My notes for preparing to AZ-900 exam. I passed! :)
- Resources consuming on demand as utility e.g. VMs, storage
- Delivery of computing services over the Internet
- No need to maintain own infrastructure
- Faster innovation
- Rapid elasticity (flexible resources)
- Pay-as-you-need
- Reliability
- Economies of scale
- Infrastructure as a service: pay-as-you-go, infrastructure building (renting servers, VMs, storage, networks)
- Platform as a service: environment for building, testing and deploying software applications, without focus on managing underlying infrastructure
- Software as a service: users connect to and use cloud-based apps over the Internet
- IaaS: test and development, storage and backups, high performance computing, big data analysis
- PaaS: analytics, business intelligence, development framework
- SaaS: access to sophisticated applications
- Public Cloud: hardware shared between clients, Azure, Office 365
- Private Cloud: Azure Stack, looks like data center model, hardware used by a single company (company responsible), no access to users outside of the organization
- Hybrid Cloud (public + private w/ orchestration): Azure Stack
- Community Cloud: governments, Azure Government, Germany, China
- 160+ Azure data centers around the world
- 150+ edge locations: smaller data centers, caching (Azure CDN)
- Organized into regions: multiple data centers within regions to help with failover (fault tolerance) and high availability
- Economy of scale: no costs related to hardware and infrastructure management
- Datacenter security
- You don't know the specific locations of each data center
- Access control: prior approval and justification
- Physical security, security guards, biometric identification
- Complies with standards and regulations: ISO 27001, HIPAA, FedRamp, SOC 1&2
- Region-specific standards: Australia, UK
- Virtual security: data encryption, separate from data of other customers
- Redundancy: data stored three times within the data center, possible to expand to other data centers (disaster recovery)
- Security professionals dedicated to keep customer data and applications safe
- Energy efficiency
- Data centers are carbon neutral since 2012
- Renewable energy certificates
- 100% renewable energy by 2025
- Solar, wind and hydropower
- Research and experimenting
- Choices affect performance and availability of data: high availability and disaster recovery
- Not all services are available in all regions
- Some services do not require specific region
- Regions may have regulatory and compliance rules: data residency
- Azure Geographies: contains one or more regions
- Used to meet data residency and compliance requirements
- Single country or set of countries
- Availability Sets: keep applications online during maintenance or hardware failure
- Update domains (UD): scheduled maintenance, performance or security updates are sequenced through update domains
- Fault domains (FD): physical separation of workloads across different hardware in a datacenter
- Availability Zones: unique physical locations within a single region
- One or more data centers equipped with independent power, cooling and networking
- Not available in every region: some regions may contain one data center only. When availability zones are available, there's a minimum of three separate zones
- Some services may replicate data between availability zones automatically
- Connected through private fiber-optic networks
- Region Pairs: data centers located 300+ miles, main goal to reduce impact on availability
- Configuration of automatic replication and failover for some services
- High availability: service updates for one region at one time
- Outage recover prioritization: at least one region in each pair will be prioritized for disaster recovery
- Updates rolled out sequentially to minimize downtime
- Resource: manageable item (VMs, storage, web apps, databases)
- Container that holds related resources: set of resources that share the same lifecycle
- Deploy, update and delete resources together
- It's possible moving individual resources between resource groups
- Resources can be in a single resource group only
- Resources in a resource group can communicate with resources in other resource groups
- Resources can be in different regions
- Resource group can be created in a different region than the resources in the group
- If a resource needs to exist on a different deployment cycle, it should be in another resource group
- Security controls for administrative actions: roles in the team do not have full control to every resource
- Can export infrastructure-as-code using resource manager templates
- Azure Resource Manager: management layer tha enables creation, update and deletion of resourcesn in a Azure subscription
- Accessed by many tools such as Azure Portal, Azure PowerShell, Azure CLI, REST interfaces
- Accessed by many tools such as Azure Portal, Azure PowerShell, Azure CLI, REST interfaces
- Azure Subscription: authenticated and authorized access to Azure accounts
