Az 900
Vijay Saini
Course Structure
Microsoft Azure Fundamentals
Core Azure Identity services
✓ This exam measures your ability to understand the following concepts: cloud concepts; core
Azure services; security, privacy, compliance, and trust; and Azure pricing and support.
Importance of AZ-900 Exam
Build Team:
Which resource group do you want me to deploy the database server to?
Planning team:
Why are Azure resources not tagged properly? This is impacting their cost calculation
for the quarter.
Sales team:
Use the latest version of the image and build us an environment to demonstrate our
product to the customer. Don’t forget to create a guest user account for the customer in Azure AD.
Course Structure
▪ More Theory
• https://docs.microsoft.com/en-in/azure
Thank You
Section 1 : Understand Cloud Concepts
What is Cloud
Why Cloud
Cloud Deployment Models
Computing:
The process of utilizing computer technology to complete a task. Computing may
involve computer hardware and/or software, but must involve some form of a computer system.
Virtualization:
In computing, virtualization means to create a virtual version of a device or resource, such as a server,
storage device, network or even an operating system.
What is Cloud Computing
Microsoft Says:
Cloud computing is the delivery of computing services including servers,
storage, databases, networking, software, analytics, intelligence and more over
the Internet (“the cloud”) to offer faster innovation, flexible resources and
economies of scale.
AWS says:
Cloud computing is the on-demand delivery of compute power, database
storage, applications, and other IT resources through a cloud services platform via
the internet with pay-as-you-go pricing.
NIST Definition:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of five essential characteristics, three service models, and four deployment
models.
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Cloud Computing
As per NIST, Essential Characteristics of Cloud Computing:
✓ On-demand self-service
✓ Broad network access
✓ Resource pooling
✓ Rapid elasticity
✓ Measured service
As per NIST, Cloud Computing
✓ Hybrid cloud
Advantages of cloud
❑ Cost
❑ Agility
❑ Service Quality
❑ High Availability
❑ Disaster recovery
❑ Ease of Management
CapEx vs OpEx
Capital Expense (CapEx)
It is the spending of money on physical infrastructure up front to create a benefit in the long term.
Example: Server costs, Storage costs, Network costs, Backup and archive costs,
Operational Expense (OpEx)
It is an expense required for the day-to-day functioning of a business. OpEx is spending money on services or products
now and being billed for them now. There's no upfront cost.
❑ Operating expenses and capital expenses are treated quite differently for accounting and tax purposes.
Should I own a house or rent it?
Should I go for purchasing hardware or lease it in cloud?
Azure Data Center
Economies of scale
at a larger scale
Disadvantages of cloud
B.) Elasticity
Answer: B
Cloud Deployment Models
A cloud deployment model defines where your data is stored and how your customers interact
with it – how do they get to it, and where do the applications run?
➢ Private cloud
➢ Public cloud
➢ Hybrid cloud
➢ Community Cloud
Private Cloud
✓ Services offered over the Internet or over a private internal network to only select users, not
the general public. It is a cloud-based infrastructure used by stand-alone organizations.
✓ A private cloud hosting solution resides on the company’s intranet or a hosted data center where all
of your data is protected behind a firewall.
✓ Private clouds are perfect for organizations that have high-security requirements, high
management demands, and availability requirements.
Public Cloud
✓ Services offered over the public Internet and available to anyone who wants to purchase them.
✓ Infrastructure is shared by multiple businesses and owned and operated by a service provider,
offering fast provisioning.
✓ The cloud resources are owned and operated by a third-party cloud service provider and
delivered over the Internet. Microsoft Azure is an example of a public cloud.
Hybrid Cloud
✓ Often called “the best of both worlds”, hybrid clouds combine on-premises infrastructure, or
private clouds, with public clouds so organizations can reap the advantages of both.
✓ Connect dedicated servers, private and public clouds to tap the power of each and run
Community Cloud
✓ It is a mutually shared model between organizations that belong to a particular community
such as banks, government organizations, or commercial enterprises.
❑ User Experience
❑ Security
❑ Responsibilities
Test your Knowledge
Question 1.) Suppose you have two types of applications: legacy applications that require
specialized mainframe hardware and newer applications that can run on commodity hardware.
