Az 900
Dev AZURE
MODULE 1
Cloud computing is the delivery of computing services over the internet. Computing
services include common IT infrastructure such as virtual machines, storage,
databases, and networking. Cloud services also expand the traditional IT offerings to
include things like Internet of Things (IoT), machine learning (ML), and artificial
intelligence (AI).
Because cloud computing uses the internet to deliver these services, it doesn’t have
to be constrained by physical infrastructure the same way that a traditional
datacenter is. That means if you need to increase your IT infrastructure rapidly, you
don’t have to wait to build a new datacenter—you can use the cloud to rapidly
expand your IT footprint.
With the shared responsibility model, these responsibilities get shared between
the cloud provider and the consumer. Physical security, power, cooling, and network
connectivity are the responsibility of the cloud provider. The consumer isn’t collocated
with the datacenter, so it wouldn’t make sense for the consumer to have any of those
responsibilities. At the same time, the consumer is responsible for the data and
information stored in the cloud. (You wouldn’t want the cloud provider to be able to
read your information.) The consumer is also responsible for access security,
meaning you only give access to those who need it.
If you’re using a cloud SQL database, the cloud provider would be responsible for
maintaining the actual database. However, you’re still responsible for the data that
gets ingested into the database. If you deployed a virtual machine and installed an
SQL database on it, you’d be responsible for database patches and updates, as well
as maintaining the data and information stored in the database.
With an on-premises datacenter, you’re responsible for everything. With cloud
computing, those responsibilities shift. The shared responsibility model is heavily tied
into the cloud service types (covered later in this learning path): infrastructure as a
service (IaaS), platform as a service (PaaS), and software as a service (SaaS). IaaS
places the most responsibility on the consumer, with the cloud provider being
responsible for the basics of physical security, power, and connectivity. On the other
end of the spectrum, SaaS places most of the responsibility with the cloud provider.
PaaS, being a middle ground between IaaS and SaaS, rests somewhere in the
middle and evenly distributes responsibility between the cloud provider and the
consumer.
Define cloud models
Private cloud - on site datacenter / in a dedicated datacenter offsite, potentially even by a third party that has dedicated that datacenter to your company.
Public cloud
Hybrid cloud - services to keep in public cloud and which to deploy to their private cloud infrastructure.
Multi-cloud - in a multi-cloud environment you deal with two (or more) public cloud providers and manage resources and security in both environments. Or maybe you started your cloud journey with one provider and are in the process of migrating to a different provider.
Azure Arc - a set of technologies that helps manage your cloud environment, whether it's a public cloud solely on Azure, a private cloud in your datacenter, a hybrid configuration, or even a multi-cloud environment running on multiple cloud providers at once.
When comparing IT infrastructure models → two types of expenses ⇒ Capital expenditure (CapEx) and operational expenditure (OpEx).
cloud computing→ you don’t pay for the physical infrastructure, the electricity, the
security, or anything else associated with maintaining a datacenter→ BUT you pay
for the IT resources you use.
If you don’t use any IT resources this month, you don’t pay for any IT
resources.
Benefits:
No upfront costs.
No need to purchase and manage costly infrastructure that users might not use
to its fullest potential.
The ability to stop paying for resources that are no longer needed.
In a cloud-based model, you don’t have to worry about getting the resource needs
just right. If you find that you need more virtual machines, you add more. If the
demand drops and you don’t need as many virtual machines, you remove machines
as needed. Either way, you’re only paying for the virtual machines that you use, not
the “extra capacity” that the cloud provider has on hand.
Plan and manage your operating costs.
Cloud computing is a way to rent compute power and storage from someone else’s datacenter. You can treat cloud resources like you would resources in your own datacenter. You’re billed only for what you use.
A service with the 99.9 SLA percentage can be unavailable for only 10 minutes per week or 43.2 minutes per month.
Vertical scaling: add more CPUs or RAM to the virtual machine; if you realized you had over-specified the needs, you could vertically scale down by lowering the CPU or RAM specifications.
Horizontal scaling: deployed resources could be scaled out (either automatically or manually) - you could add additional virtual machines or containers, scaling out. In the same manner, if there was a significant drop in demand, deployed resources could be scaled in (either automatically or manually), scaling in.
Reliability: regions around the world → global scale ⇒ even if one region has a catastrophic event other regions are still up and running. In some cases, your cloud environment itself will automatically shift to a different region for you, with no action needed on your part.
Performance predictability: focuses on predicting the resources needed to deliver a positive experience for your customers. Autoscaling (can deploy additional resources to meet the demand, and then scale back when the demand drops), load balancing (if the traffic is heavily focused on one area → will help redirect some of the overload to less stressed areas), and high availability are just some of the cloud concepts that support performance.
Cost predictability: is focused on predicting or forecasting the cost of the cloud spend. Cloud → you can track your resource use in real time, monitor resources to ensure that you’re using them in the most efficient way, and apply data analytics to find patterns and trends that help better plan resource deployments. By operating in the cloud and using cloud analytics and information → can predict future costs and adjust your resources as needed. Use tools, ex. Total Cost of Ownership (TCO) or Pricing Calculator, to get an estimate.
→ software patches and updates may also automatically be applied, which helps with
both governance and security.
If you want maximum control of security, IaaS provides you with physical
resources → but lets you manage the operating systems and installed software,
including patches and maintenance.
If you want patches and maintenance taken care of automatically, PaaS or SaaS
deployments may be the best cloud strategies for you.
Automatically scale resource deployment.
Using APIs.
Using PowerShell.
IaaS: database and storage configuration.
Scenarios:
Lift-and-shift migration: You’re standing up cloud resources similar to your on-prem datacenter, and then simply moving the things running on-prem to running on the IaaS infrastructure.
Testing and development: You have established configurations for development and test environments that you need to rapidly replicate. You can stand up or shut down the different environments rapidly with an IaaS structure, while maintaining complete control.
PaaS: for operating systems and databases.
Scenarios: Some common scenarios where PaaS might make sense include:
Development framework: PaaS provides a framework that developers can build upon to develop or customize cloud-based applications. Similar to the way you create an Excel macro, PaaS lets developers create applications using built-in software components. Cloud features such as scalability, high-availability, and multi-tenant capability are included, reducing the amount of coding that developers must do.
Analytics or business intelligence: Tools provided as a service with PaaS allow organizations to analyze and mine their data, finding insights and patterns and predicting outcomes to improve forecasting, product design decisions, investment returns, and other business decisions.
SaaS: users that have access. The cloud provider is responsible for physical security of the datacenters, power, network connectivity, and application development and patching.
Scenarios:
Email and messaging.
Business productivity applications.
Finance and expense tracking.
MODULE 2
Describe Azure architecture and services
What is Azure?
Most Azure services are pay as you go: you only pay for the computing time
that you use. If your business needs complete control over your computing
environment, Azure allows you to host virtual machines in the Cloud. You can create
virtual machines from scratch, upload your own virtual hard drive, or choose from an
array of templates that Azure provides. Azure also provides Cloud-based storage,
which allows you to store your application or backup data safely and securely.
Azure's app services provide a scalable hosting platform where developers can
create web-based applications using popular development frameworks. You can
easily deploy, operate, and scale your apps in a fully managed environment. With
Azure Functions, you can create event-driven serverless applications with no coding
required.
Azure Container Instances and Azure Kubernetes Service allow you to deploy
containerized applications with fully managed services. Azure offers a choice of
fully managed relational and in-memory databases, spanning proprietary and open
source engines, and Microsoft's Cosmos DB provides support for several popular
NoSQL APIs.
Be ready for the future: Continuous innovation from Microsoft supports your
development today and your product visions for tomorrow.
Build on your terms: You have choices. With a commitment to open source,
and support for all languages and frameworks, you can build how you want and
deploy where you want.
Operate hybrid seamlessly: On-premises, in the cloud, and at the edge, we'll
meet you where you are. Integrate and manage your environments with tools and
services designed for a hybrid cloud solution.
Trust your cloud: Get security from the ground up, backed by a team of experts,
and proactive compliance trusted by enterprises, governments, and startups.
Azure provides more than 100 services that enable you to do everything from running your existing applications on virtual machines to exploring new software paradigms, such as intelligent bots and mixed reality.
To sign up, you need a phone number, a credit card, and a Microsoft or GitHub
account. The credit card information is used for identity verification only.
A credit ($100 credit and free developer tools) to use in the first 12 months.
Many of the Learn exercises use a technology called the sandbox, which creates a temporary subscription that's added to your Azure account. This temporary subscription allows you to create Azure resources during a Learn module. Learn automatically cleans up the temporary resources for you after you've completed the module. ⇒ However, the sandbox is the preferred method to use because it allows you to create and test Azure resources at no cost to you.
you deploy a resource in Azure, you'll often need to choose the region where you want your resource deployed.
🚨 Some services or virtual machine (VM) features are only available in certain regions, such as specific VM sizes or storage types. There are also some global Azure services that don't require you to select a particular region, such as Azure Active Directory, Azure Traffic Manager, and Azure DNS.
Availability Zones
Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. An availability zone is set up to be an isolation boundary. If one zone goes down, the other continues working. Availability zones are connected through high-speed, private fiber-optic networks.
🚨 To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions. However, not all Azure Regions currently support availability zones.
Zone-redundant services: The platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
Non-regional services: Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
An event could be so large that it impacts multiple availability zones in a single region ⇒ further resilience, Azure has Region Pairs.
Region pairs
Most Azure regions are paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
🚨 Not all Azure services automatically replicate
Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
Data continues to reside within the same geography as its pair (except for Brazil South) for tax- and law-enforcement jurisdiction purposes.
🚨 Most regions are paired in two directions, meaning they are the backup for the region that provides a backup for them (West US and East US back each other up). However, some regions, such as West India and Brazil South, are paired in only one direction. In a one-direction pairing, the Primary region does not provide backup for its secondary region. So, even though West India’s secondary region is South India, South India does not rely on West India. West India's secondary region is South India, but South India's secondary region is Central India. Brazil South is unique because it's paired with a region outside of its geography. Brazil South's secondary region is South Central US. The secondary region of South Central US isn't Brazil South.
Sovereign Regions
Sovereign regions are instances of Azure that are isolated from the main instance of Azure. You may need to use a sovereign region for compliance or legal purposes.
🚨 Azure sovereign regions include:
Resource groups
many resources, a single resource can only be in one resource group at a time. When you move a resource to a new group, it will no longer be associated with the former group. Resource groups can't be nested, meaning you can’t put resource group B inside of resource group A.
When you apply an action to a resource group, that action will apply to all the resources within the resource group. If you delete a resource group, all the resources will be deleted. If you grant or deny access to a resource group, you’ve granted or denied access to all the resources within the resource group.
→ if you’re setting up a temporary dev environment, grouping all the resources together means you can deprovision all of the associated resources at once by deleting the resource group.
→ If you’re provisioning compute resources that will need three different access schemas, it may be best to group resources based on the access schema, and then assign access at the resource group level.
Azure subscriptions
⇒ subscriptions are a unit of management, billing, and scale. Similar to how resource groups are a way to logically organize resources, subscriptions allow you to logically organize your resource groups and facilitate billing.
Billing boundary: billed for using Azure. You can create multiple subscriptions for different types of billing requirements. Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
Access control boundary: Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have different departments to which you apply distinct Azure subscription policies. This billing model allows you to manage and control access to the resources
occurs at the subscription level.
→ manage access, policies, and compliance for those subscriptions ⇒ management groups
You organize subscriptions into containers called management groups and apply governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group, the same way that resource groups inherit settings from subscriptions and resources inherit from resource groups.
Some examples of how you could use management groups might be:
Create a hierarchy that applies a policy. You could limit VM locations to the US West Region in a group called Production. This policy will inherit onto all the subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. This security policy can't be altered by the resource or subscription owner, which allows for improved governance.
Provide user access to multiple subscriptions. By moving multiple subscriptions under a management group, you can create one Azure role-based access control (Azure RBAC) assignment on the management group. Assigning Azure RBAC at the management group level means that all sub-management groups, subscriptions, resource groups, and resources underneath that management group would also inherit those permissions. One assignment on the management group can enable users to have access to everything they need instead of scripting Azure RBAC over different subscriptions.
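Added example, not part of these notes or of Azure itself: a small Python model of the scope hierarchy, showing how one Reader assignment and one allowed-locations policy placed on a management group called Production reach every subscription, resource group and resource beneath it, and why a looser policy added by the subscription owner cannot widen the result. The management groups, subscriptions, resource names, principal and parent map are all constructed.

```python
"""Toy model of Azure scope inheritance for RBAC and policy assignments.

Constructed example for these notes, not Azure's own code. Scope strings
follow the real Azure resource ID layout; the management groups,
subscriptions, resource groups and principals are made up.
"""
from dataclasses import dataclass

MG = "/providers/Microsoft.Management/managementGroups/"

# Management-group membership is a separate relation in Azure, so the toy
# model keeps it in an explicit parent map (constructed hierarchy).
PARENT = {
    MG + "Production": MG + "TenantRoot",
    MG + "Sandbox": MG + "TenantRoot",
    "/subscriptions/sub-prod-1": MG + "Production",
    "/subscriptions/sub-sandbox-1": MG + "Sandbox",
}


def parent(scope):
    """Return the next scope up, or None at the tenant root."""
    if scope in PARENT:
        return PARENT[scope]
    if "/resourceGroups/" in scope:
        sub, rest = scope.split("/resourceGroups/", 1)
        if "/providers/" in rest:          # resource -> its resource group
            return sub + "/resourceGroups/" + rest.split("/providers/", 1)[0]
        return sub                         # resource group -> subscription
    return None


def ancestors(scope):
    """The scope itself and every parent above it, innermost first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent(scope)
    return chain


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class AllowedLocations:
    """Models an 'allowed locations' policy: deny any location not listed."""
    locations: frozenset
    scope: str


def effective_roles(principal, scope, assignments):
    """Roles the principal holds at `scope`, direct or inherited from above."""
    chain = set(ancestors(scope))
    return {a.role for a in assignments
            if a.principal == principal and a.scope in chain}


def location_allowed(scope, location, policies):
    """Every policy assigned at or above `scope` must permit the location,
    so a policy set on the management group cannot be undone lower down."""
    chain = set(ancestors(scope))
    return all(location in p.locations for p in policies if p.scope in chain)


# Constructed assignments: one role and one policy on the Production
# management group, nothing on the subscriptions themselves.
ASSIGNMENTS = [RoleAssignment("alice", "Reader", MG + "Production")]
POLICIES = [AllowedLocations(frozenset({"westus"}), MG + "Production")]
# A subscription owner adding a looser policy below does not widen the result.
OWNER_POLICY = AllowedLocations(frozenset({"westus", "eastus"}),
                                "/subscriptions/sub-prod-1")

VM_PROD = ("/subscriptions/sub-prod-1/resourceGroups/rg-web"
           "/providers/Microsoft.Compute/virtualMachines/vm1")
VM_SANDBOX = ("/subscriptions/sub-sandbox-1/resourceGroups/rg-lab"
              "/providers/Microsoft.Compute/virtualMachines/vm2")

if __name__ == "__main__":
    print(ancestors(VM_PROD))
    print(effective_roles("alice", VM_PROD, ASSIGNMENTS))     # {'Reader'}
    print(effective_roles("alice", VM_SANDBOX, ASSIGNMENTS))  # set()
    print(location_allowed(VM_PROD, "eastus", POLICIES))      # False
    print(location_allowed(VM_PROD, "eastus", POLICIES + [OWNER_POLICY]))  # False
    print(location_allowed(VM_SANDBOX, "eastus", POLICIES))   # True
```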
Azure Virtual Machines (VMs) you can create and use VMs in the cloud. VMs
provide infrastructure as a service (IaaS) in the form of a virtualized server and
can be used in many ways. Just like a physical computer, you can customize all of
the software running on your VM. VMs are an ideal choice when you need:
An Azure VM gives you the flexibility of virtualization without having to buy and
maintain the physical hardware that runs the VM. However, as an IaaS offering, you
still need to configure, update, and maintain the software that runs on the VM.
You can even create or use an already created image to rapidly provision VMs. You
can create and provision a VM in minutes when you select a preconfigured VM
image. An image is a template used to create a VM and may already include an
OS and other software, like development tools or web hosting environments.
You can run single VMs for testing, development, or minor tasks. Or you can
group VMs together to provide high availability, scalability, and redundancy.
Azure can also manage the grouping of VMs for you with features such as scale
sets and availability sets.
Virtual machine scale sets ⇒ let you create and manage a group of identical, load-balanced VMs
resources are being used efficiently.
⇒ virtual machine scale sets: you can build large-scale services for areas such as compute, big data, and container workloads.
Availability sets ⇒ are designed to ensure that VMs stagger updates and have varied
Fault domain: The fault domain groups your VMs by common power source and network switch. By default, an availability set will split your VMs across up to three fault domains. This helps protect against a physical power or networking failure by having VMs in different fault domains (thus being connected to different power and networking resources).
During testing and development. VMs provide a quick and easy way to create
different OS and application configurations. Test and development personnel can
then easily delete the VMs when they no longer need them.
When running applications in the cloud. The ability to run certain applications
in the public cloud as opposed to creating a traditional infrastructure to run them
can provide substantial economic benefits. For example, an application might
need to handle fluctuations in demand. Shutting down VMs when you don't need
them or quickly starting them up to meet a sudden increase in demand means
you pay only for the resources you use.
When extending your datacenter to the cloud: An organization can extend the
capabilities of its own on-premises network by creating a virtual network in Azure
and adding VMs to that virtual network. Applications like SharePoint can then run
on an Azure VM instead of running locally. This arrangement makes it easier or
less expensive to deploy than in an on-premises environment.
🚨 VMs are also an excellent choice when you move from a physical server to
the cloud (also known as lift and shift). You can create an image of the
physical server and host it within a VM with little or no changes. Just like a
physical on-premises server, you must maintain the VM: you’re responsible
for maintaining the installed OS and software.
When you provision a VM, you’ll also have the chance to pick the resources that are
associated with that VM, including:
Azure Virtual Desktop is a desktop and application virtualization service that runs on
the cloud. It enables you to use a cloud-hosted version of Windows from any
location. Azure Virtual Desktop works across devices and operating systems, and
works with apps that you can use to access remote desktops or most modern
browsers.
Enhance security
With Azure Virtual Desktop, the data and apps are separated from the local
hardware. The actual desktop and apps are running in the cloud, meaning the
risk of confidential data being left on a personal device is reduced. Additionally, user
sessions are isolated in both single and multi-session environments.
Azure Virtual Desktop lets you use Windows 10 or Windows 11 Enterprise
multi-session, the only Windows client-based operating system that enables
multiple concurrent users on a single VM. Azure Virtual Desktop also provides a
more consistent experience with broader application support compared to Windows
Server-based operating systems.
Describe Azure Containers
If you want to run multiple instances of an application on a single host machine,
containers are an excellent choice.
What are containers?
The decision of whether to use a VM or a container depends on how much
flexibility you need.
→If you need to completely control the environment, then you might choose a VM.
→ If not then the portability, performance characteristics, and management
capabilities of containers might be the better choice.
takes to run your code instead of paying for the resources if they're not being
used.
Using Azure Functions is ideal when you're only concerned about the code
running your service and not about the underlying platform or infrastructure.
Functions are commonly used when you need to perform work in response to an
event (often via a REST request), timer, or message from another Azure service, and
when that work can be completed quickly, within seconds or less.
Functions scale automatically based on demand, so they may be a good choice
when demand is variable.
Azure Functions runs your code when it's triggered and automatically deallocates
resources when the function is finished.
Functions can be either stateless or stateful. When they're stateless (the
default), they behave as if they're restarted every time they respond to an event.
When they're stateful (called Durable Functions), a context is passed through the
function to track prior activity.
Describe application hosting options
If you need to host your application on Azure, you might initially turn to a virtual
machine (VM) or containers. Both VMs and containers provide excellent hosting
solutions. VMs give you maximum control of the hosting environment and allow you
to configure it exactly how you want. VMs also may be the most familiar hosting
method if you’re new to the cloud. Containers, with the ability to isolate and
individually manage different aspects of the hosting solution, can also be a robust
and compelling option.
Azure App Service is an HTTP-based service for hosting web applications, REST
APIs, and mobile back ends. It supports multiple languages, including .NET, .NET
Core, Java, Ruby, Node.js, PHP, or Python. It also supports both Windows and Linux
environments.
App Service handles most of the infrastructure decisions you deal with in hosting
web-accessible apps:
Deployment and management are integrated into the platform.
The built-in load balancing and traffic manager provide high availability.
Send push notifications.
Execute custom back-end logic in C# or Node.js.
Internet communications
You can enable incoming connections from the internet by assigning a public IP
address to an Azure resource, or putting the resource behind a public load
balancer.
Virtual networks can connect not only VMs but other Azure resources, such
as the App Service Environment for Power Apps, Azure Kubernetes Service,
and Azure virtual machine scale sets.
→ you can create a network that spans both your local and cloud environments.
There are three mechanisms:
Route tables allow you to define rules about how traffic should be directed.
You can create custom route tables that control how packets are routed
between subnets.
Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure
Route Server, or Azure ExpressRoute to propagate on-premises BGP routes
to Azure virtual networks.
Azure virtual networks enable you to filter traffic between subnets by using the
following approaches:
Network security groups are Azure resources that can contain multiple
inbound and outbound security rules. You can define these rules to allow or
block traffic, based on factors such as source and destination IP address,
port, and protocol.
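Added example, not from these notes or from Microsoft: a small Python model of how a network security group decides a flow from the factors listed above (direction, protocol, source and destination address, port). It reproduces two behaviours that matter when writing rules: rules are checked in priority order (lowest number first) and the first match decides, and when nothing else matches Azure's default rules apply, ending in DenyAllInBound. The rule set, addresses and VNet prefix are constructed, and the VirtualNetwork, AzureLoadBalancer and Internet service tags are simplified.

```python
"""Toy model of how an Azure network security group (NSG) decides a flow.

Constructed example for these notes, not Azure's own code. Rules match on the
factors the notes list (direction, protocol, source/destination address, port).
Two real NSG behaviours are reproduced: rules are checked in priority order
(lowest number first) and the first match decides; when no custom rule matches,
the default rules apply, ending in DenyAllInBound. Addresses and rule names are
made up and the service tags are simplified.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules, 65000+ for the defaults
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR prefix, service tag, or "*"
    source_port: str    # "*", "22", or a range such as "1024-65535"
    destination: str
    destination_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Simplified service tags (constructed): VirtualNetwork is this VNet's address
# space, AzureLoadBalancer the platform health-probe source, Internet the rest.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")

def _addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return addr in AZURE_LB
    if spec == "Internet":
        return not (_addr_matches("VirtualNetwork", ip) or addr in AZURE_LB)
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_matches(rule.source, flow.src_ip)
            and _port_matches(rule.source_port, flow.src_port)
            and _addr_matches(rule.destination, flow.dst_ip)
            and _port_matches(rule.destination_port, flow.dst_port))

# Azure's default inbound rules (real names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

def evaluate(custom_rules, flow):
    """Return (access, rule name) from the first matching rule by priority."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "implicit"  # not reached for inbound: DenyAllInBound matches

# Constructed rule set for a web subnet: HTTPS open to the internet, SSH only
# from an admin range. The admin allow (105) must sit before the deny (110):
# give it 120 instead and the admin SSH flow below is denied.
WEB_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("AllowSshFromAdmins", 105, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22"),
    Rule("DenySshFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "22"),
]

if __name__ == "__main__":
    for f in (Flow("Inbound", "Tcp", "198.51.100.7", 40000, "10.0.1.4", 443),
              Flow("Inbound", "Tcp", "198.51.100.7", 40001, "10.0.1.4", 22),
              Flow("Inbound", "Tcp", "203.0.113.9", 40002, "10.0.1.4", 22),
              Flow("Inbound", "Tcp", "10.0.2.5", 40003, "10.0.1.4", 22),
              Flow("Inbound", "Udp", "198.51.100.7", 40004, "10.0.1.4", 53)):
        print(f.src_ip, f.protocol, f.dst_port, "->", evaluate(WEB_RULES, f))
```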
Connect virtual networks
You can link virtual networks together by using virtual network peering. Peering
allows two virtual networks to connect directly to each other. Network traffic
between peered networks is private, and travels on the Microsoft backbone
network, never entering the public internet. Peering enables resources in each
virtual network to communicate with each other. These virtual networks can be in
separate regions, which allows you to create a global interconnected network
through Azure.
User-defined routes (UDR) allow you to control the routing tables between
subnets within a virtual network or between virtual networks. This allows for
greater control over network traffic flow.
Azure virtual networking supports both public and private endpoints to enable
communication between external or internal resources with other internal resources.
Public endpoints have a public IP address and can be accessed from anywhere
in the world.
Private endpoints exist within a virtual network and have a private IP address
from within the address space of that virtual network.
All data transfer is encrypted inside a private tunnel as it crosses the internet.
→You can deploy only one VPN gateway in each virtual network.
→You can use one gateway to connect to multiple locations, which includes other
virtual networks or on-premises datacenters.
you specify the VPN type: either policy-based or route-based. The main
difference between these two types of VPNs is how traffic to be encrypted is
specified. In Azure, both types of VPN gateways use a pre-shared key as the
only method of authentication.
Use a route-based VPN gateway if you need any of the following types of
connectivity:
Point-to-site connections
Multisite connections
High-availability scenarios
There are a few ways to maximize the resiliency of your VPN gateway.
Active/standby
By default, VPN gateways are deployed as two instances in an
active/standby configuration, even if you only see one VPN gateway
resource in Azure. When planned maintenance or unplanned disruption
affects the active instance, the standby instance automatically assumes
responsibility for connections without any user intervention. Connections are
interrupted during this failover, but they're typically restored within a few
seconds for planned maintenance and within 90 seconds for unplanned
disruptions.
Active/active
In this configuration, you assign a unique public IP address to each instance.
You then create separate tunnels from the on-premises device to each IP
address. You can extend the high availability by deploying an additional VPN
device on-premises.
Zone-redundant gateways
In regions that support availability zones, VPN gateways and ExpressRoute
gateways can be deployed in a zone-redundant configuration. This
configuration brings resiliency, scalability, and higher availability to virtual
network gateways. Deploying gateways in Azure availability zones physically
and logically separates gateways within a region while protecting your on-
premises network connectivity to Azure from zone-level failures. These
gateways require different gateway SKUs and use Standard public IP
addresses instead of Basic public IP addresses.
ExpressRoute failover
ExpressRoute circuits have resiliency built in. However, they aren't immune
to physical problems that affect the cables delivering connectivity or outages
that affect the complete ExpressRoute location. In high-availability scenarios,
where there's risk associated with an outage of an ExpressRoute circuit, you
can also provision a VPN gateway that uses the internet as an alternative
method of connectivity. In this way, you can ensure there's always a
connection to the virtual networks.
Azure ExpressRoute lets you extend your on-premises networks into the
Microsoft cloud over a private connection, with the help of a connectivity
provider.
→ you can establish connections to Microsoft cloud services, such as
Microsoft Azure and Microsoft 365. Each location would have its own
ExpressRoute circuit.
→ virtual cross-connection through a connectivity provider at a colocation facility.
latencies, and higher security than typical connections over the Internet.
Benefits:
CloudExchange colocation
→ refers to your datacenter, office, or other facility being physically co-located at a cloud exchange, such as an ISP. If your facility is co-located at a cloud exchange, you can request a virtual cross-connect to the Microsoft cloud.
Any-to-any connection
you can integrate your wide area network (WAN) with Azure by
providing connections to your offices and datacenters. Azure
integrates with your WAN connection to provide a connection like
you would have between your datacenter and any branch offices.
Azure DNS leverages the scope and scale of Microsoft Azure to provide numerous
benefits, including:
Security
Azure DNS is based on Azure Resource Manager, which provides features such
as:
Azure role-based access control (Azure RBAC) to control who has
access to specific actions for your organization.
Ease of Use
Azure DNS can manage DNS records for your Azure services and provide DNS
for your external resources as well. Azure DNS is integrated in the Azure portal
and uses the same credentials, support contract, and billing as your other Azure
services.
→it means you can manage your domains and records with the Azure portal,
Azure PowerShell cmdlets, and the cross-platform Azure CLI.
Applications that require automated DNS management can integrate with the
service by using the REST API and SDKs.
Azure DNS also supports private DNS domains. This feature allows you to use
your own custom domain names in your private virtual networks, rather than
being stuck with the Azure-provided names.
Alias records
Azure DNS also supports alias record sets. You can use an alias record set to
refer to an Azure resource, such as an Azure public IP address, an Azure Traffic
Manager profile, or an Azure Content Delivery Network (CDN) endpoint. If the IP
address of the underlying resource changes, the alias record set seamlessly
updates itself during DNS resolution. The alias record set points to the service
instance, and the service instance is associated with an IP address.
🚨 You can't use Azure DNS to buy a domain name. For an annual fee,
you can buy a domain name by using App Service domains or a third-
party domain name registrar. Once purchased, your domains can be
hosted in Azure DNS for record management.
⇒ Core storage services offer a massively scalable object store for data objects,
disk storage for Azure virtual machines, a file system service for the cloud, a
messaging store for reliable messaging, and a NoSQL store.
The Azure Storage platform includes the following data services:
Azure Blobs: A massively scalable object store for text and binary data. Also
includes support for big data analytics through Data Lake Storage Gen2.
Azure Blob Storage is an object storage solution that you can use to store
massive amounts of unstructured data, such as text or binary data. Blob Storage
is ideal for serving images or documents directly to a browser, storing data for
archives or distributed access, streaming video and audio, and disaster recovery
scenarios. Blobs aren't limited to common file formats. A blob could contain
gigabytes of binary data streamed from a scientific instrument, an encrypted
message for another application, or data in a custom format for an app you're
developing. One advantage of blob storage over disk storage is that it doesn't
require developers to think about or manage disks.
Storing data for backup and restore, disaster recovery, and archiving.
Objects in Blob storage can be accessed from anywhere in the world via
HTTP or HTTPS. Users or client applications can access blobs via URLs, the
Azure Storage REST API, Azure PowerShell, Azure CLI, or an Azure Storage
client library. The storage client libraries are available for multiple languages,
including .NET, Java, Node.js, Python, PHP, and Ruby.
Data stored in the cloud can grow at an exponential pace. To manage costs for
your expanding storage needs, it's helpful to organize your data based on
attributes like frequency of access and planned retention period.
Azure Storage offers different access tiers for your blob storage, helping you
store object data in the most cost-effective manner. The available access tiers
include:
Hot access tier: Optimized for storing data that is accessed frequently (for
example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and
stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored
for at least 180 days, with flexible latency requirements (for example, long-
term backups).
Only the hot and cool access tiers can be set at the account level. The
archive access tier isn't available at the account level.
Hot, cool, and archive tiers can be set at the blob level, during or after
upload.
Data in the cool access tier can tolerate slightly lower availability, but still
requires high durability, retrieval latency, and throughput characteristics
similar to hot data. For cool data, a slightly lower availability service-level
agreement (SLA) and higher access costs compared to hot data are
acceptable trade-offs for lower storage costs.
Archive storage stores data offline and offers the lowest storage costs, but
also the highest costs to rehydrate and access data.
Azure File Storage offers fully managed file shares in the cloud, and shares are
accessible using industry standard network protocols. Mounting Azure file shares
is just like connecting to shares on your local network.
Azure Files key benefits:
Shared access: Azure file shares support the industry standard SMB and
NFS protocols, meaning you can seamlessly replace your on-premises file
shares with Azure file shares without worrying about application compatibility.
Fully managed: Azure file shares can be created without the need to
manage hardware or an OS. This means you don't have to deal with patching
the server OS with critical security upgrades or replacing faulty hard disks.
Scripting and tooling: PowerShell cmdlets and Azure CLI can be used to
create, mount, and manage Azure file shares as part of the administration of
Azure applications. You can create and manage Azure file shares using
Azure portal and Azure Storage Explorer.
Resiliency: Azure Files has been built from the ground up to always be
available. Replacing on-premises file shares with Azure Files means you
don't have to wake up in the middle of the night to deal with local power
outages or network issues.
Queue storage can be combined with compute functions like Azure Functions to
take an action when a message is received. For example, you want to perform
an action after a customer uploads a form to your website. You could have the
submit button on the website trigger a message to the Queue storage.
Azure Table Storage offers a NoSQL data store for key value pairs using large scale
datasets. You can use Azure Table Storage to store petabytes of semi-structured
data, and keep your costs down.
There are three Azure storage tiers that you can use to balance your costs: hot,
cool, and archive.
The hot storage tier is optimized for storing data that is accessed frequently,
such as images for your website.
The cold storage tier is optimized for data that is infrequently accessed, and
stored for at least 30 days, such as customer invoices.
The archive storage tier is appropriate for data that is rarely accessed, and
stored for at least 180 days, such as long-term backups.
Table of storage account types (columns: Type, Supported services, Redundancy
options, Usage); the table body was not preserved in these notes.
One of the benefits of using an Azure Storage Account is having a unique
namespace in Azure for your data. In order to do this, every storage account in
Azure must have a unique-in-Azure account name. The combination of the
account name and the Azure Storage service endpoint forms the endpoints for your
storage account.
Storage account names must be between 3 and 24 characters in length and may
contain numbers and lowercase letters only.
Your storage account name must be unique within Azure. No two storage
accounts can have the same name. This supports the ability to have a unique,
accessible namespace in Azure.
The following table shows the endpoint format for Azure Storage services.
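The two rules above (3-24 lowercase alphanumerics, globally unique) and the way an account name becomes a service endpoint can be checked in a few lines. This is an added example, not code from the notes or from Microsoft; the endpoint suffixes (`blob.core.windows.net` and so on) are the standard public-cloud suffixes and are an assumption of the example, since the endpoint table itself was not preserved here. The registry of taken names is constructed sample data.

```python
import re

# Naming rule from the notes: 3-24 characters, lowercase letters and digits only.
ACCOUNT_NAME_RE = re.compile(r"[a-z0-9]{3,24}")

# Public-cloud endpoint suffixes for the four storage services. These are the
# standard public Azure suffixes (an assumption of this example; the notes'
# endpoint table was not preserved).
SERVICE_SUFFIXES = {
    "blob": "blob.core.windows.net",
    "file": "file.core.windows.net",
    "queue": "queue.core.windows.net",
    "table": "table.core.windows.net",
}


def is_valid_account_name(name: str) -> bool:
    """True if the name satisfies the length and character rules."""
    return ACCOUNT_NAME_RE.fullmatch(name) is not None


def storage_endpoints(name: str) -> dict[str, str]:
    """Derive the per-service endpoints from a valid account name."""
    if not is_valid_account_name(name):
        raise ValueError(f"invalid storage account name: {name!r}")
    return {svc: f"https://{name}.{suffix}" for svc, suffix in SERVICE_SUFFIXES.items()}


def reserve_account_name(taken: set[str], name: str) -> bool:
    """Model the global-uniqueness rule: succeed only if no account already uses the name."""
    if not is_valid_account_name(name) or name in taken:
        return False
    taken.add(name)
    return True


if __name__ == "__main__":
    registry = {"contosodata"}  # constructed: names already in use somewhere in Azure
    for candidate in ("contosodata", "Contoso-Data", "contosodata2"):
        outcome = "reserved" if reserve_account_name(registry, candidate) else "rejected"
        print(f"{candidate}: {outcome}")
    print(storage_endpoints("contosodata2"))
```

Because the hostname is derived purely from the account name, anything that references it (DNS CNAME records, application configuration) should be removed when the account is deleted, so that no stale reference keeps pointing at a name the organization no longer holds.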
Redundancy ensures that your storage account meets its availability and
durability targets even in the face of failures.
When deciding which redundancy option is best for your scenario, consider the
tradeoffs between lower costs and higher availability. The factors that help
determine which redundancy option you should choose include:
Whether your application requires read access to the replicated data in the
secondary region if the primary region becomes unavailable.
Redundancy in the primary region
Data in an Azure Storage account is always replicated three times in the primary
region. Azure Storage offers two options for how your data is replicated in the primary
region, locally redundant storage (LRS) and zone-redundant storage (ZRS).
Locally redundant storage (LRS) replicates your data three times within a single
data center in the primary region. LRS provides at least 11 nines of durability
(99.999999999%) of objects over a given year.
LRS is the lowest-cost redundancy option and offers the least durability
compared to other options. LRS protects your data against server rack and
drive failures. However, if a disaster such as fire or flooding occurs within
the data center, all replicas of a storage account using LRS may be lost or
unrecoverable. To mitigate this risk, Microsoft recommends using zone-
redundant storage (ZRS), geo-redundant storage (GRS), or geo-zone-
redundant storage (GZRS).
Zone-redundant storage
For Availability Zone-enabled Regions, zone-redundant storage (ZRS) replicates
your Azure Storage data synchronously across three Azure availability zones in
the primary region. ZRS offers durability for Azure Storage data objects of at
least 12 nines (99.9999999999%) over a given year.
With ZRS, your data is still accessible for both read and write operations even if a
zone becomes unavailable. No remounting of Azure file shares from the
connected clients is required. If a zone becomes unavailable, Azure undertakes
networking updates, such as DNS repointing. These updates may affect your
application if you access data before the updates have completed. Microsoft
recommends using ZRS in the primary region for scenarios that require
high availability. ZRS is also recommended for restricting replication of data
within a country or region to meet data governance requirements.
Azure Storage offers two options for copying your data to a secondary region:
geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS). GRS is
similar to running LRS in two regions, and GZRS is similar to running ZRS in the
primary region and LRS in the secondary region.
By default, data in the secondary region isn't available for read or write access
unless there's a failover to the secondary region. If the primary region becomes
unavailable, you can choose to fail over to the secondary region. After the failover
has completed, the secondary region becomes the primary region, and you can
again read and write data.
🚨 Important
Geo-redundant storage
GRS copies your data synchronously three times within a single physical
location in the primary region using LRS. It then copies your data asynchronously
to a single physical location in the secondary region (the region pair) using LRS. GRS
offers durability for Azure Storage data objects of at least 16 nines
(99.99999999999999%) over a given year.
Geo-zone-redundant storage
GZRS combines the high availability provided by redundancy across
availability zones with protection from regional outages provided by geo-
replication. Data in a GZRS storage account is copied across three Azure
availability zones in the primary region (similar to ZRS) and is also replicated to a
secondary geographic region, using LRS, for protection from regional disasters.
Microsoft recommends using GZRS for applications requiring maximum
consistency, durability, and availability, excellent performance, and resilience
for disaster recovery.
GZRS is designed to provide at least 16 nines (99.99999999999999%) of durability
of objects over a given year.
Read access to data in the secondary region
Geo-redundant storage (with GRS or GZRS) replicates your data to another physical
location in the secondary region to protect against regional outages. However, that
data is available to be read only if the customer or Microsoft initiates a failover from
the primary to secondary region. However, if you enable read access to the
secondary region, your data is always available, even when the primary region is
running optimally. For read access to the secondary region, enable read-access geo-
redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-
GZRS).
🚨 Important
Remember that the data in your secondary region may not be up-to-date
due to RPO.
Durable and highly available. Redundancy ensures that your data is safe if
transient hardware failures occur. You can also opt to replicate data across data
centers or geographical regions for additional protection from local catastrophes
or natural disasters. Data replicated in this way remains highly available if an
unexpected outage occurs.
Scalable. Azure Storage is designed to be massively scalable to meet the data
storage and performance needs of today's applications.
Managed. Azure handles hardware maintenance, updates, and critical issues for
you.
⇒ it’s important to also understand how to get your data and information into
Azure. Azure supports both real-time migration of infrastructure, applications, and
data using Azure Migrate as well as asynchronous migration of data using Azure
Data Box.
Azure Migrate
Azure Migrate is a service that helps you migrate from an on-premises
environment to the cloud. Azure Migrate functions as a hub to help you manage
the assessment and migration of your on-premises datacenter to Azure. It provides
the following:
Unified migration platform: A single portal to start, run, and track your migration
to Azure.
Range of tools: A range of tools for assessment and migration. Azure Migrate
tools include Azure Migrate: Discovery and assessment and Azure Migrate:
Server Migration. Azure Migrate also integrates with other Azure services and
tools, and with independent software vendor (ISV) offerings.
Assessment and migration: In the Azure Migrate hub, you can assess and
migrate your on-premises infrastructure to Azure.
Integrated tools
In addition to working with tools from ISVs, the Azure Migrate hub also includes the
following tools to help with migration:
Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical
servers, other virtualized servers, and public cloud VMs to Azure.
Azure Data Box. Use Azure Data Box products to move large amounts of offline
data to Azure.
Data Box is ideally suited to transferring data sizes larger than 40 TB in scenarios
with no or limited network connectivity. The data movement can be one-time,
periodic, or an initial bulk data transfer followed by periodic transfers.
Here are the various scenarios where Data Box can be used to import data to Azure.
Moving a media library from offline tapes into Azure to create an online media
library.
Moving historical data to Azure for in-depth analysis and reporting using
HDInsight.
Initial bulk transfer - when an initial bulk transfer is done using Data Box (seed)
followed by incremental transfers over the network.
Here are the various scenarios where Data Box can be used to export data from
Azure.
Disaster recovery - when a copy of the data from Azure is restored to an on-
premises network. In a typical disaster recovery scenario, a large amount of
Azure data is exported to a Data Box. Microsoft then ships this Data Box, and the
data is restored on your premises in a short time.
Security requirements - when you need to be able to export data out of Azure
due to government or security requirements.
Once the data from your import order is uploaded to Azure, the disks on the device
are wiped clean in accordance with NIST 800-88r1 standards. For an export order,
the disks are erased once the device reaches the Azure datacenter.
Azure also has tools designed to help you move or interact with individual files or
small file groups. Among those tools are AzCopy, Azure Storage Explorer, and Azure
File Sync.
AzCopy
AzCopy is a command-line utility that you can use to copy blobs or files to
or from your storage account. With AzCopy, you can upload files, download
files, copy files between storage accounts, and even synchronize files. AzCopy
can even be configured to work with other cloud providers to help move files
back and forth between clouds.
🚨 Important
Synchronizing blobs or files with AzCopy is one-direction
synchronization. When you synchronize, you designate the source
and destination, and AzCopy copies files or blobs in that direction. It
doesn't synchronize bi-directionally based on timestamps or other
metadata.
Azure File Sync
Use any protocol that's available on Windows Server to access your data
locally, including SMB, NFS, and FTPS.
Replace a failed local server by installing Azure File Sync on a new server in
the same datacenter.
Configure cloud tiering so the most frequently accessed files are replicated
locally, while infrequently accessed files are kept in the cloud until requested.
Azure Active Directory (Azure AD) is a directory service that enables you to
sign in and access both Microsoft cloud applications and cloud
applications that you develop. Azure AD can also help you maintain your on-
premises Active Directory deployment.
When you secure identities on-premises with Active Directory, Microsoft doesn't
monitor sign-in attempts. When you connect Active Directory with Azure AD,
Microsoft can help protect you by detecting suspicious sign-in attempts at no
extra cost. For example, Azure AD can detect sign-in attempts from unexpected
locations or unknown devices.
Users. Users can manage their identities and take maintenance actions like
self-service password reset.
Online service subscribers. Microsoft 365, Microsoft Office 365, Azure, and
Microsoft Dynamics CRM Online subscribers are already using Azure AD to
authenticate into their account.
Single sign-on: Single sign-on (SSO) enables you to remember only one
username and one password to access multiple applications. A single
identity is tied to a user, which simplifies the security model. As users change
roles or leave an organization, access modifications are tied to that identity,
which greatly reduces the effort needed to change or disable accounts.
An Azure AD DS managed domain lets you run legacy applications in the cloud
that can't use modern authentication methods, or where you don't want directory
lookups to always go back to an on-premises AD DS environment. You can lift
and shift those legacy applications from your on-premises environment into a
managed domain, without needing to manage the AD DS environment in the
cloud.
Authentication is the process of establishing the identity of a person,
service, or device. It requires the person, service, or device to provide
some type of credential to prove who they are. Authentication is like
presenting ID when you’re traveling. It doesn’t confirm that you’re ticketed, it just
proves that you're who you say you are. Azure supports multiple
authentication methods, including standard passwords, single sign-on
(SSO), multifactor authentication (MFA), and passwordless.
The following diagram shows the security level compared to the convenience.
Notice that passwordless authentication is high security and high convenience,
while passwords on their own are low security but high convenience.
Consider the process of managing all those identities. More strain is placed on
help desks as they deal with account lockouts and password reset requests. If a
user leaves an organization, tracking down all those identities and ensuring
they're disabled can be challenging. If an identity is overlooked, this might allow
access when it should have been eliminated.
With SSO, you need to remember only one ID and one password. Access
across applications is granted to a single identity that's tied to the user,
which simplifies the security model. Using SSO for accounts makes it easier
for users to manage their identities and for IT to manage users.
🚨 Important
Think about how you sign into websites, email, or online services. After entering
your username and password, have you ever needed to enter a code that was
sent to your phone? If so, you've used multifactor authentication to sign in.
Multifactor authentication → requiring two or more elements to fully authenticate.
These elements fall into three categories:
Something the user has – this might be a code that's sent to the user's
mobile phone.
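The point of the three categories is that two credentials from the same category are still a single factor. The check below is an added example, not code from the notes or from Azure AD; the mapping of credential types to categories is a constructed sample, and the two categories the notes do not list (something the user knows, something the user is) are filled in from the standard definition of MFA.

```python
from enum import Enum


class Category(Enum):
    """The three factor categories behind multifactor authentication."""
    KNOWS = "something the user knows"   # password, PIN, security question
    HAS = "something the user has"       # phone that receives a code, hardware key
    IS = "something the user is"         # fingerprint, face scan


# Credential types and their category (constructed mapping for this example).
CREDENTIAL_CATEGORY = {
    "password": Category.KNOWS,
    "security_question": Category.KNOWS,
    "sms_code": Category.HAS,
    "authenticator_push": Category.HAS,
    "fido2_key": Category.HAS,
    "fingerprint": Category.IS,
}


def categories_of(credentials):
    """Return the set of categories covered by the presented credentials."""
    unknown = [c for c in credentials if c not in CREDENTIAL_CATEGORY]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {CREDENTIAL_CATEGORY[c] for c in credentials}


def is_multifactor(credentials):
    """True only if the credentials span at least two distinct categories.

    A password plus a security question are both "something the user knows",
    so together they count as one factor, not two.
    """
    return len(categories_of(credentials)) >= 2


if __name__ == "__main__":
    for combo in (["password", "sms_code"], ["password", "security_question"]):
        print(combo, "->", "MFA" if is_multifactor(combo) else "single factor")
```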
Azure AD Multi-Factor Authentication is a Microsoft service that provides
multifactor authentication capabilities. Azure AD Multi-Factor Authentication
enables users to choose an additional form of authentication during sign-in, such
as a phone call or mobile app notification.
Windows Hello for Business is ideal for information workers who have
their own designated Windows PC. The biometric and PIN credentials are
directly tied to the user's PC, which prevents access from anyone other than
the owner. With public key infrastructure (PKI) integration and built-in support
for single sign-on (SSO), Windows Hello for Business provides a convenient
method for seamlessly accessing corporate resources on-premises and in
the cloud.
The Authenticator App turns any iOS or Android phone into a strong,
passwordless credential. Users can sign in to any platform or browser by
getting a notification to their phone, matching a number displayed on the
screen to the one on their phone, and then using their biometric (touch or
face) or PIN to confirm.
FIDO2 security keys
The FIDO (Fast IDentity Online) Alliance helps to promote open
authentication standards and reduce the use of passwords as a form of
authentication. FIDO2 is the latest standard that incorporates the web
authentication (WebAuthn) standard.
FIDO2 security keys are an unphishable standards-based passwordless
authentication method that can come in any form factor. Fast Identity
Online (FIDO) is an open standard for passwordless authentication. FIDO
allows users and organizations to leverage the standard to sign in to their
resources without a username or password by using an external security
key or a platform key built into a device.
Users can register and then select a FIDO2 security key at the sign-in
interface as their main means of authentication. These FIDO2 security keys
are typically USB devices, but could also use Bluetooth or NFC. With a
hardware device that handles the authentication, the security of an account is
increased as there's no password that could be exposed or guessed.
Business to business (B2B) collaboration - Collaborate with external
users by letting them use their preferred identity to sign in to your Microsoft
applications or other enterprise applications (SaaS apps, custom-developed
apps, etc.). B2B collaboration users are represented in your directory,
typically as guest users.
With Azure Active Directory (Azure AD), you can easily enable collaboration
across organizational boundaries by using the Azure AD B2B feature. Guest
users from other tenants can be invited by administrators or by other users. This
capability also applies to social identities such as Microsoft accounts.
You also can easily ensure that guest users have appropriate access. You can
ask the guests themselves or a decision maker to participate in an access review
and recertify (or attest) to the guests' access. The reviewers can give their input
on each user's need for continued access, based on suggestions from Azure AD.
When an access review is finished, you can then make changes and
remove access for guests who no longer need it.
During sign-in, Conditional Access collects signals from the user, makes
decisions based on those signals, and then enforces that decision by allowing or
denying the access request or challenging for a multifactor authentication
response.
The following diagram illustrates this flow:
→ the signal might be the user's location, the user's device, or the
application that the user is trying to access.
Based on these signals, the decision might be to allow full access if the user
is signing in from their usual location. If the user is signing in from an unusual
location or a location that's marked as high risk, then access might be blocked
entirely or possibly granted after the user provides a second form of
authentication.
Enforcement is the action that carries out the decision. For example, the action
is to allow access or require the user to provide a second form of
authentication.
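The signal, decision, enforcement flow described above can be written out as a small policy engine. This is an added example, not code from the notes or from Conditional Access itself; the usual-location list, the high-risk region code "XX" and the sensitive application name are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy data.
USUAL_LOCATIONS = {"alice": {"NL", "DE"}}   # countries a user normally signs in from
HIGH_RISK_LOCATIONS = {"XX"}                 # placeholder code for a region marked high risk
SENSITIVE_APPS = {"hr-payroll"}              # apps that always require a second factor


@dataclass
class Signals:
    """Signals collected at sign-in time."""
    user: str
    location: str            # country code of the sign-in origin
    device_compliant: bool   # device is known and managed
    application: str


def decide(s: Signals) -> str:
    """Return 'allow', 'require_mfa' or 'block' based on the signals."""
    if s.location in HIGH_RISK_LOCATIONS:
        return "block"
    if s.application in SENSITIVE_APPS:
        return "require_mfa"
    usual = s.location in USUAL_LOCATIONS.get(s.user, set())
    if usual and s.device_compliant:
        return "allow"
    # Unusual location or unmanaged device: grant only after a second factor.
    return "require_mfa"


def enforce(decision: str, mfa_satisfied: bool = False) -> bool:
    """Carry out the decision; returns whether access is granted."""
    if decision == "allow":
        return True
    if decision == "require_mfa":
        return mfa_satisfied
    return False


def sign_in(s: Signals, mfa_satisfied: bool = False) -> bool:
    """Full flow: collect signals, decide, enforce."""
    return enforce(decide(s), mfa_satisfied)


if __name__ == "__main__":
    attempts = [
        Signals("alice", "NL", True, "mail"),
        Signals("alice", "BR", True, "mail"),
        Signals("alice", "XX", True, "mail"),
    ]
    for a in attempts:
        print(a.location, a.application, "->", decide(a))
```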
The principle of least privilege says you should only grant access up to the
level needed to complete a task. If you only need read access to a storage
blob, then you should only be granted read access to that storage blob. Write
access to that blob shouldn’t be granted, nor should read access to other storage
blobs. It’s a good security practice to follow.
Instead of defining the detailed access requirements for each individual, and then
updating access requirements when new resources are created or new people
join the team, Azure enables you to control access through Azure role-
based access control (Azure RBAC).
→Azure provides built-in roles that describe common access rules for
cloud resources.
→You can also define your own roles. Each role has an associated set of
access permissions that relate to that role. When you assign individuals or
groups to one or more roles, they receive all the associated access permissions.
So, if you hire a new engineer and add them to the Azure RBAC group for
engineers, they automatically get the same access as the other engineers in
the same Azure RBAC group. Similarly, if you add additional resources and
point Azure RBAC at them, everyone in that Azure RBAC group will now have
those permissions on the new resources as well as the existing resources.
The following diagram shows the relationship between roles and scopes. A
management group, subscription, or resource admin might be given the role of
owner, so they have increased control and authority. An observer, who isn't
expected to make any updates, might be given a role of Reader for the same
scope, enabling them to review or observe the management group, subscription,
or resource group.
Scopes include:
A single subscription.
A resource group.
A single resource.
Azure RBAC is hierarchical, in that when you grant access at a parent scope,
those permissions are inherited by all child scopes. For example:
When you assign the Owner role to a user at the management group scope,
that user can manage everything in all subscriptions within the management
group.
When you assign the Reader role to a group at the subscription scope, the
members of that group can view every resource group and resource within
the subscription.
Azure RBAC uses an allow model. When you're assigned a role, Azure RBAC
allows you to perform actions within the scope of that role. If one role
assignment grants you read permissions to a resource group and a different role
assignment grants you write permissions to the same resource group, you have
both read and write permissions on that resource group.
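Scope inheritance, group assignments and the allow model combine into one permission check, shown here as an added example (not code from the notes or from Azure RBAC). The scope tree, the group membership and the role assignments are constructed sample data, and the permission sets standing in for Owner, Contributor and Reader are simplified, not the real role definitions.

```python
# Scope hierarchy: each scope maps to its parent (None at the root). Constructed
# sample: one management group, one subscription, two resource groups, one VM.
PARENT = {
    "mg-contoso": None,
    "sub-prod": "mg-contoso",
    "rg-web": "sub-prod",
    "rg-data": "sub-prod",
    "vm-web01": "rg-web",
}

# Simplified permission sets standing in for built-in roles (not the real definitions).
ROLES = {
    "Owner": {"read", "write", "delete", "assign_roles"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}

# Group membership (constructed). Assigning a role to a group covers all its members.
GROUP_MEMBERS = {"engineers": {"dave"}}

# Role assignments as (principal, role, scope) triples (constructed).
ASSIGNMENTS = [
    ("bob", "Reader", "sub-prod"),        # broad read access
    ("bob", "Contributor", "rg-web"),     # write access only where needed
    ("carol", "Owner", "mg-contoso"),
    ("engineers", "Contributor", "rg-web"),
]


def ancestors(scope):
    """Yield the scope itself and each parent up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_permissions(user, scope, assignments=ASSIGNMENTS):
    """Union of permissions from every assignment at the scope or any ancestor.

    This is the allow model: there is no subtraction, a second assignment can
    only add permissions.
    """
    chain = set(ancestors(scope))
    who = principals_for(user)
    perms = set()
    for principal, role, assigned_scope in assignments:
        if principal in who and assigned_scope in chain:
            perms |= ROLES[role]
    return perms


def is_allowed(user, action, scope, assignments=ASSIGNMENTS):
    return action in effective_permissions(user, scope, assignments)


if __name__ == "__main__":
    for user, action, scope in (("bob", "write", "vm-web01"), ("bob", "write", "rg-data")):
        print(user, action, scope, "->", is_allowed(user, action, scope))
    GROUP_MEMBERS["engineers"].add("erin")   # a new hire joins the engineers group
    print("erin write vm-web01 ->", is_allowed("erin", "write", "vm-web01"))
```

Bob's assignments follow the least-privilege pattern from the previous paragraph: Reader at the subscription so he can see everything, Contributor only on the one resource group he works in, and nothing that lets him modify rg-data.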
→ Zero Trust is a security model that assumes the worst case scenario and protects
resources with that expectation. Zero Trust assumes breach at the outset, and
then verifies each request as though it originated from an uncontrolled network.
Use least privilege access - Limit user access with Just-In-Time and Just-
Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach - Minimize blast radius and segment access. Verify end-to-
end encryption. Use analytics to get visibility, drive threat detection, and
improve defenses.
The Zero Trust model flips that scenario. Instead of assuming that a device is
safe because it’s within the corporate network, it requires everyone to
authenticate. It then grants access based on authentication rather than location.
Describe defense-in-depth
Layers of defense-in-depth
layers functioning to protect that
central data layer.
The physical security layer is the first line of defense to protect computing
hardware in the datacenter.
→securing access to buildings and controlling access to computing hardware
within the datacenter are the first line of defense.
The identity and access layer controls access to infrastructure and change
control.
→ is all about ensuring that identities are secure, that access is
granted only to what's needed, and that sign-in events and changes are
logged.
At this layer, it's important to:
The perimeter layer uses distributed denial of service (DDoS) protection to
filter large-scale attacks before they can cause a denial of service for users.
→ protects from network-based attacks against your resources.
Identifying these attacks, eliminating their impact, and alerting you
when they happen are important ways to keep your network secure.
At this layer, it's important to:
Use DDoS protection to filter large-scale attacks before they can affect
the availability of a system for users.
Deny by default.
The application layer helps ensure that applications are secure and free of
security vulnerabilities.
Integrating security into the application development lifecycle helps reduce
the number of vulnerabilities introduced in code. Every development
team should ensure that its applications are secure by default.
The data layer controls access to business and customer data that you need
to protect:
Stored in a database.
→ Microsoft Defender for Cloud provides the tools needed to harden your resources,
track your security posture, protect against cyber attacks, and streamline security
management. Deployment of Defender for Cloud is easy; it's already natively
integrated with Azure.
environment, monitoring of Azure services may not give you a complete picture
of your security situation.
Azure-native protections
Defender for Cloud helps you detect threats across:
Azure data services – Defender for Cloud includes capabilities that help
you automatically classify your data in Azure SQL. You can also get
assessments for potential vulnerabilities across Azure SQL and Storage
services, and recommendations for how to mitigate them.
Networks – Defender for Cloud helps you limit exposure to brute force
attacks. By reducing access to virtual machine ports with just-in-time
VM access, you can harden your network by preventing unnecessary
access. You can set secure access policies on selected ports, for only
authorized users, allowed source IP address ranges or IP addresses, and for
a limited amount of time.
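The four conditions a just-in-time policy puts on a management port (authorized user, selected port, allowed source range, bounded duration) are easy to model. This is an added example, not code from the notes and not Defender for Cloud's API or policy schema; the policy, the user list and the source ranges are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# A just-in-time style access policy for one VM (constructed for this example;
# not the Defender for Cloud API or policy schema).
POLICY = {
    "vm": "web01",
    "authorized_users": {"alice", "bob"},
    "ports": {
        22:   {"allowed_sources": ["203.0.113.0/24"], "max_hours": 3},
        3389: {"allowed_sources": ["198.51.100.10/32"], "max_hours": 1},
    },
}


def evaluate_request(policy, user, port, source_ip, hours, now):
    """Decide a JIT access request.

    Returns (granted, reason, expires_at). Anything not explicitly permitted
    is refused, so a port stays closed by default.
    """
    if user not in policy["authorized_users"]:
        return False, "user not authorized for JIT access", None
    rule = policy["ports"].get(port)
    if rule is None:
        return False, "port not covered by the policy", None
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in rule["allowed_sources"]):
        return False, "source address outside the allowed ranges", None
    if hours <= 0 or hours > rule["max_hours"]:
        return False, f"duration must be between 1 and {rule['max_hours']} hours", None
    return True, "granted", now + timedelta(hours=hours)


def is_open(expires_at, now):
    """A granted port closes again automatically once the window has elapsed."""
    return expires_at is not None and now < expires_at


def sample_now():
    """Fixed clock so the example is deterministic."""
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def hours_after(t, h):
    return t + timedelta(hours=h)


if __name__ == "__main__":
    now = sample_now()
    requests = [
        ("alice", 22, "203.0.113.7", 2),
        ("alice", 22, "192.0.2.5", 2),
        ("mallory", 22, "203.0.113.7", 2),
        ("alice", 3389, "198.51.100.10", 2),
    ]
    for user, port, src, hrs in requests:
        granted, reason, expires = evaluate_request(POLICY, user, port, src, hrs, now)
        print(f"{user} port {port} from {src} for {hrs}h -> {reason}", expires or "")
```

The source-range check uses the standard library's `ipaddress` module so that a single address is tested against each CIDR properly rather than by string prefix, which is a common mistake in hand-written allow lists.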
→you can add Defender for Cloud capabilities to your hybrid cloud environment
to protect your non-Azure servers. To help you focus on what matters the
most, you'll get customized threat intelligence and prioritized alerts according to
your specific environment.
To extend protection to on-premises machines, deploy Azure Arc and enable
Defender for Cloud's enhanced security features.
Defender for Cloud can also protect resources in other clouds (such as
AWS and GCP).
→ e.g., if you've connected an Amazon Web Services (AWS) account to an Azure
subscription, you can enable any of these protections:
Defender for Cloud's CSPM features extend to your AWS resources. This
agentless plan assesses your AWS resources according to AWS-specific
security recommendations, and includes the results in the secure score. The
resources will also be assessed for compliance with built-in standards
specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security
Best Practices). Defender for Cloud's asset inventory page is a
multicloud enabled feature helping you manage your AWS resources
alongside your Azure resources.
Defender for Cloud fills three vital needs as you manage the security of your
resources and workloads in the cloud and on-premises:
machines, container registries, and SQL servers. Microsoft Defender for
servers includes automatic, native integration with Microsoft Defender for
Endpoint. With this integration enabled, you'll have access to the vulnerability
findings from Microsoft threat and vulnerability management. Between these
assessment tools you'll have regular, detailed vulnerability scans that cover
your compute, data, and infrastructure. You can review and respond to the
results of these scans all from within Defender for Cloud.
security policies in place that are tailored to your environment and situation.
Because policies in Defender for Cloud are built on top of Azure Policy controls,
you're getting the full range and flexibility of a world-class policy solution. In
Defender for Cloud, you can set your policies to run on management groups,
across subscriptions, and even for a whole tenant.
One of the benefits of moving to the cloud ⇒ ability to grow and scale as you
need, adding new services and resources as necessary. Defender for Cloud is
constantly monitoring for new resources being deployed across your workloads.
Defender for Cloud assesses if new resources are configured according to
security best practices. If not, they're flagged and you get a prioritized list of
recommendations for what you need to fix. Recommendations help you reduce
the attack surface across each of your resources.
The list of recommendations is enabled and supported by the Azure Security
Benchmark. This Microsoft-authored, Azure-specific benchmark provides a set
of guidelines for security and compliance best practices based on common
compliance frameworks.
When Defender for Cloud detects a threat in any area of your environment, it
generates a security alert. Security alerts:
Describe details of the affected resources
Suggest remediation steps
Provide, in some cases, an option to trigger a logic app in response
Whether an alert is generated by Defender for Cloud or received by Defender for
Cloud from an integrated security product, you can export it. Defender for
Cloud's threat protection includes fusion kill-chain analysis, which automatically
correlates alerts in your environment based on cyber kill-chain analysis, to help
you better understand the full story of an attack campaign, where it started, and
what kind of impact it had on your resources.
Advanced threat protection
Defender for Cloud provides advanced threat protection features for many of
your deployed resources, including virtual machines, SQL databases, containers,
web applications, and your network. Protections include securing the
management ports of your VMs with just-in-time access, and adaptive
application controls to create allow lists for what apps
should and shouldn't
→Defender for Cloud
run on your machines.
enables you not just
to set security
policies, but to apply
secure configuration
standards across
your resources.
Dev AZURE 71
while the controls give
you a working list of
things to consider to
improve your security
score and your overall
security posture.
MODULE 3
Describe Azure management and governance
→First, the Total Cost of Ownership, or TCO, Calculator helps you understand
the cost savings of operating your solution on Azure compared to your on-
premises data center. Define your workloads by specifying your current on-
premises infrastructure based on service, databases, storage, and
networking. Then you can make adjustments to costs based on your location
and organization. Finally, you can view a report that shows your costs and
savings over time.
→The second useful tool is the Pricing Calculator, which can help you
determine which Azure services best fit your budget. As you select your
subscriptions, services, resources, and third-party solutions, you can add up your
costs. You can make adjustments for regions, billing options, Dev/Test
pricing, and support options. This can give you a good estimate of the costs of
your plans.
→To monitor your actual costs, you can use the Azure Advisor. It can make
recommendations around unused resources and ways to optimize your services.
You can also set spending limits on your costs to prevent accidental cost
overruns. By using these tools, you can monitor your costs while tracking your
overall long-term savings of moving to the cloud.
Azure shifts development costs from the capital expense (CapEx) of building out
and maintaining infrastructure and facilities to an operational expense (OpEx) of
renting infrastructure as you need it, whether it’s compute, storage, networking,
and so on.
That OpEx cost can be impacted by many factors. Some of the impacting
factors are:
Resource type
The type of resources, the settings for the resource, and the Azure region will
all have an impact on how much a resource costs. When you provision an
Azure resource, Azure creates metered instances for that resource. The
meters track the resources' usage and generate a usage record that is
used to calculate your bill.
With a virtual machine (VM), you may have to consider licensing for the
operating system or other software, the processor and number of cores for
the VM, the attached storage, and the network interface. Just like with
storage, provisioning the same virtual machine in different regions may result
in different costs.
Consumption
However, Azure also offers the ability to commit to using a set amount of
cloud resources in advance and receiving discounts on those “reserved”
resources. Many services, including databases, compute, and storage all
provide the option to commit to a level of use and receive a discount, in
some cases up to 72 percent.
When you reserve capacity, you’re committing to using and paying for a
certain amount of Azure resources during a given period (typically one or
three years). With the back-up of pay-as-you-go, if you see a sudden surge
in demand that eclipses what you’ve pre-reserved, you just pay for the
additional resources in excess of your reservation. This model allows you
to recognize significant savings on reliable, consistent workloads while
also having the flexibility to rapidly increase your cloud footprint as the
need arises.
Maintenance
The flexibility of the cloud makes it possible to rapidly adjust resources
based on demand. Using resource groups can help keep all of your
resources organized. In order to control costs, it’s important to maintain your
cloud environment. For example, every time you provision a VM, additional
resources such as storage and networking are also provisioned. If you
deprovision the VM, those additional resources may not deprovision at the
same time, either intentionally or unintentionally. By keeping an eye on
your resources and making sure you’re not keeping around resources
that are no longer needed, you can help control cloud costs.
Geography
When you provision most resources in Azure, you need to define a region
where the resource deploys. Azure infrastructure is distributed globally,
which enables you to deploy your services centrally or closest to your
customers, or something in between. With this global deployment comes
global pricing differences. The cost of power, labor, taxes, and fees vary
depending on the location. Due to these variations, Azure resources can
differ in costs to deploy depending on the region.
Network Traffic
Subscription type
Azure Marketplace
preinstalled and configured, or managed network firewall appliances, or
connectors to third-party backup services. When you purchase products
through Azure Marketplace, you may pay for not only the Azure services
that you’re using, but also the services or expertise of the third-party
vendor. Billing structures are set by the vendor.
The pricing calculator and the total cost of ownership (TCO) calculator are
two calculators that help you understand potential Azure expenses. Both
calculators are accessible from the internet, and both calculators allow you to
build out a configuration. However, the two calculators have very different
purposes.
🚨 The Pricing calculator is for information purposes only. The prices are only an estimate. Nothing is provisioned when you add resources to the pricing calculator, and you won't be charged for any services you select.
The TCO calculator compares the anticipated costs for your current environment with an Azure environment supporting the same infrastructure requirements. With the TCO calculator, you enter your configuration, add in assumptions like power and IT labor costs, and are presented with an estimation of the cost difference to run the same environment in your current datacenter or in Azure.
→ you can estimate the cost of any provisioned resources, including compute, storage, and associated network costs. You can even account for different storage options like storage type, access tier, and redundancy.
Recall that the TCO Calculator involves three steps:
⇒ provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources.
→ use cost analysis to explore and analyze your organizational costs. You
can view aggregated costs by organization to understand where costs are
accrued and to identify spending trends. And you can see accumulated costs
over time to estimate monthly, quarterly, or even yearly cost trends against a
budget.
Cost alerts
defined by cost or by consumption usage when using the Azure Consumption API. Budget alerts support both cost-based and usage-based budgets. Budget alerts are generated automatically whenever the budget alert conditions are met. You can view all cost alerts in the Azure portal. Whenever an alert is generated, it appears in cost alerts. An alert email is also sent to the people in the alert recipients list of the budget.
reflected in cost alerts, and in the email sent to the account owners.
Budgets
A budget is where you set a spending limit for Azure. You can set budgets
based on a subscription, resource group, service type, or other criteria.
When you set a budget, you will also set a budget alert. When the budget hits
the budget alert level, it will trigger a budget alert that shows up in the cost alerts
area. If configured, budget alerts will also send an email notification that a budget
alert threshold has been triggered.
Resource management Tags enable you to locate and act on resources
that are associated with specific workloads, environments, business
units, and owners.
You can add, modify, or delete resource tags through Windows PowerShell,
the Azure CLI, Azure Resource Manager templates, the REST API, or the
Azure portal.
You can use Azure Policy to enforce tagging rules and conventions. For
example, you can require that certain tags be added to new resources as they're
provisioned. You can also define rules that reapply tags that have been
removed. Tags aren’t inherited, meaning that you can apply tags one level
and not have those tags automatically show up at a different level, allowing
you to create custom tagging schemas that change depending on the level
(resource, resource group, subscription, and so on).
An example tagging structure
A resource tag consists of a name and a value. You can assign one or more
tags to each Azure resource.
Name | Value
AppName | The name of the application that the resource is part of.
CostCenter | The internal cost center code.
Owner | The name of the business owner who's responsible for the resource.
Environment | An environment name, such as "Prod," "Dev," or "Test."
Impact | How important the resource is to business operations, such as "Mission-critical," "High-impact," or "Low-impact."
Keep in mind that you don't need to enforce that a specific tag is present on all of your resources. For example, you might decide that only mission-critical resources have the Impact tag. All non-tagged resources would then not be considered as mission-critical.
You can specify a parameter's value when you create the blueprint
definition or when you assign the blueprint definition to a scope. In this way,
you can maintain one standard blueprint but have the flexibility to specify the
relevant configuration parameters at each scope where the definition is assigned.
Role assignments
Policy assignments
Resource groups
With Azure Blueprints, the relationship between the blueprint definition (what
should be deployed) and the blueprint assignment (what was deployed) is
preserved.
→ Azure creates a record that associates a resource with the blueprint that
defines it. This connection helps you track and audit your deployments.
How does Azure Policy define policies?
Azure Policy enables you to define both individual policies and groups of
related policies, known as initiatives. Azure Policy evaluates your resources
and highlights resources that aren't compliant with the policies you've
created. Azure Policy can also prevent noncompliant resources from being
created.
Azure Policies can be set at each level, enabling you to set policies on a
specific resource, resource group, subscription, and so on. Additionally, Azure
Policies are inherited, so if you set a policy at a high level, it will automatically
be applied to all of the groupings that fall within the parent ⇒ if you set an Azure
Policy on a resource group, all resources created within that resource
group will automatically receive the same policy.
Azure Policy comes with built-in policy and initiative definitions for Storage,
Networking, Compute, Security Center, and Monitoring. For example, if you
define a policy that allows only a certain size for the virtual machines (VMs) to be
used in your environment, that policy is invoked when you create a new VM
and whenever you resize existing VMs. Azure Policy also evaluates and
monitors all current VMs in your environment, including VMs that were created
before the policy was created.
Azure Policy also integrates with Azure DevOps by applying any continuous
integration and delivery pipeline policies that pertain to the pre-deployment and
post-deployment phases of your applications.
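How a policy rule such as "only these VM sizes" or "every resource carries a CostCenter tag" is actually decided can be traced with a small evaluator. The following is an added illustration, not the Azure Policy engine or any Microsoft code: it implements only a subset of the rule language (allOf / anyOf / not, equals / in / exists, the tags['name'] alias and [parameters('x')] references) and resolves aliases in a simplified way; the definitions, parameter values and resources are constructed.

```python
"""Evaluator for a small subset of the Azure Policy rule language (added
illustration, not the Azure Policy engine). Alias resolution is simplified:
a provider alias is read as a dotted path after the resource type."""
import re

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_RE = re.compile(r"^tags\['([^']+)'\]$")
_norm = lambda v: v.lower() if isinstance(v, str) else v  # string compares are case-insensitive


def resolve_value(expr, params):
    """Substitute a [parameters('x')] reference; anything else is a literal."""
    m = _PARAM_RE.match(expr) if isinstance(expr, str) else None
    return params[m.group(1)] if m else expr


def resolve_field(field, resource):
    """Resolve a field alias against one resource document (None if absent)."""
    m = _TAG_RE.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    prefix = resource.get("type", "") + "/"
    if field.startswith(prefix):  # provider alias, e.g. .../virtualMachines/sku.name
        node = resource
        for part in field[len(prefix):].split("."):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return resource.get(field)    # top-level fields: type, name, location


def matches(cond, resource, params):
    """True when the rule's 'if' block matches the resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = resolve_field(cond["field"], resource)
    if "equals" in cond:
        return _norm(actual) == _norm(resolve_value(cond["equals"], params))
    if "in" in cond:
        return _norm(actual) in [_norm(v) for v in resolve_value(cond["in"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, params=None):
    """Return the effect ('deny', 'audit', ...) when the rule fires, else None."""
    if matches(definition["if"], resource, params or {}):
        return definition["then"]["effect"].lower()
    return None


def assess(assignments, resources):
    """Non-compliant (resource, policy, effect) triples over all assignments."""
    findings = []
    for res in resources:
        for name, definition, params in assignments:
            effect = evaluate(definition, res, params)
            if effect:
                findings.append((res["name"], name, effect))
    return findings


# Constructed definitions in the shape of real Azure Policy definitions.
ALLOWED_VM_SIZES = {  # deny any VM whose SKU is not on the allowed list
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "deny"}}
REQUIRE_COSTCENTER_TAG = {  # enforce the tagging convention at provisioning
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "deny"}}
ASSIGNMENTS = [
    ("allowed-vm-sizes", ALLOWED_VM_SIZES,
     {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}),
    ("require-costcenter-tag", REQUIRE_COSTCENTER_TAG, {})]
RESOURCES = [  # constructed sample resources
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
     "sku": {"name": "Standard_D2s_v3"}, "tags": {"CostCenter": "CC-1042"}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-big-01",
     "sku": {"name": "Standard_E64s_v3"}, "tags": {"CostCenter": "CC-1042"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs01",
     "tags": {"Environment": "Dev"}}]
```

Running `assess(ASSIGNMENTS, RESOURCES)` flags the oversized VM under the size policy and the untagged storage account under the tag policy, while the compliant VM produces no finding.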
recommendations for all Azure resource types in Azure Security Center.
there's still a risk that people with the right level of access could delete
critical cloud resources ⇒ Resource locks prevent resources from being
deleted or updated, depending on the type of lock. Resource locks can be
applied to individual resources, resource groups, or even an entire
subscription. Resource locks are inherited, meaning that if you place a resource
lock on a resource group, all of the resources within the resource group will also
have the resource lock applied.
There are two types of resource locks: one that prevents users from deleting a
resource, and one that prevents users from changing or deleting a resource.
Delete means authorized users can still read and modify a resource, but they
can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete
or update the resource. Applying this lock is similar to restricting all
authorized users to the permissions granted by the Reader role.
You can manage resource locks from the Azure portal, PowerShell, the Azure
CLI, or from an Azure Resource Manager template.
To view, add, or delete locks in the Azure portal, go to the Settings section of any
resource's Settings pane in the Azure portal.
How do I delete or change a locked resource?
To modify a locked resource, you must first remove the lock. After you
remove the lock, you can apply any action you have permissions to perform.
Resource locks apply regardless of RBAC permissions. Even if you're an owner
of the resource, you must still remove the lock before you can perform the
blocked activity.
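The inheritance and "regardless of RBAC" rules above can be modelled in a few lines. This is an added illustration, not Azure's implementation: scope strings follow the ARM resource ID layout, the lock levels use the names CanNotDelete (the "Delete" lock above) and ReadOnly, and every subscription, resource group and resource ID is constructed.

```python
"""Effective resource locks across an Azure scope hierarchy (added
illustration, not Azure's implementation). Locks set on a resource group or
subscription are inherited by everything beneath them; CanNotDelete blocks
only deletion, ReadOnly also blocks updates; no RBAC role bypasses a lock."""

CAN_NOT_DELETE = "CanNotDelete"   # the "Delete" lock described above
READ_ONLY = "ReadOnly"
BLOCKED_BY = {CAN_NOT_DELETE: {"delete"}, READ_ONLY: {"delete", "update"}}


def ancestors(scope):
    """scope, then its resource group (if any), then its subscription."""
    parts = scope.strip("/").split("/")
    chain = [scope]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    chain.append("/" + "/".join(parts[:2]))
    return list(dict.fromkeys(chain))  # keeps order, drops duplicates


class LockStore:
    """Locks keyed by (scope, name), as you would add/list/remove them in the
    portal, PowerShell, the CLI or an ARM template."""

    def __init__(self):
        self._locks = {}

    def add(self, scope, name, level):
        if level not in BLOCKED_BY:
            raise ValueError(f"unknown lock level {level!r}")
        self._locks[(scope, name)] = level

    def remove(self, scope, name):
        """A lock is removed at the scope it was created on, not from a child."""
        if (scope, name) not in self._locks:
            raise KeyError(f"no lock {name!r} at {scope}")
        del self._locks[(scope, name)]

    def effective(self, scope):
        """Locks applying to scope, including those inherited from ancestors."""
        chain = ancestors(scope)
        return [(s, n, lvl) for (s, n), lvl in self._locks.items() if s in chain]

    def check(self, action, scope, role="Owner"):
        """(allowed, reason) for read/update/delete. `role` only documents that
        the lock applies regardless of RBAC; RBAC itself is not modelled."""
        for s, name, level in self.effective(scope):
            if action in BLOCKED_BY[level]:
                return False, (f"{action} blocked by {level} lock {name!r} on {s}; "
                               f"role {role} must remove the lock first")
        return True, f"{action} allowed by locks (still subject to RBAC)"


# Constructed scopes (not real IDs)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-db-01"
```

With a CanNotDelete lock on RG, `check("delete", VM)` is refused for an Owner until `remove(RG, "no-delete")`, while `check("update", VM)` still passes until a ReadOnly lock is added.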
The Service Trust Portal features and content are accessible from the main
menu. The categories on the main menu are:
Service Trust Portal provides a quick access hyperlink to return to the
Service Trust Portal home page.
All Documents is a single landing place for documents on the service trust
portal. From All Documents, you can pin documents to have them show up
in your My Library.
To get the most out of Azure, you need a way to interact with the Azure
environment, the management groups, subscriptions, resource groups,
resources, and so on. Azure provides multiple tools for managing your
environment, including the:
Azure portal
Azure PowerShell
The Azure portal is designed for resiliency and continuous availability. It
maintains a presence in every Azure datacenter. This configuration makes the
Azure portal resilient to individual datacenter failures and avoids network
slowdowns by being close to users. The Azure portal updates continuously
and requires no downtime for maintenance activities.
Azure Cloud Shell has several features that make it a unique offering to
support you in managing Azure. Some of those features are:
You choose the shell you’re most familiar with; Azure Cloud Shell supports
both Azure PowerShell and the Azure CLI (which uses Bash).
The deployment of an entire infrastructure, which might contain dozens
or hundreds of resources, from imperative code.
In addition to being available via Azure Cloud Shell, you can install and configure
Azure PowerShell on Windows, Linux, and Mac platforms.
What is the Azure CLI?
The Azure CLI provides the same benefits of handling discrete tasks or
orchestrating complex operations through code. It’s also installable on
Windows, Linux, and Mac platforms, as well as through Azure Cloud Shell.
In utilizing Azure Resource Manager (ARM), Arc lets you extend your Azure
compliance and monitoring to your hybrid and multi-cloud configurations.
Azure Arc simplifies governance and management by delivering a consistent
multi-cloud and on-premises management platform.
Configure custom locations as an abstraction layer on top of Azure
Arc-enabled Kubernetes clusters and cluster extensions.
Currently, Azure Arc allows you to manage the following resource types
hosted outside of Azure:
Servers
Kubernetes clusters
SQL Server
Azure Resource Manager (ARM) is the deployment and management service for
Azure. It provides a management layer that enables you to create, update, and
delete resources in your Azure account. Anytime you do anything with your
Azure resources, ARM is involved.
When a user sends a request from any of the Azure tools, APIs, or SDKs, ARM
receives the request. ARM authenticates and authorizes the request. Then, ARM
sends the request to the Azure service, which takes the requested action. You
see consistent results and capabilities in all the different tools because all
requests are handled through the same API.
Deploy, manage, and monitor all the resources for your solution as a group,
rather than handling these resources individually.
Apply access control to all services because RBAC is natively integrated into
the management platform.
Apply tags to resources to logically organize all the resources in your
subscription.
The following video provides an overview of how you can use different Azure tools
with ARM to manage your environment:
ARM templates
By using ARM templates, you can describe the resources you want to use in a
declarative JSON format. With an ARM template, the deployment code is verified
before any code is run. This ensures that the resources will be created and
connected correctly. The template then orchestrates the creation of those resources
in parallel. That is, if you need 50 instances of the same resource, all 50 instances
are created at the same time.
Declarative syntax: ARM templates allow you to create and deploy an entire
Azure infrastructure declaratively. Declarative syntax means you declare what
you want to deploy but don’t need to write the actual programming
commands and sequence to deploy the resources.
deployments finish faster than serial deployments. You deploy the template
through one command, rather than through multiple imperative commands.
Modular files: You can break your templates into smaller, reusable
components and link them together at deployment time. You can also nest
one template inside another template. For example, you could create a
template for a VM stack, and then nest that template inside of templates that
deploy entire environments, and that VM stack will consistently be deployed in
each of the environment templates.
Extensibility: With deployment scripts, you can add PowerShell or Bash scripts
to your templates. The deployment scripts extend your ability to set up
resources during deployment. A script can be included in the template or
stored in an external source and referenced in the template. Deployment
scripts give you the ability to complete your end-to-end environment setup in a
single ARM template.
The recommendations are available via the Azure portal and the API, and you can
set up notifications to alert you to new recommendations.
When you're in the Azure portal, the Advisor dashboard displays personalized
recommendations for all your subscriptions. You can use filters to select
recommendations for specific subscriptions, resource groups, or services. The
recommendations are divided into five categories:
Cost is used to optimize and reduce your overall Azure spending.
Azure Status is a broad picture of the status of Azure globally. Azure status
informs you of service outages in Azure on the Azure Status page. The
page is a global view of the health of all Azure services across all Azure regions.
It’s a good reference for incidents with widespread impact.
By using Azure status, Service health, and Resource health, Azure Service
Health gives you a complete view of your Azure environment, all the way from
the global status of Azure services and regions down to specific resources.
Additionally, historical alerts are stored and accessible for later review.
Something you initially thought was a simple anomaly that turned into a trend can
readily be reviewed and investigated thanks to the historical alerts.
Finally, in the event that a workload you’re running is impacted by an event, Azure
Service Health provides links to support.
Describe Azure Monitor
Azure Monitor is a platform for collecting data on your resources, analyzing that
data, visualizing the information, and even acting on the results. Azure Monitor
can monitor Azure resources, your on-premises resources, and even multi-
cloud resources like virtual machines hosted with a different cloud provider.
The following diagram illustrates just how comprehensive Azure Monitor is:
[Diagram: Azure Monitor. Sources: Workloads, Infrastructure. Data Platform: Metrics, Logs. Experiences: Visualize (Workbooks, Dashboards, PowerBI, Grafana), Analyze, Integrate.]
On the left is a list of the sources of logging and metric data that can be
collected at every layer in your application architecture, from application to
operating system and network.
In the center, the logging and metric data are stored in central repositories.
On the right, the data is used in several ways. You can view real-time and
historical performance across each layer of your architecture or aggregated
and detailed information. The data is displayed at different levels for different
audiences. You can view high-level reports on the Azure Monitor Dashboard or
create custom views by using Power BI and Kusto queries.
Additionally, you can use the data to help you react to critical events in real time,
through alerts delivered to teams via SMS, email, and so on. Or you can use
thresholds to trigger autoscaling functionality to scale to meet the demand.
Alerts can be set up to monitor the logs and trigger on certain log events, or they can
be set to monitor metrics and trigger when certain metrics are crossed. For example,
you could set a metric-based alert up to notify you when the CPU usage on a virtual
machine exceeds 80%. Alert rules based on metrics provide near-real-time alerts
based on numeric values. Rules based on logs allow for complex logic across data
from multiple sources.
Azure Monitor Alerts use action groups to configure who to notify and what
action to take. An action group is simply a collection of notification and action
preferences that you associate with one or multiple alerts. Azure Monitor, Service
Health, and Azure Advisor all use action groups to notify you when an alert
has been triggered.
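The two alert kinds and the action group that both feed can be shown end to end in a small model. This is an added illustration of the concepts above, not Azure Monitor's own code: a metric rule averages a window of samples and compares it with the 80% CPU threshold, a log rule counts matching records per computer, and both hand the alert to one shared action group; the metric samples, log records and receivers are all constructed.

```python
"""Metric-based and log-based alert rules routed through an action group
(added illustration, not Azure Monitor's implementation). Samples, log
records and receiver addresses below are constructed."""
from statistics import mean


class ActionGroup:
    """Notification preferences shared by one or many alert rules."""

    def __init__(self, name, emails=(), sms=()):
        self.name, self.emails, self.sms = name, list(emails), list(sms)

    def notify(self, alert):
        """Fan the alert out to every receiver; returns the deliveries made."""
        return ([("email", to, alert["summary"]) for to in self.emails]
                + [("sms", to, alert["summary"]) for to in self.sms])


class MetricAlertRule:
    """Near-real-time rule on numeric values: aggregate a window, then compare."""

    def __init__(self, name, metric, threshold, window, action_group):
        self.name, self.metric, self.threshold = name, metric, threshold
        self.window, self.action_group = window, action_group

    def evaluate(self, samples):
        """samples: (minute, value) pairs for self.metric, oldest first."""
        recent = [value for _, value in samples[-self.window:]]
        if len(recent) < self.window:
            return None                       # wait for a full window
        avg = mean(recent)
        if avg <= self.threshold:
            return None
        alert = {"rule": self.name, "summary": f"{self.metric} avg {avg:.1f}% "
                 f"> {self.threshold}% over {self.window} min"}
        alert["deliveries"] = self.action_group.notify(alert)
        return alert


class LogAlertRule:
    """Log rule: count records satisfying a predicate, grouped by a dimension."""

    def __init__(self, name, predicate, dimension, min_count, action_group):
        self.name, self.predicate, self.dimension = name, predicate, dimension
        self.min_count, self.action_group = min_count, action_group

    def evaluate(self, records):
        counts = {}
        for rec in records:
            if self.predicate(rec):
                key = rec[self.dimension]
                counts[key] = counts.get(key, 0) + 1
        offenders = sorted(k for k, c in counts.items() if c >= self.min_count)
        if not offenders:
            return None
        alert = {"rule": self.name, "offenders": offenders,
                 "summary": f"{self.name}: {', '.join(offenders)}"}
        alert["deliveries"] = self.action_group.notify(alert)
        return alert


# Constructed sample data
OPS_TEAM = ActionGroup("ops-oncall", emails=["ops@example.com", "sec@example.com"],
                       sms=["+10000000000"])
CPU_SAMPLES = [(0, 40), (1, 50), (2, 60), (3, 70), (4, 82), (5, 88), (6, 91), (7, 94)]
LOG_RECORDS = [
    {"source": "Syslog", "computer": "vm-web-01", "severity": "err", "message": "disk I/O error"},
    {"source": "Syslog", "computer": "vm-web-01", "severity": "err", "message": "disk I/O error"},
    {"source": "Heartbeat", "computer": "vm-web-01", "severity": "info", "message": "alive"},
    {"source": "Syslog", "computer": "vm-web-01", "severity": "err", "message": "nginx exited"},
    {"source": "Syslog", "computer": "vm-web-02", "severity": "err", "message": "oom-killer"},
]
CPU_RULE = MetricAlertRule("cpu-high", "Percentage CPU", threshold=80, window=5,
                           action_group=OPS_TEAM)
ERR_RULE = LogAlertRule("syslog-errors",
                        lambda r: r["source"] == "Syslog" and r["severity"] == "err",
                        dimension="computer", min_count=3, action_group=OPS_TEAM)
```

The first five CPU samples average 60.4% and stay silent; the last five average 85.0%, so the rule fires and the action group delivers to two e-mail and one SMS receiver.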
Application Insights
Application Insights, an Azure Monitor feature, monitors your web applications.
Application Insights is capable of monitoring applications that are running in
Azure, on-premises, or in a different cloud environment.
There are two ways to configure Application Insights to help monitor your
application. You can either install an SDK in your application, or you can use the
Application Insights agent. The Application Insights agent is supported in
C#.NET, VB.NET, Java, JavaScript, Node.js, and Python.
Once Application Insights is up and running, you can use it to monitor a broad array
of information, such as:
Dependency rates, response times, and failure rates, to show whether external
services are slowing down performance
AJAX calls from web pages, including rates, response times, and failure rates
Not only does Application Insights help you monitor the performance of your
application, but you can also configure it to periodically send synthetic requests
to your application, allowing you to check the status and monitor your
application even during periods of low activity.