- Billing boundary: separate billing reports and invoices for each subscription
- Access control boundary: manage and control access to resources that users can provision with specific subscriptions
- Azure Resource Manager: management layer tha enables creation, update and deletion of resourcesn in a Azure subscription
- Tools for managing resources (Azure Management/Monitoring Tools)
- Azure CLI Interface
- Resource Manager Templates
- Infrastructure as code: script out repeatable deployments of servers and application infrastructure
- CI/CD pipelines (Azure Pipelines, GitHub, PowerShell, Azure CLI, Azure Portal)
- .json files that defines infrastructure and configuration for Azure resources
- Create and deploy Azure infrastructure without having to write programming commands
- Azure Service Health
- Global view of health of Azure across regions
- Azure Status
- Service issues, planned maintenance
- Health advisories: features or services getting deprecated
- Security advisories: notifications or violations that may affect availability of services
- Resource health: service specific information -> if any issues, information on actions to be taken by Microsoft
- Health alerts: to be notified when there are any changes to services or status of resources. It’s possible to filter what kinds of alerts to receive, for which event type, services and/or regions. Sent to action groups
- Action groups: group to include people to be notified on health alerts via email/sms/push/voice
- Azure Monitor: collecting and analyzing telemetry from Azure services
- Can monitor on-prem resources
- Collects metrics from azure resources (single resources only)
- Different metrics depending on type of resource
- Maximize availability and performance of applications
- Application Insights, Log Analytics, Smart Alerts, Automation Alerts, Customized Dashboards
- Azure Mobile App
- Useful for health and status monitoring for Azure resources
- Diagnose and fix issues
- Run commands via Cloud Shell
- Possible to watch resources
- Azure Advisor: how to optimize Azure for security best practices, cost savings, reliability, operational excellence and performance
- Recommendations
- Possible to create alerts depending on category and impact
- Azure PowerShell
- Azure Cloud Shell
- Azure REST API
- Azure Portal
- Easy to provision new computing resources, like disks, processors, memory, networking and operating systems
- Pay as you use
- No need to manage infrastructure with PaaS options
- Scale depending on workloads
- Not only cost savings compared to on-prem, but in terms of ease of development, deployment and hosting
- Azure Virtual Machines: IaaS
- Full control over OS
- Maintain and patch VM image
- When creating a VM: type of image, size of VM (RAM, processors), availability options
- Lots of preconfigured images and purpose (Azure Marketplace: applications/services created by Microsoft or technology partners)
- Shut down to save costs: manually or on a schedule
- Enables hybrid cloud: extend on-prem
- Administrative model: role-based, permissions
- Lift-and-shift migration: on-prem VMs migration to the cloud -> Azure Site Recovery, Azure Migrate (assess the compatibility of on-prem VMs and databases
- Possibility to change disk size, enable auto-shutdown, configure backup
- Tools to support troubleshooting VM problems (e.g. boot problems)
- Connect to the machine remotely via RDP, SSH or Bastion
- Virtual Machine Scale Set: multiple VMs at once with configured load balancing
- Number of VMs can be configured to increase or decrease depending on load or schedule
- Spread VMs across fault domains and update domains
- No additional charge for scale set: pay for underlying resources (VMs, load balancer, disk storage)
- Azure Batch: pool of VMs to do large-scale high performance computing jobs in parallel
- Azure Containers: reduction of costs and improve agility by simplifying processes and reducing friction when releasing/shipping applications
- Azure Container Instances: deploy containers without maintaining or patching environments
- Smaller applications: simple web apps, smaller devtest scenarios, small-scale batch processing
- Single container instance per container (low availability, limited scalability)
- Azure Kubernetes Service: more complex architectures with greater control around deploying and managing health and performance of containers
- Container management system
- Scale out container-based applications
- Monitoring and deploying containers
- Possibility to leverage VM Scale Sets
- Connect with Azure Container Registry: pull container images and build containers from those images
- Connect with Azure Monitor: monitoring performance and health of the cluster
- Azure App Service
- Azure Container Instances: deploy containers without maintaining or patching environments
- Azure App Service: PaaS, no need to manage infrastructure
- Similar to traditional web hosting: frameworks already installed on servers
- Handles management and patching of the web servers
- Hosts web applications, REST APIs, back-end for mobile applications, containers, WebJobs (continuously/on-schedule) -> executable files, scripts