Which cloud deployment model would be best for you?
A.) Public cloud
B.) Private cloud
C.) Hybrid cloud
Answer: C
Explanation: Hybrid cloud gives the benefit of both private cloud (which you need for running your legacy
applications) and public cloud (which you can use for running your newer applications).
Test your Knowledge: Understanding Cloud Concepts
Question 2.) Which cloud model provides the greatest degree of ownership and control?
A.) Public
B.) Private
C.) Hybrid
Answer: B
Explanation: The private cloud model is the correct answer. Both public and hybrid clouds have an
infrastructure that is managed by another party. As such, there is less control over the
infrastructure.
Types of Cloud Services
The cloud computing service provider, such as Azure or AWS, manages the infrastructure, while
you purchase, install, configure, and manage your own software—operating systems,
middleware, and applications.
Software as a Service
SaaS providers provide fully functional web-based applications on demand to customers. The
applications are mainly targeted at business users and can include web conferencing, ERP,
CRM, email, time management, and project tracking, among others.
Users connect to the applications through the Internet on a
subscription basis.
Answer: B
In the PaaS model, the user only has to worry about the application and data; other management
responsibilities are with the cloud service provider.
Test your Knowledge : Understanding Cloud Concepts
Question 2: You are an IT company providing a supply chain software solution which is a
multi-tier application and has a very complex architecture. You want to be able to quickly
migrate your solution to the public cloud. Which service model is ideal for your needs?
A.) SaaS
B.) PaaS
C.) IaaS
Answer: C
Explanation: IaaS provides the maximum flexibility and control of the service models, letting you
deploy your application quickly (lift-and-shift migration).
Cloud computing summary
Cloud computing provides a modern alternative to the traditional on-premises
datacenter. Public cloud vendors provide and manage all computing infrastructure
and the underlying management software.
These vendors provide a wide variety of cloud services. A cloud service in this case
might be a virtual machine, a web server, or cloud-hosted database engine. As a
cloud provider customer, you lease these cloud services on an as-needed basis.
In doing so, you convert the capital expense of hardware maintenance into an
operational expense.
Section 2 : Understand core Azure services
Core Azure Architectural Components
Core Products Available in Azure
A region is a geographical area on the planet containing at least one, but potentially
multiple datacenters that are nearby and networked together with a low-latency
network. Azure intelligently assigns and controls the resources within each region to
ensure workloads are appropriately balanced.
Azure Regions
https://azure.microsoft.com/en-in/global-infrastructure/regions/
https://thenextweb.com/microsoft/2018/06/07/microsoft-just-dropped-864-servers-into-the-sea-to-run-an-underwater-data-center/
https://youtu.be/AvvJc4Uw3aA
Azure
Architecture
Availability Zone
Availability Zones is a high-availability offering that protects your applications and data from datacenter
failures.
To ensure resiliency, there’s a minimum of three separate zones in all enabled regions. The physical separation of
Availability Zones within a region protects applications and data from datacenter failures.
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
Availability Zone
✓ Availability Zones are physically separate datacenters within an Azure region.
The resource group can include all the resources for the solution, or only resources that
you want to manage as a group.
Resource
A manageable item that is available through Azure.
Virtual machines, storage accounts, web apps, databases, and virtual networks are
examples of resources.
Azure Resource Manager (ARM)
It provides a management layer that enables you to create, update, and delete resources in your Azure
subscription.
Test your Knowledge : Understand core Azure services
Q1. Deploying an app can be done directly to what level of physical granularity?
A.) Region
B.) Datacenter
C.) Server rack
Answer: A
Test your Knowledge : Understand core Azure services
Q2. To use Azure datacenters that are made available with power, cooling, and
networking capabilities independent from other datacenters in a region, choose a
region that supports _________?
Answer: C
Test your Knowledge : Understand core Azure services
Q3. Application availability refers to what?
A.) The service level agreement of the associated resource.
B.) Application support for an availability zone.
C.) The overall time that a system is functional and working.
Answer: C
Azure Compute Services
Services for hosting and running application workload
[Diagram: Application/Batch/File Server; Database Server]
Virtual Network
An Azure Virtual Network (VNet) is a representation of your own network in
the cloud.
