Nazaudy, a spark in your curious mind

Lab Setup for Microsoft Exam Azure AZ-900

In this article I explore the contents theory for the Microsoft Exam Azure AZ-900, so you can revise and actually do some testing before taking the AZ-900 exam. I didn't have any Azure certification, and it was long overdue for me to jump into the pool of the cloud. Sooner or later, the maintenace of an on-prem infrastructure will dissapear, think about it: a brand new business most likely will have its infrasctructure on the cloud, rather than facing the initial investment in-house knowing if the company is going to do well or not

So, let's go and focus, study hard and get Microsoft Azure Fundamentals certified. The topics for the Exam AZ-900: Microsoft Azure Fundamentals can be found here: https://docs.microsoft.com/en-us/learn/certifications/exams/az-900 , these topics were last updated by Microsoft 23rd January 2024, and that update is the one used in this article

The Cloud could be described as simply using somebody else's CPU and memory, basically somebody else computer. Just so we understand the concept, let me share this video with you. It is an ancient video relating to a VMware product, but to me it clearly demonstrates what cloud computing (name it Azure, VMware or Google Cloud) can do for you, how flexible "borrowing" resources from the Cloud could be for your business:

VMware Distributed Power Management

 

These are the contents of this article:

  1. Azure - starting up
  2. Cloud Concepts
  3. Azure Architecture
  4. Azure Infrastructure
    • Compute, Networking, Storage and Database
  5. Authentication and Authorisation
  6. Azure Solutions
  7. Security
  8. Monitoring and Management
  9. Pricing
  10. Support

 

1. Azure - starting up

Start by registering your email account with Microsoft. If so, then use it to sign up at Azure Portal here: https://azure.microsoft.com/en-gb/free/ You'll get lots of things with this new account, and it is absolutely perfect to explore Azure and do some testing without messing up with your production environment

AZ Asure subscription

During the setup process, you will need to verify your account by entering your mobile number (notice VoIP phone numbers are not allowed for some silly reason) and a valid credit card number. There is no way to avoid this, so just do it! Unfortunately, you only got one month to test Azure, after that you'll get the "not eligible" message if you try to register again with another account

You're not eligible for an Azure free account

Even if you sign it with a different credit card number, Microsoft Azure won't allow you to "cheat" and duplicate the account, so basically you only have one flipping month to use the free service. Be wise and use it just to prepare for this exam! You can create multiple subscriptions in a single Azure Active Directory tenant

The main topics for the AZ-900 exams are:

  • Cloud Concepts
  • Azure Architecture
  • Azure Infrastructure: Compute, Networking, Storage and Database
  • Authentication and Authorisation
  • Azure Solutions
  • Security: Privacy, Compliance and Trust
  • Monitoring and Management
  • Pricing
  • Support

The tools you need to be familiar with to pass this exam are:

  • Azure Portal
  • Azure CLI
  • Azure PowerShell
  • Azure Cloud Shell
  • Azure Mobile Apps (download the app for IOS or Android, so you can access Azure from your smartphone)
  • ARM Templates (automate and simplify Azure resources)

2. Cloud Concepts

The 7 main concepts using when working in the Cloud are:

  1. High Availability; means the systems are always available, even automatically; this is achieve by using different datacenters in Azure
  2. Reliability; describes how Azure can tolerate failures or even disasters
  3. Scalability; refers to scaling out or scaling up while automatically providing resources as needed
  4. Predictability; is knowing your application will always perform as expected and knowing what it will cost
  5. Security; is having full control of your cloud security posture
  6. Governance; is standardising cloud deployments to meet requirements and company standards
  7. Manageability; is management of cloud resources and how we interact with them

The National Institute for Standards in Technology (NIST) defines Cloud Computing as having the characteristics of pay-per-use, resource pooling, rapid elasticity of resources and on-demand self-service. There are basically 3 types of Delivery Models of the Cloud, as follows, and your company may need one, two or all three models implemented, it depends:

  1. IaaS: Infrastructure as a Service (datacenters); you move virtualisation, servers, storage and networking to the Cloud. This is the most flexible way of using the Cloud but you still need someone to look after the Firewalls, networking and Operating Systems. A larger provider of this is Amazon Web Services, Microsoft Azure and Google Cloud Platform
  2. PaaS: deploy applications on the cloud; Platform as a Service (web browsers), focused on developers where you only have to worry for your apps. PaaS lies on IaaS to work, and with PaaS you don't have to worry about the OS,windows updates, IIS configuration, networking, storage, etc. A large provider of this is Google App Engine, AWS's Elastic Beanstalk or some part of Azure too. For example, with PaaS you can use Azure SQL instead of a VM with your SQL. PaaS includes Middleware, which is software that lies in between your apps and the OSs. You can get lots of middleware apps from the Azure Marketplace, all of them built to save you time. You can find the Azure Maketplace on this link: https://azuremarketplace.microsoft.com/en-us/marketplace/ Azure Marketplace offer less maintenance than creating your own service or application from scratch
  3. SaaS; run applications on the cloud; Software as a Service, the most popular way of using the Cloud, with this method the client just uses a cloud-based app something like email, office 365 or storage (dropbox, oneDrive, box.com, etc). A large provider of this is Salesforce, providing cheaper ways to consume enterprises applications such as CRM and ERP, also consider Google Apps for Work (automation on demand) and Microsoft 365 (office over the open Internet). Other software solutions like Finance and expense tracking, email or ticketing systems use SaaS

IaaS PaaS SaaS

Depending on the Model used above (IaaS, PaaS or SaaS), the Shared Responsibility Model will also change, thouh at all time you are responsibly for your data and accounts

Azure Customer Responsabilities

Azure Provider Responsabilities

In addition to these 3 main cloud-model, there are also these specific ones like:

  • DSaaS; Data Science as a Service outsources the delivery of data that is gathered via progressive analytics applications
  • NaaS; Network as a Service outsources services for network transport connectivity such as routers and subnets