- Azure App Service Plans: defines size of the underlying infrastructure (VMs Azure-managed, limited access) like CPU, RAM and storage -> pricing tier
- Access to different features depending on the pricing tier
- Azure Serverless Computing: build applications without managing any underlying infrastructure
- Focus on code and business logic
- Azure Functions: run small blocks of code
- Initiated by triggers, timer event
- Based on events
- Azure Logic Apps: configure/design workflows in the cloud
- No need to write code, but it's possible to call Azure Functions if needed
- Initiated by triggers
- Large library of connectors (e.g. SharePoint, Azure Storage, Zendesk, SAP, Outlook)
- Azure Event Grid: build applications that respond to events (event-based architecture e.g publish/subscribe)
- Connects data sources and event handlers
- Possibility to create events subscription, automation
- Azure Containers: reduction of costs and improve agility by simplifying processes and reducing friction when releasing/shipping applications
- Networking
- Virtual network
- Load balancers
- Application Gateway
- SSL Termination
- Autoscaling
- Session Affinity
- HTTP Header Rewriting
- Advanced Routing
- Web Application Firewall
- Application Gateway
- Hybrid Cloud
- ExpressRoute: connect on-prem servers directly to Microsoft data centers
- Increased speed and encryption options -> increased cost
- Made for big corporate clients with major security requirements
- Pricing may be under metered data (per GB) or unlimited data (monthly fee)
- Bandwidth up to 10Gbps (100Gbps if using ExpressRoute Direct)
- Also provides redundancy
- ExpressRoute: connect on-prem servers directly to Microsoft data centers
- Windows Virtual Desktop - Full desktop for users - Apps running remotely - Similar to Remote Desktop Services (RDS) - Fully managed solution in the cloud - Possibility to use a single VM for multiple users: each user's data persisted on a separate disk - Possibility to scale in and/or out depending on needs (pay as you go) - Possibility of using pre-built images on Azure Marketplace or own prebuilt custom images - Authentication: Azure Active Directory, Azure multi-factor authentication - Support for most Windows Server versions and 10, 7
- Azure CDN: distributed network of servers to store cached data, in order to minimize latency to global users and offloading traffic from source web
- Mostly static data e.g. images, fonts, videos, HTML pages, client-side scripts, etc.
- Can connect to multiple Azure services
- Dynamic Site Acceleration: deliver content faster
- Virtual network
- Benefits
- Automated backup and recovery
- Replication across the world
- Encryption options
- Security and platform integration
- Development features and support
- SQL Server on VMs
- Full control over SQL Server
- Provision VMs from Azure Marketplace
- Pay as you go pricing - no licensing fees
- Automated updates scheduling
- Managed backup to Microsoft Azure
- Azure SQL Database: fully managed platform-as-a-service
- Always running the latest version of SQL Server
- Flexible pricing model: number of virtual cores, DTUs (database transaction units: CPU + memory + data throughput)
- Flexible deployment options: single database, elastic pool (collection of databases with shared set of resources)
- Automatic scaling
- Service tiers for different workloads: common workloads, high transaction rates, very large transactional
- Some built-in functions are not available, but majority of features is available
- Azure SQL Managed Instance
- Broadest set of SQL Server capabilities
- Benefits of managed platform
- Deploy VM onto VNET
- Lift-and-shift on-prem databases with minimal changes into an isolated environment
- Automatic patching and version updates, automated backups, high availability
- Azure Database for MySQL: platform-as-a-service
- Open-source tools and platform compatibility
- MySQL Community Edition
- Pay as you go pricing
- High availability
- Dynamic scalability
- Encryption
- Automated patching and backup
- Azure Database for PostgreSQL: platform-as-a-service
- Supports complex data structures
- Geometric data types
- Extensions for GIS
- Managed database features (same as Azure Database for MySQL)
- Deployment models: single server and Hyperscale Citus (faster response time, good performance for huge datasets 100GB+)
- Other databases can be used under VMs (some images available on Azure Marketplace)
- Azure Cosmos DB: globally distributed, multi-modal database
- Fast response times
- Ability to scale up and down rapidly and globally: different regions
- Backed by SSD storage
- Consistency options: ensure distributed data is updated
- Flexible: APIs, not one-size-fits-all
- Azure Storage Accounts
- Azure Blob Storage: unstructured data e.g. files and documents
- Blob snapshots
- Blob leases: prevent other people to make changes
- Soft delete: recycle bin
- Static website hosting
- CDN integration
- Azure Search integration
- Cost factors: storage cost vs transaction cost