You can use VNets to provision and manage virtual private networks (VPNs)
A Simple Application Architecture - VNET
[Diagram: Virtual Network; Application/Batch/File Server; Database Server]
A Simple Application Architecture - Multiple Web Servers
[Diagram: Virtual Network; Application/Batch/File Server]
Azure Load Balancer is a layer 4 load balancer that distributes incoming traffic among healthy
virtual machine instances. The load balancer uses a hash-based distribution algorithm.
A Simple Application - VPN Gateway
[Diagram labels: Virtual Network 1; Virtual Network 2; End users; Internet; Load Balancer; Web Servers; Application/Batch/File Server; Database Server; VPN Gateway]
VPN Gateway
• A VPN gateway is a specific type of virtual network gateway that is used to send encrypted
traffic between an Azure virtual network and an on-premises location over the public
Internet.
• You can also use a VPN gateway to send encrypted traffic between Azure virtual networks
over the Microsoft network.
Types of data
▪ Structured Data
▪ Semi-structured Data
▪ Unstructured Data
Structured Data
Structured data is data that adheres to a schema, so all of the data has the same fields or properties.
Example: A database table
Semi-structured Data
Semi-structured data doesn't fit neatly into tables, rows, and columns. Instead, semi-structured data
uses tags or keys that organize and provide a hierarchy for the data.
Example: JSON file, XML file
Unstructured Data
Unstructured data encompasses data that has no designated structure to it. This lack of structure also
means that there are no restrictions on the kinds of data it can hold.
Example: email, video file, pdf
Example
Structured data
Semi-Structured data
Un-Structured data
Azure Data Services
Azure SQL Database
Azure SQL Database is a relational database as a service (DaaS) based on the latest stable version of the
Microsoft SQL Server database engine.
Azure Cosmos DB
Azure Cosmos DB is a globally distributed database service. It supports schema-less data that lets you
build highly responsive and Always On applications to support constantly changing data.
You can use it to build data-driven applications and websites in the programming language of your choice
without needing to manage infrastructure.
Azure Storage Services
Services for storing and managing Unstructured data:
❑ Blob Storage
❑ Disk Storage
❑ File Storage
❑ Archive Storage
Blob Storage
✓ Azure Blob Storage is a service for storing large amounts of unstructured object
data, such as text or binary data.
✓ You can use Blob Storage to expose data publicly to the world, or to store
application data privately.
File Storage
✓ Azure Files offers fully managed file shares in the cloud that are accessible via the
industry standard Server Message Block (SMB) protocol.
✓ Azure file shares can be mounted concurrently by any number of cloud or on-premises
VMs running Windows, Linux, and macOS at the same time.
✓ Typical usage scenarios would be to share files anywhere in the world, diagnostic
data, or application data sharing.
Disk Storage
✓ Disk storage provides disks for virtual machines, applications, and other services
to access and use as they need.
✓ Lift and shift of applications that read and write data to persistent disks.
Archive Storage
Optimized for storing data that is rarely accessed and stored for at least 180 days
with flexible latency requirements
Azure Data Services
A.) To ensure you run on a specific brand of hardware, which will let you form a
marketing partnership with that hardware vendor.
B.) The Azure pay-as-you-go billing model lets you avoid buying expensive hardware.
C.) To get exact control over the location of your data store.
Answer: B
Test Your Knowledge
Q2.) Which of the following situations would yield the most benefits from relocating an
on-premises data store to Azure?
A.) Unpredictable storage demand that increases and decreases multiple times
throughout the year.
B.) Long-term, steady growth in storage demand.
C.) Consistent, unchanging storage demand.
Answer: A
Test Your Knowledge
Q3.) A newly released mobile app using Azure data storage has just been mentioned by
a celebrity on social media, seeing a huge spike in user volume. To meet the unexpected
new user demand, what feature of pay-as-you-go storage will be most beneficial?
Answer: A
Test Your Knowledge
Q4.) You plan to map a network drive from several computers that run Windows 10 to Azure Storage. You need to
create a storage solution in Azure for the planned mapped drive. What should you create?