Economy of Scale: you can buy one apple for £1, but if you buy 100 apples all at once, each apple might cost you just 10 pence each. Rocket Science ah? :) And this Economy of Scale can be apply to these two things;

  • CapEX (Capital Expenditure); you spent money upfront as a one time purchase for hardware, e.g. you buy a laptop. Problem is the value of the item will go down with time
  • OpEx (Operational Expenditure); you go a subscribe to a payment plan with Apple, and eery month to pay and always have the latest phone in the market. This is a more agile approach, and can be described as the ongoing cost needed to run your business

Cloud Architecture Model (Deployment Models of the Cloud,) you can implement the Cloud in your company in basically 3 ways, but of course you have to UNDERSTAND the workloads first before suggesting anything

Public; (elastic scaling) everything is at the provider's end, you put all your VMs on Azure and that's it, gives you Scalability/Agility, pay-as-you-go, some of your VMs could be running very security sensitive-data, so you might prefer to have them in-house. This model provides the best security

  • Agility is the capacity to react quickly, providing on-demand services in minutes without manual intervention
  • Elasticity, is a feature that increases or decreases resources automatically
  • Scalability also increases or decreases resources, but this is done manually

Private; (more secure) it behaves like a public cloud but the company owns all the infrastructure, is like having VMware vSphere where you own all the kit and your provide cloud services to your company. Government entities will do that, for example. This method provides no scalability and also you need to provide the IT personnel to support this

Hybrid; (seamless, of the two above)  this is mixed of the two, with some services running on a private datacenter (running Hyper-V or VMware vSphere) and others in the public cloud (Azure or AWS). Note that connecting your private cloud to your public cloud could be a complex task and requires skilled IT personnel (like us :)) This model can be the best of all models, but it incurs in lots of complexity to setup

  • AD Connect Tool; integrates your local AD to Azure, syhn users groups and computers and providing SSO and ADFS, thus making you a hybrid mutant, and allowing your users to access both your on-prem and cloud resources

 

3. Azure Architecture

Azure Regions: be mindful, you don't want to deploy your IIS server in Europe if your main customers are based in South-East-Asia (SEA). For logistical purposes, Azure geographical areas may contain one or more regions. To minimize latency, you want a datacenter that is on the closest region where you are. Price varies from Region to Region, as well as features. Azure Region is a set of datacenters that are close enough to each other that it doesn't matter which datacenter your data is in

Regions Pairs; each Region is pair with another Region (except Brazil South), two regions that are at least 300 miles from one to another (within the same geography area) where one region kind of functions as the backup of the other. When doing planned updates, only one Region in the pair is updated at any one time

Availability Zones; they are physically isolated datacenters; if you create 2 x VMs (master & replica) and put them on the same region, the replica will go to an availability zone, physically away from the production area. Availability Zone is within a Region, and each zone has its own separated power, cooling and networking

Resource Group; Everything in Azure is inside a Resource Group, no exceptions, but note that the Resource Group itself is not a resource, they help structure your Azure architecture. They are use to logically group your stuff, the items in a Resource Group can expand different regions. Note that one resource can only be part of a Resource Group. The "Locks" option prevents you form accidentally deleting a resource group, you can also "lock" a VM to prevent deletion

new-azresourcegroup -name NazaudyRG -location 'East US 2'

When you delete a resources group, Resource Manager uses this criteria to execute your deletion command:

  • All nested child resources are deleted first
  • All resources that manage other resources (indicated by the property managedBy on the managed resource) are deleted next
  • The remaining resources are deleted next, without following any chronological order
  • Resource Manager will continue trying the DELETE call every 15' when a resource respond with an error status 408, 428 or 5xx

Azure Resource Manager (ARM); when interacting with resources you are interacting with ARM, whether you go with the web, PowerCLI, etc, so basically ARM is the key component of Azure Portal itself, the core engine. All interaction with Azure resources go through the ARM

ARM Templates; let's say you create a resource for your website, which obviously will contain 2 x VMS (web end + database) in addition to network connections, virtual IPs, storage, etc. You can save this resource creation as an ARM Template, which will be saved on a JSON file, in case you want to deploy the same solution again in the future

Tags; it allows you greater customisation to group your resources

Availability Sets; they are logical groups of 2 or more VMs that ensure you remain up and running during plan (or unplanned) periods, basically it puts the VMs on different rack servers if they fall on the same datacenter. Note that you can only mark a VM with High Availability at its creating point, once it is created you'd need to delete it if you want it to be part of an availability set. If you forget to put your infrastructure on an availability set, it is possible that all of it could be restarted at once, when Azure does update of the datacenter where all your VMs are, therefore it is advisable to configure the "Availability set" at the time of create VMs to ensure you have a high SLA. When you create an availability set, each VM in the set is assigned a fault domain and an updated domain; you can configured each availability set with up to 3 fault domains and 20 update domains

 

4. Azure Infrastructure

This section covers Compute, Networking, Storage and Database

Compute

Creating a VM: A virtual machine in Azure is your machine exclusively. Virtual machines are an IaaS offering, where you are responsible for the entire virtual machine. Using the Azure portal gets the clicks >>> the API chats to the Orchestrator >>> the Orchestrator send the inputs to the Fabric Controllers >>> and they push the info to the rack servers, where your VM is then created. Azure Virtual Machines take advantage of Azure tools

new-azvm -name VM1 -resourcegroup NazaudyRG -location 'East US 2'-image CentOS -size "Standards_bits" -credential $credential

Scale-Sets; manage a group of identical, load-balanced VMs, where you can create a rule by which if a VM CPU's hits over 70% Azure can automatically create another VM, and another VM to deal with the load. Scale Sets should be deployed on multiple or separated datacenters to ensure web applications are available if a single datacenter fails, obvioulsy they are created with VMs of the same OS image and configuration, and basically the Scale Set increase or decrease the number of instances depending on the demand

az vmss crete --help
#vmss stands for Virtual Machine Scale Set

Azure Spot VM; allows you to take advantage of unused capacity at Azure at a lower cost, but your VM can be evicted with only 30 seconds notice. VMs can be evicted based on capacity or the configured maximum price

