- Exam domains: 20-25% cloud concepts; 15-20% core Azure services; 10-15% core solutions and management tools; 10-15% general security and network security; 20-25% identity, governance, privacy, and compliance; 10-15% cost and service level agreements (SLAs)
- Cloud computing: companies consume computing resources (virtual machine, storage, apps) as a utility like electricity instead of building/maintaining computing infrastructure in-house (https://searchcloudcomputing.techtarget.com/definition/cloud-computing).
- Three types of cloud computing that are all supported by Microsoft Azure:
- Infrastructure as a Service (IaaS): you handle apps, middleware, OS, routing, and data while the vendor handles virtualization, servers, storage, and networking. Azure examples: Azure Compute and Azure Storage. Commonly used for test and development, storage and backups, high-performance computing, and big data analysis.
- Platform as a Service (PaaS): you handle apps and data; the vendor handles OS, middleware, routing, virtualization, servers, storage, and networking. Azure examples: Azure Logic Apps, Azure Functions, Azure WebJobs, and Azure Automation. Common uses include analytics and business intelligence as well as development frameworks.
- Software as a Service (SaaS): you don't handle anything; everything is handled by the vendor. Azure examples: SharePoint, OneDrive for Business, Microsoft Teams, and Power Platform. Common scenarios include access to sophisticated apps and mobilizing your workforce easily.
- CapEx: cost spread over the useful life of an asset, can't be deducted within a single fiscal year; OpEx: expenses deducted in the same year they are made
- 4 deployment models for cloud computing:
- Public: third party provider with hardware among multiple clients
- Private: hardware used by company owning hardware alone
- Hybrid: combo of public and private
- Community: Infrastructure shared between several organizations from a specific community with common concerns (Azure Government provides this)
- Azure data centers: cost effective; ITPACs: pods of servers with their own electricity and cooling; data centers are secure and energy efficient: carbon neutral since 2012 and 100% renewable energy by 2025; Project Natick (underwater data center off Scotland that uses seawater for cooling)
- Choose where data for most services (like a storage account) is stored: a region (regions are usually 300+ miles apart, offer high availability (HA), and contain availability zones)
- Resources in Azure: VMs, storage accounts, web apps, databases, VNETs, etc.
- Resource group: contains a set of resources that share the same lifecycle; container for security boundaries; its infrastructure can be exported as code using Resource Manager templates; resources in one group can be in different regions
- Created in portal.azure.com; deleting the group deletes all of its resources; tags can be added
- Install Azure CLI -> 2 ways: download it for Windows/Mac/Linux and run az login; or in the Azure Portal click Azure Cloud Shell
- az group list, az resource list
- Infrastructure as Code templates: JSON describing infrastructure and configuration; deployed from GitHub, PowerShell and Azure CLI, or the REST API
- Export resource: open the resource -> Export template, download the zip (can also add it to the library), deploy to another resource group
- Service Health: service issues, planned maintenance, health advisories, security advisories, resource health, alert rule management (create alert rule)
- Monitor: Activity log, Alerts, Metrics, Logs, Service Health, Workbooks
- Insights: Apps, Virtual Machines, Networks (preview), Storage accounts
- Microsoft Azure app from Google Play or the iOS App Store -> connects to Cloud Shell, alerts, Service Health
- Start VMs; Microsoft Remote Desktop if you have it
- Advisor: optimize and reduce spending by finding idle and underused resources; recommendation categories:
- Security - access configuration
- Reliability
- All recommendations
- Advisor Alert
- Azure core products: VMs, containers, App Service, serverless computing -> Azure Compute (new resources, PaaS), pay only for what you use
- Azure Virtual Machines: IaaS, full operating system control, you maintain and patch the VM; creating a VM: choose the image, size, and availability options
- VM Scale Sets: multiple VMs behind load balancing, scale out/in, spread across fault domains and update domains, pay only for the underlying resources. Can install custom software, shut down to save cost manually or on a schedule, hybrid cloud possible, lift-and-shift migration (Site Recovery, Azure Migrate; connect via SSH, or RDP for Windows)
- Containers: app in an isolated package that includes its runtime and libraries
- Same across different deployments (Azure Container Registry). Hosting options for containers: local workstation, on-premises servers, VMs in Azure, Azure Container Instances (ACI), Azure Kubernetes Service (AKS), Azure App Service
- AKS: Container management system in Azure, scale out container-based apps, monitoring and deploying containers, pods are groups of containers, nodes are virtual machines, can leverage VM Scale Sets, Azure Container Registry, Azure Monitor
- Create container instances (ACI)
- Azure App Service: like traditional web hosting, framework runtimes installed on servers, handles the web servers for you; hosts web apps, APIs, mobile apps, containers, WebJobs
- URL: https://<service name>.azurewebsites.net
- Creation steps: Basics, Docker, Monitoring, Tags, Review and create
- Serverless compute: Functions (run custom code started by triggers), Logic Apps (designer in the portal, started by triggers, large library of connectors), Azure Event Grid (connects data sources and event handlers)
- Application Gateway Features:
- SSL Termination, Autoscaling, Session Affinity, HTTP Header Rewriting, Advanced Routing, Web App Firewall (WAF)
- ExpressRoute: pricing (unlimited or metered data, per GB outbound), bandwidth (50 Mbps to 10 Gbps, or 100 Gbps with ExpressRoute Direct), redundancy
- VNet -> subnets for resources; DNS -> default or custom; public IP address: configure a DNS name label for the IP
- Windows Virtual Desktop: full desktop remotely, like Remote Desktop Services (RDS); clients for PC, Mac, iOS, Android, HTML5
- Windows Virtual Desktop: Azure AD, multi-factor auth, supports Windows Server 2012 R2/2016/2019 and Windows 7 & 10 Enterprise
- Azure CDN: network of servers that cache data (lower latency, traffic offloaded from the source); typically static content, but dynamic content is also possible
- CDN endpoint for content
- Dynamic Site Acceleration -> for dynamic data; route optimization, TCP optimization
- Data storage: flexible solutions to new and old problems, storage services for specific data types, Azure data storage options
- Categories of Data include:
- Structured Data: Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL
- Unstructured Data: Blob/File/Disk
- Semi-structured: Cosmos DB
- SQL Server on a VM -> full control, provisioned from Azure Marketplace, flexible pricing options, automatic updates and Azure Backup
- Azure SQL Database: PaaS, latest SQL Server version, flexible pricing model (vCore, DTUs), single database or elastic pool, autoscaling
- Azure Database for MySQL: open-source tools, MySQL Community Edition, flexible pricing options, high availability, dynamic scalability, encryption, automated patching and backup
- Azure SQL Managed Instance: SQL Server instance set up on a VM in its own VNet
- Azure Database for PostgreSQL: geometric data types, extensions for GIS, Single Server and Hyperscale options (faster response time, 100 GB+), geo-replication (disaster recovery, in region), connection string, auditing, dynamic data masking
- Allow client IP addresses in the server firewall; data encryption
- Cosmos DB: global distribution, multi-model, fast response times, backed by SSD storage; APIs: SQL API, Cassandra, MongoDB, Gremlin, Azure Table Storage
- Data Explorer
- Azure Storage Account: Blob (unstructured), File, Disk (VM disks, page blobs), Table (NoSQL structured non-relational data), Queue (async messaging for apps)
- Authorization to data: RBAC in Azure AD, storage account keys, shared access signatures ("SAS token" for the storage account, with a validity period)
- Programmatic access to storage accounts: REST API, SDKs, PowerShell, Azure CLI, Azure Storage Explorer, AzCopy
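The notes say a SAS token is scoped and has a validity period, but not why that limits the damage of a leaked token. The block below is an added example, not Azure's SAS format and not the Azure SDK: it models a token carrying a resource path, permissions, start and expiry, signed with an HMAC over those fields using the account key, and it shows a verifier rejecting expired, over-privileged, tampered and mis-scoped tokens. The field names, demo key, resource path and fixed clock are all constructed for the example.

```python
# Added example (not Azure's actual SAS format or SDK): a simplified model of a
# shared access signature. The token carries the permissions, start and expiry,
# plus an HMAC over those fields made with the account key; the key itself
# never leaves the issuer, and any edit to the token breaks the signature.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key (a real account key is a base64-encoded 512-bit value).
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-account-key-0123456789abcdef").decode()
# Fixed clock so the demo below is reproducible.
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def mint_sas(key_b64, resource, permissions, start, expiry):
    """Issue a token for one resource path, valid from start until expiry (UTC)."""
    fields = {"sr": resource, "sp": permissions,          # assumed field names
              "st": start.strftime(FMT), "se": expiry.strftime(FMT)}
    fields["sig"] = _sign(key_b64, "\n".join(fields[k] for k in ("sr", "sp", "st", "se")))
    return urlencode(fields)


def check_sas(key_b64, token, resource, wanted, now):
    """Validate a presented token for one operation; returns (allowed, reason)."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    if any(k not in q for k in ("sr", "sp", "st", "se", "sig")):
        return False, "malformed"
    expected = _sign(key_b64, "\n".join(q[k] for k in ("sr", "sp", "st", "se")))
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "bad signature"          # any edited field breaks the MAC
    start = datetime.strptime(q["st"], FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return False, "outside validity period"
    if q["sr"] != resource:
        return False, "wrong resource"
    if wanted not in q["sp"]:
        return False, "permission not granted"
    return True, "ok"


def demo():
    """Five checks against one read-only token valid for an hour."""
    path = "/reports/q1.csv"                     # constructed resource path
    tok = mint_sas(ACCOUNT_KEY, path, "r", T0, T0 + timedelta(hours=1))
    edited = tok.replace("sp=r&", "sp=rw&")      # client edits the token to add write
    soon, late = T0 + timedelta(minutes=5), T0 + timedelta(hours=2)
    return (
        check_sas(ACCOUNT_KEY, tok, path, "r", soon)[1],
        check_sas(ACCOUNT_KEY, tok, path, "r", late)[1],
        check_sas(ACCOUNT_KEY, tok, path, "w", soon)[1],
        check_sas(ACCOUNT_KEY, edited, path, "w", soon)[1],
        check_sas(ACCOUNT_KEY, tok, "/reports/q2.csv", "r", soon)[1],
    )


if __name__ == "__main__":
    print(demo())
```

The verifier checks the signature before it looks at anything else, so the start, expiry and permission fields are only trusted once the MAC proves the issuer wrote them; the short expiry is what bounds the exposure if the token leaks.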
- Azure Files: supports the SMB protocol (mount on multiple VMs, file share with a drive letter), good for migration scenarios, also accessible through a REST interface
- Blob -> Binary Large OBject; three blob types:
- Block - text/binary
- Append - logs (append only)
- Page -> up to 8 TB, VM disks and databases
- Cost effective for large files; access tiers:
- Hot Tier -> frequent
- Cool Tier -> infrequent
- Archive -> rare access (offline tier; retrieval takes hours)
- Snapshots, leases, soft delete, static website, CDN integration, Azure Search Integration
- Data Migration:
- Azure Database Migration Service (DMS): migrate to Azure from other on-premises or cloud platforms (process -> choose target, authentication)
- IoT: devices and sensors linked to each other and to the internet -> alerts, insights, actions
- Issues: no standards yet (IEEE is working on them); security
- Azure IoT Central: managed app platform, built-in device profiles, industry-specific templates (set up URL, app ID, duplicate instance), free for 7 days
- Azure IoT Hub: platform service, bi-directional communication, auto-provisioning of device objects, SDKs, APIs, auth (X.509 certificates, shared access signatures)
- Azure Sphere: app platform and foundation for IoT devices, one component of an IoT solution; devices also use the Azure Sphere service
- Big Data Solutions
- Azure HDInsight: open-source analytics tools, Apache Hadoop, cluster of compute nodes, on-demand scalability and auto scale, integration with Azure services for building analytics pipelines
- Features: Hadoop Distributed File System (HDFS), MapReduce for batch processing, supports Apache Spark, familiar open-source tools, supports newer development environments
- Azure Databricks: Databricks is a company outside Microsoft; Azure hosts the Databricks platform, which is based on Apache Spark: fully managed Spark clusters, workspace for visualizing data, serverless option, notebooks, interactive dashboards, integration with other Azure services
- Azure Synapse Analytics: formerly Azure SQL Data Warehouse; a storage component plus analytics (SQL technologies, Spark analytics, pipelines for orchestration, serverless or provisioned options, Spark languages and T-SQL, ETL functionality, integration with Azure services)
- Open it with Launch Synapse Studio from the resource or its resource group (URL is web.azuresynapse.net)
- Synapse Studio sections: Data, Develop, Orchestrate, Monitor, Manage
- Azure Machine Learning: uses existing data to forecast future behaviors, outcomes and trends; a model is trained on known data and makes predictions for unknown data; Machine Learning Studio (ml.azure.com)
- Notebooks, Automated ML (preview), Designer (preview), Datasets (created from multiple forms of data storage)
- Cognitive Services: prebuilt AI capabilities. Services include Vision (process and catalog images and generate captions, Video Indexer, optical character recognition for many languages including typed & handwritten text, Face API, Form Recognizer), Speech (speech to text and text to speech, speaker recognition), Language (Language Understanding API, sentiment analysis, Translator service – 70+ languages), Web Search (Bing Web Search, Custom Search, Image Search, Entity Search, News Search, Video Search, Visual Search, Autosuggest, Spell Check, Business Search APIs), and Decision (Anomaly Detector API, Content Moderator, Personalizer)
- Azure Bot Service: virtual assistant that responds to questions using natural language processing; tools: Bot Framework SDK, Bot Framework Composer desktop app, or the Emulator (requires .NET Core SDK 3.1+); deploy to an App Service or a Function App
- DevOps solutions in Azure: host Git repos; collaboration tools (tracking of tasks and responsibilities, work broken into iterations); dev.azure.com
- Azure DevOps Boards supports popular project management methods (Agile, Scrum, Basic, CMMI); work items can be linked to pull requests, code commits, tests, builds, architectural diagrams
- Azure DevOps Pipelines and GitHub Actions:
- DevOps CI/CD – continuous integration, continuous deployment
- DevOps Pipelines: build and release pipelines defined in YAML files; run tests during the pipeline and create reports within it, publish artifacts, publish ARM templates to create resources in Azure; code can be pulled from Azure Repos or an external repo like GitHub (spinning blue icon = pipeline running normally)
- GitHub Actions: like Azure DevOps Pipelines; YAML; builds code on Windows, Linux and Mac agents; GitHub Actions run within workflows
- Azure DevTest Labs:
- Base images for VMs and preconfigured images, existing VMs in a pool, auto-start and auto-stop of VMs, constraints on the resources a developer can create (size of VM, number of VMs)
- Use for developer desktops, test environments/sandboxes, hands-on labs
- Microsoft Azure Security & Privacy Concepts:
- Authentication (proving who or what something is, e.g. a user logging in with a password or biometrics, or proving that someone is a member of staff) vs. Authorization (the correct level of access to resources, e.g. access to certain files, can the user create a VM?, which buildings someone can enter)
- Azure Active Directory: registers users and computers, no group policies, no trust relationships, app management
- Active Directory Domain Services: registers users and computers, group policies, trust relationships, app/device management & deployment, Kerberos and NTLM support, schema management, hierarchical directory service; PaaS
- Accounts: full-time IT staff, full-time users, contractors
- Azure AD Single Sign-On: key feature of Azure AD, extends sign-in to 3rd-party apps
- Ask: off-site access? multi-factor access? devices (restrict to some devices)?
- Azure AD Conditional Access: uses signals to make decisions, with conditions that work like if-then statements. Decisions are based on IP location info, risk analysis, device info, and the app being accessed. The result can block access or grant access (possibly still requiring MFA or a joined device)
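To make the if-then shape concrete, here is an added toy evaluator for Conditional Access style policies (example code, not Microsoft's implementation). Signals from a sign-in (source IP against a trusted range, risk level, device compliance, target app) are matched against policy conditions, and the controls are block, require MFA, or require a compliant device. The policy names, app names, user names and the 203.0.113.0/24 "office" range are constructed for the demo.

```python
# Added example, not Microsoft code: a toy model of Conditional Access.
# Each policy = assignment (which apps) + condition on sign-in signals + control.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

TRUSTED_IPS = ipaddress.ip_network("203.0.113.0/24")   # constructed "office" range


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    risk: str               # "low", "medium" or "high", the risk-analysis signal
    device_compliant: bool  # device signal from device management
    mfa_completed: bool     # whether the user already passed MFA in this session


@dataclass
class Policy:
    name: str
    apps: set                          # assignment: {"*"} means all cloud apps
    condition: Callable[[SignIn], bool]
    control: str                       # "block", "require_mfa", "require_compliant_device"


def from_untrusted_network(s: SignIn) -> bool:
    return ipaddress.ip_address(s.ip) not in TRUSTED_IPS


POLICIES = [
    Policy("Block high-risk sign-ins", {"*"}, lambda s: s.risk == "high", "block"),
    Policy("MFA outside trusted locations", {"*"}, from_untrusted_network, "require_mfa"),
    Policy("Compliant device for admin portal", {"Azure Portal"},
           lambda s: True, "require_compliant_device"),
]


def evaluate(signin: SignIn, policies: List[Policy]):
    """Return (decision, matched policy names). A block from any matched policy
    wins; otherwise every grant control of every matched policy must be met."""
    matched = [p for p in policies
               if ("*" in p.apps or signin.app in p.apps) and p.condition(signin)]
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return "block", names
    unmet = set()
    for p in matched:
        if p.control == "require_mfa" and not signin.mfa_completed:
            unmet.add("mfa")
        if p.control == "require_compliant_device" and not signin.device_compliant:
            unmet.add("compliant_device")
    if unmet:
        return "require:" + "+".join(sorted(unmet)), names
    return "grant", names


def demo():
    """Four constructed sign-ins, one per outcome."""
    cases = [
        SignIn("alice", "Microsoft Teams", "203.0.113.10", "low", True, False),    # office, low risk
        SignIn("alice", "Microsoft Teams", "198.51.100.7", "medium", True, False), # home, no MFA yet
        SignIn("bob", "Azure Portal", "203.0.113.10", "low", False, True),         # unmanaged laptop
        SignIn("carol", "Azure Portal", "198.51.100.7", "high", False, True),      # risky sign-in
    ]
    return [evaluate(c, POLICIES)[0] for c in cases]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that "grant" is not the absence of a match: the second and third sign-ins match a policy and are held until the extra control is satisfied, which is the behaviour the notes describe as "grant access but still enforce MFA or a joined device".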
- RBAC: assign roles to users, and permissions to roles. 3 main built-in roles: Owner, Contributor (can make changes but can't grant access), Reader (view only, no changes). Use built-in roles or custom roles that take a built-in role as a template (apply least privilege). Users are created or invited in the Default Directory; resource locks (delete or read-only) can be assigned to a resource group
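The three built-in roles differ only in which actions they allow and which they carve out, and an assignment at one scope applies to everything beneath it. The block below is an added model of that (example code, not Azure's implementation): role definitions as action patterns with NotActions, assignments at subscription, resource group and resource scope, and a custom "VM Operator" role trimmed to the few actions an operator needs. The subscription id is a placeholder, and the principals, resource names and the shortened Contributor NotActions list are constructed for the demo.

```python
# Added example, not Azure's RBAC engine: roles = action patterns minus
# NotActions; assignments bind a principal to a role at a scope; a scope
# inherits assignments made on its parents.
from fnmatch import fnmatchcase

# Simplified from the built-in definitions (Contributor's real NotActions list is longer).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # Custom role built from the Contributor template, cut down to least privilege.
    "VM Operator (custom)": {"actions": ["Microsoft.Compute/virtualMachines/read",
                                         "Microsoft.Compute/virtualMachines/start/action",
                                         "Microsoft.Compute/virtualMachines/restart/action"],
                             "not_actions": []},
}

# Scope paths follow the Azure resource-ID layout; the ids and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-02"

ASSIGNMENTS = [                       # (principal, role, scope)
    ("alice", "Owner", SUB),
    ("bob", "Contributor", RG),
    ("carol", "Reader", RG),
    ("dave", "VM Operator (custom)", VM),
]


def _match(pattern, action):
    # Azure action names are case-insensitive; '*' spans segments like fnmatch's does.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    r = ROLES[role]
    allowed = any(_match(p, action) for p in r["actions"])
    excluded = any(_match(p, action) for p in r["not_actions"])
    return allowed and not excluded


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """True if any assignment at this scope or a parent scope grants the action."""
    for who, role, assigned_scope in assignments:
        if who != principal:
            continue
        inherited = scope == assigned_scope or scope.startswith(assigned_scope + "/")
        if inherited and role_permits(role, action):
            return True
    return False


if __name__ == "__main__":
    for who, action, scope in [("bob", "Microsoft.Authorization/roleAssignments/write", RG),
                               ("dave", "Microsoft.Compute/virtualMachines/start/action", VM),
                               ("dave", "Microsoft.Compute/virtualMachines/start/action", VM2)]:
        print(who, action, scope.rsplit("/", 1)[-1], is_allowed(who, action, scope))
```

The two checks worth noticing are that Contributor on the resource group can change VMs but not hand out role assignments (the NotActions carve-out), and that the custom role assigned at one VM gives nothing on its sibling VM (scope inheritance only flows downward).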
- Governance tools: enforce security and technical requirements
- Azure tags: key/value pairs on resources; organizations should have a tagging policy enforced by Azure Policy (a collection of rules -> policy definition, assignment, parameters); tags can be used to enforce security requirements, control costs, deploy software
- Initiatives: a group of policies assigned to a scope such as a resource group, with a definition, an assignment, and parameters
- Built-in policies: allowed storage account SKUs, allowed locations, allowed resource types, enforce tags, allowed virtual machine SKUs
- Dashboard -> Policy
- Authoring: Assignments, Definitions (can sort by name, definition location, type, policies, etc.), Exemptions
- Create an initiative with a new initiative definition -> add policy definitions
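To show the definition -> assignment -> parameters flow end to end, here is an added toy evaluator (example code, not the Azure Policy service) for definitions written in Azure Policy's if/then JSON shape. It covers three of the built-in policy types the notes list, require a tag, allowed locations and allowed storage SKUs, grouped as an initiative with its parameter values, and it checks constructed resource records against them. The evaluator only implements the operators these rules use, the field aliases are simplified (a dotted path such as sku.name instead of Azure's full alias), and the tag name, locations, SKU list and resource records are constructed for the demo.

```python
# Added example, not the Azure Policy engine: evaluates definitions written in
# Azure Policy's if/then shape against resource records. Effects: deny blocks
# deployment, audit only records a finding.
import re

# Simplified forms of built-in policies (real ones carry more conditions).
REQUIRE_TAG = {
    "name": "Require a tag on resources",
    "policyRule": {"if": {"field": "tags['costCenter']", "exists": "false"},
                   "then": {"effect": "deny"}},
}
ALLOWED_LOCATIONS = {
    "name": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {"if": {"allOf": [
                       {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                       {"field": "location", "notEquals": "global"}]},
                   "then": {"effect": "deny"}},
}
AUDIT_SKU = {
    "name": "Audit storage accounts outside the approved SKU list",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {"if": {"allOf": [
                       {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                       {"not": {"field": "sku.name", "in": "[parameters('listOfAllowedSKUs')]"}}]},
                   "then": {"effect": "audit"}},
}

# Initiative: the definitions plus the parameter values given at assignment time.
INITIATIVE = [
    (REQUIRE_TAG, {}),
    (ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["eastus", "westeurope"]}),
    (AUDIT_SKU, {"listOfAllowedSKUs": ["Standard_LRS", "Standard_GRS"]}),
]

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def resolve(value, params):
    """Replace a [parameters('x')] reference with the assigned value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def field_value(resource, field):
    m = TAG_RE.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    value = resource
    for part in field.split("."):      # simplified alias: dotted path into the record
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def holds(cond, resource, params):
    if "not" in cond:
        return not holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource, params) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(resource, initiative=INITIATIVE):
    """Return [(policy name, effect)] for every policy whose 'if' matches."""
    hits = []
    for definition, params in initiative:
        rule = definition["policyRule"]
        if holds(rule["if"], resource, params):
            hits.append((definition["name"], rule["then"]["effect"]))
    return hits


def is_deployable(resource, initiative=INITIATIVE):
    return not any(effect == "deny" for _, effect in evaluate(resource, initiative))


# Constructed resource records for the demo.
GOOD = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
        "tags": {"costCenter": "1234"}, "sku": {"name": "Standard_LRS"}}
BAD = {"type": "Microsoft.Storage/storageAccounts", "location": "westus",
       "tags": {}, "sku": {"name": "Premium_LRS"}}
AUDIT_ONLY = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
              "tags": {"costCenter": "1234"}, "sku": {"name": "Premium_LRS"}}

if __name__ == "__main__":
    for name, r in (("good", GOOD), ("bad", BAD), ("audit-only", AUDIT_ONLY)):
        print(name, is_deployable(r), evaluate(r))
```

The deny/audit split is the point to take from the run: the audit-only record deploys but leaves a finding, while the untagged record in a disallowed region is refused outright.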
- Azure Blueprints: orchestrate deployment of resource templates and artifacts; blueprints keep a relationship with the deployed resources; blueprints include Azure Policy definitions & initiatives as well as artifacts such as roles. Definition (resource groups are defined and created, Resource Manager templates can be included to deploy resources, policies can be included, and roles can be assigned to the resources the blueprint creates) and publishing (Home > Blueprints)
- Azure Advisor security assistance: Azure Advisor integrates with Azure Security Center; the security assistance helps prevent, detect and respond to threats; should be used every day; configuration is managed through Security Center
- Defense in depth: physical security, identity and access, perimeter, network and app, compute and data
- Network Security Groups (NSGs): filter traffic (allow or deny inbound & outbound); NSGs contain rules ordered by a priority number from 100 to 4096, processed from lowest to highest priority number, and the first matching rule decides.
- Attached to subnets or network interface cards; each NSG can be linked to multiple resources; stateful; each rule includes name, priority, source and destination, protocol, direction, port range, action
- Problems: can become complex and hard to maintain
- Solve with service tags, the default security rules, and application security groups
- Application Security Groups: reference a group of resources and are used as source/destination in network security group rules; network security groups are still required (consider N-tier apps, DMZs, automation)
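The five NSG lines above describe a rule-ordering machine, so here is an added model of it (example code, not Azure's data plane) that covers service tags, the default inbound rules and application security groups together: rules are sorted by priority, the first rule whose direction, protocol, addresses and ports all match decides, and the 65000+ default rules catch what custom rules leave unmatched. The VNet range, the ASG membership, the rule names and the sample flows are constructed; the "Internet" tag is simplified to "anything outside the VNet", and only inbound rules are modelled (return traffic for a stateful allow is not simulated).

```python
# Added example, not Azure code: first-match-by-priority evaluation of NSG
# inbound rules, with service tags and application security groups resolved
# to address sets. Inbound only; the defaults below are Azure's default
# inbound rules, everything else is constructed for the demo.
import ipaddress
from dataclasses import dataclass

VNET = [ipaddress.ip_network("10.0.0.0/16")]            # constructed VNet address space
AZURE_LB = [ipaddress.ip_network("168.63.129.16/32")]    # Azure load balancer probe address
# Application security groups: a named set of NIC addresses (constructed).
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-db": {"10.0.2.4"}}


@dataclass
class Rule:
    priority: int
    name: str
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, service tag, ASG name or "*"
    source_port: str  # "*", "443" or a range like "1024-65535"
    destination: str
    dest_port: str


def addr_matches(spec, ip):
    a = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(a in n for n in VNET)
    if spec == "AzureLoadBalancer":
        return any(a in n for n in AZURE_LB)
    if spec == "Internet":                       # simplification: not in the VNet
        return not any(a in n for n in VNET)
    if spec in ASGS:
        return ip in ASGS[spec]
    return a in ipaddress.ip_network(spec)


def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*", "*", "*"),
]
CUSTOM = [
    Rule(100, "allow-https-from-internet", "Inbound", "Allow", "Tcp", "Internet", "*", "asg-web", "443"),
    Rule(110, "allow-sql-from-web-tier", "Inbound", "Allow", "Tcp", "asg-web", "*", "asg-db", "1433"),
    Rule(120, "deny-sql-from-anywhere-else", "Inbound", "Deny", "Tcp", "*", "*", "asg-db", "1433"),
]
ALL_INBOUND = CUSTOM + DEFAULT_INBOUND


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule name) for the lowest-priority-number rule that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if not (addr_matches(r.source, src_ip) and addr_matches(r.destination, dst_ip)):
            continue
        if not (port_matches(r.source_port, src_port) and port_matches(r.dest_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "no-rule"          # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    flows = [("198.51.100.7", 51000, "10.0.1.4", 443),    # internet -> web tier HTTPS
             ("198.51.100.7", 51000, "10.0.1.4", 22),     # internet -> web tier SSH
             ("10.0.1.4", 40000, "10.0.2.4", 1433),       # web tier -> db tier
             ("10.0.3.9", 40000, "10.0.2.4", 1433)]       # other VNet host -> db tier
    for f in flows:
        print(f, evaluate(ALL_INBOUND, "Inbound", "Tcp", *f))
```

The last flow is the one that shows why explicit ordering matters: without rule 120, the default AllowVnetInBound rule at 65000 would let any VNet host reach the database port, which the final assertion in the test checks.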
- Azure Firewall and User Defined Routes: Azure Firewall is a stateful firewall service, highly available; features include:
- threat intelligence, outbound and inbound NAT support, integration with Azure Monitor, network traffic filtering rules, unrestricted scalability
- DDoS Protection: always-on monitoring with multi-layer protection, analytics, scale and elasticity, as well as protection against unplanned costs. Basic tier (free, backed by an SLA, availability guaranteed, active monitoring) and Standard tier (everything in Basic plus real-time metrics, post-attack reports, access to DDoS experts during an attack and security info; monthly fee plus usage-based charges)
- User Defined Routes: default system routes route traffic between subnets and to the internet; user defined routes override the defaults, e.g. so that traffic can be filtered through a virtual appliance
- Security options: Azure Firewall, network security groups, forced tunneling, Azure DDoS Protection, Marketplace devices, Azure Web Application Firewall
- Security scenarios: controlling internet traffic, an Azure-hosted SQL Server, and routing internet traffic
- Security and reporting tools: Azure Information Protection (AIP) classifies documents and emails by applying labels (labeled docs are protected); AIP labels can be applied automatically, manually, or recommended to users
- Two sides to AIP: classification and protection. 3 security and reporting resources: Azure Monitor (collects, analyzes and acts on telemetry from Azure or on-premises; troubleshooting and performance monitoring; the data it collects takes the form of metrics and logs), Azure Service Health (notifies you of service status with reports on incidents and planned maintenance; offers personalized dashboards, configurable alerts and guidance), Azure Advanced Threat Protection (monitors user activity to identify suspicious events, works with an on-premises Active Directory forest, identifies domain dominance, lateral movement, compromised credentials and reconnaissance attacks)
- Azure Key Vault: centralized storage of app secrets, logging to monitor how secrets are used, centralized administration of secrets, uses FIPS 140-2 Level 2 validated HSMs. Recommended: a separate vault per app or environment, regular backups, turn on logging and alerts, turn on soft delete and purge protection (Dashboard -> Key Vaults: create the key vault and an access policy). Contains keys, secrets, certificates, access policies, firewalls and virtual networks
- Azure Security Center: protects PaaS, compliance, assessment, threat protection, non-Azure services
- Azure Sentinel: cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution; a single solution to collect data at cloud scale, detect previously undetected threats, and investigate threats with AI (connect your security sources with data connectors, deep investigation and hunting, analyze your data using workbooks and analytics, security automation/orchestration using playbooks) (Dashboard > Security Center)
- Azure industry compliance: ensure you follow the laws of governing bodies; people and processes monitor systems to detect and prevent violations; compliance monitoring can be complex; several tools help assess your compliance posture
- Selected Compliance Standards: HIPAA, PCI, GDPR, FedRAMP, ISO 27001
- Azure compliance: global (more than 90 offerings), industry (35+ offerings), Blueprints (deploy compliant environments), proof (access to 3rd-party reports), Azure Security Center
- Azure Service Trust Portal: contents (details of Microsoft's implementation of controls and processes); access (log in as an authenticated user with a Microsoft cloud service account). servicetrust.microsoft.com -> white papers, Azure blueprints and security assessments, Compliance Manager
- Compliance Manager groups -> amount of access and how close your system is to compliance. privacy.microsoft.com for the Microsoft Privacy Statement
- Azure special regions: US Gov (Virginia and Iowa – US government agencies; Level 5 DoD approval and certifications such as FedRAMP and DISA), China (China East and China North through a partnership with 21Vianet), Germany (Germany Central and Germany Northeast – T-Systems); access must be requested
- Trusted Cloud: security, privacy (Microsoft Privacy Statement, Subscription Agreement or MOSA, Online Services Terms or OST), compliance (industry specific – financial, auto, media, energy)
- Understanding Azure subscriptions: start by creating a new subscription, tying it to an account, and then deploying the cloud resources you will consume. Sign up at azure.microsoft.com with a Microsoft account. In the portal, select Subscriptions to create a new one
- Management Groups: Activity Log, access control (IAM), Policies
- Planning and managing costs; account types:
- Free – $200 credit for 30 days, many services free for 12 months, 25+ services always free
- Pay as you go – billed monthly
- Student – $100 credit for 12 months, no credit card required
- Enterprise Agreement – purchase services and software under a single agreement
- Options for Azure purchases: Enterprise Agreement or EA (for large organizations; premier support & dedicated Azure resources; annual spend commitment; customized and deeply discounted), Direct – from Microsoft (bill from Microsoft; self-manage or use a partner for Azure usage management/deployment/provisioning), Indirect – Cloud Solution Provider or CSP (bill and support, or usage and provisioning, come from the CSP)
- Cost is affected by location, service, egress traffic, resource type
- Azure zone – grouping of regions based on billing and data transfer cost
- Zone 1: US, Europe, Canada, UK, France, Switzerland
- Zone 2: East Asia, Southeast Asia, Japan, Australia, India, Korea
- Zone 3: Brazil, South Africa, UAE
- DE Zone 1: Germany
- Pricing calculators: Azure Pricing Calculator, Total Cost of Ownership (TCO) calculator (for migration) – azure.microsoft.com/en-us/pricing/calculator and azure.microsoft.com/en-us/pricing/tco/calculator
- Support plans: Basic (free, 24x7 access to billing and subscription support, online self-help, support forums)
- Go to Azure Portal -> Help + support
- Outside of a support plan: MSDN forums, Server Fault, Stack Overflow, Azure Support (@AzureSupport) on Twitter
- Azure Knowledge Center: common questions from experts, developers, and users
- Azure Service Level Agreements (SLAs): the concept comes from ITIL. An SLA is a commitment between a service provider and its internal or external customers.
- The service provider commits to the standards it will meet for its customers (azure.microsoft.com/en-us/support/legal/sla)
- Composite SLA – an app that uses more than one service; the services have different levels of availability and connectivity (ex: an app with an Azure App Service web app on the front end and Azure SQL Database on the back end)
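The composite SLA arithmetic for the front end plus back end example, as an added worked example (not from the page): services the app needs in series multiply their availabilities, redundant copies combine as 1 minus the product of their unavailabilities, and the result converts to minutes of permitted downtime per month. The 99.95% and 99.99% figures are assumed illustrative values, not quoted from the notes.

```python
# Added example, not from the page: composite SLA calculations.
from math import prod


def serial_availability(*availabilities):
    """App needs every component: A = A1 * A2 * ... (always lower than the weakest part)."""
    return prod(availabilities)


def redundant_availability(*availabilities):
    """App needs any one of redundant components: A = 1 - (1 - A1)(1 - A2)..."""
    return 1 - prod(1 - a for a in availabilities)


def monthly_downtime_minutes(availability, days=30):
    """Downtime the SLA still permits in a month of the given length."""
    return (1 - availability) * days * 24 * 60


def demo():
    web, sql = 0.9995, 0.9999              # assumed SLAs for App Service and Azure SQL Database
    single_region = serial_availability(web, sql)
    # Assumed design: the whole stack deployed in two regions, either one serving traffic.
    two_regions = redundant_availability(single_region, single_region)
    return {
        "single_region_pct": round(single_region * 100, 2),
        "single_region_downtime_min": round(monthly_downtime_minutes(single_region), 1),
        "two_regions_pct": round(two_regions * 100, 5),
        "two_regions_downtime_min": round(monthly_downtime_minutes(two_regions), 3),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The series result is the exam point: adding the 99.99% database to the 99.95% web tier drops the app's composite SLA to 99.94%, below both components, and only redundancy raises it again.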
- Service lifecycle:
- Azure previews: feature previews for evaluation of beta or pre-release items. Public (any customer can evaluate) or private (specific customers, invited directly by the product group). Public previews carry a PREVIEW label; find them via "+Create a resource" or "All services". General Availability (GA) – the preview becomes a generally available product.
- Register for the AZ-900 exam: Microsoft account (always use the same one), create a certification profile if it is your first time (enter your name as it appears on your government ID). Delivered by Pearson VUE or Certiport (students and instructors).
- Select a test center (arrive a bit early to give your name and appointment date, show ID, put personal items in a locker) or online (proctored)
- Select Language
- Select Date and Time
- Review, Confirm, and Pay
- Taking it online: run the system test a few days in advance; clean desk and room with no papers or electronics; tell family and co-workers not to interrupt you, since an interruption is an automatic failure; have a smartphone and a piece of ID nearby; close all apps and unnecessary services; plug in the laptop or have a full battery; check in 30 min before the exam starts; begin from the Learning Dashboard once the system checks are done
- Exam Structure & Question Types:
- Microsoft doesn't share the exact number of questions (it might differ from person to person), only guidelines
- AZ-900 basics: 45 to 60 minutes (plan for 80 min), 40 to 60 questions, about 1 min per question for fundamentals exams; questions are short (question types are listed next); questions can be marked for review later
- Generally: accept the NDA, complete the exam questions, provide comments and feedback (optional)
- Ten types of questions: active screen, best answer, build list, case studies, drag and drop, hot area, multiple choice, repeated answer choices, short answer, labs
- Max score 1000, passing score 700. Passing gets you a badge and a digital certificate; the badge can be shared on social media like LinkedIn. If you fail: wait at least 24 h after the first failure; 14 days between the 2nd, 3rd, 4th, and 5th attempts; no more than 5 attempts in a 12-month period