(2024 UPDATE LINK IN DESCRIPTION) - AZ-900 Azure Fundamentals Certification Exam Cram

Captions
If the Azure Fundamentals exam is your first Azure certification, it can be a bit intimidating and difficult to dial in your focus as you prepare. So if you want to get ready for AZ-900 without wasting time and money, this is the place. In this exam cram course I'm going to optimize your prep time by touching on each item in the skills measured document and by sharing unique characteristics of the Azure concepts and services that will help you more effectively pick the right answer on exam day. If you stick around to the end of the session, I have another surprise to help you prepare.

The Azure Fundamentals exam is comprised of six areas of knowledge called objective domains, all of which we'll cover in this course, so let's take just a few seconds to touch on those and then we'll get right into module one. Domain one is cloud concepts, which will test your understanding of a number of cloud terms and your understanding of cloud computing models. That is followed by core Azure services, which is really going to focus on some foundational components of the Azure platform, followed by core solutions and management tools, which will drill down into the services and tools within Azure. Then comes security, with module 4 talking about general security and network security features. Module 5 is going to drill down on identity and governance, which are more technical topics, as well as privacy and compliance, which in this case will be less technical. The final domain is cost management and service level agreements. Since this is a fundamentals exam, you want to make sure you're focused on the right technical level, so you'll notice that the verb in each of these domains is the word "describe". When we see "describe" there, that tells us that we need to be able to explain concepts and services and identify the use cases where they apply.

So I just want to cover off comparing cloud models and services with you, and this is an area where I think you can expect a fair bit of focus. This is up in objective domain one, but let's dig in here. The services we're talking about here are infrastructure, platform, and software as a service, the "as a service" offerings in the cloud, and then your cloud models, which are private, hybrid, and public. Now all of these are going to be tied together in a discussion around the shared responsibility model, which you're expected to understand. So let's start by covering the shared responsibility model and then we'll dig into the cloud models and services.

When you're on-prem, you are the responsible party. This is a hundred percent yours; you own the stack. You are the customer, in blue; the cloud service provider is the CSP that will show up in gray. Now as we move into cloud with infrastructure as a service, you see the CSP, Microsoft in this case, takes ownership of some of the stack. They're providing you the underlying networking, storage, server, and virtualization layers; you're managing your virtual machines and patching the applications you're running on them. When we move into platform as a service, Azure Web Apps for example, or Azure SQL, you're managing data and applications, but Microsoft is providing additional functions here, so you're not worried about operating systems or runtime or a SQL Server instance; Microsoft is managing a lot of that middleware for you. And then in the world of software as a service you're basically configuring features: you are a consumer of a service that is owned lock, stock, and barrel by Microsoft and managed by them end to end. What you notice here is that the CSP responsibility is greater as we move to the right. So that's the shared responsibility model. In the world of IaaS, just know that you're taking care of a little bit more than you would be in the world of PaaS, and then even less so in SaaS, so you have to think about that as an operational consideration for sure.

So let's break down the cloud models. With infrastructure as a service, Microsoft provides you the building blocks: network, storage, compute, virtualization. They're staffing the data center, they're managing the hardware, they're managing the people, so really you're using the stack that they give you there. Azure Virtual Machines is where this factors in; if you come from the world of Amazon EC2 or Google GCP Compute Engine, if you're coming to Azure from one of those other platforms, that's what you'd be dealing with. So let's talk about platform as a service. In the PaaS option here, you're responsible for deployment and management of your app, so in a web app scenario or an Azure SQL scenario you're dealing with code and data, and Microsoft is dealing with the underlying configuration, hardware, operating system, and to a fair degree the provisioning details under the hood. Azure SQL, API Management, Azure App Service: all great examples of platform as a service in the Microsoft stack. So let's talk about software as a service now. In the world of SaaS you're really configuring features; Microsoft is giving you a service that they manage, and they're responsible for management, operation, and availability of the stack. A great example there is Office 365.
In the world of third-party SaaS you might be familiar with ServiceNow or Salesforce, just to give you a basis of comparison. Okay, so let's talk through cloud computing in terms of benefits, and then we'll get into the private, hybrid, and public cloud models here. I'm going to use some word association to help you lock some terminology in your mind as we move forward through some concepts in the next couple of tips. So, benefits of cloud computing: it's global, it's secure, it's scalable, it's cost effective, it doesn't require substantial capital expenditure outlays, and it typically lowers the skills bar for us, at least when we're dealing with public cloud, as an example.

So let's dig into public cloud. With public cloud we're running everything on our provider's hardware, and we expect scale and agility are built in: our ability to react is greater, there's a reduced need for maintenance, our skills within our IT department can be lower and we can still move into the cloud, and we can leverage our cloud service provider's knowledge, Microsoft's knowledge and experience in this case. With private cloud, it's really just a cloud environment in your own data center. In terms of advantages, if you need legacy support or you need control or you have specific regulatory compliance needs, the private cloud is under your control, so you can manage all of these scenarios, you can accommodate all of these scenarios, where public cloud is not going to be so straightforward in that respect, because a public cloud is always up to date and will have limited concern for legacy scenarios, and may not address all of your compliance scenarios if they are less common. Now do bear in mind that you will be tested on some of those compliance elements, and Microsoft Azure has more certifications than any other cloud provider out there, so you'll find that Microsoft can accommodate a lot of compliance, but maybe not all of them. In a hybrid cloud scenario, this combines the public cloud scenario and the private cloud scenario, allowing you to run your apps in the location that best suits. The real advantage here is flexibility: if I have the need for legacy support or some odd compliance scenario, I can go to my private cloud; if I'm prioritizing scalability and agility, I can go the public option. So hybrid just gives me the advantage of choosing where I want to go. And of course with Microsoft we have great capability to connect our private and public clouds in that hybrid scenario: we can use Azure AD Connect, we can use a site-to-site VPN, we can establish what we call the synchronized identity model, which is the most common identity model out there. So Microsoft Azure is a great supporter of hybrid cloud.

Is your frontline support struggling with too many Microsoft cloud portals? Now they can manage Office 365 users and devices directly from Microsoft Teams using Simon, the AI-powered chatbot for the Microsoft cloud. A link with more info is in the video description.

So, cloud concepts. There are some concepts that you're expected to be familiar with, and I want to call them out here and again associate some terms to some concepts to help you lock these into your mind more quickly as you're preparing for AZ-900. Scalability is one that comes up, and scalability generally refers to growth: the ability of a system to handle growth, whether that's users or work. Elasticity may come up; when a system is elastic it can grow and shrink based on our app demand. On premises we typically have to provision for our spike, for our peak, so when we provision a SharePoint farm on-prem, our servers on the front end are sized for our peak. That sort of thing is not necessary in the cloud by and large, because the cloud is elastic and services that we provision can generally grow and shrink based on app demand, and that's particularly true when we look in the PaaS space. Agility: this is the ability to react quickly to changes in demand, so provisioning additional capacity quickly without manual intervention. The cloud also enables agility in terms of going to market, so as environment or market conditions change, the cloud makes us more agile, generally speaking, because we can respond to those changes more quickly than if we had to order additional server infrastructure, go get the budget approval for that, and spin up a big project for all that deployment. Economies of scale, bottom line: when you're working with a cloud provider like Microsoft, they have lower per-unit cost than you could achieve on your own because they are operating at a larger scale, at a global scale, so they are achieving what we call an economy of scale. Capital expenditure, which you're generally going to hear simply called CapEx, is spending money on physical infrastructure up front, so when you're buying servers, that's an example of CapEx, as is buying infrastructure for your private cloud. Operational expenditure, typically just called OpEx, is spending money on services or products now and being billed as you go, and that's really where the cloud comes in. So the cloud means we're trading CapEx for OpEx, typically. It doesn't mean that we're necessarily spending less money in all cases; it simply means that the nature of our spending is different. We're trading CapEx for OpEx when we move to cloud. And a consumption-based model is simply paying for what we use: when we pay for a virtual machine, we're paying for increments of time as we run that virtual machine; when we work with Azure Functions or Logic Apps, we may be paying by execution; when we're working with different flavors of Azure Storage, we might be paying by gigabyte, and paying a different price depending on how long we retain that data. So pay for what you use, typically based on per unit of time or capacity, so minutes, gigabytes, executions, etc., including but not limited to those models.

For tip number five, I've broken some concepts out separately because they all fall into that area of high availability and disaster recovery, so I want to help you sort these out in terms of their scope. The first term is fault tolerance. This is the ability of a system to handle faults like a power failure, a network failure, a hardware failure; typically when you're dealing with fault tolerance you're talking about component-level failures, so that's the scope we're typically dealing with. When it comes to high availability, that's the ability to keep services up and running for long periods of time. So when we're thinking about high availability we're often talking about service-level failures; often we're talking about within a single data center. We're not talking about site failure, but we could be; we're talking about service-level failures though, when we think about it in the cloud context. And then disaster recovery is our ability to recover from an event which has taken down a cloud service. That could be any number of things, like a data center failure, which in the case of Azure would be exceedingly rare. In the case of virtual machines we can use Azure Site Recovery to replicate those VMs and bring them up quickly in the event that we lose those VMs for any reason, and if we had a service fail in a particular region, say Azure SQL failed in a particular region, if we're replicating that database we can bring it up in another region. So disaster recovery comes in many shapes, sizes, and forms in the cloud, but because the cloud is global we don't have to worry about spinning up multiple remote data centers to make sure that our service is always available in the event we have a localized outage at a data center, for example. In a traditional sense, in on-premises compute, in private cloud, we always would think of disaster recovery as recovery in the event of a site failure, but really in the cloud
context, this is a service failure or a site failure; it's not exclusively a site event.

Now we're going to move into the second area of knowledge, which is describing core Azure services, and there are two sections to this objective domain. The first is core architectural components and the other is core resources available in Azure. So let's start with architectural components. You'll notice that the verb here is "describe", so it's the same theme we talked about in terms of technical depth, and we're going to look at regions and region pairs, availability zones, resource groups, subscriptions, management groups, and Azure Resource Manager. All of these are "describe the benefits and usage of"; I just abbreviated for us there. Then we'll finish this section up with "explain Azure resources".

In the area of core architecture components, let's start at the very top and work our way down in terms of scope. At the highest level we have an Azure geography, which is a discrete market that contains two or more regions and preserves our data residency and compliance boundaries. If I just look at a map here, geographies would be laid out something like this: you've got the US, you have Europe, you have Australia, China, there's Africa, South America. Then within a geography are regions, and a region is a set of data centers deployed within a latency-defined perimeter, connected in a dedicated regional low-latency network, so it's fast connectivity amongst this set of data centers. In a region like Azure East US, for example, you're going to have fast connectivity between a number of data centers in a tight footprint, so multiple data centers, small area. The same would be true of East US 2, South Central, Central US, West Central, etc. Now I want to take just a minute and look at geographies and regions together with you in context here. When I look at a geography like Asia Pacific, for example, I can see the regions contained in the Asia Pacific geography. South America has two data centers in Brazil; there are two data centers in Canada and several more in the US; there's Europe with data centers in countries throughout Europe, followed by Africa and the Middle East. So pretty intuitive in that respect.

Now beneath regions we have the concept of region pairs. This is a relationship between two Azure regions within the same geographic region for disaster recovery purposes, so the region pairs will be specific to the geography. Let's take the US, for example: the East US region has a region pair, and its partner is West US. The region pairs are chosen by Microsoft; you don't get to choose these, they are pre-defined, and wherever possible they are selected as a pair with more than 300 miles between them. There are a small number of cases where that's not possible, but generally speaking you're going to have 300 miles between your regions in the region pair. Your Azure services that are highly available, that you also configure as highly available, will have failover protocols that kick in when a region fails, but a region pair is designed to address a failure of a given region.

Then we have availability zones. Availability zones are unique physical locations within a region with independent power, network, and cooling. "Within a region" is the key there, right? So the scope of availability zones is to deal with failures within an Azure region. A zone is comprised of one or more data centers, so East US as a region, for example, will have multiple data centers in a footprint, and it adds tolerance to data center failures via redundancy and isolation. Just looking at an example here, I have a web farm with a SQL back end, and I would have availability zones for each of my front ends and back ends there, so I can tolerate a failure within a data center, and my load balancer is going to be zone redundant, which is a special phrase you will want to park in the back of your mind. Zone redundant comes up in special cases like with the load balancer, so a single IP address in a load balancer scenario here can survive a failure across any of those availability zones. The idea with zone redundancy is that a single front-end IP address would survive a zone failure.

Now we'll look at some logical architecture components, so let's dive in here. We have, at the highest level, management groups, then subscriptions, resource groups, and resources. Let's take a look at how these fit together. At the highest level in these architectural components we have the management group, which can contain one or more subscriptions. We then have resource groups, and a resource group belongs to exactly one subscription; a subscription will typically contain multiple resource groups. And then the resources themselves. Starting with management groups: management groups provide a level of scope above a subscription, so we can bring those subscriptions together into a single boundary for management. Each directory is given a single top-level management group called the root, so all of your subscriptions belong to that root by default; however, we can create management groups that contain a subset of our subscriptions as we like, so we can use that as a boundary for management. Then we have subscriptions. A subscription is a logical container used to provision resources in Azure. And why would I create multiple subscriptions? Well, there are a few reasons. One is when subscription limits are reached: every service in the subscription has certain limits, and sometimes those limits are set beneath the maximum and we can increase those, but at some level you're going to hit a subscription-level limit, so if you have a level of very high scale you may need multiple subscriptions to achieve your scale. Another is to use different payment methods; maybe I have one group that wants to pay with a credit card and another that pays in a different way. Or maybe we're doing it so we can isolate resources between departments and projects, and sometimes these last two go hand in hand: we want to isolate our resources between departments and projects from a security perspective, from a scale perspective, but also from a cost tracking perspective, so payment and isolation can go hand in hand in that respect.

Now a resource group is a container that holds the resources that are related to an Azure solution. A great example of this is an Azure virtual machine: we can use a resource group to group the resources that share a common resource life cycle. And the resources themselves, that can be any entity that's managed by Azure, like a virtual machine or a virtual network or a storage account. Just to cement that concept, I want to have a look at a resource group and the resources it contains with you now. I'm going to switch over to the Azure portal, and I'm at portal.azure.com. If I click on Resource groups it's going to bring me to this interface, and I have pre-filtered down to the resource group I'd like to show you. I mentioned a resource group as a container that contains related resources that share a common life cycle, so in this case I have a resource group that contains a virtual machine, and here I see all of the resources related to that virtual machine: I see the public IP address, a network security group, an interface, a disk, a virtual network. All of these elements are related to my virtual machine, and when this virtual machine's life cycle comes to an end I would typically want to delete all of those related resources as a unit, so I can simply delete the resource group and all of these resources will be deleted as a result. It also bears mentioning that I could use this resource group as a boundary for assigning permissions. You see Access control here; I could apply permissions at the resource group level to give certain people or groups within my organization permissions to that resource.

I want to visualize this last set of architecture components a different way and make a few additional points and recap what we've covered here. Starting at that management group, that's the highest-level logical container. We can use management groups to aggregate policy and initiative assignments; an initiative is a group of policies, and we're going to talk about policies and initiatives later in the governance section. It can contain multiple subscriptions, and all new subscriptions will be placed under the root management group by default, which would contain all subscriptions, but you can create a management group that contains the subset of subscriptions you would like to manage via policy as a unit. Then beneath our management group we have subscriptions; that's a unit of management, billing, and scale. A unit of management we get, but it's also a unit of billing and scale, because our subscription has scalability limits. This serves as a management boundary for assigning policy, governance, and isolation as well, so we get a degree of isolation here, we can apply policies at this level, so it's another management boundary. Our subscriptions will contain one or more resource groups. The resource group is that container that holds resources with a common life cycle, as we saw in the demo earlier, and that common life cycle is the key there; it also makes it easy for us to delete resources as a unit when the life cycle comes to an end. And then of course the resources are contained within a resource group. To be crystal clear there, resources can be a member of exactly one resource group, and a resource group can be a member of exactly one subscription, so the resource group is contained within a specific subscription and the resources are contained within a specific resource group.

Now we're going to dive into the second half of objective domain 2, and this is describing some of the core resources available in Azure. This section is going to focus on compute, network, storage, and database, far from the only
services we'll cover, but there's quite a lot of material in this particular subsection, so let's just get into it. We'll start with compute, so we'll talk about virtual machines, Azure App Service, Container Instances, Kubernetes, in particular the Azure Kubernetes Service, and Windows Virtual Desktop, and then we'll look at networks: VPN, peering, and ExpressRoute. So basically compute and network. Let's just get right into it. On the compute side we have Azure VMs, we have App Service where we'd run web services, we have Azure Container Instances, Azure Kubernetes Service, and Windows Virtual Desktop, so we really want to break these down in such a way that you know a bit about each service but you can spot where it fits into a use case on the exam.

Let's start with Azure VMs, one of the basics here. This is server virtualization; this is spinning up compute on demand without the need for a hardware purchase. We don't have to buy a Hyper-V host; we can spin up a virtual machine quickly and easily. App Service is an HTTP-based service for hosting web applications, so think hosting websites or web apps, REST APIs, mobile back ends, and of course, since it's HTTP based, you'd secure that with TLS, Transport Layer Security, or SSL, using a certificate. Azure Container Instances, this is running Docker containers on demand in a managed serverless environment; you're quite literally just spinning up a container and you don't worry about anything else. Now the catch here with ACI, with Azure Container Instances, is that it's a solution for any scenario where you need to run an isolated container without orchestration, which means we don't have the benefit of a Kubernetes cluster in this case. You'll see ACI come up in truly an isolated scenario where you need to run a containerized application without orchestration, but it can also function as a burst mechanism for an Azure Kubernetes Service instance, so you could burst out into ACI. But generally speaking, what you want to focus on here is isolated containers without orchestration; there's no orchestrator here like you have in a Kubernetes cluster. Azure Kubernetes Service is a hosted Kubernetes service where Azure handles the critical tasks like health monitoring and maintenance for you. The cluster itself is managed for you, and that being said, AKS is free; you basically pay for the agent nodes, you pay for the virtual machines where the workloads run within your cluster, not for what they call the masters or managers. Effectively, that piece is managed for you. Windows Virtual Desktop is a desktop and app virtualization service that runs in Azure, so IT pros and managed service providers can spin up Windows 10 virtual desktops in Azure at high scale. This has been a really popular solution in the work-from-home revolution, and in particular what's been brought on in 2020 with pandemic work-from-home requirements.

Now we're going to talk about network services in Azure. We'll talk about virtual networks, about VPN gateways, about VPN in particular, VNet peering, and I'll share a little secret as to why VNet peering is actually necessary, and we'll cover ExpressRoute and how you can spot questions where ExpressRoute is the answer on the exam. So let's talk about virtual networks. This is a logical representation of your IP-based network in Azure; you'll often see a virtual network referred to simply as a VNet, two ways to reference the same thing. A VNet contains one or more IP subnets. Subnets are where your virtual machines and your other components are actually connected within that virtual network, so I can have one subnet or multiple subnets. VNets provide logical isolation in Azure dedicated to your subscription, so it's your network; think of it as a dedicated private cloud-only network. We can connect it to our on-premises network by configuring a site-to-site VPN, for example, so I can extend the network in my data center to Azure and I can route traffic to and from my Azure subscription across that site-to-site VPN. This enables hybrid cloud scenarios. In fact, one other thing you want to remember: VMs in different virtual networks cannot communicate by default. VMs within the same VNet can communicate, but when the virtual machines are in different VNets, in different virtual networks, they cannot communicate. A VPN gateway is what sends encrypted traffic between an Azure VNet and an on-premises location over the internet. This is a core component of hybrid cloud: we're connecting our on-premises network across the internet with a site-to-site VPN. The traffic on a site-to-site VPN actually traverses the internet; that's important to know. It's encrypted, of course, but it's traveling across the internet. Now VNet peering is how we can connect two virtual networks, two or more virtual networks really, seamlessly in Azure, so that would allow us to connect our virtual networks so our virtual machines can communicate, so we can direct traffic between those. Two networks then function as one in terms of connectivity, which gives us a way to route traffic in complex environments. ExpressRoute is a solution that extends our on-premises networks into Azure over a private connection with the help of a connectivity provider, a telecom provider. So ExpressRoute is the same concept as site-to-site VPN in that it connects Azure to our on-premises data center network; however, the traffic does not traverse the internet, therefore it is, generally speaking, faster, and it is therefore, generally speaking, considered more secure. That is not to imply that site-to-site VPN is not secure; I'm simply saying ExpressRoute, because it does not traverse the internet, because it is a private connection, is more secure. So if you see questions on the exam that talk about connecting your data center to Azure and security and eliminating latency are high priorities, ExpressRoute is going to be a great way to do that. Bear in mind that site-to-site VPN is, generally speaking, going to be less expensive than ExpressRoute, which probably doesn't surprise you. And while it's not super important, I want to take a quick look with you at a VNet and a subnet in an Azure subscription here. I'll just click on my resource group that contains the virtual machine I showed you earlier, and I have a VNet in here. Here's a virtual network; you'll see that it says the type is virtual network, and when I click on that virtual network I can see in here connected devices, so I can see the virtual machine that's connected right by its network interface, and there's its IP address. I can see the subnet that was created, and in fact, when you create a virtual network, the subnet you create is going to be named "default" unless you give it another name, but I can then click this and create more subnets, so I can have multiple subnets within my VNet. Within that virtual network, my virtual machines on my subnets there can communicate. Now when I put virtual machines or anything else in different virtual networks they cannot communicate by default, and that's where VNet peering comes in real handy.

Continuing on the second objective domain, we're still talking core Azure services; we're going to move into discussing storage in Azure as well as the many database offerings in Azure. Starting with storage, let's first look at blob storage, disk storage, file storage, and storage tiers. Blob storage is optimized for storing massive amounts of unstructured data, and unstructured data is a fancy way of saying "not a database". You might use blob storage to store image data or video data that's accessible via your website or your mobile app, or for log files. Azure file storage provides fully managed file shares that are accessible in Azure via SMB or NFS. SMB is Server Message Block, widely used in the Windows world, and NFS is Network File System, commonly
used on the linux platform disk storage refers to managed disks which are block level volumes managed by azure and used with azure vms they're just like physical disks that you would use in servers on premises they're just virtualized and really you just configure a bit of information about the type pick a size and provision so so simplified storage really thank you cloud and storage tier so azure includes hot cool and archive access tiers to store blob object data in a cost effective way so the hot data is data that's frequently accessed and then your infrequently accessed data is going to be in the cool tier for at least 30 days and then your archived tier is stored data that's rarely accessed and it's going to be the highest latency to get uh that data back for uh for visibility so retrieving that archive data is not going to be an instant operation but storing data in the archived tier is going to be very inexpensive and you can use lifecycle management policies to automate uh how the data shows up in these tiers i don't expect that you're going to see anything about lifecycle management policies on the exam but i wanted to throw that out there because that is a pretty common question i hear can i automate which tier the the data shows up in and the short answer is yes so that's not it when it comes to storage in azure so we also have table storage and queue storage that are worth discussing for sure so table storage allows us to store structured nosql data in azure including a schemas key attribute store so i see table storage used in a case where one might normally use a sql database but the relational aspect of sql isn't required where you just need a table of of you know keys and values and what's great about table storage in that respect is it's it's relatively cheap and it's fast and easy to manage at that point so let's talk about queue storage so this is a service restoring large numbers of messages that are accessible from anywhere via authenticated 
http or https calls and because q storage will scale way into the millions of messages this this shows up in in applications many times so cq storage talked about a lot in an application development context but the key word here is messages so you might wonder how how much like you know on-premises physical disks are disks in azure so i'm just going to flip over to my portal here quickly and i'll click on that resource group we looked at earlier in the course and i'm looking at the properties of my virtual machine here and i'm going to click on its disk so just as you would in a virtualization environment on-premises if you needed to examine disk performance you'll see that i can look at disk operations here so immediately i have some metrics that are available to me so i can assess my disk performance and if i find that my disk isn't performing at the level i need i can come in here and resize my disk so now let's transition to databases so quite a few options here we'll talk about cosmos db my sequel postgresql microsoft sql and sql managed instance so i'll point out some differentiating factors of each of these offerings where they fit so you know how to pick them out in the questions on the exam so let's start with cosmos db so cosmos db is a fully managed nosql database designed for modern application development it features ultra low response latency anywhere in the world it has apis for several popular languages and database platforms so essentially it can function as many other types of databases like uh sql mongodb gremlin cassandra spark i've used cosmos db for db myself using the api for so my mongodb queries can work against cosmos db and because it's a global platform the ultra low response latency those are those are keywords you want to remember for the exam and know that really cosmos features fast global access and data convergence in fact when you set up cosmos you can figure how it's going to behave and and where it's going to be available so 
Setting up Cosmos DB in a global configuration is actually not that difficult.

Microsoft SQL, or Azure SQL: this is a fully managed PaaS database engine that handles most of the management functions for you, like upgrading, patching, backups and monitoring. In fact I'll show you an Azure SQL instance in just a moment; we'll have a quick look.

Continuing here, PostgreSQL is very similar. It's a relational database service in the cloud based on PostgreSQL Community Edition. When you look at it in the Azure portal it is a PaaS database offering; it looks very much like Microsoft SQL in the Azure SQL offering, it's simply a different platform under the hood. MySQL, same thing: based on MySQL Community Edition, another PaaS relational database service, and many of the functions handled in Azure SQL are also handled in MySQL. In fact, when you look at these services, they are three distinct services, but they look very similar in the Azure portal and in terms of their features.

Let's just pop over to the Azure portal and have a quick look at an Azure SQL instance. You'll notice the little SQL icon; it says SQL Server. This is my Azure SQL server, and if I click on that server I can come in here and see my SQL databases, and there's my database. As I mentioned, many of the management functions are handled for you in this service. If I go to manage backups, this is a great example, because you'll see this across all three of those services, the Microsoft Azure SQL, the MySQL and the PostgreSQL offering: you have a backup capability and you can configure retention here. You'll notice I can do point-in-time restores all the way up to 35 days, and I can configure my retention. So, similar capabilities across MySQL and PostgreSQL as well.

Closing out our database discussion, we have SQL Managed Instance. This is a cloud database service that combines the broadest SQL Server database engine compatibility with all the benefits of a platform as a service offering, but broadest compatibility is the key here. You'll see this come up pretty typically in situations where we want to migrate an on-premises database to the cloud, and compatibility is key because the database, and perhaps the application, aren't quite ready for the cloud yet. SQL Managed Instance solves that problem.

Closing out this section, the Azure Marketplace. This is a catalog of more than 17,000 certified apps and services as of today, and that's growing, no doubt. Essentially you can seamlessly deploy applications and services from the catalog, and it simplifies billing because you can have a single bill. Remember, in terms of benefits: simplified billing, a single bill for all your Microsoft and third-party offerings. In fact, if I switch over to the Azure portal, you'll see there's a Marketplace icon there, and that opens up the Marketplace, where I see a list of many offers. I can search here for whatever it is I would like to purchase; I can search by keyword or drill down to specific solutions.

As we move into objective domain three on AZ-900, I want to point out an important fact. In the skills measured document for every Azure certification exam I have ever looked at, you're going to find, right up near the top under skills measured, the following statement: this list is not definitive or exhaustive. That means there are elements related to the skills measured that may not be called out explicitly on the list of skills measured but may still appear on the exam. That will become very apparent in a couple of key areas in objective domain three, where I will call out some elements I think you may well see on the exam in spite of the fact that they are not called out explicitly in the skills measured, in part because there are some components I know to be important and commonly used, and in part because I have seen those components called out explicitly in previous versions of AZ-900. We're not going to waste a lot of time on them, but they'll be called out so you have awareness going into that exam.

Objective domain 3 is divided into two parts: describe core solutions available in Azure, and describe Azure management tools. For core solutions we'll touch on the following themes, where you'll need to describe the benefits and usage of the core solutions: IoT; Synapse Analytics, HDInsight and Azure Databricks in the data warehouse category; then machine learning and AI; followed by serverless computing solutions that include Azure Functions and Logic Apps but are not limited to those two components; and in the theme of DevOps we'll talk about Azure DevOps, GitHub, GitHub Actions and Azure DevTest Labs.

Let's get right into it. We'll talk about IoT first, and let's look at IoT Hub. IoT Hub is a central message hub for bi-directional communication between your IoT app and the devices it manages, so bi-directional is a key element here. Sometimes IoT Hub is compared to Azure Event Hubs, and a key difference between IoT Hub and Event Hubs is that IoT Hub is bi-directional. In fact Event Hubs was used in IoT scenarios before IoT Hub was released, but that's one of the key capabilities that IoT Hub brought to the party. Remember that when you see questions around IoT Hub: if you see bi-directional show up anywhere, IoT Hub is bi-directional and Event Hubs is not.

IoT Central is an IoT application platform that simplifies the creation of IoT solutions and helps to reduce the burden and cost of IoT management, operations and development. This really points to the core mission of IoT Central: it was developed to simplify the IoT management process, to reduce the burden and the knowledge level required for organizations trying to manage IoT. In fact IoT Central is a fully managed SaaS solution, so it's really lowering the bar by bringing some native management and monitoring functionality for your IoT devices. Those will be key elements you want to watch for in questions related to IoT when you're trying to find the right solution.

Azure Sphere is a secure, high-level application platform created by Microsoft with built-in communication and security features for internet-connected devices. Essentially it's a Linux-based operating system and a cloud-based security service that provides continuous security. It was created by Microsoft to run on an Azure Sphere certified chip and to connect with the Azure Sphere Security Service, so it's definitely a purpose-built operating system.

Let's talk about data warehouse. If you see Data Lake, Synapse Analytics, HDInsight or Databricks mentioned, that all refers to something related to data warehouse. Now, Data Lake didn't show up explicitly in that list, but I have seen Data Lake in AZ-900 exam descriptions previously, so keep an eye out for that. Any of these four elements would fall into common data warehouse scenarios, so let's break these down and talk about how each fits.

Data Lake, the one not mentioned, is a technology that enables big data analytics and artificial intelligence. It provides less expensive storage than a relational database, and it will store data from a variety of systems, so it'll store data from business systems or other databases. Most importantly, it will store diverse types of data, relational and non-relational, from diverse sources. Data Lake is a place where we can store large volumes of data inexpensively, even if the data is not all of the same type, and it's a place where we can leave data that will not be accessed constantly.

Synapse Analytics is an integrated analytics service that basically gives us off-the-shelf insight into data warehouses and big data systems. Most importantly, perhaps, Synapse Analytics was formerly known as Azure SQL Data Warehouse.
So this is the core solution when it comes to data warehousing.

HDInsight will show up in discussions around Hadoop. It's a cloud distribution of Hadoop that makes processing massive amounts of data quickly much easier, and it supports a number of open source frameworks. If you see Hadoop, Spark, Hive, Kafka, Storm or any of those mentioned, HDInsight may well be the answer you are looking for; those open source frameworks are key when it comes to Hadoop.

Then Databricks, which is another analytics platform optimized for the Azure platform. It offers two environments for developing data-intensive applications, so keep that phrase in mind. They have the Databricks SQL Analytics and the Databricks Workspace, but when you think about developing data-intensive applications, keep that phrase in mind when you're thinking about Databricks.

Let's move into machine learning and AI. There is Azure Machine Learning, Cognitive Services and the Azure Bot Service. We'll start with Azure Machine Learning: this is a cloud-based environment you can use to train, deploy, automate, manage and track machine learning models. This is where you're going to bring your models. Cognitive Services are cloud-based services with REST APIs and client library SDKs that help you build cognitive intelligence into your application, so the keywords there are "build into applications", and it provides cognitive understanding in five main pillars: vision, speech, language, decision and search. Just some defining characteristics for you there, and again we have to describe these components, right? This is really about your being able to identify which components fit into a solution. Azure Bot Service is a managed bot development service that helps you connect with your users via popular channels. It's really a purpose-built environment for bot development, so it's pretty easy to spot, but those are the defining characteristics that will help you pick the right answer on some of those exam questions.

Now, serverless. Logic Apps and Functions were mentioned on that list; it said "including Logic Apps and Functions", so I've added Event Grid here, which also falls into the serverless category. Again, the list is not exhaustive; it only takes a minute to mention it, so I want to put it in front of you, because it's important.

Let's start with Logic Apps: a cloud service that helps you schedule, automate and orchestrate tasks, business processes and workflows, and you can choose from a gallery of hundreds of pre-built connectors, both Microsoft connectors and connectors for third-party services. This is really one of the defining characteristics of Logic Apps. In fact Power Automate, previously known as Flow, is built on top of Logic Apps. Let me just switch over and show you the list of Logic Apps connectors; there's actually a page that lists them. There are hundreds of these connectors, many for Microsoft services and many for third-party services, 300 plus last I checked, and you can leverage these alone or in conjunction with one another. There's no rule against having a workflow in Logic Apps with multiple connectors involved, so it's a pretty exciting capability.

Let's talk about Azure Functions. This is an event-driven, compute-on-demand experience, as Microsoft calls it, that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure as well as in on-premises systems. Code triggered by events is key here; I want you to pay special attention to that phrase. Triggered by events means that the functions are only running when they are triggered, and that is a hallmark of serverless. We'll dig into the difference between platform as a service and serverless in just a moment, but remember that when we're thinking about Functions.

Event Grid enables you to manage events across many different Azure services and applications. Let me just show you here. Really, Event Grid allows us to take events from a number of different sources, all the sources are on the left here, and we can trigger Event Grid and push those over to a handler, so it's what we call a pub/sub model. It's really an app or a service reacting to an event; sometimes you'll hear it described as reactive programming. Bottom line, the way I think of it is that it enables you to easily push events to the configured destination, as opposed to the much less efficient pull model across a serverless architecture. In a pull model you have to set up a subscription and there's polling that happens; the push model eliminates the need for the destination to do a polling operation. That really makes Event Grid a bit of a game changer in that respect.

Okay, so now the million dollar question that I promised we would answer: how is serverless different from platform as a service in terms of responsibility and, really, in terms of functionality? Let's have a look. We have on one hand platform as a service and on the other hand serverless. They do have some common elements, so there's some overlap. Number one, your devs have to write code. In Azure Functions you're going to write code in C#, PowerShell, Python or what have you; serverless, same scenario. There's no server management: with platform as a service and serverless both, you're relieved of managing the underlying infrastructure. That's great.

Now here's where the two differ. Platform as a service does give you more control over the deployment environment. Think about Azure App Service, where we can host web applications; I can configure a wide variety of settings related to the web hosting instance there, which control certain aspects of how my application behaves. On the serverless side you have less control over the deployment environment; think Logic Apps, for instance, which is a great example. With Logic Apps you're really working in a low-code scenario. There's some code involved in Logic Apps, certainly; you're going to be working with certain code-ish elements, but it's a lower-code environment, and you have no control over the underlying environment; it's just there and ready for you to use. On the PaaS side the application has to be configured to autoscale; on the serverless side the application scales automatically. It's not your problem; the scale is built into the platform. On the platform as a service side the application can take a while to spin up, and I've seen this firsthand in the App Service space. There are things you can do to make sure your app is always awake and ready to answer requests, but certainly a web app can go to sleep; the thread can go to sleep when it's not executed for a certain number of minutes, when there are no calls coming in. With serverless, the application code only executes when it's invoked. We're not worried about spinning up: an Azure Function executes when it is triggered; it's code triggered by events, and that's another key difference. So serverless has some small performance advantages, and it relieves us of certain responsibilities; it just adds a bit of additional polish in certain use cases. That's the difference, so now you'll know for the exam.

Now we're going to move into DevOps. We'll talk about Azure DevOps, GitHub, GitHub Actions and Azure DevTest Labs. Azure DevOps is a single platform for implementing DevOps, deploying code using the CI/CD framework, that's continuous integration, continuous deployment. It's how we facilitate agile software development, and Azure DevOps is Microsoft's native platform. There are multiple components within Azure DevOps: there's a Git capability called Azure Repos, and you have your kanban board style functionality in Azure Boards, just to name a couple. On the other hand, GitHub is a service that Microsoft
acquired not too long ago. It's a web-based Git repository hosting service for source code management and distributed revision control. Now Azure Boards provides that sort of capability, but GitHub is a very widely used service across the internet, by many people that don't necessarily use Microsoft technology even. It offers all the functionality of Git for your source code management, but it has a number of its own features. GitHub Actions helps you automate your software development workflows from within GitHub, so it provides some similar functionality to what we would see in the CI/CD scenario in Azure DevOps; that's really what it's helping facilitate, CI/CD, continuous integration and continuous deployment. You can build, test, package, release or deploy an application or project on GitHub with a workflow. CI/CD is the acronym that comes up frequently in DevOps; that's continuous integration, continuous deployment, or sometimes continuous delivery, depending on who you ask.

Then there's Azure DevTest Labs, which provides a self-service sandbox environment so you can quickly create dev/test environments. You're minimizing the waste of deploying virtual machines that sit around running, wasting your funds; it makes it easier to control your cost, essentially. Sandbox is the keyword there, and the focus on minimizing waste and controlling cost. It's about saving money and being more efficient in our dev/test process.

If you're anything like me, you don't like to waste money running your Azure lab VMs 24/7, and that's where the Resource Scheduler for Microsoft Azure can help. It's got a simple web UI, making it an easy way to set up those VM run schedules, and it comes with a free lifetime subscription for 10 VMs or less. You can find it in the Azure Marketplace; you'll find a link in this video's description.

Now we're going to move into the second half of objective domain 3, which will focus on describing Azure management tools. We'll look at the functionality and usage of the Azure portal, PowerShell, Azure CLI, Cloud Shell and the Azure mobile app; we'll talk about Azure Advisor; Azure Resource Manager (ARM) templates, a great deployment capability; and we'll touch on Azure Monitor and Azure Service Health, all in that Azure management bucket.

When we think about interacting with our Azure subscription, we have the Azure portal, which we can go to in any browser. We have Azure Cloud Shell, which gives us access to the Azure CLI or Azure PowerShell in a browser; a very exciting and convenient capability. We have Azure PowerShell, which we typically access on a Windows or Linux system, and then the Azure mobile app, which we can access from any iOS or Android device. Finally, Azure CLI, which is going to be your bash-style command line, also accessible on both Windows and Linux distros. To be thorough, Azure PowerShell and Azure CLI have both been tested on macOS, so it's not just Windows and Linux; bear that in mind.

The Azure portal is our web-based unified console, portal.azure.com, where we can manage our Azure subscription using a web-based GUI; it's our graphical UI. The Cloud Shell is an interactive, authenticated, browser-accessible shell for managing your Azure resources. If you've gone through any of the MS Learn content related to AZ-900, or looked at any of the examples on the Microsoft site, frequently you will find quick start tutorials that leverage Azure Cloud Shell to deploy the capability you're going to work with in that tutorial. Let me just show you the Cloud Shell quickly. Here in the Azure portal there are a couple of ways I can get to the Cloud Shell. Number one, at portal.azure.com I can simply hit the Cloud Shell icon, which switches me over to the Cloud Shell, and there you'll see the bash version of the Cloud Shell. If I use Azure CLI syntax here, I'll do `az account list` and I get a list of my Azure subscriptions. I can also go to shell.azure.com, and that's going to redirect over to start the Cloud Shell for me as well. You'll notice there that we have a couple of flavors: bash or PowerShell, so you can pick your preferred language. I tend to use Azure CLI, so I use the bash version, but the PowerShell version is equally valid. I'll just flip over to the PowerShell version and we'll have a look. That took a minute to come up, but there we have our PowerShell version of the command shell, so I can then just type PowerShell cmdlets. I'll do the same operation but in PowerShell speak, `Get-AzSubscription`, and I can list my subscriptions. So you can pick your language and any browser, which means you can really take this to any client operating system where you have a browser you can work with; very handy in that respect. It includes both those options.

Now Azure PowerShell: this is a set of cmdlets for managing Azure resources directly from the PowerShell command line. You'd use this on your Windows 10 client, for example, or a Linux system, or even a recent build of macOS. The Azure mobile app is an app for iOS and Android that enables managing, tracking health and status, and troubleshooting your Azure resources. I tend to use the mobile app for quick operations, if I need to start a virtual machine for example, or if there's something small that I'd like to look into. I'm not a big fan of working on small screens, but the Azure mobile app has come a long way over the years, and there's a lot of capability at your fingertips there from the phone. The Azure CLI, abbreviated az CLI, is the command-line interface. This is a set of commands used to create and manage Azure resources; this is where we work at the bash command line. I find Azure CLI is very friendly to open source developers who work in the world of Linux, who maybe don't use PowerShell today. Azure CLI is very friendly to the other side of the house, as I sometimes refer to them, but it's available on Windows, macOS, Linux, Docker and Azure Cloud Shell, so you can get to it everywhere.

Azure Advisor scans your Azure configuration and recommends changes to optimize deployments, increase security and save you money. It analyzes the configuration of the resources present in the Azure subscription, so already present, meaning existing resources; this isn't taking place on new deployments that aren't yet deployed. It's focusing on four areas: high availability, security, performance and cost of those existing deployments. In fact, you sometimes get a prompt when you log into the portal that Azure Advisor would like to help you out.

Now we're going to talk about Azure Resource Manager templates, or ARM templates for short. An ARM template is a JSON file that describes the infrastructure and configuration for our project; it's how we describe to Azure what we would like to deploy. Generally speaking, ARM templates are the preferred deployment methodology in Azure, and there's a good reason for that. In part, it's because ARM templates use a declarative syntax. Declarative means that we describe our desired end result in that JSON document without spelling out the exact step-by-step process required to achieve that end result, so we save a lot of time writing out step-by-step code in a script, for example; it's very efficient in that respect. ARM templates are also idempotent, which means we can deploy that template as many times as we want and we get the same resources and the same state as an end result. If I would like to deploy one virtual machine behind an Azure Firewall, attached to a virtual network, and I run that template five times, at the end of the day I will still have, for vm1 in that template, a single virtual machine named vm1 configured as that template defined.
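To make "declarative" and "idempotent" concrete, here is an added Python example (my code for this write-up, not from the course and not Azure Resource Manager itself). It models the five-run scenario above with a toy reconciler: the template declares the desired end state, and each deployment only creates what is missing or corrects what has drifted. The template is a constructed, simplified ARM-shaped document; the resource types are real ARM type names, but the property names are simplified placeholders rather than the real ARM schemas. The example goes one step beyond the text by also modelling ARM's two deployment modes, Incremental (the default, which leaves resources not in the template alone) and Complete (which removes them).

```python
import copy
import json

# Constructed, simplified ARM-shaped template (assumption: real templates carry far
# more detail; only the declarative shape matters here). The $schema URL is ARM's real one.
TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1",
     "properties": {"addressPrefix": "10.0.0.0/16"}},
    {"type": "Microsoft.Network/azureFirewalls", "name": "fw1",
     "properties": {"threatIntelMode": "Alert"}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
     "properties": {"vmSize": "Standard_B2s", "subnet": "vnet1/default"}}
  ]
}""")


def _key(resource):
    """Identity of a resource in the deployed state: type plus name."""
    return f"{resource['type']}/{resource['name']}"


def deploy(template, state, mode="Incremental"):
    """Toy reconciler: move `state` (key -> properties) toward the template.

    Returns (new_state, actions). Nothing is scripted step by step; the caller
    only declares the end result, and repeated calls converge to the same state.
    """
    new_state = copy.deepcopy(state)
    actions = []
    desired = {_key(r): r["properties"] for r in template["resources"]}
    for key, props in desired.items():
        if key not in new_state:
            new_state[key] = copy.deepcopy(props)
            actions.append(("create", key))
        elif new_state[key] != props:          # drift: bring it back to the template
            new_state[key] = copy.deepcopy(props)
            actions.append(("update", key))
        else:
            actions.append(("noop", key))      # already matches, nothing to do
    if mode == "Complete":                     # Complete mode also removes undeclared resources
        for key in list(new_state):
            if key not in desired:
                del new_state[key]
                actions.append(("delete", key))
    return new_state, actions


def run_scenario(runs=5):
    """Deploy the same template `runs` times from an empty subscription."""
    state, history = {}, []
    for _ in range(runs):
        state, actions = deploy(TEMPLATE, state)
        history.append([verb for verb, _ in actions])
    return state, history


def drift_and_repair():
    """Constructed unauthorized manual change, then a rerun of the template to repair it."""
    state, _ = run_scenario(1)
    state["Microsoft.Network/azureFirewalls/fw1"]["threatIntelMode"] = "Off"  # drift
    return deploy(TEMPLATE, state)


if __name__ == "__main__":
    final_state, history = run_scenario(5)
    print("resources after five runs:", sorted(final_state))
    print("actions per run:", history)
    repaired, actions = drift_and_repair()
    print("repair actions:", actions)
```

Run one is all creates, runs two to five are all no-ops, and the rerun after the constructed drift produces exactly one update for the firewall: that is the property the text calls idempotent, and why rerunning a template is a safe way to undo unauthorized manual changes. The Incremental/Complete distinction matters in practice: Complete mode will delete anything in the resource group that the template does not declare, so it should only be used when the template is the full source of truth for that resource group.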
That property of being idempotent means that when we have a situation where our environment has been changed in some way by unauthorized manual changes, I can rerun that deployment template and bring my environment back to the same resources and state that I desire; very handy in that respect. You'll often hear ARM templates used in the same sentence as the phrase infrastructure as code; that's really what we're doing here. I can deploy ARM templates from Azure PowerShell, Azure CLI, Azure DevOps and the Azure portal. I can use them everywhere, really; the ability to use ARM templates is ubiquitous throughout my Azure tooling.

All right, Azure Monitor is a service that collects monitoring telemetry from a variety of sources, not only Azure sources but on-premises sources as well. We can use an agent to gather data, and management tools like Azure Security Center also push log data to Azure Monitor. In fact Azure Monitor aggregates and stores this telemetry in an Azure Log Analytics instance, so that Log Analytics instance is the back-end data store. Finally, Azure Service Health notifies us about Azure service incidents and planned maintenance so we can take action to mitigate downtime. Very simple; all about notification.

Now we're moving into objective domain 4, which is describe general security and network security features. If we look at the skills measured, objective domain 4 is broken into a couple of parts: describe Azure security features, and describe Azure network security. Let's dive right in. For the first part, describing security features, we'll talk about Azure Security Center, including functionality within Security Center like policy compliance, security alerts, secure score and resource hygiene; describing the functionality and usage of Key Vault; functionality around Azure Sentinel, Microsoft's security information and event management solution; and finally functionality and usage of Azure Dedicated Hosts.

Let's get right to it. We have Security Center, Key Vault, Azure Sentinel and Dedicated Host. We'll start with Security Center. This is a unified infrastructure security management system that basically strengthens our security posture through security guidance; Security Center will provide guidance around compute, data, network, storage, apps and other services. I think the best way to tell you about this is to simply show you, so let's take a quick look at Security Center. I'll switch over to my Azure portal, and from the left menu I can click on Security Center and bring up my Security Center overview page. Amongst the features mentioned in the skills measured, I see my secure score here, which shows me my current score relative to the maximum score, with a link with options to improve my score. That link will take me to the recommendations, and in here we will see some of the recommendations around resource hygiene. The recommendations are listed in descending order based on their potential to increase my score; for example, enabling MFA across all accounts with owner permissions, and it shows me the subscriptions where I need to do that. Red means work needs to be done; green would be healthy. We'll see the security alerts capability here; alerts are surfaced right here in the portal if anything has arisen. I can look at pricing and settings, and here's where I can see some difference between the free tier and the paid tier, or standard tier, of Security Center. You're also going to notice here that it mentions Azure Defender. At Microsoft Ignite, the big conference in late 2020, there was a rebranding of Microsoft security products, bringing them all under the Microsoft Defender family, and Security Center comes under the Azure Defender moniker. This is really just a bit of branding; the functionality, whether it's Security Center or listed as Azure Defender, is the same. That's merely a branding change. There's actually a link to a related video in the video description that will walk you through those branding changes that happened at Microsoft Ignite, but I wanted to bring you here to show you the difference between the free tier of Security Center and the paid tier.

In the free tier we get the continuous assessment, we get the resource hygiene and the security recommendations, and we get the secure score, but what we're missing are advanced features like just-in-time VM access, regulatory compliance, and any sort of advanced threat protection; the elements that add advanced functionality, or intelligence as I like to call it, many times are missing. When I turn Azure Defender on, when I go to that standard tier, I can come down here and turn Defender on in Security Center for specific workloads. You see here that servers, App Service, Azure SQL, Kubernetes and Key Vault, all of these workloads, are split out, and I can see the pricing very clearly. I could even use policy to exclude certain instances if I didn't want to pay for a hundred percent of my servers or a hundred percent of my Azure SQL databases. I can certainly break those resources off into separate subscriptions, but even at the subscription level I could get in here and configure that with a little more granularity. Point being, you get some free functionality here that gives you the basics to help improve the security of your environment. Really important feature, very likely to come up on the exam.

Azure Key Vault is a place where we can securely store and access secrets, and this cloud service allows us to store anything that we want to tightly control access to, whether it's an API key, a password, an SSL certificate (a certificate we'd use for secure HTTP communication, for example) or cryptographic keys. I can access Key Vault in a variety of ways: I can access the
Key Vault from the Azure portal, from Azure DevOps, from my ARM templates, from PowerShell, from Azure CLI, or programmatically via API. So it's really ubiquitous in terms of how I can access my secrets during the various deployment options that I have for Azure.

Now Azure Sentinel is Microsoft's cloud-native security information and event management solution, which comes with the additional functionality known as SOAR, security orchestration, automated response. Not only can we ingest data from our many services in Azure and our third-party services that have security information to provide us, like firewalls and network devices for example, but Azure Sentinel can provide orchestrated, automated response where necessary. Azure Sentinel has built-in AI; there's a feature called Fusion that's enabled by default, so AI comes in Azure Sentinel right out of the box, and Microsoft is always working to improve that capability. Azure Sentinel is quite easy to set up, because by and large you're enabling a broad range of connectors, for everything from Azure Active Directory logs to Office 365 connectors, which don't require much beyond pushing a couple of buttons, to connectors that do require some configuration, such as ingesting syslog or Common Event Format data from your network devices.

And Dedicated Hosts: Azure Dedicated Hosts are just what they probably sound like to you. It's a dedicated physical server that's able to host one or more virtual machines in a single Azure subscription, so a host that you are not sharing. I can definitely think of a few very high security scenarios where having a dedicated host, for security and/or performance, may well be desirable, such as if life or death or human safety were involved.

We're going to finish out objective domain 4 by looking at the last half of that domain, which is Azure network security. We'll talk about defense in depth, network security groups, Azure Firewall and Azure Distributed Denial of Service Protection.

Why don't we start with defense in depth. This is a concept that promotes a layered approach to security, basically not relying on one method to completely protect our environment but layering in multiple tools to provide a better security posture; a pretty widely adopted concept in the world of cyber security.

A network security group is a construct that contains security rules that allow or deny inbound network traffic to, or outbound traffic from, several types of Azure resources. For each rule in a network security group you can specify a source and a destination, a port, a protocol, and an allow or deny, and you can apply network security groups to a subnet or on a VM; we can even attach one to a network adapter. In fact, why don't I just show you a network security group. I'll switch over to my Azure portal and click on the resource group for the virtual machine we looked at earlier in the course, and there's a network security group that was created automatically when you deploy an Azure VM. For a Windows VM, when I look at my network security group I will see inbound security rules and outbound security rules. The last rule in terms of priority on the inbound side is deny all inbound: any port, any protocol, any source, any destination. The only thing I have coming from any source, which would include the internet, is an allow rule here that allows Remote Desktop Protocol, so I can use RDP to attach to this VM, and you see the little warning symbol there alerting me that, hey, you have a port open to the internet. I could protect this using the just-in-time VM access feature in Azure Security Center, in Azure Defender, if I wanted, but that gives you a good idea of the default. It feels a little bit like a firewall, but it's not, so it's really something a bit different in that respect. But the network adapter, by the way
you know you may see that referred to as nick in some questions so if you're not super technical and you haven't heard of nick um network adapter and nick are two ways to refer to the same thing all right azure firewall so this is a managed cloud-based network security service that protects your azure virtual network resources and it's a fully stable firewall as a service it's called it has built-in high availability and unrestricted cloud scalability so among the many interesting things about azure firewall is i don't have to deploy multiple virtual network appliances for that high availability and scalability it's built into the service for me so aha comes out of the box by default then finally azure ddos so this is a service that provides enhanced distributed denial of service mitigation features to defend against distributed denial of service or ddos attacks do bear in mind there is a basic tier of azure ddos so the standard tier provides enhanced ddos mitigation and that enhanced tier that standard tier we call it includes logging alerting and telemetry that you don't get in the free basic tier that's present everywhere by default you don't have to do anything for the basic tier now we're going to move into objective domain 5 where we'll talk about identity governance privacy and compliance features in azure and this objective domain is broken up into a few parts so we have described core azure identity services describe azure governance features and describe privacy and compliance resources so let's start with azure identity services we'll talk about the difference between authentication and authorization we'll talk about azure active directory and what is azure ad exactly and finally we'll touch on some related concepts that pop up in azure active directory discussions specifically conditional access multi-factor authentication and single sign-on so let's start with authentication and authorization which we we also call authen and auth z so authentication is 
the process of proving that you are who you say you are, and then authorization is the act of granting that authenticated party permission to do something. So I kind of think of this as identity and access, really, if I'm breaking it down into plain English.

Now Azure Active Directory, which is Azure AD for short, is Microsoft's cloud-based identity and access management service. It helps our employees sign in and access resources: internal resources such as apps on our corporate network or custom cloud apps, or external resources like Microsoft 365 and the Azure portal and many SaaS apps that show up in the catalog or that I integrate or federate with my Azure AD instance. So let's touch on single sign-on, multi-factor authentication and conditional access, and we'll have a look at Azure AD in a moment so we can tie all of these concepts together and just solidify in your mind what we're talking about here conceptually.

Single sign-on means a user doesn't have to sign into every application they use. Essentially the user logs in once and that credential is reused for multiple apps, but the logging in once is the key there, and single sign-on based authentication systems are often called modern authentication. Multi-factor authentication works by essentially requiring two or more authentication methods, so beyond just entering a password, MFA would take something you know, like a PIN or a password, and couple that with something you have, like a trusted device, and/or something that you are, like a biometric, using your face or a fingerprint. Something you have, a trusted device with the Authenticator app, is typically how we see folks authenticating to Azure Active Directory. The whole idea of authentication and authorization, the concepts we're talking about here, the rabbit hole runs really deep; you can expect that you won't get into too much depth on the AZ-900 exam, thankfully.

Conditional access is used by Azure Active Directory to bring signals together to make decisions and enforce organizational policies in scenarios where a user attempts to access resources. So essentially, when a user attempts to log in, a conditional access policy is going to look at their location, the device, the application they're trying to log in with, and then real-time risk (are they coming from a strange IP address, for example), and based on that we'll verify the access attempt and allow access, or if there's some risk require multi-factor authentication, or if there's extreme risk block access altogether. If the user gets past these gates they can get to the resource they are requesting access to.

So let me just switch over to the Azure portal and show you around conditional access in Azure AD briefly. We'll just switch over to portal.azure.com, and I've actually clicked on Active Directory, and if I scroll down under Security I can get down here to Conditional Access and we'll just look at a conditional access policy. I'll really just get down into any conditional access policy so you can see some of the settings. I can assign a policy to specific users and groups, and I can include and exclude users based on who they are or the roles they're in. I can assign my policy to be effective for specific apps or even all apps, and I can put some exclusions in here; it can be very selective, so all cloud apps, but I can exclude specific apps. When I get down to Conditions here, you'll see that I can provide other conditions that my policy can use to assess the access attempt. So if I've turned on the Identity Protection feature, which comes in the higher Plan 2 tier of Azure AD, I can incorporate risk into the process. If the user is assessed as being medium or high risk based on their circumstances, maybe they're coming from an unfamiliar IP or they've exhibited impossible travel, we can take action based on that. We can look at sign-in risk, so the specific risk level and which levels this policy will apply to. I can look at device platform, so I could enable this policy to be specific to certain devices; maybe I'm only looking at my mobile platforms for this particular rule, for example, or maybe I'm just looking at my Windows desktops. I can look at location. Just as important as providing a second factor of authentication is not providing a second factor when it's not necessary, so for example I might want to exclude named locations. If I have trusted locations, like my office for example, I don't want to prompt a user when they're coming from a trusted managed device in the office; that's really just annoying, isn't it? So I might exclude those locations. Lots of capabilities here. Then, once all my conditions are met or not, I can configure the conditions under which I grant access. For example, I can block access based on conditions, or I can grant access based on one or multiple of these items. You'll notice here I can require multi-factor, a device to be marked as compliant, a device to be hybrid Azure AD joined, or using an approved app, and you'll notice here for multiple controls I can require all or require only one of these items. So a lot of flexibility in Azure AD conditional access, and I can even enable a policy for report-only, so I can apply a policy in report-only mode and see what the impact would be. Pretty exciting functionality, really.

So next in objective domain 5 we'll talk about Azure governance features. We'll touch on role-based access control, resource locks, using tags, functionality around Azure Policy, we'll touch on Blueprints, and briefly touch on the Cloud Adoption Framework for Azure. So, governance features: we have role-based access control, which helps us manage who has access to Azure resources, what they can do with those resources, and which areas they have access to. This is built on Azure Resource Manager, and it provides fine-grained access management of Azure resources. In fact, if I look in Azure Active Directory there's a Roles and administrators area where I can see pre-defined roles that are available to me, so I can configure a very granular role-based access control strategy, and incidentally I can also use the new custom role option here to create custom roles, so I can even further target my role-based access control strategy, how I delegate permissions in my environment.

Resource locks allow us to prevent users in our organization from accidentally deleting or modifying critical resources deployed in our Azure subscription. The lock overrides any permissions that the user might have, so it's a preventative measure, really.

So let's talk about Azure governance; let's get into Policy, initiatives and Blueprints. Azure Policy: this is a definition of the conditions that we want to control or govern in our environment, so we use Azure Policy to help enforce our standards. I can ensure that virtual machines are only deployed in certain sizes, that they're only deployed to certain regions, I can enforce naming conventions, quite a wide variety. An initiative is a collection of Azure Policy definitions that are grouped together to help work towards a specific goal. Way back in objective domain 1 we talked about management groups and subscriptions, for example, and management groups are a really common boundary used to apply our policy, so we can actually enforce our standards across multiple subscriptions at the same time; it's how we can provide that consistency at scale. You may see Blueprint come up somewhere. A blueprint is a container for composing sets of standards, patterns and requirements for implementation of our services, security and design, and Azure Blueprint is often used in the same sentence as the phrase "new environment". Incidentally, Blueprint was not mentioned on the skills measured, but again, going back to that phrase "neither exhaustive nor definitive", I wanted to just mention Blueprint so you've got that in your head in case Blueprints shows up somewhere.

And tags: a tag is a name and value pair used to logically organize Azure resources, resource groups or subscriptions into a logical taxonomy, an ordered structure that is to say. Tags are often the basis for applying business policies or tracking costs. For example, I might have a tag that contains the cost center, I might have a tag that contains the owner of a resource, so I can use it for tracking costs, or I may use tags in the application of policy, enforcing my standards on an environment. We can even enforce tagging rules within our Azure Policy, so we can make sure that when resources are deployed the required tags that we would like applied are in fact applied, so we don't let resources go into our environment without tags, which could be important in making sure we can always track costs, we can always apply business policies, and we always have an owner of a resource should there be a need to contact the owner.

You may see questions around the Cloud Adoption Framework, and you just need to understand what the Cloud Adoption Framework is for, really; you're not expected to know this at any level of technical depth. The Cloud Adoption Framework is guidance from Microsoft designed to help you create and implement the business and technology strategies you want to succeed in your Azure deployments. I'm actually just going to switch over to a browser here. The Cloud Adoption Framework for Azure is laid out in the form of documentation and tools, and if I scroll down here they've defined a cloud adoption journey that starts with strategy, we plan, prepare our environment, go through the migration process, there's a governance section, and then some guidance around ongoing management. So it pays before the exam to just read through this and get a feel for the resources available in Microsoft's Cloud Adoption Framework. And in the final section of objective domain 5
we'll talk about privacy and compliance resources, a decidedly less technical subject. We'll talk about the core tenets of security, privacy and compliance, we'll talk briefly through the Microsoft Privacy Statement, Online Service Terms and the Data Protection Amendment (there's actually a mistake in the AZ-900 skills measured here, so I'll talk to you about that as well), we'll talk about the purpose of the Trust Center, we'll take a look at where you find the Azure compliance documentation, and then talk briefly about Azure sovereign regions, specifically talking about Government and China, and we'll throw Germany in there for good measure.

So let's start with the tenets of security, privacy and compliance. Security is about protecting data that's entrusted to Microsoft using strong encryption and access control, so this is really about how Microsoft protects our data, the data that we entrust to Microsoft and their platforms. Privacy is about Microsoft making meaningful choices about how they collect data and why that data is being collected and used, and of course informing customers that that data is in fact being collected. One of the most admirable things about Microsoft is how transparent they are about our privacy versus many big tech companies out there today; Microsoft always does their best to tell us how they're collecting that data and why that data is being collected and used, so we're never in the dark about that, we're never the product, so to speak. And then compliance with regulations is critical, and Microsoft aims to ease this task for Azure customers, which in part means giving us the ability to see which regulatory compliance standards out there Azure has been certified for. So part of our compliance with regulatory standards as a customer would be ensuring that our services are running in an environment that is in fact compliant with those same standards, or at least has the controls to allow us to configure our services in such a way that they are compliant.

The Azure compliance documentation has been grouped together to make it easy to find. Microsoft groups that compliance documentation geographically and by industry as well, and you'll also find template audit documents that you can tailor to your needs, or to your customers' needs if you're a partner. So let me just switch over to the Azure portal quickly here. If we look at the Azure compliance documentation area here, you'll see that the compliance offerings are sorted based on industry, as I mentioned, and then you'll also see some regions. There are some standards that are global, of course, but if I scroll down here I see geographies and industry, so there's Americas, APAC, EMEA. It's pretty well documented and it's searchable here, so all of the compliance documentation you need to ensure your organization complies with a legal or regulatory standard is right here. Just know that's available for the exam, and how it's organized.

All right, let's talk about the Microsoft Privacy Statement, which explains what data Microsoft processes, how Microsoft processes that data, and for what purpose the data is utilized. So the what and the how, and then really what purpose tells us why they are processing that data. Online Service Terms: this contains all the terms and conditions for software and online services through Microsoft commercial licensing programs, and this is an area where there's a small error in the AZ-900 skills measured, because the Online Service Terms has been consolidated within another document called the Product Terms site, and the Online Service Terms, or OST, has been archived. So OST is now contained within Product Terms. I'm not sure which you'll see on the exam; I just wanted to point out that there's been a change that hasn't made its way into the exam as of February 2021, or at least hasn't made its way into the exam skills measured area, let's put it that way. But it focuses on commercial licensing; just park that in the back of your head.

You'll also want to know the purpose of the Data Protection Amendment, or DPA, as it's called out in the skills measured. This further defines data processing and security terms for online services, and gives us information around compliance, disclosure, security, data transfer and data retention. This is another minor typographical error in the skills measured for AZ-900: the Data Protection Amendment is actually the Data Protection Addendum, so the DPA is the Data Protection Addendum. Don't overthink it; I just wanted to point that out in case it shows up in a form different than what you see in the skills measured as of February 2021. Just worth having that information in hand.

And the Trust Center: this is where you can learn about the four foundational principles of trust with Microsoft: security, privacy, compliance and transparency. The four principles of trust will be the key to remember as you go into the exam. In fact, if you just go in a browser to the Trust Center at Microsoft, you can see those four principles called out in their statement right here on the Trust Center home page, and you can get to that Trust Center quite easily; it's just microsoft.com/trust.

All right, Azure sovereign regions. These are special regions that you might need to consider for legal or compliance purposes, so specifically I'm talking about Azure Government, Azure China and Germany. These regions have a couple of things in common. Number one, they're operated by special trustees, so in the case of Government, that's U.S. Government, it's operated by screened persons; the China cloud in Azure is operated by a China-based trustee, it's a partnership between Microsoft and a company called 21Vianet; and similarly Germany has a trustee model in that situation as well. And then there's physical and logical isolation; in particular with the U.S. Government cloud, it's described as a physically and logically network-isolated instance.

All right, we're ready for the big finish here. Objective domain 6 is described as Azure cost management and service level agreements. You're almost there. In objective domain 6 we have describe methods for planning and managing costs, and describe Azure service level agreements and service lifecycles, so just these two parts. Let's start with part one here. We'll talk about what can affect costs, how we can reduce costs, and then we'll touch on the functionality of the pricing calculator and the total cost of ownership calculator, and the functionality and usage of Azure Cost Management.

Cost impact: factors that can affect Azure resource cost include the types of resources we're deploying (are we deploying VMs, are we deploying Cosmos DB), the location we're deploying to (the cost of resources will vary slightly by location, and maybe considerably when you switch between different geographies), and ingress and egress traffic. Ingress traffic is typically free in the Azure realm, although you don't want to count on that always; you want to look at the billing model for a service. Egress traffic often costs money, and that can be a little bit unpredictable, so it's an area that you want to be very cognizant of, very aware of, as you deploy services. If you're going to have a large amount of egress traffic, traffic leaving your Azure subscription, you can potentially rack up a lot of cost there that won't be entirely transparent to you ahead of time.

There are a few different ways we can reduce our cost in Azure. Factors here include reserved instances, reserved capacity, the hybrid use benefit and spot pricing, so let me break each of these down for you so you're familiar with how they work and where they apply. Reserved instances allow us to reserve virtual machines in advance and save up to 72 percent compared to pay-as-you-go pricing by selecting a one-year or three-year commitment. The longer commitment will result in greater savings, but it's virtual machine specific, and there is a scheme whereby if you can't see out your one-year or three-year commitment you can get some sort of prorated refund there, so it's not a total loss if you can't make it to the one or three year mark. Reserved capacity brings significant savings around Azure SQL Database, Cosmos DB, Synapse Analytics and Azure Cache for Redis, and this discount again is product specific. So in these first cases we're talking about how planning and reservation can help us save cost. Reserved capacity allows us to more easily manage costs across both predictable and variable workloads, basically allowing us to optimize our budgeting and our forecasting, but it also includes one-year and three-year options, just as we saw with reserved instances; it's just that reserved capacity applies to a different type of workload. Okay, the hybrid use benefit is a licensing benefit. This allows us to reduce the cost of running our workloads in the cloud by leveraging some existing licensing, so essentially it lets us use our on-premises Software Assurance-enabled Windows Server and SQL Server licenses running on Azure. When you couple reserved instances together with hybrid use benefits you can save up to 80 percent on your virtual machine workload, so that's really a significant number, but it's Windows Server, SQL Server, Red Hat and SUSE Linux where the hybrid use benefit applies. And then there is spot pricing. With spot pricing you can access unused Azure compute capacity at very deep discounts, up to 90 percent in fact compared to the pay-as-you-go pricing, and this applies to Azure VMs only. The thing to remember with spot pricing is you're using unused capacity, and when you set up a VM on spot pricing you have to define the circumstances under which your virtual
machine workload can be evicted when Microsoft needs to use that unused capacity. So when you have workloads that aren't mission critical, where you have some flexibility in when it runs and if it's killed occasionally, spot pricing allows you to save a lot of money; you're just not going to have quite the predictability you have with a typical production workload. A fairly new feature in the life of Azure.

We then have the pricing calculator. This is an interactive calculator that allows you to estimate Azure resource costs. You can choose a region, instance tiers, you can turn the knobs to configure the size and the settings for your workload to match your functionality and budgetary needs, so you can put a configuration in place and check the pricing and tweak it until you get the pricing, the run rate, you want. The pricing calculator is going to show you what it will cost, what the estimate is, for running that workload on a monthly and annual basis, but the key is this is going to give you pricing before you deploy. In fact, let's just switch over to the portal and we'll have a look, and the same would hold true of the total cost of ownership calculator; these are before-you-deploy type tools. So let's just switch over to the Azure portal. The pricing calculator is right here, so I can pick the type of workload that I want to work with, and if I just click virtual machines for example it's going to pull up a calculator and allow me to configure the settings and see my monthly cost. It's pretty straightforward. I can save my work here, I can do this for a variety of workloads to help better estimate my cost before I deploy. Now the total cost of ownership calculator is a little bit different, so it's less like a calculator. When I look at the pricing calculator it's very much a calculator: I'm picking the region, an operating system for my VM scenario, the tier, the OS type, the size of the instance, and I can see here the settings for the virtual machine, and then configure the hours (typically we're configuring the hours by the month), and then you see here I can pick my reserved instance if I like, I can set the hybrid benefit, so I can work in all of those money-saving opportunities in this pricing calculator to get down to a fairly realistic estimate of what I'm going to be paying. The total cost of ownership calculator is a little bit different; you see this is really helping us estimate the cost savings we can realize by migrating workloads to Azure, so this is a bit more of a survey where we can add server workloads, databases, storage and networking to get to an estimate of what we can save in our total cost of ownership running in the cloud. So I would suggest before the exam, just lay your hands on the TCO calculator and the pricing calculator as well, bearing in mind that both these calculators are before-you-deploy type resources, as opposed to Azure Cost Management, which is a suite of tools provided by Microsoft that help you analyze, manage and optimize the costs of your workloads. So this is more of an after-you-deploy type tool, complementary to the calculators in that respect; we have guidance before we deploy and then guidance to help us optimize and save after we deploy. Make sure you're familiar with that fact for the exam.

The next section of objective domain 6 is describe Azure SLAs and service lifecycles. We're in the home stretch here; this is the big finish. We're going to talk about Azure service level agreements, actions that can impact an SLA, and we'll talk about the service lifecycle in Azure. The purpose of an Azure SLA is essentially to provide a clear explanation of availability, and sometimes performance, of an Azure service. Actions that can affect an SLA? Well, failing to deploy a service in a manner that meets SLA requirements, for example, and really any Azure service that you're deploying will have some specifications around that SLA. So for example, you're not going to get a 99.9 uptime SLA on an Azure VM you deploy with spot pricing, because that could be ejected at any time. So you want to make sure that when you're performing your cost estimates before deployment you're also looking at your availability needs, and making sure that as you're working through the numbers to save money you're also bearing in mind what your availability requirements are for your service, so you find the right balance of cost and availability. In terms of the service lifecycle, there are three sort of service definitions you want to be aware of. There's private preview: this is a service that's open only to companies or users that are invited, or who have applied and have been accepted, to preview a service. This allows you to use a service in advance of its full release, so it's really for evaluation only; you don't run private preview services in production, period, full stop. There's public preview: this is open to the public, but the preview limitations apply, which means we're not running in production. And then when a service is fully released and approved for production use it's considered generally available, and Microsoft will make an announcement of general availability.

To wrap things up, I have a surprise for you. I'm going to give you free access to some practice questions for the AZ-900 exam, really just to help you assess your readiness for the exam. One of these is a 50-question practice test; you don't even have to log in to try, you can just go to a webpage, kick it off, answer the questions, get the answer explanations and see where you land. I also have a set of three practice exams available with a training partner. I have links to both of these resources in the description below this video; use them with my compliments. Incidentally, when you go to that training provider you can sign up for a free trial of a few days and access those questions without any cost. And that is it for our AZ-900 exam cram. I hope you've enjoyed the course. Best of luck on the exam, and until next time, be well, stay safe and take care.
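The network security group walkthrough in the course shows rules being evaluated by priority, with the automatically created RDP rule allowing port 3389 from any source and the built-in DenyAllInBound rule at priority 65500 catching everything else. The following is an added example, not code from the course or from Azure: a small evaluator that applies the same first-match-by-priority logic to a constructed rule set, plus a check that reproduces the portal's "management port open to the internet" warning. The virtual network range (10.0.0.0/16) and the rule set are constructed; the service tag handling is an approximation of what Azure resolves for you.

```python
"""Priority-ordered evaluation of network security group rules.

Added, constructed example (not Azure's own evaluation engine). Rules are checked
from the lowest priority number upward, the first matching rule wins, and the
built-in DenyAllInBound rule at priority 65500 catches anything not explicitly
allowed. Service tags are resolved by Azure; here they are approximated for a
constructed 10.0.0.0/16 virtual network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET = ipaddress.ip_network("10.0.0.0/16")          # constructed VNet address space
LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure load-balancer health probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first; 65000+ are Azure's defaults
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # "*", a service tag, or a CIDR
    dest_port: str    # "*", a single port, or a range "a-b"


def _source_matches(selector: str, src: str) -> bool:
    addr = ipaddress.ip_address(src)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":                      # approximation: anything outside the VNet
        return addr not in VNET and addr != LB_PROBE_IP
    if selector == "AzureLoadBalancer":
        return addr == LB_PROBE_IP
    return addr in ipaddress.ip_network(selector, strict=False)


def _port_matches(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    if "-" in selector:
        low, high = (int(p) for p in selector.split("-"))
        return low <= port <= high
    return int(selector) == port


def evaluate(rules: List[Rule], direction: str, src: str, port: int, protocol: str) -> Tuple[str, Optional[str]]:
    """Return (access, rule name) for the first rule, in priority order, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if _source_matches(rule.source, src) and _port_matches(rule.dest_port, port):
            return rule.access, rule.name
    return "Deny", None   # unreachable while the default rules are present; safe fallback


MANAGEMENT_PORTS = {22, 3389}


def exposed_management_rules(rules: List[Rule]) -> List[str]:
    """Names of inbound Allow rules that open SSH or RDP to any source or the Internet tag.

    This is the condition behind the portal's warning symbol; the course suggests
    closing it with just-in-time VM access rather than leaving the port open."""
    flagged = []
    for rule in rules:
        if rule.direction != "Inbound" or rule.access != "Allow":
            continue
        if rule.source not in ("*", "Internet"):
            continue
        if any(_port_matches(rule.dest_port, p) for p in MANAGEMENT_PORTS):
            flagged.append(rule.name)
    return flagged


# Constructed rule set: the three inbound defaults Azure creates, plus the
# auto-generated RDP rule a new Windows VM gets.
NSG_RULES = [
    Rule("AllowRDP", 300, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    print(evaluate(NSG_RULES, "Inbound", "203.0.113.9", 3389, "Tcp"))   # RDP from the internet: Allow
    print(evaluate(NSG_RULES, "Inbound", "203.0.113.9", 443, "Tcp"))    # HTTPS from the internet: Deny
    print(evaluate(NSG_RULES, "Inbound", "10.0.1.4", 443, "Tcp"))       # from inside the VNet: Allow
    print(exposed_management_rules(NSG_RULES))                          # ['AllowRDP']
```

Worth noticing: the VNet and load-balancer rules never match traffic from the internet, so anything other than port 3389 falls through to DenyAllInBound, and a UDP probe on 3389 is denied too because the RDP rule is TCP-only. The exposure check is what a "this feels like a firewall but isn't" review of a default NSG should start with.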
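The conditional access section of the course describes a policy as signals in (user and group, app, platform, location, sign-in risk) and a decision out (grant, require controls, or block), with exclusions for named locations, require-all versus require-one controls, and a report-only mode. The block below is an added example, not Microsoft's policy engine or code from the course: a constructed evaluator that applies those semantics to a few constructed policies and sign-ins. The policy and control names ("mfa", "compliantDevice", "hybridJoined") and the group "break-glass" are assumptions for the example.

```python
"""Conditional access evaluation: bring the sign-in signals together, decide.

Added, constructed example; it is not Microsoft's conditional access engine.
It models the settings the course walks through in the portal: assignment to
users/groups and apps with exclusions, conditions on sign-in risk, device
platform and excluded named locations, a grant control that blocks or requires
controls with require-all or require-one semantics, and report-only mode, which
is evaluated but never changes the outcome.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    platform: str                  # e.g. "windows", "iOS", "android"
    location: str                  # a named location such as "HQ", or "unknown"
    risk: str                      # Identity Protection sign-in risk: none/low/medium/high
    mfa_satisfied: bool = False    # second factor already completed in this session
    device_compliant: bool = False
    hybrid_joined: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: FrozenSet[str]                   # "*" = all users
    exclude_groups: FrozenSet[str] = frozenset()
    include_apps: FrozenSet[str] = frozenset({"*"})  # "*" = all cloud apps
    exclude_apps: FrozenSet[str] = frozenset()
    platforms: Optional[FrozenSet[str]] = None       # None = any device platform
    risk_levels: Optional[FrozenSet[str]] = None     # None = any sign-in risk
    exclude_locations: FrozenSet[str] = frozenset()
    block: bool = False                              # grant control "Block access"
    controls: FrozenSet[str] = frozenset()           # "mfa", "compliantDevice", "hybridJoined"
    require_all: bool = True                         # False = "require one of the selected controls"
    report_only: bool = False


def applies(policy: Policy, s: SignIn) -> bool:
    """Assignment and condition checks; an exclusion always wins over an inclusion."""
    in_users = "*" in policy.include_groups or bool(s.groups & policy.include_groups)
    if not in_users or s.groups & policy.exclude_groups:
        return False
    in_apps = "*" in policy.include_apps or s.app in policy.include_apps
    if not in_apps or s.app in policy.exclude_apps:
        return False
    if policy.platforms is not None and s.platform not in policy.platforms:
        return False
    if policy.risk_levels is not None and s.risk not in policy.risk_levels:
        return False
    return s.location not in policy.exclude_locations


def unmet_controls(policy: Policy, s: SignIn) -> List[str]:
    """Controls the sign-in still has to satisfy for this policy (empty = satisfied)."""
    have = {"mfa": s.mfa_satisfied, "compliantDevice": s.device_compliant, "hybridJoined": s.hybrid_joined}
    missing = sorted(c for c in policy.controls if not have.get(c, False))
    if policy.require_all:
        return missing
    return [] if len(missing) < len(policy.controls) else missing  # require-one: any one met is enough


def decide(policies: List[Policy], s: SignIn) -> Dict[str, object]:
    """Combine every applicable policy: a block wins, otherwise all unmet controls
    are required; report-only policies are logged with what they would have done."""
    outcome, needed, report = "grant", set(), {}
    for p in policies:
        if not applies(p, s):
            continue
        missing = unmet_controls(p, s)
        if p.report_only:
            report[p.name] = "block" if p.block else ("require " + ", ".join(missing) if missing else "grant")
            continue
        if p.block:
            outcome = "block"
        else:
            needed.update(missing)
    if outcome != "block" and needed:
        outcome = "requireControls"
    return {"decision": outcome, "controls": sorted(needed), "reportOnly": report}


# Constructed policies resembling those shown in the course.
POLICIES = [
    Policy("Require MFA for all users", frozenset({"*"}), exclude_groups=frozenset({"break-glass"}),
           exclude_locations=frozenset({"HQ"}), controls=frozenset({"mfa"})),
    Policy("Block high-risk sign-ins", frozenset({"*"}), risk_levels=frozenset({"high"}), block=True),
    Policy("Require compliant device on mobile", frozenset({"*"}), platforms=frozenset({"iOS", "android"}),
           controls=frozenset({"compliantDevice"}), report_only=True),
]
```

The two design points the course calls out are both visible here: a sign-in from the excluded "HQ" named location is never prompted for MFA, and the report-only mobile policy shows up in the `reportOnly` map with what it would have required without changing the decision, which is how you would assess impact before enforcing it.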
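The governance section describes Azure Policy definitions (allowed regions, allowed VM sizes, naming conventions, required tags), initiatives that group them, and assignment at a management group so the standards apply across several subscriptions at once. The following added example is a constructed model of that evaluation; it is not the Azure Policy engine or its JSON definition language, and the management group "corp", the subscription names, the naming pattern and the resources are all constructed. It shows the difference the course draws between a deny effect, which stops a deployment, and an audit effect, which only records the finding.

```python
"""Policy definitions, an initiative, and a management-group assignment evaluated
against constructed resources.

Added, constructed example of the governance model the course describes; it is
not the Azure Policy engine or its JSON definition language. Each definition is a
compliance check plus an effect: "deny" blocks a non-compliant deployment, "audit"
records it. An initiative groups definitions, and assigning it at a management
group applies it to every subscription under that group.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

VM_TYPE = "Microsoft.Compute/virtualMachines"


@dataclass
class Resource:
    name: str
    type: str
    location: str
    subscription: str
    sku: str = ""
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class PolicyDefinition:
    name: str
    effect: str                            # "deny" or "audit"
    compliant: Callable[[Resource], bool]  # returns True when the resource passes


# Builders for the definition kinds named in the course.
def allowed_locations(regions):
    return PolicyDefinition("allowed-locations", "deny", lambda r: r.location in regions)


def allowed_vm_sizes(sizes):
    return PolicyDefinition("allowed-vm-sizes", "deny", lambda r: r.type != VM_TYPE or r.sku in sizes)


def required_tags(keys):
    # an empty tag value counts as missing, so every resource arrives with a usable owner/cost center
    return PolicyDefinition("required-tags", "deny", lambda r: all(r.tags.get(k) for k in keys))


def naming_convention(pattern):
    rx = re.compile(pattern)
    return PolicyDefinition("naming-convention", "audit", lambda r: rx.fullmatch(r.name) is not None)


@dataclass(frozen=True)
class Initiative:
    name: str
    definitions: Tuple[PolicyDefinition, ...]


def evaluate(initiative: Initiative, scope_subscriptions, resources: List[Resource]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {"deny": [(resource, definition), ...], "audit": [...]} for in-scope resources only."""
    result: Dict[str, List[Tuple[str, str]]] = {"deny": [], "audit": []}
    for r in resources:
        if r.subscription not in scope_subscriptions:
            continue   # assigned at a management group; subscriptions outside it are untouched
        for d in initiative.definitions:
            if not d.compliant(r):
                result[d.effect].append((r.name, d.name))
    return result


def deployment_allowed(initiative: Initiative, scope_subscriptions, resource: Resource) -> bool:
    """A deployment is refused only by 'deny' effects; 'audit' findings let it through."""
    return not evaluate(initiative, scope_subscriptions, [resource])["deny"]


# Constructed tenant: management group "corp" contains two subscriptions.
MG_SUBSCRIPTIONS = {"corp": {"sub-prod", "sub-dev"}}
STANDARDS = Initiative("corp-standards", (
    allowed_locations({"eastus", "westus2"}),
    allowed_vm_sizes({"Standard_D2s_v3", "Standard_D4s_v3"}),
    required_tags(["costCenter", "owner"]),
    naming_convention(r"[a-z]+-(prod|dev)-[a-z0-9]+-\d{2}"),
))
RESOURCES = [
    Resource("vm-prod-eastus-01", VM_TYPE, "eastus", "sub-prod", "Standard_D2s_v3",
             {"costCenter": "CC100", "owner": "alice@example.com"}),
    Resource("vm-dev-westeurope-01", VM_TYPE, "westeurope", "sub-dev", "Standard_D2s_v3",
             {"costCenter": "CC200", "owner": "bob@example.com"}),
    Resource("bigbox", VM_TYPE, "eastus", "sub-dev", "Standard_E64s_v3", {"owner": "bob@example.com"}),
    Resource("stprod01", "Microsoft.Storage/storageAccounts", "eastus", "sub-prod", "",
             {"costCenter": "CC100", "owner": "ops@example.com"}),
    Resource("vm-lab-eastus-01", VM_TYPE, "eastus", "sub-sandbox", "Standard_M128", {}),
]

if __name__ == "__main__":
    for effect, findings in evaluate(STANDARDS, MG_SUBSCRIPTIONS["corp"], RESOURCES).items():
        print(effect, findings)
```

Running it, the out-of-region VM and the untagged, oversized VM are denied, the storage account that only breaks the naming convention is audited but deploys, and the VM in "sub-sandbox" is never evaluated because that subscription sits outside the management group the initiative is assigned to.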
Info
Channel: Inside Cloud and Security
Views: 574,430
Keywords: #azure, #certification, #az900, #examprep
Id: gH3pwWO0Q9Y
Length: 118min 23sec (7103 seconds)
Published: Thu Feb 11 2021