- Azure File Storage
- SMB protocol (port 445)
- Can be attached to VMs like a network drive
- File share with drive letter e.g. H:\
- Good for migration scenarios
- Files accessible through REST interface with mechanisms for restricting access
- Can be mounted concurrently by cloud or on-prem servers
- Can be cached on Windows servers using Azure File Sync for fast access
- Possibility to tier files based on how they're used
- Azure Disk Storage: VMs disks
- Azure Table Storage: structured date in form of NoSQL non-relational data (similar to CosmosDB)
- Azure Queue Storage: store and retrieve messages
- Azure Blob Storage: unstructured data e.g. files and documents
- Data Access Authorization
- Role-based access control in Azure Active Directory
- Storage account keys
- Shared Access Signatures
- Security token string
- Scope access to particular services, containers or folders
- Start and end validity period
- May contain permissions
- Programatic access to storage accounts
- REST APIs
- SDKs for many languages
- PowerShell
- Azure CLI
- Azure Storage Explorer
- AzCopy (CLI tool)
- Transferring data to Azure
- Azure Database Migration Service
- Internet of Things
- Azure IoT Central: fully managed global IoT SaaS solution that makes it easy to connect, monitor and manage IoT assets at scale
- Azure IoT Hub: managed service hosted in the cloud, act as a central message hub for bi-directional communication between IoT applications and devices
- Azure Sphere: secured, high-level application platform with built-in communication and security features for internet-connected devices
- Big Data & Analytics
- Azure Synapse Analytics: cloud-based enterprise data warehouse
- Azure HDInsight: fully managed, open-source analytics service for enterprises
- Azure Databricks: Apache Spark based analytics service
- Artificial Intelligence & Machine Learning
- Azure Machine Learning: cloud-based to develop, train and deploy machine learning models
- Azure Cognitive Services: quickly enable apps to see, hear, speak, understand and interpret user's needs
- Azure Bot Service: develop intelligent, enterprise-grade bots
- Azure DevOps: development collaboration tools including pipelines, Kanban boards and automated cloud-based load testing
- GitHub: software development hosting with version control, source code management and bug/task management
- GitHub Actions for Azure: automate software workflow to build, test and deploy from within GitHub
- Azure DevTest Labs: quickly create environments in Azure while minimizing waste and controlling cost
- Azure Security Center: monitoring service that provides threat protection across both Azure and on-prem datacenters
- Security recommendations, detect and block malware, analyze and identify potential attacks
- Capabilities:
- Azure Sentinel: security information management (SIEM) and security automated response (SOAR) solution that provides security analytics and threat intelligence across an enterprise
- Integrations with Office 365, Azure Active Directory, Microsoft Cloud App Security, Advanced Threat Protection
- Key Vault: stores application secrets in a centralized cloud location in order to securely control access permissions and access logging
- Secrets management
- Key management
- Certificate management
- Access policies
- Azure Dedicated Hosts: physical servers that host one or more Azure virtual machines that is dedicated to a single organization's workload
- Hardware isolation at server level
- Control over maintenance event timer
- Aligned with Azure Hybrid Use Benefits
- Defense in depth
- Layered approach to securing computer systems
- Multiple levels of protection
- Shared concern between cloud providers and customers
- Combine network security solutions (e.g. NSGs with Azure Firewall, perimeter layer with DDoS protection and Firewall, networking layer with NSG)
- Network Security Groups (NSG)
- Azure Firewall
- Azure DDoS protection
- Authentication and authorization
- Multi-Factor Authentication: additional security requiring two or more elements for full authentication (something you now, possess and/or are)
- Azure Active Directory
- Condition access
- Role based access control (RBAC)
- Fine grained access management
- Segregate duties within the team and grant only amount of access to users that need to perform their jobs
- Access to Azure portal and access control to resources
- Resource locks
- Tags
- Metadata for Azure resources
- Logically organizes resources into a taxonomy
- Consists of name-value pair
- Very useful for rolling up billing information
- Management Groups
- Azure Policy
- Azure Blueprints
- Cloud Adoption Framework for Azure
- Microsoft core tenants of Security, Privacy and Compliance
- Compliance Terms and Requirements
- Microsoft Privacy Statement
- Online Services Terms and Data Protection Addendum
- Trust Center
- Azure Compliance Documentation
- Azure Sovereign Regions
-
Factors that affect costs
-
Factors that reduce costs
-
Pricing calculator
-
Total Cost of Ownership Calculator
-
Azure Cost Management
-
Minimizing costs
