Lab Setup for Microsoft Exam Azure AZ-900
In this article I explore how to do a lab setup for Microsoft Exam Azure AZ-900, so you can do some testing before taking the actual AZ-900 exam. I didn't have any Azure certification, and though I have quite a few Microsoft "flat-operating-system" certifications, plus Cisco and VMware certifications, and of course all the years of actual experience with these products in production environments, I never underestimate the importance of any other certification, no matter how "small" or "insignificant" it may appear to the market; for sure you always learn something new during the course of any exam taken
So, let's go and get Microsoft Azure Fundamentals certified. The topics for Exam AZ-900: Microsoft Azure Fundamentals can be found here: https://docs.microsoft.com/en-us/learn/certifications/exams/az-900 . These topics were last updated by Microsoft on 28th October 2022, and that update is the one used in this article
The Cloud could be described simply as using somebody else's CPU and memory, basically somebody else's computer. Just so we understand the concept, let me share this video with you. It is an ancient video relating to a VMware product, but to me it clearly demonstrates what cloud computing (call it Azure, VMware or Google Cloud) can do for you, and how flexible "borrowing" resources from the Cloud can be for your business:
These are the contents of this article:
- Azure - starting up
- Cloud Concepts
- Azure Architecture
- Azure Infrastructure
- Compute, Networking, Storage and Database
- Authentication and Authorisation
- Azure Solutions
- Security
- Monitoring and Management
- Core solutions and management tools on Azure
- Cloud Shell, Azure CLI
- General security and network security features
- Identity, Governance, privacy and compliance features
- Cost management and Service Level Agreements
Start by registering your email account with Microsoft, if you haven't already done so, then use it to sign up at the Azure Portal here: https://azure.microsoft.com/en-gb/free/ You'll get lots of things with this new account, and it is absolutely perfect for exploring Azure and doing some testing without messing up your production environment
During the setup process you will need to verify your account by entering your mobile number (notice that VoIP phone numbers are not allowed, for some silly reason) and a valid credit card number. There is no way to avoid this, so just do it! Unfortunately, you only get one month to test Azure; after that you'll get the "not eligible" message if you try to register again with another account
Even if you sign up with a different credit card number, Microsoft Azure won't allow you to "cheat" and duplicate the account, so basically you only have one flipping month to use the free service. Be wise and use it just to prepare for this exam! You can create multiple subscriptions in a single Azure Active Directory tenant
The main topics for the AZ-900 exams are:
- Cloud Concepts
- Azure Architecture
- Compute
- Networking
- Storage
- Database
- Authentication and Authorisation
- Solutions
- Security
- Privacy, Compliance and Trust
- Pricing
- Support
The tools you need to be familiar with to pass this exam are:
- Azure Portal
- Azure CLI
- Azure PowerShell
- Azure Cloud Shell
- Azure Mobile Apps (download the app for iOS or Android, so you can access Azure from your smartphone)
- ARM Templates (automate and simplify Azure resources)
Some of the terms
The 7 main concepts used when working in the Cloud are:
- High Availability; means the systems are always available, even automatically; this is achieved by using different datacenters in Azure
- Reliability; describes how Azure can tolerate failures or even disasters
- Scalability; refers to scaling out or scaling up while automatically providing resources as needed
- Predictability; is knowing your application will always perform as expected and knowing what it will cost
- Security; is having full control of your cloud security posture
- Governance; is standardising cloud deployments to meet requirements and company standards
- Manageability; is management of cloud resources and how we interact with them
The National Institute of Standards and Technology (NIST) defines Cloud Computing as having the characteristics of pay-per-use, resource pooling, rapid elasticity of resources and on-demand self-service. There are basically 3 types of Delivery Models of the Cloud, as follows, and your company may need one, two or all three models implemented; it depends:
- IaaS: Infrastructure as a Service (datacenters); you move virtualisation, servers, storage and networking to the Cloud. This is the most flexible way of using the Cloud, but you still need someone to look after the firewalls, networking and operating systems. Large providers of this are Amazon Web Services, Microsoft Azure and Google Cloud Platform
- SaaS: Software as a Service (deployment); the most popular way of using the Cloud, where the client just uses a cloud-based app, something like email, Office 365 or storage (Dropbox, OneDrive, Box.com, etc.). A large provider of this is Salesforce, providing cheaper ways to consume enterprise applications such as CRM and ERP; also consider Google Apps for Work (automation on demand) and Microsoft 365 (Office over the open Internet)
- PaaS: Platform as a Service (web browsers); focused on developers, where you only have to worry about your apps. PaaS relies on IaaS to work, and with PaaS you don't have to worry about the OS, Windows updates, IIS configuration, networking, storage, etc. Large providers of this are Google App Engine, AWS's Elastic Beanstalk and some parts of Azure too. For example, with PaaS you can use Azure SQL instead of a VM with your own SQL.
- PaaS includes Middleware, which is software that lies between your apps and the OS. You can get lots of middleware apps from the Azure Marketplace, all of them built to save you time. You can find the Azure Marketplace at this link:
- https://azuremarketplace.microsoft.com/en-us/marketplace/
- Azure Marketplace offers less maintenance than creating your own service or application from scratch
Depending on the model used above (IaaS, PaaS or SaaS), the Shared Responsibility Model will also change, though at all times you are responsible for your data and accounts
Economy of Scale: you can buy one apple for £1, but if you buy 100 apples all at once, each apple might cost you just 10 pence. Rocket science, eh? :) And this Economy of Scale can be applied to these two things:
- CapEx (Capital Expenditure); you spend money upfront as a one-time purchase for hardware, e.g. you buy a laptop. The problem is that the value of the item goes down with time
- OpEx (Operational Expenditure); you subscribe to a payment plan with Apple, pay every month and always have the latest phone on the market. This is a more agile approach, and can be described as the ongoing cost needed to run your business
Cloud Architecture Model (Deployment Models of the Cloud); you can implement the Cloud in your company in basically 3 ways, but of course you have to UNDERSTAND the workloads first before suggesting anything
Public; (elastic scaling) everything is at the provider's end: you put all your VMs on Azure and that's it. It gives you scalability/agility and pay-as-you-go; some of your VMs could be running very security-sensitive data, so you might prefer to have those in-house. This model provides the best security
Private; (more secure) it behaves like a public cloud but the company owns all the infrastructure; it is like having VMware vSphere where you own all the kit and you provide cloud services to your company. Government entities will do that, for example. This method provides no scalability, and you also need to provide the IT personnel to support it
Hybrid; (seamless, of the two above) this is a mix of the two, with some services running in a private datacenter (running Hyper-V or VMware vSphere) and others in the public cloud (Azure or AWS). Note that connecting your private cloud to your public cloud can be a complex task and requires skilled IT personnel (like us :)). This model can be the best of all models, but it incurs lots of complexity to set up
- AD Connect Tool; integrates your local AD with Azure, syncing users, groups and computers and providing SSO and ADFS, thus making you a hybrid mutant and allowing your users to access both your on-prem and cloud resources
Azure Regions; be mindful: you don't want to deploy your IIS server in Europe if your main customers are based in South-East Asia (SEA). For logistical purposes, Azure geographical areas may contain one or more regions. To minimise latency, you want a datacenter in the region closest to where you are. Price varies from region to region, as well as features. An Azure Region is a set of datacenters that are close enough to each other that it doesn't matter which datacenter your data is in
Region Pairs; each Region is paired with another Region (except Brazil South), two regions that are at least 300 miles from one another (within the same geographic area), where one region kind of functions as the backup of the other. When doing planned updates, only one Region in the pair is updated at any one time
Availability Zones; they are physically isolated datacenters; if you create 2 x VMs (master & replica) and put them in the same region, the replica will go to an availability zone physically away from the production area. An Availability Zone is within a Region, and each zone has its own separate power, cooling and networking
Resource Group; everything in Azure is inside a Resource Group, no exceptions, but note that the Resource Group itself is not a resource; they help structure your Azure architecture. They are used to logically group your stuff, and the items in a Resource Group can span different regions. Note that one resource can only be part of one Resource Group. The "Locks" option prevents you from accidentally deleting a resource group; you can also "lock" a VM to prevent deletion
# Azure PowerShell: create the resource group that will hold the lab resources
New-AzResourceGroup -Name NazaudyRG -Location 'East US 2'
Azure Resource Manager (ARM); when interacting with resources you are interacting with ARM, whether you go through the web, PowerCLI, etc., so basically ARM is the key component of the Azure Portal itself, the core engine. All interaction with Azure resources goes through ARM
ARM Templates; let's say you create the resources for your website, which obviously will contain 2 x VMs (web front end + database) in addition to network connections, virtual IPs, storage, etc. You can save this resource creation as an ARM Template, which will be saved as a JSON file, in case you want to deploy the same solution again in the future
Tags; they allow you greater customisation to group your resources
Availability Sets; they are logical groups of 2 or more VMs that ensure you remain up and running during planned (or unplanned) maintenance periods; basically it puts the VMs on different server racks if they fall in the same datacenter. Note that you can only mark a VM for High Availability at its creation point; once it is created you'd need to delete it if you want it to be part of an availability set. If you forget to put your infrastructure in an availability set, it is possible that all of it could be restarted at once when Azure updates the datacenter where all your VMs are, therefore it is advisable to configure the "Availability set" at the time of creating the VMs to ensure you have a high SLA
This section covers Compute, Networking, Storage and Database
Compute
Creating a VM; a virtual machine in Azure is your machine exclusively. Virtual machines are an IaaS offering, where you are responsible for the entire virtual machine. Using the Azure portal, the portal gets the clicks >>> the API chats to the Orchestrator >>> the Orchestrator sends the inputs to the Fabric Controllers >>> and they push the info to the rack servers, where your VM is then created. Azure Virtual Machines take advantage of Azure tools
$credential = Get-Credential   # prompts for the admin username and password of the new VM
New-AzVM -Name VM1 -ResourceGroupName NazaudyRG -Location 'East US 2' -Image CentOS -Size 'Standard_B1s' -Credential $credential   # -Size must be a valid VM size name
Scale Sets; manage a group of identical, load-balanced VMs, where you can create a rule by which, if a VM's CPU goes over 70%, Azure can automatically create another VM, and another, to deal with the load
az vmss create --help
# vmss stands for Virtual Machine Scale Set
App Services; a PaaS offering from Azure where you can deploy Web Apps, API Apps, WebJobs, Mobile Apps, etc., without, of course, worrying about the infrastructure. Swagger is a standard for designing APIs: https://swagger.io/ There are fundamentally 3 types of apps offered in Azure App Services:
- Web Apps; used to host web sites and web applications
- Web Apps for Containers; all the dependencies and code are inside the container
- API Apps; an application programming interface without any GUI; they can be created using a wide range of programming languages
Containers in Azure; if you put your application inside a container together with all its dependencies, it should run on any machine. Containers are an important part of modern computing. Containers in Azure can be used in 2 ways:
- ACI (Azure Container Instances); a PaaS, so you don't have to worry about the underlying OS; this is for small deployments with one or a few containers
- AKS (Azure Kubernetes Service); a way to orchestrate your containers, enabling communication through APIs from one container to another. This is what to use if you have lots of containers
Docker is a way (an easy way) of creating containers; visit https://hub.docker.com/ to download images to create containers
Azure Container Instances (ACI); they are used to run container workloads
Azure Kubernetes Service (AKS); Kubernetes is sometimes written "K8s" and means 'governor' or 'captain' in Greek. Kubernetes is an open-source (the code is available to the public) container orchestration system (it keeps track of lots of parts of the system) for automatic deployment, scaling and management. Kubernetes allows you to replicate container architectures
Azure Container Registry; this service keeps track of current valid container images, managing the associated files and being a repository of images from which containers and Kubernetes pods are created
AKS Cluster; a Pod is a group of one or more containers, and K8s can provision more pods once the load increases
Azure Virtual Desktop; this comes with different benefits, like reuse of Windows 10 licences
Azure Functions; code without servers for developers; it is the smallest compute service on Azure and can be called or invoked via a standard web address. An Azure Function runs once and then stops. We have these flavours of serverless Azure Functions; note that of course there is always a server behind, but Azure uses the word "serverless" to emphasise that you don't manage any aspect of the server in the background
- Golden Oldie; the first serverless service on Azure; they are the smallest compute system in Azure
- Event Grid; a term in Azure for telling an application when something has happened
- Azure Event Grid; a serverless routing service for sending and receiving events between applications
Azure Logic Apps; serverless workflows for those who don't know how to code but want results
Networking
Azure VNet; that is the name of a network in Azure, VNet. A virtual network is bound to one region only, meaning that every resource associated with the VNet must be in the same region too. To see your networks nicely, visit Virtual Networks >> your vnet >> Diagram. You can essentially peer VNets using a load balancer or a VPN gateway to increase availability
VPN Gateway; instrumental in a hybrid cloud architecture, it is the way you connect your Azure VMs to your on-prem VMs in your local datacenter, if you need to.
Load Balancer; distributes new inbound flows (traffic from the web or the local network) that arrive at the Load Balancer's front end and sends them to the backend VMs according to rules and health probes, which redirect the traffic according to IP and/or port number
Application Gateway; AG is a higher-level load balancer; if you want to redirect traffic using attributes other than IP or port number, use an application gateway. The traffic can be specifically routed using headers. Application Gateway spans multiple availability zones and improves fault resiliency. Application Gateway provides load balancing for web services, in particular URL routing, and also includes a firewall called WAF (Web Application Firewall)
Content Delivery Network (CDN); it provides a "cache" (not a full replication) that is distributed as close to your customers as possible to reduce latency; this method is cheaper. A CDN places caches of your data in other datacenters physically closer to the customer's location for fast access
Express Route; is a private network inside Azure with low latency and high bandwidth connection, some businesses like Google
Storage
Using the right storage for your Azure solution is critical. In Azure the "storage account" name is unique across the whole of Azure, being an object with its own web address, for example: nazaudy.storage-type.core.windows.net.
Blob; stands for Binary Large Object; the data is stored in containers inside the storage account, and you can store files of any type, like images, videos to be streamed, logs, backups. The pricing tiers of Blob are Hot (lower access time but higher cost), Cool (same as Hot but data remains here for only 30 days) and Archive (the cheapest but with the highest access time). Blob is organised into 3 types:
- Block Blob; stores text and binary data up to 4.7 TB, and is made up of individually managed blocks of data
- Append Blob; like the above but optimised for data that is appended, like data coming from VMs
- Page Blob; stores files up to 8 TB, and emulates the typical hard drive
You create a Storage Account first, then a Container within the Storage Account, and then a Blob inside the Container
Data Redundancy; in Azure you have a minimum of 3 copies, and this is an automatic process invisible to the end users. You can improve this if you like and provide higher data redundancy by choosing one of the options below, all of which include 3 copies per region, meaning that if you choose multi-region you will have 6 copies of the data, 3 in the primary zone and 3 in the secondary zone:
- Locally Redundant Storage (LRS); uses a single region and a single datacenter. Premium storage Page Blobs only support LRS
- Zone-Redundant Storage (ZRS); uses a single region but the data is stored in more than one datacenter
- Geo-Redundant Storage (GRS); is multi-region, having 3 copies in 2 different regions
- Geo-Zone-Redundant Storage (GZRS); is multi-region too, providing the maximum redundancy by having 3 copies in different zones in the primary region
Tools for moving data; Azure comes with different ways of moving data across your Azure VMs, like AzCopy (a command-line utility), Azure Storage Explorer (a GUI tool which you can download to your own computer) and Azure File Sync (syncs files between Azure and on-prem file servers, handy for disaster scenarios where you want to use your data in the cloud just in case). For large-scale migrations with lots of data to move, you can use:
- Azure Data Box; in case you have slow bandwidth, the data is transferred to a box, and then from the box to your Storage Account or vice versa
- Azure Migrate; to migrate on-prem applications to the cloud, like VMs, databases or your whole local datacenter
Databases
"If you DATA doesn't exists in 3 different places, it really doesn't exist" Networkchuck. Azure supports 3 types of data structure:
- Structured data, relational databases
- Semi-structure data, non-relational databases, non-sql where data is organised in tags and is all over the place
- Unstructured data, everything else, video files, etc
If you have all your data on-premisses, then all the security is on-you, you got to look after entrance, security door, CCTV, physical servers, etc. When you use Azure as IaaS you still have to worry about the security of the OS, networking, etc but not physical any-more, as Azure will look after that for you. With PaaS you still have to worry who can access that, while with SaaS all the security lies on Microsoft Azure, you deal plainly with the simple access, no "share responsibility" whatsoever
Cosmos DB; to create non-sql databases for modern app development with integration with open-source APIs, MongoDB and Cassandra; Cosmos DB is an example of PaaS. https://azure.microsoft.com/en-gb/services/cosmos-db/ Cosmos DB make it easy to expand your data to other regions; Cosmos DB provide single digit milliseconds of latency across the world, providing infinite number of users. The big pitfall of Cosmos DB is....its price of course!
Cosmos DB is a non-relational database, where data is stored in files
Azure SQL; for structured data databaes (sql), allows you to move your SQL data to the cloud. Azure SQL is use to manage Azure itself. Azure SQL suports up to 100 TB database in size. Azure SQL is composed of two components:
- Azure SQL Database, it most like the traditional SQL database
- Azure SQL Managed Instance; it meant to bridge the gap and help migrate on-prem DB to Azure
Here we got the main differences in between the two:
MySQL and PostgreSQL; open source databases, they are relational databases (built on relationship between tables), their format is also supported in Azure. MySQL use cases are web applications, e-commerce, mobile apps, digital marketing, finance management and gaming that must have low latency among others. PostgreSQL is default DB for macOS, and some of the features it has are: extensions, horizontal scaling without impact on performance and fully managed like automated backup and patching. Governments, Financials and Manufacturing use PostgreSQL a lot due to its features
Authentication and Authorisation
Azure Active Directory; note that the classic AD is not the same as Azure AD; this is Identity as a Service, and it allows you to authenticate your own AD with the management accounts of Azure. You can access only the users portal using this link: https://aad.portal.azure.com
Applications that do not use OAuth 2.0 are not able to authenticate to Azure Active Directory properly
Azure AD Connect; it syncs the on-prem AD with Azure AD
Azure AD Service (AAD); you can't have an Azure account without an AAD service; every Azure account needs a first user, and this user is in the initial AAD instance. A "tenant" represents an organisation in Azure, and multiple subscriptions can be associated with a single tenant. Every Azure account will have an Azure AD service. A user can be a member of up to 500 tenants
Azure Active Directory Domain Services (Azure AD DS); AD DS is a fully managed service, no need to configure any OS, though behind the scenes there are 2 x DCs for high availability. For AD DS you need to create a unique namespace/domain name (for example adds-nazaudy.com), totally separate from your internal domain name, and there is only one-way sync with Azure AD
Subscription; a subscription is a billing entity; all resources belong to a single subscription
Zero Trust Security Model; whether inside or outside the network security boundary, all users are assumed to be untrustworthy unless proven otherwise; your identity is the key to accessing the resources, not your location (inside or outside the building, on the VPN, etc.) as in the traditional model
Multi-factor authentication; no excuses, 2FA is a must to access any resource now: authenticate using your phone, fob, face, fingerprint, etc. MFA uses something you know (username+password) plus something you have (phone, fob, biometrics, etc.). MFA, Multi-Factor Authentication, uses more than one thing to authenticate you. For the Azure account that manages Azure, MFA is free of charge, but for everybody else... guess what, buy a licence
- Something you know, like a password or a security question
- Something you possess, like your phone or an app on your phone
- Something you are, like a fingerprint or facial recognition
Conditional Access Policies; they are "if" and "then" policies (access lists) that decide whether you gain access to resources; you can do things like block sign-ins using legacy authentication protocols, grant access only from specific locations, enforce MFA, etc.
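To make the "if" and "then" parts concrete, here is an added example (not from the original article or from Microsoft) that evaluates a sign-in against policies of the kinds listed above, with the MFA from the previous paragraph as a required grant control. The policies, the named location range, the user names and the break-glass exclusion are all constructed assumptions.

```python
"""Evaluate Conditional Access "if/then" policies against a sign-in.

Added example, not Azure AD's implementation. Policies and named locations
are constructed dicts laid out like the portal's assignments (users, client
apps, locations) and grant controls; evaluation follows the documented rule
that every enabled policy matching the sign-in applies, a block wins, and
otherwise all required controls (here MFA) must be satisfied.
"""
import ipaddress

# Constructed named location, as defined under Azure AD > Security > Named locations.
NAMED_LOCATIONS = {"HQ": ["198.51.100.0/24"]}

# Constructed policies. "exchangeActiveSync" and "other" are the legacy
# authentication client types; the break-glass account is excluded from the
# block and MFA policies so an admin is never locked out by the policy itself.
POLICIES = [
    {"name": "Block legacy authentication", "state": "enabled",
     "users": {"include": ["All"], "exclude": ["breakglass@example.com"]},
     "client_apps": ["exchangeActiveSync", "other"],
     "locations": {"include": ["Any"], "exclude": []},
     "grant": "block"},
    {"name": "Require MFA outside HQ", "state": "enabled",
     "users": {"include": ["All"], "exclude": ["breakglass@example.com"]},
     "client_apps": ["browser", "mobileAppsAndDesktopClients"],
     "locations": {"include": ["Any"], "exclude": ["HQ"]},
     "grant": "mfa"},
    {"name": "Admins always MFA", "state": "enabled",
     "users": {"include": ["role:Global Administrator"], "exclude": []},
     "client_apps": ["browser", "mobileAppsAndDesktopClients"],
     "locations": {"include": ["Any"], "exclude": []},
     "grant": "mfa"},
]


def _in_location(ip, name):
    """'Any' or one of the named locations above."""
    if name == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS[name])


def _user_selected(signin, selector):
    """'All', a user principal name, or 'role:<directory role>'."""
    if selector == "All":
        return True
    if selector.startswith("role:"):
        return selector[len("role:"):] in signin["roles"]
    return selector == signin["user"]


def applies(policy, signin):
    """The "if" part: does every condition of the policy match this sign-in?"""
    users, locs = policy["users"], policy["locations"]
    included = any(_user_selected(signin, s) for s in users["include"])
    excluded = any(_user_selected(signin, s) for s in users["exclude"])
    if not included or excluded:
        return False
    if signin["client_app"] not in policy["client_apps"]:
        return False
    in_scope = any(_in_location(signin["ip"], n) for n in locs["include"])
    carved_out = any(_in_location(signin["ip"], n) for n in locs["exclude"])
    return in_scope and not carved_out


def evaluate_signin(policies, signin):
    """The "then" part: ('block', [policy names]) or ('grant', [required controls])."""
    matched = [p for p in policies if p["state"] == "enabled" and applies(p, signin)]
    blocking = [p["name"] for p in matched if p["grant"] == "block"]
    if blocking:
        return "block", blocking
    return "grant", sorted({p["grant"] for p in matched})


if __name__ == "__main__":
    # Constructed sign-ins: a legacy-auth client, then a browser from outside HQ.
    for s in ({"user": "alice@example.com", "roles": [], "ip": "203.0.113.9",
               "client_app": "exchangeActiveSync"},
              {"user": "alice@example.com", "roles": [], "ip": "203.0.113.9",
               "client_app": "browser"}):
        print(s["client_app"], "from", s["ip"], "->", evaluate_signin(POLICIES, s))
```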
Passwordless Authentication; MFA is more secure but obviously less convenient; with passwordless authentication you use the Microsoft Authenticator app to generate and enter a code that is used as a password; a FIDO2 security key is another method, where you insert a USB key that is used as a password
Business-to-business accounts; you can invite external guests into Azure to provide business-to-business collaboration, effectively inviting external users into your internal environment without having to create an internal account for them
Azure Active Directory Seamless Single Sign-On; this is SSO for Azure
There are tons and tons of solutions in Azure, for example:
IoT Central Hub; Internet of Things, provides data for millions of sensors. Internet of Things Central is a software-as-a-service solution that provides all the pre-made components that you need
Azure Sphere; an all-in-one solution for IoT devices on Azure
Data Lake Analytics; a data lake is a very large body of data; collecting data is easy, you just store it, but making sense of it and extracting meaning is different, hence the following tools to extract business value from the data: Data Lake Analytics, HDInsight (open source supported)
Azure Databricks; an Apache Spark-based analytics service; Apache Spark is a distributed cluster-computing framework, and Databricks provides all the computing power
Azure Synapse Analytics (it used to be called Azure SQL Data Warehouse); used for reporting and data analysis, it uses the Synapse SQL language to manipulate the data in any way you need. The old Azure SQL Data Warehouse works with Power BI
Machine Learning; this is the AI (Artificial Intelligence) of Azure, where we allow the machines to take decisions for us. A model is a set of rules for how to use the data provided; the model finds patterns based on the rules. Knowledge Mining uses Azure Search to find existing insights in your data, like file relationships, geographic connections and more. The main tool for using machine learning in Azure is Machine Learning Studio, with pre-made modules for your project. The Machine Learning Service is an end-to-end service that uses AI almost anywhere in Azure; AI is about better products and better customer service
Azure Bot Service; this is a machine learning Azure PaaS offering that lets you build bots for Q&A services, virtual assistants and more
Azure Cognitive Services; they provide vision to recognise images, decision to detect IoT anomalies and leverage data analytics, and automatic speech-to-text transcription for speaker identification and verification
DevOps; DevOps is the work between the development and the production of an app, code or feature. DevOps is about how developers, engineers and sysadmins organise themselves and work as a team to deliver better products faster, and along those lines Azure DevOps comes to help with the following services:
- Azure Boards (loved by project managers) that helps keep track of work tasks, timelines, issues, planning and much more
- Azure Pipelines; produce and test your software automatically and continuously
- Azure Repos; store the code for your application
- Azure Test Plans; design tests of applications to run automatically
- Azure Artifacts; share applications and code libraries with other teams inside and outside your organisation
Azure DevTest Labs; it focuses on the environment to test and deploy the app, and contains templates that you can use
GitHub; a code repository service for lots of big and small projects; it was bought by Microsoft in 2018. GitHub is well known for hosting open-source communities, Microsoft being one of its biggest users
GitHub Actions; very similar to Azure Pipelines, in that it is used to build, test and publish code
Hands-on with AI: use this Microsoft AI link to find out what AI can do for you: https://aidemos.microsoft.com/
The official link to the Azure services used in Microsoft's free training is here:
Defense in Depth; having a single security measure is... never enough! In chess, not only the queen defends the king, but also the pawns, bishops, knights, etc. The same goes for Azure and on-prem: you need to build up several layers of defense, and these layers are: Physical >> Identity and Access >> Perimeter >> Network >> Compute (databases) >> Gateways and Firewall >> Data (ensure it is encrypted)
DDoS Protection Service; in 2012, 60GB of traffic per second was sent in a DDoS attack on 6 banks; CloudFlare had a similar attack in 2014 with 400GB of traffic per second, and GitHub suffered the same in 2018 with 1.35TB a second. A Distributed (meaning it comes from different sources) Denial of Service (DDoS) attack is the most feared attack to suffer on the web
Network Security Group (NSG); they are per-resource firewalls that attach to a virtual network, subnet or network interface. An extension of NSG is the Application Security Group, which focuses on securing an application rather than an IP endpoint
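As an added example (not from the article or from Microsoft), the following Python evaluates an NSG-style rule set the way Azure processes it, by priority with the built-in default rules last, and then runs a defender's check for management ports left open to the Internet. The rule dicts, the VNet address space and the sample addresses are constructed assumptions.

```python
"""Evaluate Azure-style NSG rules for a flow and audit Internet exposure.

Added example, not Azure's implementation. Rules are plain dicts shaped like
the fields `az network nsg rule list` returns; the three built-in inbound
default rules (priority 65000-65500) are included as Azure defines them.
Two simplifications are assumed: the VirtualNetwork service tag is one VNet
address space, and the Internet tag means any address outside that space.
"""
import ipaddress

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")   # assumed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # Azure load balancer / health probe source

# Azure's built-in inbound default rules. Custom rules use priorities 100-4096
# and are evaluated first; lower number wins and the first match stops processing.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed custom rules, as a hurried admin might have created them.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-anywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-https-web-subnet", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationAddressPrefix": "10.0.1.0/24", "destinationPortRange": "443"},
]


def _addr_matches(prefix, addr):
    """Match '*', a service tag (simplified, see module docstring) or a CIDR."""
    ip = ipaddress.ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_SPACE
    if prefix == "Internet":
        return ip not in VNET_SPACE
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    """Handles '*', '22', '1000-2000' and comma-separated combinations."""
    if port_range == "*":
        return True
    for part in port_range.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_flow(rules, src, dst, dst_port, proto="Tcp", direction="Inbound"):
    """Return (access, rule name) of the first rule, in priority order, matching the flow."""
    ordered = sorted((r for r in rules + DEFAULT_RULES if r["direction"] == direction),
                     key=lambda r: r["priority"])
    for r in ordered:
        if (r["protocol"] in ("*", proto)
                and _addr_matches(r["sourceAddressPrefix"], src)
                and _addr_matches(r["destinationAddressPrefix"], dst)
                and _port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    raise ValueError("no rule matched; the default rules should always match")


def internet_exposed_ports(rules, dst, ports=(22, 3389)):
    """Defender's check: management ports on `dst` reachable from an Internet
    source, mapped to the rule that lets each one through."""
    probe = "203.0.113.5"  # constructed public address (TEST-NET-3 documentation range)
    exposed = {}
    for port in ports:
        access, name = evaluate_flow(rules, probe, dst, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for port, rule in internet_exposed_ports(SAMPLE_RULES, "10.0.1.4").items():
        print(f"port {port} is open to the Internet via rule {rule!r}")
```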
Private Endpoints; they are publicly reachable PaaS services; a good example of this is Azure Storage (public endpoint) that is accessible from your on-prem VM. In order to secure these endpoints we use these methods:
Service Endpoint; you connect to the resource via the Azure subnet over the Microsoft private backbone, hence not going through the public Internet; in other words, you privately connect a VNet subnet to Azure PaaS services. The limitation of Service Endpoints is that they secure only VNet Azure access (not on-prem, meaning that on-prem must still access over a public IP), and their settings apply to the entire VNet and not to a single storage account if we need that
Private Endpoint; acts as a managed network interface and is "better" than a service endpoint
Microsoft Defender for Cloud; a console where you get alerts, policy and compliance metrics, secure scores to visualise the strength of your security, etc. This console integrates with other cloud provides (but for that Azure Arc is required). To setup Defender for Cloud you need to define your policies, protect resources and response to any security alerts if any. The word "hygiene" is used in this context to tag the security weakness and best practices of the resources
Microsoft Defender for Identity (formerly known as Advanced Treat Protection - ATP); a cloud-based security solution that identifies and detect compromised systems and identities as well as malicious insider actions. This solution is locate in https://portal.atp.azure.com/ and to access it you need to be a member of Microsoft Defender for Identity, the Azure AD security group. This contain an ATP Sensor that you install on your ADs and then send the data back to the ATP Portal, from where you can analyse al the security events. Microsoft Defender for Identity monitor users, create a baseline behaviour for them and suggest changes to conform with security best practices in order to reduce risks
Cyber-Attack Kill Chain; is a methodology used by hackers that follow: reconnaissance (search for IPs, info, etc), Brute Force and increasing Privileges
Azure Key Vault; this is a centralised cloud service where you lock your private keys, your passwords, certificates, tokens, API keys, etc. These are the two main ways to encrypt data on Azure:
- Storage Service Encryption (SSE), it encrypts the data before it is stored and decrypts it before it is retrieved, meaning that it is transparent to you; it is automatic and enabled by default on Blob, Managed disks, Queue storage and Azure Files
- Client-side Encryption; the data is already encrypts it by the client before Azure access it, this method implies that you store your private key on the Azure Key Vault
Azure Information Protection (AIP); companies need to share documents, emails and data outside of the company network. AIP is used to protect files that are transferred between companies
Azure Sentinel; a security information and event management (SIEM) tool that works by first collecting the data from services (logs, DNS, etc.), then aggregating and normalising that data, and finally analysing it and detecting threats, upon which actions can be taken. Some of the benefits and features of Azure Sentinel are: behavioural analytics, AWS integration and cloud scale, meaning large companies use it
Azure Dedicated Hosts; in case you need to comply with your company's requirements and run a VM on specific hardware, etc., you can use Azure Dedicated Hosts, meaning you get control of the entire physical server on Azure without any 'foreign' VMs but yours running on that host. The only issue with this is that, of course, it is expensive
Governance; a set of policies to ensure the Azure resources comply with them. The example is a rocket launch where sysadmins, DevOps, engineers, etc. all work together towards a goal guided by the Governance instead of each individual or group doing whatever they want
Cloud Adoption Framework; is used by the Governance to make a smooth transition to the cloud
RBAC (Role-Based Access Control); this is just like the access list in NTFS: give the bare minimum permission that you can get away with. RBAC is the area where you configure the set of permissions and roles that users can be a member of to access Azure services. Privileged Identity Management (PIM) is an add-on to RBAC and a paid-for offering that takes care of all the roles, ensuring they are all correct
Locks; they can be assigned to a subscription, resource group or resources
Azure Blueprints; templates where you can find rules and regulations, policies and samples of common regulations and highlights; the blueprint templates are for creating standard Azure environments. Blueprints are a repeatable set of Azure resources that adhere to a standard set of requirements; they are like ARM Templates but also include RBAC roles, policies, resource groups, etc., things that an ARM Template cannot do. Blueprints basically put the creation of a new company in a JSON file, while ARM Templates put the infrastructure in a JSON file
Azure Advisor; Azure Advisor for Security Assessment is part of the Security Center
Azure Monitor; collects and analyses the health of your resources based on telemetry (events); you can also send to "Monitor" your data from the on-prem infrastructure as well as from other cloud services like AWS. VM telemetry (data from sensors) is fed constantly into Azure Monitor; even on-prem VMs can be configured to send their telemetry data to Azure Monitor with the goal of maximising performance, maximising availability and identifying issues
Azure Monitor Alerts; give you notifications when your VMs misbehave. You first create an alert rule
Azure Service Health; a tool to check how healthy Azure is and to see a history of previous incidents or downtimes of Azure; of course most of the time it would be fab, just like on this screenshot:
Log Analytics; stores and queries the data to gain valuable insights. You can create queries using the Kusto Query Language (KQL) to ask the logs, or choose some of the pre-built queries
Application Insights; gives you performance metrics, potential bottlenecks and more for your web applications only
Compliance
Privacy
Trust
Azure Arc, relatively new
Trust Center; a gigantic resource of information proving that you can trust Microsoft with your infrastructure and data https://www.microsoft.com/en-gb/trust-center
- Security
- Privacy
- Compliance
Service Trust Portal; another portal from Microsoft to show you how good they are at keeping and auditing your data; it contains a tool called "Compliance Manager" that tells you if you're compliant with standards and data regulations
Azure Data Lake Storage Gen2; used for Big Data Analytics, you upload your data and then Azure analyses it. This sits on top of the Azure Blob service; Data Lake includes all of the capabilities required to make it easy for developers, data scientists and analysts to store data of any size and shape, and at any speed. It works with Power BI too!
Azure Queue; to store a large number of messages, it helps our app to offload messages on its behalf
Power Apps; lets you quickly build business applications with little or no code, allowing organisations to create websites that can be shared with external users through login providers of their choice like LinkedIn, Microsoft Account or other commercial login providers
Azure Traffic Manager; allows you, by the grace of DNS, to put your resources as close to your customers as possible, avoiding in that way high latency and providing the best performance, but it relies on replication (obviously) and it could be expensive, which is probably why Azure has an alternative to reduce the latency called CDN:
Azure Security Center; it checks that you are doing things right, monitoring that your security settings are correct. Azure also uses machine learning to scan your machines for potential malware (Azure Defender) as well as for any kind of attack, if you enable those features ($$), of course
Azure Network Security Group is a stateless firewall (it analyses traffic only by port) while Azure Firewall is a stateful firewall (it analyses traffic end-to-end)
Azure addresses machine authentication in two ways:
- Service Principal; an identity used by a service or application, most likely the credentials are stored in the code
- Managed Identity; a bit more secure, as the credentials are automatically handled by Microsoft, all you have to do is enable/disable the access as needed. No security-sensitive information is stored in any code whatsoever
Azure Disk Encryption (ADE) is for the VM's data disks, and you have to turn it on
Transparent Data Encryption (TDE) is used to protect databases, their backups and log files at rest
Just a bit of theory, in IT we have two types of encryption:
- Symmetric; uses the same key to encrypt and decrypt
- Asymmetric; uses different keys, a public key to encrypt and a private key to decrypt the message
Azure Information Protection (AIP); a purchased add-on solution that helps you classify and protect your Office documents and emails
8. Core solutions and management tools on Azure
Cloud Shell; visit https://shell.azure.com or click the PS icon in the top-right corner of the Azure Portal to start PowerShell (if you're using Windows) or Bash (if you prefer a Linux environment). The first time you try to open Cloud Shell, it will ask you to create storage; I'm afraid there is no escape and you have to create it, check here the pricing list for this storage:
You can also have Cloud PowerShell on your phone too!!! (Azure mobile app), fire up some VMs while you queue up for a coffee
Azure CLI; Microsoft developed this as a transition between PowerShell and the portal. You use the Cloud Shell window to run Azure CLI commands; all CLI commands start with "az", and you can install it on macOS, Linux and Windows for automation of tasks. Azure CLI is definitely the way to go when working with Azure because it is stable, its commands don't change, the CLI commands are structured in a way that is logical and it is cross-platform (you can use it in Linux); it provides automation and logging, so go Azure CLI!
az (focus) xxx (group) xxx (subgroup) xxx (base command) --xxx (required arguments)
                                                         --xxx (optional arguments)
                                                         --xxx (global arguments)
az vm -h #calls for help to see what you can do with the group "vm"
az vm create -h #again, the -h shows you the options for the "create" command
az vm create --resource-group myRG --name myVM01 --image Ubuntu2204 --generate-ssh-keys #Ubuntu2204 is one of the built-in image aliases
az vm show --resource-group myRG --name myVM01 #show the details of a single VM (needs the group and the name)
az vm list #list all the VMs in the subscription
az vm deallocate --name myVM01 -g myRG #stop the VM and release its compute resources (the disks are still charged)
For learning Azure CLI quickly, use it in "interactive" mode, so that it gives you the options for you to easily choose from
az interactive
az configure --defaults group=myRG location=westeurope
#you can configure the shell to use default resource groups, locations, VMs, etc. to work with, so you don't have to repeat them on every command
Scale Sets; manage a group of identical, load-balanced VMs, where you can create a rule by which, if a VM's CPU goes over 70%, Azure can automatically create another VM, and another VM, to deal with the load
az vmss create --help
#vmss stands for Virtual Machine Scale Set
Azure Batch; is like scale sets but on steroids, where you can deploy hundreds or thousands of computers
Azure Policy; a service in Azure where you can define, assign and manage standards for the usage of resources in your environment. This is where you'll go if you want to allow, let's say, the Engineers team to have the ability to create their own VMs, with limitations. You can create policies to force the version of Windows to use, whether HTTPS will be enforced, etc.
- Policy Definition; the first thing you need to create, it defines the action to take, which could be deny, disable, append, audit, deploy, etc. The Policy Definition is in JSON format
- Policy Assignment; you assign the Policy Definition to a scope, which can be a subscription, resource group or resource
Initiative Definition; a group of policy definitions that can be assigned to a resource or scope. With an Initiative Definition you have many policies but only do one assignment, thus saving time and reducing management complexity
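To see how a Policy Definition's JSON rule actually decides an effect, here is an added example (not from the original article or from Microsoft): a minimal evaluator for the if/allOf/field/equals/notEquals rule schema, run against constructed sample resources. The policy denies storage accounts that still allow plain HTTP; the field alias used is the real storage-account property, while the flattened resource dicts and the evaluator itself are simplifications for illustration.

```python
# Constructed policy definition in the Azure Policy rule schema (the
# "policyRule" part is what you would pass to "az policy definition create
# --rules"): deny any storage account whose supportsHttpsTrafficOnly is not "true".
HTTPS_FIELD = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Storage accounts must enforce HTTPS (sample)",
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": HTTPS_FIELD, "notEquals": "true"},
            ]},
            "then": {"effect": "deny"},
        },
    },
}

# Constructed sample resources, flattened so the policy field alias is the key
# (a simplification of how the service resolves aliases against a resource).
SAMPLE_RESOURCES = {
    "storage-http-allowed": {"type": "Microsoft.Storage/storageAccounts",
                             HTTPS_FIELD: False},
    "storage-https-only": {"type": "Microsoft.Storage/storageAccounts",
                           HTTPS_FIELD: True},
    "linux-vm": {"type": "Microsoft.Compute/virtualMachines"},
}


def condition_matches(resource, cond):
    """Evaluate one condition: allOf / anyOf or a case-insensitive field comparison."""
    if "allOf" in cond:
        return all(condition_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(resource, c) for c in cond["anyOf"])
    value = str(resource.get(cond["field"])).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return value != str(cond["notEquals"]).lower()
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(policy, resource):
    """Return the effect applied to the resource, or 'none' when the 'if' block
    does not match (the request is then simply allowed by this policy)."""
    rule = policy["properties"]["policyRule"]
    if condition_matches(resource, rule["if"]):
        return rule["then"]["effect"].lower()
    return "none"
```

Swapping "deny" for "audit" in the "then" block turns the same rule into a report-only policy, which is how you would normally roll out a new definition before enforcing it.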
Azure AD Join and Azure AD Domain Services allow you to join both computers and applications to Azure AD. To manage devices in Azure AD Join you use Microsoft Intune or other MDM solutions
Azure AD B2B; Business to Business, allows you to share your Azure resources with another company's Azure stuff; this is like AD Federation Services and Domains and Trusts
Azure AD B2C; Business to Customers, allows you to share your Azure resources with customers in different organisations
Management Groups; a layer on top of subscriptions where you can manage them if you have more than one
7. Cost management and Service Level Agreements
All the resources of Azure are bound to a subscription, so the credit card associated with the subscription is the one that will get charged. The Pay-as-you-Go payment model (also called "Web Direct") is the starting way to go. The "Usage Meters" of every resource are the ones that keep track of your usage and add to your bill at the end of the month
- Enterprise Subscription model; you pay directly to Microsoft, most likely annually
- Cloud Solution Provider; you pay a 3rd-party company who in return pays Microsoft
Even if all your VMs are off, you will still get charged for the space, so be mindful of the VM sizes when creating them
Be careful as well of where you place your VM, as the running costs of datacenter regions are different: having a datacenter in southern Europe will cost more than in Iceland, for example, where you pay very little for air cooling
Azure will not charge you for upload (they are already charging for space, anyway), but they will indeed charge you for any bandwidth of data leaving their datacenter, i.e. for what you download from them https://azure.microsoft.com/en-gb/pricing/details/bandwidth/
Azure Pricing Calculator; find out how much you would pay before moving your stuff to the cloud by using this tool https://azure.microsoft.com/en-gb/pricing/calculator/
Total Cost of Ownership; lets you estimate the cost of migrating your workloads to Azure, and any savings that you could make https://azure.microsoft.com/en-gb/pricing/tco/calculator/
After you move your servers and workloads to the cloud, you can use these two tools to further optimise the costs, so we don't waste resources:
- Azure Advisor, also called just "Advisor"; it gives you recommendations after 14 days of usage to see if you actually need to downsize some VMs that were over spec
- Cost Management and Billing Service
Both of these tools are found on the Azure portal
If you buy Visual Studio you might be entitled to free Azure credit. Spending Limit is when you have spent all your credit and Azure then shuts down all your stuff
SLA; 99.95% (21 minutes downtime a month) is the reality of what you get instead of the advertised 99.999% (down for only 25.9 seconds a month) of availability
Composite SLA; this is when you combine 1 or more SLAs that are dependent on one another for a complete solution to run effectively. For example, you have a Web Front End VM that needs to run 99.95% of the time, and a SQL database that feeds that server and needs to run at 99.99%; when you combine those times for your solution you get a composite SLA: 99.4%
Azure support; these are the different types of support in Azure:
- Basic; free, you still get support by phone, but this is the only plan in which you cannot open support cases
- Premier; this plan provides customer-specific architectural support such as design reviews, performance tuning, and configuration and implementation assistance delivered by Microsoft
- Professional Direct
- Standard
- Developer