Infrastructure as Code (IaC); enforces consistency with code development, IaC uses automated configuration that stress consistency by having well documented code that represent desired environment states

Containers in Azure: if you put your application inside a container together with all the dependencies, it should run on any machine. Containers are an important part of modern computing. Container in Azure can be used in 2 ways

  • ACI (Azure Container Instances) is a PaaS so you don't have to worry about the underlining OS or infrastructure, this is for small deployments with one a few containers; with ACI the billing is per-second but you only pay when running the container
  • AKS (Azure Kunernetes Services), Kubernetes sometimes is pronounces "K8s" and in means 'governor' or 'captain' in Greek language. Kubernetes is an open-source (code is available to the public) container orchestration system (keep track of lots of parts of the system), automatic deployment, scaling and management. Kubernetes allows you to replicate containers architectures, is a way to orchestrate your containers, enabling communication through APIs from one container to another. This is what to use if you have lots of containers

Docker is a way of creating containers (an easy way), visit https://hub.docker.com/ to download images to create containers

Azure Container Instances vs Azure Kubernetes Services

Azure Container Registry; this service keep track of current valid container images, managing the associated files and being a repository of images from where containers and Kubernetes are created

Azure Functions; this is the serverless solution, code with servers for developers, is the smallest compute service on Azure and can be called or invoked via a standard web address. Azure Functions runs once and then stops. We have these flavours of serverless Azure Functions, note that of course there is always a server behind, but Azure uses the word "serverless" to emphasise that you don't manage any aspect of the server in the background

  • Golden Oldie; the first serverless service on Azure, they are the smallest compute system in Azure
  • Event Grid; is a term in Azure that tells an application when something has happened
  • Azure Event Grid; is a serverless routing service for sending and receiving events between applications

Azure Logic Apps; server-less workflows for those who don't know how to code but want results

Azure App Services; is a PaaS offering from Azure where you can deploy Web Apps, API Apps, Web Jobs, Mobile Apps, etc without of course worrying about the infrastructure. Swagger is a standard for designing APIs https://swagger.io/ There are fundamentally 3 types of apps offering in the App Services of Azure:

  • Web Apps: use to host web site and web applications
  • Web Apps containers; all the dependencies and code are inside the containers
  • API apps; is an application programming interface without any GUI, they can be created using a wide range of programming languages

AKS Cluster; A Pod is a group of one or more containers, where K8s can provisioning pods once the load increases

Azure Virtual Desktop; this comes with different benefits like reuse of Windows 10 license

 

Networking

Azure Vnet; that is the name of a network in Azure, Vnet. A virtual network is bound to one region only, meaning that every resource associated to the Vnet must be in the same region too. To see your networks nicely, visit Virtual Networks >> your vnet >> Diagram. You can essentially peer Vnet using a local balancer or using a VPN gateway to increase availability

VPN Gateway; they are instrumental in a hybrid cloud architecture, and is the way you connect your Azure VMs to your on-prem VMs, the link is encrypted and, like all VPNs, occur across a public connection

Load Balancer; distributes new inbound flow (traffic from web or local network) that arrives on the Load Balancer front's end and send it to the backend VMs according to rules and health probes that redirect the traffic according to IP and/or port number

Application Gateway; AG is a higher level of load balancer, if you want to re-direct traffic using attributes other than IP or port numbers, use an application balancer. The traffic can be specific routed using header. Application Gateway span multiple availability zones and improve fault resiliency. Application Gateway provides load-balancing for web services, in particular URL routing, and also includes a Firewall called WAF (Web Application Firewall). Application Gateway offload CPU intensive SSL (known as SSL offload or SSL bridging) and provides Layer 7 routing capabilities, including:

  • round-robin distribution of incoming traffic
  • cookie-bases session affinity
  • URL path-based routing
  • ability to host multimple websites behind a single application gateway

Content Delivery Network (CDN), it provides a "cache" (not a full replication) that is distributed as close to your customers as possible to reduce latency; this method would be cheaper. CDN places caches of your data on other datacenter physically closer to the customer's location for speed access.

Express Route; is a private network inside Azure with low latency and high bandwidth connection, it establishes connections to Microsoft Cloud Services (like Azure, O365, CRM Online, etc). ExpressRoute connections are more secure and reliable than VPN-based solutions, and the connectivity can be:

  • point-to-point (Ethernet network)
  • any-to-any (IP VPN network)
  • virtual cross connections through a connectivity provider at a co-location facility

 

Storage

Using the right storage for your Azure solution is critical. In Azure the "storage account" is unique in the whole of Azure, being an object with its own web address, like for example: nazaudy.storage-type.core.windows.net.

Blob; stands for Binary Large Object, the data is stored in containers into the storage account, you can store files of any type like images, videos to be streamed, logs, backups. The pricing tiers of Blob can be Hot (lower access time but high cost), Cool (same as hot but data remains here for only 30 days) and Archive (the cheapest but the highest access time). Blob is organised in 3 types:

  1. Blob Block; store text and binary data up to 4.7 TB, and is made up of individually managed blocks of data
  2. Blob Append; like above but are optimised for data that is appended like data coming from VMs
  3. Page Blob; store files up to 8TB, and this emulate the hold typical hard drive

Azure Premium Data Storage.jpg

You create a Storage Account first, then a Container within the Storage Account, and then a Blob inside the container

Data Redundancy; in Azure you have a minimum of 3 copies, this is an automatic process invisible to the en end users. You can improve this is you like and provide a higher data redundancy by choosing options like below; all of them including 3 copies per region, meaning that if you choose multi-region you will have 6 copies of the data, 3 in the primary zone and 3 in the secondary zone:

