Nazaudy, a spark in your curious mind

Lab Setup for Microsoft Exam Azure AZ-900

In this article I explore how to do a lab setup for Microsoft Exam Azure AZ-900, so you can do some testing before taking the actual AZ-900 exam. I didn't have any Azure certification, and though I have quite a few Microsoft "flat-operating-system" certifications, plus Cisco and VMware certifications, and of course all the years of actual experience with these products in production environments, I never underestimate the importance of any other certification, no matter how "small" or "insignificant" it may appear to the market; for sure you always learn something new during the course of any exam taken

So, let's go and get Microsoft Azure Fundamentals certified. The topics for the Exam AZ-900: Microsoft Azure Fundamentals can be found here: , these topics were last updated by Microsoft on 9th November 2020

The Cloud could be described as simply using somebody else's CPU and memory, basically somebody else's computer. Just so we understand the concept, let me share this video with you. It is an ancient video relating to a VMware product, but to me it clearly demonstrates what cloud computing (name it Azure, VMware or Google) can do for you, and how flexible "borrowing" resources from the Cloud could be for your business

These are the contents of this article:

  1. Azure - starting up
  2. Cloud Concepts
  3. Azure Services
  4. Core solutions and management tools on Azure
    • Cloud Shell, Azure CLI
  5. General security and network security features
  6. Identity, Governance, privacy and compliance features
  7. Cost management and Service Level Agreements


1. Azure - starting up

You should already have registered your email account with Microsoft. If so, then use it to sign up at Azure Portal here: You'll get lots of things with this new account, and it is absolutely perfect to explore Azure and do some testing without messing up your production environment

[Image: Azure subscription]

During the setup process, you will need to verify your account by entering your mobile number (notice VoIP phone numbers are not allowed for some silly reason) and a valid credit card number. There is no way to avoid this, so just do it! Unfortunately, you only get one month to test Azure, after that you'll get the "not eligible" message if you try to register again with another account

You're not eligible for an Azure free account

Even if you sign up with a different credit card number, Microsoft Azure won't allow you to "cheat" and duplicate the account, so basically you only have one flipping month to use the free service. Be wise and use it just to prepare for this exam!

You can create multiple subscriptions in a single Azure Active Directory tenant

Creating a VM: the Azure portal gets the clicks >>> the API chats to the Orchestrator >>> the Orchestrator sends the inputs to the Fabric Controllers >>> and they push the info to the rack servers, where your VM is then created

New-AzVM -Name VM1 -ResourceGroupName NazaudyRG -Location 'East US 2' -Image CentOS -Size "Standards_bits" -Credential $credential

A virtual network is bound to one region only. To see your networks nicely, visit Virtual Networks >> your vnet >> Diagram

VPN Gateway; this is the way you connect your Azure VMs to the VMs in your local datacenter, if you need to

Network Security Group (NSG); this is the name for Azure Firewall

Azure Application Gateway; it provides load-balancing for web services, in particular URL routing, and also includes a Firewall called WAF (Web Application Firewall)

Azure Traffic Manager; allows you, by the grace of DNS, to put your resources as close to your customers as possible, avoiding high latency and providing the best performance, but it relies on replication (obviously) and it could be expensive, which is probably why Azure has an alternative to reduce the latency called CDN:

  • Content Delivery Network (CDN), it provides a "cache" (not a full replication) that is distributed as close to your customers as possible to reduce latency; this method would be cheaper

Azure Regions: be mindful, you don't want to deploy your IIS server in Europe if your main customers are based in South-East-Asia (SEA). For logistical purposes, Azure geographical areas may contain one or more regions

Availability Zones; they are physically isolated datacenters; if you create 2 x VMs (master & replica) and put them on the same region, the replica will go to an availability zone, physically away from the production area

Region Pairs; two regions that are at least 300 miles from one another (within the same geographical area) where one region kind of functions as the backup of the other

Availability Sets; they are logical groups of 2 or more VMs that ensure you remain up and running during planned (or unplanned) periods; basically it puts the VMs on different rack servers if they fall in the same datacenter. Note that you can only mark a VM with High Availability at its creation; once it is created you'd need to delete it if you want it to be part of an availability set. If you forget to put your infrastructure in an availability set, it is possible that all of it could be restarted at once when Azure updates the datacenter where all your VMs are, therefore it is advisable to configure the "Availability set" at the time of creating the VMs to ensure you have a high SLA

Scale-Sets; manage a group of identical, load-balanced VMs, where you can create a rule by which if a VM's CPU hits over 70% Azure can automatically create another VM, and another VM, to deal with the load

az vmss create --help
#vmss stands for Virtual Machine Scale Set

Azure Batch; is like scale sets but on steroids, where you can deploy hundreds or thousands of computers

Azure Policy; a service in Azure where you can define, assign and manage standards for the usage of resources in your environment; this is where you'll go if you want to allow, let's say, the Engineers team to have the ability to create their own VMs, with limitations. You can create policies to force the version of Windows to use, whether HTTPS will be enforced, etc

  1. Policy Definition, is the first thing you need to create, it defines the action to take, which could be deny, disable, append, audit, deploy, etc. The Policy Definition is in JSON format
  2. Policy Assignment, you assign the Policy Definition to create a scope, you can assign to a subscription, resource or group
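The two steps above with Azure CLI, as an added example that is not part of the original article: a custom Policy Definition that denies storage accounts without HTTPS-only transfer, then a Policy Assignment scoped to a resource group. The names `deny-http-storage` and `enforce-https-storage` and the use of `NazaudyRG` as the scope are assumptions; the script only prints the `az` commands unless `APPLY=1` is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). The policy, assignment and
# resource group names are assumptions chosen for illustration.
POLICY_NAME="deny-http-storage"
ASSIGNMENT_NAME="enforce-https-storage"
RESOURCE_GROUP="NazaudyRG"

# Step 1, Policy Definition: the rule in JSON. "if" selects the resources,
# "then" names the action (effect). Here: deny any storage account whose
# HTTPS-only transfer setting is not true when it is created or updated.
policy_rule() {
  cat <<'JSON'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
        "notEquals": "true" }
    ]
  },
  "then": { "effect": "deny" }
}
JSON
}

# Print each az command; execute it only when APPLY=1 is set, so the script
# can be reviewed as a dry run before it touches a subscription.
run() {
  printf '%s ' "$@"; echo
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Writes the rule to the given file and registers it as a custom definition.
create_definition() {
  policy_rule > "$1"
  run az policy definition create --name "$POLICY_NAME" \
    --display-name "Storage accounts must enforce HTTPS" \
    --mode Indexed --rules "$1"
}

# Step 2, Policy Assignment: bind the definition to a scope (a resource group).
assign_definition() {
  run az policy assignment create --name "$ASSIGNMENT_NAME" \
    --policy "$POLICY_NAME" --resource-group "$RESOURCE_GROUP"
}

create_definition "${TMPDIR:-/tmp}/deny-http-storage.rules.json"
assign_definition
```

Swapping the effect to `audit` reports non-compliant storage accounts instead of blocking them, which is a safer first assignment in an environment that already has resources.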

Initiative Definition; a group of policy definitions that can be assigned to a resource or scope; with an Initiative Definition you have many policies but only do one assignment, thus saving time and reducing management complexity

Azure Monitor; collects and analyses the health of your resources based on telemetry (events); you can also send data to "Monitor" from your on-prem infrastructure as well as from other cloud services like AWS

Azure Service Health; a tool to check how healthy Azure is and to see a history of previous incidents or downtimes of Azure; of course most of the time it would be fab, just like on this screenshot:

Azure no service issues found





2. Cloud Concepts

The National Institute of Standards and Technology (NIST) defines Cloud Computing as having the characteristics of pay-per-use, resource pooling, rapid elasticity of resources and on-demand self-service. There are basically 3 types of Delivery Models of the Cloud, as follows, and your company may need one, two or all three models implemented, it depends:

  1. IaaS: Infrastructure as a Service (datacenters); you move virtualisation, servers, storage and networking to the Cloud. This is the most flexible way of using the Cloud but you still need someone to look after the Firewalls, networking and Operating Systems. Large providers of this are Amazon Web Services, Microsoft Azure and Google Cloud Platform
  2. SaaS: Software as a Service (deployment), the most popular way of using the Cloud; with this method the client just uses a cloud-based app, something like email, Office 365 or storage (Dropbox, OneDrive, etc). A large provider of this is Salesforce, providing cheaper ways to consume enterprise applications such as CRM and ERP; also consider Google Apps for Work (automation on demand) and Microsoft 365 (Office over the open Internet)
  3. PaaS: Platform as a Service (web browsers), focused on developers, where you only have to worry about your apps. PaaS relies on IaaS to work, and with PaaS you don't have to worry about the OS, Windows updates, IIS configuration, networking, storage, etc. Large providers of this are Google App Engine, AWS's Elastic Beanstalk and some parts of Azure too. For example, with PaaS you can use Azure SQL instead of a VM with your SQL

Economy of Scale: you can buy one apple for £1, but if you buy 100 apples all at once, each apple might cost you just 10 pence each. Rocket Science ah? :)

Middleware; software that lies in between your apps and the OSs. You can get lots of middleware apps from the Azure Marketplace, all of them built to save you time

  • CapEx (Capital Expenditure); you spend money up front, e.g. you buy a laptop. The problem is that the value of the item will go down with time
  • OpEx (Operational Expenditure); you go and subscribe to a payment plan with Apple, and you pay every month and always have the latest phone in the market. This is a more agile approach

Deployment Models of the Cloud, you can implement the Cloud in your company in basically 3 ways, but of course you have to UNDERSTAND the workloads first before suggesting anything

Public; (elastic scaling) everything is at the provider's end, you put all your VMs on Azure and that's it; it gives you Scalability/Agility and pay-as-you-go, but some of your VMs could be running very security-sensitive data, so you might prefer to have them in-house

Private; (more secure) it behaves like a public cloud but the company owns all the infrastructure; it is like having VMware vSphere where you own all the kit and you provide cloud services to your company. Government entities will do that, for example. This method provides no scalability and you also need to provide the IT personnel to support it

Hybrid; (seamless, of the two above) this is a mix of the two, with some services running in a private datacenter (running Hyper-V or VMware vSphere) and others in the public cloud (Azure or AWS). Note that connecting your private cloud to your public cloud could be a complex task and requires skilled IT personnel (like us :))

  • AD Connect Tool; integrates your local AD with Azure, syncing users, groups and computers and providing SSO and ADFS, thus making you a hybrid mutant, and allowing your users to access both your on-prem and cloud resources




3. Azure Services

The official link of Azure services when doing Microsoft free training is linked here:

Containers in Azure: they can be used in 2 ways

  • ACI (Azure Container Instances) is a PaaS so you don't have to worry about the underlying OS; this is for small deployments with one or a few containers
  • AKS (Azure Kubernetes Service), is a way to orchestrate your containers, enabling communication through APIs from one container to another. This is what to use if you have lots of containers

Docker is a way of creating containers (an easy way), visit to download images to create containers

Azure App Service; is a PaaS offering from Azure where you can deploy Web Apps, API Apps, Web Jobs, Mobile Apps, etc without of course worrying about the infrastructure. Swagger is a standard for designing APIs

Azure Functions; code with servers for developers

Azure Logic Apps; server-less workflows for those who don't know how to code but want results

Azure SQL Database; for structured-data databases (SQL), allows you to move your SQL data to the cloud

Azure SQL Data Warehouse; this works with Power BI

Azure Cosmos Database; to create non-sql databases for modern app development with integration with open-source APIs, MongoDB and Cassandra; Cosmos DB is an example of PaaS.

Azure Blob; supports lots of data, tera-petabytes

Azure Data Lake Storage Gen2; used for Big Data Analytics, you upload your data and then Azure analyses it. This sits on top of the Azure Blob service; Data Lake includes all of the capabilities required to make it easy for developers, data scientists and analysts to store data of any size and shape, and at any speed; it works with Power BI too!

Azure Queue; to store a large number of messages, it helps apps by offloading messages on their behalf

Azure IoT Hub; Internet of Things, provides data for millions of sensors

Azure Resource Manager (ARM); this is basically the Azure Portal, but just a funny name for it

ARM Templates; let's say you create a resource for your website, which obviously will contain 2 x VMs (web end + database) in addition to network connections, virtual IPs, storage, etc. You can save this resource creation as an ARM Template, which will be saved in a JSON file, in case you want to deploy the same solution again in the future

Resource Group; logically groups your stuff; the items in a Resource Group can span different regions. Note that one resource can only be part of one Resource Group. The "Locks" option prevents you from accidentally deleting a resource group; you can also "lock" a VM to prevent deletion

new-azresourcegroup -name NazaudyRG -location 'East US 2'

Tags; they allow you greater customisation to group your resources

Azure Databricks is an Apache Spark-based analytics service

Power Apps; it lets you quickly build business applications with little or no code, allowing organisations to create websites which can be shared with external users through login providers of their choice like LinkedIn, Microsoft Account or other commercial login providers



4. Core solutions and management tools on Azure

Cloud Shell; visit or click the PS icon on the top-right corner of the Azure Portal to start PowerShell (if you're using Windows) or Bash (if you prefer a Linux environment). The 1st time you try to open Cloud Shell, it will ask you to create storage; I'm afraid there is no escape and you have to create it. Check here the pricing list for this storage:

You can also have Cloud PowerShell on your phone too!!! (Azure mobile app), fire up some VMs while you queue up for a coffee

Azure CLI; Microsoft developed this as a transition between PowerShell and the portal. You use the Cloud Shell window to run Azure CLI commands; all CLI commands start with "az", and you can install it on macOS, Linux and Windows for automation of tasks

az (focus) xxx (group) xxx (subgroup) xxx (base command) --xxx (required arguments)
                                                         --xxx (optional arguments)
                                                         --xxx (global arguments)

az vm -h #calls for help to see what you can do with the group "vm"
az vm create -h #again, the -h shows you the options for the "create" subgroup

az vm create --resource-group myRG --name myVM01 --image Ubuntu2204 --generate-ssh-keys
az vm show --resource-group myRG --name myVM01
az vm list
az vm deallocate --name myVM01 -g myRG

For learning Azure CLI quickly, use it in "interactive" mode so that it will give you the options for you to easily choose

az interactive

az configure --defaults group=myRG vm=myVM01
#you can configure the shell to use default VMs, groups, etc to work with while commanding



5. General security and network security features

"If your DATA doesn't exist in 3 different places, it really doesn't exist" NetworkChuck. Azure supports 3 types of data structure:

  1. Structured data, relational databases
  2. Semi-structured data, non-relational databases, non-SQL, where data is organised in tags and is all over the place
  3. Unstructured data, everything else, video files, etc

If you have all your data on-premises, then all the security is on you: you've got to look after the entrance, security doors, CCTV, physical servers, etc. When you use Azure as IaaS you still have to worry about the security of the OS, networking, etc, but not the physical side any more, as Azure will look after that for you. With PaaS you still have to worry about who can access it, while with SaaS all the security lies with Microsoft Azure, you deal plainly with the simple access, no "shared responsibility" whatsoever

Azure Security Center; it checks that you are doing things right, monitoring that your security settings are correct. Azure also uses machine learning to scan your machines for potential malware (Azure Defender) as well as for any kind of attacks, if you enable those features ($$), of course

Azure Network Security group is a stateless firewall (analyses only traffic by port) while the Azure Firewall is a stateful firewall (analyses traffic end-to-end)

Azure addresses machine authentication in two ways:

  • Service Principal, an identity used by a service or application; most likely the credentials are stored in the code
  • Managed Identity, a bit more secure as the credentials are automated by Microsoft; all you've got to do is just enable/disable the access as needed. No security-sensitive information is stored in any code whatsoever
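A check for the risk described above, as an added example that is not part of the original article: it flags service principal secrets written into scripts and shows the managed identity login that removes them. The file contents, resource names (`myRG`, `myVM01`) and placeholder secret are constructed for illustration, and the function name `find_hardcoded_sp_secrets` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): find service principal
# secrets stored in scripts. File contents below are constructed samples.

# Prints "file:line:text" for every line that embeds a literal secret:
#   1. az login --service-principal ... -p/--password <literal>
#   2. AZURE_CLIENT_SECRET=<literal>
# Values read from a variable or command substitution ($...) are not flagged.
# Exit status follows grep: 0 when something was found, 1 when clean.
find_hardcoded_sp_secrets() {
  grep -nE \
    -e "az login .*--service-principal.* (-p|--password)[ =]+[\"']?[^\$\"' ]" \
    -e "AZURE_CLIENT_SECRET=[\"']?[^\$\"' ]" \
    "$@" /dev/null
}

# Constructed sample: a deployment script that logs in with a service
# principal and carries its secret in the code (placeholder value).
write_sample_weak() {
  cat > "$1" <<'EOF'
#!/bin/sh
export AZURE_CLIENT_SECRET="EXAMPLE-NOT-A-REAL-SECRET"
az login --service-principal -u "$APP_ID" -p 'EXAMPLE-NOT-A-REAL-SECRET' --tenant "$TENANT_ID"
az vm list --resource-group myRG
EOF
}

# Constructed sample: the same job on a VM with a managed identity enabled
# (an administrator ran: az vm identity assign -g myRG -n myVM01).
# Azure issues and rotates the credential, so the script holds no secret.
write_sample_managed() {
  cat > "$1" <<'EOF'
#!/bin/sh
az login --identity
az vm list --resource-group myRG
EOF
}

# Demo: scan both samples; only the service principal script is reported.
tmpdir=$(mktemp -d)
write_sample_weak "$tmpdir/deploy-sp.sh"
write_sample_managed "$tmpdir/deploy-mi.sh"
find_hardcoded_sp_secrets "$tmpdir"/*.sh || echo "no hard-coded secrets found"
rm -rf "$tmpdir"
```

The same function can run in a CI step or pre-commit hook over a repository's scripts, failing the build when it exits 0.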

Role Based Access Control (RBAC); the area where you configure the set of permissions and roles that users can be members of to access Azure Services

  • Privileged Identity Management (PIM), is an add-on to RBAC and a paid-for offering that takes care of all the roles, ensuring they are all correct

These are the two main ways to encrypt data on Azure:

  • Storage Service Encryption (SSE), it encrypts the data before it is stored and decrypts it before it is retrieved, meaning that it is transparent to you; it is automatic and enabled by default on Blob, Managed disks, Queue storage and Azure Files
  • Client-side Encryption; the data is already encrypted by the client before Azure accesses it; this method implies that you store your private key in the Azure Key Vault

Azure Disk Encryption (ADE) is for the VMs' data disks, and you have to turn it on

Transparent Data Encryption (TDE) is used to back up databases and log files at rest

Just a bit of theory, in IT we have two types of encryption:

  1. Symmetric; uses the same key to encrypt and decrypt
  2. Asymmetric; uses different keys, a public to encrypt it and a private key to decrypt the message

Azure Key Vault; this is a centralised cloud service where you lock your private keys, your passwords, certificates, tokens, API keys, etc

Azure Information Protection (AIP), a purchased add-on solution that helps you classify and protect your office documents and emails

Azure Advanced Threat Protection (ATP), a cloud-based security solution that identifies and detects compromised systems and identities as well as malicious insider actions. This solution is located in and to access it you need to be a member of Microsoft Defender for Identity, the Azure AD security group. It contains an ATP Sensor that you install on your ADs and which then sends the data back to the ATP Portal, from where you can analyse all the security events




6. Identity, Governance, privacy and compliance features

Azure AD; this is Identity as a service, it allows you to authenticate your own AD with the management accounts of Azure, you can access only the users portal using this link:

Azure AD Join and Azure AD Domain Services allow you to join both computers and applications to Azure AD. To manage devices in Azure AD Join you use Microsoft Intune or other MDM solutions

Azure AD B2B; Business to Business, allows you to share your Azure resources with another company's Azure stuff; this is like AD Federation Services and Domains and Trusts

Azure AD B2C; Business to Customers, allows you to share your Azure resources with customers on different organisations

MFA; Multi Factor Authentication uses more than one thing to authenticate you. For the Azure account that manages Azure, MFA is free of charge, but for everybody else... guess what, buy a licence

  • Something you know, like a password or security question
  • Something you possess, like your phone or an app on your phone
  • Something you are, like fingerprint or facial recognition

Management Groups; a layer on top of subscriptions where you can manage them if you have more than one

Blueprints; a repeatable set of Azure resources that adhere to a standard set of requirements; they are like ARM Templates but also include RBAC roles, policies, resource groups, etc, things that ARM Templates can do. Blueprints basically put the creation of a new company in a JSON file, while ARM Templates put the infrastructure in a JSON file

Trust Center; a gigantic resource of information to prove that you can trust Microsoft with your infrastructure and data

  • Security
  • Privacy
  • Compliance

Service Trust Portal; another portal from Microsoft to show you how good they are at keeping and auditing your data; it contains a tool called "Compliance Manager" that tells you if you're compliant with standards and data regulations




7. Cost management and Service Level Agreements

All the resources of Azure are bound to a subscription, so the credit card associated with the subscription is the one that will get charged. The Pay-as-you-Go payment model (also called "Web Direct") is the starting way to go. The "Usage Meters" of every resource are the ones that keep track of your usage, and add to your bill at the end of the month

  • Enterprise Subscription model: you pay directly to Microsoft, most likely annually
  • Cloud Solution Provider; you pay a 3rd party company who in turn pays Microsoft

Even if all your VMs are off, you will still get charged for the space, so be mindful of the VM sizes when creating them

Be careful as well of where you place your VM, as the running costs of datacenter regions are different: having a datacenter in south-Europe will cost more than in Iceland, for example, where you pay very little for air cooling

Azure will not charge you for upload (they are already charging for space, anyway), but they will indeed charge you for any bandwidth of data leaving their datacenter, that is, for what you download from them

Azure Pricing Calculator; find out how much you would pay before moving your stuff to the cloud by using this tool 

Total Cost of Ownership; lets you estimate the cost of migrating your workloads to Azure, and any savings that you could make 

After you move your servers and workloads to the cloud, you can use these two tools to further optimise the costings, so we don't waste resources:

  • Azure Advisor, also called just "Advisor", it gives you recommendations after 14 days of usage to see if you actually need to downsize some VMs that were over-specced
  • Cost Management and Billing Service

Both of these tools are found on the Azure portal

If you buy Visual Studio you might be entitled to free Azure credit. Spending Limit is when you have spent all your credit and Azure then shuts down all your stuff

SLA; 99.95% (21 minutes downtime a month) is the reality of what you get instead of the advertised 99.999% (down for only 25.9 seconds a month) of availability

Composite SLA; this is when you combine 1 or more SLAs that depend on one another for a complete solution to run effectively. For example, you have a Web Front End VM that needs to run 99.95% of the time, and a SQL database that feeds that server and needs to run 99.99% of the time; when you combine those figures for your solution you get a composite SLA: 99.4%

Azure support, these are the different types of support in Azure:

  • Basic; free, you still get support by phone, but this is the only plan in which you cannot open support cases
  • Premier; this plan provides customer specific architectural support such as design reviews, performance tuning, configuration and implementation assistance delivered by Microsoft
  • Professional Direct
  • Standard
  • Developer