A.) An Azure SQL database
B.) Virtual machine data disk
C.) Files service in a storage account
D.) Blobs service in a storage account
Answer: C
An Azure SQL database cannot be mapped to a VM. A virtual machine data disk can be used by only one VM at a time;
it cannot be used as a shared resource. Blob storage cannot be mapped/mounted to a VM. Hence the Files service
in a storage account is the best solution for mapping a network drive from several computers.
Azure management tools
▪ Azure Portal
▪ Azure PowerShell
▪ Azure CLI
▪ Azure Advisor
Important Tips:
✓ Azure PowerShell and Azure CLI are cross-platform, so you can use them
on Windows, Linux and macOS without any problem.
✓ Azure Portal supports all modern browsers and is not dependent on any OS.
performance, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment
Q2.) An Azure administrator plans to run a PowerShell script that creates Azure resources. The administrator is running
the script from a computer that runs macOS and has PowerShell Core 6.0 installed.
Does this meet the goal?
A. Yes B. No
Answer: False. Azure Advisor only gives recommendations; implementing them is left to you.
SECURING NETWORK CONNECTIVITY
CORE AZURE IDENTITY SERVICES
SECURITY TOOLS & FEATURES
AZURE GOVERNANCE METHODOLOGIES
The wall that surrounds the ancient fort of Kumbhalgarh is one of the best-kept secrets in India, and perhaps the
world. Protecting a massive fort that contains over 300 ancient temples, the wall was constructed half a
millennium ago in tandem with Kumbhalgarh Fort itself.
Azure Network Security Groups (NSG)
An NSG contains a list of security rules that allow or deny network traffic to resources connected to
Azure Virtual Networks (VNet).
[Diagram: Port 80; Application/Batch/File Server; Database Server]
Azure Application Security Groups (ASG)
Azure Firewall
It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
DDoS Attack
Distributed denial-of-service (DDoS) attack
Azure DDoS Protection
Azure DDoS Protection, combined with application design best practices, provides defense against DDoS attacks such
as volumetric attacks, protocol attacks, and resource (application) layer attacks.
Available in 2 tiers:
Basic:
Automatically enabled as part of the Azure platform. Always-on traffic monitoring, and real-time
mitigation of common network-level attacks, provide the same defenses utilized by Microsoft’s online
services.
Standard:
Provides additional mitigation capabilities over the Basic service tier that are tuned specifically
to Azure Virtual Network resources.
https://azure.microsoft.com/en-au/blog/azure-ddos-protection-service-preview/
Shared Responsibility Model
Authentication and Authorization
Authentication
Authentication is the process of establishing the identity of a person or service looking to access
a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for
creating a security principal for identity and access control use. It establishes if they are who they say they
are.
Authorization
Authorization is the process of establishing what level of access an authenticated person or service
has. It specifies what data they're allowed to access and what they can do with it.
Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access
management service, which helps your employees sign in and access resources in:
External resources, such as Microsoft Office 365, the Azure portal, and thousands of
other SaaS applications.
Internal resources, such as apps on your corporate network and intranet, along with any
cloud apps developed by your own organization.
Azure AD provides services such as:
▪ Authentication
▪ Single-Sign-On
▪ Application management
▪ Device Management
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication (MFA) provides additional security for your identities
by requiring two or more elements for full authentication
Azure Security Center
Azure Security Center is a monitoring service that provides threat protection across all
of your services both in Azure, and on-premises.
✓ Continuously monitor all your services, and perform automatic security assessments
Free
Limited to assessments and recommendations of Azure resources only
Standard
Full suite of security-related services including continuous monitoring, threat detection,
just-in-time access control for ports, and more.
Azure Security Center -Usage scenarios
1.) Use Security Center for incident response
▪ Azure Policies
▪ Initiatives
▪ Lock
▪ Azure Blueprints
Azure Policy
Azure Policy is an Azure service you use to create, assign, and manage policies. These
policies enforce different rules and effects over your resources so that those resources stay
compliant with your corporate standards and service level agreements.
Policy effects
Requests to create or update a resource through Azure Resource Manager are evaluated by
Azure Policy first. Policy creates a list of all assignments that apply to the resource and then
evaluates the resource against each definition.