  • Locally Redundant Storage (LRS); use a single-region and a single datacenter. Premium data storage Page Blob only supports LRS
  • Zone-Redundant Storage (ZRS); uses a single-region, meaning that there is no geographical protection, but the data is stored on more than one datacenter
  • Geo-Redundant Storage (GRS); is multi-region, having 3 copies in 2 different regions; in this scenario multiple nodes contain stored data, these nodes are in separate geographical locations and the data is read from both locations
    • Read-Access Geo-Redundant Storage (RA-GRS); this option works as a failover, where data is available to read on the secondary location only is the primary fail
  • Geo-Zone Redundant Storage (GZRS); is multi-region too, providing the maximum redundancy by having 3 copies in different zones in the primary region

Azure Replication Strategy

Tools for moving data: Azure comes with different way to moving data across your Azure VMS, like AZCopy (command-line utility), Azure Storage Explorer (GUI tool which you can download on your own computer) and Azure File Sync (sync files between Azure and on-prem file serves, handy for disaster scenarios where you want to use your data on the cloud just in case). For large scale migration with lots of data to migrate, you can use:

  • Azure Data Box; in case you have slow bandwidth, the data is transfer to a box, and then from the box to your Storage Account or viceversa; Azure Data Box is best suited to transfer data larger than 40TB
  • Azure Migrate; to migrate on-prem application to the cloud like VMs, Database or your whole local datacenter

Databases

"If you DATA doesn't exists in 3 different places, it really doesn't exist" Networkchuck. Azure supports 3 types of data structure:

  1. Structured data, relational databases
  2. Semi-structure data, non-relational databases, non-sql where data is organised in tags and is all over the place
  3. Unstructured data, everything else, video files, etc

If you have all your data on-premisses, then all the security is on-you, you got to look after entrance, security door, CCTV, physical servers, etc. When you use Azure as IaaS you still have to worry about the security of the OS, networking, etc but not physical any-more, as Azure will look after that for you. With PaaS you still have to worry who can access that, while with SaaS all the security lies on Microsoft Azure, you deal plainly with the simple access, no "share responsibility" whatsoever

Cosmos DB; to create non-sql databases for modern app development with integration with open-source APIs, MongoDB and Cassandra; Cosmos DB is an example of PaaS. https://azure.microsoft.com/en-gb/services/cosmos-db/ Cosmos DB make it easy to expand your data to other regions; Cosmos DB provide single digit milliseconds of latency across the world, providing infinite number of users. The big pitfall of Cosmos DB is....its price of course!

Cosmos DB is a non-relational database, where data is stored in files

Azure SQL; for structured data databaes (sql), allows you to move your SQL data to the cloud. Azure SQL is use to manage Azure itself. Azure SQL suports up to 100 TB database in size. Azure SQL is composed of two components:

  • Azure SQL Database, it most like the traditional SQL database
  • Azure SQL Managed Instance; it meant to bridge the gap and help migrate on-prem DB to Azure

Here we got the main differences in between the two:

Azu SQL databases

MySQL and PostgreSQL; open source databases, they are relational databases (built on relationship between tables), their format is also supported in Azure. MySQL use cases are web applications, e-commerce, mobile apps, digital marketing, finance management and gaming that must have low latency among others. PostgreSQL is default DB for macOS, and some of the features it has are: extensions, horizontal scaling without impact on performance and fully managed like automated backup and patching. Governments, Financials and Manufacturing use PostgreSQL a lot due to its features

 

5. Authentication and Authorisation

Azure Active Directory; not that the classic AD is not the same as Azure AD, this is Identity as a service, it allows you to authenticate your own AD with the management accounts of Azure, you can access only the users portal using this link: https://aad.portal.azure.com

Applications that do not use OAuth 2.0 are not able to authenticate to Azure Directory properly

Azure AD Connect; it syncs the on-prem AD with the Azure AD

Microsoft Entra ID (formaly known as Azure AD Service (AAD); you can't have an Azure account without an ADD service, every Azure account needs a first user and this user is the initial ADD instance. A "tenant" represent an organisation in Azure Multiple subscriptions can be associated to a single tenant. Every Azure account will have an Azure AD service. A user can be a member of up to 500 tenants

  • Microsoft Entra Identity Privileage Manager (PIM) assign privileages access to a resource thus reducing the change of a malicious actor getting access or an unauthorised user inadvertibly impacing a sensitive resource

Azure Active Directory Domain Services (Azure AD DS); AD DS is a fully managed service, no need to configure any OS, though behind the screen there are 2 x DC for high availability. For AD DS you need to create a unique namespace/domain name (for example adds-nazaudy.com) totally separated from your internal domain name, and there is only one-way sync with Azure AD

Azure AD DS

Zero Trust Security Model; whether inside or outside the security boundary network, all users are assumed to be untrustworthy unless proven otherwise; your identity is the key to access the resources without the location (inside or outside building, the VPN, etc) like on the traditional model

Multi-factor authentication; no excuses, 2FA is a must to access any resource now, authenticate using your phone, fob, face, finger print, etc. MFA uses something you know (username+password) plus something you have (phone, fob, biometrics, etc).  MFA; Multi Factor Authentication uses more than one thing to authenticate you. For the Azure account that manages Azure MFA is free of charge, but for everybody else... guess what, buy a licence

  • Something you know, like a password or security question
  • Something you posses, like your phone or an app on your phone
  • Something you are, like finger print of facial recognition

Conditional Access Policies; they are "if" and "then" policies (access lists) in order to gain access to resources, you can do stuff like block sign-ins using legacy authentication protocols, grant access only from specific location, enforce MFA, etc

Passwordless Authentication; MFA is more secure but obviously is less convenient, with passwordless authentication you use the Microsoft Authentication App to generate an enter a code that is used as a password; FIDO2 Security key is another method, where you enter a USB that is used as a password

Business2business accounts; you can invite external guest to Azure to provide business 2 business collaboration, effectively inviting external users into your internal environment without having to create an internal account for them

Azure Active Directory Seamless Single Sign-On; this is SSO for Azure

 

6. Azure Solutions

There are tons and tons of solutions in Azure, like for example:

