Quick Reference for Exam AZ-900: Microsoft Azure Fundamentals


Hello All,

In recent times cloud technologies have become very popular and are in high demand in the market. Recently I passed the AZ-900 exam. It helped me to understand the different cloud deployment models, cloud services, security, identity and access management, features, pricing tiers, etc. Being a data engineer I am always curious about how we can implement our solutions quickly and in a more robust way. Azure DevOps, DevTest Labs, MFA, Azure Advisor / Security Center, Azure Monitor etc. fulfil that need. We also have Azure Databricks, which I can use to develop a Spark solution, and HDInsight for big data frameworks. The Azure Marketplace lets us search for many products and ready-made solutions that existing users have implemented. Everything is under your budget!

The purpose of this certification is to get a high-level understanding of Azure cloud, cloud offerings for computing, storage, networking, monitoring and management needs, security services, compliance management, user management, access management, etc.

Here are a few links which I referred to:

  • https://docs.microsoft.com/en-us/azure/azure-glossary-cloud-terminology
  • https://www.youtube.com/watch?v=NPEsD6n9A_I&list=PLGjZwEtPN7j-Q59JYso3L4_yoCjj2syrM
  • https://marczak.io/az-900/episode-17/practice-test/
  • https://k21academy.com/microsoft-azure/az-104/az-104-region-availability-zone-availability-sets-and-fault-domainupdate-domain-in-microsoft-azure/
  • https://www.udemy.com/course/az-900-practice-tests/

I have prepared my own notes by studying all the materials. Most of the questions that appeared in the exam were covered here.

---------------------------------------------------------------------------------------

AZURE - Compute, Storage, Networking, Monitoring

1. Cloud terms: High Availability (the service stays up despite individual component failures), Fault Tolerance (continues to function if underlying hardware fails), Scalability (add capacity to meet demand), Elasticity (scale out and back in automatically as demand changes), Disaster Recovery (ability of the system to recover from a major outage, e.g. a region failure), Agility (provision and change resources quickly).

2. Capital Expenditure (CapEx: fixed upfront investment, e.g. buying hardware) vs Operational Expenditure (OpEx: pay-per-use / consumption-based model, e.g. leasing software or renting cloud capacity).

VM [IaaS] - connect using RDP (Windows) or SSH (Linux). Azure Bastion provides RDP/SSH access to VMs from the portal over TLS, so the VM needs neither a public IP nor management ports open to the internet.

Azure Virtual Machines provide hardware virtualization (virtual CPU, disk, memory, network); you install, patch and manage the guest operating system yourself.

Only Windows and Linux images are supported. There is no macOS image, because Apple's licence only allows macOS to run on Apple hardware.

Cloud Models - Public, Private, Hybrid

Hybrid model combines on-premises infrastructure with public cloud services, so many organizations use this model.

Private cloud: local datacenters. Advantage: more control. Disadvantage: higher CapEx.

* On-premises to Azure connection - VPN gateway (a type of virtual network gateway) over an IPsec/IKE tunnel

Azure Stack Portfolio - Azure Stack is a portfolio of products that extend Azure services and capabilities to your environment of choice, from the datacentre to edge locations and remote offices. Build and deploy hybrid and edge computing applications and run them consistently across location boundaries.

  1.    Keep business-sensitive data in the enterprise's on-premises datacenter.
  2.    Process on-premises data with Azure-like cloud capabilities.
  3.    Host DevOps on a private or public cloud.
  4.    Seamlessly integrate on-premises and cloud set-ups.

AZURE REGION

-All Azure regions have a region pair, but availability zones are not enabled in every region.

-Zone-enabled regions have at least 3 availability zones.

-Azure Resource Manager templates are written in JSON (declarative: you describe the desired resources, ARM creates them).

-Resource groups cannot be nested.

Azure Paired Regions: used for business continuity and disaster recovery. A primary region is paired with a secondary region in the same geography; platform updates are rolled out to one region of a pair at a time.

(Backup and restoration of operations)

Region:

A region is a set of data centers deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.

Availability Zone:

Azure Availability Zones is a high-availability offering that protects your applications and data from datacenter failures.

These are unique physical locations within an Azure region.

Each zone is made up of one or more data centers equipped with independent power, cooling, and networking.

Availability Set:

   An Availability Set is a logical grouping capability for isolating VM resources from each other when they're deployed.

   By spreading your VMs across multiple hardware nodes (fault domains: separate racks, power and network; update domains: groups rebooted together during maintenance), Azure ensures that if a hardware or software failure happens, only a subset of your virtual machines is impacted and your overall solution keeps working.

   It provides redundancy for your virtual machines within a single datacenter.

*** Keep in Mind:

1. Azure Government is only available to US government bodies and their contractors.

2. The China regions are operated by a Chinese company (21Vianet), not by Microsoft directly.

3. The Germany regions are for customers who require that data resides only in Germany.

4. Also, not every region has availability zones, but every region has a paired region.

------------------------------------------------------------------------------------------

Single VM - running a Virtual Machine (VM) on Azure with no replication.

Availability Sets - running a VM with one or more replicated copies on separate hardware (fault domains and update domains) within the same datacenter, providing resiliency against machine failure and planned maintenance.

Availability Zones - running a VM with one or more replicated copies in different Availability Zones, providing resiliency against datacenter failure. Each zone is made up of one or more datacenters.

Region Pairs - running a VM with one or more replicated copies in different Azure regions (but always staying within the same geography, typically meaning the same country), protecting against natural disasters and large-scale outages.

------------------------------------------------------------------------------------------

One Azure resource belongs to exactly one RESOURCE GROUP (a resource group is a logical container for management).

Resources are managed by AZURE RESOURCE MANAGER (ARM), the deployment and management layer that every tool (portal, CLI, PowerShell, templates) talks to.

Resource Manager templates (JSON) can be used to quickly create a new resource and to automate repeatable deployment of many resources.

Azure Kubernetes Service: orchestrates large numbers of container instances (a container is a portable, self-contained package of an application and its dependencies).

Virtual Network Gateway / VPN Gateway: provides a secure, encrypted (IPsec/IKE) connection between an on-premises network and an Azure virtual network over the public internet.

Multiple virtual networks are connected via VNet peering or a VPN gateway.

Subnet: a subdivision of a virtual network's address range.

Network Security Groups filter traffic to and from resources in a virtual network (internet-to-subnet, subnet-to-subnet and VM-to-VM).

Application Gateway: layer-7 (HTTP/HTTPS) web traffic load balancer; it can include a Web Application Firewall.

*Traffic between virtual machines is not encrypted by default; use TLS or a VPN where confidentiality matters.

*An NSG cannot encrypt or decrypt traffic; it only filters packets. Azure Firewall Standard does not decrypt either (only the Premium tier offers TLS inspection).

***An NSG rule matches on ports, addresses (IP, CIDR or service tag) and protocol, and then allows or denies; rules are evaluated in priority order, lowest number first.

***Azure Firewall manages inbound/outbound traffic with network rules (IP/port/protocol), application rules (FQDN: fully qualified domain name), service tags (Microsoft-managed groups of IP prefixes for Azure services) and threat-intelligence-based filtering [Allow/Deny].

AZURE STORAGE SERVICES [IAAS]

1. BLOB: unstructured data like images, videos, text, executables - Binary Large OBject

Blobs are stored inside containers. [VM disks are also stored as (page) blobs]

Three access tiers: Hot (frequently accessed data), Cool (infrequently accessed data such as backups/old data, stored for at least 30 days), Archive (rarely accessed, stored for at least 180 days; must be rehydrated, which takes hours, before it can be read).

2. QUEUE: asynchronous messaging between application components.

3. TABLE: semi-structured / NoSQL key-value data.

4. Azure Files: managed file shares accessed over the SMB protocol (NFS is also available). Here the unit is a file and the container is called a share.

It is like a mounted network drive in Windows or Linux, which is the difference from blob storage: applications use normal file-system calls instead of the blob REST API.

LIFT-and-shift: you already have on-premises applications that expect a file system and you want them running in the cloud quickly without re-developing them against the blob store. Then use Azure Files.

Azure Storage Account: the container for the blob, queue, table and file services. (IaaS)

5. AZURE DISK STORAGE:

Disk emulation in the cloud: persistent block storage for VMs.

Performance tiers determine pricing.

Disks can be managed (Azure handles the underlying storage account) or unmanaged (the customer is responsible for the storage account that holds the VHD file).

Designed to be used with Azure Virtual Machines, Azure Disk Storage offers high-performance, highly durable block storage for your mission- and business-critical applications. Confidently migrate to Azure Infrastructure with four disk storage options for the cloud—Ultra Disk Storage, Premium SSD, Standard SSD and Standard HDD—to optimise costs and performance for your workload needs. Achieve high performance with sub-millisecond latency for throughput and transaction-intensive workloads such as SAP HANA, SQL Server and Oracle.

** Customers can mount File Storage or Disk Storage.

Azure DATABASES Service

1. Azure Cosmos DB [PaaS]: globally distributed NoSQL database with high availability.

Its Table API is compatible with Table storage in a storage account, but Cosmos DB also offers Core (SQL), MongoDB, Cassandra and Gremlin APIs.

In the Core (SQL) API, instead of a table we have a container/collection of JSON documents.

*Ability to replicate across regions (geo-replication, with multi-region writes).

*Low (single-digit millisecond) latency.

2. Azure SQL Database [PaaS]

Relational data defined using a schema and relationships.

Rich query capabilities (T-SQL).

3. Azure SQL - the family of SQL Server-based services below

4. SQL Managed Instance (near-full SQL Server compatibility, but managed by Microsoft)

5. SQL Data Warehouse, now Azure Synapse Analytics dedicated SQL pool (big data / massively parallel processing)

6. SQL Server on a VM (IaaS: managed by you, all SQL Server features)

7. Azure Database for MySQL

8. Azure Database for PostgreSQL (for migrating existing open-source applications)

AZURE Marketplace (Azure Shop/Templates/Solutions)

If a solution requires a licence, its cost is automatically added to your Azure bill.

Azure Marketplace - for developers and IT pros (infrastructure, VM images, services)

Microsoft AppSource - for business users (business applications)

----------------------------------------------------------

Azure IOT Services

1. IoT Hub [PaaS] - bi-directional communication service between devices and the cloud.

2. IoT Central [SaaS] - has app templates for quick development of IoT applications; built on top of IoT Hub.

3. Azure Sphere - a set of components for building highly secure IoT devices:

Azure Sphere microcontroller chips (hardware) - Azure Sphere OS (Linux-based) - applications on Sphere OS - Azure Sphere Security Service (cloud service for device authentication and OS/app updates).

**Used for developing highly secure IoT applications.

AZURE Big Data and Analytics Services

1. Azure Synapse Analytics [PaaS]: end-to-end enterprise data warehousing and analytics with many integrated tools (Data Factory pipelines, Spark, SQL, etc.).

Synapse Studio is linked with Azure Data Lake Storage.

2. Azure HDInsight [PaaS]: managed big data clusters (Hadoop, Spark, Kafka, HBase); a flexible, multi-purpose big data platform.

3. Azure Databricks [PaaS]: Spark cluster (a Spark-only workspace) for ML or transformations.

AI Services - for Artificial intelligence

Azure Machine Learning [PaaS] - create, train, manage and publish ML models: end-to-end machine learning.

Features: notebooks, Automated ML, Designer (drag-and-drop), data and compute resources, pipelines.

The Machine Learning workspace is the top-level Azure resource; it consolidates all Azure ML features from a management perspective.

Machine Learning Studio is the web-based visual interface for working in a workspace.

Hierarchy: Azure ML (service) -> ML workspace (top-level resource) -> ML Studio (UI for the workspace)

Serverless computing Services

Azure functions, Logic Apps, Event Grids

Serverless computing is a cloud-hosted execution environment that lets customers run their code while the provider manages all of the underlying infrastructure (servers, scaling, patching); you pay per execution.

1. Azure Functions - serverless code platform: small pieces of code triggered by events (HTTP request, timer, queue message, etc.).

2. Azure Logic Apps [PaaS]: design workflows visually, with conditions and branching.

Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations.

   Ex. when a new file arrives in storage, send an email to the user.

3. Event Grid - event routing service.

Event-based / publish-subscribe model.

Publishers send events to topics; handlers (Functions, Logic Apps, webhooks, Queue storage) subscribe to topics and receive the events.

------------------------------------------------------------------------------------------

Azure Dev-ops solutions

DevOps (development + operations): practices and tooling for CI/CD and high-quality deliverables.

DevTest Labs

Azure DevOps [SaaS]

1. Boards: work tracking (like Rally or Jira)

2. Repos: code collaboration and versioning (Git)

3. Pipelines: automated build and deployment processes (CI/CD)

4. Artifacts: shared package feeds (Maven, npm, NuGet); manage project deliverables

5. Test Plans: manual and exploratory testing

On top there is the Azure DevOps extensions marketplace.

AZURE DevTest Labs [PaaS]

- Admin manages policies, quotas, allowed VM images and auto-shutdown to control cost

- Developers and testers collaborate and use multiple VMs

--------------------------------------------------------------------

Management tools:

Azure Portal (web): https://portal.azure.com

Azure PowerShell (Az module): cross-platform; PowerShell scripts run only in PowerShell

Azure CLI (az): cross-platform command-line tool; commands can be run from Bash, PowerShell or cmd

Cloud Shell (web): browser-based shell inside the portal; both Bash (with Azure CLI) and PowerShell are available

Azure PowerShell, Azure CLI and Cloud Shell are all available on Windows, macOS and Linux.

--------------------

Azure Advisor: Personal consultant

Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It doesn't include recommendations targeting Azure Active Directory (Azure AD).

The recommendations are divided into five categories:

· Reliability (formerly called High Availability)

· Security

· Performance

· Cost

· Operational Excellence

---------------------------------------------

SECURITY GROUPS:

An NSG can be associated with a subnet or with a network interface (NIC). Inbound traffic is checked by the subnet NSG first and then by the NIC NSG; both must allow it.

Network Security Group - filters inbound/outbound traffic to/from Azure resources located in an Azure virtual network.

Application Security Group - logical grouping of NICs (e.g. "web servers", "db servers") so that NSG rules can reference the group instead of individual IP addresses.

NSG rule fields:

- Priority (100-4096; lower number is evaluated first, first match wins)

- Source/Destination address (IP, CIDR, service tag or application security group)

- Source/Destination port

- Protocol (TCP, UDP, ICMP or Any)

- Direction (inbound/outbound)

- Action (Allow/Deny)

Default rules at priority 65000 and above allow traffic inside the VNet and from the Azure load balancer and deny all other inbound traffic; they cannot be deleted, only overridden by a custom rule with a lower priority number.

Manages secured network access inside a virtual network.
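To make the rule-evaluation order concrete, here is an added example (written for these notes, not taken from Azure or from the original article) that models how an NSG picks the first matching rule by priority, and why inbound traffic has to pass both the subnet NSG and the NIC NSG. The rule names, addresses and the short service-tag prefix lists are constructed assumptions; real service tags expand to Microsoft-published ranges.

```python
"""Simplified model of how Azure evaluates Network Security Group rules.

Added example for these notes, not code from Azure or from the article author.
Assumptions: rule names, addresses and ports are constructed; the service tags
'VirtualNetwork', 'Internet' and 'AzureLoadBalancer' are modelled as the short
prefix lists below, not Microsoft's published ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for service tags (real tags expand to Microsoft-published prefixes).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # IP, CIDR or service tag
    dest_port: str     # "22", "80-443" or "*"


# Azure's default rules sit at priority 65000+ and cannot be removed, only overridden
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "80-443" -> 80..443, "22" -> 22..22
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, source, dest_port):
    """First matching rule in priority order decides, as in Azure; returns (access, rule name)."""
    ordered = sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if _addr_match(r.source, source) and _port_match(r.dest_port, dest_port):
            return r.access, r.name
    return "Deny", "<no-rule>"  # not reached when the default rules are present


def effective_inbound(subnet_rules, nic_rules, protocol, source, dest_port):
    """Inbound traffic is checked by the subnet NSG first, then the NIC NSG; both must allow.

    None means no NSG is associated at that level, so that stage passes everything.
    """
    for stage, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue
        access, name = evaluate(rules, "Inbound", protocol, source, dest_port)
        if access == "Deny":
            return "Deny", f"{stage}:{name}"
    return "Allow", "both-levels"


# Constructed sample: the subnet NSG only publishes HTTPS. Someone later opened SSH on the
# NIC NSG, which does not expose the VM because the subnet NSG still drops port 22.
SUBNET_NSG = DEFAULT_INBOUND + [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
]
NIC_NSG = DEFAULT_INBOUND + [
    Rule("AllowHttps", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromAnywhere", 110, "Inbound", "Allow", "Tcp", "*", "22"),
]

if __name__ == "__main__":
    for port in (443, 22):
        print(port, effective_inbound(SUBNET_NSG, NIC_NSG, "Tcp", "203.0.113.7", port))
    print("from vnet", effective_inbound(SUBNET_NSG, NIC_NSG, "Tcp", "10.0.1.4", 22))
```

The practical lesson the model reproduces: when a port "should be open" but is not, check the NSG at both levels, and remember that a custom Allow at a low priority number overrides DenyAllInBound only if its source, port and protocol all match.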

------------------------------------------------------

Azure Routing: Azure creates default system routes for every subnet. User-defined routes (UDRs) in a route table override them, for example to force all outbound traffic through Azure Firewall or a network virtual appliance (forced tunnelling) before it reaches the internet or another subnet.

Managed via Azure route tables, which override the default routing in Azure.

A route table is associated with zero or more virtual network subnets (each subnet can have at most one route table).

-------------------------------------------------------------

AZURE FIREWALL [PaaS]

A managed, stateful firewall that monitors and controls incoming/outgoing network traffic for a virtual network.

Application rules match on the fully qualified domain name (FQDN, the address of a website, e.g. www.example.com); network rules match on IP address, port and protocol.

By default all traffic is denied until a rule explicitly allows it.

----------------------------------------------------

DoS attack - Denial of Service: flooding a service with traffic so that legitimate users cannot use it.

DDoS attack - Distributed DoS: the flood comes from many compromised machines (a botnet) at once.

DDoS Protection Basic is free and always on for every Azure resource; it protects the Azure platform itself.

If more protection is needed, DDoS Protection Standard is a paid tier: it learns your application's normal traffic pattern and tunes mitigation to it, and adds attack analytics, alerts and cost protection.

----------------------------------------------------

Authentication: proving who you are (e.g. password, MFA).

Authorization: what an authenticated identity is allowed to do.

Access Management: controlling, verifying, tracking and managing access for authorized users and applications.

Azure Active Directory:

Identity and Access Management service.

User accounts are stored in Azure AD; every sign-in to Azure goes through it.

Identities can be users, groups, service principals (applications) or managed identities for Azure resources.

MFA requires two or more authentication factors: something you know (password), something you have (phone or hardware token), something you are (biometric).

----------------------------------------------------

Azure Security Center (now Microsoft Defender for Cloud):

Centralized security management and threat-protection service.

Integrated with Azure Advisor (Security Center recommendations appear under Advisor's Security category).

2 tiers: Free (Azure Defender off: assessment and recommendations only) and Standard (Azure Defender on: threat detection, just-in-time VM access, adaptive application controls).

Secure Score: a score calculated across all resources from the security recommendations you have and have not applied. Higher score = stronger security posture.

----------------------------------------------------

Azure Key Vault

-Managed service for storing and controlling access to sensitive material: encryption keys (optionally HSM-backed), secrets (DB usernames/passwords, connection strings) and certificates, so they are never hard-coded in application code.

-Access is granted per vault (access policies or Azure RBAC), and every access is logged for monitoring.

----------------------------------------------------

Role Based Access Control [Access Control (IAM)]

Security principal - user, group, service principal or managed identity.

Role definition - collection of permitted actions (Actions, minus NotActions) that an assigned identity can perform, e.g. Owner, Contributor, Reader.

One user can have multiple roles.

A user group can be created for a set of users and assigned a role once.

Role assignment = security principal + role + scope (the management group, subscription, resource group or resource that the access applies to).

A resource group inherits role assignments made at subscription level.

Resources inherit access from their resource group.

Scopes are hierarchical (management group > subscription > resource group > resource) and assignments are inherited downward, never upward.

----------------------------------------------------

Resource Locks:

If a lock is applied, even an Owner cannot perform the locked action (delete/update) until the lock is removed. Locks are a safety net against accidental changes, not a replacement for RBAC.

Can be applied at resource group level, subscription level or on individual resources.

Resource locks are inherited by all child resources.

A read-only lock can be combined with a delete lock as well.

Most common use case is the PRODUCTION environment.

2 lock levels: Read-only (ReadOnly) and Delete (CanNotDelete). Read-only also prevents deletion.

Management groups cannot be locked.
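The RBAC and lock rules above combine in a way that surprises people: an Owner can still be refused by a lock. The following added example (not Azure code and not from the original article) models scope inheritance for role assignments and locks together. The subscription ID, resource group, principals, lock names and the trimmed Owner/Contributor/Reader definitions are constructed assumptions.

```python
"""Simplified model of Azure RBAC scope inheritance combined with resource locks.

Added example for these notes, not Azure code. The subscription ID, resource
group, principals and lock names are constructed; the role definitions are
trimmed from the real built-in Owner/Contributor/Reader roles.
"""
from fnmatch import fnmatchcase

# Scopes are Azure resource-ID prefixes: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

ROLES = {  # name -> (Actions, NotActions); patterns use Azure's "Provider/type/verb" form
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
}


def _in_scope(assigned_at: str, target: str) -> bool:
    """An assignment or lock at scope X covers X itself and everything below it."""
    return target == assigned_at or target.startswith(assigned_at + "/")


def _matches(action: str, patterns) -> bool:
    # Azure permission matching is case-insensitive; '*' spans '/' like Azure's wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def rbac_allows(assignments, principal: str, action: str, scope: str) -> bool:
    """True if some assignment at `scope` or an ancestor grants `action` (Actions minus NotActions)."""
    for a in assignments:
        if a["principal"] != principal or not _in_scope(a["scope"], scope):
            continue
        actions, not_actions = ROLES[a["role"]]
        if _matches(action, actions) and not _matches(action, not_actions):
            return True
    return False


def lock_blocks(locks, action: str, scope: str):
    """Return the name of a lock that blocks `action` at `scope`, or None.

    Locks are inherited by child scopes and apply to every principal, Owners included.
    CanNotDelete blocks delete; ReadOnly blocks everything except read.
    """
    verb = action.rsplit("/", 1)[-1].lower()
    for lk in locks:
        if not _in_scope(lk["scope"], scope):
            continue
        if lk["level"] == "CanNotDelete" and verb == "delete":
            return lk["name"]
        if lk["level"] == "ReadOnly" and verb != "read":
            return lk["name"]
    return None


def authorize(assignments, locks, principal: str, action: str, scope: str) -> str:
    """Azure checks the role assignment first, then the lock; either one can refuse the request."""
    if not rbac_allows(assignments, principal, action, scope):
        return "denied:no-role-assignment"
    lock = lock_blocks(locks, action, scope)
    if lock:
        return f"denied:lock:{lock}"
    return "allowed"


# Constructed sample tenancy.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob", "role": "Reader", "scope": RG},
    {"principal": "carol", "role": "Contributor", "scope": SUB},
]
LOCKS = [{"name": "prod-no-delete", "level": "CanNotDelete", "scope": RG}]

if __name__ == "__main__":
    print(authorize(ASSIGNMENTS, LOCKS, "alice", "Microsoft.Compute/virtualMachines/delete", VM))
    print(authorize(ASSIGNMENTS, LOCKS, "bob", "Microsoft.Compute/virtualMachines/read", SUB))
```

Two behaviours worth noticing in the output: bob's Reader role at the resource group does not let him read at subscription scope (inheritance only flows down), and carol's Contributor role cannot create role assignments because NotActions removes Microsoft.Authorization/* even though Actions is "*".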

----------------------------------------------------

**Resource group name cannot be changed.**

Tags can be assigned. They are like labels: key:value pairs (e.g. env=prod, owner=finance).

Multiple tags can be applied to a single resource.

Tags can also be applied at resource group level.

Resource tags are NOT INHERITED: a tag on a resource group does not appear on the resources inside it (use Azure Policy to enforce or copy tags).

Can be applied to resource group level / subscription level / individual resources.

----------------------------------------------------

Azure Policy: set of rules to help with compliance, cost management, security and governance.

Policy effects - deny, audit, auditIfNotExists, append, modify, deployIfNotExists, disabled. There is no explicit "allow": a request that matches no deny is allowed.

Policy definition: which property should be checked, and what should happen when the condition matches.

Scope can be from management group down to resource level.

-Policy initiative: a group of policy definitions assigned together is called a policy initiative.

-Policy assignment: assigning a policy definition or initiative to a scope.

-Policy exclusion (excluded scope): exclude a specific child scope, e.g. a resource group, from a policy assignment.

Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.
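Policy definitions are JSON documents with an "if" condition and a "then" effect. The added example below (written for these notes; it is not the Azure Policy engine and not from the original article) evaluates three constructed definitions (allowed locations with deny, storage accounts without HTTPS-only with audit, and a missing env tag with modify), assigned as one initiative at subscription scope with an excluded resource group. The JSON shape and field names follow Azure's format; the definition names, IDs and resources are constructed.

```python
"""Minimal evaluator for Azure Policy definitions in their native JSON shape.

Added example for these notes, not the Azure Policy engine. Supports only the
field/equals/in/notIn/exists/allOf/anyOf/not operators and the deny, audit and
modify effects. Definition names, scopes and resources below are constructed;
the field names (location, type, tags['env'], the storage alias) are real.
"""
import json

ALLOWED_LOCATIONS = json.loads("""{
  "name": "allowed-locations",
  "properties": {
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
      "then": {"effect": "deny"}}}}""")

AUDIT_HTTP_STORAGE = json.loads("""{
  "name": "audit-storage-https-only",
  "properties": {"policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
      {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": false}]},
    "then": {"effect": "audit"}}}}""")

ADD_ENV_TAG = json.loads("""{
  "name": "add-env-tag",
  "properties": {"policyRule": {
    "if": {"field": "tags['env']", "exists": "false"},
    "then": {"effect": "modify", "details": {"operations": [
      {"operation": "addOrReplace", "field": "tags['env']", "value": "unclassified"}]}}}}}""")


def _field(resource, field):
    if field.startswith("tags['"):                 # tags['env'] -> resource["tags"]["env"]
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def _resolve(value, params):
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[13:-3]]                # [parameters('x')] -> params["x"]
    return value


def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _in_scope(scope, resource_id):
    return resource_id == scope or resource_id.startswith(scope + "/")


def evaluate(assignments, resource):
    """Evaluate a resource request against policy assignments.

    Each assignment carries a list of definitions (an initiative is just several of
    them), a scope, optional parameters and optional excluded scopes (notScopes).
    Returns (decision, resource_after_modify, findings); any deny wins.
    """
    res = dict(resource, tags=dict(resource.get("tags", {})))   # never mutate the request
    findings, decision = [], "allowed"
    for asg in assignments:
        rid = res["id"]
        if not _in_scope(asg["scope"], rid) or any(_in_scope(ns, rid) for ns in asg.get("notScopes", [])):
            continue
        for definition in asg["definitions"]:
            rule = definition["properties"]["policyRule"]
            if not matches(rule["if"], res, asg.get("parameters", {})):
                continue
            effect = rule["then"]["effect"].lower()
            findings.append((definition["name"], effect))
            if effect == "deny":
                decision = "denied"
            elif effect == "modify":
                for op in rule["then"]["details"]["operations"]:
                    if op["operation"] == "addOrReplace" and op["field"].startswith("tags['"):
                        res["tags"][op["field"][6:-2]] = op["value"]
    return decision, res, findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = [{  # one initiative at subscription scope; a sandbox resource group is excluded
    "definitions": [ALLOWED_LOCATIONS, AUDIT_HTTP_STORAGE, ADD_ENV_TAG],
    "scope": SUB,
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "notScopes": [SUB + "/resourceGroups/sandbox-rg"],
}]


def storage_account(rg, name, location, https_only=True, tags=None):
    """Constructed resource in the flattened field form that policy conditions read."""
    return {
        "id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
        "type": "Microsoft.Storage/storageAccounts",
        "location": location,
        "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": https_only,
        "tags": tags or {},
    }


if __name__ == "__main__":
    print(evaluate(ASSIGNMENTS, storage_account("prod-rg", "legacylogs", "northeurope", https_only=False)))
```

The three effects behave differently: deny stops the deployment, audit only records a non-compliance finding (the resource is still created), and modify patches the request before it is created. Resources under the excluded sandbox resource group are never evaluated, which is exactly what a policy exclusion does.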

-----------------------------------------------------

Blueprint - a template of policies, roles and resources for quick, repeatable assignment to a new subscription or resource group.

Centralized storage for organizationally approved design patterns.

Consists of resource groups, Resource Manager templates, role assignments and policy assignments.

AZURE SUBSCRIPTION:

One Microsoft account can have multiple subscriptions.

One Azure AD tenant can have multiple subscriptions, but one subscription is associated with only one Azure AD tenant.

A resource can be moved to another subscription (or to another resource group).

Subscription (billing) ownership can be transferred only by the account administrator.

Multiple subscriptions cannot be merged into one.

*Every subscription belongs to a management group (the tenant root group by default); management groups organize subscriptions for policy and access management.

--------------------------------------------------------------

Cloud Adoption Framework: set of tools, best practices, guidelines and documentation to help companies with their cloud journey.

Strategy - Plan - Ready - Adopt - Govern - Manage

CAF mainly focuses on Plan - Ready - Adopt.

Strategy:

- Motivation

- Business outcome

- Business justification

Five R's of rationalization:

Rehost (lift and shift)

Refactor

Rearchitect

Rebuild

Replace


****** AZURE PRICING CALCULATOR: tool to estimate the monthly cost of cloud services before you buy ******

****** For ON-PREMISES comparison: Azure TCO (total cost of ownership) calculator ******

Cost-affecting factors:

  • Resource types
  • Services
  • Location (region)
  • Bandwidth (outbound data transfer)
  • Reserved instances (1- or 3-year commitment in exchange for a discount)

*Azure Hybrid Benefit: use your existing Windows Server / SQL Server licences in the cloud for a discount.

Azure Cost Management: analyses actual spend, sets budgets and alerts and shows cost trends. (Estimating the cost of services before you make a purchase is the job of the Pricing Calculator, not Cost Management.)

More services:

· Azure App Service: hosts web applications, APIs and containerized apps (PaaS).

· Azure Application Insights: detects and diagnoses anomalies and performance issues in web applications (part of Azure Monitor).

· Azure Activity Log: keeps track of control-plane operations performed on resources by users and services (who did what, when).

· Azure Service Health: monitors the health of Azure services and regions; not limited to the resources you have deployed.

· Compliance Manager (Microsoft Service Trust Portal / Microsoft 365 compliance): compliance assessments and checks.

· Azure Sentinel: cloud-native SIEM/SOAR, intelligent security analytics for the enterprise [SaaS].

· Azure Log Analytics: log storage and query service (Kusto Query Language) under Azure Monitor.

· Microsoft Power Apps (Power Platform, not an Azure service): quickly create low-code apps using templates.

· Budget alerts: Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget. Cost Management budgets are created using the Azure portal or the Azure Consumption API.

· Azure Information Protection: You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it's shared. The labels can include visual markings such as a header, footer, or watermark.

Free Azure account: 12 months of popular free services, including 5 GB of blob storage, 5 GB of file storage and 10 App Service web apps.

The spending limit on a free account cannot be increased; it can only be removed by upgrading to pay-as-you-go. USD 200 of free credit is provided for the first 30 days.

Private Preview vs Public Preview

Private preview services are rolled out to specific users only.

Public preview services are rolled out for everyone.

Common flow For most of the services, BUT NOT FOR EVERY SERVICE.

Private preview -> Public Preview -> General Availability [GA]

------------------------------------------------------

**Data transfer INTO Azure (inbound/ingress) is not charged.

**Data transfer OUT of a region (outbound/egress) is charged: to the internet, and between services located in two DIFFERENT regions.

**Data transfer between services located in the SAME region is not charged.

------------------------------------------------------

Azure Monitor (via the Log Analytics agent) and Azure Security Center can both monitor on-premises machines as well as Azure resources.

Azure Security Center has:

- Regulatory compliance dashboard: maps your resources against standards (e.g. PCI DSS, ISO 27001) and shows the gaps

- Just-in-time (JIT) VM access: management ports (RDP/SSH) stay closed in the NSG and are opened only for an approved user, source IP and time window

The Microsoft Online Services Privacy Statement - explains what personal data Microsoft processes, how Microsoft processes the data, and the purpose of processing the data.

Thank you for reading this article! Please share with your colleagues/friends. Best luck !!

Shashank Tiwari

Lead DevOps Engineer

3 years ago

Hey Gaurav, big thanks for this quick reference sheet. I cleared my certification today and it was really helpful.
