Thursday 31 October 2024

Microsoft Azure Fundamentals - AZ-900

Basic Terminologies: 

Cloud Computing: The delivery of computing services (compute, storage, networking, databases) over the internet, with resources that can be provisioned and released on demand and billed pay-as-you-go.

Types of Cloud: Public Cloud, Private Cloud and Hybrid Cloud.

HA - High Availability - The ability of a system to remain operational for users during planned or unplanned outages. It is measured as total uptime, usually as a percentage over a month or a year (99.9% allows roughly 43 minutes of downtime per month).

 

Scalability - The ability of a system to grow or shrink its capacity by adding or removing resources as demand changes.

Vertical Scaling - Scaling up or down by adding or removing resources such as CPU and memory on an existing instance (a bigger or smaller VM size).

Horizontal Scaling - Scaling out or in by adding or removing servers and spreading the load across them.

 

Elasticity - The ability of a system to scale out and in quickly and automatically in response to demand. In Azure this is delivered as autoscaling, driven by rules on monitored metrics (for example, average CPU above 70% for 10 minutes).

Reliability - The ability of a system to recover from failures and keep functioning. Building blocks: autoscaling, multi-region deployment, data backups and replication.

Predictability - The ability to forecast and control the performance and cost of a system.

Governance - The process of defining, implementing and monitoring organisation-level policies for cloud operations, including basic auditing and reporting, so that workloads stay compliant with industry standards such as HIPAA, PCI DSS or GDPR.
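
Worked example (added to these notes, not from the original page): uptime targets are easier to reason about as arithmetic. The SLA percentages below are illustrative assumptions, not quoted Azure figures. Components that all have to be up (a web tier that depends on a database) multiply their availabilities together, while redundant copies (zone-redundant or active/active across a region pair) only fail when every copy fails at once.

```python
"""Uptime arithmetic behind availability targets.

Added example for these notes, not from the original page. The SLA
percentages are illustrative assumptions, not quoted Azure SLA figures.
"""
from math import prod

MINUTES_PER_MONTH = 30 * 24 * 60   # 43,200 minutes in a 30-day month


def allowed_downtime_minutes(sla_percent: float, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Minutes per period a service may be unavailable and still meet its SLA."""
    return period_minutes * (1 - sla_percent / 100)


def serial_sla(slas_percent) -> float:
    """Composite SLA of components that must ALL be up (web tier -> database).

    Availabilities multiply, so every added dependency lowers the overall figure.
    """
    return 100 * prod(s / 100 for s in slas_percent)


def parallel_sla(slas_percent) -> float:
    """Composite SLA of redundant deployments where ANY one being up is enough.

    This is the gain from a zone-redundant or multi-region (region pair) design:
    the system is down only if every copy is down at the same time.
    """
    return 100 * (1 - prod(1 - s / 100 for s in slas_percent))


if __name__ == "__main__":
    single_region = serial_sla([99.9, 99.99])        # assumed VM SLA and DB SLA
    two_regions = parallel_sla([single_region, single_region])
    print(f"single region: {single_region:.4f}% -> "
          f"{allowed_downtime_minutes(single_region):.1f} min/month")
    print(f"active/active in a region pair: {two_regions:.6f}% -> "
          f"{allowed_downtime_minutes(two_regions):.2f} min/month")
```

The parallel formula assumes the two copies fail independently; a shared dependency (one DNS zone, one identity provider) is still a serial term and caps the result.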

HIPAA - Health Insurance Portability and Accountability Act. US Law.

PHI - Protected Health Information.

GDPR - General Data Protection Regulation - EU Law.


Azure Concepts and Services

Regions

  • Geographical areas where Azure datacentres are located.

Region Pairs

  • Two regions in the same geography paired for disaster recovery: platform updates roll out to one region of the pair at a time, and geo-redundant storage replicates to the paired region.

Sovereign Regions

  • Physically and logically isolated instances of Azure for specific jurisdictions (for example Azure Government for US agencies, or Azure China operated by 21Vianet); creating or joining a subscription requires eligibility approval.

Public Clouds

  • The standard global Azure cloud, also known as Azure Commercial.

Availability Zones

  • Physically separate datacentre locations within a region, each with independent power, cooling and networking. A region that supports zones has at least three, interconnected by a low-latency network.

Types of Availability Zone (AZ) Services

  1. Zonal Services: Resources pinned to a specific zone, such as a virtual machine or a managed disk; if that zone fails, the resource is down.
  2. Zone-Redundant Services: Replicated automatically across zones, such as zone-redundant load balancers, ZRS storage and SQL Database, so a zone failure triggers failover.
  3. Always-Available (Non-Regional) Services: Global services such as Microsoft Entra ID, Azure DNS and Azure Front Door that are not tied to a single region.

Resources, Resource Groups, and Subscriptions

  • Resources: Individual manageable items in Azure, such as a VM, a disk, a NIC, a storage account or a database.
  • Resource Groups: Logical containers for related resources (for example all DEV resources), used to manage, tag and delete them together. RBAC permissions and policies can be assigned at the resource group level and are inherited by the resources in it.
  • Subscriptions: Billing and access boundaries for resources. A company can hold many subscriptions, for example one per department or per environment.
  • Management Groups: An optional hierarchy above subscriptions, so that policy and RBAC assignments can be applied once and inherited by every subscription beneath.

 

Core Azure Services

  1. Compute Services
  2. Network Services
  3. Storage Services
  4. Database Services

Compute Services

  • Virtual Machines (VMs): IaaS compute; the customer manages the OS and everything above it.
  • VM Scale Sets: Groups of identical VMs that scale out and in automatically (the equivalent of Auto Scaling Groups in AWS).
  • App Services / Web Apps: PaaS hosting for web applications and APIs.
  • Azure Container Instances (ACI): Run a single container (or container group) from an image without managing a VM.
  • Azure Container Apps: Serverless platform for running multiple containerised services with built-in ingress, load balancing and scaling.
  • Azure Kubernetes Service (AKS): Managed Kubernetes control plane for container orchestration.
  • Azure Virtual Desktop (AVD): Virtualised Windows desktops and apps accessible from desktop, mobile and web clients.

Virtual Machine Scale Sets

  • Groups of identical VMs used for horizontal scaling; autoscale rules increase or decrease the VM count based on demand or on a schedule.
  • Usually paired with a load balancer (Azure Load Balancer or Application Gateway) that distributes traffic across the instances.
  • A single scale set can grow to 1,000 VM instances.

Availability Sets

  • Comparable to placement groups in other clouds.
  • Spread VMs across separate fault domains (racks with independent power and network switches) so that one hardware failure does not take down every instance.
  • Spread VMs across separate update domains so that planned platform maintenance is applied one batch at a time, minimising downtime.

Proximity Placement Groups

  • Logical groupings that keep VMs physically close to each other in the same datacentre to reduce network latency between them.

App Services / Web Apps

  • PaaS web hosting provided by Azure; the customer deploys code or a container and has no access to the underlying hardware or host OS.

 

Windows VM - Installing New Software

  • Open Server Manager and choose Manage -> Add Roles and Features.
  • Select the server roles and features to install.
  • Adding the Web Server (IIS) role turns the VM into a web server; open ports 80/443 in the NSG and the Windows firewall only for the sources that need them.

Vertical Scaling

  • Changing a VM size requires a restart (and sometimes a deallocation if the new size is not available on the current hardware cluster), so plan a maintenance window.

Web Apps

  • The app name must be globally unique because it becomes the default hostname (<name>.azurewebsites.net).
  • Select the runtime stack (Java/.NET/PHP/Python/Node) during creation.
  • Choose the operating system (Windows or Linux) and the App Service plan, which sets the pricing tier and compute size.
  • Optionally configure a database and GitHub-based continuous deployment during provisioning.

Azure Functions

  • Create a Function App by selecting the runtime stack and hosting plan (the Consumption plan bills per execution); this is the executor that hosts your functions.
  • Inside the Function App, add functions containing the code for each task.
  • Choose the trigger for each function: HTTP request, timer schedule, or event-based (queue, blob, Event Grid, etc.).
  • Azure scaffolds sample code for the chosen trigger that can be edited in place.
  • An HTTP-triggered function is invoked through its function URL. By default the URL carries a function key (authLevel "function"); setting the level to "anonymous" exposes the endpoint to anyone who knows the URL.

Container Instances / Container Apps

  • Pull images from Azure Container Registry (ACR) or an external registry such as Docker Hub; prefer a private registry and pin images by tag or digest.

 

Azure Networking

Virtual Network (VNets)

  • A VNet is assigned an address space in CIDR notation (IPv4, optionally dual-stack with IPv6).
  • These addresses are private and are not reachable from the internet.
  • Every VNet is divided into subnets, each with an address range carved out of the VNet's address space. Azure reserves five addresses in each subnet (network address, default gateway, two for Azure DNS, broadcast), and the smallest subnet allowed is a /29.
  • VMs attach to a subnet through a network interface (NIC). A VM can have more than one NIC and therefore sit in more than one subnet.
  • A public IP address can be associated with a NIC so the VM is reachable from the internet; that exposure should be limited by an NSG.

Network Security Group (NSG)

  • Acts like a stateful virtual firewall attached to a subnet or a NIC; all traffic entering or leaving passes through its rules.
  • Every NSG has default rules: inbound traffic from within the VNet and from the Azure load balancer is allowed, all other inbound traffic is denied, and all outbound traffic is allowed. Allow rules must be added explicitly to expose a service to the internet.
  • Rules are evaluated in ascending priority order (lower number first) and the first match wins, so a Deny at priority 200 beats an Allow at priority 300.
  • Together the rules form an access control list (ACL) for ingress and egress flows.
  • Each rule matches on the five-tuple:
    • Source IP (address, CIDR range, or a service tag such as Internet or VirtualNetwork)
    • Source Port
    • Destination IP
    • Destination Port
    • Protocol (TCP, UDP, ICMP or any)
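
Worked example (added to these notes, not from the original page): a small model of how an NSG evaluates an inbound packet. The custom rules, addresses and the service-tag ranges are constructed; the three default inbound rules mirror the ones Azure creates in every NSG. It shows priority ordering (a Deny at 200 shadowing an Allow at 300 for internet sources), the fall-through to DenyAllInBound, and a reviewer's check for management ports opened to any source.

```python
"""How an NSG decides whether an inbound packet is allowed.

Added example for these notes, not the original page's code. The custom
rules, addresses and service-tag ranges are constructed; the three default
inbound rules mirror the ones Azure creates in every NSG.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # IP, CIDR, "*" or a service tag
    source_port: str     # port, "lo-hi" range or "*"
    destination: str
    destination_port: str


# Constructed stand-ins for service tags; Azure resolves the real ranges itself.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    if spec == "Internet":   # simplification: everything that is not the virtual network
        return not _addr_match("VirtualNetwork", addr)
    return any(ip_address(addr) in ip_network(n) for n in SERVICE_TAGS.get(spec, [spec]))


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(rules, src_ip, src_port, dst_ip, dst_port, protocol) -> str:
    """Return 'Allow:<rule>' or 'Deny:<rule>' for the first matching rule by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if ((r.protocol == "*" or r.protocol.lower() == protocol.lower())
                and _addr_match(r.source, src_ip)
                and _port_match(r.source_port, src_port)
                and _addr_match(r.destination, dst_ip)
                and _port_match(r.destination_port, dst_port)):
            return f"{r.access}:{r.name}"
    return "Deny:<no-rule>"   # unreachable while DenyAllInBound is present


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules for a web subnet. The Deny at 200 shadows the
# broad Allow at 300 for internet sources because the lower priority wins.
CUSTOM_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "Internet", "*", "*", "3389"),
    Rule("AllowRdpFromAnywhere", 300, "Allow", "Tcp", "*", "*", "*", "3389"),
]


def risky_rules(rules) -> list[str]:
    """Flag Allow rules that open SSH/RDP to any source; review these first."""
    return [r.name for r in rules
            if r.access == "Allow" and r.source in ("*", "Internet")
            and any(_port_match(r.destination_port, p) for p in (22, 3389))]


if __name__ == "__main__":
    nsg = CUSTOM_INBOUND + DEFAULT_INBOUND
    print(evaluate_inbound(nsg, "203.0.113.5", 51000, "10.0.1.4", 443, "Tcp"))   # Allow
    print(evaluate_inbound(nsg, "203.0.113.5", 51000, "10.0.1.4", 3389, "Tcp"))  # Deny at 200
    print(evaluate_inbound(nsg, "10.0.2.7", 51000, "10.0.1.4", 3389, "Tcp"))     # Allow at 300
    print(risky_rules(nsg))                                                       # the rule to fix
```

Note that the Allow at priority 300 is still dangerous: it is only the explicit Deny at 200 that keeps RDP closed to the internet, so removing or renumbering that Deny silently exposes the port.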

Peering

  • Connects two VNets so that VMs in either can talk to each other over the Microsoft backbone using private IP addresses.
  • Works across subnets, subscriptions and regions (global peering), but the two address spaces must not overlap and peering is not transitive.
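
Worked example covering the VNet and Peering notes above (added here, not from the original page; every address range is constructed): checks that a subnet layout is valid and that two VNets can be peered. It encodes the five reserved addresses per subnet, the /29 minimum, no overlapping subnets inside a VNet, and non-overlapping address spaces between peered VNets.

```python
"""Address-space checks for VNets, subnets and peering.

Added example for these notes, not from the original page; every address
range below is constructed. It encodes two Azure rules: each subnet loses
five reserved addresses (network, gateway, two Azure DNS, broadcast) and
must be at least a /29, and VNets can only be peered when their address
spaces do not overlap.
"""
from ipaddress import ip_network

AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_SUBNET_PREFIX = 29


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for NICs after Azure's five reserved ones."""
    return max(0, ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET)


def validate_vnet(address_space: str, subnets: dict[str, str]) -> list[str]:
    """Return the problems that would make Azure reject this VNet layout."""
    vnet = ip_network(address_space)
    problems = []
    items = list(subnets.items())
    for name, cidr in items:
        net = ip_network(cidr)
        if not net.subnet_of(vnet):
            problems.append(f"{name} {cidr} is outside {address_space}")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            problems.append(f"{name} {cidr} is smaller than /{SMALLEST_SUBNET_PREFIX}")
    for i, (name_a, cidr_a) in enumerate(items):
        for name_b, cidr_b in items[i + 1:]:
            if ip_network(cidr_a).overlaps(ip_network(cidr_b)):
                problems.append(f"{name_a} and {name_b} overlap")
    return problems


def can_peer(space_a: str, space_b: str) -> bool:
    """Peering is only possible when the two address spaces do not overlap."""
    return not ip_network(space_a).overlaps(ip_network(space_b))


if __name__ == "__main__":
    layout = {"web": "10.0.1.0/24", "db": "10.0.2.0/24", "GatewaySubnet": "10.0.255.0/27"}
    print(validate_vnet("10.0.0.0/16", layout))          # []
    print(usable_hosts("10.0.1.0/24"))                    # 251
    print(can_peer("10.0.0.0/16", "10.0.5.0/24"))         # False: overlapping
```

Running the overlap check before creating a second VNet avoids the common trap of two teams both choosing 10.0.0.0/16 and discovering later that they can never be peered.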

Azure DNS (Domain Name System)

  • Azure DNS hosts public DNS zones and answers internet queries for your domains from Azure's name servers.
  • Azure Private DNS zones resolve private hostnames inside the VNets they are linked to; those names are not published on the internet.

VPN (Virtual Private Network)

  • Encrypts traffic between two endpoints as it crosses the public internet.
  • The on-premises side needs a VPN device (hardware appliance or software) to terminate the tunnel.
  • Azure provides a VPN Gateway, deployed into the VNet, to terminate the Azure end of the tunnel.
  • The VPN Gateway must be deployed into a dedicated subnet named GatewaySubnet.
  • A connection from an individual client (laptop to the VNet) is a Point-to-Site (P2S) VPN.
  • A network-to-network connection (on-premises to cloud) is a Site-to-Site (S2S) VPN.

ExpressRoute

  • Provides a dedicated private circuit into Azure through a connectivity provider rather than over the public internet.
  • Offers lower latency, higher bandwidth and more predictable performance than a VPN.
  • The circuit is provisioned by the connectivity provider (a carrier, ISP or exchange) between your network and Microsoft's edge.
  • It is a private connection, but traffic is not encrypted by default; add MACsec at the edge or run an IPsec VPN over the circuit if encryption is required.

 

Azure Storage:

  • Blob Storage (containers): Object storage for unstructured data.
  • File Storage: Managed SMB/NFS file shares.
  • Queue Storage: Simple message queues for decoupling application components.
  • Table Storage: NoSQL key-value store.
  • Disk Storage: Managed disks for VMs; Standard HDD, Standard SSD, Premium SSD, Premium SSD v2 and Ultra Disk.

General Purpose v2 (GPv2) Storage Accounts:

  • The default account type, supporting blobs, files, queues and tables.
  • Data Lake Storage Gen2: A GPv2 account with the hierarchical namespace enabled, used for high-volume analytics data.

Blob (Container) Storage:

  • Stores unstructured data (blobs) such as documents, images, backups and logs.
  • Each container has an access level: private (default, authentication required) or anonymous public read. Leave anonymous access disabled at the account level unless a container is genuinely meant to be public.
  • It is a regional service and can be created in any region.
  • Provides zone redundancy, keeping copies in multiple zones or fault domains within the region.
  • Optionally provides geo-redundancy, replicating data to the paired region.
  • Blobs are stored in one of four access tiers. Each colder tier has a minimum retention period; moving or deleting data sooner incurs an early-deletion charge:
    • HOT: Frequently accessed data; highest storage cost, lowest access cost.
    • COOL: Infrequently accessed data; cheaper storage, higher access cost. 30-day minimum.
    • COLD: Rarely accessed data; cheaper again. 90-day minimum.
    • ARCHIVE: Cheapest storage for long-term retention; data is offline and must be rehydrated (hours) before it can be read. 180-day minimum.

Creating a Storage Account:

  • Generates a unique endpoint URL per service (for example https://<account>.blob.core.windows.net) for accessing the data.
  • Redundancy options:
    • LRS: Locally Redundant Storage - three copies within one datacentre.
    • ZRS: Zone-Redundant Storage - copies across three availability zones.
    • GRS: Geo-Redundant Storage - LRS plus an asynchronous copy in the paired region.
    • GZRS: Geo-Zone-Redundant Storage - ZRS plus an asynchronous copy in the paired region.
  • Enable blob versioning and soft delete to recover from overwrites and deletions.
  • Enable event notifications (Event Grid) to track changes.
  • Apply immutability policies (WORM) where data must not be altered.
  • Data is encrypted at rest by default with Microsoft-managed keys (MMK); customer-managed keys (CMK) held in Azure Key Vault are an option.

Inside a Storage Account:

  • Create the specific storage types you need: blob containers, file shares, queues or tables.
  • Generate a Shared Access Signature (SAS) at account, container or blob level to delegate access. A SAS is a bearer token: anyone holding the URL has the granted rights until it expires, so scope it narrowly, keep the expiry short and allow HTTPS only.
  • Create lifecycle management rules to move blobs between tiers or delete them after a set age.
  • Use the Azure Storage Explorer desktop app to browse and manage data.
  • Use AzCopy to copy data between containers in the same or different subscriptions, authenticating each side with a SAS:
    • azcopy copy 'https://<src-account>.blob.core.windows.net/<container>?<SAS>' 'https://<dst-account>.blob.core.windows.net/<container>?<SAS>' --recursive
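
Worked example (added to these notes, not from the original page): before pasting a SAS URL into an AzCopy command or a ticket, check what it actually grants. The account name, URLs and signature values below are constructed; the query keys (sv, sr, ss, srt, sp, st, se, sip, spr, sig) are the ones Azure Storage uses. The eight-hour lifetime limit is an assumed internal policy.

```python
"""Audit a Shared Access Signature (SAS) URL before it is shared.

Added example for these notes, not from the original page. The account
name, URLs and signature values are constructed; the query keys (sv, sr,
ss, srt, sp, st, se, sip, spr, sig) are the ones Azure Storage uses. The
eight-hour lifetime limit is an assumed internal policy.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(hours=8)       # assumed policy for ad-hoc tokens
WRITE_PERMISSIONS = set("acdwxy")       # add, create, delete, write, delete-version, permanent-delete

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 10, 31, 9, 0, tzinfo=timezone.utc)


def audit_sas_url(url: str, now: datetime = NOW) -> list[str]:
    """Return findings for a SAS URL; an empty list means every check passed."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in query or "se" not in query:
        return ["not a SAS URL (missing sig or se)"]
    findings = []

    # Expiry (se) is ISO-8601 UTC; an old token is useless, a long-lived one is dangerous.
    expiry = datetime.fromisoformat(query["se"].replace("Z", "+00:00"))
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"lifetime exceeds {MAX_LIFETIME}")

    # spr=https,http lets the bearer token travel in clear text.
    if "http" in query.get("spr", "https").split(","):
        findings.append("allows plain HTTP (spr)")

    # Permissions (sp): a token handed out for download should be read/list only.
    granted = set(query.get("sp", ""))
    if granted & WRITE_PERMISSIONS:
        findings.append(f"write-capable permissions: {''.join(sorted(granted))}")

    # An account SAS (ss/srt) over every service and resource type is far too broad.
    if "ss" in query and query.get("srt") == "sco":
        findings.append("account-level SAS covering service, container and object")

    # Without sip the token works from any network.
    if "sip" not in query:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed URLs: a narrowly scoped blob SAS and an over-privileged account SAS.
GOOD_URL = ("https://stexample.blob.core.windows.net/backups/db.bak"
            "?sv=2022-11-02&sr=b&sp=r&st=2024-10-31T08:00:00Z&se=2024-10-31T12:00:00Z"
            "&sip=203.0.113.10&spr=https&sig=constructed-signature")
BAD_URL = ("https://stexample.blob.core.windows.net/"
           "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2025-10-31T00:00:00Z"
           "&spr=https,http&sig=constructed-signature")

if __name__ == "__main__":
    print(audit_sas_url(GOOD_URL))   # []
    for finding in audit_sas_url(BAD_URL):
        print("-", finding)
```

A SAS that fails these checks cannot be revoked individually once it is out; the only remedies are rotating the account key it was signed with, or, for a SAS tied to a stored access policy, deleting that policy. That is the argument for short expiries and user-delegation SAS backed by Entra ID.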

Azure File Storage:

  • Presents a hierarchical directory structure.
  • Shares can be mounted on VMs (and on-premises machines) as a drive.
  • Supports the SMB (Server Message Block) and NFS (Network File System) protocols:
    • SMB: Windows, Linux and macOS clients; SMB 3.x with encryption in transit.
    • NFS: Linux clients; NFS shares require a premium file share and, because NFS traffic is not encrypted, are restricted to private network access.
  • Azure File Sync: Keeps an on-premises Windows Server file share in sync with an Azure file share, with cloud tiering so that frequently used files stay cached locally while the full dataset lives in Azure.

Azure Migrate:

  • Hub for discovering, assessing and migrating on-premises servers, databases and web apps to Azure.

Azure Data Box:

  • Physical appliances shipped to you for moving large datasets from on-premises to the cloud offline, in three sizes: Data Box Disk, Data Box and Data Box Heavy (from terabytes up to around a petabyte). Data on the devices is encrypted at rest.

 IAM - Identity and Access Management:

  • An identity can be a person, an application (service principal or managed identity), or a device such as a laptop or printer.
  • Azure Active Directory (Azure AD) has been renamed Microsoft Entra ID.
  • Active Directory Domain Services (AD DS) runs on domain controllers on-premises and manages many identities and machines.
  • Entra ID is not a drop-in replacement for AD DS; it is a cloud identity service that can be synchronised with AD DS (Entra Connect) for hybrid identity.
  • Active Directory communicates with LDAP, Kerberos and NTLM.
  • Entra ID communicates with web protocols: SAML, OAuth 2.0, OpenID Connect and WS-Federation.
  • Entra ID is the identity provider for Azure resources, Microsoft 365 and any registered application.
  • Supports SSO and federation, including external identities such as social accounts (B2B/B2C).
  • Entra ID Conditional Access: A P1/P2 feature that evaluates each sign-in against signals such as user, location, device state and risk (unfamiliar geo-location, new IP, anonymous proxy) and enforces controls, for example requiring MFA or a compliant device, or blocking the sign-in outright.

MFA - Multi-Factor Authentication: Available in the free tier (via security defaults) and combines at least two of:

  • Something we know - Password or PIN
  • Something we have - Hardware token, phone, authenticator app, FIDO2 key
  • Something we are - Biometric (fingerprint, face)

RBAC - Role-Based Access Control:

  • Azure RBAC custom roles can be created in any subscription; custom Entra ID directory roles require a Microsoft Entra ID P1 or P2 licence.
  • Built-in roles cover most needs and should be preferred over custom ones.
  • Start with least privilege (Reader) at the narrowest scope and extend access only as needed; assignments at a subscription or management group are inherited by everything beneath.
  • Three fundamental built-in roles:
    • Reader: View resources only (*/read).
    • Contributor: Create and manage all resources but cannot assign roles to others (the Microsoft.Authorization write and delete actions are excluded).
    • Owner: Full access, including role assignments.
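
Worked example (added to these notes, not from the original page): how Azure RBAC arrives at an allow/deny decision from role definitions, assignments and scope. The Actions and NotActions lists are abbreviated from the built-in Reader, Contributor and Owner definitions; the principals, subscription ID and resource IDs are constructed. It shows why Contributor cannot grant roles (NotActions wins over the "*" in Actions) and why an assignment on rg-dev says nothing about rg-prod.

```python
"""How Azure RBAC decides whether a principal may perform an action.

Added example for these notes, not from the original page. The Actions and
NotActions lists are abbreviated from the built-in Reader, Contributor and
Owner definitions; principals, subscription ID and resource IDs are constructed.
"""
from fnmatch import fnmatchcase

ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Everything except managing access: the reason Contributor cannot grant roles.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"Actions": ["*"], "NotActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_PROD = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-db-01"

# Constructed role assignments: (principal, role, scope)
ASSIGNMENTS = [
    ("alice", "Owner", SUB),
    ("bob", "Contributor", RG_DEV),
    ("carol", "Reader", RG_DEV),
]


def matches_any(patterns, action: str) -> bool:
    """Azure action strings are case-insensitive and '*' spans path segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: str, action: str) -> bool:
    """Effective permissions of a role are Actions minus NotActions."""
    definition = ROLES[role]
    return (matches_any(definition["Actions"], action)
            and not matches_any(definition["NotActions"], action))


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Assignments inherit downwards: a scope covers itself and everything beneath it."""
    scope, rid = assignment_scope.lower(), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def is_authorized(principal: str, action: str, resource_id: str, assignments=ASSIGNMENTS) -> bool:
    """Azure RBAC is additive: one matching assignment is enough (deny assignments not modelled)."""
    return any(p == principal and scope_covers(s, resource_id) and role_permits(r, action)
               for p, r, s in assignments)


if __name__ == "__main__":
    checks = [("carol", "Microsoft.Compute/virtualMachines/start/action"),
              ("bob", "Microsoft.Compute/virtualMachines/start/action"),
              ("bob", "Microsoft.Authorization/roleAssignments/write"),
              ("alice", "Microsoft.Authorization/roleAssignments/write")]
    for who, action in checks:
        print(f"{who:5} {action}: {is_authorized(who, action, VM_DEV)}")
```

The same logic explains a common audit finding: an Owner assignment at subscription scope (alice) silently reaches every resource group that will ever be created beneath it, which is why subscription- and management-group-level Owner should be rare and reviewed.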

Zero Trust Policy Model:

  • Verify explicitly: authenticate and authorise every access attempt using all available signals (identity, device, location, risk).
  • Use least privilege.
  • Assume breach: segment access, encrypt, and monitor as if an attacker is already inside.
  • JIT - Just-In-Time Access: Elevate to a privileged role (Entra Privileged Identity Management) or open a VM management port (Defender for Cloud JIT VM access) for a short window, then revert automatically.
  • JEA - Just-Enough-Access: Grant only the specific permissions a task needs, at the narrowest scope.

Microsoft Defender:

  • Microsoft Defender for Cloud: Cloud security posture management (CSPM) with a free tier that scores configuration against best practice, plus paid Defender plans for workload protection (servers, storage, SQL, containers, Key Vault).
  • Continuously assesses security settings, surfaces recommendations and detects threats across Azure, other clouds and on-premises machines (via Azure Arc).

 

Azure Management and Governance

Factors Affecting Costs:

  • Time: Compute is charged for the time the resource is running; a deallocated VM stops compute charges but its disks still bill.
  • Consumption: Storage capacity, transactions, compute and bandwidth; Functions on the Consumption plan are charged per execution and per GB-second of memory used.
  • Service Tiers: Free, Basic, Standard, Premium (e.g., Entra ID Free, P1, P2).
  • Computing Power: vCPU count and RAM of the chosen SKU.
  • Software Licenses: Windows Server, SQL Server (Azure Hybrid Benefit can reuse existing licences).
  • Egress Bandwidth: Outbound data to the internet is charged.
  • Ingress Bandwidth: Inbound data is free.

Tools and Concepts:

  • Azure Pricing Calculator: Estimate the charges for a planned deployment before building it.
  • TCO Calculator (Total Cost of Ownership): Compares the cost of running workloads on-premises with running them in Azure.
  • Cost Management: Analyse spend, set budgets and alerts, and export cost reports.
  • Automated Tags: Azure Policy can append or enforce tags (owner, cost centre) so that spend can be attributed.

Governance and Compliance:

  • Implementation: Security, legal and regulatory rules set at the company level and enforced across subscriptions.
  • Sample Rules:
    • All servers must run on the latest supported Microsoft versions.
    • All servers must be backed up every 24 hours.
    • All firewalls must block inbound requests from external IPs other than those to port 443.
  • Policy Management (Azure Policy):
    • Deploy resources consistently using ARM templates.
    • Use built-in or custom JSON policy definitions; each definition has a condition and an effect (Audit, Deny, Modify, DeployIfNotExists).
    • Demo:
      • Azure Portal -> search for Policy.
      • Definitions -> search for the built-in definition you want (for example "Allowed locations").
      • Select the definition and choose Assign.
      • Select the scope (management group, subscription or resource group); the assignment is inherited by everything beneath it.
      • Optionally exclude specific resource groups, set parameters, and save.
  • Resource Locks: Prevent accidental deletion or modification, regardless of the user's role.
    • ReadOnly lock: no changes and no deletion.
    • CanNotDelete lock: changes allowed, deletion blocked.
  • Microsoft Purview: Data governance, classification and lineage across Azure and on-premises data.
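
Worked example (added to these notes, not from the original page): a small evaluator for the if/then policyRule shape that Azure Policy definitions use. The three definitions follow the real structure (field, equals, in, exists, not, allOf, then/effect) but are constructed and simplified, as are the resources; alias resolution here only handles top-level properties. It shows the difference between a deny that blocks a deployment and an audit that only reports.

```python
"""A small evaluator for the if/then policyRule shape used by Azure Policy.

Added example for these notes, not from the original page. The three
definitions use the real policyRule structure (field, equals, in, exists,
not, allOf, then/effect) but are constructed and simplified, as are the
resources; alias resolution here only handles top-level properties.
"""
POLICIES = [
    {   # Same intent as the built-in "Allowed locations" definition.
        "name": "allowed-locations",
        "policyRule": {
            "if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
            "then": {"effect": "deny"},
        },
    },
    {   # Block storage accounts that still accept plain HTTP.
        "name": "storage-https-only",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
            ]},
            "then": {"effect": "deny"},
        },
    },
    {   # Report (but do not block) resources missing the 'env' tag.
        "name": "require-env-tag",
        "policyRule": {
            "if": {"field": "tags['env']", "exists": "false"},
            "then": {"effect": "audit"},
        },
    },
]


def resolve_field(resource: dict, field: str):
    """Look up a policy 'field' on a resource: name/type/location, tags['x'], or an alias."""
    if field in ("name", "type", "location"):
        return resource.get(field)
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    # Alias such as Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly:
    # drop the "Namespace/type/" prefix and walk the remaining path under properties.
    value = resource.get("properties", {})
    for part in field.split("/")[2:]:
        value = value.get(part) if isinstance(value, dict) else None
    return value


def condition_holds(resource: dict, cond: dict) -> bool:
    if "allOf" in cond:
        return all(condition_holds(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:        # Azure compares case-insensitively
        return str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value is not None and str(value).lower() in [v.lower() for v in cond["in"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policies=POLICIES) -> list[tuple[str, str]]:
    """Return (policy name, effect) for every policy whose condition matches the resource."""
    return [(p["name"], p["policyRule"]["then"]["effect"])
            for p in policies if condition_holds(resource, p["policyRule"]["if"])]


# Constructed resources, shaped like the request body ARM evaluates at deployment time.
COMPLIANT = {"type": "Microsoft.Storage/storageAccounts", "name": "stprodweu01", "location": "westeurope",
             "tags": {"env": "prod"}, "properties": {"supportsHttpsTrafficOnly": True}}
NON_COMPLIANT = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy", "location": "eastus",
                 "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}}

if __name__ == "__main__":
    print(evaluate(COMPLIANT))        # []
    print(evaluate(NON_COMPLIANT))    # two denies and one audit
```

Because ARM evaluates assigned policies before the resource provider sees the request, a deny effect stops the deployment whether it came from the portal, the CLI, a template or Terraform; that is what makes policy a stronger control than a convention in a wiki.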

CLI Commands:

  • Azure CLI commands start with az:
    • az login, az group create, az vm list
    • The Az PowerShell module provides the equivalent cmdlets (Connect-AzAccount, Get-AzVM) for scripting from PowerShell.

Azure Arc:

  • Management: Projects VMs, Kubernetes clusters and physical servers that live outside Azure into the Azure portal as resources, so RBAC, policy and monitoring apply to them.
  • Compatibility: Works with on-premises infrastructure and other cloud providers.
  • Data Services: Azure SQL Managed Instance and PostgreSQL can run on Arc-enabled Kubernetes.
  • Kubernetes Cluster Management: Apply policy and GitOps configuration to any CNCF-conformant cluster.
  • Agent: Servers must run the Azure Connected Machine agent, which then supports the same VM extensions used on Azure VMs.

IaC (Infrastructure as Code):

  • Tools:
    • ARM Templates (declarative JSON files).
    • Bicep (Microsoft's DSL that compiles to ARM JSON).
    • Terraform.
    • Chef, Puppet (configuration management inside the VM).
    • PowerShell and Azure CLI scripts (imperative).
  • ARM (Azure Resource Manager):
    • The management layer that receives every command, API call and portal action.
    • Authenticates and authorises each request (Entra ID, RBAC, policy, locks) before passing it to the resource provider that creates or modifies the resource, so the same controls apply whichever tool is used.

 

Monitoring Tools:

  • Azure Advisor:
    • Dashboard of recommendations for existing resources.
    • Categories: Cost, Security, Reliability, Operational Excellence, Performance.
  • Azure Service Health:
    • Shows the status of Azure services and regions, including incidents and planned maintenance affecting your subscriptions.
    • Create alert rules to be notified of unplanned outages.
    • Provides a history of past incidents.
  • Azure Monitor:
    • Centralised monitoring for metrics and logs across subscriptions.
    • Collects platform and resource logs into a Log Analytics workspace.
    • Enable insights (VM, container, application) at the service level to capture telemetry and show it on dashboards.
    • Query logs with Kusto Query Language (KQL); Microsoft Sentinel runs on the same workspace for security analytics.
    • Use metrics for near-real-time charts and alert rules.