IoT Central Hub;  Internet of Things, provides data for millions of sensors. Internet Of Things Central is a software-as-a-service solution that provide all pre-made components that you need

Azure Sphere; An all-in-one solution for IoT devices on Azure

Data Lake Analytics; where a data lake is a very large body of data; collecting data is easy, just storing it, but make sense of it and meaning is different, hence the following tools to extract meaning from the data from a business value: Data Lake Analytics, HDInsights (open sources supported)

Azure Databricks is an Apache spark-base analytics service; Apache Spark is a distributed cluster-computing framework; Databricks provides all the computer power

Azure Synapse Analytics (used to be called Azure SQL Data Warehouse), is used for reporting and data analysis, uses the Synapse SQL Language to manipulate the data in any way you need. The old Azure SQL Data Warehouse works with PowerBI

Machine Learning; this is the AI (Artificial Intelligence) of Azure where we allow the machines to take decisions for us. A model is a set of rules of how to use the data provided, the model finds patters based on the rules. Knowledge Mining use Azure Search to find existing insights in your data like file relationship, geography connections and more. The main tool for use machine learning in Azure is Machine Learning Studio, a pre-made modules for your project. The Machine Learning Service is a end-to-end service that uses AI almost anywhere in Azure; AI is about better products and better customer services

Azure Boot Service; this is machine learning Azure PaSS offering that lets you build boots for Q&A services, virtual assistants and more

Azure Cognitive Services; they provide vision to recognise images, decision to detect IoT anomalies and leverage data analytics and automatic speech-to-text transcription, for speaker identification and verification

DevOps; devops is the work between the development and the production of an app, code or feature. DevOps is about how developers, engineers and SysAdmins organise themselves and work as a team to deliver better products faster, and on that line Azure DevOps comes to helps with the following services

  • Azure Boards (loved by project managers) that helps keep track of work tasks, timelines, issues, planning and much more
  • Azure Pipelines; produce and test your software automatically and continuously
  • Azure Repos; store the code for your application
  • Azure Test Plans; design tests of application to implement automatically
  • Azure Artifacts; share applications and code libraries with other teams inside and outside your organisation

Azure DevTest Labs; it focuses on the environment to test and deploy the app, it allows you to track cost on VM resources, putting caps on the labs, as well as given you the option to create base Azure VM images and use Azure Resource Management (ARM) templates to quickly create new labs or modify existing ones

GitHub; is a code repository service for lots of big and small projects, it was bought by Microsoft in 2018; GitHub is well known for hosting open-source communities, being Microsoft one of its biggest users

GitHub Actions; is very similar to Azure pipeline, in which it is use to build, test and publish code

Hands-on with AI: use this Microsoft AI link to find out what AI can do for you: https://aidemos.microsoft.com/

The official link of Azure services when doing Microsoft free training is linked here:

Azure Site Recovery; keeps corporate workloads and apps up and running when planned and unplanned outages occur; ASR helps orchestrate replication, failover and recovery of workloads an apps so that they are available in a secondary location if the primary one fails

Azure Goverment; 

 

7. Security

Defense in Depth; having a single security measure is....never enough! On chess, not only the queen defense the king, but also the pawns, bishop, knight, etc. The same thing goes for Azure and on-prem, you need to build up several layers of defense, these layers are: Physical >> Identity and Access >> Perimiter >> Network >> Compute  (databases) >> Gateways and Firewall >> Data (ensure it is encrypted)

DDoS Protection Service; in 2012 60GB of traffic per seconds was sent on a DDoS attack in 6 banks, CloudFlare had similar attack in 2014 with 400GB of traffic per second, and GitHub suffered the same in 2018 with 1.35TB a second. The Distributed (meaning it comes from different sources) Denial of Service (DDoS) attack is the most fearful attack to suffer on the web

Network Security Group (NSG); are personal resource firewall that attach to virtual network, subnet or network interface. An extension of NGS ia an Application Security Group that focus on securing an application rather than an IP endpoint

Private Endpoints; they are publicly reachable PaaS services, a good example of this is an Azure Storage (public endpoint) that is accessible your your on-prem VM, in order to secure this endpoints we use these methods:

Service Endpoint; you connect to the resource via the Azure subnet, Microsoft private backbone, hence not going through the public Internet, in other words, you privately connect VNet subnet to Azure PaaS services. The limitation of Service Endpoints is that it secures only VNet Azure access (not on-prem, meaning that on-prem must still use access over a Public IP), and its settings apply to the entire VNet and not to a single storage account if we need

Private Endpoint; acts as a managed network interface and is "better" than service endpoint

Microsoft Defender for Cloud; a console where you get alerts, policy and compliance metrics, secure scores to visualise the strength of your security, etc. This console integrates with other cloud provides (but for that Azure Arc is required). To setup Defender for Cloud you need to define your policies, protect resources and response to any security alerts if any. The word "hygiene" is used in this context to tag the security weakness and best practices of the resources

Microsoft Defender for Identity (formerly known as Advanced Treat Protection - ATP); a cloud-based security solution that identifies and detect compromised systems and identities as well as malicious insider actions. This solution is locate in https://portal.atp.azure.com/ and to access it you need to be a member of Microsoft Defender for Identity, the Azure AD security group. This contain an ATP Sensor that you install on your ADs and then send the data back to the ATP Portal, from where you can analyse al the security events. Microsoft Defender for Identity monitor users, create a baseline behaviour for them and suggest changes to conform with security best practices in order to reduce risks

Cyber-Attack Kill Chain; is a methodology used by hackers that follow: reconnaissance (search for IPs, info, etc), Brute Force and increasing Privileges

Azure Key Vault; this is a centralised cloud service where you lock your private keys, your passwords, certificates, tokens, API keys, etc. These are the two main ways to encrypt data on Azure:

  • Storage Service Encryption (SSE), it encrypts the data before it is stored and decrypts it before it is retrieved, meaning that it is transparent to you; it is automatic and enabled by default on Blob, Managed disks, Queue storage and Azure Files
  • Client-side Encryption; the data is already encrypts it by the client before Azure access it, this method implies that you store your private key on the Azure Key Vault

