AZ-900 Slides - 5th May
The English language version of this exam was updated on January 25, 2022.
Exam skills measured, before and after the update:
➢ Describe core Azure services (15-20%) → now: Describe Azure architecture and services (35–40%)
➢ Describe core solutions and management tools on Azure (10-15%) → now: Describe Azure management and governance (30–35%)
❖ Approach:
✓ Avoid Demos
❖ Course Goal:
✓ Take the full course: all lessons, demos, quizzes, summaries and practice tests.
✓ By the end of the course you will be confident with the Azure cloud.
❖ Intended Audience
❖ Prerequisite
❖ What is included?
❖ Cost: 99 USD (India: ₹3696 INR - Price based on the country in which the exam is proctored)
❖ Exam duration:
❖ Seat duration: 65 minutes
❖ Exam duration: 45 minutes
❖ Exam Sandbox - https://aka.ms/examdemo
❖ Question types:
❖ Multiple choice and multiple response
❖ Drop down
❖ Drag & Drop
❖ Transcript/Caption
❖ Video Quality
❖ Billing
❖ Site issues
❖ Certificate of completion
Traditional data center challenges:
⮚ Difficult to scale
⮚ Maintenance
[Diagram: physical hardware (CPU, memory, disk) → hypervisor → virtualization: several virtual machines share one set of hardware]
Introduction to Cloud Computing
⮚ Pay only for what you use
⮚ Renting IT Resources
⮚ Build, manage, and monitor everything from simple web apps to complex cloud deployments.
⮚ Azure Marketplace helps connect users with Microsoft partners, independent software vendors, and startups that are
offering their solutions and services, which are optimized to run on Azure.
⮚ Continuous availability
Portal
Create Sample Service - Storage
Set Budget and Delete Resources
⮚ FREE Subscription
⮚ Your FREE subscription and services are disabled once your credit runs out.
⮚ Set Alert - notifies you when your spending reaches or exceeds the amount defined in the alert condition of the budget.
Learning Outcome
➢ Azure Advisor
➢ Azure Monitor
▪ Collect, analyze, visualize and act on metric and log data
▪ Azure Service Health (part of Azure Monitor) keeps you informed about current and upcoming issues on the Azure side.
Learning Objectives
➢ You’ll also learn about the fundamental concepts of cloud computing, how Azure implements these concepts,
➢ CapEx vs OpEx
➢ Economic benefits of the cloud
➢ Consumption-based model
➢ Computing Models
➢ Deployment Models
High Availability
Outages a system must survive:
⮚ Network outage
⮚ Application failure
⮚ System outage
⮚ Power outage
⮚ Protect against data center, server, network and storage subsystem failures to keep your business running without downtime.
⮚ Highly available systems are reliable in the sense that they continue operating even when critical components fail.
⮚ They are also resilient, meaning that they can handle failure without service disruption or data loss, and recover seamlessly from such failure.
⮚ Azure provides high-availability features such as redundancy, load balancing, auto-scaling and provisioning across Availability Zones (AZs): physically separate locations within an Azure region, each with independent power, cooling and networking, so that the loss of one data center does not take down the others.
Scalability
⮚ Scalable architectures provide the ability to grow your environment when needed (increase in number of users, traffic throughput)
▪ Example: workload increased as the business expanded over a period of time
▪ Two types of scalability:
o Vertical Scalability
o Horizontal Scalability
Vertical Scalability
⮚ Increasing the capacity of the current server: a larger hard drive, a faster CPU, more RAM, I/O or networking capability
⮚ Has limits: the largest available machine, and resizing usually needs a restart
Horizontal Scalability
⮚ Adding more servers (instances) and spreading the load across them; no single-machine limit, but the application must be able to run on several nodes
⮚ Elasticity: the ability to automatically expand or shrink infrastructure resources on a sudden rise or fall in demand so that the workload can be managed efficiently.
⮚ Example: workload increases during a festive season like Christmas.
Elasticity vs Scalability
⮚ Elasticity: meets a sudden rise and fall in workload for a short period of time. Scalability: meets a static (lasting) increase in workload.
⮚ Elasticity: handles dynamic changes, where the resources needed can increase or decrease. Scalability: addresses growth in an organization's workload.
⮚ Elasticity: short-term planning, adopted to deal with an unexpected or seasonal increase in demand. Scalability: long-term planning, adopted to deal with an expected increase in demand.
Agility
Agility: Rapidly deploy and configure cloud resources as your app's needs change.
CapEx vs OpEx
Capital Expenditure (CapEx) vs Operational Expenditure (OpEx)
⮚ CapEx: spending money up front on physical infrastructure and then deducting that cost over time from your tax bill.
▪ Example: deploying your own data center: server, storage, network, backup and archive expenditures.
⮚ OpEx: no up-front cost; you pay for a service or product as you use it.
▪ Pro: demand and growth may be unexpected and exceed estimates, which is a problem for a CapEx model but not for pay-as-you-go.
Benefits of cloud computing
New Startup
Cloud Computing Benefits
Traditional Data Center Challenges vs Advantages of Cloud Computing
➢ Large up-front investment → No initial investment
➢ Forecast infrastructure needs → Pay only for how much you use; you do not own the hardware
➢ Trade capital expense for variable expense
Consumption-based model
Pay-as-you-go model
Consumption-based model vs fixed cost model
⮚ Cloud pricing model in which clients pay only for the resources they utilize.
Computing Models
Categories of cloud services - SaaS vs PaaS vs IaaS
Shared responsibility Model
Who owns the workload responsibility?
Shared responsibility in the cloud
Workload responsibilities vary depending on whether the workload is hosted on SaaS, PaaS, IaaS or in an on-premises datacenter: the further down the stack you go (SaaS → PaaS → IaaS → on-premises), the more the customer is responsible for, while information and data, devices, accounts and identities always remain the customer's responsibility.
https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Deployment Models
Types of Cloud Computing - Public, Private and Hybrid
Cloud Deployment Models
Public Cloud
⮚ Cloud resources are owned and managed by a third-party cloud service provider and delivered over the Internet.
⮚ Advantages: no maintenance; near unlimited scalability; high reliability
⮚ Disadvantages: less control
⮚ Use case scenarios: deploy a website quickly; focus on development
Private Cloud
⮚ Cloud services that are used by a single organization and are not accessible to the general public.
⮚ Advantages: use your own equipment to meet security, compliance or legacy scenarios; control; strict security and compliance
⮚ Disadvantages: infrastructure cost; difficult to achieve elasticity; IT skills required
⮚ Use case scenarios: medical data that can't be exposed to the public; an application that runs on old hardware
Hybrid Cloud
⮚ Combination of public and private cloud with automation and orchestration between the two.
⮚ Advantages: meet legal obligations by keeping regulated data on the private side while using the public cloud for the rest
⮚ Disadvantages: expensive; complicated
⮚ Use case scenario: government policy requires specific data to be kept in-country
Cloud Pricing Models
Factors that affect cost
➢ On-premises costs: building, electricity, cooling, Internet; employees to maintain the infrastructure
➢ Is cloud pricing simpler? Yes, but it's not straightforward: the bill can depend on multiple metrics for each service
Cloud Pricing Models (examples, grouped by how a service is billed)
➢ Free services: Virtual Network, Azure Policy, Azure Migrate, Azure Lighthouse
➢ Billed per resource and running time: Virtual Machine, SQL Database, Load Balancer
➢ Billed by storage volume: Database Storage
➢ Billed by provisioned throughput (request units): Cosmos DB
➢ Serverless offerings, billed per execution/consumption: Azure Function, Serverless Database, Logic Apps
➢ Other factors: Regions/Locations, Support options, and so on….
Benefits of Cloud Computing
High availability: Provide a continuous user experience with no apparent downtime
Elasticity: Cloud-based applications may be configured to use autoscaling, ensuring they always have enough resources.
Agility: Rapidly deploy and configure cloud resources as your app's needs change.
Geo-distribution: Global geo-distribution of applications and data ensures that consumers get the optimum performance in their area.
Disaster recovery: Cloud-based backup services, data replication, and geo-distribution allow you to deploy applications with assurance that
your data will be secure in the event of a disaster.
Learning Objectives
➢ High availability, Fault tolerance and Disaster recovery
➢ CapEx vs OpEx
➢ Deployment Models
➢ Availability Zones
➢ Resource Groups
➢ Subscription
➢ Management Groups
Azure Global Infrastructure
Data Centers, Regions, Region pairs
Regions
⮚ A region is a physical location around the world where Microsoft clusters data centers.
⮚ Each Azure region is paired with another region within the same geography (a region pair), so that platform updates and disaster recovery can be staged across the pair.
Resource Groups
⮚ A resource group is a logical container that helps you manage and organize your Azure resources.
⮚ Group resources that share, for example, a lifecycle, usage, type or location.
⮚ You can move a resource from one resource group to another group.
⮚ The resources in a resource group can be located in different regions than the resource group.
⮚ A resource group can be used to scope access control for administrative actions. To manage a resource group, you can assign Azure
Policies, Azure roles, or resource locks.
⮚ You can apply locks to a resource group or subscription to prevent deletion or make contained resources read-only. You can
also apply locks directly to a resource.
⮚ You can apply tags to a resource group. The resources in the resource group don't inherit those tags.
⮚ Life cycle: When you delete a resource group, all resources in the resource group are also deleted.
⮚ To create a resource group, you can use the portal, PowerShell, Azure CLI, or an ARM template.
Azure Resource Manager
Deployment and management service for Azure
Azure Resource Manager (ARM)
⮚ ARM template is a JSON file that defines what you want to deploy to Azure.
⮚ Integrates with Azure portal, PowerShell, CLI, and REST API to perform
deployment and management tasks.
Ref: https://docs.microsoft.com/en-us/learn/modules/azure-architecture-fundamentals/management-groups-subscriptions
Management Groups
Organize multiple subscriptions as a single management entity
Management groups
Azure Sovereign Regions
➢ Specific regions of Azure that were created to meet high security and other regulatory and compliance requirements for specific markets
➢ Azure Government
➢ Azure China
Azure Government
⮚ Specially designed for the US government
⮚ US federal, state, local and tribal government agencies and their partners; physically isolated from the global Azure cloud
Azure China
⮚ Azure China is designed for organizations doing business in China that need to meet Chinese regulations; it is operated by 21Vianet and is separate from global Azure.
Learning Outcome
➢ Regions - physical locations around the world where Microsoft clusters data centers.
➢ Availability Zones
➢ Resource Groups
▪ A resource group is a logical container that helps manage and organize your Azure resources.
▪ An ARM template is a JSON file that defines what you want to deploy to Azure.
➢ Subscription
▪ An Azure subscription is a logical unit of Azure services that links to an Azure account
➢ Management Groups
Learning Objectives
➢ What is Compute?
➢ Deploy Website on VM
➢ Load Balancer
➢ Deploy VMs at Availability Zones
➢ Containers
➢ ACI vs AKS
❖ Azure Virtual Machines
❖ Azure Functions
❖ Apps (Azure App Service)
⮚ With the Azure Virtual Machines service, you can create and use VMs in the cloud.
⮚ Infrastructure-as-a-Service (IaaS)
⮚ Size of VM – CPU/RAM/Storage
⮚ Availability options
⮚ Use Cases:
[Diagram: Availability Zones within a region, connected by high-speed, private fiber-optic networks]
Availability sets
Provide high availability and business continuity for applications
Availability Sets
▪ Availability Sets make use of two key concepts: Fault Domains and Update Domains.
▪ Update domains define the group of virtual machines that are patched/maintained/rebooted at the same time.
▪ Fault domains define the group of virtual machines that share a common power source and network switch.
▪ Availability sets are free to use. You only pay for the virtual machines being created.
▪ Caveat: an availability set only helps when it holds two or more VMs; a single VM gains nothing from it.
Virtual Machine Scale Sets
▪ All VM instances are created from the same base OS image and configuration.
▪ VM size, disk configuration, and application installs should match across all VMs.
▪ There is no cost for the scale set itself; you only pay for each VM instance that you create.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview
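The fault-domain/update-domain arithmetic above, worked as an added example (Python, written for this page; it is not part of the course or of any Azure tooling). It models Azure's sequential assignment of VMs to domains and reports how many instances stay up in the worst single-domain loss. The domain counts (3 fault domains, 5 update domains), the VM counts and the capacity threshold are assumptions.

```python
# Added example (not from the slides): model how the VMs in an availability
# set spread across fault domains (FD) and update domains (UD), and check how
# many instances stay up when one domain is lost. Simplified model of Azure's
# sequential round-robin assignment; the domain counts are assumptions.


def place(vm_count, fault_domains=3, update_domains=5):
    """Return a list of (FD, UD) per VM, assigned round-robin in creation order."""
    return [(i % fault_domains, i % update_domains) for i in range(vm_count)]


def survivors_if_fd_lost(placement, fd):
    """VMs still running if the power source/switch behind one fault domain fails."""
    return sum(1 for f, _ in placement if f != fd)


def survivors_if_ud_lost(placement, ud):
    """VMs still running while one update domain is rebooted for maintenance."""
    return sum(1 for _, u in placement if u != ud)


def min_survivors(vm_count, fault_domains=3, update_domains=5):
    """Worst case over any single FD failure or single UD maintenance window."""
    placement = place(vm_count, fault_domains, update_domains)
    worst_fd = min(survivors_if_fd_lost(placement, f) for f in range(fault_domains))
    worst_ud = min(survivors_if_ud_lost(placement, u) for u in range(update_domains))
    return min(worst_fd, worst_ud)


def meets_capacity(vm_count, required_up, fault_domains=3, update_domains=5):
    """True if at least `required_up` VMs remain after the worst single-domain loss."""
    return min_survivors(vm_count, fault_domains, update_domains) >= required_up


if __name__ == "__main__":
    for n in (1, 2, 6):
        print(n, "VM(s):", place(n), "-> worst case", min_survivors(n), "still up")
```

With one VM the worst case is zero instances up, which is why the availability-set SLA only applies to two or more VMs; with six VMs across three fault domains, losing any one domain still leaves four running.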
Azure App Service
Enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs
Containers
⮚ Problem Statement 2: you need different machines to run three different Python-based applications that each use a different version of Python
⮚ Solution: package each project in a container that declares all the dependencies needed to run it. The project can then run on any computer that has a container runtime installed.
⮚ Containers are a way to wrap up an application into its own isolated package.
⮚ In a nutshell, a container is the modern way to hand your project to friends, colleagues or clients without worrying about their system configuration.
⮚ Important features:
⮚ Portability: deploy to different environments
⮚ Consistency: behaves the same each time
⮚ No maintenance related to infrastructure
⮚ Deployment and maintenance are efficient
⮚ Auto scaling
[Diagram: each container packages the app together with its DLLs/libraries]
ACI vs AKS
Azure Container Instances (ACI) vs Azure Kubernetes Service (AKS)
Hosting Options for Containers: Azure Container Instances (ACI), Azure Kubernetes Service (AKS), Azure App Service
Azure Container Instances (ACI)
⮚ ACI is a service that lets you run containers on Azure without having to maintain or patch the environment.
⮚ Basic web applications, dev/test scenarios and batch processing are all supported by ACI.
⮚ When you just need to run a few containers, it's a good option.
⮚ Managed environment
⮚ Only pay for containers
⮚ Deployment is easy.
Azure Kubernetes Service (AKS)
⮚ For more complex container designs where you require additional control over the health and performance of your containers, use Azure Kubernetes Service (AKS).
⮚ You can coordinate the deployment, update and management operations for all of your containers using AKS.
⮚ If you need to operate tens, hundreds or even thousands of containers, AKS (a managed service built on the open-source Kubernetes project) could be a good fit.
Containers vs Virtual Machines
⮚ A virtual machine virtualizes the underlying hardware: the CPU, memory and storage.
⮚ Containers are smaller than a virtual machine and quicker to spin up because you're only waiting for the app to launch, not the operating system.
Docker & Azure Container Registry
Docker is an open source containerization platform
Azure Container Registry
⮚ An image is a read-only template with instructions on how to create the container.
⮚ A container is a runnable instance of the image.
⮚ A container registry is a service that stores and distributes container images.
⮚ Docker Hub is a public container registry on the web that serves as a general catalog of images.
⮚ Azure offers a similar service called Azure Container Registry, which gives customers complete control over their images, integrated authentication with Azure AD, and more.
Docker
⮚ Docker is an open source project that automates the deployment of containers that can run in the cloud or on-premises.
⮚ Docker is also a company that promotes and evolves the technology, and works in collaboration with cloud vendors like Microsoft.
⮚ The result of adopting Docker, or containers, is that applications can be deployed or undeployed faster, start and stop faster, and switch to another image faster.
⮚ Runs on any machine
⮚ No compatibility issues
⮚ Predictable behavior
Azure Virtual Desktop
⮚ Some challenges with managing user desktops: IT management overhead; security management
⮚ Solution: Azure Virtual Desktop provides
⮚ A cloud-hosted version of Windows that your users can use from any location.
⮚ Azure Marketplace prebuilt VM images, or you provide your own custom images.
⮚ Cost savings
⮚ Bring your own licenses
⮚ Buy reserved instances
Why should you use Azure Virtual Desktop?
⮚ Low Latency
⮚ Run host virtual machines (VMs) near apps and services that
connect to your datacenter
⮚ Secure
⮚ Authentication using Azure AD
⮚ Azure Multi-Factor Authentication
⮚ Role-based access control (RBAC) for users
⮚ No confidential data on the personal device: the desktop and its data stay in Azure; only display, keyboard and mouse traffic reach the device.
⮚ User sessions are isolated in both single-session and multi-session environments.
Learning Outcome
➢ What is Compute?
➢ Azure Virtual Machine – IaaS; you configure OS, CPU, RAM, storage and so on
➢ Deploy Website on VM
➢ Load Balancer
➢ Availability Zones
➢ Each Availability Zone has a distinct power source, network, and cooling.
➢ Availability sets
➢ Containers
➢ Containers are a way to wrap up an application into its own isolated package
Learning Objectives
➢ Advantages of Serverless technology
➢ Azure Functions
➢ You'll learn what they are, how they differ, and when you should choose one over the other.
Azure Functions
⮚ Event-driven: an excellent fit for workloads that respond to incoming events. Triggers include:
⮚ Timers, for example a function that needs to run every day at 10:00 AM UTC.
⮚ HTTP, for example API and webhook scenarios.
⮚ Queues, for example order processing.
⮚ And much more.
⮚ Use cases:
⮚ Process file uploads - run code when a file is uploaded or changed in blob storage
⮚ Build a web API - implement an endpoint for your web applications using the HTTP trigger
⮚ Respond to database changes - run custom logic when a document is created or updated in Cosmos DB
Logic Apps
Quickly build powerful integration solutions
Learning Outcome
➢ Azure Functions
▪ Event-driven
Learning Objectives
➢ ExpressRoute
➢ Azure DNS
Virtual Network (VNet)
▪ Corporate networks offer a secure internal network that safeguards your resources, data and communications from unauthorized access.
[Diagram: a VNet with CIDR range 10.0.0.0/16]
Need for VNet Subnets
⮚ Each kind of resource has distinct access requirements.
⮚ Public load balancers are reachable from the internet (public resources).
⮚ Databases and app server instances should be unreachable from the internet.
⮚ Only apps running inside your VNet should be able to reach them (private resources).
VNet Subnets
⮚ Organize and group resources in subnets carved out of the VNet range (for example 10.0.0.0/24 and 10.0.1.0/24 inside 10.0.0.0/16)
⮚ Separate public and private resources into distinct subnets
⮚ Resources in a public subnet (those given public IP addresses) CAN be accessed from the internet
⮚ Resources in a private subnet CANNOT be accessed from the internet, but resources in a public subnet can connect to resources in a private subnet
⮚ Caveat: Azure has no "public subnet" setting; exposure is decided by whether a resource has a public IP and by its network security group rules, so a private subnet must be enforced with an NSG rather than assumed from its name.
⮚ Use network security groups (NSGs) to secure individual subnets
VPN Gateway
⮚ Connects two or more trusted private networks to one another securely over an untrusted network (typically the public internet) through an encrypted tunnel.
⮚ Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
VNet Peering
[Diagram: East US VNet peered with West US VNet]
⮚ Low latency: resources in different VNets are connected over high-bandwidth links.
⮚ VNet Peering provides a low-latency, high-bandwidth connection useful in scenarios such as cross-region data replication and database failover. Since traffic is completely private and remains on the Microsoft backbone, customers with strict data policies prefer VNet Peering, as the public internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low-latency connections.
⮚ VPN Gateways provide a limited-bandwidth connection and are useful in scenarios where encryption is needed but bandwidth restrictions are tolerable. In these scenarios, customers are also not as latency-sensitive.
Load Balancer vs Application Gateway
⮚ Load Balancer: distributes traffic by IP address and port (layer 4) across a backend pool
⮚ Application Gateway: provides HTTP-based (layer 7) load balancing, routing each HTTP request to a backend pool
Content Delivery Network (CDN)
https://docs.microsoft.com/en-us/azure/cdn/cdn-overview
⮚ To reduce latency, CDNs cache content on edge servers near end users.
⮚ Benefits:
⮚ More responsive apps, particularly those that need many round-trips to load content.
⮚ User requests and content are served directly from edge servers, reducing traffic to the origin server.
ExpressRoute
Fast, reliable, and private connection to Azure
⮚ Create private connections between Azure datacenters and your on-premises infrastructure; traffic does not traverse the public internet.
⮚ The setup and configuration for ExpressRoute is more complex and requires collaboration with a connectivity provider.
⮚ Large-scale, mission-critical workloads requiring scalability and resilience are suitable for this architecture.
ExpressRoute vs VPN Gateway
⮚ ExpressRoute:
⮚ Suitable when you need a high-speed, low-latency connection and a high level of availability/resiliency.
⮚ Doesn't suit smaller satellite offices that have a lower connectivity requirement.
⮚ VPN Gateway:
⮚ Suitable for prototyping, development, test, labs, and small production workloads.
Azure DNS
[Diagram: how a name is resolved]
1. The web browser asks the DNS server: where is Microsoft.com?
2. The DNS server answers with the IP address (10.5.10.6 in the diagram)
3. The browser sends an HTTP request to the server at that address
4. The server returns the HTTP response
⮚ Hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
⮚ Advantages:
⮚ DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers.
Private Endpoint
[Diagram: a private IP on the VNet maps to a storage account]
⮚ A private endpoint is a network interface that uses a private IP address from your virtual network.
⮚ This network interface connects you privately and securely to a service that's powered by Azure Private Link.
Service Endpoint vs Private Link
⮚ Data protection
⮚ Service Endpoint — the service keeps its public address; to stop exfiltration to another account of the same service, traffic must be forced through an NVA/firewall.
⮚ Private Link — the endpoint maps to one specific resource, so data-exfiltration protection is built in.
⮚ Complexity
⮚ Service Endpoint — much easier to implement and significantly reduces the complexity of your architecture design.
⮚ Private Link — another resource (the private endpoint, plus its private DNS zone) must be managed.
⮚ Cost
⮚ Service Endpoint — using VNet service endpoints comes at no extra cost.
⮚ Private Link — charged per endpoint-hour plus processed ingress and egress traffic, so costs can add up.
⮚ Availability
⮚ Neither is available for every resource/service.
Learning Outcome
➢ Virtual Network
▪ Corporate networks offer a secure internal network that safeguards your resources, data, and communications from unauthorized access.
➢ Subnets
➢ VPN Gateway
▪ Can connect an Azure virtual network with an on-premises network
➢ VNet Peering
➢ CDN
▪ To reduce latency, CDNs cache content on edge servers near end users.
➢ ExpressRoute
▪ Create private connections between Azure datacenters and your on-premises infrastructure
➢ Azure DNS
▪ Hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
Azure Storage Services
➢ In this module, you'll learn about the different Azure storage options and the scenarios in which each is appropriate.
➢ Disk Storage
➢ File Sync
➢ Azure Migrate
⮚ Features
⮚ Managed - Azure handles hardware maintenance, updates, and critical issues for you.
⮚ Even in the event of a failure, redundancy ensures your storage account's availability and durability.
⮚ With GRS or GZRS, the data in the secondary region isn't available for read or write access unless there is a failover to the
secondary region.
⮚ For read access to the secondary region, configure your storage account to use
⮚ Read-access geo-redundant storage (RA-GRS)
⮚ Read-access geo-zone-redundant storage (RA-GZRS).
Azure Storage Redundancy
⮚ Locally redundant storage (LRS) – three synchronous copies in the same data center
⮚ Zone-redundant storage (ZRS) – three synchronous copies across three availability zones (AZs)
⮚ Geo-redundant storage (GRS) – LRS plus an asynchronous copy to the secondary region (three more copies using LRS); the secondary is not readable unless you fail over
⮚ Read-access geo-redundant storage (RA-GRS) – GRS plus read access to the secondary
⮚ Geo-zone-redundant storage (GZRS) – ZRS plus an asynchronous copy to the secondary region (three more copies using LRS); the secondary is not readable unless you fail over
⮚ Read-access geo-zone-redundant storage (RA-GZRS) – GZRS plus read access to the secondary
Azure Blob Storage
Binary Large Object
Blob Storage
⮚ Use cases:
⮚ Storing files for shared access
⮚ Video and audio streaming
⮚ Storing data for analysis (Data Lake Gen2)
⮚ Writing to the log file
⮚ Storing data for disaster recovery, backup, and archiving
⮚ Flat structure
⮚ Block Blobs:
⮚ For large objects that don't need random read and write operations: files that are read from beginning to end, such as media files or image files for websites.
⮚ Page Blobs:
⮚ Optimized for random read and write operations.
⮚ Provide durable disks for Azure Virtual Machines (Azure VMs)
⮚ Append Blobs:
⮚ Optimized for append operations. e. g. Logs
⮚ When you modify an append blob, blocks are added to the end of the blob only
⮚ Updating or deleting of existing blocks is not supported
⮚ For example, you might write all of your trace logging to the same append blob for
an application running on multiple VMs
Storage Access Tiers
Organize your data based on attributes like frequency of access and planned retention period.
⮚ Data stored in the cloud can differ in how it's generated, processed, and accessed over its lifetime.
⮚ Pricing: the volume of data stored per month plus access charges; going Hot → Cool → Archive trades fast access at a higher storage cost for slow access at a lower storage cost.
⮚ Hot
⮚ Frequently accessed data; highest storage cost, lowest access cost
⮚ Cool
⮚ Infrequently accessed data
⮚ Example - invoices for your customers
⮚ Lower storage cost, higher access cost
⮚ Stored for at least 30 days
⮚ Archive
⮚ Rarely accessed data
⮚ Example - long-term backups
⮚ Lowest storage cost; highest access times and access cost
⮚ Latency in hours (a blob must be rehydrated to Hot or Cool before it can be read)
⮚ Stored for at least 180 days
⮚ Use Case: business-policy-mandated data archiving, long-term retention like healthcare data
Azure Table Storage
A NoSQL key-value store
⮚ NoSQL key-value storage
⮚ To help ensure fast access, Azure Table Storage splits a table into partitions
⮚ Advantages
⮚ It's simpler to scale
⮚ A table can hold semi-structured data
⮚ No complex relationships
⮚ Data insertion and retrieval is fast
Azure Queue Storage
⮚ A queue may contain millions of messages, up to the total capacity limit of a storage account.
On-premises file share challenges
⮚ Limited amount of storage
⮚ Maintenance (hardware and OS)
⮚ Scheduled backups
⮚ Security
⮚ Difficult to share files across data centers
Azure File Storage
⮚ Enables you to create file shares in the cloud and access these file shares from anywhere with an internet connection
⮚ Accessible via the Server Message Block (SMB) protocol or the Network File System (NFS) protocol
⮚ Azure Files ensures the data is encrypted at rest, and SMB 3.x encryption ensures the data is encrypted in transit.
⮚ Use Cases
⮚ Dev/Test/Debug
⮚ Key Benefits
⮚ Shared access: replace on-premises file shares with Azure file shares without application compatibility issues
⮚ Resiliency: you don't have to deal with local power and network issues.
Disk Storage
High-performance, highly durable block storage for Azure Virtual Machines
Azure Disk Storage
⮚ A VM uses disks to store an operating system, applications, and data in Azure.
⮚ One virtual machine can have one OS disk and multiple data disks, but a data disk can be attached to only one VM.
⮚ Both the OS disk and the data disks are virtual hard disks (VHDs) stored in an Azure storage account.
⮚ The VHDs used in Azure are .vhd files stored as page blobs in a standard or premium storage account.
⮚ Unmanaged disks: you create a storage account and specify it when you create the disk.
⮚ Not recommended; existing unmanaged disks should be migrated to managed disks
⮚ Managed disks
⮚ Azure creates and manages the storage accounts in the background.
⮚ You don't have to worry about scalability issues.
⮚ Azure creates and manages the disk for you based on the size and performance tier you specify.
⮚ AzCopy
⮚ Moves large amounts of data (TBs) between on-premises and Azure storage securely.
⮚ Scenarios
▪ Backup
▪ Data recovery
⮚ Issue
▪ The network is too slow for this much data
➢ Solution: Azure Import/Export service
➢ Disk drives – you can use your own or ones provided by Microsoft.
➢ Import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.
➢ Export large amounts of data from Azure Blob storage to disk drives and ship them to your on-premises sites.
Azure File Sync
⮚ Replication occurs between Windows servers in your data centers and Azure.
⮚ Provides local caching for your users. You can have as many caches as you want.
⮚ By default, every file is kept in full on the server and in Azure Files; with Cloud Tiering enabled, only frequently accessed files are cached locally on the server.
⮚ You can access your data locally using SMB, NFS, or FTPS on Windows Server.
⮚ Advantages
⮚ File archiving
Source: https://docs.microsoft.com/
Azure File Sync Implementation
⮚ Storage Sync Service (Azure File Sync): the top-level resource, in the same region as the storage account.
⮚ Sync Group: defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other.
⮚ Cloud endpoint: an Azure file share that is part of a sync group. An Azure file share can be a member of only one sync group.
⮚ Server endpoint: a specific location on a registered server, such as a folder on a server volume (for example C:\FolderA).
⮚ Azure File Sync agent: installed on Windows Server; allows the server to sync with an Azure file share.
AzCopy
⮚ Use it to copy data to/from Azure Blob and File storage: between on-premises servers and Azure, between a file system and a storage account, or between storage accounts.
⮚ AzCopy is preinstalled in Azure Cloud Shell, so you can use it there if you can't run it locally.
⮚ Simple commands
⮚ Basic syntax for AzCopy commands: azcopy copy [source] [destination] [flags]
⮚ Example (SAS-token authentication; the token is the one shown in the slide's documentation sample):
azcopy copy "C:\local\path" "https://account.blob.core.windows.net/mycontainer1/?sv=2018-03-28&ss=bjqt&srt=sco&sp=rwddgcup&se=2019-05-01T05:01:17Z&st=2019-04-30T21:01:17Z&spr=https&sig=MGCXiyEzbtttkr3ewJIh2AR8KrghSy1DGM9ovN734bQF4%3D" --recursive=true
⮚ Authentication options: Azure AD (azcopy login, preferred, since no secret appears on the command line) or a SAS token appended to the URL as above. Caveat: a SAS token on the command line ends up in shell history and process listings, so keep its permissions and lifetime minimal.
Source: https://docs.microsoft.com/
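An added example (Python; not part of the course or of AzCopy) that decodes the account SAS token from the command above and reports what it grants before anyone pastes it into a shell. Field meanings follow the documented SAS query parameters; the 24-hour validity threshold and the warning texts are this example's own choices, and the sample URL is the one shown on the slide.

```python
# Added example (not from the slides): inspect an account SAS token before
# pasting it into an AzCopy command. The URL below is the slide's documentation
# sample; the thresholds and warning texts are this example's own choices.

from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
               "c": "create", "u": "update", "p": "process"}
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
MUTATING = set("wdacu")  # permission letters that can change or destroy data

SAMPLE_URL = ("https://account.blob.core.windows.net/mycontainer1/?sv=2018-03-28&ss=bjqt&srt=sco"
              "&sp=rwddgcup&se=2019-05-01T05:01:17Z&st=2019-04-30T21:01:17Z&spr=https"
              "&sig=MGCXiyEzbtttkr3ewJIh2AR8KrghSy1DGM9ovN734bQF4%3D")


def parse_utc(value):
    """SAS timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expand(letters, table):
    """Map each single-letter code to its name; unknown letters are kept visible."""
    return sorted({table.get(ch, "unknown:" + ch) for ch in letters})


def audit_sas(url, now, max_valid_hours=24):
    """Decode the SAS query parameters and return a report with warnings."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    perms = params.get("sp", "")
    expiry = parse_utc(params["se"])
    start = parse_utc(params["st"]) if "st" in params else now
    valid_hours = (expiry - start).total_seconds() / 3600
    report = {
        "permissions": expand(perms, PERMISSIONS),
        "services": expand(params.get("ss", ""), SERVICES),
        "resource_types": expand(params.get("srt", ""), RESOURCE_TYPES),
        "https_only": params.get("spr") == "https",
        "expired": now >= expiry,
        "valid_hours": valid_hours,
        "warnings": [],
    }
    if MUTATING & set(perms):
        report["warnings"].append("token can modify or delete data (sp=%s)" % perms)
    if "s" in params.get("srt", ""):
        report["warnings"].append("service-level access (srt contains s) exposes account-wide operations")
    if not report["https_only"]:
        report["warnings"].append("spr is not https-only; token could be sent in clear")
    if valid_hours > max_valid_hours:
        report["warnings"].append("validity of %.1f h exceeds %d h" % (valid_hours, max_valid_hours))
    if any(p.startswith("unknown:") for p in report["permissions"]):
        report["warnings"].append("unrecognised permission letters: check the sp value")
    return report


if __name__ == "__main__":
    for warning in audit_sas(SAMPLE_URL, datetime.now(timezone.utc))["warnings"]:
        print("WARN:", warning)
```

On the slide's sample the report shows an eight-hour window, write and delete permissions, service-level scope and an unrecognised letter in sp, which is exactly the kind of token that should be narrowed (read/list only, object scope, shortest workable expiry) or replaced by azcopy login before it is used.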
Azure Migrate
Discover, assess, right-size, and migrate your on-premises virtual machines (VMs) to Azure
⮚ Provides a range of tools
Source: https://docs.microsoft.com/
Azure Data Box
⮚ You can order the Data Box device via the Azure portal to import or export data from Azure.
⮚ Scenarios: one-time migration, initial bulk transfer, disaster recovery, migrate back to
Source: https://docs.microsoft.com/
Learning Outcome
➢ Azure Storage Service
▪ Even in the event of a failure, redundancy ensures your storage account's availability and durability.
▪ Locally redundant storage (LRS), Zone-redundant storage (ZRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), Geo-zone-redundant storage (GZRS), Read-access geo-zone-redundant storage (RA-GZRS)
➢ Types of Storage
▪ Blob storage
o Block, Page and Append
▪ Azure File Storage - enables you to create file shares in the cloud and access these file shares from anywhere with an internet connection
➢ Disk Storage
▪ A VM uses disks to store an operating system, applications, and data in Azure.
➢ Azure Storage Explorer
▪ Free tool to conveniently manage your Azure cloud storage resources from your desktop
➢ AzCopy
▪ Moves large amounts of data (TBs) between on-premises and Azure storage securely; use it to copy data to/from Azure Blob and File storage
➢ File Sync
▪ Replication occurs between Windows servers in your data centers and Azure.
➢ Azure Migrate
▪ Centralized hub to assess and migrate on-premises servers, infrastructure, applications, and data to Azure.
➢ Azure Data Box
▪ Microsoft provides you a piece of hardware in three different sizes developed specifically for import and export tasks.
Identity Service
➢ Authentication vs Authorization
➢ Azure AD Groups
➢ Azure AD Roles
➢ Multi-Factor authentication
➢ Conditional Access
➢ Password-less authentication
➢ Defense in Depth
⮚ Authentication answers the question “Is this person who they claim to be?”; authorization answers “What is this person allowed to do?”
Source: Microsoft
Authentication and Authorization Techniques
⮚ Authentication techniques
⮚ Password-based authentication
⮚ Single sign-on
⮚ Social authentication
⮚ OpenID Connect (an identity layer on top of OAuth 2.0 that proves who the user is)
⮚ Authorization techniques
⮚ OAuth 2.0 (delegated access: what the caller may do, without sharing the user's password)
Azure Active Directory
Microsoft's cloud-based identity and access management service
Azure Active Directory
User
Source: https://docs.microsoft.com/
Azure Active Directory
⮚ Helps your employees sign in and access resources
⮚ User information such as name, Id, email, password and address is stored in Azure AD by organizations.
⮚ Every day, Azure AD manages over 1.2 billion identities, according to Microsoft.
⮚ Tenant
⮚ Represents an organization
⮚ Tenant is automatically created when your organization signs up for a Microsoft cloud service subscription.
⮚ The term Tenant means a single instance of Azure AD representing a single organization.
Azure Active Directory
⮚ The terms Tenant and Directory are often used interchangeably.
Source: https://docs.microsoft.com/
Windows Server AD (AD DS) vs Azure AD
⮚ Authorization - OAuth
Source: https://docs.microsoft.com/
User Accounts
⮚ Cloud Identities
⮚ B2B collaboration
Source: https://docs.microsoft.com/
Azure B2B – External Users
Source: https://docs.microsoft.com/
Azure AD Roles vs RBAC Roles
User
➢ Billing/Payment Info
Source: https://docs.microsoft.com/
Single sign-on (SSO)
⮚ Problem statement - Why we need it?
⮚ Users had to create individual identity and password for each application
⮚ Single sign-on allows users to sign in once and access multiple resources and
applications from multiple providers.
⮚ With SSO, you need to remember only one ID and one password.
Source: Microsoft
Multifactor authentication
⮚ Two processes that enable secure authentication: Azure AD Multi-Factor Authentication and Conditional Access.
⮚ Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate.
⮚ Something the user knows: This might be an email address and password.
⮚ Something the user has: This might be a code that's sent to the user's mobile phone.
⮚ Something the user is: This is typically some sort of biometric property, such as a fingerprint or face scan that's used on
many mobile devices.
⮚ What device the user is requesting access from (is this a new device?)
⮚ Based on these signals, Azure AD can decide to allow access, deny it, or require MFA.
Source: Microsoft
Conditional access use cases?
⮚ You can specify whether all users, or just administrators, require multifactor authentication.
⮚ Choose whether multifactor authentication is required for all networks or just untrusted ones.
⮚ For example, allow users to access Office 365 services from a mobile device only if they use approved client apps, like the Outlook
mobile app.
Source: Microsoft
Passwordless authentication
⮚ MFA
▪ Ease-of-use challenges
⮚ Passwordless
⮚ Passwordless Options
▪ Microsoft Authenticator
Source: Microsoft
Windows hello for business
⮚ Biometric sign-in
⮚ Facial recognition
⮚ Fingerprint recognition
⮚ 4 digit PIN
Source: Microsoft
Microsoft Authenticator
Source: Microsoft
FIDO2
Source: Microsoft
Azure RBAC
Role-based access control
⮚ Azure RBAC is a system that controls who has access to which Azure resources and what those
people can do with those resources.
⮚ You can create your own custom Azure roles to assign custom
permissions
⮚ You can assign roles using the Azure portal, Azure CLI, Azure
PowerShell, Azure SDKs, or REST APIs.
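The slide states the idea of RBAC (who, which resources, what they can do) without showing how a decision is actually made. The following added example, not code from the original deck or from Azure, is a simplified model of that decision: a role is a set of wildcard action patterns (Actions minus NotActions), an assignment binds a principal to a role at a scope, and the assignment is inherited by every resource below that scope. The roles are constructed here and only patterned after the built-in Reader and Contributor; the subscription id, resource group and VM names are placeholders; data actions, deny assignments and conditions are deliberately left out.

```python
"""Simplified model of how Azure RBAC decides an access request (added example;
not Azure's own engine). Assumptions: scopes are '/'-separated paths, an
assignment applies to its scope and everything beneath it, and a role's
effective permissions are Actions minus NotActions (NotActions is not a deny).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # wildcard patterns, e.g. "Microsoft.Compute/*"
    not_actions: tuple = ()   # subtracted from actions


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str                # management group, subscription, RG or resource


def _matches(patterns, action):
    # Azure operation names are case-insensitive and '*' spans '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    return _matches(role.actions, action) and not _matches(role.not_actions, action)


def is_allowed(assignments, principal, action, resource_scope):
    """True if some assignment for the principal, at the resource's scope or an
    ancestor scope, carries a role whose effective actions cover the action."""
    for a in assignments:
        if a.principal != principal:
            continue
        in_scope = resource_scope == a.scope or resource_scope.startswith(a.scope + "/")
        if in_scope and role_permits(a.role, action):
            return True
    return False


# Constructed roles patterned after the built-in Reader and Contributor, plus a
# custom role of the kind the slide mentions (names are illustrative).
READER = RoleDefinition("Reader", ("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor", ("*",),
    not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"),
)
VM_OPERATOR = RoleDefinition(
    "VM Operator (custom)",
    ("Microsoft.Compute/virtualMachines/start/action",
     "Microsoft.Compute/virtualMachines/restart/action",
     "*/read"),
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM2 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-02"

ASSIGNMENTS = [
    RoleAssignment("alice", READER, SUB),          # read everything in the subscription
    RoleAssignment("bob", CONTRIBUTOR, RG_WEB),    # manage rg-web, but not its access
    RoleAssignment("carol", VM_OPERATOR, VM1),     # start/restart one VM only
]


def evaluate_requests(assignments=ASSIGNMENTS):
    """Run a set of representative access checks and return the decisions."""
    checks = {
        "alice reads vm-web-01": ("alice", "Microsoft.Compute/virtualMachines/read", VM1),
        "alice deletes vm-web-01": ("alice", "Microsoft.Compute/virtualMachines/delete", VM1),
        "bob writes vm-web-01": ("bob", "Microsoft.Compute/virtualMachines/write", VM1),
        "bob grants a role in rg-web": ("bob", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
        "bob writes in rg-db": ("bob", "Microsoft.Sql/servers/write", RG_DB + "/providers/Microsoft.Sql/servers/sql1"),
        "carol starts vm-web-01": ("carol", "Microsoft.Compute/virtualMachines/start/action", VM1),
        "carol starts vm-web-02": ("carol", "Microsoft.Compute/virtualMachines/start/action", VM2),
        "carol deletes vm-web-01": ("carol", "Microsoft.Compute/virtualMachines/delete", VM1),
    }
    return {label: is_allowed(assignments, *args) for label, args in checks.items()}


if __name__ == "__main__":
    for label, allowed in evaluate_requests().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The two checks worth studying are bob's: Contributor at the resource-group scope lets him change resources in rg-web but not in rg-db (scope inheritance only flows downward), and the NotActions on Contributor stop him from handing out role assignments even though his Actions pattern is `*`. That is why delegating access is normally done through Owner or User Access Administrator rather than Contributor.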
Zero Trust principles
Why Zero Trust
➢ Mobile access
➢ Cloud migration
➢ Risk mitigation
Guiding Principles of Zero Trust
➢ Verify explicitly
➢ Assume breach
Verify explicitly
➢ Always authenticate
Use least privileged access
Assume breach
➢ Use analytics to
▪ Get visibility
▪ Drive threat detection
▪ Improve defenses
Defense in depth
Protect information and prevent it from being stolen by those who aren't authorized to access it.
Defense in depth
⮚ Each layer provides protection, so if one layer is penetrated, a following layer is already in place to
prevent further exposure.
⮚ Physical security: Microsoft owns and is responsible for managing physical security. Only authorized
personnel have access to different areas of the data centers.
⮚ Identity & Access: The identity and access layer is all about ensuring that identities are secure, access is
granted only to what's needed, and sign-in events and changes are logged.
⮚ Network perimeter - it's about protecting from network-based attacks against your resources.
Identifying these attacks, eliminating their impact, and alerting you when they happen are important
ways to keep your network secure.
⮚ Example - Use DDoS protection to filter large-scale attacks before they can affect the
availability of a system for users.
Source: Microsoft
Defense in depth
⮚ Network - the focus is on limiting the network connectivity across all your resources to allow only
what's required.
⮚ Deny by default.
⮚ Restrict inbound internet access and limit outbound access where appropriate.
⮚ Compute - Malware, unpatched systems, and improperly secured systems open your environment to
attacks.
⮚ Implement endpoint protection on devices and keep systems patched and current.
⮚ Application - Integrating security into the application development lifecycle helps reduce the number
of vulnerabilities introduced in code.
Source: Microsoft
Defense in depth
⮚ Regulatory requirements dictate the controls and processes that must be in place to ensure
the confidentiality, integrity, and availability of the data.
⮚ Confidentiality - The principle of least privilege means only allowing access to information to
those who need it to do their jobs properly.
⮚ In transit: when it's being transferred from one place to another, including from a
local computer to the cloud.
⮚ Availability: Ensure that services are functioning and can be accessed only by authorized
users.
Source: Microsoft
Microsoft Defender for Cloud
Protect your multicloud and hybrid environments
Microsoft Defender for Cloud
⮚ Microsoft Defender for Cloud is a set of security tools.
⮚ Ensures that all of the company's systems meet a minimum level of security and that its information is protected from attacks.
⮚ Monitoring service that provides visibility of your security posture across all of your services
Diagram: Azure Resources (PaaS and IaaS) → Microsoft Defender for Cloud → Defend: detect threats and send alerts (email)
Microsoft Defender for Cloud
⮚ Security Center can:
⮚ Automatically apply required security settings to new resources as they come online.
⮚ Provide security recommendations that are based on your current configurations, resources, and networks.
⮚ Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources.
⮚ Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
⮚ Included in all Azure services, provides continuous assessments, security score, and actionable security recommendations.
⮚ This tier provides a full suite of security-related services, including continuous monitoring, hybrid security, threat detection
alerts, vulnerability scanning, JIT (just-in-time) access control for VMs, and more.
Source: Microsoft
⮚ Authentication vs Authorization
Learning Outcome
▪ Azure AD Connect to sync
▪ Allows users to sign in once and access multiple resources and applications from
multiple providers
➢ Multifactor authentication
➢ Passwordless authentication
▪ Microsoft Authenticator
➢ RBAC Roles
➢ Defense in depth
▪ Monitoring service that provides visibility of your security posture across all of your
services
➢ Pricing calculator
⮚ Free Trial
⮚ Pay-as-you-go
⮚ Directly from the Azure portal website and pay standard prices
⮚ Example: Storage type (block blob storage, table storage, performance tier, access tier)
⮚ Usage meters
⮚ Microsoft creates a meter when a resource is provisioned; the meter generates usage records.
⮚ Single VM: CPU time + Public IP address + network traffic (incoming, outgoing) + disk size + disk operations (read, write)
⮚ Resource usage
⮚ Example: deallocate a VM when it is not in use to save compute cost; its storage is still billed.
⮚ Location
⮚ Reservations
pay-as-you-go prices.
⮚ Hybrid Benefits
⮚ Spot VM
⮚ If Azure needs the capacity back, spot VMs can be evicted with a 30-
second notice.
⮚ You can set the maximum price that you agree to pay.
⮚ Your VMs are automatically evicted when the current spot price is higher
than the maximum price you agree to pay or if Azure no longer has
compute capacity available.
On-premises
⮚ Upfront Cost - Capital Expenditure (CapEx)
• Hardware costs
• Software costs
• Electricity costs
Azure Cloud
• Pay-As-You-Go
⮚ This allows you to see what is costing you money and how it compares against your budget.
⮚ Download cost and usage data that was used to generate your monthly invoice
⮚ Identify opportunities for workload changes that can optimize your spending
Source: Microsoft
⮚ Cost Affecting Factors
⮚ Types of Azure Subscription
⮚ Azure Services purchase options (Direct, Third-party vendors, CSP, Enterprise agreement)
⮚ Resource type
⮚ Usage meters
⮚ Resource usage
⮚ Location
⮚ Bandwidth
⮚ Pricing Calculator - estimate the monthly cost of running your cloud workloads.
➢ The term governance refers to the process of establishing and enforcing rules and policies.
➢ A good governance strategy helps you maintain control over the cloud applications and resources you manage.
➢ Resource Lock
➢ Azure Policy
➢ Azure Blueprints
⮚ Azure tags are the name-value pairs that help to organize the Azure resources in the Azure portal.
⮚ Azure Tags are simply labels that you can attach to your Azure resources.
⮚ You can use tags to easily group and classify resources and assets in Azure.
⮚ For example, explore the costs generated by resources that have the same tag applied.
⮚ Tagging is a primary way to understand the data in any cost or billing reporting.
⮚ Resources don’t inherit any Azure tags applied at the Resource Group level.
⮚ Tagging is a fundamental part of any well-managed environment. It’s also the first step in establishing proper governance of any
environment.
⮚ For example, you can require that certain tags be added to new resources as they are provisioned.
Azure Policy
Achieve real-time cloud compliance at scale with consistent resource governance
Azure Policy
⮚ Azure Policy can help you control or restrict or audit your resources.
⮚ Enforce rules on Azure resources configurations to make sure they remain compliant with corporate standards.
⮚ Examples:
⮚ Allow only certain SKU sizes for the virtual machines (VMs) to be provisioned.
⮚ Assign policy within a specific scope (management group, a single subscription, or a resource group.)
⮚ Policy assignments are inherited by all child resources within that scope
⮚ You can exclude specific child resources you need to be exempt from the policy assignment
⮚ You can review the noncompliant policy results and take any action that's needed.
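The tag slide and the Azure Policy slide above describe behaviour that is easy to get wrong in practice: an assignment is inherited by everything under its scope, specific child scopes can be exempted, a `deny` effect blocks the deployment while `audit` only records a finding, and tags placed on a resource group are not inherited by the resources inside it. The following added example is not code from the deck or from Azure; it is a small model of those rules that evaluates a constructed inventory against two constructed assignments (an allowed-VM-SKU rule with a `deny` effect and a required-tag rule with an `audit` effect). The rule syntax mimics the `field`/`equals`/`notIn`/`exists`/`allOf` shape of Azure Policy definitions, but the field aliases, ids and SKU list are placeholders.

```python
"""Simplified model of Azure Policy evaluation and tagging (added example; not
Azure's engine). Supports a small subset of the policy rule language (field /
equals / in / notIn / exists, allOf) plus assignment scopes with excluded
child scopes (notScopes). Ids, SKUs and tag values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    id: str                    # full resource id; it also encodes the scope
    type: str                  # e.g. "Microsoft.Compute/virtualMachines"
    sku: str = None
    tags: dict = field(default_factory=dict)


@dataclass
class PolicyAssignment:
    name: str
    rule: dict                 # {"if": <condition>, "then": {"effect": ...}}
    scope: str
    not_scopes: tuple = ()     # child scopes exempted from this assignment


def _field_value(resource, name):
    # Map a policy 'field' alias onto the resource attribute it refers to.
    if name.startswith("tags['") and name.endswith("']"):
        return resource.tags.get(name[6:-2])
    return {"type": resource.type, "sku.name": resource.sku}.get(name)


def condition_matches(cond, resource):
    """Evaluate an 'if' block; when it matches, the 'then' effect applies."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _under(resource_id, scope):
    return resource_id == scope or resource_id.startswith(scope + "/")


def evaluate(resources, assignments):
    """Return (resource id, assignment name, effect) findings. An assignment is
    inherited below its scope unless the resource sits inside a notScope."""
    findings = []
    for r in resources:
        for a in assignments:
            if not _under(r.id, a.scope) or any(_under(r.id, ns) for ns in a.not_scopes):
                continue
            if condition_matches(a.rule["if"], r):
                findings.append((r.id, a.name, a.rule["then"]["effect"]))
    return findings


def would_be_denied(resource, assignments):
    """A 'deny' finding at deployment time blocks the create/update request."""
    return any(eff == "deny" for _, _, eff in evaluate([resource], assignments))


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
RG_WEB, RG_SANDBOX = SUB + "/resourceGroups/rg-web", SUB + "/resourceGroups/rg-sandbox"
VM_TYPE, ST_TYPE = "Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts"

ASSIGNMENTS = [
    PolicyAssignment("allowed-vm-skus",
        {"if": {"allOf": [{"field": "type", "equals": VM_TYPE},
                          {"field": "sku.name", "notIn": ["Standard_B2s", "Standard_D2s_v3"]}]},
         "then": {"effect": "deny"}},
        scope=SUB, not_scopes=(RG_SANDBOX,)),          # sandbox exempt from the SKU rule
    PolicyAssignment("require-costCenter-tag",
        {"if": {"field": "tags['costCenter']", "exists": "false"},
         "then": {"effect": "audit"}},
        scope=SUB),
]

# Constructed inventory. rg-web itself carries costCenter, but resource group
# tags are not inherited, so stweb below still lacks the tag in its own right.
RESOURCE_GROUP_TAGS = {RG_WEB: {"costCenter": "CC-100"}}
RESOURCES = [
    Resource(RG_WEB + "/providers/" + VM_TYPE + "/vm-web-01", VM_TYPE, "Standard_D2s_v3", {"costCenter": "CC-100"}),
    Resource(RG_WEB + "/providers/" + VM_TYPE + "/vm-web-02", VM_TYPE, "Standard_M128s", {"costCenter": "CC-100"}),
    Resource(RG_SANDBOX + "/providers/" + VM_TYPE + "/vm-sbx-01", VM_TYPE, "Standard_M128s"),
    Resource(RG_WEB + "/providers/" + ST_TYPE + "/stweb", ST_TYPE),
]


def compliance_report(resources=RESOURCES, assignments=ASSIGNMENTS):
    """Findings keyed by resource name; compliant resources do not appear."""
    report = {}
    for rid, name, effect in evaluate(resources, assignments):
        report.setdefault(rid.rsplit("/", 1)[-1], []).append((name, effect))
    return report
```

Running `compliance_report()` shows vm-web-02 blocked by the SKU rule, vm-sbx-01 untouched by it (the sandbox group is excluded) but flagged for the missing tag, and stweb flagged for the missing tag despite its resource group being tagged. Real deployments would use `az policy assignment create` with `--not-scopes` and a definition JSON of the same shape; the evaluator here exists only to make the inheritance and exemption rules visible.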
Azure Blueprints
Enabling quick, repeatable creation of governed environments
Azure Blueprints
Chair Blueprint
⮚ Create and deploy a repeatable set of Azure resources that meet specific requirements and standards.
⮚ It can be easier to make new environments that are always in line with the company's rules.
⮚ They can do this much faster than if they had to start from scratch each time.
Azure Blueprints
⮚ You can make it easier to set up large-scale Azure deployments by putting together environment artifacts in a single blueprint
definition.
⮚ Role assignments
⮚ Policy assignments
⮚ Resource groups
⮚ Resource Locks
⮚ Tags
⮚ Azure Blueprints
▪ Set of tools, best practices, guidelines and documentation to help companies with
their migration journey
Management Tools
➢ Administrators, developers, and managers interact with the cloud environment using Azure management tools to
do things like:
➢ Azure Portal
➢ Azure Arc
Azure Portal
One stop shop – Single portal, single login for all your Azure assets
Azure Portal
⮚ See all your services, create new ones, configure them, and see reports
⮚ Occasional management and administrative tasks can be performed via the Azure portal.
⮚ A visual interface for reporting makes sense if you're just learning Azure and only need to set up and manage resources
occasionally.
⮚ The routine setup, teardown, and maintenance of a single resource or multiple connected resources.
⮚ The deployment of an entire infrastructure, which might contain dozens or hundreds of resources, from imperative code.
⮚ A validation step ensures that all resources can be created in the proper order based on dependencies, in parallel, and idempotently.
Source: Microsoft
Azure Resource Manager
⮚ Deployment and management service for Azure
⮚ ARM template is verified before any code is executed to ensure that the resources will be created and connected correctly
⮚ Templates can even execute PowerShell and Bash scripts before or after the resource has been set up
⮚ ARM templates define your application's infrastructure requirements for a repeatable deployment that is done in a consistent manner
⮚ If a script encounters an error, the dependency resources can't be rolled back easily
Source: Microsoft
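The ARM slide says a template is verified before anything is executed so that resources are created in dependency order, in parallel where possible. The following added example (not Azure's deployment engine and not code from the deck) shows the core of that validation on a constructed template: it reads each resource's `dependsOn` list, rejects references to resources that do not exist and circular dependencies, and otherwise groups the resources into "waves" that can be deployed in parallel. In a real template `dependsOn` entries are usually `resourceId(...)` expressions rather than bare names; the names here are a simplification.

```python
"""Added example: dependency validation and ordering for an ARM-style template.
Not Azure's engine; the template, its resource names and types are constructed.
"""
import json

TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts",      "name": "stdiag"},
    {"type": "Microsoft.Network/virtualNetworks",      "name": "vnet-web"},
    {"type": "Microsoft.Network/networkSecurityGroups","name": "nsg-web"},
    {"type": "Microsoft.Network/publicIPAddresses",    "name": "pip-web-01"},
    {"type": "Microsoft.Network/networkInterfaces",    "name": "nic-web-01",
     "dependsOn": ["vnet-web", "nsg-web", "pip-web-01"]},
    {"type": "Microsoft.Compute/virtualMachines",      "name": "vm-web-01",
     "dependsOn": ["nic-web-01", "stdiag"]}
  ]
}
""")

# Constructed broken template used to show the validation failing.
CYCLIC = {"resources": [{"type": "t", "name": "a", "dependsOn": ["b"]},
                        {"type": "t", "name": "b", "dependsOn": ["a"]}]}


def deployment_waves(template):
    """Group resources into waves: each wave depends only on earlier waves, so
    its members can be created in parallel. Raises ValueError on a missing
    or circular dependency (the checks a pre-deployment validation must do)."""
    resources = template["resources"]
    names = {r["name"] for r in resources}
    deps = {r["name"]: set(r.get("dependsOn", [])) for r in resources}
    for name, d in deps.items():
        missing = d - names
        if missing:
            raise ValueError(f"{name} depends on unknown resource(s): {sorted(missing)}")
    waves, done = [], set()
    while len(done) < len(deps):
        # Ready = not yet deployed and every dependency already deployed.
        ready = sorted(n for n, d in deps.items() if n not in done and d <= done)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(set(deps) - done)}")
        waves.append(ready)
        done.update(ready)
    return waves


def validate(template):
    """Validation step: None when the template is deployable, else the error."""
    try:
        deployment_waves(template)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for i, wave in enumerate(deployment_waves(TEMPLATE), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("cyclic template:", validate(CYCLIC))
```

For the constructed template the first wave holds the four independent resources, the NIC follows once the network pieces exist, and the VM is last. The same walk is what lets the engine refuse a template up front instead of leaving half-created resources behind when a later step fails, which is the rollback problem the slide contrasts with scripts.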
Azure Mobile App
Stay connected to your Azure resources—anytime, anywhere.
Azure Mobile App
⮚ Access via an iOS or Android phone or tablet
⮚ Best choice when a laptop isn't readily available and you need to view and triage issues immediately
⮚ Lets employees be away from the office and still perform essential, one-off management and administrative tasks.
⮚ Monitor the health and status of your Azure resources such as virtual machines (VMs) and web apps.
⮚ Check for alerts, quickly diagnose and fix issues, and restart a web app or virtual machine (VM).
⮚ Run the Azure CLI or Azure PowerShell commands to manage your Azure resources.
Source: Microsoft
Azure Arc
Secure, develop, and operate infrastructure, apps, and Azure services anywhere.
Azure Arc
⮚ It is difficult to control and manage environments across data centers, multiple clouds, and the edge.
⮚ Each environment and cloud has its own set of management tools
⮚ Azure Arc
⮚ Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
⮚ Use familiar Azure services and management capabilities, regardless of where they live.
⮚ Servers – Windows and Linux physical servers and VMs hosted outside Azure
⮚ Kubernetes clusters
⮚ SQL Server
⮚ Virtual Machines
Learning Outcome
▪ Command-line tools that enable you to create and manage Azure resources.
➢ Azure Resource Manager (ARM)
▪ CloudShell: An interactive shell that runs in the browser for free (Access from Azure
Portal)
➢ Azure Arc
➢ Microsoft can help you react quickly to outages, research intermittent issues, optimize your usage, and be proactive in
➢ Azure Advisor
Azure Advisor
⮚ Provides recommendations to optimize your Azure deployments
⮚ Azure Advisor integrates with Microsoft Defender for Cloud (Azure Security Center) to help to prevent, detect, and
respond to threats to Azure resources.
⮚ Security: Detect threats and vulnerabilities that might lead to security breaches.
⮚ Operational Excellence: Help you achieve process and workflow efficiency, resource manageability, and
deployment best practices.
Source: Microsoft
Azure Monitor
Full observability into your applications, infrastructure, and network
Azure Monitor
⮚ Collect, analyze, visualize, and take action based on metric and log data
Source: Microsoft
Azure Service Health
Personalized alerts and guidance for Azure service issues
Azure Service Health
⮚ Keeps you informed about current and upcoming issues on the Azure side.
⮚ You can set up Service Health alerts – notify you about service issues, planned maintenance, or other changes.
1. Azure status provides a global view of the health of all Azure services across all Azure regions.
⮚ status.azure.com
2. Service health is a personalized view of the health of the Azure services and regions you're using.
1. Service issues - Problems in the Azure services that affect you right now.
2. Planned maintenance - Upcoming maintenance that can affect the availability of your services in the future.
▪ Suggests ways to reduce the impact of this downtime.
3. Health advisories
▪ Examples include deprecation of Azure features or upgrade requirements (e.g. upgrade to a supported PHP framework).
4. Security advisories - Security-related notifications or violations that may affect the availability of your Azure services.
3. Resource health provides information about the health of your individual cloud resources, such as a specific virtual machine instance.
Source: Microsoft
➢ Azure Advisor
Learning Outcome
➢ Azure Monitor
▪ Collect, analyze, visualize, and take action based on metric and log data
▪ Keeps you informed about current and upcoming issues on the Azure side.