Initiatives
An initiative definition is a set or group of policy definitions to help track your compliance
state for a larger goal.
Even if you have a single policy, it is recommended to use initiatives if you anticipate
increasing the number of policies over time.
Role-based access control (RBAC)
Examples of when you might use RBAC include when you want to:
▪ Allow one user to manage VMs in a subscription, and another user to manage VNets.
▪ Allow a database administrator (DBA) group to manage SQL databases in a subscription.
▪ Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
▪ Allow an application to access all resources in a resource group.
Locks
Locks help you prevent accidental deletion or modification of your Azure resources.
You may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources.
Azure Blueprints enables cloud architects and central information technology groups to
define a repeatable set of Azure resources that implements and adheres to an organization's
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
Azure Monitor
Azure Monitor maximizes the availability and performance of your applications by delivering
a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud
and on-premises environments.
It helps you understand how your applications are performing and proactively identifies
issues affecting them and the resources they depend on.
Azure Service Health
▪ Azure Service Health is a suite of experiences that provide personalized guidance and
support when issues with Azure services affect you.
▪ It can notify you, help you understand the impact of issues, and keep you updated as the
issue is resolved.
▪ Azure Service Health can also help you prepare for planned maintenance and changes
that could affect the availability of your resources.
Azure Status
Provides a global view of the health state of Azure services.
Service Health
Customizable dashboard that tracks the state of your Azure services.
Resource Health
Diagnose and obtain support when an Azure service issue affects your resources.
Azure Monitor vs Azure Service Health
Section 4 : Understand Azure Pricing and Support
AZURE SUBSCRIPTIONS
PLANNING AND MANAGEMENT OF COSTS
THE SUPPORT OPTIONS AVAILABLE WITH AZURE
AZURE SERVICE LEVEL AGREEMENTS (SLAs)
SERVICE LIFECYCLE IN AZURE
Azure Account
An Azure account is an identity in either Azure AD, or a directory that is trusted by Azure AD,
such as a work or school organization.
Azure Subscriptions
Users and services that access the resources of the subscription first need to authenticate with
Azure AD.
Subscription types
Azure offers free and paid subscription options to suit different needs and requirements. The
most commonly used subscriptions are:
▪ Free
▪ Pay-As-You-Go
▪ Enterprise Agreement
▪ Student
Azure Subscriptions
❑ Access Management
❑ Separate Bill for Each Subscription
Azure Subscriptions
Management Groups
Azure Management Groups are containers for managing access, policies, and compliance across
multiple Azure subscriptions.
Management groups allow you to order your Azure resources hierarchically into collections,
which provides a further level of classification that is above the level of subscriptions.
Object Hierarchy
https://azure.microsoft.com/en-in/support/plans/
Azure Support Options
Every Azure subscription includes free access to the following essential support services:
o Stack Overflow ( https://stackoverflow.com/questions/tagged/azure/ )
The Azure Knowledge Center is a searchable database that contains answers to common
support questions, from a community of Azure experts, developers, customers, and users.
https://azure.microsoft.com/en-in/resources/knowledge-center/
Service Level Agreements (SLAs)
There are three key characteristics of SLAs for Azure products and services:
Performance Targets
Uptime and Connectivity Guarantees
Service credits
Microsoft maintains its commitment to providing customers with high-quality products and
services by adhering to comprehensive operational policies, standards, and practices.
Formal documents called Service-Level Agreements (SLAs) capture the specific terms that
define the performance standards that apply to Azure.
Composite SLAs
COMPOSITE SLA
= 99.95 percent × 99.99 percent
= 99.94 percent
#Composite SLA
Either SQL or Queue AND WebApp
SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to
its governing SLA's specification.
For example, customers may have a discount applied to their Azure bill, as compensation for an
under-performing Azure product or service.
Public and Private Preview Features
Private Preview
Feature is available to certain Azure customers for evaluation purposes.
Public Preview
Feature is available to all Azure customers for evaluation purposes.
General Availability (GA)
Once a feature is evaluated and tested successfully, it may be released to customers as part of
Azure's default product, service, or feature set; this means the feature has moved to the General
Availability (GA) stage.