Azure Information Protection (AIP); companies need to share documents, emails and data outside of the company network. AIP is used to protect files that are transfer between companies

Azure Sentinel; is a security information and event management (SIEM) tool, that works by first collect the data from services (logs, dns, etc), then aggregation and normalisation of that data, and finally analysis and treat detection upon which actions can be taken. Some of the benefits and features of Azure Sentinel are: behavioural analytics, AWS integration and cloud scale meaning large companies use it

Azure Dedicated Host; in case you need to compliance with your company and run some VMs with specific hardware, etc, you can use Azure Dedicated Hosts, meaning you get control of the entire physical server on Azure without any other 'foreign' VMs but yours running on that host. The only issue with this is that, of course, it is expensive to provide hardware isolation at the physical level

 

8. Monitoring and Management

Governance; set of policies to ensure the Azure resources compliant with the policies, the example is a rocket launcher where sysadmin, devops, engineers, etc, all working together towards a goal guided by the Governance instead of each individual or group doing whatever they want

Cloud Adoption Framework; is use by the Governance to make a smooth transaction to the cloud

RBAC (Role-Based Access Control); this is just like the access list in NFTS, give the bare minimum permission that you an get away with. RBAC is the area where you configure the set of permissions and roles that users can be be a member of to access Azure Services. Privilege Identity Manager (PIM), is an add-on to RBAC and paid-for offering that makes sure of all the roles ensuring they are all correct

Locks; they can de assigned to a subscription, resource group or resources

Azure blueprints; are templates where you can find rules and regulations, policies and sample of common regulations and highlights,; the blueprint templates are for creating standard Azure environments. Blueprints; a repeatable set of Azure resources that adhere to standard set of requirements, they are like ARM Templates but also including RBAC roles, policies, resources groups, etc, things that ARM Template can do. Blueprints basically put the creation of a new company in a JSON file, while ARM Templates puts the infrastructure on a JSON

Azure Advisor; Azure Advisor for Security Assassinate is part of the Security Center. Azure Advisor Score is a sub-feature of Azure Advisor that help users asses how well they are following the guidelines of Azure Advisor

Azure Monitor; collect and analyse the health of your resources based on telemetry (events), you can also send to "Monitor" your data from the on-prem infrastructure as well as from other cloud-services like AWS. VM telemetry (data of sensors) is feed constantly into Azure Monitor, even on-prem VMs can be configure to send their telemetry data to Azure Monitor with the goal of maximise performance, maximise availability and identify issues

Application Insights;  this is a feature inside Azure Monitor that gives you performance metrics, potential bottlenecks and more for your web base applications only; you can use this for app services in non-Azure resources also, in other words for web apps not hosted in Azure. Application Insights typical scenarios are to find performance bottlenecks in the web application, to discover how users are using the website and to detect performance anomalies automatically

Azure Monitor Alerts; give you notifications of misbehaving of your VMs (unresponsive, high cpu usage, application latency over 500ms, etc). Your first create an alert rule with the condition and then specify the severity you wish, 1 for error, 2 for warning and 3 for informational. An email can be sent to a group using Azure Monitor and action can be configure for automation like triggering workflows depending on the condition of the rule, etc

Log Analytics; stores and queries the data to gain valuable insights, like VM disk size, VPN connection logs, long term analysis. You can create queries using the Kusto Query Language (KQL) to ask the logs or choose some of the pre-built queries, this is similar to SQL queries; you can also combine metrics for complex queries. Azure Log Analytics can collect data from on-prem and store it on a single workspace

Azure Service Health; a tool to check how healthy Azure is and to see a history of previously incidents or downtimes of Azure, of course most of the time it would be working just fine, like on this screenshot:

Lab Setup for Microsoft Exam Azure AZ-900

Azure Service Health is a free service that you should use with any resource that you create; it will send Custom Alerts and provide Real-Time Tracking of how the issue is being solved as well as a Report of the root cause once all is up and running again

Compliance; companies in EU must comply with GDPR and other IT regulations

  • General Data Protection Regulation (GDPR) main objective is to protect the individual by given them control of the personal data, instead of the company owning it; companies need to provide tools in place for the customer to control its own data
  • ISO Standard; is an organization that creates different International Standard for Organisation (ISO) to normalise quality control and satisfaction. The most common ISO is 9001:2008
  • NIST: National Institute of Standard and Technology focuses purely in providing compliance for Federal US Regulations

Azure Compliance Manager; it gives you recommendation for ensuring compliance with GDPR, ISO, NIST and others. This extension comes with a Secure Storage area where you can upload secure documents for compliance if needed. The Azure Government Cloud is an area of the US government that ensure its datacenter and compliance with US federal laws. If you want to use Azure in China, you have to use the The China Region, which ensure it complies with China's laws and applicable legislation, where all data and datacenters are within China

Azure Trust Center; a gigantic resource or hub of information to prove that you can trust Microsoft with your infrastructure and data https://www.microsoft.com/en-gb/trust-center ; not that Azure is K-ISMS certified, a certification designed to ensure the security and privacy of data in the Korean region. Azure Trust Center is built on four foundational principles of trust:

  1. Security; keep customer's data secure
  2. Privacy; how customers are in control of their data
  3. Compliance; comprehensive list of compliance offerings and solutions
  4. Transparency; being transparent about how Microsoft users customer's data

Service Trust Portal; another portal from Microsoft to show you how good they are at keeping, auditing your data, it this contains a tool called "Compliance Management" that tell you if you're compliance with standards and data regulations: https://servicetrust.microsoft.com/ComplianceManager/V3  They audit their own performance and tell you that Azure complies with more standards than any other cloud provider

Azure Arc; it provides a centralised governance and management of the resources (Azure, on-prem, AWS, etc) into a single location as to reduce the management overhead; it manages azure and non-azure resources as if they were in Azure

 

9. Pricing

Subscriptions: This is the core heart of Azure, subscriptions: nothing works without a subscription. Every single resource in Azure must belong to a subscription, they are billing entities. Any Azure account can have multiple subscriptions, useful when some departments within an organisation pay for what they consume. The Billing Admin role manages the subscriptions in Azure, the payments are made within 30 to 90 days. This is what happens when you add a subscription to a Microsoft Entra ID tenant:

  • Users with RBAC role lose their access
  • Service administrators and co-administrator lose their access
  • Existing key vaults are inaccessible until the key vault tenant ID is changed
  • Managed Identities for resources such a Virtual Machines or Logic Apps must be re-enable or re-created
  • The registered Azure Stack must be re-registered after adding a subscription to an AD tenant.

