Storage GPv2 (General Purpose)
- Standard Storage;
- Subdivided into 4 types of data:
- Container;
- File;
- Queue;
- Table.
- Holds up to 5PB;
- Cost: US$0.20/GB per month;
- It isn't recommended for high-demand workloads;
- When you create a GPv2 you can turn it into a Data Lake.
6.3.Azure Data Lake
- Good for big data;
- Can hold PB and Exabytes;
- Extremely large storage;
- https://.dfs.core.windows.net
6.4.Premium Storage Options
- For high performance requirements;
- Can only hold Blobs, not queues or tables;
- You can choose the type: blobs or files;
- Uses premium SSD;
- 3x the ops and lower latency;
- More expensive than GPv2.
6.5.High performance
- Premium SSD;
- Premium SSD v2;
- Ultra Disk.
6.6.Blob Storage (Binary Large Object)
- Files of any type (txt, pdf, zip, csv...);
- Can be public or private;
- Unstructured data;
- For Redundancy: Azure keeps 3 copies of your data by default;
- Global Redundancy: Azure will keep 6 copies of your data. 3 are locally and 3 in another region of the same geo;
- https://.blob.core.windows.net
6.7.Azure File
- Hierarchical structure with folders;
- You can mount this storage on a server and use a drive letter for it;
- Supports Windows, Linux, MacOS, SMB, NFS (Linux);
- You can use Azure File for lift and shift; or to replace or supplement your on premises file storage;
- https://.file.core.windows.net
6.8.Access Tiers
- Hot:
- Default;
- Balanced access;
- Data that is accessed frequently.
- Cool:
- Cheaper storage with more expensive Read/Write (compared to Hot);
- Data accessed less frequently than in the Hot tier;
- Data needs to be stored for at least 30 days.
- Cold:
- Much cheaper storage, more expensive Read/Write (compared to Cool);
- Infrequently accessed data;
- Data needs to be stored for at least 90 days.
- Archive:
- No immediate access to files;
- Cheapest storage, more expensive Read/Write;
- Rarely accessed data;
- Data needs to be stored for at least 180 days, with flexible latency.
6.9.Failover
- If a hard disk fails, Azure recreates a new hard disk, keeping your data safe.
7. Migration and Moving Options
7.1.Azure File Sync
- File Sync between on premises and Azure;
- Hybrid option (on premises files with cloud options);
- Cloud backup for on premises files;
- Distributed access around the world.
7.2.AZCopy
- It's a CLI (Command Line Interface) tool for copying blobs or files;
- Allows you to copy files between two Azure Storage accounts without having to download the files to your local machine;
- It is the best approach when you need to copy a large amount of files between two Azure Storage accounts.
7.3.Azure Migrate
- Assesses your systems environment and makes recommendations that make it easier to move to the cloud.
7.4.Azure Data Box
- Helps you decide how to transfer your data from on premises to the cloud, depending on the data volume. There are 3 types:
- Data Box: 100TB;
- Data Box Disk: 8TB;
- Data Box Heavy: 1PB.
- Microsoft mails it to you, you fill it up with your data, and you mail it back to them.
- Data is encrypted.
7.5.Azure Storage Explorer
- Allows you to upload something to Azure, download from Azure or move between storage accounts.
8. Identity, Access and Security
- Authentication: the user proving who they are (ID + password);
- Authorization: ensuring that a user is permitted to do an action.
8.1.Microsoft Entra ID
- Allows you to synchronize on premises directories to enable a consistent ID between on premises and Cloud;
- Uses SAML and OAuth protocols for communication;
- Handles Authentication and Authorization;
- Entra ID Global Admins must have MFA;
- B2B;
- Microsoft Entra ID isn't the same as Active Directory (AD uses the LDAP and Kerberos protocols for communication, while Entra uses SAML/OAuth).
- Benefits:
- More security;
- Reduced development time + easier support;
- Additional features (like using AI to analyze login patterns to spot possible threats);
- Centralized administration (see who has access to what);
- SSO (Single Sign On);
- Integrated with other Azure services.
- Licenses:
- Microsoft Entra ID P1;
- Microsoft Entra ID Free;
- Microsoft Entra ID P2;
- Microsoft Entra Governance.
8.2.Entra ID Conditional Access
- Classifies login attributes on a spectrum, from normal, routine and exactly as expected, to highly suspicious and completely unexpected;
- You decide how much risk you allow.
8.3.Passwordless
- Using gestures to sign in;
- Using a PIN or biometrics with Windows devices;
- Windows Hello supports a Bluetooth link, so when you leave your computer, Windows Hello locks it as soon as you are some meters away.
8.4.Role-Based Access Control (RBAC)
- Microsoft's preferred solution for authorization to resources;
- It only has allow rules (following the principle of least privilege);
- 3 basic roles:
- Reader;
- Contributor (has all access, but can't give access to others);
- Owner.
8.5.Zero-Trust Model of Security
- You can't trust any connection, regardless of where it comes from, so you force everybody to prove their identity.
- Principles:
- Verify Explicitly;
- Use least privileged access;
- Assume breach.
- Use every available method to validate identity and authorize it;
- Just in Time (JIT);
- Just Enough Access (JEA).
- Security even inside the network;
- Encryption, segmentation and threat detection.
- Devices: ensure compliance and health status;
- Applications: appropriate in-app permissions, monitor user actions;
- Data: data driven protection, encryption and restrict access;
- Infrastructure: robust monitoring to detect attacks, block and flag risky behavior;
- Network: encrypt all communications.
8.6.Defence in Depth
- Security layers all across your application.
- There are 5 layers:
1. Identity and Access
- RBAC;
- MFA;
- Central ID Management;
- Identity Protection;
- Privileged Identity Management.
2. Apps and Data Security
- Encryption;
- Confidential Computing;
- Key Management;
- Certificate Management;
- Information Protection.
3. Network Security
- DDoS Protection;
- NG Firewall;
- Web App Firewall;
- Private Connections;
- Network Segmentations.
4. Threat Protection
- Antimalware;
- AI - Based Detection and Response;
- Cloud Workload Protection;
- SQL Threat Detection;
- IoT Security.
5. Security Management
- Log Management;
- Security Posture Assessment;
- Policy and Governance;
- Regulatory;
- SIEM.
8.7.Azure Firewall
- You can restrict traffic to multiple virtual networks in multiple subscriptions;
- Managed;
- Stateful;
- Built-in high availability and unrestricted cloud scalability.
8.8.Microsoft Defender
- You have all types of Defender in one service, like servers, App Service, SQL, Storage, Key...
- Provides protection against DC and local threats;
- Has a free trial;
- Pattern: all access is denied by default;
- Has a dashboard to see how all mechanisms are doing;
- Rates you on protection recommendations to improve your security.
8.9.Microsoft Service Trust Portal
- A list of standards that Microsoft follows, pen test results, security assessments, white papers, FAQs, and other documents that can be used to show Microsoft's compliance efforts.
8.10.Azure Security Center
- It's a security dashboard that contains all the security and threat protection in one place.
9. Cost Management in Azure
9.1.Factors that affect cost in Azure
- Time;
- Consumption (storage, compute, bandwidth);
- Service Tier;
- Computing Power (vCPUs, RAM, CPU Type);
- Software Licenses;
- Bandwidth (Egress from Azure);
- First 5GB outbound is free.
- Bandwidth (Between Azure Regions);
- Ingress bandwidth is free.
- IP Addresses;
- Reservations;
- Per Transaction.
9.2.Total Cost of Ownership Calculator (TCO)
- Compare the cost of cloud (Azure) to On Premises, including all type of costs (hardware, software, electricity, backups, cooling, etc).
9.3.Pricing Calculator
- You can create cost estimates for Azure.
9.4.Azure Cost Management
- A set of tools for managing and optimizing existing costs;
- Free;
- Analyze spending over time;
- Track against budgets;
- See all your past invoices;
- Schedule reports;
- Resource tags (metadata);
- Helps with billing and support issues.
9.5.Best Practices to Reduce Costs
- Use Azure Advisor cost tab for recommendations;
- Auto shutdown of Dev resources;
- Utilize storage lifecycle;
- Utilize reserved instances if you'll use a VM for a long period;
- Configure alerts when billing exceeds an expected level;
- Use Azure Policy to prevent excessive spending;
- Implement automatic scaling to reduce costs;
- Downsize resources that are bigger than your need;
- Use tags to identify named owners/projects of running resources in Azure.
10. Governance and Compliance
10.1.Azure Policy
- Create rules for some/all resources and groups;
- Evaluate compliance with those rules;
- Can operate a custom policy written in JSON;
- Scope: Management Group + Subscription + Resource Group.
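As an added illustration of a custom policy written in JSON and evaluated for compliance, here is example code written for this guide (not Microsoft's policy engine): two constructed definitions in the portal's `policyRule` shape, a deny on disallowed locations and an audit for a missing owner tag, are evaluated against two made-up resources. The condition set (`equals`, `notIn`, `exists`, `allOf`...) is a subset of the real policy language; the policy names, resource names, locations and tags are invented.

```python
import json

# Constructed example (not Microsoft's policy engine): evaluates the
# "policyRule" of simple custom Azure Policy definitions, written in the
# JSON shape the portal uses, against resource descriptions and reports
# which effect applies. Supported conditions are a subset of the real
# language: equals, notEquals, in, notIn, exists, allOf, anyOf, not.
# Azure compares strings case-insensitively, so values are normalised.

# Two constructed custom policies, keyed by a name used only here.
POLICIES = {
    "allowed-locations": json.loads("""
    {
      "mode": "All",
      "policyRule": {
        "if": { "field": "location", "notIn": ["brazilsouth", "eastus"] },
        "then": { "effect": "deny" }
      }
    }"""),
    "require-owner-tag": json.loads("""
    {
      "mode": "Indexed",
      "policyRule": {
        "if": { "field": "tags['owner']", "exists": "false" },
        "then": { "effect": "audit" }
      }
    }"""),
}


def _norm(value):
    """Lower-case strings (and lists of strings) for case-insensitive comparison."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value


def _field(resource, name):
    """Read a policy field from a resource; tags use the tags['key'] form."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def _condition(cond, resource):
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in _norm(cond["in"])
    if "notIn" in cond:
        return value not in _norm(cond["notIn"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource):
    """Effect name ('deny', 'audit', ...) when the 'if' block matches, else None."""
    rule = policy["policyRule"]
    if _condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return None


def compliance_report(policies, resources):
    """Map each non-compliant resource name to its [(effect, policy name), ...] hits."""
    report = {}
    for res in resources:
        hits = []
        for name, policy in policies.items():
            effect = evaluate_policy(policy, res)
            if effect is not None:
                hits.append((effect, name))
        if hits:
            report[res["name"]] = hits
    return report


# Constructed resources as they might appear in a subscription.
RESOURCES = [
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "location": "BrazilSouth", "tags": {"owner": "team-a"}},
    {"name": "vm-test", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {}},
]

if __name__ == "__main__":
    print(json.dumps(compliance_report(POLICIES, RESOURCES), indent=2))
```

In the real service a `deny` effect is applied at deployment time through the ARM layer, so the non-compliant VM above would never have been created, while `audit` only records the finding in the compliance view; the model returns the effect name so both cases can be seen from one evaluation.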
10.2.Microsoft Purview
- It's a big centralized dashboard for all your data governance;
- Some features:
- Auditing;
- Communication Compliance;
- Data Map and Data Catalog;
- eDiscovery;
- Information Protection;
- Insider Risk Management;
- Data lifecycle management;
- Data loss prevention;
- Compliance Manager.
10.3.Azure Blueprint
- Defines a repeatable set of Azure resources that implements and adheres to an organization's patterns and requirements;
- It's a way to define templates for subscriptions: new subscriptions already come with a default set of users and policies, instead of having to set up each subscription before using it and possibly missing a security policy.
10.4.Resource Locks
- There are 2 types: "read only" and "cannot delete";
- Lock Access Control (LAC): you can use RBAC to restrict who can update, delete or add locks.
11. Deploying Tools
11.1.Azure ARC
- Allows you to manage VMs, DCs and Containers outside of Azure as if they were Azure VM Servers and Containers;
- It's cross-platform, hybrid VM and Container management;
- Features:
- Consistent management for servers across your environment;
- Azure VM extensions allow Azure tools to work for monitoring, security and updates;
- Supports data services;
- Works with Kubernetes Clusters;
- Works with Azure Policy.
- Servers:
- Manage Windows/Linux physical servers and VMs outside of Azure by installing Azure VM extensions on non-Azure Windows and Linux VMs;
- Collect log data for Log Analytics and Monitor;
- Use VM insights to analyze performance;
- Download and execute scripts on hybrid-connected machines;
- Refresh certificates using Key Vault.
11.2.Infrastructure as Code (IaC)
- Covers all servers, storage, DB settings, network settings, firewalls, load balancers, etc.;
- You define your desired infrastructure in a configuration file;
- Desired Configuration File (DCF):
- Uses automation to ensure your configuration doesn't drift from the original setup.
- IaC Options:
- ARM Templates (JSON);
- Bicep;
- Terraform;
- Chef, Puppet;
- PowerShell scripts;
- CLI;
- Azure Portal;
- SDK/REST API...
11.3.ARM Templates (Azure Resources Manager)
- Used to manage IaC;
- Pieces of code/files that allow you to define what your infrastructure needs to be;
- A management layer that allows you to create/update/delete resources, called deployments;
- All actions you take to manage your resources go through the ARM layer;
- The most common resource for deployments.
11.4.Azure Cloud Shell
- You can run scripts using Bash or PowerShell;
- It gives access to the CLI and PowerShell consoles in the Azure Portal (CLI and PowerShell aren't entirely compatible with each other).
11.5.Azure Services LifeCycle
- Private Preview: Available only to a selected audience; Microsoft invites select participants to test and provide feedback on new features or services before a wider release.
- Public Preview: Available to all Azure customers with an active subscription, but with some limitations;
- General Availability (GA): Available to all customers.
12. Monitoring Tools
12.1.Azure Advisor
- Analyzes your account and makes recommendations following 5 pillars:
- Cost;
- Security;
- Reliability;
- Operational excellence;
- Performance.
12.2.Azure Service Health
- It's a dashboard tool to track the health of resources in all the regions you're using;
- You can see service/resource health across all regions, not only the ones you use.
12.3.Azure Monitor
- It's a centralized dashboard of all the logging and analytics across your account;
- You can use it for other clouds and on premises too;
- Collects all the logs from various resources into a central dashboard, where you can run queries, view graphs, and create alerts on certain events.
Thanks for reading till the end 😃
Hope it helps you and increases your cloud knowledge. ☁️ 😎
📍 If you want, you can find me on LinkedIn
Top comments (1)
Great article! Thanks for sharing with the community!
🦀🚀