Groups Subscriptions; good to have when you have many subscriptions, you can group them in groups

Cost Analysis: use the Cost Alerts option too, to send alerts. You can use the "Spot VM Usage", an opportunistic method to save up to 90% of the cost of your VM, by using unused capacity of Azure, but be aware of "not to put any critical production processes on a Spot VM" because Microsoft, at any time, may ask for the processing power back; the VM can be evicted at any time

  • Pricing Factors; calculating the Azure cost of a mature infrastructure is almost impossible, those to be consider are Resource Size, Resource Type, Location and Bandwidth of the Resource
  • Billing Zones; Azure has 3 billing zone; the transfer of data between zones (ingress data-in) is always free, but if your data have to transfer between different billing zones (egress data-out) you got to pay for it
  • Azure has a cost calculator to give you an "estimated", and where you can setup quotes to later export. The TOC can also be calculated

Azure Cost Management; best practice is to use "tags", non-functional label that you attach to a resource or resource group, having as many tags as you like, this helps you identify the roles of the resources; each tag can represent a department or a project, and have a value to it

  • Pay-As-You-Go; is not the cheaper subscription model, paying for month only for what you use; however, it would be cheaper if you can commit to a year of Azure usage
  • Reserve Instances in VM, where you commit for 1 to 3 years, come with a 70% discount, this also applies to Azure SQL (save of 80%), Cosmos DB (65%), Synapse Analytics (65%) and Redis Cache (save up to 55%). You can cancel your subscription at any time
  • Azure Hybrid Benefit; this model allows you to use your existing licensing

Azure costs; the following are tips for managing the costs associated with your Azure subscription

  • Azure costs can be filtered by the tags associated to resources and services
  • Invoice Manager is a role that is available for Cost Managements but for customers with a Microsoft Customer Agreement
  • AWS Cost and Usage report can be integrated with Azure Cost Management to analise the AWS costs in the Azure portal

Advisor; it gives you recommendations to safe money. You can also use the Azure Pricing Calculator to find out what you want: https://azure.microsoft.com/en-gb/pricing/calculator/

 

10. Support

To provide support for Azure, Microsoft offers different plans to which you can subscribe to Microsoft Support plans, which are:

  • Basic; it's free and includes all the free features
  • Developer, Standard, Professional Direct and Premier. All the them can be signed up online except Premier, for which you have to contact Microsoft

All supported plans include "free" features like 24/7 access to billing and subscription support, online self-help, forums to ask other Azure users about issues, Azure Advisor and access to Service Health.

Azure Support Plans

Tickets; A ticket is a support entity with a unique identifier number which is use as a single reference to an issue. You can submit tickets through the Azure portal, and Microsoft will attend your ticket on a time frame that depends on the support level you have

Channels; you can also get support by other different channels like Azure Documentation, Forums as well as Social Media

Knowledge Center; this is the gigantic documentation for Azure, where you can search for solutions (though you cannot ask new questions)

Service Level Agreement; the SLAs for Azure give you confidence that the services will be up and running (uptime and reliability); they are a contact with Microsoft and normally each product has an associated SLA agreement, they can be complex and they are mandatory for every Azure account. While you cannot choose an SLA, you can improve the value of it by purchasing a back of a given VM, etc

Service Lifecycle; in Azure some services or features come first as a "Preview", which can be Private or Public; there after the service/feature goes into "General Availability", which is deployed in a rolling basis

 

 

 

 

 

 

 

 

All the resources of Azure are bound to a subscription, so the credit card associated to the subscription is the one that will get charge. The Pay-as-you-Go payment model (also called "Web Direct") is the starting way to go. The "Usage Meters" of every resource are ones that keep track of your usage, and add to your bill at the end of the month

  • Enterprise Subscription model: you pay directly to Microsoft, most likely annually
  • Cloud Solution Provider; you pay a 3rd party company who in return pay to Microsoft

Even if all your VMs are off, you still will get charge for the space, so be mindful of the VM sizes when creating it

We careful as well of where you place your VM, the running costs of Datacenter regions are different: having a datacenter in south-Europe will cost more than in Iceland, for example, where you pay very little for air cooling

Azure will not charge you for upload (they are already charging for space, anyway), but they indeed will charge you for any bandwidth of data leaving their datacener, for what you download from them https://azure.microsoft.com/en-gb/pricing/details/bandwidth/

Azure Pricing Calculator; find out how much you would pay before moving your stuff to the cloud by using this tool https://azure.microsoft.com/en-gb/pricing/calculator/ 

Total Cost of Ownership; lets you estimate the cost of migrating your workloads to Azure, and any savings that you could make https://azure.microsoft.com/en-gb/pricing/tco/calculator/ 

After you move your servers and workloads to the cloud, you can use these two tools to further optimise the costings, so we don't waste resources:

  • Azure Advisor, also called just "Advisor", it gives you recommendation after a 14-days of usage to see if you actually need to downsize some VMs that were over specs
  • Cost Management and Billing Service

Both of these tools are found on the Azure portal

If you buy Visual Studio you might be entitle to free Azure credit. Spending Limit is when you have spent all your credit and Azure then shuts down all your stuff

SLA; 99.95% (21 minutes downtime a month) is the reality of what you get instead of the advertised 99.999% (down for only 25.9 seconds a month) of availability

Composite SLA; this is when you combine 1 or more SLA that are dependable of one another for a complete solution to run effectively. For example you have a Web Front End VM that needs to run at 99.95 % of the time, and a SQL database the feeds that server that needs to run at 99.99%, we you combine those times for your solution you get a composite SLA: 99.4%

Azure support, these are the different types of support in Azure:

  • Basic; free, you still get support by phone, but this is the only plan in which you cannot open support cases
  • Premier; this plan provides customer specific architectural support such as design reviews, performance tuning, configuration and implementation assistance delivered by Microsoft
  • Professional Direct
  • Standard
  • Developer

 

 

 

 

 

 

Azure Data Lake Storage Gen2; use for Big Data Analytics, you upload your data and then Azure analyses it. This seats on top of Azure Blob service; Data Lake include all of the capabilities required to make it easy for developers, data scientists and analysts to store data of nay size and shape, and at any speed, it works with Power BI too!

Azure Queue; to store a large number of messages, it helps out app to off load messages on their behalf

 

Power Apps, it lets you quickly build business applications with little or no code, allowing organisations to create websites which can be shared with external users through logon providers of their choice like Linkedin, Microsoft Account or other commercial login providers

 

Azure Traffic Manager; allows by the grace of DNS to put your resources as close of your customers as possible, avoiding in that way high latency and providing the best performance, but relies on replication (obviously) and it could expensive that is probably why Azure has an alternative to reduce the latency called CND:

Azure Security Center; it checks that you are doing the things right, monitoring that your settings for security are correct. Azure also uses machine learning to scan your machine for potential malware (Azure Defender) as well for any kind of attacks, if you enable those features ($$), of course

Azure Network Security group is a stateless firewall (analyses only traffic by port) while the Azure Firewall is a stateful firewall (analyses traffic end-to-end)

Azure address machine authentication in two ways:

  • Service Principal, identity used by a service or application, most likely the credentials are stored on the code
  • Managed Identity, a bit more secure as the credentials are automated by Microsoft, all you got to do is just enable/disable the access as needed. No security sensitivity information is stored in any code whatsoever

Azure Disk Encryption (ADE) is for the VMs data disk and that you have to turn it on

Transparent Data Encryption (TDE) is use to back up databases and log files at rest

Just a bit of theory, in IT we have to types of encryption:

  1. Symmetric; uses the same key for encrypt it and decrypt it
  2. Asymmetric; uses different keys, a public to encrypt it and a private key to decrypt the message

Azure Information Protection (AiP), a purchased add-on solution that helps you classify and protect your office documents and emails

Cloud Shell; visit https://shell.azure.com or click the PS icon on the top-right corner of the Azure Portal to start Powershell (if you're using Windows) or Bash (if you prefer a Linux environment). The 1st time you're trying to open Cloud Shell, it will ask you to create storage, I'm afraid there is no escape and you have to create it, check here the pricing list for this storage:

You can also have Cloud Powershell on you phone too!!! (Azure mobile app), fire up some VMs while you queue up for a coffee

Azure CLI; Microsoft developed this as a transition between Powershell and the portal. You use the Cloud Shell window to run Azure CLI commands, all CLI commands start with "az" , you can install it on macOS, Linux and Windows for automation of tasks. Azure CLI is definitely the way to go when working with Azure because is stable, its commands don't change, the CLI commands are structured in a way that is logical and is Cross Platform (you can use it in Linux), it provides Automation and Logging, so Go Azure CLI!

az (focus) xxx (group) xxx (subgroup) xxx (base comannd) --xxx (required arguments)
                                                         --xxx (optional arguments)
                                                         --xxx (global arguments) 
az vm -h #calls for help to see what you can do with the group "vm"
az vm create -h #again, the -h will shows you the options for the "create" subgroup
az vm create --resource-group myRG --name myVM01 --image ubuntuOS --generate-ssh-keys
az vm show
az vm list
az vm deallocate --name VM01 -g myRG

For learning Azure CLI quickly, use it in "interactive" mode so that it will give you the options for you to easily choose

az interactive
az configure --defaults
#you can configure the shell to use default VMs, groups, etc to work with while commanding

Some handy Azure powershell commands:

  • Get-CloudDrive
  • Get-AzResourceGroup | Format-Table
  • Invoke-WebRequest -Uri "https://raw.githubusercontent.com/BrentenDovey-ACG/AZ-104_Azure_Administrator/master/cleanerScript.ps1" -OutFile ~/cleanerScript.ps1 #THIS WILL DOWNLOAD A SCRIPT FROM GITHUB THAT YOU CAN USE TO CLEAN YOUR ENVIRONMENT
    • code cleanerscript1.ps #TO OPEN THE SCRIPT, like on the Linux text editor "vi"

 

Azure Batch; is like scale sets but on steroids, where you can deploy hundred or thousand of computer

Azure Policy; a service in Azure where you can define, assign and manage standard for the usage of resources in your environment, this is where you'll  go if you want to allow let's say the Engineers team to have the ability to create their own VMs, with limitations. You can create policies to force the version of Windows to use, if https will be enforced, etc

  1. Policy Definition, is the first thing you need to create, it defines the action to take, which could be deny, disable, append, audit, deploy, etc. The Policy Definition is on JSON format
  2. Policy Assignment, you assign the Policy Definition to create a scope, you can assign to a subscription, resource or group

Initiative Definition; a group of policies definitions that can be assign to a resource or scope, with Initiative Definition you have many policies but only do an assignment, thus saving time and reducing management complexity

Azure AD Join and Azure AD Domain Services allows you to join to Azure AD both computers and applications. To manage devices in Azure AD Join you use Microsoft InTune or other MDM solutions

Azure AD B2B; Business to Business, allows you to share you Azure resources with another company Azure's stuff, this is like AD Federation services and Domains and Trusts

Azure AD B2C; Business to Customers, allows you to share your Azure resources with customers on different organisations

Management Groups; is a layer on top of subscriptions where you can managed them if you have more than one

References